* [PATCH 6.1 000/522] 6.1.176-rc1 review
@ 2026-06-16 14:52 Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 001/522] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
                   ` (522 more replies)
  0 siblings, 523 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 6.1.176 release.
There are 522 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 18 Jun 2026 14:49:57 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.176-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 6.1.176-rc1

Borislav Petkov (AMD) <bp@alien8.de>
    x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function

Ben Hutchings <benh@debian.org>
    apparmor: validate default DFA states are in bounds

Ben Hutchings <benh@debian.org>
    fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter

Petr Machata <petrm@nvidia.com>
    Revert "selftest/ptp: update ptp selftest to exercise the gettimex options"

Will Deacon <will@kernel.org>
    arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU

Shanker Donthineni <sdonthineni@nvidia.com>
    arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU

Mark Rutland <mark.rutland@arm.com>
    arm64: errata: Mitigate TLBI errata on various Arm CPUs

Mark Rutland <mark.rutland@arm.com>
    arm64: cputype: Add C1-Premium definitions

Mark Rutland <mark.rutland@arm.com>
    arm64: cputype: Add C1-Ultra definitions

Shanker Donthineni <sdonthineni@nvidia.com>
    arm64: cputype: Add NVIDIA Olympus definitions

Ashutosh Desai <ashutoshdesai993@gmail.com>
    drm/v3d: Reject empty multisync extension to prevent infinite loop

SeongJae Park <sj@kernel.org>
    mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values

SeongJae Park <sj@kernel.org>
    mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values

SeongJae Park <sj@kernel.org>
    mm/damon/core: implement damon_kdamond_pid()

Corey Minyard <corey@minyard.net>
    ipmi:ssif: NULL thread on error

Corey Minyard <corey@minyard.net>
    ipmi:ssif: Remove unnecessary indention

Lukas Wunner <lukas@wunner.de>
    lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Amit Sunil Dhamne <amitsd@google.com>
    usb: typec: tcpm: reset internal port states on soft reset AMS

SeongJae Park <sj@kernel.org>
    mm/damon/core: disallow time-quota setting zero esz

SeongJae Park <sj@kernel.org>
    mm/damon/core: use time_in_range_open() for damos quota window start

Corey Minyard <corey@minyard.net>
    ipmi:ssif: Clean up kthread on errors

Corey Minyard <corey@minyard.net>
    ipmi:ssif: Fix a shutdown race

Marc Zyngier <maz@kernel.org>
    KVM: arm64: Wake-up from WFI when iqrchip is in userspace

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf build: Remove -Wno-unused-but-set-variable from the flex flags when building with clang < 13.0.0

Arnaldo Carvalho de Melo <acme@redhat.com>
    tools build: Add 3-component logical version comparators

Ian Rogers <irogers@google.com>
    perf build: Disable fewer bison warnings

Ian Rogers <irogers@google.com>
    perf parse-events: Make YYDEBUG dependent on doing a debug build

Ian Rogers <irogers@google.com>
    perf build: Conditionally define NDEBUG

Aaron Erhardt <aer@tuxedocomputers.com>
    ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6

Sven Eckelmann <sven@narfation.org>
    batman-adv: tp_meter: fix tp_num leak on kmalloc failure

Jiexun Wang <wangjiexun2025@gmail.com>
    batman-adv: stop tp_meter sessions during mesh teardown

Tejun Heo <tj@kernel.org>
    blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init

Julian Anastasov <ja@ssi.bg>
    ipvs: skip ipv6 extension headers for csum checks

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/umem: Fix truncation for block sizes >= 4G

Leon Romanovsky <leon@kernel.org>
    RDMA: Move DMA block iterator logic into dedicated files

Randy Dunlap <rdunlap@infradead.org>
    RDMA/umem: fix kernel-doc warnings

Wupeng Ma <mawupeng1@huawei.com>
    mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison

Jane Chu <jane.chu@oracle.com>
    mm/memory-failure: fix missing ->mf_stats count in hugetlb poison

David Hildenbrand <david@redhat.com>
    mm/hugetlb: rename folio_putback_active_hugetlb() to folio_putback_hugetlb()

David Hildenbrand <david@redhat.com>
    mm/migrate: don't call folio_putback_active_hugetlb() on dst hugetlb folio

David Hildenbrand <david@redhat.com>
    mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb()

Anton Leontev <leontyevantony@gmail.com>
    hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

Davide Ornaghi <d.ornaghi97@gmail.com>
    netfilter: nft_fib: fix stale stack leak via the OIFNAME register

Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
    usb: typec: ucsi: Don't update power_supply on power role change if not connected

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()

Prasanna S <prasanna.s@oss.qualcomm.com>
    serial: qcom-geni: fix UART_RX_PAR_EN bit position

Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    tty: serial: qcom-geni-serial: align #define values

Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    tty: serial: qcom-geni-serial: remove unused symbols

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()

Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
    usb: typec: ucsi: Check if power role change actually happened before handling

Guangshuo Li <lgs201920130244@gmail.com>
    usb: gadget: f_hid: fix device reference leak in hidg_alloc()

John Keeping <john@metanate.com>
    usb: gadget: f_hid: tidy error handling in hidg_alloc

Wentao Liang <vulab@iscas.ac.cn>
    usb: musb: omap2430: Fix use-after-free in omap2430_probe()

Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
    usb: dwc3: xilinx: fix error handling in zynqmp init error paths

Tudor Ambarus <tudor.ambarus@linaro.org>
    tty: serial: samsung: Remove redundant port lock acquisition in rx helpers

Tudor Ambarus <tudor.ambarus@linaro.org>
    tty: serial: samsung: use u32 for register interactions

Thomas Gleixner <tglx@linutronix.de>
    serial: samsung_tty: Use port lock wrappers

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: firewire-motu: Protect register DSP event queue positions

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix ref bit initialization for single-channel parts

Peter Chen <peter.chen@cixtech.com>
    usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure

Antoniu Miclaus <antoniu.miclaus@analog.com>
    iio: chemical: scd30: fix division by zero in write_raw

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: chemical: scd30: Use guard(mutex) to allow early returns

Antoniu Miclaus <antoniu.miclaus@analog.com>
    iio: gyro: adis16260: fix division by zero in write_raw

David Carlier <devnexen@gmail.com>
    iio: adc: npcm: fix unbalanced clk_disable_unprepare()

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    iio: adc: npcm: Convert to platform remove callback returning void

Ruan Jinjie <ruanjinjie@huawei.com>
    iio: adc: fix the return value handle for platform_get_irq()

Wayne Chang <waynec@nvidia.com>
    phy: tegra: xusb: Fix per-pad high-speed termination calibration

Wayne Chang <waynec@nvidia.com>
    phy: tegra: xusb: Disable trk clk when not in use

Zeng Heng <zengheng4@huawei.com>
    arm64: tlb: Flush walk cache when unsharing PMD tables

Johan Hovold <johan@kernel.org>
    spi: qup: fix error pointer deref after DMA setup failure

Yang Yingliang <yangyingliang@huawei.com>
    spi: qup: switch to use modern name

Dawei Feng <dawei.feng@seu.edu.cn>
    octeontx2-pf: avoid double free of pool->stack on AQ init failure

Lukas Wunner <lukas@wunner.de>
    platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery

David E. Box <david.e.box@linux.intel.com>
    platform/x86/intel/vsec: Make driver_data info const

David E. Box <david.e.box@linux.intel.com>
    platform/x86/intel/vsec: Create wrapper to walk PCI config space

David E. Box <david.e.box@linux.intel.com>
    platform/x86/intel/vsec: Add private data for per-device data

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: do not drop partial packets

Paolo Abeni <pabeni@redhat.com>
    mptcp: reset rcv wnd on disconnect

Sam Daly <sam@samdaly.ie>
    octeontx2-af: CGX: add bounds check to cgx_speed_mbps index

Justin Stitt <justinstitt@google.com>
    octeontx2-af: replace deprecated strncpy with strscpy

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    selftests: mptcp: drop nanoseconds width specifier

Li Xiasong <lixiasong1@huawei.com>
    mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient

Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
    ice: fix VF queue configuration with low MTU values

Justin Iurman <justin.iurman@gmail.com>
    ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()

Michael Bommarito <michael.bommarito@gmail.com>
    net: hsr: defer node table free until after RCU readers

Jiexun Wang <wangjiexun2025@gmail.com>
    Bluetooth: serialize accept_q access

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: Init sk_peer_* on bt_sock_alloc

Alistair Popple <apopple@nvidia.com>
    mm/memory: fix spurious warning when unmapping device-private/exclusive pages

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: hci_qca: Convert timeout from jiffies to ms

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: require net admin for CIFS SWN netlink

Ido Schimmel <idosch@nvidia.com>
    genetlink: Use internal flags for multicast groups

Guopeng Zhang <zhangguopeng@kylinos.cn>
    cgroup/cpuset: Reset DL migration state on can_attach() failure

Johan Hovold <johan@kernel.org>
    spi: lantiq-ssc: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: st-ssc4: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: st-ssc4: switch to use modern name

Chao Yu <chao@kernel.org>
    f2fs: fix false alarm of lockdep on cp_global_sem lock

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix incorrect file address mapping when inline inode is unwritten

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: fix potential data-race

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: allow ID 0

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: prio: skip closed subflows

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: fastclose msk when linger time is 0

Filipe Manana <fdmanana@suse.com>
    btrfs: fix missing last_unlink_trans update when removing a directory

Piyush Sachdeva <s.piyush1024@gmail.com>
    smb: client: Use FullSessionKey for AES-256 encryption key derivation

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: validate dacloffset before building DACL pointers

Ulf Hansson <ulf.hansson@linaro.org>
    pmdomain: core: Fix detach procedure for virtual devices in genpd

Guangshuo Li <lgs201920130244@gmail.com>
    btrfs: fix double free in create_space_info_sub_group() error path

Filipe Manana <fdmanana@suse.com>
    btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()

Steven Rostedt <rostedt@goodmis.org>
    tracing/probes: Limit size of event probe to 3K

Yochai Eisenrich <yochaie@sweet.security>
    btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: topcliff-pch: Convert to platform remove callback returning void

Thomas Zimmermann <tzimmermann@suse.de>
    fbcon: Avoid OOB font access if console rotation fails

Johan Hovold <johan@kernel.org>
    spi: microchip-core-qspi: fix controller deregistration

Li Zetao <lizetao1@huawei.com>
    spi: microchip-core-qspi: Use helper function devm_clk_get_enabled()

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: microchip-core-qspi: Convert to platform remove callback returning void

Pavitra Jha <jhapavitra98@gmail.com>
    net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

Sang-Heon Jeon <ekffu200098@gmail.com>
    mm/hugetlb_cma: round up per_node before logging it

Johan Hovold <johan@kernel.org>
    spi: uniphier: fix controller deregistration

Pei Xiao <xiaopei01@kylinos.cn>
    spi: uniphier: Simplify clock handling with devm_clk_get_enabled()

Yang Yingliang <yangyingliang@huawei.com>
    spi: uniphier: switch to use modern name

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: uniphier: Convert to platform remove callback returning void

Johan Hovold <johan@kernel.org>
    spi: tegra20-sflash: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: tegra114: fix controller deregistration

Tudor Ambarus <tudor.ambarus@linaro.org>
    mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Zeng Heng <zengheng4@huawei.com>
    mtd: spi-nor: core: fix implicit declaration warning

Johan Hovold <johan@kernel.org>
    spi: s3c64xx: fix NULL-deref on driver unbind

Andi Shyti <andi.shyti@kernel.org>
    spi: s3c64xx: Use devm_clk_get_enabled()

Johan Hovold <johan@kernel.org>
    spi: sun6i: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: zynq-qspi: fix controller deregistration

Pei Xiao <xiaopei01@kylinos.cn>
    spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()

Yang Yingliang <yangyingliang@huawei.com>
    spi: zynq-qspi: switch to use modern name

Ruan Jinjie <ruanjinjie@huawei.com>
    spi: spi-zynq: Do not check for 0 return after calling platform_get_irq()

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: zynq-qspi: Convert to platform remove callback returning void

Johan Hovold <johan@kernel.org>
    spi: ti-qspi: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: spi-ti-qspi: switch to use modern name

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: spi-ti-qspi: Convert to platform remove callback returning void

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    spi: Convert to SPI_CONTROLLER_HALF_DUPLEX

Johan Hovold <johan@kernel.org>
    spi: sun4i: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: sun4i: switch to use modern name

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: sun4i: Convert to platform remove callback returning void

Johan Hovold <johan@kernel.org>
    spi: syncuacer: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: synquacer: switch to use modern name

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: synquacer: Convert to platform remove callback returning void

Michal Kosiorek <mkosiorek121@gmail.com>
    xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete

Michael Bommarito <michael.bommarito@gmail.com>
    xfrm: ah: account for ESN high bits in async callbacks

Eric Biggers <ebiggers@google.com>
    net: ipv6: stop checking crypto_ahash_alignmask

Eric Biggers <ebiggers@google.com>
    net: ipv4: stop checking crypto_ahash_alignmask

Selvarasu Ganesan <selvarasu.g@samsung.com>
    usb: dwc3: Move GUID programming after PHY initialization

Marek Szyprowski <m.szyprowski@samsung.com>
    wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: remove station if connection prep fails

David Carlier <devnexen@gmail.com>
    tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()

Sam Edwards <cfsworks@gmail.com>
    net: stmmac: Prevent NULL deref when RX memory exhausted

Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()

Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    net: stmmac: avoid shadowing global buf_sz

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: caam - guard HMAC key hex dumps in hash_digest_key

Thorsten Blum <thorsten.blum@linux.dev>
    printk: add print_hex_dump_devel()

Max Kellermann <max.kellermann@ionos.com>
    ceph: only d_add() negative dentries when they are unhashed

Junrui Luo <moonafterrain@outlook.com>
    erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx

Ard Biesheuvel <ardb@kernel.org>
    crypto: nx - Migrate to scomp API

Gustavo A. R. Silva <gustavoars@kernel.org>
    crypto: nx - Avoid -Wflex-array-member-not-at-end warning

Zilin Guan <zilin@seu.edu.cn>
    hfsplus: fix held lock freed on hfsplus_fill_super()

Deepanshu Kartikey <kartikey406@gmail.com>
    hfsplus: fix uninit-value by validating catalog record size

Seohyeon Maeng <bioloidgp@gmail.com>
    udf: fix partition descriptor append bookkeeping

Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
    xfs: fix a resource leak in xfs_alloc_buftarg()

Thomas Zimmermann <tzimmermann@suse.de>
    fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Johan Hovold <johan@kernel.org>
    spi: fix resource leaks on device setup failure

Zhengchuan Liang <zcliangcn@gmail.com>
    net: bridge: use a stable FDB dst snapshot in RCU readers

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Limit the total number of nodes

Yuan Zhaoming <yuanzm2@lenovo.com>
    net: mctp: fix don't require received header reserved bits to be zero

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Free the node during ctrl_cmd_bye()

Vignesh Viswanathan <quic_viswanat@quicinc.com>
    net: qrtr: ns: Change servers radix tree to xarray

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Limit the maximum number of lookups

Joseph Salisbury <joseph.salisbury@oracle.com>
    sched: Use u64 for bandwidth ratio calculations

Oliver Neukum <oneukum@suse.com>
    media: rc: igorplugusb: heed coherency rules

Thorsten Blum <thorsten.blum@linux.dev>
    ALSA: aoa: Skip devices with no codecs in i2sbus_resume()

Oliver Neukum <oneukum@suse.com>
    media: rc: ttusbir: respect DMA coherency rules

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: aoa: i2sbus: clear stale prepared state

Takashi Iwai <tiwai@suse.de>
    ALSA: aoa: Use guard() for mutex locks

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    thermal: core: Fix thermal zone governor cleanup issues

Johan Hovold <johan@kernel.org>
    spi: imx: fix use-after-free on unbind

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: imx: Convert to platform remove callback returning void

Daniel Hodges <git@danielhodges.dev>
    wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()

Alistair Popple <apopple@nvidia.com>
    lib: test_hmm: evict device pages on file close to avoid use-after-free

Anshuman Khandual <anshuman.khandual@arm.com>
    arm64/mm: Enable batched TLB flush in unmap_hotplug_range()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    LoongArch: Add spectre boundry for syscall dispatch table

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: validate the whole DACL before rewriting it in cifsacl

Michael Bommarito <michael.bommarito@gmail.com>
    ksmbd: require minimum ACE size in smb_check_perm_dacl()

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

Chao Yu <chao@kernel.org>
    f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally

Jiazi Li <jqqlijiazi@gmail.com>
    f2fs: use kfree() instead of kvfree() to free some memory

Yin Tirui <yintirui@huawei.com>
    mm/huge_memory: update file PMD counter before folio_put()

SeongJae Park <sj@kernel.org>
    mm/damon/ops-common: call folio_test_lru() after folio_get()

Lorenzo Stoakes <ljs@kernel.org>
    mm/hugetlb: avoid false positive lockdep assertion

Mingyu Wang <25181214217@stu.xidian.edu.cn>
    fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Use krealloc_array() in dal_vector_reserve()

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size

Christian König <christian.koenig@amd.com>
    drm/amdgpu: restart the CS if some parts of the VM are still invalidated

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: fix OF node refcount

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Limit XDomain response copy to actual frame size

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Validate XDomain request packet size before type cast

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Clamp XDomain response data copy to allocation size

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Bound root directory content to block size

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Reject zero-length property entries in validator

Wyatt Feng <bronzed_45_vested@icloud.com>
    sctp: stream: fully roll back denied add-stream state

Zhao Zhang <zzhan461@ucr.edu>
    sctp: diag: reject stale associations in dump_one path

Jisheng Zhang <jszhang@kernel.org>
    mmc: sdhci: add signal voltage switch in sdhci_resume_host

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC

Inochi Amaoto <inochiama@gmail.com>
    mmc: litex_mmc: Set mandatory idle clocks before CMD0

Kamal Dasu <kamal.dasu@broadcom.com>
    mmc: core: Fix host controller programming for fixed driver type

Dawei Feng <dawei.feng@seu.edu.cn>
    octeontx2-af: fix memory leak in rvu_setup_hw_resources()

Yuqi Xu <xuyq21@lenovo.com>
    net: rds: clear i_sends on setup unwind

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    net: mv643xx: fix OF node refcount

ZhaoJinming <zhaojinming@uniontech.com>
    net: bonding: fix NULL pointer dereference in bond_do_ioctl()

Nikolay Kuratov <kniv@yandex-team.ru>
    net/mlx5: Reorder completion before putting command entry in cmd_work_handler

Junrui Luo <moonafterrain@outlook.com>
    misc: fastrpc: fix DMA address corruption due to find_vma misuse

Zhenghang Xiao <kipreyyy@gmail.com>
    misc: fastrpc: fix use-after-free race in fastrpc_map_create

Anandu Krishnan E <anandu.e@oss.qualcomm.com>
    misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

Yilin Zhu <zylzyl2333@gmail.com>
    ipc/shm: serialize orphan cleanup with shm_nattch updates

Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
    Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard

Zeyu WANG <zeyu.thomas.wang@gmail.com>
    Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)

Akhil R <akhilrajeev@nvidia.com>
    i2c: tegra: Fix NOIRQ suspend/resume

Guillermo Rodríguez <guille.rodriguez@gmail.com>
    i2c: stm32f7: fix timing computation ignoring i2c-analog-filter

Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
    i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()

Jann Horn <jannh@google.com>
    fuse: reject fuse_notify() pagecache ops on directories

Christian Brauner <brauner@kernel.org>
    pidfd: refuse access to tasks that have started exiting harder

Michael Bommarito <michael.bommarito@gmail.com>
    IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

Kyle Meyer <kyle.meyer@hpe.com>
    bnxt_en: Fix NULL pointer dereference

Raf Dickson <rafdog35@gmail.com>
    vsock/vmci: fix sk_ack_backlog leak on failed handshake

Yuqi Xu <xuyuqiabc@gmail.com>
    wifi: nl80211: reject oversized EMA RNR lists

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: sockopt: check timestamping ret value

Paolo Abeni <pabeni@redhat.com>
    mptcp: allow subflow rcv wnd to shrink

Paolo Abeni <pabeni@redhat.com>
    mptcp: close TOCTOU race while computing rcv_wnd

Paolo Abeni <pabeni@redhat.com>
    mptcp: fix retransmission loop when csum is enabled

Karl Mehltretter <kmehltretter@gmail.com>
    ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow

Karl Mehltretter <kmehltretter@gmail.com>
    ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O

Yuho Choi <dbgh9129@gmail.com>
    ARM: socfpga: Fix OF node refcount leak in SMP setup

Sechang Lim <rhkrqnwk98@gmail.com>
    udp: clear skb->dev before running a sockmap verdict

Michael Bommarito <michael.bommarito@gmail.com>
    RDMA/srp: bound SRP_RSP sense copy by the received length

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()

Takashi Iwai <tiwai@suse.de>
    ALSA: timer: Fix UAF at snd_timer_user_params()

HyeongJun An <sammiee5311@gmail.com>
    USB: serial: kl5kusb105: fix bulk-out buffer overflow

Jack Wu <jackbb_wu@compal.com>
    USB: serial: option: add usb-id for Dell Wireless DW5826e-m

Adrian Korwel <adriank20047@gmail.com>
    USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

Adrian Korwel <adriank20047@gmail.com>
    USB: serial: io_ti: fix heap overflow in get_manuf_info()

Wyatt Feng <bronzed_45_vested@icloud.com>
    xfrm: espintcp: do not reuse an in-progress partial send

Gil Portnoy <dddhkts1@gmail.com>
    ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL

Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    drm/i915/gem: Fix phys BO pread/pwrite with offset

Inochi Amaoto <inochiama@gmail.com>
    mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation

Michael Bommarito <michael.bommarito@gmail.com>
    Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig

Yuqi Xu <xuyq21@lenovo.com>
    Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Tristan Madani <tristan@talencesecurity.com>
    netfilter: nft_tunnel: fix use-after-free on object destroy

Alexander A. Klimov <grandmaster@al2klimov.de>
    drm/vc4: fix krealloc() memory leak

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: ctnetlink: ensure safe access to master conntrack

Til Kaiser <mail@tk154.de>
    net: mvpp2: build skb from XDP-adjusted data on XDP_PASS

Til Kaiser <mail@tk154.de>
    net: mvpp2: refill RX buffers before XDP or skb use

Lorenzo Bianconi <lorenzo@kernel.org>
    net: mvpp2: Add metadata support for xdp mode

Til Kaiser <mail@tk154.de>
    net: mvpp2: limit XDP frame size to the RX buffer

Til Kaiser <mail@tk154.de>
    net: mvpp2: sync RX data at the hardware packet offset

Florian Westphal <fw@strlen.de>
    netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

Xiang Mei <xmei5@asu.edu>
    netfilter: nf_log: validate MAC header was set before dumping it

Kyle Zeng <kylebot@openai.com>
    netfilter: x_tables: avoid leaking percpu counter pointers

Weiming Shi <bestswngs@gmail.com>
    netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

Breno Leitao <leitao@debian.org>
    rds: mark snapshot pages dirty in rds_info_getsockopt()

Eric Dumazet <edumazet@google.com>
    ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

Weiming Shi <bestswngs@gmail.com>
    net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion

Kyle Zeng <kylebot@openai.com>
    net: guard timestamp cmsgs to real error queue skbs

Michael Bommarito <michael.bommarito@gmail.com>
    sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

Chih Kai Hsu <hsu.chih.kai@realtek.com>
    r8152: handle the return value of usb_reset_device()

Douglas Anderson <dianders@chromium.org>
    r8152: Block future register access if register access fails

Hayes Wang <hayeswang@realtek.com>
    r8152: reduce the control transfer of rtl8152_get_version()

Adrian Moreno <amorenoz@redhat.com>
    net: openvswitch: fix possible kfree_skb of ERR_PTR

Kyle Zeng <kylebot@openai.com>
    ipv6: sit: reload inner IPv6 header after GSO offloads

Mingyu Wang <25181214217@stu.xidian.edu.cn>
    net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

Yao Sang <sangyao@kylinos.cn>
    net/mlx4: avoid GCC 10 __bad_copy_from() false positive

Eric Dumazet <edumazet@google.com>
    tcp: restrict SO_ATTACH_FILTER to priv users

Richard Fitzgerald <rf@opensource.cirrus.com>
    ASoC: wm_adsp: Fix NULL dereference when removing firmware controls

Chenguang Zhao <zhaochenguang@kylinos.cn>
    netlabel: validate unlabeled address and mask attribute lengths

Sanghyun Park <sanghyun.park.cnu@gmail.com>
    xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Brian Foster <bfoster@redhat.com>
    iomap: don't revert iov_iter on partially completed buffered writes

Mark Rutland <mark.rutland@arm.com>
    arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI

Mark Rutland <mark.rutland@arm.com>
    arm64: tlb: Allow XZR argument to TLBI ops

Marc Zyngier <maz@kernel.org>
    KVM: arm64: Remove VPIPT I-cache handling

Weiming Shi <bestswngs@gmail.com>
    tap: free page on error paths in tap_get_user_xdp()

Minh Nguyen <minhnguyen.080505@gmail.com>
    net: skbuff: fix missing zerocopy reference in pskb_carve helpers

Kuen-Han Tsai <khtsai@google.com>
    usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo

Kuen-Han Tsai <khtsai@google.com>
    usb: gadget: f_ncm: Fix net_device lifecycle with device_move

Edward Lo <loyuantsung@gmail.com>
    fs/ntfs3: Return error for inconsistent extended attributes

Ji'an Zhou <eilaimemedsnaimel@gmail.com>
    ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
    time: Fix off-by-one in settimeofday() usec validation

Aleksandr Nogikh <nogikh@google.com>
    signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()

Rui Qi <qirui.001@bytedance.com>
    ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp

Xin Long <lucien.xin@gmail.com>
    sctp: purge outqueue on stale COOKIE-ECHO handling

Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

Eric Dumazet <edumazet@google.com>
    ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()

Andy Roulin <aroulin@nvidia.com>
    vxlan: vnifilter: fix spurious notification on VNI update

Andy Roulin <aroulin@nvidia.com>
    vxlan: vnifilter: send notification on VNI add

Nithin Dabilpuram <ndabilpuram@marvell.com>
    octeontx2-af: npc: Fix CPT channel mask in npc_install_flow

Kurt Kanzenbach <kurt@linutronix.de>
    ptp: vclock: Switch from RCU to SRCU

Eric Dumazet <edumazet@google.com>
    ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: MGMT: Fix backward compatibility with userspace

Bharath Reddy <kbreddy.rpbc@gmail.com>
    Bluetooth: fix memory leak in error path of hci_alloc_dev()

Zhang Cen <rollkingzzc@gmail.com>
    Bluetooth: bnep: reject short frames before parsing

Dudu Lu <phx0fer@gmail.com>
    Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling

SeungJu Cheon <suunj1331@gmail.com>
    Bluetooth: RFCOMM: validate skb length in MCC handlers

Zhang Cen <rollkingzzc@gmail.com>
    Bluetooth: MGMT: validate advertising TLV before type checks

Zhang Cen <rollkingzzc@gmail.com>
    Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()

Tapio Reijonen <tapio.reijonen@vaisala.com>
    net: fec: fix pinctrl default state restore order on resume

David Thompson <davthompson@nvidia.com>
    net: lan743x: permit VLAN-tagged packets up to configured MTU

Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    net: garp: fix unsigned integer underflow in garp_pdu_parse_attr

Kuniyuki Iwashima <kuniyu@google.com>
    net: Annotate sk->sk_write_space() for UDP SOCKMAP.

Oscar Maes <oscmaes92@gmail.com>
    pcnet32: stop holding device spin lock during napi_complete_done

Yicong Hui <yiconghui@gmail.com>
    drm/imx: Fix three kernel-doc warnings in dcss-scaler.c

Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    6lowpan: fix off-by-one in multicast context address compression

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: act_api: use RCU with deferred freeing for action lifecycle

Guangshuo Li <lgs201920130244@gmail.com>
    dm cache policy smq: check allocation under invalidate lock

Yiming Qian <yimingqian591@gmail.com>
    netfilter: bridge: make ebt_snat ARP rewrite writable

Florian Westphal <fw@strlen.de>
    netfilter: conntrack_irc: fix possible out-of-bounds read

Fernando Fernandez Mancera <fmancera@suse.de>
    netfilter: synproxy: add mutex to guard hook reference counting

Julian Anastasov <ja@ssi.bg>
    ipvs: clear the svc scheduler ptr early on edit

Fernando Fernandez Mancera <fmancera@suse.de>
    netfilter: xt_NFQUEUE: prefer raw_smp_processor_id

Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
    tee: optee: prevent use-after-free when the client exits before the supplicant

Nicolò Coccia <n.coccia96@gmail.com>
    net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

Ido Schimmel <idosch@nvidia.com>
    ipv6: mcast: Fix use-after-free when processing MLD queries

Mingyu Wang <25181214217@stu.xidian.edu.cn>
    i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

Nathan Chancellor <nathan@kernel.org>
    Disable -Wattribute-alias for clang-23 and newer

Vinicius Costa Gomes <vinicius.gomes@intel.com>
    dmaengine: idxd: Fix not releasing workqueue on .release()

Johan Hovold <johan@kernel.org>
    USB: serial: mct_u232: fix memory corruption with small endpoint

Kuniyuki Iwashima <kuniyu@google.com>
    bpf: Free reuseport cBPF prog after RCU grace period.

Michal Pecio <michal.pecio@gmail.com>
    usb: core: Fix SuperSpeed root hub wMaxPacketSize

Jiayuan Chen <jiayuan.chen@shopee.com>
    bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Fix bootconsole handover lockup

Johan Hovold <johan@kernel.org>
    USB: serial: cypress_m8: fix memory corruption with small endpoint

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: restore set elements when delete set fails

Wei-Cheng Chen <weichengc@nvidia.com>
    xhci: tegra: Fix ghost USB device on dual-role port unplug

Johan Hovold <johan@kernel.org>
    USB: serial: digi_acceleport: fix memory corruption with small endpoints

Vladislav Nikolaev <vlad102nikolaev@gmail.com>
    RDMA/rxe: Complete the rxe_cleanup_task backport

Nathan Chancellor <nathan@kernel.org>
    HID: core: Fix size_t specifier in hid_report_raw_event()

Benjamin Tissoires <bentiss@kernel.org>
    HID: pass the buffer size to hid_report_raw_event

Vicki Pfau <vi@endrift.com>
    HID: core: Add printk_ratelimited variants to hid_warn() etc

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Switch to using channel reset

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Fix bootconsole handover lockup

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Fix bootconsole message clobbering at chip reset

David Francis <David.Francis@amd.com>
    drm/amdkfd: Check for pdd drm file first in CRIU restore path

Eric Huang <jinhuieric.huang@amd.com>
    drm/amdkfd: fix NULL pointer bug in svm_range_set_attr

Shitalkumar Gandhi <shital.gandhi45@gmail.com>
    serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Fix swapped RI/DSR modem line transition counting

Hongling Zeng <zenghongling@kylinos.cn>
    serial: sh-sci: fix memory region release in error path

Myeonghun Pak <mhun512@gmail.com>
    serial: altera_jtaguart: handle uart_add_one_port() failures

Timur Kristóf <timur.kristof@gmail.com>
    drm/amd/pm/si: Disregard vblank time when no displays are connected

Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
    drm/i915: Fix potential UAF in TTM object purge

Berkant Koc <me@berkoc.com>
    drm/hyperv: validate VMBus packet size in receive callback

Berkant Koc <me@berkoc.com>
    drm/hyperv: validate resolution_count and fix WIN8 fallback

Alexandru Hossu <hossu.alexandru@gmail.com>
    scsi: target: iscsi: Validate CHAP_R length before base64 decode

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()

Michael Bommarito <michael.bommarito@gmail.com>
    usb: gadget: f_fs: copy only received bytes on short ep0 read

Seungjin Bae <eeodqql09@gmail.com>
    usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports

Guangshuo Li <lgs201920130244@gmail.com>
    usb: gadget: net2280: Fix double free in probe error path

Johan Hovold <johan@kernel.org>
    USB: serial: mct_u232: fix missing interrupt-in transfer sanity check

Johan Hovold <johan@kernel.org>
    USB: serial: mxuport: fix memory corruption with small endpoint

Johan Hovold <johan@kernel.org>
    USB: serial: keyspan: fix missing indat transfer sanity check

Zhang Cen <rollkingzzc@gmail.com>
    USB: serial: cypress_m8: validate interrupt packet headers

Zhang Cen <rollkingzzc@gmail.com>
    USB: serial: belkin_sa: validate interrupt status length

Wanquan Zhong <wanquan.zhong@fibocom.com>
    USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL

Jan Volckaert <janvolck@gmail.com>
    USB: serial: option: add MeiG SRM813Q

Heitor Alves de Siqueira <halves@igalia.com>
    usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize

Heitor Alves de Siqueira <halves@igalia.com>
    usb: usbtmc: check URB actual_length for interrupt-IN notifications

Michael Bommarito <michael.bommarito@gmail.com>
    usbip: vudc: Fix use after free bug in vudc_remove due to race condition

Sam Burkels <sam@1a38.nl>
    usb: storage: Add quirks for PNY Elite Portable SSD

Stephen J. Fuhry <fuhrysteve@gmail.com>
    USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers

Michal Pecio <michal.pecio@gmail.com>
    usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval

Xu Yang <xu.yang_2@nxp.com>
    usb: chipidea: core: convert ci_role_switch to local variable

Zhaoyang Yu <2426767509@qq.com>
    tty: serial: pch_uart: add check for dma_alloc_coherent()

Guangshuo Li <lgs201920130244@gmail.com>
    counter: Fix refcount leak in counter_alloc() error path

Ian Abbott <abbotti@mev.co.uk>
    comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()

Ian Abbott <abbotti@mev.co.uk>
    comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()

Nicolás Bazaes <contacto@bazaes.cl>
    Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem

Jingguo Tan <tanjingguo@huawei.com>
    xfrm: esp: restore combined single-frag length gate

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: close stream only when running

Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
    netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check

Michael Bommarito <michael.bommarito@gmail.com>
    xfrm: ah: use skb_to_full_sk in async output callbacks

Maoyi Xie <maoyixie.tju@gmail.com>
    xfrm: route MIGRATE notifications to caller's netns

Ashutosh Desai <ashutoshdesai993@gmail.com>
    nfc: hci: fix out-of-bounds read in HCP header parsing

Arnd Bergmann <arnd@arndb.de>
    iommu, debugobjects: avoid gcc-16.1 section mismatch warnings

Lee Jones <lee@kernel.org>
    HID: wacom: Fix OOB write in wacom_hid_set_device_mode()

Kuniyuki Iwashima <kuniyu@google.com>
    ip6: vti: Use ip6_tnl.net in vti6_changelink().

Zhengchuan Liang <zcliangcn@gmail.com>
    xfrm: input: hold netns during deferred transport reinjection

Qi Tang <tpluszz77@gmail.com>
    ipv6: validate extension header length before copying to cmsg

Maoyi Xie <maoyixie.tju@gmail.com>
    ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().

Zhengchuan Liang <zcliangcn@gmail.com>
    ipv6: exthdrs: refresh nh after handling HAO option

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params

Justin Iurman <justin.iurman@gmail.com>
    ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()

Junrui Luo <moonafterrain@outlook.com>
    macsec: fix replay protection at XPN lower-PN wrap

Yuqi Xu <xuyq21@lenovo.com>
    bpf: sockmap: fix tail fragment offset in bpf_msg_push_data

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: elan_i2c - validate firmware size before use

Dan Carpenter <error27@gmail.com>
    usb: dwc2: Fix use after free in debug code

Peter Chen <peter.chen@cixtech.com>
    usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles

Yongchao Wu <yongchao.wu@autochips.com>
    usb: cdns3: gadget: fix request skipping after clearing halt

Johan Hovold <johan@kernel.org>
    USB: serial: omninet: fix memory corruption with small endpoint

Felix Gu <ustc.gu@gmail.com>
    iio: buffer: hw-consumer: fix use-after-free in error path

Aldo Conte <aldocontelk@gmail.com>
    iio: light: cm3323: fix reg_conf not being initialized correctly

Advait Dhamorikar <advaitd@mechasystems.com>
    iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL

Salah Triki <salah.triki@gmail.com>
    iio: temperature: tsys01: fix broken PROM checksum validation

Sanjay Chitroda <sanjayembeddedse@gmail.com>
    iio: ssp_sensors: cancel delayed work_refresh on remove

David Carlier <devnexen@gmail.com>
    iio: gyro: itg3200: fix i2c read into the wrong stack location

Salah Triki <salah.triki@gmail.com>
    iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: acquire lock when doing powerdown control

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix input raw value check

Salah Triki <salah.triki@gmail.com>
    iio: dac: max5821: fix return value check in powerdown sync

Christofer Jonason <christofer.jonason@guidelinegeo.com>
    iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: send: append trailer after expanding head

Wentao Guan <guanwentao@uniontech.com>
    USB: cdc-acm: Fix bit overlap and move quirk definitions to header

Ben Hutchings <benh@debian.org>
    parport: Fix race between port and client registration

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: ISO: fix UAF in iso_recv_frame

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: HIDP: fix missing length checks in hidp_input_report()

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

Stepan Ionichev <sozdayvek@gmail.com>
    auxdisplay: line-display: fix OOB read on zero-length message_store()

Linpu Yu <linpu5433@gmail.com>
    ipc: limit next_id allocation to the valid ID range

Mikulas Patocka <mpatocka@redhat.com>
    hpfs: fix a crash if hpfs_map_dnode_bitmap fails

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: btusb: Allow firmware re-download when version matches

hlleng <a909204013@gmail.com>
    HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse

Thomas Fourier <fourier.thomas@gmail.com>
    Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()

Johan Hovold <johan@kernel.org>
    USB: serial: safe_serial: fix memory corruption with small endpoint

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: validate connector number in ucsi_connector_change()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: altmodes/displayport: validate count before reading Status Update VDO

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: ccg: reject firmware images without a ':' record header

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock

Horatiu Vultur <horatiu.vultur@microchip.com>
    phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X

Harini Katakam <harini.katakam@amd.com>
    phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table

Sabrina Dubroca <sd@queasysnail.net>
    net: gro: don't merge zcopy skbs

Jiasheng Jiang <jiashengjiangcool@gmail.com>
    RDMA/rxe: Fix double free in rxe_srq_from_init

Ben Hutchings <benh@debian.org>
    Revert "RDMA/rxe: Fix double free in rxe_srq_from_init"

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Read Intel DPCD workaround register

Suraj Kandpal <suraj.kandpal@intel.com>
    drm/dp: Add eDP 1.5 bit definition

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register

Bingquan Chen <patzilla007@gmail.com>
    net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

Eric Dumazet <edumazet@google.com>
    net/packet: convert po->running to an atomic flag

Eric Dumazet <edumazet@google.com>
    net/packet: convert po->has_vnet_hdr to an atomic flag

Eric Dumazet <edumazet@google.com>
    net/packet: convert po->tp_loss to an atomic flag

Eric Dumazet <edumazet@google.com>
    net/packet: convert po->tp_tx_has_off to an atomic flag

Martin KaFai Lau <martin.lau@kernel.org>
    selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test

Daniel Borkmann <daniel@iogearbox.net>
    selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test

Paul Chaignon <paul.chaignon@gmail.com>
    Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test"

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: enhance align selftest's expected log matching

Stanislav Fomichev <sdf@google.com>
    selftests/bpf: Update bpf_clone_redirect expected return code

Yonghong Song <yonghong.song@linux.dev>
    bpf: Fix a few selftest failures due to llvm18 change

Jiri Olsa <jolsa@kernel.org>
    selftests/bpf: Add read_build_id function

Paul Chaignon <paul.chaignon@gmail.com>
    Revert "selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id()"

Paul Chaignon <paul.chaignon@gmail.com>
    Revert "selftests/bpf: Workaround strict bpf_lsm return value check."

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: Convert test_global_funcs test to test_loader framework

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: add generic BPF program tester-loader

Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
    mm/page_alloc: clear page->private in free_pages_prepare()

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: avoid double decrement of bla.num_requests

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: avoid empty VLAN responses

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: fix TOCTOU race for reported vlans

Sven Eckelmann <sven@narfation.org>
    batman-adv: tp_meter: directly shut down timer on cleanup

Petr Machata <petrm@nvidia.com>
    selftests: forwarding: lib: Add helpers for checksum handling

Sven Eckelmann <sven@narfation.org>
    batman-adv: iv: recover OGM scheduling after forward packet error

Sven Eckelmann <sven@narfation.org>
    batman-adv: tvlv: reject oversized TVLV packets

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: reject oversized local TVLV buffers

Sven Eckelmann <sven@narfation.org>
    batman-adv: tvlv: abort OGM send on tvlv append failure

Sven Eckelmann <sven@narfation.org>
    batman-adv: v: stop OGMv2 on disabled interface

Pavel Begunkov <asml.silence@gmail.com>
    net: skbuff: fix pskb_carve leaking zcopy pages

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: fix possible infinite loop in fib6_select_path()

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: fix possible infinite loop in rt6_fill_node()

Zhenghang Xiao <kipreyyy@gmail.com>
    sctp: fix race between sctp_wait_for_connect and peeloff

Dipayaan Roy <dipayanroy@linux.microsoft.com>
    net: mana: Add NULL guards in teardown path to prevent panic on attach failure

Marco Scardovi <scardracs@disroot.org>
    gpio: rockchip: convert bank->clk to devm_clk_get_enabled()

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp

Zhenghang Xiao <kipreyyy@gmail.com>
    Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"

Rahul Chandelkar <rc@rexion.ai>
    ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()

Jakub Kicinski <kuba@kernel.org>
    ethtool: eeprom: add more safeties to EEPROM Netlink fallback

Oliver Hartkopp <socketcan@hartkopp.net>
    bonding: refuse to enslave CAN devices

Zhao Dongdong <zhaodongdong@kylinos.cn>
    Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: codecs: simple-mux: Fix enum control bounds check

Eric Dumazet <edumazet@google.com>
    tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

Eric Dumazet <edumazet@google.com>
    vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()

Eric Dumazet <edumazet@google.com>
    tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()

Luka Gejak <luka.gejak@linux.dev>
    net: hsr: fix potential OOB access in supervision frame handling

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors

Eric Dumazet <edumazet@google.com>
    ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()

Breno Leitao <leitao@debian.org>
    net/iucv: fix locking in .getsockopt

Alexandra Winter <wintera@linux.ibm.com>
    net/smc: Do not re-initialize smc hashtables

Ilya Maximets <i.maximets@ovn.org>
    net: netlink: don't set nsid on local notifications

Ilya Maximets <i.maximets@ovn.org>
    net: netlink: fix sending unassigned nsid after assigned one

Weiming Shi <bestswngs@gmail.com>
    tun: free page on build_skb failure in tun_xdp_one()

Weiming Shi <bestswngs@gmail.com>
    tun: free page on short-frame rejection in tun_xdp_one()

Florian Westphal <fw@strlen.de>
    netfilter: ebtables: fix OOB read in compat_mtw_from_user

Florian Westphal <fw@strlen.de>
    netfilter: xt_cpu: prefer raw_smp_processor_id

Chris Mason <clm@meta.com>
    netfilter: synproxy: refresh tcphdr after skb_ensure_writable

Hongtao Lee <lihongtao@kylinos.cn>
    tools/bootconfig: Fix buf leaks in apply_xbc

Masami Hiramatsu (Google) <mhiramat@kernel.org>
    tools/bootconfig: Cleanup bootconfig footer size calculations

Carl Lee <carl.lee@amd.com>
    nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems

David Ahern <dahern@nvidia.com>
    xfrm: Check for underflow in xfrm_state_mtu

Lee Jones <lee@kernel.org>
    nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()

Lee Jones <lee@kernel.org>
    nfc: llcp: Fix use-after-free in llcp_sock_release()

Kevin Hao <haokexin@gmail.com>
    net: cpsw_new: Fix potential unregister of netdev that has not been registered yet

Carlos Eduardo Gallo Filho <gcarlos@disroot.org>
    drm: Remove plane hsub/vsub alignment requirement for core helpers

Victor Nogueria <victor@mojatatu.com>
    net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Jeremy Kerr <jk@codeconstruct.com.au>
    net: mctp: ensure our nlmsg responses are initialised

Davide Caratti <dcaratti@redhat.com>
    net/sched: cls_fw: fix NULL dereference of "old" filters before change()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size


-------------

Diffstat:

 Documentation/arm64/silicon-errata.rst             |  46 ++++
 Makefile                                           |   4 +-
 arch/arm/include/asm/io.h                          |  15 +-
 arch/arm/kernel/entry-armv.S                       |   2 +-
 arch/arm/mach-socfpga/platsmp.c                    |   1 +
 arch/arm64/Kconfig                                 |  50 +++++
 arch/arm64/include/asm/cputype.h                   |   6 +
 arch/arm64/include/asm/kvm_mmu.h                   |   4 +-
 arch/arm64/include/asm/tlb.h                       |   2 +-
 arch/arm64/include/asm/tlbflush.h                  |  52 +++--
 arch/arm64/kernel/cpu_errata.c                     |  34 ++-
 arch/arm64/kernel/sys_compat.c                     |   2 +-
 arch/arm64/kvm/arm.c                               |   5 +
 arch/arm64/kvm/hyp/nvhe/tlb.c                      |  41 +---
 arch/arm64/kvm/hyp/pgtable.c                       |   2 +-
 arch/arm64/kvm/hyp/vhe/tlb.c                       |  19 +-
 arch/arm64/mm/mmu.c                                |  36 ++--
 arch/loongarch/kernel/syscall.c                    |   3 +-
 arch/x86/kernel/cpu/amd.c                          |  18 +-
 block/blk-cgroup.c                                 |  32 +--
 drivers/auxdisplay/line-display.c                  |   2 +-
 drivers/base/power/domain.c                        |  10 +-
 drivers/bluetooth/btusb.c                          |   8 +-
 drivers/bluetooth/hci_qca.c                        |  33 ++-
 drivers/char/ipmi/ipmi_msghandler.c                |   2 +-
 drivers/char/ipmi/ipmi_ssif.c                      |  42 ++--
 drivers/comedi/drivers/comedi_test.c               |   5 +-
 drivers/counter/counter-core.c                     |   3 +-
 drivers/crypto/caam/caamalg_qi2.c                  |   4 +-
 drivers/crypto/caam/caamhash.c                     |   4 +-
 drivers/crypto/nx/nx-842.c                         |  47 +++--
 drivers/crypto/nx/nx-842.h                         |  24 ++-
 drivers/crypto/nx/nx-common-powernv.c              |  31 ++-
 drivers/crypto/nx/nx-common-pseries.c              |  33 ++-
 drivers/dma/idxd/init.c                            |   1 -
 drivers/dma/idxd/sysfs.c                           |   1 +
 drivers/gpio/gpio-rockchip.c                       |   6 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c             |   4 +-
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c           |  10 +-
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c               |   3 +
 .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c  |   5 +
 drivers/gpu/drm/amd/display/dc/basics/vector.c     |   4 +-
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |  54 +++--
 .../gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c    |   3 +-
 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c         |   4 +
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c          | 113 ++++++++--
 drivers/gpu/drm/i915/display/intel_display_types.h |   1 +
 drivers/gpu/drm/i915/display/intel_dpcd.h          |  15 ++
 drivers/gpu/drm/i915/display/intel_psr.c           |  34 ++-
 drivers/gpu/drm/i915/gem/i915_gem_phys.c           |  19 +-
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c            |  28 +--
 drivers/gpu/drm/imx/dcss/dcss-scaler.c             |   3 +
 drivers/gpu/drm/v3d/v3d_gem.c                      |   5 +
 drivers/gpu/drm/vc4/vc4_validate_shaders.c         |  13 +-
 drivers/hid/hid-core.c                             |  33 ++-
 drivers/hid/hid-gfrm.c                             |   4 +-
 drivers/hid/hid-ids.h                              |   1 +
 drivers/hid/hid-logitech-hidpp.c                   |   2 +-
 drivers/hid/hid-multitouch.c                       |   2 +-
 drivers/hid/hid-primax.c                           |   2 +-
 drivers/hid/hid-quirks.c                           |   1 +
 drivers/hid/hid-vivaldi-common.c                   |   2 +-
 drivers/hid/wacom_sys.c                            |  19 +-
 drivers/hid/wacom_wac.h                            |   1 +
 drivers/hwmon/pmbus/adm1266.c                      |  56 ++++-
 drivers/i2c/busses/i2c-qcom-cci.c                  |   2 +-
 drivers/i2c/busses/i2c-stm32f7.c                   |   6 +-
 drivers/i2c/busses/i2c-tegra.c                     |  53 +++--
 drivers/i2c/i2c-dev.c                              |   9 +-
 drivers/iio/adc/bcm_iproc_adc.c                    |   4 +-
 drivers/iio/adc/lpc32xx_adc.c                      |   4 +-
 drivers/iio/adc/npcm_adc.c                         |  31 +--
 drivers/iio/adc/spear_adc.c                        |   4 +-
 drivers/iio/adc/viperboard_adc.c                   |   4 +-
 drivers/iio/adc/xilinx-xadc-core.c                 |  11 +-
 drivers/iio/buffer/industrialio-hw-consumer.c      |   4 +-
 drivers/iio/chemical/scd30_core.c                  |  65 +++---
 drivers/iio/common/ssp_sensors/ssp_dev.c           |   1 +
 drivers/iio/dac/ad5686.c                           |  16 +-
 drivers/iio/dac/ad5686.h                           |   1 +
 drivers/iio/dac/max5821.c                          |   9 +-
 drivers/iio/gyro/adis16260.c                       |   3 +
 drivers/iio/gyro/itg3200_buffer.c                  |   2 +-
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c     |   2 +-
 drivers/iio/light/cm3323.c                         |   5 +-
 drivers/iio/magnetometer/st_magn_core.c            |  13 +-
 drivers/iio/temperature/tsys01.c                   |   2 +-
 drivers/infiniband/core/Makefile                   |   2 +-
 drivers/infiniband/core/iter.c                     |  43 ++++
 drivers/infiniband/core/verbs.c                    |  38 ----
 drivers/infiniband/hw/bnxt_re/qplib_res.c          |   2 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |   2 +-
 drivers/infiniband/hw/efa/efa_verbs.c              |   2 +-
 drivers/infiniband/hw/erdma/erdma_verbs.c          |   2 +-
 drivers/infiniband/hw/hns/hns_roce_alloc.c         |   2 +-
 drivers/infiniband/hw/irdma/main.h                 |   2 +-
 drivers/infiniband/hw/mlx4/mr.c                    |   1 +
 drivers/infiniband/hw/mlx5/mem.c                   |   1 +
 drivers/infiniband/hw/mlx5/umr.c                   |   1 +
 drivers/infiniband/hw/mthca/mthca_provider.c       |   2 +-
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c        |   2 +-
 drivers/infiniband/hw/qedr/verbs.c                 |   2 +-
 drivers/infiniband/hw/vmw_pvrdma/pvrdma.h          |   2 +-
 drivers/infiniband/sw/rxe/rxe_qp.c                 |   4 +-
 drivers/infiniband/sw/rxe/rxe_srq.c                |   3 -
 drivers/infiniband/ulp/isert/ib_isert.c            |   6 +
 drivers/infiniband/ulp/srp/ib_srp.c                |  30 ++-
 drivers/input/keyboard/atkbd.c                     |  15 ++
 drivers/input/misc/ims-pcu.c                       |   2 +-
 drivers/input/mouse/elan_i2c_core.c                |   5 +
 drivers/input/mouse/synaptics.c                    |   1 +
 drivers/input/touchscreen/atmel_mxt_ts.c           |   2 +-
 drivers/input/touchscreen/usbtouchscreen.c         |   5 +
 drivers/iommu/io-pgtable-arm-v7s.c                 |  18 +-
 drivers/md/dm-cache-policy-smq.c                   |  12 +-
 drivers/media/rc/igorplugusb.c                     |  16 +-
 drivers/media/rc/ttusbir.c                         |  13 +-
 drivers/misc/fastrpc.c                             | 102 +++++----
 drivers/mmc/core/mmc.c                             |   4 +-
 drivers/mmc/host/litex_mmc.c                       |  20 +-
 drivers/mmc/host/renesas_sdhi_internal_dmac.c      |   1 +
 drivers/mmc/host/sdhci.c                           |   1 +
 drivers/mtd/spi-nor/core.c                         |   1 +
 drivers/mtd/spi-nor/debugfs.c                      |   4 +-
 drivers/net/bonding/bond_main.c                    |  19 +-
 drivers/net/bonding/bond_options.c                 |   2 +
 drivers/net/ethernet/amd/pcnet32.c                 |   4 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |   2 +-
 drivers/net/ethernet/freescale/fec_main.c          |   3 +-
 drivers/net/ethernet/intel/ice/ice_virtchnl.c      |   2 +-
 drivers/net/ethernet/marvell/mv643xx_eth.c         |   2 +-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |  75 ++++---
 drivers/net/ethernet/marvell/octeontx2/af/cgx.c    |  13 +-
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c    |   2 +-
 drivers/net/ethernet/marvell/octeontx2/af/rvu.h    |   1 +
 .../net/ethernet/marvell/octeontx2/af/rvu_npc.c    |  32 +--
 .../net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c |   2 +-
 .../ethernet/marvell/octeontx2/nic/otx2_common.c   |   2 +
 drivers/net/ethernet/mellanox/mlx4/cq.c            |   9 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |   6 +-
 drivers/net/ethernet/microchip/lan743x_main.c      |  32 +++
 drivers/net/ethernet/microchip/lan743x_main.h      |   1 +
 drivers/net/ethernet/microsoft/mana/mana_en.c      |  72 ++++---
 drivers/net/ethernet/stmicro/stmmac/chain_mode.c   |   2 +-
 drivers/net/ethernet/stmicro/stmmac/common.h       |   2 +-
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c    |   2 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  47 +++--
 drivers/net/ethernet/ti/cpsw_new.c                 |   4 +-
 drivers/net/hyperv/netvsc.c                        |  19 +-
 drivers/net/macsec.c                               |   3 +-
 drivers/net/phy/mscc/mscc.h                        |   9 +-
 drivers/net/phy/mscc/mscc_main.c                   |  38 +---
 drivers/net/tap.c                                  |   2 +
 drivers/net/tun.c                                  |   5 +-
 drivers/net/usb/r8152.c                            | 211 ++++++++++++++++---
 drivers/net/vxlan/vxlan_core.c                     |   4 +-
 drivers/net/vxlan/vxlan_vnifilter.c                |   5 +-
 drivers/net/wireguard/send.c                       |  20 +-
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |   4 +
 drivers/net/wireless/marvell/mwifiex/init.c        |   2 +-
 drivers/net/wwan/t7xx/t7xx_modem_ops.c             |  17 +-
 drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c         |  18 +-
 drivers/net/wwan/t7xx/t7xx_port_proxy.h            |   2 +-
 drivers/nfc/nxp-nci/i2c.c                          |  21 +-
 drivers/parport/share.c                            |  11 +-
 drivers/phy/tegra/xusb-tegra186.c                  |  38 +++-
 drivers/phy/tegra/xusb.h                           |   1 +
 drivers/platform/x86/intel/vsec.c                  |  77 +++++--
 drivers/platform/x86/intel/vsec.h                  |   2 +-
 drivers/ptp/ptp_vclock.c                           |  14 +-
 drivers/scsi/fcoe/fcoe_ctlr.c                      |   2 +-
 drivers/scsi/scsi_transport_fc.c                   |  77 +++----
 drivers/slimbus/qcom-ngd-ctrl.c                    |   5 +-
 drivers/spi/spi-amd.c                              |   2 +-
 drivers/spi/spi-cavium-thunderx.c                  |   2 +-
 drivers/spi/spi-falcon.c                           |   2 +-
 drivers/spi/spi-imx.c                              |   8 +-
 drivers/spi/spi-lantiq-ssc.c                       |   8 +-
 drivers/spi/spi-lp8841-rtc.c                       |   2 +-
 drivers/spi/spi-microchip-core-qspi.c              |  47 ++---
 drivers/spi/spi-mxs.c                              |   2 +-
 drivers/spi/spi-omap-uwire.c                       |   2 +-
 drivers/spi/spi-pic32-sqi.c                        |   2 +-
 drivers/spi/spi-qcom-qspi.c                        |   2 +-
 drivers/spi/spi-qup.c                              | 169 +++++++--------
 drivers/spi/spi-rockchip-sfc.c                     |   2 +-
 drivers/spi/spi-s3c64xx.c                          |  44 +---
 drivers/spi/spi-sprd-adi.c                         |   2 +-
 drivers/spi/spi-st-ssc4.c                          |  76 +++----
 drivers/spi/spi-sun4i.c                            |  84 ++++----
 drivers/spi/spi-sun6i.c                            |   9 +-
 drivers/spi/spi-synquacer.c                        |  92 ++++----
 drivers/spi/spi-tegra114.c                         |   8 +-
 drivers/spi/spi-tegra20-sflash.c                   |   8 +-
 drivers/spi/spi-ti-qspi.c                          |  97 +++++----
 drivers/spi/spi-topcliff-pch.c                     |   6 +-
 drivers/spi/spi-uniphier.c                         | 216 ++++++++++---------
 drivers/spi/spi-xcomm.c                            |   2 +-
 drivers/spi/spi-zynq-qspi.c                        |  89 +++-----
 drivers/spi/spi-zynqmp-gqspi.c                     |   4 +-
 drivers/spi/spi.c                                  |  61 +++---
 drivers/staging/greybus/hid.c                      |   2 +-
 drivers/target/iscsi/iscsi_target.c                |   6 +-
 drivers/target/iscsi/iscsi_target_auth.c           |  19 +-
 drivers/target/iscsi/iscsi_target_nego.c           |   7 +-
 drivers/target/iscsi/iscsi_target_parameters.c     |  62 ++++--
 drivers/target/iscsi/iscsi_target_parameters.h     |   2 +-
 drivers/tee/optee/supp.c                           | 107 +++++++---
 drivers/thermal/thermal_core.c                     |   7 +-
 drivers/thunderbolt/property.c                     |  38 +++-
 drivers/thunderbolt/xdomain.c                      |  14 +-
 drivers/tty/serial/altera_jtaguart.c               |   7 +-
 drivers/tty/serial/dz.c                            |  57 ++---
 drivers/tty/serial/fsl_lpuart.c                    |  15 +-
 drivers/tty/serial/pch_uart.c                      |  19 +-
 drivers/tty/serial/qcom_geni_serial.c              |  75 +++----
 drivers/tty/serial/samsung_tty.c                   | 130 ++++++------
 drivers/tty/serial/sh-sci.c                        |   2 +-
 drivers/tty/serial/zs.c                            |  40 ++--
 drivers/tty/serial/zs.h                            |   2 +-
 drivers/usb/cdns3/cdns3-gadget.c                   |  12 +-
 drivers/usb/cdns3/cdns3-plat.c                     |  11 +-
 drivers/usb/chipidea/core.c                        |  16 +-
 drivers/usb/class/cdc-acm.c                        |   2 -
 drivers/usb/class/cdc-acm.h                        |   2 +
 drivers/usb/class/usbtmc.c                         |  14 ++
 drivers/usb/core/config.c                          |   9 +-
 drivers/usb/core/hcd.c                             |   4 +-
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/dwc2/hcd.c                             |   4 +-
 drivers/usb/dwc3/core.c                            |  12 +-
 drivers/usb/dwc3/dwc3-xilinx.c                     |  26 +--
 drivers/usb/gadget/function/f_fs.c                 |   2 +-
 drivers/usb/gadget/function/f_hid.c                |  20 +-
 drivers/usb/gadget/function/f_ncm.c                |  33 ++-
 drivers/usb/gadget/function/u_ether.c              |  28 ++-
 drivers/usb/gadget/function/u_ether.h              |  26 +++
 drivers/usb/gadget/function/u_ncm.h                |   2 +-
 drivers/usb/gadget/udc/dummy_hcd.c                 |   4 +
 drivers/usb/gadget/udc/net2280.c                   |   4 +-
 drivers/usb/host/xhci-tegra.c                      |  76 ++++---
 drivers/usb/musb/omap2430.c                        |   3 +-
 drivers/usb/serial/belkin_sa.c                     |   3 +
 drivers/usb/serial/cypress_m8.c                    |  20 +-
 drivers/usb/serial/digi_acceleport.c               |  23 +-
 drivers/usb/serial/io_ti.c                         |  11 +
 drivers/usb/serial/keyspan.c                       |   4 +
 drivers/usb/serial/kl5kusb105.c                    |   4 +-
 drivers/usb/serial/mct_u232.c                      |  26 ++-
 drivers/usb/serial/mxuport.c                       |   8 +
 drivers/usb/serial/omninet.c                       |   9 +-
 drivers/usb/serial/option.c                        |  12 +-
 drivers/usb/serial/safe_serial.c                   |  11 +
 drivers/usb/storage/unusual_uas.h                  |   7 +
 drivers/usb/typec/altmodes/displayport.c           |   2 +
 drivers/usb/typec/tcpm/tcpm.c                      |   2 +
 drivers/usb/typec/tcpm/wcove.c                     |  13 +-
 drivers/usb/typec/ucsi/displayport.c               |   4 +
 drivers/usb/typec/ucsi/ucsi.c                      |  24 ++-
 drivers/usb/typec/ucsi/ucsi_ccg.c                  |   5 +
 drivers/usb/usbip/vudc_dev.c                       |   1 +
 drivers/usb/usbip/vudc_transfer.c                  |   3 +-
 drivers/video/fbdev/core/fb_defio.c                | 164 +++++++++++++--
 drivers/video/fbdev/core/fbcon_rotate.c            |   5 +-
 drivers/video/fbdev/vt8500lcdfb.c                  |   2 +-
 fs/btrfs/inode.c                                   |   2 +
 fs/btrfs/ioctl.c                                   |   5 +-
 fs/btrfs/space-info.c                              |   8 +-
 fs/btrfs/sysfs.c                                   |   5 +-
 fs/btrfs/sysfs.h                                   |   3 +-
 fs/ceph/dir.c                                      |   6 +-
 fs/erofs/decompressor.c                            |   1 +
 fs/f2fs/data.c                                     |   4 +-
 fs/f2fs/f2fs.h                                     |   5 +-
 fs/f2fs/inline.c                                   |  13 +-
 fs/f2fs/node.c                                     |   4 +-
 fs/f2fs/segment.c                                  |  10 +-
 fs/f2fs/super.c                                    |  29 ++-
 fs/fcntl.c                                         |   8 +-
 fs/fuse/dev.c                                      |   9 +-
 fs/hfsplus/bfind.c                                 |  51 +++++
 fs/hfsplus/catalog.c                               |   4 +-
 fs/hfsplus/dir.c                                   |   2 +-
 fs/hfsplus/hfsplus_fs.h                            |   9 +
 fs/hfsplus/super.c                                 |   6 +-
 fs/hpfs/alloc.c                                    |   2 +-
 fs/iomap/buffered-io.c                             |   4 -
 fs/ntfs3/xattr.c                                   |   1 +
 fs/smb/client/cifsacl.c                            | 128 +++++++++--
 fs/smb/client/ioctl.c                              |   2 +-
 fs/smb/client/netlink.c                            |   6 +-
 fs/smb/client/smb2transport.c                      |  32 ++-
 fs/smb/server/smb2pdu.c                            |  11 +
 fs/smb/server/smbacl.c                             |  17 +-
 fs/udf/super.c                                     |   4 +-
 fs/xfs/xfs_buf.c                                   |   1 +
 include/drm/display/drm_dp.h                       |   1 +
 include/drm/drm_fourcc.h                           |   5 +-
 include/linux/compat.h                             |   4 +
 include/linux/compiler-clang.h                     |   6 +
 include/linux/compiler_attributes.h                |  11 +
 include/linux/compiler_types.h                     |   4 +
 include/linux/damon.h                              |   2 +
 include/linux/fb.h                                 |   4 +-
 include/linux/hid.h                                |  15 +-
 include/linux/hugetlb.h                            |  14 +-
 include/linux/mm.h                                 |   5 -
 include/linux/parport.h                            |   1 +
 include/linux/printk.h                             |  13 ++
 include/linux/syscalls.h                           |   4 +
 include/net/act_api.h                              |   1 +
 include/net/bluetooth/bluetooth.h                  |   1 +
 include/net/bluetooth/l2cap.h                      |   1 +
 include/net/bonding.h                              |   1 +
 include/net/genetlink.h                            |   9 +-
 include/net/ip_vs.h                                |   3 +-
 include/net/mctp.h                                 |   3 +
 include/net/netfilter/nf_conntrack_core.h          |   5 +
 include/net/netfilter/nf_conntrack_helper.h        |   1 +
 include/net/sock.h                                 |   1 +
 include/net/xfrm.h                                 |   3 +-
 include/rdma/ib_umem.h                             |  36 +---
 include/rdma/ib_verbs.h                            |  48 -----
 include/rdma/iter.h                                |  88 ++++++++
 ipc/shm.c                                          |  10 +-
 ipc/util.c                                         |   2 +-
 kernel/cgroup/cpuset.c                             |   8 +-
 kernel/pid.c                                       |   8 +-
 kernel/sched/core.c                                |   2 +-
 kernel/sched/rt.c                                  |   2 +-
 kernel/sched/sched.h                               |   2 +-
 kernel/signal.c                                    |   1 +
 kernel/time/time.c                                 |   2 +-
 kernel/trace/trace_probe.c                         |   6 +
 kernel/trace/trace_probe.h                         |   4 +-
 kernel/tracepoint.c                                |   2 +
 lib/debugobjects.c                                 |   2 +-
 lib/mpi/mpicoder.c                                 |   2 +-
 lib/test_hmm.c                                     |  86 ++++----
 mm/damon/core.c                                    |  37 +++-
 mm/damon/lru_sort.c                                |  84 +++++---
 mm/damon/ops-common.c                              |   4 +-
 mm/damon/reclaim.c                                 |  84 +++++---
 mm/gup.c                                           |   2 +-
 mm/huge_memory.c                                   |   2 +
 mm/hugetlb.c                                       | 113 +++++++---
 mm/memory-failure.c                                |  92 ++++----
 mm/memory.c                                        |   2 +-
 mm/memory_hotplug.c                                |   2 +-
 mm/mempolicy.c                                     |   2 +-
 mm/migrate.c                                       |  18 +-
 mm/page_alloc.c                                    |   1 +
 net/6lowpan/iphc.c                                 |   4 +-
 net/802/garp.c                                     |   2 +-
 net/802/mrp.c                                      |   9 +
 net/batman-adv/bat_iv_ogm.c                        |  82 ++++++--
 net/batman-adv/bat_v_ogm.c                         |  59 +++---
 net/batman-adv/bridge_loop_avoidance.c             |  57 +++--
 net/batman-adv/main.c                              |   1 +
 net/batman-adv/soft-interface.c                    |   1 +
 net/batman-adv/tp_meter.c                          | 109 +++++++---
 net/batman-adv/tp_meter.h                          |   1 +
 net/batman-adv/translation-table.c                 |  43 +++-
 net/batman-adv/tvlv.c                              |  28 ++-
 net/batman-adv/tvlv.h                              |   2 +-
 net/batman-adv/types.h                             |  46 +++-
 net/bluetooth/6lowpan.c                            |   2 +
 net/bluetooth/af_bluetooth.c                       | 113 ++++++++--
 net/bluetooth/bnep/core.c                          |  50 +++--
 net/bluetooth/hci_sync.c                           |   5 +
 net/bluetooth/hci_sysfs.c                          |   6 +-
 net/bluetooth/hidp/core.c                          |  23 +-
 net/bluetooth/hidp/sock.c                          |  10 +-
 net/bluetooth/iso.c                                |  12 +-
 net/bluetooth/l2cap_core.c                         |  87 +++++++-
 net/bluetooth/l2cap_sock.c                         |  35 +---
 net/bluetooth/mgmt.c                               |  17 +-
 net/bluetooth/rfcomm/core.c                        |  69 ++++--
 net/bluetooth/rfcomm/sock.c                        |  26 ++-
 net/bridge/br_arp_nd_proxy.c                       |   8 +-
 net/bridge/br_fdb.c                                |  28 ++-
 net/bridge/netfilter/ebt_snat.c                    |   3 +
 net/bridge/netfilter/ebtables.c                    |  30 +++
 net/core/drop_monitor.c                            |   2 +-
 net/core/filter.c                                  |  17 +-
 net/core/gro.c                                     |   3 +
 net/core/skbuff.c                                  |  20 +-
 net/core/sock.c                                    |  13 +-
 net/ethtool/eeprom.c                               |   5 +-
 net/hsr/hsr_forward.c                              |   4 +-
 net/hsr/hsr_framereg.c                             |   6 +-
 net/ieee802154/6lowpan/tx.c                        |   5 +
 net/ipv4/ah4.c                                     |  31 +--
 net/ipv4/esp4.c                                    |   4 +-
 net/ipv4/ip_options.c                              |   4 +
 net/ipv4/ip_tunnel_core.c                          |  22 +-
 net/ipv4/netfilter/arp_tables.c                    |  15 +-
 net/ipv4/netfilter/ip_tables.c                     |  15 +-
 net/ipv4/netfilter/nf_nat_h323.c                   |   2 +
 net/ipv4/netfilter/nft_fib_ipv4.c                  |   2 +-
 net/ipv4/sysctl_net_ipv4.c                         |   2 +-
 net/ipv4/udp.c                                     |   8 +
 net/ipv6/ah6.c                                     |  29 ++-
 net/ipv6/datagram.c                                |  54 ++++-
 net/ipv6/esp6.c                                    |   4 +-
 net/ipv6/exthdrs.c                                 |  21 +-
 net/ipv6/ip6_vti.c                                 |  25 ++-
 net/ipv6/mcast.c                                   |   8 +-
 net/ipv6/netfilter/ip6_tables.c                    |  15 +-
 net/ipv6/netfilter/nft_fib_ipv6.c                  |   2 +-
 net/ipv6/route.c                                   |   5 +
 net/ipv6/sit.c                                     |   1 +
 net/iucv/af_iucv.c                                 |  20 +-
 net/key/af_key.c                                   |   6 +-
 net/mac80211/mlme.c                                |   4 +-
 net/mctp/device.c                                  |   1 +
 net/mctp/neigh.c                                   |   1 +
 net/mctp/route.c                                   |   9 +-
 net/mptcp/options.c                                |  43 ++--
 net/mptcp/pm.c                                     |  34 ++-
 net/mptcp/pm_netlink.c                             |  45 ++--
 net/mptcp/protocol.c                               |  29 ++-
 net/mptcp/sockopt.c                                |   8 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |  13 +-
 net/netfilter/ipvs/ip_vs_proto_sctp.c              |  18 +-
 net/netfilter/ipvs/ip_vs_proto_tcp.c               |  21 +-
 net/netfilter/ipvs/ip_vs_proto_udp.c               |  20 +-
 net/netfilter/ipvs/ip_vs_sched.c                   |  14 +-
 net/netfilter/nf_conntrack_ecache.c                |   2 +
 net/netfilter/nf_conntrack_expect.c                |  10 +-
 net/netfilter/nf_conntrack_helper.c                |  19 ++
 net/netfilter/nf_conntrack_irc.c                   |   4 +-
 net/netfilter/nf_conntrack_netlink.c               |  28 ++-
 net/netfilter/nf_conntrack_proto_tcp.c             |   3 +-
 net/netfilter/nf_log_syslog.c                      |   4 +-
 net/netfilter/nf_nat_core.c                        |   2 +
 net/netfilter/nf_nat_sip.c                         |   1 +
 net/netfilter/nf_synproxy_core.c                   |  26 ++-
 net/netfilter/nf_tables_api.c                      |  41 +++-
 net/netfilter/nft_exthdr.c                         |   3 +
 net/netfilter/nft_fib.c                            |   6 +
 net/netfilter/nft_set_bitmap.c                     |   4 +-
 net/netfilter/nft_set_hash.c                       |   8 +-
 net/netfilter/nft_set_pipapo.c                     |   5 +-
 net/netfilter/nft_set_rbtree.c                     |   4 +-
 net/netfilter/nft_tunnel.c                         |   2 +-
 net/netfilter/xt_NFQUEUE.c                         |   2 +-
 net/netfilter/xt_cpu.c                             |   2 +-
 net/netlabel/netlabel_unlabeled.c                  |  30 +--
 net/netlink/af_netlink.c                           |  11 +-
 net/netlink/genetlink.c                            |   4 +-
 net/nfc/hci/core.c                                 |  10 +
 net/nfc/llcp_core.c                                |  11 +
 net/nfc/llcp_sock.c                                |   2 +
 net/nfc/nci/hci.c                                  |  10 +
 net/openvswitch/datapath.c                         |   1 +
 net/packet/af_packet.c                             |  74 ++++---
 net/packet/diag.c                                  |   6 +-
 net/packet/internal.h                              |   8 +-
 net/psample/psample.c                              |   2 +-
 net/qrtr/af_qrtr.c                                 |   4 +-
 net/qrtr/ns.c                                      | 180 ++++++----------
 net/rds/ib_cm.c                                    |   1 +
 net/rds/ib_send.c                                  |   2 +
 net/rds/info.c                                     |   2 +-
 net/sched/act_api.c                                |   7 +-
 net/sched/cls_fw.c                                 |   6 +-
 net/sched/sch_netem.c                              |  40 ----
 net/sched/sch_sfb.c                                |   2 +-
 net/sctp/diag.c                                    |  17 +-
 net/sctp/input.c                                   |   8 +
 net/sctp/sm_statefuns.c                            |   6 +-
 net/sctp/socket.c                                  |   2 +
 net/sctp/stream.c                                  |   6 +-
 net/smc/af_smc.c                                   |  21 +-
 net/socket.c                                       |  11 +-
 net/vmw_vsock/vmci_transport.c                     |   4 +-
 net/wireless/nl80211.c                             |   3 +
 net/xfrm/espintcp.c                                |   4 +
 net/xfrm/xfrm_input.c                              |  16 +-
 net/xfrm/xfrm_policy.c                             |  15 +-
 net/xfrm/xfrm_state.c                              |  35 +++-
 net/xfrm/xfrm_user.c                               |   5 +-
 security/apparmor/policy_unpack.c                  |  27 +--
 sound/aoa/codecs/onyx.c                            | 104 +++------
 sound/aoa/codecs/tas.c                             | 113 ++++------
 sound/aoa/core/gpio-feature.c                      |  20 +-
 sound/aoa/core/gpio-pmf.c                          |  26 +--
 sound/aoa/soundbus/i2sbus/core.c                   |   3 +
 sound/aoa/soundbus/i2sbus/pcm.c                    | 143 ++++++-------
 sound/core/pcm_native.c                            |   7 +-
 sound/core/timer.c                                 |   1 +
 .../motu/motu-register-dsp-message-parser.c        |  14 +-
 sound/pci/hda/patch_hdmi.c                         |   1 +
 sound/soc/codecs/simple-mux.c                      |   2 +-
 sound/soc/codecs/wm_adsp.c                         |   3 +
 sound/soc/intel/boards/bytcht_es8316.c             |  29 ++-
 sound/soc/qcom/qdsp6/q6asm-dai.c                   |  43 ++--
 tools/bootconfig/main.c                            |  23 +-
 tools/perf/Makefile.config                         |   1 +
 tools/perf/util/Build                              |  32 ++-
 tools/perf/util/expr.y                             |   4 +-
 tools/perf/util/parse-events.y                     |   3 +
 tools/perf/util/pmu.y                              |   3 +
 tools/scripts/utilities.mak                        |  20 ++
 tools/testing/selftests/bpf/DENYLIST.s390x         |   1 -
 tools/testing/selftests/bpf/Makefile               |   2 +-
 tools/testing/selftests/bpf/prog_tests/align.c     |  18 +-
 tools/testing/selftests/bpf/prog_tests/bpf_nf.c    |   6 +-
 tools/testing/selftests/bpf/prog_tests/empty_skb.c |  12 +-
 .../bpf/prog_tests/libbpf_get_fd_by_id_opts.c      |  87 --------
 .../selftests/bpf/prog_tests/ns_current_pid_tgid.c |  73 -------
 .../selftests/bpf/prog_tests/test_global_funcs.c   | 131 +++---------
 .../selftests/bpf/prog_tests/xdp_synproxy.c        |   6 +-
 tools/testing/selftests/bpf/progs/bpf_misc.h       |   5 +
 .../selftests/bpf/progs/test_global_func1.c        |   6 +-
 .../selftests/bpf/progs/test_global_func10.c       |   1 +
 .../selftests/bpf/progs/test_global_func11.c       |   4 +-
 .../selftests/bpf/progs/test_global_func12.c       |   4 +-
 .../selftests/bpf/progs/test_global_func13.c       |   4 +-
 .../selftests/bpf/progs/test_global_func14.c       |   4 +-
 .../selftests/bpf/progs/test_global_func15.c       |   4 +-
 .../selftests/bpf/progs/test_global_func16.c       |   4 +-
 .../selftests/bpf/progs/test_global_func17.c       |   5 +-
 .../selftests/bpf/progs/test_global_func2.c        |  43 +++-
 .../selftests/bpf/progs/test_global_func3.c        |  10 +-
 .../selftests/bpf/progs/test_global_func4.c        |  55 ++++-
 .../selftests/bpf/progs/test_global_func5.c        |   4 +-
 .../selftests/bpf/progs/test_global_func6.c        |   4 +-
 .../selftests/bpf/progs/test_global_func7.c        |   4 +-
 .../selftests/bpf/progs/test_global_func8.c        |   4 +-
 .../selftests/bpf/progs/test_global_func9.c        |   4 +-
 .../bpf/progs/test_libbpf_get_fd_by_id_opts.c      |  37 ----
 .../selftests/bpf/progs/test_ns_current_pid_tgid.c |   7 -
 tools/testing/selftests/bpf/test_loader.c          | 233 +++++++++++++++++++++
 tools/testing/selftests/bpf/test_progs.h           |  33 +++
 tools/testing/selftests/bpf/trace_helpers.c        |  82 ++++++++
 tools/testing/selftests/bpf/trace_helpers.h        |   5 +
 tools/testing/selftests/bpf/verifier/int_ptr.c     |   6 +-
 tools/testing/selftests/net/forwarding/lib.sh      |  56 +++++
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |   6 +-
 tools/testing/selftests/ptp/testptp.c              |  62 +-----
 tools/testing/selftests/vm/hmm-tests.c             |  50 +++++
 543 files changed, 6595 insertions(+), 3687 deletions(-)




* [PATCH 6.1 001/522] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 002/522] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
                   ` (521 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, stable

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.

nexio_read_data() pulls data_len and x_len from a packed __be16 header
in the device's interrupt packet and then walks packet->data[0..x_len)
and packet->data[x_len..data_len) comparing each byte against a
threshold.

Both fields are 16-bit on the wire (max 65535).  The existing
adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
reach roughly 0xfeff.  The URB transfer buffer for NEXIO is rept_size
(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
packed header — so packet->data[] has 1017 valid bytes.  read_data()
callbacks are not given urb->actual_length, and nothing else bounds the
walk.

A device that lies about its length can get a ~64 KiB out-of-bounds read
past the coherent DMA allocation.  The first index whose byte exceeds
NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
reported touch coordinates, so adjacent kernel memory contents leak to
userspace as ABS_X / ABS_Y events.  Far enough out, the read can also
hit an unmapped page and fault.

Fix this all by clamping data_len to the buffer's data[] capacity and
x_len to data_len.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/touchscreen/usbtouchscreen.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -1061,6 +1061,11 @@ static int nexio_read_data(struct usbtou
 	if (x_len > 0xff)
 		x_len -= 0x80;
 
+	if (data_len > usbtouch->data_size - sizeof(*packet))
+		data_len = usbtouch->data_size - sizeof(*packet);
+	if (x_len > data_len)
+		x_len = data_len;
+
 	/* send ACK */
 	ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
 	if (ret)
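Review bot: the added clamp on `data_len` bounds the walk by the buffer's capacity (`usbtouch->data_size - sizeof(*packet)`), not by the number of bytes received in this URB, so a short packet that claims a large length is still scanned over whatever the buffer held from earlier transfers. The commit message already notes that read_data() callbacks are not given urb->actual_length; a one-line comment above the clamp saying so would document that remaining in-bounds stale read as a known limitation. The subtraction is also written twice, and the type of `data_size` is not visible in the hunk: if it is an int, the arithmetic is done in size_t and would wrap to a huge bound if `data_size` were ever smaller than the header. Computing it once into a local (for example `max_len`) with a comment that the NEXIO buffer is rept_size (1024) bytes would make that assumption explicit.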




* [PATCH 6.1 002/522] net/sched: cls_fw: fix NULL dereference of "old" filters before change()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 001/522] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 003/522] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
                   ` (520 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Davide Caratti,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit 65782b2db7321d5f97c16718c4c7f6c7205a56be ]

Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched:
protect filter_chain list with filter_chain_lock mutex") TC filters are
added to a shared block and published to datapath before their ->change()
function is called. This is a problem for cls_fw: an invalid filter
created with the "old" method can still classify some packets before it
is destroyed by the validation logic added by Xiang.
Therefore, insisting with repeated runs of the following script:

 # ip link add dev crash0 type dummy
 # ip link set dev crash0 up
 # mausezahn  crash0 -c 100000 -P 10 \
 > -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
 # sleep 1
 # tc qdisc add dev crash0 egress_block 1 clsact
 # tc filter add block 1 protocol ip prio 1 matchall \
 > action skbedit mark 65536 continue
 # tc filter add block 1 protocol ip prio 2 fw
 # ip link del dev crash0

can still make fw_classify() hit the WARN_ON() in [2]:

 WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
 Modules linked in: cls_fw(E) act_skbedit(E)
 CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)
 Tainted: [E]=UNSIGNED_MODULE
 Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
 RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
 Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
 RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
 RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
 RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
 RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
 R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
 FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
 Call Trace:
  <TASK>
  tcf_classify+0x17d/0x5c0
  tc_run+0x9d/0x150
  __dev_queue_xmit+0x2ab/0x14d0
  ip_finish_output2+0x340/0x8f0
  ip_output+0xa4/0x250
  raw_sendmsg+0x147d/0x14b0
  __sys_sendto+0x1cc/0x1f0
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x126/0xf80
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7fca40e822ba
 Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
 RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
 RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
 RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
 R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
  </TASK>
 irq event stamp: 1045778
 hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60
 hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60
 softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260
 softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0

Then, because of the value in the packet's mark, dereference on 'q->handle'
with NULL 'q' occurs:

 BUG: kernel NULL  pointer dereference, address: 0000000000000038
 [...]
 RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
 [...]

Skip "old-style" classification on shared blocks, so that the NULL
dereference is fixed and WARN_ON() is not hit anymore in the short
lifetime of invalid cls_fw "old-style" filters.

[1] https://sashiko.dev/#/patchset/20260331050217.504278-1-xmei5%40asu.edu
[2] https://elixir.bootlin.com/linux/v7.0-rc6/source/include/net/pkt_cls.h#L86

Fixes: faeea8bbf6e9 ("net/sched: cls_fw: fix NULL pointer dereference on shared blocks")
Fixes: ed76f5edccc9 ("net: sched: protect filter_chain list with filter_chain_lock mutex")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/e39cbd3103a337f1e515d186fe697b4459d24757.1775661704.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/cls_fw.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 366bcc960e43e6..979662292dced6 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -72,9 +72,13 @@ static int fw_classify(struct sk_buff *skb, const struct tcf_proto *tp,
 			}
 		}
 	} else {
-		struct Qdisc *q = tcf_block_q(tp->chain->block);
+		struct Qdisc *q;
 
 		/* Old method: classify the packet using its skb mark. */
+		if (tcf_block_shared(tp->chain->block))
+			return -1;
+
+		q = tcf_block_q(tp->chain->block);
 		if (id && (TC_H_MAJ(id) == 0 ||
 			   !(TC_H_MAJ(id ^ q->handle)))) {
 			res->classid = id;
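Review bot: the early return at `if (tcf_block_shared(tp->chain->block))` sits under the "Old method" comment with nothing saying why shared blocks are excluded. A one-line comment noting that on a shared block `q` can be NULL when `q->handle` is read (the dereference described in the commit message) would keep a later cleanup from folding the check away or moving `q = tcf_block_q(...)` back above it.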
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 003/522] net: mctp: ensure our nlmsg responses are initialised
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 001/522] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 002/522] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 004/522] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
                   ` (519 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Simon Horman,
	Jakub Kicinski, Li hongliang, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Kerr <jk@codeconstruct.com.au>

[ Upstream commit a6a9bc544b675d8b5180f2718ec985ad267b5cbf ]

Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitialised data in the pad
bytes of the ndmsg data.

Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.

Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mctp/device.c | 1 +
 net/mctp/neigh.c  | 1 +
 net/mctp/route.c  | 1 +
 3 files changed, 3 insertions(+)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index 85cc5f31f1e7c0..fd368249246dff 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -71,6 +71,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->ifa_family = AF_MCTP;
 	hdr->ifa_prefixlen = 0;
 	hdr->ifa_flags = 0;
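Review bot: once `memset(hdr, 0, sizeof(*hdr));` is in place, the `hdr->ifa_prefixlen = 0;` and `hdr->ifa_flags = 0;` assignments that follow are redundant. They can stay as documentation, but a short comment saying the memset() must remain ahead of the field assignments would make it clear that it is the memset(), not the per-field stores, that zeroes any field or padding not named here.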
diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c
index 590f642413e4ef..c0151a69d2b7c2 100644
--- a/net/mctp/neigh.c
+++ b/net/mctp/neigh.c
@@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->ndm_family = AF_MCTP;
 	hdr->ndm_ifindex = dev->ifindex;
 	hdr->ndm_state = 0; // TODO other state bits?
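Review bot: `sizeof(*hdr)` zeroes only the fixed header, which matches the report (pad bytes of the ndmsg data), but nothing appended after this point is covered. It is worth checking that every attribute written later in mctp_fill_neigh() fills its whole payload, so the header is not the only part of the response that is guaranteed to be initialised.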
diff --git a/net/mctp/route.c b/net/mctp/route.c
index fdeaf80691e555..c9b0b75422432e 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -1331,6 +1331,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->rtm_family = AF_MCTP;
 
 	/* we use the _len fields as a number of EIDs, rather than
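Review bot: this is the third copy of the same `hdr = nlmsg_data(nlh);` / `memset(hdr, 0, sizeof(*hdr));` pair in this patch. A small shared helper that hands back an already zeroed header would stop a future fill function from reintroducing the leak by leaving the memset() out.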
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 004/522] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 003/522] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 005/522] drm: Remove plane hsub/vsub alignment requirement for core helpers Greg Kroah-Hartman
                   ` (518 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Victor Nogueria, Eric Dumazet,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Victor Nogueria <victor@mojatatu.com>

[ Upstream commit 1b9bc71153b01dbde8045b9edede4240f4f5520e ]

When sfb has children (eg qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (sfb in this case), it will do the following:
 1a. do a peek() - and when sensing there's an skb the child can offer, then
     - the child in this case (sfb) calls its child's (qfq) peek.
        qfq does the right thing and will return the gso_skb queue packet.
        Note: if there wasn't a gso_skb entry then qfq will store it there.
 1b. invoke a dequeue() on the child (sfb). And herein lies the problem.
     - sfb will call the child's dequeue() which will essentially just
       try to grab something of qfq's queue.

[  127.594489][  T453] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[  127.594741][  T453] CPU: 2 UID: 0 PID: 453 Comm: ping Not tainted 7.1.0-rc1-00035-gac961974495b-dirty #793 PREEMPT(full)
[  127.595059][  T453] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  127.595254][  T453] RIP: 0010:qfq_dequeue+0x35c/0x1650 [sch_qfq]
[  127.595461][  T453] Code: 00 fc ff df 80 3c 02 00 0f 85 17 0e 00 00 4c 8d 73 48 48 89 9d b8 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 76 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
[  127.596081][  T453] RSP: 0018:ffff88810e5af440 EFLAGS: 00010216
[  127.596337][  T453] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
[  127.596623][  T453] RDX: 0000000000000009 RSI: 0000001880000000 RDI: ffff888104fd82b0
[  127.596917][  T453] RBP: ffff888104fd8000 R08: ffff888104fd8280 R09: 1ffff110211893a3
[  127.597165][  T453] R10: 1ffff110211893a6 R11: 1ffff110211893a7 R12: 0000001880000000
[  127.597404][  T453] R13: ffff888104fd82b8 R14: 0000000000000048 R15: 0000000040000000
[  127.597644][  T453] FS:  00007fc380cbfc40(0000) GS:ffff88816f2a8000(0000) knlGS:0000000000000000
[  127.597956][  T453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.598160][  T453] CR2: 00005610aa9890a8 CR3: 000000010369e000 CR4: 0000000000750ef0
[  127.598390][  T453] PKRU: 55555554
[  127.598509][  T453] Call Trace:
[  127.598629][  T453]  <TASK>
[  127.598718][  T453]  ? mark_held_locks+0x40/0x70
[  127.598890][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599053][  T453]  sfb_dequeue+0x88/0x4d0
[  127.599174][  T453]  ? ktime_get+0x137/0x230
[  127.599328][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599480][  T453]  ? qdisc_peek_dequeued+0x7b/0x350 [sch_qfq]
[  127.599670][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599831][  T453]  tbf_dequeue+0x6b1/0x1098 [sch_tbf]
[  127.599988][  T453]  __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.

Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler")
Signed-off-by: Victor Nogueria <victor@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_sfb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index ce67826fdf9b6d..58bf4c803f7fee 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -439,7 +439,7 @@ static struct sk_buff *sfb_dequeue(struct Qdisc *sch)
 	struct Qdisc *child = q->qdisc;
 	struct sk_buff *skb;
 
-	skb = child->dequeue(q->qdisc);
+	skb = qdisc_dequeue_peeked(child);
 
 	if (skb) {
 		qdisc_bstats_update(sch, skb);
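Review bot: nothing at the call site says why `qdisc_dequeue_peeked(child)` has to be used here instead of `child->dequeue()`. A comment stating that the child's peek() may already have parked an skb on its gso_skb queue, and that a direct dequeue() bypasses that queue, would record the invariant the commit message describes and make the same mistake easier to spot in other parent qdiscs.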
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 005/522] drm: Remove plane hsub/vsub alignment requirement for core helpers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 004/522] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 006/522] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
                   ` (517 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Carlos Eduardo Gallo Filho,
	André Almeida, Thomas Zimmermann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carlos Eduardo Gallo Filho <gcarlos@disroot.org>

[ Upstream commit f2f455981a34ce8ca88a41458c09494b387d344f ]

The drm_format_info_plane_{height,width} functions were implemented using
regular division for the plane size calculation, which causes issues [1][2]
when used in contexts where the dimensions are misaligned with relation
to the subsampling factors. So, replace the regular division by the
DIV_ROUND_UP macro.

This allows these functions to be used in more drivers, making further
work to bring more core presence on them possible.

[1] http://patchwork.freedesktop.org/patch/msgid/20170321181218.10042-3-ville.syrjala@linux.intel.com
[2] https://patchwork.freedesktop.org/patch/msgid/20211026225105.2783797-2-imre.deak@intel.com

Signed-off-by: Carlos Eduardo Gallo Filho <gcarlos@disroot.org>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20230926141519.9315-2-gcarlos@disroot.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/drm/drm_fourcc.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/drm/drm_fourcc.h b/include/drm/drm_fourcc.h
index 532ae78ca747e6..ccf91daa430702 100644
--- a/include/drm/drm_fourcc.h
+++ b/include/drm/drm_fourcc.h
@@ -22,6 +22,7 @@
 #ifndef __DRM_FOURCC_H__
 #define __DRM_FOURCC_H__
 
+#include <linux/math.h>
 #include <linux/types.h>
 #include <uapi/drm/drm_fourcc.h>
 
@@ -279,7 +280,7 @@ int drm_format_info_plane_width(const struct drm_format_info *info, int width,
 	if (plane == 0)
 		return width;
 
-	return width / info->hsub;
+	return DIV_ROUND_UP(width, info->hsub);
 }
 
 /**
@@ -301,7 +302,7 @@ int drm_format_info_plane_height(const struct drm_format_info *info, int height,
 	if (plane == 0)
 		return height;
 
-	return height / info->vsub;
+	return DIV_ROUND_UP(height, info->vsub);
 }
 
 const struct drm_format_info *__drm_format_info(u32 format);
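Review bot: callers of drm_format_info_plane_height() now get one more row for heights that are not a multiple of vsub. Existing users that pair this value with a size or bound computed by plain division elsewhere should be audited in the backport, since the two results no longer agree for misaligned dimensions.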
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 006/522] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 005/522] drm: Remove plane hsub/vsub alignment requirement for core helpers Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 007/522] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
                   ` (516 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kevin Hao, Alexander Sverdlin,
	Jakub Kicinski, Wenshan Lan, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Hao <haokexin@gmail.com>

[ Upstream commit 9d724b34fbe13b71865ad0906a4be97571f19cf5 ]

If an error occurs during register_netdev() for the first MAC in
cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
cpsw->slaves[1].ndev would remain unchanged. This could later cause
cpsw_unregister_ports() to attempt unregistering the second MAC.
To address this, add a check for ndev->reg_state before calling
unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
to NULL becomes unnecessary and can be removed accordingly.

Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Link: https://patch.msgid.link/20260205-cpsw-error-path-v1-2-6e58bae6b299@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/cpsw_new.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c
index c99dde9dbe7750..17c267f6d79aa9 100644
--- a/drivers/net/ethernet/ti/cpsw_new.c
+++ b/drivers/net/ethernet/ti/cpsw_new.c
@@ -1437,7 +1437,8 @@ static void cpsw_unregister_ports(struct cpsw_common *cpsw)
 	int i = 0;
 
 	for (i = 0; i < cpsw->data.slaves; i++) {
-		if (!cpsw->slaves[i].ndev)
+		if (!cpsw->slaves[i].ndev ||
+		    cpsw->slaves[i].ndev->reg_state != NETREG_REGISTERED)
 			continue;
 
 		unregister_netdev(cpsw->slaves[i].ndev);
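Review bot: the added `cpsw->slaves[i].ndev->reg_state != NETREG_REGISTERED` test is now the only thing keeping unregister_netdev() away from a port that never registered, and the loop has no comment saying so. A short note that this covers ports left untouched by a failed cpsw_register_ports() would stop the condition from being simplified back to the NULL check.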
@@ -1457,7 +1458,6 @@ static int cpsw_register_ports(struct cpsw_common *cpsw)
 		if (ret) {
 			dev_err(cpsw->dev,
 				"cpsw: err registering net device%d\n", i);
-			cpsw->slaves[i].ndev = NULL;
 			break;
 		}
 	}
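Review bot: removing `cpsw->slaves[i].ndev = NULL;` leaves a non-NULL ndev behind for the port whose registration failed. Any other path in the driver that treats a non-NULL `slaves[i].ndev` as meaning "registered" needs the same reg_state test that cpsw_unregister_ports() gained, so those users should be checked as part of this change.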
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 007/522] nfc: llcp: Fix use-after-free in llcp_sock_release()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 006/522] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 008/522] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
                   ` (515 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, David Heidelberg,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit f4268b466190dae95a7585f69b4f1f8ad097632c ]

llcp_sock_release() unconditionally unlinks the socket from the local
sockets list.  However, if the socket is still in connecting state, it
is on the connecting list.

Fix this by checking the socket state and unlinking from the correct list.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-1-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index cd0fd26196b8b6..6cdcc49a58bcd5 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
 
 	if (sock->type == SOCK_RAW)
 		nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+	else if (sk->sk_state == LLCP_CONNECTING)
+		nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	else
 		nfc_llcp_sock_unlink(&local->sockets, sk);
 
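Review bot: the new `else if (sk->sk_state == LLCP_CONNECTING)` branch picks the list from the socket state, so the state and the list membership have to change together. Please confirm that sk_state is read with the socket lock held at this point in llcp_sock_release(); otherwise a concurrent transition to LLCP_CONNECTED could move the socket between the check and the unlink.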
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 008/522] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 007/522] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 009/522] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
                   ` (514 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, Simon Horman,
	David Heidelberg, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit b493ea2765cc17cb8aa7e7544a4b6dcb05b6ed77 ]

A race condition exists in the NFC LLCP connection state machine where
the connection acceptance packet (CC) can be processed concurrently with
socket release.  This can lead to a use-after-free of the socket object.

When nfc_llcp_recv_cc() moves the socket from the connecting_sockets
list to the sockets list, it does so without holding the socket lock.
If llcp_sock_release() is executing concurrently, it might have already
unlinked the socket and dropped its references, which can result in
nfc_llcp_recv_cc() linking a freed socket into the live list.

Fix this by holding lock_sock() during the state transition and list
movement in nfc_llcp_recv_cc().  After acquiring the lock, check if
the socket is still hashed to ensure it hasn't already been unlinked
and marked for destruction by the release path.  This aligns the locking
pattern with recv_hdlc() and recv_disc().

Fixes: a69f32af86e3 ("NFC: Socket linked list")
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-2-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/llcp_core.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index d9562840fa180b..62b0f2d6686eb8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1216,6 +1216,15 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
 
 	sk = &llcp_sock->sk;
 
+	lock_sock(sk);
+
+	/* Check if socket was destroyed whilst waiting for the lock */
+	if (!sk_hashed(sk)) {
+		release_sock(sk);
+		nfc_llcp_sock_put(llcp_sock);
+		return;
+	}
+
 	/* Unlink from connecting and link to the client array */
 	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	nfc_llcp_sock_link(&local->sockets, sk);
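Review bot: `if (!sk_hashed(sk))` catches a socket that the release path has already unlinked, but not one that is still hashed and no longer on connecting_sockets. Consider also checking `sk->sk_state == LLCP_CONNECTING` under the lock before `nfc_llcp_sock_unlink(&local->connecting_sockets, sk);`, and reword the comment, which says "destroyed" while the test is for "unhashed".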
@@ -1227,6 +1236,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
 	sk->sk_state = LLCP_CONNECTED;
 	sk->sk_state_change(sk);
 
+	release_sock(sk);
+
 	nfc_llcp_sock_put(llcp_sock);
 }
 
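Review bot: with `release_sock(sk);` placed after `sk->sk_state_change(sk);`, the state-change callback now runs with the socket lock held. Please confirm that no sk_state_change handler used by LLCP sockets takes lock_sock() itself, and note in the commit message that the callback context changed.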
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 009/522] xfrm: Check for underflow in xfrm_state_mtu
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 008/522] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 010/522] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
                   ` (513 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern,
	Steffen Klassert, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <dahern@nvidia.com>

[ Upstream commit 742b04d0550b0ec89dcbc99537ec88653bd1ad90 ]

Leo Lin reported an OOB write issue in the esp component:

  xfrm_state_mtu() returns u32 but performs its arithmetic in unsigned
  modulo-2^32 space using an attacker-influenced "header_len + authsize +
  net_adj" subtracted from a small "mtu" argument. A nobody user can
  install an IPv4 ESP tunnel SA with a large authentication key
  (XFRMA_ALG_AUTH_TRUNC, e.g. hmac(sha512), 64-byte key, 64-byte trunc),
  configure a small interface MTU (68 bytes), and set XFRMA_TFCPAD to a
  large value. When a single UDP datagram is then sent through the
  tunnel, xfrm_state_mtu() underflows to a near-2^32 value, and
  esp_output() consumes it as a signed int via:

        padto      = min(x->tfcpad, xfrm_state_mtu(x, mtu_cached))
        esp.tfclen = padto - skb->len   (assigned to int)

  esp.tfclen ends up negative (e.g. -207). It is sign-extended to size_t
  when passed to memset() inside esp_output_fill_trailer(), producing a
  ~16 EB write of zeroes at skb_tail_pointer(skb). KASAN logs it as
  "Write of size 18446744073709551537 at addr ffff888...".

Check for underflow and return 1. This causes the sendmsg attempt to
fail with ENETUNREACH.

Fixes: c5c252389374 ("[XFRM]: Optimize MTU calculation")
Reported-by: Leo Lin <leo@depthfirst.com>
Assisted-by: Codex:26.506.31004
Signed-off-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_state.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 7dd536d5f43f3a..f3661d2946e6ef 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2577,10 +2577,14 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
 	const struct xfrm_type *type = READ_ONCE(x->type);
 	struct crypto_aead *aead;
 	u32 blksize, net_adj = 0;
+	u32 overhead, payload_mtu;
 
 	if (x->km.state != XFRM_STATE_VALID ||
-	    !type || type->proto != IPPROTO_ESP)
+	    !type || type->proto != IPPROTO_ESP) {
+		if (mtu <= x->props.header_len)
+			return 1;
 		return mtu - x->props.header_len;
+	}
 
 	aead = x->data;
 	blksize = ALIGN(crypto_aead_blocksize(aead), 4);
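Review bot: `return 1;` under `if (mtu <= x->props.header_len)` is a sentinel whose meaning is explained only in the commit message (the send then fails with ENETUNREACH). A comment or a named constant at this return would make that contract visible in the code, and it should say what a negative `mtu` is expected to do in this comparison, since the parameter is a signed int.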
@@ -2600,8 +2604,17 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
 		break;
 	}
 
-	return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
-		 net_adj) & ~(blksize - 1)) + net_adj - 2;
+	overhead = x->props.header_len + crypto_aead_authsize(aead) + net_adj;
+	if (mtu <= overhead)
+		return 1;
+
+	payload_mtu = mtu - overhead;
+	payload_mtu &= ~(blksize - 1);
+	if (payload_mtu <= 2)
+		return 1;
+
+	return payload_mtu + net_adj - 2;
+
 }
 EXPORT_SYMBOL_GPL(xfrm_state_mtu);
 
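Review bot: `if (mtu <= overhead)` compares the signed `int mtu` with a `u32`, so a negative `mtu` is converted to a large unsigned value and passes the check instead of returning 1; an explicit `mtu <= 0` test or a deliberate cast would make the intent clear. Separately, the blank line added between `return payload_mtu + net_adj - 2;` and the closing brace should be dropped.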
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread
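The wraparound chain described in the commit message of [PATCH 6.1 009/522], as an added user-space C model (not kernel code and not part of the posted patch). `struct sa_model`, the helper names and the sample values header_len=40, blksize=16, net_adj=0, tfcpad=0xffffffff and skb_len=100 are assumptions constructed for illustration; mtu=68 and authsize=64 follow the report.

```c
/* User-space model of the xfrm_state_mtu() arithmetic; not kernel code. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the SA fields the calculation reads. */
struct sa_model {
	uint32_t header_len;	/* models x->props.header_len */
	uint32_t authsize;	/* models crypto_aead_authsize(aead) */
	uint32_t blksize;	/* models the aligned AEAD block size (power of two) */
	uint32_t net_adj;	/* models the mode/family adjustment */
};

/* Constructed sample SA: only authsize=64 comes from the report. */
static const struct sa_model SAMPLE_SA = { 40, 64, 16, 0 };

/* Pre-patch expression: every step wraps modulo 2^32. */
static uint32_t state_mtu_before(const struct sa_model *sa, int mtu)
{
	return (((uint32_t)mtu - sa->header_len - sa->authsize - sa->net_adj) &
		~(sa->blksize - 1)) + sa->net_adj - 2;
}

/* Patched logic, following the second hunk: never subtract past zero. */
static uint32_t state_mtu_after(const struct sa_model *sa, int mtu)
{
	uint32_t overhead = sa->header_len + sa->authsize + sa->net_adj;
	uint32_t payload_mtu;

	if ((uint32_t)mtu <= overhead)
		return 1;
	payload_mtu = ((uint32_t)mtu - overhead) & ~(sa->blksize - 1);
	if (payload_mtu <= 2)
		return 1;
	return payload_mtu + sa->net_adj - 2;
}

/* The two lines quoted in the report: min() in u32, result stored in int. */
static int32_t tfclen_from(uint32_t tfcpad, uint32_t state_mtu, uint32_t skb_len)
{
	uint32_t padto = tfcpad < state_mtu ? tfcpad : state_mtu;

	return (int32_t)(padto - skb_len);
}

/* What a 64-bit memset() length becomes when handed a negative int. */
static uint64_t memset_len(int32_t tfclen)
{
	return (uint64_t)(int64_t)tfclen;
}

int main(void)
{
	/* Constructed inputs: a normal MTU, one byte above overhead, and 68. */
	static const int mtus[] = { 1500, 105, 68 };
	const uint32_t tfcpad = 0xffffffffu, skb_len = 100;
	size_t i;

	for (i = 0; i < sizeof(mtus) / sizeof(mtus[0]); i++) {
		uint32_t before = state_mtu_before(&SAMPLE_SA, mtus[i]);
		uint32_t after = state_mtu_after(&SAMPLE_SA, mtus[i]);
		int32_t tfclen = tfclen_from(tfcpad, before, skb_len);

		printf("mtu=%4d before=%10" PRIu32 " after=%4" PRIu32
		       " tfclen(before)=%" PRId32 " memset_len=%" PRIu64 "\n",
		       mtus[i], before, after, tfclen, memset_len(tfclen));
	}
	return 0;
}
```

The mtu=105 row shows the second wrap the patch guards with `payload_mtu <= 2`: the block-size mask leaves 0 and the trailing `- 2` underflows even though `mtu` exceeds the overhead.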

* [PATCH 6.1 010/522] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 009/522] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations Greg Kroah-Hartman
                   ` (512 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Carl Lee, Bartosz Golaszewski,
	Mark Pearson, Luca Stefani, David Heidelberg, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carl Lee <carl.lee@amd.com>

[ Upstream commit f23bf992d65a42007c517b060ca35cebdea3525a ]

Some ACPI-based platforms report incorrect IRQ trigger types (e.g.
IRQF_TRIGGER_HIGH), which can lead to interrupt storms.

Use the historically working rising-edge trigger on ACPI systems to
avoid this regression.

Device Tree-based systems continue to use the firmware-provided
trigger type.

Fixes: 57be33f85e36 ("nfc: nxp-nci: remove interrupt trigger type")
Signed-off-by: Carl Lee <carl.lee@amd.com>
Tested-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Luca Stefani <luca.stefani.ge1@gmail.com>
Link: https://patch.msgid.link/20260516-nfc-nxp-nci-i2c-restore-irq-trigger-fallback-v3-1-37ba4b6e9086@amd.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/nxp-nci/i2c.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index f256c85888229a..9b9ca3ced856b4 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -16,6 +16,7 @@
 #include <linux/delay.h>
 #include <linux/i2c.h>
 #include <linux/interrupt.h>
+#include <linux/irq.h>
 #include <linux/module.h>
 #include <linux/nfc.h>
 #include <linux/gpio/consumer.h>
@@ -268,6 +269,7 @@ static int nxp_nci_i2c_probe(struct i2c_client *client,
 {
 	struct device *dev = &client->dev;
 	struct nxp_nci_i2c_phy *phy;
+	unsigned long irqflags;
 	int r;
 
 	if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
@@ -304,9 +306,26 @@ static int nxp_nci_i2c_probe(struct i2c_client *client,
 	if (r < 0)
 		return r;
 
+	/*
+	 * ACPI platforms may report incorrect IRQ trigger types
+	 * (e.g. level-high), which can lead to interrupt storms.
+	 *
+	 * Use the historically stable rising-edge trigger for ACPI devices.
+	 *
+	 * On non-ACPI systems (e.g. Device Tree), prefer the firmware-
+	 * provided trigger type, falling back to rising-edge if not set.
+	 */
+	if (ACPI_COMPANION(dev)) {
+		irqflags = IRQF_TRIGGER_RISING;
+	} else {
+		irqflags = irq_get_trigger_type(client->irq);
+		if (!irqflags)
+			irqflags = IRQF_TRIGGER_RISING;
+	}
+
 	r = request_threaded_irq(client->irq, NULL,
 				 nxp_nci_i2c_irq_thread_fn,
-				 IRQF_ONESHOT,
+				 irqflags | IRQF_ONESHOT,
 				 NXP_NCI_I2C_DRIVER_NAME, phy);
 	if (r < 0)
 		nfc_err(&client->dev, "Unable to register IRQ handler\n");
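Review bot: the `if (ACPI_COMPANION(dev))` branch forces IRQF_TRIGGER_RISING for every ACPI device, including platforms whose firmware reports a correct trigger type. If that is intended, the comment should say so explicitly; otherwise consider overriding only when the reported type is the level-high value named in the commit message. It would also help to note that `irqflags` carries the value of irq_get_trigger_type() straight into request_threaded_irq(), so the two sets of trigger constants are assumed to share values.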
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 010/522] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 21:06   ` Ben Hutchings
  2026-06-16 14:52 ` [PATCH 6.1 012/522] tools/bootconfig: Fix buf leaks in apply_xbc Greg Kroah-Hartman
                   ` (511 subsequent siblings)
  522 siblings, 1 reply; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

[ Upstream commit 26dda57695090e05c1a99c3e8f802f862d1ac474 ]

There are many instances of the same pattern, 8 + BOOTCONFIG_MAGIC_LEN, for calculating
the size of bootconfig footer. Use BOOTCONFIG_FOOTER_SIZE macro to
clean up those magic numbers.

Link: https://lore.kernel.org/all/175211425693.2591046.16029516706923643510.stgit@mhiramat.tok.corp.google.com/

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Stable-dep-of: f42d01aadced ("tools/bootconfig: Fix buf leaks in apply_xbc")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/bootconfig/main.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
index 32cf48f2da9a1d..d302235f6b9743 100644
--- a/tools/bootconfig/main.c
+++ b/tools/bootconfig/main.c
@@ -16,6 +16,10 @@
 
 #define pr_err(fmt, ...) fprintf(stderr, fmt, ##__VA_ARGS__)
 
+/* Bootconfig footer is [size][csum][BOOTCONFIG_MAGIC]. */
+#define BOOTCONFIG_FOOTER_SIZE	\
+	(sizeof(uint32_t) * 2 + BOOTCONFIG_MAGIC_LEN)
+
 static int xbc_show_value(struct xbc_node *node, bool semicolon)
 {
 	const char *val, *eol;
@@ -188,7 +192,7 @@ static int load_xbc_from_initrd(int fd, char **buf)
 	if (ret < 0)
 		return -errno;
 
-	if (stat.st_size < 8 + BOOTCONFIG_MAGIC_LEN)
+	if (stat.st_size < BOOTCONFIG_FOOTER_SIZE)
 		return 0;
 
 	if (lseek(fd, -BOOTCONFIG_MAGIC_LEN, SEEK_END) < 0)
@@ -201,7 +205,7 @@ static int load_xbc_from_initrd(int fd, char **buf)
 	if (memcmp(magic, BOOTCONFIG_MAGIC, BOOTCONFIG_MAGIC_LEN) != 0)
 		return 0;
 
-	if (lseek(fd, -(8 + BOOTCONFIG_MAGIC_LEN), SEEK_END) < 0)
+	if (lseek(fd, -BOOTCONFIG_FOOTER_SIZE, SEEK_END) < 0)
 		return pr_errno("Failed to lseek for size", -errno);
 
 	if (read(fd, &size, sizeof(uint32_t)) < 0)
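Review bot: `lseek(fd, -BOOTCONFIG_FOOTER_SIZE, SEEK_END)` negates an unsigned value, because the macro is built from `sizeof(uint32_t) * 2` and therefore has type size_t. Where size_t is narrower than off_t the negation yields a large positive offset rather than a negative one, so the operand should be cast before negating, for example `-(off_t)BOOTCONFIG_FOOTER_SIZE`.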
@@ -213,12 +217,12 @@ static int load_xbc_from_initrd(int fd, char **buf)
 	csum = le32toh(csum);
 
 	/* Wrong size error  */
-	if (stat.st_size < size + 8 + BOOTCONFIG_MAGIC_LEN) {
+	if (stat.st_size < size + BOOTCONFIG_FOOTER_SIZE) {
 		pr_err("bootconfig size is too big\n");
 		return -E2BIG;
 	}
 
-	if (lseek(fd, stat.st_size - (size + 8 + BOOTCONFIG_MAGIC_LEN),
+	if (lseek(fd, stat.st_size - (size + BOOTCONFIG_FOOTER_SIZE),
 		  SEEK_SET) < 0)
 		return pr_errno("Failed to lseek", -errno);
 
@@ -349,7 +353,7 @@ static int delete_xbc(const char *path)
 		ret = fstat(fd, &stat);
 		if (!ret)
 			ret = ftruncate(fd, stat.st_size
-					- size - 8 - BOOTCONFIG_MAGIC_LEN);
+					- size - BOOTCONFIG_FOOTER_SIZE);
 		if (ret)
 			ret = -errno;
 	} /* Ignore if there is no boot config in initrd */
@@ -379,8 +383,7 @@ static int apply_xbc(const char *path, const char *xbc_path)
 	csum = xbc_calc_checksum(buf, size);
 
 	/* Backup the bootconfig data */
-	data = calloc(size + BOOTCONFIG_ALIGN +
-		      sizeof(uint32_t) + sizeof(uint32_t) + BOOTCONFIG_MAGIC_LEN, 1);
+	data = calloc(size + BOOTCONFIG_ALIGN + BOOTCONFIG_FOOTER_SIZE, 1);
 	if (!data)
 		return -ENOMEM;
 	memcpy(data, buf, size);
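Review bot: the `return -ENOMEM;` after a failed calloc() leaves `buf` allocated, which is the leak the next patch in this series (012) fixes. Since this cleanup already touches the calloc() line, it is worth stating in the commit message that the error path is deliberately left for the follow-up so the two are backported together.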
@@ -428,7 +431,7 @@ static int apply_xbc(const char *path, const char *xbc_path)
 	}
 
 	/* To align up the total size to BOOTCONFIG_ALIGN, get padding size */
-	total_size = stat.st_size + size + sizeof(uint32_t) * 2 + BOOTCONFIG_MAGIC_LEN;
+	total_size = stat.st_size + size + BOOTCONFIG_FOOTER_SIZE;
 	pad = ((total_size + BOOTCONFIG_ALIGN - 1) & (~BOOTCONFIG_ALIGN_MASK)) - total_size;
 	size += pad;
 
-- 
2.53.0





* [PATCH 6.1 012/522] tools/bootconfig: Fix buf leaks in apply_xbc
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 013/522] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
                   ` (510 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hongtao Lee,
	Masami Hiramatsu (Google), Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongtao Lee <lihongtao@kylinos.cn>

[ Upstream commit f42d01aadcedd7bbf4f9a466cabe25c1781dedad ]

If data calloc failed, free the buf before return.

Link: https://lore.kernel.org/all/20260520030126.147782-1-lihongtao@kylinos.cn/

Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
Signed-off-by: Hongtao Lee <lihongtao@kylinos.cn>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/bootconfig/main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
index d302235f6b9743..49573044e93a58 100644
--- a/tools/bootconfig/main.c
+++ b/tools/bootconfig/main.c
@@ -384,8 +384,10 @@ static int apply_xbc(const char *path, const char *xbc_path)
 
 	/* Backup the bootconfig data */
 	data = calloc(size + BOOTCONFIG_ALIGN + BOOTCONFIG_FOOTER_SIZE, 1);
-	if (!data)
+	if (!data) {
+		free(buf);
 		return -ENOMEM;
+	}
 	memcpy(data, buf, size);
 
 	/* Check the data format */
-- 
2.53.0





* [PATCH 6.1 013/522] netfilter: synproxy: refresh tcphdr after skb_ensure_writable
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 012/522] tools/bootconfig: Fix buf leaks in apply_xbc Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 014/522] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
                   ` (509 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chris Mason,
	Fernando Fernandez Mancera, Florian Westphal, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Mason <clm@meta.com>

[ Upstream commit 92170e6afe927ab2792a3f71902845789c8e31b1 ]

synproxy_tstamp_adjust() rewrites the TCP timestamp option in place
and then patches the TCP checksum via inet_proto_csum_replace4() on
the caller-supplied tcphdr pointer.  Both ipv4_synproxy_hook() and
ipv6_synproxy_hook() obtain that pointer with skb_header_pointer()
before calling in, so it may either alias skb->head directly or
point at the caller's on-stack _tcph buffer.

Between obtaining the pointer and using it, the function calls
skb_ensure_writable(skb, optend), which on a cloned or non-linear
skb invokes pskb_expand_head() and frees the old skb->head.  After
that point the cached th is stale:

    caller (ipv[46]_synproxy_hook)
      th = skb_header_pointer(skb, ..., &_tcph)
      synproxy_tstamp_adjust(skb, protoff, th, ...)
        skb_ensure_writable(skb, optend)
          pskb_expand_head()        /* kfree(old skb->head) */
        ...
        inet_proto_csum_replace4(&th->check, ...)
                                    /* writes into freed head, or
                                       into the caller's stack copy
                                       leaving the on-wire checksum
                                       stale */

The option bytes are written through skb->data and are fine; only
the checksum update goes through th and so lands in the wrong
place.  The result is either a write into freed slab memory or a
packet leaving with a checksum that does not match its payload.

Fix by re-deriving th from skb->data + protoff immediately after
skb_ensure_writable() succeeds, so the subsequent checksum update
targets the linear, writable header.

Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_synproxy_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 16915f8eef2b16..f5a52075691faa 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -199,6 +199,8 @@ synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff,
 	if (skb_ensure_writable(skb, optend))
 		return 0;
 
+	th = (struct tcphdr *)(skb->data + protoff);
+
 	while (optoff < optend) {
 		unsigned char *op = skb->data + optoff;
 
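Review bot: The added th = (struct tcphdr *)(skb->data + protoff) repairs
only the local copy of the pointer. th is a by-value parameter, so
whatever the caller obtained from skb_header_pointer() is still the
pre-expansion pointer once this function returns. Please check that
neither hook dereferences its own th after calling in, and put a comment
above the assignment saying that skb_ensure_writable() may reallocate the
head, so the reason for the re-derivation survives later cleanups.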
-- 
2.53.0





* [PATCH 6.1 014/522] netfilter: xt_cpu: prefer raw_smp_processor_id
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 013/522] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 015/522] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
                   ` (508 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+690d3e3ffa7335ac10eb,
	Florian Westphal, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit c376f07e16c02239ed44cabb97145d03f65b4d15 ]

With PREEMPT_RCU we get splat:

BUG: using smp_processor_id() in preemptible [..]
caller is cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
CPU: 1 .. Comm: syz.3.1377 #0 PREEMPT(full)
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
 [..]

Just use raw version instead.
This is similar to 14d14a5d2957 ("netfilter: nft_meta: use raw_smp_processor_id()").

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: syzbot+690d3e3ffa7335ac10eb@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/xt_cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
index 3bdc302a0f9137..9cb259902a586b 100644
--- a/net/netfilter/xt_cpu.c
+++ b/net/netfilter/xt_cpu.c
@@ -34,7 +34,7 @@ static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_cpu_info *info = par->matchinfo;
 
-	return (info->cpu == smp_processor_id()) ^ info->invert;
+	return (info->cpu == raw_smp_processor_id()) ^ info->invert;
 }
 
 static struct xt_match cpu_mt_reg __read_mostly = {
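Review bot: Switching the return statement in cpu_mt() to
raw_smp_processor_id() removes the preemption check, not the preemption:
in a preemptible caller the task can migrate right after the read, so the
comparison with info->cpu may describe a CPU the packet is no longer
being processed on. If that is acceptable for this match, a one-line
comment on the return statement saying so would stop the next reader from
switching it back or wrapping it in get_cpu()/put_cpu().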
-- 
2.53.0





* [PATCH 6.1 015/522] netfilter: ebtables: fix OOB read in compat_mtw_from_user
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 014/522] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:58     ` [PATCH 7.0 306/378] mm/mincore: handle non-swap entries before !CONFIG_SWAP guard Greg Kroah-Hartman
                   ` (507 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Xin Liu, Luxiao Xu, Ren Wei, Fernando Fernandez Mancera,
	Florian Westphal, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit f438d1786d657d57790c5d138d6db3fc9fdac392 ]

Luxiao Xu says:

 The function compat_mtw_from_user() converts ebtables extensions from
 32-bit user structures to kernel native structures. However, it lacks
 proper validation of the user-supplied match_size/target_size.

 When certain extensions are processed, the kernel-side translation
 logic may perform memory accesses based on the extension's expected
 size. If the user provides a size smaller than what the extension
 requires, it results in an out-of-bounds read as reported by KASAN.

 This fix introduces a check to ensure match_size is at least as large
 as the extension's required compatsize. This covers matches, watchers,
 and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go through
match->compat_from_user() call.  Those that use plain memcpy with the
user-provided size are ok because the caller checks that size vs the
start of the next rule entry offset (which itself is checked vs. total
size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes,
so they need this extra check.

Based on an earlier patch from Luxiao Xu.

Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f99e348c8f37fa..bc69406d103df6 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1952,6 +1952,25 @@ enum compat_mwt {
 	EBT_COMPAT_TARGET,
 };
 
+static bool match_size_ok(const struct xt_match *match, unsigned int match_size)
+{
+	u16 csize;
+
+	if (match->matchsize == -1) /* cannot validate ebt_among */
+		return true;
+
+	csize = match->compatsize ? : match->matchsize;
+
+	return match_size >= csize;
+}
+
+static bool tgt_size_ok(const struct xt_target *tgt, unsigned int tgt_size)
+{
+	u16 csize = tgt->compatsize ? : tgt->targetsize;
+
+	return tgt_size >= csize;
+}
+
 static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 				enum compat_mwt compat_mwt,
 				struct ebt_entries_buf_state *state,
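Review bot: In match_size_ok(), csize is declared u16 but may be assigned
match->matchsize, which the "== -1" test just above shows is wider than
16 bits (a u16 field could never compare equal to -1). A matchsize above
65535 would be truncated before the match_size >= csize comparison.
Declaring csize as unsigned int in both helpers avoids that. Separately,
tgt_size_ok() has no counterpart to the ebt_among exemption; a short
comment saying why targets need none would show the asymmetry is
deliberate.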
@@ -1977,6 +1996,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 		if (IS_ERR(match))
 			return PTR_ERR(match);
 
+		if (!match_size_ok(match, match_size)) {
+			module_put(match->me);
+			return -EINVAL;
+		}
+
 		off = ebt_compat_match_offset(match, match_size);
 		if (dst) {
 			if (match->compat_from_user)
@@ -1996,6 +2020,12 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 					    mwt->u.revision);
 		if (IS_ERR(wt))
 			return PTR_ERR(wt);
+
+		if (!tgt_size_ok(wt, match_size)) {
+			module_put(wt->me);
+			return -EINVAL;
+		}
+
 		off = xt_compat_target_offset(wt);
 
 		if (dst) {
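Review bot: The call tgt_size_ok(wt, match_size) validates a watcher or
target size through a variable named match_size, and nothing in this
branch shows how the standard targets that the commit message promises to
stay compatible with get past the tgt_size >= csize test. A comment at
the call naming the size field being checked, and why standard targets
satisfy it, would make this branch reviewable on its own.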
-- 
2.53.0





* [PATCH 6.1 016/522] tun: free page on short-frame rejection in tun_xdp_one()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
@ 2026-06-16 14:58     ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 002/378] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation Greg Kroah-Hartman
                       ` (377 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit f4feb1e20058e407cb00f45aff47f5b7e19a6bbf ]

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.

Fixes: 049584807f1d ("tun: add missing verification for short frame")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 03478ae3ff2448..1ad6af74de7c3f 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2448,8 +2448,10 @@ static int tun_xdp_one(struct tun_struct *tun,
 	bool skb_xdp = false;
 	struct page *page;
 
-	if (unlikely(datasize < ETH_HLEN))
+	if (unlikely(datasize < ETH_HLEN)) {
+		put_page(virt_to_head_page(xdp->data));
 		return -EINVAL;
+	}
 
 	xdp_prog = rcu_dereference(tun->xdp_prog);
 	if (xdp_prog) {
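Review bot: With put_page() added under the datasize < ETH_HLEN test,
tun_xdp_one() now consumes the page on this error return, which stays
correct only as long as no caller also frees the buffer when it sees
-EINVAL. The commit message says tun_sendmsg() discards the error today;
a comment on the function stating that the page is released on every
failure path would guard against a later caller change turning this into
a double free.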
-- 
2.53.0





* [PATCH 6.1 017/522] tun: free page on build_skb failure in tun_xdp_one()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2026-06-16 14:58     ` [PATCH 7.0 306/378] mm/mincore: handle non-swap entries before !CONFIG_SWAP guard Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 018/522] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
                   ` (505 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 ]

When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.

Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.

Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260521163312.1479805-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 1ad6af74de7c3f..e8f8c7d5df29ec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2494,6 +2494,7 @@ static int tun_xdp_one(struct tun_struct *tun,
 build:
 	skb = build_skb(xdp->data_hard_start, buflen);
 	if (!skb) {
+		put_page(virt_to_head_page(xdp->data));
 		ret = -ENOMEM;
 		goto out;
 	}
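Review bot: The !skb branch gains another open-coded
put_page(virt_to_head_page(xdp->data)) placed in front of a goto out that
itself does no cleanup. Consider a dedicated error label in tun_xdp_one()
that drops the page once and have the failure exits jump to it, so that a
future error path cannot repeat the omission that this patch and the
short-frame patch before it correct.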
-- 
2.53.0





* [PATCH 6.1 018/522] net: netlink: fix sending unassigned nsid after assigned one
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 017/522] tun: free page on build_skb failure in tun_xdp_one() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 019/522] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
                   ` (504 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ilya Maximets, Nicolas Dichtel,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

[ Upstream commit 70f8592ee90585272018a725054b6eb2ab7e99ca ]

If the current skb is not shared, it is re-used directly for all the
sockets subscribed to the notification.  If we have remote all-nsid
socket receiving a message first, then the 'nsid_is_set' will be
set to 'true'.  If the nsid is NOT_ASSIGNED for the next socket in
the list, the 'nsid_is_set' will remain 'true' and the negative value
is delivered to the user space.  All subsequent nsid values will be
delivered as well, since there is no code path that sets the flag
back to 'false'.

Fix that by always dropping the flag to 'false' first.

Fixes: 7212462fa6fd ("netlink: don't send unknown nsid")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-2-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 8c441c98ba5630..f502a57ad5470e 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1473,6 +1473,7 @@ static void do_one_broadcast(struct sock *sk,
 		p->skb2 = NULL;
 		goto out;
 	}
+	NETLINK_CB(p->skb2).nsid_is_set = false;
 	NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
 	if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
 		NETLINK_CB(p->skb2).nsid_is_set = true;
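Review bot: The added nsid_is_set = false followed two lines later by a
conditional = true can be one assignment placed after the peernet2id()
call: NETLINK_CB(p->skb2).nsid_is_set = NETLINK_CB(p->skb2).nsid !=
NETNSA_NSID_NOT_ASSIGNED. That leaves no point at which the flag and the
nsid value disagree and makes it harder to reintroduce the sticky flag.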
-- 
2.53.0





* [PATCH 6.1 019/522] net: netlink: dont set nsid on local notifications
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 018/522] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 020/522] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
                   ` (503 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matteo Perin, Ilya Maximets,
	Nicolas Dichtel, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

[ Upstream commit 88b126b39f9757e9debc322d4679239e9af089c7 ]

In most cases, notifications on sockets with NETLINK_LISTEN_ALL_NSID
do not contain NSID in their ancillary data in case the event is local
to the listener.

However, when a self-referential NSID is allocated for a namespace,
every local notification starts sending this ID to the user space.

This is problematic, because the listener cannot tell if those
notifications are local or not anymore without making extra requests
to figure out if the provided NSID is local or not.  The listener
can also not figure out the local NSID beforehand as it can be
allocated at any point in time by other processes, changing the
structure of the future notifications for everyone.

The value is practically not useful, since it's the namespace's own
ID that the application has to obtain from other sources in order to
figure out if it's the same or not.  So, for the application it's
just an extra busy work with no benefits.  Moreover, applications
that do not know about this quirk may be mishandling notifications
with NSID set as notifications from remote namespaces.  This is the
case for ovs-vswitchd and the iproute2's 'ip monitor' that stops
printing 'current' and starts printing the nsid number mid-session.

Lack of clear documentation for this behavior is also not helping.

A search through open-source projects doesn't reveal any projects
that use NETNSA_NSID_NOT_ASSIGNED and rely on metadata to contain
self-referential NSIDs (expected, since the value is not useful).
Quite the opposite, as already mentioned, there are few applications
that rely on NSID to not be present in local events.

Since the value is not useful and actively harmful in some cases,
let's not report it for local events, making the notifications more
consistent.

Also adding some blank lines for readability.

Fixes: 59324cf35aba ("netlink: allow to listen "all" netns")
Reported-by: Matteo Perin <matteo.perin@canonical.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-3-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index f502a57ad5470e..f5d4eba785d03c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1473,10 +1473,14 @@ static void do_one_broadcast(struct sock *sk,
 		p->skb2 = NULL;
 		goto out;
 	}
+
 	NETLINK_CB(p->skb2).nsid_is_set = false;
-	NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
-	if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
-		NETLINK_CB(p->skb2).nsid_is_set = true;
+	if (!net_eq(sock_net(sk), p->net)) {
+		NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
+		if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
+			NETLINK_CB(p->skb2).nsid_is_set = true;
+	}
+
 	val = netlink_broadcast_deliver(sk, p->skb2);
 	if (val < 0) {
 		netlink_overrun(sk);
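Review bot: In the new if (!net_eq(sock_net(sk), p->net)) block, the
local case skips the write to NETLINK_CB(p->skb2).nsid altogether, so on
an skb that is reused across receivers the field keeps whatever the
previous socket's peernet2id() returned and only nsid_is_set marks it as
invalid. Either set nsid to NETNSA_NSID_NOT_ASSIGNED in the local case or
add a comment that readers must test nsid_is_set before using nsid.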
-- 
2.53.0





* [PATCH 6.1 020/522] net/smc: Do not re-initialize smc hashtables
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 019/522] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 021/522] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
                   ` (502 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Halil Pasic, Alexandra Winter,
	Mahanta Jambigi, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandra Winter <wintera@linux.ibm.com>

[ Upstream commit 9e4389b0038781f19f97895186ed941ff8ac1678 ]

INIT_HLIST_HEAD(&smc_v*_hashinfo.ht) are called after smc_nl_init(),
proto_register() and sock_register(). This can lead to smc_v*_hashinfo.ht
being reset even though hash entries already exist and are being used,
possibly resulting in a corrupted list.

Remove unnecessary and dangerous re-initialisation of smc_v*_hashinfo.ht in
smc_init(); it is implicitly initialised to zero anyhow. Add
HLIST_HEAD_INIT to the definitions for clarity.

Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
Suggested-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
Link: https://patch.msgid.link/20260521145639.10317-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/af_smc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index b0f8eca077b893..012a7da967441d 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -180,10 +180,12 @@ static bool smc_hs_congested(const struct sock *sk)
 
 static struct smc_hashinfo smc_v4_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(smc_v4_hashinfo.lock),
+	.ht = HLIST_HEAD_INIT,
 };
 
 static struct smc_hashinfo smc_v6_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(smc_v6_hashinfo.lock),
+	.ht = HLIST_HEAD_INIT,
 };
 
 int smc_hash_sk(struct sock *sk)
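Review bot: The two .ht = HLIST_HEAD_INIT initialisers are now the only
place that expresses the requirement that the hash tables be valid before
smc_nl_init(), proto_register() and sock_register() run. A short comment
on the definitions saying they must stay statically initialised and must
not be reset in smc_init() would record the reason for the removal in the
second hunk.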
@@ -3495,8 +3497,6 @@ static int __init smc_init(void)
 		pr_err("%s: sock_register fails with %d\n", __func__, rc);
 		goto out_proto6;
 	}
-	INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
-	INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
 
 	rc = smc_ib_register_client();
 	if (rc) {
-- 
2.53.0





* [PATCH 6.1 021/522] net/iucv: fix locking in .getsockopt
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 020/522] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 022/522] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
                   ` (501 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stanislav Fomichev, Breno Leitao,
	Alexandra Winter, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

[ Upstream commit 3589d20a666caf30ad100c960a2de7de390fce88 ]

Mirror iucv_sock_setsockopt() and wrap the whole switch in
lock_sock()/release_sock(). The pre-existing SO_MSGLIMIT-only lock
becomes redundant and is removed.

Any AF_IUCV HIPER user can potentially crash the kernel by racing
recvmsg() with getsockopt(SO_MSGSIZE): the SO_MSGSIZE arm dereferences
iucv->hs_dev->mtu after iucv_sock_close() (called from the racing
recvmsg()) has set hs_dev to NULL, producing a NULL pointer dereference
oops.

Suggested-by: Stanislav Fomichev <sdf.kernel@gmail.com>
Fixes: 51363b8751a6 ("af_iucv: allow retrieval of maximum message size")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Tested-by: Alexandra Winter <wintera@linux.ibm.com>
Link: https://patch.msgid.link/20260521-af_iucv_fix2-v1-1-f16b1c510aa9@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/iucv/af_iucv.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 0f660b1d3bd51c..e9a9bb0dee065a 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -1539,7 +1539,7 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
 	struct sock *sk = sock->sk;
 	struct iucv_sock *iucv = iucv_sk(sk);
 	unsigned int val;
-	int len;
+	int len, rc;
 
 	if (level != SOL_IUCV)
 		return -ENOPROTOOPT;
@@ -1552,26 +1552,34 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
 
 	len = min_t(unsigned int, len, sizeof(int));
 
+	rc = 0;
+
+	lock_sock(sk);
 	switch (optname) {
 	case SO_IPRMDATA_MSG:
 		val = (iucv->flags & IUCV_IPRMDATA) ? 1 : 0;
 		break;
 	case SO_MSGLIMIT:
-		lock_sock(sk);
 		val = (iucv->path != NULL) ? iucv->path->msglim	/* connected */
 					   : iucv->msglimit;	/* default */
-		release_sock(sk);
 		break;
 	case SO_MSGSIZE:
-		if (sk->sk_state == IUCV_OPEN)
-			return -EBADFD;
+		if (sk->sk_state == IUCV_OPEN) {
+			rc = -EBADFD;
+			break;
+		}
 		val = (iucv->hs_dev) ? iucv->hs_dev->mtu -
 				sizeof(struct af_iucv_trans_hdr) - ETH_HLEN :
 				0x7fffffff;
 		break;
 	default:
-		return -ENOPROTOOPT;
+		rc = -ENOPROTOOPT;
+		break;
 	}
+	release_sock(sk);
+
+	if (rc)
+		return rc;
 
 	if (put_user(len, optlen))
 		return -EFAULT;
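Review bot: Holding lock_sock() across the switch closes the SO_MSGSIZE
race only if the close path clears iucv->hs_dev under the same socket
lock, which these lines do not show; please confirm that and say so in
the commit message. Smaller point: the separate rc = 0; statement can be
folded into the declaration as int len, rc = 0;.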
-- 
2.53.0





* [PATCH 6.1 022/522] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 021/522] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 023/522] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
                   ` (500 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, Eric Dumazet, Cong Wang,
	Jason Xing, Jiayuan Chen, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 87a1e0fe7776da7ab411be332b4be58ac8840d10 ]

ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
too soon.

Only after unregister_net_sysctl_table() we can be sure no threads can possibly
use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.

Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260521122147.3584624-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/sysctl_net_ipv4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 6b4c9b0fc9abb7..ef17d0f95a9da5 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1449,10 +1449,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
 {
 	struct ctl_table *table;
 
-	kfree(net->ipv4.sysctl_local_reserved_ports);
 	table = net->ipv4.ipv4_hdr->ctl_table_arg;
 	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
 	kfree(table);
+	kfree(net->ipv4.sysctl_local_reserved_ports);
 }
 
 static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
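Review bot: the position of kfree(net->ipv4.sysctl_local_reserved_ports) relative to unregister_net_sysctl_table() is what the fix depends on, but nothing in ipv4_sysctl_exit_net() says so. A one-line comment above the final kfree(), stating that the bitmap can still be reached through the sysctl until unregistration returns, would keep a later cleanup from moving it back up.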
-- 
2.53.0





* [PATCH 6.1 023/522] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 022/522] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 024/522] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
                   ` (499 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit afb2a3a9d8369d18122a0d7cd294eba9a98259c6 ]

byt_cht_es8316_init() enables MCLK before configuring the codec sysclk
and creating the headset jack. If either of those later steps fails, the
function returns without disabling MCLK, leaving the clock enabled after
card registration fails.

Track whether this driver enabled MCLK and disable it on the init error
paths. Add the matching DAI link exit callback so the same clock enable
is also balanced when ASoC cleans up a successfully initialized link.

Fixes: a03bdaa565cb ("ASoC: Intel: add machine driver for BYT/CHT + ES8316")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-asoc-bytcht-es8316-mclk-leak-v1-1-b4a11cdc2afd@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcht_es8316.c | 29 ++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
index fa2c3981dacac9..ff3642e8c132f8 100644
--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -39,6 +39,7 @@ struct byt_cht_es8316_private {
 	struct gpio_desc *speaker_en_gpio;
 	struct device *codec_dev;
 	bool speaker_en;
+	bool mclk_enabled;
 };
 
 enum {
@@ -169,6 +170,15 @@ static struct snd_soc_jack_pin byt_cht_es8316_jack_pins[] = {
 	},
 };
 
+static void byt_cht_es8316_disable_mclk(struct byt_cht_es8316_private *priv)
+{
+	if (!priv->mclk_enabled)
+		return;
+
+	clk_disable_unprepare(priv->mclk);
+	priv->mclk_enabled = false;
+}
+
 static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 {
 	struct snd_soc_component *codec = asoc_rtd_to_codec(runtime, 0)->component;
@@ -225,12 +235,14 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 	ret = clk_prepare_enable(priv->mclk);
 	if (ret)
 		dev_err(card->dev, "unable to enable MCLK\n");
+	else
+		priv->mclk_enabled = true;
 
 	ret = snd_soc_dai_set_sysclk(asoc_rtd_to_codec(runtime, 0), 0, 19200000,
 				     SND_SOC_CLOCK_IN);
 	if (ret < 0) {
 		dev_err(card->dev, "can't set codec clock %d\n", ret);
-		return ret;
+		goto err_disable_mclk;
 	}
 
 	ret = snd_soc_card_jack_new_pins(card, "Headset",
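Review bot: when clk_prepare_enable() fails, the "unable to enable MCLK" branch only logs, and ret is then overwritten by snd_soc_dai_set_sysclk(), so init can still return 0 with MCLK off. The new mclk_enabled flag keeps the disable balanced in that case, but if running without MCLK is not intended this is the place to return the error instead of continuing.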
@@ -239,13 +251,25 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 					 ARRAY_SIZE(byt_cht_es8316_jack_pins));
 	if (ret) {
 		dev_err(card->dev, "jack creation failed %d\n", ret);
-		return ret;
+		goto err_disable_mclk;
 	}
 
 	snd_jack_set_key(priv->jack.jack, SND_JACK_BTN_0, KEY_PLAYPAUSE);
 	snd_soc_component_set_jack(codec, &priv->jack, NULL);
 
 	return 0;
+
+err_disable_mclk:
+	byt_cht_es8316_disable_mclk(priv);
+	return ret;
+}
+
+static void byt_cht_es8316_exit(struct snd_soc_pcm_runtime *runtime)
+{
+	struct snd_soc_card *card = runtime->card;
+	struct byt_cht_es8316_private *priv = snd_soc_card_get_drvdata(card);
+
+	byt_cht_es8316_disable_mclk(priv);
 }
 
 static int byt_cht_es8316_codec_fixup(struct snd_soc_pcm_runtime *rtd,
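Review bot: byt_cht_es8316_exit() undoes only the clock, while init also attaches the jack with snd_soc_component_set_jack(codec, &priv->jack, NULL) and nothing in the new callback detaches it. If the component can outlive the link, consider calling snd_soc_component_set_jack() with a NULL jack here as well, or say in the changelog why that is not needed.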
@@ -355,6 +379,7 @@ static struct snd_soc_dai_link byt_cht_es8316_dais[] = {
 		.dpcm_playback = 1,
 		.dpcm_capture = 1,
 		.init = byt_cht_es8316_init,
+		.exit = byt_cht_es8316_exit,
 		SND_SOC_DAILINK_REG(ssp2_port, ssp2_codec, platform),
 	},
 };
-- 
2.53.0





* [PATCH 6.1 024/522] net: hsr: fix potential OOB access in supervision frame handling
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 023/522] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 025/522] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
                   ` (498 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luka Gejak,
	Fernando Fernandez Mancera, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luka Gejak <luka.gejak@linux.dev>

[ Upstream commit f229426072fc865654a60978bb7fda790a051ff3 ]

Ensure the entire TLV header is linearized before access by adding
sizeof(struct hsr_sup_tlv) to the pskb_may_pull() calls. Without this,
a truncated frame could cause an out-of-bounds access.

Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames")
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260523130330.61880-1-luka.gejak@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/hsr/hsr_forward.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 3852fd99509f04..7a596c4f603e2d 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -84,7 +84,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
 	/* Get next tlv */
 	total_length += hsr_sup_tag->tlv.HSR_TLV_length;
-	if (!pskb_may_pull(skb, total_length))
+	if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
 		return false;
 	skb_pull(skb, total_length);
 	hsr_sup_tlv = (struct hsr_sup_tlv *)skb->data;
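Review bot: the added sizeof(struct hsr_sup_tlv) is needed because hsr_sup_tlv is read from skb->data right after skb_pull(skb, total_length), but the "Get next tlv" comment does not say that the pull check must also cover the next TLV header. Worth a one-line comment, since total_length itself deliberately stays without that extra and the asymmetry is easy to "fix" by mistake later.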
@@ -100,7 +100,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
 		/* make sure another tlv follows */
 		total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tlv->HSR_TLV_length;
-		if (!pskb_may_pull(skb, total_length))
+		if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
 			return false;
 
 		/* get next tlv */
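Review bot: hsr_sup_tlv->HSR_TLV_length is read through a pointer obtained before this pskb_may_pull(), and pskb_may_pull() may reallocate the skb head when it has to linearize. The lines after "get next tlv" are outside this context; check that hsr_sup_tlv is recomputed from skb->data there and not advanced from the old pointer.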
-- 
2.53.0





* [PATCH 6.1 025/522] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 024/522] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 026/522] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
                   ` (497 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit b4bc94353050b1fa7b702bd4c6600710dd926cff ]

Sashiko found that iptunnel_pmtud_build_icmp() and
iptunnel_pmtud_build_icmpv6() were caching ip_hdr() and ipv6_hdr()
before an skb_cow() call which can reallocate skb->head.

Fix this possible UAF by initializing the local variables
after the skb_cow() call.

Remove skb_reset_network_header() calls which were not needed.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525201335.2361845-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 75e3d7501752df..5fb437f040ace7 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -194,7 +194,7 @@ EXPORT_SYMBOL_GPL(iptunnel_handle_offloads);
  */
 static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct iphdr *iph = ip_hdr(skb);
+	const struct iphdr *iph;
 	struct icmphdr *icmph;
 	struct iphdr *niph;
 	struct ethhdr eh;
@@ -208,7 +208,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
-	skb_reset_network_header(skb);
 
 	err = pskb_trim(skb, 576 - sizeof(*niph) - sizeof(*icmph));
 	if (err)
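Review bot: the changelog justifies dropping skb_reset_network_header() only as "not needed", yet ip_hdr(skb) is now evaluated after this point, so the fix relies on skb->network_header already pointing at the IP header once pskb_pull(skb, ETH_HLEN) has run. Please state in the commit message which caller guarantees that, since the reset was the only local evidence of it.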
@@ -218,7 +217,7 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 	err = skb_cow(skb, sizeof(*niph) + sizeof(*icmph) + ETH_HLEN);
 	if (err)
 		return err;
-
+	iph = ip_hdr(skb);
 	icmph = skb_push(skb, sizeof(*icmph));
 	*icmph = (struct icmphdr) {
 		.type			= ICMP_DEST_UNREACH,
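Review bot: style point: iph = ip_hdr(skb) replaces the blank line after "return err;", so the assignment runs straight on from the error check, while the IPv6 function keeps the blank line before ip6h = ipv6_hdr(skb). Keep the blank line here too so both functions read the same.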
@@ -290,7 +289,7 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 {
-	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+	const struct ipv6hdr *ip6h;
 	struct icmp6hdr *icmp6h;
 	struct ipv6hdr *nip6h;
 	struct ethhdr eh;
@@ -305,7 +304,6 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
-	skb_reset_network_header(skb);
 
 	err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h));
 	if (err)
@@ -316,6 +314,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 	if (err)
 		return err;
 
+	ip6h = ipv6_hdr(skb);
 	icmp6h = skb_push(skb, sizeof(*icmp6h));
 	*icmp6h = (struct icmp6hdr) {
 		.icmp6_type		= ICMPV6_PKT_TOOBIG,
-- 
2.53.0





* [PATCH 6.1 026/522] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 025/522] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 027/522] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
                   ` (496 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 7d9ef0cb271555d8cf39fefe6c981e1493b25ecf ]

skb_tunnel_check_pmtu() can change skb->head.

Reusing old_iph after skb_tunnel_check_pmtu() can cause an UAF.

Use instead ip_hdr(skb) as done in drivers/net/bareudp.c
and drivers/net/geneve.c.

Found by Sashiko.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525203642.2389723-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index 6ad59c8afdcfc1..9d7ebf8aa79f66 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2682,7 +2682,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
 				      vni, md, flags, udp_sum);
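Review bot: old_iph stays a live local after this change (the diff touches only the two ip_tunnel_ecn_encap() calls), so any other use of it after skb_tunnel_check_pmtu() would have the same stale-pointer problem. Either confirm in the changelog that these were the only late uses, or narrow the variable's scope so a new late use cannot be added unnoticed.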
@@ -2745,7 +2745,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip6_dst_hoplimit(ndst);
 		skb_scrub_packet(skb, xnet);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
-- 
2.53.0





* [PATCH 6.1 027/522] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 026/522] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 028/522] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
                   ` (495 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Eric Dumazet,
	Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 509323077ef79a26ba0c60bb556e45c12c398b2d ]

In some cases, iptunnel_pmtud_check_icmp() can be called while
skb transport header is not set.

This triggers an out-of-bound access, because
(typeof(skb->transport_header))~0U is 65535.

Access the icmp header based on IPv4 network header,
after making sure icmp->type is present in skb linear part.

Note that iptunnel_pmtud_check_icmpv6() is fine.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260522115512.1519110-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 5fb437f040ace7..9f6f1b435d8d72 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -262,7 +262,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct icmphdr *icmph = icmp_hdr(skb);
 	const struct iphdr *iph = ip_hdr(skb);
 
 	if (mtu < 576 || iph->frag_off != htons(IP_DF))
@@ -273,9 +272,17 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 	    ipv4_is_lbcast(iph->saddr)  || ipv4_is_multicast(iph->saddr))
 		return 0;
 
-	if (iph->protocol == IPPROTO_ICMP && icmp_is_err(icmph->type))
-		return 0;
+	if (iph->protocol == IPPROTO_ICMP) {
+		const struct icmphdr *icmph;
 
+		if (!pskb_network_may_pull(skb, iph->ihl * 4 +
+						offsetofend(struct icmphdr, type)))
+			return 0;
+		iph = ip_hdr(skb);
+		icmph = (void *)iph + iph->ihl * 4;
+		if (icmp_is_err(icmph->type))
+			return 0;
+	}
 	return iptunnel_pmtud_build_icmp(skb, mtu);
 }
 
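Review bot: iph->ihl comes from the packet and is used for both the pskb_network_may_pull() length and the icmph offset, but nothing in the visible lines checks that it is at least 5. With a smaller value icmph points inside the IP header and icmp_is_err() is evaluated on an IP header byte. If ihl is validated before this function is reached, a comment saying so would help; otherwise add the check before the pull.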
-- 
2.53.0





* [PATCH 6.1 028/522] ASoC: codecs: simple-mux: Fix enum control bounds check
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 027/522] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 029/522] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
                   ` (494 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit f63ad68e18d774a5d15cd7e405ead63f6b322679 ]

simple_mux_control_put() rejects values greater than e->items, but
enum control values are zero based. For the two-entry mux used by this
driver, valid values are 0 and 1, so value 2 must be rejected as well.

Accepting e->items can store an invalid mux state, pass it to the GPIO
setter, and pass it on to the DAPM mux update path where it is used as
an index into the enum text array.

Use the same >= e->items check used by the ASoC enum helpers.

Fixes: 342fbb7578d1 ("ASoC: add simple-mux")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260527-asoc-simple-mux-enum-bounds-v1-1-3f805b9fc671@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/simple-mux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/simple-mux.c b/sound/soc/codecs/simple-mux.c
index d30c0d24d90a65..c5aa58c6e7bae6 100644
--- a/sound/soc/codecs/simple-mux.c
+++ b/sound/soc/codecs/simple-mux.c
@@ -40,7 +40,7 @@ static int simple_mux_control_put(struct snd_kcontrol *kcontrol,
 	struct snd_soc_component *c = snd_soc_dapm_to_component(dapm);
 	struct simple_mux *priv = snd_soc_component_get_drvdata(c);
 
-	if (ucontrol->value.enumerated.item[0] > e->items)
+	if (ucontrol->value.enumerated.item[0] >= e->items)
 		return -EINVAL;
 
 	if (priv->mux == ucontrol->value.enumerated.item[0])
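Review bot: ucontrol->value.enumerated.item[0] is read once for the bounds check and again for the comparison with priv->mux in the lines shown. Reading it once into a local unsigned int and using that local for the check and everything after it makes it obvious that the validated value is the one that gets stored and used as an index.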
-- 
2.53.0





* [PATCH 6.1 029/522] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 028/522] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 030/522] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
                   ` (493 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhao Dongdong,
	Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

[ Upstream commit 3c40d381ce04f9575a5d8b542898183c3b4b38dc ]

The skb_clone() function can return NULL if memory allocation fails.
send_mcast_pkt() calls skb_clone() without checking the return value, which
can lead to a NULL pointer dereference in send_pkt() when it dereferences
skb->data.
Add a NULL check after skb_clone() and skip the peer if the clone fails.

Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/6lowpan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 347361ff0cc878..dc3d1d5326e96a 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -485,6 +485,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
 			int ret;
 
 			local_skb = skb_clone(skb, GFP_ATOMIC);
+			if (!local_skb)
+				continue;
 
 			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
 			       netdev->name,
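Review bot: on skb_clone() failure the peer is skipped with continue and nothing records it, so the allocation failure is invisible both to the caller and in the logs. Consider carrying -ENOMEM out through send_mcast_pkt()'s return value, or at least adding a BT_DBG() line before the continue.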
-- 
2.53.0





* [PATCH 6.1 030/522] bonding: refuse to enslave CAN devices
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 029/522] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 031/522] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
                   ` (492 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8ed98cbd0161632bce95,
	Oliver Hartkopp, Jay Vosburgh, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

[ Upstream commit 8ba68464e4787b6a7ec938826e16124df20fd23d ]

syzbot reported a kernel paging request crash in
can_rx_unregister() inside net/can/af_can.c. The crash occurs
because a virtual CAN device (vxcan) is being enslaved to a
bonding master.

During the enslavement process, the bonding driver mutates
and modifies the network device states to fit an Ethernet-like
aggregation model. However, CAN devices operate on a completely
different Layer 2 architecture, relying on the CAN mid-layer
private data structure (can_ml_priv) instead of standard
Ethernet structures. Since bonding does not initialize or
maintain these CAN structures, subsequent operations on the
half-enslaved interface (such as closing associated sockets
via isotp_release) lead to a null-pointer dereference when
accessing the CAN receiver lists.

Bonding CAN interfaces is architecturally invalid as CAN lacks
MAC addresses, ARP capabilities, and standard Ethernet
link-layer mechanisms. While generic loopback devices are
blocked globally in net/core/dev.c, virtual CAN devices
bypass this check because they do not carry the IFF_LOOPBACK
flag, despite acting as local software-loopbacks.

Fix this by explicitly blocking network devices of type
ARPHRD_CAN from being enslaved at the very beginning of
bond_enslave(). This prevents illegal state mutations,
eliminates the resulting KASAN crashes, and avoids potential
memory leaks from incomplete socket cleanups.

As the CAN support has been added a long time after bonding
the Fixes-tag points to the introduction of ARPHRD_CAN that
would have needed a specific handling in bonding_main.c.

Fixes: cd05acfe65ed ("[CAN]: Allocate protocol numbers for PF_CAN")
Reported-by: syzbot+8ed98cbd0161632bce95@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8ed98cbd0161632bce95
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20260526-bonding-candev-v1-1-ba1df400918a@hartkopp.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index e9e2dec1dcb131..0e078252b52a98 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1848,6 +1848,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
 	int link_reporting;
 	int res = 0, i;
 
+	if (slave_dev->type == ARPHRD_CAN) {
+		BOND_NL_ERR(bond_dev, extack,
+			    "CAN devices cannot be enslaved");
+		return -EPERM;
+	}
+
 	if (slave_dev->flags & IFF_MASTER &&
 	    !netif_is_bond_master(slave_dev)) {
 		BOND_NL_ERR(bond_dev, extack,
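Review bot: the new ARPHRD_CAN check returns -EPERM, which reads as a permissions problem even though the cause is the device type. The extack string gives netlink callers the real reason, but -EOPNOTSUPP or -EINVAL would describe the failure better unless -EPERM is what the neighbouring checks in bond_enslave() already return.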
-- 
2.53.0





* [PATCH 6.1 031/522] ethtool: eeprom: add more safeties to EEPROM Netlink fallback
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 030/522] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:52 ` [PATCH 6.1 032/522] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
                   ` (491 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 67cfdd9210b99f260b3e0afeb9525e0acc7be31e ]

The Netlink fallback path for reading module EEPROM
(fallback_set_params()) validates that offset < eeprom_len,
but does not check that offset + length stays within eeprom_len.
The ioctl equivalent (ethtool_get_any_eeprom() in ioctl.c) has
always enforced both bounds:

  if (eeprom.offset + eeprom.len > total_len)
      return -EINVAL;

This could lead to surprises in both drivers and device FW.
Add the missing offset + length validation to fallback_set_params(),
mirroring the ioctl.

Similarly - ethtool core in general, and ethtool_get_any_eeprom()
in particular tries to zero-init all buffers passed to the drivers
to avoid any extra work of zeroing things out. eeprom_fallback()
uses a plain kmalloc(), change it to zalloc.

Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-11-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/eeprom.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 49c0a2a77f02de..6ce40f95d8aba5 100644
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -43,6 +43,9 @@ static int fallback_set_params(struct eeprom_req_info *request,
 	if (offset >= modinfo->eeprom_len)
 		return -EINVAL;
 
+	if (length > modinfo->eeprom_len - offset)
+		return -EINVAL;
+
 	eeprom->cmd = ETHTOOL_GMODULEEEPROM;
 	eeprom->len = length;
 	eeprom->offset = offset;
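Review bot: modinfo->eeprom_len - offset cannot underflow only because the "offset >= modinfo->eeprom_len" test directly above returns first. A short comment tying the two checks together would stop them being reordered or separated, and would explain why the subtraction form was chosen over offset + length.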
@@ -69,7 +72,7 @@ static int eeprom_fallback(struct eeprom_req_info *request,
 	if (err < 0)
 		return err;
 
-	data = kmalloc(eeprom.len, GFP_KERNEL);
+	data = kzalloc(eeprom.len, GFP_KERNEL);
 	if (!data)
 		return -ENOMEM;
 	err = ethtool_get_module_eeprom_call(dev, &eeprom, data);
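Review bot: with eeprom.len == 0, kzalloc() returns ZERO_SIZE_PTR, which is not NULL, so the "if (!data)" test passes and the driver callback is invoked with a zero-length buffer. The new check in fallback_set_params() lets length 0 through; if a zero length cannot reach here, say where it is rejected, otherwise reject it there.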
-- 
2.53.0





* [PATCH 6.1 032/522] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 031/522] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
@ 2026-06-16 14:52 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 033/522] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
                   ` (490 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rahul Chandelkar, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rahul Chandelkar <rc@rexion.ai>

[ Upstream commit 9d5e7a46a9f6d8f503b41bfefef70659845f1679 ]

ipv6_rpl_srh_decompress() computes:

    outhdr->hdrlen = (((n + 1) * sizeof(struct in6_addr)) >> 3);

hdrlen is __u8. For n >= 127 the result exceeds 255 and silently
truncates. With n=127 (cmpri=15, cmpre=15, pad=0, hdrlen=16):

    (128 * 16) >> 3 = 256, truncated to 0 as __u8

The caller in ipv6_rpl_srh_rcv() then places the compressed header
at buf + ((ohdr->hdrlen + 1) << 3). With hdrlen=0 this is buf + 8,
but the decompressed region occupies buf[0..2055] (8-byte header
plus 128 full addresses). The compressed header overlaps the
decompressed data, and ipv6_rpl_srh_compress() writes into this
overlap, corrupting the routing header of the forwarded packet.

The existing guard at exthdrs.c:546 checks (n + 1) > 255, which
prevents n+1 from overflowing unsigned char (the segments_left
field), but does not prevent the computed hdrlen from overflowing
__u8. n=127 passes because 128 <= 255, yet hdrlen=256 does not
fit.

Tighten the bound to (n + 1) > 127. This caps n at 126, giving
hdrlen = (127 * 16) >> 3 = 254, which fits in __u8. The compressed
header then lands at buf + ((254 + 1) << 3) = buf + 2040, exactly
past the decompressed region (buf[0..2039]). No overlap. 127
segments is well beyond any realistic RPL deployment.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: Rahul Chandelkar <rc@rexion.ai>
Link: https://patch.msgid.link/20260525154031.2290876-1-rc@rexion.ai
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/exthdrs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 826ef36aa2bcc0..13e57e3f7d7981 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -564,7 +564,7 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 	 * unsigned char which is segments_left field. Should not be
 	 * higher than that.
 	 */
-	if (r || (n + 1) > 255) {
+	if (r || (n + 1) > 127) {
 		kfree_skb(skb);
 		return -1;
 	}
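Review bot: the comment above the check still explains the limit in terms of the segments_left unsigned char, which was the reason for 255, not for 127. Update it to say the bound keeps hdrlen = ((n + 1) * sizeof(struct in6_addr)) >> 3 within __u8, and consider deriving 127 from that expression instead of a bare constant.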
-- 
2.53.0





* [PATCH 6.1 033/522] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2026-06-16 14:52 ` [PATCH 6.1 032/522] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 034/522] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
                   ` (489 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ji-Soo Chung, Gerlinde, zyc zyc,
	Manas Ghandat, Stephen Hemminger, Jamal Hadi Salim, Paolo Abeni,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit eda0b7f203bb166c98d1418b204135bd566ac83b ]

This reverts commit ec8e0e3d7adef940cdf9475e2352c0680189d14e.

The original patch rejects any tree containing two netems when
either has duplication set, even when they sit on unrelated classes
of the same classful parent. That broke configurations that have
worked since netem was introduced.

The re-entrancy problem the original commit was trying to solve is
handled by a later patch using the tc_depth flag.

Doing this revert will (re)expose the original bug with multiple
netem duplication. When this patch is backported, make sure
to get the full series.

Fixes: ec8e0e3d7ade ("net/sched: Restrict conditions for adding duplicating netems to qdisc tree")
Reported-by: Ji-Soo Chung <jschung2@proton.me>
Reported-by: Gerlinde <lrGerlinde@mailfence.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220774
Reported-by: zyc zyc <zyc199902@zohomail.cn>
Closes: https://lore.kernel.org/all/19adda5a1e2.12410b78222774.9191120410578703463@zohomail.cn/
Reported-by: Manas Ghandat <ghandatmanas@gmail.com>
Closes: https://lore.kernel.org/netdev/f69b2c8f-8325-4c2e-a011-6dbc089f30e4@gmail.com/
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-3-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_netem.c | 40 ----------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 2c47bd8dba6478..3bebe8043cfaf5 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -984,41 +984,6 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
 	return 0;
 }
 
-static const struct Qdisc_class_ops netem_class_ops;
-
-static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
-			       struct netlink_ext_ack *extack)
-{
-	struct Qdisc *root, *q;
-	unsigned int i;
-
-	root = qdisc_root_sleeping(sch);
-
-	if (sch != root && root->ops->cl_ops == &netem_class_ops) {
-		if (duplicates ||
-		    ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
-			goto err;
-	}
-
-	if (!qdisc_dev(root))
-		return 0;
-
-	hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
-		if (sch != q && q->ops->cl_ops == &netem_class_ops) {
-			if (duplicates ||
-			    ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
-				goto err;
-		}
-	}
-
-	return 0;
-
-err:
-	NL_SET_ERR_MSG(extack,
-		       "netem: cannot mix duplicating netems with other netems in tree");
-	return -EINVAL;
-}
-
 /* Parse netlink message to set options */
 static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 			struct netlink_ext_ack *extack)
@@ -1083,11 +1048,6 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 	q->gap = qopt->gap;
 	q->counter = 0;
 	q->loss = qopt->loss;
-
-	ret = check_netem_in_tree(sch, qopt->duplicate, extack);
-	if (ret)
-		goto unlock;
-
 	q->duplicate = qopt->duplicate;
 
 	/* for compatibility with earlier versions.
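Review bot: with the check_netem_in_tree() call removed, `q->duplicate = qopt->duplicate;` in netem_change() is assigned with no tree validation at all, and the changelog itself says this re-exposes the multiple-duplication bug until the tc_depth patch is applied. Name that follow-up by subject or commit id in the backport so the revert cannot be picked on its own, and confirm it is queued in the same 6.1 series.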
-- 
2.53.0





* [PATCH 6.1 034/522] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 033/522] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 035/522] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
                   ` (488 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao,
	Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit 00e1950716c6ed67d74777b2db286b0fa23b4be9 ]

l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.

A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).

Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 21f63ca434e3fd..a3ee31f2fa2880 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6454,14 +6454,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
 
 	BT_DBG("result 0x%4.4x", result);
 
-	if (!result)
+	if (!result) {
+		list_for_each_entry(chan, &conn->chan_l, list) {
+			if (chan->ident == cmd->ident)
+				chan->ident = 0;
+		}
 		return 0;
+	}
 
 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
 		if (chan->ident != cmd->ident)
 			continue;
 
-		l2cap_chan_hold(chan);
+		if (!l2cap_chan_hold_unless_zero(chan))
+			continue;
 		l2cap_chan_lock(chan);
 
 		l2cap_chan_del(chan, ECONNRESET);
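Review bot: the new success loop stores chan->ident = 0 for each match without taking l2cap_chan_lock(chan), while the failure loop just below takes a hold and the channel lock before touching the channel. Either say in a comment which lock already protects chan->ident on this path, or take the channel lock around the store. A one-line comment that the ident is cleared so a replayed response can no longer match would also help.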
-- 
2.53.0





* [PATCH 6.1 035/522] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 034/522] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 036/522] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (487 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 41c2713b204e6cb6a94587bc6bf6935107df5479 ]

If dcid is received for an already-assigned destination CID, the spec
requires both channels to be discarded, but calling l2cap_chan_del
may invalidate the tmp cursor created by list_for_each_entry_safe, and
in fact it is the wrong procedure: as the chan->dcid may have been
assigned previously, it really needs to be disconnected.

Calling l2cap_chan_clone directly may still lead to l2cap_chan_del so
instead schedule l2cap_chan_timeout with delay 0 to close the channel
asynchronously.

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a3ee31f2fa2880..8031f83b10832e 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6254,6 +6254,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 	cmd_len -= sizeof(*rsp);
 
 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+		struct l2cap_chan *orig;
 		u16 dcid;
 
 		if (chan->ident != cmd->ident ||
@@ -6275,8 +6276,10 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 
 		BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
 
+		orig = __l2cap_get_chan_by_dcid(conn, dcid);
+
 		/* Check if dcid is already in use */
-		if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
+		if (dcid && orig) {
 			/* If a device receives a
 			 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
 			 * already-assigned Destination CID, then both the
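Review bot: `orig = __l2cap_get_chan_by_dcid(conn, dcid);` now runs for every matching channel, including dcid == 0, where the old `dcid && ...` test short-circuited the lookup. The result is ignored in that case, but doing the lookup only for a non-zero dcid (with orig initialised to NULL) keeps the old behaviour and avoids a list walk for each refused channel.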
@@ -6285,10 +6288,24 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 			 */
 			l2cap_chan_del(chan, ECONNREFUSED);
 			l2cap_chan_unlock(chan);
-			chan = __l2cap_get_chan_by_dcid(conn, dcid);
-			l2cap_chan_lock(chan);
-			l2cap_chan_del(chan, ECONNRESET);
-			l2cap_chan_unlock(chan);
+
+			/* Check that the dcid channel mode is
+			 * L2CAP_MODE_EXT_FLOWCTL since this procedure is only
+			 * valid for that mode and shouldn't disconnect a dcid
+			 * in other modes.
+			 */
+			if (orig->mode == L2CAP_MODE_EXT_FLOWCTL) {
+				l2cap_chan_lock(orig);
+				/* Disconnect the original channel as it may be
+				 * considered connected since dcid has already
+				 * been assigned; don't call l2cap_chan_close
+				 * directly since that could lead to
+				 * l2cap_chan_del and then removing the channel
+				 * from the list while we're iterating over it.
+				 */
+				__set_chan_timer(orig, 0);
+				l2cap_chan_unlock(orig);
+			}
 			continue;
 		}
 
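Review bot: orig->mode is read before l2cap_chan_lock(orig) is taken, and orig was looked up before l2cap_chan_del(chan, ECONNREFUSED) ran with no reference held across that call. Consider taking a reference on orig at lookup time and moving the mode test under the channel lock. When the mode is not L2CAP_MODE_EXT_FLOWCTL the duplicate dcid is now ignored silently; a BT_DBG there would help when diagnosing a misbehaving peer.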
-- 
2.53.0





* [PATCH 6.1 036/522] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 035/522] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 037/522] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
                   ` (486 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marco Scardovi, Bartosz Golaszewski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Scardovi <scardracs@disroot.org>

[ Upstream commit 3e46c18d5d87f063a93ae0fe7662fbf6660459d5 ]

The bank->clk was previously obtained via of_clk_get() and manually
prepared/enabled. However, it was missing a corresponding clk_put() in
both the error paths and the remove function, leading to a reference leak.

Convert the allocation to devm_clk_get_enabled(), which also properly
propagates failures from clk_prepare_enable() that were previously ignored.

The GPIO bank device uses the same OF node as the previous of_clk_get()
call, so devm_clk_get_enabled(dev, NULL) correctly resolves the same
clock provider entry.

Fix the reference leak and simplify the code by removing the manual
clk_disable_unprepare() calls in the probe error paths and in the
remove function.

Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>
Link: https://patch.msgid.link/20260526171050.12785-2-scardracs@disroot.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-rockchip.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
index bf301b2d18b8f1..147d2fda4fe120 100644
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -647,11 +647,10 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 	if (!bank->irq)
 		return -EINVAL;
 
-	bank->clk = of_clk_get(bank->of_node, 0);
+	bank->clk = devm_clk_get_enabled(bank->dev, NULL);
 	if (IS_ERR(bank->clk))
 		return PTR_ERR(bank->clk);
 
-	clk_prepare_enable(bank->clk);
 	id = readl(bank->reg_base + gpio_regs_v2.version_id);
 
 	/* If not gpio v2, that is default to v1. */
@@ -661,7 +660,6 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 		bank->db_clk = of_clk_get(bank->of_node, 1);
 		if (IS_ERR(bank->db_clk)) {
 			dev_err(bank->dev, "cannot find debounce clk\n");
-			clk_disable_unprepare(bank->clk);
 			return -EINVAL;
 		}
 	} else {
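Review bot: bank->db_clk is still obtained with of_clk_get(bank->of_node, 1) in the context lines of this hunk, so the missing clk_put() that the changelog describes for bank->clk remains for the debounce clock, and the error path returns -EINVAL instead of PTR_ERR(bank->db_clk). Either convert db_clk in the same patch or say in the changelog that it is left for a follow-up.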
@@ -735,7 +733,6 @@ static int rockchip_gpio_probe(struct platform_device *pdev)
 
 	ret = rockchip_gpiolib_register(bank);
 	if (ret) {
-		clk_disable_unprepare(bank->clk);
 		mutex_unlock(&bank->deferred_lock);
 		return ret;
 	}
@@ -776,7 +773,6 @@ static int rockchip_gpio_remove(struct platform_device *pdev)
 {
 	struct rockchip_pin_bank *bank = platform_get_drvdata(pdev);
 
-	clk_disable_unprepare(bank->clk);
 	gpiochip_remove(&bank->gpio_chip);
 
 	return 0;
-- 
2.53.0





* [PATCH 6.1 037/522] net: mana: Add NULL guards in teardown path to prevent panic on attach failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 036/522] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 038/522] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
                   ` (485 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Dipayaan Roy,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dipayaan Roy <dipayanroy@linux.microsoft.com>

[ Upstream commit 17bfe0a8c014ee1d542ad352cd6a0a505361664a ]

When queue allocation fails partway through, the error cleanup frees
and NULLs apc->tx_qp and apc->rxqs. Multiple teardown paths such as
mana_remove(), mana_change_mtu() recovery, and internal error handling
in mana_alloc_queues() can subsequently call into functions that
dereference these pointers without NULL checks:

- mana_chn_setxdp() dereferences apc->rxqs[0], causing a NULL pointer
  dereference panic (CR2: 0000000000000000 at mana_chn_setxdp+0x26).
- mana_destroy_vport() iterates apc->rxqs without a NULL check.
- mana_fence_rqs() iterates apc->rxqs without a NULL check.
- mana_dealloc_queues() iterates apc->tx_qp without a NULL check.

Add NULL guards for apc->rxqs in mana_fence_rqs(),
mana_destroy_vport(), and before the mana_chn_setxdp() call. Add a
NULL guard for apc->tx_qp in mana_dealloc_queues() to skip TX queue
draining when TX queues were never allocated or already freed.

Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Link: https://patch.msgid.link/20260525081129.1230035-2-dipayanroy@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/microsoft/mana/mana_en.c | 70 +++++++++++--------
 1 file changed, 41 insertions(+), 29 deletions(-)

diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 3f46a6edcee521..0f84cc4586f02e 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -914,6 +914,9 @@ static void mana_fence_rqs(struct mana_port_context *apc)
 	struct mana_rxq *rxq;
 	int err;
 
+	if (!apc->rxqs)
+		return;
+
 	for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
 		rxq = apc->rxqs[rxq_idx];
 		err = mana_fence_rq(apc, rxq);
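Review bot: the guard covers apc->rxqs being NULL, but the loop still passes apc->rxqs[rxq_idx] to mana_fence_rq() without checking the entry, whereas mana_destroy_vport() skips NULL entries with `if (!rxq) continue;`. If a partially populated array is possible after a failed allocation, add the same per-entry check here.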
@@ -1815,13 +1818,16 @@ static void mana_destroy_vport(struct mana_port_context *apc)
 	struct mana_rxq *rxq;
 	u32 rxq_idx;
 
-	for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
-		rxq = apc->rxqs[rxq_idx];
-		if (!rxq)
-			continue;
+	if (apc->rxqs) {
 
-		mana_destroy_rxq(apc, rxq, true);
-		apc->rxqs[rxq_idx] = NULL;
+		for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
+			rxq = apc->rxqs[rxq_idx];
+			if (!rxq)
+				continue;
+
+			mana_destroy_rxq(apc, rxq, true);
+			apc->rxqs[rxq_idx] = NULL;
+		}
 	}
 
 	mana_destroy_txq(apc);
@@ -2010,7 +2016,8 @@ static int mana_dealloc_queues(struct net_device *ndev)
 	if (apc->port_is_up)
 		return -EINVAL;
 
-	mana_chn_setxdp(apc, NULL);
+	if (apc->rxqs)
+		mana_chn_setxdp(apc, NULL);
 
 	if (gd->gdma_context->is_pf)
 		mana_pf_deregister_filter(apc);
@@ -2028,33 +2035,38 @@ static int mana_dealloc_queues(struct net_device *ndev)
 	 * number of queues.
 	 */
 
-	for (i = 0; i < apc->num_queues; i++) {
-		txq = &apc->tx_qp[i].txq;
-		tsleep = 1000;
-		while (atomic_read(&txq->pending_sends) > 0 &&
-		       time_before(jiffies, timeout)) {
-			usleep_range(tsleep, tsleep + 1000);
-			tsleep <<= 1;
-		}
-		if (atomic_read(&txq->pending_sends)) {
-			err = pcie_flr(to_pci_dev(gd->gdma_context->dev));
-			if (err) {
-				netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n",
-					   err, atomic_read(&txq->pending_sends),
-					   txq->gdma_txq_id);
+	if (apc->tx_qp) {
+		for (i = 0; i < apc->num_queues; i++) {
+			txq = &apc->tx_qp[i].txq;
+			tsleep = 1000;
+			while (atomic_read(&txq->pending_sends) > 0 &&
+			       time_before(jiffies, timeout)) {
+				usleep_range(tsleep, tsleep + 1000);
+				tsleep <<= 1;
+			}
+			if (atomic_read(&txq->pending_sends)) {
+				err =
+				    pcie_flr(to_pci_dev(gd->gdma_context->dev));
+				if (err) {
+					netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n",
+						   err,
+					    atomic_read(&txq->pending_sends),
+					    txq->gdma_txq_id);
+				}
+				break;
 			}
-			break;
 		}
-	}
 
-	for (i = 0; i < apc->num_queues; i++) {
-		txq = &apc->tx_qp[i].txq;
-		while ((skb = skb_dequeue(&txq->pending_skbs))) {
-			mana_unmap_skb(skb, apc);
-			dev_kfree_skb_any(skb);
+		for (i = 0; i < apc->num_queues; i++) {
+			txq = &apc->tx_qp[i].txq;
+			while ((skb = skb_dequeue(&txq->pending_skbs))) {
+				mana_unmap_skb(skb, apc);
+				dev_kfree_skb_any(skb);
+			}
+			atomic_set(&txq->pending_sends, 0);
 		}
-		atomic_set(&txq->pending_sends, 0);
 	}
+
 	/* We're 100% sure the queues can no longer be woken up, because
 	 * we're sure now mana_poll_tx_cq() can't be running.
 	 */
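Review bot: wrapping both TX loops in `if (apc->tx_qp) {` forces a re-indent that leaves `err =` split from pcie_flr() and the netdev_err() arguments misaligned. Moving the drain and purge loops into a small helper that returns early when apc->tx_qp is NULL would keep the change to a few lines and make the stable backport easier to audit.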
-- 
2.53.0





* [PATCH 6.1 038/522] sctp: fix race between sctp_wait_for_connect and peeloff
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 037/522] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 039/522] ipv6: fix possible infinite loop in rt6_fill_node() Greg Kroah-Hartman
                   ` (484 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Xin Long,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit f14fe6395a8b3d961a61e138ad7b36ba3626dd4e ]

sctp_wait_for_connect() drops and re-acquires the socket lock while
waiting for the association to reach ESTABLISHED state. During this
window, another thread can peeloff the association to a new socket via
getsockopt(SCTP_SOCKOPT_PEELOFF), changing asoc->base.sk. After
re-acquiring the old socket lock, sctp_wait_for_connect() returns
success without noticing the migration — the caller then accesses
the association under the wrong lock in sctp_datamsg_from_user().

Add the same sk != asoc->base.sk check that sctp_wait_for_sndbuf()
already has, returning an error if the association was migrated while
we slept.

Fixes: 668c9beb9020 ("sctp: implement assign_number for sctp_stream_interleave")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260527032411.60959-1-kipreyyy@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index b544f403f7ca8f..867a426867a7d1 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9364,6 +9364,8 @@ static int sctp_wait_for_connect(struct sctp_association *asoc, long *timeo_p)
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
+		if (sk != asoc->base.sk)
+			goto do_error;
 
 		*timeo_p = current_timeo;
 	}
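Review bot: the new `sk != asoc->base.sk` test has no comment, and it jumps to do_error before `*timeo_p = current_timeo;`, so the caller's remaining timeout is not updated on this path. Add a short comment that the association may have been peeled off to another socket while the lock was dropped, and state in the changelog which errno do_error yields, since the label's body is outside the hunk.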
-- 
2.53.0





* [PATCH 6.1 039/522] ipv6: fix possible infinite loop in rt6_fill_node()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 038/522] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 040/522] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
                   ` (483 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 9f72412bcf60144f252b0d6205106abf14344abc ]

Sashiko reported this issue [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&rt->fib6_siblings)
without waiting for RCU readers; rt->fib6_siblings.next then still
points into the old ring and this softirq-side walker never reaches
&rt->fib6_siblings, causing a CPU stall. fib6_del_route() always
WRITE_ONCE()s rt->fib6_nsiblings to 0 before list_del_rcu(), so an
inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 987ef0954e2ea2..0e96f7cb21a297 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5790,6 +5790,8 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
 
 				goto nla_put_failure;
 			}
+			if (!READ_ONCE(rt->fib6_nsiblings))
+				break;
 		}
 
 		rcu_read_unlock();
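Review bot: the READ_ONCE(rt->fib6_nsiblings) test is added at the bottom of the loop body with no comment, so the reason a zero count means "rt was unlinked, stop walking" lives only in the changelog. Add a one-line comment naming the writer-side ordering (fib6_nsiblings set to 0 before list_del_rcu()), and check that the message built so far is still valid when the walk is cut short by the break.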
-- 
2.53.0





* [PATCH 6.1 040/522] ipv6: fix possible infinite loop in fib6_select_path()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 039/522] ipv6: fix possible infinite loop in rt6_fill_node() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 041/522] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
                   ` (482 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 9c7da87c2dc860bb17ca1ece942495d28b1ce3b9 ]

Found while auditing the same pattern Sashiko reported in
rt6_fill_node() [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings)
without waiting for RCU readers; first->fib6_siblings.next then
still points into the old ring and this softirq-side walker never
reaches &first->fib6_siblings as its terminator. fib6_purge_rt()
always WRITE_ONCE()s first->fib6_nsiblings to 0 before
list_del_rcu(), so an inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 0e96f7cb21a297..2b861eacee30e4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -486,6 +486,9 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
 		const struct fib6_nh *nh = sibling->fib6_nh;
 		int nh_upper_bound;
 
+		if (!READ_ONCE(first->fib6_nsiblings))
+			break;
+
 		nh_upper_bound = atomic_read(&nh->fib_nh_upper_bound);
 		if (hash > nh_upper_bound)
 			continue;
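Review bot: when the new `break` fires, the loop exits without having matched any sibling, so the function continues with whatever res held before the loop. Say in a comment next to the check that this fallback is intended, and that a zero first->fib6_nsiblings means first has been unlinked from the sibling ring.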
-- 
2.53.0





* [PATCH 6.1 041/522] net: skbuff: fix pskb_carve leaking zcopy pages
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 040/522] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 042/522] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
                   ` (481 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
	Pavel Begunkov, Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Begunkov <asml.silence@gmail.com>

[ Upstream commit ff6e798c2eac3ebd0501ad7e796f583fab928de8 ]

When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.

Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 8bc4b26de5e538..41b2aaed7a14aa 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6232,6 +6232,11 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
 	skb_copy_from_linear_data_offset(skb, off, data, new_hlen);
 	skb->len -= off;
 
+	/* Remove SKBFL_MANAGED_FRAG_REFS instead of trying to honour it
+	 * while refcounting frags below.
+	 */
+	skb_zcopy_downgrade_managed(skb);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb),
 	       offsetof(struct skb_shared_info,
@@ -6344,6 +6349,11 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
 		return -ENOMEM;
 	size = SKB_WITH_OVERHEAD(size);
 
+	/* Remove SKBFL_MANAGED_FRAG_REFS instead of trying to honour it
+	 * while refcounting frags below.
+	 */
+	skb_zcopy_downgrade_managed(skb);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
 	if (skb_orphan_frags(skb, gfp_mask)) {
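Review bot: skb_zcopy_downgrade_managed(skb) is called before skb_orphan_frags(skb, gfp_mask), which can fail, so on that error path the function fails with SKBFL_MANAGED_FRAG_REFS already cleared on the original skb. That is likely harmless, but the comment should say the downgrade is deliberately not undone on failure. The same comment block is also duplicated verbatim in both carve functions; a small shared helper would keep the two in sync.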
-- 
2.53.0





* [PATCH 6.1 042/522] batman-adv: v: stop OGMv2 on disabled interface
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 041/522] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 043/522] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
                   ` (480 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f8ce8b8331a1bc44ad4905886a482214d428b253 upstream.

When a batadv_hard_iface is disabled, its mesh_iface pointer is set to
NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via
batadv_v_ogm_queue_on_if() for interfaces that have since lost their
mesh_iface association. This results in a NULL pointer dereference when
batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the
now NULL hard_iface->mesh_iface to retrieve the batadv_priv.

It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that
it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was
called.

Cc: stable@kernel.org
Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bat_v_ogm.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index deef817b28f0ae..24beb06f7c332a 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -116,14 +116,14 @@ static void batadv_v_ogm_start_timer(struct batadv_priv *bat_priv)
 
 /**
  * batadv_v_ogm_send_to_if() - send a batman ogm using a given interface
+ * @bat_priv: the bat priv with all the mesh interface information
  * @skb: the OGM to send
  * @hard_iface: the interface to use to send the OGM
  */
-static void batadv_v_ogm_send_to_if(struct sk_buff *skb,
+static void batadv_v_ogm_send_to_if(struct batadv_priv *bat_priv,
+				    struct sk_buff *skb,
 				    struct batadv_hard_iface *hard_iface)
 {
-	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
-
 	if (hard_iface->if_status != BATADV_IF_ACTIVE) {
 		kfree_skb(skb);
 		return;
@@ -190,6 +190,7 @@ static void batadv_v_ogm_aggr_list_free(struct batadv_hard_iface *hard_iface)
 
 /**
  * batadv_v_ogm_aggr_send() - flush & send aggregation queue
+ * @bat_priv: the bat priv with all the mesh interface information
  * @hard_iface: the interface with the aggregation queue to flush
  *
  * Aggregates all OGMv2 packets currently in the aggregation queue into a
@@ -199,7 +200,8 @@ static void batadv_v_ogm_aggr_list_free(struct batadv_hard_iface *hard_iface)
  *
  * Caller needs to hold the hard_iface->bat_v.aggr_list.lock.
  */
-static void batadv_v_ogm_aggr_send(struct batadv_hard_iface *hard_iface)
+static void batadv_v_ogm_aggr_send(struct batadv_priv *bat_priv,
+				   struct batadv_hard_iface *hard_iface)
 {
 	unsigned int aggr_len = hard_iface->bat_v.aggr_len;
 	struct sk_buff *skb_aggr;
@@ -229,27 +231,32 @@ static void batadv_v_ogm_aggr_send(struct batadv_hard_iface *hard_iface)
 		consume_skb(skb);
 	}
 
-	batadv_v_ogm_send_to_if(skb_aggr, hard_iface);
+	batadv_v_ogm_send_to_if(bat_priv, skb_aggr, hard_iface);
 }
 
 /**
  * batadv_v_ogm_queue_on_if() - queue a batman ogm on a given interface
+ * @bat_priv: the bat priv with all the mesh interface information
  * @skb: the OGM to queue
  * @hard_iface: the interface to queue the OGM on
  */
-static void batadv_v_ogm_queue_on_if(struct sk_buff *skb,
+static void batadv_v_ogm_queue_on_if(struct batadv_priv *bat_priv,
+				     struct sk_buff *skb,
 				     struct batadv_hard_iface *hard_iface)
 {
-	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+	if (hard_iface->soft_iface != bat_priv->soft_iface) {
+		kfree_skb(skb);
+		return;
+	}
 
 	if (!atomic_read(&bat_priv->aggregated_ogms)) {
-		batadv_v_ogm_send_to_if(skb, hard_iface);
+		batadv_v_ogm_send_to_if(bat_priv, skb, hard_iface);
 		return;
 	}
 
 	spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
 	if (!batadv_v_ogm_queue_left(skb, hard_iface))
-		batadv_v_ogm_aggr_send(hard_iface);
+		batadv_v_ogm_aggr_send(bat_priv, hard_iface);
 
 	hard_iface->bat_v.aggr_len += batadv_v_ogm_len(skb);
 	__skb_queue_tail(&hard_iface->bat_v.aggr_list, skb);
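Review bot: the new guard at the top of batadv_v_ogm_queue_on_if() reads hard_iface->soft_iface with a plain load, although the commit message says this pointer can be set to NULL while OGMs are still being dispatched; consider READ_ONCE() for the comparison so the compiler cannot reload it. A one-line comment above `if (hard_iface->soft_iface != bat_priv->soft_iface) {` saying that the skb is dropped because the interface no longer belongs to this mesh would also help, since the reason is only given in the commit message.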
@@ -348,7 +355,7 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
 			break;
 		}
 
-		batadv_v_ogm_queue_on_if(skb_tmp, hard_iface);
+		batadv_v_ogm_queue_on_if(bat_priv, skb_tmp, hard_iface);
 		batadv_hardif_put(hard_iface);
 	}
 	rcu_read_unlock();
@@ -388,12 +395,14 @@ void batadv_v_ogm_aggr_work(struct work_struct *work)
 {
 	struct batadv_hard_iface_bat_v *batv;
 	struct batadv_hard_iface *hard_iface;
+	struct batadv_priv *bat_priv;
 
 	batv = container_of(work, struct batadv_hard_iface_bat_v, aggr_wq.work);
 	hard_iface = container_of(batv, struct batadv_hard_iface, bat_v);
+	bat_priv = netdev_priv(hard_iface->soft_iface);
 
 	spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
-	batadv_v_ogm_aggr_send(hard_iface);
+	batadv_v_ogm_aggr_send(bat_priv, hard_iface);
 	spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
 
 	batadv_v_ogm_start_queue_timer(hard_iface);
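Review bot: batadv_v_ogm_aggr_work() now does `bat_priv = netdev_priv(hard_iface->soft_iface);` without any check, which is the same pattern the commit message identifies as the source of the NULL pointer dereference in batadv_v_ogm_queue_on_if(). If the work item is guaranteed to be cancelled before soft_iface is cleared, say so in a comment here; otherwise the pointer needs a NULL check before bat_priv is passed on to batadv_v_ogm_aggr_send().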
@@ -583,7 +592,7 @@ static void batadv_v_ogm_forward(struct batadv_priv *bat_priv,
 		   if_outgoing->net_dev->name, ntohl(ogm_forward->throughput),
 		   ogm_forward->ttl, if_incoming->net_dev->name);
 
-	batadv_v_ogm_queue_on_if(skb, if_outgoing);
+	batadv_v_ogm_queue_on_if(bat_priv, skb, if_outgoing);
 
 out:
 	batadv_orig_ifinfo_put(orig_ifinfo);
-- 
2.53.0





* [PATCH 6.1 043/522] batman-adv: tvlv: abort OGM send on tvlv append failure
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 501368506563e151b322c8c3f228b796e615b90d upstream.

batadv_tvlv_container_ogm_append() could fail in two ways: a memory
allocation failure when resizing the packet buffer, or the tvlv data
exceeding U16_MAX bytes. In both cases the function previously returned the
old (now stale) tvlv_value_len rather than signalling an error, causing the
OGM/OGM2 send path to transmit a packet whose TVLV length field no longer
matched the actual buffer contents. And because it also didn't fill in the
new TVLV data, sending either uninitialized or corrupted data on the wire.

All errors in batadv_tvlv_container_ogm_append() must be forwarded to the
caller. And the caller must abort the send of the OGM2. For B.A.T.M.A.N.
IV, it is currently not allowed to abort the send. The non-TVLV part of the
OGM must be queued up instead.

Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bat_iv_ogm.c | 16 +++++++++++++---
 net/batman-adv/bat_v_ogm.c  | 26 ++++++++++++++------------
 net/batman-adv/tvlv.c       | 17 ++++++++++++-----
 net/batman-adv/tvlv.h       |  2 +-
 4 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 495196b741040e..c93d30462054ce 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -782,6 +782,7 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 	u32 seqno;
 	u16 tvlv_len = 0;
 	unsigned long send_time;
+	int ret;
 
 	lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
 
@@ -805,9 +806,18 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 		 * appended as it may alter the tt tvlv container
 		 */
 		batadv_tt_local_commit_changes(bat_priv);
-		tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
-							    ogm_buff_len,
-							    BATADV_OGM_HLEN);
+		ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+						       ogm_buff_len,
+						       BATADV_OGM_HLEN);
+		if (ret < 0) {
+			/* OGMs must be queued even when the buffer allocation for
+			 * TVLVs failed. just fall back to the non-TVLV version
+			 */
+			ret = 0;
+			*ogm_buff_len = BATADV_OGM_HLEN;
+		}
+
+		tvlv_len = ret;
 	}
 
 	batadv_ogm_packet = (struct batadv_ogm_packet *)(*ogm_buff);
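Review bot: the comment in the new `if (ret < 0)` branch of batadv_iv_ogm_schedule_buff() names only a failed buffer allocation, while the commit message lists a second failure (TVLV data larger than U16_MAX); word the comment for any append error. The fallback `*ogm_buff_len = BATADV_OGM_HLEN;` is only valid if a failed append leaves *ogm_buff pointing at a buffer of at least BATADV_OGM_HLEN bytes, so that guarantee should be stated here or in the kernel-doc of batadv_tvlv_container_ogm_append().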
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index 24beb06f7c332a..57d0c6862f449c 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -272,9 +272,9 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
 	struct batadv_hard_iface *hard_iface;
 	struct batadv_ogm2_packet *ogm_packet;
 	struct sk_buff *skb, *skb_tmp;
-	unsigned char *ogm_buff;
-	int ogm_buff_len;
-	u16 tvlv_len = 0;
+	unsigned char **ogm_buff;
+	int *ogm_buff_len;
+	u16 tvlv_len;
 	int ret;
 
 	lockdep_assert_held(&bat_priv->bat_v.ogm_buff_mutex);
@@ -282,25 +282,27 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
 	if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING)
 		goto out;
 
-	ogm_buff = bat_priv->bat_v.ogm_buff;
-	ogm_buff_len = bat_priv->bat_v.ogm_buff_len;
+	ogm_buff = &bat_priv->bat_v.ogm_buff;
+	ogm_buff_len = &bat_priv->bat_v.ogm_buff_len;
+
 	/* tt changes have to be committed before the tvlv data is
 	 * appended as it may alter the tt tvlv container
 	 */
 	batadv_tt_local_commit_changes(bat_priv);
-	tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, &ogm_buff,
-						    &ogm_buff_len,
-						    BATADV_OGM2_HLEN);
+	ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+					       ogm_buff_len,
+					       BATADV_OGM2_HLEN);
+	if (ret < 0)
+		goto reschedule;
 
-	bat_priv->bat_v.ogm_buff = ogm_buff;
-	bat_priv->bat_v.ogm_buff_len = ogm_buff_len;
+	tvlv_len = ret;
 
-	skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + ogm_buff_len);
+	skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + *ogm_buff_len);
 	if (!skb)
 		goto reschedule;
 
 	skb_reserve(skb, ETH_HLEN);
-	skb_put_data(skb, ogm_buff, ogm_buff_len);
+	skb_put_data(skb, *ogm_buff, *ogm_buff_len);
 
 	ogm_packet = (struct batadv_ogm2_packet *)skb->data;
 	ogm_packet->seqno = htonl(atomic_read(&bat_priv->bat_v.ogm_seqno));
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 7ec2e234388454..83e20b0be747b6 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -8,6 +8,7 @@
 
 #include <linux/byteorder/generic.h>
 #include <linux/container_of.h>
+#include <linux/errno.h>
 #include <linux/etherdevice.h>
 #include <linux/gfp.h>
 #include <linux/if_ether.h>
@@ -306,9 +307,10 @@ static bool batadv_tvlv_realloc_packet_buff(unsigned char **packet_buff,
  * The ogm packet might be enlarged or shrunk depending on the current size
  * and the size of the to-be-appended tvlv containers.
  *
- * Return: size of all appended tvlv containers in bytes.
+ * Return: size of all appended tvlv containers in bytes (max U16_MAX), negative
+ *  if operation failed
  */
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 				     unsigned char **packet_buff,
 				     int *packet_buff_len, int packet_min_len)
 {
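Review bot: the updated Return: text says only "negative if operation failed"; spell out that it is a negative errno and name the codes a caller can see. It should also document whether *packet_buff and *packet_buff_len are left untouched on failure, because both OGM callers changed in this patch keep using those values after an error (the B.A.T.M.A.N. IV caller resets the length, the OGM2 caller reschedules).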
@@ -316,6 +318,7 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 	struct batadv_tvlv_hdr *tvlv_hdr;
 	u16 tvlv_value_len;
 	void *tvlv_value;
+	int tvlv_len_ret;
 	bool ret;
 
 	spin_lock_bh(&bat_priv->tvlv.container_list_lock);
@@ -323,9 +326,12 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 
 	ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
 					      packet_min_len, tvlv_value_len);
-
-	if (!ret)
+	if (!ret) {
+		tvlv_len_ret = -ENOMEM;
 		goto end;
+	}
+
+	tvlv_len_ret = tvlv_value_len;
 
 	if (!tvlv_value_len)
 		goto end;
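Review bot: only the batadv_tvlv_realloc_packet_buff() failure is turned into an error in this hunk (`tvlv_len_ret = -ENOMEM;`); the second failure named in the commit message, TVLV data exceeding U16_MAX bytes, has no check here, and tvlv_value_len is still declared u16 in this function, so an oversized container list cannot be detected at this point. Either add the bound check in this patch or reword the commit message to say that this case is handled by a separate change.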
@@ -344,7 +350,8 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 
 end:
 	spin_unlock_bh(&bat_priv->tvlv.container_list_lock);
-	return tvlv_value_len;
+
+	return tvlv_len_ret;
 }
 
 /**
diff --git a/net/batman-adv/tvlv.h b/net/batman-adv/tvlv.h
index 4cf8af00fc11a0..485b2a6070994b 100644
--- a/net/batman-adv/tvlv.h
+++ b/net/batman-adv/tvlv.h
@@ -15,7 +15,7 @@
 void batadv_tvlv_container_register(struct batadv_priv *bat_priv,
 				    u8 type, u8 version,
 				    void *tvlv_value, u16 tvlv_value_len);
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 				     unsigned char **packet_buff,
 				     int *packet_buff_len, int packet_min_len);
 void batadv_tvlv_ogm_receive(struct batadv_priv *bat_priv,
-- 
2.53.0





* [PATCH 6.1 044/522] batman-adv: tt: reject oversized local TVLV buffers
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 1e9fab756f8395096d5bba7be0c373c4c8f5d165 upstream.

The commit 3a359bf5c61d ("batman-adv: reject oversized global TT response
buffers") added a check to ensure that a global return buffer size can be
stored in an u16. The same buffer handling also exists for the local data
buffer but was not touched.

A similar check should also be in place for the local TVLV buffer. It
doesn't have the similar attack surface because it is only generated from
locally discovered MAC addresses but the dynamic nature could still cause
temporarily too large buffers.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index f1e93a60482038..6c40d690ac6c3a 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -924,12 +924,12 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 {
 	struct batadv_tvlv_tt_vlan_data *tt_vlan;
 	struct batadv_softif_vlan *vlan;
+	size_t change_offset;
 	u16 num_vlan = 0;
 	u16 vlan_entries = 0;
 	u16 total_entries = 0;
 	u16 tvlv_len;
 	u8 *tt_change_ptr;
-	int change_offset;
 
 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
@@ -948,8 +948,10 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	if (*tt_len < 0)
 		*tt_len = batadv_tt_len(total_entries);
 
-	tvlv_len = *tt_len;
-	tvlv_len += change_offset;
+	if (check_add_overflow(*tt_len, change_offset, &tvlv_len)) {
+		tvlv_len = 0;
+		goto out;
+	}
 
 	*tt_data = kmalloc(tvlv_len, GFP_ATOMIC);
 	if (!*tt_data) {
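Review bot: check_add_overflow() is introduced in batadv_tt_prepare_tvlv_local_data() but the diffstat shows no new include, so confirm that translation-table.c already includes <linux/overflow.h> on 6.1.y instead of relying on an indirect include. The three operands also differ in type (*tt_len is tested with `< 0` as a signed value, change_offset is now size_t, tvlv_len is u16), so check that the 6.1.y helper accepts mixed types, and that the `goto out` path with tvlv_len = 0 leaves *tt_data and the other output pointers in the state the callers expect.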
-- 
2.53.0





* [PATCH 6.1 045/522] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Ido Schimmel,
	syzbot+9fdcc9f05a98a540b816, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f80d3d98d2ff78d9e2fe5d68b1f45948c4f7bd24 upstream.

Without rtnl_lock held, a hardif might be retrieved as primary interface of
a meshif, but then (while operating on this interface) getting decoupled
from the mesh interface. In this case, the meshif still exists but the
pointer from the primary hardif to the meshif is set to NULL.

The mesh_iface must be checked first to be non-NULL before continuing to
send an ARP request using meshif.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reported-by: Ido Schimmel <idosch@nvidia.com>
Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bridge_loop_avoidance.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index f614709e6cda74..76d8c91c156a3b 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -356,12 +356,14 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, const u8 *mac,
 	       sizeof(local_claim_dest));
 	local_claim_dest.type = claimtype;
 
-	soft_iface = primary_if->soft_iface;
+	soft_iface = READ_ONCE(primary_if->soft_iface);
+	if (!soft_iface)
+		goto out;
 
 	skb = arp_create(ARPOP_REPLY, ETH_P_ARP,
 			 /* IP DST: 0.0.0.0 */
 			 zeroip,
-			 primary_if->soft_iface,
+			 soft_iface,
 			 /* IP SRC: 0.0.0.0 */
 			 zeroip,
 			 /* Ethernet DST: Broadcast */
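Review bot: the new `goto out` in batadv_bla_send_claim() is taken before skb is assigned by arp_create(), so make sure skb is initialised or that the out: label does not touch it; neither is visible in this hunk. READ_ONCE() on primary_if->soft_iface should be paired with WRITE_ONCE() where the pointer is cleared, and a short comment that the hardif can be decoupled without rtnl_lock held would explain why the NULL check is needed.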
-- 
2.53.0





* [PATCH 6.1 046/522] batman-adv: tvlv: reject oversized TVLV packets
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f50487e3566358b2b982b7801945e858c78ad9ab upstream.

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.

Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/tvlv.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 83e20b0be747b6..99e5e8518dcc9a 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -13,6 +13,7 @@
 #include <linux/gfp.h>
 #include <linux/if_ether.h>
 #include <linux/kref.h>
+#include <linux/limits.h>
 #include <linux/list.h>
 #include <linux/lockdep.h>
 #include <linux/netdevice.h>
@@ -160,10 +161,10 @@ batadv_tvlv_container_get(struct batadv_priv *bat_priv, u8 type, u8 version)
  *
  * Return: size of all currently registered tvlv containers in bytes.
  */
-static u16 batadv_tvlv_container_list_size(struct batadv_priv *bat_priv)
+static size_t batadv_tvlv_container_list_size(struct batadv_priv *bat_priv)
 {
 	struct batadv_tvlv_container *tvlv;
-	u16 tvlv_len = 0;
+	size_t tvlv_len = 0;
 
 	lockdep_assert_held(&bat_priv->tvlv.container_list_lock);
 
@@ -316,13 +317,17 @@ int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 {
 	struct batadv_tvlv_container *tvlv;
 	struct batadv_tvlv_hdr *tvlv_hdr;
-	u16 tvlv_value_len;
+	size_t tvlv_value_len;
 	void *tvlv_value;
 	int tvlv_len_ret;
 	bool ret;
 
 	spin_lock_bh(&bat_priv->tvlv.container_list_lock);
 	tvlv_value_len = batadv_tvlv_container_list_size(bat_priv);
+	if (tvlv_value_len > U16_MAX) {
+		tvlv_len_ret = -E2BIG;
+		goto end;
+	}
 
 	ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
 					      packet_min_len, tvlv_value_len);
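Review bot: the `tvlv_value_len > U16_MAX` branch returns -E2BIG without any log message or counter, and unlike -ENOMEM this condition stays true until containers shrink or are unregistered, so the send path can keep failing with no trace; consider a rate-limited debug message in this branch. The kernel-doc Return: line of batadv_tvlv_container_ogm_append() should also list -E2BIG next to the allocation failure.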
-- 
2.53.0
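
The wrap-around described in the commit message above, as an added user-space example that is not part of the patch or of batman-adv: it sums container sizes once with a 16-bit accumulator and once with a size_t accumulator plus the U16_MAX bound. All demo_ names, the 4-byte header size and the container sizes are assumptions constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-container header size for this demo. */
#define DEMO_TVLV_HDR_LEN 4u

/* Constructed model of a registered container: only its length matters. */
struct demo_container {
	uint16_t value_len;	/* payload bytes of this container */
};

/* Constructed sample lists. */
static const struct demo_container demo_small[] = { { 100 }, { 200 } };
static const struct demo_container demo_big[] = { { 30000 }, { 30000 }, { 6000 } };
static const struct demo_container demo_edge[] = { { 65531 } };

/* Shape before the fix: 16-bit accumulator, wraps silently above 65535. */
static uint16_t demo_list_size_u16(const struct demo_container *c, size_t n)
{
	uint16_t len = 0;
	size_t i;

	for (i = 0; i < n; i++)
		len = (uint16_t)(len + DEMO_TVLV_HDR_LEN + c[i].value_len);

	return len;
}

/* Shape after the fix: size_t accumulator keeps the true total. */
static size_t demo_list_size(const struct demo_container *c, size_t n)
{
	size_t len = 0;
	size_t i;

	for (i = 0; i < n; i++)
		len += (size_t)DEMO_TVLV_HDR_LEN + c[i].value_len;

	return len;
}

/*
 * Length to append (0..UINT16_MAX) or a negative errno, mirroring the
 * "bail out as if the allocation had failed" rule from the commit message.
 */
static int demo_append_len(const struct demo_container *c, size_t n)
{
	size_t len = demo_list_size(c, n);

	if (len > UINT16_MAX)
		return -E2BIG;

	return (int)len;
}

/*
 * Bytes a copy of all containers would write past a buffer that was
 * sized from the wrapped 16-bit total. Nothing is copied here; the
 * function only computes the gap.
 */
static size_t demo_overrun_bytes(const struct demo_container *c, size_t n)
{
	size_t need = demo_list_size(c, n);
	size_t alloc = demo_list_size_u16(c, n);

	return need > alloc ? need - alloc : 0;
}

int main(void)
{
	printf("small: u16=%u size_t=%zu append=%d\n",
	       (unsigned int)demo_list_size_u16(demo_small, 2),
	       demo_list_size(demo_small, 2), demo_append_len(demo_small, 2));
	printf("big:   u16=%u size_t=%zu append=%d overrun=%zu\n",
	       (unsigned int)demo_list_size_u16(demo_big, 3),
	       demo_list_size(demo_big, 3), demo_append_len(demo_big, 3),
	       demo_overrun_bytes(demo_big, 3));
	printf("edge:  size_t=%zu append=%d\n",
	       demo_list_size(demo_edge, 1), demo_append_len(demo_edge, 1));
	return 0;
}
```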





* [PATCH 6.1 047/522] batman-adv: iv: recover OGM scheduling after forward packet error
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit aa3153bd139a6c48667dcd02608d3b2c80bff02c upstream.

When batadv_iv_ogm_schedule_buff() fails to allocate and queue a forward
packet for OGM transmission, the work item that drives periodic OGM
scheduling is never re-armed. This silently halts transmission of the
node's own OGMs on the affected interface — only OGMs from other peers
continue to be aggregated and forwarded.

Fix this by tracking whether batadv_iv_ogm_queue_add() (and transitively
batadv_iv_ogm_aggregate_new()) successfully scheduled a forward packet.
When scheduling fails, batadv_iv_ogm_schedule_buff() falls back to queuing
a dedicated recovery work item (reschedule_work) that fires after one
originator interval and calls batadv_iv_ogm_schedule() again.

Cc: stable@kernel.org
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bat_iv_ogm.c | 76 +++++++++++++++++++++++++++----------
 net/batman-adv/types.h      |  3 ++
 2 files changed, 60 insertions(+), 19 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index c93d30462054ce..c52e3b82889868 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -224,6 +224,8 @@ static void batadv_iv_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
 	hard_iface->bat_iv.ogm_buff = NULL;
 
 	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+
+	cancel_delayed_work_sync(&hard_iface->bat_iv.reschedule_work);
 }
 
 static void batadv_iv_ogm_iface_update_mac(struct batadv_hard_iface *hard_iface)
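Review bot: cancel_delayed_work_sync() in batadv_iv_ogm_iface_disable() runs after ogm_buff_mutex has been dropped, and the handler added later in this patch ends in batadv_iv_ogm_schedule(), which can queue reschedule_work again; please document what prevents another caller of batadv_iv_ogm_schedule() from re-arming the work after this cancel. INIT_DELAYED_WORK() is only done in batadv_iv_iface_enabled(), so it is also worth confirming that this disable path can never run for an interface on which that callback was not invoked.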
@@ -528,8 +530,10 @@ batadv_iv_ogm_can_aggregate(const struct batadv_ogm_packet *new_bat_ogm_packet,
  * @if_incoming: interface where the packet was received
  * @if_outgoing: interface for which the retransmission should be considered
  * @own_packet: true if it is a self-generated ogm
+ *
+ * Return: whether forward packet was scheduled
  */
-static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
+static bool batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
 					int packet_len, unsigned long send_time,
 					bool direct_link,
 					struct batadv_hard_iface *if_incoming,
@@ -553,13 +557,13 @@ static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
 
 	skb = netdev_alloc_skb_ip_align(NULL, skb_size);
 	if (!skb)
-		return;
+		return false;
 
 	forw_packet_aggr = batadv_forw_packet_alloc(if_incoming, if_outgoing,
 						    queue_left, bat_priv, skb);
 	if (!forw_packet_aggr) {
 		kfree_skb(skb);
-		return;
+		return false;
 	}
 
 	forw_packet_aggr->skb->priority = TC_PRIO_CONTROL;
@@ -581,6 +585,8 @@ static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
 			  batadv_iv_send_outstanding_bat_ogm_packet);
 
 	batadv_forw_packet_ogmv1_queue(bat_priv, forw_packet_aggr, send_time);
+
+	return true;
 }
 
 /* aggregate a new packet into the existing ogm packet */
@@ -610,8 +616,10 @@ static void batadv_iv_ogm_aggregate(struct batadv_forw_packet *forw_packet_aggr,
  * @if_outgoing: interface for which the retransmission should be considered
  * @own_packet: true if it is a self-generated ogm
  * @send_time: timestamp (jiffies) when the packet is to be sent
+ *
+ * Return: whether forward packet was scheduled
  */
-static void batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
+static bool batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
 				    unsigned char *packet_buff,
 				    int packet_len,
 				    struct batadv_hard_iface *if_incoming,
@@ -663,14 +671,16 @@ static void batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
 		if (!own_packet && atomic_read(&bat_priv->aggregated_ogms))
 			send_time += max_aggregation_jiffies;
 
-		batadv_iv_ogm_aggregate_new(packet_buff, packet_len,
-					    send_time, direct_link,
-					    if_incoming, if_outgoing,
-					    own_packet);
+		return batadv_iv_ogm_aggregate_new(packet_buff, packet_len,
+						   send_time, direct_link,
+						   if_incoming, if_outgoing,
+						   own_packet);
 	} else {
 		batadv_iv_ogm_aggregate(forw_packet_aggr, packet_buff,
 					packet_len, direct_link);
 		spin_unlock_bh(&bat_priv->forw_bat_list_lock);
+
+		return true;
 	}
 }
 
@@ -782,6 +792,8 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 	u32 seqno;
 	u16 tvlv_len = 0;
 	unsigned long send_time;
+	bool reschedule = false;
+	bool scheduled;
 	int ret;
 
 	lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
@@ -810,11 +822,8 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 						       ogm_buff_len,
 						       BATADV_OGM_HLEN);
 		if (ret < 0) {
-			/* OGMs must be queued even when the buffer allocation for
-			 * TVLVs failed. just fall back to the non-TVLV version
-			 */
-			ret = 0;
-			*ogm_buff_len = BATADV_OGM_HLEN;
+			reschedule = true;
+			goto out;
 		}
 
 		tvlv_len = ret;
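Review bot: the commit message does not mention that a failed TVLV append in batadv_iv_ogm_schedule_buff() no longer falls back to a non-TVLV OGM; the `if (ret < 0)` branch now sets `reschedule = true;` and jumps to out, so the OGM is skipped for one originator interval instead of being queued without TVLVs. Describe this behaviour change in the commit message and keep a short comment in the branch explaining why the OGM is not queued, since the removed comment said the opposite.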
@@ -836,8 +845,11 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 		/* OGMs from secondary interfaces are only scheduled on their
 		 * respective interfaces.
 		 */
-		batadv_iv_ogm_queue_add(bat_priv, *ogm_buff, *ogm_buff_len,
-					hard_iface, hard_iface, 1, send_time);
+		scheduled = batadv_iv_ogm_queue_add(bat_priv, *ogm_buff, *ogm_buff_len,
+						    hard_iface, hard_iface, 1, send_time);
+		if (!scheduled)
+			reschedule = true;
+
 		goto out;
 	}
 
@@ -852,15 +864,28 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 		if (!kref_get_unless_zero(&tmp_hard_iface->refcount))
 			continue;
 
-		batadv_iv_ogm_queue_add(bat_priv, *ogm_buff,
-					*ogm_buff_len, hard_iface,
-					tmp_hard_iface, 1, send_time);
-
+		scheduled = batadv_iv_ogm_queue_add(bat_priv, *ogm_buff,
+						    *ogm_buff_len, hard_iface,
+						    tmp_hard_iface, 1, send_time);
 		batadv_hardif_put(tmp_hard_iface);
+
+		if (!scheduled && tmp_hard_iface == hard_iface)
+			reschedule = true;
 	}
 	rcu_read_unlock();
 
 out:
+	if (reschedule) {
+		/* there was a failure scheduling the own forward packet.
+		 * as result, the batadv_iv_send_outstanding_bat_ogm_packet()
+		 * work item is no longer scheduled. it is therefore necessary
+		 * to reschedule it manually
+		 */
+		queue_delayed_work(batadv_event_workqueue,
+				   &hard_iface->bat_iv.reschedule_work,
+				   msecs_to_jiffies(atomic_read(&bat_priv->orig_interval)));
+	}
+
 	batadv_hardif_put(primary_if);
 }
 
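Review bot: in the interface loop the test `if (!scheduled && tmp_hard_iface == hard_iface)` is placed after batadv_hardif_put(tmp_hard_iface); it is only a pointer comparison, but doing the check before the put makes it obvious that the reference is not used after release. The new comment under `if (reschedule) {` would read better as "as a result", and it should say that only a failure for the interface's own forward packet triggers the recovery work.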
@@ -875,6 +900,17 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
 	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
 }
 
+static void batadv_iv_ogm_reschedule(struct work_struct *work)
+{
+	struct delayed_work *delayed_work = to_delayed_work(work);
+	struct batadv_hard_iface *hard_iface;
+
+	hard_iface = container_of(delayed_work,
+				  struct batadv_hard_iface,
+				  bat_iv.reschedule_work);
+	batadv_iv_ogm_schedule(hard_iface);
+}
+
 /**
  * batadv_iv_orig_ifinfo_sum() - Get bcast_own sum for originator over interface
  * @orig_node: originator which reproadcasted the OGMs directly
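Review bot: batadv_iv_ogm_reschedule() is added without a kernel-doc block although the functions around it carry one; add it with @work described, and note there that the handler re-enters batadv_iv_ogm_schedule() and therefore takes ogm_buff_mutex.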
@@ -2278,6 +2314,8 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
 
 static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
 {
+	INIT_DELAYED_WORK(&hard_iface->bat_iv.reschedule_work, batadv_iv_ogm_reschedule);
+
 	/* begin scheduling originator messages on that interface */
 	batadv_iv_ogm_schedule(hard_iface);
 }
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index afd71f061c409a..41959a4eea7d3f 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -82,6 +82,9 @@ struct batadv_hard_iface_bat_iv {
 	/** @ogm_seqno: OGM sequence number - used to identify each OGM */
 	atomic_t ogm_seqno;
 
+	/** @reschedule_work: recover OGM schedule after schedule error */
+	struct delayed_work reschedule_work;
+
 	/** @ogm_buff_mutex: lock protecting ogm_buff and ogm_buff_len */
 	struct mutex ogm_buff_mutex;
 };
-- 
2.53.0





* [PATCH 6.1 048/522] selftests: forwarding: lib: Add helpers for checksum handling
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Petr Machata, Nikolay Aleksandrov,
	David S. Miller, Ben Hutchings, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Petr Machata <petrm@nvidia.com>

commit 952e0ee38c7215c45192d8c899acd1830873f28b upstream.

In order to generate IGMPv3 and MLDv2 packets on the fly, we will need
helpers to calculate the packet checksum.

The approach presented in this patch revolves around payload templates
for mausezahn. These are mausezahn-like payload strings (01:23:45:...)
with possibly one 2-byte sequence replaced with the word PAYLOAD. The
main function is payload_template_calc_checksum(), which calculates
RFC 1071 checksum of the message. There are further helpers to then
convert the checksum to the payload format, and to expand it.

For IPv6, MLDv2 message checksum is computed using a pseudoheader that
differs from the header used in the payload itself. The fact that the
two messages are different means that the checksum needs to be
returned as a separate quantity, instead of being expanded in-place in
the payload itself. Furthermore, the pseudoheader includes a length of
the message. Much like the checksum, this needs to be expanded in
mausezahn format. And likewise for number of addresses for (S,G)
entries. Thus we have several places where a computed quantity needs
to be presented in the payload format. Add a helper u16_to_bytes(),
which will be used in all these cases.

Signed-off-by: Petr Machata <petrm@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 02cb2e6bacbb ("selftests: forwarding: vxlan_bridge_1d: fix test failure with br_netfilter enabled")
[bwh: Backported to 6.1: adjust context]
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/forwarding/lib.sh | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
index 06027772cf79af..48d913341af267 100755
--- a/tools/testing/selftests/net/forwarding/lib.sh
+++ b/tools/testing/selftests/net/forwarding/lib.sh
@@ -1701,3 +1701,59 @@ hw_stats_monitor_test()
 
 	log_test "${type}_stats notifications"
 }
+
+u16_to_bytes()
+{
+	local u16=$1; shift
+
+	printf "%04x" $u16 | sed 's/^/000/;s/^.*\(..\)\(..\)$/\1:\2/'
+}
+
+# Given a mausezahn-formatted payload (colon-separated bytes given as %02x),
+# possibly with a keyword CHECKSUM stashed where a 16-bit checksum should be,
+# calculate checksum as per RFC 1071, assuming the CHECKSUM field (if any)
+# stands for 00:00.
+payload_template_calc_checksum()
+{
+	local payload=$1; shift
+
+	(
+	    # Set input radix.
+	    echo "16i"
+	    # Push zero for the initial checksum.
+	    echo 0
+
+	    # Pad the payload with a terminating 00: in case we get an odd
+	    # number of bytes.
+	    echo "${payload%:}:00:" |
+		sed 's/CHECKSUM/00:00/g' |
+		tr '[:lower:]' '[:upper:]' |
+		# Add the word to the checksum.
+		sed 's/\(..\):\(..\):/\1\2+\n/g' |
+		# Strip the extra odd byte we pushed if left unconverted.
+		sed 's/\(..\):$//'
+
+	    echo "10000 ~ +"	# Calculate and add carry.
+	    echo "FFFF r - p"	# Bit-flip and print.
+	) |
+	    dc |
+	    tr '[:upper:]' '[:lower:]'
+}
+
+payload_template_expand_checksum()
+{
+	local payload=$1; shift
+	local checksum=$1; shift
+
+	local ckbytes=$(u16_to_bytes $checksum)
+
+	echo "$payload" | sed "s/CHECKSUM/$ckbytes/g"
+}
+
+payload_template_nbytes()
+{
+	local payload=$1; shift
+
+	payload_template_expand_checksum "${payload%:}" 0 |
+		sed 's/:/\n/g' | wc -l
+}
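
Review bot: payload_template_calc_checksum() folds the carry only once
(echo "10000 ~ +"), so a running sum whose high and low halves add up to
more than 0xFFFF is mishandled: 0x1FFFF folds to 0x10000, and the
following "FFFF r - p" then prints -1 instead of the one's complement.
RFC 1071 folding has to repeat until no carry is left; emitting the
"10000 ~ +" step a second time is enough for any sum that fits in 32
bits. Smaller points: $u16 is unquoted in the printf of u16_to_bytes(),
and the commit message calls the template keyword PAYLOAD while the code
matches CHECKSUM.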
-- 
2.53.0





* [PATCH 6.1 049/522] batman-adv: tp_meter: directly shut down timer on cleanup
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 048/522] selftests: forwarding: lib: Add helpers for checksum handling Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 050/522] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
                   ` (473 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit d5487249a81ea658717614009c8f46acc5b7101a upstream.

batadv_tp_sender_cleanup() was calling timer_delete_sync() followed by
timer_delete() to guard against the timer handler re-arming itself between
the two calls. This double-deletion hack relied on the sending status being
set to 0 to suppress re-arming.

Replace both calls with a single timer_shutdown_sync(). This function both
waits for any running timer callback to complete (like timer_delete_sync())
and permanently disarms the timer so it cannot be re-armed afterwards,
making re-arming prevention unconditional and self-documenting.

The re-arming property is also required because otherwise:

1. context 0 (batadv_tp_recv_ack()) checks in
   batadv_tp_reset_sender_timer() if sending is still 1 -> it is
2. context 1 changes in batadv_tp_sender_shutdown() sending to 0 and in
   this process forces the kthread to stop timer in
   batadv_tp_sender_cleanup()
3. context 0 continues in batadv_tp_reset_sender_timer() and rearms the
   timer -> but the reference for it is already gone

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ adapt pre-hunk to old del_timer* names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/tp_meter.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 61e6cb5bce8ec5..707f05aa14791f 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -384,13 +384,7 @@ static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
 	atomic_dec(&tp_vars->bat_priv->tp_num);
 
 	/* kill the timer and remove its reference */
-	del_timer_sync(&tp_vars->timer);
-	/* the worker might have rearmed itself therefore we kill it again. Note
-	 * that if the worker should run again before invoking the following
-	 * del_timer(), it would not re-arm itself once again because the status
-	 * is OFF now
-	 */
-	del_timer(&tp_vars->timer);
+	timer_shutdown_sync(&tp_vars->timer);
 	batadv_tp_vars_put(tp_vars);
 }
 
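
Review bot: the added timer_shutdown_sync(&tp_vars->timer) lands in a tree
where the removed lines still use the old del_timer_sync()/del_timer()
names, so this backport depends on timer_shutdown_sync() being available
in 6.1.y; please confirm the build on this branch. The retained comment
"kill the timer and remove its reference" could also say that the timer
cannot be re-armed afterwards, since that is the property the fix relies
on.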
-- 
2.53.0





* [PATCH 6.1 050/522] batman-adv: tt: fix TOCTOU race for reported vlans
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 049/522] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 051/522] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
                   ` (472 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 94d27005016be15ffc638b2ecbc4d58805ad7b48 upstream.

The local TT based TVLV is generated by first checking the number of VLANs
which have at least one TT entry. A new buffer with the correct size for
the VLANs is then allocated. Only then, the list of VLANs is used to fill
the VLAN entries in the buffer. During this time, the meshif_vlan_list_lock
is held. But the actual number of TT entries of each VLAN can still
increase during this time - just not the number of VLANs in the list.

But the prefilter used in the buffer size calculation might still cause an
increase of the number of VLANs which need to be stored. Simply because a
VLAN might now suddenly have at least one entry when it had none in the
pre-alloc check - and then needs to occupy space which was not allocated.

It is better to overestimate the buffer size at the beginning and then fill
the buffer only with the VLANs which are not empty.

Cc: stable@kernel.org
Fixes: 16116dac2339 ("batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs")
[ Context, drop flex array dependency ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 6c40d690ac6c3a..ac6c05971348d8 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -934,11 +934,8 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
 		vlan_entries = atomic_read(&vlan->tt.num_entries);
-		if (vlan_entries < 1)
-			continue;
-
-		num_vlan++;
 		total_entries += vlan_entries;
+		num_vlan++;
 	}
 
 	change_offset = sizeof(**tt_data);
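
Review bot: with the "vlan_entries < 1" filter removed from this first
loop, num_vlan now deliberately counts empty VLANs so that the allocation
is an upper bound, but nothing in the code says so. A one-line comment
above the loop, stating that the count is an overestimate and is
corrected after the fill loop, would keep someone from re-adding the
filter and bringing back the undersized buffer.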
@@ -964,6 +961,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	(*tt_data)->num_vlan = htons(num_vlan);
 
 	tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+	num_vlan = 0;
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
 		vlan_entries = atomic_read(&vlan->tt.num_entries);
 		if (vlan_entries < 1)
@@ -974,8 +972,16 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 		tt_vlan->reserved = 0;
 
 		tt_vlan++;
+		num_vlan++;
 	}
 
+	/* recalculate in case number of VLANs reduced */
+	change_offset = sizeof(**tt_data);
+	change_offset += num_vlan * sizeof(*tt_vlan);
+	tvlv_len = *tt_len + change_offset;
+
+	(*tt_data)->num_vlan = htons(num_vlan);
+
 	tt_change_ptr = (u8 *)*tt_data + change_offset;
 	*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
 
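
Review bot: the recalculation block after the fill loop stores
(*tt_data)->num_vlan = htons(num_vlan) a second time, which leaves the
store before the loop (the context line just above "num_vlan = 0" in the
previous hunk) writing an overestimated count that is always overwritten.
Dropping the earlier store would make it obvious that only the post-loop
value is kept. The new comment could also mention that tvlv_len is now
smaller than the size the buffer was allocated with.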
-- 
2.53.0





* [PATCH 6.1 051/522] batman-adv: tt: avoid empty VLAN responses
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 050/522] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 052/522] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
                   ` (471 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit fa1bd704940b5bcbc32c0b28db9167405c8ee5e0 upstream.

The commit 16116dac2339 ("batman-adv: prevent TT request storms by not
sending inconsistent TT TLVLs") added checks to the local (direct) TT
response code. But the response can also be done indirectly by another node
using the global TT state. To avoid such inconsistency states reported in
the original fix, also avoid sending empty VLANs for replies from the
global TT state.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
[ Context, drop flex array dependency ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index ac6c05971348d8..e0503c8f24c353 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -843,17 +843,19 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 				   s32 *tt_len)
 {
 	u16 num_vlan = 0;
-	u16 num_entries = 0;
 	u16 tvlv_len = 0;
 	unsigned int change_offset;
 	struct batadv_tvlv_tt_vlan_data *tt_vlan;
 	struct batadv_orig_node_vlan *vlan;
+	u16 total_entries = 0;
 	u8 *tt_change_ptr;
+	int vlan_entries;
 
 	spin_lock_bh(&orig_node->vlan_list_lock);
 	hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
+		vlan_entries = atomic_read(&vlan->tt.num_entries);
+		total_entries += vlan_entries;
 		num_vlan++;
-		num_entries += atomic_read(&vlan->tt.num_entries);
 	}
 
 	change_offset = sizeof(**tt_data);
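
Review bot: total_entries is declared u16 while each vlan_entries is an
int read from an atomic, so "total_entries += vlan_entries" truncates
silently if the per-VLAN counts add up past 65535. The U16_MAX bound
check in the next hunk only sees *tt_len computed from the truncated
value; a wider accumulator that is range-checked before the call to
batadv_tt_len() would close that gap.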
@@ -861,7 +863,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 
 	/* if tt_len is negative, allocate the space needed by the full table */
 	if (*tt_len < 0)
-		*tt_len = batadv_tt_len(num_entries);
+		*tt_len = batadv_tt_len(total_entries);
 
 	if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) {
 		*tt_len = 0;
@@ -882,14 +884,27 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 	(*tt_data)->num_vlan = htons(num_vlan);
 
 	tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+	num_vlan = 0;
 	hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
+		vlan_entries = atomic_read(&vlan->tt.num_entries);
+		if (vlan_entries < 1)
+			continue;
+
 		tt_vlan->vid = htons(vlan->vid);
 		tt_vlan->crc = htonl(vlan->tt.crc);
 		tt_vlan->reserved = 0;
 
 		tt_vlan++;
+		num_vlan++;
 	}
 
+	/* recalculate in case number of VLANs reduced */
+	change_offset = sizeof(**tt_data);
+	change_offset += num_vlan * sizeof(*tt_vlan);
+	tvlv_len = *tt_len + change_offset;
+
+	(*tt_data)->num_vlan = htons(num_vlan);
+
 	tt_change_ptr = (u8 *)*tt_data + change_offset;
 	*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
 
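
Review bot: this post-loop sequence (reset num_vlan, skip
"vlan_entries < 1", recompute change_offset and tvlv_len, store num_vlan
again) is the same block that the previous patch in this series adds to
batadv_tt_prepare_tvlv_local_data(). Two copies of size arithmetic that
decides where tt_change_ptr points are easy to let drift apart; a shared
helper taking the header pointer and the final VLAN count would keep the
local and global paths in step.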
-- 
2.53.0





* [PATCH 6.1 052/522] batman-adv: bla: avoid double decrement of bla.num_requests
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 051/522] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 053/522] mm/page_alloc: clear page->private in free_pages_prepare() Greg Kroah-Hartman
                   ` (470 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 83ab69bd12b80f6ea169c8bea6977701b53a043d upstream.

The bla.num_requests is increased when no request_sent was in progress. And
it is decremented in various places (announcement was received, backbone is
purged, periodic work). But the check if the request_sent is actually set
to a specific state and the atomic_dec/_inc are not safe because they are
not atomic (TOCTOU) and multiple such code portions can run concurrently.

At the same time, it is necessary to modify request_sent (state) and
bla.num_requests atomically. Otherwise batadv_bla_send_request() might set
request_sent to 1 and is interrupted.  batadv_handle_announce() can then
set request_sent back to 0 and decrement num_requests before
batadv_bla_send_request() incremented it.

The two operations must therefore be locked. And since state (request_sent)
and wait_periods are only accessed inside this lock, they can be converted
to simpler datatypes. And to avoid that the bla.num_requests is touched by
a parallel running context with a valid backbone_gw reference after
batadv_bla_purge_backbone_gw() ran, a third state "stopped" is required to
correctly signal that a backbone_gw is in the state of being cleaned up.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bridge_loop_avoidance.c | 51 ++++++++++++++++++--------
 net/batman-adv/soft-interface.c        |  1 +
 net/batman-adv/types.h                 | 39 ++++++++++++++++----
 3 files changed, 67 insertions(+), 24 deletions(-)

diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 76d8c91c156a3b..cfb1eb25c6ac4d 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -516,8 +516,8 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, const u8 *orig,
 	entry->crc = BATADV_BLA_CRC_INIT;
 	entry->bat_priv = bat_priv;
 	spin_lock_init(&entry->crc_lock);
-	atomic_set(&entry->request_sent, 0);
-	atomic_set(&entry->wait_periods, 0);
+	entry->state = BATADV_BLA_BACKBONE_GW_SYNCED;
+	entry->wait_periods = 0;
 	ether_addr_copy(entry->orig, orig);
 	INIT_WORK(&entry->report_work, batadv_bla_loopdetect_report);
 	kref_init(&entry->refcount);
@@ -546,9 +546,13 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, const u8 *orig,
 		batadv_bla_send_announce(bat_priv, entry);
 
 		/* this will be decreased in the worker thread */
-		atomic_inc(&entry->request_sent);
-		atomic_set(&entry->wait_periods, BATADV_BLA_WAIT_PERIODS);
-		atomic_inc(&bat_priv->bla.num_requests);
+		spin_lock_bh(&bat_priv->bla.num_requests_lock);
+		if (entry->state == BATADV_BLA_BACKBONE_GW_SYNCED) {
+			entry->state = BATADV_BLA_BACKBONE_GW_UNSYNCED;
+			entry->wait_periods = BATADV_BLA_WAIT_PERIODS;
+			atomic_inc(&bat_priv->bla.num_requests);
+		}
+		spin_unlock_bh(&bat_priv->bla.num_requests_lock);
 	}
 
 	return entry;
@@ -651,10 +655,12 @@ static void batadv_bla_send_request(struct batadv_bla_backbone_gw *backbone_gw)
 			      backbone_gw->vid, BATADV_CLAIM_TYPE_REQUEST);
 
 	/* no local broadcasts should be sent or received, for now. */
-	if (!atomic_read(&backbone_gw->request_sent)) {
+	spin_lock_bh(&backbone_gw->bat_priv->bla.num_requests_lock);
+	if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_SYNCED) {
+		backbone_gw->state = BATADV_BLA_BACKBONE_GW_UNSYNCED;
 		atomic_inc(&backbone_gw->bat_priv->bla.num_requests);
-		atomic_set(&backbone_gw->request_sent, 1);
 	}
+	spin_unlock_bh(&backbone_gw->bat_priv->bla.num_requests_lock);
 }
 
 /**
@@ -875,10 +881,12 @@ static bool batadv_handle_announce(struct batadv_priv *bat_priv, u8 *an_addr,
 		/* if we have sent a request and the crc was OK,
 		 * we can allow traffic again.
 		 */
-		if (atomic_read(&backbone_gw->request_sent)) {
+		spin_lock_bh(&bat_priv->bla.num_requests_lock);
+		if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_UNSYNCED) {
+			backbone_gw->state = BATADV_BLA_BACKBONE_GW_SYNCED;
 			atomic_dec(&backbone_gw->bat_priv->bla.num_requests);
-			atomic_set(&backbone_gw->request_sent, 0);
 		}
+		spin_unlock_bh(&bat_priv->bla.num_requests_lock);
 	}
 
 	batadv_backbone_gw_put(backbone_gw);
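
Review bot: inside the new critical section the lock is taken through
bat_priv->bla.num_requests_lock while the counter is decremented through
backbone_gw->bat_priv->bla.num_requests. Mixing the two spellings makes
it harder to verify at a glance that the lock and the counter belong to
the same batadv_priv; use one of them for both, here and in the
batadv_bla_periodic_work() hunk.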
@@ -1257,9 +1265,13 @@ static void batadv_bla_purge_backbone_gw(struct batadv_priv *bat_priv, int now)
 				purged = true;
 
 				/* don't wait for the pending request anymore */
-				if (atomic_read(&backbone_gw->request_sent))
+				spin_lock_bh(&bat_priv->bla.num_requests_lock);
+				if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_UNSYNCED)
 					atomic_dec(&bat_priv->bla.num_requests);
 
+				backbone_gw->state = BATADV_BLA_BACKBONE_GW_STOPPED;
+				spin_unlock_bh(&bat_priv->bla.num_requests_lock);
+
 				batadv_bla_del_backbone_claims(backbone_gw);
 
 				hlist_del_rcu(&backbone_gw->hash_entry);
@@ -1510,7 +1522,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
 				batadv_bla_send_loopdetect(bat_priv,
 							   backbone_gw);
 
-			/* request_sent is only set after creation to avoid
+			/* state is only set to unsynced after creation to avoid
 			 * problems when we are not yet known as backbone gw
 			 * in the backbone.
 			 *
@@ -1519,14 +1531,21 @@ static void batadv_bla_periodic_work(struct work_struct *work)
 			 * some grace time.
 			 */
 
-			if (atomic_read(&backbone_gw->request_sent) == 0)
-				continue;
+			spin_lock_bh(&bat_priv->bla.num_requests_lock);
+			if (backbone_gw->state != BATADV_BLA_BACKBONE_GW_UNSYNCED)
+				goto unlock_next;
 
-			if (!atomic_dec_and_test(&backbone_gw->wait_periods))
-				continue;
+			if (backbone_gw->wait_periods > 0)
+				backbone_gw->wait_periods--;
+
+			if (backbone_gw->wait_periods > 0)
+				goto unlock_next;
 
+			backbone_gw->state = BATADV_BLA_BACKBONE_GW_SYNCED;
 			atomic_dec(&backbone_gw->bat_priv->bla.num_requests);
-			atomic_set(&backbone_gw->request_sent, 0);
+
+unlock_next:
+			spin_unlock_bh(&bat_priv->bla.num_requests_lock);
 		}
 		rcu_read_unlock();
 	}
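
Review bot: the open-coded countdown changes what happens when
wait_periods is already 0 on entry. The removed
atomic_dec_and_test(&backbone_gw->wait_periods) would take 0 to -1,
return false and continue; the new code skips the decrement, fails the
second "wait_periods > 0" test and falls through to set
BATADV_BLA_BACKBONE_GW_SYNCED and decrement num_requests. The
batadv_bla_send_request() hunk moves an entry to UNSYNCED without
touching wait_periods, so please confirm that such entries are never
visited by this loop, or say in the comment that the early resync is
intended.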
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index d7b525a495e451..c0549abcae7a64 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -785,6 +785,7 @@ static int batadv_softif_init_late(struct net_device *dev)
 	atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
 #ifdef CONFIG_BATMAN_ADV_BLA
 	atomic_set(&bat_priv->bla.num_requests, 0);
+	spin_lock_init(&bat_priv->bla.num_requests_lock);
 #endif
 	atomic_set(&bat_priv->tp_num, 0);
 
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 41959a4eea7d3f..12fbcc89581adf 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1026,6 +1026,12 @@ struct batadv_priv_bla {
 	/** @num_requests: number of bla requests in flight */
 	atomic_t num_requests;
 
+	/**
+	 * @num_requests_lock: locks update num_requests +
+	 * batadv_backbone_gw::state + batadv_backbone_gw::wait_periods update
+	 */
+	spinlock_t num_requests_lock;
+
 	/**
 	 * @claim_hash: hash table containing mesh nodes this host has claimed
 	 */
@@ -1748,6 +1754,27 @@ struct batadv_priv {
 
 #ifdef CONFIG_BATMAN_ADV_BLA
 
+enum batadv_bla_backbone_gw_state {
+	/**
+	 * @BATADV_BLA_BACKBONE_GW_STOPPED: backbone gw is being removed
+	 * and it must not longer work on requests
+	 */
+	BATADV_BLA_BACKBONE_GW_STOPPED,
+
+	/**
+	 * @BATADV_BLA_BACKBONE_GW_UNSYNCED: backbone was detected out
+	 * of sync and a request was send. No traffic is forwarded until the
+	 * situation is resolved
+	 */
+	BATADV_BLA_BACKBONE_GW_UNSYNCED,
+
+	/**
+	 * @BATADV_BLA_BACKBONE_GW_SYNCED: backbone is consider to be in
+	 * sync. traffic can be forwarded
+	 */
+	BATADV_BLA_BACKBONE_GW_SYNCED,
+};
+
 /**
  * struct batadv_bla_backbone_gw - batman-adv gateway bridged into the LAN
  */
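
Review bot: enum batadv_bla_backbone_gw_state gets a kernel-doc comment
for each member but no "/** enum batadv_bla_backbone_gw_state - ..."
header of its own, unlike the struct directly below it, so the member
descriptions are not tied to a description of the enum. The member text
also has a few slips ("must not longer", "a request was send", "is
consider to be"), and it would help to state whether STOPPED being the
zero value is intentional.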
@@ -1773,16 +1800,12 @@ struct batadv_bla_backbone_gw {
 	/**
 	 * @wait_periods: grace time for bridge forward delays and bla group
 	 *  forming at bootup phase - no bcast traffic is formwared until it has
-	 *  elapsed
+	 *  elapsed. Must only be access with num_requests_lock.
 	 */
-	atomic_t wait_periods;
+	u8 wait_periods;
 
-	/**
-	 * @request_sent: if this bool is set to true we are out of sync with
-	 *  this backbone gateway - no bcast traffic is formwared until the
-	 *  situation was resolved
-	 */
-	atomic_t request_sent;
+	/** @state: sync state. Must only be access with num_requests_lock. */
+	enum batadv_bla_backbone_gw_state state;
 
 	/** @crc: crc16 checksum over all claims */
 	u16 crc;
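
Review bot: wait_periods is narrowed from atomic_t to u8, so
BATADV_BLA_WAIT_PERIODS has to fit in 8 bits; the constant is not visible
in this patch, and a BUILD_BUG_ON or a remark in the kernel-doc would
make that assumption explicit. The two new doc sentences should read
"Must only be accessed with num_requests_lock held".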
-- 
2.53.0





* [PATCH 6.1 053/522] mm/page_alloc: clear page->private in free_pages_prepare()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 052/522] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 054/522] selftests/bpf: add generic BPF program tester-loader Greg Kroah-Hartman
                   ` (469 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mikhail Gavrilov, Zi Yan,
	David Hildenbrand (Arm), Vlastimil Babka, Brendan Jackman,
	Chris Li, Hugh Dickins, Johannes Weiner, Kairui Song,
	Matthew Wilcox (Oracle), Michal Hocko, Nicholas Piggin,
	Suren Baghdasaryan, Andrew Morton, Li Wang, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>

[ Upstream commit ac1ea219590c09572ed5992dc233bbf7bb70fef9 ]

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages.  When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.

This causes a use-after-free in the swap subsystem.  The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0.  When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:

  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
  RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.

Link: https://lkml.kernel.org/r/20260207173615.146159-1-mikhail.v.gavrilov@gmail.com
Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Suggested-by: Zi Yan <ziy@nvidia.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Chris Li <chrisl@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[backport: context only]
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/page_alloc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 4c17b9ceff8099..93c63b5fad2889 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1483,6 +1483,7 @@ static __always_inline bool free_pages_prepare(struct page *page,
 
 	page_cpupid_reset_last(page);
 	page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
+	page->private = 0;
 	reset_page_owner(page, order);
 	page_table_check_free(page, order);
 
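
Review bot: "page->private = 0" clears only the page passed in, although
free_pages_prepare() also receives an order and the commit message
describes the stale values surfacing on tail pages after split_page(). A
short comment next to the assignment should say why clearing this one
page at free time is sufficient, or the tail pages should be cleared for
order > 0 as well. The set_page_private() helper would also be the more
conventional way to write the store.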
-- 
2.53.0





* [PATCH 6.1 054/522] selftests/bpf: add generic BPF program tester-loader
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 053/522] mm/page_alloc: clear page->private in free_pages_prepare() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 055/522] selftests/bpf: Convert test_global_funcs test to test_loader framework Greg Kroah-Hartman
                   ` (468 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Fastabend, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 537c3f66eac137a02ec50a40219d2da6597e5dc9 ]

It's become a common pattern to have a collection of small BPF programs
in one BPF object file, each representing one test case. On user-space
side of such tests we maintain a table of program names and expected
failure or success, along with optional expected verifier log message.

This works, but each set of tests reimplements this mundane code over and
over again, which is a waste of time for anyone trying to add a new set
of tests. Furthermore, it's quite error prone as it's way too easy to miss
some entries in these manually maintained test tables (as evidenced by
dynptr_fail tests, in which ringbuf_release_uninit_dynptr subtest was
accidentally missed; this is fixed in next patch).

So this patch implements generic test_loader, which accepts skeleton
name and handles the rest of details: opens and loads BPF object file,
making sure each program is tested in isolation. Optionally each test
case can specify expected BPF verifier log message. In case of failure,
tester makes sure to report verifier log, but it also reports verifier
log in verbose mode unconditionally.

Now, the interesting deviation from existing custom implementations is
the use of btf_decl_tag attribute to specify expected-to-fail vs
expected-to-succeed markers and, optionally, expected log message
directly next to BPF program source code, eliminating the need to
manually create and update table of tests.

We define a few macros wrapping btf_decl_tag with a convention that all
values of btf_decl_tag start with "comment:" prefix, and then utilizing
a very simple "just_some_text_tag" or "some_key_name=<value>" pattern to
define things like expected success/failure, expected verifier message,
extra verifier log level (if necessary). This approach is demonstrated
by next patch in which two existing sets of failure tests are converted.

Tester supports both expected-to-fail and expected-to-succeed programs,
though this patch set didn't convert any existing expected-to-succeed
programs yet, as existing tests couple BPF program loading with their
further execution through attach or test_prog_run. One way to allow
testing scenarios like this would be ability to specify custom callback,
executed for each successfully loaded BPF program. This is left for
follow up patches, after some more analysis of existing test cases.

This test_loader is, hopefully, a start of a test_verifier-like runner,
but integrated into test_progs infrastructure. It will allow much better
"user experience" of defining low-level verification tests that can take
advantage of all the libbpf-provided nicety features on BPF side: global
variables, declarative maps, etc.  All while having a choice of defining
it in C or as BPF assembly (through __attribute__((naked)) functions and
using embedded asm), depending on what makes most sense in each
particular case. This will be explored in follow up patches as well.

Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20221207201648.2990661-1-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Stable-dep-of: 95ebb376176c ("selftests/bpf: Convert test_global_funcs test to test_loader framework")
[ Note: Minor conflict in Makefile. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/Makefile         |   2 +-
 tools/testing/selftests/bpf/progs/bpf_misc.h |   5 +
 tools/testing/selftests/bpf/test_loader.c    | 233 +++++++++++++++++++
 tools/testing/selftests/bpf/test_progs.h     |  33 +++
 4 files changed, 272 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/bpf/test_loader.c

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index b09205d925114a..541f251036ae7b 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -519,7 +519,7 @@ TRUNNER_BPF_PROGS_DIR := progs
 TRUNNER_EXTRA_SOURCES := test_progs.c cgroup_helpers.c trace_helpers.c	\
 			 network_helpers.c testing_helpers.c		\
 			 btf_helpers.c flow_dissector_load.h		\
-			 cap_helpers.c
+			 cap_helpers.c test_loader.c
 TRUNNER_EXTRA_FILES := $(OUTPUT)/urandom_read $(OUTPUT)/bpf_testmod.ko	\
 		       $(OUTPUT)/liburandom_read.so			\
 		       $(OUTPUT)/xdp_synproxy				\
diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
index 5bb11fe595a439..4a01ea9113bfd7 100644
--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
+++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
@@ -2,6 +2,11 @@
 #ifndef __BPF_MISC_H__
 #define __BPF_MISC_H__
 
+#define __msg(msg)		__attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+#define __failure		__attribute__((btf_decl_tag("comment:test_expect_failure")))
+#define __success		__attribute__((btf_decl_tag("comment:test_expect_success")))
+#define __log_level(lvl)	__attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
+
 #if defined(__TARGET_ARCH_x86)
 #define SYSCALL_WRAPPER 1
 #define SYS_PREFIX "__x64_"
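Review bot: The four tag macros are added without any comment, and the strings they emit ("comment:test_expect_msg=", "comment:test_expect_failure", and so on) are repeated by hand as the TEST_TAG_* defines in test_loader.c, so nothing ties the BPF-side and loader-side spellings together. A short comment above __msg naming parse_test_spec() as the consumer would help. parse_test_spec() skips any decl tag it does not recognise, so a mismatch in the msg prefix would leave expect_msg NULL and the message check would be skipped without a diagnostic.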
diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
new file mode 100644
index 00000000000000..679efb3aa785e3
--- /dev/null
+++ b/tools/testing/selftests/bpf/test_loader.c
@@ -0,0 +1,233 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
+#include <stdlib.h>
+#include <test_progs.h>
+#include <bpf/btf.h>
+
+#define str_has_pfx(str, pfx) \
+	(strncmp(str, pfx, __builtin_constant_p(pfx) ? sizeof(pfx) - 1 : strlen(pfx)) == 0)
+
+#define TEST_LOADER_LOG_BUF_SZ 1048576
+
+#define TEST_TAG_EXPECT_FAILURE "comment:test_expect_failure"
+#define TEST_TAG_EXPECT_SUCCESS "comment:test_expect_success"
+#define TEST_TAG_EXPECT_MSG_PFX "comment:test_expect_msg="
+#define TEST_TAG_LOG_LEVEL_PFX "comment:test_log_level="
+
+struct test_spec {
+	const char *name;
+	bool expect_failure;
+	const char *expect_msg;
+	int log_level;
+};
+
+static int tester_init(struct test_loader *tester)
+{
+	if (!tester->log_buf) {
+		tester->log_buf_sz = TEST_LOADER_LOG_BUF_SZ;
+		tester->log_buf = malloc(tester->log_buf_sz);
+		if (!ASSERT_OK_PTR(tester->log_buf, "tester_log_buf"))
+			return -ENOMEM;
+	}
+
+	return 0;
+}
+
+void test_loader_fini(struct test_loader *tester)
+{
+	if (!tester)
+		return;
+
+	free(tester->log_buf);
+}
+
+static int parse_test_spec(struct test_loader *tester,
+			   struct bpf_object *obj,
+			   struct bpf_program *prog,
+			   struct test_spec *spec)
+{
+	struct btf *btf;
+	int func_id, i;
+
+	memset(spec, 0, sizeof(*spec));
+
+	spec->name = bpf_program__name(prog);
+
+	btf = bpf_object__btf(obj);
+	if (!btf) {
+		ASSERT_FAIL("BPF object has no BTF");
+		return -EINVAL;
+	}
+
+	func_id = btf__find_by_name_kind(btf, spec->name, BTF_KIND_FUNC);
+	if (func_id < 0) {
+		ASSERT_FAIL("failed to find FUNC BTF type for '%s'", spec->name);
+		return -EINVAL;
+	}
+
+	for (i = 1; i < btf__type_cnt(btf); i++) {
+		const struct btf_type *t;
+		const char *s;
+
+		t = btf__type_by_id(btf, i);
+		if (!btf_is_decl_tag(t))
+			continue;
+
+		if (t->type != func_id || btf_decl_tag(t)->component_idx != -1)
+			continue;
+
+		s = btf__str_by_offset(btf, t->name_off);
+		if (strcmp(s, TEST_TAG_EXPECT_FAILURE) == 0) {
+			spec->expect_failure = true;
+		} else if (strcmp(s, TEST_TAG_EXPECT_SUCCESS) == 0) {
+			spec->expect_failure = false;
+		} else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX)) {
+			spec->expect_msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX) - 1;
+		} else if (str_has_pfx(s, TEST_TAG_LOG_LEVEL_PFX)) {
+			errno = 0;
+			spec->log_level = strtol(s + sizeof(TEST_TAG_LOG_LEVEL_PFX) - 1, NULL, 0);
+			if (errno) {
+				ASSERT_FAIL("failed to parse test log level from '%s'", s);
+				return -EINVAL;
+			}
+		}
+	}
+
+	return 0;
+}
+
+static void prepare_case(struct test_loader *tester,
+			 struct test_spec *spec,
+			 struct bpf_object *obj,
+			 struct bpf_program *prog)
+{
+	int min_log_level = 0;
+
+	if (env.verbosity > VERBOSE_NONE)
+		min_log_level = 1;
+	if (env.verbosity > VERBOSE_VERY)
+		min_log_level = 2;
+
+	bpf_program__set_log_buf(prog, tester->log_buf, tester->log_buf_sz);
+
+	/* Make sure we set at least minimal log level, unless test requirest
+	 * even higher level already. Make sure to preserve independent log
+	 * level 4 (verifier stats), though.
+	 */
+	if ((spec->log_level & 3) < min_log_level)
+		bpf_program__set_log_level(prog, (spec->log_level & 4) | min_log_level);
+	else
+		bpf_program__set_log_level(prog, spec->log_level);
+
+	tester->log_buf[0] = '\0';
+}
+
+static void emit_verifier_log(const char *log_buf, bool force)
+{
+	if (!force && env.verbosity == VERBOSE_NONE)
+		return;
+	fprintf(stdout, "VERIFIER LOG:\n=============\n%s=============\n", log_buf);
+}
+
+static void validate_case(struct test_loader *tester,
+			  struct test_spec *spec,
+			  struct bpf_object *obj,
+			  struct bpf_program *prog,
+			  int load_err)
+{
+	if (spec->expect_msg) {
+		char *match;
+
+		match = strstr(tester->log_buf, spec->expect_msg);
+		if (!ASSERT_OK_PTR(match, "expect_msg")) {
+			/* if we are in verbose mode, we've already emitted log */
+			if (env.verbosity == VERBOSE_NONE)
+				emit_verifier_log(tester->log_buf, true /*force*/);
+			fprintf(stderr, "EXPECTED MSG: '%s'\n", spec->expect_msg);
+			return;
+		}
+	}
+}
+
+/* this function is forced noinline and has short generic name to look better
+ * in test_progs output (in case of a failure)
+ */
+static noinline
+void run_subtest(struct test_loader *tester,
+		 const char *skel_name,
+		 skel_elf_bytes_fn elf_bytes_factory)
+{
+	LIBBPF_OPTS(bpf_object_open_opts, open_opts, .object_name = skel_name);
+	struct bpf_object *obj = NULL, *tobj;
+	struct bpf_program *prog, *tprog;
+	const void *obj_bytes;
+	size_t obj_byte_cnt;
+	int err;
+
+	if (tester_init(tester) < 0)
+		return; /* failed to initialize tester */
+
+	obj_bytes = elf_bytes_factory(&obj_byte_cnt);
+	obj = bpf_object__open_mem(obj_bytes, obj_byte_cnt, &open_opts);
+	if (!ASSERT_OK_PTR(obj, "obj_open_mem"))
+		return;
+
+	bpf_object__for_each_program(prog, obj) {
+		const char *prog_name = bpf_program__name(prog);
+		struct test_spec spec;
+
+		if (!test__start_subtest(prog_name))
+			continue;
+
+		/* if we can't derive test specification, go to the next test */
+		err = parse_test_spec(tester, obj, prog, &spec);
+		if (!ASSERT_OK(err, "parse_test_spec"))
+			continue;
+
+		tobj = bpf_object__open_mem(obj_bytes, obj_byte_cnt, &open_opts);
+		if (!ASSERT_OK_PTR(tobj, "obj_open_mem")) /* shouldn't happen */
+			continue;
+
+		bpf_object__for_each_program(tprog, tobj)
+			bpf_program__set_autoload(tprog, false);
+
+		bpf_object__for_each_program(tprog, tobj) {
+			/* only load specified program */
+			if (strcmp(bpf_program__name(tprog), prog_name) == 0) {
+				bpf_program__set_autoload(tprog, true);
+				break;
+			}
+		}
+
+		prepare_case(tester, &spec, tobj, tprog);
+
+		err = bpf_object__load(tobj);
+		if (spec.expect_failure) {
+			if (!ASSERT_ERR(err, "unexpected_load_success")) {
+				emit_verifier_log(tester->log_buf, false /*force*/);
+				goto tobj_cleanup;
+			}
+		} else {
+			if (!ASSERT_OK(err, "unexpected_load_failure")) {
+				emit_verifier_log(tester->log_buf, true /*force*/);
+				goto tobj_cleanup;
+			}
+		}
+
+		emit_verifier_log(tester->log_buf, false /*force*/);
+		validate_case(tester, &spec, tobj, tprog, err);
+
+tobj_cleanup:
+		bpf_object__close(tobj);
+	}
+
+	bpf_object__close(obj);
+}
+
+void test_loader__run_subtests(struct test_loader *tester,
+			       const char *skel_name,
+			       skel_elf_bytes_fn elf_bytes_factory)
+{
+	/* see comment in run_subtest() for why we do this function nesting */
+	run_subtest(tester, skel_name, elf_bytes_factory);
+}
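Review bot: In parse_test_spec(), the log-level branch calls strtol() with a NULL endptr and checks only errno, which is not guaranteed to be set when no digits are converted, so a tag such as "comment:test_log_level=abc" or one with an empty value can parse as 0 without reaching the "failed to parse test log level" ASSERT_FAIL. Passing an endptr and rejecting the value when nothing was consumed or trailing characters remain would make that error path reachable for malformed input. In the same loop, spec->expect_msg is a single pointer, so a function carrying two __msg tags keeps only the last one seen; either document that limit or fail on the second occurrence.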
diff --git a/tools/testing/selftests/bpf/test_progs.h b/tools/testing/selftests/bpf/test_progs.h
index feb14f14006d98..ff1caffefa5256 100644
--- a/tools/testing/selftests/bpf/test_progs.h
+++ b/tools/testing/selftests/bpf/test_progs.h
@@ -1,4 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __TEST_PROGS_H
+#define __TEST_PROGS_H
+
 #include <stdio.h>
 #include <unistd.h>
 #include <errno.h>
@@ -210,6 +213,12 @@ int test__join_cgroup(const char *path);
 #define CHECK_ATTR(condition, tag, format...) \
 	_CHECK(condition, tag, tattr.duration, format)
 
+#define ASSERT_FAIL(fmt, args...) ({					\
+	static int duration = 0;					\
+	CHECK(false, "", fmt"\n", ##args);				\
+	false;								\
+})
+
 #define ASSERT_TRUE(actual, name) ({					\
 	static int duration = 0;					\
 	bool ___ok = (actual);						\
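Review bot: ASSERT_FAIL expands to CHECK(false, "", ...), and whether that records a test failure depends on the polarity of CHECK's first argument, which is not visible in this hunk. If CHECK treats a true condition as the failing case, this macro prints its message without marking the test as failed, and the callers in test_loader.c would depend solely on their -EINVAL return reaching ASSERT_OK(err, "parse_test_spec"). Please confirm against the _CHECK definition and add a comment stating the intended behaviour.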
@@ -395,3 +404,27 @@ int write_sysctl(const char *sysctl, const char *value);
 #endif
 
 #define BPF_TESTMOD_TEST_FILE "/sys/kernel/bpf_testmod"
+
+struct test_loader {
+	char *log_buf;
+	size_t log_buf_sz;
+
+	struct bpf_object *obj;
+};
+
+typedef const void *(*skel_elf_bytes_fn)(size_t *sz);
+
+extern void test_loader__run_subtests(struct test_loader *tester,
+				      const char *skel_name,
+				      skel_elf_bytes_fn elf_bytes_factory);
+
+extern void test_loader_fini(struct test_loader *tester);
+
+#define RUN_TESTS(skel) ({						       \
+	struct test_loader tester = {};					       \
+									       \
+	test_loader__run_subtests(&tester, #skel, skel##__elf_bytes);	       \
+	test_loader_fini(&tester);					       \
+})
+
+#endif /* __TEST_PROGS_H */
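Review bot: struct test_loader gains an obj member that nothing in this patch reads or writes (run_subtest() keeps its bpf_object pointers in locals), so it should be dropped or given a comment saying what it is reserved for. The two exported functions would also benefit from a comment on buffer ownership: log_buf is allocated lazily by tester_init() on the first run and released only by test_loader_fini(), which RUN_TESTS pairs up but a direct caller of test_loader__run_subtests() has to know about.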
-- 
2.53.0





* [PATCH 6.1 055/522] selftests/bpf: Convert test_global_funcs test to test_loader framework
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 054/522] selftests/bpf: add generic BPF program tester-loader Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 056/522] Revert "selftests/bpf: Workaround strict bpf_lsm return value check." Greg Kroah-Hartman
                   ` (467 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Daniel Borkmann,
	Stanislav Fomichev, Paul Chaignon, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 95ebb376176c52382293e05e63f142114a5e40ef ]

Convert 17 test_global_funcs subtests into the test_loader framework for
easier maintenance and a more declarative way to define expected
failures/successes.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/20230216045954.3002473-3-andrii@kernel.org
Fixes: bbac91d57ac2 ("bpf: Allow reads from uninit stack")
[ Notes: This backport fixes backport commit bbac91d57ac2 ("bpf: Allow
  reads from uninit stack"), which broke the BPF selftest build. A minor
  conflict needed resolution in test_global_func10.c on the error
  message. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../bpf/prog_tests/test_global_funcs.c        | 131 +++++-------------
 .../selftests/bpf/progs/test_global_func1.c   |   6 +-
 .../selftests/bpf/progs/test_global_func10.c  |   1 +
 .../selftests/bpf/progs/test_global_func11.c  |   4 +-
 .../selftests/bpf/progs/test_global_func12.c  |   4 +-
 .../selftests/bpf/progs/test_global_func13.c  |   4 +-
 .../selftests/bpf/progs/test_global_func14.c  |   4 +-
 .../selftests/bpf/progs/test_global_func15.c  |   4 +-
 .../selftests/bpf/progs/test_global_func16.c  |   4 +-
 .../selftests/bpf/progs/test_global_func17.c  |   4 +-
 .../selftests/bpf/progs/test_global_func2.c   |  43 +++++-
 .../selftests/bpf/progs/test_global_func3.c   |  10 +-
 .../selftests/bpf/progs/test_global_func4.c   |  55 +++++++-
 .../selftests/bpf/progs/test_global_func5.c   |   4 +-
 .../selftests/bpf/progs/test_global_func6.c   |   4 +-
 .../selftests/bpf/progs/test_global_func7.c   |   4 +-
 .../selftests/bpf/progs/test_global_func8.c   |   4 +-
 .../selftests/bpf/progs/test_global_func9.c   |   4 +-
 18 files changed, 172 insertions(+), 122 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/test_global_funcs.c b/tools/testing/selftests/bpf/prog_tests/test_global_funcs.c
index 7295cc60f72487..2ff4d5c7abfceb 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_global_funcs.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_global_funcs.c
@@ -1,104 +1,41 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Copyright (c) 2020 Facebook */
 #include <test_progs.h>
-
-const char *err_str;
-bool found;
-
-static int libbpf_debug_print(enum libbpf_print_level level,
-			      const char *format, va_list args)
-{
-	char *log_buf;
-
-	if (level != LIBBPF_WARN ||
-	    strcmp(format, "libbpf: \n%s\n")) {
-		vprintf(format, args);
-		return 0;
-	}
-
-	log_buf = va_arg(args, char *);
-	if (!log_buf)
-		goto out;
-	if (err_str && strstr(log_buf, err_str) == 0)
-		found = true;
-out:
-	printf(format, log_buf);
-	return 0;
-}
-
-extern int extra_prog_load_log_flags;
-
-static int check_load(const char *file)
-{
-	struct bpf_object *obj = NULL;
-	struct bpf_program *prog;
-	int err;
-
-	found = false;
-
-	obj = bpf_object__open_file(file, NULL);
-	err = libbpf_get_error(obj);
-	if (err)
-		return err;
-
-	prog = bpf_object__next_program(obj, NULL);
-	if (!prog) {
-		err = -ENOENT;
-		goto err_out;
-	}
-
-	bpf_program__set_flags(prog, BPF_F_TEST_RND_HI32);
-	bpf_program__set_log_level(prog, extra_prog_load_log_flags);
-
-	err = bpf_object__load(obj);
-
-err_out:
-	bpf_object__close(obj);
-	return err;
-}
-
-struct test_def {
-	const char *file;
-	const char *err_str;
-};
+#include "test_global_func1.skel.h"
+#include "test_global_func2.skel.h"
+#include "test_global_func3.skel.h"
+#include "test_global_func4.skel.h"
+#include "test_global_func5.skel.h"
+#include "test_global_func6.skel.h"
+#include "test_global_func7.skel.h"
+#include "test_global_func8.skel.h"
+#include "test_global_func9.skel.h"
+#include "test_global_func10.skel.h"
+#include "test_global_func11.skel.h"
+#include "test_global_func12.skel.h"
+#include "test_global_func13.skel.h"
+#include "test_global_func14.skel.h"
+#include "test_global_func15.skel.h"
+#include "test_global_func16.skel.h"
+#include "test_global_func17.skel.h"
 
 void test_test_global_funcs(void)
 {
-	struct test_def tests[] = {
-		{ "test_global_func1.bpf.o", "combined stack size of 4 calls is 544" },
-		{ "test_global_func2.bpf.o" },
-		{ "test_global_func3.bpf.o", "the call stack of 8 frames" },
-		{ "test_global_func4.bpf.o" },
-		{ "test_global_func5.bpf.o", "expected pointer to ctx, but got PTR" },
-		{ "test_global_func6.bpf.o", "modified ctx ptr R2" },
-		{ "test_global_func7.bpf.o", "foo() doesn't return scalar" },
-		{ "test_global_func8.bpf.o" },
-		{ "test_global_func9.bpf.o" },
-		{ "test_global_func10.bpf.o", "invalid indirect read from stack" },
-		{ "test_global_func11.bpf.o", "Caller passes invalid args into func#1" },
-		{ "test_global_func12.bpf.o", "invalid mem access 'mem_or_null'" },
-		{ "test_global_func13.bpf.o", "Caller passes invalid args into func#1" },
-		{ "test_global_func14.bpf.o", "reference type('FWD S') size cannot be determined" },
-		{ "test_global_func15.bpf.o", "At program exit the register R0 has value" },
-		{ "test_global_func16.bpf.o", "invalid indirect read from stack" },
-		{ "test_global_func17.bpf.o", "Caller passes invalid args into func#1" },
-	};
-	libbpf_print_fn_t old_print_fn = NULL;
-	int err, i, duration = 0;
-
-	old_print_fn = libbpf_set_print(libbpf_debug_print);
-
-	for (i = 0; i < ARRAY_SIZE(tests); i++) {
-		const struct test_def *test = &tests[i];
-
-		if (!test__start_subtest(test->file))
-			continue;
-
-		err_str = test->err_str;
-		err = check_load(test->file);
-		CHECK_FAIL(!!err ^ !!err_str);
-		if (err_str)
-			CHECK(found, "", "expected string '%s'", err_str);
-	}
-	libbpf_set_print(old_print_fn);
+	RUN_TESTS(test_global_func1);
+	RUN_TESTS(test_global_func2);
+	RUN_TESTS(test_global_func3);
+	RUN_TESTS(test_global_func4);
+	RUN_TESTS(test_global_func5);
+	RUN_TESTS(test_global_func6);
+	RUN_TESTS(test_global_func7);
+	RUN_TESTS(test_global_func8);
+	RUN_TESTS(test_global_func9);
+	RUN_TESTS(test_global_func10);
+	RUN_TESTS(test_global_func11);
+	RUN_TESTS(test_global_func12);
+	RUN_TESTS(test_global_func13);
+	RUN_TESTS(test_global_func14);
+	RUN_TESTS(test_global_func15);
+	RUN_TESTS(test_global_func16);
+	RUN_TESTS(test_global_func17);
 }
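Review bot: The removed check_load() set BPF_F_TEST_RND_HI32 on each program and applied extra_prog_load_log_flags, and nothing in the RUN_TESTS path from the previous patch does the same (prepare_case() only sets the log buffer and log level), so these 17 subtests now load with different flags. The commit message should say whether dropping BPF_F_TEST_RND_HI32 is intentional. Subtest names also change from object file names such as "test_global_func1.bpf.o" to program names, which matters for any allow or deny list keyed on the old names.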
diff --git a/tools/testing/selftests/bpf/progs/test_global_func1.c b/tools/testing/selftests/bpf/progs/test_global_func1.c
index 7b42dad187b894..23970a20b3249d 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func1.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func1.c
@@ -3,10 +3,9 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
-#ifndef MAX_STACK
 #define MAX_STACK (512 - 3 * 32 + 8)
-#endif
 
 static __attribute__ ((noinline))
 int f0(int var, struct __sk_buff *skb)
@@ -39,7 +38,8 @@ int f3(int val, struct __sk_buff *skb, int var)
 }
 
 SEC("tc")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("combined stack size of 4 calls is 544")
+int global_func1(struct __sk_buff *skb)
 {
 	return f0(1, skb) + f1(skb) + f2(2, skb) + f3(3, skb, 4);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_global_func10.c b/tools/testing/selftests/bpf/progs/test_global_func10.c
index d361eba167f6a4..8fba3f3649e227 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func10.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func10.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 struct Small {
 	long x;
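Review bot: This is the only converted program whose hunk adds the bpf_misc.h include without also adding a __failure/__msg or __success annotation or renaming the entry point, while the table removed from test_global_funcs.c expected "invalid indirect read from stack" for test_global_func10.bpf.o. parse_test_spec() zeroes the spec and so defaults to expecting a successful load when no tag is present. Please confirm that the file in the 6.1 tree already carries the annotation (the backport note mentions a conflict on the error message here); otherwise RUN_TESTS(test_global_func10) will expect this program to load.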
diff --git a/tools/testing/selftests/bpf/progs/test_global_func11.c b/tools/testing/selftests/bpf/progs/test_global_func11.c
index ef5277d982d921..283e036dc401e9 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func11.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func11.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 struct S {
 	int x;
@@ -13,7 +14,8 @@ __noinline int foo(const struct S *s)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("Caller passes invalid args into func#1")
+int global_func11(struct __sk_buff *skb)
 {
 	return foo((const void *)skb);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_global_func12.c b/tools/testing/selftests/bpf/progs/test_global_func12.c
index 62343527cc598d..7f159d83c6f673 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func12.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func12.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 struct S {
 	int x;
@@ -13,7 +14,8 @@ __noinline int foo(const struct S *s)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("invalid mem access 'mem_or_null'")
+int global_func12(struct __sk_buff *skb)
 {
 	const struct S s = {.x = skb->len };
 
diff --git a/tools/testing/selftests/bpf/progs/test_global_func13.c b/tools/testing/selftests/bpf/progs/test_global_func13.c
index ff8897c1ac22b4..02ea80da75b573 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func13.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func13.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 struct S {
 	int x;
@@ -16,7 +17,8 @@ __noinline int foo(const struct S *s)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("Caller passes invalid args into func#1")
+int global_func13(struct __sk_buff *skb)
 {
 	const struct S *s = (const struct S *)(0xbedabeda);
 
diff --git a/tools/testing/selftests/bpf/progs/test_global_func14.c b/tools/testing/selftests/bpf/progs/test_global_func14.c
index 698c77199ebf7d..33b7d5efd7b262 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func14.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func14.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 struct S;
 
@@ -14,7 +15,8 @@ __noinline int foo(const struct S *s)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("reference type('FWD S') size cannot be determined")
+int global_func14(struct __sk_buff *skb)
 {
 
 	return foo(NULL);
diff --git a/tools/testing/selftests/bpf/progs/test_global_func15.c b/tools/testing/selftests/bpf/progs/test_global_func15.c
index c19c435988d557..b512d6a6c75e54 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func15.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func15.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __noinline int foo(unsigned int *v)
 {
@@ -12,7 +13,8 @@ __noinline int foo(unsigned int *v)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("At program exit the register R0 has value")
+int global_func15(struct __sk_buff *skb)
 {
 	unsigned int v = 1;
 
diff --git a/tools/testing/selftests/bpf/progs/test_global_func16.c b/tools/testing/selftests/bpf/progs/test_global_func16.c
index 0312d1e8d8c060..e7206304632e15 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func16.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func16.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __noinline int foo(int (*arr)[10])
 {
@@ -12,7 +13,8 @@ __noinline int foo(int (*arr)[10])
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("invalid indirect read from stack")
+int global_func16(struct __sk_buff *skb)
 {
 	int array[10];
 
diff --git a/tools/testing/selftests/bpf/progs/test_global_func17.c b/tools/testing/selftests/bpf/progs/test_global_func17.c
index 2b8b9b8ba0183c..a32e11c7d933ee 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func17.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func17.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 #include <vmlinux.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __noinline int foo(int *p)
 {
@@ -10,7 +11,8 @@ __noinline int foo(int *p)
 const volatile int i;
 
 SEC("tc")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("Caller passes invalid args into func#1")
+int global_func17(struct __sk_buff *skb)
 {
 	return foo((int *)&i);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_global_func2.c b/tools/testing/selftests/bpf/progs/test_global_func2.c
index 2c18d82923a2d5..3dce97fb52a4b7 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func2.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func2.c
@@ -1,4 +1,45 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2020 Facebook */
+#include <stddef.h>
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
 #define MAX_STACK (512 - 3 * 32)
-#include "test_global_func1.c"
+
+static __attribute__ ((noinline))
+int f0(int var, struct __sk_buff *skb)
+{
+	return skb->len;
+}
+
+__attribute__ ((noinline))
+int f1(struct __sk_buff *skb)
+{
+	volatile char buf[MAX_STACK] = {};
+
+	return f0(0, skb) + skb->len;
+}
+
+int f3(int, struct __sk_buff *skb, int);
+
+__attribute__ ((noinline))
+int f2(int val, struct __sk_buff *skb)
+{
+	return f1(skb) + f3(val, skb, 1);
+}
+
+__attribute__ ((noinline))
+int f3(int val, struct __sk_buff *skb, int var)
+{
+	volatile char buf[MAX_STACK] = {};
+
+	return skb->ifindex * val * var;
+}
+
+SEC("tc")
+__success
+int global_func2(struct __sk_buff *skb)
+{
+	return f0(1, skb) + f1(skb) + f2(2, skb) + f3(3, skb, 4);
+}
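Review bot: MAX_STACK is defined here as (512 - 3 * 32), eight bytes less than the (512 - 3 * 32 + 8) in test_global_func1.c, and that difference is what separates this __success case from func1's __failure with "combined stack size of 4 calls is 544". Now that the file no longer includes test_global_func1.c and carries its own copy of f0 through f3, a one-line comment on the define explaining the relationship would keep the two copies from drifting apart unnoticed.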
diff --git a/tools/testing/selftests/bpf/progs/test_global_func3.c b/tools/testing/selftests/bpf/progs/test_global_func3.c
index 01bf8275dfd640..142b682d3c2f08 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func3.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func3.c
@@ -3,6 +3,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __attribute__ ((noinline))
 int f1(struct __sk_buff *skb)
@@ -46,20 +47,15 @@ int f7(struct __sk_buff *skb)
 	return f6(skb);
 }
 
-#ifndef NO_FN8
 __attribute__ ((noinline))
 int f8(struct __sk_buff *skb)
 {
 	return f7(skb);
 }
-#endif
 
 SEC("tc")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("the call stack of 8 frames")
+int global_func3(struct __sk_buff *skb)
 {
-#ifndef NO_FN8
 	return f8(skb);
-#else
-	return f7(skb);
-#endif
 }
diff --git a/tools/testing/selftests/bpf/progs/test_global_func4.c b/tools/testing/selftests/bpf/progs/test_global_func4.c
index 610f75edf27643..1733d87ad3f3ea 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func4.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func4.c
@@ -1,4 +1,55 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2020 Facebook */
-#define NO_FN8
-#include "test_global_func3.c"
+#include <stddef.h>
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+__attribute__ ((noinline))
+int f1(struct __sk_buff *skb)
+{
+	return skb->len;
+}
+
+__attribute__ ((noinline))
+int f2(int val, struct __sk_buff *skb)
+{
+	return f1(skb) + val;
+}
+
+__attribute__ ((noinline))
+int f3(int val, struct __sk_buff *skb, int var)
+{
+	return f2(var, skb) + val;
+}
+
+__attribute__ ((noinline))
+int f4(struct __sk_buff *skb)
+{
+	return f3(1, skb, 2);
+}
+
+__attribute__ ((noinline))
+int f5(struct __sk_buff *skb)
+{
+	return f4(skb);
+}
+
+__attribute__ ((noinline))
+int f6(struct __sk_buff *skb)
+{
+	return f5(skb);
+}
+
+__attribute__ ((noinline))
+int f7(struct __sk_buff *skb)
+{
+	return f6(skb);
+}
+
+SEC("tc")
+__success
+int global_func4(struct __sk_buff *skb)
+{
+	return f7(skb);
+}
diff --git a/tools/testing/selftests/bpf/progs/test_global_func5.c b/tools/testing/selftests/bpf/progs/test_global_func5.c
index 9248d03e0d06fb..cc55aedaf82d57 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func5.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func5.c
@@ -3,6 +3,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __attribute__ ((noinline))
 int f1(struct __sk_buff *skb)
@@ -25,7 +26,8 @@ int f3(int val, struct __sk_buff *skb)
 }
 
 SEC("tc")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("expected pointer to ctx, but got PTR")
+int global_func5(struct __sk_buff *skb)
 {
 	return f1(skb) + f2(2, skb) + f3(3, skb);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_global_func6.c b/tools/testing/selftests/bpf/progs/test_global_func6.c
index af8c78bdfb2575..46c38c8f2cf032 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func6.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func6.c
@@ -3,6 +3,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __attribute__ ((noinline))
 int f1(struct __sk_buff *skb)
@@ -25,7 +26,8 @@ int f3(int val, struct __sk_buff *skb)
 }
 
 SEC("tc")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("modified ctx ptr R2")
+int global_func6(struct __sk_buff *skb)
 {
 	return f1(skb) + f2(2, skb) + f3(3, skb);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_global_func7.c b/tools/testing/selftests/bpf/progs/test_global_func7.c
index 6cb8e2f5254cf1..f182febfde3c08 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func7.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func7.c
@@ -3,6 +3,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __attribute__ ((noinline))
 void foo(struct __sk_buff *skb)
@@ -11,7 +12,8 @@ void foo(struct __sk_buff *skb)
 }
 
 SEC("tc")
-int test_cls(struct __sk_buff *skb)
+__failure __msg("foo() doesn't return scalar")
+int global_func7(struct __sk_buff *skb)
 {
 	foo(skb);
 	return 0;
diff --git a/tools/testing/selftests/bpf/progs/test_global_func8.c b/tools/testing/selftests/bpf/progs/test_global_func8.c
index d55a6544b1abd2..9b9c57fa2dd34b 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func8.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func8.c
@@ -3,6 +3,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 __noinline int foo(struct __sk_buff *skb)
 {
@@ -10,7 +11,8 @@ __noinline int foo(struct __sk_buff *skb)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__success
+int global_func8(struct __sk_buff *skb)
 {
 	if (!foo(skb))
 		return 0;
diff --git a/tools/testing/selftests/bpf/progs/test_global_func9.c b/tools/testing/selftests/bpf/progs/test_global_func9.c
index bd233ddede98ae..1f2cb0159b8d83 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func9.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func9.c
@@ -2,6 +2,7 @@
 #include <stddef.h>
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
 
 struct S {
 	int x;
@@ -74,7 +75,8 @@ __noinline int quuz(int **p)
 }
 
 SEC("cgroup_skb/ingress")
-int test_cls(struct __sk_buff *skb)
+__success
+int global_func9(struct __sk_buff *skb)
 {
 	int result = 0;
 
-- 
2.53.0





* [PATCH 6.1 056/522] Revert "selftests/bpf: Workaround strict bpf_lsm return value check."
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 055/522] selftests/bpf: Convert test_global_funcs test to test_loader framework Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 057/522] Revert "selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id()" Greg Kroah-Hartman
                   ` (466 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Chaignon, Shung-Hsi Yu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Chaignon <paul.chaignon@gmail.com>

This reverts commit a1914d146622 ("selftests/bpf: Workaround strict
bpf_lsm return value check"). It seems it was picked up by mistake.

It applies to a selftest that didn't exist in 6.1. The whole selftest
was then backported as a stable-dep in commit 45108a7b4866
("selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id()")
(reverted as well in the next patch).

The new selftest covers the bpf_*_get_fd_by_id structures. Those don't
exist in 6.1 so the selftest shouldn't either.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
index 568816307f7125..f5ac5f3e89196f 100644
--- a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
+++ b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
@@ -31,7 +31,6 @@ int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode)
 
 	if (fmode & FMODE_WRITE)
 		return -EACCES;
-	barrier();
 
 	return 0;
 }
-- 
2.53.0





* [PATCH 6.1 057/522] Revert "selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id()"
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 056/522] Revert "selftests/bpf: Workaround strict bpf_lsm return value check." Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 058/522] selftests/bpf: Add read_build_id function Greg Kroah-Hartman
                   ` (465 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Chaignon, Shung-Hsi Yu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Chaignon <paul.chaignon@gmail.com>

This reverts commit 45108a7b4866 ("selftests/bpf: Add tests for _opts
variants of bpf_*_get_fd_by_id()"). As explained in the previous patch,
it introduces a new selftest for a feature that doesn't exist in 6.1. It
was backported as a stable-dep of a1914d146622 ("selftests/bpf:
Workaround strict bpf_lsm return value check"), also reverted in the
previous patch.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/DENYLIST.s390x    |  1 -
 .../bpf/prog_tests/libbpf_get_fd_by_id_opts.c | 87 -------------------
 .../bpf/progs/test_libbpf_get_fd_by_id_opts.c | 36 --------
 3 files changed, 124 deletions(-)
 delete mode 100644 tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c
 delete mode 100644 tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c

diff --git a/tools/testing/selftests/bpf/DENYLIST.s390x b/tools/testing/selftests/bpf/DENYLIST.s390x
index beef1232a47aeb..0fb03b8047d535 100644
--- a/tools/testing/selftests/bpf/DENYLIST.s390x
+++ b/tools/testing/selftests/bpf/DENYLIST.s390x
@@ -76,4 +76,3 @@ lookup_key                               # JIT does not support calling kernel f
 verify_pkcs7_sig                         # JIT does not support calling kernel function                                (kfunc)
 kfunc_dynptr_param                       # JIT does not support calling kernel function                                (kfunc)
 deny_namespace                           # failed to attach: ERROR: strerror_r(-524)=22                                (trampoline)
-libbpf_get_fd_by_id_opts                 # failed to attach: ERROR: strerror_r(-524)=22                                (trampoline)
diff --git a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c
deleted file mode 100644
index 25e5dfa9c315ce..00000000000000
--- a/tools/testing/selftests/bpf/prog_tests/libbpf_get_fd_by_id_opts.c
+++ /dev/null
@@ -1,87 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-
-/*
- * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
- *
- * Author: Roberto Sassu <roberto.sassu@huawei.com>
- */
-
-#include <test_progs.h>
-
-#include "test_libbpf_get_fd_by_id_opts.skel.h"
-
-void test_libbpf_get_fd_by_id_opts(void)
-{
-	struct test_libbpf_get_fd_by_id_opts *skel;
-	struct bpf_map_info info_m = {};
-	__u32 len = sizeof(info_m), value;
-	int ret, zero = 0, fd = -1;
-	LIBBPF_OPTS(bpf_get_fd_by_id_opts, fd_opts_rdonly,
-		.open_flags = BPF_F_RDONLY,
-	);
-
-	skel = test_libbpf_get_fd_by_id_opts__open_and_load();
-	if (!ASSERT_OK_PTR(skel,
-			   "test_libbpf_get_fd_by_id_opts__open_and_load"))
-		return;
-
-	ret = test_libbpf_get_fd_by_id_opts__attach(skel);
-	if (!ASSERT_OK(ret, "test_libbpf_get_fd_by_id_opts__attach"))
-		goto close_prog;
-
-	ret = bpf_obj_get_info_by_fd(bpf_map__fd(skel->maps.data_input),
-				     &info_m, &len);
-	if (!ASSERT_OK(ret, "bpf_obj_get_info_by_fd"))
-		goto close_prog;
-
-	fd = bpf_map_get_fd_by_id(info_m.id);
-	if (!ASSERT_LT(fd, 0, "bpf_map_get_fd_by_id"))
-		goto close_prog;
-
-	fd = bpf_map_get_fd_by_id_opts(info_m.id, NULL);
-	if (!ASSERT_LT(fd, 0, "bpf_map_get_fd_by_id_opts"))
-		goto close_prog;
-
-	fd = bpf_map_get_fd_by_id_opts(info_m.id, &fd_opts_rdonly);
-	if (!ASSERT_GE(fd, 0, "bpf_map_get_fd_by_id_opts"))
-		goto close_prog;
-
-	/* Map lookup should work with read-only fd. */
-	ret = bpf_map_lookup_elem(fd, &zero, &value);
-	if (!ASSERT_OK(ret, "bpf_map_lookup_elem"))
-		goto close_prog;
-
-	if (!ASSERT_EQ(value, 0, "map value mismatch"))
-		goto close_prog;
-
-	/* Map update should not work with read-only fd. */
-	ret = bpf_map_update_elem(fd, &zero, &len, BPF_ANY);
-	if (!ASSERT_LT(ret, 0, "bpf_map_update_elem"))
-		goto close_prog;
-
-	/* Map update should work with read-write fd. */
-	ret = bpf_map_update_elem(bpf_map__fd(skel->maps.data_input), &zero,
-				  &len, BPF_ANY);
-	if (!ASSERT_OK(ret, "bpf_map_update_elem"))
-		goto close_prog;
-
-	/* Prog get fd with opts set should not work (no kernel support). */
-	ret = bpf_prog_get_fd_by_id_opts(0, &fd_opts_rdonly);
-	if (!ASSERT_EQ(ret, -EINVAL, "bpf_prog_get_fd_by_id_opts"))
-		goto close_prog;
-
-	/* Link get fd with opts set should not work (no kernel support). */
-	ret = bpf_link_get_fd_by_id_opts(0, &fd_opts_rdonly);
-	if (!ASSERT_EQ(ret, -EINVAL, "bpf_link_get_fd_by_id_opts"))
-		goto close_prog;
-
-	/* BTF get fd with opts set should not work (no kernel support). */
-	ret = bpf_btf_get_fd_by_id_opts(0, &fd_opts_rdonly);
-	ASSERT_EQ(ret, -EINVAL, "bpf_btf_get_fd_by_id_opts");
-
-close_prog:
-	if (fd >= 0)
-		close(fd);
-
-	test_libbpf_get_fd_by_id_opts__destroy(skel);
-}
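Review bot: the changelog says the feature "doesn't exist in 6.1" without saying which part is missing, and the test deleted here separates two cases itself: it expects bpf_map_get_fd_by_id_opts() with BPF_F_RDONLY to succeed, and expects -EINVAL ("no kernel support") only from the prog, link and BTF variants. Naming the kernel-side commit that 6.1 lacks would let a reader confirm that the whole test has to go, not just part of it.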
diff --git a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
deleted file mode 100644
index f5ac5f3e89196f..00000000000000
--- a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
+++ /dev/null
@@ -1,36 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-
-/*
- * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
- *
- * Author: Roberto Sassu <roberto.sassu@huawei.com>
- */
-
-#include "vmlinux.h"
-#include <errno.h>
-#include <bpf/bpf_helpers.h>
-#include <bpf/bpf_tracing.h>
-
-/* From include/linux/mm.h. */
-#define FMODE_WRITE	0x2
-
-struct {
-	__uint(type, BPF_MAP_TYPE_ARRAY);
-	__uint(max_entries, 1);
-	__type(key, __u32);
-	__type(value, __u32);
-} data_input SEC(".maps");
-
-char _license[] SEC("license") = "GPL";
-
-SEC("lsm/bpf_map")
-int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode)
-{
-	if (map != (struct bpf_map *)&data_input)
-		return 0;
-
-	if (fmode & FMODE_WRITE)
-		return -EACCES;
-
-	return 0;
-}
-- 
2.53.0





* [PATCH 6.1 058/522] selftests/bpf: Add read_build_id function
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 057/522] Revert "selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id()" Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 059/522] bpf: Fix a few selftest failures due to llvm18 change Greg Kroah-Hartman
                   ` (464 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Olsa, Alexei Starovoitov,
	Paul Chaignon, Shung-Hsi Yu, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

[ Upstream commit 88dc8b3605b38a440fba45edcc53a6c7a98eee3b ]

Adding read_build_id function that parses out build id from
specified binary.

It will replace extract_build_id and also be used in following
changes.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20230331093157.1749137-3-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Fixes: be4e85369e5a ("selftests/bpf: Replace extract_build_id with read_build_id")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/trace_helpers.c | 82 +++++++++++++++++++++
 tools/testing/selftests/bpf/trace_helpers.h |  5 ++
 2 files changed, 87 insertions(+)

diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
index 9c4be2cdb21a02..afc33ba36ccc6e 100644
--- a/tools/testing/selftests/bpf/trace_helpers.c
+++ b/tools/testing/selftests/bpf/trace_helpers.c
@@ -11,6 +11,9 @@
 #include <linux/perf_event.h>
 #include <sys/mman.h>
 #include "trace_helpers.h"
+#include <linux/limits.h>
+#include <libelf.h>
+#include <gelf.h>
 
 #define DEBUGFS "/sys/kernel/debug/tracing/"
 
@@ -224,3 +227,82 @@ ssize_t get_rel_offset(uintptr_t addr)
 	fclose(f);
 	return -EINVAL;
 }
+
+static int
+parse_build_id_buf(const void *note_start, Elf32_Word note_size, char *build_id)
+{
+	Elf32_Word note_offs = 0;
+
+	while (note_offs + sizeof(Elf32_Nhdr) < note_size) {
+		Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs);
+
+		if (nhdr->n_type == 3 && nhdr->n_namesz == sizeof("GNU") &&
+		    !strcmp((char *)(nhdr + 1), "GNU") && nhdr->n_descsz > 0 &&
+		    nhdr->n_descsz <= BPF_BUILD_ID_SIZE) {
+			memcpy(build_id, note_start + note_offs +
+			       ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr), nhdr->n_descsz);
+			memset(build_id + nhdr->n_descsz, 0, BPF_BUILD_ID_SIZE - nhdr->n_descsz);
+			return (int) nhdr->n_descsz;
+		}
+
+		note_offs = note_offs + sizeof(Elf32_Nhdr) +
+			   ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4);
+	}
+
+	return -ENOENT;
+}
+
+/* Reads binary from *path* file and returns it in the *build_id* buffer
+ * with *size* which is expected to be at least BPF_BUILD_ID_SIZE bytes.
+ * Returns size of build id on success. On error the error value is
+ * returned.
+ */
+int read_build_id(const char *path, char *build_id, size_t size)
+{
+	int fd, err = -EINVAL;
+	Elf *elf = NULL;
+	GElf_Ehdr ehdr;
+	size_t max, i;
+
+	if (size < BPF_BUILD_ID_SIZE)
+		return -EINVAL;
+
+	fd = open(path, O_RDONLY | O_CLOEXEC);
+	if (fd < 0)
+		return -errno;
+
+	(void)elf_version(EV_CURRENT);
+
+	elf = elf_begin(fd, ELF_C_READ_MMAP, NULL);
+	if (!elf)
+		goto out;
+	if (elf_kind(elf) != ELF_K_ELF)
+		goto out;
+	if (!gelf_getehdr(elf, &ehdr))
+		goto out;
+
+	for (i = 0; i < ehdr.e_phnum; i++) {
+		GElf_Phdr mem, *phdr;
+		char *data;
+
+		phdr = gelf_getphdr(elf, i, &mem);
+		if (!phdr)
+			goto out;
+		if (phdr->p_type != PT_NOTE)
+			continue;
+		data = elf_rawfile(elf, &max);
+		if (!data)
+			goto out;
+		if (phdr->p_offset + phdr->p_memsz > max)
+			goto out;
+		err = parse_build_id_buf(data + phdr->p_offset, phdr->p_memsz, build_id);
+		if (err > 0)
+			break;
+	}
+
+out:
+	if (elf)
+		elf_end(elf);
+	close(fd);
+	return err;
+}
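Review bot: parse_build_id_buf() only checks that the note header fits (`note_offs + sizeof(Elf32_Nhdr) < note_size`) before it reads the name with strcmp() and copies n_descsz bytes, so a note whose name or descriptor runs past note_size is read beyond the PT_NOTE data; compare `sizeof(Elf32_Nhdr) + ALIGN(n_namesz, 4) + ALIGN(n_descsz, 4)` against the remaining `note_size - note_offs` before touching either. The same sum, built from n_namesz and n_descsz taken straight from the file, is stored back into the Elf32_Word note_offs, so it can wrap and leave the loop without forward progress. In read_build_id(), `phdr->p_offset + phdr->p_memsz > max` can itself wrap, it tests p_memsz where the file-backed length is p_filesz, and the p_memsz value is narrowed to the Elf32_Word note_size parameter on the call. The comment above read_build_id() also says it "Reads binary ... and returns it", where it means the build ID.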
diff --git a/tools/testing/selftests/bpf/trace_helpers.h b/tools/testing/selftests/bpf/trace_helpers.h
index 238a9c98cde27f..709871f3285256 100644
--- a/tools/testing/selftests/bpf/trace_helpers.h
+++ b/tools/testing/selftests/bpf/trace_helpers.h
@@ -4,6 +4,9 @@
 
 #include <bpf/libbpf.h>
 
+#define __ALIGN_MASK(x, mask)	(((x)+(mask))&~(mask))
+#define ALIGN(x, a)		__ALIGN_MASK(x, (typeof(x))(a)-1)
+
 struct ksym {
 	long addr;
 	char *name;
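Review bot: __ALIGN_MASK and ALIGN are defined unconditionally in a shared helper header, so any includer that already gets ALIGN from elsewhere hits a redefinition warning or silently picks up a different macro. Wrap them in `#ifndef ALIGN`, or keep them private to trace_helpers.c, which is the only user this patch adds; ALIGN as written also depends on the GNU typeof extension.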
@@ -21,4 +24,6 @@ void read_trace_pipe(void);
 ssize_t get_uprobe_offset(const void *addr);
 ssize_t get_rel_offset(uintptr_t addr);
 
+int read_build_id(const char *path, char *build_id, size_t size);
+
 #endif
-- 
2.53.0





* [PATCH 6.1 059/522] bpf: Fix a few selftest failures due to llvm18 change
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 058/522] selftests/bpf: Add read_build_id function Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 060/522] selftests/bpf: Update bpf_clone_redirect expected return code Greg Kroah-Hartman
                   ` (463 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yonghong Song, Daniel Borkmann,
	Paul Chaignon, Shung-Hsi Yu, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yonghong Song <yonghong.song@linux.dev>

[ Upstream commit b16904fd9f01b580db357ef2b1cc9e86d89576c2 ]

With latest upstream llvm18, the following test cases failed:

  $ ./test_progs -j
  #13/2    bpf_cookie/multi_kprobe_link_api:FAIL
  #13/3    bpf_cookie/multi_kprobe_attach_api:FAIL
  #13      bpf_cookie:FAIL
  #77      fentry_fexit:FAIL
  #78/1    fentry_test/fentry:FAIL
  #78      fentry_test:FAIL
  #82/1    fexit_test/fexit:FAIL
  #82      fexit_test:FAIL
  #112/1   kprobe_multi_test/skel_api:FAIL
  #112/2   kprobe_multi_test/link_api_addrs:FAIL
  [...]
  #112     kprobe_multi_test:FAIL
  #356/17  test_global_funcs/global_func17:FAIL
  #356     test_global_funcs:FAIL

Further analysis shows llvm upstream patch [1] is responsible for the above
failures. For example, for function bpf_fentry_test7() in net/bpf/test_run.c,
without [1], the asm code is:

  0000000000000400 <bpf_fentry_test7>:
     400: f3 0f 1e fa                   endbr64
     404: e8 00 00 00 00                callq   0x409 <bpf_fentry_test7+0x9>
     409: 48 89 f8                      movq    %rdi, %rax
     40c: c3                            retq
     40d: 0f 1f 00                      nopl    (%rax)

... and with [1], the asm code is:

  0000000000005d20 <bpf_fentry_test7.specialized.1>:
    5d20: e8 00 00 00 00                callq   0x5d25 <bpf_fentry_test7.specialized.1+0x5>
    5d25: c3                            retq

... and <bpf_fentry_test7.specialized.1> is called instead of <bpf_fentry_test7>
and this caused test failures for #13/#77 etc. except #356.

For test case #356/17, with [1] (progs/test_global_func17.c), the main prog
looks like:

  0000000000000000 <global_func17>:
       0:       b4 00 00 00 2a 00 00 00 w0 = 0x2a
       1:       95 00 00 00 00 00 00 00 exit

... which passed verification while the test itself expects a verification
failure.

Let us add 'barrier_var' style asm code in both places to prevent function
specialization which caused selftests failure.

  [1] https://github.com/llvm/llvm-project/pull/72903

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20231127050342.1945270-1-yonghong.song@linux.dev
[ Note: The change to test_run.c conflicted and was dropped. The related
  tests are not failing anyway. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/progs/test_global_func17.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/bpf/progs/test_global_func17.c b/tools/testing/selftests/bpf/progs/test_global_func17.c
index a32e11c7d933ee..5de44b09e8ec17 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func17.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func17.c
@@ -5,6 +5,7 @@
 
 __noinline int foo(int *p)
 {
+	barrier_var(p);
 	return p ? (*p = 42) : 0;
 }
 
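Review bot: barrier_var(p) at the top of foo() carries no comment saying why it is there, so it reads as removable noise. A one-line comment that it keeps the compiler from specializing foo() (the llvm18 change cited in the changelog) would keep it in place, and the backport note should confirm that the file's existing includes provide barrier_var in 6.1, since this hunk adds none.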
-- 
2.53.0





* [PATCH 6.1 060/522] selftests/bpf: Update bpf_clone_redirect expected return code
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 059/522] bpf: Fix a few selftest failures due to llvm18 change Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 061/522] selftests/bpf: enhance align selftests expected log matching Greg Kroah-Hartman
                   ` (462 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Stanislav Fomichev,
	Paul Chaignon, Shung-Hsi Yu, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stanislav Fomichev <sdf@google.com>

[ Upstream commit b772b70b69046c5b76e3f2eda680f692dee5e6d5 ]

Commit 151e887d8ff9 ("veth: Fixing transmit return status for dropped
packets") started propagating proper NET_XMIT_DROP error to the caller
which means it's now possible to get positive error code when calling
bpf_clone_redirect() in this particular test. Update the test to reflect
that.

Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20230911194731.286342-2-sdf@google.com
[ Note: Commit 151e887d8ff9 was backported to 6.1 so this fix should be
  as well. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/prog_tests/empty_skb.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/empty_skb.c b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
index 0613f3bb8b5e4e..329e34e5226e3a 100644
--- a/tools/testing/selftests/bpf/prog_tests/empty_skb.c
+++ b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
@@ -29,6 +29,7 @@ void serial_test_empty_skb(void)
 		int *ifindex;
 		int err;
 		int ret;
+		int lwt_egress_ret; /* expected retval at lwt/egress */
 		bool success_on_tc;
 	} tests[] = {
 		/* Empty packets are always rejected. */
@@ -62,6 +63,7 @@ void serial_test_empty_skb(void)
 			.data_size_in = sizeof(eth_hlen),
 			.ifindex = &veth_ifindex,
 			.ret = -ERANGE,
+			.lwt_egress_ret = -ERANGE,
 			.success_on_tc = true,
 		},
 		{
@@ -75,6 +77,7 @@ void serial_test_empty_skb(void)
 			.data_size_in = sizeof(eth_hlen),
 			.ifindex = &ipip_ifindex,
 			.ret = -ERANGE,
+			.lwt_egress_ret = -ERANGE,
 		},
 
 		/* ETH_HLEN+1-sized packet should be redirected. */
@@ -84,6 +87,7 @@ void serial_test_empty_skb(void)
 			.data_in = eth_hlen_pp,
 			.data_size_in = sizeof(eth_hlen_pp),
 			.ifindex = &veth_ifindex,
+			.lwt_egress_ret = 1, /* veth_xmit NET_XMIT_DROP */
 		},
 		{
 			.msg = "ipip ETH_HLEN+1 packet ingress",
@@ -113,8 +117,12 @@ void serial_test_empty_skb(void)
 
 	for (i = 0; i < ARRAY_SIZE(tests); i++) {
 		bpf_object__for_each_program(prog, bpf_obj->obj) {
-			char buf[128];
+			bool at_egress = strstr(bpf_program__name(prog), "egress") != NULL;
 			bool at_tc = !strncmp(bpf_program__section_name(prog), "tc", 2);
+			int expected_ret;
+			char buf[128];
+
+			expected_ret = at_egress && !at_tc ? tests[i].lwt_egress_ret : tests[i].ret;
 
 			tattr.data_in = tests[i].data_in;
 			tattr.data_size_in = tests[i].data_size_in;
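Review bot: at_egress is derived from `strstr(bpf_program__name(prog), "egress")`, so the choice of expected value hangs on a naming convention: any program outside the tc section whose name merely contains "egress" is compared against lwt_egress_ret. Entries in tests[] that do not set .lwt_egress_ret get 0 for it, so every entry with a non-zero .ret has to set both fields, as the two -ERANGE entries do; a comment on the struct member should say so. Parentheses around `at_egress && !at_tc` in the conditional expression would make the precedence explicit.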
@@ -133,7 +141,7 @@ void serial_test_empty_skb(void)
 			if (at_tc && tests[i].success_on_tc)
 				ASSERT_GE(bpf_obj->bss->ret, 0, buf);
 			else
-				ASSERT_EQ(bpf_obj->bss->ret, tests[i].ret, buf);
+				ASSERT_EQ(bpf_obj->bss->ret, expected_ret, buf);
 		}
 	}
 
-- 
2.53.0





* [PATCH 6.1 061/522] selftests/bpf: enhance align selftests expected log matching
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 060/522] selftests/bpf: Update bpf_clone_redirect expected return code Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 062/522] Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test" Greg Kroah-Hartman
                   ` (461 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Alexei Starovoitov,
	Paul Chaignon, Shung-Hsi Yu, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 6f876e75d316a75957f3d43c3a8c2a6fe9bc18b2 ]

Allow to search for expected register state in all the verifier log
output that's related to specified instruction number.

See added comment for an example of possible situation that is happening
due to a simple enhancement done in the next patch, which fixes handling
of env->test_state_freq flag in state checkpointing logic.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20230302235015.2044271-4-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ Note: Backport needed to fix the align selftest where some of the
  expected log messages can't be found. This is happening because
  commit 1a8a315f008a ("bpf: Ensure proper register state printing for
  cond jumps") was also backported to 6.1. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/prog_tests/align.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/align.c b/tools/testing/selftests/bpf/prog_tests/align.c
index 8baebb41541dc7..b9277059256300 100644
--- a/tools/testing/selftests/bpf/prog_tests/align.c
+++ b/tools/testing/selftests/bpf/prog_tests/align.c
@@ -660,16 +660,22 @@ static int do_test_single(struct bpf_align_test *test)
 			 * func#0 @0
 			 * 0: R1=ctx(off=0,imm=0) R10=fp0
 			 * 0: (b7) r3 = 2                 ; R3_w=2
+			 *
+			 * Sometimes it's actually two lines below, e.g. when
+			 * searching for "6: R3_w=scalar(umax=255,var_off=(0x0; 0xff))":
+			 *   from 4 to 6: R0_w=pkt(off=8,r=8,imm=0) R1=ctx(off=0,imm=0) R2_w=pkt(off=0,r=8,imm=0) R3_w=pkt_end(off=0,imm=0) R10=fp0
+			 *   6: R0_w=pkt(off=8,r=8,imm=0) R1=ctx(off=0,imm=0) R2_w=pkt(off=0,r=8,imm=0) R3_w=pkt_end(off=0,imm=0) R10=fp0
+			 *   6: (71) r3 = *(u8 *)(r2 +0)           ; R2_w=pkt(off=0,r=8,imm=0) R3_w=scalar(umax=255,var_off=(0x0; 0xff))
 			 */
-			if (!strstr(line_ptr, m.match)) {
+			while (!strstr(line_ptr, m.match)) {
 				cur_line = -1;
 				line_ptr = strtok(NULL, "\n");
-				sscanf(line_ptr, "%u: ", &cur_line);
+				sscanf(line_ptr ?: "", "%u: ", &cur_line);
+				if (!line_ptr || cur_line != m.line)
+					break;
 			}
-			if (cur_line != m.line || !line_ptr ||
-			    !strstr(line_ptr, m.match)) {
-				printf("Failed to find match %u: %s\n",
-				       m.line, m.match);
+			if (cur_line != m.line || !line_ptr || !strstr(line_ptr, m.match)) {
+				printf("Failed to find match %u: %s\n", m.line, m.match);
 				ret = 1;
 				printf("%s", bpf_vlog);
 				break;
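Review bot: the loop calls `sscanf(line_ptr ?: "", "%u: ", &cur_line)` before it tests line_ptr and ignores sscanf's return value, relying on the `cur_line = -1` reset to signal both the end of the log and a line with no leading instruction number. Testing `if (!line_ptr) break;` right after strtok() and then checking that sscanf returned 1 would express the same thing without the GNU `?:` extension or the sentinel. The added comment says the match is sometimes "two lines below", while the loop now scans every following line that carries the same instruction number; the comment should say that.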
-- 
2.53.0





* [PATCH 6.1 062/522] Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test"
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 061/522] selftests/bpf: enhance align selftests expected log matching Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 063/522] selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test Greg Kroah-Hartman
                   ` (460 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Chaignon, Shung-Hsi Yu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Chaignon <paul.chaignon@gmail.com>

This reverts commit 4d8fb7ed7a55 ("selftests/bpf: Add a cgroup prog
bpf_get_ns_current_pid_tgid() test").

That commit should have never been backported to 6.1 because it
introduces a test for a feature that isn't supported:
bpf_get_ns_current_pid_tgid() cannot be called from cgroup BPF programs
in 6.1.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../bpf/prog_tests/ns_current_pid_tgid.c      | 73 -------------------
 .../bpf/progs/test_ns_current_pid_tgid.c      |  7 --
 2 files changed, 80 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
index 2c57ceede095eb..a84c41862ff8c9 100644
--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
@@ -12,7 +12,6 @@
 #include <sys/wait.h>
 #include <sys/mount.h>
 #include <fcntl.h>
-#include "network_helpers.h"
 
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];
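Review bot: dropping `#include "network_helpers.h"` is only safe if nothing that remains in the file uses it. In this patch the removed test_current_pid_tgid_cgrp() and test_in_netns() are the callers of start_server(), open_netns() and close_netns(), so a selftests build after this revert is the check worth citing in the changelog.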
@@ -75,50 +74,6 @@ static int test_current_pid_tgid_tp(void *args)
 	return ret;
 }
 
-static int test_current_pid_tgid_cgrp(void *args)
-{
-	struct test_ns_current_pid_tgid__bss *bss;
-	struct test_ns_current_pid_tgid *skel;
-	int server_fd = -1, ret = -1, err;
-	int cgroup_fd = *(int *)args;
-	pid_t tgid, pid;
-
-	skel = test_ns_current_pid_tgid__open();
-	if (!ASSERT_OK_PTR(skel, "test_ns_current_pid_tgid__open"))
-		return ret;
-
-	bpf_program__set_autoload(skel->progs.cgroup_bind4, true);
-
-	err = test_ns_current_pid_tgid__load(skel);
-	if (!ASSERT_OK(err, "test_ns_current_pid_tgid__load"))
-		goto cleanup;
-
-	bss = skel->bss;
-	if (get_pid_tgid(&pid, &tgid, bss))
-		goto cleanup;
-
-	skel->links.cgroup_bind4 = bpf_program__attach_cgroup(
-		skel->progs.cgroup_bind4, cgroup_fd);
-	if (!ASSERT_OK_PTR(skel->links.cgroup_bind4, "bpf_program__attach_cgroup"))
-		goto cleanup;
-
-	server_fd = start_server(AF_INET, SOCK_STREAM, NULL, 0, 0);
-	if (!ASSERT_GE(server_fd, 0, "start_server"))
-		goto cleanup;
-
-	if (!ASSERT_EQ(bss->user_pid, pid, "pid"))
-		goto cleanup;
-	if (!ASSERT_EQ(bss->user_tgid, tgid, "tgid"))
-		goto cleanup;
-	ret = 0;
-
-cleanup:
-	if (server_fd >= 0)
-		close(server_fd);
-	test_ns_current_pid_tgid__destroy(skel);
-	return ret;
-}
-
 static void test_ns_current_pid_tgid_new_ns(int (*fn)(void *), void *arg)
 {
 	int wstatus;
@@ -140,25 +95,6 @@ static void test_ns_current_pid_tgid_new_ns(int (*fn)(void *), void *arg)
 		return;
 }
 
-static void test_in_netns(int (*fn)(void *), void *arg)
-{
-	struct nstoken *nstoken = NULL;
-
-	SYS(cleanup, "ip netns add ns_current_pid_tgid");
-	SYS(cleanup, "ip -net ns_current_pid_tgid link set dev lo up");
-
-	nstoken = open_netns("ns_current_pid_tgid");
-	if (!ASSERT_OK_PTR(nstoken, "open_netns"))
-		goto cleanup;
-
-	test_ns_current_pid_tgid_new_ns(fn, arg);
-
-cleanup:
-	if (nstoken)
-		close_netns(nstoken);
-	SYS_NOFAIL("ip netns del ns_current_pid_tgid");
-}
-
 /* TODO: use a different tracepoint */
 void serial_test_ns_current_pid_tgid(void)
 {
@@ -166,13 +102,4 @@ void serial_test_ns_current_pid_tgid(void)
 		test_current_pid_tgid_tp(NULL);
 	if (test__start_subtest("new_ns_tp"))
 		test_ns_current_pid_tgid_new_ns(test_current_pid_tgid_tp, NULL);
-	if (test__start_subtest("new_ns_cgrp")) {
-		int cgroup_fd = -1;
-
-		cgroup_fd = test__join_cgroup("/sock_addr");
-		if (ASSERT_GE(cgroup_fd, 0, "join_cgroup")) {
-			test_in_netns(test_current_pid_tgid_cgrp, &cgroup_fd);
-			close(cgroup_fd);
-		}
-	}
 }
diff --git a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c
index d0010e698f6688..aa3ec7ca16d9b6 100644
--- a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c
+++ b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c
@@ -28,11 +28,4 @@ int tp_handler(const void *ctx)
 	return 0;
 }
 
-SEC("?cgroup/bind4")
-int cgroup_bind4(struct bpf_sock_addr *ctx)
-{
-	get_pid_tgid();
-	return 1;
-}
-
 char _license[] SEC("license") = "GPL";
-- 
2.53.0





* [PATCH 6.1 063/522] selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 062/522] Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test" Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 064/522] selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test Greg Kroah-Hartman
                   ` (459 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

[ Upstream commit b8e188f023e07a733b47d5865311ade51878fe40 ]

The assumption of 'in privileged mode reads from uninitialized stack locations
are permitted' is not quite correct since the verifier was probing for read
access rather than write access. Both tests need to be annotated as __success
for privileged and unprivileged.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20240913191754.13290-6-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ Note: The format of logs completely changed since 6.1 so this change
  had to be reapplied to the old test file. This commit needs to be
  backported because it fixes a test broken by commit 32556ce93bc4
  ("bpf: Fix helper writes to read-only maps") from the same patchset. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/verifier/int_ptr.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/tools/testing/selftests/bpf/verifier/int_ptr.c b/tools/testing/selftests/bpf/verifier/int_ptr.c
index 02d9e004260b33..8c74cff2090364 100644
--- a/tools/testing/selftests/bpf/verifier/int_ptr.c
+++ b/tools/testing/selftests/bpf/verifier/int_ptr.c
@@ -25,9 +25,8 @@
 		BPF_MOV64_IMM(BPF_REG_0, 1),
 		BPF_EXIT_INSN(),
 	},
-	.result = REJECT,
+	.result = ACCEPT,
 	.prog_type = BPF_PROG_TYPE_CGROUP_SYSCTL,
-	.errstr = "invalid indirect read from stack R4 off -16+0 size 8",
 },
 {
 	"ARG_PTR_TO_LONG half-uninitialized",
@@ -57,9 +56,6 @@
 		BPF_MOV64_IMM(BPF_REG_0, 0),
 		BPF_EXIT_INSN(),
 	},
-	.result_unpriv = REJECT,
-	.errstr_unpriv = "invalid indirect read from stack R4 off -16+4 size 8",
-	/* in privileged mode reads from uninitialized stack locations are permitted */
 	.result = ACCEPT,
 },
 {
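Review bot: with .result_unpriv, .errstr_unpriv and the old comment removed, nothing in the half-uninitialized test records why a program passing a partly uninitialized stack slot as ARG_PTR_TO_LONG is now expected to load in both privileged and unprivileged mode. A replacement comment carrying the changelog's reason, next to `.result = ACCEPT`, would keep the REJECT expectation from being reintroduced later.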
-- 
2.53.0





* [PATCH 6.1 064/522] selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 063/522] selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 065/522] net/packet: convert po->tp_tx_has_off to an atomic flag Greg Kroah-Hartman
                   ` (458 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Martin KaFai Lau, Andrii Nakryiko,
	David Vernet, Paul Chaignon, Shung-Hsi Yu, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin KaFai Lau <martin.lau@kernel.org>

[ Upstream commit de9c8d848d90cf2e53aced50b350827442ca5a4f ]

The recent vm image in CI has reported error in selftests that use
the iptables command.  Manu Bretelle has pointed out the difference
in the recent vm image that the iptables is sym-linked to the iptables-nft.
With this knowledge,  I can also reproduce the CI error by manually running
with the 'iptables-nft'.

This patch is to replace the iptables command with iptables-legacy
to unblock the CI tests.

Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: David Vernet <void@manifault.com>
Link: https://lore.kernel.org/bpf/20221012221235.3529719-1-martin.lau@linux.dev
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/prog_tests/bpf_nf.c       | 6 +++---
 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
index b2998896f9f7bc..b30ff6b3b81ae3 100644
--- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
+++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
@@ -49,14 +49,14 @@ static int connect_to_server(int srv_fd)
 
 static void test_bpf_nf_ct(int mode)
 {
-	const char *iptables = "iptables -t raw %s PREROUTING -j CONNMARK --set-mark 42/0";
+	const char *iptables = "iptables-legacy -t raw %s PREROUTING -j CONNMARK --set-mark 42/0";
 	int srv_fd = -1, client_fd = -1, srv_client_fd = -1;
 	struct sockaddr_in peer_addr = {};
 	struct test_bpf_nf *skel;
 	int prog_fd, err;
 	socklen_t len;
 	u16 srv_port;
-	char cmd[64];
+	char cmd[128];
 	LIBBPF_OPTS(bpf_test_run_opts, topts,
 		.data_in = &pkt_v4,
 		.data_size_in = sizeof(pkt_v4),
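Review bot: the command string now hard-codes `iptables-legacy`, so test_bpf_nf_ct() fails at system(cmd) on any host that does not ship that binary. Probing for it first and skipping the test when it is absent would separate a missing tool from a real conntrack failure. The cmd[64] to cmd[128] bump is also a bare number; sizing the buffer against the format string would avoid the next resize.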
@@ -69,7 +69,7 @@ static void test_bpf_nf_ct(int mode)
 
 	/* Enable connection tracking */
 	snprintf(cmd, sizeof(cmd), iptables, "-A");
-	if (!ASSERT_OK(system(cmd), "iptables"))
+	if (!ASSERT_OK(system(cmd), cmd))
 		goto end;
 
 	srv_port = (mode == TEST_XDP) ? 5005 : 5006;
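Review bot: the return value of `snprintf(cmd, sizeof(cmd), iptables, "-A")` is still ignored, so if the format string ever outgrows cmd[] a truncated command is handed to system(). Check that the return is non-negative and smaller than sizeof(cmd) before running it. Passing cmd as the ASSERT_OK name is a good change, since the failing command now shows up in the log.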
diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c b/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
index 879f5da2f21e63..13daa3746064af 100644
--- a/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
+++ b/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
@@ -94,12 +94,12 @@ static void test_synproxy(bool xdp)
 	SYS("sysctl -w net.ipv4.tcp_syncookies=2");
 	SYS("sysctl -w net.ipv4.tcp_timestamps=1");
 	SYS("sysctl -w net.netfilter.nf_conntrack_tcp_loose=0");
-	SYS("iptables -t raw -I PREROUTING \
+	SYS("iptables-legacy -t raw -I PREROUTING \
 	    -i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack");
-	SYS("iptables -t filter -A INPUT \
+	SYS("iptables-legacy -t filter -A INPUT \
 	    -i tmp1 -p tcp -m tcp --dport 8080 -m state --state INVALID,UNTRACKED \
 	    -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460");
-	SYS("iptables -t filter -A INPUT \
+	SYS("iptables-legacy -t filter -A INPUT \
 	    -i tmp1 -m state --state INVALID -j DROP");
 
 	ctrl_file = SYS_OUT("./xdp_synproxy --iface tmp1 --ports 8080 \
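Review bot: the binary name is repeated in three SYS() literals here and once more in bpf_nf.c, so a later change of backend has four places to miss. A single shared define for the iptables command, used by both tests, would keep them in step and give one place to document why the legacy backend is required.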
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 065/522] net/packet: convert po->tp_tx_has_off to an atomic flag
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 064/522] selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 066/522] net/packet: convert po->tp_loss " Greg Kroah-Hartman
                   ` (457 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 7438344660fa55b33b8234c1797c886eb73667a7 ]

This is to use existing space in po->flags, and reclaim
the storage used by the non atomic bit fields.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 2c054e17d9d4 ("net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 6 +++---
 net/packet/internal.h  | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 502d2f6de18a29..1ceb8f765114b3 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2723,7 +2723,7 @@ static int tpacket_parse_header(struct packet_sock *po, void *frame,
 		return -EMSGSIZE;
 	}
 
-	if (unlikely(po->tp_tx_has_off)) {
+	if (unlikely(packet_sock_flag(po, PACKET_SOCK_TX_HAS_OFF))) {
 		int off_min, off_max;
 
 		off_min = po->tp_hdrlen - sizeof(struct sockaddr_ll);
@@ -4064,7 +4064,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,
 
 		lock_sock(sk);
 		if (!po->rx_ring.pg_vec && !po->tx_ring.pg_vec)
-			po->tp_tx_has_off = !!val;
+			packet_sock_flag_set(po, PACKET_SOCK_TX_HAS_OFF, val);
 
 		release_sock(sk);
 		return 0;
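Review bot: the `!!val` normalisation is dropped in packet_setsockopt(): `packet_sock_flag_set(po, PACKET_SOCK_TX_HAS_OFF, val)` now passes the raw int, and the helper's parameter list is cut off in the internal.h context below, so the patch alone does not show that every non-zero value sets the bit. Either keep `!!val` at the call site or say in the commit message that the helper takes a bool.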
@@ -4191,7 +4191,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 		lv = sizeof(rstats);
 		break;
 	case PACKET_TX_HAS_OFF:
-		val = po->tp_tx_has_off;
+		val = packet_sock_flag(po, PACKET_SOCK_TX_HAS_OFF);
 		break;
 	case PACKET_QDISC_BYPASS:
 		val = packet_use_direct_xmit(po);
diff --git a/net/packet/internal.h b/net/packet/internal.h
index b2edfe6fc8e770..31bac09a687233 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -119,8 +119,7 @@ struct packet_sock {
 	unsigned long		flags;
 	unsigned int		running;	/* bind_lock must be held */
 	unsigned int		has_vnet_hdr:1, /* writer must hold sock lock */
-				tp_loss:1,
-				tp_tx_has_off:1;
+				tp_loss:1;
 	int			pressure;
 	int			ifindex;	/* bound device		*/
 	__be16			num;
@@ -146,6 +145,7 @@ static inline struct packet_sock *pkt_sk(struct sock *sk)
 enum packet_sock_flags {
 	PACKET_SOCK_ORIGDEV,
 	PACKET_SOCK_AUXDATA,
+	PACKET_SOCK_TX_HAS_OFF,
 };
 
 static inline void packet_sock_flag_set(struct packet_sock *po,
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 066/522] net/packet: convert po->tp_loss to an atomic flag
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 065/522] net/packet: convert po->tp_tx_has_off to an atomic flag Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 067/522] net/packet: convert po->has_vnet_hdr " Greg Kroah-Hartman
                   ` (456 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 164bddace2e03f6005e650cb88f101a66ebdc05a ]

tp_loss can be read locklessly.

Convert it to an atomic flag to avoid races.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 2c054e17d9d4 ("net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 6 +++---
 net/packet/diag.c      | 2 +-
 net/packet/internal.h  | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 1ceb8f765114b3..490bfec158035e 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2900,7 +2900,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 
 		if (unlikely(tp_len < 0)) {
 tpacket_error:
-			if (po->tp_loss) {
+			if (packet_sock_flag(po, PACKET_SOCK_TP_LOSS)) {
 				__packet_set_status(po, ph,
 						TP_STATUS_AVAILABLE);
 				packet_increment_head(&po->tx_ring);
@@ -3957,7 +3957,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,
 		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
 			ret = -EBUSY;
 		} else {
-			po->tp_loss = !!val;
+			packet_sock_flag_set(po, PACKET_SOCK_TP_LOSS, val);
 			ret = 0;
 		}
 		release_sock(sk);
@@ -4166,7 +4166,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 		val = po->tp_reserve;
 		break;
 	case PACKET_LOSS:
-		val = po->tp_loss;
+		val = packet_sock_flag(po, PACKET_SOCK_TP_LOSS);
 		break;
 	case PACKET_TIMESTAMP:
 		val = po->tp_tstamp;
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 057ee37bd0766c..677d442cd930fe 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -29,7 +29,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb)
 		pinfo.pdi_flags |= PDI_ORIGDEV;
 	if (po->has_vnet_hdr)
 		pinfo.pdi_flags |= PDI_VNETHDR;
-	if (po->tp_loss)
+	if (packet_sock_flag(po, PACKET_SOCK_TP_LOSS))
 		pinfo.pdi_flags |= PDI_LOSS;
 
 	return nla_put(nlskb, PACKET_DIAG_INFO, sizeof(pinfo), &pinfo);
diff --git a/net/packet/internal.h b/net/packet/internal.h
index 31bac09a687233..82a997824e5733 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -118,8 +118,7 @@ struct packet_sock {
 	struct mutex		pg_vec_lock;
 	unsigned long		flags;
 	unsigned int		running;	/* bind_lock must be held */
-	unsigned int		has_vnet_hdr:1, /* writer must hold sock lock */
-				tp_loss:1;
+	unsigned int		has_vnet_hdr:1; /* writer must hold sock lock */
 	int			pressure;
 	int			ifindex;	/* bound device		*/
 	__be16			num;
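Review bot: the `/* writer must hold sock lock */` annotation stays on has_vnet_hdr while tp_loss moves into po->flags with no comment, so the rule that PACKET_LOSS is changed only under lock_sock() and only while no ring exists (the -EBUSY branch in the setsockopt hunk) is no longer recorded next to the flag. A one-line comment beside PACKET_SOCK_TP_LOSS in enum packet_sock_flags would keep it.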
@@ -146,6 +145,7 @@ enum packet_sock_flags {
 	PACKET_SOCK_ORIGDEV,
 	PACKET_SOCK_AUXDATA,
 	PACKET_SOCK_TX_HAS_OFF,
+	PACKET_SOCK_TP_LOSS,
 };
 
 static inline void packet_sock_flag_set(struct packet_sock *po,
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 067/522] net/packet: convert po->has_vnet_hdr to an atomic flag
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 066/522] net/packet: convert po->tp_loss " Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 068/522] net/packet: convert po->running " Greg Kroah-Hartman
                   ` (455 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 50d935eafee292fc432d5ac8c8715a6492961abc ]

po->has_vnet_hdr can be read locklessly.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 2c054e17d9d4 ("net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 19 ++++++++++---------
 net/packet/diag.c      |  2 +-
 net/packet/internal.h  |  2 +-
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 490bfec158035e..50d9618d85f3c7 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2357,7 +2357,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 		netoff = TPACKET_ALIGN(po->tp_hdrlen +
 				       (maclen < 16 ? 16 : maclen)) +
 				       po->tp_reserve;
-		if (po->has_vnet_hdr) {
+		if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR)) {
 			netoff += sizeof(struct virtio_net_hdr);
 			do_vnet = true;
 		}
@@ -2831,7 +2831,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 	size_max = po->tx_ring.frame_size
 		- (po->tp_hdrlen - sizeof(struct sockaddr_ll));
 
-	if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr)
+	if ((size_max > dev->mtu + reserve + VLAN_HLEN) &&
+	    !packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR))
 		size_max = dev->mtu + reserve + VLAN_HLEN;
 
 	timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);
@@ -2866,7 +2867,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 		status = TP_STATUS_SEND_REQUEST;
 		hlen = LL_RESERVED_SPACE(dev);
 		tlen = dev->needed_tailroom;
-		if (po->has_vnet_hdr) {
+		if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR)) {
 			vnet_hdr = data;
 			data += sizeof(*vnet_hdr);
 			tp_len -= sizeof(*vnet_hdr);
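Review bot: tpacket_snd() now evaluates PACKET_SOCK_HAS_VNET_HDR separately at each site, here where vnet_hdr is assigned and again before virtio_net_hdr_to_skb(), so the two reads agree only because the PACKET_VNET_HDR setsockopt path returns -EBUSY once a ring exists. Reading the flag once into a local bool at the top of the function would make that invariant explicit and keep vnet_hdr from being used on a path where it was never assigned.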
@@ -2894,7 +2895,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 					  addr, hlen, copylen, &sockc);
 		if (likely(tp_len >= 0) &&
 		    tp_len > dev->mtu + reserve &&
-		    !po->has_vnet_hdr &&
+		    !packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR) &&
 		    !packet_extra_vlan_len_allowed(dev, skb))
 			tp_len = -EMSGSIZE;
 
@@ -2913,7 +2914,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 			}
 		}
 
-		if (po->has_vnet_hdr) {
+		if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR)) {
 			if (virtio_net_hdr_to_skb(skb, vnet_hdr, vio_le())) {
 				tp_len = -EINVAL;
 				goto tpacket_error;
@@ -3041,7 +3042,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
 
 	if (sock->type == SOCK_RAW)
 		reserve = dev->hard_header_len;
-	if (po->has_vnet_hdr) {
+	if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR)) {
 		err = packet_snd_vnet_parse(msg, &len, &vnet_hdr);
 		if (err)
 			goto out_unlock;
@@ -3506,7 +3507,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
 	packet_rcv_try_clear_pressure(pkt_sk(sk));
 
-	if (pkt_sk(sk)->has_vnet_hdr) {
+	if (packet_sock_flag(pkt_sk(sk), PACKET_SOCK_HAS_VNET_HDR)) {
 		err = packet_rcv_vnet(msg, skb, &len);
 		if (err)
 			goto out_free;
@@ -4002,7 +4003,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,
 		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
 			ret = -EBUSY;
 		} else {
-			po->has_vnet_hdr = !!val;
+			packet_sock_flag_set(po, PACKET_SOCK_HAS_VNET_HDR, val);
 			ret = 0;
 		}
 		release_sock(sk);
@@ -4136,7 +4137,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 		val = packet_sock_flag(po, PACKET_SOCK_ORIGDEV);
 		break;
 	case PACKET_VNET_HDR:
-		val = po->has_vnet_hdr;
+		val = packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR);
 		break;
 	case PACKET_VERSION:
 		val = po->tp_version;
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 677d442cd930fe..a3bd91dba43945 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -27,7 +27,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb)
 		pinfo.pdi_flags |= PDI_AUXDATA;
 	if (packet_sock_flag(po, PACKET_SOCK_ORIGDEV))
 		pinfo.pdi_flags |= PDI_ORIGDEV;
-	if (po->has_vnet_hdr)
+	if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR))
 		pinfo.pdi_flags |= PDI_VNETHDR;
 	if (packet_sock_flag(po, PACKET_SOCK_TP_LOSS))
 		pinfo.pdi_flags |= PDI_LOSS;
diff --git a/net/packet/internal.h b/net/packet/internal.h
index 82a997824e5733..0956e4a934492d 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -118,7 +118,6 @@ struct packet_sock {
 	struct mutex		pg_vec_lock;
 	unsigned long		flags;
 	unsigned int		running;	/* bind_lock must be held */
-	unsigned int		has_vnet_hdr:1; /* writer must hold sock lock */
 	int			pressure;
 	int			ifindex;	/* bound device		*/
 	__be16			num;
@@ -146,6 +145,7 @@ enum packet_sock_flags {
 	PACKET_SOCK_AUXDATA,
 	PACKET_SOCK_TX_HAS_OFF,
 	PACKET_SOCK_TP_LOSS,
+	PACKET_SOCK_HAS_VNET_HDR,
 };
 
 static inline void packet_sock_flag_set(struct packet_sock *po,
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 068/522] net/packet: convert po->running to an atomic flag
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 067/522] net/packet: convert po->has_vnet_hdr " Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 069/522] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
                   ` (454 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 61edf479818e63978cabd243b82ca80f8948a313 ]

Instead of consuming 32 bits for po->running, use
one available bit in po->flags.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 2c054e17d9d4 ("net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 20 ++++++++++----------
 net/packet/diag.c      |  2 +-
 net/packet/internal.h  |  2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 50d9618d85f3c7..36347814ec7ceb 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -340,14 +340,14 @@ static void __register_prot_hook(struct sock *sk)
 {
 	struct packet_sock *po = pkt_sk(sk);
 
-	if (!po->running) {
+	if (!packet_sock_flag(po, PACKET_SOCK_RUNNING)) {
 		if (po->fanout)
 			__fanout_link(sk, po);
 		else
 			dev_add_pack(&po->prot_hook);
 
 		sock_hold(sk);
-		po->running = 1;
+		packet_sock_flag_set(po, PACKET_SOCK_RUNNING, 1);
 	}
 }
 
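Review bot: in __register_prot_hook() the test `!packet_sock_flag(po, PACKET_SOCK_RUNNING)` and the later `packet_sock_flag_set(po, PACKET_SOCK_RUNNING, 1)` are two separate operations, so making the bit atomic does not make this check-then-set atomic; it still depends on the caller holding bind_lock. __unregister_prot_hook() in the next hunk carries lockdep_assert_held_once(&po->bind_lock); adding the same assertion here would document and enforce that.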
@@ -369,7 +369,7 @@ static void __unregister_prot_hook(struct sock *sk, bool sync)
 
 	lockdep_assert_held_once(&po->bind_lock);
 
-	po->running = 0;
+	packet_sock_flag_set(po, PACKET_SOCK_RUNNING, 0);
 
 	if (po->fanout)
 		__fanout_unlink(sk, po);
@@ -389,7 +389,7 @@ static void unregister_prot_hook(struct sock *sk, bool sync)
 {
 	struct packet_sock *po = pkt_sk(sk);
 
-	if (po->running)
+	if (packet_sock_flag(po, PACKET_SOCK_RUNNING))
 		__unregister_prot_hook(sk, sync);
 }
 
@@ -1834,7 +1834,7 @@ static int fanout_add(struct sock *sk, struct fanout_args *args)
 	err = -EINVAL;
 
 	spin_lock(&po->bind_lock);
-	if (po->running &&
+	if (packet_sock_flag(po, PACKET_SOCK_RUNNING) &&
 	    match->type == type &&
 	    match->prot_hook.type == po->prot_hook.type &&
 	    match->prot_hook.dev == po->prot_hook.dev) {
@@ -3277,7 +3277,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
 
 	if (need_rehook) {
 		dev_hold(dev);
-		if (po->running) {
+		if (packet_sock_flag(po, PACKET_SOCK_RUNNING)) {
 			rcu_read_unlock();
 			/* prevents packet_notifier() from calling
 			 * register_prot_hook()
@@ -3290,7 +3290,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
 								 dev->ifindex);
 		}
 
-		BUG_ON(po->running);
+		BUG_ON(packet_sock_flag(po, PACKET_SOCK_RUNNING));
 		WRITE_ONCE(po->num, proto);
 		po->prot_hook.type = proto;
 
@@ -4230,7 +4230,7 @@ static int packet_notifier(struct notifier_block *this,
 		case NETDEV_DOWN:
 			if (dev->ifindex == po->ifindex) {
 				spin_lock(&po->bind_lock);
-				if (po->running) {
+				if (packet_sock_flag(po, PACKET_SOCK_RUNNING)) {
 					__unregister_prot_hook(sk, false);
 					sk->sk_err = ENETDOWN;
 					if (!sock_flag(sk, SOCK_DEAD))
@@ -4541,7 +4541,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 
 	/* Detach socket from network */
 	spin_lock(&po->bind_lock);
-	was_running = po->running;
+	was_running = packet_sock_flag(po, PACKET_SOCK_RUNNING);
 	num = po->num;
 	WRITE_ONCE(po->num, 0);
 	if (was_running)
@@ -4752,7 +4752,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
 			   s->sk_type,
 			   ntohs(READ_ONCE(po->num)),
 			   READ_ONCE(po->ifindex),
-			   po->running,
+			   packet_sock_flag(po, PACKET_SOCK_RUNNING),
 			   atomic_read(&s->sk_rmem_alloc),
 			   from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
 			   sock_i_ino(s));
diff --git a/net/packet/diag.c b/net/packet/diag.c
index a3bd91dba43945..cd30cc619c6b45 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -21,7 +21,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb)
 	pinfo.pdi_tstamp = po->tp_tstamp;
 
 	pinfo.pdi_flags = 0;
-	if (po->running)
+	if (packet_sock_flag(po, PACKET_SOCK_RUNNING))
 		pinfo.pdi_flags |= PDI_RUNNING;
 	if (packet_sock_flag(po, PACKET_SOCK_AUXDATA))
 		pinfo.pdi_flags |= PDI_AUXDATA;
diff --git a/net/packet/internal.h b/net/packet/internal.h
index 0956e4a934492d..9e50bf06131f29 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -117,7 +117,6 @@ struct packet_sock {
 	spinlock_t		bind_lock;
 	struct mutex		pg_vec_lock;
 	unsigned long		flags;
-	unsigned int		running;	/* bind_lock must be held */
 	int			pressure;
 	int			ifindex;	/* bound device		*/
 	__be16			num;
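Review bot: deleting `unsigned int running; /* bind_lock must be held */` also deletes the only statement of the locking rule, and the new PACKET_SOCK_RUNNING enum entry has no comment. The register and unregister hunks in af_packet.c still rely on bind_lock for writers, so move the comment to the enum entry rather than dropping it.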
@@ -146,6 +145,7 @@ enum packet_sock_flags {
 	PACKET_SOCK_TX_HAS_OFF,
 	PACKET_SOCK_TP_LOSS,
 	PACKET_SOCK_HAS_VNET_HDR,
+	PACKET_SOCK_RUNNING,
 };
 
 static inline void packet_sock_flag_set(struct packet_sock *po,
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 069/522] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 068/522] net/packet: convert po->running " Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 070/522] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
                   ` (453 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bingquan Chen, Willem de Bruijn,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bingquan Chen <patzilla007@gmail.com>

[ Upstream commit 2c054e17d9d41f1020376806c7f750834ced4dc5 ]

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.

Fixes: 1d036d25e560 ("packet: tpacket_snd gso and checksum offload")
Signed-off-by: Bingquan Chen <patzilla007@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260418112006.78823-1-patzilla007@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 36347814ec7ceb..f3850784d66404 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2767,7 +2767,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 {
 	struct sk_buff *skb = NULL;
 	struct net_device *dev;
-	struct virtio_net_hdr *vnet_hdr = NULL;
+	struct virtio_net_hdr vnet_hdr;
+	bool has_vnet_hdr = false;
 	struct sockcm_cookie sockc;
 	__be16 proto;
 	int err, reserve = 0;
@@ -2868,16 +2869,20 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 		hlen = LL_RESERVED_SPACE(dev);
 		tlen = dev->needed_tailroom;
 		if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR)) {
-			vnet_hdr = data;
-			data += sizeof(*vnet_hdr);
-			tp_len -= sizeof(*vnet_hdr);
-			if (tp_len < 0 ||
-			    __packet_snd_vnet_parse(vnet_hdr, tp_len)) {
+			data += sizeof(vnet_hdr);
+			tp_len -= sizeof(vnet_hdr);
+			if (tp_len < 0) {
+				tp_len = -EINVAL;
+				goto tpacket_error;
+			}
+			memcpy(&vnet_hdr, data - sizeof(vnet_hdr), sizeof(vnet_hdr));
+			if (__packet_snd_vnet_parse(&vnet_hdr, tp_len)) {
 				tp_len = -EINVAL;
 				goto tpacket_error;
 			}
 			copylen = __virtio16_to_cpu(vio_le(),
-						    vnet_hdr->hdr_len);
+						    vnet_hdr.hdr_len);
+			has_vnet_hdr = true;
 		}
 		copylen = max_t(int, copylen, dev->hard_header_len);
 		skb = sock_alloc_send_skb(&po->sk,
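Review bot: the memcpy source `data - sizeof(vnet_hdr)` undoes the `data += sizeof(vnet_hdr)` a few lines above it, which makes the one line that removes the double fetch the hardest to read. Keeping the tp_len check where it is, then copying from data and only afterwards advancing data gives the same result. A short comment that the ring is mmap'd and writable by userspace would also explain why the header must not be read in place.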
@@ -2914,12 +2919,12 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 			}
 		}
 
-		if (packet_sock_flag(po, PACKET_SOCK_HAS_VNET_HDR)) {
-			if (virtio_net_hdr_to_skb(skb, vnet_hdr, vio_le())) {
+		if (has_vnet_hdr) {
+			if (virtio_net_hdr_to_skb(skb, &vnet_hdr, vio_le())) {
 				tp_len = -EINVAL;
 				goto tpacket_error;
 			}
-			virtio_net_hdr_set_proto(skb, vnet_hdr);
+			virtio_net_hdr_set_proto(skb, &vnet_hdr);
 		}
 
 		skb->destructor = tpacket_destruct_skb;
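Review bot: has_vnet_hdr is initialised to false once at function scope and the earlier hunk only ever sets it to true, so this check relies on the socket flag staying the same for the rest of the call; if the vnet_hdr block were skipped for a later frame, the previous frame's copy would be applied here. Clearing has_vnet_hdr in the same scope as the block that fills vnet_hdr would make the pairing local and obvious.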
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread
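The check-then-reread pattern described in the commit message above, next to the snapshot form the fix adopts, as an added userspace example that is not code from the patch or from the kernel. struct demo_hdr, demo_validate(), the writer hook and all values are constructed for illustration; the hook stands in for the concurrent userspace thread so the outcome is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a header that lives in memory another thread can write. */
struct demo_hdr {
	uint16_t hdr_len;	/* claimed header length */
	uint16_t gso_size;	/* second field, not examined in this demo */
};

#define DEMO_MAX_HDR 128

/* Hypothetical hook: models a concurrent writer running between check and use. */
typedef void (*writer_fn)(struct demo_hdr *shared);

/* Constructed validation step: reject lengths beyond the limit or the frame. */
static int demo_validate(const struct demo_hdr *h, int frame_len)
{
	if (h->hdr_len > DEMO_MAX_HDR || h->hdr_len > frame_len)
		return -1;
	return 0;
}

/* Pre-fix shape: validate through the pointer, then read the same memory again. */
int consume_in_place(struct demo_hdr *shared, int frame_len, writer_fn writer)
{
	if (demo_validate(shared, frame_len))
		return -1;
	if (writer)
		writer(shared);		/* shared memory changes after the check */
	return shared->hdr_len;		/* second fetch: value was never checked */
}

/* Post-fix shape: one copy, then validate and use only the copy. */
int consume_snapshot(struct demo_hdr *shared, int frame_len, writer_fn writer)
{
	struct demo_hdr local;

	memcpy(&local, shared, sizeof(local));
	if (demo_validate(&local, frame_len))
		return -1;
	if (writer)
		writer(shared);		/* too late: local is not affected */
	return local.hdr_len;
}

/* Constructed writer: replaces a valid length with one the check would reject. */
static void inflate_hdr_len(struct demo_hdr *shared)
{
	shared->hdr_len = 60000;
}

int main(void)
{
	struct demo_hdr ring = { .hdr_len = 20, .gso_size = 0 };

	printf("in place: %d\n", consume_in_place(&ring, 256, inflate_hdr_len));
	ring.hdr_len = 20;
	printf("snapshot: %d\n", consume_snapshot(&ring, 256, inflate_hdr_len));
	return 0;
}
```

The in-place variant returns a length that demo_validate() would have rejected, while the snapshot variant returns the value that was actually checked.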

* [PATCH 6.1 070/522] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 069/522] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 071/522] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
                   ` (452 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit fbceb39b536e40c2f7cc47ab42037bb7c2b7ced9 upstream.

EDP specification says:

"If either VSC SDP is unable to be transmitted 100 ns before the SU region,
the Source device may optionally transmit the VSC SDP during the prior
video scan line’s HBlank period There is a Intel specific drm dp register
currently containing bits related how TCON can support PSR2 with SDP on
prior line."

Unfortunately many panels are having problems in implementing this. So
there is a custom Intel specific DPCD register (INTEL_WA_REGISTER_CAPS) to
figure out if this is properly implemented on a panel or if panel doesn't
require that 100 ns delay before the SU region. Here are the definitions in
this custom DPCD address:

0 = Panel doesn't support SDP on prior line
1 = Panel supports SDP on prior line
2 = Panel doesn't have 100ns requirement
3 = Reserved

Add definitions for this new register and its values into new header
intel_dpcd.h.

v2: add INTEL_DPCD_ prefix to definitions

Bspec: 74741
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-2-jouni.hogander@intel.com
(cherry picked from commit 1da1c9294825f08f622c473480d185680c2a3b75)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_dpcd.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 drivers/gpu/drm/i915/display/intel_dpcd.h

diff --git a/drivers/gpu/drm/i915/display/intel_dpcd.h b/drivers/gpu/drm/i915/display/intel_dpcd.h
new file mode 100644
index 00000000000000..4aea5326f2ed48
--- /dev/null
+++ b/drivers/gpu/drm/i915/display/intel_dpcd.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: MIT */
+/*
+ * Copyright © 2026 Intel Corporation
+ */
+
+#ifndef __INTEL_DPCD_H__
+#define __INTEL_DPCD_H__
+
+#define INTEL_DPCD_INTEL_WA_REGISTER_CAPS					0x3f0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK	REG_GENMASK(1, 0)
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1			0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE		1
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE		2
+
+#endif /* __INTEL_DPCD_H__ */
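Review bot: intel_dpcd.h uses `REG_GENMASK(1, 0)` but includes nothing, so the header compiles only when the includer has already pulled in the definition. Add the include that provides REG_GENMASK inside the guard so the header is self-contained. The commit message also lists value 3 as reserved; a comment next to the mask saying so would tell readers of the register how to treat it.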
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 071/522] drm/dp: Add eDP 1.5 bit definition
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 070/522] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 072/522] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
                   ` (451 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Suraj Kandpal, Arun R Murthy,
	Ben Kao, Maarten Lankhorst, Jouni Högander, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suraj Kandpal <suraj.kandpal@intel.com>

commit 5dfc37a6b77bf6beedbd30d70184b54e1a08ccac upstream.

Add the eDP revision bit value for 1.5.

Spec: eDPv1.5 Table 16-5
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Reviewed-by: Arun R Murthy <arun.r.murthy@intel.com>
Tested-by: Ben Kao <ben.kao@intel.com>
Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250206063253.2827017-2-suraj.kandpal@intel.com
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/drm/display/drm_dp.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/drm/display/drm_dp.h b/include/drm/display/drm_dp.h
index b235d6833e27d9..7d3700490b68f0 100644
--- a/include/drm/display/drm_dp.h
+++ b/include/drm/display/drm_dp.h
@@ -955,6 +955,7 @@
 # define DP_EDP_14			    0x03
 # define DP_EDP_14a                         0x04    /* eDP 1.4a */
 # define DP_EDP_14b                         0x05    /* eDP 1.4b */
+# define DP_EDP_15			    0x06    /* eDP 1.5 */
 
 #define DP_EDP_GENERAL_CAP_1		    0x701
 # define DP_EDP_TCON_BACKLIGHT_ADJUSTMENT_CAP		(1 << 0)
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 072/522] drm/i915/psr: Read Intel DPCD workaround register
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 071/522] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 073/522] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
                   ` (450 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit f30bece421a4ae34359254e1dc2a187a42b6af9b upstream.

Read Intel DPCD workaround register and store it into
intel_connector->dp.psr_caps. psr_caps was chosen as currently it contains
only PSR workaround for PSR2 SDP on prior scanline implementation.

Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-3-jouni.hogander@intel.com
(cherry picked from commit c48ff24d0f4ab7ad696b2d35ad64ce7e049c668c)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_display_types.h | 1 +
 drivers/gpu/drm/i915/display/intel_psr.c           | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
index a8bf91a21cb246..a26c082bdc3289 100644
--- a/drivers/gpu/drm/i915/display/intel_display_types.h
+++ b/drivers/gpu/drm/i915/display/intel_display_types.h
@@ -1637,6 +1637,7 @@ struct intel_dp {
 	u8 lttpr_phy_caps[DP_MAX_LTTPR_COUNT][DP_LTTPR_PHY_CAP_SIZE];
 	u8 fec_capable;
 	u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE];
+	u8 intel_wa_dpcd;
 	/* source rates */
 	int num_source_rates;
 	const int *source_rates;
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index a465b192931085..01fadf300ff679 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -31,6 +31,7 @@
 #include "intel_crtc.h"
 #include "intel_de.h"
 #include "intel_display_types.h"
+#include "intel_dpcd.h"
 #include "intel_dp_aux.h"
 #include "intel_hdmi.h"
 #include "intel_psr.h"
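
Review bot: the added include of "intel_dpcd.h" in intel_psr.c names a header that this patch does not create (the diffstat lists only intel_display_types.h and intel_psr.c), and INTEL_DPCD_INTEL_WA_REGISTER_CAPS, used in the next hunk, is not defined anywhere in the visible changes. For the 6.1 backport, confirm that the commit introducing that header and register definition is already in linux-6.1.y or queued ahead of this one, otherwise this patch will not build.
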
@@ -388,6 +389,12 @@ void intel_psr_init_dpcd(struct intel_dp *intel_dp)
 			intel_dp_get_su_granularity(intel_dp);
 		}
 	}
+
+	if (intel_dp->psr.sink_psr2_support)
+		drm_dp_dpcd_read(&intel_dp->aux,
+				 INTEL_DPCD_INTEL_WA_REGISTER_CAPS,
+				 &intel_dp->intel_wa_dpcd,
+				 sizeof(intel_dp->intel_wa_dpcd));
 }
 
 static void intel_psr_enable_sink(struct intel_dp *intel_dp)
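
Review bot: the return value of drm_dp_dpcd_read() in the block added at the end of intel_psr_init_dpcd() is ignored, so a failed or short AUX read leaves intel_dp->intel_wa_dpcd at whatever it held before, and the following patch switches on that value. Check the return against sizeof(intel_dp->intel_wa_dpcd), log the failure, and set intel_wa_dpcd to a defined value in that case so the consumer does not act on stale data.
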
-- 
2.53.0





* [PATCH 6.1 073/522] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 072/522] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 074/522] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init" Greg Kroah-Hartman
                   ` (449 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit 4703049f768fc1c1caac754134118bee1a3af189 upstream.

There is an Intel-specific workaround DPCD address containing a workaround for
the case where SDP is on the prior line. Apply this workaround according to the
values in the offset.

Fixes: 61e887329e33 ("drm/i915/xelpd: Handle PSR2 SDP indication in the prior scanline")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-4-jouni.hogander@intel.com
(cherry picked from commit c3fe899fbeac86ea4a5ca9dd845b2cbc0da46249)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_psr.c | 27 +++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 01fadf300ff679..3c5553b21fa894 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -818,6 +818,30 @@ static bool psr2_granularity_check(struct intel_dp *intel_dp,
 	return true;
 }
 
+static bool apply_scanline_indication_wa(struct intel_dp *intel_dp,
+					 struct intel_crtc_state *crtc_state)
+{
+	u8 early_scanline_support = intel_dp->intel_wa_dpcd &
+		INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK;
+
+	if (intel_dp->edp_dpcd[0] >= DP_EDP_15)
+		return true;
+
+	switch (early_scanline_support)	{
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1:
+		crtc_state->req_psr2_sdp_prior_scanline = false;
+		return false;
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE:
+		return true;
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE:
+		crtc_state->req_psr2_sdp_prior_scanline = false;
+		return true;
+	default:
+		MISSING_CASE(early_scanline_support);
+		return false;
+	}
+}
+
 static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_dp,
 							struct intel_crtc_state *crtc_state)
 {
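
Review bot: in apply_scanline_indication_wa(), the default branch returns false but leaves crtc_state->req_psr2_sdp_prior_scanline set, because the caller assigns it true immediately before the call (see the next hunk), whereas the FALL_BACK_TO_PSR1 case clears it before returning false. Clear the flag in the default branch as well so both 'return false' paths leave the same state. The switch input comes from intel_dp->intel_wa_dpcd, whose read is not error-checked in the previous patch, so a comment stating which case a failed or all-zero read is expected to hit would also help.
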
@@ -839,7 +863,8 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d
 		return false;
 
 	crtc_state->req_psr2_sdp_prior_scanline = true;
-	return true;
+
+	return apply_scanline_indication_wa(intel_dp, crtc_state);
 }
 
 static bool _compute_psr2_wake_times(struct intel_dp *intel_dp,
-- 
2.53.0





* [PATCH 6.1 074/522] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init"
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 073/522] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 075/522] RDMA/rxe: Fix double free in rxe_srq_from_init Greg Kroah-Hartman
                   ` (448 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Hutchings, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <benh@debian.org>

This reverts commit d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947, which
was commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1 upstream.  The
backported version did not move but duplicated the problematic
assignment, so it did not fix the bug.  A proper backport will follow.

Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/sw/rxe/rxe_srq.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c
index 115ff5428f6cfb..02b39498c370d2 100644
--- a/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -87,9 +87,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
 		}
 	}
 
-	srq->rq.queue = q;
-	init->attr.max_wr = srq->rq.max_wr;
-
 	return 0;
 }
 
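Review bot: this revert on its own leaves the original double free in place, since the early 'srq->rq.queue = q' assignment before do_mmap_info() is only removed by the following patch (075/522); the two need to ship in the same release. The dropped 'init->attr.max_wr = srq->rq.max_wr;' line agrees with the backport note in 075 that 6.1 had no such assignment at this point, so removing it here is consistent.
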
-- 
2.53.0





* [PATCH 6.1 075/522] RDMA/rxe: Fix double free in rxe_srq_from_init
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 074/522] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init" Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 076/522] net: gro: dont merge zcopy skbs Greg Kroah-Hartman
                   ` (447 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Zhu Yanjun,
	Leon Romanovsky, Ben Hutchings, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiasheng Jiang <jiashengjiangcool@gmail.com>

commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1 upstream.

In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.

The call trace looks like this:
   kmem_cache_free+0x.../0x...
   rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
   rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
   rxe_elem_release+0x31/0x70 [rdma_rxe]
   rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
   ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.

Fixes: aae0484e15f0 ("IB/rxe: avoid srq memory leak")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20260112015412.29458-1-jiashengjiangcool@gmail.com
Reviewed-by: Zhu Yanjun <yanjun.Zhu@linux.dev>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
[bwh: Backported to 6.1: There was no assignment to init->attr.max_wr
 here; don't add it]
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/sw/rxe/rxe_srq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c
index 02b39498c370d2..038a9cd55413e0 100644
--- a/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -69,8 +69,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
 		return -ENOMEM;
 	}
 
-	srq->rq.queue = q;
-
 	err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata, q->buf,
 			   q->buf_size, &q->ip);
 	if (err) {
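
Review bot: with 'srq->rq.queue = q' removed from before do_mmap_info(), every error return between this point and the new assignment has to free q itself, because rxe_srq_cleanup() will no longer find it. The body of the 'if (err)' branch after do_mmap_info() is not visible in this hunk; confirm it frees q before returning, as the commit message describes for the copy_to_user() failure path.
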
@@ -87,6 +85,8 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
 		}
 	}
 
+	srq->rq.queue = q;
+
 	return 0;
 }
 
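Review bot: srq->rq.queue is now written only on the success path just before 'return 0', so on any earlier failure rxe_srq_cleanup() runs with that field never assigned. Confirm that rxe_srq_cleanup() tests srq->rq.queue for NULL before calling rxe_queue_cleanup() and that the srq object is zero-initialised at allocation, otherwise the double free is traded for cleanup of an uninitialised pointer.
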
-- 
2.53.0





* [PATCH 6.1 076/522] net: gro: dont merge zcopy skbs
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 075/522] RDMA/rxe: Fix double free in rxe_srq_from_init Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 077/522] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table Greg Kroah-Hartman
                   ` (446 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Huzaifa Sidhpurwala, Sabrina Dubroca,
	Willem de Bruijn, Jakub Kicinski, Salvatore Bonaccorso,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 4db79a322db8c97f7b73b8a347395ef4d685eb40 ]

skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.

Fixes: 753f1ca4e1e5 ("net: introduce managed frags infrastructure")
Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Salvatore Bonaccorso: Adjust for context in 6.1.y series without
e8d4d34df715 ("net: Add netif_get_gro_max_size helper for GRO")]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/gro.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/gro.c b/net/core/gro.c
index ea6571c01faa9e..c5a9733d929a95 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -171,6 +171,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
 	if (p->pp_recycle != skb->pp_recycle)
 		return -ETOOMANYREFS;
 
+	if (skb_zcopy(p) || skb_zcopy(skb))
+		return -ETOOMANYREFS;
+
 	/* pairs with WRITE_ONCE() in netif_set_gro_max_size() */
 	gro_max_size = READ_ONCE(p->dev->gro_max_size);
 
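Review bot: the new skb_zcopy() test in skb_gro_receive() carries no comment and returns the same -ETOOMANYREFS as the pp_recycle mismatch directly above it, so neither the source nor a trace shows which condition refused the merge. A one-line comment naming SKBFL_MANAGED_FRAG_REFS and the missing page references (the reason given in the commit message) would keep a later cleanup from treating the check as redundant.
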
-- 
2.53.0





* [PATCH 6.1 077/522] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 076/522] net: gro: dont merge zcopy skbs Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 078/522] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
                   ` (445 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harini Katakam, Andrew Lunn,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harini Katakam <harini.katakam@amd.com>

[ Upstream commit 31605c01fb242806f5b8c9d08abe11328d514206 ]

All the PHY device variants specified have the same mask and
hence can be simplified to one vendor lookup for 0x00070400.
Any individual config can be identified by PHY_ID_MATCH_EXACT
in the respective structure.

Signed-off-by: Harini Katakam <harini.katakam@amd.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1bc80d673087 ("phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/mscc/mscc.h      |  1 +
 drivers/net/phy/mscc/mscc_main.c | 15 +--------------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index fcfbff691b3c6b..4a9c12516f2057 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -291,6 +291,7 @@ enum rgmii_clock_delay {
 #define PHY_ID_VSC8575			  0x000707d0
 #define PHY_ID_VSC8582			  0x000707b0
 #define PHY_ID_VSC8584			  0x000707c0
+#define PHY_VENDOR_MSCC			0x00070400
 
 #define MSCC_VDDMAC_1500		  1500
 #define MSCC_VDDMAC_1800		  1800
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index d9ad8aac580982..dd3b102fb4eec9 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2676,20 +2676,7 @@ static struct phy_driver vsc85xx_driver[] = {
 module_phy_driver(vsc85xx_driver);
 
 static struct mdio_device_id __maybe_unused vsc85xx_tbl[] = {
-	{ PHY_ID_VSC8502, 0xfffffff0, },
-	{ PHY_ID_VSC8504, 0xfffffff0, },
-	{ PHY_ID_VSC8514, 0xfffffff0, },
-	{ PHY_ID_VSC8530, 0xfffffff0, },
-	{ PHY_ID_VSC8531, 0xfffffff0, },
-	{ PHY_ID_VSC8540, 0xfffffff0, },
-	{ PHY_ID_VSC8541, 0xfffffff0, },
-	{ PHY_ID_VSC8552, 0xfffffff0, },
-	{ PHY_ID_VSC856X, 0xfffffff0, },
-	{ PHY_ID_VSC8572, 0xfffffff0, },
-	{ PHY_ID_VSC8574, 0xfffffff0, },
-	{ PHY_ID_VSC8575, 0xfffffff0, },
-	{ PHY_ID_VSC8582, 0xfffffff0, },
-	{ PHY_ID_VSC8584, 0xfffffff0, },
+	{ PHY_ID_MATCH_VENDOR(PHY_VENDOR_MSCC) },
 	{ }
 };
 
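Review bot: replacing the fourteen 0xfffffff0 entries in vsc85xx_tbl with a single PHY_ID_MATCH_VENDOR(PHY_VENDOR_MSCC) entry widens the table from the listed models to every PHY ID under the 0x00070400 vendor prefix, including IDs that have no entry in vsc85xx_driver[]. If this table feeds MODULE_DEVICE_TABLE (not visible in this hunk), the module will now be loaded for such PHYs without a driver binding to them; that is probably acceptable, but the commit message presents the change as a pure simplification and should say so.
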
-- 
2.53.0





* [PATCH 6.1 078/522] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 077/522] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 079/522] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock Greg Kroah-Hartman
                   ` (444 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Horatiu Vultur <horatiu.vultur@microchip.com>

[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ]

As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exist only as rev B,
we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY.
Because of this change, there is no need to check if it is a
different revision than rev B in the function vsc8584_probe(), as we
already know that this will never happen.
These changes are a preparation for the next patch, because in that patch
we will make the PHYs VSC8574 and VSC8572 use vsc8584_probe() and
these PHYs have multiple revisions.

Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/mscc/mscc.h      |  8 ++++----
 drivers/net/phy/mscc/mscc_main.c | 23 ++++-------------------
 2 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index 4a9c12516f2057..17273895bbb361 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -285,12 +285,12 @@ enum rgmii_clock_delay {
 #define PHY_ID_VSC8540			  0x00070760
 #define PHY_ID_VSC8541			  0x00070770
 #define PHY_ID_VSC8552			  0x000704e0
-#define PHY_ID_VSC856X			  0x000707e0
+#define PHY_ID_VSC856X			  0x000707e1
 #define PHY_ID_VSC8572			  0x000704d0
 #define PHY_ID_VSC8574			  0x000704a0
-#define PHY_ID_VSC8575			  0x000707d0
-#define PHY_ID_VSC8582			  0x000707b0
-#define PHY_ID_VSC8584			  0x000707c0
+#define PHY_ID_VSC8575			  0x000707d1
+#define PHY_ID_VSC8582			  0x000707b1
+#define PHY_ID_VSC8584			  0x000707c1
 #define PHY_VENDOR_MSCC			0x00070400
 
 #define MSCC_VDDMAC_1500		  1500
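
Review bot: PHY_ID_VSC856X, PHY_ID_VSC8575, PHY_ID_VSC8582 and PHY_ID_VSC8584 now carry a 1 in the low nibble, so any remaining code that masks phy_id with 0xfffffff0 before comparing against these constants can no longer match. The switch in vsc8584_config_init() (next hunk) compares 'phydev->phy_id & phydev->drv->phy_id_mask' against PHY_ID_ constants, which works for these four only because their phy_driver entries move to PHY_ID_MATCH_EXACT in the same patch. Check the rest of the mscc driver for other users of these four constants under a nibble mask before this lands in 6.1.
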
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index dd3b102fb4eec9..f1ca1e0b7934c3 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -1713,12 +1713,6 @@ static int vsc8584_config_init(struct phy_device *phydev)
 	 * in this pre-init function.
 	 */
 	if (phy_package_init_once(phydev)) {
-		/* The following switch statement assumes that the lowest
-		 * nibble of the phy_id_mask is always 0. This works because
-		 * the lowest nibble of the PHY_ID's below are also 0.
-		 */
-		WARN_ON(phydev->drv->phy_id_mask & 0xf);
-
 		switch (phydev->phy_id & phydev->drv->phy_id_mask) {
 		case PHY_ID_VSC8504:
 		case PHY_ID_VSC8552:
@@ -2257,11 +2251,6 @@ static int vsc8584_probe(struct phy_device *phydev)
 	   VSC8531_DUPLEX_COLLISION};
 	int ret;
 
-	if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) {
-		dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n");
-		return -ENOTSUPP;
-	}
-
 	vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL);
 	if (!vsc8531)
 		return -ENOMEM;
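
Review bot: dropping the revision check at the top of vsc8584_probe() is safe only while every phy_driver entry that uses this probe matches with PHY_ID_MATCH_EXACT, and the commit message says a later patch will point VSC8574 and VSC8572, which have multiple revisions, at this function. A short comment in vsc8584_probe() stating that precondition would make the dependency visible, and MSCC_DEV_REV_MASK and VSC8584_REVB should be removed if this was their last user.
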
@@ -2524,9 +2513,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC856X,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC856X),
 	.name		= "Microsemi GE VSC856X SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2598,9 +2586,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC8575,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8575),
 	.name		= "Microsemi GE VSC8575 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2622,9 +2609,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC8582,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8582),
 	.name		= "Microsemi GE VSC8582 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2646,9 +2632,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC8584,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8584),
 	.name		= "Microsemi GE VSC8584 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
-- 
2.53.0





* [PATCH 6.1 079/522] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 078/522] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 080/522] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read " Greg Kroah-Hartman
                   ` (443 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
	Bartosz Golaszewski, Guenter Roeck, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit bab8c6fb5af8df7e753d196c1262cb78e92ca872 ]

adm1266_gpio_get(), adm1266_gpio_get_multiple(), and
adm1266_gpio_dbg_show() all issue PMBus reads against the device but
none of them take pmbus_lock.  The pmbus_core framework holds
pmbus_lock around its own multi-transaction sequences (notably the
"set PAGE, then read paged register" pattern used by hwmon
attributes), so an unlocked GPIO accessor can land between a PAGE
write and the subsequent paged read in another thread and corrupt
either side's view of the device state machine.

Take pmbus_lock at the top of each of the three accessors via the
scope-based guard().  The lock is uncontended in the common case and
adds only a single mutex round-trip per call.

Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-6-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ open-coded each `guard(pmbus_lock)(data->client)` as explicit `pmbus_lock_interruptible()`/`pmbus_unlock()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/pmbus/adm1266.c | 40 +++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c
index a616439cecbf51..51e76e4413519e 100644
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -173,7 +173,12 @@ static int adm1266_gpio_get(struct gpio_chip *chip, unsigned int offset)
 	else
 		pmbus_cmd = ADM1266_PDIO_STATUS;
 
+	ret = pmbus_lock_interruptible(data->client);
+	if (ret)
+		return ret;
+
 	ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf);
+	pmbus_unlock(data->client);
 	if (ret < 0)
 		return ret;
 	if (ret < 2)
@@ -195,11 +200,19 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask
 	unsigned int gpio_nr;
 	int ret;
 
+	ret = pmbus_lock_interruptible(data->client);
+	if (ret)
+		return ret;
+
 	ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf);
-	if (ret < 0)
+	if (ret < 0) {
+		pmbus_unlock(data->client);
 		return ret;
-	if (ret < 2)
+	}
+	if (ret < 2) {
+		pmbus_unlock(data->client);
 		return -EIO;
+	}
 
 	status = read_buf[0] + (read_buf[1] << 8);
 
@@ -210,10 +223,14 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask
 	}
 
 	ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, read_buf);
-	if (ret < 0)
+	if (ret < 0) {
+		pmbus_unlock(data->client);
 		return ret;
-	if (ret < 2)
+	}
+	if (ret < 2) {
+		pmbus_unlock(data->client);
 		return -EIO;
+	}
 
 	status = read_buf[0] + (read_buf[1] << 8);
 
@@ -222,6 +239,8 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask
 			set_bit(gpio_nr, bits);
 	}
 
+	pmbus_unlock(data->client);
+
 	return 0;
 }
 
@@ -236,11 +255,16 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip)
 	int ret;
 	int i;
 
+	if (pmbus_lock_interruptible(data->client))
+		return;
+
 	for (i = 0; i < ADM1266_GPIO_NR; i++) {
 		write_cmd = adm1266_gpio_mapping[i][1];
 		ret = adm1266_pmbus_block_xfer(data, ADM1266_GPIO_CONFIG, 1, &write_cmd, read_buf);
-		if (ret != 2)
+		if (ret != 2) {
+			pmbus_unlock(data->client);
 			return;
+		}
 
 		gpio_config = read_buf[0];
 		seq_puts(s, adm1266_names[i]);
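
Review bot: adm1266_gpio_dbg_show() returns void, so when pmbus_lock_interruptible() fails at the top of the function the debugfs output for this chip is silently empty, indistinguishable from the existing 'ret != 2' early return. Consider emitting a short line through seq_puts() on that path, or note in a comment that an interrupted read intentionally prints nothing.
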
@@ -262,8 +286,10 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip)
 
 	write_cmd = 0xFF;
 	ret = adm1266_pmbus_block_xfer(data, ADM1266_PDIO_CONFIG, 1, &write_cmd, read_buf);
-	if (ret != 32)
+	if (ret != 32) {
+		pmbus_unlock(data->client);
 		return;
+	}
 
 	for (i = 0; i < ADM1266_PDIO_NR; i++) {
 		seq_puts(s, adm1266_names[ADM1266_GPIO_NR + i]);
@@ -286,6 +312,8 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip)
 
 		seq_puts(s, ")\n");
 	}
+
+	pmbus_unlock(data->client);
 }
 
 static int adm1266_config_gpio(struct adm1266_data *data)
-- 
2.53.0





* [PATCH 6.1 080/522] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 079/522] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 081/522] hwmon: (pmbus/adm1266) serialize NVMEM blackbox " Greg Kroah-Hartman
                   ` (442 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit 4e4af55aaca7f6d7673d5f9889ad0529db86a048 ]

adm1266_state_read() backs the sequencer_state debugfs entry and
issues an i2c_smbus_read_word_data(client, ADM1266_READ_STATE)
against the device without taking pmbus_lock.  pmbus_core holds
pmbus_lock around its own multi-transaction sequences (notably the
"set PAGE, then read paged register" pattern used by hwmon
attributes), so an unlocked debugfs reader can land between a PAGE
write and the subsequent paged read in another thread.  READ_STATE
itself is not paged, so it cannot corrupt PAGE in flight, but the
same defensive serialisation that applies to the GPIO accessors
applies here: any direct device access from outside pmbus_core
should be ordered with respect to pmbus_core's own.

Take pmbus_lock at the top of adm1266_state_read() via the
scope-based guard().

Fixes: ed1ff457e187 ("hwmon: (pmbus/adm1266) add debugfs for states")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-8-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ open-coded `guard(pmbus_lock)(client)` as `pmbus_lock_interruptible()`/`pmbus_unlock()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/pmbus/adm1266.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c
index 51e76e4413519e..b212aafae1dc4b 100644
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -356,7 +356,14 @@ static int adm1266_state_read(struct seq_file *s, void *pdata)
 	struct i2c_client *client = to_i2c_client(dev);
 	int ret;
 
+	ret = pmbus_lock_interruptible(client);
+	if (ret)
+		return ret;
+
 	ret = i2c_smbus_read_word_data(client, ADM1266_READ_STATE);
+
+	pmbus_unlock(client);
+
 	if (ret < 0)
 		return ret;
 
-- 
2.53.0





* [PATCH 6.1 081/522] hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 080/522] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read " Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 082/522] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
                   ` (441 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit 9f1dd8f9491eb840cbea7ffdf4cad031e25f8ae0 ]

adm1266_nvmem_read() is the reg_read callback the NVMEM core invokes
when userspace reads /sys/bus/nvmem/devices/.../nvmem on this chip.
On the first byte of every read it does a memset of data->dev_mem,
walks the device blackbox through adm1266_nvmem_read_blackbox()
(which issues a chain of PMBus block transactions), and then memcpys
the refreshed buffer out to userspace.  None of that runs under
pmbus_lock today.

Two consequences:

  - The PMBus traffic the refresh issues is not serialised against
    pmbus_core's own multi-step PAGE+register sequences.  A paged
    hwmon attribute read from another thread can land between a
    PAGE write and the paged read in either direction and corrupt
    one side's view of the device state machine.

  - The NVMEM core does not serialise concurrent reg_read calls, so
    two userspace readers racing at offset 0 can interleave the
    memset of data->dev_mem with another reader's
    adm1266_nvmem_read_blackbox() refill or memcpy out, returning
    torn data to userspace.

Take pmbus_lock at the top of adm1266_nvmem_read() via the
scope-based guard().  Patch 5 of this series moves
adm1266_config_nvmem() past pmbus_do_probe() so the lock is
guaranteed to be live before the callback is reachable from
userspace.

Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-7-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ adapted `guard(pmbus_lock)(data->client)` to manual `pmbus_lock_interruptible()`/`pmbus_unlock()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/pmbus/adm1266.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c
index b212aafae1dc4b..0f1cc0dbfc157b 100644
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -430,18 +430,25 @@ static int adm1266_nvmem_read(void *priv, unsigned int offset, void *val, size_t
 	if (offset + bytes > data->nvmem_config.size)
 		return -EINVAL;
 
+	ret = pmbus_lock_interruptible(data->client);
+	if (ret)
+		return ret;
+
 	if (offset == 0) {
 		memset(data->dev_mem, 0, data->nvmem_config.size);
 
 		ret = adm1266_nvmem_read_blackbox(data, data->dev_mem);
 		if (ret) {
 			dev_err(&data->client->dev, "Could not read blackbox!");
+			pmbus_unlock(data->client);
 			return ret;
 		}
 	}
 
 	memcpy(val, data->dev_mem + offset, bytes);
 
+	pmbus_unlock(data->client);
+
 	return 0;
 }
 
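Review bot: the manual locking in adm1266_nvmem_read() now has two separate pmbus_unlock(data->client) sites, one inside the `if (ret)` branch after adm1266_nvmem_read_blackbox() and one before `return 0`, so any early return added to this function later will leave pmbus_lock held. A single exit path (set ret, `goto unlock`, unlock once, `return ret`) would keep the backport closer to the scope-based guard it replaces. The bracketed adaptation note should also say that, because the lock is taken with pmbus_lock_interruptible(), the callback can now return that function's error before any refresh or memcpy happens, a failure mode readers of the nvmem file did not have before. Keeping the offset + bytes size check ahead of the lock is fine, since it only reads nvmem_config.size.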
-- 
2.53.0





* [PATCH 6.1 082/522] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 081/522] hwmon: (pmbus/adm1266) serialize NVMEM blackbox " Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 083/522] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
                   ` (440 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jonathan Cameron,
	David Lechner, Nuno Sá, Andy Shevchenko, stable

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.

The tagged FIFO path declares iio_buff on the stack with __aligned(8)
but no initializer, but there is a hole in the structure, which will
then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
copied, but the space between that and the timestamp is not
initialized.

Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
but for the tagged path it only added the alignment qualifier and not
the initializer :(

Fix this by just zero-initializing the structure on the stack.

Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -572,7 +572,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
 	 * must be passed a buffer that is aligned to 8 bytes so
 	 * as to allow insertion of a naturally aligned timestamp.
 	 */
-	u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
+	u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
 	u8 tag;
 	bool reset_ts = false;
 	int i, err, read_len;
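Review bot: the comment directly above the changed declaration still explains only the 8-byte alignment requirement, so nothing at the declaration says why the `= { }` initializer has to stay. The zeroing is what keeps the bytes between the sample data and the timestamp from carrying stale stack contents to userspace, so extend that comment with one sentence saying the buffer must be zero-initialized because of that gap. Without it, a later cleanup could drop the initializer as redundant and reintroduce the leak.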




* [PATCH 6.1 083/522] usb: typec: ucsi: ccg: reject firmware images without a : record header
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 082/522] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 084/522] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
                   ` (439 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.

do_flash() locates the first .cyacd record with

	p = strnchr(fw->data, fw->size, ':');
	while (p < eof) {
		s = strnchr(p + 1, eof - p - 1, ':');
		...
	}

If the firmware image contains no ':' byte, strnchr() returns NULL.
NULL compares less than the valid kernel pointer eof, so the loop body
runs and strnchr() is called with p + 1 == (void *)1 and a length of
roughly (unsigned long)eof, causing a wonderful crash.

The not_signed_fw fallthrough earlier in do_flash() and the chip-state
branches in ccg_fw_update_needed() allow an unsigned blob to reach this
loop, so a root user who can place a crafted file under /lib/firmware
and write the do_flash sysfs attribute can trigger the oops.

Bail out with -EINVAL when the initial strnchr() returns NULL.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi_ccg.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
+++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
@@ -1178,6 +1178,11 @@ not_signed_fw:
 	 *****************************************************************/
 
 	p = strnchr(fw->data, fw->size, ':');
+	if (!p) {
+		dev_err(dev, "Bad FW format: no ':' record header found\n");
+		err = -EINVAL;
+		goto release_mem;
+	}
 	while (p < eof) {
 		s = strnchr(p + 1, eof - p - 1, ':');
 
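Review bot: the new `if (!p)` check covers only the first strnchr() call; the in-loop call on the last visible code line, `s = strnchr(p + 1, eof - p - 1, ':');`, can return NULL in the same way, and the hunk ends before showing how s is used. Since `while (p < eof)` orders the pointer against eof, which is exactly what let NULL through before, the changelog should state that a NULL s is already handled before it can be assigned to p, or the same check should be added there.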




* [PATCH 7.0 000/378] 7.0.13-rc1 review
@ 2026-06-16 14:53 Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 001/378] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
                   ` (378 more replies)
  0 siblings, 379 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 7.0.13 release.
There are 378 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 18 Jun 2026 14:49:57 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.0.13-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.0.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 7.0.13-rc1

Will Deacon <will@kernel.org>
    arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU

Shanker Donthineni <sdonthineni@nvidia.com>
    arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU

Mark Rutland <mark.rutland@arm.com>
    arm64: errata: Mitigate TLBI errata on various Arm CPUs

Mark Rutland <mark.rutland@arm.com>
    arm64: cputype: Add C1-Premium definitions

Mark Rutland <mark.rutland@arm.com>
    arm64: cputype: Add C1-Ultra definitions

Waiman Long <longman@redhat.com>
    debugobjects: Don't call fill_pool() in early boot hardirq context

Helen Koike <koike@igalia.com>
    debugobjects: Do not fill_pool() if pi_blocked_on

Stefano Garzarella <sgarzare@redhat.com>
    vsock/virtio: fix skb overhead accounting to preserve full buf_alloc

Eric Dumazet <edumazet@google.com>
    vsock/virtio: fix potential unbounded skb queue

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/umem: Fix truncation for block sizes >= 4G

Leon Romanovsky <leon@kernel.org>
    RDMA: Move DMA block iterator logic into dedicated files

Randy Dunlap <rdunlap@infradead.org>
    RDMA/umem: fix kernel-doc warnings

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: tests: mark HT check strict

Rio Liu <rio@r26.me>
    wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode

Tejun Heo <tj@kernel.org>
    sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task()

Davide Ornaghi <d.ornaghi97@gmail.com>
    netfilter: nft_fib: fix stale stack leak via the OIFNAME register

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA: During rereg_mr ensure that REREG_ACCESS is compatible

Johan Hovold <johan@kernel.org>
    driver core: reject devices with unregistered buses

Johan Hovold <johan@kernel.org>
    driver core: faux: fix root device registration

Mingyu Wang <25181214217@stu.xidian.edu.cn>
    fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Use krealloc_array() in dal_vector_reserve()

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

Leorize <leorize+oss@disroot.org>
    drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Bound VBIOS record-chain walk loops

Priya Hosur <Priya.Hosur@amd.com>
    drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range

Yang Wang <kevinyang.wang@amd.com>
    drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2

Yang Wang <kevinyang.wang@amd.com>
    drm/amd/pm: fix smu13 power limit default/cap calculation

Yang Wang <kevinyang.wang@amd.com>
    drm/amd/pm: apply SMU 13.0.10 workaround during MP1 unload

Donet Tom <donettom@linux.ibm.com>
    drm/amdgpu: Fix incorrect VRAM GART mappings on non-4K page size systems

Vitaly Prosyak <vitaly.prosyak@amd.com>
    drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14)

Christian König <christian.koenig@amd.com>
    drm/amdgpu: restart the CS if some parts of the VM are still invalidated

Christian König <christian.koenig@amd.com>
    drm/amdgpu: fix waiting for all submissions for userptrs

Maíra Canal <mcanal@igalia.com>
    drm/v3d: Skip CSD when it has zeroed workgroups

Maíra Canal <mcanal@igalia.com>
    drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups

Maíra Canal <mcanal@igalia.com>
    drm/v3d: Fix global performance monitor reference counting

Maíra Canal <mcanal@igalia.com>
    drm/v3d: Wait for pending L2T flush before cleaning caches

Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
    drm/xe: Clear pending_disable before signaling suspend fence

Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
    drm/xe/multi_queue: skip submit when primary queue is suspended

Jani Nikula <jani.nikula@intel.com>
    drm/xe/display: fix oops in suspend/shutdown without display

Andrew Martin <andrew.martin@amd.com>
    drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

Muhammad Bilal <meatuni001@gmail.com>
    drm/amdkfd: fix NULL dereference in get_queue_ids()

Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
    drm/i915: Fix color blob reference handling in intel_plane_state

Simona Vetter <simona.vetter@ffwll.ch>
    drm/gem: Try to fix change_handle ioctl, attempt 4

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Initialize controller resources in controller

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Fix probe error path ordering

Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: Fix up platform_driver registration

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    slimbus: qcom-ngd-ctrl: fix OF node refcount

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Limit XDomain response copy to actual frame size

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Validate XDomain request packet size before type cast

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Clamp XDomain response data copy to allocation size

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Bound root directory content to block size

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: Reject zero-length property entries in validator

Wyatt Feng <bronzed_45_vested@icloud.com>
    sctp: stream: fully roll back denied add-stream state

Zhao Zhang <zzhan461@ucr.edu>
    sctp: diag: reject stale associations in dump_one path

David Howells <dhowells@redhat.com>
    rxrpc: Fix the ACK parser to extract the SACK table for parsing

Justin Lai <justinlai0215@realtek.com>
    rtase: Reset TX subqueue when clearing TX ring

Justin Lai <justinlai0215@realtek.com>
    rtase: Avoid sleeping in get_stats64()

Kendall Willis <k-willis@ti.com>
    pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    pmdomain: imx: fix OF node refcount

Jisheng Zhang <jszhang@kernel.org>
    mmc: sdhci: add signal voltage switch in sdhci_resume_host

Huan He <hehuan1@eswincomputing.com>
    mmc: sdhci-of-dwcmshc: Fix reset, clk, and SDIO support for Eswin EIC7700

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC

Inochi Amaoto <inochiama@gmail.com>
    mmc: litex_mmc: Set mandatory idle clocks before CMD0

Heiko Stuebner <heiko@sntech.de>
    mmc: dw_mmc-rockchip: Add missing private data for very old controllers

Kamal Dasu <kamal.dasu@broadcom.com>
    mmc: core: Fix host controller programming for fixed driver type

Usama Arif <usama.arif@linux.dev>
    mm/mincore: handle non-swap entries before !CONFIG_SWAP guard

Shakeel Butt <shakeel.butt@linux.dev>
    mm/list_lru: drain before clearing xarray entry on reparent

David Carlier <devnexen@gmail.com>
    mm/hugetlb: restore reservation on error in hugetlb folio copy paths

Lorenzo Stoakes <ljs@kernel.org>
    mm/hugetlb: avoid false positive lockdep assertion

Lorenzo Stoakes <ljs@kernel.org>
    mm/huge_memory: use correct flags for device private PMD entry

SeongJae Park <sj@kernel.org>
    mm/damon/reclaim: handle ctx allocation failure

SeongJae Park <sj@kernel.org>
    mm/damon/lru_sort: handle ctx allocation failure

Muchun Song <muchun.song@linux.dev>
    mm/cma_debug: fix invalid accesses for inactive CMA areas

Muchun Song <muchun.song@linux.dev>
    mm/cma: fix reserved page leak on activation failure

Judith Mendez <jm@ti.com>
    pinctrl: mcp23s08: Read spi-present-mask as u8 not u32

Dawei Feng <dawei.feng@seu.edu.cn>
    octeontx2-af: fix memory leak in rvu_setup_hw_resources()

Andre Heider <a.heider@gmail.com>
    nvmem: layouts: onie-tlv: fix hang on unknown types

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    nvmem: core: fix use-after-free bugs in error paths

Jonas Jelonek <jelonek.jonas@gmail.com>
    net: sfp: initialize i2c_block_size at adapter configure time

Yuqi Xu <xuyq21@lenovo.com>
    net: rds: clear i_sends on setup unwind

Santosh Kalluri <santosh.kalluri129@gmail.com>
    net: phonet: free phonet_device after RCU grace period

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    net: mv643xx: fix OF node refcount

ZhaoJinming <zhaojinming@uniontech.com>
    net: bonding: fix NULL pointer dereference in bond_do_ioctl()

ZhaoJinming <zhaojinming@uniontech.com>
    net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()

Nikolay Kuratov <kniv@yandex-team.ru>
    net/mlx5: Reorder completion before putting command entry in cmd_work_handler

Tudor Ambarus <tudor.ambarus@linaro.org>
    firmware: samsung: acpm: Fix mailbox channel leak on probe error

Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
    misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

Junrui Luo <moonafterrain@outlook.com>
    misc: fastrpc: fix DMA address corruption due to find_vma misuse

Zhenghang Xiao <kipreyyy@gmail.com>
    misc: fastrpc: fix use-after-free race in fastrpc_map_create

Anandu Krishnan E <anandu.e@oss.qualcomm.com>
    misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

Alexander Dahl <ada@thorsis.com>
    memory: atmel-ebi: Allow deferred probing

Shakeel Butt <shakeel.butt@linux.dev>
    memcg: use round-robin victim selection in refill_stock

Davidlohr Bueso <dave@stgolabs.net>
    locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

Yilin Zhu <zylzyl2333@gmail.com>
    ipc/shm: serialize orphan cleanup with shm_nattch updates

Jason Gunthorpe <jgg@ziepe.ca>
    iommu/dma: Do not try to iommu_map a 0 length region in swiotlb

Joanne Koong <joannelkoong@gmail.com>
    iomap: avoid potential null folio->mapping deref during error reporting

Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
    Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard

Zeyu WANG <zeyu.thomas.wang@gmail.com>
    Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)

Akhil R <akhilrajeev@nvidia.com>
    i2c: tegra: Fix NOIRQ suspend/resume

Guillermo Rodríguez <guille.rodriguez@gmail.com>
    i2c: stm32f7: fix timing computation ignoring i2c-analog-filter

Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
    i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()

Carlos Song <carlos.song@nxp.com>
    i2c: imx: fix clock and pinctrl state inconsistency in runtime PM

Carlos Song <carlos.song@nxp.com>
    i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan()

Ji'an Zhou <eilaimemedsnaimel@gmail.com>
    futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock

Jann Horn <jannh@google.com>
    fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios

Jann Horn <jannh@google.com>
    fuse: reject fuse_notify() pagecache ops on directories

Arpith Kalaginanavoor <arpithk@nvidia.com>
    fs/qnx6: fix pointer arithmetic in directory iteration

Muhammad Bilal <meatuni001@gmail.com>
    accel/ethosu: reject NPU_OP_RESIZE commands from userspace

Muhammad Bilal <meatuni001@gmail.com>
    accel/ethosu: reject DMA commands with uninitialized length

Muhammad Bilal <meatuni001@gmail.com>
    accel/ethosu: fix arithmetic issues in dma_length()

Muhammad Bilal <meatuni001@gmail.com>
    accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85

Muhammad Bilal <meatuni001@gmail.com>
    accel/ethosu: fix IFM region index out-of-bounds in command stream parser

Muhammad Bilal <meatuni001@gmail.com>
    accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()

Heiko Carstens <hca@linux.ibm.com>
    s390: Remove GENERIC_LOCKBREAK Kconfig option

Christian Brauner <brauner@kernel.org>
    pidfd: refuse access to tasks that have started exiting harder

Nirmoy Das <nirmoyd@nvidia.com>
    ovl: keep err zero after successful ovl_cache_get()

Hyunwoo Kim <imv4bel@gmail.com>
    inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush

Michael Bommarito <michael.bommarito@gmail.com>
    IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

Thorsten Blum <thorsten.blum@linux.dev>
    hv: utils: handle and propagate errors in kvp_register

Jann Horn <jannh@google.com>
    fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()

Dexuan Cui <decui@microsoft.com>
    Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs

Kyle Meyer <kyle.meyer@hpe.com>
    bnxt_en: Fix NULL pointer dereference

Chancel Liu <chancel.liu@nxp.com>
    ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write

Salman Alghamdi <me@cipherat.com>
    staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction

Salman Alghamdi <me@cipherat.com>
    staging: rtl8723bs: fix buffer over-read in rtw_update_protection

Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
    spi: qcom-geni: Fix cs_change handling on the last transfer

Amit Matityahu <amitmat@amazon.com>
    timers/migration: Fix livelock in tmigr_handle_remote_up()

Raf Dickson <rafdog35@gmail.com>
    vsock/vmci: fix sk_ack_backlog leak on failed handshake

Yuqi Xu <xuyuqiabc@gmail.com>
    wifi: nl80211: reject oversized EMA RNR lists

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used

Yingjie Gao <gaoyingjie@uniontech.com>
    xfs: fix rtgroup cleanup in CoW fork repair

Yingjie Gao <gaoyingjie@uniontech.com>
    xfs: fix error returns in CoW fork repair

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: add-addr: always drop other suboptions

Tao Cui <cuitao@kylinos.cn>
    selftests: mptcp: add test for extra_subflows underflow on userspace PM

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: sockopt: set sockopt on all subflows

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: sockopt: check timestamping ret value

Gang Yan <yangang@kylinos.cn>
    mptcp: check desc->count in read_sock

Tao Cui <cuitao@kylinos.cn>
    mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation

Paolo Abeni <pabeni@redhat.com>
    mptcp: allow subflow rcv wnd to shrink

Paolo Abeni <pabeni@redhat.com>
    mptcp: close TOCTOU race while computing rcv_wnd

Paolo Abeni <pabeni@redhat.com>
    mptcp: fix retransmission loop when csum is enabled

Paolo Abeni <pabeni@redhat.com>
    mptcp: fix missing wakeups in edge scenarios

Alistair Popple <apopple@nvidia.com>
    arm64: mm: call pagetable dtor when freeing hot-removed page tables

Karl Mehltretter <kmehltretter@gmail.com>
    ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow

Karl Mehltretter <kmehltretter@gmail.com>
    ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O

Yuho Choi <dbgh9129@gmail.com>
    ARM: socfpga: Fix OF node refcount leak in SMP setup

Sechang Lim <rhkrqnwk98@gmail.com>
    udp: clear skb->dev before running a sockmap verdict

Cunlong Li <shenxiaogll@gmail.com>
    zram: fix use-after-free in zram_bvec_write_partial()

Michael Bommarito <michael.bommarito@gmail.com>
    RDMA/srp: bound SRP_RSP sense copy by the received length

Yishai Hadas <yishaih@nvidia.com>
    RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/core: Validate the passed in fops for ib_get_ucaps()

Yin Tirui <yintirui@huawei.com>
    mm/huge_memory: update file PUD counter before folio_put()

SeongJae Park <sj@kernel.org>
    mm/damon/ops-common: call folio_test_lru() after folio_get()

Yin Tirui <yintirui@huawei.com>
    mm/huge_memory: update file PMD counter before folio_put()

Harry Wentland <harry.wentland@amd.com>
    drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()

Wentao Liang <vulab@iscas.ac.cn>
    drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()

Clément Léger <cleger@meta.com>
    io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries

Jens Axboe <axboe@kernel.dk>
    io_uring/kbuf: don't truncate end buffer for bundles

Christian A. Ehrhardt <lk@c--e.de>
    io_uring/wait: fix min_timeout behavior

Takashi Iwai <tiwai@suse.de>
    ALSA: timer: Fix UAF at snd_timer_user_params()

Takashi Iwai <tiwai@suse.de>
    ALSA: timer: Forcibly close timer instances at closing

HyeongJun An <sammiee5311@gmail.com>
    USB: serial: kl5kusb105: fix bulk-out buffer overflow

Jack Wu <jackbb_wu@compal.com>
    USB: serial: option: add usb-id for Dell Wireless DW5826e-m

Adrian Korwel <adriank20047@gmail.com>
    USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

Adrian Korwel <adriank20047@gmail.com>
    USB: serial: io_ti: fix heap overflow in get_manuf_info()

Tristan Madani <tristmd@gmail.com>
    xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()

Takao Sato <takaosato1997@gmail.com>
    xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()

Wyatt Feng <bronzed_45_vested@icloud.com>
    xfrm: espintcp: do not reuse an in-progress partial send

Gil Portnoy <dddhkts1@gmail.com>
    ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL

Judith Mendez <jm@ti.com>
    pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init

Anton Leontev <leontyevantony@gmail.com>
    hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    drm/i915/gem: Fix phys BO pread/pwrite with offset

Joey Gouly <joey.gouly@arm.com>
    KVM: arm64: Restore POR_EL0 access to host EL0

Oliver Upton <oupton@kernel.org>
    KVM: arm64: Correctly identify executable PTEs at stage-2

Oliver Upton <oupton@kernel.org>
    KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA

Sean Christopherson <seanjc@google.com>
    KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

Wei Liu <wei.liu@kernel.org>
    mshv: add a missing padding field

Nathan Chancellor <nathan@kernel.org>
    cfi: Include uaccess.h for get_kernel_nofault()

Inochi Amaoto <inochiama@gmail.com>
    mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation

Alice Ryhl <aliceryhl@google.com>
    rust: kasan/kbuild: fix rustc-option when cross-compiling

Alice Ryhl <aliceryhl@google.com>
    rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES

Nathan Chancellor <nathan@kernel.org>
    ARM: Do not select HAVE_RUST when KASAN is enabled

Miguel Ojeda <ojeda@kernel.org>
    rust: x86: support Rust >= 1.98.0 target spec

Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
    Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"

Sun Shaojie <sunshaojie@kylinos.cn>
    cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation

Masami Hiramatsu (Google) <mhiramat@kernel.org>
    tracing/probes: Point the error offset correctly for eprobe argument error

Eva Kurchatova <eva.kurchatova@virtuozzo.com>
    tracing: Fix CFI violation in probestub being called by tprobes

Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
    accel/ivpu: Fix signed integer truncation in IPC receive

Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
    accel/ivpu: Add buffer overflow check in MS get_info_ioctl

Dinh Nguyen <dinguyen@kernel.org>
    firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe

Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
    firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported

Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
    firmware: stratix10-svc: Don't fail probe when async ops unsupported

Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
    accel/ivpu: Add bounds checks for firmware log indices

Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
    accel/ivpu: Add bounds check for firmware runtime memory

Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
    Revert "drm/xe/nvls: Define GuC firmware for NVL-S"

Wupeng Ma <mawupeng1@huawei.com>
    mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()

Michael Bommarito <michael.bommarito@gmail.com>
    Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig

Yuqi Xu <xuyq21@lenovo.com>
    Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Georgiy Osokin <g.osokin@auroraos.dev>
    tee: shm: fix shm leak in register_shm_helper()

Davide Ornaghi <d.ornaghi97@gmail.com>
    netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register

Tristan Madani <tristan@talencesecurity.com>
    netfilter: nft_tunnel: fix use-after-free on object destroy

Jann Horn <jannh@google.com>
    namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories

Lizhi Hou <lizhi.hou@amd.com>
    accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range()

Rodrigo Vivi <rodrigo.vivi@intel.com>
    drm/xe: fix job timeout recovery for unstarted jobs and kernel queues

Wentao Liang <vulab@iscas.ac.cn>
    drm/xe: fix refcount leak in xe_range_fence_insert()

Melissa Wen <mwen@igalia.com>
    drm/amd/display: use plane color_mgmt_changed to track colorop changes

Melissa Wen <mwen@igalia.com>
    drm/atomic: track individual colorop updates

Melissa Wen <mwen@igalia.com>
    drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable

Alex Hung <alex.hung@amd.com>
    drm/colorop: Remove read-only comments from interpolation fields

Alexander A. Klimov <grandmaster@al2klimov.de>
    drm/vc4: fix krealloc() memory leak

Dmitry Osipenko <dmitry.osipenko@collabora.com>
    drm/virtio: Fix driver removal with disabled KMS

Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    drm/i915/edp: Check supported link rates DPCD read

Pengyu Luo <mitltlatltl@gmail.com>
    clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time

Kuan-Wei Chiu <visitorckw@gmail.com>
    clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs

Hans de Goede <johannes.goede@oss.qualcomm.com>
    clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked

Kean Ren <rh_king@163.com>
    ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions

Ido Schimmel <idosch@nvidia.com>
    ipv6: Fix a potential NPD in cleanup_prefix_route()

Jiawen Wu <jiawenwu@trustnetic.com>
    net: txgbe: initialize PHY interface to 0

Jiawen Wu <jiawenwu@trustnetic.com>
    net: txgbe: distinguish module types by checking identifier

Jiawen Wu <jiawenwu@trustnetic.com>
    net: txgbe: initialize module info buffer

Til Kaiser <mail@tk154.de>
    net: mvpp2: build skb from XDP-adjusted data on XDP_PASS

Til Kaiser <mail@tk154.de>
    net: mvpp2: refill RX buffers before XDP or skb use

Til Kaiser <mail@tk154.de>
    net: mvpp2: limit XDP frame size to the RX buffer

Til Kaiser <mail@tk154.de>
    net: mvpp2: sync RX data at the hardware packet offset

Florian Westphal <fw@strlen.de>
    netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

Xiang Mei <xmei5@asu.edu>
    netfilter: nf_log: validate MAC header was set before dumping it

Kyle Zeng <kylebot@openai.com>
    netfilter: x_tables: avoid leaking percpu counter pointers

Weiming Shi <bestswngs@gmail.com>
    netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

Florian Westphal <fw@strlen.de>
    netfilter: revalidate bridge ports

Felix Gu <ustc.gu@gmail.com>
    spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX

Breno Leitao <leitao@debian.org>
    rds: mark snapshot pages dirty in rds_info_getsockopt()

Eric Dumazet <edumazet@google.com>
    ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

Vadim Fedorenko <vadim.fedorenko@linux.dev>
    ptp: ocp: fix resource freeing order

Xiang Mei <xmei5@asu.edu>
    tun: zero the whole vnet header in tun_put_user()

Weiming Shi <bestswngs@gmail.com>
    net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion

Kyle Zeng <kylebot@openai.com>
    net: guard timestamp cmsgs to real error queue skbs

Xin Long <lucien.xin@gmail.com>
    sctp: validate embedded INIT chunk and address list lengths in cookie

Eric Dumazet <edumazet@google.com>
    ip6_vti: set netns_immutable on the fallback device.

Michael Bommarito <michael.bommarito@gmail.com>
    sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

Vijendar Mukunda <Vijendar.Mukunda@amd.com>
    ASoC: SOF: amd: fix for ipc flags check

Alessandro Schino <7991aleschino@gmail.com>
    esp: fix page frag reference leak on skb_to_sgvec failure

Jeremy Kerr <jk@codeconstruct.com.au>
    net: mctp: usb: don't fail mctp_usb_rx_queue on a deferred submission

Jeremy Kerr <jk@codeconstruct.com.au>
    net: mctp: usb: fix race between urb completion and rx_retry cancellation

Marco Scardovi <scardracs@disroot.org>
    gpio: rockchip: fix generic IRQ chip leak on remove

Ruoyu Wang <ruoyuw560@gmail.com>
    gpio: zynq: fix runtime PM leak on remove

Chih Kai Hsu <hsu.chih.kai@realtek.com>
    r8152: handle the return value of usb_reset_device()

Adrian Moreno <amorenoz@redhat.com>
    net: openvswitch: fix possible kfree_skb of ERR_PTR

Kyle Zeng <kylebot@openai.com>
    ipv6: sit: reload inner IPv6 header after GSO offloads

Fushuai Wang <wangfushuai@baidu.com>
    net/mlx5: Use effective affinity mask for IRQ selection

Dragos Tatulea <dtatulea@nvidia.com>
    net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure

Dragos Tatulea <dtatulea@nvidia.com>
    net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list

Mingyu Wang <25181214217@stu.xidian.edu.cn>
    net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

Maxime Chevallier <maxime.chevallier@bootlin.com>
    net: phy: don't try to setup PHY-driven SFP cages when using genphy

Maxime Chevallier <maxime.chevallier@bootlin.com>
    net: phy: Clean the phy_ports after unregistering the downstream SFP bus

Maxime Chevallier <maxime.chevallier@bootlin.com>
    net: phy: remove phy ports upon probe failure

Maxime Chevallier <maxime.chevallier@bootlin.com>
    net: phy: clean the sfp upstream if phy probing fails

Jakub Kicinski <kuba@kernel.org>
    netdev: fix double-free in netdev_nl_bind_rx_doit()

Rosen Penev <rosenp@gmail.com>
    net: ibm: emac: Fix use-after-free during device removal

Yao Sang <sangyao@kylinos.cn>
    net/mlx4: avoid GCC 10 __bad_copy_from() false positive

HanQuan <eilaimemedsnaimel@gmail.com>
    net: add pskb_may_pull() to skb_gro_receive_list()

Eric Dumazet <edumazet@google.com>
    tcp: restrict SO_ATTACH_FILTER to priv users

Richard Fitzgerald <rf@opensource.cirrus.com>
    ASoC: wm_adsp: Fix NULL dereference when removing firmware controls

Yun Zhou <yun.zhou@windriver.com>
    gpio: mvebu: fix NULL pointer dereference in suspend/resume

Chenguang Zhao <zhaochenguang@kylinos.cn>
    netlabel: validate unlabeled address and mask attribute lengths

Vikas Gupta <vikas.gupta@broadcom.com>
    bnge: fix context mem iteration

Arthur Kiyanovski <akiyano@amazon.com>
    net: ena: PHC: Add missing barrier

Alok Tiwari <alok.a.tiwari@oracle.com>
    idpf: fix mailbox capability for set device clock time

Petr Oros <poros@redhat.com>
    ice: fix missing priority callbacks for U.FL DPLL pins

Sanghyun Park <sanghyun.park.cnu@gmail.com>
    xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

Li RongQing <lirongqing@baidu.com>
    dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device

Li RongQing <lirongqing@baidu.com>
    dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments

Zhenghang Xiao <kipreyyy@gmail.com>
    xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload

Richard Patel <ripatel@wii.dev>
    riscv: cfi: reject unknown flags in PR_SET_CFI

Andreas Schwab <schwab@suse.de>
    riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI

Gabriele Monaco <gmonaco@redhat.com>
    verification/rvgen: Fix ltl2k writing True as a literal

Gabriele Monaco <gmonaco@redhat.com>
    verification/rvgen: Fix options shared among commands

Gabriele Monaco <gmonaco@redhat.com>
    tools/rv: Fix cleanup after failed trace setup

Gabriele Monaco <gmonaco@redhat.com>
    tools/rv: Fix substring match when listing container monitors

Gabriele Monaco <gmonaco@redhat.com>
    tools/rv: Fix substring match bug in monitor name search

Gabriele Monaco <gmonaco@redhat.com>
    tools/rv: Ensure monitor name and desc are NUL-terminated

Tomas Glozar <tglozar@redhat.com>
    rtla: Fix parsing of multi-character short options

Zhan Xusheng <zhanxusheng1024@gmail.com>
    cpufreq/amd-pstate: drop stale @epp_cached kdoc

Tony Luck <tony.luck@intel.com>
    x86/resctrl: Only check Intel systems for SNC

Kyle Zeng <kylebot@openai.com>
    ALSA: seq: dummy: fix UMP event stack overread

Ji'an Zhou <eilaimemedsnaimel@gmail.com>
    ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
    time: Fix off-by-one in settimeofday() usec validation

Qing Wang <wangqing7171@gmail.com>
    rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

Arnd Bergmann <arnd@arndb.de>
    crypto: s390 - add select CRYPTO_AEAD for aes

NeilBrown <neilb@ownmail.net>
    VFS: fix possible failure to unlock in nfsd4_create_file()

Dexuan Cui <decui@microsoft.com>
    hyperv: Clean up and fix the guest ID comment in hvgdk.h

Arnd Bergmann <arnd@arndb.de>
    regulator: mt6363: select CONFIG_IRQ_DOMAIN

Aleksandr Nogikh <nogikh@google.com>
    signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()

Geliang Tang <geliang@kernel.org>
    selftests: harness: fix pidfd leak in __wait_for_test

Michael Kelley <mhklinux@outlook.com>
    drm/hyperv: During panic do VMBus unload after frame buffer is flushed

Michael Kelley <mhklinux@outlook.com>
    Drivers: hv: vmbus: Provide option to skip VMBus unload on panic

Jakub Kicinski <kuba@kernel.org>
    Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path"

Pavan Chebbi <pavan.chebbi@broadcom.com>
    fwctl/bnxt_en: Refactor aux bus functions to be more generic

Pavan Chebbi <pavan.chebbi@broadcom.com>
    fwctl/bnxt_en: Move common definitions to include/linux/bnxt/

Xin Long <lucien.xin@gmail.com>
    sctp: purge outqueue on stale COOKIE-ECHO handling

Eric Dumazet <edumazet@google.com>
    bonding: annotate data-races arcound churn variables

Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

Eric Dumazet <edumazet@google.com>
    ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()

Andy Roulin <aroulin@nvidia.com>
    vxlan: vnifilter: fix spurious notification on VNI update

Andy Roulin <aroulin@nvidia.com>
    vxlan: vnifilter: send notification on VNI add

Nithin Dabilpuram <ndabilpuram@marvell.com>
    octeontx2-af: npc: Fix CPT channel mask in npc_install_flow

Xin Long <lucien.xin@gmail.com>
    sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing

Rajat Gupta <rajat.gupta@oss.qualcomm.com>
    net/sched: fix pedit partial COW leading to page cache corruption

Antoine Tenart <atenart@kernel.org>
    geneve: fix length used in GRO hint UDP checksum adjustment

Lorenzo Bianconi <lorenzo@kernel.org>
    net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

Lorenzo Bianconi <lorenzo@kernel.org>
    net: airoha: Fix use-after-free in metadata dst teardown

Kurt Kanzenbach <kurt@linutronix.de>
    ptp: vclock: Switch from RCU to SRCU

Eric Dumazet <edumazet@google.com>
    ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options

Jianyu Li <jianyu.li@mediatek.com>
    af_unix: Fix inq_len update problem in partial read

Suman Ghosh <sumang@marvell.com>
    octeontx2-af: Fix initialization of mcam's entry2target_pffunc field

Geetha sowjanya <gakula@marvell.com>
    octeontx2-pf: Fix NDC sync operation errors

Jason Xing <kerneljasonxing@gmail.com>
    xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: MGMT: Fix backward compatibility with userspace

SeungJu Cheon <suunj1331@gmail.com>
    Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect

SeungJu Cheon <suunj1331@gmail.com>
    Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync

Bharath Reddy <kbreddy.rpbc@gmail.com>
    Bluetooth: fix memory leak in error path of hci_alloc_dev()

Zhang Cen <rollkingzzc@gmail.com>
    Bluetooth: bnep: reject short frames before parsing

Dudu Lu <phx0fer@gmail.com>
    Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling

SeungJu Cheon <suunj1331@gmail.com>
    Bluetooth: RFCOMM: validate skb length in MCC handlers

Zhang Cen <rollkingzzc@gmail.com>
    Bluetooth: MGMT: validate advertising TLV before type checks

Zhang Cen <rollkingzzc@gmail.com>
    Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()

Johannes Berg <johannes.berg@intel.com>
    wifi: cfg80211: enforce HE/EHT cap/oper consistency

Johannes Berg <johannes.berg@intel.com>
    wifi: nl80211: split out UHR operation information

Hari Chandrakanthan <quic_haric@quicinc.com>
    wifi: cfg80211: add support to handle incumbent signal detected event from mac80211/driver

Fedor Pchelkin <pchelkin@ispras.ru>
    wifi: fix leak if split 6 GHz scanning fails

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: anycast: insert aca into global hash under idev->lock

Tapio Reijonen <tapio.reijonen@vaisala.com>
    net: fec: fix pinctrl default state restore order on resume

David Thompson <davthompson@nvidia.com>
    net: lan743x: permit VLAN-tagged packets up to configured MTU

Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    net: garp: fix unsigned integer underflow in garp_pdu_parse_attr

Kuniyuki Iwashima <kuniyu@google.com>
    hsr: Remove WARN_ONCE() in hsr_addr_is_self().

Kuniyuki Iwashima <kuniyu@google.com>
    tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().

Kuniyuki Iwashima <kuniyu@google.com>
    net: Annotate sk->sk_write_space() for UDP SOCKMAP.

Oscar Maes <oscmaes92@gmail.com>
    pcnet32: stop holding device spin lock during napi_complete_done

Deepanshu Kartikey <kartikey406@gmail.com>
    wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap

Yicong Hui <yiconghui@gmail.com>
    drm/imx: Fix three kernel-doc warnings in dcss-scaler.c

Mark Bloch <mbloch@nvidia.com>
    devlink: Release nested relation on devlink free

Lee Jones <lee@kernel.org>
    l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()

Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    6lowpan: fix off-by-one in multicast context address compression

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: act_api: use RCU with deferred freeing for action lifecycle

Guangshuo Li <lgs201920130244@gmail.com>
    dm cache policy smq: check allocation under invalidate lock

Yiming Qian <yimingqian591@gmail.com>
    netfilter: bridge: make ebt_snat ARP rewrite writable

Jiayuan Chen <jiayuan.chen@linux.dev>
    netfilter: nft_ct: bail out on template ct in get eval

Florian Westphal <fw@strlen.de>
    netfilter: conntrack_irc: fix possible out-of-bounds read

Fernando Fernandez Mancera <fmancera@suse.de>
    netfilter: synproxy: add mutex to guard hook reference counting

Julian Anastasov <ja@ssi.bg>
    ipvs: clear the svc scheduler ptr early on edit

Fernando Fernandez Mancera <fmancera@suse.de>
    netfilter: xt_NFQUEUE: prefer raw_smp_processor_id

Gil Portnoy <dddhkts1@gmail.com>
    ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    wifi: iwlwifi: mvm: don't support the reset handshake for old firmwares

Gao Xiang <xiang@kernel.org>
    erofs: fix use-after-free on sbi->sync_decompress

Linus Walleij <linusw@kernel.org>
    ARM: dts: gemini: Fix partition offsets

Jan Polensky <japo@linux.ibm.com>
    s390/bug: Always emit format word in __BUG_ENTRY

Robertus Diawan Chris <robertusdchris@gmail.com>
    tee: qcomtee: add missing va_end in early return qcomtee_object_user_init()

Arnd Bergmann <arnd@arndb.de>
    tee: fix tee_ioctl_object_invoke_arg padding

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    soc: qcom: ice: Return -ENODEV if the ICE platform device is not found

Mihai Sain <mihai.sain@microchip.com>
    ARM: dts: microchip: sam9x7: fix GMAC clock configuration

Val Packett <val@packett.cool>
    arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins

Harshal Dev <harshal.dev@oss.qualcomm.com>
    soc: qcom: ice: Allow explicit votes on 'iface' clock for ICE

Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
    tee: optee: prevent use-after-free when the client exits before the supplicant

Nicolò Coccia <n.coccia96@gmail.com>
    net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS

Ido Schimmel <idosch@nvidia.com>
    ipv6: mcast: Fix use-after-free when processing MLD queries

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

Mingyu Wang <25181214217@stu.xidian.edu.cn>
    i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

Hyunwoo Kim <imv4bel@gmail.com>
    KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

Kuniyuki Iwashima <kuniyu@google.com>
    bpf: Free reuseport cBPF prog after RCU grace period.


-------------

Diffstat:

 Documentation/arch/arm64/silicon-errata.rst        |  48 +++
 Makefile                                           |   7 +-
 arch/arm/Kconfig                                   |   2 +-
 arch/arm/boot/dts/gemini/gemini-sl93512r.dts       |   2 +-
 arch/arm/boot/dts/gemini/gemini-sq201.dts          |   2 +-
 arch/arm/boot/dts/microchip/sam9x7.dtsi            |   6 +-
 arch/arm/include/asm/io.h                          |  15 +-
 arch/arm/kernel/entry-armv.S                       |   2 +-
 arch/arm/mach-socfpga/platsmp.c                    |   1 +
 arch/arm64/Kconfig                                 |  38 +++
 arch/arm64/Makefile                                |   3 +
 arch/arm64/boot/dts/qcom/x1-dell-thena.dtsi        |   7 +-
 arch/arm64/include/asm/cputype.h                   |   4 +
 arch/arm64/include/asm/kvm_nested.h                |   4 +-
 arch/arm64/kernel/cpu_errata.c                     |  34 ++-
 arch/arm64/kvm/at.c                                |   6 +-
 arch/arm64/kvm/hyp/include/hyp/switch.h            |   2 +
 arch/arm64/kvm/hyp/pgtable.c                       |   4 +-
 arch/arm64/mm/mmu.c                                |   1 +
 arch/riscv/include/asm/usercfi.h                   |   1 +
 arch/riscv/kernel/ptrace.c                         |   2 +-
 arch/riscv/kernel/usercfi.c                        |   3 +
 arch/s390/Kconfig                                  |   3 -
 arch/s390/crypto/Kconfig                           |   1 +
 arch/s390/include/asm/bug.h                        |  12 +-
 arch/x86/Makefile                                  |   4 +
 arch/x86/Makefile.um                               |   8 +
 arch/x86/kernel/cpu/resctrl/monitor.c              |   7 +-
 arch/x86/kvm/svm/sev.c                             |  27 +-
 drivers/accel/amdxdna/aie2_ctx.c                   |   3 +
 drivers/accel/ethosu/ethosu_gem.c                  |  35 ++-
 drivers/accel/ivpu/ivpu_fw.c                       |  16 +
 drivers/accel/ivpu/ivpu_fw_log.c                   |   5 +
 drivers/accel/ivpu/ivpu_ipc.c                      |   2 +-
 drivers/accel/ivpu/ivpu_ms.c                       |   7 +
 drivers/base/bus.c                                 |  11 +-
 drivers/base/faux.c                                |  22 +-
 drivers/block/zram/zram_drv.c                      |   2 +-
 drivers/clk/qcom/dispcc-sc8280xp.c                 |   4 +-
 drivers/clk/qcom/dispcc-x1e80100.c                 |   2 +-
 drivers/clk/samsung/clk-gs101.c                    |   2 +-
 drivers/cpufreq/amd-pstate.h                       |   1 -
 drivers/firmware/samsung/exynos-acpm.c             |  13 +-
 drivers/firmware/stratix10-rsu.c                   |  45 ++-
 drivers/firmware/stratix10-svc.c                   |  21 +-
 drivers/gpio/gpio-mvebu.c                          |   4 +-
 drivers/gpio/gpio-rockchip.c                       |   4 +-
 drivers/gpio/gpio-zynq.c                           |   1 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c             |   4 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c           |  12 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c            |   2 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c            |   6 +-
 .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   2 +-
 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c   |  49 ++-
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c  |   6 +-
 .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c  |   5 +
 drivers/gpu/drm/amd/display/dc/basics/vector.c     |   4 +-
 drivers/gpu/drm/amd/display/dc/bios/bios_parser.c  |  15 +-
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |  81 +++--
 .../drm/amd/display/dc/bios/bios_parser_helper.h   |   5 +
 drivers/gpu/drm/amd/display/dc/dc_dp_types.h       |   2 +-
 drivers/gpu/drm/amd/display/dc/dce/dce_transform.c |  10 +-
 .../drm/amd/display/dc/dce110/dce110_opp_csc_v.c   |  10 +-
 .../gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c    |   3 +-
 .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c   |  42 ++-
 .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c   |  32 +-
 .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c   |   3 +-
 .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c   |   1 -
 drivers/gpu/drm/drm_atomic.c                       |   4 +-
 drivers/gpu/drm/drm_atomic_uapi.c                  |  68 ++++-
 drivers/gpu/drm/drm_colorop.c                      |  16 +-
 drivers/gpu/drm/drm_gem.c                          |  73 +++--
 drivers/gpu/drm/drm_ioctl.c                        |   3 +-
 drivers/gpu/drm/hyperv/hyperv_drm_drv.c            |   5 +
 drivers/gpu/drm/hyperv/hyperv_drm_modeset.c        |  15 +-
 drivers/gpu/drm/i915/display/intel_dp.c            |  11 +-
 drivers/gpu/drm/i915/display/intel_plane.c         |  27 ++
 drivers/gpu/drm/i915/gem/i915_gem_phys.c           |  19 +-
 drivers/gpu/drm/imx/dcss/dcss-scaler.c             |   3 +
 drivers/gpu/drm/v3d/v3d_gem.c                      |   8 +
 drivers/gpu/drm/v3d/v3d_perfmon.c                  |  24 +-
 drivers/gpu/drm/v3d/v3d_sched.c                    |  17 +-
 drivers/gpu/drm/vc4/vc4_validate_shaders.c         |  13 +-
 drivers/gpu/drm/virtio/virtgpu_drv.c               |   5 +-
 drivers/gpu/drm/virtio/virtgpu_submit.c            |   4 +-
 drivers/gpu/drm/xe/display/xe_display.c            |  11 +-
 drivers/gpu/drm/xe/xe_exec_queue.h                 |  17 --
 drivers/gpu/drm/xe/xe_guc_submit.c                 | 111 +++----
 drivers/gpu/drm/xe/xe_hw_engine_group.c            |  10 +-
 drivers/gpu/drm/xe/xe_range_fence.c                |   2 +
 drivers/gpu/drm/xe/xe_uc_fw.c                      |   1 -
 drivers/hv/channel_mgmt.c                          |   1 +
 drivers/hv/hv_kvp.c                                |  25 +-
 drivers/hv/hyperv_vmbus.h                          |   1 -
 drivers/hv/vmbus_drv.c                             |  54 +++-
 drivers/i2c/busses/i2c-imx-lpi2c.c                 |  53 ++--
 drivers/i2c/busses/i2c-imx.c                       |  15 +-
 drivers/i2c/busses/i2c-qcom-cci.c                  |   2 +-
 drivers/i2c/busses/i2c-stm32f7.c                   |   6 +-
 drivers/i2c/busses/i2c-tegra.c                     |  53 ++--
 drivers/i2c/i2c-dev.c                              |   9 +-
 drivers/infiniband/core/Makefile                   |   2 +-
 drivers/infiniband/core/iter.c                     |  43 +++
 drivers/infiniband/core/ucaps.c                    |   8 +-
 drivers/infiniband/core/umem.c                     |  16 +
 drivers/infiniband/core/uverbs_std_types_dmah.c    |   5 +
 drivers/infiniband/core/verbs.c                    |  38 ---
 drivers/infiniband/hw/bnxt_re/debugfs.c            |   2 +-
 drivers/infiniband/hw/bnxt_re/main.c               |   2 +-
 drivers/infiniband/hw/bnxt_re/qplib_fp.c           |   2 +-
 drivers/infiniband/hw/bnxt_re/qplib_res.c          |   2 +-
 drivers/infiniband/hw/bnxt_re/qplib_res.h          |   2 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |   2 +-
 drivers/infiniband/hw/efa/efa_verbs.c              |   2 +-
 drivers/infiniband/hw/erdma/erdma_verbs.c          |   2 +-
 drivers/infiniband/hw/hns/hns_roce_alloc.c         |   2 +-
 drivers/infiniband/hw/hns/hns_roce_mr.c            |   4 +
 drivers/infiniband/hw/ionic/ionic_ibdev.h          |   2 +-
 drivers/infiniband/hw/irdma/main.h                 |   2 +-
 drivers/infiniband/hw/irdma/verbs.c                |   4 +
 drivers/infiniband/hw/mana/mana_ib.h               |   2 +-
 drivers/infiniband/hw/mlx4/mr.c                    |   5 +
 drivers/infiniband/hw/mlx5/mem.c                   |   1 +
 drivers/infiniband/hw/mlx5/mr.c                    |   4 +
 drivers/infiniband/hw/mlx5/umr.c                   |   1 +
 drivers/infiniband/hw/mthca/mthca_provider.c       |   2 +-
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c        |   2 +-
 drivers/infiniband/hw/qedr/verbs.c                 |   2 +-
 drivers/infiniband/hw/vmw_pvrdma/pvrdma.h          |   2 +-
 drivers/infiniband/sw/rxe/rxe_verbs.c              |   5 +
 drivers/infiniband/ulp/isert/ib_isert.c            |   6 +
 drivers/infiniband/ulp/srp/ib_srp.c                |  30 +-
 drivers/input/keyboard/atkbd.c                     |  15 +
 drivers/iommu/dma-iommu.c                          |  19 +-
 drivers/md/dm-cache-policy-smq.c                   |  12 +-
 drivers/memory/atmel-ebi.c                         |   3 +-
 drivers/misc/fastrpc.c                             | 107 ++++---
 drivers/mmc/core/mmc.c                             |   4 +-
 drivers/mmc/host/dw_mmc-rockchip.c                 |  17 ++
 drivers/mmc/host/litex_mmc.c                       |  20 +-
 drivers/mmc/host/renesas_sdhi_internal_dmac.c      |   1 +
 drivers/mmc/host/sdhci-of-dwcmshc.c                |  44 +--
 drivers/mmc/host/sdhci.c                           |   1 +
 drivers/net/bonding/bond_3ad.c                     |  18 +-
 drivers/net/bonding/bond_main.c                    |   4 +-
 drivers/net/bonding/bond_netlink.c                 |   4 +-
 drivers/net/bonding/bond_procfs.c                  |   8 +-
 drivers/net/ethernet/airoha/airoha_eth.c           |   5 +-
 drivers/net/ethernet/amazon/ena/ena_com.c          |   5 +
 drivers/net/ethernet/amd/pcnet32.c                 |   4 +-
 drivers/net/ethernet/broadcom/bnge/bnge_hwrm_lib.c |  14 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |  87 ++++--
 drivers/net/ethernet/broadcom/bnxt/bnxt.h          |  19 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c  |  10 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c  |   4 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c    |   2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c      | 337 +++++++++++++--------
 drivers/net/ethernet/freescale/fec_main.c          |   3 +-
 drivers/net/ethernet/ibm/emac/core.c               |   9 +-
 drivers/net/ethernet/intel/ice/ice_dpll.c          |   2 +
 drivers/net/ethernet/intel/idpf/idpf_ptp.c         |   2 +-
 drivers/net/ethernet/marvell/mv643xx_eth.c         |   2 +-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |  67 ++--
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c    |   2 +-
 drivers/net/ethernet/marvell/octeontx2/af/rvu.h    |   1 +
 .../net/ethernet/marvell/octeontx2/af/rvu_npc.c    |  36 +--
 .../net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c |   2 +-
 .../net/ethernet/marvell/octeontx2/nic/otx2_pf.c   |   2 +-
 drivers/net/ethernet/mediatek/mtk_eth_soc.c        |   2 +-
 drivers/net/ethernet/mellanox/mlx4/cq.c            |   9 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |   6 +-
 drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c   |  10 +-
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c  |  13 +-
 .../net/ethernet/mellanox/mlx5/core/irq_affinity.c |   5 +-
 drivers/net/ethernet/mellanox/mlx5/core/vport.c    |  72 +++--
 drivers/net/ethernet/microchip/lan743x_main.c      |  32 ++
 drivers/net/ethernet/microchip/lan743x_main.h      |   1 +
 drivers/net/ethernet/realtek/rtase/rtase_main.c    |   7 +-
 drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c     |  24 +-
 drivers/net/ethernet/wangxun/txgbe/txgbe_type.h    |   3 +
 drivers/net/geneve.c                               |   2 +-
 drivers/net/hyperv/netvsc.c                        |  19 +-
 drivers/net/mctp/mctp-usb.c                        |  28 +-
 drivers/net/phy/phy_device.c                       |  24 +-
 drivers/net/phy/sfp.c                              |   1 +
 drivers/net/tun.c                                  |   1 +
 drivers/net/usb/r8152.c                            |   7 +-
 drivers/net/vxlan/vxlan_vnifilter.c                |   5 +-
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |   6 +
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c      |  56 ++--
 drivers/nvmem/core.c                               |  12 +-
 drivers/nvmem/layouts/onie-tlv.c                   |   3 +-
 drivers/pinctrl/pinctrl-mcp23s08_spi.c             |  11 +-
 drivers/pmdomain/imx/gpc.c                         |   2 +-
 drivers/pmdomain/ti/ti_sci_pm_domains.c            |   2 +-
 drivers/ptp/ptp_ocp.c                              |  24 +-
 drivers/ptp/ptp_vclock.c                           |  14 +-
 drivers/regulator/Kconfig                          |   1 +
 drivers/slimbus/qcom-ngd-ctrl.c                    | 122 +++++---
 drivers/soc/qcom/ice.c                             |  57 +++-
 drivers/spi/spi-geni-qcom.c                        |  27 +-
 drivers/spi/spi-rzv2h-rspi.c                       |   3 +-
 drivers/staging/rtl8723bs/core/rtw_mlme.c          |  24 +-
 drivers/tee/optee/supp.c                           | 107 +++++--
 drivers/tee/qcomtee/core.c                         |   6 +-
 drivers/tee/tee_shm.c                              |   2 +-
 drivers/thunderbolt/property.c                     |   6 +
 drivers/thunderbolt/xdomain.c                      |  14 +-
 drivers/usb/serial/io_ti.c                         |  11 +
 drivers/usb/serial/kl5kusb105.c                    |   4 +-
 drivers/usb/serial/option.c                        |   3 +
 fs/erofs/zdata.c                                   |   6 +-
 fs/fcntl.c                                         |   8 +-
 fs/fhandle.c                                       |  16 +-
 fs/fuse/dev.c                                      |  13 +-
 fs/iomap/buffered-io.c                             |  10 +-
 fs/mount.h                                         |  10 +-
 fs/namei.c                                         |  10 +
 fs/namespace.c                                     |   9 +-
 fs/overlayfs/readdir.c                             |   7 +-
 fs/qnx6/dir.c                                      |   8 +-
 fs/smb/server/oplock.c                             |  15 +-
 fs/smb/server/smb2pdu.c                            |  11 +
 fs/xfs/scrub/cow_repair.c                          |  12 +-
 include/drm/drm_atomic_uapi.h                      |   4 +-
 include/drm/drm_colorop.h                          |  34 +--
 include/hyperv/hvgdk.h                             |  10 +-
 include/hyperv/hvhdk.h                             |   1 +
 .../bnxt/bnxt_ulp.h => include/linux/bnxt/ulp.h    |  25 +-
 include/linux/cfi.h                                |   1 +
 include/linux/hugetlb.h                            |   8 -
 include/linux/hyperv.h                             |   3 +
 include/linux/mlx5/vport.h                         |   4 +-
 include/linux/mm.h                                 |   8 -
 include/linux/rseq_entry.h                         |   5 +-
 include/linux/tracepoint.h                         |   8 +
 include/net/act_api.h                              |   1 +
 include/net/bluetooth/l2cap.h                      |   1 +
 include/net/cfg80211.h                             |  23 ++
 include/net/ip_vs.h                                |   3 +-
 include/net/netfilter/nf_conntrack_helper.h        |   1 +
 include/net/sock.h                                 |   1 +
 include/net/tc_act/tc_pedit.h                      |   1 -
 include/rdma/ib_umem.h                             |  44 +--
 include/rdma/ib_verbs.h                            |  48 ---
 include/rdma/iter.h                                |  88 ++++++
 include/uapi/linux/nl80211.h                       |  25 ++
 include/uapi/linux/tee.h                           |   1 +
 io_uring/kbuf.c                                    |   1 -
 io_uring/net.c                                     |   3 +-
 io_uring/wait.c                                    |   2 +-
 ipc/shm.c                                          |  10 +-
 kernel/cgroup/cpuset.c                             |  13 +-
 kernel/dma/debug.c                                 |   2 +-
 kernel/dma/direct.c                                |   2 +-
 kernel/futex/requeue.c                             |   6 +
 kernel/locking/rtmutex.c                           |   3 +
 kernel/locking/rtmutex_api.c                       |   2 +-
 kernel/pid.c                                       |   8 +-
 kernel/sched/ext.c                                 |  10 +-
 kernel/signal.c                                    |   1 +
 kernel/time/time.c                                 |   2 +-
 kernel/time/timer_migration.c                      |   8 +-
 kernel/trace/trace_probe.c                         |   2 -
 lib/debugobjects.c                                 |  54 +++-
 mm/cma.c                                           |   7 +-
 mm/cma_debug.c                                     |   3 +-
 mm/damon/lru_sort.c                                |   4 +
 mm/damon/ops-common.c                              |   4 +-
 mm/damon/reclaim.c                                 |   4 +
 mm/huge_memory.c                                   |  49 ++-
 mm/hugetlb.c                                       |  69 +++--
 mm/list_lru.c                                      |  21 +-
 mm/memcontrol.c                                    |   5 +-
 mm/memory-failure.c                                |  19 +-
 mm/mincore.c                                       |  10 +-
 net/6lowpan/iphc.c                                 |   4 +-
 net/802/garp.c                                     |   2 +-
 net/802/mrp.c                                      |   9 +
 net/bluetooth/bnep/core.c                          |  50 ++-
 net/bluetooth/hci_sync.c                           |   5 +
 net/bluetooth/hci_sysfs.c                          |   6 +-
 net/bluetooth/iso.c                                |  63 ++--
 net/bluetooth/l2cap_core.c                         |  46 +++
 net/bluetooth/mgmt.c                               |  17 +-
 net/bluetooth/rfcomm/core.c                        |  69 +++--
 net/bluetooth/rfcomm/sock.c                        |  26 +-
 net/bluetooth/sco.c                                |  20 +-
 net/bridge/netfilter/ebt_dnat.c                    |   4 +-
 net/bridge/netfilter/ebt_redirect.c                |  16 +-
 net/bridge/netfilter/ebt_snat.c                    |   3 +
 net/bridge/netfilter/nft_meta_bridge.c             |   2 +
 net/core/filter.c                                  |  15 +-
 net/core/gro.c                                     |   5 +
 net/core/netdev-genl.c                             |   4 +-
 net/core/skbuff.c                                  |   6 +-
 net/core/sock.c                                    |  13 +-
 net/devlink/core.c                                 |   2 +
 net/hsr/hsr_framereg.c                             |   4 +-
 net/ieee802154/6lowpan/tx.c                        |   5 +
 net/ipv4/esp4.c                                    |  17 +-
 net/ipv4/inet_connection_sock.c                    |   6 +
 net/ipv4/inet_fragment.c                           |   3 +
 net/ipv4/ip_fragment.c                             |   3 -
 net/ipv4/ip_options.c                              |   4 +
 net/ipv4/netfilter/arp_tables.c                    |  15 +-
 net/ipv4/netfilter/ip_tables.c                     |  15 +-
 net/ipv4/netfilter/nf_nat_h323.c                   |   2 +
 net/ipv4/netfilter/nft_fib_ipv4.c                  |   2 +-
 net/ipv4/udp.c                                     |   8 +
 net/ipv6/addrconf.c                                |   6 +-
 net/ipv6/anycast.c                                 |  16 +-
 net/ipv6/esp6.c                                    |  17 +-
 net/ipv6/ip6_vti.c                                 |   3 +
 net/ipv6/mcast.c                                   |   8 +-
 net/ipv6/netfilter/ip6_tables.c                    |  15 +-
 net/ipv6/netfilter/nft_fib_ipv6.c                  |   2 +-
 net/ipv6/sit.c                                     |   1 +
 net/l2tp/l2tp_ppp.c                                |  92 +++---
 net/mac80211/mlme.c                                |   9 +
 net/mac80211/tests/chan-mode.c                     |   1 +
 net/mac80211/tx.c                                  |   4 +-
 net/mptcp/options.c                                |  73 ++---
 net/mptcp/pm.c                                     |  15 +-
 net/mptcp/pm_userspace.c                           |  14 +-
 net/mptcp/protocol.c                               |  10 +
 net/mptcp/protocol.h                               |   7 +-
 net/mptcp/sockopt.c                                |  15 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |  13 +-
 net/netfilter/ipvs/ip_vs_sched.c                   |  14 +-
 net/netfilter/nf_conntrack_helper.c                |  19 ++
 net/netfilter/nf_conntrack_irc.c                   |   4 +-
 net/netfilter/nf_log_syslog.c                      |   4 +-
 net/netfilter/nf_nat_core.c                        |   2 +
 net/netfilter/nf_nat_sip.c                         |   1 +
 net/netfilter/nf_synproxy_core.c                   |  24 +-
 net/netfilter/nfnetlink_log.c                      |  23 +-
 net/netfilter/nfnetlink_queue.c                    |  64 +++-
 net/netfilter/nft_ct.c                             |   8 +-
 net/netfilter/nft_ct_fast.c                        |   2 +-
 net/netfilter/nft_exthdr.c                         |   3 +
 net/netfilter/nft_fib.c                            |   6 +
 net/netfilter/nft_tunnel.c                         |   2 +-
 net/netfilter/xt_NFQUEUE.c                         |   2 +-
 net/netlabel/netlabel_unlabeled.c                  |  30 +-
 net/openvswitch/datapath.c                         |   1 +
 net/phonet/pn_dev.c                                |   2 +-
 net/qrtr/af_qrtr.c                                 |   4 +-
 net/rds/ib_cm.c                                    |   1 +
 net/rds/ib_send.c                                  |   2 +
 net/rds/info.c                                     |   2 +-
 net/rxrpc/input.c                                  |  26 +-
 net/sched/act_api.c                                |   7 +-
 net/sched/act_pedit.c                              |  77 ++---
 net/sctp/bind_addr.c                               |  11 +-
 net/sctp/diag.c                                    |  17 +-
 net/sctp/input.c                                   |   8 +
 net/sctp/sm_make_chunk.c                           |  12 +-
 net/sctp/sm_statefuns.c                            |   6 +-
 net/sctp/stream.c                                  |   6 +-
 net/smc/af_smc.c                                   |  17 +-
 net/socket.c                                       |  11 +-
 net/unix/af_unix.c                                 |  11 +-
 net/vmw_vsock/virtio_transport_common.c            |  11 +-
 net/vmw_vsock/vmci_transport.c                     |   4 +-
 net/wireless/nl80211.c                             |  73 ++++-
 net/wireless/scan.c                                |   9 +-
 net/wireless/trace.h                               |  19 ++
 net/xdp/xsk.c                                      |  11 +-
 net/xfrm/espintcp.c                                |   4 +
 net/xfrm/xfrm_iptfs.c                              |  11 +-
 net/xfrm/xfrm_policy.c                             |  13 +-
 scripts/Makefile.compiler                          |   2 +-
 scripts/generate_rust_target.rs                    |   8 +-
 sound/core/pcm_native.c                            |   7 +-
 sound/core/seq/seq_dummy.c                         |  15 +-
 sound/core/timer.c                                 |  17 +-
 sound/soc/codecs/wm_adsp.c                         |   3 +
 sound/soc/fsl/fsl_sai.c                            |   2 +-
 sound/soc/sdca/sdca_function_device.c              |  24 +-
 sound/soc/sof/amd/acp-ipc.c                        |   4 +-
 sound/soc/sof/amd/acp.h                            |   2 +
 .../test.d/dynevent/eprobes_syntax_errors.tc       |   2 +-
 tools/testing/selftests/kselftest_harness.h        |   1 +
 tools/testing/selftests/net/mptcp/mptcp_join.sh    |   4 +
 tools/testing/selftests/riscv/cfi/cfitests.c       |   6 +
 tools/tracing/rtla/src/common.c                    |  28 +-
 tools/tracing/rtla/src/common.h                    |  12 +-
 tools/tracing/rtla/src/osnoise_hist.c              |   7 +-
 tools/tracing/rtla/src/osnoise_top.c               |   7 +-
 tools/tracing/rtla/src/timerlat_hist.c             |   7 +-
 tools/tracing/rtla/src/timerlat_top.c              |   7 +-
 tools/verification/rv/src/in_kernel.c              |  67 ++--
 tools/verification/rvgen/__main__.py               |  10 +-
 tools/verification/rvgen/rvgen/ltl2ba.py           |   9 +-
 virt/kvm/kvm_main.c                                |   3 +-
 396 files changed, 3849 insertions(+), 1908 deletions(-)



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 084/522] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 083/522] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 085/522] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
                   ` (438 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pooja Katiyar, Johan Hovold, stable,
	Heikki Krogerus

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.

ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
payload VDO from data[], but unlike the equivalent handler in
altmodes/displayport.c it does not check that count covers a VDO beyond
the header.  A header-only Configure VDM (count == 1) would read one u32
past the caller's array.

In the normal UCSI path the caller controls count, so this is hardening
for non-standard delivery paths.  NAK and bail when no configuration VDO
is present, matching the generic DP altmode driver's existing guard.

Assisted-by: gkh_clanker_t1000
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/displayport.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
 				dp->header |= VDO_CMDT(CMDT_RSP_ACK);
 			break;
 		case DP_CMD_CONFIGURE:
+			if (count < 2) {
+				dp->header |= VDO_CMDT(CMDT_RSP_NAK);
+				break;
+			}
 			dp->data.conf = *data;
 			if (ucsi_displayport_configure(dp)) {
 				dp->header |= VDO_CMDT(CMDT_RSP_NAK);
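Review bot: the new "count < 2" guard under DP_CMD_CONFIGURE uses a bare literal; a short comment that 2 means the VDM header plus one configuration VDO would make the bound self-explanatory next to "dp->data.conf = *data;". The NAK-and-break path skips ucsi_displayport_configure(), so please also confirm that the code after the switch still sends the NAK response when this branch is taken.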



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 001/378] bpf: Free reuseport cBPF prog after RCU grace period.
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 002/378] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation Greg Kroah-Hartman
                   ` (377 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eulgyu Kim, Taeyang Lee,
	Kuniyuki Iwashima, Daniel Borkmann, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]

Eulgyu Kim reported the splat below with a repro. [0]

The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.

The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().

If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.

Let's defer freeing the reuseport cBPF prog after one RCU
grace period.

Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().

[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
 udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
 __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
 __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
 __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
 ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
 __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
 __netif_receive_skb net/core/dev.c:6294 [inline]
 process_backlog+0xaa4/0x1960 net/core/dev.c:6645
 __napi_poll+0xae/0x340 net/core/dev.c:7709
 napi_poll net/core/dev.c:7772 [inline]
 net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
 handle_softirqs+0x22b/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
 neigh_output include/net/neighbour.h:556 [inline]
 ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
 ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
 udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
 udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x554/0x680 net/socket.c:2206
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
Reported-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/filter.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index e4ed3b343ed9f4..959e84f4b81384 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1659,15 +1659,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
 	return err;
 }
 
+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
+{
+	struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
+	struct bpf_prog *prog = aux->prog;
+
+	bpf_release_orig_filter(prog);
+	bpf_prog_free(prog);
+}
+
 void sk_reuseport_prog_free(struct bpf_prog *prog)
 {
 	if (!prog)
 		return;
 
-	if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
-		bpf_prog_put(prog);
+	if (bpf_prog_was_classic(prog))
+		call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
 	else
-		bpf_prog_destroy(prog);
+		bpf_prog_put(prog);
 }
 
 static inline int __bpf_try_make_writable(struct sk_buff *skb,
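Review bot: sk_reuseport_prog_free() now picks its branch with bpf_prog_was_classic(prog) where it used to test prog->type == BPF_PROG_TYPE_SK_REUSEPORT, and the commit message does not say that the two tests split reuseport programs the same way; please state that explicitly. A comment above sk_reuseport_prog_free_rcu() saying that the classic program is freed from an RCU callback because readers may still be running it, and that prog->aux->rcu has no other pending user at that point, would also help the next reader.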
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 085/522] usb: typec: altmodes/displayport: validate count before reading Status Update VDO
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 084/522] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 086/522] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
                   ` (437 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.

A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.

Fix this up by correctly verifying the count for the update object.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/altmodes/displayport.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -308,6 +308,8 @@ static int dp_altmode_vdm(struct typec_a
 			}
 			break;
 		case DP_CMD_STATUS_UPDATE:
+			if (count < 2)
+				break;
 			dp->data.status = *vdo;
 			ret = dp_altmode_status_update(dp);
 			break;
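Review bot: the added "if (count < 2) break;" under DP_CMD_STATUS_UPDATE drops the malformed message silently and leaves ret at whatever value it had before the switch, which these lines do not show. Consider setting ret explicitly (or logging once) so that a short Status Update is distinguishable from a handled one, and add a comment that 2 is the VDM header plus one status VDO.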



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 002/378] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 001/378] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 003/378] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
                   ` (376 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Upton, Hyunwoo Kim,
	Marc Zyngier

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hyunwoo Kim <imv4bel@gmail.com>

commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 upstream.

walk_s1() and kvm_walk_nested_s2() expect to be called while holding
kvm->srcu to guard against memslot changes. While this is generally
the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
respective walkers without taking kvm->srcu.

Fix by acquiring kvm->srcu prior to the table walk in both instances.

Cc: stable@vger.kernel.org
Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
Suggested-by: Oliver Upton <oupton@kernel.org>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/at.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/at.c
+++ b/arch/arm64/kvm/at.c
@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu,
 	/* Do the stage-2 translation */
 	ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
 	out.esr = 0;
-	ret = kvm_walk_nested_s2(vcpu, ipa, &out);
+	scoped_guard(srcu, &vcpu->kvm->srcu)
+		ret = kvm_walk_nested_s2(vcpu, ipa, &out);
 	if (ret < 0)
 		return ret;
 
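Review bot: in __kvm_at_s12() the scoped_guard() body is an unbraced single statement, followed by "if (ret < 0)" at the outer indent, which makes it easy to misread which statements run under kvm->srcu. Braces around the guarded kvm_walk_nested_s2() call would make the scope explicit.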
@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_
 	}
 
 	/* Walk the guest's PT, looking for a match along the way */
-	ret = walk_s1(vcpu, &wi, &wr, va);
+	scoped_guard(srcu, &vcpu->kvm->srcu)
+		ret = walk_s1(vcpu, &wi, &wr, va);
 	switch (ret) {
 	case -EINTR:
 		/* We interrupted the walk on a match, return the level */
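Review bot: in __kvm_find_s1_desc_level() the guard covers only the walk_s1() call, while the walk results in wi and wr are examined in the switch (ret) that follows, after kvm->srcu has been released. Please confirm that what is read there is plain values and not pointers into memslot-backed state, and say so in a comment next to the guard.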



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 086/522] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 085/522] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 087/522] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
                   ` (436 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.

wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
struct pd_message with

	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
		regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);

which has two problems:

USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
The byte count latched in RXINFO is the number of bytes the port partner
put on the wire, so a malicious partner that transmits a 31-byte frame
can drive the loop one byte past the destination if the WCOVE BMC
receiver does not enforce the PD object-count limit in hardware. The
existing FIXME flagged this as unverified.

Independently, regmap_read() takes an unsigned int * and stores a full
unsigned int at the destination. Passing the byte pointer msg + i means
each iteration writes four bytes; the high three are zero (val_bits is
8) and are normally overwritten by the next iteration, but the final
iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
already writes three zero bytes past msg, which sits on the IRQ thread's
stack in wcove_typec_irq().

Clamp the loop to sizeof(struct pd_message) and read each register into
a local before storing only its low byte, so the copy can never exceed
the destination regardless of what RXINFO reports.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/wcove.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/usb/typec/tcpm/wcove.c
+++ b/drivers/usb/typec/tcpm/wcove.c
@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
 	return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
 }
 
-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
+static int wcove_read_rx_buffer(struct wcove_typec *wcove,
+				struct pd_message *msg)
 {
-	unsigned int info;
+	unsigned int info, val, len;
+	u8 *buf = (u8 *)msg;
 	int ret;
 	int i;
 
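Review bot: len is declared unsigned int here while the loop index stays "int i", so the loop condition in the next hunk compares signed with unsigned. Declaring i as unsigned int alongside val and len avoids the mixed-sign comparison.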
@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
 	if (ret)
 		return ret;
 
-	/* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
+	len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
 
-	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
-		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+	for (i = 0; i < len; i++) {
+		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
 		if (ret)
 			return ret;
+		buf[i] = val;
 	}
 
 	return regmap_write(wcove->regmap, USBC_RXSTATUS,
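Review bot: the FIXME asking to check USBC_RXINFO_RXBYTES(info) against the header is deleted, but the replacement only clamps to sizeof(*msg), so a frame whose RXBYTES exceeds the struct is truncated silently and the header consistency check is still missing. Consider returning an error for the oversize case, or at least keep a comment recording that the header check is still open. Also, min() here mixes the result of USBC_RXINFO_RXBYTES(info) with a size_t from sizeof(), so min_t(unsigned int, ...) would rule out a type-check complaint in this tree.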



^ permalink raw reply	[flat|nested] 906+ messages in thread
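
The two out-of-bounds writes described in the wcove commit message above, modelled in user space as an added example (not code from the patch or the kernel). fake_regmap_read(), the constructed FIFO contents, the guard bytes and all helper names are assumptions for illustration, and a 4-byte unsigned int is assumed.

```c
#include <stdio.h>
#include <string.h>

#define PD_MESSAGE_SIZE 30  /* sizeof(struct pd_message) per the commit message */
#define GUARD_SIZE      8   /* constructed canary area placed right after the message */
#define GUARD_BYTE      0xAA
#define FIFO_SIZE       32  /* RXBYTES is a 5-bit field, so at most 31 bytes */

/* Constructed FIFO contents standing in for the USBC_RX_DATA registers. */
static unsigned char fake_fifo[FIFO_SIZE];

/*
 * Hypothetical stand-in for regmap_read() on 8-bit registers: like the real
 * call it stores a whole unsigned int at the destination. memcpy() is used so
 * the model itself performs no unaligned store.
 */
static int fake_regmap_read(unsigned int reg, void *dst)
{
	unsigned int val = fake_fifo[reg % FIFO_SIZE];

	memcpy(dst, &val, sizeof(val));
	return 0;
}

/* Pre-patch loop shape: count taken from RXINFO, destination is msg + i. */
static void copy_before_patch(unsigned char *msg, unsigned int rxbytes)
{
	unsigned int i;

	for (i = 0; i < rxbytes; i++)
		fake_regmap_read(i, msg + i);
}

/* Post-patch loop shape: clamp to the struct size, keep only the low byte. */
static unsigned int copy_after_patch(unsigned char *msg, unsigned int rxbytes)
{
	unsigned int i, val, len;

	len = rxbytes < PD_MESSAGE_SIZE ? rxbytes : PD_MESSAGE_SIZE;
	for (i = 0; i < len; i++) {
		fake_regmap_read(i, &val);
		msg[i] = (unsigned char)val;
	}
	return len;
}

/* Run one copy into a message followed by canary bytes; count damaged canaries. */
static int guard_bytes_clobbered(int patched, unsigned int rxbytes)
{
	unsigned char mem[PD_MESSAGE_SIZE + GUARD_SIZE];
	int i, damaged = 0;

	rxbytes &= 0x1f;	/* 5-bit field, as in the commit message */
	for (i = 0; i < FIFO_SIZE; i++)
		fake_fifo[i] = (unsigned char)(i + 1);
	memset(mem, 0, PD_MESSAGE_SIZE);
	memset(mem + PD_MESSAGE_SIZE, GUARD_BYTE, GUARD_SIZE);

	if (patched)
		copy_after_patch(mem, rxbytes);
	else
		copy_before_patch(mem, rxbytes);

	for (i = 0; i < GUARD_SIZE; i++)
		if (mem[PD_MESSAGE_SIZE + i] != GUARD_BYTE)
			damaged++;
	return damaged;
}

int main(void)
{
	unsigned int n;

	for (n = 27; n <= 31; n++)
		printf("RXBYTES=%2u  before: %d guard bytes hit  after: %d\n",
		       n, guard_bytes_clobbered(0, n), guard_bytes_clobbered(1, n));
	return 0;
}
```

The pre-patch shape already damages the canary at RXBYTES values below 30, because the last iteration's four-byte store reaches past the end of the message.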

* [PATCH 7.0 003/378] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 001/378] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 002/378] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 004/378] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer Greg Kroah-Hartman
                   ` (375 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Wolfram Sang

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingyu Wang <25181214217@stu.xidian.edu.cn>

commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.

While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().

A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
[wsa: move the comment as well]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/i2c-dev.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *fi
 		client->adapter->retries = arg;
 		break;
 	case I2C_TIMEOUT:
-		if (arg > INT_MAX)
+		/*
+		 * For historical reasons, user-space sets the timeout value in
+		 * units of 10 ms.
+		 */
+		if (arg > INT_MAX / 10)
 			return -EINVAL;
 
-		/* For historical reasons, user-space sets the timeout
-		 * value in units of 10 ms.
-		 */
 		client->adapter->timeout = msecs_to_jiffies(arg * 10);
 		break;
 	default:
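Review bot: the moved comment in the I2C_TIMEOUT case explains the 10 ms unit but not why the bound is INT_MAX / 10. Add a sentence that the limit keeps "arg * 10" within the range of the int stored in client->adapter->timeout, so the reason for the divisor survives without the commit message.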



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 087/522] usb: typec: ucsi: validate connector number in ucsi_connector_change()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 086/522] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 088/522] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (435 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Benson Leung,
	Jameson Thies, Nathan Rebello, Johan Hovold, Pooja Katiyar,
	Hsin-Te Yuan, Abel Vesa, stable, Abel Vesa

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 288a81a8507052bcfbf884d39a463c44c42c5fd9 upstream.

The connector number in a UCSI CCI notification is a 7-bit field
supplied by the PPM.  ucsi_connector_change() uses it to index the
ucsi->connector[] array without checking it against the number of
connectors the PPM reported at init time, so a buggy or malicious PPM
(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
glink transports) can drive schedule_work() on memory past the end of
the array.

Reject connector numbers that are zero or exceed cap.num_connectors
before dereferencing the array.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: Benson Leung <bleung@chromium.org>
Cc: Jameson Thies <jthies@google.com>
Cc: Nathan Rebello <nathan.c.rebello@gmail.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Hsin-Te Yuan <yuanhsinte@chromium.org>
Cc: Abel Vesa <abelvesa@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -852,13 +852,22 @@ out_unlock:
  */
 void ucsi_connector_change(struct ucsi *ucsi, u8 num)
 {
-	struct ucsi_connector *con = &ucsi->connector[num - 1];
+	struct ucsi_connector *con;
 
 	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
 		dev_dbg(ucsi->dev, "Early connector change event\n");
 		return;
 	}
 
+	if (!num || num > ucsi->cap.num_connectors) {
+		dev_warn_ratelimited(ucsi->dev,
+				     "Bogus connector change on %u (max %u)\n",
+				     num, ucsi->cap.num_connectors);
+		return;
+	}
+
+	con = &ucsi->connector[num - 1];
+
 	if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
 		schedule_work(&con->work);
 }
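Review bot: the new bound in ucsi_connector_change() is correct only if ucsi->connector[] holds exactly ucsi->cap.num_connectors entries, which this hunk does not show; a comment at the check tying it to the allocation would keep the two from drifting apart. Since num is 1-based (the index is num - 1), saying so in that comment would also explain the "!num" test.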



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 004/378] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 7.0 003/378] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 005/378] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
                   ` (374 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sashiko, Luiz Augusto von Dentz

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

commit f50331f2a1441ec49988832c3a95f2edacc47322 upstream.

In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is
dropped:
	bis = iso_pi(sk)->conn->hcon;
	/* Release the socket before lookups since that requires hci_dev_lock
	 * which shall not be acquired while holding sock_lock for proper
	 * ordering.
	 */
	release_sock(sk);
	hci_dev_lock(bis->hdev);

During the unlocked window, a concurrent close() could destroy the connection
and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory
after it is freed. Fix this by using the hdev reference which was safely
acquired via iso_conn_get_hdev().

Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1090,7 +1090,7 @@ static int iso_sock_rebind_bc(struct soc
 	 * ordering.
 	 */
 	release_sock(sk);
-	hci_dev_lock(bis->hdev);
+	hci_dev_lock(hdev);
 	lock_sock(sk);
 
 	if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
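Review bot: After this change bis is only compared, never dereferenced, at `iso_pi(sk)->conn->hcon != bis`, which is acceptable for a possibly stale pointer, but the hunk does not show where hdev is assigned or that a reference on it is held across release_sock(). A short comment next to `hci_dev_lock(hdev);` stating that hdev comes from iso_conn_get_hdev() (as the commit message says) would let a reader check the lifetime argument in place instead of hunting for the assignment.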




* [PATCH 6.1 088/522] USB: serial: safe_serial: fix memory corruption with small endpoint
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 087/522] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 089/522] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
                   ` (434 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.

Make sure that the bulk-out buffer size is at least eight bytes to avoid
user-controlled slab corruption in "safe" mode should a malicious device
report a smaller size.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/safe_serial.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/safe_serial.c
+++ b/drivers/usb/serial/safe_serial.c
@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
 static int safe_startup(struct usb_serial *serial)
 {
 	struct usb_interface_descriptor	*desc;
+	int bulk_out_size;
 
 	if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
 		return -ENODEV;
@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
 	default:
 		return -EINVAL;
 	}
+
+	/*
+	 * The bulk-out buffer needs to be large enough for the two-byte
+	 * trailer in safe mode, but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	bulk_out_size = serial->port[0]->bulk_out_size;
+	if (bulk_out_size > 0 && bulk_out_size < 8)
+		return -EINVAL;
+
 	return 0;
 }
 
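Review bot: The condition `bulk_out_size > 0 && bulk_out_size < 8` in safe_startup() lets a size of zero through, and the comment above it explains only the eight-byte lower bound. If zero is meant to cover a port with no bulk-out endpoint, say so in the comment, and confirm that safe_prepare_write_buffer() cannot run for such a port, since that is where the two-byte trailer is written.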




* [PATCH 7.0 005/378] ipv6: mcast: Fix use-after-free when processing MLD queries
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 7.0 004/378] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 006/378] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Greg Kroah-Hartman
                   ` (373 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern, Ido Schimmel,
	Eric Dumazet, Jiayuan Chen, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@nvidia.com>

commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 upstream.

When processing an MLD query, a pointer to the multicast group address
is retrieved when initially parsing the packet. This pointer is later
dereferenced without being reloaded despite the fact that the skb header
might have been reallocated following the pskb_may_pull() calls, leading
to a use-after-free [1].

Fix by copying the multicast group address when the packet is initially
parsed.

[1]
BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118

Workqueue: mld mld_query_work
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
print_address_description.constprop.0 (mm/kasan/report.c:378)
print_report (mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:595)
__mld_query_work (net/ipv6/mcast.c:1512)
mld_query_work (net/ipv6/mcast.c:1563)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
</TASK>

[...]

Freed by task 118:
kasan_save_stack (mm/kasan/common.c:57)
kasan_save_track (mm/kasan/common.c:78)
kasan_save_free_info (mm/kasan/generic.c:584)
__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
pskb_expand_head (net/core/skbuff.c:2335)
__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
mld_query_work (net/ipv6/mcast.c:1563)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)

Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
Reported-by: Leo Lin <leo@depthfirst.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/mcast.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1424,9 +1424,9 @@ out:
 static void __mld_query_work(struct sk_buff *skb)
 {
 	struct mld2_query *mlh2 = NULL;
-	const struct in6_addr *group;
 	unsigned long max_delay;
 	struct inet6_dev *idev;
+	struct in6_addr group;
 	struct ifmcaddr6 *ma;
 	struct mld_msg *mld;
 	int group_type;
@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_b
 		goto kfree_skb;
 
 	mld = (struct mld_msg *)icmp6_hdr(skb);
-	group = &mld->mld_mca;
-	group_type = ipv6_addr_type(group);
+	group = mld->mld_mca;
+	group_type = ipv6_addr_type(&group);
 
 	if (group_type != IPV6_ADDR_ANY &&
 	    !(group_type&IPV6_ADDR_MULTICAST))
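Review bot: `group = mld->mld_mca;` removes the stale group pointer, but mld itself is still a pointer into the skb header, which the commit message says can be reallocated by the later pskb_may_pull() calls. Confirm that no dereference of mld survives past those calls, and consider a comment at the assignment stating that anything needed from mld must be copied out at this point.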
@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_b
 		}
 	} else {
 		for_each_mc_mclock(idev, ma) {
-			if (!ipv6_addr_equal(group, &ma->mca_addr))
+			if (!ipv6_addr_equal(&group, &ma->mca_addr))
 				continue;
 			if (ma->mca_flags & MAF_TIMER_RUNNING) {
 				/* gsquery <- gsquery && mark */




* [PATCH 6.1 089/522] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 088/522] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 090/522] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse Greg Kroah-Hartman
                   ` (433 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Dmitry Torokhov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.

The input buffer size is pcu->max_in_size, but pcu->max_out_size is
passed to usb_free_coherent().

Change size to match the allocation size.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/misc/ims-pcu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1598,7 +1598,7 @@ static void ims_pcu_buffers_free(struct
 	usb_kill_urb(pcu->urb_in);
 	usb_free_urb(pcu->urb_in);
 
-	usb_free_coherent(pcu->udev, pcu->max_out_size,
+	usb_free_coherent(pcu->udev, pcu->max_in_size,
 			  pcu->urb_in_buf, pcu->read_dma);
 
 	kfree(pcu->urb_out_buf);




* [PATCH 7.0 006/378] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 7.0 005/378] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 007/378] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
                   ` (372 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nicolò Coccia, Dust Li,
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolò Coccia <n.coccia96@gmail.com>

commit a3fdd924d88c30b9f488636ce0e4696012cf5511 upstream.

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/smc/af_smc.c |   17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -3061,18 +3061,17 @@ static int __smc_setsockopt(struct socke
 
 	smc = smc_sk(sk);
 
+	/* pre-fetch user data outside the lock */
+	if (optname == SMC_LIMIT_HS) {
+		if (optlen < sizeof(int))
+			return -EINVAL;
+		if (copy_from_sockptr(&val, optval, sizeof(int)))
+			return -EFAULT;
+	}
+
 	lock_sock(sk);
 	switch (optname) {
 	case SMC_LIMIT_HS:
-		if (optlen < sizeof(int)) {
-			rc = -EINVAL;
-			break;
-		}
-		if (copy_from_sockptr(&val, optval, sizeof(int))) {
-			rc = -EFAULT;
-			break;
-		}
-
 		smc->limit_smc_hs = !!val;
 		rc = 0;
 		break;
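Review bot: The pre-fetch block and the switch in __smc_setsockopt() both key on SMC_LIMIT_HS independently, so an option added to the switch later that calls copy_from_sockptr() in its case body would put a user copy back under the socket lock with nothing to flag it. A comment at `lock_sock(sk);` stating that no user-memory access is allowed inside the locked section, and that new options must extend the pre-fetch block, would make the rule visible where the mistake would be made.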




* [PATCH 6.1 090/522] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 089/522] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 091/522] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
                   ` (432 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, hlleng, Benjamin Tissoires

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hlleng <a909204013@gmail.com>

commit 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd upstream.

The SIGMACHIP USB mouse with VID/PID 1c4f:0034 can disconnect and
re-enumerate repeatedly after it has been enumerated if its interrupt
endpoint is not continuously polled.

This was observed with the device reporting itself as "SIGMACHIP Usb
Mouse". Keeping the input event device open avoids the disconnects.

Add HID_QUIRK_ALWAYS_POLL for this device so the HID core keeps polling
it even when there is no userspace input consumer.

Cc: stable@vger.kernel.org
Signed-off-by: hlleng <a909204013@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-ids.h    |    1 +
 drivers/hid/hid-quirks.c |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -1167,6 +1167,7 @@
 
 #define USB_VENDOR_ID_SIGMA_MICRO	0x1c4f
 #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD	0x0002
+#define USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE	0x0034
 #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD2	0x0059
 
 #define USB_VENDOR_ID_SIGMATEL		0x066F
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -175,6 +175,7 @@ static const struct hid_device_id hid_qu
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD), HID_QUIRK_NO_INIT_REPORTS },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE), HID_QUIRK_ALWAYS_POLL },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS1030_TOUCH), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS817_TOUCH), HID_QUIRK_NOGET },




* [PATCH 7.0 007/378] tee: optee: prevent use-after-free when the client exits before the supplicant
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 7.0 006/378] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 7.0 008/378] soc: qcom: ice: Allow explicit votes on iface clock for ICE Greg Kroah-Hartman
                   ` (371 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amirreza Zarrabi, Ox Yeh, Sumit Garg,
	Jens Wiklander, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>

[ Upstream commit 387a926ee166814611acecb960207fe2f3c4fd3e ]

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
client wait as killable so it can be interrupted during shutdown or
after a supplicant crash. This changes the original lifetime expectations:
the client task can now terminate while the supplicant is still processing
its request.

If the client exits first it removes the request from its queue and
kfree()s it, while the request ID remains in supp->idr. A subsequent
lookup on the supplicant path then dereferences freed memory, leading to
a use-after-free.

Serialise access to the request with supp->mutex:

  * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
    looking up and touching the request.
  * Let optee_supp_thrd_req() notice that the client has terminated and
    signal optee_supp_send() accordingly.

With these changes the request cannot be freed while the supplicant still
has a reference, eliminating the race.

Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop")
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
Tested-by: Ox Yeh <ox.yeh@mediatek.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tee/optee/supp.c | 107 +++++++++++++++++++++++++++------------
 1 file changed, 74 insertions(+), 33 deletions(-)

diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c
index a3d11b1f90fa55..06747e90c2309b 100644
--- a/drivers/tee/optee/supp.c
+++ b/drivers/tee/optee/supp.c
@@ -10,7 +10,11 @@
 struct optee_supp_req {
 	struct list_head link;
 
+	int id;
+
 	bool in_queue;
+	bool processed;
+
 	u32 func;
 	u32 ret;
 	size_t num_params;
@@ -19,6 +23,9 @@ struct optee_supp_req {
 	struct completion c;
 };
 
+/* It is temporary request used for revoked pending request in supp->idr. */
+#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-EBADF))
+
 void optee_supp_init(struct optee_supp *supp)
 {
 	memset(supp, 0, sizeof(*supp));
@@ -39,21 +46,23 @@ void optee_supp_release(struct optee_supp *supp)
 {
 	int id;
 	struct optee_supp_req *req;
-	struct optee_supp_req *req_tmp;
 
 	mutex_lock(&supp->mutex);
 
-	/* Abort all request retrieved by supplicant */
+	/* Abort all request */
 	idr_for_each_entry(&supp->idr, req, id) {
 		idr_remove(&supp->idr, id);
-		req->ret = TEEC_ERROR_COMMUNICATION;
-		complete(&req->c);
-	}
+		/* Skip if request was already marked invalid */
+		if (IS_ERR(req))
+			continue;
 
-	/* Abort all queued requests */
-	list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) {
-		list_del(&req->link);
-		req->in_queue = false;
+		/* For queued requests where supplicant has not seen it */
+		if (req->in_queue) {
+			list_del(&req->link);
+			req->in_queue = false;
+		}
+
+		req->processed = true;
 		req->ret = TEEC_ERROR_COMMUNICATION;
 		complete(&req->c);
 	}
@@ -100,8 +109,16 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
 
 	/* Insert the request in the request list */
 	mutex_lock(&supp->mutex);
+	req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
+	if (req->id < 0) {
+		mutex_unlock(&supp->mutex);
+		kfree(req);
+		return TEEC_ERROR_OUT_OF_MEMORY;
+	}
+
 	list_add_tail(&req->link, &supp->reqs);
 	req->in_queue = true;
+	req->processed = false;
 	mutex_unlock(&supp->mutex);
 
 	/* Tell an eventual waiter there's a new request */
@@ -117,21 +134,43 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
 	if (wait_for_completion_killable(&req->c)) {
 		mutex_lock(&supp->mutex);
 		if (req->in_queue) {
+			/* Supplicant has not seen this request yet. */
+			idr_remove(&supp->idr, req->id);
 			list_del(&req->link);
 			req->in_queue = false;
+
+			ret = TEEC_ERROR_COMMUNICATION;
+		} else if (req->processed) {
+			/*
+			 * Supplicant has processed this request. Ignore the
+			 * kill signal for now and submit the result. req is not
+			 * in supp->reqs (removed by supp_pop_entry()) nor in
+			 * supp->idr (removed by supp_pop_req()).
+			 */
+			ret = req->ret;
+		} else {
+			/*
+			 * Supplicant is in the middle of processing this
+			 * request. Replace req with INVALID_REQ_PTR so that
+			 * the ID remains busy, causing optee_supp_send() to
+			 * fail on the next call to supp_pop_req() with this ID.
+			 */
+			idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);
+			ret = TEEC_ERROR_COMMUNICATION;
 		}
+
 		mutex_unlock(&supp->mutex);
-		req->ret = TEEC_ERROR_COMMUNICATION;
+	} else {
+		ret = req->ret;
 	}
 
-	ret = req->ret;
 	kfree(req);
 
 	return ret;
 }
 
 static struct optee_supp_req  *supp_pop_entry(struct optee_supp *supp,
-					      int num_params, int *id)
+					      int num_params)
 {
 	struct optee_supp_req *req;
 
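Review bot: The return value of `idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);` in the final else branch of optee_supp_thrd_req() is discarded. The scheme depends on the ID staying occupied until supp_pop_req() sees the marker, so a failed replace should at least trip a WARN_ON(IS_ERR(...)) rather than pass silently just before the kfree(req) that follows.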
@@ -153,10 +192,6 @@ static struct optee_supp_req  *supp_pop_entry(struct optee_supp *supp,
 		return ERR_PTR(-EINVAL);
 	}
 
-	*id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
-	if (*id < 0)
-		return ERR_PTR(-ENOMEM);
-
 	list_del(&req->link);
 	req->in_queue = false;
 
@@ -214,7 +249,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 	struct optee *optee = tee_get_drvdata(teedev);
 	struct optee_supp *supp = &optee->supp;
 	struct optee_supp_req *req = NULL;
-	int id;
 	size_t num_meta;
 	int rc;
 
@@ -224,15 +258,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 
 	while (true) {
 		mutex_lock(&supp->mutex);
-		req = supp_pop_entry(supp, *num_params - num_meta, &id);
+		req = supp_pop_entry(supp, *num_params - num_meta);
+		if (req)
+			break; /* Keep mutex held. */
 		mutex_unlock(&supp->mutex);
 
-		if (req) {
-			if (IS_ERR(req))
-				return PTR_ERR(req);
-			break;
-		}
-
 		/*
 		 * If we didn't get a request we'll block in
 		 * wait_for_completion() to avoid needless spinning.
@@ -245,6 +275,13 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 			return -ERESTARTSYS;
 	}
 
+	/* supp->mutex held and req != NULL. */
+
+	if (IS_ERR(req)) {
+		mutex_unlock(&supp->mutex);
+		return PTR_ERR(req);
+	}
+
 	if (num_meta) {
 		/*
 		 * tee-supplicant support meta parameters -> requsts can be
@@ -252,13 +289,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 		 */
 		param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
 			      TEE_IOCTL_PARAM_ATTR_META;
-		param->u.value.a = id;
+		param->u.value.a = req->id;
 		param->u.value.b = 0;
 		param->u.value.c = 0;
 	} else {
-		mutex_lock(&supp->mutex);
-		supp->req_id = id;
-		mutex_unlock(&supp->mutex);
+		supp->req_id = req->id;
 	}
 
 	*func = req->func;
@@ -266,6 +301,7 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 	memcpy(param + num_meta, req->param,
 	       sizeof(struct tee_param) * req->num_params);
 
+	mutex_unlock(&supp->mutex);
 	return 0;
 }
 
@@ -297,12 +333,17 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
 	if (!req)
 		return ERR_PTR(-ENOENT);
 
+	/* optee_supp_thrd_req() already returned to optee. */
+	if (IS_ERR(req))
+		goto failed_req;
+
 	if ((num_params - nm) != req->num_params)
 		return ERR_PTR(-EINVAL);
 
+	*num_meta = nm;
+failed_req:
 	idr_remove(&supp->idr, id);
 	supp->req_id = -1;
-	*num_meta = nm;
 
 	return req;
 }
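Review bot: In supp_pop_req() the `goto failed_req` path returns the INVALID_REQ_PTR marker itself as the error, so the errno that optee_supp_send() reports is whatever that macro encodes (-EBADF), which is not apparent at the return site. A comment at the `failed_req:` label saying that req is an ERR_PTR here and that the ID is released on purpose would help, particularly because the neighbouring `return ERR_PTR(-EINVAL);` for a parameter-count mismatch leaves the ID in supp->idr, so the two error paths now clean up differently.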
@@ -328,10 +369,9 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
 
 	mutex_lock(&supp->mutex);
 	req = supp_pop_req(supp, num_params, param, &num_meta);
-	mutex_unlock(&supp->mutex);
-
 	if (IS_ERR(req)) {
-		/* Something is wrong, let supplicant restart. */
+		mutex_unlock(&supp->mutex);
+		/* Something is wrong, let supplicant handel it. */
 		return PTR_ERR(req);
 	}
 
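Review bot: The rewritten comment in optee_supp_send() has a typo, "let supplicant handel it" should read "handle". The `mutex_unlock(&supp->mutex);` placed before the comment is correct for this early return, but since the lock is now held to the end of the function, every later return in optee_supp_send() needs the same unlock; a single exit label would make that easier to audit.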
@@ -355,9 +395,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
 		}
 	}
 	req->ret = ret;
-
+	req->processed = true;
 	/* Let the requesting thread continue */
 	complete(&req->c);
+	mutex_unlock(&supp->mutex);
 
 	return 0;
 }
-- 
2.53.0





* [PATCH 6.1 091/522] Bluetooth: btusb: Allow firmware re-download when version matches
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 090/522] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:53 ` [PATCH 6.1 092/522] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
                   ` (431 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shuai Zhang, Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.

The Bluetooth host decides whether to download firmware by reading the
controller firmware download completion flag and firmware version
information.

If a USB error occurs during the firmware download process (for example
due to a USB disconnect), the download is aborted immediately. An
incomplete firmware transfer does not cause the controller to set the
download completion flag, but the firmware version information may be
updated at an early stage of the download process.

In this case, after USB reconnection, the host attempts to re-download
the firmware because the download completion flag is not set. However,
since the controller reports the same firmware version as the target
firmware, the download is skipped. This ultimately results in the
firmware not being properly updated on the controller.

This change removes the restriction that skips firmware download when
the versions are equal. It covers scenarios where the USB connection
can be disconnected at any time and ensures that firmware download can
be retriggered after USB reconnection, allowing the Bluetooth firmware
to be correctly and completely updated.

Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
Cc: stable@vger.kernel.org
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/btusb.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3440,7 +3440,13 @@ static int btusb_setup_qca_load_rampatch
 		    "firmware rome 0x%x build 0x%x",
 		    rver_rom, rver_patch, ver_rom, ver_patch);
 
-	if (rver_rom != ver_rom || rver_patch <= ver_patch) {
+	/* Allow rampatch when the patch version equals the firmware version.
+	 * A firmware download may be aborted by a transient USB error (e.g.
+	 * disconnect) after the controller updates version info but before
+	 * completion.
+	 * Allowing equal versions enables re-flashing during recovery.
+	 */
+	if (rver_rom != ver_rom || rver_patch < ver_patch) {
 		bt_dev_err(hdev, "rampatch file version did not match with firmware");
 		err = -EINVAL;
 		goto done;
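Review bot: With `rver_patch < ver_patch` an equal-version rampatch is accepted on every call that reaches this check, not only after an aborted download. The new comment should state that this code is reached only when the controller's download-completion flag is clear, as the commit message describes, so the relaxed comparison is not read as permitting an unconditional re-flash. The error string "rampatch file version did not match with firmware" is also worth rewording, since equal versions now pass and only an older rampatch or a ROM mismatch is rejected.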




* [PATCH 7.0 008/378] soc: qcom: ice: Allow explicit votes on iface clock for ICE
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 7.0 007/378] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 009/378] arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins Greg Kroah-Hartman
                   ` (370 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam, Kuldeep Singh,
	Konrad Dybcio, Harshal Dev, Bjorn Andersson, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harshal Dev <harshal.dev@oss.qualcomm.com>

[ Upstream commit 0d5dc5818191b55e4364d04b1b898a14a2ccac38 ]

Since Qualcomm inline-crypto engine (ICE) is now a dedicated driver
de-coupled from the QCOM UFS driver, it explicitly votes for its required
clocks during probe. For scenarios where the 'clk_ignore_unused' flag is
not passed on the kernel command line, to avoid potential unclocked ICE
hardware register access during probe the ICE driver should additionally
vote on the 'iface' clock.
Also update the suspend and resume callbacks to handle un-voting and voting
on the 'iface' clock.

Fixes: 2afbf43a4aec6 ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Kuldeep Singh <kuldeep.singh@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Harshal Dev <harshal.dev@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260416-qcom_ice_power_and_clk_vote-v5-2-5ccf5d7e2846@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/qcom/ice.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c
index b203bc685cadd2..bf4ab2d9e5c036 100644
--- a/drivers/soc/qcom/ice.c
+++ b/drivers/soc/qcom/ice.c
@@ -108,6 +108,7 @@ struct qcom_ice {
 	void __iomem *base;
 
 	struct clk *core_clk;
+	struct clk *iface_clk;
 	bool use_hwkm;
 	bool hwkm_init_complete;
 	u8 hwkm_version;
@@ -312,8 +313,13 @@ int qcom_ice_resume(struct qcom_ice *ice)
 
 	err = clk_prepare_enable(ice->core_clk);
 	if (err) {
-		dev_err(dev, "failed to enable core clock (%d)\n",
-			err);
+		dev_err(dev, "Failed to enable core clock: %d\n", err);
+		return err;
+	}
+
+	err = clk_prepare_enable(ice->iface_clk);
+	if (err) {
+		dev_err(dev, "Failed to enable iface clock: %d\n", err);
 		return err;
 	}
 	qcom_ice_hwkm_init(ice);
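Review bot: In qcom_ice_resume(), when `clk_prepare_enable(ice->iface_clk)` fails the function returns with core_clk still enabled, because the new error branch has no `clk_disable_unprepare(ice->core_clk);`. Add that unwind before `return err;` so a failed resume does not leave the core clock prepared and enabled.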
@@ -323,6 +329,7 @@ EXPORT_SYMBOL_GPL(qcom_ice_resume);
 
 int qcom_ice_suspend(struct qcom_ice *ice)
 {
+	clk_disable_unprepare(ice->iface_clk);
 	clk_disable_unprepare(ice->core_clk);
 	ice->hwkm_init_complete = false;
 
@@ -579,11 +586,17 @@ static struct qcom_ice *qcom_ice_create(struct device *dev,
 	engine->core_clk = devm_clk_get_optional_enabled(dev, "ice_core_clk");
 	if (!engine->core_clk)
 		engine->core_clk = devm_clk_get_optional_enabled(dev, "ice");
+	if (!engine->core_clk)
+		engine->core_clk = devm_clk_get_optional_enabled(dev, "core");
 	if (!engine->core_clk)
 		engine->core_clk = devm_clk_get_enabled(dev, NULL);
 	if (IS_ERR(engine->core_clk))
 		return ERR_CAST(engine->core_clk);
 
+	engine->iface_clk = devm_clk_get_optional_enabled(dev, "iface");
+	if (IS_ERR(engine->iface_clk))
+		return ERR_CAST(engine->iface_clk);
+
 	if (!qcom_ice_check_supported(engine))
 		return ERR_PTR(-EOPNOTSUPP);
 
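Review bot: The added fallback `devm_clk_get_optional_enabled(dev, "core")` for core_clk in qcom_ice_create() is not mentioned in the commit message, which discusses only the 'iface' clock. Either describe the new "core" clock name in the changelog or split it into its own patch, so a stable reviewer can tell which part of the change the Fixes: tag covers.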
-- 
2.53.0





* [PATCH 6.1 092/522] hpfs: fix a crash if hpfs_map_dnode_bitmap fails
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 091/522] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 093/522] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
                   ` (430 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Farhad Alemi

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 974820a59efde7c1a7e1260bcfe9bb81f833cc9f upstream.

If hpfs_map_dnode_bitmap fails, the code would call hpfs_brelse4 on
uninitialized quad buffer head, causing a crash.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hpfs/alloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/hpfs/alloc.c
+++ b/fs/hpfs/alloc.c
@@ -372,8 +372,8 @@ int hpfs_check_free_dnodes(struct super_
 				return 0;
 			}
 		}
+		hpfs_brelse4(&qbh);
 	}
-	hpfs_brelse4(&qbh);
 	i = 0;
 	if (hpfs_sb(s)->sb_c_bitmap != -1) {
 		bmp = hpfs_map_bitmap(s, b, &qbh, "chkdn1");
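Review bot: the `return 0` in the leading context exits from inside the block that mapped `qbh`, and with `hpfs_brelse4(&qbh)` now at the end of that block the early return has to release the buffer itself. The release is not visible in this hunk, so confirm it is there. The same pairing applies to the `hpfs_map_bitmap(s, b, &qbh, "chkdn1")` call in the trailing context: its release should likewise sit only on the path where the map succeeded.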



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 009/378] arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 7.0 008/378] soc: qcom: ice: Allow explicit votes on iface clock for ICE Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 010/378] ARM: dts: microchip: sam9x7: fix GMAC clock configuration Greg Kroah-Hartman
                   ` (369 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Abel Vesa,
	Val Packett, Bjorn Andersson, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Val Packett <val@packett.cool>

[ Upstream commit 4b15b03166cc5d28e9912287b1f9b6607c8710ec ]

i2c20 is used by the battmgr service on the ADSP to communicate with the
SBS interface of the battery. Initializing it from Linux would break the
battmgr functionality when booted in EL2. Mark those pins as reserved.

Fixes: e7733b42111c ("arm64: dts: qcom: Add support for Dell Inspiron 7441 / Latitude 7455")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312005731.12488-2-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/qcom/x1-dell-thena.dtsi | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/arch/arm64/boot/dts/qcom/x1-dell-thena.dtsi b/arch/arm64/boot/dts/qcom/x1-dell-thena.dtsi
index 217ca8c7d81dae..488129bb1ae198 100644
--- a/arch/arm64/boot/dts/qcom/x1-dell-thena.dtsi
+++ b/arch/arm64/boot/dts/qcom/x1-dell-thena.dtsi
@@ -982,12 +982,6 @@ &i2c8 {
 	status = "okay";
 };
 
-&i2c20 {
-	clock-frequency = <400000>;
-
-	status = "okay";
-};
-
 &lpass_tlmm {
 	spkr_01_sd_n_active: spkr-01-sd-n-active-state {
 		pins = "gpio12";
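Review bot: documentation point on the removed `&i2c20` block. Once the override is gone, nothing at this spot says why the bus must stay off; the only remaining hint is the `/* I2C20 (Battery SMBus) */` comment on the reserved range in &tlmm. A one-line comment next to the other I2C overrides, stating that i2c20 belongs to battmgr on the ADSP, would keep the node from being re-added later.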
@@ -1308,6 +1302,7 @@ right_tweeter: speaker@0,1 {
 &tlmm {
 	gpio-reserved-ranges = <44 4>,  /* SPI11 (TPM) */
 			       <76 4>,  /* SPI19 (TZ Protected) */
+			       <80 2>,  /* I2C20 (Battery SMBus) */
 			       <238 1>; /* UFS Reset */
 
 	cam_rgb_default: cam-rgb-default-state {
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 093/522] ipc: limit next_id allocation to the valid ID range
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2026-06-16 14:53 ` [PATCH 6.1 092/522] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 094/522] auxdisplay: line-display: fix OOB read on zero-length message_store() Greg Kroah-Hartman
                   ` (429 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linpu Yu, Ren Wei, Yuan Tan,
	Yifan Wu, Juefei Pu, Xin Liu, Kees Cook, Stanislav Kinsbursky,
	Davidlohr Bueso, Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linpu Yu <linpu5433@gmail.com>

commit fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 upstream.

The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id.  ipc_idr_alloc() currently forwards that request to
idr_alloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni.  The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.

The bug is in ipc_idr_alloc() in the checkpoint/restore path.

1. ids->next_id is passed to:

       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)

2. The zero upper bound makes the allocation effectively open-ended.
   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
   ipc_mni and allocate an entry beyond the valid IPC id range.

3. The new object id is still encoded with the narrower SysV IPC index
   width:

       new->id = (new->seq << ipcmni_seq_shift()) + idx

4. Later removal goes through ipc_rmid(), which uses:

       ipcid_to_idx(ipcp->id)

   That truncates the real IDR index. An object actually stored at a
   high index can then be removed as if it lived at a low in-range
   index.

5. For shared memory, shm_destroy() frees the current object anyway, but
   the real high IDR slot is left behind as a dangling pointer.

6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
   and dereferences freed memory.

Prevent this by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.

Link: https://lore.kernel.org/cover.1778336914.git.linpu5433@gmail.com
Link: https://lore.kernel.org/2eebe949bfa7d1f6e13b5be6a92c64c850ce9d45.1778336914.git.linpu5433@gmail.com
Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id")
Signed-off-by: Linpu Yu <linpu5433@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 ipc/util.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/ipc/util.c
+++ b/ipc/util.c
@@ -253,7 +253,7 @@ static inline int ipc_idr_alloc(struct i
 	} else {
 		new->seq = ipcid_to_seqx(next_id);
 		idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
-				0, GFP_NOWAIT);
+				ipc_mni, GFP_NOWAIT);
 	}
 	if (idx >= 0)
 		new->id = (new->seq << ipcmni_seq_shift()) + idx;
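Review bot: the `ipc_mni` bound in the next_id branch has no comment, and the reason it is there is not obvious from the call. idr_alloc() treats its end argument as exclusive and an end of 0 as unbounded, so the old `0` let the index exceed what `(new->seq << ipcmni_seq_shift()) + idx` can encode. A short comment saying so would stop the bound from being "simplified" back. With the bound in place a full tail reaches the existing `idx >= 0` test as a negative value, so the restore request now fails instead of succeeding with an unusable id; that behaviour change is worth a line in the comment too.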



^ permalink raw reply	[flat|nested] 906+ messages in thread
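The index truncation walked through in steps 1 to 5 of the commit message above, as a user-space model added here; it is not kernel code and not part of the patch. The 4-bit index width, the 64-slot table and all helper names are constructed for the example, and `id_to_idx()` assumes the truncation is a mask of the low index bits.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy parameters, constructed for this model (not the kernel's values). */
#define SEQ_SHIFT 4                  /* stands in for ipcmni_seq_shift() */
#define IPC_MNI   (1 << SEQ_SHIFT)   /* stands in for ipc_mni: valid idx 0..15 */
#define SLOTS     64                 /* the backing table is wider than IPC_MNI */

struct table { int used[SLOTS]; };

/* Model of idr_alloc(): lowest free slot in [start, end); end <= 0 means no
 * upper bound (here: the whole table). Returns -ENOSPC when nothing is free. */
static int model_alloc(struct table *t, int start, int end)
{
	int limit = (end <= 0 || end > SLOTS) ? SLOTS : end;

	for (int i = start; i < limit; i++) {
		if (!t->used[i]) {
			t->used[i] = 1;
			return i;
		}
	}
	return -ENOSPC;
}

/* Assumed shape of the id helpers: the index is the low SEQ_SHIFT bits. */
static int id_to_idx(int id) { return id & (IPC_MNI - 1); }
static int id_to_seq(int id) { return id >> SEQ_SHIFT; }

/* Restore path: allocate at the slot named by next_id. 'bounded' selects the
 * patched call (end = IPC_MNI) instead of the original one (end = 0). */
static int restore_alloc(struct table *t, int next_id, int bounded, int *real_idx)
{
	int seq = id_to_seq(next_id);
	int idx = model_alloc(t, id_to_idx(next_id), bounded ? IPC_MNI : 0);

	if (idx < 0)
		return idx;
	*real_idx = idx;
	return (seq << SEQ_SHIFT) + idx;   /* same encoding as new->id */
}

/* Removal keyed on the id, as in step 4: clears the slot the id decodes to. */
static int remove_by_id(struct table *t, int id)
{
	int idx = id_to_idx(id);

	t->used[idx] = 0;
	return idx;
}

struct outcome {
	int id;           /* id handed back, or a negative errno */
	int real_idx;     /* slot the allocator actually used */
	int removed_idx;  /* slot the id-based removal cleared */
	int stale;        /* slots >= IPC_MNI still occupied afterwards */
};

/* Valid tail (idx 14 and 15) is full; restore asks for seq 2, idx 14. */
static struct outcome run_scenario(int bounded)
{
	struct table t;
	struct outcome o = { 0, -1, -1, 0 };

	memset(&t, 0, sizeof(t));
	t.used[14] = t.used[15] = 1;

	o.id = restore_alloc(&t, (2 << SEQ_SHIFT) + 14, bounded, &o.real_idx);
	if (o.id < 0)
		return o;              /* patched path: request refused */

	o.removed_idx = remove_by_id(&t, o.id);
	for (int i = IPC_MNI; i < SLOTS; i++)
		o.stale += t.used[i];
	return o;
}

int main(void)
{
	struct outcome before = run_scenario(0), after = run_scenario(1);

	printf("unbounded: id=%d stored at %d, removed from %d, stale=%d\n",
	       before.id, before.real_idx, before.removed_idx, before.stale);
	printf("bounded:   alloc returned %d, stale=%d\n", after.id, after.stale);
	return 0;
}
```

In the unbounded run the object is stored at slot 16 but its id decodes to slot 0, so removal leaves slot 16 occupied; in the bounded run the allocation is refused before any id is produced.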

* [PATCH 7.0 010/378] ARM: dts: microchip: sam9x7: fix GMAC clock configuration
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 009/378] arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 011/378] soc: qcom: ice: Return -ENODEV if the ICE platform device is not found Greg Kroah-Hartman
                   ` (368 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mihai Sain, Claudiu Beznea,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mihai Sain <mihai.sain@microchip.com>

[ Upstream commit 765aaba18413a66f6c8fe8416336ca9b3dd98a79 ]

The GMAC node incorrectly listed four clocks, including a separate tx_clk
and a TSU GCK clock sourced from ID 67. According to the SAM9X7 clocking
scheme, the GMAC uses only three clocks: HCLK, PCLK, and the TSU GCK
derived from the GMAC peripheral clock (ID 24).

Remove the unused tx_clk, update the clock-names accordingly, and correct
the assigned clock to use GCK 24 instead of GCK 67. This aligns the device
tree with the actual hardware clock topology and prevents misconfiguration
of the GMAC clock tree.

[root@SAM9X75 ~]$ cat /sys/kernel/debug/clk/clk_summary | grep gmac

gmac_gclk      1       1        1        266666666   0          0     50000      Y         f802c000.ethernet           tsu_clk
                                                                                           f802c000.ethernet           tsu_clk
gmac_clk       2       2        0        266666666   0          0     50000      Y         f802c000.ethernet           hclk
                                                                                           f802c000.ethernet           pclk

Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC")
Signed-off-by: Mihai Sain <mihai.sain@microchip.com>
Link: https://lore.kernel.org/r/20260309075329.1528-5-mihai.sain@microchip.com
[claudiu.beznea: massaged the patch description]
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/microchip/sam9x7.dtsi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi
index d242d7a934d0fa..c680a5033b6b4e 100644
--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi
+++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi
@@ -990,9 +990,9 @@ gmac: ethernet@f802c000 {
 				     <62 IRQ_TYPE_LEVEL_HIGH 3>,	/* Queue 3 */
 				     <63 IRQ_TYPE_LEVEL_HIGH 3>,	/* Queue 4 */
 				     <64 IRQ_TYPE_LEVEL_HIGH 3>;	/* Queue 5 */
-			clocks = <&pmc PMC_TYPE_PERIPHERAL 24>, <&pmc PMC_TYPE_PERIPHERAL 24>, <&pmc PMC_TYPE_GCK 24>, <&pmc PMC_TYPE_GCK 67>;
-			clock-names = "hclk", "pclk", "tx_clk", "tsu_clk";
-			assigned-clocks = <&pmc PMC_TYPE_GCK 67>;
+			clocks = <&pmc PMC_TYPE_PERIPHERAL 24>, <&pmc PMC_TYPE_PERIPHERAL 24>, <&pmc PMC_TYPE_GCK 24>;
+			clock-names = "hclk", "pclk", "tsu_clk";
+			assigned-clocks = <&pmc PMC_TYPE_GCK 24>;
 			assigned-clock-rates = <266666666>;
 			status = "disabled";
 		};
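Review bot: two points on the new `clocks` line. It is still a single line far beyond the usual width; wrapping it one phandle per line would make the three entries checkable against `clock-names` at a glance. And since "tx_clk" is dropped from `clock-names`, confirm that the binding and the driver treat that name as optional on this SoC, because nothing in this hunk shows it.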
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 094/522] auxdisplay: line-display: fix OOB read on zero-length message_store()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 093/522] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 095/522] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
                   ` (428 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Andy Shevchenko

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stepan Ionichev <sozdayvek@gmail.com>

commit a7511dcd9dd4bc55d123f9b800c8a4ed2662e5c6 upstream.

linedisp_display() unconditionally reads msg[count - 1] before
checking whether count is zero, so a write of zero bytes to the
message sysfs attribute hits msg[-1]:

	write(fd, "", 0);

	-> message_store(..., buf, count=0)
	   -> linedisp_display(linedisp, buf, count=0)
	      -> msg[count - 1] == '\n'  ; OOB read

The kernfs write buffer for that store is a 1-byte allocation
(kernfs_fop_write_iter() does kmalloc(len + 1) with len == 0),
so msg[-1] is a 1-byte read before the slab object. On a
KASAN-enabled kernel this trips an out-of-bounds report and
panics; on stock kernels it silently reads adjacent slab data
and, if that byte happens to be '\n', the following count--
wraps ssize_t 0 to -1 and is then passed to kmemdup_nul().

linedisp_display() is reached from the message_store() sysfs
callback (drivers/auxdisplay/line-display.c message attribute,
mode 0644) and from the in-tree initial-message setup with
count == -1, so the OOB path is only userspace-triggerable via
zero-byte writes; vfs_write() does not short-circuit on
count == 0 and kernfs_fop_write_iter() dispatches the store
callback regardless.

Guard the trailing-newline trim with a count check. The
existing if (!count) block then takes the clear-display path
unchanged.

Affects every auxdisplay driver that registers via
linedisp_register() / linedisp_attach(): ht16k33, max6959,
img-ascii-lcd, seg-led-gpio.

Fixes: 7e76aece6f03 ("auxdisplay: Extract character line display core support")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/auxdisplay/line-display.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/auxdisplay/line-display.c
+++ b/drivers/auxdisplay/line-display.c
@@ -80,7 +80,7 @@ static int linedisp_display(struct lined
 		count = strlen(msg);
 
 	/* if the string ends with a newline, trim it */
-	if (msg[count - 1] == '\n')
+	if (count && msg[count - 1] == '\n')
 		count--;
 
 	if (!count) {
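Review bot: `count &&` in the trim condition is also true for a negative count. It is safe only because the lines just above replace the count == -1 sentinel with strlen(msg). Writing the guard as `count > 0` states the intent for the signed type directly and keeps the `msg[count - 1]` index non-negative whatever value reaches this point.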



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 011/378] soc: qcom: ice: Return -ENODEV if the ICE platform device is not found
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 010/378] ARM: dts: microchip: sam9x7: fix GMAC clock configuration Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 012/378] tee: fix tee_ioctl_object_invoke_arg padding Greg Kroah-Hartman
                   ` (367 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sumit Garg, Manivannan Sadhasivam,
	Bjorn Andersson, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit 5a4dc805a80e6fe303d6a4748cd451ea15987ffd ]

By the time the consumer driver calls devm_of_qcom_ice_get(), all the
platform devices for ICE nodes would've been created by
of_platform_default_populate().

So for the absence of any platform device, -ENODEV should be returned, not
-EPROBE_DEFER.

Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-2-2a595382185b@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/qcom/ice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c
index bf4ab2d9e5c036..6520e146d2ce06 100644
--- a/drivers/soc/qcom/ice.c
+++ b/drivers/soc/qcom/ice.c
@@ -657,7 +657,7 @@ static struct qcom_ice *of_qcom_ice_get(struct device *dev)
 	pdev = of_find_device_by_node(node);
 	if (!pdev) {
 		dev_err(dev, "Cannot find device node %s\n", node->name);
-		return ERR_PTR(-EPROBE_DEFER);
+		return ERR_PTR(-ENODEV);
 	}
 
 	ice = platform_get_drvdata(pdev);
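Review bot: the dev_err() text in the `!pdev` branch says "Cannot find device node" although the node was found and it is the platform device that is missing. Now that this path is a hard -ENODEV rather than a deferral, the message is what users will see on a failed probe, so reword it to name the platform device. The `platform_get_drvdata(pdev)` in the trailing context is the case where the device exists but its driver has not bound yet; check that this path still defers.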
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 095/522] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 094/522] auxdisplay: line-display: fix OOB read on zero-length message_store() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 096/522] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
                   ` (427 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 8c8e620467a7b51562dbcefbd1f09f288d7d710d upstream.

l2cap_chan_close() removes the channel from conn->chan_l, which
must be done under conn->lock.  cleanup_listen() runs under the
parent sk_lock, so acquiring conn->lock would invert the
established conn->lock -> chan->lock -> sk_lock order.

Instead of calling l2cap_chan_close() directly, schedule
l2cap_chan_timeout with delay 0 to close the channel
asynchronously.  The timeout handler already acquires conn->lock
and chan->lock in the correct order.

The timer is only armed when chan->conn is still set: if it is
already NULL, l2cap_conn_del() has already processed this channel
(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
so there is nothing left to do.  If l2cap_conn_del() races in
after the timer is armed, __clear_chan_timer() inside
l2cap_chan_del() cancels it; if the timer has already fired, the
handler returns harmlessly because chan->conn was cleared.

Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list")
Cc: <stable@vger.kernel.org> # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1501,6 +1501,10 @@ static void l2cap_sock_cleanup_listen(st
 	 * pin it (hold_unless_zero() additionally skips a chan already past
 	 * its last reference).  We then drop the sk lock before taking
 	 * chan->lock, so sk and chan locks are never held together.
+	 *
+	 * Since we cannot call l2cap_chan_close() without conn->lock,
+	 * schedule l2cap_chan_timeout to close the channel; it already
+	 * acquires conn->lock -> chan->lock in the correct order.
 	 */
 	while ((sk = bt_accept_dequeue(parent, NULL))) {
 		struct l2cap_chan *chan;
@@ -1518,14 +1522,12 @@ static void l2cap_sock_cleanup_listen(st
 		       state_to_string(chan->state));
 
 		l2cap_chan_lock(chan);
-		__clear_chan_timer(chan);
-		l2cap_chan_close(chan, ECONNRESET);
-		/* l2cap_conn_del() may already have killed this socket
-		 * (it sets SOCK_DEAD); skip the duplicate to avoid a
-		 * double sock_put()/l2cap_chan_put().
+		/* Since we cannot call l2cap_chan_close() without
+		 * conn->lock, schedule its timer to trigger the close
+		 * and cleanup of this channel.
 		 */
-		if (!sock_flag(sk, SOCK_DEAD))
-			l2cap_sock_kill(sk);
+		if (chan->conn)
+			__set_chan_timer(chan, 0);
 		l2cap_chan_unlock(chan);
 
 		l2cap_chan_put(chan);
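Review bot: the `if (chan->conn)` test has no else branch and the in-code comment does not say why. With `l2cap_sock_kill(sk)` removed, a dequeued socket whose chan has no conn is simply dropped here, which is correct only because l2cap_conn_del() already tore it down, as the commit message explains. Put that sentence in the comment. The new comment also repeats the one added above the loop almost word for word; keeping the rationale in one place would be enough.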



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 012/378] tee: fix tee_ioctl_object_invoke_arg padding
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 011/378] soc: qcom: ice: Return -ENODEV if the ICE platform device is not found Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 013/378] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() Greg Kroah-Hartman
                   ` (366 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Jens Wiklander,
	Harshal Dev, Sumit Garg, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit c15d7a2a11ea055bcecc0b538ae8ba79475637f9 ]

The tee_ioctl_object_invoke_arg structure has padding on some
architectures but not on x86-32 and a few others:

include/linux/tee.h:474:32: error: padding struct to align 'params' [-Werror=padded]

I expect that all current users of this are on architectures that do
have implicit padding here (arm64, arm, x86, riscv), so make the padding
explicit in order to avoid surprises if this later gets used elsewhere.

Fixes: d5b8b0fa1775 ("tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Harshal Dev <harshal.dev@oss.qualcomm.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/tee.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
index cab5cadca8ef99..5203977ed35d1d 100644
--- a/include/uapi/linux/tee.h
+++ b/include/uapi/linux/tee.h
@@ -470,6 +470,7 @@ struct tee_ioctl_object_invoke_arg {
 	__u32 op;
 	__u32 ret;
 	__u32 num_params;
+	__u32 :32;
 	/* num_params tells the actual number of element in params */
 	struct tee_ioctl_param params[];
 };
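Review bot: the new `__u32 :32;` member has no comment, and an unnamed bitfield in a UAPI struct cannot be set or read by name. Add a note that it is explicit padding to align `params`, and say whether the kernel ignores its contents, since userspace that does not zero the whole struct will pass whatever was there.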
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 096/522] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 095/522] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 097/522] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
                   ` (426 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 upstream.

__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()
before scheduling the delayed work.  The normal path in
l2cap_chan_timeout() drops this reference with l2cap_chan_put() at the
end, but the early return when chan->conn is NULL skips the put,
leaking the reference.

Add the missing l2cap_chan_put() before the early return.

Fixes: adf0398cee86 ("Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_core.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -435,8 +435,10 @@ static void l2cap_chan_timeout(struct wo
 
 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
 
-	if (!conn)
+	if (!conn) {
+		l2cap_chan_put(chan);
 		return;
+	}
 
 	mutex_lock(&conn->chan_lock);
 	/* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
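Review bot: the `!conn` branch now duplicates the `l2cap_chan_put(chan)` that the normal path does at the end of the function. A single exit label that performs the put, reached by `goto` from the early return, would keep the two paths from drifting apart again. The comment in the trailing context that explains the hold taken by __set_chan_timer() would also read better above the new put, since that is the first place the reference is dropped.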



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 013/378] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 012/378] tee: fix tee_ioctl_object_invoke_arg padding Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 014/378] s390/bug: Always emit format word in __BUG_ENTRY Greg Kroah-Hartman
                   ` (365 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Robertus Diawan Chris,
	Amirreza Zarrabi, Jens Wiklander, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robertus Diawan Chris <robertusdchris@gmail.com>

[ Upstream commit 471c18323dfdfe7844e193b896a9267ae23a1026 ]

qcomtee_object_user_init() is a variadic function and when the function
returns because there's no dispatch callback in QCOMTEE_OBJECT_TYPE_CB
case, there's no va_end to clean up "ap" object initialized by va_start
and that can cause undefined behavior. So make sure to use va_end before
returning the error code when there's no dispatch callback.

This is reported by Coverity Scan as "Missing varargs init or cleanup".

Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com>
Reviewed-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tee/qcomtee/core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c
index b1cb50e434f00a..60fe3b5776e36d 100644
--- a/drivers/tee/qcomtee/core.c
+++ b/drivers/tee/qcomtee/core.c
@@ -306,8 +306,10 @@ int qcomtee_object_user_init(struct qcomtee_object *object,
 		break;
 	case QCOMTEE_OBJECT_TYPE_CB:
 		object->ops = ops;
-		if (!object->ops->dispatch)
-			return -EINVAL;
+		if (!object->ops->dispatch) {
+			ret = -EINVAL;
+			break;
+		}
 
 		/* If failed, "no-name". */
 		object->name = kvasprintf_const(GFP_KERNEL, fmt, ap);
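Review bot: in the QCOMTEE_OBJECT_TYPE_CB case `object->ops = ops` is assigned before the dispatch check, so on the -EINVAL path the object keeps an ops pointer that was just rejected. Test `ops->dispatch` first and assign only on success. The fix also depends on the code after the switch calling va_end() and returning `ret`; neither is visible in this hunk, so check both.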
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 097/522] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 096/522] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 098/522] Bluetooth: ISO: fix UAF in iso_recv_frame Greg Kroah-Hartman
                   ` (425 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream.

hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.

hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in an
out-of-bounds read of skb data. The OOB bytes may be interpreted as
phantom key presses or spurious mouse movement.

Replace the open-coded length tracking and pointer arithmetic with
skb_pull_data() calls. skb_pull_data() returns NULL if the requested
bytes are not present, eliminating the need for a manual size variable
and the separate skb->len guard.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hidp/core.c |   23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid
 {
 	struct input_dev *dev = session->input;
 	unsigned char *keys = session->keys;
-	unsigned char *udata = skb->data + 1;
-	signed char *sdata = skb->data + 1;
-	int i, size = skb->len - 1;
+	unsigned char *udata;
+	signed char *sdata;
+	u8 *hdr;
+	int i;
+
+	hdr = skb_pull_data(skb, 1);
+	if (!hdr)
+		return;
 
-	switch (skb->data[0]) {
+	switch (*hdr) {
 	case 0x01:	/* Keyboard report */
+		udata = skb_pull_data(skb, 8);
+		if (!udata)
+			break;
+
 		for (i = 0; i < 8; i++)
 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
 
@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid
 		break;
 
 	case 0x02:	/* Mouse report */
+		sdata = skb_pull_data(skb, 3);
+		if (!sdata)
+			break;
+
 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid
 		input_report_rel(dev, REL_X, sdata[1]);
 		input_report_rel(dev, REL_Y, sdata[2]);
 
-		if (size > 3)
+		if (skb->len > 0)
 			input_report_rel(dev, REL_WHEEL, sdata[3]);
 		break;
 	}
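Review bot: in the mouse case the wheel byte is still read as `sdata[3]`, one past the three bytes skb_pull_data() returned. It is in bounds only because of the `skb->len > 0` test and because the data is contiguous. Pulling it the same way as the rest, with a fourth `skb_pull_data(skb, 1)` and a NULL check, would make every read in this function go through the one checked helper and drop the last piece of manual indexing.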



^ permalink raw reply	[flat|nested] 906+ messages in thread
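The bounded-pull parsing the commit message above describes, as a stand-alone user-space sketch added here; it is not the kernel function. `struct buf`, `pull()` and `parse_report()` are hypothetical names, `pull()` models only the behaviour the message attributes to skb_pull_data() (return NULL when the requested bytes are absent), and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for an skb: a cursor over the received bytes. */
struct buf { const unsigned char *data; size_t len; };

/* Hand back a pointer to the next n bytes and advance past them,
 * or return NULL (consuming nothing) if fewer than n bytes remain. */
static const unsigned char *pull(struct buf *b, size_t n)
{
	const unsigned char *p = b->data;

	if (b->len < n)
		return NULL;
	b->data += n;
	b->len -= n;
	return p;
}

enum kind { REPORT_NONE, REPORT_KEYBOARD, REPORT_MOUSE };

struct report {
	enum kind kind;
	unsigned char modifiers;     /* keyboard: first payload byte */
	int left, right, middle;     /* mouse buttons */
	int dx, dy;                  /* mouse relative motion */
	int has_wheel, wheel;        /* optional trailing wheel byte */
};

/* Parse one report. A truncated packet yields REPORT_NONE instead of
 * values read from whatever happens to follow the buffer. */
static struct report parse_report(const unsigned char *pkt, size_t len)
{
	struct buf b = { pkt, len };
	struct report r = { REPORT_NONE, 0, 0, 0, 0, 0, 0, 0, 0 };
	const unsigned char *hdr, *p;

	hdr = pull(&b, 1);
	if (!hdr)
		return r;

	switch (*hdr) {
	case 0x01:	/* Keyboard report: 8 payload bytes required */
		p = pull(&b, 8);
		if (!p)
			break;
		r.kind = REPORT_KEYBOARD;
		r.modifiers = p[0];
		break;
	case 0x02:	/* Mouse report: 3 payload bytes required */
		p = pull(&b, 3);
		if (!p)
			break;
		r.kind = REPORT_MOUSE;
		r.left = !!(p[0] & 0x01);
		r.right = !!(p[0] & 0x02);
		r.middle = !!(p[0] & 0x04);
		r.dx = (signed char)p[1];
		r.dy = (signed char)p[2];
		p = pull(&b, 1);	/* wheel byte, only if present */
		if (p) {
			r.has_wheel = 1;
			r.wheel = (signed char)*p;
		}
		break;
	}
	return r;
}

/* Constructed sample packets. */
static const unsigned char PKT_MOUSE_WHEEL[] = { 0x02, 0x05, 0xFE, 0x03, 0xFF };
static const unsigned char PKT_MOUSE_PLAIN[] = { 0x02, 0x02, 0x01, 0x01 };
static const unsigned char PKT_MOUSE_SHORT[] = { 0x02, 0x01 };
static const unsigned char PKT_KBD_SHORT[]   = { 0x01, 0x02, 0x00 };

int main(void)
{
	struct report r = parse_report(PKT_MOUSE_WHEEL, sizeof(PKT_MOUSE_WHEEL));

	printf("full mouse: kind=%d dx=%d dy=%d wheel=%d\n",
	       r.kind, r.dx, r.dy, r.wheel);
	r = parse_report(PKT_MOUSE_SHORT, sizeof(PKT_MOUSE_SHORT));
	printf("truncated mouse: kind=%d\n", r.kind);
	return 0;
}
```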

* [PATCH 7.0 014/378] s390/bug: Always emit format word in __BUG_ENTRY
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 013/378] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 015/378] ARM: dts: gemini: Fix partition offsets Greg Kroah-Hartman
                   ` (364 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jan Polensky, Heiko Carstens,
	Alexander Gordeev, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Polensky <japo@linux.ibm.com>

[ Upstream commit 3daad7f60aa92d0307fa2b2edd38c886a09902f2 ]

When CONFIG_DEBUG_BUGVERBOSE is disabled, the s390 __BUG_ENTRY() macro
omits the format string pointer, so the generated __bug_table entry no
longer matches struct bug_entry.

With HAVE_ARCH_BUG_FORMAT enabled, the generic BUG infrastructure reads
bug_entry::format via bug_get_format(). If the format word is missing,
subsequent fields are read from the wrong offset, which may:
- Misinterpret flags (BUG vs WARN classification errors)
- Fault when dereferencing a misread format pointer

The root cause is that __BUG_ENTRY() delegates format word emission to
__BUG_ENTRY_VERBOSE(), which is conditional on CONFIG_DEBUG_BUGVERBOSE.

Fix this by moving the format field emission directly into __BUG_ENTRY()
so it is always emitted unconditionally. Remove the format parameter from
__BUG_ENTRY_VERBOSE() and keep only file/line emission conditional on
CONFIG_DEBUG_BUGVERBOSE.

Fixes: 2b71b8ab9718 ("s390/bug: Use BUG_FORMAT for DEBUG_BUGVERBOSE_DETAILED")
Signed-off-by: Jan Polensky <japo@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/include/asm/bug.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/s390/include/asm/bug.h b/arch/s390/include/asm/bug.h
index 59017fd3d9358d..50a270edb02035 100644
--- a/arch/s390/include/asm/bug.h
+++ b/arch/s390/include/asm/bug.h
@@ -12,12 +12,11 @@
 #if defined(CONFIG_BUG) && defined(CONFIG_CC_HAS_ASM_IMMEDIATE_STRINGS)
 
 #ifdef CONFIG_DEBUG_BUGVERBOSE
-#define __BUG_ENTRY_VERBOSE(format, file, line)				\
-	"	.long	" format " - .	# bug_entry::format\n"		\
+#define __BUG_ENTRY_VERBOSE(file, line)					\
 	"	.long	" file " - .	# bug_entry::file\n"		\
 	"	.short	" line "	# bug_entry::line\n"
 #else
-#define __BUG_ENTRY_VERBOSE(format, file, line)
+#define __BUG_ENTRY_VERBOSE(file, line)
 #endif
 
 #ifdef CONFIG_DEBUG_BUGVERBOSE_DETAILED
@@ -28,9 +27,10 @@
 
 #define __BUG_ENTRY(format, file, line, flags, size)			\
 		"	.section __bug_table,\"aw\"\n"			\
-		"1:	.long	0b - .	# bug_entry::bug_addr\n"	\
-		__BUG_ENTRY_VERBOSE(format, file, line)			\
-		"	.short	"flags"	# bug_entry::flags\n"		\
+		"1:	.long	0b - .		# bug_entry::bug_addr\n"\
+		"	.long	" format " - .	# bug_entry::format\n"	\
+		__BUG_ENTRY_VERBOSE(file, line)				\
+		"	.short	"flags"		# bug_entry::flags\n"	\
 		"	.org	1b+"size"\n"				\
 		"	.previous"
 
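Review bot: In `__BUG_ENTRY()` the emitted fields are now bug_addr, format, the optional file/line, then flags, and nothing in the macro says that this order must mirror `struct bug_entry` under both settings of CONFIG_DEBUG_BUGVERBOSE. Because the `.org 1b+"size"` line pads each entry up to a caller-supplied size, a missing field like the one fixed here assembles without any diagnostic; a comment above the macro naming the struct layout it depends on would make the next change safer. The re-tabbing of the otherwise unchanged `bug_addr` and `flags` lines also makes the functional change harder to spot in a stable backport.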
-- 
2.53.0





* [PATCH 6.1 098/522] Bluetooth: ISO: fix UAF in iso_recv_frame
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 097/522] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 099/522] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Greg Kroah-Hartman
                   ` (424 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 47f23a259517abbdb8032c057a1e8a6bf3734878 upstream.

iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().

Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -445,7 +445,7 @@ static void iso_recv_frame(struct iso_co
 	struct sock *sk;
 
 	iso_conn_lock(conn);
-	sk = conn->sk;
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (!sk)
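Review bot: `iso_sock_hold(conn)` is called here but this patch does not add it (all 7 insertions in the diffstat are visible in these two hunks and none is a helper definition), so the 6.1 tree has to carry it already; worth confirming that dependency before this is queued. A short note at the call site that the helper can return NULL would also help, since the `if (!sk)` check below now relies on that.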
@@ -454,11 +454,15 @@ static void iso_recv_frame(struct iso_co
 	BT_DBG("sk %p len %d", sk, skb->len);
 
 	if (sk->sk_state != BT_CONNECTED)
-		goto drop;
+		goto drop_put;
 
-	if (!sock_queue_rcv_skb(sk, skb))
+	if (!sock_queue_rcv_skb(sk, skb)) {
+		sock_put(sk);
 		return;
+	}
 
+drop_put:
+	sock_put(sk);
 drop:
 	kfree_skb(skb);
 }
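Review bot: `sock_put(sk)` now appears twice, once inside the new braces on the `sock_queue_rcv_skb()` success path and once under `drop_put:`, which makes it easy for a later exit path to miss the put. Consider a single release point, for example recording the queue result, calling `sock_put(sk)` once, and then returning or falling through to `drop:` based on that result.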




* [PATCH 7.0 015/378] ARM: dts: gemini: Fix partition offsets
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 014/378] s390/bug: Always emit format word in __BUG_ENTRY Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 016/378] erofs: fix use-after-free on sbi->sync_decompress Greg Kroah-Hartman
                   ` (363 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linus Walleij, Arnd Bergmann,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linusw@kernel.org>

[ Upstream commit 66ac2df408ede627aaae588d4ce7e611dd25b4f9 ]

These FIS partition offsets were never right: the comment clearly
states the FIS index is at 0xfe0000 and 0x7f * 0x200000 is
0xfe0000.

Tested on the iTian SQ201.

Fixes: d88b11ef91b1 ("ARM: dts: Fix up SQ201 flash access")
Fixes: b5a923f8c739 ("ARM: dts: gemini: Switch to redboot partition parsing")
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/gemini/gemini-sl93512r.dts | 2 +-
 arch/arm/boot/dts/gemini/gemini-sq201.dts    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/boot/dts/gemini/gemini-sl93512r.dts b/arch/arm/boot/dts/gemini/gemini-sl93512r.dts
index 4992ec276de92e..341dec9b636a8b 100644
--- a/arch/arm/boot/dts/gemini/gemini-sl93512r.dts
+++ b/arch/arm/boot/dts/gemini/gemini-sl93512r.dts
@@ -146,7 +146,7 @@ flash@30000000 {
 			partitions {
 				compatible = "redboot-fis";
 				/* Eraseblock at 0xfe0000 */
-				fis-index-block = <0x1fc>;
+				fis-index-block = <0x7f>;
 			};
 		};
 
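Review bot: The in-tree comment `/* Eraseblock at 0xfe0000 */` next to `fis-index-block = <0x7f>` only adds up for 0x20000-byte eraseblocks (0x7f * 0x20000 = 0xfe0000), while the commit message writes the multiplier as 0x200000. Stating the eraseblock size in the comment would let a reader check the index without looking elsewhere, and the changelog arithmetic is worth correcting upstream. The same applies to the identical hunk in gemini-sq201.dts.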
diff --git a/arch/arm/boot/dts/gemini/gemini-sq201.dts b/arch/arm/boot/dts/gemini/gemini-sq201.dts
index f8c6f6e5cdea6a..bfd1e8581ad67c 100644
--- a/arch/arm/boot/dts/gemini/gemini-sq201.dts
+++ b/arch/arm/boot/dts/gemini/gemini-sq201.dts
@@ -134,7 +134,7 @@ flash@30000000 {
 			partitions {
 				compatible = "redboot-fis";
 				/* Eraseblock at 0xfe0000 */
-				fis-index-block = <0x1fc>;
+				fis-index-block = <0x7f>;
 			};
 		};
 
-- 
2.53.0





* [PATCH 6.1 099/522] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 098/522] Bluetooth: ISO: fix UAF in iso_recv_frame Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 100/522] parport: Fix race between port and client registration Greg Kroah-Hartman
                   ` (423 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 4b5f8e608749b7e8fa386c6e4301cf9272595859 upstream.

iso_sock_close() calls iso_sock_clear_timer() before acquiring
lock_sock(sk).

iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the
socket lock held:

    if (!iso_pi(sk)->conn)
        return;
    cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);

Concurrently, iso_conn_del() executes under lock_sock(sk) and calls
iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in
the final reference to the connection being dropped:

    CPU0                         CPU1
    ----                         ----
    iso_sock_clear_timer()
      if (conn != NULL) ...      lock_sock(sk)
                                   iso_chan_del()
                                   iso_pi(sk)->conn = NULL
      cancel_delayed_work(conn)  /* NULL deref or UAF */

iso_pi(sk)->conn is not stable across the unlock window, causing a
NULL pointer dereference or use-after-free.

Serialize iso_sock_clear_timer() with the socket lock by moving it
inside lock_sock()/release_sock(), matching the pattern used in
iso_conn_del() and all other call sites.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -666,8 +666,8 @@ static void __iso_sock_close(struct sock
 /* Must be called on unlocked socket. */
 static void iso_sock_close(struct sock *sk)
 {
-	iso_sock_clear_timer(sk);
 	lock_sock(sk);
+	iso_sock_clear_timer(sk);
 	__iso_sock_close(sk);
 	release_sock(sk);
 	iso_sock_kill(sk);
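Review bot: With `iso_sock_clear_timer(sk)` now called after `lock_sock(sk)`, nothing in this hunk documents that `iso_sock_clear_timer()` expects the socket lock; the only comment, `/* Must be called on unlocked socket. */`, describes `iso_sock_close()` itself. Per the commit message the helper uses `cancel_delayed_work()`, which does not wait for a running work item, so calling it with the lock held is safe; a short comment or a lockdep assertion inside `iso_sock_clear_timer()` would keep that requirement from being lost if the cancel is ever made synchronous.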




* [PATCH 7.0 016/378] erofs: fix use-after-free on sbi->sync_decompress
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 015/378] ARM: dts: gemini: Fix partition offsets Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 017/378] wifi: iwlwifi: mvm: dont support the reset handshake for old firmwares Greg Kroah-Hartman
                   ` (362 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+52bae5c495dbe261a0bc, Chao Yu,
	Jianan Huang, Gao Xiang, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gao Xiang <hsiangkao@linux.alibaba.com>

[ Upstream commit 1aee05e814d292064bf5fa15733741040cdc48ba ]

z_erofs_decompress_kickoff() can race with filesystem unmount, causing
a use-after-free on sbi->sync_decompress.

When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff()
to queue z_erofs_decompressqueue_work() asynchronously. Then, after all
folios are unlocked, the unmount workflow can proceed and sbi will be freed
before the access to sbi->sync_decompress.

Thread (unmount)        I/O completion        kworker
                        queue_work
                                              z_erofs_decompressqueue_work
                                               (all folios are unlocked)
cleanup_mnt
 ..
 erofs_kill_sb
  erofs_sb_free
   kfree(sbi)
                        access sbi->sync_decompress  // UAF!!

Fixes: 40452ffca3c1 ("erofs: add sysfs node to control sync decompression strategy")
Reported-by: syzbot+52bae5c495dbe261a0bc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=52bae5c495dbe261a0bc
Reviewed-by: Chao Yu <chao@kernel.org>
Reviewed-by: Jianan Huang <jnhuang95@gmail.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/erofs/zdata.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index d7445e98312d80..50a5a1568370b0 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1457,6 +1457,9 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io,
 	if (atomic_add_return(bios, &io->pending_bios))
 		return;
 	if (z_erofs_in_atomic()) {
+		/* See `sync_decompress` in sysfs-fs-erofs for more details */
+		if (sbi->sync_decompress == EROFS_SYNC_DECOMPRESS_AUTO)
+			sbi->sync_decompress = EROFS_SYNC_DECOMPRESS_FORCE_ON;
 #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD
 		struct kthread_worker *worker;
 
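Review bot: The moved `sbi->sync_decompress` check now sits ahead of `struct kthread_worker *worker;` inside the `if (z_erofs_in_atomic())` block, so with CONFIG_EROFS_FS_PCPU_KTHREAD enabled a declaration follows statements. Kernel style keeps declarations at the top of the block; hoist the `worker` declaration above the new lines, or restructure so the declaration stays first, and build-test with that option enabled.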
@@ -1473,9 +1476,6 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io,
 #else
 		queue_work(z_erofs_workqueue, &io->u.work);
 #endif
-		/* See `sync_decompress` in sysfs-fs-erofs for more details */
-		if (sbi->sync_decompress == EROFS_SYNC_DECOMPRESS_AUTO)
-			sbi->sync_decompress = EROFS_SYNC_DECOMPRESS_FORCE_ON;
 		return;
 	}
 	gfp_flag = memalloc_noio_save();
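Review bot: After this removal nothing at the `queue_work(z_erofs_workqueue, &io->u.work)` site records that `sbi` must not be dereferenced once the work is queued, which is the whole constraint behind the fix. A one-line comment before the `return;` stating that unmount may free the superblock info after this point would stop the access from drifting back.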
-- 
2.53.0





* [PATCH 6.1 100/522] parport: Fix race between port and client registration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 099/522] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 101/522] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
                   ` (422 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ben Hutchings,
	Sudip Mukherjee

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <benh@debian.org>

commit ef15ccbb3e8640a723c42ad90eaf81d66ae02017 upstream.

The parport subsystem registers port devices before they are fully
initialised, resulting in a race condition where client drivers such
as lp can attach to ports that are not completely initialised or even
being torn down.

When the port and client drivers are built as modules and loaded
around the same time during boot, this occasionally results in a
crash.  I was able to make this happen reliably in a VM with a
PC-style parallel port by patching parport_pc to fail probing:

> --- a/drivers/parport/parport_pc.c
> +++ b/drivers/parport/parport_pc.c
> @@ -2069,7 +2069,7 @@ static struct parport *__parport_pc_probe_port(unsigned long int base,
>  	if (!p)
>  		goto out3;
>
> -	base_res = request_region(base, 3, p->name);
> +	base_res = NULL;
>  	if (!base_res)
>  		goto out4;
>

and then running:

    while true; do
        modprobe lp & modprobe parport_pc
        wait
        rmmod lp parport_pc
    done

for a few seconds.

In the long term I think port registration should be changed to put
the call to device_add() inside parport_announce_port(), but since the
latter currently cannot fail this will require changing all port
drivers.

For now, add a flag to indicate whether a port has been "announced"
and only try to attach client drivers to ports when the flag is set.

Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
Closes: https://bugs.debian.org/1130365
Closes: https://lore.kernel.org/all/6ba903ad-9897-42bb-8c2d-337385cc3746@molgen.mpg.de/
Cc: stable <stable@kernel.org>
Signed-off-by: Ben Hutchings <benh@debian.org>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: https://patch.msgid.link/afo6uBv68GDevbMD@decadent.org.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parport/share.c |   11 +++++++++--
 include/linux/parport.h |    1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/parport/share.c
+++ b/drivers/parport/share.c
@@ -223,10 +223,14 @@ static void get_lowlevel_driver(void)
 static int port_check(struct device *dev, void *dev_drv)
 {
 	struct parport_driver *drv = dev_drv;
+	struct parport *port;
 
 	/* only send ports, do not send other devices connected to bus */
-	if (is_parport(dev))
-		drv->match_port(to_parport_dev(dev));
+	if (is_parport(dev)) {
+		port = to_parport_dev(dev);
+		if (test_bit(PARPORT_ANNOUNCED, &port->devflags))
+			drv->match_port(port);
+	}
 	return 0;
 }
 
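Review bot: In `port_check()`, `test_bit(PARPORT_ANNOUNCED, &port->devflags)` is followed by `drv->match_port(port)` with no lock visible in this hunk, while the matching `set_bit()` and `clear_bit()` in the later hunks run under `registration_lock`. If `port_check()` can run without that mutex, a port can be removed between the test and the `match_port()` call; please confirm the caller holds `registration_lock` and say so in a comment here. The `port` local could also be declared inside the `if` block where it is used.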
@@ -553,6 +557,7 @@ void parport_announce_port(struct parpor
 		if (slave)
 			attach_driver_chain(slave);
 	}
+	set_bit(PARPORT_ANNOUNCED, &port->devflags);
 	mutex_unlock(&registration_lock);
 }
 EXPORT_SYMBOL(parport_announce_port);
@@ -582,6 +587,8 @@ void parport_remove_port(struct parport
 
 	mutex_lock(&registration_lock);
 
+	clear_bit(PARPORT_ANNOUNCED, &port->devflags);
+
 	/* Spread the word. */
 	detach_driver_chain(port);
 
--- a/include/linux/parport.h
+++ b/include/linux/parport.h
@@ -245,6 +245,7 @@ struct parport {
 
 	unsigned long devflags;
 #define PARPORT_DEVPROC_REGISTERED	0
+#define PARPORT_ANNOUNCED		1
 	struct pardevice *proc_device;	/* Currently register proc device */
 
 	struct list_head full_list;
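Review bot: `PARPORT_ANNOUNCED` is added as bit 1 of `devflags` without any comment, next to `PARPORT_DEVPROC_REGISTERED`, so the header does not say what "announced" means or who sets it. A short comment that the bit is set by `parport_announce_port()`, cleared by `parport_remove_port()`, and gates client attachment in `port_check()` would document the contract for port drivers.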




* [PATCH 7.0 017/378] wifi: iwlwifi: mvm: dont support the reset handshake for old firmwares
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 016/378] erofs: fix use-after-free on sbi->sync_decompress Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 018/378] ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers Greg Kroah-Hartman
                   ` (361 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Emmanuel Grumbach, Johannes Berg,
	Miri Korenblit, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

[ Upstream commit 0eaa1f245ac03ed0c6394159360532726f666811 ]

-77.ucode doesn't contain the fixes for this flow it seems.
Don't use the firmware reset handshake even if the firmware claims
support for it.

Fixes: 906d4eb84408 ("iwlwifi: support firmware reset handshake")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220600
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260529085453.9307b81d9b02.I21bba9e649f4cd0e35d3ea6cd97a03258be5832f@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
index ae177477b20127..384bed95835d74 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
@@ -1416,6 +1416,12 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_rf_cfg *cfg,
 		fw_has_capa(&mvm->fw->ucode_capa,
 			    IWL_UCODE_TLV_CAPA_FW_RESET_HANDSHAKE);
 
+	/* Those firmware versions claim to support the fw_reset_handshake
+	 * but they are buggy.
+	 */
+	if (IWL_UCODE_MAJOR(mvm->fw->ucode_ver) <= 77)
+		trans->conf.fw_reset_handshake = false;
+
 	trans->conf.queue_alloc_cmd_ver =
 		iwl_fw_lookup_cmd_ver(mvm->fw,
 				      WIDE_ID(DATA_PATH_GROUP,
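Review bot: The cutoff in `if (IWL_UCODE_MAJOR(mvm->fw->ucode_ver) <= 77)` is a bare number, and the comment above it says only "Those firmware versions" without naming them. Put the version in the comment or behind a named constant, and state whether every major below 77 is known to be affected or is included as a precaution, since the changelog speaks only about -77.ucode.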
-- 
2.53.0





* [PATCH 6.1 101/522] USB: cdc-acm: Fix bit overlap and move quirk definitions to header
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 100/522] parport: Fix race between port and client registration Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 102/522] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
                   ` (421 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wentao Guan

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Guan <guanwentao@uniontech.com>

commit 5eb070769ea5e18405535609d1d3f6886f3755bd upstream.

The VENDOR_CLASS_DATA_IFACE and ALWAYS_POLL_CTRL quirk flags added in
commit f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10
INGENIC touchscreen") were placed inside the acm_ctrl_msg() function
rather than in the header with the other quirk flags.  Then, their
values (BIT(9) and BIT(10)) collided with NO_UNION_12 which is already
BIT(9).

Move the definitions to drivers/usb/class/cdc-acm.h where they belong
and shift them to BIT(10) and BIT(11) to avoid the overlap.

Fixes: f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen")
Cc: stable <stable@kernel.org>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://patch.msgid.link/20260522091357.1301196-1-guanwentao@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-acm.c |    2 --
 drivers/usb/class/cdc-acm.h |    2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -113,8 +113,6 @@ static int acm_ctrl_msg(struct acm *acm,
 	int retval;
 
 	retval = usb_autopm_get_interface(acm->control);
-#define VENDOR_CLASS_DATA_IFACE		BIT(9)  /* data interface uses vendor-specific class */
-#define ALWAYS_POLL_CTRL		BIT(10) /* keep ctrl URB active even without an open TTY */
 	if (retval)
 		return retval;
 
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -115,3 +115,5 @@ struct acm {
 #define DISABLE_ECHO			BIT(7)
 #define MISSING_CAP_BRK			BIT(8)
 #define NO_UNION_12			BIT(9)
+#define VENDOR_CLASS_DATA_IFACE		BIT(10)  /* data interface uses vendor-specific class */
+#define ALWAYS_POLL_CTRL		BIT(11) /* keep ctrl URB active even without an open TTY */
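Review bot: In the lines shown, nothing near the quirk list in cdc-acm.h says that each flag needs its own bit, which is how `VENDOR_CLASS_DATA_IFACE` came to share `BIT(9)` with `NO_UNION_12`; a one-line comment above the defines would help the next addition. As a nit, `BIT(10)  /*` has two spaces before the comment where `BIT(11) /*` has one.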




* [PATCH 7.0 018/378] ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 017/378] wifi: iwlwifi: mvm: dont support the reset handshake for old firmwares Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 019/378] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
                   ` (360 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
	Steve French, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gil Portnoy <dddhkts1@gmail.com>

[ Upstream commit b003086d76968298f22e7cf62239833b5a3a06b1 ]

smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn
into a local with neither READ_ONCE() nor a NULL check.  Both run from
oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a
concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL
under ci->m_lock within that window.  ksmbd_conn_r_count_inc(conn) then
writes through NULL at offset 0xc4 -- a remotely triggerable oops.

Guard both reads the way compare_guid_key() already does: read
opinfo->conn with READ_ONCE() and return early if it is NULL, before
allocating the work struct so nothing leaks.  A NULL conn means the
client is gone and the break is moot, so return 0; oplock_break() treats
that as success and runs the normal teardown.

Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Assisted-by: Henry (Claude):claude-opus-4
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/smb/server/oplock.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index f5ec1283b16edf..d09fa50ba03a29 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -714,11 +714,16 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
  */
 static int smb2_oplock_break_noti(struct oplock_info *opinfo)
 {
-	struct ksmbd_conn *conn = opinfo->conn;
+	struct ksmbd_conn *conn;
 	struct oplock_break_info *br_info;
 	int ret = 0;
-	struct ksmbd_work *work = ksmbd_alloc_work_struct();
+	struct ksmbd_work *work;
+
+	conn = READ_ONCE(opinfo->conn);
+	if (!conn)
+		return 0;
 
+	work = ksmbd_alloc_work_struct();
 	if (!work)
 		return -ENOMEM;
 
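Review bot: In `smb2_oplock_break_noti()`, `READ_ONCE(opinfo->conn)` plus the NULL check closes the NULL dereference, but no reference on `conn` is taken in this hunk between the check and its later use. If the concurrent logoff described in the changelog can also lead to the connection being freed, the pointer can go stale right after the check; please confirm what keeps `conn` alive here, or take a reference at the point where it is read.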
@@ -818,11 +823,15 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
  */
 static int smb2_lease_break_noti(struct oplock_info *opinfo)
 {
-	struct ksmbd_conn *conn = opinfo->conn;
+	struct ksmbd_conn *conn;
 	struct ksmbd_work *work;
 	struct lease_break_info *br_info;
 	struct lease *lease = opinfo->o_lease;
 
+	conn = READ_ONCE(opinfo->conn);
+	if (!conn)
+		return 0;
+
 	work = ksmbd_alloc_work_struct();
 	if (!work)
 		return -ENOMEM;
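Review bot: `smb2_lease_break_noti()` now returns 0 both when the break was queued and when `conn` was NULL and nothing was sent, and the kernel-doc block ending just above the function is not updated to say so. Document the early return there, and likewise for `smb2_oplock_break_noti()`, so callers know that 0 does not imply a notification went out.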
-- 
2.53.0





* [PATCH 6.1 102/522] wireguard: send: append trailer after expanding head
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 101/522] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 103/522] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
                   ` (420 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason A. Donenfeld, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 upstream.

With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been expanded yet to cover that. Instead, add the
padding at the end of the process rather than at the beginning.

Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireguard/send.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buf
 	trailer_len = padding_len + noise_encrypted_len(0);
 	plaintext_len = skb->len + padding_len;
 
-	/* Expand data section to have room for padding and auth tag. */
-	num_frags = skb_cow_data(skb, trailer_len, &trailer);
-	if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
-		return false;
-
-	/* Set the padding to zeros, and make sure it and the auth tag are part
-	 * of the skb.
-	 */
-	memset(skb_tail_pointer(trailer), 0, padding_len);
-
 	/* Expand head section to have room for our header and the network
 	 * stack's headers.
 	 */
@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buf
 		     skb_checksum_help(skb)))
 		return false;
 
+	/* Expand data section to have room for padding and auth tag. */
+	num_frags = skb_cow_data(skb, trailer_len, &trailer);
+	if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+		return false;
+
+	/* Set the padding to zeros, and make sure it and the auth tag are part
+	 * of the skb.
+	 */
+	memset(skb_tail_pointer(trailer), 0, padding_len);
+
 	/* Only after checksumming can we safely add on the padding at the end
 	 * and the header.
 	 */
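Review bot: The relocated `skb_cow_data()` and `memset()` block keeps its old comments, which describe what it does but not why it has to follow the head expansion. Add a sentence to the `/* Expand data section ... */` comment saying that the zeroed padding lies beyond `skb->len` and would not survive a reallocation triggered by expanding the head, so the ordering is not undone by a later cleanup.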




* [PATCH 7.0 019/378] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 018/378] ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 020/378] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
                   ` (359 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
	Florian Westphal, Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fernando Fernandez Mancera <fmancera@suse.de>

[ Upstream commit c6c5327dd18bec1e1bbf139b2cf5ae53608a9d30 ]

With PREEMPT_RCU this triggers a splat because smp_processor_id() can be
preempted while inside a RCU critical section. If xt_NFQUEUE target is
invoked via nft_compat_eval() path, we are inside a RCU critical
section.

Just use the raw version instead.

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/xt_NFQUEUE.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 466da23e36ff47..b32d153e3a1862 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -91,7 +91,7 @@ nfqueue_tg_v3(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if (info->queues_total > 1) {
 		if (info->flags & NFQ_FLAG_CPU_FANOUT) {
-			int cpu = smp_processor_id();
+			int cpu = raw_smp_processor_id();
 
 			queue = info->queuenum + cpu % info->queues_total;
 		} else {
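Review bot: Switching to `raw_smp_processor_id()` in the `NFQ_FLAG_CPU_FANOUT` branch drops the preemption debug check without a comment saying why a possibly stale CPU number is acceptable here. A one-line comment that `cpu` only feeds `info->queuenum + cpu % info->queues_total` to spread load, so migration after the read is harmless, would justify the raw variant for future readers.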
-- 
2.53.0





* [PATCH 6.1 103/522] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 102/522] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 104/522] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
                   ` (419 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christofer Jonason, Andy Shevchenko,
	Nuno Sá, Salih Erim, Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christofer Jonason <christofer.jonason@guidelinegeo.com>

commit 852534744c2d35626a604f128ff0b8ec12805591 upstream.

xadc_postdisable() unconditionally sets the sequencer to continuous
mode. For dual external multiplexer configurations this is incorrect:
simultaneous sampling mode is required so that ADC-A samples through
the mux on VAUX[0-7] while ADC-B simultaneously samples through the
mux on VAUX[8-15]. In continuous mode only ADC-A is active, so
VAUX[8-15] channels return incorrect data.

Since postdisable is also called from xadc_probe() to set the initial
idle state, the wrong sequencer mode is active from the moment the
driver loads.

The preenable path already uses xadc_get_seq_mode() which returns
SIMULTANEOUS for dual mux. Fix postdisable to do the same.

Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Christofer Jonason <christofer.jonason@guidelinegeo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Salih Erim <salih.erim@amd.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/xilinx-xadc-core.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/xilinx-xadc-core.c
+++ b/drivers/iio/adc/xilinx-xadc-core.c
@@ -821,6 +821,7 @@ static int xadc_postdisable(struct iio_d
 {
 	struct xadc *xadc = iio_priv(indio_dev);
 	unsigned long scan_mask;
+	int seq_mode;
 	int ret;
 	int i;
 
@@ -828,6 +829,12 @@ static int xadc_postdisable(struct iio_d
 	for (i = 0; i < indio_dev->num_channels; i++)
 		scan_mask |= BIT(indio_dev->channels[i].scan_index);
 
+	/*
+	 * Use the correct sequencer mode for the idle state: simultaneous
+	 * mode for dual external mux configurations, continuous otherwise.
+	 */
+	seq_mode = xadc_get_seq_mode(xadc, scan_mask);
+
 	/* Enable all channels and calibration */
 	ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(0), scan_mask & 0xffff);
 	if (ret)
@@ -838,11 +845,11 @@ static int xadc_postdisable(struct iio_d
 		return ret;
 
 	ret = xadc_update_adc_reg(xadc, XADC_REG_CONF1, XADC_CONF1_SEQ_MASK,
-		XADC_CONF1_SEQ_CONTINUOUS);
+				  seq_mode);
 	if (ret)
 		return ret;
 
-	return xadc_power_adc_b(xadc, XADC_CONF1_SEQ_CONTINUOUS);
+	return xadc_power_adc_b(xadc, seq_mode);
 }
 
 static int xadc_preenable(struct iio_dev *indio_dev)
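Review bot: xadc_power_adc_b() at the end of xadc_postdisable() now receives whatever xadc_get_seq_mode() returned instead of the fixed XADC_CONF1_SEQ_CONTINUOUS, and how it treats the simultaneous value is not visible in this diff. Please confirm that in the 6.1 tree it leaves ADC-B powered for that mode, so the CONF1 sequencer bits and the ADC-B power state agree for dual-mux setups.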




* [PATCH 7.0 020/378] ipvs: clear the svc scheduler ptr early on edit
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 019/378] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 021/378] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
                   ` (358 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Julian Anastasov, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Anastasov <ja@ssi.bg>

[ Upstream commit 193989cc6d80dd8e0460fb3992e69fa03bf0ff9b ]

ip_vs_edit_service() while unbinding the old scheduler clears
the svc->scheduler ptr after the scheduler module initiates
RCU callbacks. This can cause packets to use the old
scheduler at the time when svc->sched_data is already freed
after RCU grace period.

Fix it by clearing the ptr early in ip_vs_unbind_scheduler(),
before the done_service method schedules any RCU callbacks.

Also, if the new scheduler fails to initialize when replacing
the old scheduler, try to restore the old scheduler while still
returning the error code.

Link: https://sashiko.dev/#/patchset/20260519015506.634185-1-rosenp%40gmail.com
Fixes: 05f00505a89a ("ipvs: fix crash if scheduler is changed")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/ip_vs.h              |  3 +--
 net/netfilter/ipvs/ip_vs_ctl.c   | 13 ++++++++-----
 net/netfilter/ipvs/ip_vs_sched.c | 14 +++++++-------
 3 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 29a36709e7f35c..2163f32ef6abc1 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -1519,8 +1519,7 @@ int register_ip_vs_scheduler(struct ip_vs_scheduler *scheduler);
 int unregister_ip_vs_scheduler(struct ip_vs_scheduler *scheduler);
 int ip_vs_bind_scheduler(struct ip_vs_service *svc,
 			 struct ip_vs_scheduler *scheduler);
-void ip_vs_unbind_scheduler(struct ip_vs_service *svc,
-			    struct ip_vs_scheduler *sched);
+void ip_vs_unbind_scheduler(struct ip_vs_service *svc);
 struct ip_vs_scheduler *ip_vs_scheduler_get(const char *sched_name);
 void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler);
 struct ip_vs_conn *
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 2aaf50f52c8e8e..ff55ff6b8a4cba 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1496,7 +1496,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
 	if (ret_hooks >= 0)
 		ip_vs_unregister_hooks(ipvs, u->af);
 	if (svc != NULL) {
-		ip_vs_unbind_scheduler(svc, sched);
+		ip_vs_unbind_scheduler(svc);
 		ip_vs_service_free(svc);
 	}
 	ip_vs_scheduler_put(sched);
@@ -1558,9 +1558,8 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
 	old_sched = rcu_dereference_protected(svc->scheduler, 1);
 	if (sched != old_sched) {
 		if (old_sched) {
-			ip_vs_unbind_scheduler(svc, old_sched);
-			RCU_INIT_POINTER(svc->scheduler, NULL);
-			/* Wait all svc->sched_data users */
+			ip_vs_unbind_scheduler(svc);
+			/* Wait all svc->scheduler/sched_data users */
 			synchronize_rcu();
 		}
 		/* Bind the new scheduler */
@@ -1568,6 +1567,10 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
 			ret = ip_vs_bind_scheduler(svc, sched);
 			if (ret) {
 				ip_vs_scheduler_put(sched);
+				/* Try to restore the old_sched */
+				if (old_sched &&
+				    !ip_vs_bind_scheduler(svc, old_sched))
+					old_sched = NULL;
 				goto out;
 			}
 		}
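Review bot: the restore path in ip_vs_edit_service() uses old_sched as a flag without saying so. Setting "old_sched = NULL" after a successful re-bind presumably keeps the code after the out label from dropping the old scheduler's reference, but nothing in the hunk states that. Add a short comment, and say what state the service is left in when the re-bind also fails, since the original error is returned in both cases.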
@@ -1624,7 +1627,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
 
 	/* Unbind scheduler */
 	old_sched = rcu_dereference_protected(svc->scheduler, 1);
-	ip_vs_unbind_scheduler(svc, old_sched);
+	ip_vs_unbind_scheduler(svc);
 	ip_vs_scheduler_put(old_sched);
 
 	/* Unbind persistence engine, keep svc->pe */
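Review bot: in __ip_vs_del_service() the order of the first two statements is now load-bearing and is not documented. ip_vs_unbind_scheduler(svc) clears svc->scheduler itself, so old_sched has to be read before the call; read afterwards it would be NULL and the reference on the old scheduler would never be dropped by ip_vs_scheduler_put(). A comment on the rcu_dereference_protected() line saying it must stay ahead of the unbind would guard against reordering.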
diff --git a/net/netfilter/ipvs/ip_vs_sched.c b/net/netfilter/ipvs/ip_vs_sched.c
index c6e421c4e29913..24adc38942a0d1 100644
--- a/net/netfilter/ipvs/ip_vs_sched.c
+++ b/net/netfilter/ipvs/ip_vs_sched.c
@@ -56,19 +56,19 @@ int ip_vs_bind_scheduler(struct ip_vs_service *svc,
 /*
  *  Unbind a service with its scheduler
  */
-void ip_vs_unbind_scheduler(struct ip_vs_service *svc,
-			    struct ip_vs_scheduler *sched)
+void ip_vs_unbind_scheduler(struct ip_vs_service *svc)
 {
-	struct ip_vs_scheduler *cur_sched;
+	struct ip_vs_scheduler *sched;
 
-	cur_sched = rcu_dereference_protected(svc->scheduler, 1);
-	/* This check proves that old 'sched' was installed */
-	if (!cur_sched)
+	sched = rcu_dereference_protected(svc->scheduler, 1);
+	if (!sched)
 		return;
 
+	/* Reset the scheduler before initiating any RCU callbacks */
+	rcu_assign_pointer(svc->scheduler, NULL);
+	smp_wmb();	/* paired with smp_rmb() in ip_vs_schedule() */
 	if (sched->done_service)
 		sched->done_service(svc);
-	/* svc->scheduler can be set to NULL only by caller */
 }
 
 
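Review bot: the smp_wmb() added in ip_vs_unbind_scheduler() is commented as paired with an smp_rmb() in ip_vs_schedule(), but this patch touches no reader. Please confirm the reader-side barrier is already present in the 7.0 tree; if it is not, the pairing comment is misleading and the backport needs the change that adds it.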
-- 
2.53.0





* [PATCH 6.1 104/522] iio: dac: max5821: fix return value check in powerdown sync
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 103/522] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 105/522] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
                   ` (418 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Salah Triki, Andy Shevchenko, Stable,
	Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit d0a228d903425e653f18a4341e60c0538afb6d41 upstream.

The function max5821_sync_powerdown_mode() returned the result of
i2c_master_send() directly. If a partial transfer occurred, it would
be incorrectly treated as a success by the caller.

While the caller currently handles the positive return value of 2 as
success, this patch refactors the function to return 0 on full success
and -EIO on short writes. This ensures robust error handling for
incomplete transfers and improves code maintainability by using
sizeof(outbuf).

Fixes: 472988972737 ("iio: add support of the max5821")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/max5821.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/iio/dac/max5821.c
+++ b/drivers/iio/dac/max5821.c
@@ -91,6 +91,7 @@ static int max5821_sync_powerdown_mode(s
 				       const struct iio_chan_spec *chan)
 {
 	u8 outbuf[2];
+	int ret;
 
 	outbuf[0] = MAX5821_EXTENDED_COMMAND_MODE;
 
@@ -104,7 +105,13 @@ static int max5821_sync_powerdown_mode(s
 	else
 		outbuf[1] |= MAX5821_EXTENDED_POWER_UP;
 
-	return i2c_master_send(data->client, outbuf, 2);
+	ret = i2c_master_send(data->client, outbuf, sizeof(outbuf));
+	if (ret < 0)
+		return ret;
+	if (ret != sizeof(outbuf))
+		return -EIO;
+
+	return 0;
 }
 
 static ssize_t max5821_write_dac_powerdown(struct iio_dev *indio_dev,
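Review bot: max5821_sync_powerdown_mode() now returns 0 on success instead of the byte count, but no caller is updated in this patch. The commit message says the caller treats the positive value 2 as success; please check that max5821_write_dac_powerdown() tests for a negative return rather than comparing against 2, otherwise successful writes would be reported as failures after this change.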




* [PATCH 7.0 021/378] netfilter: synproxy: add mutex to guard hook reference counting
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 020/378] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 022/378] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
                   ` (357 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
	Florian Westphal, Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fernando Fernandez Mancera <fmancera@suse.de>

[ Upstream commit 2fcba19caaeb2a33017459d3430f057967bb91b6 ]

As the synproxy infrastructure registers netfilter hooks on-demand when a
user adds the first iptables target or nftables expression, if done
concurrently they can race each other.

Introduce a mutex to serialize the refcount control blocks access from
both frontends. While a per namespace mutex might be more efficient, it
is not needed for target/expression like SYNPROXY.

Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_synproxy_core.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 036c8586f49b75..ed00114f65f392 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_synproxy.h>
 
+static DEFINE_MUTEX(synproxy_mutex);
+
 unsigned int synproxy_net_id;
 EXPORT_SYMBOL_GPL(synproxy_net_id);
 
@@ -769,26 +771,31 @@ static const struct nf_hook_ops ipv4_synproxy_ops[] = {
 
 int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net)
 {
-	int err;
+	int err = 0;
 
+	mutex_lock(&synproxy_mutex);
 	if (snet->hook_ref4 == 0) {
 		err = nf_register_net_hooks(net, ipv4_synproxy_ops,
 					    ARRAY_SIZE(ipv4_synproxy_ops));
 		if (err)
-			return err;
+			goto out;
 	}
 
 	snet->hook_ref4++;
-	return 0;
+out:
+	mutex_unlock(&synproxy_mutex);
+	return err;
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv4_init);
 
 void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net)
 {
+	mutex_lock(&synproxy_mutex);
 	snet->hook_ref4--;
 	if (snet->hook_ref4 == 0)
 		nf_unregister_net_hooks(net, ipv4_synproxy_ops,
 					ARRAY_SIZE(ipv4_synproxy_ops));
+	mutex_unlock(&synproxy_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv4_fini);
 
@@ -1193,27 +1200,32 @@ static const struct nf_hook_ops ipv6_synproxy_ops[] = {
 int
 nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net)
 {
-	int err;
+	int err = 0;
 
+	mutex_lock(&synproxy_mutex);
 	if (snet->hook_ref6 == 0) {
 		err = nf_register_net_hooks(net, ipv6_synproxy_ops,
 					    ARRAY_SIZE(ipv6_synproxy_ops));
 		if (err)
-			return err;
+			goto out;
 	}
 
 	snet->hook_ref6++;
-	return 0;
+out:
+	mutex_unlock(&synproxy_mutex);
+	return err;
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_init);
 
 void
 nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net)
 {
+	mutex_lock(&synproxy_mutex);
 	snet->hook_ref6--;
 	if (snet->hook_ref6 == 0)
 		nf_unregister_net_hooks(net, ipv6_synproxy_ops,
 					ARRAY_SIZE(ipv6_synproxy_ops));
+	mutex_unlock(&synproxy_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_fini);
 #endif /* CONFIG_IPV6 */
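Review bot: nf_synproxy_ipv6_fini() decrements snet->hook_ref6 with no check that the count is non-zero, and the same holds for hook_ref4 in the IPv4 hunk above. Now that init and fini are serialized by synproxy_mutex, a WARN_ON_ONCE on a zero count before the decrement is cheap and would catch an unbalanced fini, which would otherwise take the counter past zero and skip the "== 0" unregister.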
-- 
2.53.0





* [PATCH 6.1 105/522] iio: dac: ad5686: fix input raw value check
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 104/522] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 106/522] iio: dac: ad5686: acquire lock when doing powerdown control Greg Kroah-Hartman
                   ` (417 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
	Stable, Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit d01220ee5e43c65a206df827b39bf5cf5f7b9dce upstream.

Fix range check for input raw value, which is off by one, i.e., for a
10-bit DAC the max valid value is 1023, but 1 << 10 equals 1024, which
passes the previous check, allowing an out-of-range write. The issue
exists since the ad5686 driver was first introduced.

Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -154,7 +154,7 @@ static int ad5686_write_raw(struct iio_d
 
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
-		if (val > (1 << chan->scan_type.realbits) || val < 0)
+		if (val >= (1 << chan->scan_type.realbits) || val < 0)
 			return -EINVAL;
 
 		mutex_lock(&st->lock);
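Review bot: the bound in the IIO_CHAN_INFO_RAW case is correct with ">=", but the expression still leaves the valid range implicit, which is how the off-by-one went unnoticed. A comment stating that raw values run from 0 to (1 << realbits) - 1 would make the intent checkable at a glance.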




* [PATCH 7.0 022/378] netfilter: conntrack_irc: fix possible out-of-bounds read
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 021/378] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 023/378] netfilter: nft_ct: bail out on template ct in get eval Greg Kroah-Hartman
                   ` (356 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal,
	Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 66eba0ffce3b7e11449946b4cbbef8ea36112f56 ]

When parsing fails after we've matched the command string we
should bail out instead of trying to match a different command.

This helper should be deprecated, given prevalence of TLS I doubt it has
any relevance in 2026.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Closes: https://sashiko.dev/#/patchset/20260525182924.28456-1-fw%40strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_irc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index b8e6d724acd155..064df01953ebf7 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -209,7 +209,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 			if (parse_dcc(data, data_limit, &dcc_ip,
 				       &dcc_port, &addr_beg_p, &addr_end_p)) {
 				pr_debug("unable to parse dcc command\n");
-				continue;
+				goto out;
 			}
 
 			pr_debug("DCC bound ip/port: %pI4:%u\n",
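Review bot: the parse_dcc() failure branch in help() now jumps to out instead of continuing the loop, and the out label is not part of the visible context. Please confirm that out performs the cleanup the normal loop exit does, and that the return value on this path is the one intended for a packet whose DCC command failed to parse. The same applies to the forged-command branch in the next hunk.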
@@ -223,7 +223,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 				net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
 						     &tuple->src.u3.ip,
 						     &dcc_ip, dcc_port);
-				continue;
+				goto out;
 			}
 
 			exp = nf_ct_expect_alloc(ct);
-- 
2.53.0





* [PATCH 6.1 106/522] iio: dac: ad5686: acquire lock when doing powerdown control
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 105/522] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 107/522] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
                   ` (416 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rodrigo Alencar, Stable,
	Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit 5237c3175cae5ab05f18878cec3301a04403859e upstream.

Protect access of pwr_down_mode and pwr_down_mask fields with existing
mutex lock. Each channel exposes their own attributes for controlling
powerdown modes and powerdown state. This fixes potential race conditions
as the write functions perform non-atomic read-modify-write
operations to those pwr_down_* fields. This issue exists since the ad5686
driver was first introduced.

Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -30,6 +30,8 @@ static int ad5686_get_powerdown_mode(str
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1;
 }
 
@@ -39,6 +41,8 @@ static int ad5686_set_powerdown_mode(str
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	st->pwr_down_mode &= ~(0x3 << (chan->channel * 2));
 	st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2));
 
@@ -57,6 +61,8 @@ static ssize_t ad5686_read_dac_powerdown
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask &
 				       (0x3 << (chan->channel * 2))));
 }
@@ -77,6 +83,8 @@ static ssize_t ad5686_write_dac_powerdow
 	if (ret)
 		return ret;
 
+	guard(mutex)(&st->lock);
+
 	if (readin)
 		st->pwr_down_mask |= (0x3 << (chan->channel * 2));
 	else
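Review bot: guard(mutex) is used in ad5686_write_dac_powerdown() and in the three hunks above, but the patch adds no #include; the 8 inserted lines are the guard statements and their blank lines. For the 6.1 backport, confirm that guard() is available through the headers ad5686.c already includes. In this function the guard is taken after the input parse and stays held until return, so any code below the visible context that takes st->lock again would deadlock.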




* [PATCH 7.0 023/378] netfilter: nft_ct: bail out on template ct in get eval
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 022/378] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 024/378] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
                   ` (355 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal, Jiayuan Chen,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 3027ecbdb5fdf9200251c21d4818e4c447ef78e1 ]

I noticed this issue while looking at a historic syzbot report [1].

A rule like the one below is enough to trigger the bug:

    table ip t {
        chain pre {
            type filter hook prerouting priority raw;
            ct zone set 1
            ct original saddr 1.2.3.4 accept
        }
    }

The first expression attaches a per-cpu template ct via
nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all
zero, nf_ct_l3num(ct) == 0). The next expression then calls
nft_ct_get_eval() on the same skb, treats the template as a real ct
and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this
overflows past struct nft_regs on the kernel stack; with smaller
dreg values it silently clobbers adjacent registers.

Reject template ct at the eval entry and in nft_ct_get_fast_eval(),
mirroring the check nft_ct_set_eval() already has. Additionally,
bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len
instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple
before pkt_to_tuple() fills in only the protocol-relevant leading
bytes, so the trailing bytes of tuple->{src,dst}.u3.all are
well-defined zero. priv->len is validated at rule load, so the
copy size is now bounded by the destination register rather than
by an untrusted field on the conntrack.

[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c

Fixes: 45d9bcda21f4 ("netfilter: nf_tables: validate len in nft_validate_data_load()")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_ct.c      | 8 +++-----
 net/netfilter/nft_ct_fast.c | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 272ce181180777..92b673f4582a2d 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -78,7 +78,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 		break;
 	}
 
-	if (ct == NULL)
+	if (!ct || nf_ct_is_template(ct))
 		goto err;
 
 	switch (priv->key) {
@@ -180,12 +180,10 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 	tuple = &ct->tuplehash[priv->dir].tuple;
 	switch (priv->key) {
 	case NFT_CT_SRC:
-		memcpy(dest, tuple->src.u3.all,
-		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+		memcpy(dest, tuple->src.u3.all, priv->len);
 		return;
 	case NFT_CT_DST:
-		memcpy(dest, tuple->dst.u3.all,
-		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
+		memcpy(dest, tuple->dst.u3.all, priv->len);
 		return;
 	case NFT_CT_PROTO_SRC:
 		nft_reg_store16(dest, (__force u16)tuple->src.u.all);
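Review bot: with the copy size in the NFT_CT_SRC and NFT_CT_DST cases now taken from priv->len, the read side of each memcpy() is bounded only by the rule-load validation the commit message refers to, which is not in this diff. A comment naming where priv->len is limited to the size of tuple->src.u3.all, or a min() against sizeof(tuple->src.u3.all), would keep the source bound explicit next to the copy.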
diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
index e684c8a9184877..ecf7b3a404be26 100644
--- a/net/netfilter/nft_ct_fast.c
+++ b/net/netfilter/nft_ct_fast.c
@@ -30,7 +30,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
 		break;
 	}
 
-	if (!ct) {
+	if (!ct || nf_ct_is_template(ct)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
-- 
2.53.0





* [PATCH 6.1 107/522] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 106/522] iio: dac: ad5686: acquire lock when doing powerdown control Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 108/522] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
                   ` (415 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Salah Triki, Joshua Crofts,
	Maxwell Doose, Nuno Sá, Stable, Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit 422b5bbf333f75fb486855ad0eedc23cf21f3277 upstream.

The driver proceeds to the reception phase even if the preceding
transmission fails.

This uses a goto error label for an early bail out and ensures the mutex is
properly unlocked in case of failure.

Fixes: ffd8a6e7a778 ("iio: adc: Add viperboard adc driver")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/viperboard_adc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/viperboard_adc.c
+++ b/drivers/iio/adc/viperboard_adc.c
@@ -70,8 +70,10 @@ static int vprbrd_iio_read_raw(struct ii
 			VPRBRD_USB_TYPE_OUT, 0x0000, 0x0000, admsg,
 			sizeof(struct vprbrd_adc_msg), VPRBRD_USB_TIMEOUT_MS);
 		if (ret != sizeof(struct vprbrd_adc_msg)) {
-			dev_err(&iio_dev->dev, "usb send error on adc read\n");
+			mutex_unlock(&vb->lock);
 			error = -EREMOTEIO;
+			dev_err(&iio_dev->dev, "usb send error on adc read\n");
+			goto error;
 		}
 
 		ret = usb_control_msg(vb->usb_dev,
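Review bot: the send-failure branch in vprbrd_iio_read_raw() now calls mutex_unlock(&vb->lock) and then jumps to the error label, which lies outside the visible context. Confirm that the label does not unlock vb->lock a second time. The variable and the label are both named error ("error = -EREMOTEIO;" followed by "goto error;"), which is legal C but easy to misread.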




* [PATCH 7.0 024/378] netfilter: bridge: make ebt_snat ARP rewrite writable
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 023/378] netfilter: nft_ct: bail out on template ct in get eval Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 025/378] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
                   ` (354 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yiming Qian <yimingqian591@gmail.com>

[ Upstream commit 67ba971ae02514d85818fe0c32549ab4bfa3bf49 ]

The ebtables SNAT target keeps the Ethernet source address rewrite
behind skb_ensure_writable(skb, 0).  This is intentional: at the bridge
ebtables hooks the Ethernet header is addressed through
skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet
payload.  Asking skb_ensure_writable() for ETH_HLEN bytes would check
the payload, not the Ethernet header, and would reintroduce the small
packet regression fixed by commit 63137bc5882a.

However, the optional ARP sender hardware address rewrite is different.
It writes through skb_store_bits() at an offset relative to skb->data:

        skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)

skb_header_pointer() only safely reads the ARP header; it does not make
the later sender hardware address range writable.  If that range is
still held in a nonlinear skb fragment backed by a splice-imported file
page, skb_store_bits() maps the frag page and copies the new MAC address
directly into it.

Ensure the ARP SHA range is writable before reading the ARP header and
before calling skb_store_bits().

Fixes: 63137bc5882a ("netfilter: ebtables: Fixes dropping of small packets in bridge nat")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebt_snat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 7dfbcdfc30e5d2..c9e229af0366b8 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -31,6 +31,9 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 		const struct arphdr *ap;
 		struct arphdr _ah;
 
+		if (skb_ensure_writable(skb, sizeof(_ah) + ETH_ALEN))
+			return EBT_DROP;
+
 		ap = skb_header_pointer(skb, 0, sizeof(_ah), &_ah);
 		if (ap == NULL)
 			return EBT_DROP;
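Review bot: the new skb_ensure_writable() call in ebt_snat_tg() has no comment explaining its length or its position. It asks for sizeof(_ah) + ETH_ALEN, the ARP header plus the sender hardware address that skb_store_bits() later overwrites, and it sits before skb_header_pointer() because making the skb writable can move the data that ap may point into. One line saying so would stop the check from being moved below the header read.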
-- 
2.53.0





* [PATCH 6.1 108/522] iio: gyro: itg3200: fix i2c read into the wrong stack location
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 107/522] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 109/522] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
                   ` (414 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
	Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae upstream.

itg3200_read_all_channels() takes `__be16 *buf' as a parameter and
fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the
parameter (a pointer), `&buf' is the address of the local pointer
slot on the stack of itg3200_read_all_channels(), not the address
of the caller's scan buffer. The (char *) cast hides the type
mismatch.

i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16)
= 8 bytes into the parameter's stack slot, which is discarded when
the function returns. The caller's scan buffer in
itg3200_trigger_handler() is never written to, so
iio_push_to_buffers_with_timestamp() pushes uninitialised stack
contents to userspace via /dev/iio:deviceX every scan -- both a
functional bug (no actual gyroscope or temperature data is
delivered through the triggered buffer) and an information leak.

The non-buffered read_raw() path is unaffected: it goes through
itg3200_read_reg_s16() which uses `&out' on a local s16 value,
where that is correct.

Drop the spurious `&' so the i2c read writes into the caller's
buffer.

Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/itg3200_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -34,7 +34,7 @@ static int itg3200_read_all_channels(str
 			.addr = i2c->addr,
 			.flags = i2c->flags | I2C_M_RD,
 			.len = ITG3200_SCAN_ELEMENTS * sizeof(s16),
-			.buf = (char *)&buf,
+			.buf = (char *)buf,
 		},
 	};
 
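
Review bot: in the i2c_msg initialiser, .len is still spelled ITG3200_SCAN_ELEMENTS * sizeof(s16) while the destination is now the caller's __be16 buffer, and nothing in the function states how large that buffer must be. Writing the length as ITG3200_SCAN_ELEMENTS * sizeof(*buf) and adding a short comment on the required size of buf would tie the transfer length to the buffer type. The (char *) cast that hid the original mismatch remains, so a kernel-doc line on the parameter is the cheapest guard against the same mistake returning.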



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 025/378] dm cache policy smq: check allocation under invalidate lock
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 024/378] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 026/378] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
                   ` (353 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Mikulas Patocka,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

[ Upstream commit d3f0a606b9f278ece8a0df626ded9c4044071235 ]

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in
invalidating cache blocks") added mq->lock around the destructive part of
smq_invalidate_mapping(), but left the e->allocated check outside the
critical section.

That leaves a check-then-act race. Two concurrent invalidators can both
observe e->allocated as true before either of them takes mq->lock. The
first invalidator that acquires the lock removes the entry from the
queues and hash table and then calls free_entry(), which clears
e->allocated and puts the entry back on the free list. The second
invalidator can then acquire mq->lock and continue with the stale result
of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that
is no longer on those structures. It can also hit the allocation check in
free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the
destructive operations are serialized by the same lock.

Fixes: 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-cache-policy-smq.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/md/dm-cache-policy-smq.c b/drivers/md/dm-cache-policy-smq.c
index dd77a93fd68d2d..1ae304c2f5737c 100644
--- a/drivers/md/dm-cache-policy-smq.c
+++ b/drivers/md/dm-cache-policy-smq.c
@@ -1590,18 +1590,22 @@ static int smq_invalidate_mapping(struct dm_cache_policy *p, dm_cblock_t cblock)
 	struct smq_policy *mq = to_smq_policy(p);
 	struct entry *e = get_entry(&mq->cache_alloc, from_cblock(cblock));
 	unsigned long flags;
-
-	if (!e->allocated)
-		return -ENODATA;
+	int r = 0;
 
 	spin_lock_irqsave(&mq->lock, flags);
+	if (!e->allocated) {
+		r = -ENODATA;
+		goto out;
+	}
 	// FIXME: what if this block has pending background work?
 	del_queue(mq, e);
 	h_remove(&mq->table, e);
 	free_entry(&mq->cache_alloc, e);
+
+out:
 	spin_unlock_irqrestore(&mq->lock, flags);
 
-	return 0;
+	return r;
 }
 
 static uint32_t smq_get_hint(struct dm_cache_policy *p, dm_cblock_t cblock)
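
Review bot: nothing at the relocated "if (!e->allocated)" check records that e->allocated may only be tested with mq->lock held, which is the rule this hunk establishes. A short comment at the check would stop it being hoisted back out of the critical section in a later cleanup. The existing FIXME about pending background work now sits directly between the check and del_queue(); it is unchanged here but deserves its own follow-up.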
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 109/522] iio: ssp_sensors: cancel delayed work_refresh on remove
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 108/522] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 110/522] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
                   ` (413 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanjay Chitroda, Stable,
	Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanjay Chitroda <sanjayembeddedse@gmail.com>

commit eedf7602fbd929e97e0c480da501dc7a34beb2a8 upstream.

The work_refresh may still be pending or running when the device is
removed; cancel the delayed work_refresh in the remove path.

Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/common/ssp_sensors/ssp_dev.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/common/ssp_sensors/ssp_dev.c
+++ b/drivers/iio/common/ssp_sensors/ssp_dev.c
@@ -590,6 +590,7 @@ static void ssp_remove(struct spi_device
 	ssp_clean_pending_list(data);
 
 	free_irq(data->spi->irq, data);
+	cancel_delayed_work_sync(&data->work_refresh);
 
 	del_timer_sync(&data->wdt_timer);
 	cancel_work_sync(&data->work_wdt);
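
Review bot: the added cancel_delayed_work_sync(&data->work_refresh) runs before del_timer_sync(&data->wdt_timer) and cancel_work_sync(&data->work_wdt), so if the watchdog timer or its work item can queue work_refresh, the delayed work could be re-armed after this cancel. Please confirm nothing on the watchdog path schedules work_refresh, or move the cancel below those two calls.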



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 026/378] net/sched: act_api: use RCU with deferred freeing for action lifecycle
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 025/378] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 027/378] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
                   ` (352 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Kyle Zeng,
	Victor Nogueira, syzbot, Jamal Hadi Salim, Pedro Tammela,
	Eric Dumazet, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit 5057e1aca011e51ef51498c940ef96f3d3e8a305 ]

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
race with an associated action.

Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

 0: mutex_lock() <-- holds the idr lock
 0: rcu_read_lock()
 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
 0: mutex_unlock() <-- releases the idr lock
 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
 1: idr_remove(idr, index) <-- Action removed from IDR
 1: mutex_unlock() <-- mutex released allowing us to delete the action
 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by
adding struct rcu_head to tc_action used in the deferral and introducing a
call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

 0: rcu_read_lock()
 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
 1: idr_remove(idr, index)
 1: mutex_unlock()
 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
 0: p = idr_find(idr, index)
 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
 1: rcu_read_unlock() <-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR.
CPU0's subsequent idr_find() will return NULL, and even if it still held a
stale pointer, the immediate kfree() is now deferred until after the RCU grace
period, so no UAF can occur.

Fixes: d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: syzbot@syzkaller.appspotmail.com
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260531160812.68020-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/act_api.h | 1 +
 net/sched/act_api.c   | 7 +------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/include/net/act_api.h b/include/net/act_api.h
index d11b791079302f..fd2967ee08f7a6 100644
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -45,6 +45,7 @@ struct tc_action {
 	struct tc_cookie	__rcu *user_cookie;
 	struct tcf_chain	__rcu *goto_chain;
 	u32			tcfa_flags;
+	struct rcu_head         tcfa_rcu;
 	u8			hw_stats;
 	u8			used_hw_stats;
 	bool			used_hw_stats_valid;
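
Review bot: the new tcfa_rcu member is aligned with spaces where the neighbouring members use tabs, and its position after the u32 tcfa_flags leaves a padding hole on 64-bit builds, because struct rcu_head is pointer-aligned while the u8 and bool members that used to follow tcfa_flags no longer pack next to it. Placing tcfa_rcu ahead of tcfa_flags, next to the other pointer-sized members, and using tabs would avoid both.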
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 332fd9695e54a1..04ea11c90e0330 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -112,11 +112,6 @@ struct tcf_chain *tcf_action_set_ctrlact(struct tc_action *a, int action,
 }
 EXPORT_SYMBOL(tcf_action_set_ctrlact);
 
-/* XXX: For standalone actions, we don't need a RCU grace period either, because
- * actions are always connected to filters and filters are already destroyed in
- * RCU callbacks, so after a RCU grace period actions are already disconnected
- * from filters. Readers later can not find us.
- */
 static void free_tcf(struct tc_action *p)
 {
 	struct tcf_chain *chain = rcu_dereference_protected(p->goto_chain, 1);
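
Review bot: the comment removed above free_tcf() is not replaced, so nothing at the function now says why the free has to wait for a grace period. A short replacement stating that a lookup under rcu_read_lock() can still hold the pointer after the action has left the IDR would document the reason for the reversal described in the commit message.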
@@ -129,7 +124,7 @@ static void free_tcf(struct tc_action *p)
 	if (chain)
 		tcf_chain_put_by_act(chain);
 
-	kfree(p);
+	kfree_rcu(p, tcfa_rcu);
 }
 
 static void offload_action_hw_count_set(struct tc_action *act,
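
Review bot: kfree_rcu() at the end of free_tcf() defers only the final free; the teardown above it, including tcf_chain_put_by_act(chain), still runs before the grace period. A reader that found p under rcu_read_lock() can therefore observe a partly torn-down action, so it is worth a comment that such readers may touch nothing but tcfa_refcnt until refcount_inc_not_zero() succeeds. The commit message also illustrates the fix with call_rcu() and tcf_action_rcu_free, which do not appear in the diff; aligning the illustration with kfree_rcu() would avoid confusion.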
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 110/522] iio: temperature: tsys01: fix broken PROM checksum validation
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 109/522] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 111/522] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
                   ` (412 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Stable,
	Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 upstream.

The current implementation of tsys01_crc_valid() incorrectly sums the
first word (n_prom[0]) repeatedly instead of iterating over the 8 words
retrieved from the PROM. This leads to a checksum mismatch and probe
failure on hardware.

According to the TSYS01 datasheet, the PROM consists of 8 words. A valid
check must iterate through all 8 words to verify the integrity of the
calibration data. The current driver only checks the first word 8 times.

Note: This fix was identified during a code audit and is based on
datasheet specifications. It has not been tested on real hardware.

Fixes: 43e53407f680 ("Add tsys01 meas-spec driver support")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/temperature/tsys01.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/temperature/tsys01.c
+++ b/drivers/iio/temperature/tsys01.c
@@ -119,7 +119,7 @@ static bool tsys01_crc_valid(u16 *n_prom
 	u8 sum = 0;
 
 	for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
-		sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF));
+		sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF));
 
 	return (sum == 0);
 }
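
Review bot: the indexing change in the loop body alters which PROM contents pass tsys01_crc_valid(), and the commit message states it was not tested on real hardware, so a Tested-by on an actual TSYS01 would be reassuring before this reaches a stable tree. Separately, the check depends on sum being a u8 that wraps modulo 256; a one-line comment saying the truncation is intentional would help the next reader.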



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 027/378] 6lowpan: fix off-by-one in multicast context address compression
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 026/378] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 028/378] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() Greg Kroah-Hartman
                   ` (351 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
	Xuewei Feng, Qi Li, Ke Xu, Alexander Aring, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

[ Upstream commit 2a58899d11009bffc7b4b32a571858f381121837 ]

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
   field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
   is transmitted over the network via lowpan_push_hc_data(),
   leaking kernel stack contents

The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
  data[0..1] = s6_addr[1..2]  (flags/scope + RIID)
  data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against
similar bugs in the future.

Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://patch.msgid.link/20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/6lowpan/iphc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index e116d308a8df6d..37eaff3f7b6940 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -1086,12 +1086,12 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
 					      const struct lowpan_iphc_ctx *ctx,
 					      const struct in6_addr *ipaddr)
 {
-	u8 data[6];
+	u8 data[6] = {};
 
 	/* flags/scope, reserved (RIID) */
 	memcpy(data, &ipaddr->s6_addr[1], 2);
 	/* group ID */
-	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
+	memcpy(&data[2], &ipaddr->s6_addr[12], 4);
 	lowpan_push_hc_data(hc_ptr, data, 6);
 
 	return LOWPAN_IPHC_DAM_00;
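
Review bot: the lengths 2, 4 and 6 and the offsets in the two memcpy() calls are still bare literals, which is how the off-by-one went unnoticed. Passing sizeof(data) to lowpan_push_hc_data() and carrying the layout from the commit message (data[0..1] = s6_addr[1..2], data[2..5] = s6_addr[12..15]) into the comment above the copies would make a mismatch visible on reading. The zero initialiser is a reasonable backstop, but it turns a future gap into zero bytes on the wire rather than an error.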
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 111/522] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 110/522] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 112/522] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
                   ` (411 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Advait Dhamorikar, Andy Shevchenko,
	Stable, Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Advait Dhamorikar <advaitd@mechasystems.com>

commit 49f79cd28f1e3333cbe0d616ce59ead0b24bf34e upstream.

The device tree binding for st,lis2mdl does not support the
st,drdy-int-pin property. However, when no platform data is provided
and the property is absent, the driver falls back to default_magn_pdata
which hardcodes drdy_int_pin = 2. This causes
`st_sensors_set_drdy_int_pin` to fail with -EINVAL because the LIS2MDL
sensor settings have no INT2 DRDY mask defined.

Fix this by checking the sensor's INT2 DRDY mask availability at
probe time and selecting the appropriate default pin. Sensors that
do not support INT2 DRDY will default to INT1, while all others
retain the existing default of INT2.

Fixes: 38934daf7b5c ("iio: magnetometer: st_magn: Provide default platform data")
Signed-off-by: Advait Dhamorikar <advaitd@mechasystems.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/magnetometer/st_magn_core.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/iio/magnetometer/st_magn_core.c
+++ b/drivers/iio/magnetometer/st_magn_core.c
@@ -504,6 +504,11 @@ static const struct st_sensors_platform_
 	.drdy_int_pin = 2,
 };
 
+/* LIS2MDL only supports DRDY on INT1 */
+static const struct st_sensors_platform_data alt_magn_pdata = {
+	.drdy_int_pin = 1,
+};
+
 static int st_magn_read_raw(struct iio_dev *indio_dev,
 			struct iio_chan_spec const *ch, int *val,
 							int *val2, long mask)
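
Review bot: the comment above alt_magn_pdata names only LIS2MDL, but the probe hunk selects this structure for any sensor whose INT2 DRDY mask is empty. A generic comment such as "default for sensors without DRDY on INT2" and a more descriptive name than alt_magn_pdata would match how the structure is used.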
@@ -626,8 +631,12 @@ int st_magn_common_probe(struct iio_dev
 	mdata->current_fullscale = &mdata->sensor_settings->fs.fs_avl[0];
 	mdata->odr = mdata->sensor_settings->odr.odr_avl[0].hz;
 
-	if (!pdata)
-		pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+	if (!pdata) {
+		if (mdata->sensor_settings->drdy_irq.int2.mask)
+			pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+		else
+			pdata = (struct st_sensors_platform_data *)&alt_magn_pdata;
+	}
 
 	err = st_sensors_init_sensor(indio_dev, pdata);
 	if (err < 0)
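
Review bot: the new branch in st_magn_common_probe() tests only drdy_irq.int2.mask and falls back to INT1 without checking that drdy_irq.int1.mask is set, so a sensor with neither mask would still reach st_sensors_init_sensor() with a pin it cannot use. Either check int1.mask as well or note in a comment that every supported sensor defines at least one of them. The duplicated cast that drops const could also be reduced to a single assignment from a const pointer chosen with a ternary.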



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 028/378] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 027/378] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 029/378] devlink: Release nested relation on devlink free Greg Kroah-Hartman
                   ` (350 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Lee Jones, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit a213a8950414c684999dcf03edeea6c46ede172e ]

pppol2tp_ioctl() read sock->sk->sk_user_data directly without any
locks or reference counting.  If a controllable sleep was induced during
copy_from_user() (e.g. via a userfaultfd page fault sleep), a concurrent
socket close could trigger pppol2tp_session_close() asynchronously.  This
frees the l2tp_session structure via the l2tp_session_del_work workqueue.
Upon resuming, the ioctl thread dereferences the stale session pointer,
resulting in a Use-After-Free (UAF).

Fix this by securely fetching the session reference using the RCU-safe,
refcounted helper pppol2tp_sock_to_session(sk) on entry.  This locks the
session's refcount across the sleep.  We structured the function to exit
via standard err breaks, guaranteeing that l2tp_session_put() is cleanly
called on all return paths to drop the reference.

To preserve existing behavior we validate the session and its magic
signature only for the specific L2TP commands that require it.  This
ensures that generic/unknown ioctls called on an unconnected socket
still return -ENOIOCTLCMD and correctly fall back to generic handlers
(e.g. in sock_do_ioctl()).

Signed-off-by: Lee Jones <lee@kernel.org>
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Link: https://patch.msgid.link/20260527133630.2120612-1-lee@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/l2tp/l2tp_ppp.c | 82 +++++++++++++++++++++++++++------------------
 1 file changed, 50 insertions(+), 32 deletions(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index ae4543d5597b66..8ff8bf45dc2231 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1044,64 +1044,76 @@ static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
 {
 	struct pppol2tp_ioc_stats stats;
 	struct l2tp_session *session;
+	int err = 0;
+
+	session = pppol2tp_sock_to_session(sock->sk);
 
+	/* Validate session presence and magic integrity ONLY for commands
+	 * that belong to L2TP and require a valid session.
+	 */
 	switch (cmd) {
 	case PPPIOCGMRU:
 	case PPPIOCGFLAGS:
-		session = sock->sk->sk_user_data;
+	case PPPIOCSMRU:
+	case PPPIOCSFLAGS:
+	case PPPIOCGL2TPSTATS:
 		if (!session)
 			return -ENOTCONN;
 
-		if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
+		if (session->magic != L2TP_SESSION_MAGIC) {
+			l2tp_session_put(session);
 			return -EBADF;
+		}
+		break;
+	default:
+		break;
+	}
 
+	switch (cmd) {
+	case PPPIOCGMRU:
+	case PPPIOCGFLAGS:
 		/* Not defined for tunnels */
-		if (!session->session_id && !session->peer_session_id)
-			return -ENOSYS;
+		if (!session->session_id && !session->peer_session_id) {
+			err = -ENOSYS;
+			break;
+		}
 
-		if (put_user(0, (int __user *)arg))
-			return -EFAULT;
+		if (put_user(0, (int __user *)arg)) {
+			err = -EFAULT;
+			break;
+		}
 		break;
 
 	case PPPIOCSMRU:
 	case PPPIOCSFLAGS:
-		session = sock->sk->sk_user_data;
-		if (!session)
-			return -ENOTCONN;
-
-		if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
-			return -EBADF;
-
 		/* Not defined for tunnels */
-		if (!session->session_id && !session->peer_session_id)
-			return -ENOSYS;
+		if (!session->session_id && !session->peer_session_id) {
+			err = -ENOSYS;
+			break;
+		}
 
-		if (!access_ok((int __user *)arg, sizeof(int)))
-			return -EFAULT;
+		if (!access_ok((int __user *)arg, sizeof(int))) {
+			err = -EFAULT;
+			break;
+		}
 		break;
 
 	case PPPIOCGL2TPSTATS:
-		session = sock->sk->sk_user_data;
-		if (!session)
-			return -ENOTCONN;
-
-		if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
-			return -EBADF;
-
 		/* Session 0 represents the parent tunnel */
 		if (!session->session_id && !session->peer_session_id) {
 			u32 session_id;
-			int err;
 
 			if (copy_from_user(&stats, (void __user *)arg,
-					   sizeof(stats)))
-				return -EFAULT;
+					   sizeof(stats))) {
+				err = -EFAULT;
+				break;
+			}
 
 			session_id = stats.session_id;
 			err = pppol2tp_tunnel_copy_stats(&stats,
 							 session->tunnel);
 			if (err < 0)
-				return err;
+				break;
 
 			stats.session_id = session_id;
 		} else {
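
Review bot: the list of commands that need a session is now written twice, once in the validation switch and once in the handling switch, and the second switch dereferences session without its own NULL check. A command added later to the second switch but not the first would dereference a NULL session, so a single switch with a shared validation helper, or a comment tying the two lists together, would be safer. The hunk also drops WARN_ON() from the magic check, which the commit message does not mention; please say whether that is intentional.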
@@ -1111,15 +1123,21 @@ static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
 		stats.tunnel_id = session->tunnel->tunnel_id;
 		stats.using_ipsec = l2tp_tunnel_uses_xfrm(session->tunnel);
 
-		if (copy_to_user((void __user *)arg, &stats, sizeof(stats)))
-			return -EFAULT;
+		if (copy_to_user((void __user *)arg, &stats, sizeof(stats))) {
+			err = -EFAULT;
+			break;
+		}
 		break;
 
 	default:
-		return -ENOIOCTLCMD;
+		err = -ENOIOCTLCMD;
+		break;
 	}
 
-	return 0;
+	if (session)
+		l2tp_session_put(session);
+
+	return err;
 }
 
 /*****************************************************************************
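
Review bot: the final "if (session)" before l2tp_session_put() is needed only because the default path can arrive with a NULL session, which is not obvious from the exit code alone; a brief comment there would help. The copy_to_user() error branch also ends in "break;" immediately followed by the case's own "break;", a pattern repeated in the earlier cases, and a single "out:" label would express the one-exit structure more directly.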
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 112/522] iio: light: cm3323: fix reg_conf not being initialized correctly
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 111/522] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 113/522] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
                   ` (410 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Aldo Conte, Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aldo Conte <aldocontelk@gmail.com>

commit 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 upstream.

The code stores the return value of i2c_smbus_write_word_data()
in data->reg_conf; however, this value represents the result
of the write operation and not the value actually written to
the configuration register. This meant that the contents of
data->reg_conf did not truly reflect the contents
of the hardware register.

Instead, save the value of the register before the write
and use this value in the I2C write.

The bug was found by code inspection: i2c_smbus_write_word_data()
returns 0 on success, not the value written to the register.

Tested using i2c-stub on a Raspberry Pi 3B running a custom 6.19.10
kernel. Before loading the driver, the configuration register 0x00
CM3323_CMD_CONF was populated with 0x0030 using
`i2cset -y 11 0x10 0x00 0x0030 w`, encoding an integration time of 320ms
in bits[6:4].

Due to incorrect initialization of data->reg_conf in
cm3323_init(), the print of integration_time returns 0.040000
instead of the expected 0.320000. This happens because the read of the
integration_time depends on cm3323_get_it_bits() that is based on the
value of data->reg_conf, which is erroneously set to 0.

With this fix applied, data->reg_conf correctly saves 0x0030 after init
and the successive integration_time reports 0.320000 as expected.

Fixes: 8b0544263761 ("iio: light: Add support for Capella CM3323 color sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Aldo Conte <aldocontelk@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/cm3323.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/light/cm3323.c
+++ b/drivers/iio/light/cm3323.c
@@ -89,15 +89,14 @@ static int cm3323_init(struct iio_dev *i
 
 	/* enable sensor and set auto force mode */
 	ret &= ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT);
+	data->reg_conf = ret;
 
-	ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, ret);
+	ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, data->reg_conf);
 	if (ret < 0) {
 		dev_err(&data->client->dev, "Error writing reg_conf\n");
 		return ret;
 	}
 
-	data->reg_conf = ret;
-
 	return 0;
 }
 
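
Review bot: data->reg_conf is now assigned before i2c_smbus_write_word_data(), so on the "ret < 0" path the cached value describes a configuration that was never written to the device. If data can outlive a failed cm3323_init(), keep the computed value in a local, pass it to the write, and store it in data->reg_conf only after the write succeeds.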



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 029/378] devlink: Release nested relation on devlink free
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 028/378] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 030/378] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
                   ` (349 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Bloch, Jiri Pirko,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Bloch <mbloch@nvidia.com>

[ Upstream commit 3522b21fd7e1863d0734537737bd59f1b90d0190 ]

devlink relation state is normally released from devl_unregister(), which
calls devlink_rel_put(). This misses devlink instances that get a nested
relation before registration and then fail probe before devl_register() is
reached.

That flow can happen for SFs. The child devlink gets linked to its
parent before registration, then a later probe error calls devlink_free()
directly. Since the instance was never registered, devl_unregister() is not
called and devlink->rel is leaked.

Release any pending relation from devlink_free() as well. The registered
path is unchanged because devl_unregister() already clears devlink->rel
before devlink_free() runs.

Fixes: c137743bce02 ("devlink: introduce object and nested devlink relationship infra")
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20260528191411.3270532-1-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/devlink/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/devlink/core.c b/net/devlink/core.c
index d8e509a669bf6c..998ba9eae9aed6 100644
--- a/net/devlink/core.c
+++ b/net/devlink/core.c
@@ -467,6 +467,8 @@ void devlink_free(struct devlink *devlink)
 {
 	ASSERT_DEVLINK_NOT_REGISTERED(devlink);
 
+	devlink_rel_put(devlink);
+
 	WARN_ON(!list_empty(&devlink->trap_policer_list));
 	WARN_ON(!list_empty(&devlink->trap_group_list));
 	WARN_ON(!list_empty(&devlink->trap_list));
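
Review bot: the new devlink_rel_put(devlink) call in devlink_free() carries no comment saying why a function that asserts the instance is not registered still has to drop a relation. A one-line comment above it, noting that it covers an instance that was given a nested relation and then failed probe before devl_register(), would stop a later cleanup from removing it as redundant with devl_unregister(). The call is unconditional, so it also depends on devlink_rel_put() doing nothing when devlink->rel is already clear, which this hunk does not show; worth confirming.
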
-- 
2.53.0





* [PATCH 6.1 113/522] iio: buffer: hw-consumer: fix use-after-free in error path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 112/522] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 114/522] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (409 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, sashiko, Felix Gu, Andy Shevchenko,
	Nuno Sá, Maxwell Doose, Stable, Jonathan Cameron

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

commit 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 upstream.

In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
was using list_for_each_entry() to iterate through buffers while calling
iio_buffer_put() which can free the current buffer if refcount drops to 0.
The list_for_each_entry() loop macro then evaluates buf->head.next to
continue iteration, accessing the freed buffer.

Fix this by using list_for_each_entry_safe().

Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
Reported-by: sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/buffer/industrialio-hw-consumer.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/buffer/industrialio-hw-consumer.c
+++ b/drivers/iio/buffer/industrialio-hw-consumer.c
@@ -82,7 +82,7 @@ static struct hw_consumer_buffer *iio_hw
  */
 struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev)
 {
-	struct hw_consumer_buffer *buf;
+	struct hw_consumer_buffer *buf, *tmp;
 	struct iio_hw_consumer *hwc;
 	struct iio_channel *chan;
 	int ret;
@@ -113,7 +113,7 @@ struct iio_hw_consumer *iio_hw_consumer_
 	return hwc;
 
 err_put_buffers:
-	list_for_each_entry(buf, &hwc->buffers, head)
+	list_for_each_entry_safe(buf, tmp, &hwc->buffers, head)
 		iio_buffer_put(&buf->buffer);
 	iio_channel_release_all(hwc->channels);
 err_free_hwc:
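
Review bot: in the err_put_buffers loop, list_for_each_entry_safe() fixes the read of the next pointer from a freed entry, but the entries are still never unlinked from hwc->buffers, so the list head is left pointing at freed entries on the way to err_free_hwc. That is safe only as long as nothing walks hwc->buffers after the loop; either add list_del(&buf->head) before iio_buffer_put(&buf->buffer) or say in a comment why it is not needed. Any other loop that calls iio_buffer_put() while walking hwc->buffers deserves the same check.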




* [PATCH 7.0 030/378] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 029/378] devlink: Release nested relation on devlink free Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 031/378] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
                   ` (348 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yicong Hui, Laurentiu Palcu,
	Liu Ying, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yicong Hui <yiconghui@gmail.com>

[ Upstream commit ae0383e5a9a4b12d68c76c4769857def4665deff ]

Fix the following W=1 kerneldoc warnings by adding the missing parameter
descriptions for @phase0_identity and @nn_interpolation in
dcss_scaler_filter_design() and @phase0_identity in
dcss_scaler_gaussian_filter()

Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:173 function parameter 'phase0_identity' not described in 'dcss_scaler_gaussian_filter'
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:270 function parameter 'phase0_identity' not described in 'dcss_scaler_filter_design'
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:270 function parameter 'nn_interpolation' not described in 'dcss_scaler_filter_design'

Fixes: 9021c317b770 ("drm/imx: Add initial support for DCSS on iMX8MQ")
Signed-off-by: Yicong Hui <yiconghui@gmail.com>
Reviewed-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Link: https://patch.msgid.link/20260406180013.2442096-1-yiconghui@gmail.com
Signed-off-by: Liu Ying <victor.liu@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/imx/dcss/dcss-scaler.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/imx/dcss/dcss-scaler.c b/drivers/gpu/drm/imx/dcss/dcss-scaler.c
index 32c3f46b21daea..5c7f8d952ec1a1 100644
--- a/drivers/gpu/drm/imx/dcss/dcss-scaler.c
+++ b/drivers/gpu/drm/imx/dcss/dcss-scaler.c
@@ -166,6 +166,7 @@ static int exp_approx_q(int x)
  * dcss_scaler_gaussian_filter() - Generate gaussian prototype filter.
  * @fc_q: fixed-point cutoff frequency normalized to range [0, 1]
  * @use_5_taps: indicates whether to use 5 taps or 7 taps
+ * @phase0_identity: whether to override phase 0 coefficients with identity filter
  * @coef: output filter coefficients
  */
 static void dcss_scaler_gaussian_filter(int fc_q, bool use_5_taps,
@@ -262,7 +263,9 @@ static void dcss_scaler_nearest_neighbor_filter(bool use_5_taps,
  * @src_length: length of input
  * @dst_length: length of output
  * @use_5_taps: 0 for 7 taps per phase, 1 for 5 taps
+ * @phase0_identity: whether to override phase 0 coefficients with identity filter
  * @coef: output coefficients
+ * @nn_interpolation: whether to use nearest neighbor instead of gaussian filter
  */
 static void dcss_scaler_filter_design(int src_length, int dst_length,
 				      bool use_5_taps, bool phase0_identity,
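
Review bot: in the dcss_scaler_filter_design() comment, @nn_interpolation is added after @coef while @phase0_identity goes before it; the hunk cuts the prototype off after phase0_identity, so check that the @-lines follow the argument order of the prototype. A wording point as well: the existing @use_5_taps line documents a bool as "0 for 7 taps per phase, 1 for 5 taps" while the new lines say "whether to ..."; one style for all the bool parameters would read better.
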
-- 
2.53.0





* [PATCH 6.1 114/522] USB: serial: omninet: fix memory corruption with small endpoint
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 113/522] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 115/522] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
                   ` (408 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 60df93d30f9bdd27db17c4d80ed80ef718d7226b upstream.

Make sure that the bulk-out buffers are at least as large as the
hardcoded transfer size to avoid user-controlled slab corruption should
a malicious device report a smaller endpoint max packet size than
expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/omninet.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -30,6 +30,10 @@
 /* This one seems to be a re-branded ZyXEL device */
 #define BT_IGNITIONPRO_ID	0x2000
 
+#define OMNINET_HEADERLEN	4
+#define OMNINET_BULKOUTSIZE	64
+#define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
+
 /* function prototypes */
 static void omninet_process_read_urb(struct urb *urb);
 static int omninet_prepare_write_buffer(struct usb_serial_port *port,
@@ -55,6 +59,7 @@ static struct usb_serial_driver zyxel_om
 	.description =		"ZyXEL - omni.net usb",
 	.id_table =		id_table,
 	.num_bulk_out =		2,
+	.bulk_out_size =	OMNINET_BULKOUTSIZE,
 	.calc_num_ports =	omninet_calc_num_ports,
 	.port_probe =		omninet_port_probe,
 	.port_remove =		omninet_port_remove,
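
Review bot: .bulk_out_size = OMNINET_BULKOUTSIZE is the whole fix, yet nothing at the assignment says that it is a safety bound rather than a tuning value. A short comment there, stating that the write path uses a hardcoded OMNINET_BULKOUTSIZE transfer and the buffer must not shrink to a smaller max packet size reported by the device, would keep the line from being dropped later. The read side is not touched by this patch; if omninet_process_read_urb() assumes at least OMNINET_HEADERLEN bytes arrived, that deserves a separate look.
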
@@ -131,10 +136,6 @@ static void omninet_port_remove(struct u
 	kfree(od);
 }
 
-#define OMNINET_HEADERLEN	4
-#define OMNINET_BULKOUTSIZE	64
-#define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
-
 static void omninet_process_read_urb(struct urb *urb)
 {
 	struct usb_serial_port *port = urb->context;




* [PATCH 7.0 031/378] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 030/378] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 032/378] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
                   ` (347 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8e0622f6d9446420271f,
	Deepanshu Kartikey, Johannes Berg, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit 6c0cf89f36ac0c0fd8687a4ccdce2efb23a9c663 ]

When parsing the radiotap header of an injected frame,
ieee80211_parse_tx_radiotap() uses the IEEE80211_RADIOTAP_ANTENNA value
directly as a shift count:

	info->control.antennas |= BIT(*iterator.this_arg);

*iterator.this_arg is an 8-bit value taken straight from the frame
supplied by userspace, so BIT() can be asked to shift by up to 255. That
is undefined behaviour on the unsigned long and is reported by UBSAN:

  UBSAN: shift-out-of-bounds in net/mac80211/tx.c:2174:30
  shift exponent 235 is too large for 64-bit type 'unsigned long'
  Call Trace:
   ieee80211_parse_tx_radiotap+0xadb/0x1950 net/mac80211/tx.c:2174
   ieee80211_monitor_start_xmit+0xb1f/0x1250 net/mac80211/tx.c:2451
   ...
   packet_sendmsg+0x3eb6/0x50f0 net/packet/af_packet.c:3109

info->control.antennas is a 2-bit bitmap (u8 antennas:2), so only antenna
indices 0 and 1 can ever be represented. Ignore any larger value instead
of shifting out of bounds.

Reported-by: syzbot+8e0622f6d9446420271f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8e0622f6d9446420271f
Fixes: ef246a1480cc ("wifi: mac80211: support antenna control in injection")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260531011721.102941-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/tx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index b7aedaab848386..d2ba2d81224f97 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2172,7 +2172,9 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb,
 
 		case IEEE80211_RADIOTAP_ANTENNA:
 			/* this can appear multiple times, keep a bitmap */
-			info->control.antennas |= BIT(*iterator.this_arg);
+			/* control.antennas is only a 2-bit bitmap */
+			if (*iterator.this_arg < 2)
+				info->control.antennas |= BIT(*iterator.this_arg);
 			break;
 
 		case IEEE80211_RADIOTAP_DATA_RETRIES:
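
Review bot: the bound in "if (*iterator.this_arg < 2)" is a bare literal that has to stay in step with the width of control.antennas, and only the comment above it records that link. A named constant next to the bitfield definition, or a check derived from the field width, would keep the two together if the bitmap ever grows. Out-of-range indices are dropped without any trace; if silently ignoring them is the intended behaviour for injected frames, the comment could say so.
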
-- 
2.53.0





* [PATCH 6.1 115/522] usb: cdns3: gadget: fix request skipping after clearing halt
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 114/522] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 116/522] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
                   ` (407 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Yongchao Wu

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongchao Wu <yongchao.wu@autochips.com>

commit c8778ff817a7047d6848fefba99dcb27b1bf01fe upstream.

According to the cdns3 datasheet, the EPRST (Endpoint Reset) command
causes the DMA engine to reposition its internal pointer to the next
Transfer Descriptor (TD) if it was already processing one.

This issue is consistently observed during the ADB identification
process on macOS hosts, where the host issues a Clear_Halt. Although
commit 4bf2dd65135a ("usb: cdns3: gadget: toggle cycle bit before reset
endpoint") attempted to avoid DMA advance by toggling the cycle bit,
trace logs show that on certain hosts like macOS, the DMA pointer
(EP_TRADDR) still shifts after EPRST:

  cdns3_ctrl_req: Clear Endpoint Feature(Halt ep1out)
  cdns3_doorbell_epx: ep1out, ep_trbaddr f9c04030  <-- Should be f9c04000
  cdns3_gadget_giveback: ep1out: req: ... length: 16384/16384

As shown above, the DMA pointer jumped to the next TD, causing
the controller to skip the initial TRBs of the request. This leads to
data misalignment and ADB protocol hangs on macOS.

Fix this by manually restoring the EP_TRADDR register to the starting
physical address of the current request after the EPRST operation is
complete.

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Cc: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260513160012.2547894-1-yongchao.wu@autochips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-gadget.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2812,9 +2812,19 @@ int __cdns3_gadget_ep_clear_halt(struct
 	priv_ep->flags &= ~(EP_STALLED | EP_STALL_PENDING);
 
 	if (request) {
-		if (trb)
+		if (trb) {
 			*trb = trb_tmp;
 
+			/*
+			 * Per datasheet, EPRST causes DMA to reposition to the next TD.
+			 * Manually reset EP_TRADDR to the current TRB to prevent
+			 * the hardware from skipping the interrupted request.
+			 */
+			writel(EP_TRADDR_TRADDR(priv_ep->trb_pool_dma +
+						priv_req->start_trb * TRB_SIZE),
+						&priv_dev->regs->ep_traddr);
+		}
+
 		cdns3_rearm_transfer(priv_ep, 1);
 	}
 
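
Review bot: the new comment says EP_TRADDR is reset "to the current TRB", but the address written is priv_ep->trb_pool_dma + priv_req->start_trb * TRB_SIZE, the first TRB of the request; the wording should match the code. The continuation line "&priv_dev->regs->ep_traddr" is indented as though it were an argument of EP_TRADDR_TRADDR() rather than the second argument of writel(). The hunk also does not show the endpoint being selected before this register write or where priv_req is set, so both are worth confirming against the rest of __cdns3_gadget_ep_clear_halt().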




* [PATCH 7.0 032/378] pcnet32: stop holding device spin lock during napi_complete_done
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 031/378] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 033/378] net: Annotate sk->sk_write_space() for UDP SOCKMAP Greg Kroah-Hartman
                   ` (346 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Oscar Maes,
	Alexander Lobakin, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oscar Maes <oscmaes92@gmail.com>

[ Upstream commit 73bf3cca7de6a73f53b6a52dc3b1c82ae5667a4d ]

napi_complete_done may call gro_flush_normal (though not currently, as GRO
is unsupported at the moment), which may result in packet TX. This will
eventually result in calling pcnet32_start_xmit - resulting in a deadlock
while trying to re-acquire the already locked spin lock.

It is safe to split the spinlock block into two, because the hardware
registers are still protected from concurrent access, and the two blocks
perform unrelated operations that don't need to happen atomically.

Fixes: 5b2ec6f2be51 ("pcnet32: use napi_complete_done()")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260528140320.5556-1-oscmaes92@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amd/pcnet32.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c
index 911808ab13a79d..4f3076d4ea34eb 100644
--- a/drivers/net/ethernet/amd/pcnet32.c
+++ b/drivers/net/ethernet/amd/pcnet32.c
@@ -1407,8 +1407,10 @@ static int pcnet32_poll(struct napi_struct *napi, int budget)
 		pcnet32_restart(dev, CSR0_START);
 		netif_wake_queue(dev);
 	}
+	spin_unlock_irqrestore(&lp->lock, flags);
 
 	if (work_done < budget && napi_complete_done(napi, work_done)) {
+		spin_lock_irqsave(&lp->lock, flags);
 		/* clear interrupt masks */
 		val = lp->a->read_csr(ioaddr, CSR3);
 		val &= 0x00ff;
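
Review bot: dropping lp->lock just before napi_complete_done() and retaking it inside the if body leaves two adjacent critical sections with no comment explaining why they are split. A note at the new spin_unlock_irqrestore(), saying that napi_complete_done() can end up in pcnet32_start_xmit(), which takes the same lock, would stop someone from merging them back. Also confirm that nothing in the second section relies on state checked in the first, since another context can touch the device in the gap.
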
@@ -1416,9 +1418,9 @@ static int pcnet32_poll(struct napi_struct *napi, int budget)
 
 		/* Set interrupt enable. */
 		lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
+		spin_unlock_irqrestore(&lp->lock, flags);
 	}
 
-	spin_unlock_irqrestore(&lp->lock, flags);
 	return work_done;
 }
 
-- 
2.53.0





* [PATCH 6.1 116/522] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 115/522] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 117/522] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
                   ` (406 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@cixtech.com>

commit ae6f3b82324e4f39ad8443c9020787e6fc889637 upstream.

Call pm_runtime_allow(dev) conditionally at cdns3_plat_remove.

Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-3-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-plat.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -181,6 +181,9 @@ static int cdns3_plat_remove(struct plat
 	struct device *dev = cdns->dev;
 
 	pm_runtime_get_sync(dev);
+	if (!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW)))
+		pm_runtime_allow(dev);
+
 	pm_runtime_disable(dev);
 	pm_runtime_put_noidle(dev);
 	cdns_remove(cdns);
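
Review bot: the condition "!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW))" in cdns3_plat_remove() has to match the condition that guards pm_runtime_forbid() on the probe side, which this hunk does not show. A small helper used by both paths, or at least a comment naming the probe-side call it balances, would keep the pair from drifting apart. The changelog body is a single line; it should say what leaks and when, as the subject does.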




* [PATCH 7.0 033/378] net: Annotate sk->sk_write_space() for UDP SOCKMAP.
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 032/378] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 034/378] tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req() Greg Kroah-Hartman
                   ` (345 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jakub Sitnicki,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit b748765019fe9e9234660327090fc1a9665cdbdd ]

UDP TX skb->destructor() is sock_wfree(), and UDP holds lock_sock()
only for UDP_CORK / MSG_MORE sendmsg().

Otherwise, sk->sk_write_space() may be read locklessly while SOCKMAP
rewrites sk->sk_write_space().

Let's use WRITE_ONCE() and READ_ONCE() for sk->sk_write_space().

Note that the write side is annotated by commit 2ef2b20cf4e0
("net: annotate data-races around sk->sk_{data_ready,write_space}").

Fixes: 7b98cd42b049 ("bpf: sockmap: Add UDP support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://patch.msgid.link/20260529193941.3897256-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/sock.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 5976100a9d55a0..b197a795306392 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2673,8 +2673,12 @@ void sock_wfree(struct sk_buff *skb)
 	int old;
 
 	if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) {
+		void (*sk_write_space)(struct sock *sk);
+
+		sk_write_space = READ_ONCE(sk->sk_write_space);
+
 		if (sock_flag(sk, SOCK_RCU_FREE) &&
-		    sk->sk_write_space == sock_def_write_space) {
+		    sk_write_space == sock_def_write_space) {
 			rcu_read_lock();
 			free = __refcount_sub_and_test(len, &sk->sk_wmem_alloc,
 						       &old);
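
Review bot: the local function pointer is named sk_write_space, the same as the struct sock member it snapshots, so "sk_write_space == sock_def_write_space" and "sk->sk_write_space" are easy to confuse when reading sock_wfree(). A distinct local name, plus a one-line comment that the pointer is read once with READ_ONCE() because SOCKMAP can rewrite it concurrently, would make the intent clear. Using the single snapshot for both the comparison and the later call is the right shape.
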
@@ -2690,7 +2694,7 @@ void sock_wfree(struct sk_buff *skb)
 		 * after sk_write_space() call
 		 */
 		WARN_ON(refcount_sub_and_test(len - 1, &sk->sk_wmem_alloc));
-		sk->sk_write_space(sk);
+		sk_write_space(sk);
 		len = 1;
 	}
 	/*
-- 
2.53.0





* [PATCH 6.1 117/522] usb: dwc2: Fix use after free in debug code
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 116/522] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 118/522] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
                   ` (405 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

commit 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 upstream.

We're not allowed to dereference "urb" after calling
usb_hcd_giveback_urb() so save the urb->status ahead of time.

Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc2/hcd.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -4804,6 +4804,7 @@ static int _dwc2_hcd_urb_dequeue(struct
 	struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
 	int rc;
 	unsigned long flags;
+	int urb_status;
 
 	dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
 	dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
@@ -4828,11 +4829,12 @@ static int _dwc2_hcd_urb_dequeue(struct
 
 	/* Higher layer software sets URB status */
 	spin_unlock(&hsotg->lock);
+	urb_status = urb->status;
 	usb_hcd_giveback_urb(hcd, urb, status);
 	spin_lock(&hsotg->lock);
 
 	dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
-	dev_dbg(hsotg->dev, "  urb->status = %d\n", urb->status);
+	dev_dbg(hsotg->dev, "  urb->status = %d\n", urb_status);
 out:
 	spin_unlock_irqrestore(&hsotg->lock, flags);
 
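
Review bot: urb_status is copied from urb->status before usb_hcd_giveback_urb(), but the dev_dbg() that prints it sits after "Called usb_hcd_giveback_urb()" and is still labelled "urb->status", so the log now shows the value from before the giveback while reading as its result. Print the status argument that was passed to usb_hcd_giveback_urb() instead, move the print above the call, or drop the line. The copy is also taken after spin_unlock(&hsotg->lock); if urb->status is meant to be read under the lock, take it one line earlier.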




* [PATCH 7.0 034/378] tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 033/378] net: Annotate sk->sk_write_space() for UDP SOCKMAP Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 035/378] hsr: Remove WARN_ONCE() in hsr_addr_is_self() Greg Kroah-Hartman
                   ` (344 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+e809069bc15f26300526,
	Kuniyuki Iwashima, Eric Dumazet, Sebastian Andrzej Siewior,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit e10902df24488ca722303133acfc82490f7d59ad ]

syzbot reported a weird reqsk->rsk_refcnt underflow in
__inet_csk_reqsk_queue_drop().

The captured reqsk_put() in __inet_csk_reqsk_queue_drop()
is called only when it successfully removes reqsk from ehash.

Moreover, reqsk_timer_handler() calls another reqsk_put()
after that.

This indicates that the reqsk was missing both refcnts for
ehash and the timer itself.

Since all the syzbot reports had PREEMPT_RT enabled, the only
possible scenario is that reqsk_queue_hash_req() is preempted
after mod_timer() and before refcount_set(), and then the timer
triggered after 1s aborts the reqsk due to its listener's close().

Let's wrap mod_timer() and refcount_set() with
preempt_disable_nested() and preempt_enable_nested().

Note that inet_ehash_insert() holds the normal spin_lock()
(mutex in PREEMPT_RT), so it must be called outside of
preempt_disable_nested(), but this is fine.

The lookup path just ignores 0 sk_refcnt entries in ehash
and tries to create another reqsk, but this will fail at
inet_ehash_insert().

[0]:
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: e4 7d d1 0a 67 48 0f b9 3a eb 4a e8 38 3d 23 fd 48 8d 3d e1 7d d1 0a 67 48 0f b9 3a eb 37 e8 25 3d 23 fd 48 8d 3d de 7d d1 0a <67> 48 0f b9 3a eb 24 e8 12 3d 23 fd 48 8d 3d db 7d d1 0a 67 48 0f
RSP: 0000:ffffc90000157948 EFLAGS: 00010246
RAX: ffffffff84a1301b RBX: 0000000000000003 RCX: ffff88801ca98000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f72ae00
RBP: ffffffff99ae3b01 R08: ffff88801ca98000 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: ffff8880425ef568
R13: ffff8880425ef4f8 R14: ffff8880425ef578 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888126386000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b46710e9c CR3: 000000000dbb6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 reqsk_put include/net/request_sock.h:136 [inline]
 __inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x67/0x170 kernel/time/timer.c:2403
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1151
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
Reported-by: syzbot+e809069bc15f26300526@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6a1a7bcf.0a9e871e.332604.000b.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20260601182101.3183993-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/inet_connection_sock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index f1988fd503540d..d9f6c8d4d7e63a 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1151,6 +1151,9 @@ static bool reqsk_queue_hash_req(struct request_sock *req)
 	/* The timer needs to be setup after a successful insertion. */
 	req->timeout = tcp_timeout_init((struct sock *)req);
 	timer_setup(&req->rsk_timer, reqsk_timer_handler, TIMER_PINNED);
+
+	preempt_disable_nested();
+
 	mod_timer(&req->rsk_timer, jiffies + req->timeout);
 
 	/* before letting lookups find us, make sure all req fields
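
Review bot: preempt_disable_nested() is added before mod_timer() with no comment, and the reason is not obvious from the code: on PREEMPT_RT the task can be preempted between arming the timer and refcount_set(), so the timer handler can run against a reqsk whose refcount was never set. Put that in a comment above the call, since the existing comment there only covers the order of timer setup. preempt_disable_nested() also expects the caller to be in an already non-preemptible section on non-RT kernels; state which lock or context guarantees that here.
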
@@ -1158,6 +1161,9 @@ static bool reqsk_queue_hash_req(struct request_sock *req)
 	 */
 	smp_wmb();
 	refcount_set(&req->rsk_refcnt, 2 + 1);
+
+	preempt_enable_nested();
+
 	return true;
 }
 
-- 
2.53.0





* [PATCH 6.1 118/522] Input: elan_i2c - validate firmware size before use
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 117/522] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 119/522] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
                   ` (404 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 upstream.

Ensure that the firmware file is large enough to contain the expected
number of pages and the signature (which resides at the end of the
firmware blob) before accessing them to prevent potential out-of-bounds
reads.

Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/elan_i2c_core.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -646,6 +646,11 @@ static ssize_t elan_sysfs_update_fw(stru
 		return error;
 	}
 
+	if (fw->size < data->fw_signature_address + sizeof(signature)) {
+		dev_err(dev, "firmware file too small\n");
+		return -EBADF;
+	}
+
 	/* Firmware file must match signature data */
 	fw_signature = &fw->data[data->fw_signature_address];
 	if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {
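Review bot: The added size check leaves with a bare return -EBADF at a point where fw is already held (fw->size is read in the condition), so unless elan_sysfs_update_fw() in this tree uses scope-based cleanup for fw, this path skips the firmware release. Please confirm for 6.1 and, if the function releases fw through an error label, set error and jump there instead. Separately, the commit message mentions the expected number of pages, but the five added lines only bound fw_signature_address + sizeof(signature).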




* [PATCH 7.0 035/378] hsr: Remove WARN_ONCE() in hsr_addr_is_self().
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 034/378] tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 036/378] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
                   ` (343 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+652670cf249077eb498b,
	Kuniyuki Iwashima, Fernando Fernandez Mancera, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit afd0f17ca46258cec3a5cc48b8df9327fe772490 ]

syzbot reported the warning [0] in hsr_addr_is_self(),
whose assumption is simply wrong.

hsr->self_node is cleared in hsr_del_self_node(), which
is called from hsr_dellink().

Since dev->rtnl_link_ops->dellink() is called before
unregister_netdevice_many(), there is a window when
user can find the device but without hsr->self_node.

Let's remove WARN_ONCE() in hsr_addr_is_self().

[0]:
HSR: No self node
WARNING: net/hsr/hsr_framereg.c:39 at hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39, CPU#0: syz.4.16848/17220
Modules linked in:
CPU: 0 UID: 0 PID: 17220 Comm: syz.4.16848 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39
Code: 33 2f 41 0f b7 dd 89 ee 09 de 31 ff e8 c8 b4 c6 f6 09 dd 74 54 e8 0f b0 c6 f6 31 ed eb 53 e8 06 b0 c6 f6 48 8d 3d 2f 50 9c 04 <67> 48 0f b9 3a 31 ed eb 42 e8 c1 13 1f 00 89 c5 31 ff 89 c6 e8 96
RSP: 0018:ffffc900041c70e0 EFLAGS: 00010283
RAX: ffffffff8afdc6ca RBX: ffffffff8afdc4e6 RCX: 0000000000080000
RDX: ffffc90010493000 RSI: 0000000000000948 RDI: ffffffff8f9a1700
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900041c71e8 R11: fffff52000838e3f R12: dffffc0000000000
R13: ffff888041f9e3c0 R14: ffff888086ee3802 R15: 0000000000000000
FS:  00007f6fe985d6c0(0000) GS:ffff888126176000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f80bd437dac CR3: 0000000025096000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000002
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 check_local_dest net/hsr/hsr_forward.c:592 [inline]
 fill_frame_info net/hsr/hsr_forward.c:728 [inline]
 hsr_forward_skb+0xa11/0x2a80 net/hsr/hsr_forward.c:739
 hsr_dev_xmit+0x253/0x370 net/hsr/hsr_device.c:236
 __netdev_start_xmit include/linux/netdevice.h:5368 [inline]
 netdev_start_xmit include/linux/netdevice.h:5377 [inline]
 xmit_one net/core/dev.c:3888 [inline]
 dev_hard_start_xmit+0x2df/0x860 net/core/dev.c:3904
 __dev_queue_xmit+0x1428/0x3900 net/core/dev.c:4870
 neigh_output include/net/neighbour.h:556 [inline]
 ip_finish_output2+0xcec/0x10b0 net/ipv4/ip_output.c:237
 ip_send_skb net/ipv4/ip_output.c:1510 [inline]
 ip_push_pending_frames+0x8b/0x110 net/ipv4/ip_output.c:1530
 raw_sendmsg+0x1547/0x1a50 net/ipv4/raw.c:659
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 ____sys_sendmsg+0x7da/0x9c0 net/socket.c:2698
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2752
 __sys_sendmsg net/socket.c:2784 [inline]
 __do_sys_sendmsg net/socket.c:2789 [inline]
 __se_sys_sendmsg net/socket.c:2787 [inline]
 __x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2787
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6feb62ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6fe985d028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6feb8a6090 RCX: 00007f6feb62ce59
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000004
RBP: 00007f6feb6c2d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6feb8a6128 R14: 00007f6feb8a6090 R15: 00007ffcf01cc488
 </TASK>

Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
Reported-by: syzbot+652670cf249077eb498b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6a1a861e.b111c304.35cd64.0016.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260530064300.340793-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/hsr/hsr_framereg.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
index f268e469af4f09..7f55e12edc8341 100644
--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -35,10 +35,8 @@ bool hsr_addr_is_self(struct hsr_priv *hsr, unsigned char *addr)
 
 	rcu_read_lock();
 	sn = rcu_dereference(hsr->self_node);
-	if (!sn) {
-		WARN_ONCE(1, "HSR: No self node\n");
+	if (!sn)
 		goto out;
-	}
 
 	if (ether_addr_equal(addr, sn->macaddress_A) ||
 	    ether_addr_equal(addr, sn->macaddress_B))
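Review bot: With the WARN_ONCE() gone, the bare if (!sn) goto out; gives no hint that a NULL self_node is an expected state rather than a bug. A short comment above the check, saying that self_node is cleared from the dellink path before the device is unregistered, would keep someone from reinstating the warning later.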
-- 
2.53.0





* [PATCH 6.1 119/522] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 118/522] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 120/522] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
                   ` (403 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit f72eed9b84fb771019a955908132410a9ba9ea3f upstream.

When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.

The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.

Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.

Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/filter.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2841,7 +2841,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
 
 		psge->length = start - offset;
 		rsge.length -= psge->length;
-		rsge.offset += start;
+		rsge.offset += start - offset;
 
 		sk_msg_iter_var_next(i);
 		sg_unmark_end(psge);
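Review bot: The corrected line recomputes start - offset even though psge->length was assigned that same value two lines earlier and is already what rsge.length is reduced by. Writing rsge.offset += psge->length; would tie the offset and length adjustments of the right fragment to one quantity, so the two cannot drift apart again.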




* [PATCH 7.0 036/378] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 035/378] hsr: Remove WARN_ONCE() in hsr_addr_is_self() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 037/378] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
                   ` (342 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
	Xuewei Feng, Qi Li, Ke Xu, Simon Horman, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

[ Upstream commit 16e408e607a94b646fb14a2a98422c6877ae4b3c ]

The receive-side GARP attribute parser computes dlen with reversed
operands:

        dlen = sizeof(*ga) - ga->len;

ga->len is the on-wire attribute length and includes the GARP attribute
header. For normal attributes with data, ga->len is larger than
sizeof(*ga), so the subtraction underflows in unsigned arithmetic.

The resulting value is later passed to garp_attr_lookup(), whose length
argument is u8. After truncation, the parsed data length usually no
longer matches the length stored for locally registered attributes, so
received Join/Leave events are ignored. This breaks the GARP receive path
for common attributes, such as GVRP VLAN registration attributes.

Compute the data length as the attribute length minus the header length.

Fixes: eca9ebac651f ("net: Add GARP applicant-only participant")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260527083200.42861-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/802/garp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/802/garp.c b/net/802/garp.c
index 6f563b6797d99e..c7a39f298ad6ed 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -453,7 +453,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
 	if (!pskb_may_pull(skb, ga->len))
 		return -1;
 	skb_pull(skb, ga->len);
-	dlen = sizeof(*ga) - ga->len;
+	dlen = ga->len - sizeof(*ga);
 
 	if (attrtype > app->app->maxattr)
 		return 0;
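Review bot: dlen = ga->len - sizeof(*ga) is only safe when ga->len >= sizeof(*ga), and the visible context shows just the pskb_may_pull(skb, ga->len) check ahead of it. Please confirm that a lower-bound check on ga->len sits above this hunk; without one, a short attribute would wrap in the same way the old expression did for normal attributes.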
-- 
2.53.0





* [PATCH 6.1 120/522] macsec: fix replay protection at XPN lower-PN wrap
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 119/522] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 121/522] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
                   ` (402 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit e68842b3356471ba56c882209f324613dac47f64 upstream.

In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
and the first branch never fires. If next_pn_halves.lower is also in the
upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
fire either, leaving next_pn_halves unchanged. An attacker that captures
the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
can then replay it indefinitely, since lowest_pn never rises above
the captured pn and macsec_decrypt() reconstructs the same IV.

Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).

Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macsec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -806,7 +806,8 @@ static bool macsec_post_decrypt(struct s
 		if (pn + 1 > rx_sa->next_pn_halves.lower) {
 			rx_sa->next_pn_halves.lower = pn + 1;
 		} else if (secy->xpn &&
-			   !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
+			   (pn + 1 == 0 ||
+			    !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
 			rx_sa->next_pn_halves.upper++;
 			rx_sa->next_pn_halves.lower = pn + 1;
 		}
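Review bot: The new pn + 1 == 0 test in the else-if depends on u32 wraparound and reads like a typo next to the pn + 1 > rx_sa->next_pn_halves.lower comparison above it. Spelling it pn == U32_MAX, or adding a one-line comment that this is the lower-PN wrap case, would make the intent obvious. pn + 1 is also now evaluated in four places in this block and could be a local.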



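The lower-PN wrap described in the commit message above can be checked with a small user-space model of the update step. This is an added example, not code from the patch or from drivers/net/macsec.c; the struct layout, the pn_same_half() definition and the helper names are simplified assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for rx_sa->next_pn_halves: upper:lower form the 64-bit XPN. */
struct pn_halves {
	uint32_t lower;
	uint32_t upper;
};

/* Assumed definition: two 32-bit PNs share a half when their top bits match. */
static bool pn_same_half(uint32_t a, uint32_t b)
{
	return ((a >> 31) ^ (b >> 31)) == 0;
}

/*
 * Model of the update step shown in the hunk. `patched` selects the new
 * else-if condition that also fires when pn + 1 wraps to 0.
 */
static void update_next_pn(struct pn_halves *next, uint32_t pn,
			   bool xpn, bool patched)
{
	uint32_t pn1 = pn + 1u;	/* wraps to 0 when pn == UINT32_MAX */

	if (pn1 > next->lower) {
		next->lower = pn1;
	} else if (xpn &&
		   ((patched && pn1 == 0) ||
		    !pn_same_half(pn, next->lower))) {
		next->upper++;
		next->lower = pn1;
	}
}

/* Run one update on an XPN association and return the resulting 64-bit next PN. */
static uint64_t next_pn_after(uint32_t upper, uint32_t lower,
			      uint32_t pn, bool patched)
{
	struct pn_halves next = { .lower = lower, .upper = upper };

	update_next_pn(&next, pn, true, patched);
	return ((uint64_t)next.upper << 32) | next.lower;
}

int main(void)
{
	/* Constructed sample states: { starting lower half, received pn }. */
	static const uint32_t cases[][2] = {
		{ 50u,         100u        },	/* ordinary in-order frame */
		{ 5u,          0xFFFFFFFFu },	/* wrap, state in lower half */
		{ 0xFFFFFFF0u, 0xFFFFFFFFu },	/* wrap, state in upper half */
		{ 0xFFFFFFFFu, 0xFFFFFFFFu },	/* wrap, pn is exactly next_pn */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint64_t before = cases[i][0];
		uint64_t old = next_pn_after(0, cases[i][0], cases[i][1], false);
		uint64_t new = next_pn_after(0, cases[i][0], cases[i][1], true);

		printf("next=%#011llx pn=%#010x  unpatched->%#011llx%s  patched->%#011llx\n",
		       (unsigned long long)before, (unsigned)cases[i][1],
		       (unsigned long long)old,
		       old == before ? " (stuck)" : "",
		       (unsigned long long)new);
	}
	return 0;
}
```

Only the rows where the stored lower half is itself in the upper half stay stuck without the patch, which is the state in which the replay state never moves past the captured frame.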

* [PATCH 7.0 037/378] net: lan743x: permit VLAN-tagged packets up to configured MTU
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 036/378] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 038/378] net: fec: fix pinctrl default state restore order on resume Greg Kroah-Hartman
                   ` (341 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Thompson, Thangaraj Samynathan,
	Nicolai Buchwitz, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Thompson <davthompson@nvidia.com>

[ Upstream commit 8173d22b211f615015f7b35f48ab11a6dd78dc99 ]

VLAN-tagged interfaces on lan743x devices were previously unreachable via
SSH and failed to respond to large ping packets (e.g. "ping -s 1469" given
MTU=1500). In these scenarios, "ethtool -S" reports non-zero "RX Oversize
Frame Errors". According to Microchip AN2948, the MAC_RX FSE (VLAN field
size enforcement) bit determines whether frames with VLAN tags exceeding
the base MTU plus tag length are discarded.

The driver must set the MAC_RX.FSE bit before setting MAC_RX.RXEN to allow
VLAN-tagged frames up to the interface MTU, preventing them from being
treated as oversized. As a result, both the base and VLAN-tagged interfaces
can use the same MTU without receive errors.

Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Thangaraj Samynathan <Thangaraj.s@microchip.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de> # lan7430 on arm64 (RevPi
Link: https://patch.msgid.link/20260529210300.433135-1-davthompson@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/microchip/lan743x_main.c | 32 +++++++++++++++++++
 drivers/net/ethernet/microchip/lan743x_main.h |  1 +
 2 files changed, 33 insertions(+)

diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
index f0b5dd752f084f..5af49b2b20245d 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -1212,6 +1212,36 @@ static void lan743x_mac_set_address(struct lan743x_adapter *adapter,
 		   "MAC address set to %pM\n", addr);
 }
 
+static void lan743x_mac_rx_enable_fse(struct lan743x_adapter *adapter)
+{
+	u32 mac_rx;
+	bool rxen;
+
+	mac_rx = lan743x_csr_read(adapter, MAC_RX);
+	if (mac_rx & MAC_RX_FSE_)
+		return;
+
+	rxen = mac_rx & MAC_RX_RXEN_;
+	if (rxen) {
+		mac_rx &= ~MAC_RX_RXEN_;
+		lan743x_csr_write(adapter, MAC_RX, mac_rx);
+		lan743x_csr_wait_for_bit(adapter, MAC_RX, MAC_RX_RXD_,
+					 1, 1000, 20000, 100);
+	}
+
+	/* Per AN2948, hardware prevents modification of the FSE bit while the
+	 * MAC receiver is enabled (RXEN bit set). Use separate register write
+	 * to assert the FSE bit before enabling the RXEN bit in MAC_RX
+	 */
+	mac_rx |= MAC_RX_FSE_;
+	lan743x_csr_write(adapter, MAC_RX, mac_rx);
+
+	if (rxen) {
+		mac_rx |= MAC_RX_RXEN_;
+		lan743x_csr_write(adapter, MAC_RX, mac_rx);
+	}
+}
+
 static int lan743x_mac_init(struct lan743x_adapter *adapter)
 {
 	bool mac_address_valid = true;
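Review bot: In lan743x_mac_rx_enable_fse() the return value of lan743x_csr_wait_for_bit() is dropped, so if MAC_RX_RXD_ never asserts the function still writes MAC_RX_FSE_ while the receiver may be active, which the comment just below says the hardware does not permit. Check the result and at least log the timeout, or return an error from this helper and propagate it from lan743x_mac_init(), so that a silent failure does not bring back the oversize-frame drops the commit message describes.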
@@ -1251,6 +1281,8 @@ static int lan743x_mac_init(struct lan743x_adapter *adapter)
 	lan743x_mac_set_address(adapter, adapter->mac_address);
 	eth_hw_addr_set(netdev, adapter->mac_address);
 
+	lan743x_mac_rx_enable_fse(adapter);
+
 	return 0;
 }
 
diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h
index 02a28b7091630d..b977256b742061 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.h
+++ b/drivers/net/ethernet/microchip/lan743x_main.h
@@ -181,6 +181,7 @@
 #define MAC_RX				(0x104)
 #define MAC_RX_MAX_SIZE_SHIFT_		(16)
 #define MAC_RX_MAX_SIZE_MASK_		(0x3FFF0000)
+#define MAC_RX_FSE_			BIT(2)
 #define MAC_RX_RXD_			BIT(1)
 #define MAC_RX_RXEN_			BIT(0)
 
-- 
2.53.0





* [PATCH 6.1 121/522] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 120/522] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 122/522] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
                   ` (401 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Iurman <justin.iurman@gmail.com>

commit d47548a36639095939f4747d4c43f2271366f565 upstream.

ipv6_hop_jumbo() calls pskb_trim_rcsum(), which can change skb pointers.
Let's recompute nh pointer to make sure any change won't mess things up.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260522112013.12342-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -186,6 +186,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
 				case IPV6_TLV_JUMBO:
 					if (!ipv6_hop_jumbo(skb, off))
 						return false;
+
+					nh = skb_network_header(skb);
 					break;
 				case IPV6_TLV_CALIPSO:
 					if (!ipv6_hop_calipso(skb, off))
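Review bot: The nh reload after ipv6_hop_jumbo() has no comment, and a bare nh = skb_network_header(skb); is easy to delete later as redundant. Add a short note that ipv6_hop_jumbo() can call pskb_trim_rcsum() and change skb pointers. The IPV6_TLV_CALIPSO case right below also hands skb to its handler, so it is worth stating whether that path can invalidate nh as well.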




* [PATCH 7.0 038/378] net: fec: fix pinctrl default state restore order on resume
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 037/378] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 039/378] ipv6: anycast: insert aca into global hash under idev->lock Greg Kroah-Hartman
                   ` (340 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tapio Reijonen, Wei Fang,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tapio Reijonen <tapio.reijonen@vaisala.com>

[ Upstream commit b455410146bf723c7ebcb49ecd5becc0d6611482 ]

In fec_resume(), fec_enet_clk_enable() is called before
pinctrl_pm_select_default_state() in the non-WoL path, inverting the
ordering used in fec_suspend() which correctly switches to the sleep
pinctrl state before disabling clocks.

For PHYs with the PHY_RST_AFTER_CLK_EN flag (e.g. TI DP83848 or
SMSC LAN87xx), fec_enet_clk_enable() triggers a hardware reset pulse
via the phy-reset GPIO. With the GPIO pin still in sleep pinctrl state
at that point, the GPIO write has no physical effect and the PHY never
receives the required reset after clock enable, leading to unreliable
link establishment after system resume.

Fix by restoring the default pinctrl state before enabling clocks,
making resume the proper mirror of suspend. The call is made
unconditionally: fec_suspend() only switches to the sleep pinctrl state
on the non-WoL path and leaves the pins in the default state when WoL
is enabled, so on a WoL resume the device is already in the default
state and pinctrl_pm_select_default_state() is a no-op.

Fixes: de40ed31b3c5 ("net: fec: add Wake-on-LAN support")
Signed-off-by: Tapio Reijonen <tapio.reijonen@vaisala.com>
Reviewed-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260529-b4-fec-resume-pinctrl-order-v3-1-6eda0f592fca@vaisala.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fec_main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index f89aa94ce0202d..6ebde65d7f1b87 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -5594,6 +5594,7 @@ static int fec_resume(struct device *dev)
 		if (fep->rpm_active)
 			pm_runtime_force_resume(dev);
 
+		pinctrl_pm_select_default_state(&fep->pdev->dev);
 		ret = fec_enet_clk_enable(ndev, true);
 		if (ret) {
 			rtnl_unlock();
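Review bot: pinctrl_pm_select_default_state() now runs ahead of fec_enet_clk_enable(), but its return value is still ignored even though the commit message makes the PHY reset pulse depend on the pins being in the default state at that point. Consider checking it, or at least warning on failure. Also, when fec_enet_clk_enable() fails, the if (ret) path now exits with the pins already switched to the default state; please confirm that is acceptable for a failed resume.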
@@ -5610,8 +5611,6 @@ static int fec_resume(struct device *dev)
 			val &= ~(FEC_ECR_MAGICEN | FEC_ECR_SLEEP);
 			writel(val, fep->hwp + FEC_ECNTRL);
 			fep->wol_flag &= ~FEC_WOL_FLAG_SLEEP_ON;
-		} else {
-			pinctrl_pm_select_default_state(&fep->pdev->dev);
 		}
 		fec_restart(ndev);
 		netif_tx_lock_bh(ndev);
-- 
2.53.0





* [PATCH 6.1 122/522] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 121/522] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 123/522] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
                   ` (400 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 upstream.

Fix error handling in q6asm_dai_compr_set_params() and q6asm_dai_prepare()
for both CMD_CLOSE and q6asm_unmap_memory_regions().

In both the functions, we are doing q6asm_audio_client_free in failure
cases, which means if prepare or set_params fail, we can never recover.
Now open and close are done in respective dai_open/close functions.

Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |   24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -239,9 +239,19 @@ static int q6asm_dai_prepare(struct snd_
 	/* rate and channels are sent to audio driver */
 	if (prtd->state == Q6ASM_STREAM_RUNNING) {
 		/* clear the previous setup if any  */
-		q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
-		q6asm_unmap_memory_regions(substream->stream,
-					   prtd->audio_client);
+		ret = q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+		if (ret < 0) {
+			dev_err(dev, "Failed to close q6asm stream %d\n", prtd->stream_id);
+			return ret;
+		}
+
+		ret = q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
+		if (ret < 0) {
+			dev_err(dev, "Failed to unmap memory regions for q6asm stream %d\n",
+				prtd->stream_id);
+			return ret;
+		}
+
 		q6routing_stream_close(soc_prtd->dai_link->id,
 					 substream->stream);
 		prtd->state = Q6ASM_STREAM_STOPPED;
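Review bot: The two new early returns in q6asm_dai_prepare() leave prtd->state at Q6ASM_STREAM_RUNNING and skip q6routing_stream_close(). If CMD_CLOSE succeeds but q6asm_unmap_memory_regions() then fails, the next prepare call will send CMD_CLOSE again for a stream that is already closed. Please say whether that retry is safe, or record the partial teardown before returning.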
@@ -309,8 +319,6 @@ routing_err:
 	q6asm_cmd(prtd->audio_client, prtd->stream_id,  CMD_CLOSE);
 open_err:
 	q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
-	q6asm_audio_client_free(prtd->audio_client);
-	prtd->audio_client = NULL;
 
 	return ret;
 }
@@ -912,7 +920,7 @@ static int q6asm_dai_compr_set_params(st
 			      prtd->session_id, dir);
 	if (ret) {
 		dev_err(dev, "Stream reg failed ret:%d\n", ret);
-		goto q6_err;
+		goto routing_err;
 	}
 
 	ret = __q6asm_dai_compr_set_codec_params(component, stream,
@@ -938,11 +946,11 @@ static int q6asm_dai_compr_set_params(st
 	return 0;
 
 q6_err:
+	q6routing_stream_close(rtd->dai_link->id, dir);
+routing_err:
 	q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
 
 open_err:
-	q6asm_audio_client_free(prtd->audio_client);
-	prtd->audio_client = NULL;
 	return ret;
 }
 




* [PATCH 7.0 039/378] ipv6: anycast: insert aca into global hash under idev->lock
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 038/378] net: fec: fix pinctrl default state restore order on resume Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 040/378] wifi: fix leak if split 6 GHz scanning fails Greg Kroah-Hartman
                   ` (339 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+819eb928d120d2bdad0e,
	Kuniyuki Iwashima, Jiayuan Chen, Ido Schimmel, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3 ]

syzbot reported a splat [1]: a slab-use-after-free in
ipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash
under RCU and dereferences a struct ifacaddr6 that has already been
freed while still linked in the hash, so a later reader walks into a
dangling node.

In __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then
aca_get() bumps it to 2 to keep it alive across the unlocked region.
It is published to idev->ac_list under idev->lock, but
ipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent
teardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL)
can slip into that window:

  CPU0 __ipv6_dev_ac_inc           CPU1 ipv6_ac_destroy_dev (RTNL)
  ------------------------------   ------------------------------------
  aca_alloc()              refcnt 1
  aca_get()               refcnt 2
  write_lock_bh(idev->lock)
    add aca to ac_list
  write_unlock_bh(idev->lock)
                                   write_lock_bh(idev->lock)
                                     pull aca off ac_list
                                   write_unlock_bh(idev->lock)
                                   ipv6_del_acaddr_hash(aca)
                                     hlist_del_init_rcu() is a no-op,
                                     aca is not in the hash yet
                                   aca_put()           refcnt 2->1
  ipv6_add_acaddr_hash(aca)
    aca now inserted into the hash
  aca_put()                refcnt 1->0
    call_rcu(aca_free_rcu) -> kfree(aca)

The hash removal becomes a no-op because the insertion has not
happened yet, so once CPU0 inserts and drops the last reference, the
aca is freed while still linked in inet6_acaddr_lst[], and readers
dereference freed memory after the slab slot is reused.

This window opened once RTNL stopped serializing the join path against
device teardown. Move ipv6_add_acaddr_hash() inside the idev->lock
section so the ac_list and hash insertions are atomic with respect to
teardown: a racing remover now either misses the aca entirely or finds
it in both lists.

acaddr_hash_lock is now nested under idev->lock, which is acquired in
softirq context, so switch all acaddr_hash_lock sites to spin_lock_bh()
to avoid the irq lock inversion reported in [2].

[1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a
[2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/

Reported-by: syzbot+819eb928d120d2bdad0e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6a191f87.ce022c6e.138e56.0003.GAE@google.com/T/
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Fixes: eb1ac9ff6c4a ("ipv6: anycast: Don't hold RTNL for IPV6_JOIN_ANYCAST.")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260529152219.235475-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/anycast.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c
index 67a42e01dfc3f0..be6dac8a8566a1 100644
--- a/net/ipv6/anycast.c
+++ b/net/ipv6/anycast.c
@@ -243,16 +243,16 @@ static void ipv6_add_acaddr_hash(struct net *net, struct ifacaddr6 *aca)
 {
 	unsigned int hash = inet6_acaddr_hash(net, &aca->aca_addr);
 
-	spin_lock(&acaddr_hash_lock);
+	spin_lock_bh(&acaddr_hash_lock);
 	hlist_add_head_rcu(&aca->aca_addr_lst, &inet6_acaddr_lst[hash]);
-	spin_unlock(&acaddr_hash_lock);
+	spin_unlock_bh(&acaddr_hash_lock);
 }
 
 static void ipv6_del_acaddr_hash(struct ifacaddr6 *aca)
 {
-	spin_lock(&acaddr_hash_lock);
+	spin_lock_bh(&acaddr_hash_lock);
 	hlist_del_init_rcu(&aca->aca_addr_lst);
-	spin_unlock(&acaddr_hash_lock);
+	spin_unlock_bh(&acaddr_hash_lock);
 }
 
 static void aca_get(struct ifacaddr6 *aca)
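
Review bot: both helpers, ipv6_add_acaddr_hash() and ipv6_del_acaddr_hash(), switch to spin_lock_bh() without any comment recording the new lock ordering (idev->lock first, then acaddr_hash_lock). A short comment at these helpers saying that acaddr_hash_lock now nests under idev->lock, which is taken with BH disabled, would keep a later cleanup from reverting to plain spin_lock() and bringing back the inversion the changelog describes.
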
@@ -371,10 +371,10 @@ int __ipv6_dev_ac_inc(struct inet6_dev *idev, const struct in6_addr *addr)
 	aca->aca_next = idev->ac_list;
 	rcu_assign_pointer(idev->ac_list, aca);
 
-	write_unlock_bh(&idev->lock);
-
 	ipv6_add_acaddr_hash(net, aca);
 
+	write_unlock_bh(&idev->lock);
+
 	ip6_ins_rt(net, f6i);
 
 	addrconf_join_solict(idev->dev, &aca->aca_addr);
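
Review bot: in __ipv6_dev_ac_inc() the call to ipv6_add_acaddr_hash() now sits between rcu_assign_pointer(idev->ac_list, aca) and write_unlock_bh(&idev->lock), with nothing marking that placement as required. Suggest a one-line comment there saying the hash insertion must stay inside the idev->lock section so that teardown finds the aca in both lists or in neither; without it the call looks like something that can be hoisted back out to shorten the critical section.
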
@@ -649,8 +649,8 @@ void ipv6_anycast_cleanup(void)
 {
 	int i;
 
-	spin_lock(&acaddr_hash_lock);
+	spin_lock_bh(&acaddr_hash_lock);
 	for (i = 0; i < IN6_ADDR_HSIZE; i++)
 		WARN_ON(!hlist_empty(&inet6_acaddr_lst[i]));
-	spin_unlock(&acaddr_hash_lock);
+	spin_unlock_bh(&acaddr_hash_lock);
 }
-- 
2.53.0





* [PATCH 6.1 123/522] ipv6: exthdrs: refresh nh after handling HAO option
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
	Luxing Yin, Zhengchuan Liang, Ren Wei, Justin Iurman,
	Ido Schimmel, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit f7b52afe3592eae66e160586b45a3f2242972c63 upstream.

ip6_parse_tlv() caches skb_network_header(skb) in nh while walking
IPv6 TLVs.

ipv6_dest_hao() may call pskb_expand_head() for a cloned skb, which can
move the skb head and invalidate the cached network header pointer.
Refresh nh after ipv6_dest_hao() returns so any trailing padding or TLVs
are parsed from the current skb head.

This matches the existing pattern used in ip6_parse_tlv() after helpers
that can modify skb header storage.

Fixes: a831f5bbc89a ("[IPV6] MIP6: Add inbound interface of home address option.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/7aba1debc2196189172499e5769802b026f8caf8.1779247873.git.zcliangcn@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -205,6 +205,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
 				case IPV6_TLV_HAO:
 					if (!ipv6_dest_hao(skb, off))
 						return false;
+
+					nh = skb_network_header(skb);
 					break;
 #endif
 				default:
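
Review bot: the added `nh = skb_network_header(skb);` under case IPV6_TLV_HAO carries no comment, so it reads as a redundant reload of a value that is already cached. A short comment saying that ipv6_dest_hao() may reallocate the skb head and that nh has to be re-read before the loop continues would protect the line from being removed later. The reload sits only on the success path, which is fine here because the failure path returns false without touching nh again.
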




* [PATCH 7.0 040/378] wifi: fix leak if split 6 GHz scanning fails
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Johannes Berg,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fedor Pchelkin <pchelkin@ispras.ru>

[ Upstream commit e8694f7cc29287e843648d1075177b9a2000d957 ]

rdev->int_scan_req is leaked if cfg80211_scan() fails.  Note that it's
supposed to be released at ___cfg80211_scan_done() but this doesn't happen
as rdev->scan_req is NULL at that point, too, leading to the early return
from the freeing function.

unreferenced object 0xffff8881161d0800 (size 512):
  comm "wpa_supplicant", pid 379, jiffies 4294749765
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 f0 81 13 16 81 88 ff ff  ................
  backtrace (crc c867fdb6):
    kmemleak_alloc+0x89/0x90
    __kmalloc_noprof+0x2fd/0x410
    cfg80211_scan+0x133/0x730
    nl80211_trigger_scan+0xc69/0x1cc0
    genl_family_rcv_msg_doit+0x204/0x2f0
    genl_rcv_msg+0x431/0x6b0
    netlink_rcv_skb+0x143/0x3f0
    genl_rcv+0x27/0x40
    netlink_unicast+0x4f6/0x820
    netlink_sendmsg+0x797/0xce0
    __sock_sendmsg+0xc4/0x160
    ____sys_sendmsg+0x5e4/0x890
    ___sys_sendmsg+0xf8/0x180
    __sys_sendmsg+0x136/0x1e0
    __x64_sys_sendmsg+0x76/0xc0
    x64_sys_call+0x13f0/0x17d0

Found by Linux Verification Center (linuxtesting.org).

Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20260601094157.92703-1-pchelkin@ispras.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/scan.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 358cbc9e43d851..27a56ee2e8f0b3 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1071,6 +1071,7 @@ int cfg80211_scan(struct cfg80211_registered_device *rdev)
 	struct cfg80211_scan_request_int *request;
 	struct cfg80211_scan_request_int *rdev_req = rdev->scan_req;
 	u32 n_channels = 0, idx, i;
+	int err;
 
 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) {
 		rdev_req->req.first_part = true;
@@ -1100,8 +1101,14 @@ int cfg80211_scan(struct cfg80211_registered_device *rdev)
 
 	rdev_req->req.scan_6ghz = false;
 	rdev_req->req.first_part = true;
+	err = rdev_scan(rdev, request);
+	if (err) {
+		kfree(request);
+		return err;
+	}
+
 	rdev->int_scan_req = request;
-	return rdev_scan(rdev, request);
+	return 0;
 }
 
 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
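
Review bot: `rdev->int_scan_req = request;` now runs after rdev_scan() has returned, where it used to run before the call, so anything that reads rdev->int_scan_req while rdev_scan() is still executing sees the old value. Please confirm that no driver scan callback or completion path reached from rdev_scan() depends on the field being set already. If one can, keep the assignment before the call and clear it again in the error branch next to kfree(request).
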
-- 
2.53.0





* [PATCH 6.1 124/522] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Xiao Liang,
	Maoyi Xie, Paolo Abeni

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 8b484efd5cb4eeef9021a661e198edc5349dacf6 upstream.

After patch 1/2 in this series, vti6_update() unlinks and relinks
the tunnel through t->net. vti6_siocdevprivate() still uses
dev_net(dev) for the collision lookup. For a tunnel moved through
IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net.

SIOCCHGTUNNEL on a migrated tunnel then runs:

  net = dev_net(dev)                    /* migrated netns */
  t   = vti6_locate(net, &p1, false)    /* misses target in t->net */
  ...
  t   = netdev_priv(dev)
  vti6_update(t, &p1, false)            /* mutates t->net's hash */

A caller in the migrated netns picks params that match a tunnel
in the creation netns. The lookup in dev_net(dev) finds nothing.
vti6_update() prepends the migrated tunnel at the head of the
creation netns hash bucket for those params. Later lookups in
the creation netns resolve to the migrated device. xfrm receive
delivers the matched packets through a device the caller controls.

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.

Switch the SIOCCHGTUNNEL path on a non fallback device to use
t->net for the lookup. The lookup now matches the netns
vti6_update() operates on.

Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before
the lookup. The check at the top of the case is against
dev_net(dev)->user_ns, which after migration is the attacker's
netns. A caller there can pick params absent from self->net,
the lookup returns NULL, t becomes self, and vti6_update()
inserts the device into the creation netns hash. The new check
requires CAP_NET_ADMIN in the creation netns user_ns too.

SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep
dev_net(dev), which equals init_net there.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Suggested-by: Xiao Liang <shaw.leon@gmail.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260521130555.3421684-3-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -840,17 +840,24 @@ vti6_siocdevprivate(struct net_device *d
 		if (p.proto != IPPROTO_IPV6  && p.proto != 0)
 			break;
 		vti6_parm_from_user(&p1, &p);
-		t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 		if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
+			struct ip6_tnl *self = netdev_priv(dev);
+
+			err = -EPERM;
+			if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN))
+				break;
+			t = vti6_locate(self->net, &p1, false);
 			if (t) {
 				if (t->dev != dev) {
 					err = -EEXIST;
 					break;
 				}
 			} else
-				t = netdev_priv(dev);
+				t = self;
 
 			err = vti6_update(t, &p1, false);
+		} else {
+			t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 		}
 		if (t) {
 			err = 0;
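
Review bot: the new ns_capable(self->net->user_ns, CAP_NET_ADMIN) test in the SIOCCHGTUNNEL branch has no comment, and beside the capability check the changelog mentions at the top of the case it reads like a duplicate. Add a comment saying that this one is against the creation netns (self->net) while the earlier one is against dev_net(dev), and that the two differ once the device has been moved. The same comment can note that vti6_locate() and vti6_update() must both use self->net, since that pairing is the point of the change.
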




* [PATCH 7.0 041/378] wifi: cfg80211: add support to handle incumbent signal detected event from mac80211/driver
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hari Chandrakanthan, Amith A,
	Johannes Berg, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hari Chandrakanthan <quic_haric@quicinc.com>

[ Upstream commit 6a584e336cefb230e2d981a464f4d85562eb750c ]

When any incumbent signal is detected by an AP/mesh interface operating
in 6 GHz band, FCC mandates the AP/mesh to vacate the channels affected
by it [1].

Add a new API cfg80211_incumbent_signal_notify() that can be used
by mac80211 or drivers to notify the higher layers about the signal
interference event with the interference bitmap in which each bit
denotes the affected 20 MHz in the operating channel.

Add support for the new nl80211 event and nl80211 attribute as well to
notify userspace on the details about the interference event. Userspace is
expected to process it and take further action - vacate the channel, or
reduce the bandwidth.

[1] - https://apps.fcc.gov/kdb/GetAttachment.html?id=nXQiRC%2B4mfiA54Zha%2BrW4Q%3D%3D&desc=987594%20D02%20U-NII%206%20GHz%20EMC%20Measurement%20v03&tracking_number=277034

Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
Signed-off-by: Amith A <amith.a@oss.qualcomm.com>
Link: https://patch.msgid.link/20260216032027.2310956-2-amith.a@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb9959ab5f99 ("wifi: cfg80211: enforce HE/EHT cap/oper consistency")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/cfg80211.h       | 23 +++++++++++++++++++++
 include/uapi/linux/nl80211.h | 19 +++++++++++++++++
 net/wireless/nl80211.c       | 40 ++++++++++++++++++++++++++++++++++++
 net/wireless/trace.h         | 19 +++++++++++++++++
 4 files changed, 101 insertions(+)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index fc01de19c7981a..2311d852e19ebc 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -10472,4 +10472,27 @@ cfg80211_s1g_get_primary_sibling(struct wiphy *wiphy,
 	return ieee80211_get_channel_khz(wiphy, sibling_1mhz_khz);
 }
 
+
+/**
+ * cfg80211_incumbent_signal_notify - Notify userspace of incumbent signal detection
+ * @wiphy: the wiphy to use
+ * @chandef: channel definition in which the interference was detected
+ * @signal_interference_bitmap: bitmap indicating interference across 20 MHz segments
+ * @gfp: allocation context for message creation and multicast; pass GFP_ATOMIC
+ *	if called from atomic context (e.g. firmware event handler), otherwise
+ *	GFP_KERNEL
+ *
+ * Use this function to notify userspace when an incumbent signal is detected on
+ * the operating channel in the 6 GHz band. The notification includes the
+ * current channel definition and a bitmap representing interference across
+ * the operating bandwidth. Each bit in the bitmap corresponds to a 20 MHz
+ * segment, with the lowest bit representing the lowest frequency segment.
+ * Punctured sub-channels are included in the bitmap structure but are always
+ * set to zero since interference detection is not performed on them.
+ */
+void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
+				      const struct cfg80211_chan_def *chandef,
+				      u32 signal_interference_bitmap,
+				      gfp_t gfp);
+
 #endif /* __NET_CFG80211_H */
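
Review bot: the hunk adds a second consecutive blank line ahead of the kernel-doc block for cfg80211_incumbent_signal_notify(), directly after the existing blank line; drop the added empty line. The kernel-doc also does not say what callers must do with bits of the u32 that lie above the operating bandwidth; one sentence stating that those bits must be zero would complete the contract.
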
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index b63f718509060d..b53e2d78c7bb3f 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -1361,6 +1361,12 @@
  *	user space that the NAN new cluster has been joined. The cluster ID is
  *	indicated by %NL80211_ATTR_MAC.
  *
+ * @NL80211_CMD_INCUMBENT_SIGNAL_DETECT: Once any incumbent signal is detected
+ *	on the operating channel in 6 GHz band, userspace is notified with the
+ *	signal interference bitmap using
+ *	%NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP. The current channel
+ *	definition is also sent.
+ *
  * @NL80211_CMD_MAX: highest used command number
  * @__NL80211_CMD_AFTER_LAST: internal use
  */
@@ -1624,6 +1630,8 @@ enum nl80211_commands {
 	NL80211_CMD_NAN_NEXT_DW_NOTIFICATION,
 	NL80211_CMD_NAN_CLUSTER_JOINED,
 
+	NL80211_CMD_INCUMBENT_SIGNAL_DETECT,
+
 	/* add new commands above here */
 
 	/* used to define NL80211_CMD_MAX below */
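
Review bot: NL80211_CMD_INCUMBENT_SIGNAL_DETECT is appended directly after NL80211_CMD_NAN_CLUSTER_JOINED, so its numeric value in this tree is fixed by whatever precedes it here. As this is a uapi enum added by a backport, please confirm that the resulting value matches the upstream header, that is, that no other command sits between these two upstream. A mismatch would give the event a different number from the one userspace built against mainline headers expects.
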
@@ -2984,6 +2992,15 @@ enum nl80211_commands {
  *	this feature during association. This is a flag attribute.
  *	Currently only supported in mac80211 drivers.
  *
+ * @NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP: u32 attribute specifying
+ *	the signal interference bitmap detected on the operating bandwidth for
+ *	%NL80211_CMD_INCUMBENT_SIGNAL_DETECT. Each bit represents a 20 MHz
+ *	segment, lowest bit corresponds to the lowest 20 MHz segment, in the
+ *	operating bandwidth where the interference is detected. Punctured
+ *	sub-channels are included in the bitmap structure; however, since
+ *	interference detection is not performed on these sub-channels, their
+ *	corresponding bits are consistently set to zero.
+ *
  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
  * @NL80211_ATTR_MAX: highest attribute number currently defined
  * @__NL80211_ATTR_AFTER_LAST: internal use
@@ -3557,6 +3574,8 @@ enum nl80211_attrs {
 	NL80211_ATTR_UHR_CAPABILITY,
 	NL80211_ATTR_DISABLE_UHR,
 
+	NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
+
 	/* add attributes here, update the policy in nl80211.c */
 
 	__NL80211_ATTR_AFTER_LAST,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index b94231c8441c48..d00357488ea8ea 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -21120,6 +21120,46 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
 }
 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
 
+void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
+				      const struct cfg80211_chan_def *chandef,
+				      u32 signal_interference_bitmap,
+				      gfp_t gfp)
+{
+	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+	struct sk_buff *msg;
+	void *hdr;
+
+	trace_cfg80211_incumbent_signal_notify(wiphy, chandef, signal_interference_bitmap);
+
+	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	if (!msg)
+		return;
+
+	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_INCUMBENT_SIGNAL_DETECT);
+	if (!hdr)
+		goto nla_put_failure;
+
+	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
+		goto nla_put_failure;
+
+	if (nl80211_send_chandef(msg, chandef))
+		goto nla_put_failure;
+
+	if (nla_put_u32(msg, NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
+			signal_interference_bitmap))
+		goto nla_put_failure;
+
+	genlmsg_end(msg, hdr);
+
+	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
+				NL80211_MCGRP_MLME, gfp);
+	return;
+
+nla_put_failure:
+	nlmsg_free(msg);
+}
+EXPORT_SYMBOL(cfg80211_incumbent_signal_notify);
+
 void cfg80211_ch_switch_started_notify(struct net_device *dev,
 				       struct cfg80211_chan_def *chandef,
 				       unsigned int link_id, u8 count,
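
Review bot: cfg80211_incumbent_signal_notify() returns silently when nlmsg_new() fails, when any of the nla_put calls fails, and it ignores the return value of genlmsg_multicast_netns(), so a dropped notification leaves no trace beyond the tracepoint at entry. Given that the changelog describes vacating the channel as mandated, consider at least a rate-limited warning on the nla_put_failure path and the allocation failure path. Separately, the message carries only NL80211_ATTR_WIPHY and the chandef; if more than one interface can share the wiphy, userspace has to match on the chandef to find the affected one, which deserves a mention in the attribute documentation.
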
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index 643ccf4f022722..352a57d8b96819 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -4225,6 +4225,25 @@ TRACE_EVENT(cfg80211_nan_cluster_joined,
 		  WDEV_PR_ARG, __entry->cluster_id,
 		  __entry->new_cluster ? " [new]" : "")
 );
+
+TRACE_EVENT(cfg80211_incumbent_signal_notify,
+	TP_PROTO(struct wiphy *wiphy,
+		 const struct cfg80211_chan_def *chandef,
+		 u32 signal_interference_bitmap),
+	TP_ARGS(wiphy, chandef, signal_interference_bitmap),
+	TP_STRUCT__entry(
+		WIPHY_ENTRY
+		CHAN_DEF_ENTRY
+		__field(u32, signal_interference_bitmap)
+	),
+	TP_fast_assign(
+		WIPHY_ASSIGN;
+		CHAN_DEF_ASSIGN(chandef);
+		__entry->signal_interference_bitmap = signal_interference_bitmap;
+	),
+	TP_printk(WIPHY_PR_FMT ", " CHAN_DEF_PR_FMT ", signal_interference_bitmap=0x%x",
+		  WIPHY_PR_ARG, CHAN_DEF_PR_ARG, __entry->signal_interference_bitmap)
+);
 #endif /* !__RDEV_OPS_TRACE || TRACE_HEADER_MULTI_READ */
 
 #undef TRACE_INCLUDE_PATH
-- 
2.53.0





* [PATCH 6.1 125/522] ipv6: validate extension header length before copying to cmsg
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qi Tang, Willem de Bruijn,
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qi Tang <tpluszz77@gmail.com>

commit dd433671fef381fdaf7b530c631e6b782d66e224 upstream.

ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
The length was validated only at parse time (ipv6_parse_hopopts(),
etc.).  An nftables payload-write expression can rewrite hdrlen after
parsing and before the skb reaches recvmsg; the write itself is
in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
bytes from an 8-byte header.  nftables is reachable from an
unprivileged user namespace, so this is an unprivileged
slab-out-of-bounds read:

  BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
   put_cmsg+0x3ac/0x540
   udpv6_recvmsg+0xca0/0x1250
   sock_recvmsg+0xdf/0x190
   ____sys_recvmsg+0x1b1/0x620

Add ipv6_get_exthdr_len() which validates that at least two bytes
are accessible before reading the hdrlen field, then checks the
computed length against skb_tail_pointer(skb), returning 0 on
failure.  Extension headers are kept in the linear skb area by
pskb_may_pull() during input, so skb_tail_pointer() is the correct
bound.

Use ipv6_get_exthdr_len() at all non-AH call sites: the five
standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
and the three standard cases in the extension-header walk loop
(DSTOPTS, ROUTING, default).  AH retains an inline bounds check
because its length formula differs ((ptr[1]+2)<<2).

The walk loop also gets a pre-read bounds check at the top to
validate ptr before any case accesses ptr[0] or ptr[1].

When the walk loop detects a corrupted header, return from the
function instead of continuing to process later socket options.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/datagram.c |   54 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 8 deletions(-)

--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -616,6 +616,18 @@ void ip6_datagram_recv_common_ctl(struct
 	}
 }
 
+static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
+{
+	u16 len;
+
+	if (ptr + 2 > skb_tail_pointer(skb))
+		return 0;
+
+	len = (ptr[1] + 1) << 3;
+
+	return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
+}
+
 void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
 				    struct sk_buff *skb)
 {
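
Review bot: ipv6_get_exthdr_len() has no comment stating its contract: a return of 0 means the header is truncated or its hdrlen byte describes a length that runs past skb_tail_pointer(skb), and the bound is the linear area only. Callers rely on 0 as the error value, which works because `(ptr[1] + 1) << 3` is never below 8. A short comment above the function saying so, and that the formula does not apply to AH, would make the call sites self-explanatory.
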
@@ -642,7 +654,10 @@ void ip6_datagram_recv_specific_ctl(stru
 	/* HbH is allowed only once */
 	if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
 		u8 *ptr = nh + sizeof(struct ipv6hdr);
-		put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
 	}
 
 	if (opt->lastopt &&
@@ -663,26 +678,37 @@ void ip6_datagram_recv_specific_ctl(stru
 			unsigned int len;
 			u8 *ptr = nh + off;
 
+			if (ptr + 2 > skb_tail_pointer(skb))
+				return;
+
 			switch (nexthdr) {
 			case IPPROTO_DSTOPTS:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				if (np->rxopt.bits.dstopts)
 					put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
 				break;
 			case IPPROTO_ROUTING:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				if (np->rxopt.bits.srcrt)
 					put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
 				break;
 			case IPPROTO_AH:
 				nexthdr = ptr[0];
 				len = (ptr[1] + 2) << 2;
+				if (ptr + len > skb_tail_pointer(skb))
+					return;
 				break;
 			default:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				break;
 			}
 
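
Review bot: in the IPPROTO_AH case the bound is open-coded as `ptr + len > skb_tail_pointer(skb)`, while the other three cases go through ipv6_get_exthdr_len(), which compares the length against the remaining bytes instead of forming `ptr + len`. Writing the AH test as `len > skb_tail_pointer(skb) - ptr` would match the helper, and a comment that AH uses `(ptr[1] + 2) << 2` would explain why the helper is not used. A one-line comment at the new pre-read check that every `return` in this loop intentionally skips the remaining cmsgs would also help.
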
@@ -704,19 +730,31 @@ void ip6_datagram_recv_specific_ctl(stru
 	}
 	if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
 		u8 *ptr = nh + sizeof(struct ipv6hdr);
-		put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.odstopts && opt->dst0) {
 		u8 *ptr = nh + opt->dst0;
-		put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.osrcrt && opt->srcrt) {
 		struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
-		put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
+		u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
 	}
 	if (np->rxopt.bits.odstopts && opt->dst1) {
 		u8 *ptr = nh + opt->dst1;
-		put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.rxorigdstaddr) {
 		struct sockaddr_in6 sin6;




* [PATCH 7.0 042/378] wifi: nl80211: split out UHR operation information
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit e4b993f2bca78357b430170574f8de7bc7874088 ]

The beacon doesn't contain the full UHR operation, a number
of fields (such as NPCA) are only partially there. Add a new
attribute to contain the full information, so it's available
to the driver/mac80211.

Link: https://patch.msgid.link/20260303221710.866bacf82639.Iafdf37fb0f4304bdcdb824977d61e17b38c47685@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb9959ab5f99 ("wifi: cfg80211: enforce HE/EHT cap/oper consistency")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/nl80211.h |  6 ++++++
 net/wireless/nl80211.c       | 26 ++++++++++++++++----------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index b53e2d78c7bb3f..b997e6c6fc4b38 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -3001,6 +3001,10 @@ enum nl80211_commands {
  *	interference detection is not performed on these sub-channels, their
  *	corresponding bits are consistently set to zero.
  *
+ * @NL80211_ATTR_UHR_OPERATION: Full UHR Operation element, as it appears in
+ *	association response etc., since it's abridged in the beacon. Used
+ *	for START_AP etc.
+ *
  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
  * @NL80211_ATTR_MAX: highest attribute number currently defined
  * @__NL80211_ATTR_AFTER_LAST: internal use
@@ -3576,6 +3580,8 @@ enum nl80211_attrs {
 
 	NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
 
+	NL80211_ATTR_UHR_OPERATION,
+
 	/* add attributes here, update the policy in nl80211.c */
 
 	__NL80211_ATTR_AFTER_LAST,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index d00357488ea8ea..84fcfb1e53a156 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -341,6 +341,17 @@ static int validate_uhr_capa(const struct nlattr *attr,
 	return ieee80211_uhr_capa_size_ok(data, len, false);
 }
 
+static int validate_uhr_operation(const struct nlattr *attr,
+				  struct netlink_ext_ack *extack)
+{
+	const u8 *data = nla_data(attr);
+	unsigned int len = nla_len(attr);
+
+	if (!ieee80211_uhr_oper_size_ok(data, len, false))
+		return -EINVAL;
+	return 0;
+}
+
 /* policy for the attributes */
 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
 
@@ -946,6 +957,8 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_UHR_CAPABILITY] =
 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
+	[NL80211_ATTR_UHR_OPERATION] =
+		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_operation),
 };
 
 /* policy for the key attributes */
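
Review bot: the new policy entry `NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_operation)` passes no maximum length, while the NL80211_ATTR_UHR_CAPABILITY entry two lines above passes 255. If the omission is deliberate because ieee80211_uhr_oper_size_ok() fully bounds the element, say so in a comment; otherwise pass the same explicit upper bound so the attribute size is limited by the policy before the validate callback runs.
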
@@ -6486,16 +6499,6 @@ static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
 			return -EINVAL;
 	}
 
-	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_UHR_OPER, ies, ies_len);
-	if (cap) {
-		if (!cap->datalen)
-			return -EINVAL;
-		params->uhr_oper = (void *)(cap->data + 1);
-		if (!ieee80211_uhr_oper_size_ok((const u8 *)params->uhr_oper,
-						cap->datalen - 1, true))
-			return -EINVAL;
-	}
-
 	return 0;
 }
 
@@ -6928,6 +6931,9 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
 	if (err)
 		goto out;
 
+	if (info->attrs[NL80211_ATTR_UHR_OPERATION])
+		params->uhr_oper = nla_data(info->attrs[NL80211_ATTR_UHR_OPERATION]);
+
 	err = nl80211_validate_ap_phy_operation(params);
 	if (err)
 		goto out;
-- 
2.53.0





* [PATCH 6.1 126/522] xfrm: input: hold netns during deferred transport reinjection
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
	Luxing Yin, Zhengchuan Liang, Ren Wei, Steffen Klassert

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit c16f74dc1d75d0e2e7670076d5375deda110ebeb upstream.

Transport-mode reinjection stores a struct net pointer in skb->cb and
uses it later from xfrm_trans_reinject(). That pointer must stay valid
until the deferred callback runs.

Take a netns reference when queueing deferred reinjection work and drop
it after the callback completes. Use maybe_get_net() so the queueing
path does not revive a namespace that is already being torn down.

This keeps the existing workqueue design and fixes the netns lifetime
handling in one place for all users of xfrm_trans_queue_net().

Fixes: 7b3801927e52 ("xfrm: introduce xfrm_trans_queue_net")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_input.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -759,9 +759,12 @@ static void xfrm_trans_reinject(struct w
 	spin_unlock_bh(&trans->queue_lock);
 
 	local_bh_disable();
-	while ((skb = __skb_dequeue(&queue)))
-		XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
-					       NULL, skb);
+	while ((skb = __skb_dequeue(&queue))) {
+		struct net *net = XFRM_TRANS_SKB_CB(skb)->net;
+
+		XFRM_TRANS_SKB_CB(skb)->finish(net, NULL, skb);
+		put_net(net);
+	}
 	local_bh_enable();
 }
 
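Review bot: The put_net(net) added after finish() in the dequeue loop has no comment tying it to the reference taken in xfrm_trans_queue_net(). A one-line note that it pairs with maybe_get_net() there would keep the lifetime rule visible to anyone who later adds another way to drain or purge this queue, since any skb dropped without this put leaks a namespace reference.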
@@ -770,6 +773,7 @@ int xfrm_trans_queue_net(struct net *net
 				       struct sk_buff *))
 {
 	struct xfrm_trans_tasklet *trans;
+	struct net *hold_net;
 
 	trans = this_cpu_ptr(&xfrm_trans_tasklet);
 
@@ -778,8 +782,12 @@ int xfrm_trans_queue_net(struct net *net
 
 	BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
 
+	hold_net = maybe_get_net(net);
+	if (!hold_net)
+		return -ENODEV;
+
 	XFRM_TRANS_SKB_CB(skb)->finish = finish;
-	XFRM_TRANS_SKB_CB(skb)->net = net;
+	XFRM_TRANS_SKB_CB(skb)->net = hold_net;
 	spin_lock_bh(&trans->queue_lock);
 	__skb_queue_tail(&trans->queue, skb);
 	spin_unlock_bh(&trans->queue_lock);
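Review bot: The new return -ENODEV when maybe_get_net() fails leaves the skb neither queued nor freed in this function, so every caller of xfrm_trans_queue_net() has to release the skb on this error. The callers are not part of this diff; confirm each one treats a non-zero return that way, and document the skb ownership rule above the function.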




* [PATCH 7.0 043/378] wifi: cfg80211: enforce HE/EHT cap/oper consistency
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 042/378] wifi: nl80211: split out UHR operation information Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 044/378] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
                   ` (335 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xiang Mei, Johannes Berg,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit cb9959ab5f99611d27a06586add84811fe8102dc ]

Xiang Mei reports that mac80211 could crash if eht_cap is set
but eht_oper isn't. Rather than fixing that for the individual
user(s), enforce that both HE/EHT have consistent elements.

Reported-by: Xiang Mei <xmei5@asu.edu>
Fixes: 22c64f37e1d4 ("wifi: mac80211: Update MCS15 support in link_conf")
Link: https://patch.msgid.link/20260603091812.101894-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 84fcfb1e53a156..fe0c0c198b2526 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6499,6 +6499,12 @@ static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
 			return -EINVAL;
 	}
 
+	if (!!params->he_cap != !!params->he_oper)
+		return -EINVAL;
+
+	if (!!params->eht_cap != !!params->eht_oper)
+		return -EINVAL;
+
 	return 0;
 }
 
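Review bot: The two presence checks added before return 0 cover he_cap/he_oper and eht_cap/eht_oper only. If params->uhr_oper has the same pairing requirement with a UHR capability, add the equivalent check here so the rule lives in one place. A short comment saying which combinations are rejected would also help, because the bare -EINVAL gives user space no hint which element was missing.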
-- 
2.53.0





* [PATCH 6.1 127/522] ip6: vti: Use ip6_tnl.net in vti6_changelink().
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 126/522] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 128/522] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
                   ` (395 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
	Kuniyuki Iwashima, Paolo Abeni

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

commit 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe upstream.

ip netns add ns1
ip netns add ns2
ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
ip -n ns1 link set vti6_test netns ns2
ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
ip netns del ns2
ip netns del ns1
[  132.495484] ------------[ cut here ]------------
[  132.497609] kernel BUG at net/core/dev.c:12376!

Commit 61220ab34948 ("vti6: Enable namespace changing") dropped
NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then
move through IFLA_NET_NS_FD. After the move dev_net(dev) points
at the new netns while t->net stays at the creation netns.

vti6_changelink() and vti6_update() still use dev_net(dev) and
dev_net(t->dev). They unlink from one per netns hash and relink
into another. The creation netns is left with a stale entry.
cleanup_net() of that netns later walks freed memory.

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260521130555.3421684-2-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -728,10 +728,11 @@ vti6_tnl_change(struct ip6_tnl *t, const
 static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p,
 		       bool keep_mtu)
 {
-	struct net *net = dev_net(t->dev);
-	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+	struct net *net = t->net;
+	struct vti6_net *ip6n;
 	int err;
 
+	ip6n = net_generic(net, vti6_net_id);
 	vti6_tnl_unlink(ip6n, t);
 	synchronize_net();
 	err = vti6_tnl_change(t, p, keep_mtu);
@@ -1045,11 +1046,12 @@ static int vti6_changelink(struct net_de
 			   struct nlattr *data[],
 			   struct netlink_ext_ack *extack)
 {
-	struct ip6_tnl *t;
+	struct ip6_tnl *t = netdev_priv(dev);
+	struct net *net = t->net;
 	struct __ip6_tnl_parm p;
-	struct net *net = dev_net(dev);
-	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+	struct vti6_net *ip6n;
 
+	ip6n = net_generic(net, vti6_net_id);
 	if (dev == ip6n->fb_tnl_dev)
 		return -EINVAL;
 
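Review bot: The switch from dev_net(dev) to t->net in vti6_changelink(), and in vti6_update() in the hunk above, is the whole fix, but nothing in the code says why the creation netns is the right one. A short comment next to "struct net *net = t->net;" stating that the tunnel stays hashed in its creation netns after the device moves would stop a later cleanup from changing it back to dev_net().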




* [PATCH 7.0 044/378] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 043/378] wifi: cfg80211: enforce HE/EHT cap/oper consistency Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 045/378] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
                   ` (334 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Cen, Luiz Augusto von Dentz,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

[ Upstream commit 43c441edacf953b39517a44f5e5e10a93618b226 ]

rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock,
but returns the selected listener after dropping that lock without
taking a reference. rfcomm_connect_ind() then locks the listener,
queues a child socket on it, and may notify it after unlocking it.

The buggy scenario involves two paths, with each column showing the
order within that path:

rfcomm_connect_ind():            listener close:
  1. Find parent in              1. close() enters
     rfcomm_get_sock_by_channel()   rfcomm_sock_release().
  2. Drop rfcomm_sk_list.lock    2. rfcomm_sock_shutdown()
     without pinning parent.        closes the listener.
  3. Call lock_sock(parent) and  3. rfcomm_sock_kill()
     bt_accept_enqueue(parent,      unlinks and puts parent.
     sk, true).
  4. Read parent flags and may   4. parent can be freed.
     call sk_state_change().

If close wins the race, parent can be freed before
rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the
deferred-setup callback.

Take a reference on the listener before leaving rfcomm_sk_list.lock.
After lock_sock() succeeds, recheck that it is still in BT_LISTEN
before queueing a child, cache the deferred-setup bit while the parent
is locked, and drop the reference after the last parent use.

KASAN reported a slab-use-after-free in lock_sock_nested() from
rfcomm_connect_ind(), with the freeing stack going through
rfcomm_sock_kill() and rfcomm_sock_release().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/rfcomm/sock.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index bd7d959c6e9eb8..805ed5d28ed668 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -122,7 +122,7 @@ static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
 }
 
 /* Find socket with channel and source bdaddr.
- * Returns closest match.
+ * Returns closest match with an extra reference held.
  */
 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
 {
@@ -136,15 +136,25 @@ static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *
 
 		if (rfcomm_pi(sk)->channel == channel) {
 			/* Exact match. */
-			if (!bacmp(&rfcomm_pi(sk)->src, src))
+			if (!bacmp(&rfcomm_pi(sk)->src, src)) {
+				sock_hold(sk);
 				break;
+			}
 
 			/* Closest match */
-			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
+			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) {
+				if (sk1)
+					sock_put(sk1);
+
 				sk1 = sk;
+				sock_hold(sk1);
+			}
 		}
 	}
 
+	if (sk && sk1)
+		sock_put(sk1);
+
 	read_unlock(&rfcomm_sk_list.lock);
 
 	return sk ? sk : sk1;
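Review bot: The loop in rfcomm_get_sock_by_channel() now takes and drops a reference for every wildcard candidate, and then drops sk1 again when an exact match is found. Because rfcomm_sk_list.lock is held until read_unlock(), a single sock_hold() on the chosen socket just before the unlock gives the same guarantee and removes the extra put/hold sites and the "if (sk && sk1)" special case.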
@@ -941,6 +951,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
 {
 	struct sock *sk, *parent;
 	bdaddr_t src, dst;
+	bool defer_setup = false;
 	int result = 0;
 
 	BT_DBG("session %p channel %d", s, channel);
@@ -954,6 +965,11 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
 
 	lock_sock(parent);
 
+	if (parent->sk_state != BT_LISTEN)
+		goto done;
+
+	defer_setup = test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags);
+
 	/* Check for backlog size */
 	if (sk_acceptq_is_full(parent)) {
 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
@@ -981,9 +997,11 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
 done:
 	release_sock(parent);
 
-	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
+	if (defer_setup)
 		parent->sk_state_change(parent);
 
+	sock_put(parent);
+
 	return result;
 }
 
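Review bot: The sock_put(parent) after the done: label balances the reference only for paths that reach that label. rfcomm_get_sock_by_channel() now returns a held socket to every caller, so any other caller, and any return between the lookup and lock_sock(parent) in rfcomm_connect_ind(), needs a matching put; neither is visible in this diff and both should be checked.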
-- 
2.53.0





* [PATCH 6.1 128/522] HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 127/522] ip6: vti: Use ip6_tnl.net in vti6_changelink() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 129/522] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
                   ` (394 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ping Cheng, Lee Jones,
	Benjamin Tissoires

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

commit c0a8899e02ddebd51e2589835182c239c2e224ae upstream.

wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
usage is always located in the first field (field[0]) of the feature report.
However, a device can specify HID_DG_INPUTMODE in a different field.

If HID_DG_INPUTMODE is in a field other than the first one and the first
field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
this leads to an out-of-bounds write to r->field[0]->value.

Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
hid_data' during feature mapping.  In wacom_hid_set_device_mode(), use
this stored field index to access the correct field and add bounds
checks to ensure both the field index and the value index are within
valid ranges before writing.

Cc: stable@vger.kernel.org
Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
Tested-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_sys.c |   13 ++++++++++---
 drivers/hid/wacom_wac.h |    1 +
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -341,6 +341,7 @@ static void wacom_feature_mapping(struct
 
 		hid_data->inputmode = field->report->id;
 		hid_data->inputmode_index = usage->usage_index;
+		hid_data->inputmode_field_index = field->index;
 		break;
 
 	case HID_UP_DIGITIZER:
@@ -556,9 +557,14 @@ static int wacom_hid_set_device_mode(str
 
 	re = &(hdev->report_enum[HID_FEATURE_REPORT]);
 	r = re->report_id_hash[hid_data->inputmode];
-	if (r) {
-		r->field[0]->value[hid_data->inputmode_index] = 2;
-		hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+	if (r && hid_data->inputmode_field_index >= 0 &&
+	    hid_data->inputmode_field_index < r->maxfield) {
+		struct hid_field *field = r->field[hid_data->inputmode_field_index];
+
+		if (field && hid_data->inputmode_index < field->report_count) {
+			field->value[hid_data->inputmode_index] = 2;
+			hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+		}
 	}
 	return 0;
 }
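Review bot: In wacom_hid_set_device_mode() the field index gets an explicit ">= 0" check, but inputmode_index, which is also __s16 according to the wacom_wac.h hunk, is only compared against field->report_count. Add "hid_data->inputmode_index >= 0" to the inner condition so the write to field->value[] does not depend on how a negative index converts in that comparison.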
@@ -2813,6 +2819,7 @@ static int wacom_probe(struct hid_device
 		return error;
 
 	wacom_wac->hid_data.inputmode = -1;
+	wacom_wac->hid_data.inputmode_field_index = -1;
 	wacom_wac->mode_report = -1;
 
 	if (hid_is_usb(hdev)) {
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -297,6 +297,7 @@ struct wacom_shared {
 struct hid_data {
 	__s16 inputmode;	/* InputMode HID feature, -1 if non-existent */
 	__s16 inputmode_index;	/* InputMode HID feature index in the report */
+	__s16 inputmode_field_index; /* InputMode HID feature field index in the report */
 	bool sense_state;
 	bool inrange_state;
 	bool invert_state;




* [PATCH 7.0 045/378] Bluetooth: MGMT: validate advertising TLV before type checks
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 044/378] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 046/378] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
                   ` (333 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Menzel, Zhang Cen,
	Luiz Augusto von Dentz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

[ Upstream commit de23fb62259aa01d294f77238ae3b835eb674413 ]

tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:

  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
  Read of size 1
  Call trace:
    tlv_data_is_valid()
    add_advertising()
    hci_mgmt_cmd()
    hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].

Fixes: 2bb36870e8cb ("Bluetooth: Unify advertising instance flags check")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index de5bd6b637b205..027b266ccc747c 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8638,6 +8638,12 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
 		if (!cur_len)
 			continue;
 
+		/* If the current field length would exceed the total data
+		 * length, then it's invalid.
+		 */
+		if (i + cur_len >= len)
+			return false;
+
 		if (data[i + 1] == EIR_FLAGS &&
 		    (!is_adv_data || flags_managed(adv_flags)))
 			return false;
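Review bot: The relocated comment above "if (i + cur_len >= len)" still only says the field would exceed the data length. Since the position of this check is now what protects the data[i + 1] reads that follow it, say so in the comment, for example that it must stay ahead of every type-octet test, so a later reordering does not reintroduce the one-byte overread.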
@@ -8654,12 +8660,6 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
 		if (data[i + 1] == EIR_APPEARANCE &&
 		    appearance_managed(adv_flags))
 			return false;
-
-		/* If the current field length would exceed the total data
-		 * length, then it's invalid.
-		 */
-		if (i + cur_len >= len)
-			return false;
 	}
 
 	return true;
-- 
2.53.0
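
The ordering problem from the commit message above, as an added example that is not part of the patch or of the kernel source: a simplified user-space model of the advertising-data walk, with the post-fix check order and an instrumented pre-fix order that reports the overread instead of performing it. The loop shape, the function names, the sample buffers and the single managed type are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bluetooth "Flags" AD type. Treating it as the only stack-managed type is a
 * simplification made for this example. */
#define AD_TYPE_FLAGS 0x01

/* Constructed sample buffers, each a run of [len][type][value...] elements. */
static const uint8_t sample_ok[]          = { 0x02, 0x0a, 0x00, 0x03, 0xff, 0x01, 0x02 };
static const uint8_t sample_truncated[]   = { 0x02, 0x0a, 0x00, 0x03 }; /* last byte is a length */
static const uint8_t sample_short_value[] = { 0x05, 0x09, 0x61 };       /* value cut short */
static const uint8_t sample_flags[]       = { 0x02, 0x01, 0x06 };       /* managed type supplied */

/* Post-fix order: the element is proven to fit before its type octet is read. */
bool adv_tlv_is_valid(const uint8_t *data, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t cur_len = data[i];

		if (cur_len == 0) {		/* empty element: length byte only */
			i++;
			continue;
		}
		if (i + cur_len >= len)		/* element runs past the buffer */
			return false;
		if (data[i + 1] == AD_TYPE_FLAGS)	/* safe: i + 1 <= i + cur_len < len */
			return false;
		i += (size_t)cur_len + 1;
	}
	return true;
}

/* Pre-fix order, instrumented: returns true when that order would have read
 * data[i + 1] at an index >= len. The read itself is never performed here. */
bool old_order_reads_past_end(const uint8_t *data, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t cur_len = data[i];

		if (cur_len == 0) {
			i++;
			continue;
		}
		if (i + 1 >= len)		/* type octet lies outside the buffer */
			return true;
		if (data[i + 1] == AD_TYPE_FLAGS)	/* old position of the type checks */
			return false;
		if (i + cur_len >= len)		/* old position of the length check */
			return false;
		i += (size_t)cur_len + 1;
	}
	return false;
}

int main(void)
{
	printf("truncated: valid=%d old_overread=%d\n",
	       adv_tlv_is_valid(sample_truncated, sizeof(sample_truncated)),
	       old_order_reads_past_end(sample_truncated, sizeof(sample_truncated)));
	printf("well-formed: valid=%d old_overread=%d\n",
	       adv_tlv_is_valid(sample_ok, sizeof(sample_ok)),
	       old_order_reads_past_end(sample_ok, sizeof(sample_ok)));
	return 0;
}
```

Only the buffer whose final byte is a non-zero length triggers the overread in the old order; a value that is merely cut short is rejected by both orders without touching memory outside the buffer.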





* [PATCH 6.1 129/522] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 128/522] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 130/522] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
                   ` (393 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Thomas Gleixner,
	Andrew Morton, Miguel Ojeda, linux-kbuild, Arnd Bergmann,
	Joerg Roedel

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 4c9ad387aa2d6785299722e54224d34764edaeb3 upstream.

gcc-16 has gained some more advanced inter-procedural optimization
techniques that enable it to inline the dummy_tlb_add_page() and
dummy_tlb_flush() function pointers into a specialized version of
__arm_v7s_unmap:

WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text)
ERROR: modpost: Section mismatches detected.

From what I can tell, the transformation is correct, as this is only
called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(),
which is also __init. Since __arm_v7s_unmap() however is not __init,
gcc cannot inline the inner function calls directly.

In debug_objects_selftest(), the same thing happens. Both the
caller and the leaf function are __init, but the IPA pulls
it into a non-init one:

WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text)

Marking the affected functions as not "__init" would reliably avoid this
issue but is not a good solution because it removes an otherwise correct
annotation. I tried marking the functions as 'noinline', but that ended
up not covering all the affected configurations.

With some more experimenting, I found that marking these functions as
__attribute__((noipa)) is both logical and reliable.

In order to keep the syntax readable, add a custom macro for this in
include/linux/compiler_attributes.h next to other related macros and
use it to annotate both files.

Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/
Cc: Will Deacon <will@kernel.org>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: linux-kbuild@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/io-pgtable-arm-v7s.c  |   18 ++++++++++++------
 include/linux/compiler_attributes.h |   11 +++++++++++
 lib/debugobjects.c                  |    2 +-
 3 files changed, 24 insertions(+), 7 deletions(-)

--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -909,21 +909,27 @@ struct io_pgtable_init_fns io_pgtable_ar
 
 static struct io_pgtable_cfg *cfg_cookie __initdata;
 
-static void __init dummy_tlb_flush_all(void *cookie)
+/*
+ * __noipa prevents gcc from turning indirect iommu_flush_ops calls
+ * into direct calls from a specialized __arm_v7s_unmap() that triggers
+ * a build time section mismatch assertion.
+ */
+static __noipa void __init dummy_tlb_flush_all(void *cookie)
 {
 	WARN_ON(cookie != cfg_cookie);
 }
 
-static void __init dummy_tlb_flush(unsigned long iova, size_t size,
-				   size_t granule, void *cookie)
+static __noipa void __init dummy_tlb_flush(unsigned long iova, size_t size,
+					   size_t granule, void *cookie)
 {
 	WARN_ON(cookie != cfg_cookie);
 	WARN_ON(!(size & cfg_cookie->pgsize_bitmap));
 }
 
-static void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
-				      unsigned long iova, size_t granule,
-				      void *cookie)
+static __noipa void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
+					      unsigned long iova,
+					      size_t granule,
+					      void *cookie)
 {
 	dummy_tlb_flush(iova, granule, granule, cookie);
 }
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -385,6 +385,17 @@
 #endif
 
 /*
+ * Optional: not supported by clang
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-noipa
+ */
+#if __has_attribute(noipa)
+# define __noipa __attribute__((noipa))
+#else
+# define __noipa
+#endif
+
+/*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
  */
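Review bot: The comment block for __noipa gives the gcc link and the clang caveat but not what the macro is for. Because the #else branch makes it expand to nothing, add a line stating that it is used to keep gcc from specializing __init helpers into non-init callers, and that compilers without the attribute are expected not to need it.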
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -1065,7 +1065,7 @@ struct self_test {
 
 static __initconst const struct debug_obj_descr descr_type_test;
 
-static bool __init is_static_object(void *addr)
+static __noipa bool __init is_static_object(void *addr)
 {
 	struct self_test *obj = addr;
 
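Review bot: is_static_object() gets __noipa with no explanation, unlike the dummy_tlb_* helpers in io-pgtable-arm-v7s.c, which carry a comment. Add a matching comment here naming the function gcc pulls it into (lookup_object_or_alloc() according to the modpost warning in the commit message) so the attribute is not later removed as noise.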




* [PATCH 7.0 046/378] Bluetooth: RFCOMM: validate skb length in MCC handlers
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 045/378] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 047/378] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
                   ` (332 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, SeungJu Cheon,
	Luiz Augusto von Dentz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeungJu Cheon <suunj1331@gmail.com>

[ Upstream commit 23882b828c3c8c51d0c946446a396b10abb3b16b ]

The RFCOMM MCC handlers cast skb->data to protocol-specific structs
without validating skb->len first. A malicious remote device can send
truncated MCC frames and trigger out-of-bounds reads in these handlers.

Fix this by using skb_pull_data() to validate and access the required
data before dereferencing it.

rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows
1-byte RPN requests. Handle this by validating only the DLCI byte first,
and validating the full struct only when len > 1.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/rfcomm/core.c | 67 +++++++++++++++++++++++++++----------
 1 file changed, 49 insertions(+), 18 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151ecf..33d4d6fdf8681f 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1431,10 +1431,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
 
 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 {
-	struct rfcomm_pn *pn = (void *) skb->data;
+	struct rfcomm_pn *pn;
 	struct rfcomm_dlc *d;
-	u8 dlci = pn->dlci;
+	u8 dlci;
+
+	pn = skb_pull_data(skb, sizeof(*pn));
+	if (!pn)
+		return -EILSEQ;
 
+	dlci = pn->dlci;
 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
 
 	if (!dlci)
@@ -1483,8 +1488,8 @@ static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 
 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
 {
-	struct rfcomm_rpn *rpn = (void *) skb->data;
-	u8 dlci = __get_dlci(rpn->dlci);
+	struct rfcomm_rpn *rpn;
+	u8 dlci;
 
 	u8 bit_rate  = 0;
 	u8 data_bits = 0;
@@ -1495,15 +1500,16 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
 	u8 xoff_char = 0;
 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
 
-	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
-		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
-		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
+	if (len == 1) {
+		rpn = skb_pull_data(skb, 1);
+		if (!rpn)
+			return -EILSEQ;
 
-	if (!cr)
-		return 0;
+		dlci = __get_dlci(rpn->dlci);
+
+		if (!cr)
+			return 0;
 
-	if (len == 1) {
-		/* This is a request, return default (according to ETSI TS 07.10) settings */
 		bit_rate  = RFCOMM_RPN_BR_9600;
 		data_bits = RFCOMM_RPN_DATA_8;
 		stop_bits = RFCOMM_RPN_STOP_1;
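Review bot: The len == 1 branch in rfcomm_recv_rpn() loses the comment that explained it ("This is a request, return default (according to ETSI TS 07.10) settings"). With the branch now doing its own one-byte skb_pull_data(), keep that comment and extend it to say that the struct rfcomm_rpn pointer is backed by a single byte there, so only rpn->dlci may be read in this branch.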
@@ -1514,6 +1520,19 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
 		goto rpn_out;
 	}
 
+	rpn = skb_pull_data(skb, sizeof(*rpn));
+	if (!rpn)
+		return -EILSEQ;
+
+	dlci = __get_dlci(rpn->dlci);
+
+	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
+	       dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
+	       rpn->xon_char, rpn->xoff_char, rpn->param_mask);
+
+	if (!cr)
+		return 0;
+
 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
 	 * no parity, no flow control lines, normal XON/XOFF chars */
 
@@ -1589,9 +1608,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
 
 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 {
-	struct rfcomm_rls *rls = (void *) skb->data;
-	u8 dlci = __get_dlci(rls->dlci);
+	struct rfcomm_rls *rls;
+	u8 dlci;
 
+	rls = skb_pull_data(skb, sizeof(*rls));
+	if (!rls)
+		return -EILSEQ;
+
+	dlci = __get_dlci(rls->dlci);
 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
 
 	if (!cr)
@@ -1608,10 +1632,15 @@ static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb
 
 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 {
-	struct rfcomm_msc *msc = (void *) skb->data;
+	struct rfcomm_msc *msc;
 	struct rfcomm_dlc *d;
-	u8 dlci = __get_dlci(msc->dlci);
+	u8 dlci;
+
+	msc = skb_pull_data(skb, sizeof(*msc));
+	if (!msc)
+		return -EILSEQ;
 
+	dlci = __get_dlci(msc->dlci);
 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
 
 	d = rfcomm_dlc_get(s, dlci);
@@ -1644,17 +1673,19 @@ static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb
 
 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
 {
-	struct rfcomm_mcc *mcc = (void *) skb->data;
+	struct rfcomm_mcc *mcc;
 	u8 type, cr, len;
 
+	mcc = skb_pull_data(skb, sizeof(*mcc));
+	if (!mcc)
+		return -EILSEQ;
+
 	cr   = __test_cr(mcc->type);
 	type = __get_mcc_type(mcc->type);
 	len  = __get_mcc_len(mcc->len);
 
 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
 
-	skb_pull(skb, 2);
-
 	switch (type) {
 	case RFCOMM_PN:
 		rfcomm_recv_pn(s, cr, skb);
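Review bot: The handlers now return -EILSEQ for truncated frames, but the call site visible at the end of this hunk, "rfcomm_recv_pn(s, cr, skb);", discards the return value. If the other cases in the switch do the same, a malformed MCC frame is dropped with no trace; consider propagating the error from rfcomm_recv_mcc() or at least logging it with BT_DBG so truncated frames from a peer are observable.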
-- 
2.53.0





* [PATCH 6.1 130/522] nfc: hci: fix out-of-bounds read in HCP header parsing
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 129/522] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 131/522] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
                   ` (392 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Simon Horman, Ashutosh Desai,
	David Heidelberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ashutosh Desai <ashutoshdesai993@gmail.com>

commit f040e590c035bfd9553fe79ee9585caf1b14d67b upstream.

Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.

Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.

Fixes: 8b8d2e08bf0d ("NFC: HCI support")
Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/hci/core.c |   10 ++++++++++
 net/nfc/nci/hci.c  |   10 ++++++++++
 2 files changed, 20 insertions(+)

--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct
 	struct sk_buff *frag_skb;
 	int msg_len;
 
+	if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)skb->data;
 	if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&hdev->rx_hcp_frags, skb);
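Review bot: the new early return in nfc_hci_recv_from_llc() frees the short skb but leaves whatever is already on hdev->rx_hcp_frags in place, so fragments queued before the malformed frame stay there for the next reassembly. Consider purging the queue when a frame fails the NFC_HCI_HCP_PACKET_HEADER_LEN check, or add a comment saying that keeping the earlier fragments is intended.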
@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)hcp_skb->data;
 	type = HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NFC_HCI_HCP_RESPONSE) {
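Review bot: the changelog describes the pskb_may_pull() checks ahead of the hcp_skb cast as existing and remaining in place, but this hunk adds the NFC_HCI_HCP_HEADER_LEN check as new lines, so in this tree it is part of the fix rather than prior code. A short backport note in the changelog would keep the description and the diff in agreement.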
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -437,6 +437,11 @@ void nci_hci_data_received_cb(void *cont
 		return;
 	}
 
+	if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)skb->data;
 	if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
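Review bot: the NCI_HCI_HCP_PACKET_HEADER_LEN check in nci_hci_data_received_cb() drops the frame with kfree_skb() and returns without any log or counter, so a peer sending zero-length HCP frames leaves no trace. A pr_debug or rate-limited message ahead of the return would help when diagnosing a misbehaving peer or controller.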
@@ -480,6 +485,11 @@ void nci_hci_data_received_cb(void *cont
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)hcp_skb->data;
 	type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NCI_HCI_HCP_RESPONSE) {




* [PATCH 7.0 047/378] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 046/378] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 048/378] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
                   ` (331 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dudu Lu, Luiz Augusto von Dentz,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dudu Lu <phx0fer@gmail.com>

[ Upstream commit 72b8deccff17a7644e0367e1aaf1a36cfb014324 ]

In bnep_rx_frame(), the BNEP_FILTER_NET_TYPE_SET and
BNEP_FILTER_MULTI_ADDR_SET extension header parsing has two bugs:

1) The 2-byte length field is read with *(u16 *)(skb->data + 1), which
   performs a native-endian read. The BNEP protocol specifies this field
   in big-endian (network byte order), and the same file correctly uses
   get_unaligned_be16() for the identical fields in
   bnep_ctrl_set_netfilter() and bnep_ctrl_set_mcfilter().

2) The length is multiplied by 2, but unlike BNEP_SETUP_CONN_REQ where
   the length byte counts UUID pairs (requiring * 2 for two UUIDs per
   entry), the filter extension length field already represents the total
   data size in bytes. This is confirmed by bnep_ctrl_set_netfilter()
   which reads the same field as a byte count and divides by 4 to get
   the number of filter entries.

   The bogus * 2 means skb_pull advances twice as far as it should,
   either dropping valid data from the next header or causing the pull
   to fail entirely when the doubled length exceeds the remaining skb.

Fix by splitting the pull into two steps: first use skb_pull_data() to
safely pull and validate the 3-byte fixed header (ctrl type + length),
then pull the variable-length data using the properly decoded length.

Fixes: bf8b9a9cb77b ("Bluetooth: bnep: Add support to extended headers of control frames")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: 6770d3a8acdf ("Bluetooth: bnep: reject short frames before parsing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/bnep/core.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index b3cef7a4db5412..0de5df690bd0b2 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -330,11 +330,18 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 				goto badframe;
 			break;
 		case BNEP_FILTER_MULTI_ADDR_SET:
-		case BNEP_FILTER_NET_TYPE_SET:
-			/* Pull: ctrl type (1 b), len (2 b), data (len bytes) */
-			if (!skb_pull(skb, 3 + *(u16 *)(skb->data + 1) * 2))
+		case BNEP_FILTER_NET_TYPE_SET: {
+			u8 *hdr;
+
+			/* Pull ctrl type (1 b) + len (2 b) */
+			hdr = skb_pull_data(skb, 3);
+			if (!hdr)
+				goto badframe;
+			/* Pull data (len bytes); length is big-endian */
+			if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
 				goto badframe;
 			break;
+		}
 		default:
 			kfree_skb(skb);
 			return 0;
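Review bot: the filter-extension case pulls a literal 3 and then indexes hdr[1] for the length, which leaves the header layout implicit. Named constants for the ctrl-type and length sizes, or a small packed struct, would make the big-endian length field self-describing and keep this parser visibly in step with bnep_ctrl_set_netfilter() and bnep_ctrl_set_mcfilter(), which the changelog cites as the reference for the field.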
-- 
2.53.0





* [PATCH 6.1 131/522] xfrm: route MIGRATE notifications to callers netns
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 130/522] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 132/522] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
                   ` (391 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Steffen Klassert

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 upstream.

xfrm_send_migrate() in net/xfrm/xfrm_user.c and pfkey_send_migrate()
in net/key/af_key.c both hardcode &init_net for the multicast that
announces a successful XFRM_MSG_MIGRATE / SADB_X_MIGRATE.

XFRM_MSG_MIGRATE arrives on a per-netns NETLINK_XFRM socket, and the
rest of the xfrm/af_key netlink path was made netns-aware in 2008.
The other 14 multicast paths in xfrm_user.c route their event using
xs_net(x), xp_net(xp) or sock_net(skb->sk); only the migrate path
was missed.

Two consequences of the init_net hardcoding:

  1. The notification (selector, old/new endpoint addresses, and the
     km_address) is delivered to listeners on init_net's
     XFRMNLGRP_MIGRATE / pfkey BROADCAST_ALL groups rather than on
     the issuing netns. An IKE daemon running in init_net therefore
     receives migration notifications originating from any other
     netns on the host.

  2. An IKE daemon running inside a non-init netns and subscribed
     to its own XFRMNLGRP_MIGRATE / pfkey groups never receives the
     notification of its own migration. IKEv2 MOBIKE / address-update
     handling inside a netns is silently broken.

Thread struct net through km_migrate() and the xfrm_mgr.migrate
function pointer, drop the &init_net override in xfrm_send_migrate()
and pfkey_send_migrate(), and pass the caller's net (already in
scope in xfrm_migrate() via sock_net(skb->sk)) all the way down.
struct xfrm_mgr is in-tree only and not exported as a stable API,
so the function-pointer signature change is internal.

pfkey_broadcast() is already netns-aware via net_generic(net,
pfkey_net_id) since the pernet conversion. The five other
pfkey_broadcast() callers in af_key.c already pass xs_net(x),
sock_net(sk) or a per-netns net, so this only removes the
&init_net outlier.

Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/xfrm.h     |    3 ++-
 net/key/af_key.c       |    6 +++---
 net/xfrm/xfrm_policy.c |    2 +-
 net/xfrm/xfrm_state.c  |    4 ++--
 net/xfrm/xfrm_user.c   |    5 ++---
 5 files changed, 10 insertions(+), 10 deletions(-)

--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -590,6 +590,7 @@ struct xfrm_mgr {
 					   const struct xfrm_migrate *m,
 					   int num_bundles,
 					   const struct xfrm_kmaddress *k,
+					   struct net *net,
 					   const struct xfrm_encap_tmpl *encap);
 	bool			(*is_alive)(const struct km_event *c);
 };
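Review bot: the migrate callback in struct xfrm_mgr gains struct net *net between k and encap with nothing saying which namespace it is. A one-line comment stating that it is the netns of the caller issuing the migrate, used to deliver the notification, would help anyone implementing the callback.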
@@ -1692,7 +1693,7 @@ int xfrm_sk_policy_insert(struct sock *s
 #ifdef CONFIG_XFRM_MIGRATE
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 	       const struct xfrm_migrate *m, int num_bundles,
-	       const struct xfrm_kmaddress *k,
+	       const struct xfrm_kmaddress *k, struct net *net,
 	       const struct xfrm_encap_tmpl *encap);
 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
 						u32 if_id);
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3548,7 +3548,7 @@ static int set_ipsecrequest(struct sk_bu
 #ifdef CONFIG_NET_KEY_MIGRATE
 static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			      const struct xfrm_migrate *m, int num_bundles,
-			      const struct xfrm_kmaddress *k,
+			      const struct xfrm_kmaddress *k, struct net *net,
 			      const struct xfrm_encap_tmpl *encap)
 {
 	int i;
@@ -3653,7 +3653,7 @@ static int pfkey_send_migrate(const stru
 	}
 
 	/* broadcast migrate message to sockets */
-	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
+	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, net);
 
 	return 0;
 
@@ -3664,7 +3664,7 @@ err:
 #else
 static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			      const struct xfrm_migrate *m, int num_bundles,
-			      const struct xfrm_kmaddress *k,
+			      const struct xfrm_kmaddress *k, struct net *net,
 			      const struct xfrm_encap_tmpl *encap)
 {
 	return -ENOPROTOOPT;
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4492,7 +4492,7 @@ int xfrm_migrate(const struct xfrm_selec
 	}
 
 	/* Stage 5 - announce */
-	km_migrate(sel, dir, type, m, num_migrate, k, encap);
+	km_migrate(sel, dir, type, m, num_migrate, k, net, encap);
 
 	xfrm_pol_put(pol);
 
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2300,7 +2300,7 @@ EXPORT_SYMBOL(km_policy_expired);
 #ifdef CONFIG_XFRM_MIGRATE
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 	       const struct xfrm_migrate *m, int num_migrate,
-	       const struct xfrm_kmaddress *k,
+	       const struct xfrm_kmaddress *k, struct net *net,
 	       const struct xfrm_encap_tmpl *encap)
 {
 	int err = -EINVAL;
@@ -2311,7 +2311,7 @@ int km_migrate(const struct xfrm_selecto
 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
 		if (km->migrate) {
 			ret = km->migrate(sel, dir, type, m, num_migrate, k,
-					  encap);
+					  net, encap);
 			if (!ret)
 				err = ret;
 		}
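Review bot: km_migrate() forwards net unchecked to every registered manager's migrate callback, and the two callbacks touched by this patch use it directly as the delivery namespace (pfkey_broadcast() in af_key.c, and the parameter that replaces the &init_net local in xfrm_user.c). A sentence in a comment on km_migrate() stating that net must be the caller's non-NULL netns would document that contract for future callers.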
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2908,10 +2908,9 @@ out_cancel:
 
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			     const struct xfrm_migrate *m, int num_migrate,
-			     const struct xfrm_kmaddress *k,
+			     const struct xfrm_kmaddress *k, struct net *net,
 			     const struct xfrm_encap_tmpl *encap)
 {
-	struct net *net = &init_net;
 	struct sk_buff *skb;
 	int err;
 
@@ -2929,7 +2928,7 @@ static int xfrm_send_migrate(const struc
 #else
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			     const struct xfrm_migrate *m, int num_migrate,
-			     const struct xfrm_kmaddress *k,
+			     const struct xfrm_kmaddress *k, struct net *net,
 			     const struct xfrm_encap_tmpl *encap)
 {
 	return -ENOPROTOOPT;




* [PATCH 7.0 048/378] Bluetooth: bnep: reject short frames before parsing
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 047/378] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 049/378] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
                   ` (330 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Cen, Luiz Augusto von Dentz,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

[ Upstream commit 6770d3a8acdf9151769180cc3710346c4cfbe6f0 ]

A BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the
packet type byte immediately and, for control packets, reads the control
opcode and setup UUID-size byte before proving that those bytes are
present. bnep_rx_control() also dereferences the control opcode without
rejecting an empty control payload.

Use skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL
return gates each dereference. Split the control handler so the frame
path can pass an opcode that has already been pulled, and keep the
byte-buffer wrapper for extension control payloads.

For BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the
setup payload. struct bnep_setup_conn_req carries destination and source
service UUIDs after that byte, each uuid_size bytes, so the parser now
documents that tuple explicitly instead of leaving the pull length as an
opaque multiplication.

Validation reproduced this kernel report:
KASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790
The buggy address belongs to the object at ffff88800c0f7908 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 1-byte
region [ffff88800c0f7908, ffff88800c0f7909)
Read of size 1
Call trace:
  dump_stack_lvl+0xb3/0x140 (?:?)
  print_address_description+0x57/0x3a0 (?:?)
  bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)
  print_report+0xb9/0x2b0 (?:?)
  __virt_addr_valid+0x1ba/0x3a0 (?:?)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  kasan_addr_to_slab+0x21/0x60 (?:?)
  kasan_report+0xe0/0x110 (?:?)
  process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)
  worker_thread+0x65c/0xe40 (?:?)
  __kthread_parkme+0x184/0x230 (?:?)
  kthread+0x35e/0x470 (?:?)
  _raw_spin_unlock_irq+0x28/0x50 (?:?)
  ret_from_fork+0x586/0x870 (?:?)
  __switch_to+0x74f/0xdc0 (?:?)
  ret_from_fork_asm+0x1a/0x30 (?:?)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/bnep/core.c | 57 ++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 21 deletions(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 0de5df690bd0b2..5c5f53ff30e8e5 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -206,14 +206,11 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
 	return 0;
 }
 
-static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+static int bnep_rx_control_cmd(struct bnep_session *s, u8 cmd, void *data,
+			       int len)
 {
-	u8  cmd = *(u8 *)data;
 	int err = 0;
 
-	data++;
-	len--;
-
 	switch (cmd) {
 	case BNEP_CMD_NOT_UNDERSTOOD:
 	case BNEP_SETUP_CONN_RSP:
@@ -254,6 +251,14 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
 	return err;
 }
 
+static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+{
+	if (len < 1)
+		return -EILSEQ;
+
+	return bnep_rx_control_cmd(s, *(u8 *)data, data + 1, len - 1);
+}
+
 static int bnep_rx_extension(struct bnep_session *s, struct sk_buff *skb)
 {
 	struct bnep_ext_hdr *h;
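Review bot: the new bnep_rx_control() wrapper does arithmetic on a void pointer in "data + 1", which compiles only as a GNU C extension. Taking a u8 pointer once (for example "u8 *p = data;") and passing *p and p + 1 would read more clearly and make the one-byte opcode explicit, alongside the len < 1 guard.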
@@ -299,19 +304,26 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 {
 	struct net_device *dev = s->dev;
 	struct sk_buff *nskb;
+	u8 *data;
 	u8 type, ctrl_type;
 
 	dev->stats.rx_bytes += skb->len;
 
-	type = *(u8 *) skb->data;
-	skb_pull(skb, 1);
-	ctrl_type = *(u8 *)skb->data;
+	data = skb_pull_data(skb, sizeof(type));
+	if (!data)
+		goto badframe;
+	type = *data;
 
 	if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
 		goto badframe;
 
 	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
-		if (bnep_rx_control(s, skb->data, skb->len) < 0) {
+		data = skb_pull_data(skb, sizeof(ctrl_type));
+		if (!data)
+			goto badframe;
+		ctrl_type = *data;
+
+		if (bnep_rx_control_cmd(s, ctrl_type, skb->data, skb->len) < 0) {
 			dev->stats.tx_errors++;
 			kfree_skb(skb);
 			return 0;
@@ -324,24 +336,27 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 
 		/* Verify and pull ctrl message since it's already processed */
 		switch (ctrl_type) {
-		case BNEP_SETUP_CONN_REQ:
-			/* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
-			if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
+		case BNEP_SETUP_CONN_REQ: {
+			u8 uuid_size;
+
+			/* Pull uuid_size and the dst/src service UUIDs. */
+			data = skb_pull_data(skb, sizeof(uuid_size));
+			if (!data)
+				goto badframe;
+			uuid_size = *data;
+			if (!skb_pull(skb, uuid_size + uuid_size))
 				goto badframe;
 			break;
+		}
 		case BNEP_FILTER_MULTI_ADDR_SET:
-		case BNEP_FILTER_NET_TYPE_SET: {
-			u8 *hdr;
-
-			/* Pull ctrl type (1 b) + len (2 b) */
-			hdr = skb_pull_data(skb, 3);
-			if (!hdr)
+		case BNEP_FILTER_NET_TYPE_SET:
+			/* Pull: len (2 b), data (len bytes) */
+			data = skb_pull_data(skb, sizeof(u16));
+			if (!data)
 				goto badframe;
-			/* Pull data (len bytes); length is big-endian */
-			if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
+			if (!skb_pull(skb, get_unaligned_be16(data)))
 				goto badframe;
 			break;
-		}
 		default:
 			kfree_skb(skb);
 			return 0;
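Review bot: in the BNEP_SETUP_CONN_REQ case, uuid_size is taken straight from the frame and used as the pull length without any check on its value. skb_pull() fails safely when uuid_size + uuid_size exceeds the remaining data, so this is not a bounds problem, but by this point bnep_rx_control_cmd() has already processed the message; a comment noting that the handler has validated the setup payload, or a check here, would make that ordering explicit.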
-- 
2.53.0





* [PATCH 6.1 132/522] xfrm: ah: use skb_to_full_sk in async output callbacks
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 131/522] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 133/522] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
                   ` (390 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 79d8be262377f7112cfa3088dfc4142d5a2533f3 upstream.

When AH output is offloaded to an asynchronous crypto provider
(hardware accelerators such as AMD CCP, or a forced-async software
shim used for testing), the digest completion fires
ah_output_done() / ah6_output_done() on a workqueue.  The egress
skb at that point may have been originated by a TCP listener
sending a SYN-ACK, which sets skb->sk to a request_sock via
skb_set_owner_edemux(); it may also have been originated by an
inet_timewait_sock retransmit.  Neither is a full struct sock, and
passing the raw skb->sk to xfrm_output_resume() then forwards a
non-full socket through the rest of the xfrm output chain.

xfrm_output_resume() and its downstream consumers expect a full
sk where they dereference at all.  The natural egress path
through ah_output_done() does not crash today because the
consumers that read past sock_common are either gated by
sk_fullsock() or short-circuit on flags that are clear on a fresh
request_sock; an exhaustive walk of the 50 most plausible
consumers under sch_fq, dev_queue_xmit, netfilter, tc-egress and
cgroup-egress BPF found no current unguarded deref.  The bug is
still a real type confusion that future consumer changes could
turn into a memory-corruption primitive.

This is the same bug class fixed for ESP in commit 1620c88887b1
("xfrm: Fix the usage of skb->sk").  Apply the analogous fix to
AH: convert skb->sk to a full socket pointer (or NULL) via
skb_to_full_sk() before handing it to xfrm_output_resume().

The same async AH callbacks were touched recently for an
independent ESN-related ICV layout bug in commit ec54093e6a8f
("xfrm: ah: account for ESN high bits in async callbacks"); the
sk type-confusion addressed here is orthogonal.  This patch is
part of an ongoing audit of the AH callback paths; an ah_output
ihl-validation hardening series is also currently under review on
netdev.

Reproduced under UML + KASAN + lockdep with a forced-async
hmac(sha1) shim that registers at priority 9999 and wraps the
sync in-tree hmac-sha1-lib.  With the shim loaded, ah_output_done
runs on every SYN-ACK egress through a transport-mode AH SA and
skb->sk arrives as a request_sock (TCP_NEW_SYN_RECV); after this
patch, xfrm_output_resume() receives the listener (the result of
sk_to_full_sk()) and consumer derefs land on full-sock fields as
intended.

Fixes: 9ab1265d5231 ("xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |    2 +-
 net/ipv6/ah6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -141,7 +141,7 @@ static void ah_output_done(struct crypto
 	}
 
 	kfree(AH_SKB_CB(skb)->tmp);
-	xfrm_output_resume(skb->sk, skb, err);
+	xfrm_output_resume(skb_to_full_sk(skb), skb, err);
 }
 
 static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
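Review bot: ah_output_done() now passes the result of skb_to_full_sk(skb) to xfrm_output_resume(), and the changelog notes that the result can be NULL. A short comment at the call site saying that a NULL sk is acceptable to xfrm_output_resume(), and why the raw skb->sk must not be passed from this async callback, would stop a later cleanup from reverting to skb->sk.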
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -335,7 +335,7 @@ static void ah6_output_done(struct crypt
 	ah6_restore_hdrs(top_iph, iph_ext, extlen);
 
 	kfree(AH_SKB_CB(skb)->tmp);
-	xfrm_output_resume(skb->sk, skb, err);
+	xfrm_output_resume(skb_to_full_sk(skb), skb, err);
 }
 
 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)




* [PATCH 7.0 049/378] Bluetooth: fix memory leak in error path of hci_alloc_dev()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 048/378] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 050/378] Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync Greg Kroah-Hartman
                   ` (329 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+535ecc844591e50588a5,
	Bharath Reddy, Luiz Augusto von Dentz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bharath Reddy <kbreddy.rpbc@gmail.com>

[ Upstream commit 37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f ]

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378ae..8957ce7c21b76c 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,10 +83,12 @@ static void bt_host_release(struct device *dev)
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
 
-	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		hci_release_dev(hdev);
-	else
+	} else {
+		cleanup_srcu_struct(&hdev->srcu);
 		kfree(hdev);
+	}
 	module_put(THIS_MODULE);
 }
 
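Review bot: the else branch of bt_host_release() now calls cleanup_srcu_struct(&hdev->srcu) unconditionally, which assumes every hdev that reaches this path unregistered had its SRCU struct initialized. The changelog says that happens early in hci_alloc_dev(); a comment here pointing at that initialization would make the pairing obvious and flag the dependency if the init is ever moved.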
-- 
2.53.0





* [PATCH 6.1 133/522] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 132/522] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 134/522] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
                   ` (389 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hamza Mahfooz, Florian Westphal

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>

commit bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a upstream.

An unintended behavior in the TCP conntrack state machine allows a
connection to be forced into the CLOSE state using an RST packet with an
invalid sequence number.

Specifically, after a SYN packet is observed, an RST with an invalid SEQ
can transition the conntrack entry to TCP_CONNTRACK_CLOSE, regardless of
whether the RST corresponds to the expected reply direction. The relevant
code path assumes the RST is a response to an outgoing SYN, but does not
validate packet direction or ensure that a matching SYN was actually sent
in the opposite direction.

As a result, a crafted packet sequence consisting of a SYN followed by an
invalid-sequence RST can prematurely terminate an active NAT entry. This
makes connection teardown easier than intended.

So, tighten the state transition logic to ensure that RST-triggered
CLOSE transitions only occur when the RST is a valid response to a
previously observed SYN in the correct direction.

Cc: stable@vger.kernel.org
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1222,7 +1222,8 @@ int nf_conntrack_tcp_packet(struct nf_co
 			new_state = old_state;
 		}
 		if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
-			 && ct->proto.tcp.last_index == TCP_SYN_SET)
+			 && ct->proto.tcp.last_index == TCP_SYN_SET
+			 && ct->proto.tcp.last_dir != dir)
 			|| (!test_bit(IPS_ASSURED_BIT, &ct->status)
 			    && ct->proto.tcp.last_index == TCP_ACK_SET))
 		    && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
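Review bot: the last_dir != dir test is added only to the IPS_SEEN_REPLY_BIT / TCP_SYN_SET arm of the condition; the second arm (!IPS_ASSURED_BIT with last_index == TCP_ACK_SET) still has no direction check. If that asymmetry is intended, a comment above the condition explaining why only the SYN case needs the RST to come from the opposite direction would help, since the expression is already hard to read.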




* [PATCH 7.0 050/378] Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 049/378] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 051/378] Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls Greg Kroah-Hartman
                   ` (328 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Luiz Augusto von Dentz,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 5cbf290b79351971f20c7a533247e8d58a3f970c ]

hci_get_route() returns a reference-counted hci_dev pointer via
hci_dev_hold(). The function exits normally or with an error without ever
releasing it.

Fixes: 07a9342b94a9 ("Bluetooth: ISO: Send BIG Create Sync via hci_sync")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/iso.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index a6bd608cbda69d..2363b6135c6f1b 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1603,6 +1603,7 @@ static void iso_conn_big_sync(struct sock *sk)
 
 	release_sock(sk);
 	hci_dev_unlock(hdev);
+	hci_dev_put(hdev);
 }
 
 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
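Review bot: hci_dev_put(hdev) is added only at the final exit of iso_conn_big_sync(), after hci_dev_unlock(). The changelog says the function leaked the reference on both the normal and the error exit, so any earlier return that follows hci_get_route() needs to drop it too; those paths are outside this hunk and should be checked, or routed through a common unlock label that ends in the put.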
-- 
2.53.0





* [PATCH 6.1 134/522] ASoC: qcom: q6asm-dai: close stream only when running
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 133/522] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 135/522] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
                   ` (388 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 048c540ee76ded666bda74f9dae1ca3254e0633c upstream.

q6asm_dai_close() and q6asm_dai_compr_free() currently issue CMD_CLOSE
whenever prtd->state is non-zero.

After prepare() closes an existing stream, the state is updated to
Q6ASM_STREAM_STOPPED. Since this state is also non-zero, the close and
free paths can send CMD_CLOSE again for a stream that has already been
closed.

Restrict CMD_CLOSE to the Q6ASM_STREAM_RUNNING state so the command is
sent only when the ASM stream is still active.

Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -456,12 +456,12 @@ static int q6asm_dai_close(struct snd_so
 	struct q6asm_dai_rtd *prtd = runtime->private_data;
 
 	if (prtd->audio_client) {
-		if (prtd->state)
+		if (prtd->state == Q6ASM_STREAM_RUNNING) {
 			q6asm_cmd(prtd->audio_client, prtd->stream_id,
 				  CMD_CLOSE);
-
-		q6asm_unmap_memory_regions(substream->stream,
+			q6asm_unmap_memory_regions(substream->stream,
 					   prtd->audio_client);
+		}
 		q6asm_audio_client_free(prtd->audio_client);
 		prtd->audio_client = NULL;
 	}
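
Review bot: in q6asm_dai_close() the q6asm_unmap_memory_regions() call moves inside the new `prtd->state == Q6ASM_STREAM_RUNNING` block, so it is now skipped for every other state, while the commit message only talks about restricting CMD_CLOSE. If regions can still be mapped when the state is Q6ASM_STREAM_STOPPED, they are no longer unmapped before q6asm_audio_client_free(); the changelog should say why that is safe, or the unmap should stay unconditional. The continuation line `prtd->audio_client);` also kept its old indentation and no longer lines up with the opening parenthesis.
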
@@ -678,7 +678,7 @@ static int q6asm_dai_compr_free(struct s
 	struct snd_soc_pcm_runtime *rtd = stream->private_data;
 
 	if (prtd->audio_client) {
-		if (prtd->state) {
+		if (prtd->state == Q6ASM_STREAM_RUNNING) {
 			q6asm_cmd(prtd->audio_client, prtd->stream_id,
 				  CMD_CLOSE);
 			if (prtd->next_track_stream_id) {
@@ -686,11 +686,11 @@ static int q6asm_dai_compr_free(struct s
 					  prtd->next_track_stream_id,
 					  CMD_CLOSE);
 			}
-		}
 
-		snd_dma_free_pages(&prtd->dma_buffer);
-		q6asm_unmap_memory_regions(stream->direction,
+			q6asm_unmap_memory_regions(stream->direction,
 					   prtd->audio_client);
+		}
+		snd_dma_free_pages(&prtd->dma_buffer);
 		q6asm_audio_client_free(prtd->audio_client);
 		prtd->audio_client = NULL;
 	}
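
Review bot: in q6asm_dai_compr_free() snd_dma_free_pages(&prtd->dma_buffer) stays unconditional but q6asm_unmap_memory_regions() is now done only in the RUNNING state, so for a stream in any other state the DMA buffer is freed without the unmap that used to follow it. The order also flips for a running stream (unmap first, then free), and neither change is mentioned in the commit message; a sentence there, or a short comment above snd_dma_free_pages(), would help.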



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 051/378] Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 050/378] Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 052/378] Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect Greg Kroah-Hartman
                   ` (327 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SeungJu Cheon,
	Luiz Augusto von Dentz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeungJu Cheon <suunj1331@gmail.com>

[ Upstream commit 9ca7053d6215d89c33f28893bfd1625a32919d3f ]

iso_connect_bis(), iso_connect_cis(), iso_listen_bis(), and
iso_conn_big_sync() call hci_get_route() using iso_pi(sk)->dst,
iso_pi(sk)->src, and iso_pi(sk)->src_type without holding lock_sock().

These fields may be modified concurrently by connect() or setsockopt()
on the same socket, resulting in data-races reported by KCSAN.

Fix this by snapshotting the required fields under lock_sock() before
calling hci_get_route().

BUG: KCSAN: data-race in memcmp+0x45/0xb0

race at unknown origin, with read to 0xffff8880122135cf of 1 bytes
by task 333 on cpu 1:
 memcmp+0x45/0xb0
 hci_get_route+0x27e/0x490
 iso_connect_cis+0x4c/0xa10
 iso_sock_connect+0x60e/0xb30
 __sys_connect_file+0xbd/0xe0
 __sys_connect+0xe0/0x110
 __x64_sys_connect+0x40/0x50
 x64_sys_call+0xcad/0x1c60
 do_syscall_64+0x133/0x590
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/iso.c | 60 +++++++++++++++++++++++++++++++++------------
 1 file changed, 44 insertions(+), 16 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 05a3f1e554fe67..34e4803313d130 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -337,12 +337,20 @@ static int iso_connect_bis(struct sock *sk)
 	struct iso_conn *conn;
 	struct hci_conn *hcon;
 	struct hci_dev  *hdev;
+	bdaddr_t src, dst;
+	u8 src_type, bc_sid;
 	int err;
 
-	BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid);
+	lock_sock(sk);
+	bacpy(&src, &iso_pi(sk)->src);
+	bacpy(&dst, &iso_pi(sk)->dst);
+	src_type = iso_pi(sk)->src_type;
+	bc_sid = iso_pi(sk)->bc_sid;
+	release_sock(sk);
 
-	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
-			     iso_pi(sk)->src_type);
+	BT_DBG("%pMR (SID 0x%2.2x)", &src, bc_sid);
+
+	hdev = hci_get_route(&dst, &src, src_type);
 	if (!hdev)
 		return -EHOSTUNREACH;
 
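
Review bot: the snapshot in iso_connect_bis() is taken under lock_sock() and the lock is dropped again before hci_get_route(), so src, dst, src_type and bc_sid are only guaranteed to be mutually consistent, not current. Any later read of iso_pi(sk)->src, ->dst or ->bc_sid further down this function (outside this hunk) should use the local copies too, otherwise the route lookup and the connection setup can work on different addresses. A one-line comment above lock_sock(sk) saying that the block exists to snapshot the fields for hci_get_route() would also keep it from being folded away later.
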
@@ -434,12 +442,19 @@ static int iso_connect_cis(struct sock *sk)
 	struct iso_conn *conn;
 	struct hci_conn *hcon;
 	struct hci_dev  *hdev;
+	bdaddr_t src, dst;
+	u8 src_type;
 	int err;
 
-	BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
+	lock_sock(sk);
+	bacpy(&src, &iso_pi(sk)->src);
+	bacpy(&dst, &iso_pi(sk)->dst);
+	src_type = iso_pi(sk)->src_type;
+	release_sock(sk);
+
+	BT_DBG("%pMR -> %pMR", &src, &dst);
 
-	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
-			     iso_pi(sk)->src_type);
+	hdev = hci_get_route(&dst, &src, src_type);
 	if (!hdev)
 		return -EHOSTUNREACH;
 
@@ -1220,18 +1235,25 @@ static int iso_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
 
 static int iso_listen_bis(struct sock *sk)
 {
-	struct hci_dev *hdev;
-	int err = 0;
 	struct iso_conn *conn;
 	struct hci_conn *hcon;
+	struct hci_dev *hdev;
+	bdaddr_t src, dst;
+	u8 src_type, bc_sid;
+	int err = 0;
+
+	lock_sock(sk);
+	bacpy(&src, &iso_pi(sk)->src);
+	bacpy(&dst, &iso_pi(sk)->dst);
+	src_type = iso_pi(sk)->src_type;
+	bc_sid = iso_pi(sk)->bc_sid;
+	release_sock(sk);
 
-	BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
-	       &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
+	BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &src, &dst, bc_sid);
 
 	write_lock(&iso_sk_list.lock);
 
-	if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
-					 iso_pi(sk)->bc_sid))
+	if (__iso_get_sock_listen_by_sid(&src, &dst, bc_sid))
 		err = -EADDRINUSE;
 
 	write_unlock(&iso_sk_list.lock);
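
Review bot: in iso_listen_bis() the -EADDRINUSE check under iso_sk_list.lock now runs against the snapshot (&src, &dst, bc_sid) rather than the socket's live fields. Since lock_sock() has already been released, the fields can change again through connect() or setsockopt() after this check, so the uniqueness test is only as strong as whatever prevents such a change at this stage; the changelog should name that guarantee. The reordering of the hdev, conn, hcon and err declarations is unrelated churn that makes the stable backport diff larger than needed.
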
@@ -1239,8 +1261,7 @@ static int iso_listen_bis(struct sock *sk)
 	if (err)
 		return err;
 
-	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
-			     iso_pi(sk)->src_type);
+	hdev = hci_get_route(&dst, &src, src_type);
 	if (!hdev)
 		return -EHOSTUNREACH;
 
@@ -1576,9 +1597,16 @@ static void iso_conn_big_sync(struct sock *sk)
 {
 	int err;
 	struct hci_dev *hdev;
+	bdaddr_t src, dst;
+	u8 src_type;
+
+	lock_sock(sk);
+	bacpy(&src, &iso_pi(sk)->src);
+	bacpy(&dst, &iso_pi(sk)->dst);
+	src_type = iso_pi(sk)->src_type;
+	release_sock(sk);
 
-	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
-			     iso_pi(sk)->src_type);
+	hdev = hci_get_route(&dst, &src, src_type);
 
 	if (!hdev)
 		return;
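
Review bot: this is the fourth copy of the same lock_sock()/bacpy()/release_sock() sequence in the patch (iso_connect_bis, iso_connect_cis, iso_listen_bis and here). A small static helper that fills src, dst and src_type under the socket lock would remove the duplication and give one place to document the locking rule. The blank line left between `hdev = hci_get_route(&dst, &src, src_type);` and `if (!hdev)` could be dropped while the line is being touched, to match the other three call sites.
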
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 135/522] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 134/522] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 136/522] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
                   ` (387 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit cee3e63e7106c3c81b2053371fdf14240bfba2fc upstream.

The q6asm-dai stream state is used by prepare() to decide whether an
existing stream setup needs to be closed before opening/configuring a new
one. Updating the state from trigger or asynchronous DSP callbacks can make
that state stale or incorrect relative to the actual setup lifetime.

In particular, setting Q6ASM_STREAM_STOPPED on STOP or EOS completion can
make prepare() believe there is no active setup to close, which can result
in opening/configuring the same stream more than once.

Keep stream state updates tied to prepare(), where the stream is actually
closed and reopened, and stop changing it from trigger and EOS callbacks.

Fixes: bfbb12dfa144 ("ASoC: qcom: q6asm-dai: perform correct state check before closing")
Cc: Stable@vger.kernel.org
Closes: https://lore.kernel.org/all/afS7rTHdc9TyIeLx@rdacayan/
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -191,7 +191,6 @@ static void event_handler(uint32_t opcod
 				   prtd->pcm_count, 0, 0, 0);
 		break;
 	case ASM_CLIENT_EVENT_CMD_EOS_DONE:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		break;
 	case ASM_CLIENT_EVENT_DATA_WRITE_DONE: {
 		prtd->pcm_irq_pos += prtd->pcm_count;
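
Review bot: after the removal, `case ASM_CLIENT_EVENT_CMD_EOS_DONE:` in event_handler() is an empty case that only breaks. Either drop the case if the default path does the same thing, or leave a short comment saying that EOS completion is intentionally ignored because stream state is owned by prepare(), so the empty case is not mistaken for an omission.
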
@@ -338,7 +337,6 @@ static int q6asm_dai_trigger(struct snd_
 				       0, 0, 0);
 		break;
 	case SNDRV_PCM_TRIGGER_STOP:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
 				       CMD_EOS);
 		break;
@@ -554,8 +552,6 @@ static void compress_event_handler(uint3
 			snd_compr_drain_notify(prtd->cstream);
 			prtd->notify_on_drain = false;
 
-		} else {
-			prtd->state = Q6ASM_STREAM_STOPPED;
 		}
 		spin_unlock_irqrestore(&prtd->lock, flags);
 		break;
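
Review bot: dropping the else branch in compress_event_handler() leaves the blank context line directly before the closing brace of the if block (`prtd->notify_on_drain = false;`, blank line, `}`). That stray blank line should be removed together with the branch.
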
@@ -1018,7 +1014,6 @@ static int q6asm_dai_compr_trigger(struc
 				       0, 0, 0);
 		break;
 	case SNDRV_PCM_TRIGGER_STOP:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
 				       CMD_EOS);
 		break;



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 052/378] Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 051/378] Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 053/378] Bluetooth: MGMT: Fix backward compatibility with userspace Greg Kroah-Hartman
                   ` (326 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SeungJu Cheon,
	Luiz Augusto von Dentz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeungJu Cheon <suunj1331@gmail.com>

[ Upstream commit 4847c5bca22227100ae69e96af86618b6fd2671f ]

sco_sock_connect() copies the destination address into sco_pi(sk)->dst
under lock_sock(), then releases the lock and calls sco_connect(),
which reads dst, src, setting, and codec without holding lock_sock() in
hci_get_route() and hci_connect_sco().

These fields may be modified concurrently by connect(), bind(), or
setsockopt() on the same socket, resulting in data-races reported by
KCSAN.

Fix this by snapshotting dst, src, setting, and codec under lock_sock()
at the start of sco_connect() before passing them to hci_get_route()
and hci_connect_sco().

BUG: KCSAN: data-race in memcmp+0x45/0xb0

race at unknown origin, with read to 0xffff88800e6b0dd0 of 1 bytes
by task 315 on cpu 0:
 memcmp+0x45/0xb0
 hci_connect_acl+0x1b7/0x6b0
 hci_connect_sco+0x4d/0xb30
 sco_sock_connect+0x27b/0xd60
 __sys_connect_file+0xbd/0xe0
 __sys_connect+0xe0/0x110
 __x64_sys_connect+0x40/0x50
 x64_sys_call+0xcad/0x1c60
 do_syscall_64+0x133/0x590
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/sco.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 770b9d6fad88f9..47ff4b8d1ae2cd 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -312,11 +312,21 @@ static int sco_connect(struct sock *sk)
 	struct sco_conn *conn;
 	struct hci_conn *hcon;
 	struct hci_dev  *hdev;
+	bdaddr_t src, dst;
+	struct bt_codec codec;
+	__u16 setting;
 	int err, type;
 
-	BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
+	lock_sock(sk);
+	bacpy(&src, &sco_pi(sk)->src);
+	bacpy(&dst, &sco_pi(sk)->dst);
+	setting = sco_pi(sk)->setting;
+	codec = sco_pi(sk)->codec;
+	release_sock(sk);
+
+	BT_DBG("%pMR -> %pMR", &src, &dst);
 
-	hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
+	hdev = hci_get_route(&dst, &src, BDADDR_BREDR);
 	if (!hdev)
 		return -EHOSTUNREACH;
 
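
Review bot: sco_connect() now takes lock_sock() itself to snapshot src, dst, setting and codec, but according to the commit message sco_sock_connect() has already written sco_pi(sk)->dst under an earlier lock_sock() section and released it. Another connect() on the same socket can run between those two sections, so the snapshot is consistent but may not hold the dst this caller stored. Passing the address down from sco_sock_connect(), or taking the snapshot in the section that writes dst, would close that window.
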
@@ -327,7 +337,7 @@ static int sco_connect(struct sock *sk)
 	else
 		type = SCO_LINK;
 
-	switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) {
+	switch (setting & SCO_AIRMODE_MASK) {
 	case SCO_AIRMODE_TRANSP:
 		if (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)) {
 			err = -EOPNOTSUPP;
@@ -336,8 +346,8 @@ static int sco_connect(struct sock *sk)
 		break;
 	}
 
-	hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
-			       sco_pi(sk)->setting, &sco_pi(sk)->codec,
+	hcon = hci_connect_sco(hdev, type, &dst,
+			       setting, &codec,
 			       READ_ONCE(sk->sk_sndtimeo));
 	if (IS_ERR(hcon)) {
 		err = PTR_ERR(hcon);
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 136/522] xfrm: esp: restore combined single-frag length gate
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 135/522] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 137/522] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
                   ` (386 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lin Ma, Chenyuan Mi, Jingguo Tan,
	Sabrina Dubroca, Steffen Klassert

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jingguo Tan <tanjingguo@huawei.com>

commit dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 upstream.

The ESP out-of-place fast path appends the trailer in esp_output_head()
before esp_output_tail() allocates the destination page frag. The
head-side gate currently checks skb->data_len and tailen separately, but
the tail code allocates a single destination frag from the combined
post-trailer skb->data_len.

Reject the page-frag fast path when the combined aligned length exceeds a
page. Otherwise skb_page_frag_refill() may fall back to a single page while
the destination sg still spans the combined skb->data_len.

Restore this combined-length page gate for both IPv4 and IPv6.

Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
Cc: stable@vger.kernel.org
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/esp4.c |    4 ++--
 net/ipv6/esp6.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -419,8 +419,8 @@ int esp_output_head(struct xfrm_state *x
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+	    PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {
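
Review bot: the new condition in esp_output_head() fits on one line within 80 columns, so the break before PAGE_SIZE is unnecessary and reads awkwardly. More importantly, nothing at the check says why the sum is used; a comment noting that esp_output_tail() allocates one destination frag for the post-trailer skb->data_len (so data_len and tailen must be gated together) would stop the check from being split again.
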
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -454,8 +454,8 @@ int esp6_output_head(struct xfrm_state *
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+	    PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {
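
Review bot: esp6_output_head() carries a byte-for-byte copy of the IPv4 gate. Since the bug being fixed is a gate that did not match what the tail code allocates, a shared inline helper for the length test used by both esp4.c and esp6.c would keep the two paths from drifting apart.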



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 053/378] Bluetooth: MGMT: Fix backward compatibility with userspace
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 052/378] Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 054/378] xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() Greg Kroah-Hartman
                   ` (325 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 149324fc762c2a7acef9c26790566f81f475e51f ]

bluetoothd has a bug which makes it send extra bytes as part of
MGMT_OP_ADD_EXT_ADV_DATA, which is now being checked to be exactly
the expected length. Relax this so that only an expected length
greater than the data length causes an error, since that would
result in accessing invalid memory; otherwise just ignore the
extra bytes.

Link: https://lore.kernel.org/linux-bluetooth/20260602204749.210857-1-luiz.dentz@gmail.com/T/#u
Fixes: d3f7d17960ed ("Bluetooth: MGMT: validate Add Extended Advertising Data length")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 027b266ccc747c..f4aa814a039759 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9114,8 +9114,9 @@ static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
 
 	BT_DBG("%s", hdev->name);
 
-	expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
-	if (expected_len != data_len)
+	expected_len = struct_size(cp, data, cp->adv_data_len +
+				   cp->scan_rsp_len);
+	if (expected_len > data_len)
 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
 				       MGMT_STATUS_INVALID_PARAMS);
 
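
Review bot: with `expected_len > data_len` add_ext_adv_data() now silently accepts trailing bytes, and nothing in the code says that this is deliberate. Add a comment above the check naming the bluetoothd behaviour it tolerates, otherwise the next cleanup is likely to turn it back into `!=`. It is also worth checking that everything after this point sizes its copies from cp->adv_data_len and cp->scan_rsp_len rather than from data_len, since data_len may now be larger than the structure.
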
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 137/522] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 136/522] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 138/522] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
                   ` (385 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Dmitry Torokhov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit baa0210fb6a9dc3882509a9411b6d284d88fe30e upstream.

When a configuration file provides an object size that is larger than the
driver's known mxt_obj_size(object), the driver intends to discard the
extra bytes.

The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
condition to skip processing extra bytes is:

    if (i > mxt_obj_size(object))
        continue;

Since i is a 0-based index, the valid indices for the object are 0 through
mxt_obj_size(object) - 1.

When i == mxt_obj_size(object), the condition evaluates to false, and the
code processes the byte instead of discarding it.

This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
and writes the byte there, overwriting exactly one byte of the adjacent
instance or object.

Update the boundary check to skip extra bytes correctly by using >=.

Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -1443,7 +1443,7 @@ static int mxt_prepare_cfg_mem(struct mx
 			}
 			cfg->raw_pos += offset;
 
-			if (i > mxt_obj_size(object))
+			if (i >= mxt_obj_size(object))
 				continue;
 
 			byte_offset = reg + i - cfg->start_ofs;
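
Review bot: the `>=` fix is right for the index check, but `byte_offset = reg + i - cfg->start_ofs` in the context line below it is still computed from values that come from the config file and the object table. The hunk does not show a bound on byte_offset against the size of the config memory buffer; if one is not there already, it belongs next to this check.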



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 054/378] xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 053/378] Bluetooth: MGMT: Fix backward compatibility with userspace Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 055/378] octeontx2-pf: Fix NDC sync operation errors Greg Kroah-Hartman
                   ` (324 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski, Jason Xing,
	Stanislav Fomichev, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Xing <kernelxing@tencent.com>

[ Upstream commit 22ba97ea9cc1f63a0d0244fae38057ed452b6ac7 ]

The TX metadata area resides in the UMEM buffer which is memory-mapped
and concurrently writable by userspace. In xsk_skb_metadata(),
csum_start and csum_offset are read from shared memory for bounds
validation, then read again for skb assignment. A malicious userspace
application can race to overwrite these values between the two reads,
bypassing the bounds check and causing out-of-bounds memory access
during checksum computation in the transmit path.

Fix this by reading csum_start and csum_offset into local variables
once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached
csum fields may be mutually inconsistent due to concurrent userspace
writes, but this is benign: the only security-critical invariant is
that each field's validated value is the same one used, which local
caching guarantees.

Closes: https://lore.kernel.org/all/20260503200927.73EA1C2BCB4@smtp.kernel.org/
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Fixes: 48eb03dd2630 ("xsk: Add TX timestamp and TX checksum offload support")
Link: https://patch.msgid.link/20260530042630.80626-1-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xdp/xsk.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index c8ef9e427c9cd5..db0fb2203af63c 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -683,6 +683,7 @@ static int xsk_skb_metadata(struct sk_buff *skb, void *buffer,
 			    u32 hr)
 {
 	struct xsk_tx_metadata *meta = NULL;
+	u16 csum_start, csum_offset;
 
 	if (unlikely(pool->tx_metadata_len == 0))
 		return -EINVAL;
@@ -692,13 +693,15 @@ static int xsk_skb_metadata(struct sk_buff *skb, void *buffer,
 		return -EINVAL;
 
 	if (meta->flags & XDP_TXMD_FLAGS_CHECKSUM) {
-		if (unlikely(meta->request.csum_start +
-			     meta->request.csum_offset +
+		csum_start = READ_ONCE(meta->request.csum_start);
+		csum_offset = READ_ONCE(meta->request.csum_offset);
+
+		if (unlikely(csum_start + csum_offset +
 			     sizeof(__sum16) > desc->len))
 			return -EINVAL;
 
-		skb->csum_start = hr + meta->request.csum_start;
-		skb->csum_offset = meta->request.csum_offset;
+		skb->csum_start = hr + csum_start;
+		skb->csum_offset = csum_offset;
 		skb->ip_summed = CHECKSUM_PARTIAL;
 
 		if (unlikely(pool->tx_sw_csum)) {
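
Review bot: `meta->flags` in `if (meta->flags & XDP_TXMD_FLAGS_CHECKSUM)` is still a plain load from the same userspace-writable metadata area, while the two csum fields just below it now go through READ_ONCE(). The commit message argues that inconsistency between fields is benign, but the flags load should be READ_ONCE() as well so the compiler cannot re-read it and the access is marked for KCSAN. csum_start and csum_offset are only used inside this branch, so they could be declared there instead of at function scope.
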
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread
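
The double fetch described in the xsk commit message above, modelled in userspace C as an added example (not code from the patch or from the kernel). The struct layout, the function names and the hook that stands in for the racing userspace writer are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the checksum request fields that live in memory
 * the other side can rewrite at any time (hypothetical layout, not the UAPI
 * struct). volatile forces a real load on every access, roughly what
 * READ_ONCE() does in the kernel. */
struct shared_meta {
	volatile uint16_t csum_start;
	volatile uint16_t csum_offset;
};

/* What the validated request hands on to the checksum code. */
struct csum_req {
	uint32_t start;
	uint32_t offset;
};

/* Called at the point where a concurrent writer could run, so the
 * interleaving is deterministic. NULL means no concurrent write. */
typedef void (*race_hook)(struct shared_meta *m);

#define CSUM_FIELD_LEN 2u /* size of the 16-bit checksum field */

/* Double fetch: the bounds check uses one load of each field, the
 * assignment uses a second load. */
int parse_double_fetch(struct shared_meta *m, uint32_t desc_len,
		       struct csum_req *out, race_hook hook)
{
	if ((uint32_t)m->csum_start + m->csum_offset + CSUM_FIELD_LEN > desc_len)
		return -1;
	if (hook)
		hook(m);                 /* writer runs between check and use */
	out->start = m->csum_start;      /* second fetch, never validated */
	out->offset = m->csum_offset;
	return 0;
}

/* Single fetch: each field is loaded once into a local, and the local is
 * what gets both validated and used. */
int parse_single_fetch(struct shared_meta *m, uint32_t desc_len,
		       struct csum_req *out, race_hook hook)
{
	uint16_t start = m->csum_start;
	uint16_t offset = m->csum_offset;

	if (hook)
		hook(m);                 /* writer can no longer affect us */
	if ((uint32_t)start + offset + CSUM_FIELD_LEN > desc_len)
		return -1;
	out->start = start;
	out->offset = offset;
	return 0;
}

/* Constructed racing write: moves csum_start far past any descriptor. */
static void writer_sets_large_start(struct shared_meta *m)
{
	m->csum_start = 0xfff0;
}

/* 1 if the request that was handed on stays inside the descriptor. */
int req_in_bounds(const struct csum_req *r, uint32_t desc_len)
{
	return r->start + r->offset + CSUM_FIELD_LEN <= desc_len;
}

int main(void)
{
	struct shared_meta m = { 14, 16 };   /* constructed sample values */
	struct csum_req r = { 0, 0 };
	int rc;

	rc = parse_double_fetch(&m, 64, &r, writer_sets_large_start);
	printf("double fetch: rc=%d start=%u in_bounds=%d\n",
	       rc, (unsigned)r.start, req_in_bounds(&r, 64));

	m.csum_start = 14;
	rc = parse_single_fetch(&m, 64, &r, writer_sets_large_start);
	printf("single fetch: rc=%d start=%u in_bounds=%d\n",
	       rc, (unsigned)r.start, req_in_bounds(&r, 64));
	return 0;
}
```

The single-fetch variant can still observe a stale value, which matches the commit message's point: the invariant that matters is that the value validated is the value used.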

* [PATCH 6.1 138/522] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 137/522] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 139/522] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
                   ` (384 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolás Bazaes, Dmitry Torokhov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolás Bazaes <contacto@bazaes.cl>

commit 16ca52bc209fa4bf9239cd9e5643e95533476b58 upstream.

The Lenovo ThinkPad E490 (PNP ID: LEN2058) has a Synaptics TM3471-020
touchpad that supports SMBus/RMI4 mode but is not listed in
smbus_pnp_ids[]. Without this entry, RMI4 over SMBus is not enabled
by default, and the touchpad falls back to PS/2 mode.

Adding LEN2058 to the passlist enables automatic RMI4 detection without
requiring the psmouse.synaptics_intertouch parameter, and matches
the behavior of similar ThinkPad models already in the list
(E480/LEN2054, E580/LEN2055).

Tested on ThinkPad E490 with kernel 7.0.5-zen1 and Arch Linux.
RMI4 over SMBus is confirmed working without any kernel parameters.

Signed-off-by: Nicolás Bazaes <contacto@bazaes.cl>
Assisted-by: Claude:claude-sonnet-4-6
Link: https://patch.msgid.link/20260514013552.14234-1-contacto@bazaes.cl
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/synaptics.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -189,6 +189,7 @@ static const char * const smbus_pnp_ids[
 	"LEN2044", /* L470  */
 	"LEN2054", /* E480 */
 	"LEN2055", /* E580 */
+	"LEN2058", /* E490 */
 	"LEN2068", /* T14 Gen 1 */
 	"SYN1221", /* TUXEDO InfinityBook Pro 14 v5 */
 	"SYN3003", /* HP EliteBook 850 G1 */



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 055/378] octeontx2-pf: Fix NDC sync operation errors
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 054/378] xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 056/378] octeontx2-af: Fix initialization of mcams entry2target_pffunc field Greg Kroah-Hartman
                   ` (323 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geetha sowjanya, Subbaraya Sundeep,
	Simon Horman, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geetha sowjanya <gakula@marvell.com>

[ Upstream commit a910fb8f7b9e4c566db363e6c2ec378dc7153995 ]

On system reboot "rvu_nicpf 0002:03:00.0: NDC sync operation failed"
error messages are shown, even if the operation is successful.
This is due to a wrong if error check in the ndc_syc() function.

Fixes: 42c45ac1419c ("octeontx2-af: Sync NIX and NPA contexts from NDC to LLC/DRAM")
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/1780054677-17249-1-git-send-email-sbhatta@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
index ee623476e5ff1a..f9fbf0c1764825 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
@@ -3473,7 +3473,7 @@ static void otx2_ndc_sync(struct otx2_nic *pf)
 	req->nix_lf_rx_sync = 1;
 	req->npa_lf_sync = 1;
 
-	if (!otx2_sync_mbox_msg(mbox))
+	if (otx2_sync_mbox_msg(mbox))
 		dev_err(pf->dev, "NDC sync operation failed\n");
 
 	mutex_unlock(&mbox->lock);
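
Review bot: otx2_ndc_sync() throws away the return value of otx2_sync_mbox_msg(), so the corrected message still says only that the sync failed. Storing the result in a local and printing it (for example `"NDC sync operation failed: %d\n"`) would make the log line usable for triage, since the function is void and cannot propagate the error.
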
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 139/522] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 138/522] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 140/522] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
                   ` (383 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 542f5248cb481073203e0dadab5bcbd28aeae308 upstream.

Commit 783ddaebd397 ("staging: comedi: comedi_test: support
scan_begin_src == TRIG_FOLLOW") neglected to add a test that
`scan_begin_src` has only one bit set.  The allowed values are
`TRIG_FOLLOW` and `TRIG_TIMER`, but the code incorrectly also allows
`TRIG_FOLLOW | TRIG_TIMER`.  Add a call to
`comedi_check_trigger_is_unique()` to check that only one trigger source
bit is set.

Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422162138.36003-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/comedi/drivers/comedi_test.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -271,6 +271,7 @@ static int waveform_ai_cmdtest(struct co
 	/* Step 2a : make sure trigger sources are unique */
 
 	err |= comedi_check_trigger_is_unique(cmd->convert_src);
+	err |= comedi_check_trigger_is_unique(cmd->scan_begin_src);
 	err |= comedi_check_trigger_is_unique(cmd->stop_src);
 
 	/* Step 2b : and mutually compatible */
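Review bot: The added `comedi_check_trigger_is_unique(cmd->scan_begin_src)` line in Step 2a carries no hint of which sources are legal for this field, which is how the check was missed in the first place. A short comment next to it stating that scan_begin_src may be TRIG_FOLLOW or TRIG_TIMER but not both would document the reason for the check.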



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 056/378] octeontx2-af: Fix initialization of mcams entry2target_pffunc field
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 055/378] octeontx2-pf: Fix NDC sync operation errors Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 057/378] af_unix: Fix inq_len update problem in partial read Greg Kroah-Hartman
                   ` (322 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Suman Ghosh, Subbaraya Sundeep,
	Simon Horman, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suman Ghosh <sumang@marvell.com>

[ Upstream commit 9a85ec3dc28b6df246801c19e4d9bae6297a25b0 ]

NPC mcam entry stores a mapping between mcam entry and target pcifunc.
During initialization of this field, the kmalloc_array API was used, which
left junk values in the array, whereas the array is expected to be
initialized to 0. This patch fixes that by using kcalloc instead of
kmalloc_array.

Fixes: 55307fcb9258 ("octeontx2-af: Add mbox messages to install and delete MCAM rules")
Signed-off-by: Suman Ghosh <sumang@marvell.com>
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/1780054625-17090-1-git-send-email-sbhatta@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
index e28675fe189071..a0d2ed56186d8d 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
@@ -1932,8 +1932,8 @@ int npc_mcam_rsrcs_init(struct rvu *rvu, int blkaddr)
 		goto free_entry_cntr_map;
 
 	/* Alloc memory for saving target device of mcam rule */
-	mcam->entry2target_pffunc = kmalloc_array(mcam->total_entries,
-						  sizeof(u16), GFP_KERNEL);
+	mcam->entry2target_pffunc = kcalloc(mcam->total_entries,
+					    sizeof(u16), GFP_KERNEL);
 	if (!mcam->entry2target_pffunc)
 		goto free_cntr_refcnt;
 
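Review bot: The comment above the kcalloc() call still reads "Alloc memory for saving target device of mcam rule" and does not say that the array must start out zeroed, which is the whole point of the change. Extend the comment to state that a zero entry is the expected initial value, so a later cleanup does not switch the call back to kmalloc_array().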
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 140/522] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 139/522] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 141/522] counter: Fix refcount leak in counter_alloc() error path Greg Kroah-Hartman
                   ` (382 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 8a3bee801d420be8a7a0bae4a26547b353b8fe22 upstream.

The function checks and possibly modifies the description of an
asynchronous command to be run on the analog input subdevice of a comedi
device attached to the "comedi_test" driver, returning 0 if no
modifications were required, or a positive value that indicates which
step of the checking process it failed on.  Step 4 fixes up various
argument values for various trigger sources.

There are two bugs in the fixing up of the `convert_arg` value to keep
the `scan_begin_arg` value within the range of `unsigned int` when
`scan_begin_src` and `convert_src` both have the value `TRIG_TIMER`,
which indicates that the corresponding `_arg` values hold a time period
in nanoseconds.  The code also uses `scan_end_arg` which holds the number
of "conversions" within each "scan".  The goal is to end up with the
scan period being less than or equal to the convert period multiplied by
the number of conversions per scan.  It intends to do that by clamping
the `convert_arg` value to a maximum value of `UINT_MAX / scan_end_arg`
rounded down to a multiple of 1000 (`NSEC_PER_USEC`).

(The rounding from nanoseconds to microseconds is because the driver is
modelling a device that uses a 1 MHz clock for timing.  This is partly
because that is a more typical timing base for real hardware devices
driven by comedi, and partly because the driver used to use `struct
timeval` internally.)

The first bug is that the code checks if `scan_begin_arg == TRIG_TIMER`
when it should be checking if `scan_begin_src == TRIG_TIMER`.  The
bugged check will always fail because if `scan_begin_src == TRIG_TIMER`,
then `scan_begin_arg` will be at least 1000 (`NSEC_PER_USEC`), otherwise
`scan_begin_src == TRIG_FOLLOW` and `scan_begin_arg` will be 0.  (N.B
`TRIG_TIMER` is defined as `0x10`.)  The second bug is that it is rounding
the maximum value down to a multiple of 1000000000 (`NSEC_PER_SEC`)
instead of 1000 (`NSEC_PER_USEC`), however this bug is not reached due
to the first bug.  This patch fixes both bugs.

Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Fixes: 5afdcad2f818 ("staging: comedi: comedi_test: limit maximum convert_arg")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422144637.27692-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/comedi/drivers/comedi_test.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -322,10 +322,10 @@ static int waveform_ai_cmdtest(struct co
 		arg = min(arg,
 			  rounddown(UINT_MAX, (unsigned int)NSEC_PER_USEC));
 		arg = NSEC_PER_USEC * DIV_ROUND_CLOSEST(arg, NSEC_PER_USEC);
-		if (cmd->scan_begin_arg == TRIG_TIMER) {
+		if (cmd->scan_begin_src == TRIG_TIMER) {
 			/* limit convert_arg to keep scan_begin_arg in range */
 			limit = UINT_MAX / cmd->scan_end_arg;
-			limit = rounddown(limit, (unsigned int)NSEC_PER_SEC);
+			limit = rounddown(limit, (unsigned int)NSEC_PER_USEC);
 			arg = min(arg, limit);
 		}
 		err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
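Review bot: With the corrected `cmd->scan_begin_src == TRIG_TIMER` test this branch becomes reachable for the first time, and `limit = UINT_MAX / cmd->scan_end_arg` divides by a user-supplied value with no zero check in the visible lines. Please confirm that scan_end_arg is validated as nonzero in an earlier step of waveform_ai_cmdtest(), or guard the division here.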



^ permalink raw reply	[flat|nested] 906+ messages in thread
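
The two bugs described in the commit message above, modelled as a standalone user-space program (an added example, not the driver's code and not part of the original message). `struct demo_cmd`, `fixup_convert_arg()`, the `variant` enum and the value used for `TRIG_FOLLOW` are assumptions made for illustration; a 32-bit `unsigned int` is assumed.

```c
#include <limits.h>
#include <stdio.h>

/* TRIG_TIMER is 0x10 per the commit message; TRIG_FOLLOW's value is assumed. */
#define TRIG_FOLLOW   0x04u
#define TRIG_TIMER    0x10u
#define NSEC_PER_USEC 1000u
#define NSEC_PER_SEC  1000000000u

/* Hypothetical stand-in for the command fields used by the step 4 fix-up. */
struct demo_cmd {
	unsigned int scan_begin_src;
	unsigned int scan_begin_arg;	/* scan period in ns for TRIG_TIMER */
	unsigned int convert_arg;	/* convert period in ns */
	unsigned int scan_end_arg;	/* conversions per scan, nonzero */
};

enum variant {
	BEFORE_PATCH,		/* both bugs present */
	SRC_CHECK_ONLY,		/* first bug fixed, still rounds to NSEC_PER_SEC */
	AFTER_PATCH		/* both bugs fixed */
};

static unsigned int umin(unsigned int a, unsigned int b)
{
	return a < b ? a : b;
}

static unsigned int round_down_to(unsigned int v, unsigned int step)
{
	return v - (v % step);
}

/* Returns the convert_arg value the fix-up settles on for the given variant. */
static unsigned int fixup_convert_arg(const struct demo_cmd *cmd, enum variant v)
{
	unsigned int arg = cmd->convert_arg;
	unsigned int limit;
	int timer_scan;

	/* Round to the 1 MHz time base without overflowing unsigned int. */
	arg = umin(arg, round_down_to(UINT_MAX, NSEC_PER_USEC));
	arg = (unsigned int)(((unsigned long long)arg + NSEC_PER_USEC / 2) /
			     NSEC_PER_USEC) * NSEC_PER_USEC;

	if (v == BEFORE_PATCH)
		/* First bug: compares the period (0 or >= 1000) with 0x10. */
		timer_scan = (cmd->scan_begin_arg == TRIG_TIMER);
	else
		timer_scan = (cmd->scan_begin_src == TRIG_TIMER);

	if (timer_scan) {
		/* limit convert_arg to keep scan_begin_arg in range */
		limit = UINT_MAX / cmd->scan_end_arg;
		/* Second bug: rounding to whole seconds can collapse to 0. */
		limit = round_down_to(limit, v == AFTER_PATCH ?
				      NSEC_PER_USEC : NSEC_PER_SEC);
		arg = umin(arg, limit);
	}
	return arg;
}

/* True when convert period times conversions per scan fits in unsigned int. */
static int scan_period_fits(unsigned int convert_arg, unsigned int scan_end_arg)
{
	return (unsigned long long)convert_arg * scan_end_arg <= UINT_MAX;
}

int main(void)
{
	/* Constructed sample commands: 2 s convert period, 4 or 8 channels. */
	static const struct demo_cmd samples[] = {
		{ TRIG_TIMER, 1000, 2000000000u, 4 },
		{ TRIG_TIMER, 1000, 2000000000u, 8 },
		{ TRIG_FOLLOW,   0, 2000000000u, 4 },
	};
	static const char *const names[] = { "before", "src-only", "after" };
	unsigned int i;
	int v;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		for (v = BEFORE_PATCH; v <= AFTER_PATCH; v++) {
			unsigned int arg = fixup_convert_arg(&samples[i],
							     (enum variant)v);

			printf("sample %u %-8s convert_arg=%10u fits=%d\n",
			       i, names[v], arg,
			       scan_period_fits(arg, samples[i].scan_end_arg));
		}
	}
	return 0;
}
```

The middle variant shows why the second bug matters once the first is fixed: with 8 conversions per scan the limit rounds down to 0 instead of 536870000.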

* [PATCH 7.0 057/378] af_unix: Fix inq_len update problem in partial read
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 056/378] octeontx2-af: Fix initialization of mcams entry2target_pffunc field Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 058/378] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
                   ` (321 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jianyu Li, Kuniyuki Iwashima,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jianyu Li <jianyu.li@mediatek.com>

[ Upstream commit c1f07a7f2d47aeb9878301e7bb36bc1c2bc2be8e ]

Currently inq_len is updated only when the whole skb is consumed.
If only part of the data is read, a following SIOCINQ query would
get a value greater than what is actually left.

This change updates inq_len promptly in unix_stream_read_generic(),
and adjusts unix_stream_read_skb() accordingly to prevent
repeated updates.

Fixes: f4e1fb04c123 ("af_unix: Use cached value for SOCK_STREAM in unix_inq_len().")
Signed-off-by: Jianyu Li <jianyu.li@mediatek.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260601113640.231897-2-jianyu.li@mediatek.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/unix/af_unix.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index c3d68bf26ce19b..62ec16c8ab2ede 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2882,7 +2882,7 @@ static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
 		return -EAGAIN;
 	}
 
-	WRITE_ONCE(u->inq_len, u->inq_len - skb->len);
+	WRITE_ONCE(u->inq_len, u->inq_len - unix_skb_len(skb));
 
 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
 	if (skb == u->oob_skb) {
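Review bot: The switch from `skb->len` to `unix_skb_len(skb)` in the WRITE_ONCE() line depends on unix_stream_read_generic() having already subtracted the consumed part of this skb from inq_len, and nothing in the code says so. A one-line comment here stating that only the unread remainder is subtracted would keep the two paths from drifting apart again.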
@@ -3059,11 +3059,12 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
 				unix_detach_fds(&scm, skb);
 			}
 
-			if (unix_skb_len(skb))
-				break;
-
 			spin_lock(&sk->sk_receive_queue.lock);
-			WRITE_ONCE(u->inq_len, u->inq_len - skb->len);
+			WRITE_ONCE(u->inq_len, u->inq_len - chunk);
+			if (unix_skb_len(skb)) {
+				spin_unlock(&sk->sk_receive_queue.lock);
+				break;
+			}
 			__skb_unlink(skb, &sk->sk_receive_queue);
 			spin_unlock(&sk->sk_receive_queue.lock);
 
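Review bot: The partial-read path now takes sk_receive_queue.lock only to update inq_len and then unlocks in two separate places, once inside the new `if (unix_skb_len(skb))` block and once after __skb_unlink(). Consider restructuring so that the unlink is conditional and there is a single spin_unlock(), which makes the lock pairing easier to audit; a comment that `chunk` is the number of bytes just consumed would also help.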
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 141/522] counter: Fix refcount leak in counter_alloc() error path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 140/522] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 142/522] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
                   ` (381 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, William Breathitt Gray

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit d9eeb0ea0d2de658663bfaa9c26eccdd8fd64440 upstream.

After device_initialize(), the lifetime of the embedded struct device
is expected to be managed through the device core reference counting.

In counter_alloc(), if dev_set_name() fails after device_initialize(),
the error path removes the chrdev, frees the ID, and frees the backing
allocation directly instead of releasing the device reference with
put_device(). This bypasses the normal device lifetime rules and may
leave the reference count of the embedded struct device unbalanced,
resulting in a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using put_device() in the dev_set_name() failure path and
let counter_device_release() handle the final cleanup.

Fixes: 4da08477ea1f ("counter: Set counter device name")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://lore.kernel.org/r/20260413134604.2861772-1-lgs201920130244@gmail.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/counter/counter-core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/counter/counter-core.c
+++ b/drivers/counter/counter-core.c
@@ -123,7 +123,8 @@ struct counter_device *counter_alloc(siz
 
 err_dev_set_name:
 
-	counter_chrdev_remove(counter);
+	put_device(dev);
+	return NULL;
 err_chrdev_add:
 
 	ida_free(&counter_ida, dev->id);
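Review bot: The `return NULL` added under `err_dev_set_name:` splits the error ladder, so this label no longer falls through to `err_chrdev_add:` and the remaining cleanup. Add a comment at the put_device() call saying that the release callback now performs the chrdev removal, ID free and kfree, otherwise the missing counter_chrdev_remove() reads like a leak to the next person touching this path.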



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 058/378] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 057/378] af_unix: Fix inq_len update problem in partial read Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 059/378] ptp: vclock: Switch from RCU to SRCU Greg Kroah-Hartman
                   ` (320 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tamir Shahar, Amit Klein,
	Eric Dumazet, David Ahern, Ido Schimmel, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c ]

This patch restricts setting Loose Source and Record Route (LSRR)
and Strict Source and Record Route (SSRR) IP options to users
with CAP_NET_RAW capability.

This prevents unprivileged applications from forcing packets to route
through attacker-controlled nodes to leak TCP ISN and possibly other
protocol information.

While LSRR and SSRR are commonly filtered in many network environments,
they may still be supported and forwarded along some network paths.

RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing
IPv4 Options) recommends dropping these options in 4.3 and 4.4.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Tamir Shahar <tamirthesis@gmail.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260602161547.2642155-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_options.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index be8815ce3ac242..09d745112c1526 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -530,6 +530,10 @@ int ip_options_get(struct net *net, struct ip_options_rcu **optp,
 		kfree(opt);
 		return -EINVAL;
 	}
+	if (opt->opt.srr && !ns_capable(net->user_ns, CAP_NET_RAW)) {
+		kfree(opt);
+		return -EPERM;
+	}
 	kfree(*optp);
 	*optp = opt;
 	return 0;
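Review bot: The new `opt->opt.srr && !ns_capable(net->user_ns, CAP_NET_RAW)` block has no comment, and it changes what unprivileged callers see from success to -EPERM. Add a short comment naming LSRR/SSRR and the reason for requiring CAP_NET_RAW, and note the user-visible behaviour change where the option interface is documented.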
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 142/522] tty: serial: pch_uart: add check for dma_alloc_coherent()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 141/522] counter: Fix refcount leak in counter_alloc() error path Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 143/522] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
                   ` (380 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zhaoyang Yu, Andy Shevchenko

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhaoyang Yu <2426767509@qq.com>

commit 6fe472c1bbbe238e91141f7cabc1226e96a60d43 upstream.

Add a check for dma_alloc_coherent() failure to prevent a potential
NULL pointer dereference in dma_handle_rx(). Properly release DMA
channels and the PCI device reference using a goto ladder if the
allocation fails.

Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Zhaoyang Yu <2426767509@qq.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/tencent_E328416B7CFD436F6029F2DF02AD7ED89C08@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/pch_uart.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -694,8 +694,7 @@ static void pch_request_dma(struct uart_
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
 			__func__);
-		pci_dev_put(dma_dev);
-		return;
+		goto err_pci_get;
 	}
 	priv->chan_tx = chan;
 
@@ -709,18 +708,26 @@ static void pch_request_dma(struct uart_
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Rx)\n",
 			__func__);
-		dma_release_channel(priv->chan_tx);
-		priv->chan_tx = NULL;
-		pci_dev_put(dma_dev);
-		return;
+		goto err_req_tx;
 	}
 
 	/* Get Consistent memory for DMA */
 	priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
 				    &priv->rx_buf_dma, GFP_KERNEL);
+	if (!priv->rx_buf_virt)
+		goto err_req_rx;
 	priv->chan_rx = chan;
 
 	pci_dev_put(dma_dev);
+	return;
+
+err_req_rx:
+	dma_release_channel(chan);
+err_req_tx:
+	dma_release_channel(priv->chan_tx);
+	priv->chan_tx = NULL;
+err_pci_get:
+	pci_dev_put(dma_dev);
 }
 
 static void pch_dma_rx_complete(void *arg)
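Review bot: The new `if (!priv->rx_buf_virt) goto err_req_rx;` path fails silently, while both dma_request_channel() failures above it log through dev_err(). Since pch_request_dma() returns void and the caller cannot see the failure, add a matching dev_err() for the allocation failure so a fallback away from DMA is visible in the log.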



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 059/378] ptp: vclock: Switch from RCU to SRCU
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 058/378] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 060/378] net: airoha: Fix use-after-free in metadata dst teardown Greg Kroah-Hartman
                   ` (319 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Zeitz, Kurt Kanzenbach,
	Sebastian Andrzej Siewior, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kurt Kanzenbach <kurt@linutronix.de>

[ Upstream commit 672bd0519e27c357c43b7f8c0d653fce3817d06e ]

The usage of PTP vClocks leads immediately to the following issues with
ptp4l with LOCKDEP and DEBUG_ATOMIC_SLEEP enabled: "BUG: sleeping function
called from invalid context".

ptp_convert_timestamp() acquires a mutex_t within an RCU read section.  This
is illegal, because acquiring a mutex_t can result in a voluntary scheduling
request which is not allowed within an RCU read section.

Replace the RCU usage with SRCU where sleeping is allowed.

Reported-by: Florian Zeitz <florian.zeitz@schettke.com>
Closes: https://lore.kernel.org/all/00a8cce8-410e-4038-98af-49be6d93d7bd@schettke.com/
Fixes: 67d93ffc0f3c ("ptp: vclock: use mutex to fix "sleep on atomic" bug")
Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20260529-vclock_rcu-v2-1-02a5531fab92@linutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ptp/ptp_vclock.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/ptp/ptp_vclock.c b/drivers/ptp/ptp_vclock.c
index 915a4f6defc945..84cb527f59ccc6 100644
--- a/drivers/ptp/ptp_vclock.c
+++ b/drivers/ptp/ptp_vclock.c
@@ -19,6 +19,8 @@ static DEFINE_SPINLOCK(vclock_hash_lock);
 
 static DEFINE_READ_MOSTLY_HASHTABLE(vclock_hash, 8);
 
+DEFINE_STATIC_SRCU(vclock_srcu);
+
 static void ptp_vclock_hash_add(struct ptp_vclock *vclock)
 {
 	spin_lock(&vclock_hash_lock);
@@ -37,7 +39,7 @@ static void ptp_vclock_hash_del(struct ptp_vclock *vclock)
 
 	spin_unlock(&vclock_hash_lock);
 
-	synchronize_rcu();
+	synchronize_srcu(&vclock_srcu);
 }
 
 static int ptp_vclock_adjfine(struct ptp_clock_info *ptp, long scaled_ppm)
@@ -276,14 +278,16 @@ ktime_t ptp_convert_timestamp(const ktime_t *hwtstamp, int vclock_index)
 {
 	unsigned int hash = vclock_index % HASH_SIZE(vclock_hash);
 	struct ptp_vclock *vclock;
-	u64 ns;
 	u64 vclock_ns = 0;
+	int srcu_idx;
+	u64 ns;
 
 	ns = ktime_to_ns(*hwtstamp);
 
-	rcu_read_lock();
+	srcu_idx = srcu_read_lock(&vclock_srcu);
 
-	hlist_for_each_entry_rcu(vclock, &vclock_hash[hash], vclock_hash_node) {
+	hlist_for_each_entry_srcu(vclock, &vclock_hash[hash], vclock_hash_node,
+				  srcu_read_lock_held(&vclock_srcu)) {
 		if (vclock->clock->index != vclock_index)
 			continue;
 
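Review bot: Moving the `u64 ns;` declaration below `vclock_ns` is unrelated churn in a fix that is headed for stable; keep the original order and only add `int srcu_idx;`. A comment at srcu_read_lock() noting that the loop body takes a mutex, which is why plain RCU cannot be used, would stop a later conversion back to rcu_read_lock().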
@@ -294,7 +298,7 @@ ktime_t ptp_convert_timestamp(const ktime_t *hwtstamp, int vclock_index)
 		break;
 	}
 
-	rcu_read_unlock();
+	srcu_read_unlock(&vclock_srcu, srcu_idx);
 
 	return ns_to_ktime(vclock_ns);
 }
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 143/522] usb: chipidea: core: convert ci_role_switch to local variable
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 142/522] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 144/522] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
                   ` (379 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Frank Li,
	Xu Yang

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit 8f6aa392653e52a45858cff5c063df550028836b upstream.

When a system contains multiple USB controllers, the global ci_role_switch
variable may be overwritten by subsequent driver initialization code.

This can cause issues in the following cases:
 - The 2nd ci_hdrc_probe() sees ci_role_switch.fwnode as non-NULL even
   though the "usb-role-switch" property is not present for the controller.
 - When the ci_hdrc device is unbound and bound again, ci_role_switch
   fwnode will not be reassigned, and the old value will be used instead.

Convert ci_role_switch to a local variable to fix these issues.

Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support")
Cc: stable <stable@kernel.org>
Acked-by: Peter Chen <peter.chen@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260427075755.3611217-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/chipidea/core.c |   16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -661,12 +661,6 @@ static int ci_usb_role_switch_set(struct
 	return 0;
 }
 
-static struct usb_role_switch_desc ci_role_switch = {
-	.set = ci_usb_role_switch_set,
-	.get = ci_usb_role_switch_get,
-	.allow_userspace_control = true,
-};
-
 static int ci_get_platdata(struct device *dev,
 		struct ci_hdrc_platform_data *platdata)
 {
@@ -793,9 +787,6 @@ static int ci_get_platdata(struct device
 			cable->connected = false;
 	}
 
-	if (device_property_read_bool(dev, "usb-role-switch"))
-		ci_role_switch.fwnode = dev->fwnode;
-
 	platdata->pctl = devm_pinctrl_get(dev);
 	if (!IS_ERR(platdata->pctl)) {
 		struct pinctrl_state *p;
@@ -1016,6 +1007,7 @@ ATTRIBUTE_GROUPS(ci);
 
 static int ci_hdrc_probe(struct platform_device *pdev)
 {
+	struct usb_role_switch_desc ci_role_switch = {};
 	struct device	*dev = &pdev->dev;
 	struct ci_hdrc	*ci;
 	struct resource	*res;
@@ -1159,7 +1151,11 @@ static int ci_hdrc_probe(struct platform
 		}
 	}
 
-	if (ci_role_switch.fwnode) {
+	if (device_property_read_bool(dev, "usb-role-switch")) {
+		ci_role_switch.set = ci_usb_role_switch_set;
+		ci_role_switch.get = ci_usb_role_switch_get;
+		ci_role_switch.allow_userspace_control = true;
+		ci_role_switch.fwnode = dev_fwnode(dev);
 		ci_role_switch.driver_data = ci;
 		ci->role_switch = usb_role_switch_register(dev,
 					&ci_role_switch);
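Review bot: usb_role_switch_register() is now passed `&ci_role_switch`, a descriptor that lives on the ci_hdrc_probe() stack, so this is only safe if the callee copies what it needs and keeps no pointer to the descriptor after returning. Please confirm that and say so in the commit message; renaming the local to something like `desc` would also avoid it being mistaken for the old file-scope variable.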



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 060/378] net: airoha: Fix use-after-free in metadata dst teardown
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 059/378] ptp: vclock: Switch from RCU to SRCU Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 061/378] net: ethernet: mtk_eth_soc: " Greg Kroah-Hartman
                   ` (318 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Bianconi <lorenzo@kernel.org>

[ Upstream commit b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0 ]

airoha_metadata_dst_free() runs metadata_dst_free() which frees the
metadata_dst with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.

Fixes: af3cf757d5c9 ("net: airoha: Move DSA tag in DMA descriptor")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260602-airoha-mtk-metadata-uaf-fix-v1-1-3aaa99d83351@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/airoha/airoha_eth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 13f74335928660..698a305ca694c6 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -2935,7 +2935,7 @@ static void airoha_metadata_dst_free(struct airoha_gdm_port *port)
 		if (!port->dsa_meta[i])
 			continue;
 
-		metadata_dst_free(port->dsa_meta[i]);
+		dst_release(&port->dsa_meta[i]->dst);
 	}
 }
 
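Review bot: After `dst_release(&port->dsa_meta[i]->dst)` the array slot still holds the old pointer, and the loop's own `if (!port->dsa_meta[i])` test shows that NULL is what marks an empty slot. Set `port->dsa_meta[i] = NULL` after the release so a second call to airoha_metadata_dst_free() or a later reader cannot pick up a pointer whose reference has been dropped.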
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 144/522] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 143/522] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 145/522] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
                   ` (378 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Tao Xue

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Pecio <michal.pecio@gmail.com>

commit 727d045d064b7c9a24db3bce9c0485a382cb768b upstream.

Tao Xue found that some common devices violate USB 3.x section 9.6.7
by reporting wBytesPerInterval lower than the size of packets they
actually send. I confirmed that AX88179 may set it to 0 and RTL8153
CDC configuration sets it to 8 but sends both 8 and 16 byte packets:

S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 8 = a1000000 01000000
S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 16 = a12a0000 01000800 00000000 00000000

Most xHCI host controllers neglect interrupt bandwidth reservations
and let such devices exceed theirs, some fail the URB with EOVERFLOW.

Assume that wBytesPerInterval lower than wMaxPacketSize is bogus and
increase it to the worst case maximum on interrupt IN endpoints. This
solves xHCI problems and appears to have no other effect. Interrupt
transfers are not limited to one interval and drivers submit URBs of
class defined size without looking at wBytesPerInterval. Any multi-
interval transfer is considered terminated by a packet shorter than
wMaxPacketSize regardless of wBytesPerInterval - see USB3 8.10.3.

Stay in spec on OUT endpoints and isochronous. No buggy devices are
known and we don't want to risk sending more data than the device
is prepared to handle or confusing isoc drivers regarding altsetting
capacities guaranteed by the device itself. And don't complain when
wMaxPacketSize <= wBytesPerInterval < wMaxPacketSize * (bMaxBurst+1)
because enabling this seems to be the exact goal of the spec.

Reported-and-tested-by: Tao Xue <xuetao09@huawei.com>
Closes: https://lore.kernel.org/linux-usb/20260402021400.28853-1-xuetao09@huawei.com/
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Link: https://patch.msgid.link/20260518073207.5b7d26e7.michal.pecio@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/config.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -165,7 +165,14 @@ static void usb_parse_ss_endpoint_compan
 			(desc->bMaxBurst + 1);
 	else
 		max_tx = 999999;
-	if (le16_to_cpu(desc->wBytesPerInterval) > max_tx) {
+	/*
+	 * wBytesPerInterval > max_tx is bogus, but USB3 spec doesn't forbid the opposite.
+	 * Experience shows that wBytesPerInterval < wMaxPacketSize on common interrupt IN
+	 * endpoints is usually bogus too, and recent HCs enforce interrupt BW limits.
+	 */
+	if (le16_to_cpu(desc->wBytesPerInterval) > max_tx ||
+	    (le16_to_cpu(desc->wBytesPerInterval) < usb_endpoint_maxp(&ep->desc) &&
+	     usb_endpoint_is_int_in(&ep->desc))) {
 		dev_notice(ddev, "%s endpoint with wBytesPerInterval of %d in "
 				"config %d interface %d altsetting %d ep %d: "
 				"setting to %d\n",

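Review bot: the new interrupt IN case in the condition reuses the dev_notice text of the existing `> max_tx` case, so the log line cannot tell a reader which of the two rules fired, and it will now be printed on every enumeration of common devices such as the ones named in the commit message. Consider a distinct message (or a lower log level) for the `wBytesPerInterval < wMaxPacketSize` fix-up, and read `le16_to_cpu(desc->wBytesPerInterval)` once into a local instead of twice inside the condition.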



* [PATCH 7.0 061/378] net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 060/378] net: airoha: Fix use-after-free in metadata dst teardown Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 062/378] geneve: fix length used in GRO hint UDP checksum adjustment Greg Kroah-Hartman
                   ` (317 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Bianconi <lorenzo@kernel.org>

[ Upstream commit 80df409e1a483676826a6c66e693dba6ac507751 ]

mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst
with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.

Fixes: 2d7605a72906 ("net: ethernet: mtk_eth_soc: enable hardware DSA untagging")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260602-airoha-mtk-metadata-uaf-fix-v1-2-3aaa99d83351@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 796f79088f3662..2eca2b2a964fef 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -4469,7 +4469,7 @@ static int mtk_free_dev(struct mtk_eth *eth)
 	for (i = 0; i < ARRAY_SIZE(eth->dsa_meta); i++) {
 		if (!eth->dsa_meta[i])
 			break;
-		metadata_dst_free(eth->dsa_meta[i]);
+		dst_release(&eth->dsa_meta[i]->dst);
 	}
 
 	return 0;
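
Review bot: after `dst_release(&eth->dsa_meta[i]->dst)` the loop leaves `eth->dsa_meta[i]` pointing at an object that is freed once the grace period ends. Set the slot to NULL in the same iteration so a repeated teardown or a late reader of the array cannot pick up the stale pointer, and say in a short comment which reference is being dropped here.
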
-- 
2.53.0





* [PATCH 6.1 145/522] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 144/522] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 146/522] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
                   ` (377 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen J. Fuhry, stable

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen J. Fuhry <fuhrysteve@gmail.com>

commit 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 upstream.

The Lenovo ThinkPad USB-C Dock Gen2 (17ef:a391, 17ef:a392) hub
controllers exhibit link instability when USB Link Power Management
is enabled, similar to the dock's Ethernet adapter (17ef:a387) which
already carries USB_QUIRK_NO_LPM.

When the dock reconnects after a transient disconnect, the hub
controllers enter LPM states between re-enumeration retries, causing
repeated disconnect/reconnect cycles lasting up to two minutes.
Disabling LPM for these devices restores stable enumeration.

Signed-off-by: Stephen J. Fuhry <fuhrysteve@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260513171419.44849-1-fuhrysteve@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/quirks.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -511,6 +511,10 @@ static const struct usb_device_id usb_qu
 	/* Lenovo ThinkPad USB-C Dock Gen2 Ethernet (RTL8153 GigE) */
 	{ USB_DEVICE(0x17ef, 0xa387), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* Lenovo ThinkPad USB-C Dock Gen2 USB 3.1 and USB 2.0 hub controllers */
+	{ USB_DEVICE(0x17ef, 0xa391), .driver_info = USB_QUIRK_NO_LPM },
+	{ USB_DEVICE(0x17ef, 0xa392), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* BUILDWIN Photo Frame */
 	{ USB_DEVICE(0x1908, 0x1315), .driver_info =
 			USB_QUIRK_HONOR_BNUMINTERFACES },
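
Review bot: the added comment covers both new entries but does not say which of 0xa391 and 0xa392 is the USB 3.1 hub and which is the USB 2.0 hub. Put the mapping in the comment (or one comment per entry) so that a later report against only one of the two hubs can be matched to its line.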




* [PATCH 7.0 062/378] geneve: fix length used in GRO hint UDP checksum adjustment
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 061/378] net: ethernet: mtk_eth_soc: " Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 063/378] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
                   ` (316 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Sashiko, Antoine Tenart,
	Simon Horman, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoine Tenart <atenart@kernel.org>

[ Upstream commit 1231623fd3b5aa6b41cce799ffb0d82e10914be4 ]

In geneve_post_decap_hint the length used for adjusting the UDP checksum
should be 'skb->len - gro_hint->nested_tp_offset' (UDP length) instead
of 'skb->len - gro_hint->nested_nh_offset' (IP length).

Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path")
Cc: Paolo Abeni <pabeni@redhat.com>
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260521131436.748832-1-jhs%40mojatatu.com
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260529144713.780938-1-atenart@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/geneve.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 01cdd06102e0db..8ea9482d52e538 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -633,7 +633,7 @@ static int geneve_post_decap_hint(const struct sock *sk, struct sk_buff *skb,
 	uh = udp_hdr(skb);
 	uh->len = htons(skb->len - gro_hint->nested_tp_offset);
 	if (uh->check) {
-		len = skb->len - gro_hint->nested_nh_offset;
+		len = skb->len - gro_hint->nested_tp_offset;
 		skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
 		if (gro_hint->nested_is_v6)
 			uh->check = ~udp_v6_check(len, &ipv6h->saddr,
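
Review bot: the corrected `len` is now the same expression as the one two lines up in `uh->len = htons(skb->len - gro_hint->nested_tp_offset)`, written out a second time. Compute the UDP length once before `uh->len` is set and use that variable for both the header field and the checksum, so the two cannot drift apart again the way this bug shows they can.
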
-- 
2.53.0





* [PATCH 6.1 146/522] usb: storage: Add quirks for PNY Elite Portable SSD
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 145/522] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 147/522] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
                   ` (376 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Burkels, Oliver Neukum, stable

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Burkels <sam@1a38.nl>

commit b53ebb811e00be50a779ce4e7aee604178b4a825 upstream.

The PNY Elite Portable SSD (USB ID 154b:f009) is a sibling of the
already-quirked PNY Pro Elite SSDs (154b:f00b and 154b:f00d). Like its
siblings, it uses a Phison-based USB-SATA bridge that exhibits
firmware bugs when bound to the uas driver.

Without quirks, the device fails to complete READ CAPACITY commands
when accessed over UAS on a SuperSpeed (USB 3) port. The device
enumerates and reports as a SCSI direct-access device, but reports
zero logical blocks and never finishes spin-up:

    usb 2-3: new SuperSpeed USB device number 8 using xhci_hcd
    usb 2-3: New USB device found, idVendor=154b, idProduct=f009
    usb 2-3: Product: PNY ELITE PSSD
    usb 2-3: Manufacturer: PNY
    scsi host0: uas
    scsi 0:0:0:0: Direct-Access     PNY      PNY ELITE PSSD   0
    sd 0:0:0:0: [sda] Spinning up disk...
    [...10+ seconds of polling, no progress...]
    sd 0:0:0:0: [sda] Read Capacity(16) failed: hostbyte=DID_ERROR
    sd 0:0:0:0: [sda] Read Capacity(10) failed: hostbyte=DID_ERROR
    sd 0:0:0:0: [sda] 0 512-byte logical blocks: (0 B/0 B)

Tested each individual quirk to find the minimum that fixes this:
  - US_FL_NO_ATA_1X alone: device hangs on spin-up
  - US_FL_NO_REPORT_OPCODES alone: works on USB 2.0, hangs on USB 3.0
  - US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES: works on both

With both quirks the device enumerates correctly while still using
the uas driver, and delivers full UAS throughput (~281 MB/s
sequential read on a USB 3.0 Gen 1 port).

The existing PNY Pro Elite entries (f00b, f00d) only set NO_ATA_1X,
but this device additionally chokes on REPORT OPCODES under
SuperSpeed.

Signed-off-by: Sam Burkels <sam@1a38.nl>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260501132346.86572-1-sam@1a38.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/unusual_uas.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -132,6 +132,13 @@ UNUSUAL_DEV(0x152d, 0x0583, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_NO_REPORT_OPCODES),
 
+/* Reported-by: Sam Burkels <sam@1a38.nl> */
+UNUSUAL_DEV(0x154b, 0xf009, 0x0000, 0x9999,
+		"PNY",
+		"PNY ELITE PSSD",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES),
+
 /* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
 UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999,
 		"PNY",

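Review bot: the new entry carries only a Reported-by comment, while the reason it needs `US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES` (either flag alone still hangs on a SuperSpeed port) is recorded only in the commit message. Add a one-line comment above the entry stating that both flags are required, so the extra flag is not dropped later to match the sibling f00b/f00d entries.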



* [PATCH 7.0 063/378] net/sched: fix pedit partial COW leading to page cache corruption
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 062/378] geneve: fix length used in GRO hint UDP checksum adjustment Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 064/378] sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing Greg Kroah-Hartman
                   ` (315 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yiming Qian, Keenan Dong,
	Han Guidong, Zhang Cen, Davide Caratti,
	Toke Høiland-Jørgensen, Victor Nogueira,
	Jamal Hadi Salim, Rajat Gupta, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>

[ Upstream commit 899ee91156e57784090c5565e4f31bd7dbffbc5a ]

tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.

Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Reported-by: Han Guidong <2045gemini@gmail.com>
Reported-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Han Guidong <2045gemini@gmail.com>
Tested-by: Han Guidong <2045gemini@gmail.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Tested-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Link: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/tc_act/tc_pedit.h |  1 -
 net/sched/act_pedit.c         | 77 +++++++++++++++++++----------------
 2 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
index f58ee15cd858cf..cb7b82f2cbc7fd 100644
--- a/include/net/tc_act/tc_pedit.h
+++ b/include/net/tc_act/tc_pedit.h
@@ -15,7 +15,6 @@ struct tcf_pedit_parms {
 	struct tc_pedit_key	*tcfp_keys;
 	struct tcf_pedit_key_ex	*tcfp_keys_ex;
 	int action;
-	u32 tcfp_off_max_hint;
 	unsigned char tcfp_nkeys;
 	unsigned char tcfp_flags;
 	struct rcu_head rcu;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index bc20f08a278901..bd3b1da3cd63b5 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -16,6 +16,8 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/slab.h>
+#include <linux/overflow.h>
+#include <linux/unaligned.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
@@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
 		goto out_free_ex;
 	}
 
-	nparms->tcfp_off_max_hint = 0;
 	nparms->tcfp_flags = parm->flags;
 	nparms->tcfp_nkeys = parm->nkeys;
 
@@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
 						   BITS_PER_TYPE(int) - 1,
 						   nparms->tcfp_keys[i].shift);
 
-		/* The AT option can read a single byte, we can bound the actual
-		 * value with uchar max.
-		 */
-		cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
-
-		/* Each key touches 4 bytes starting from the computed offset */
-		nparms->tcfp_off_max_hint =
-			max(nparms->tcfp_off_max_hint, cur + 4);
 	}
 
 	p = to_pedit(*a);
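
Review bot: with the hint computation removed, the loop body in tcf_pedit_init() now ends in a blank line directly before its closing brace, and the `cur` accumulator that fed `tcfp_off_max_hint` has no remaining use visible in this hunk. Drop the blank line and, if nothing else reads `cur`, remove the variable in the same patch.
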
@@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
 		call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
 }
 
-static bool offset_valid(struct sk_buff *skb, int offset)
+static bool offset_valid(struct sk_buff *skb, int offset, int len)
 {
-	if (offset > 0 && offset > skb->len)
-		return false;
-
-	if  (offset < 0 && -offset > skb_headroom(skb))
+	if (offset < -(int)skb_headroom(skb))
 		return false;
 
-	return true;
+	return offset <= (int)skb->len - len;
 }
 
 static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
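
Review bot: offset_valid() gains a `len` argument but no comment saying that it now validates the whole access [offset, offset + len) against the headroom and skb->len, and the `(int)skb->len - len` form relies on `len` being small and positive. Add a short comment stating both, since the callers pass `sizeof(_d)` and `sizeof(*ptr)` today and a later caller could pass something else.
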
@@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	struct tcf_pedit_key_ex *tkey_ex;
 	struct tcf_pedit_parms *parms;
 	struct tc_pedit_key *tkey;
-	u32 max_offset;
 	int i;
 
 	parms = rcu_dereference_bh(p->parms);
 
-	max_offset = (skb_transport_header_was_set(skb) ?
-		      skb_transport_offset(skb) :
-		      skb_network_offset(skb)) +
-		     parms->tcfp_off_max_hint;
-	if (skb_ensure_writable(skb, min(skb->len, max_offset)))
-		goto done;
-
 	tcf_lastuse_update(&p->tcf_tm);
 	tcf_action_update_bstats(&p->common, skb);
 
@@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	tkey_ex = parms->tcfp_keys_ex;
 
 	for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
+		int write_offset, write_len;
 		int offset = tkey->off;
 		int hoffset = 0;
-		u32 *ptr, hdata;
-		u32 val;
+		u32 cur_val, val;
+		u32 *ptr;
 		int rc;
 
 		if (tkey_ex) {
@@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 
 		if (tkey->offmask) {
 			u8 *d, _d;
+			int at_offset;
 
-			if (!offset_valid(skb, hoffset + tkey->at)) {
+			if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||
+			    !offset_valid(skb, at_offset, sizeof(_d))) {
 				pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
 						    hoffset + tkey->at);
 				goto bad;
 			}
-			d = skb_header_pointer(skb, hoffset + tkey->at,
+			d = skb_header_pointer(skb, at_offset,
 					       sizeof(_d), &_d);
 			if (!d)
 				goto bad;
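
Review bot: the pr_info_ratelimited() in the 'at' error path still prints `hoffset + tkey->at`, which is exactly the sum that check_add_overflow() may have just reported as overflowing, so the message repeats the signed overflow the check was added to avoid. Print `hoffset` and `tkey->at` separately, or split the overflow case into its own message as the write-offset path does with "tc action pedit offset overflow".
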
@@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 			}
 		}
 
-		if (!offset_valid(skb, hoffset + offset)) {
-			pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
+		if (check_add_overflow(hoffset, offset, &write_offset)) {
+			pr_info_ratelimited("tc action pedit offset overflow\n");
 			goto bad;
 		}
 
-		ptr = skb_header_pointer(skb, hoffset + offset,
-					 sizeof(hdata), &hdata);
-		if (!ptr)
+		if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
+			pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
+					    write_offset);
 			goto bad;
+		}
+
+		if (write_offset < 0) {
+			if (skb_cow(skb, -write_offset))
+				goto bad;
+			if (write_offset + (int)sizeof(*ptr) > 0) {
+				if (skb_ensure_writable(skb,
+							min_t(int, skb->len,
+							      write_offset + (int)sizeof(*ptr))))
+					goto bad;
+			}
+		} else {
+			if (check_add_overflow(write_offset, (int)sizeof(*ptr),
+					       &write_len))
+				goto bad;
+			if (skb_ensure_writable(skb, min_t(int, skb->len,
+							   write_len)))
+				goto bad;
+		}
+
+		ptr = (u32 *)(skb->data + write_offset);
+		cur_val = get_unaligned(ptr);
 		/* just do it, baby */
 		switch (cmd) {
 		case TCA_PEDIT_KEY_EX_CMD_SET:
 			val = tkey->val;
 			break;
 		case TCA_PEDIT_KEY_EX_CMD_ADD:
-			val = (*ptr + tkey->val) & ~tkey->mask;
+			val = (cur_val + tkey->val) & ~tkey->mask;
 			break;
 		default:
 			pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
 			goto bad;
 		}
 
-		*ptr = ((*ptr & tkey->mask) ^ val);
-		if (ptr == &hdata)
-			skb_store_bits(skb, hoffset + offset, ptr, 4);
+		put_unaligned((cur_val & tkey->mask) ^ val, ptr);
 	}
 
 	goto done;
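
Review bot: in the non-negative branch, the `check_add_overflow(write_offset, (int)sizeof(*ptr), &write_len)` test and the `min_t(int, skb->len, ...)` clamp cannot trigger once offset_valid() has accepted `write_offset <= skb->len - sizeof(*ptr)`; either drop them or add a comment that they are deliberate defence in depth. A one-line comment above `ptr = (u32 *)(skb->data + write_offset);` saying the pointer must be taken only after skb_cow()/skb_ensure_writable(), because both may reallocate the head, would also protect this ordering against later refactoring.
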
-- 
2.53.0





* [PATCH 6.1 147/522] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 146/522] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 148/522] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
                   ` (375 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Zheng Wang,
	Michael Bommarito, Shuah Khan

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit d96209626a29ea64666be98c30b30ac82e5f1be6 upstream.

This patch follows up Zheng Wang's 2023 report of a use-after-free in
vudc_remove(). The original thread stalled on Shuah Khan's request for
runtime testing of the unplug/unbind path. This patch supplies that
testing and keeps Zheng's original fix shape.

In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
vudc_remove() can then free the containing struct vudc while the timer is
still pending or executing.

KASAN confirms the race on an unpatched x86_64 QEMU guest with
CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
that repeatedly writes a socket fd to usbip_sockfd, closes the socket
pair, and unbinds/rebinds usbip-vudc.0:

  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
  Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
  Allocated by task 239:
    vudc_probe+0x4d/0xaa0
  Freed by task 239:
    kfree+0x18f/0x520
    device_release_driver_internal+0x388/0x540
    unbind_store+0xd9/0x100

This lands in the timer core rather than v_timer() itself because the
embedded timer_list is being walked after its containing struct vudc has
already been freed. The underlying lifetime bug is the same one Zheng
reported.

With v_stop_timer() called from vudc_remove() and the timer deleted
synchronously, the same harness completed 5000 bind/unbind iterations
with no KASAN report.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/usbip/vudc_dev.c      |    1 +
 drivers/usb/usbip/vudc_transfer.c |    3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *
 {
 	struct vudc *udc = platform_get_drvdata(pdev);
 
+	v_stop_timer(udc);
 	usb_del_gadget_udc(&udc->gadget);
 	cleanup_vudc_hw(udc);
 	kfree(udc);
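
Review bot: v_stop_timer() is called first in vudc_remove(), before usb_del_gadget_udc() and cleanup_vudc_hw(), and nothing in this hunk shows what prevents the timer from being started again between that call and `kfree(udc)`. Add a comment stating why no path can re-arm the timer at this point, or move the stop to directly before the free if the two calls in between can still kick it.
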
--- a/drivers/usb/usbip/vudc_transfer.c
+++ b/drivers/usb/usbip/vudc_transfer.c
@@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc)
 {
 	struct transfer_timer *t = &udc->tr_timer;
 
-	/* timer itself will take care of stopping */
+	/* Delete the timer synchronously before teardown frees udc. */
 	dev_dbg(&udc->pdev->dev, "timer stop");
+	timer_delete_sync(&t->timer);
 	t->state = VUDC_TR_STOPPED;
 }
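
Review bot: adding `timer_delete_sync(&t->timer)` turns v_stop_timer() from a non-blocking state change into a call that waits for a running timer callback, but the function gets no note about the new calling requirements. Document that it must not be called from atomic context or with a lock held that the timer callback takes, and check the other callers of v_stop_timer() against that; setting `t->state = VUDC_TR_STOPPED` before the delete rather than after would also keep a callback that checks the state from re-arming itself.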




* [PATCH 7.0 064/378] sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 063/378] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 065/378] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow Greg Kroah-Hartman
                   ` (314 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Brian Geffon, Xin Long,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 0861615c28de668669d748ef4eb913ea9262d13b ]

When a listening SCTP server processes a COOKIE_ECHO chunk, the cached
peer INIT chunk embedded after the cookie is parsed and its parameters
are later walked by sctp_process_init() using sctp_walk_params().

However, the chunk header length of this cached INIT chunk was not
validated against the remaining buffer in the COOKIE_ECHO payload. If
the length field is inflated, the parameter walk can run beyond the
actual received data, leading to out-of-bounds reads and potential
memory corruption during later parameter handling (e.g. STATE_COOKIE
processing and kmemdup() copies).

Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT
chunk length does not exceed the available data in the COOKIE_ECHO
buffer before it is used.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Brian Geffon <bgeffon@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/eb60825fa22d6f9e663c7d4dbb69f397b5d34d42.1780362366.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_make_chunk.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 2c0017d058d409..9014b095f52ddb 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1730,6 +1730,7 @@ struct sctp_association *sctp_unpack_cookie(
 	struct sctp_signed_cookie *cookie;
 	struct sk_buff *skb = chunk->skb;
 	struct sctp_cookie *bear_cookie;
+	struct sctp_chunkhdr *ch;
 	enum sctp_scope scope;
 	unsigned int len;
 	ktime_t kt;
@@ -1759,6 +1760,10 @@ struct sctp_association *sctp_unpack_cookie(
 	cookie = chunk->subh.cookie_hdr;
 	bear_cookie = &cookie->c;
 
+	ch = (struct sctp_chunkhdr *)(bear_cookie + 1);
+	if (ntohs(ch->length) > len - fixed_size)
+		goto malformed;
+
 	/* Verify the cookie's MAC, if cookie authentication is enabled. */
 	if (sctp_sk(ep->base.sk)->cookie_auth_enable) {
 		u8 mac[SHA256_DIGEST_SIZE];
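
Review bot: the new check `ntohs(ch->length) > len - fixed_size` subtracts two unsigned values and dereferences `ch` without the visible lines showing that `len` is at least `fixed_size + sizeof(*ch)`. If an earlier test in sctp_unpack_cookie() already guarantees that, reference it in a comment here; otherwise add the lower bound before reading `ch->length`, and consider also rejecting a cached INIT length smaller than the chunk header itself.
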
-- 
2.53.0





* [PATCH 6.1 148/522] usb: usbtmc: check URB actual_length for interrupt-IN notifications
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 147/522] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 149/522] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
                   ` (374 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+abbfd103085885cf16a2, stable,
	Michal Pecio, Heitor Alves de Siqueira

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

commit 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd upstream.

USBTMC devices can use an optional interrupt endpoint for notification
messages. These typically contain two-byte headers indicating the
payload format, but the driver does not check if these headers are
present before accessing the data buffers. In cases where the URB
actual_length is not enough to fit these headers, the driver will either
cause an out-of-bounds read, or consume stale leftover data from a
previous notification.

Fix by checking if actual_data contains enough bytes for the headers,
otherwise resubmit URB to the interrupt endpoint.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-1-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2310,6 +2310,14 @@ static void usbtmc_interrupt(struct urb
 
 	switch (status) {
 	case 0: /* SUCCESS */
+		/* ensure at least two bytes of headers were transferred */
+		if (urb->actual_length < 2) {
+			dev_warn(dev,
+				"actual length %d not sufficient for interrupt headers\n",
+				urb->actual_length);
+			goto exit;
+		}
+
 		/* check for valid STB notification */
 		if (data->iin_buffer[0] > 0x81) {
 			data->bNotify1 = data->iin_buffer[0];
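
Review bot: the dev_warn() added for `urb->actual_length < 2` is not rate limited, and since the path ends in `goto exit` and the URB is resubmitted, a device that keeps sending short notifications can fill the log. Use dev_warn_ratelimited(), and print the length with `%u` because `actual_length` is unsigned.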




* [PATCH 7.0 065/378] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 064/378] sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 066/378] vxlan: vnifilter: send notification on VNI add Greg Kroah-Hartman
                   ` (313 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naveen Mamindlapalli,
	Nithin Dabilpuram, Ratheesh Kannoth, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nithin Dabilpuram <ndabilpuram@marvell.com>

[ Upstream commit 1d31eb27e570daa04f5373345f9ac98c95863be9 ]

Use the CPT-aware NIX channel mask in the npc_install_flow path so that
when the host PF installs steering rules in kernel for a VF used from
userspace (e.g. DPDK), MCAM entries see the same channel mask semantics as
other RX paths.

Fixes: 56bcef528bd8 ("octeontx2-af: Use npc_install_flow API for promisc and broadcast entries")
Cc: Naveen Mamindlapalli <naveenm@marvell.com>
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Link: https://patch.msgid.link/20260602045853.1558530-1-rkannoth@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/marvell/octeontx2/af/rvu.h   |  1 +
 .../ethernet/marvell/octeontx2/af/rvu_npc.c   | 32 +++++++++----------
 .../marvell/octeontx2/af/rvu_npc_fs.c         |  2 +-
 3 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
index 3f76ec6c5cf3b9..e31d7bc4a0e9c2 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
@@ -1138,6 +1138,7 @@ int rvu_cpt_lf_teardown(struct rvu *rvu, u16 pcifunc, int blkaddr, int lf,
 			int slot);
 int rvu_cpt_ctx_flush(struct rvu *rvu, u16 pcifunc);
 int rvu_cpt_init(struct rvu *rvu);
+u32 rvu_get_cpt_chan_mask(struct rvu *rvu);
 
 #define NDC_AF_BANK_MASK       GENMASK_ULL(7, 0)
 #define NDC_AF_BANK_LINE_MASK  GENMASK_ULL(31, 16)
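Review bot: the new prototype `u32 rvu_get_cpt_chan_mask(struct rvu *rvu);` is appended to the run of `rvu_cpt_*` declarations, but the function is defined in rvu_npc.c and does not follow the `rvu_cpt_` prefix of its neighbours. Declaring it next to the NPC prototypes, with a one-line comment saying which mask it returns, would make it easier to find for callers outside rvu_npc.c.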
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
index a0d2ed56186d8d..65aa6aeab8e782 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
@@ -599,6 +599,19 @@ void npc_set_mcam_action(struct rvu *rvu, struct npc_mcam *mcam,
 			   NPC_AF_MCAMEX_BANKX_ACTION(index, bank), cfg);
 }
 
+u32 rvu_get_cpt_chan_mask(struct rvu *rvu)
+{
+	/* For cn10k the upper two bits of the channel number are
+	 * cpt channel number. with masking out these bits in the
+	 * mcam entry, same entry used for NIX will allow packets
+	 * received from cpt for parsing.
+	 */
+	if (!is_rvu_otx2(rvu))
+		return NIX_CHAN_CPT_X2P_MASK;
+	else
+		return 0xFFFu;
+}
+
 void rvu_npc_install_ucast_entry(struct rvu *rvu, u16 pcifunc,
 				 int nixlf, u64 chan, u8 *mac_addr)
 {
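Review bot: in `rvu_get_cpt_chan_mask()` the `else` after `return NIX_CHAN_CPT_X2P_MASK;` is redundant; a plain `return 0xFFFu;` after the `if` reads better. The fallback literal also changes spelling from `0xFFFU` to `0xFFFu` while moving, and a named constant for this 12-bit mask would remove the magic number from both rvu_npc.c and rvu_npc_fs.c.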
@@ -642,7 +655,7 @@ void rvu_npc_install_ucast_entry(struct rvu *rvu, u16 pcifunc,
 	eth_broadcast_addr((u8 *)&req.mask.dmac);
 	req.features = BIT_ULL(NPC_DMAC);
 	req.channel = chan;
-	req.chan_mask = 0xFFFU;
+	req.chan_mask = rvu_get_cpt_chan_mask(rvu);
 	req.intf = pfvf->nix_rx_intf;
 	req.op = action.op;
 	req.hdr.pcifunc = 0; /* AF is requester */
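Review bot: `req.chan_mask` in `rvu_npc_install_ucast_entry()` was a fixed `0xFFFU` and now becomes `NIX_CHAN_CPT_X2P_MASK` whenever `!is_rvu_otx2(rvu)`, which is a behaviour change for unicast entries that the commit message does not mention (it only names the npc_install_flow path). Please state in the changelog that unicast entries are meant to pick up the CPT-aware mask as well.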
@@ -712,11 +725,7 @@ void rvu_npc_install_promisc_entry(struct rvu *rvu, u16 pcifunc,
 	 * mcam entry, same entry used for NIX will allow packets
 	 * received from cpt for parsing.
 	 */
-	if (!is_rvu_otx2(rvu)) {
-		req.chan_mask = NIX_CHAN_CPT_X2P_MASK;
-	} else {
-		req.chan_mask = 0xFFFU;
-	}
+	req.chan_mask = rvu_get_cpt_chan_mask(rvu);
 
 	if (chan_cnt > 1) {
 		if (!is_power_of_2(chan_cnt)) {
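Review bot: the comment block ending in "received from cpt for parsing." is left in place in `rvu_npc_install_promisc_entry()` above the new `req.chan_mask = rvu_get_cpt_chan_mask(rvu);`, while the allmulti hunk deletes its copy and the helper now carries the same text. Drop it here too so the explanation lives in one place.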
@@ -887,16 +896,7 @@ void rvu_npc_install_allmulti_entry(struct rvu *rvu, u16 pcifunc, int nixlf,
 	ether_addr_copy(req.mask.dmac, mac_addr);
 	req.features = BIT_ULL(NPC_DMAC);
 
-	/* For cn10k the upper two bits of the channel number are
-	 * cpt channel number. with masking out these bits in the
-	 * mcam entry, same entry used for NIX will allow packets
-	 * received from cpt for parsing.
-	 */
-	if (!is_rvu_otx2(rvu))
-		req.chan_mask = NIX_CHAN_CPT_X2P_MASK;
-	else
-		req.chan_mask = 0xFFFU;
-
+	req.chan_mask = rvu_get_cpt_chan_mask(rvu);
 	req.channel = chan;
 	req.intf = pfvf->nix_rx_intf;
 	req.entry = index;
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
index 1930b54e72f219..02663530368965 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
@@ -1470,7 +1470,7 @@ int rvu_mbox_handler_npc_install_flow(struct rvu *rvu,
 
 	/* ignore chan_mask in case pf func is not AF, revisit later */
 	if (!is_pffunc_af(req->hdr.pcifunc))
-		req->chan_mask = 0xFFF;
+		req->chan_mask = rvu_get_cpt_chan_mask(rvu);
 
 	err = npc_check_unsupported_flows(rvu, req->features, req->intf);
 	if (err)
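Review bot: the context comment "ignore chan_mask in case pf func is not AF, revisit later" no longer describes the line under it. The requester's `chan_mask` is still discarded, but it is now replaced by a silicon-dependent value rather than `0xFFF`; update the comment to say that non-AF requests get the CPT-aware default from `rvu_get_cpt_chan_mask()`.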
-- 
2.53.0





* [PATCH 6.1 149/522] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 148/522] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 150/522] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
                   ` (373 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Michal Pecio,
	Heitor Alves de Siqueira

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

commit 121d2f682ba912b1427cddca7cf84840f41cc620 upstream.

The USB488 subclass specification requires interrupt wMaxPacketSize to
be 0x02, unless the device sends vendor-specific notifications.
Endpoints that advertise less than 2 bytes for wMaxPacketSize are
unlikely to work with the current driver, as URBs will not have enough
space for interrupt headers. Considering that any notification URBs will
be ignored by the driver, reject these endpoints early during probe.

Fixes: 041370cce889 ("USB: usbtmc: refactor endpoint retrieval")
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-2-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2444,6 +2444,12 @@ static int usbtmc_probe(struct usb_inter
 		data->iin_ep = int_in->bEndpointAddress;
 		data->iin_wMaxPacketSize = usb_endpoint_maxp(int_in);
 		data->iin_interval = int_in->bInterval;
+		/* wMaxPacketSize should be 0x02 or more as per USB488 Table 22 */
+		if (iface_desc->desc.bInterfaceProtocol == 1 &&
+		    data->iin_wMaxPacketSize < 2) {
+			retcode = -EINVAL;
+			goto err_put;
+		}
 		dev_dbg(&intf->dev, "Found Int in endpoint at %u\n",
 				data->iin_ep);
 	}
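Review bot: the new `-EINVAL` path in `usbtmc_probe()` fails the bind without logging anything, so a device rejected for `data->iin_wMaxPacketSize < 2` simply does not attach. A `dev_err()` printing the offending size before `goto err_put;` would make this diagnosable. The bare `1` compared against `bInterfaceProtocol` would also read better as a named USB488 constant, and the check could sit ahead of the three `data->iin_*` assignments, which are pointless on the error path.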




* [PATCH 7.0 066/378] vxlan: vnifilter: send notification on VNI add
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 065/378] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 067/378] vxlan: vnifilter: fix spurious notification on VNI update Greg Kroah-Hartman
                   ` (312 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chirag Shah, Andy Roulin,
	Petr Machata, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Roulin <aroulin@nvidia.com>

[ Upstream commit aa6ca1c5c338907817374b59f7551fd855a88754 ]

When a new VNI is added to a vxlan device with vnifilter enabled,
no RTM_NEWTUNNEL notification is sent to userspace. This means
'bridge monitor vni' never shows VNI add events, even though
VNI delete events are reported correctly.

The bug is in vxlan_vni_add(), where the notification is guarded by
'if (changed)'. The 'changed' flag is set by vxlan_vni_update_group()
only when the multicast group or remote IP is modified, but for a
new VNI added without a group (e.g. in L3 VxLAN interface scenarios),
the function returns early without setting changed=true. Since this
is a new VNI, the notification should be sent unconditionally.

The notification is not guarded by the return value of
vxlan_vni_update_group() because, at this point, the VNI has already
been inserted into the hash table and list with no rollback on error.
The VNI will be visible in 'bridge vni show' regardless, so userspace
should be informed. This is consistent with vxlan_vni_del() which also
notifies unconditionally.

The 'if (changed)' guard remains correct in vxlan_vni_update(), which
handles the case where a VNI already exists and is being re-added --
there, we only want to notify if the group/remote actually changed.

Reproducer:

 # ip link add vxlan100 type vxlan dstport 4789 local 10.0.0.1 \
      nolearning external vnifilter
 # ip link set vxlan100 up
 # bridge monitor vni &
 # bridge vni add vni 1000 dev vxlan100    # no notification
 # bridge vni delete vni 1000 dev vxlan100 # notification received

Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
Reported-by: Chirag Shah <chirag@nvidia.com>
Signed-off-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20260602185138.253265-2-aroulin@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_vnifilter.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/vxlan/vxlan_vnifilter.c b/drivers/net/vxlan/vxlan_vnifilter.c
index 2042369379ffc6..f2a202d468928c 100644
--- a/drivers/net/vxlan/vxlan_vnifilter.c
+++ b/drivers/net/vxlan/vxlan_vnifilter.c
@@ -759,8 +759,7 @@ static int vxlan_vni_add(struct vxlan_dev *vxlan,
 	err = vxlan_vni_update_group(vxlan, vninode, group, true, &changed,
 				     extack);
 
-	if (changed)
-		vxlan_vnifilter_notify(vxlan, vninode, RTM_NEWTUNNEL);
+	vxlan_vnifilter_notify(vxlan, vninode, RTM_NEWTUNNEL);
 
 	return err;
 }
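Review bot: with the `if (changed)` guard removed, `vxlan_vni_add()` sends `RTM_NEWTUNNEL` even when `vxlan_vni_update_group()` returned a non-zero `err`, and nothing in the code says that is deliberate. The changelog gives the reason (the VNI is already inserted with no rollback); a short comment above `vxlan_vnifilter_notify()` carrying that reasoning would stop a later cleanup from re-adding a guard. `&changed` is still passed in but the flag is no longer read in the lines shown, so please check whether the local still earns its place.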
-- 
2.53.0





* [PATCH 6.1 150/522] USB: serial: option: add MeiG SRM813Q
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 149/522] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 151/522] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
                   ` (372 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Volckaert, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Volckaert <janvolck@gmail.com>

commit 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 upstream.

Add support for the Qualcomm Technology Snapdragon X35-based MeiG
SRM813Q module.

The module can be put in different modes via AT commands to
enable/disable GPS functionality:

MODEM - PPP mode(2dee:4d63): AT+SER=1,1

If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: MODEM
If#= 3: AT

P:  Vendor=2dee ProdID=4d63 Rev=05.15
S:  Manufacturer=MEIG
S:  Product=LTE-A Module
S:  SerialNumber=1bd51f0e
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

NMEA mode(2dee:4d64): AT+SER=51,1

If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: NMEA
If#= 3: AT

P:  Vendor=2dee ProdID=4d64 Rev=05.15
S:  Manufacturer=MEIG
S:  Product=LTE-A Module
S:  SerialNumber=1bd51f0e
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

Signed-off-by: Jan Volckaert <janvolck@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2450,6 +2450,12 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) },	/* MeiG Smart SRM825WN (Diag) */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) },	/* MeiG Smart SRM825WN (AT) */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) },	/* MeiG Smart SRM825WN (NMEA) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x30) },	/* MeiG SRM813Q (Diag) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x40) },	/* MeiG SRM813Q (AT) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x30) },	/* MeiG SRM813Q (Diag) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x40) },	/* MeiG SRM813Q (AT) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x60) },	/* MeiG SRM813Q (NMEA) */
+
 	{ USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) },			/* LongSung M5710 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) },			/* GosunCn GM500 RNDIS */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) },			/* GosunCn GM500 MBIM */
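Review bot: the added block ends with an extra blank `+` line before the `0x2df3` LongSung entry, which splits the ID table where the neighbouring entries have no separators; please drop it. The comments for `0x4d63` and `0x4d64` are also identical ("MeiG SRM813Q (Diag)" and "(AT)"), so the two modes from the changelog cannot be told apart in the table, and in the `0x4d63` layout the `0x40` protocol match covers the MODEM interface (If#2) as well as AT (If#3). Naming the mode and both functions in the comments would match the listing.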




* [PATCH 7.0 067/378] vxlan: vnifilter: fix spurious notification on VNI update
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 066/378] vxlan: vnifilter: send notification on VNI add Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 7.0 068/378] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
                   ` (311 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Roulin, Petr Machata,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Roulin <aroulin@nvidia.com>

[ Upstream commit 84683b5b60c7274e2c8f7f413d39d78d3db5540f ]

When a VNI is re-added with the same attributes (e.g. same group or no
group), vxlan_vni_update() sends a spurious RTM_NEWTUNNEL notification
even though nothing changed.

The bug is that 'if (changed)' tests whether the pointer is non-NULL,
not the bool value it points to. Since every caller passes a valid
pointer, the condition is always true and the notification fires
unconditionally.

Fix by dereferencing the pointer: 'if (*changed)'.

Reproducer:

 # ip link add vxlan100 type vxlan dstport 4789 local 10.0.0.1 \
      nolearning external vnifilter
 # ip link set vxlan100 up
 # bridge monitor vni &
 # bridge vni add vni 1000 dev vxlan100
 # bridge vni add vni 1000 dev vxlan100  # spurious notification

Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
Signed-off-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20260602185138.253265-3-aroulin@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_vnifilter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/vxlan/vxlan_vnifilter.c b/drivers/net/vxlan/vxlan_vnifilter.c
index f2a202d468928c..3e76f4e210944f 100644
--- a/drivers/net/vxlan/vxlan_vnifilter.c
+++ b/drivers/net/vxlan/vxlan_vnifilter.c
@@ -661,7 +661,7 @@ static int vxlan_vni_update(struct vxlan_dev *vxlan,
 	if (ret)
 		return ret;
 
-	if (changed)
+	if (*changed)
 		vxlan_vnifilter_notify(vxlan, vninode, RTM_NEWTUNNEL);
 
 	return 0;
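Review bot: `if (*changed)` now dereferences the parameter unconditionally, so `vxlan_vni_update()` depends on every caller passing a non-NULL pointer to a bool it has already initialised. The changelog says all callers pass a valid pointer; since the old `if (changed)` compiled cleanly while testing the pointer itself, a comment on the parameter stating that contract (or returning the flag by value) would make the same slip harder to repeat.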
-- 
2.53.0





* [PATCH 6.1 151/522] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 150/522] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:54 ` [PATCH 6.1 152/522] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
                   ` (371 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wanquan Zhong, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wanquan Zhong <wanquan.zhong@fibocom.com>

commit 689f2facc689c8add11d7ff69fbbad17d65ee596 upstream.

The RW135R-GL entry added in commit 01e8d0f74222 ("USB: serial: option:
add support for Rolling Wireless RW135R-GL") was missing the
.driver_info = RSVD(5) flag used by other Rolling Wireless MBIM laptop
modules (e.g. RW135-GL and RW350-GL).

Without this flag, the option driver incorrectly binds to the reserved
ADB interface (If#5) in multi-interface USB modes, causing AT/MBIM
communication failures after mode switching. This matches the handling
of other Rolling Wireless MBIM devices.

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, diag, AT, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  8 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, diag, AT, ADB, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  7 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  9 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Fixes: 01e8d0f74222 ("USB: serial: option: add support for Rolling Wireless RW135R-GL")
Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2476,7 +2476,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) },			/* Rolling RW101R-GL (laptop MBIM) */
 	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff),			/* Rolling RW350-GL (laptop MBIM) */
 	  .driver_info = RSVD(5) },
-	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) },			/* Rolling RW135R-GL (laptop MBIM) */
+	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff),			/* Rolling RW135R-GL (laptop MBIM) */
+	  .driver_info = RSVD(5) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) },	/* NetPrisma LCUK54-WWD for Global */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
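Review bot: `.driver_info = RSVD(5)` on the `0x33f8, 0x1003` entry is keyed on the interface number alone, and of the three compositions listed in the changelog only the six-interface one has an If#5 (the ADB function, `Sub=42 Prot=01`). The table entry gives no hint of that; extending the trailing comment to say that interface 5 is ADB would document why it is reserved.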




* [PATCH 7.0 068/378] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 067/378] vxlan: vnifilter: fix spurious notification on VNI update Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 069/378] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
                   ` (310 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+f13c19f75e1097abd116,
	Eric Dumazet, Miquel Raynal, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 3a5f3f7aff18bcc36a57839cf50cf0cc8de707f3 ]

The aoe driver (or similar) generates a non-IPv6 packet
(e.g., ETH_P_AOE) and queues it for transmission via dev_queue_xmit()
on a 6LoWPAN interface (configured by the user or test case).

Since the packet is not IPv6, the 6LoWPAN header_ops->create function
(lowpan_header_create or header_create) returns early without initializing
the lowpan_addr_info structure in the skb headroom.

In the transmit function (lowpan_xmit), the driver calls lowpan_header
(or setup_header) which unconditionally copies and uses the lowpan_addr_info
from the headroom, which contains uninitialized data.

Fix this by dropping non IPv6 packets.

A similar fix is needed in net/bluetooth/6lowpan.c bt_xmit().

Fixes: 4dc315e267fe ("ieee802154: 6lowpan: move transmit functionality")
Reported-by: syzbot+f13c19f75e1097abd116@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6a1fd763.278b5b03.2bcf39.0049.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260603072955.4032221-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/6lowpan/tx.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
index 0c07662b44c0ca..4df76ff50699ed 100644
--- a/net/ieee802154/6lowpan/tx.c
+++ b/net/ieee802154/6lowpan/tx.c
@@ -255,6 +255,11 @@ netdev_tx_t lowpan_xmit(struct sk_buff *skb, struct net_device *ldev)
 
 	pr_debug("package xmit\n");
 
+	if (skb->protocol != htons(ETH_P_IPV6)) {
+		kfree_skb(skb);
+		return NET_XMIT_DROP;
+	}
+
 	WARN_ON_ONCE(skb->len > IPV6_MIN_MTU);
 
 	/* We must take a copy of the skb before we modify/replace the ipv6
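Review bot: the new early exit in `lowpan_xmit()` returns `NET_XMIT_DROP` from a function declared `netdev_tx_t` and frees the skb without bumping any drop counter on `ldev`. Since the skb has been consumed, please confirm `NET_XMIT_DROP` is the intended return here rather than `NETDEV_TX_OK`, and consider accounting the frame in `ldev->stats.tx_dropped` so discarded non-IPv6 packets are visible. The check also sits after `pr_debug("package xmit\n");`, so dropped frames are still logged as transmitted.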
-- 
2.53.0





* [PATCH 6.1 152/522] USB: serial: belkin_sa: validate interrupt status length
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 151/522] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 153/522] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
                   ` (370 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

commit 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 upstream.

The Belkin interrupt callback treats interrupt data as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
short interrupt transfers may complete successfully with a smaller
actual_length.

Check the completed interrupt packet length before parsing status
fields so short interrupt endpoints and short successful packets are
ignored instead of causing out-of-bounds or stale status-byte reads.

KASAN report as below:

BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
Read of size 1
Call trace:
  belkin_sa_read_int_callback() (drivers/usb/serial/belkin_sa.c:202)
  __usb_hcd_giveback_urb() (drivers/usb/core/hcd.c:1630)
  dummy_timer() (?:?)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/belkin_sa.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -195,6 +195,9 @@ static void belkin_sa_read_int_callback(
 
 	usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
 
+	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
+		goto exit;
+
 	/* Handle known interrupt data */
 	/* ignore data[0] and data[1] */
 
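Review bot: the bound `urb->actual_length < BELKIN_SA_MSR_INDEX + 1` encodes the four-byte report size indirectly, through the highest index that happens to be read. A named length constant, or a comment saying the status report is four bytes with LSR and MSR at offsets 2 and 3 as the changelog does, would make the bound obvious and keep it correct if another field is ever parsed.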




* [PATCH 7.0 069/378] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 7.0 068/378] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 070/378] bonding: annotate data-races arcound churn variables Greg Kroah-Hartman
                   ` (309 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
	Xuewei Feng, Qi Li, Ke Xu, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

[ Upstream commit 7561c7fbc694308da73300f036719e63e42bf0b4 ]

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three
per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events
from each event byte, but not after processing the third one. When valen
is exactly a multiple of three, the loop continues after the last valid
event and consumes the next byte as a new event byte, applying a
spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes
attrlen bytes as FirstValue and advances the offset, even though per
IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of
zero and no FirstValue or Vector fields. This corrupts the offset for
subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but
the attribute value is not incremented between the last event of one
byte and the first event of the next. This causes the first event of
the next byte to use the same attribute value as the third event
rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue
consumption when valen is zero, and increment the attribute value at
the end of each loop iteration.

Fixes: febf018d2234 ("net/802: Implement Multiple Registration Protocol (MRP)")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Link: https://patch.msgid.link/20260603060016.21522-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/802/mrp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/802/mrp.c b/net/802/mrp.c
index ff0e80574e6b7b..160a3b14569cbd 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -703,6 +703,12 @@ static int mrp_pdu_parse_vecattr(struct mrp_applicant *app,
 	valen = be16_to_cpu(get_unaligned(&mrp_cb(skb)->vah->lenflags) &
 			    MRP_VECATTR_HDR_LEN_MASK);
 
+	/* If valen is 0, only a LeaveAllEvent is present; FirstValue and
+	 * Vector fields are absent per IEEE 802.1ak.
+	 */
+	if (valen == 0)
+		return 0;
+
 	/* The VectorAttribute structure in a PDU carries event information
 	 * about one or more attributes having consecutive values. Only the
 	 * value for the first attribute is contained in the structure. So
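Review bot: the new `if (valen == 0) return 0;` leaves `mrp_pdu_parse_vecattr()` before anything in this hunk acts on the LeaveAll bits that share `lenflags` with the length (only `MRP_VECATTR_HDR_LEN_MASK` is extracted above it). The added comment should say where the LeaveAllEvent is handled, or that it is intentionally ignored, so the early return does not read as silently dropping it.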
@@ -753,6 +759,9 @@ static int mrp_pdu_parse_vecattr(struct mrp_applicant *app,
 		vaevents %= __MRP_VECATTR_EVENT_MAX;
 		vaevent = vaevents;
 		mrp_pdu_parse_vecattr_event(app, skb, vaevent);
+		valen--;
+		mrp_attrvalue_inc(mrp_cb(skb)->attrvalue,
+				  mrp_cb(skb)->mh->attrlen);
 	}
 	return 0;
 }
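Review bot: The added `valen--` at the end of the loop body is unconditional, so it is only safe if the earlier checks in the iteration guarantee that valen is still non-zero when the third event is processed. If valen is an unsigned type and that guarantee is ever broken, the decrement wraps and the loop keeps consuming event bytes. A one-line comment stating the invariant would help. mrp_attrvalue_inc() now also runs after the last event of the vector, which leaves attrvalue one past the final attribute on exit; that is harmless only as long as nothing reads it after the loop.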
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 153/522] USB: serial: cypress_m8: validate interrupt packet headers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2026-06-16 14:54 ` [PATCH 6.1 152/522] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 154/522] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
                   ` (369 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

commit 9f9bfc80c67f35a275820da7e83a35dface08281 upstream.

cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header. The
usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.

KASAN report as below:
KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1
Call trace:
  cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
  __usb_hcd_giveback_urb()
  dummy_timer()

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
[ johan: use constants in header length sanity checks ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cypress_m8.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -1020,8 +1020,8 @@ static void cypress_read_int_callback(st
 	char tty_flag = TTY_NORMAL;
 	int bytes = 0;
 	int result;
-	int i = 0;
 	int status = urb->status;
+	int i;
 
 	switch (status) {
 	case 0: /* success */
@@ -1059,22 +1059,32 @@ static void cypress_read_int_callback(st
 
 	spin_lock_irqsave(&priv->lock, flags);
 	result = urb->actual_length;
+	i = 0;
 	switch (priv->pkt_fmt) {
 	default:
 	case packet_format_1:
 		/* This is for the CY7C64013... */
+		if (result < 2)
+			break;
 		priv->current_status = data[0] & 0xF8;
 		bytes = data[1] + 2;
 		i = 2;
 		break;
 	case packet_format_2:
 		/* This is for the CY7C63743... */
+		if (result < 1)
+			break;
 		priv->current_status = data[0] & 0xF8;
 		bytes = (data[0] & 0x07) + 1;
 		i = 1;
 		break;
 	}
 	spin_unlock_irqrestore(&priv->lock, flags);
+	if (i == 0) {
+		dev_dbg(dev, "%s - short packet received: %d bytes\n",
+			__func__, result);
+		goto continue_read;
+	}
 	if (result < bytes) {
 		dev_dbg(dev,
 			"%s - wrong packet size - received %d bytes but packet said %d bytes\n",

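Review bot: Testing `i == 0` after the switch to detect a short header overloads the payload start index as an error flag. It works because both formats assign a non-zero `i` and `default:` shares the format 1 case, but a later packet format whose payload starts at offset 0 would be treated as malformed without any warning from the compiler. A dedicated boolean, or a comment at `i = 0;` saying the value doubles as the short-packet sentinel, would make the coupling between the two places explicit.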


^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 070/378] bonding: annotate data-races arcound churn variables
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 069/378] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 071/378] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
                   ` (308 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit b47ff80f280e18ad2310f44293cc057d9b64ff11 ]

These fields are updated asynchronously by the bonding state machine
in ad_churn_machine() while holding bond->mode_lock.

bond_info_show_slave() and bond_fill_slave_info() read them without
bond->mode_lock being held, we need to add READ_ONCE() and
WRITE_ONCE() annotations.

Note that AD_CHURN_MONITOR, AD_CHURN, and AD_NO_CHURN are defined
exclusively in (kernel private) include/net/bond_3ad.h header.

They should be moved to include/uapi/linux/if_bonding.h or userspace
tools will have to hardcode their values.

Fixes: 4916f2e2f3fc ("bonding: print churn state via netlink")
Fixes: 14c9551a32eb ("bonding: Implement port churn-machine (AD standard 43.4.17).")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260603123514.388226-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_3ad.c     | 18 ++++++++++--------
 drivers/net/bonding/bond_netlink.c |  4 ++--
 drivers/net/bonding/bond_procfs.c  |  8 ++++----
 3 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index f0aa7d2f21717a..985ef66dc3331e 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -1386,8 +1386,8 @@ static void ad_churn_machine(struct port *port)
 {
 	if (port->sm_vars & AD_PORT_CHURNED) {
 		port->sm_vars &= ~AD_PORT_CHURNED;
-		port->sm_churn_actor_state = AD_CHURN_MONITOR;
-		port->sm_churn_partner_state = AD_CHURN_MONITOR;
+		WRITE_ONCE(port->sm_churn_actor_state, AD_CHURN_MONITOR);
+		WRITE_ONCE(port->sm_churn_partner_state, AD_CHURN_MONITOR);
 		port->sm_churn_actor_timer_counter =
 			__ad_timer_to_ticks(AD_ACTOR_CHURN_TIMER, 0);
 		port->sm_churn_partner_timer_counter =
@@ -1398,20 +1398,22 @@ static void ad_churn_machine(struct port *port)
 	    !(--port->sm_churn_actor_timer_counter) &&
 	    port->sm_churn_actor_state == AD_CHURN_MONITOR) {
 		if (port->actor_oper_port_state & LACP_STATE_SYNCHRONIZATION) {
-			port->sm_churn_actor_state = AD_NO_CHURN;
+			WRITE_ONCE(port->sm_churn_actor_state, AD_NO_CHURN);
 		} else {
-			port->churn_actor_count++;
-			port->sm_churn_actor_state = AD_CHURN;
+			WRITE_ONCE(port->churn_actor_count,
+				   port->churn_actor_count + 1);
+			WRITE_ONCE(port->sm_churn_actor_state, AD_CHURN);
 		}
 	}
 	if (port->sm_churn_partner_timer_counter &&
 	    !(--port->sm_churn_partner_timer_counter) &&
 	    port->sm_churn_partner_state == AD_CHURN_MONITOR) {
 		if (port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) {
-			port->sm_churn_partner_state = AD_NO_CHURN;
+			WRITE_ONCE(port->sm_churn_partner_state, AD_NO_CHURN);
 		} else {
-			port->churn_partner_count++;
-			port->sm_churn_partner_state = AD_CHURN;
+			WRITE_ONCE(port->churn_partner_count,
+				   port->churn_partner_count + 1);
+			WRITE_ONCE(port->sm_churn_partner_state, AD_CHURN);
 		}
 	}
 }
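Review bot: The stores are annotated, but nothing in ad_churn_machine() says which lockless readers they pair with. A short comment naming bond_info_show_slave() and bond_fill_slave_info() would stop someone from later collapsing `WRITE_ONCE(port->churn_actor_count, port->churn_actor_count + 1)` back into `++`. The plain reads in the `== AD_CHURN_MONITOR` conditions are fine only while this function stays the sole writer under bond->mode_lock, as the commit message states, and that assumption deserves the same comment.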
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index c7d3e0602c831d..90365d3f7ebff7 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -82,10 +82,10 @@ static int bond_fill_slave_info(struct sk_buff *skb,
 				goto nla_put_failure_rcu;
 
 			if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
-				       ad_port->sm_churn_actor_state))
+				       READ_ONCE(ad_port->sm_churn_actor_state)))
 				goto nla_put_failure_rcu;
 			if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
-				       ad_port->sm_churn_partner_state))
+				       READ_ONCE(ad_port->sm_churn_partner_state)))
 				goto nla_put_failure_rcu;
 		}
 		rcu_read_unlock();
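Review bot: The two `nla_put_u8()` calls export the raw churn state values, and the commit message itself notes that AD_CHURN_MONITOR, AD_CHURN and AD_NO_CHURN exist only in the kernel-private include/net/bond_3ad.h. This patch does not move them, so the follow-up to include/uapi/linux/if_bonding.h remains open and should be tracked. The actor and partner states are also loaded by separate READ_ONCE() calls, so one dump can pair values from different runs of the state machine; that is acceptable for reporting but worth a word in the commit message.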
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index 0c0146b7617721..62a5b40b43a28e 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -220,13 +220,13 @@ static void bond_info_show_slave(struct seq_file *seq,
 			seq_printf(seq, "Aggregator ID: %d\n",
 				   agg->aggregator_identifier);
 			seq_printf(seq, "Actor Churn State: %s\n",
-				   bond_3ad_churn_desc(port->sm_churn_actor_state));
+				   bond_3ad_churn_desc(READ_ONCE(port->sm_churn_actor_state)));
 			seq_printf(seq, "Partner Churn State: %s\n",
-				   bond_3ad_churn_desc(port->sm_churn_partner_state));
+				   bond_3ad_churn_desc(READ_ONCE(port->sm_churn_partner_state)));
 			seq_printf(seq, "Actor Churned Count: %d\n",
-				   port->churn_actor_count);
+				   READ_ONCE(port->churn_actor_count));
 			seq_printf(seq, "Partner Churned Count: %d\n",
-				   port->churn_partner_count);
+				   READ_ONCE(port->churn_partner_count));
 
 			if (capable(CAP_NET_ADMIN)) {
 				seq_puts(seq, "details actor lacp pdu:\n");
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 154/522] USB: serial: keyspan: fix missing indat transfer sanity check
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 153/522] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 155/522] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (368 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ab8336a7e414f018430aa1af3a46944032f7ff96 upstream.

Add the missing sanity check on the size of usa49wg indat transfers to
avoid parsing stale or uninitialised slab data.

Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
Cc: stable@vger.kernel.org	# 2.6.23
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/keyspan.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1185,6 +1185,10 @@ static void usa49wg_indat_callback(struc
 	len = 0;
 
 	while (i < urb->actual_length) {
+		if (urb->actual_length - i < 3) {
+			dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
+			break;
+		}
 
 		/* Check port number from message */
 		if (data[i] >= serial->num_ports) {
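Review bot: The literal 3 in `urb->actual_length - i < 3` is unexplained. The hunk only shows `data[i]` being used as the port number, so a comment naming the bytes each message must carry, or a named constant, would let a reader check the bound against the parser below. The subtraction cannot underflow because the loop condition already guarantees `i < urb->actual_length`; that dependency should be noted in case the loop condition is changed later.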



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 071/378] sctp: purge outqueue on stale COOKIE-ECHO handling
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 070/378] bonding: annotate data-races arcound churn variables Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 072/378] fwctl/bnxt_en: Move common definitions to include/linux/bnxt/ Greg Kroah-Hartman
                   ` (307 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Zhengchuan Liang, Xin Liu, Yuqi Xu, Ren Wei, Xin Long,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit e374b22e9b07b72a25909621464ff74096151bfb ]

sctp_stream_update() is only invoked when the association is moved into
COOKIE_WAIT during association setup/reconfiguration. In this path, the
outbound stream scheduler state (stream->out_curr) is expected to be
clean, since no user data should have been transmitted yet unless the
state machine has already partially progressed.

However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a
Stale Cookie ERROR is received, the association is rolled back from
COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already
have been queued and even bundled with the COOKIE-ECHO chunk.

During the rollback, sctp_stream_update() frees the old stream table
and installs a new one, but it does not invalidate stream->out_curr.
As a result, out_curr may still point to a freed sctp_stream_out
entry from the previous stream state.

Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on
stream->out_curr->ext, which can lead to use-after-free once the old
stream state has been released via sctp_stream_free().

This results in crashes such as (reported by Yuqi):

  BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140
  Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312
  CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted
     7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)
   sctp_sched_fcfs_dequeue+0x13a/0x140
   sctp_outq_flush+0x1603/0x33e0
   sctp_do_sm+0x31c9/0x5d30
   sctp_assoc_bh_rcv+0x392/0x6f0
   sctp_inq_push+0x1db/0x270
   sctp_rcv+0x138d/0x3c10

Fix this by fully purging the association outqueue when handling the
Stale Cookie case. This ensures all pending transmit and retransmit
state is dropped, and any scheduler cached pointers are invalidated,
making it safe to rebuild stream state during COOKIE_WAIT restart.

Updating only stream->out_curr would be insufficient, since queued
and retransmittable data would still reference the old stream state and
trigger later use-after-free in dequeue paths.

Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: Yuqi Xu <xuyq21@lenovo.com>
Reported-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/94318159b9052907a6cbb7256aee8b5f8dfbfccb.1780510304.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 8e89a870780c49..9b23c11cbb9ea4 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2598,11 +2598,7 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale(
 	 */
 	sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
 
-	/* If we've sent any data bundled with COOKIE-ECHO we will need to
-	 * resend
-	 */
-	sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
-			SCTP_TRANSPORT(asoc->peer.primary_path));
+	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
 
 	/* Cast away the const modifier, as we want to just
 	 * rerun it through as a sideffect.
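Review bot: The removed comment explained why data bundled with COOKIE-ECHO was retransmitted, and the replacement `SCTP_CMD_PURGE_OUTQUEUE` line carries no comment even though it changes behaviour from resending that data to discarding it. A comment here should say that the outqueue is purged because sctp_stream_update() replaces the stream table on the rollback to COOKIE_WAIT, and queued chunks and stream->out_curr would otherwise reference the freed stream state. It would also help to state how the sender learns that already-queued user data was dropped.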
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 155/522] USB: serial: mxuport: fix memory corruption with small endpoint
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 154/522] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 156/522] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
                   ` (367 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd upstream.

Make sure that the bulk-out endpoint max packet size is at least eight
bytes to avoid user-controlled slab corruption should a malicious device
report a smaller size.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
Cc: stable@vger.kernel.org	# 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mxuport.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct
 	 */
 	BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
 
+	/*
+	 * The bulk-out buffers must be large enough for the four-byte header
+	 * (and following data), but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
+		return -EINVAL;
+
 	for (i = 1; i < num_ports; ++i)
 		epds->bulk_out[i] = epds->bulk_out[0];
 
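Review bot: The new `usb_endpoint_maxp(epds->bulk_out[0]) < 8` check returns -EINVAL without logging anything, so a device rejected for a too-small bulk-out endpoint fails to bind with no hint in the kernel log. A dev_err() reporting the max packet size that was seen would make this diagnosable. The comment could also give the reason for choosing eight, since it states the header is four bytes and then says "assume anything smaller than eight bytes is broken" without saying why.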



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 072/378] fwctl/bnxt_en: Move common definitions to include/linux/bnxt/
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 071/378] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 073/378] fwctl/bnxt_en: Refactor aux bus functions to be more generic Greg Kroah-Hartman
                   ` (306 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Gospodarek, Leon Romanovsky,
	linux-rdma, Pavan Chebbi, Jason Gunthorpe, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavan Chebbi <pavan.chebbi@broadcom.com>

[ Upstream commit 7be18a1fa00eab5283b35c13e26c6b76fcaab9ce ]

We have common definitions that are now going to be used
by more than one component outside of bnxt (bnxt_re and
fwctl)

Move bnxt_ulp.h to include/linux/bnxt/ as ulp.h.

Link: https://patch.msgid.link/r/20260314151605.932749-2-pavan.chebbi@broadcom.com
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Cc: linux-rdma@vger.kernel.org
Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Stable-dep-of: b6197b386677 ("Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path"")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/bnxt_re/debugfs.c                         | 2 +-
 drivers/infiniband/hw/bnxt_re/main.c                            | 2 +-
 drivers/infiniband/hw/bnxt_re/qplib_fp.c                        | 2 +-
 drivers/infiniband/hw/bnxt_re/qplib_res.h                       | 2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c                       | 2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c               | 2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c               | 2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c                 | 2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c                   | 2 +-
 .../broadcom/bnxt/bnxt_ulp.h => include/linux/bnxt/ulp.h        | 0
 10 files changed, 9 insertions(+), 9 deletions(-)
 rename drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h => include/linux/bnxt/ulp.h (100%)

diff --git a/drivers/infiniband/hw/bnxt_re/debugfs.c b/drivers/infiniband/hw/bnxt_re/debugfs.c
index a2ad79c3bbd021..5fed2cf66be30a 100644
--- a/drivers/infiniband/hw/bnxt_re/debugfs.c
+++ b/drivers/infiniband/hw/bnxt_re/debugfs.c
@@ -10,8 +10,8 @@
 #include <linux/pci.h>
 #include <linux/seq_file.h>
 #include <rdma/ib_addr.h>
+#include <linux/bnxt/ulp.h>
 
-#include "bnxt_ulp.h"
 #include "roce_hsi.h"
 #include "qplib_res.h"
 #include "qplib_sp.h"
diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
index b576f05e3b26b2..47afccddf55e57 100644
--- a/drivers/infiniband/hw/bnxt_re/main.c
+++ b/drivers/infiniband/hw/bnxt_re/main.c
@@ -55,8 +55,8 @@
 #include <rdma/ib_umem.h>
 #include <rdma/ib_addr.h>
 #include <linux/hashtable.h>
+#include <linux/bnxt/ulp.h>
 
-#include "bnxt_ulp.h"
 #include "roce_hsi.h"
 #include "qplib_res.h"
 #include "qplib_sp.h"
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index 2d7932b3c492fa..b4c7b8f582ba9f 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -46,6 +46,7 @@
 #include <linux/delay.h>
 #include <linux/prefetch.h>
 #include <linux/if_ether.h>
+#include <linux/bnxt/ulp.h>
 #include <rdma/ib_mad.h>
 
 #include "roce_hsi.h"
@@ -55,7 +56,6 @@
 #include "qplib_sp.h"
 #include "qplib_fp.h"
 #include <rdma/ib_addr.h>
-#include "bnxt_ulp.h"
 #include "bnxt_re.h"
 #include "ib_verbs.h"
 
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.h b/drivers/infiniband/hw/bnxt_re/qplib_res.h
index 9a5dcf97b6f440..0a4a03efeb0bab 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.h
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.h
@@ -39,7 +39,7 @@
 #ifndef __BNXT_QPLIB_RES_H__
 #define __BNXT_QPLIB_RES_H__
 
-#include "bnxt_ulp.h"
+#include <linux/bnxt/ulp.h>
 
 extern const struct bnxt_qplib_gid bnxt_qplib_gid_zero;
 
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 3f775196ef8194..5d05084e32d93f 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -59,10 +59,10 @@
 #include <net/netdev_rx_queue.h>
 #include <linux/pci-tph.h>
 #include <linux/bnxt/hsi.h>
+#include <linux/bnxt/ulp.h>
 
 #include "bnxt.h"
 #include "bnxt_hwrm.h"
-#include "bnxt_ulp.h"
 #include "bnxt_sriov.h"
 #include "bnxt_ethtool.h"
 #include "bnxt_dcb.h"
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
index 15de802bbac48e..230cd95d30a269 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
@@ -13,12 +13,12 @@
 #include <net/devlink.h>
 #include <net/netdev_lock.h>
 #include <linux/bnxt/hsi.h>
+#include <linux/bnxt/ulp.h>
 #include "bnxt.h"
 #include "bnxt_hwrm.h"
 #include "bnxt_vfr.h"
 #include "bnxt_devlink.h"
 #include "bnxt_ethtool.h"
-#include "bnxt_ulp.h"
 #include "bnxt_ptp.h"
 #include "bnxt_coredump.h"
 #include "bnxt_nvm_defs.h"
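Review bot: `<linux/bnxt/ulp.h>` is now included before "bnxt.h", whereas "bnxt_ulp.h" used to come after "bnxt.h" and several other local headers. The rename is recorded at 100% similarity, so the header gained no includes or forward declarations of its own. That only works if ulp.h is already self-contained; a build with the header included first in an otherwise empty translation unit would confirm it.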
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index 0407aa1b3190e4..ef646a3463b1ec 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -27,9 +27,9 @@
 #include <net/netdev_queues.h>
 #include <net/netlink.h>
 #include <linux/bnxt/hsi.h>
+#include <linux/bnxt/ulp.h>
 #include "bnxt.h"
 #include "bnxt_hwrm.h"
-#include "bnxt_ulp.h"
 #include "bnxt_xdp.h"
 #include "bnxt_ptp.h"
 #include "bnxt_ethtool.h"
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index 7f9829287c4950..edcc002e4ca358 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -17,9 +17,9 @@
 #include <linux/etherdevice.h>
 #include <net/dcbnl.h>
 #include <linux/bnxt/hsi.h>
+#include <linux/bnxt/ulp.h>
 #include "bnxt.h"
 #include "bnxt_hwrm.h"
-#include "bnxt_ulp.h"
 #include "bnxt_sriov.h"
 #include "bnxt_vfr.h"
 #include "bnxt_ethtool.h"
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
index e1e82a72cf1bb8..11ced44ead29b3 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
@@ -22,10 +22,10 @@
 #include <linux/auxiliary_bus.h>
 #include <net/netdev_lock.h>
 #include <linux/bnxt/hsi.h>
+#include <linux/bnxt/ulp.h>
 
 #include "bnxt.h"
 #include "bnxt_hwrm.h"
-#include "bnxt_ulp.h"
 
 static DEFINE_IDA(bnxt_aux_dev_ids);
 
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h b/include/linux/bnxt/ulp.h
similarity index 100%
rename from drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h
rename to include/linux/bnxt/ulp.h
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 156/522] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 155/522] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 157/522] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
                   ` (366 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 245aba83e3c288e176ed037a1f6b618b09e92ed8 upstream.

Add the missing sanity check on the size of interrupt-in transfers to
avoid parsing stale or uninitialised slab data (and leaking it to user
space).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mct_u232.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -544,6 +544,11 @@ static void mct_u232_read_int_callback(s
 		goto exit;
 	}
 
+	if (urb->actual_length < 2) {
+		dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+		goto exit;
+	}
+
 	/*
 	 * The interrupt-in pipe signals exceptional conditions (modem line
 	 * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
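Review bot: The `urb->actual_length < 2` check sits above the comment that explains where the 2 comes from (data[0] holds MSR, data[1] holds LSR). Moving the check below that comment, or mentioning the two status bytes next to it, would tie the bound to the bytes that are actually read. The rejected path is `goto exit`, the same label the preceding error branch uses, so the commit message should say whether that label resubmits the URB; otherwise a single short packet could stop further status reporting.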



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 073/378] fwctl/bnxt_en: Refactor aux bus functions to be more generic
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 072/378] fwctl/bnxt_en: Move common definitions to include/linux/bnxt/ Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 074/378] Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path" Greg Kroah-Hartman
                   ` (305 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Gospodarek, Leon Romanovsky,
	Pavan Chebbi, Jason Gunthorpe, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavan Chebbi <pavan.chebbi@broadcom.com>

[ Upstream commit 2c7c85c8c7881d57c5fa1114f4b0dbd7fc53a36f ]

Up until now there was only one auxiliary device that bnxt
created and that was for RoCE driver. bnxt fwctl is also
going to use an aux bus device that bnxt should create.
This requires some nomenclature changes and refactoring of
the existing bnxt aux dev functions.

Convert 'aux_priv' and 'edev' members of struct bnxt into
arrays where each element contains supported auxbus device's
data. Move struct bnxt_aux_priv from bnxt.h to ulp.h because
that is where it belongs. Make aux bus init/uninit/add/del
functions more generic which will loop through all the aux
device types. Make bnxt_ulp_start/stop functions (the only
other common functions applicable to any aux device) loop
through the aux devices to update their config and states.
Make callers of bnxt_ulp_start() call it only when there
are no errors.

Also, as an improvement in code, bnxt_register_dev() can skip
unnecessary dereferencing of edev from bp, instead use the
edev pointer from the function parameter.

Future patches will reuse these functions to add an aux bus
device for fwctl.

Link: https://patch.msgid.link/r/20260314151605.932749-3-pavan.chebbi@broadcom.com
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Stable-dep-of: b6197b386677 ("Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path"")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c     |  47 ++-
 drivers/net/ethernet/broadcom/bnxt/bnxt.h     |  19 +-
 .../net/ethernet/broadcom/bnxt/bnxt_devlink.c |   8 +-
 .../net/ethernet/broadcom/bnxt/bnxt_ethtool.c |   2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 339 +++++++++++-------
 include/linux/bnxt/ulp.h                      |  25 +-
 6 files changed, 273 insertions(+), 167 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 5d05084e32d93f..86e45352cec105 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -6896,7 +6896,8 @@ int bnxt_hwrm_vnic_cfg(struct bnxt *bp, struct bnxt_vnic_info *vnic)
 #endif
 	if ((bp->flags & BNXT_FLAG_STRIP_VLAN) || def_vlan)
 		req->flags |= cpu_to_le32(VNIC_CFG_REQ_FLAGS_VLAN_STRIP_MODE);
-	if (vnic->vnic_id == BNXT_VNIC_DEFAULT && bnxt_ulp_registered(bp->edev))
+	if (vnic->vnic_id == BNXT_VNIC_DEFAULT &&
+	    bnxt_ulp_registered(bp->edev[BNXT_AUXDEV_RDMA]))
 		req->flags |= cpu_to_le32(bnxt_get_roce_vnic_mode(bp));
 
 	return hwrm_req_send(bp, req);
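Review bot: `bp->edev[BNXT_AUXDEV_RDMA]` is open-coded here and in bnxt_check_rings(), while __bnxt_reserve_rings() and bnxt_reserve_rings() cache it in a local `edev`. A small accessor for the RDMA slot would keep the lookup in one place and make the two styles consistent. The array entry is passed to bnxt_ulp_registered() without a NULL check, so it is worth confirming that the helper accepts a NULL entry for a slot that was never populated.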
@@ -8031,6 +8032,7 @@ static int bnxt_get_avail_msix(struct bnxt *bp, int num);
 
 static int __bnxt_reserve_rings(struct bnxt *bp)
 {
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
 	struct bnxt_hw_rings hwr = {0};
 	int rx_rings, old_rx_rings, rc;
 	int cp = bp->cp_nr_rings;
@@ -8041,7 +8043,7 @@ static int __bnxt_reserve_rings(struct bnxt *bp)
 	if (!bnxt_need_reserve_rings(bp))
 		return 0;
 
-	if (BNXT_NEW_RM(bp) && !bnxt_ulp_registered(bp->edev)) {
+	if (BNXT_NEW_RM(bp) && !bnxt_ulp_registered(edev)) {
 		ulp_msix = bnxt_get_avail_msix(bp, bp->ulp_num_msix_want);
 		if (!ulp_msix)
 			bnxt_set_ulp_stat_ctxs(bp, 0);
@@ -8094,8 +8096,7 @@ static int __bnxt_reserve_rings(struct bnxt *bp)
 	}
 	rx_rings = min_t(int, rx_rings, hwr.grp);
 	hwr.cp = min_t(int, hwr.cp, bp->cp_nr_rings);
-	if (bnxt_ulp_registered(bp->edev) &&
-	    hwr.stat > bnxt_get_ulp_stat_ctxs(bp))
+	if (bnxt_ulp_registered(edev) && hwr.stat > bnxt_get_ulp_stat_ctxs(bp))
 		hwr.stat -= bnxt_get_ulp_stat_ctxs(bp);
 	hwr.cp = min_t(int, hwr.cp, hwr.stat);
 	rc = bnxt_trim_rings(bp, &rx_rings, &hwr.tx, hwr.cp, sh);
@@ -8139,7 +8140,7 @@ static int __bnxt_reserve_rings(struct bnxt *bp)
 	    !netif_is_rxfh_configured(bp->dev))
 		bnxt_set_dflt_rss_indir_tbl(bp, NULL);
 
-	if (!bnxt_ulp_registered(bp->edev) && BNXT_NEW_RM(bp)) {
+	if (!bnxt_ulp_registered(edev) && BNXT_NEW_RM(bp)) {
 		int resv_msix, resv_ctx, ulp_ctxs;
 		struct bnxt_hw_resc *hw_resc;
 
@@ -11496,6 +11497,7 @@ static void bnxt_clear_int_mode(struct bnxt *bp)
 
 int bnxt_reserve_rings(struct bnxt *bp, bool irq_re_init)
 {
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
 	bool irq_cleared = false;
 	bool irq_change = false;
 	int tcs = bp->num_tc;
@@ -11505,7 +11507,7 @@ int bnxt_reserve_rings(struct bnxt *bp, bool irq_re_init)
 	if (!bnxt_need_reserve_rings(bp))
 		return 0;
 
-	if (BNXT_NEW_RM(bp) && !bnxt_ulp_registered(bp->edev)) {
+	if (BNXT_NEW_RM(bp) && !bnxt_ulp_registered(edev)) {
 		int ulp_msix = bnxt_get_avail_msix(bp, bp->ulp_num_msix_want);
 
 		if (ulp_msix > bp->ulp_num_msix_want)
@@ -14604,7 +14606,7 @@ static void bnxt_fw_echo_reply(struct bnxt *bp)
 static void bnxt_ulp_restart(struct bnxt *bp)
 {
 	bnxt_ulp_stop(bp);
-	bnxt_ulp_start(bp, 0);
+	bnxt_ulp_start(bp);
 }
 
 static void bnxt_sp_task(struct work_struct *work)
@@ -14761,7 +14763,7 @@ int bnxt_check_rings(struct bnxt *bp, int tx, int rx, bool sh, int tcs,
 		hwr.cp_p5 = hwr.tx + rx;
 	rc = bnxt_hwrm_check_rings(bp, &hwr);
 	if (!rc && pci_msix_can_alloc_dyn(bp->pdev)) {
-		if (!bnxt_ulp_registered(bp->edev)) {
+		if (!bnxt_ulp_registered(bp->edev[BNXT_AUXDEV_RDMA])) {
 			hwr.cp += bnxt_get_ulp_msix_num(bp);
 			hwr.cp = min_t(int, hwr.cp, bnxt_get_max_func_irqs(bp));
 		}
@@ -15281,7 +15283,7 @@ static void bnxt_fw_reset_task(struct work_struct *work)
 			bnxt_dl_health_fw_status_update(bp, true);
 		}
 		netdev_unlock(bp->dev);
-		bnxt_ulp_start(bp, 0);
+		bnxt_ulp_start(bp);
 		bnxt_reenable_sriov(bp);
 		netdev_lock(bp->dev);
 		bnxt_vf_reps_alloc(bp);
@@ -15303,7 +15305,8 @@ static void bnxt_fw_reset_task(struct work_struct *work)
 	bnxt_fw_reset_abort(bp, rc);
 	netdev_unlock(bp->dev);
 ulp_start:
-	bnxt_ulp_start(bp, rc);
+	if (!rc)
+		bnxt_ulp_start(bp);
 }
 
 static int bnxt_init_board(struct pci_dev *pdev, struct net_device *dev)
@@ -16344,12 +16347,13 @@ static void bnxt_remove_one(struct pci_dev *pdev)
 	if (BNXT_PF(bp))
 		__bnxt_sriov_disable(bp);
 
-	bnxt_rdma_aux_device_del(bp);
+	bnxt_aux_devices_del(bp);
 
 	unregister_netdev(dev);
 	bnxt_ptp_clear(bp);
 
-	bnxt_rdma_aux_device_uninit(bp);
+	bnxt_aux_devices_uninit(bp);
+	bnxt_auxdev_id_free(bp, bp->auxdev_id);
 
 	bnxt_free_l2_filters(bp, true);
 	bnxt_free_ntp_fltrs(bp, true);
@@ -16946,7 +16950,9 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 	bnxt_set_tpa_flags(bp);
 	bnxt_init_ring_params(bp);
 	bnxt_set_ring_params(bp);
-	bnxt_rdma_aux_device_init(bp);
+	mutex_init(&bp->auxdev_lock);
+	if (!bnxt_auxdev_id_alloc(bp))
+		bnxt_aux_devices_init(bp);
 	rc = bnxt_set_dflt_rings(bp, true);
 	if (rc) {
 		if (BNXT_VF(bp) && rc == -ENODEV) {
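Review bot: when bnxt_auxdev_id_alloc() fails here, bnxt_aux_devices_init() is skipped silently and BNXT_FLAG_ROCE_CAP stays set. The removed bnxt_rdma_aux_device_init() (see the bnxt_ulp.c part of this patch) logged "ida alloc failed for ROCE auxiliary device" and cleared the flag on the same failure. Suggest giving the failure an explicit branch that warns and clears BNXT_FLAG_ROCE_CAP, so the flag keeps matching whether an aux device was set up.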
@@ -17011,7 +17017,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	bnxt_dl_fw_reporters_create(bp);
 
-	bnxt_rdma_aux_device_add(bp);
+	bnxt_aux_devices_add(bp);
 
 	bnxt_print_device_info(bp);
 
@@ -17019,7 +17025,8 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	return 0;
 init_err_cleanup:
-	bnxt_rdma_aux_device_uninit(bp);
+	bnxt_aux_devices_uninit(bp);
+	bnxt_auxdev_id_free(bp, bp->auxdev_id);
 	bnxt_dl_unregister(bp);
 init_err_dl:
 	bnxt_shutdown_tc(bp);
@@ -17153,9 +17160,10 @@ static int bnxt_resume(struct device *device)
 
 resume_exit:
 	netdev_unlock(bp->dev);
-	bnxt_ulp_start(bp, rc);
-	if (!rc)
+	if (!rc) {
+		bnxt_ulp_start(bp);
 		bnxt_reenable_sriov(bp);
+	}
 	return rc;
 }
 
@@ -17335,9 +17343,10 @@ static void bnxt_io_resume(struct pci_dev *pdev)
 		netif_device_attach(netdev);
 
 	netdev_unlock(netdev);
-	bnxt_ulp_start(bp, err);
-	if (!err)
+	if (!err) {
+		bnxt_ulp_start(bp);
 		bnxt_reenable_sriov(bp);
+	}
 }
 
 static const struct pci_error_handlers bnxt_err_handler = {
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 4bc7f7aeaab378..8899ef51bdcfec 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -24,12 +24,12 @@
 #include <linux/interrupt.h>
 #include <linux/rhashtable.h>
 #include <linux/crash_dump.h>
-#include <linux/auxiliary_bus.h>
 #include <net/devlink.h>
 #include <net/dst_metadata.h>
 #include <net/xdp.h>
 #include <linux/dim.h>
 #include <linux/io-64-nonatomic-lo-hi.h>
+#include <linux/bnxt/ulp.h>
 #ifdef CONFIG_TEE_BNXT_FW
 #include <linux/firmware/broadcom/tee_bnxt_fw.h>
 #endif
@@ -2085,12 +2085,6 @@ struct bnxt_fw_health {
 #define BNXT_FW_IF_RETRY		10
 #define BNXT_FW_SLOT_RESET_RETRY	4
 
-struct bnxt_aux_priv {
-	struct auxiliary_device aux_dev;
-	struct bnxt_en_dev *edev;
-	int id;
-};
-
 enum board_idx {
 	BCM57301,
 	BCM57302,
@@ -2350,8 +2344,8 @@ struct bnxt {
 #define BNXT_CHIP_P5_AND_MINUS(bp)		\
 	(BNXT_CHIP_P3(bp) || BNXT_CHIP_P4(bp) || BNXT_CHIP_P5(bp))
 
-	struct bnxt_aux_priv	*aux_priv;
-	struct bnxt_en_dev	*edev;
+	struct bnxt_aux_priv	*aux_priv[__BNXT_AUXDEV_MAX];
+	struct bnxt_en_dev	*edev[__BNXT_AUXDEV_MAX];
 
 	struct bnxt_napi	**bnapi;
 
@@ -2763,6 +2757,13 @@ struct bnxt {
 	struct bnxt_ctx_pg_info	*fw_crash_mem;
 	u32			fw_crash_len;
 	struct bnxt_bs_trace_info bs_trace[BNXT_TRACE_MAX];
+	int			auxdev_id;
+	/* synchronize validity checks of available aux devices */
+	struct mutex		auxdev_lock;
+	u8			auxdev_state[__BNXT_AUXDEV_MAX];
+#define	BNXT_ADEV_STATE_NONE	0
+#define	BNXT_ADEV_STATE_INIT	1
+#define	BNXT_ADEV_STATE_ADD	2
 };
 
 #define BNXT_NUM_RX_RING_STATS			8
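Review bot: the comment on auxdev_lock does not say which fields the mutex protects. The bnxt_ulp.c changes take it around auxdev_state[], aux_priv[] and edev[] in the init/add/del/uninit and stop/start loops, while accessors such as bnxt_get_ulp_msix_num() and bnxt_ulp_irq_stop() still read bp->edev[BNXT_AUXDEV_RDMA] without it. Please document the intended scope and the order relative to edev->en_dev_lock, which is taken inside it. The BNXT_ADEV_STATE_* values would also read better as an enum declared outside the struct.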
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
index 230cd95d30a269..835f2b413931c2 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
@@ -440,13 +440,13 @@ static int bnxt_dl_reload_down(struct devlink *dl, bool netns_change,
 					   "reload is unsupported while VFs are allocated or being configured");
 			netdev_unlock(bp->dev);
 			rtnl_unlock();
-			bnxt_ulp_start(bp, 0);
+			bnxt_ulp_start(bp);
 			return -EOPNOTSUPP;
 		}
 		if (bp->dev->reg_state == NETREG_UNREGISTERED) {
 			netdev_unlock(bp->dev);
 			rtnl_unlock();
-			bnxt_ulp_start(bp, 0);
+			bnxt_ulp_start(bp);
 			return -ENODEV;
 		}
 		if (netif_running(bp->dev))
@@ -578,8 +578,8 @@ static int bnxt_dl_reload_up(struct devlink *dl, enum devlink_reload_action acti
 	}
 	netdev_unlock(bp->dev);
 	rtnl_unlock();
-	if (action == DEVLINK_RELOAD_ACTION_DRIVER_REINIT)
-		bnxt_ulp_start(bp, rc);
+	if (!rc && action == DEVLINK_RELOAD_ACTION_DRIVER_REINIT)
+		bnxt_ulp_start(bp);
 	return rc;
 }
 
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index ef646a3463b1ec..6596cd7447526e 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -5209,7 +5209,7 @@ static void bnxt_self_test(struct net_device *dev, struct ethtool_test *etest,
 
 	memset(buf, 0, sizeof(u64) * bp->num_tests);
 	if (etest->flags & ETH_TEST_FL_OFFLINE &&
-	    bnxt_ulp_registered(bp->edev)) {
+	    bnxt_ulp_registered(bp->edev[BNXT_AUXDEV_RDMA])) {
 		etest->flags |= ETH_TEST_FL_FAILED;
 		netdev_warn(dev, "Offline tests cannot be run with RoCE driver loaded\n");
 		return;
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
index 11ced44ead29b3..3705ef3a75c9ec 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
@@ -29,9 +29,32 @@
 
 static DEFINE_IDA(bnxt_aux_dev_ids);
 
+struct bnxt_aux_device {
+	const char *name;
+};
+
+static void bnxt_auxdev_set_state(struct bnxt *bp, int idx, int state)
+{
+	bp->auxdev_state[idx] = state;
+}
+
+static bool bnxt_auxdev_is_init(struct bnxt *bp, int idx)
+{
+	return (bp->auxdev_state[idx] == BNXT_ADEV_STATE_INIT);
+}
+
+static bool bnxt_auxdev_is_active(struct bnxt *bp, int idx)
+{
+	return (bp->auxdev_state[idx] == BNXT_ADEV_STATE_ADD);
+}
+
+static struct bnxt_aux_device bnxt_aux_devices[__BNXT_AUXDEV_MAX] = {{
+	.name		= "rdma",
+}};
+
 static void bnxt_fill_msix_vecs(struct bnxt *bp, struct bnxt_msix_entry *ent)
 {
-	struct bnxt_en_dev *edev = bp->edev;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
 	int num_msix, i;
 
 	if (!edev->ulp_tbl->msix_requested) {
@@ -51,61 +74,75 @@ static void bnxt_fill_msix_vecs(struct bnxt *bp, struct bnxt_msix_entry *ent)
 
 int bnxt_get_ulp_msix_num(struct bnxt *bp)
 {
-	if (bp->edev)
-		return bp->edev->ulp_num_msix_vec;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (edev)
+		return edev->ulp_num_msix_vec;
 	return 0;
 }
 
 void bnxt_set_ulp_msix_num(struct bnxt *bp, int num)
 {
-	if (bp->edev)
-		bp->edev->ulp_num_msix_vec = num;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (edev)
+		edev->ulp_num_msix_vec = num;
 }
 
 int bnxt_get_ulp_msix_num_in_use(struct bnxt *bp)
 {
-	if (bnxt_ulp_registered(bp->edev))
-		return bp->edev->ulp_num_msix_vec;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (bnxt_ulp_registered(edev))
+		return edev->ulp_num_msix_vec;
 	return 0;
 }
 
 int bnxt_get_ulp_stat_ctxs(struct bnxt *bp)
 {
-	if (bp->edev)
-		return bp->edev->ulp_num_ctxs;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (edev)
+		return edev->ulp_num_ctxs;
 	return 0;
 }
 
 void bnxt_set_ulp_stat_ctxs(struct bnxt *bp, int num_ulp_ctx)
 {
-	if (bp->edev)
-		bp->edev->ulp_num_ctxs = num_ulp_ctx;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (edev)
+		edev->ulp_num_ctxs = num_ulp_ctx;
 }
 
 int bnxt_get_ulp_stat_ctxs_in_use(struct bnxt *bp)
 {
-	if (bnxt_ulp_registered(bp->edev))
-		return bp->edev->ulp_num_ctxs;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (bnxt_ulp_registered(edev))
+		return edev->ulp_num_ctxs;
 	return 0;
 }
 
 void bnxt_set_dflt_ulp_stat_ctxs(struct bnxt *bp)
 {
-	if (bp->edev) {
-		bp->edev->ulp_num_ctxs = BNXT_MIN_ROCE_STAT_CTXS;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
+
+	if (edev) {
+		edev->ulp_num_ctxs = BNXT_MIN_ROCE_STAT_CTXS;
 		/* Reserve one additional stat_ctx for PF0 (except
 		 * on 1-port NICs) as it also creates one stat_ctx
 		 * for PF1 in case of RoCE bonding.
 		 */
 		if (BNXT_PF(bp) && !bp->pf.port_id &&
 		    bp->port_count > 1)
-			bp->edev->ulp_num_ctxs++;
+			edev->ulp_num_ctxs++;
 
 		/* Reserve one additional stat_ctx when the device is capable
 		 * of supporting port mirroring on RDMA device.
 		 */
 		if (BNXT_MIRROR_ON_ROCE_CAP(bp))
-			bp->edev->ulp_num_ctxs++;
+			edev->ulp_num_ctxs++;
 	}
 }
 
@@ -141,7 +178,7 @@ int bnxt_register_dev(struct bnxt_en_dev *edev,
 
 	edev->ulp_tbl->msix_requested = bnxt_get_ulp_msix_num(bp);
 
-	bnxt_fill_msix_vecs(bp, bp->edev->msix_entries);
+	bnxt_fill_msix_vecs(bp, edev->msix_entries);
 exit:
 	mutex_unlock(&edev->en_dev_lock);
 	netdev_unlock(dev);
@@ -227,20 +264,27 @@ EXPORT_SYMBOL(bnxt_send_msg);
 
 void bnxt_ulp_stop(struct bnxt *bp)
 {
-	struct bnxt_aux_priv *aux_priv = bp->aux_priv;
-	struct bnxt_en_dev *edev = bp->edev;
+	int i;
 
-	if (!edev)
-		return;
-
-	mutex_lock(&edev->en_dev_lock);
-	if (!bnxt_ulp_registered(edev) ||
-	    (edev->flags & BNXT_EN_FLAG_ULP_STOPPED))
-		goto ulp_stop_exit;
-
-	edev->flags |= BNXT_EN_FLAG_ULP_STOPPED;
-	if (aux_priv) {
+	mutex_lock(&bp->auxdev_lock);
+	for (i = 0; i < __BNXT_AUXDEV_MAX; i++) {
+		struct bnxt_aux_priv *aux_priv;
 		struct auxiliary_device *adev;
+		struct bnxt_en_dev *edev;
+
+		if (!bnxt_auxdev_is_active(bp, i))
+			continue;
+
+		aux_priv = bp->aux_priv[i];
+		edev = bp->edev[i];
+		mutex_lock(&edev->en_dev_lock);
+		if (!bnxt_ulp_registered(edev) ||
+		    (edev->flags & BNXT_EN_FLAG_ULP_STOPPED)) {
+			mutex_unlock(&edev->en_dev_lock);
+			continue;
+		}
+
+		edev->flags |= BNXT_EN_FLAG_ULP_STOPPED;
 
 		adev = &aux_priv->aux_dev;
 		if (adev->dev.driver) {
@@ -251,29 +295,35 @@ void bnxt_ulp_stop(struct bnxt *bp)
 			edev->en_state = bp->state;
 			adrv->suspend(adev, pm);
 		}
+		mutex_unlock(&edev->en_dev_lock);
 	}
-ulp_stop_exit:
-	mutex_unlock(&edev->en_dev_lock);
+	mutex_unlock(&bp->auxdev_lock);
 }
 
-void bnxt_ulp_start(struct bnxt *bp, int err)
+void bnxt_ulp_start(struct bnxt *bp)
 {
-	struct bnxt_aux_priv *aux_priv = bp->aux_priv;
-	struct bnxt_en_dev *edev = bp->edev;
+	int i;
 
-	if (!edev || err)
-		return;
+	mutex_lock(&bp->auxdev_lock);
+	for (i = 0; i < __BNXT_AUXDEV_MAX; i++) {
+		struct bnxt_aux_priv *aux_priv;
+		struct auxiliary_device *adev;
+		struct bnxt_en_dev *edev;
 
-	mutex_lock(&edev->en_dev_lock);
-	if (!bnxt_ulp_registered(edev) ||
-	    !(edev->flags & BNXT_EN_FLAG_ULP_STOPPED))
-		goto ulp_start_exit;
+		if (!bnxt_auxdev_is_active(bp, i))
+			continue;
 
-	if (edev->ulp_tbl->msix_requested)
-		bnxt_fill_msix_vecs(bp, edev->msix_entries);
+		aux_priv = bp->aux_priv[i];
+		edev = bp->edev[i];
+		mutex_lock(&edev->en_dev_lock);
+		if (!bnxt_ulp_registered(edev) ||
+		    !(edev->flags & BNXT_EN_FLAG_ULP_STOPPED)) {
+			goto clear_flag_continue;
+		}
+
+		if (edev->ulp_tbl->msix_requested)
+			bnxt_fill_msix_vecs(bp, edev->msix_entries);
 
-	if (aux_priv) {
-		struct auxiliary_device *adev;
 
 		adev = &aux_priv->aux_dev;
 		if (adev->dev.driver) {
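Review bot: style in the bnxt_ulp_start() loop: the braces around the single goto clear_flag_continue statement are unnecessary, and the blank line added after bnxt_fill_msix_vecs() leaves two consecutive blank lines before adev = &aux_priv->aux_dev. Since the label sits inside the for body, inverting the test so the MSI-X fill and resume call are nested under the condition would remove the goto, with the flag clear and mutex_unlock() following unconditionally.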
@@ -283,22 +333,23 @@ void bnxt_ulp_start(struct bnxt *bp, int err)
 			edev->en_state = bp->state;
 			adrv->resume(adev);
 		}
+clear_flag_continue:
+		edev->flags &= ~BNXT_EN_FLAG_ULP_STOPPED;
+		mutex_unlock(&edev->en_dev_lock);
 	}
-ulp_start_exit:
-	edev->flags &= ~BNXT_EN_FLAG_ULP_STOPPED;
-	mutex_unlock(&edev->en_dev_lock);
+	mutex_unlock(&bp->auxdev_lock);
 }
 
 void bnxt_ulp_irq_stop(struct bnxt *bp)
 {
-	struct bnxt_en_dev *edev = bp->edev;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
 	struct bnxt_ulp_ops *ops;
 	bool reset = false;
 
 	if (!edev)
 		return;
 
-	if (bnxt_ulp_registered(bp->edev)) {
+	if (bnxt_ulp_registered(edev)) {
 		struct bnxt_ulp *ulp = edev->ulp_tbl;
 
 		if (!ulp->msix_requested)
@@ -315,13 +366,13 @@ void bnxt_ulp_irq_stop(struct bnxt *bp)
 
 void bnxt_ulp_irq_restart(struct bnxt *bp, int err)
 {
-	struct bnxt_en_dev *edev = bp->edev;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
 	struct bnxt_ulp_ops *ops;
 
 	if (!edev)
 		return;
 
-	if (bnxt_ulp_registered(bp->edev)) {
+	if (bnxt_ulp_registered(edev)) {
 		struct bnxt_ulp *ulp = edev->ulp_tbl;
 		struct bnxt_msix_entry *ent = NULL;
 
@@ -346,7 +397,7 @@ void bnxt_ulp_irq_restart(struct bnxt *bp, int err)
 void bnxt_ulp_async_events(struct bnxt *bp, struct hwrm_async_event_cmpl *cmpl)
 {
 	u16 event_id = le16_to_cpu(cmpl->event_id);
-	struct bnxt_en_dev *edev = bp->edev;
+	struct bnxt_en_dev *edev = bp->edev[BNXT_AUXDEV_RDMA];
 	struct bnxt_ulp_ops *ops;
 	struct bnxt_ulp *ulp;
 
@@ -387,18 +438,21 @@ void bnxt_register_async_events(struct bnxt_en_dev *edev,
 }
 EXPORT_SYMBOL(bnxt_register_async_events);
 
-void bnxt_rdma_aux_device_uninit(struct bnxt *bp)
+void bnxt_aux_devices_uninit(struct bnxt *bp)
 {
 	struct bnxt_aux_priv *aux_priv;
 	struct auxiliary_device *adev;
-
-	/* Skip if no auxiliary device init was done. */
-	if (!bp->aux_priv)
-		return;
-
-	aux_priv = bp->aux_priv;
-	adev = &aux_priv->aux_dev;
-	auxiliary_device_uninit(adev);
+	int idx;
+
+	mutex_lock(&bp->auxdev_lock);
+	for (idx = 0; idx < __BNXT_AUXDEV_MAX; idx++) {
+		if (bnxt_auxdev_is_init(bp, idx)) {
+			aux_priv = bp->aux_priv[idx];
+			adev = &aux_priv->aux_dev;
+			auxiliary_device_uninit(adev);
+		}
+	}
+	mutex_unlock(&bp->auxdev_lock);
 }
 
 static void bnxt_aux_dev_release(struct device *dev)
@@ -407,20 +461,25 @@ static void bnxt_aux_dev_release(struct device *dev)
 		container_of(dev, struct bnxt_aux_priv, aux_dev.dev);
 	struct bnxt *bp = netdev_priv(aux_priv->edev->net);
 
-	ida_free(&bnxt_aux_dev_ids, aux_priv->id);
 	kfree(aux_priv->edev->ulp_tbl);
-	bp->edev = NULL;
+	bp->edev[aux_priv->id] = NULL;
 	kfree(aux_priv->edev);
+	bp->aux_priv[aux_priv->id] = NULL;
 	kfree(aux_priv);
-	bp->aux_priv = NULL;
 }
 
-void bnxt_rdma_aux_device_del(struct bnxt *bp)
+void bnxt_aux_devices_del(struct bnxt *bp)
 {
-	if (!bp->edev)
-		return;
+	int idx;
 
-	auxiliary_device_delete(&bp->aux_priv->aux_dev);
+	mutex_lock(&bp->auxdev_lock);
+	for (idx = 0; idx < __BNXT_AUXDEV_MAX; idx++) {
+		if (bnxt_auxdev_is_active(bp, idx)) {
+			auxiliary_device_delete(&bp->aux_priv[idx]->aux_dev);
+			bnxt_auxdev_set_state(bp, idx, BNXT_ADEV_STATE_INIT);
+		}
+	}
+	mutex_unlock(&bp->auxdev_lock);
 }
 
 static void bnxt_set_edev_info(struct bnxt_en_dev *edev, struct bnxt *bp)
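Review bot: bnxt_aux_dev_release() now indexes bp->edev[] and bp->aux_priv[] with aux_priv->id, but bnxt_aux_devices_init() assigns aux_priv->id = idx only after the ulp allocation has succeeded, so a release triggered from its aux_dev_uninit path sees the zero-initialised value. That is correct only while BNXT_AUXDEV_RDMA = 0 is the sole type; set aux_priv->id right after aux_priv is allocated. The same error path also reaches netdev_priv(aux_priv->edev->net) with aux_priv->edev still NULL when the edev allocation is the one that failed.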
@@ -450,83 +509,105 @@ static void bnxt_set_edev_info(struct bnxt_en_dev *edev, struct bnxt *bp)
 	edev->bar0 = bp->bar0;
 }
 
-void bnxt_rdma_aux_device_add(struct bnxt *bp)
+void bnxt_aux_devices_add(struct bnxt *bp)
 {
 	struct auxiliary_device *aux_dev;
-	int rc;
-
-	if (!bp->edev)
-		return;
-
-	aux_dev = &bp->aux_priv->aux_dev;
-	rc = auxiliary_device_add(aux_dev);
-	if (rc) {
-		netdev_warn(bp->dev, "Failed to add auxiliary device for ROCE\n");
-		auxiliary_device_uninit(aux_dev);
-		bp->flags &= ~BNXT_FLAG_ROCE_CAP;
+	int rc, idx;
+
+	mutex_lock(&bp->auxdev_lock);
+	for (idx = 0; idx < __BNXT_AUXDEV_MAX; idx++) {
+		if (bnxt_auxdev_is_init(bp, idx)) {
+			aux_dev = &bp->aux_priv[idx]->aux_dev;
+			rc = auxiliary_device_add(aux_dev);
+			if (rc) {
+				netdev_warn(bp->dev, "Failed to add auxiliary device for ROCE\n");
+				auxiliary_device_uninit(aux_dev);
+				if (idx == BNXT_AUXDEV_RDMA)
+					bp->flags &= ~BNXT_FLAG_ROCE_CAP;
+				continue;
+			}
+			bnxt_auxdev_set_state(bp, idx, BNXT_ADEV_STATE_ADD);
+		}
 	}
+	mutex_unlock(&bp->auxdev_lock);
 }
 
-void bnxt_rdma_aux_device_init(struct bnxt *bp)
+void bnxt_aux_devices_init(struct bnxt *bp)
 {
 	struct auxiliary_device *aux_dev;
 	struct bnxt_aux_priv *aux_priv;
 	struct bnxt_en_dev *edev;
 	struct bnxt_ulp *ulp;
-	int rc;
+	int rc, idx;
+
+	mutex_lock(&bp->auxdev_lock);
+	for (idx = 0; idx < __BNXT_AUXDEV_MAX; idx++) {
+		bnxt_auxdev_set_state(bp, idx, BNXT_ADEV_STATE_NONE);
+
+		if (idx == BNXT_AUXDEV_RDMA &&
+		    !(bp->flags & BNXT_FLAG_ROCE_CAP))
+			continue;
+
+		aux_priv = kzalloc_obj(*aux_priv);
+		if (!aux_priv)
+			goto next_auxdev;
+
+		aux_dev = &aux_priv->aux_dev;
+		aux_dev->id = bp->auxdev_id;
+		aux_dev->name = bnxt_aux_devices[idx].name;
+		aux_dev->dev.parent = &bp->pdev->dev;
+		aux_dev->dev.release = bnxt_aux_dev_release;
+
+		rc = auxiliary_device_init(aux_dev);
+		if (rc) {
+			kfree(aux_priv);
+			goto next_auxdev;
+		}
+		bp->aux_priv[idx] = aux_priv;
 
-	if (!(bp->flags & BNXT_FLAG_ROCE_CAP))
-		return;
+		/* From this point, all cleanup will happen via the .release
+		 * callback & any error unwinding will need to include a call
+		 * to auxiliary_device_uninit.
+		 */
+		edev = kzalloc_obj(*edev);
+		if (!edev)
+			goto aux_dev_uninit;
 
-	aux_priv = kzalloc_obj(*bp->aux_priv);
-	if (!aux_priv)
-		goto exit;
+		aux_priv->edev = edev;
+		bnxt_set_edev_info(edev, bp);
 
-	aux_priv->id = ida_alloc(&bnxt_aux_dev_ids, GFP_KERNEL);
-	if (aux_priv->id < 0) {
-		netdev_warn(bp->dev,
-			    "ida alloc failed for ROCE auxiliary device\n");
-		kfree(aux_priv);
-		goto exit;
-	}
+		ulp = kzalloc_obj(*ulp);
+		if (!ulp)
+			goto aux_dev_uninit;
 
-	aux_dev = &aux_priv->aux_dev;
-	aux_dev->id = aux_priv->id;
-	aux_dev->name = "rdma";
-	aux_dev->dev.parent = &bp->pdev->dev;
-	aux_dev->dev.release = bnxt_aux_dev_release;
+		edev->ulp_tbl = ulp;
+		bp->edev[idx] = edev;
+		if (idx == BNXT_AUXDEV_RDMA)
+			bp->ulp_num_msix_want = bnxt_set_dflt_ulp_msix(bp);
+		aux_priv->id = idx;
+		bnxt_auxdev_set_state(bp, idx, BNXT_ADEV_STATE_INIT);
 
-	rc = auxiliary_device_init(aux_dev);
-	if (rc) {
-		ida_free(&bnxt_aux_dev_ids, aux_priv->id);
-		kfree(aux_priv);
-		goto exit;
+		continue;
+aux_dev_uninit:
+		auxiliary_device_uninit(aux_dev);
+next_auxdev:
+		if (idx == BNXT_AUXDEV_RDMA)
+			bp->flags &= ~BNXT_FLAG_ROCE_CAP;
 	}
-	bp->aux_priv = aux_priv;
-
-	/* From this point, all cleanup will happen via the .release callback &
-	 * any error unwinding will need to include a call to
-	 * auxiliary_device_uninit.
-	 */
-	edev = kzalloc_obj(*edev);
-	if (!edev)
-		goto aux_dev_uninit;
-
-	aux_priv->edev = edev;
-
-	ulp = kzalloc_obj(*ulp);
-	if (!ulp)
-		goto aux_dev_uninit;
+	mutex_unlock(&bp->auxdev_lock);
+}
 
-	edev->ulp_tbl = ulp;
-	bp->edev = edev;
-	bnxt_set_edev_info(edev, bp);
-	bp->ulp_num_msix_want = bnxt_set_dflt_ulp_msix(bp);
+int bnxt_auxdev_id_alloc(struct bnxt *bp)
+{
+	bp->auxdev_id = ida_alloc(&bnxt_aux_dev_ids, GFP_KERNEL);
+	if (bp->auxdev_id < 0)
+		return bp->auxdev_id;
 
-	return;
+	return 0;
+}
 
-aux_dev_uninit:
-	auxiliary_device_uninit(aux_dev);
-exit:
-	bp->flags &= ~BNXT_FLAG_ROCE_CAP;
+void bnxt_auxdev_id_free(struct bnxt *bp, int id)
+{
+	if (bp->auxdev_id >= 0)
+		ida_free(&bnxt_aux_dev_ids, id);
 }
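Review bot: in bnxt_aux_devices_add(), the auxiliary_device_add() failure branch calls auxiliary_device_uninit() and continues with the slot still in BNXT_ADEV_STATE_INIT. Once that drops the last reference, bnxt_aux_dev_release() frees aux_priv and sets bp->aux_priv[idx] to NULL, so a later bnxt_aux_devices_uninit() passes bnxt_auxdev_is_init() and computes &aux_priv->aux_dev from a NULL pointer; the old code was covered by the if (!bp->aux_priv) check that this patch removes. Set the state to BNXT_ADEV_STATE_NONE in that branch, and likewise after the uninit loop. Minor: the warning text still says ROCE for every idx, and bnxt_auxdev_id_free() tests bp->auxdev_id but frees the separate id argument.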
diff --git a/include/linux/bnxt/ulp.h b/include/linux/bnxt/ulp.h
index 3c5b8a53f71507..1a4643c46f86fb 100644
--- a/include/linux/bnxt/ulp.h
+++ b/include/linux/bnxt/ulp.h
@@ -10,6 +10,8 @@
 #ifndef BNXT_ULP_H
 #define BNXT_ULP_H
 
+#include <linux/auxiliary_bus.h>
+
 #define BNXT_MIN_ROCE_CP_RINGS	2
 #define BNXT_MIN_ROCE_STAT_CTXS	1
 
@@ -20,6 +22,17 @@
 struct hwrm_async_event_cmpl;
 struct bnxt;
 
+enum bnxt_auxdev_type {
+	BNXT_AUXDEV_RDMA = 0,
+	__BNXT_AUXDEV_MAX
+};
+
+struct bnxt_aux_priv {
+	struct auxiliary_device aux_dev;
+	struct bnxt_en_dev *edev;
+	int id;
+};
+
 struct bnxt_msix_entry {
 	u32	vector;
 	u32	ring_idx;
@@ -110,19 +123,21 @@ void bnxt_set_ulp_stat_ctxs(struct bnxt *bp, int num_ctxs);
 int bnxt_get_ulp_stat_ctxs_in_use(struct bnxt *bp);
 void bnxt_set_dflt_ulp_stat_ctxs(struct bnxt *bp);
 void bnxt_ulp_stop(struct bnxt *bp);
-void bnxt_ulp_start(struct bnxt *bp, int err);
+void bnxt_ulp_start(struct bnxt *bp);
 void bnxt_ulp_sriov_cfg(struct bnxt *bp, int num_vfs);
 void bnxt_ulp_irq_stop(struct bnxt *bp);
 void bnxt_ulp_irq_restart(struct bnxt *bp, int err);
 void bnxt_ulp_async_events(struct bnxt *bp, struct hwrm_async_event_cmpl *cmpl);
-void bnxt_rdma_aux_device_uninit(struct bnxt *bp);
-void bnxt_rdma_aux_device_del(struct bnxt *bp);
-void bnxt_rdma_aux_device_add(struct bnxt *bp);
-void bnxt_rdma_aux_device_init(struct bnxt *bp);
+void bnxt_aux_devices_uninit(struct bnxt *bp);
+void bnxt_aux_devices_del(struct bnxt *bp);
+void bnxt_aux_devices_add(struct bnxt *bp);
+void bnxt_aux_devices_init(struct bnxt *bp);
 int bnxt_register_dev(struct bnxt_en_dev *edev, struct bnxt_ulp_ops *ulp_ops,
 		      void *handle);
 void bnxt_unregister_dev(struct bnxt_en_dev *edev);
 int bnxt_send_msg(struct bnxt_en_dev *edev, struct bnxt_fw_msg *fw_msg);
 void bnxt_register_async_events(struct bnxt_en_dev *edev,
 				unsigned long *events_bmap, u16 max_id);
+int bnxt_auxdev_id_alloc(struct bnxt *bp);
+void bnxt_auxdev_id_free(struct bnxt *bp, int id);
 #endif
-- 
2.53.0





* [PATCH 6.1 157/522] usb: gadget: net2280: Fix double free in probe error path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 156/522] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 158/522] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
                   ` (365 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Guangshuo Li, Alan Stern

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit c8547c74988e0b5f4cbb1b895e2a57aae084f070 upstream.

usb_initialize_gadget() installs gadget_release() as the release
callback for the embedded gadget device.  The struct net2280 instance is
therefore released through gadget_release() when the gadget device's last
reference is dropped.

The probe error path calls net2280_remove(), which tears down the
partially initialized device and drops the gadget reference with
usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
again.

Drop the explicit kfree() and let the gadget device release callback
handle the final free.  This issue was found by a static analysis tool
I am developing.

Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
Cc: stable <stable@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260427153651.337846-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/net2280.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3790,10 +3790,8 @@ static int net2280_probe(struct pci_dev
 	return 0;
 
 done:
-	if (dev) {
+	if (dev)
 		net2280_remove(pdev);
-		kfree(dev);
-	}
 	return retval;
 }
 
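Review bot: with the kfree() gone, nothing at the done: label shows who frees dev. A short comment there, saying that net2280_remove() drops the gadget reference with usb_put_gadget() and gadget_release() performs the final free, would keep the kfree() from being added back later. It is also worth confirming that no goto done with a non-NULL dev can run before usb_initialize_gadget() has installed the release callback, since that case would now leak.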




* [PATCH 7.0 074/378] Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path"
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 073/378] fwctl/bnxt_en: Refactor aux bus functions to be more generic Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 075/378] Drivers: hv: vmbus: Provide option to skip VMBus unload on panic Greg Kroah-Hartman
                   ` (304 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Breno Leitao, Stanislav Fomichev,
	Michael Chan, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit b6197b386677ae5268d4702e23849d9ad53051ad ]

This reverts commit 850d9248d2eac662f869c766a598c877690c74e5.
This reapplies commit 325eb217e41f ("bnxt_en: bring back rtnl_lock()
in the bnxt_open() path").

Breno reports a lockdep warning in bnxt. During FW reset the driver
may end up calling netif_set_real_num_tx_queues() (if queue count
changes), so calls to bnxt_open() still require rtnl_lock.

  net/sched/sch_generic.c:1416 suspicious rcu_dereference_protected() usage!

   dev_qdisc_change_real_num_tx+0x54/0xe0
   netif_set_real_num_tx_queues+0x4ed/0xa80
   __bnxt_open_nic+0x9cb/0x3490
   bnxt_open+0x1cb/0x370
   bnxt_fw_reset_task+0x80d/0x1e80
   process_scheduled_works+0x9c1/0x13b0

The reverted commit was just an optimization / experiment
so let's go back to taking the lock.

Reported-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/ah726OtFX-Qw3U-R@gmail.com
Fixes: 850d9248d2ea ("Revert "bnxt_en: bring back rtnl_lock() in the bnxt_open() path"")
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Reviewed-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260603195845.2574426-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 36 ++++++++++++++++++-----
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 86e45352cec105..ff5501999b4df1 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -14290,13 +14290,28 @@ static void bnxt_unlock_sp(struct bnxt *bp)
 	netdev_unlock(bp->dev);
 }
 
+/* Same as bnxt_lock_sp() with additional rtnl_lock */
+static void bnxt_rtnl_lock_sp(struct bnxt *bp)
+{
+	clear_bit(BNXT_STATE_IN_SP_TASK, &bp->state);
+	rtnl_lock();
+	netdev_lock(bp->dev);
+}
+
+static void bnxt_rtnl_unlock_sp(struct bnxt *bp)
+{
+	set_bit(BNXT_STATE_IN_SP_TASK, &bp->state);
+	netdev_unlock(bp->dev);
+	rtnl_unlock();
+}
+
 /* Only called from bnxt_sp_task() */
 static void bnxt_reset(struct bnxt *bp, bool silent)
 {
-	bnxt_lock_sp(bp);
+	bnxt_rtnl_lock_sp(bp);
 	if (test_bit(BNXT_STATE_OPEN, &bp->state))
 		bnxt_reset_task(bp, silent);
-	bnxt_unlock_sp(bp);
+	bnxt_rtnl_unlock_sp(bp);
 }
 
 /* Only called from bnxt_sp_task() */
@@ -14304,9 +14319,9 @@ static void bnxt_rx_ring_reset(struct bnxt *bp)
 {
 	int i;
 
-	bnxt_lock_sp(bp);
+	bnxt_rtnl_lock_sp(bp);
 	if (!test_bit(BNXT_STATE_OPEN, &bp->state)) {
-		bnxt_unlock_sp(bp);
+		bnxt_rtnl_unlock_sp(bp);
 		return;
 	}
 	/* Disable and flush TPA before resetting the RX ring */
@@ -14345,7 +14360,7 @@ static void bnxt_rx_ring_reset(struct bnxt *bp)
 	}
 	if (bp->flags & BNXT_FLAG_TPA)
 		bnxt_set_tpa(bp, true);
-	bnxt_unlock_sp(bp);
+	bnxt_rtnl_unlock_sp(bp);
 }
 
 static void bnxt_fw_fatal_close(struct bnxt *bp)
@@ -15255,15 +15270,17 @@ static void bnxt_fw_reset_task(struct work_struct *work)
 		bp->fw_reset_state = BNXT_FW_RESET_STATE_OPENING;
 		fallthrough;
 	case BNXT_FW_RESET_STATE_OPENING:
-		while (!netdev_trylock(bp->dev)) {
+		while (!rtnl_trylock()) {
 			bnxt_queue_fw_reset_work(bp, HZ / 10);
 			return;
 		}
+		netdev_lock(bp->dev);
 		rc = bnxt_open(bp->dev);
 		if (rc) {
 			netdev_err(bp->dev, "bnxt_open() failed during FW reset\n");
 			bnxt_fw_reset_abort(bp, rc);
 			netdev_unlock(bp->dev);
+			rtnl_unlock();
 			goto ulp_start;
 		}
 
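Review bot: while (!rtnl_trylock()) returns on its first iteration, so it never loops; an if would say what the code does (the shape is inherited from the netdev_trylock() line it replaces). The netdev_lock() added after it blocks unconditionally, which matches the rtnl-then-netdev order used by bnxt_rtnl_lock_sp(), bnxt_resume() and bnxt_io_resume() in this patch; a one-line comment stating that order here would help the next reader.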
@@ -15283,6 +15300,7 @@ static void bnxt_fw_reset_task(struct work_struct *work)
 			bnxt_dl_health_fw_status_update(bp, true);
 		}
 		netdev_unlock(bp->dev);
+		rtnl_unlock();
 		bnxt_ulp_start(bp);
 		bnxt_reenable_sriov(bp);
 		netdev_lock(bp->dev);
@@ -16272,7 +16290,7 @@ static int bnxt_queue_start(struct net_device *dev,
 		   rc);
 	napi_enable_locked(&bnapi->napi);
 	bnxt_db_nq_arm(bp, &cpr->cp_db, cpr->cp_raw_cons);
-	bnxt_reset_task(bp, true);
+	netif_close(dev);
 	return rc;
 }
 
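Review bot: the replacement of bnxt_reset_task(bp, true) with netif_close(dev) in the bnxt_queue_start() error path is not covered by the commit message, which only discusses taking rtnl_lock around bnxt_open(). Closing the device instead of resetting it is a behaviour change on this path; please add a comment here, or a sentence in the changelog, saying why the reset is no longer attempted.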
@@ -17116,6 +17134,7 @@ static int bnxt_resume(struct device *device)
 	struct bnxt *bp = netdev_priv(dev);
 	int rc = 0;
 
+	rtnl_lock();
 	netdev_lock(dev);
 	rc = pci_enable_device(bp->pdev);
 	if (rc) {
@@ -17160,6 +17179,7 @@ static int bnxt_resume(struct device *device)
 
 resume_exit:
 	netdev_unlock(bp->dev);
+	rtnl_unlock();
 	if (!rc) {
 		bnxt_ulp_start(bp);
 		bnxt_reenable_sriov(bp);
@@ -17326,6 +17346,7 @@ static void bnxt_io_resume(struct pci_dev *pdev)
 	int err;
 
 	netdev_info(bp->dev, "PCI Slot Resume\n");
+	rtnl_lock();
 	netdev_lock(netdev);
 
 	err = bnxt_hwrm_func_qcaps(bp);
@@ -17343,6 +17364,7 @@ static void bnxt_io_resume(struct pci_dev *pdev)
 		netif_device_attach(netdev);
 
 	netdev_unlock(netdev);
+	rtnl_unlock();
 	if (!err) {
 		bnxt_ulp_start(bp);
 		bnxt_reenable_sriov(bp);
-- 
2.53.0





* [PATCH 6.1 158/522] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 157/522] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 159/522] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
                   ` (364 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Seungjin Bae

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seungjin Bae <eeodqql09@gmail.com>

commit 7d9633528dd40e33964d2dc74a5abbf5c4d116ce upstream.

The `dummy_hub_control()` function handles USB hub class requests
to the virtual root hub. The `GetPortStatus` case returns -EPIPE for
requests with `wIndex != 1`, since the virtual root hub has only a
single port. However, the `ClearPortFeature` and `SetPortFeature`
cases lack the same check.

Fix this by extending the `wIndex != 1` rejection to both cases,
matching the existing behavior of `GetPortStatus`.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260518234314.1889396-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/dummy_hcd.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -2133,6 +2133,8 @@ static int dummy_hub_control(
 	case ClearHubFeature:
 		break;
 	case ClearPortFeature:
+		if (wIndex != 1)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_SUSPEND:
 			if (hcd->speed == HCD_USB3) {
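Review bot: the "error" label that the new goto in ClearPortFeature jumps to is not visible in this hunk, so the claim in the commit message that this matches GetPortStatus (which returns -EPIPE) cannot be checked from the diff alone. Please confirm the label sets retval to -EPIPE, and consider a short comment above the test noting that the virtual root hub has a single port, since the bare constant 1 now appears in three cases.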
@@ -2247,6 +2249,8 @@ static int dummy_hub_control(
 		retval = -EPIPE;
 		break;
 	case SetPortFeature:
+		if (wIndex != 1)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_LINK_STATE:
 			if (hcd->speed != HCD_USB3) {
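Review bot: in SetPortFeature the new "wIndex != 1" test runs before USB_PORT_FEAT_LINK_STATE is handled, and for a USB 3 hub that request carries the port number in the low byte of wIndex and the requested link state in the high byte. Does a link-state request for port 1 with a non-zero high byte now take the error path? If so, comparing only the port field, for example "(wIndex & 0xff) != 1", would keep the out-of-range rejection without changing behaviour for the HCD_USB3 case; if dummy_hcd is guaranteed to see a zero high byte, a comment saying so would help.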



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 075/378] Drivers: hv: vmbus: Provide option to skip VMBus unload on panic
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 074/378] Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path" Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 076/378] drm/hyperv: During panic do VMBus unload after frame buffer is flushed Greg Kroah-Hartman
                   ` (303 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Kelley, Long Li, Wei Liu,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Kelley <mhklinux@outlook.com>

[ Upstream commit c5c3ef8d49e15d2fc1cec4ad7c91d81b99977440 ]

Currently, VMBus code initiates a VMBus unload in the panic path so
that if a kdump kernel is loaded, it can start fresh in setting up its
own VMBus connection. However, a driver for the VMBus virtual frame
buffer may need to flush dirty portions of the frame buffer back to
the Hyper-V host so that panic information is visible in the graphics
console. To support such flushing, provide exported functions for the
frame buffer driver to specify that the VMBus unload should not be
done by the VMBus driver, and to initiate the VMBus unload itself.
Together these allow a frame buffer driver to delay the VMBus unload
until after it has completed the flush.

Ideally, the VMBus driver could use its own panic-path callback to do
the unload after all frame buffer drivers have finished. But DRM frame
buffer drivers use the kmsg dump callback, and there are no callbacks
after that in the panic path. Hence this somewhat messy approach to
properly sequencing the frame buffer flush and the VMBus unload.

Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic")
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hv/channel_mgmt.c |  1 +
 drivers/hv/hyperv_vmbus.h |  1 -
 drivers/hv/vmbus_drv.c    | 25 ++++++++++++++++++-------
 include/linux/hyperv.h    |  3 +++
 4 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 7c77ada12b2e94..327d05ccf41683 100644
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -944,6 +944,7 @@ void vmbus_initiate_unload(bool crash)
 	else
 		vmbus_wait_for_unload();
 }
+EXPORT_SYMBOL_GPL(vmbus_initiate_unload);
 
 static void vmbus_setup_channel_state(struct vmbus_channel *channel,
 				      struct vmbus_channel_offer_channel *offer)
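Review bot: vmbus_initiate_unload() is exported here without any kernel-doc, yet the "crash" argument selects between two different wait paths (the else branch visible above calls vmbus_wait_for_unload()). Now that code outside drivers/hv can call it, please document the allowed calling contexts and whether calling it a second time after an unload has already been issued is safe.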
diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
index 7bd8f8486e858c..592a16303b3bed 100644
--- a/drivers/hv/hyperv_vmbus.h
+++ b/drivers/hv/hyperv_vmbus.h
@@ -440,7 +440,6 @@ void hv_vss_deinit(void);
 int hv_vss_pre_suspend(void);
 int hv_vss_pre_resume(void);
 void hv_vss_onchannelcallback(void *context);
-void vmbus_initiate_unload(bool crash);
 
 static inline void hv_poll_channel(struct vmbus_channel *channel,
 				   void (*cb)(void *))
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 3d2827477f0a54..59fc09d73a05d0 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -70,19 +70,29 @@ bool vmbus_is_confidential(void)
 }
 EXPORT_SYMBOL_GPL(vmbus_is_confidential);
 
+static bool skip_vmbus_unload;
+
+/*
+ * Allow a VMBus framebuffer driver to specify that in the case of a panic,
+ * it will do the VMbus unload operation once it has flushed any dirty
+ * portions of the framebuffer to the Hyper-V host.
+ */
+void vmbus_set_skip_unload(bool skip)
+{
+	skip_vmbus_unload = skip;
+}
+EXPORT_SYMBOL_GPL(vmbus_set_skip_unload);
+
 /*
  * The panic notifier below is responsible solely for unloading the
  * vmbus connection, which is necessary in a panic event.
- *
- * Notice an intrincate relation of this notifier with Hyper-V
- * framebuffer panic notifier exists - we need vmbus connection alive
- * there in order to succeed, so we need to order both with each other
- * [see hvfb_on_panic()] - this is done using notifiers' priorities.
  */
 static int hv_panic_vmbus_unload(struct notifier_block *nb, unsigned long val,
 			      void *args)
 {
-	vmbus_initiate_unload(true);
+	if (!skip_vmbus_unload)
+		vmbus_initiate_unload(true);
+
 	return NOTIFY_DONE;
 }
 static struct notifier_block hyperv_panic_vmbus_unload_block = {
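Review bot: skip_vmbus_unload is a single file-scope bool that vmbus_set_skip_unload() overwrites unconditionally, so with more than one caller the last writer wins and one driver passing false cancels another driver's true. The comment above the setter should state that exactly one framebuffer driver is expected to use it, or the flag should become a count. The same hunk also deletes the old comment about ordering against the framebuffer panic notifier without describing the new ordering; a sentence saying that the flush path is now responsible for the unload when the flag is set would replace it.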
@@ -2903,7 +2913,8 @@ static void hv_crash_handler(struct pt_regs *regs)
 {
 	int cpu;
 
-	vmbus_initiate_unload(true);
+	if (!skip_vmbus_unload)
+		vmbus_initiate_unload(true);
 	/*
 	 * In crash handler we can't schedule synic cleanup for all CPUs,
 	 * doing the cleanup for current CPU only. This should be sufficient
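Review bot: when skip_vmbus_unload is true, hv_crash_handler() no longer performs any unload and goes straight to the synic cleanup described in the comment below. Nothing in this function shows who is expected to have done the unload by then, so please add a comment stating that the framebuffer driver must already have called vmbus_initiate_unload(true), and what the kdump kernel sees if that callback never ran.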
diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
index dfc516c1c7193f..b0502a336eb3a5 100644
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -1334,6 +1334,9 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj,
 			bool fb_overlap_ok);
 void vmbus_free_mmio(resource_size_t start, resource_size_t size);
 
+void vmbus_initiate_unload(bool crash);
+void vmbus_set_skip_unload(bool skip);
+
 /*
  * GUID definitions of various offer types - services offered to the guest.
  */
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 159/522] usb: gadget: f_fs: copy only received bytes on short ep0 read
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 158/522] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 160/522] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
                   ` (363 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Bommarito

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4e036c10e7f4df5d951c69cc3697bc8e209c6d02 upstream.

ffs_ep0_read() allocates its control-OUT data buffer with
kmalloc() (not kzalloc) at the Length value from the Setup
packet, then copies that full len to userspace regardless of
how many bytes were actually received:

    data = kmalloc(len, GFP_KERNEL);
    ...
    ret = __ffs_ep0_queue_wait(ffs, data, len);
    if ((ret > 0) && (copy_to_user(buf, data, len)))
            ret = -EFAULT;

__ffs_ep0_queue_wait() returns req->actual, which on a short
control OUT transfer is strictly less than len.  The
copy_to_user() call still copies len bytes, so on a short OUT
the last (len - ret) bytes of the kmalloc() buffer --
uninitialised slab residue -- are delivered to the FunctionFS
daemon.

Short ep0 OUT completions are specified USB control-transfer
behavior and are produced by in-tree UDCs:

  * dwc2 continues on req->actual < req->length for ep0 DATA OUT
    (short-not-ok is the only ep0-OUT stall path).
  * aspeed_udc ends ep0 OUT on rx_len < ep->ep.maxpacket.
  * renesas_usbf logs "ep0 short packet" and completes the
    request.
  * dwc3 stalls on short IN but not on short OUT.

A short ep0 OUT is therefore not evidence of a broken UDC; it is
a normal condition f_fs has to cope with.  The sibling gadgetfs
implementation in drivers/usb/gadget/legacy/inode.c already does
this correctly via min(len, dev->req->actual) before
copy_to_user().  This patch brings f_fs.c to the same safe
pattern rather than trimming at a defensive layer.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace.  Linux host stacks
normally reject short-wLength control OUTs before they reach
the gadget, so reproducing this required a build that
bypasses that host-side check.  With the bypass in place, a
1-byte payload on a 64-byte Setup produces 63 bytes of
non-canary slab residue in the daemon's read buffer.

Fix by copying only ret (actually received) bytes to
userspace.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable <stable@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419160359.1577270-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -592,7 +592,7 @@ static ssize_t ffs_ep0_read(struct file
 
 		/* unlocks spinlock */
 		ret = __ffs_ep0_queue_wait(ffs, data, len);
-		if ((ret > 0) && (copy_to_user(buf, data, len)))
+		if ((ret > 0) && (copy_to_user(buf, data, ret)))
 			ret = -EFAULT;
 		goto done_mutex;
 
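Review bot: copy_to_user(buf, data, ret) now trusts the value returned by __ffs_ep0_queue_wait() as the copy length, with only the "ret > 0" lower bound checked. The commit message cites gadgetfs using min(len, dev->req->actual) as the safe pattern; clamping here the same way, for example min_t(size_t, ret, len), would keep the copy inside the kmalloc(len) buffer even if a UDC ever reported more bytes than requested.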



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 076/378] drm/hyperv: During panic do VMBus unload after frame buffer is flushed
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 075/378] Drivers: hv: vmbus: Provide option to skip VMBus unload on panic Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 077/378] selftests: harness: fix pidfd leak in __wait_for_test Greg Kroah-Hartman
                   ` (302 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Kelley, Jocelyn Falempe,
	Wei Liu, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Kelley <mhklinux@outlook.com>

[ Upstream commit 8b35874f56ded0cc1a90a25b87411249a86246cd ]

In a VM, Linux panic information (reason for the panic, stack trace,
etc.) may be written to a serial console and/or a virtual frame buffer
for a graphics console. The latter may need to be flushed back to the
host hypervisor for display.

The current Hyper-V DRM driver for the frame buffer does the flushing
*after* the VMBus connection has been unloaded, such that panic messages
are not displayed on the graphics console. A user with a Hyper-V graphics
console is left with just a hung empty screen after a panic. The enhanced
control that DRM provides over the panic display in the graphics console
is similarly non-functional.

Commit 3671f3777758 ("drm/hyperv: Add support for drm_panic") added
the Hyper-V DRM driver support to flush the virtual frame buffer. It
provided necessary functionality but did not handle the sequencing
problem with VMBus unload.

Fix the full problem by using VMBus functions to suppress the VMBus
unload that is normally done by the VMBus driver in the panic path. Then
after the frame buffer has been flushed, do the VMBus unload so that a
kdump kernel can start cleanly. As expected, CONFIG_DRM_PANIC must be
selected for these changes to have effect. As a side benefit, the
enhanced features of the DRM panic path are also functional.

Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic")
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_drv.c     |  5 +++++
 drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 15 ++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
index 06b5d96e6eaf6b..b6bf6412ae34ac 100644
--- a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
@@ -150,6 +150,10 @@ static int hyperv_vmbus_probe(struct hv_device *hdev,
 		goto err_free_mmio;
 	}
 
+	/* If DRM panic path is stubbed out VMBus code must do the unload */
+	if (IS_ENABLED(CONFIG_DRM_PANIC))
+		vmbus_set_skip_unload(true);
+
 	drm_client_setup(dev, NULL);
 
 	return 0;
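Review bot: the comment added above the IS_ENABLED(CONFIG_DRM_PANIC) test describes the opposite case from the branch it sits on. It says the VMBus code must do the unload when the DRM panic path is stubbed out, but the line it annotates is the one taken when DRM panic is enabled. Rewording it to say that with CONFIG_DRM_PANIC the driver takes over the unload from the VMBus code would match the code.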
@@ -169,6 +173,7 @@ static void hyperv_vmbus_remove(struct hv_device *hdev)
 	struct drm_device *dev = hv_get_drvdata(hdev);
 	struct hyperv_drm_device *hv = to_hv(dev);
 
+	vmbus_set_skip_unload(false);
 	drm_dev_unplug(dev);
 	drm_atomic_helper_shutdown(dev);
 	vmbus_close(hdev->channel);
diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
index 7978f8c8108c23..d48ca6c23b7c5e 100644
--- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
@@ -212,15 +212,16 @@ static void hyperv_plane_panic_flush(struct drm_plane *plane)
 	struct hyperv_drm_device *hv = to_hv(plane->dev);
 	struct drm_rect rect;
 
-	if (!plane->state || !plane->state->fb)
-		return;
+	if (plane->state && plane->state->fb) {
+		rect.x1 = 0;
+		rect.y1 = 0;
+		rect.x2 = plane->state->fb->width;
+		rect.y2 = plane->state->fb->height;
 
-	rect.x1 = 0;
-	rect.y1 = 0;
-	rect.x2 = plane->state->fb->width;
-	rect.y2 = plane->state->fb->height;
+		hyperv_update_dirt(hv->hdev, &rect);
+	}
 
-	hyperv_update_dirt(hv->hdev, &rect);
+	vmbus_initiate_unload(true);
 }
 
 static const struct drm_plane_helper_funcs hyperv_plane_helper_funcs = {
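Review bot: vmbus_initiate_unload(true) at the end of hyperv_plane_panic_flush() is unconditional, while the other patch in this pair only suppresses the VMBus driver's own unload when the skip flag is set. After hyperv_vmbus_remove() has called vmbus_set_skip_unload(false), or in any configuration where the flag is clear but this callback still runs, the unload would be issued twice and the hyperv_update_dirt() above it would run after the connection is already gone. Please either gate this call on the same condition or document that a repeated unload is harmless.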
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 160/522] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 159/522] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 161/522] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
                   ` (362 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 01deda0152066c6c955f0619114ea6afa070aaec upstream.

entry->value is u32 and entry->length is u16; the sum is performed in
u32 and wraps.  A malicious XDomain peer can pick
value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
and passes the > block_len check.  tb_property_parse() then passes
entry->value to parse_dwdata() as a dword offset into the property
block, reading attacker-directed memory far past the allocation.

For TEXT-typed entries with the "deviceid" or "vendorid" keys this
lands in xd->device_name / xd->vendor_name and is readable back via
the per-XDomain device_name / vendor_name sysfs attributes; the leak
is NUL-bounded (kstrdup() stops at the first zero byte) and
untargeted (the attacker picks a delta, not an absolute address).
DATA-typed entries are parsed into property->value.data but not
generically surfaced to userspace.

Use check_add_overflow() so a wrapped sum is rejected.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -8,6 +8,7 @@
  */
 
 #include <linux/err.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/uuid.h>
@@ -52,13 +53,16 @@ static inline void format_dwdata(void *d
 static bool tb_property_entry_valid(const struct tb_property_entry *entry,
 				  size_t block_len)
 {
+	u32 end;
+
 	switch (entry->type) {
 	case TB_PROPERTY_TYPE_DIRECTORY:
 	case TB_PROPERTY_TYPE_DATA:
 	case TB_PROPERTY_TYPE_TEXT:
 		if (entry->length > block_len)
 			return false;
-		if (entry->value + entry->length > block_len)
+		if (check_add_overflow(entry->value, entry->length, &end) ||
+		    end > block_len)
 			return false;
 		break;
 
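Review bot: check_add_overflow() is called here with a u32 first operand (entry->value), a u16 second operand (entry->length) and a u32 destination. For a 6.1 backport, please confirm that this tree's <linux/overflow.h> accepts mixed operand types without a warning; if it does not, casting entry->length to u32 at the call site keeps the check identical. The preceding "entry->length > block_len" test is now implied by the new one and could be dropped or kept with a comment.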



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 077/378] selftests: harness: fix pidfd leak in __wait_for_test
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 076/378] drm/hyperv: During panic do VMBus unload after frame buffer is flushed Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 078/378] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
                   ` (301 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geliang Tang, Thomas Weißschuh,
	Christian Brauner (Amutable), Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geliang Tang <tanggeliang@kylinos.cn>

[ Upstream commit 0eb307d61317b42b120ab02099b597226318358a ]

Fix the pidfd leak in kselftest_harness.h's __wait_for_test() where
childfd = syscall(__NR_pidfd_open, t->pid, 0) is never closed.

Fixes: 73a3cde97677 ("selftests: harness: Implement test timeouts through pidfd")
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Link: https://patch.msgid.link/a82e275ccfb2609a1984d90ab559fa3af78f1e81.1776678050.git.tanggeliang@kylinos.cn
Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/kselftest_harness.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
index 4afaef01c22e97..27d1bf5fd86180 100644
--- a/tools/testing/selftests/kselftest_harness.h
+++ b/tools/testing/selftests/kselftest_harness.h
@@ -996,6 +996,7 @@ static void __wait_for_test(struct __test_metadata *t)
 	poll_child.fd = childfd;
 	poll_child.events = POLLIN;
 	ret = poll(&poll_child, 1, t->timeout * 1000);
+	close(childfd);
 	if (ret == -1) {
 		t->exit_code = KSFT_FAIL;
 		fprintf(TH_LOG_STREAM,
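Review bot: close(childfd) is placed between poll() and the "ret == -1" branch, so if the fprintf() that follows reports errno it may print the value left by close() rather than by poll(). Saving errno before the close, or moving the close after the error handling, avoids that. The visible lines also do not show childfd being checked for -1 before it is polled and closed.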
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 161/522] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 160/522] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 162/522] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
                   ` (361 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit de21b59c29e31c5108ddc04210631bbfab81b997 upstream.

On the non-root path, __tb_property_parse_dir() takes dir_len from
entry->length (u16 widened to size_t).  Two distinct OOB conditions
follow when entry->length < 4:

1. The non-root path begins with kmemdup(&block[dir_offset],
   sizeof(*dir->uuid), ...) which always reads 4 dwords from
   dir_offset.  tb_property_entry_valid() only enforces
   dir_offset + entry->length <= block_len, so a crafted entry
   with dir_offset close to the end of the property block and
   entry->length in 0..3 passes that gate but lets the UUID copy
   run off the block (e.g. dir_offset = 497, dir_len = 3 in a
   500-dword block reads block[497..501]).

2. After the kmemdup, content_len = dir_len - 4 underflows size_t
   to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry
   walk runs OOB on each iteration until an entry fails
   validation or the kernel oopses on an unmapped page.

Reject dir_len < 4 on the non-root path *before* the UUID kmemdup,
which closes both holes.

Also move INIT_LIST_HEAD(&dir->properties) up to immediately after
the dir allocation so the new error-return path (and the existing
uuid-alloc failure path) calling tb_property_free_dir() sees a
walkable list rather than the zero-initialized NULL next/prev that
list_for_each_entry_safe() would oops on.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_prop
 	if (!dir)
 		return NULL;
 
+	INIT_LIST_HEAD(&dir->properties);
+
 	if (is_root) {
 		content_offset = dir_offset + 2;
 		content_len = dir_len;
 	} else {
+		if (dir_len < 4) {
+			tb_property_free_dir(dir);
+			return NULL;
+		}
 		dir->uuid = kmemdup(&block[dir_offset], sizeof(*dir->uuid),
 				    GFP_KERNEL);
 		if (!dir->uuid) {
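Review bot: the new "dir_len < 4" test uses a bare 4, while the kmemdup() two lines below sizes the same read as sizeof(*dir->uuid) and dir_len is counted in dwords. Expressing the bound as sizeof(*dir->uuid) / 4, or adding a comment that 4 is the UUID length in dwords, would keep the check tied to the copy it protects if the type ever changes.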
@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_prop
 	entries = (const struct tb_property_entry *)&block[content_offset];
 	nentries = content_len / (sizeof(*entries) / 4);
 
-	INIT_LIST_HEAD(&dir->properties);
-
 	for (i = 0; i < nentries; i++) {
 		struct tb_property *property;
 



^ permalink raw reply	[flat|nested] 906+ messages in thread
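The two thunderbolt property fixes above (160/522 and 161/522) can be reproduced with plain integer arithmetic. The following is an added userspace model, not code from the patches or the kernel: struct entry_model, the function names and the sample values' names are hypothetical, the numeric inputs are the ones quoted in the commit messages, and the portable overflow test stands in for check_add_overflow().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model: only the two entry fields the commit messages name. */
struct entry_model {
	uint32_t value;   /* dword offset of the payload in the property block */
	uint16_t length;  /* payload length in dwords */
};

#define UUID_DWORDS  4  /* the non-root path always copies 4 dwords of UUID */
#define ENTRY_DWORDS 4  /* dwords per entry ("nentries becomes SIZE_MAX / 4") */

/* Constructed samples, using the numbers from the commit messages. */
static const struct entry_model SAMPLE_WRAP      = { 0xffffff00u, 0x100 };
static const struct entry_model SAMPLE_SHORT_DIR = { 497, 3 };
static const struct entry_model SAMPLE_OK        = { 100, 8 };

/* Pre-fix bounds check: the sum is computed in 32 bits and can wrap. */
static bool entry_valid_wrapping(const struct entry_model *e, size_t block_len)
{
	if (e->length > block_len)
		return false;
	return !((uint32_t)(e->value + e->length) > block_len);
}

/* Hardened check: refuse the entry when value + length does not fit in
 * 32 bits, then compare the exact end offset against the block length. */
static bool entry_valid_checked(const struct entry_model *e, size_t block_len)
{
	uint32_t end;

	if (e->length > UINT32_MAX - e->value)
		return false;
	end = e->value + e->length;
	return end <= block_len;
}

enum dir_verdict { DIR_OK, DIR_REJECTED };

struct dir_plan {
	enum dir_verdict verdict;
	size_t uuid_end;   /* one past the last dword the UUID copy reads */
	size_t nentries;   /* entries the walk would visit */
};

/* What a non-root directory parse would do with an entry that already
 * passed validation; 'hardened' adds the dir_len < 4 rejection. */
static struct dir_plan plan_nonroot_dir(const struct entry_model *e, bool hardened)
{
	struct dir_plan p = { DIR_OK, 0, 0 };
	size_t dir_offset = e->value;
	size_t dir_len = e->length;              /* u16 widened to size_t */

	if (hardened && dir_len < UUID_DWORDS) {
		p.verdict = DIR_REJECTED;
		return p;
	}
	p.uuid_end = dir_offset + UUID_DWORDS;
	/* size_t subtraction: wraps to a huge value when dir_len < 4 */
	p.nentries = (dir_len - UUID_DWORDS) / ENTRY_DWORDS;
	return p;
}

int main(void)
{
	const size_t block_len = 500;
	struct dir_plan p;

	printf("wrap sample:  old check accepts=%d, new check accepts=%d\n",
	       entry_valid_wrapping(&SAMPLE_WRAP, block_len),
	       entry_valid_checked(&SAMPLE_WRAP, block_len));

	p = plan_nonroot_dir(&SAMPLE_SHORT_DIR, false);
	printf("short dir, unhardened: uuid_end=%zu (block_len=%zu), nentries=%zu\n",
	       p.uuid_end, block_len, p.nentries);

	p = plan_nonroot_dir(&SAMPLE_SHORT_DIR, true);
	printf("short dir, hardened:   rejected=%d\n", p.verdict == DIR_REJECTED);

	p = plan_nonroot_dir(&SAMPLE_OK, true);
	printf("normal dir, hardened:  uuid_end=%zu, nentries=%zu\n",
	       p.uuid_end, p.nentries);
	return 0;
}
```

The short-directory sample passes both entry validators, which is why the second patch needs its own check rather than relying on the first.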

* [PATCH 7.0 078/378] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 077/378] selftests: harness: fix pidfd leak in __wait_for_test Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 079/378] regulator: mt6363: select CONFIG_IRQ_DOMAIN Greg Kroah-Hartman
                   ` (300 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+b109633ea805cac54a61,
	Aleksandr Nogikh, Christian Brauner (Amutable), Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksandr Nogikh <nogikh@google.com>

[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]

When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
threads and sets signal->group_stop_count to the number of threads. If
one of the threads concurrently calls execve(), de_thread() invokes
zap_other_threads() to kill all other threads. zap_other_threads()
aborts the pending group stop by resetting signal->group_stop_count to 0
and clears the JOBCTL_PENDING_MASK for all other threads. However, it
fails to clear the job control flags for the calling thread.

When execve() completes, the calling thread returns to user mode and
checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
it calls do_signal_stop(), which invokes task_participate_group_stop().
Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
already-zero signal->group_stop_count, triggering a warning:

sig->group_stop_count == 0
WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
task_participate_group_stop+0x215/0x2d0
Call Trace:
 <TASK>
 do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
 get_signal+0xa8c/0x1330 kernel/signal.c:2884
 arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
 do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
calling thread in zap_other_threads(), ensuring it does not retain any
stale job control state after the thread group is destroyed. This aligns
with other functions that tear down a thread group and abort group
stops, such as zap_process() and complete_signal(), which correctly
clear these flags for all threads including the current one.

Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/signal.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/signal.c b/kernel/signal.c
index d65d0fe24bfb8c..1c9b5bf8126e01 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1340,6 +1340,7 @@ int zap_other_threads(struct task_struct *p)
 	int count = 0;
 
 	p->signal->group_stop_count = 0;
+	task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
 
 	for_other_threads(p, t) {
 		task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
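Review bot: the new task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK) has no comment, and because the loop right below it is named for_other_threads() the extra call on p reads like a duplicate. A one-line comment that the caller's own stop flags must be cleared together with group_stop_count, so that it does not act on a stale JOBCTL_STOP_PENDING after execve(), would record why the function named zap_other_threads() also touches the calling thread.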
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 162/522] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 161/522] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 163/522] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
                   ` (360 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Hannes Reinecke,
	Martin K. Petersen

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 upstream.

drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the
descriptor cursor by an attacker-supplied fip_dlen without ever
requiring dlen >= sizeof(struct fip_desc) in the default branch.  The
named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked
their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor
(fip_dtype >= 128, which the standard requires receivers to silently
ignore) skipped that check entirely.

An unauthenticated L2 peer on the FCoE control VLAN could hang
fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely
by emitting one FIP CVL frame whose single descriptor had fip_dtype ==
FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes
per iteration and the loop condition rlen >= sizeof(*desc) stayed true
forever, blocking every subsequent FIP frame on that controller.

Tighten the outer dlen guard to also reject dlen < sizeof(struct
fip_desc), so a malformed descriptor whose length cannot even cover the
descriptor header is rejected before the switch.  This is the same
lower-bound the named cases already apply and is the minimum scope that
closes the loop.

Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/fcoe/fcoe_ctlr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -1386,7 +1386,7 @@ static void fcoe_ctlr_recv_clr_vlink(str
 
 	while (rlen >= sizeof(*desc)) {
 		dlen = desc->fip_dlen * FIP_BPW;
-		if (dlen > rlen)
+		if (dlen < sizeof(*desc) || dlen > rlen)
 			goto err;
 		/* Drop CVL if there are duplicate critical descriptors */
 		if ((desc->fip_dtype < 32) &&
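Review bot: the lower bound "dlen < sizeof(*desc)" is added to the existing guard without a comment, and its purpose (guaranteeing that the cursor advances on every pass of the while loop) is not obvious from the condition itself. A short comment above the test would keep a later cleanup from folding it back into the per-type checks, which is how the default branch came to lack it.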



^ permalink raw reply	[flat|nested] 906+ messages in thread
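The non-terminating walk described in the FCoE commit message above, and the effect of the added lower bound, can be shown on a small model of the descriptor loop. This is an added userspace example, not code from the patch or the kernel: walk_descriptors(), the two-byte header layout (type byte, length byte), the step budget and the frames are assumptions constructed for illustration; FIP_BPW and the type value 128 come from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FIP_BPW       4    /* bytes per length unit, as in the hunk */
#define DESC_HDR_LEN  2    /* assumed header: one type byte, one length byte */
#define WALK_REJECTED (-1) /* frame dropped by a length check */
#define WALK_STUCK    (-2) /* step budget exhausted: the real loop would spin */

/* Constructed frames. Type 128 is the first non-critical descriptor type. */
static const uint8_t FRAME_ZERO_LEN[] = { 128, 0, 0, 0 };
static const uint8_t FRAME_OVERLONG[] = { 128, 3, 0, 0 };
static const uint8_t FRAME_OK[]       = { 128, 1, 0, 0,
					  129, 2, 0, 0, 0, 0, 0, 0 };

/*
 * Walk type/length descriptors the way the loop in the hunk does.
 * 'hardened' adds the lower bound from the fix. 'max_steps' exists only in
 * this model so that a non-advancing cursor is reported instead of hanging.
 * Returns the number of descriptors visited, or a WALK_* code.
 */
static int walk_descriptors(const uint8_t *buf, size_t rlen,
			    bool hardened, int max_steps)
{
	int visited = 0;

	while (rlen >= DESC_HDR_LEN) {
		size_t dlen = (size_t)buf[1] * FIP_BPW;

		if (hardened && dlen < DESC_HDR_LEN)
			return WALK_REJECTED;   /* cannot even cover the header */
		if (dlen > rlen)
			return WALK_REJECTED;   /* runs past the frame */
		if (visited == max_steps)
			return WALK_STUCK;

		visited++;
		buf += dlen;                    /* advances by zero if dlen == 0 */
		rlen -= dlen;
	}
	return visited;
}

int main(void)
{
	printf("zero-length, old guard: %d\n",
	       walk_descriptors(FRAME_ZERO_LEN, sizeof(FRAME_ZERO_LEN), false, 1000));
	printf("zero-length, new guard: %d\n",
	       walk_descriptors(FRAME_ZERO_LEN, sizeof(FRAME_ZERO_LEN), true, 1000));
	printf("well-formed, new guard: %d\n",
	       walk_descriptors(FRAME_OK, sizeof(FRAME_OK), true, 1000));
	printf("over-long,   new guard: %d\n",
	       walk_descriptors(FRAME_OVERLONG, sizeof(FRAME_OVERLONG), true, 1000));
	return 0;
}
```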

* [PATCH 7.0 079/378] regulator: mt6363: select CONFIG_IRQ_DOMAIN
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 078/378] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 080/378] hyperv: Clean up and fix the guest ID comment in hvgdk.h Greg Kroah-Hartman
                   ` (299 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann,
	AngeloGioacchino Del Regno, Mark Brown, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit 29d87434cb91b7689de2917830ca82acfd2770f5 ]

Build-testing this driver without CONFIG_IRQ_DOMAIN causes
a compile-time error:

drivers/regulator/mt6363-regulator.c: In function 'mt6363_regulator_probe':
drivers/regulator/mt6363-regulator.c:884:18: error: implicit declaration of function 'irq_find_host' [-Wimplicit-function-declaration]
  884 |         domain = irq_find_host(interrupt_parent);
      |                  ^~~~~~~~~~~~~
drivers/regulator/mt6363-regulator.c:884:16: error: assignment to 'struct irq_domain *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  884 |         domain = irq_find_host(interrupt_parent);
      |                ^
drivers/regulator/mt6363-regulator.c:896:30: error: implicit declaration of function 'irq_create_fwspec_mapping'; did you mean 'irq_create_of_mapping'? [-Wimplicit-function-declaration]
  896 |                 info->virq = irq_create_fwspec_mapping(&fwspec);
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~
      |                              irq_create_of_mapping

This is rather hard to trigger because so many other drivers
enable IRQ_DOMAIN already, but I ran into this on an s390
randconfig build.

Ensure this is always enabled using a Kconfig 'select IRQ_DOMAIN'
entry, as we do for all other users of this.

Fixes: 3c36965df808 ("regulator: Add support for MediaTek MT6363 SPMI PMIC Regulators")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20260526102003.2527570-1-arnd@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/regulator/Kconfig b/drivers/regulator/Kconfig
index d10b6f9243d515..426642d7a02c0c 100644
--- a/drivers/regulator/Kconfig
+++ b/drivers/regulator/Kconfig
@@ -977,6 +977,7 @@ config REGULATOR_MT6363
 	tristate "MT6363 SPMI PMIC regulator driver"
 	depends on SPMI
 	select REGMAP_SPMI
+	select IRQ_DOMAIN
 	help
 	  Say Y here to enable support for regulators found in the MediaTek
 	  MT6363 SPMI PMIC.
-- 
2.53.0





* [PATCH 6.1 163/522] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 162/522] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 164/522] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
                   ` (359 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Christoph Hellwig,
	John Garry, Martin K. Petersen

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 upstream.

An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS
frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in
the generic FC transport. This is not a local userspace or IP network
path; the attacker must be able to inject fabric traffic, for example as
a compromised switch or fabric controller, or as a same-zone N_Port on a
fabric that permits source spoofing.

The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop
counter against the 32-bit on-wire pname_count field, and did not bound
pname_count by the descriptor body already validated by the TLV walker.
A pname_count of 256 therefore wraps the counter and keeps the loop
condition true indefinitely.

Factor the shared pname_list[] walk into one helper, widen the counter
to u32, and clamp pname_count against the entries that fit in the
descriptor body before iterating.

Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_transport_fc.c |   77 ++++++++++++++++++++-------------------
 1 file changed, 41 insertions(+), 36 deletions(-)

--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -746,6 +746,37 @@ fc_cn_stats_update(u16 event_type, struc
 	}
 }
 
+static void
+fc_fpin_pname_stats_update(struct Scsi_Host *shost,
+			   struct fc_rport *attach_rport, u16 event_type,
+			   u32 desc_len, u32 fixed_len, u32 pname_count,
+			   __be64 *pname_list,
+			   void (*stats_update)(u16 event_type,
+						struct fc_fpin_stats *stats))
+{
+	u32 i;
+	struct fc_rport *rport;
+	u64 wwpn;
+
+	if (desc_len < fixed_len)
+		pname_count = 0;
+	else
+		pname_count = min(pname_count, (desc_len - fixed_len) /
+				   sizeof(pname_list[0]));
+
+	for (i = 0; i < pname_count; i++) {
+		wwpn = be64_to_cpu(pname_list[i]);
+		rport = fc_find_rport_by_wwpn(shost, wwpn);
+		if (rport &&
+		    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
+		     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
+			if (rport == attach_rport)
+				continue;
+			stats_update(event_type, &rport->fpin_stats);
+		}
+	}
+}
+
 /*
  * fc_fpin_li_stats_update - routine to update Link Integrity
  * event statistics.
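
Review bot: In `fc_fpin_pname_stats_update()` the clamp `min(pname_count, (desc_len - fixed_len) / sizeof(pname_list[0]))` compares a u32 with a size_t; `min_t(u32, ...)` would make the intended width explicit and would not depend on how strict min()'s type check is in the tree this lands in. The helper also has no header comment, unlike the `fc_fpin_li_stats_update` block right below it; a short one should say what `desc_len` and `fixed_len` are measured from (with or without the TLV header), since the clamp is only correct if both use the same base.
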
@@ -756,13 +787,11 @@ fc_cn_stats_update(u16 event_type, struc
 static void
 fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv)
 {
-	u8 i;
 	struct fc_rport *rport = NULL;
 	struct fc_rport *attach_rport = NULL;
 	struct fc_host_attrs *fc_host = shost_to_fc_host(shost);
 	struct fc_fn_li_desc *li_desc = (struct fc_fn_li_desc *)tlv;
 	u16 event_type = be16_to_cpu(li_desc->event_type);
-	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
 				      be64_to_cpu(li_desc->attached_wwpn));
@@ -773,22 +802,11 @@ fc_fpin_li_stats_update(struct Scsi_Host
 		fc_li_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
-	if (be32_to_cpu(li_desc->pname_count) > 0) {
-		for (i = 0;
-		    i < be32_to_cpu(li_desc->pname_count);
-		    i++) {
-			wwpn = be64_to_cpu(li_desc->pname_list[i]);
-			rport = fc_find_rport_by_wwpn(shost, wwpn);
-			if (rport &&
-			    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
-			    rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
-				if (rport == attach_rport)
-					continue;
-				fc_li_stats_update(event_type,
-						   &rport->fpin_stats);
-			}
-		}
-	}
+	fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+				   be32_to_cpu(li_desc->desc_len),
+				   FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc),
+				   be32_to_cpu(li_desc->pname_count),
+				   li_desc->pname_list, fc_li_stats_update);
 
 	if (fc_host->port_name == be64_to_cpu(li_desc->attached_wwpn))
 		fc_li_stats_update(event_type, &fc_host->fpin_stats);
@@ -836,13 +854,11 @@ static void
 fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost,
 				struct fc_tlv_desc *tlv)
 {
-	u8 i;
 	struct fc_rport *rport = NULL;
 	struct fc_rport *attach_rport = NULL;
 	struct fc_fn_peer_congn_desc *pc_desc =
 	    (struct fc_fn_peer_congn_desc *)tlv;
 	u16 event_type = be16_to_cpu(pc_desc->event_type);
-	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
 				      be64_to_cpu(pc_desc->attached_wwpn));
@@ -853,22 +869,11 @@ fc_fpin_peer_congn_stats_update(struct S
 		fc_cn_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
-	if (be32_to_cpu(pc_desc->pname_count) > 0) {
-		for (i = 0;
-		    i < be32_to_cpu(pc_desc->pname_count);
-		    i++) {
-			wwpn = be64_to_cpu(pc_desc->pname_list[i]);
-			rport = fc_find_rport_by_wwpn(shost, wwpn);
-			if (rport &&
-			    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
-			     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
-				if (rport == attach_rport)
-					continue;
-				fc_cn_stats_update(event_type,
-						   &rport->fpin_stats);
-			}
-		}
-	}
+	fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+				   be32_to_cpu(pc_desc->desc_len),
+				   FC_TLV_DESC_LENGTH_FROM_SZ(*pc_desc),
+				   be32_to_cpu(pc_desc->pname_count),
+				   pc_desc->pname_list, fc_cn_stats_update);
 }
 
 /*




* [PATCH 7.0 080/378] hyperv: Clean up and fix the guest ID comment in hvgdk.h
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 079/378] regulator: mt6363: select CONFIG_IRQ_DOMAIN Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 081/378] VFS: fix possible failure to unlock in nfsd4_create_file() Greg Kroah-Hartman
                   ` (298 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dexuan Cui, Hamza Mahfooz, Wei Liu,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

[ Upstream commit 83eb00f31eb1b10735d48e469df72cc2b0e06f6d ]

Change the "64 bit" to "64-bit", and the "Os" to "OS".

Remove the obsolete paragraph since the guideline has been
published in the Hypervisor Top Level Functional Specification
for many years.

The "OS Type" is 0x1 for Linux, not 0x100.

No functional change.

Fixes: 83ba0c4f3f31 ("Drivers: hv: Cleanup the guest ID computation")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/hyperv/hvgdk.h | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/include/hyperv/hvgdk.h b/include/hyperv/hvgdk.h
index 384c3f3ff4a525..f538144280ca55 100644
--- a/include/hyperv/hvgdk.h
+++ b/include/hyperv/hvgdk.h
@@ -10,18 +10,12 @@
 
 /*
  * The guest OS needs to register the guest ID with the hypervisor.
- * The guest ID is a 64 bit entity and the structure of this ID is
+ * The guest ID is a 64-bit entity and the structure of this ID is
  * specified in the Hyper-V TLFS specification.
  *
- * While the current guideline does not specify how Linux guest ID(s)
- * need to be generated, our plan is to publish the guidelines for
- * Linux and other guest operating systems that currently are hosted
- * on Hyper-V. The implementation here conforms to this yet
- * unpublished guidelines.
- *
  * Bit(s)
  * 63 - Indicates if the OS is Open Source or not; 1 is Open Source
- * 62:56 - Os Type; Linux is 0x100
+ * 62:56 - OS Type; Linux is 0x1
  * 55:48 - Distro specific identification
  * 47:16 - Linux kernel version number
  * 15:0  - Distro specific identification
-- 
2.53.0





* [PATCH 6.1 164/522] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 163/522] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 165/522] scsi: target: iscsi: Validate CHAP_R length before base64 decode Greg Kroah-Hartman
                   ` (358 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
	Martin K. Petersen

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit bf33e01f88388c43e285492a63e539df6ffed64c upstream.

iscsi_encode_text_output() concatenates "key=value\0" records into
login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer
allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call
sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check
the remaining buffer capacity:

	*length += sprintf(output_buf, "%s=%s", er->key, er->value);
	*length += 1;
	output_buf = textbuf + *length;

The 8192-byte ceiling at iscsi_target_check_login_request() bounds the
*input* Login PDU payload, but a single PDU can carry up to 2048 minimal
four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte
"a=NotUnderstood\0" output record via iscsi_add_notunderstood_response().
2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB
heap overrun in the kmalloc-8k slab.

The fix introduces a static iscsi_encode_text_record() helper that uses
snprintf() with a per-call bounds check against the remaining buffer,
and threads a u32 textbuf_size parameter through
iscsi_encode_text_output(). Both call sites in
iscsi_target_handle_csg_zero() (PHASE_SECURITY) and
iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass
MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls
iscsi_release_extra_responses() to drop queued records, and returns -1;
both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR /
ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning,
so the initiator sees an explicit failed-login response rather than a
silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL
caller did that; the PHASE_SECURITY caller is converted to the same
shape.)

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_nego.c       |    7 ++
 drivers/target/iscsi/iscsi_target_parameters.c |   62 +++++++++++++++++++------
 drivers/target/iscsi/iscsi_target_parameters.h |    2 
 3 files changed, 55 insertions(+), 16 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -905,10 +905,14 @@ static int iscsi_target_handle_csg_zero(
 			SENDER_TARGET,
 			login->rsp_buf,
 			&login->rsp_length,
+			MAX_KEY_VALUE_PAIRS,
 			conn->param_list,
 			conn->tpg->tpg_attrib.login_keys_workaround);
-	if (ret < 0)
+	if (ret < 0) {
+		iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+				ISCSI_LOGIN_STATUS_INIT_ERR);
 		return -1;
+	}
 
 	if (!iscsi_check_negotiated_keys(conn->param_list)) {
 		bool auth_required = iscsi_conn_auth_required(conn);
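
Review bot: Passing `MAX_KEY_VALUE_PAIRS` as the byte size of `login->rsp_buf` at this call site ties the bound to a constant whose name reads as a pair count and which is repeated by hand at the second call site; nothing here links it to the allocation. A dedicated size macro, or a length stored next to `rsp_buf`, would keep the allocation and the bound from drifting apart.
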
@@ -992,6 +996,7 @@ static int iscsi_target_handle_csg_one(s
 			SENDER_TARGET,
 			login->rsp_buf,
 			&login->rsp_length,
+			MAX_KEY_VALUE_PAIRS,
 			conn->param_list,
 			conn->tpg->tpg_attrib.login_keys_workaround);
 	if (ret < 0) {
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -1419,19 +1419,42 @@ free_buffer:
 	return -1;
 }
 
+/*
+ * Append "key=value" plus a trailing NUL into @textbuf at *@length.
+ * Returns 0 on success and advances *@length, or -EMSGSIZE if the
+ * record (including the NUL) would not fit in the remaining buffer.
+ */
+static int iscsi_encode_text_record(char *textbuf, u32 *length,
+				    u32 textbuf_size,
+				    const char *key, const char *value)
+{
+	int n;
+	u32 avail;
+
+	if (*length >= textbuf_size)
+		return -EMSGSIZE;
+
+	avail = textbuf_size - *length;
+	n = snprintf(textbuf + *length, avail, "%s=%s", key, value);
+	if (n < 0 || (u32)n + 1 > avail)
+		return -EMSGSIZE;
+
+	*length += n + 1;
+	return 0;
+}
+
 int iscsi_encode_text_output(
 	u8 phase,
 	u8 sender,
 	char *textbuf,
 	u32 *length,
+	u32 textbuf_size,
 	struct iscsi_param_list *param_list,
 	bool keys_workaround)
 {
-	char *output_buf = NULL;
 	struct iscsi_extra_response *er;
 	struct iscsi_param *param;
-
-	output_buf = textbuf + *length;
+	int ret;
 
 	if (iscsi_enforce_integrity_rules(phase, param_list) < 0)
 		return -1;
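
Review bot: In `iscsi_encode_text_record()`, when the record does not fit, snprintf() has already written a truncated `key=value` fragment at `textbuf + *length` before `-EMSGSIZE` is returned. That is harmless only while every caller discards the buffer on error; either clear `textbuf[*length]` on the failure path or state in the function comment that bytes past `*length` are undefined after an error. The `*length += n + 1;` line also mixes int and u32 where the check above already casts, so `(u32)n + 1` would be consistent.
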
@@ -1443,10 +1466,12 @@ int iscsi_encode_text_output(
 		    !IS_PSTATE_RESPONSE_SENT(param) &&
 		    !IS_PSTATE_REPLY_OPTIONAL(param) &&
 		    (param->phase & phase)) {
-			*length += sprintf(output_buf, "%s=%s",
-				param->name, param->value);
-			*length += 1;
-			output_buf = textbuf + *length;
+			ret = iscsi_encode_text_record(textbuf, length,
+						       textbuf_size,
+						       param->name,
+						       param->value);
+			if (ret < 0)
+				goto err_overflow;
 			SET_PSTATE_RESPONSE_SENT(param);
 			pr_debug("Sending key: %s=%s\n",
 				param->name, param->value);
@@ -1456,10 +1481,12 @@ int iscsi_encode_text_output(
 		    !IS_PSTATE_ACCEPTOR(param) &&
 		    !IS_PSTATE_PROPOSER(param) &&
 		    (param->phase & phase)) {
-			*length += sprintf(output_buf, "%s=%s",
-				param->name, param->value);
-			*length += 1;
-			output_buf = textbuf + *length;
+			ret = iscsi_encode_text_record(textbuf, length,
+						       textbuf_size,
+						       param->name,
+						       param->value);
+			if (ret < 0)
+				goto err_overflow;
 			SET_PSTATE_PROPOSER(param);
 			iscsi_check_proposer_for_optional_reply(param,
 							        keys_workaround);
@@ -1469,14 +1496,21 @@ int iscsi_encode_text_output(
 	}
 
 	list_for_each_entry(er, &param_list->extra_response_list, er_list) {
-		*length += sprintf(output_buf, "%s=%s", er->key, er->value);
-		*length += 1;
-		output_buf = textbuf + *length;
+		ret = iscsi_encode_text_record(textbuf, length, textbuf_size,
+					       er->key, er->value);
+		if (ret < 0)
+			goto err_overflow;
 		pr_debug("Sending key: %s=%s\n", er->key, er->value);
 	}
 	iscsi_release_extra_responses(param_list);
 
 	return 0;
+
+err_overflow:
+	pr_err("iSCSI login response buffer (%u bytes) exhausted, dropping login.\n",
+	       textbuf_size);
+	iscsi_release_extra_responses(param_list);
+	return -1;
 }
 
 int iscsi_check_negotiated_keys(struct iscsi_param_list *param_list)
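
Review bot: The `err_overflow` path logs with `pr_err()` on a condition the commit message describes as reachable from a single Login PDU, so a remote initiator can repeat it at will; `pr_err_ratelimited()` would keep the diagnostic without letting login attempts flood the log. The label also returns with `*length` advanced past the records that did fit and with those parameters already marked through `SET_PSTATE_RESPONSE_SENT()` / `SET_PSTATE_PROPOSER()` in the earlier hunks; if that is acceptable because the login is torn down, a comment at the label should say so.
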
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -46,7 +46,7 @@ extern struct iscsi_param *iscsi_find_pa
 extern int iscsi_extract_key_value(char *, char **, char **);
 extern int iscsi_update_param_value(struct iscsi_param *, char *);
 extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsit_conn *);
-extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
+extern int iscsi_encode_text_output(u8, u8, char *, u32 *, u32,
 			struct iscsi_param_list *, bool);
 extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
 extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
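
The amplification arithmetic from the commit message above, as an added user-space model (not part of the patch or of the kernel tree). `simulate_login()`, `encode_record()`, `fill_minimal_pairs()`, `simulate_full_pdu()` and `struct amp_result` are hypothetical names, the input is constructed, and every key is assumed to be answered with `NotUnderstood`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSP_BUF_SIZE 8192u   /* response buffer size given in the commit message */
#define IN_BUF_SIZE  8192u   /* input Login PDU payload ceiling given there */
#define NOT_UNDERSTOOD "NotUnderstood"

struct amp_result {
	uint32_t pairs;     /* key=value pairs found in the input */
	uint32_t needed;    /* bytes an unbounded encoder would have written */
	uint32_t accepted;  /* records the bounded encoder stored */
	uint32_t used;      /* bytes of the response buffer consumed */
	int rc;             /* 0, or -EMSGSIZE once a record did not fit */
};

/* Bounded append of "key=value" plus NUL (same contract as the patch's helper). */
static int encode_record(char *buf, uint32_t *len, uint32_t size,
			 const char *key, const char *value)
{
	uint32_t avail;
	int n;

	if (*len >= size)
		return -EMSGSIZE;
	avail = size - *len;
	n = snprintf(buf + *len, avail, "%s=%s", key, value);
	if (n < 0 || (uint32_t)n + 1 > avail)
		return -EMSGSIZE;
	*len += (uint32_t)n + 1;
	return 0;
}

/*
 * Walk NUL-terminated "key=value" records in @in and answer each key with
 * "key=NotUnderstood". Encoding stops at the first record that does not fit,
 * but the walk continues so that @needed reflects the whole input.
 */
static struct amp_result simulate_login(const char *in, uint32_t in_len)
{
	static char rsp[RSP_BUF_SIZE];
	struct amp_result r = { 0, 0, 0, 0, 0 };
	char key[64];
	uint32_t off = 0;

	while (off < in_len) {
		const char *rec = in + off;
		const char *nul = memchr(rec, '\0', in_len - off);
		const char *eq;
		size_t klen;

		if (!nul || nul == rec)
			break;          /* unterminated or empty record */
		eq = memchr(rec, '=', (size_t)(nul - rec));
		if (!eq || eq == rec || (size_t)(eq - rec) >= sizeof(key))
			break;          /* no key, or key too long for this model */
		klen = (size_t)(eq - rec);
		memcpy(key, rec, klen);
		key[klen] = '\0';

		r.pairs++;
		r.needed += (uint32_t)(klen + 1 + strlen(NOT_UNDERSTOOD) + 1);
		if (r.rc == 0) {
			r.rc = encode_record(rsp, &r.used, RSP_BUF_SIZE,
					     key, NOT_UNDERSTOOD);
			if (r.rc == 0)
				r.accepted++;
		}
		off += (uint32_t)(nul - rec) + 1;
	}
	return r;
}

/* Constructed input: the minimal four-byte "a=b\0" pair repeated to fill @buf. */
static uint32_t fill_minimal_pairs(char *buf, uint32_t size)
{
	uint32_t n = 0;

	for (uint32_t off = 0; off + 4 <= size; off += 4, n++)
		memcpy(buf + off, "a=b", 4);    /* the 4th byte is the NUL */
	return n;
}

/* One full-size payload of minimal pairs through the bounded encoder. */
static struct amp_result simulate_full_pdu(void)
{
	static char in[IN_BUF_SIZE];

	fill_minimal_pairs(in, IN_BUF_SIZE);
	return simulate_login(in, IN_BUF_SIZE);
}

int main(void)
{
	struct amp_result r = simulate_full_pdu();

	printf("pairs=%u needed=%u accepted=%u used=%u rc=%d\n",
	       r.pairs, r.needed, r.accepted, r.used, r.rc);
	return 0;
}
```

The gap between `needed` and `used` is the overrun the unbounded sprintf() calls would have produced; the bounded encoder instead fails on the first record past the buffer end.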




* [PATCH 7.0 081/378] VFS: fix possible failure to unlock in nfsd4_create_file()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 080/378] hyperv: Clean up and fix the guest ID comment in hvgdk.h Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 082/378] crypto: s390 - add select CRYPTO_AEAD for aes Greg Kroah-Hartman
                   ` (297 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, NeilBrown, Jeff Layton,
	Benjamin Coddington, Jori Koolstra, Christian Brauner (Amutable),
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@ownmail.net>

[ Upstream commit e824bbd4d224cce4b5fb59cc9dcd3447fe0b7e44 ]

atomic_create() in fs/namei.c drops the reference to the dentry
when it returns an error.
This behaviour was imported into dentry_create() so that it
will drop the reference if an error is returned from atomic_create(),
though not if vfs_create() returns an error (in the case where
->atomic_create is not supported).

The caller - nfsd4_create_file() - is made aware of this by checking
path->dentry, which will either be a counted reference to a dentry, or
an error pointer.

However the change to use start_creating()/end_creating() (which landed
shortly before the dentry_create() change landed, though was likely
developed around the same time) means that nfsd4_create_file() *needs* a
valid dentry so that it can unlock the parent.

The net result is that if NFSD exports a filesystem which uses
->atomic_create, and if a call to ->atomic_create returns an error, then
nfsd4_create_file() will pass an error pointer to end_creating()
and the parent will not be unlocked.

Fix this by changing dentry_create() to make sure path->dentry is always
a valid dentry, never an error-pointer.  The actual error is already
returned a different way.

Note that if ->atomic_create() returns a different dentry (which may not
be possible in practice) we are guaranteed (because it is only ever
provided by d_splice_alias()) that it will have the same d_parent and
so it will have the same effect when passed to end_creating().

Fixes: 64a989dbd144 ("VFS/knfsd: Teach dentry_create() to use atomic_open()")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/177969022571.3379282.16448744624428323496@noble.neil.brown.name
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Benjamin Coddington <bcodding@hammerspace.com>
Reviewed-by: Jori Koolstra <jkoolstra@xs4all.nl>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/namei.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/namei.c b/fs/namei.c
index 9e5500dad14f59..d615cd62885198 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -5002,6 +5002,7 @@ struct file *dentry_create(struct path *path, int flags, umode_t mode,
 {
 	struct file *file __free(fput) = NULL;
 	struct dentry *dentry = path->dentry;
+	struct dentry *orig_dentry = dentry;
 	struct dentry *dir = dentry->d_parent;
 	struct inode *dir_inode = d_inode(dir);
 	struct mnt_idmap *idmap;
@@ -5021,9 +5022,18 @@ struct file *dentry_create(struct path *path, int flags, umode_t mode,
 		if (create_error)
 			flags &= ~O_CREAT;
 
+		/* atomic_open will dput(dentry) on error */
+		dget(orig_dentry);
 		dentry = atomic_open(path, dentry, file, flags, mode);
 		error = PTR_ERR_OR_ZERO(dentry);
 
+		if (IS_ERR(dentry))
+			/* keep the original */
+			dentry = orig_dentry;
+		else
+			/* Drop the extra reference */
+			dput(orig_dentry);
+
 		if (unlikely(create_error) && error == -ENOENT)
 			error = create_error;
 
-- 
2.53.0





* [PATCH 6.1 165/522] scsi: target: iscsi: Validate CHAP_R length before base64 decode
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 164/522] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 166/522] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
                   ` (357 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandru Hossu, David Disseldorp,
	Martin K. Petersen

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandru Hossu <hossu.alexandru@gmail.com>

commit 85db7391310b1304d2dc8ae3b0b12105a9567147 upstream.

chap_server_compute_hash() allocates client_digest as
kzalloc(chap->digest_size) and then, for BASE64-encoded responses,
passes chap_r directly to chap_base64_decode() without checking whether
the input length could produce more than digest_size bytes of output.

chap_base64_decode() writes to the destination unconditionally as long
as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and
the "0b" prefix stripped by extract_param(), up to 127 base64 characters
can reach the decoder. 127 characters decode to 95 bytes. For SHA-256
(digest_size=32) this overflows client_digest by 63 bytes; for MD5
(digest_size=16) the overflow is 79 bytes.

The length check at line 344 fires after the write has already happened.

The HEX branch in the same switch statement already validates the length
up front. Apply the same approach to the BASE64 branch: strip trailing
base64 padding characters, then reject any input whose data length
exceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder.

Stripping trailing '=' before the comparison handles both padded and
unpadded encodings. chap_base64_decode() already returns early on '=',
so the full original string is still passed to the decoder unchanged.

The mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is
kzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at
CHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1
base64 characters reach the decoder. The maximum decoded size,
DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than
CHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is
added at the call site to document this.

Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Link: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_auth.c |   19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -339,13 +339,22 @@ static int chap_server_compute_hash(
 			goto out;
 		}
 		break;
-	case BASE64:
+	case BASE64: {
+		size_t r_len = strlen(chap_r);
+
+		while (r_len > 0 && chap_r[r_len - 1] == '=')
+			r_len--;
+		if (r_len > DIV_ROUND_UP(chap->digest_size * 4, 3)) {
+			pr_err("Malformed CHAP_R: base64 payload too long\n");
+			goto out;
+		}
 		if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
 		    chap->digest_size) {
 			pr_err("Malformed CHAP_R: invalid BASE64\n");
 			goto out;
 		}
 		break;
+	}
 	default:
 		pr_err("Could not find CHAP_R\n");
 		goto out;
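
Review bot: The new `r_len` check in the `case BASE64:` block protects `client_digest` only at this call site, because `chap_base64_decode(client_digest, chap_r, strlen(chap_r))` still takes no destination size. Passing the destination capacity into the decoder and failing there would cover every caller with one check. Minor: `strlen(chap_r)` is now computed twice; keep the full length in a second local.
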
@@ -472,6 +481,14 @@ static int chap_server_compute_hash(
 		}
 		break;
 	case BASE64:
+		/*
+		 * No overflow check needed: initiatorchg_binhex is
+		 * CHAP_CHALLENGE_STR_LEN bytes and extract_param() caps
+		 * initiatorchg at CHAP_CHALLENGE_STR_LEN characters, so
+		 * the decoded output is at most DIV_ROUND_UP(
+		 * (CHAP_CHALLENGE_STR_LEN - 1) * 3, 4) bytes, which is
+		 * less than CHAP_CHALLENGE_STR_LEN.
+		 */
 		initiatorchg_len = chap_base64_decode(initiatorchg_binhex,
 						      initiatorchg,
 						      strlen(initiatorchg));
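
Review bot: The comment added above `chap_base64_decode(initiatorchg_binhex, ...)` documents an invariant that is enforced elsewhere, in extract_param(), so it goes stale silently if that cap or the buffer size changes. An explicit length check mirroring the CHAP_R branch would cost one comparison and keep the two BASE64 paths symmetric.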




* [PATCH 7.0 082/378] crypto: s390 - add select CRYPTO_AEAD for aes
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 081/378] VFS: fix possible failure to unlock in nfsd4_create_file() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 083/378] rseq: Fix using an uninitialized stack variable in rseq_exit_user_update() Greg Kroah-Hartman
                   ` (296 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Harald Freudenberger,
	Herbert Xu, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit ecf3edd349dfabee9bc8a46c5ff91c9ebd858d48 ]

The aes driver registers both skcipher and aead algorithms,
but when aead is not enabled this causes a link failure:

s390-linux-ld: arch/s390/crypto/aes_s390.o: in function `aes_s390_fini':
arch/s390/crypto/aes_s390.c:969:(.text+0x115e): undefined reference to `crypto_unregister_aead'
s390-linux-ld: arch/s390/crypto/aes_s390.o: in function `aes_s390_init':
arch/s390/crypto/aes_s390.c:1028:(.init.text+0x294): undefined reference to `crypto_register_aead'

Add the missing 'select' statement.

Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/crypto/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/s390/crypto/Kconfig b/arch/s390/crypto/Kconfig
index 79a2d0034258b6..1b12856acfbcb7 100644
--- a/arch/s390/crypto/Kconfig
+++ b/arch/s390/crypto/Kconfig
@@ -14,6 +14,7 @@ config CRYPTO_GHASH_S390
 
 config CRYPTO_AES_S390
 	tristate "Ciphers: AES, modes: ECB, CBC, CTR, XTS, GCM"
+	select CRYPTO_AEAD
 	select CRYPTO_SKCIPHER
 	help
 	  AEAD cipher: AES with GCM
-- 
2.53.0





* [PATCH 6.1 166/522] drm/hyperv: validate resolution_count and fix WIN8 fallback
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 165/522] scsi: target: iscsi: Validate CHAP_R length before base64 decode Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 167/522] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
                   ` (356 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
	Hamza Mahfooz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Berkant Koc <me@berkoc.com>

commit 13d33b9ef67066c77c84273fac5a1d3fde3533d1 upstream.

A SYNTHVID_RESOLUTION_RESPONSE with resolution_count > 64 walks past
the supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT] array in the
parse loop. Bound resolution_count against the array size, folded
into the existing zero-check.

When the WIN10 resolution probe fails, the caller in
hyperv_connect_vsp() left hv->screen_*_max / preferred_* unpopulated,
which sets mode_config.max_width / max_height to 0 and makes
drm_internal_framebuffer_create() reject every userspace framebuffer
with -EINVAL. The pre-WIN10 branch had the same gap for
preferred_width / preferred_height. Use a single post-probe fallback
guarded by screen_width_max == 0 so both paths converge on the WIN8
defaults.

Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/6945b22419c7d404b4954a113de2ac9c900dba93.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -396,8 +396,11 @@ static int hyperv_get_supported_resoluti
 		return -ETIMEDOUT;
 	}
 
-	if (msg->resolution_resp.resolution_count == 0) {
-		drm_err(dev, "No supported resolutions\n");
+	if (msg->resolution_resp.resolution_count == 0 ||
+	    msg->resolution_resp.resolution_count >
+	    SYNTHVID_MAX_RESOLUTION_COUNT) {
+		drm_err(dev, "Invalid resolution count: %d\n",
+			msg->resolution_resp.resolution_count);
 		return -ENODEV;
 	}
 
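Review bot: the new drm_err() in the resolution_count check prints the field with %d, while the receive-path patch that follows in this series prints the same msg->resolution_resp.resolution_count with %u. A count is never negative, so %u would be the consistent choice here. The zero case and the over-limit case also share one error string now; wording that tells them apart would make a host-side problem easier to triage from the log.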
@@ -513,9 +516,13 @@ int hyperv_connect_vsp(struct hv_device
 		ret = hyperv_get_supported_resolution(hdev);
 		if (ret)
 			drm_err(dev, "Failed to get supported resolution from host, use default\n");
-	} else {
+	}
+
+	if (!hv->screen_width_max) {
 		hv->screen_width_max = SYNTHVID_WIDTH_WIN8;
 		hv->screen_height_max = SYNTHVID_HEIGHT_WIN8;
+		hv->preferred_width = SYNTHVID_WIDTH_WIN8;
+		hv->preferred_height = SYNTHVID_HEIGHT_WIN8;
 	}
 
 	hv->mmio_megabytes = hdev->channel->offermsg.offer.mmio_megabytes;
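Review bot: the fallback in hyperv_connect_vsp() is guarded only by `if (!hv->screen_width_max)`, so it assumes hyperv_get_supported_resolution() either fills all of screen_width_max, screen_height_max, preferred_width and preferred_height or leaves all of them at zero. That invariant is not visible in this hunk. A short comment above the guard stating it would keep a later change to the probe from returning with screen_width_max set and preferred_* still zero, which would skip the WIN8 defaults again.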



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 083/378] rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 082/378] crypto: s390 - add select CRYPTO_AEAD for aes Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 084/378] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
                   ` (295 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+185a631927096f9da2fc,
	Qing Wang, Peter Zijlstra (Intel), Mark Rutland, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qing Wang <wangqing7171@gmail.com>

[ Upstream commit 6d99479799c69c3cb588fcda19c81d8f61d64ecd ]

There is a bug in which an uninitialized stack variable is used in
rseq_exit_user_update() as reported by syzbot:

BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]

The local variable:

	struct rseq_ids ids = {
		.cpu_id	 = task_cpu(t),
		.mm_cid	 = task_mm_cid(t),
		.node_id = cpu_to_node(ids.cpu_id),
	};

According to the C standard, the evaluation order of expressions in an
initializer list is indeterminately sequenced. The compiler (Clang, in
this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before*
`ids.cpu_id` is initialized with `task_cpu(t)`.

This is fixed by moving the assignment of ids.node_id outside the
structure initialization.

Fixes: 82f572449cfe ("rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode")
Closes: https://syzkaller.appspot.com/bug?extid=185a631927096f9da2fc
Reported-by: syzbot+185a631927096f9da2fc@syzkaller.appspotmail.com
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://patch.msgid.link/20260602030854.574038-1-wangqing7171@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/rseq_entry.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/linux/rseq_entry.h b/include/linux/rseq_entry.h
index 413a3543fbe8ed..69bdb93951b904 100644
--- a/include/linux/rseq_entry.h
+++ b/include/linux/rseq_entry.h
@@ -625,10 +625,11 @@ static __always_inline bool rseq_exit_user_update(struct pt_regs *regs, struct t
 		return true;
 	}
 
+	int cpu = task_cpu(t);
 	struct rseq_ids ids = {
-		.cpu_id	 = task_cpu(t),
+		.cpu_id	 = cpu,
 		.mm_cid	 = task_mm_cid(t),
-		.node_id = cpu_to_node(ids.cpu_id),
+		.node_id = cpu_to_node(cpu),
 	};
 
 	return rseq_update_usr(t, regs, &ids);
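Review bot: the changelog says the fix moves the assignment of ids.node_id outside the structure initialization, but in rseq_exit_user_update() the hunk keeps `.node_id` inside the initializer and instead hoists task_cpu(t) into a local `cpu` that both `.cpu_id` and `.node_id` read. The code is the safer of the two, since no initializer now refers to another member of ids, but the description should match it. A one-line comment on `int cpu = task_cpu(t);` saying that initializers must not read ids.cpu_id would stop a later cleanup from folding the local back in.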
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 167/522] drm/hyperv: validate VMBus packet size in receive callback
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 166/522] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 168/522] drm/i915: Fix potential UAF in TTM object purge Greg Kroah-Hartman
                   ` (355 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
	Hamza Mahfooz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Berkant Koc <me@berkoc.com>

commit 7f87763f47a3c22fb50265a00619ef10f2394b18 upstream.

hyperv_receive_sub() reads msg->vid_hdr.type and dispatches into one
of four message-type branches without knowing how many bytes the host
wrote into hv->recv_buf. The completion path then runs
memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE), so the consumer that
wakes on wait_for_completion_timeout() can read up to 16 KiB of
residue from a prior message as if it were the response payload.

Pass bytes_recvd into hyperv_receive_sub() and reject any packet that
does not cover the pipe + synthvid header. A single switch on
msg->vid_hdr.type then computes the type-specific payload size: the
three completion-driving types (SYNTHVID_VERSION_RESPONSE,
SYNTHVID_RESOLUTION_RESPONSE, SYNTHVID_VRAM_LOCATION_ACK) fall through
to a shared exit that requires that size before memcpy/complete, while
SYNTHVID_FEATURE_CHANGE validates its own payload and returns before
reading is_dirt_needed. Unknown types are dropped.

SYNTHVID_RESOLUTION_RESPONSE is variable length: the host fills
resolution_count entries, not the full SYNTHVID_MAX_RESOLUTION_COUNT
array. Validate the fixed prefix first so resolution_count can be
read, bound it against the array, then require only the count-sized
array, so the shorter responses the host actually sends are accepted.

Only run the sub-handler when vmbus_recvpacket() returned success. The
memcpy length is bytes_recvd, which is bounded by VMBUS_MAX_PACKET_SIZE
only on a successful receive; on -ENOBUFS vmbus_recvpacket() instead
reports the required length, which can exceed hv->recv_buf, so copying
bytes_recvd would read and write past the 16 KiB buffers. Gating on the
success return keeps the copy bounded. The nonzero-return path is itself
a malformed-message case and is now logged rather than silently skipped;
channel recovery is not attempted.

Rejected packets are reported via drm_err_ratelimited() rather than
silently dropped, matching the CoCo-hardened pattern in
hv_kvp_onchannelcallback().

Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/8200dbc199c7a9b75ac7e8af6c748d2189b5ebd5.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c |  100 ++++++++++++++++++++++++++----
 1 file changed, 87 insertions(+), 13 deletions(-)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -425,30 +425,92 @@ static int hyperv_get_supported_resoluti
 	return 0;
 }
 
-static void hyperv_receive_sub(struct hv_device *hdev)
+static void hyperv_receive_sub(struct hv_device *hdev, u32 bytes_recvd)
 {
 	struct hyperv_drm_device *hv = hv_get_drvdata(hdev);
 	struct synthvid_msg *msg;
+	size_t hdr_size;
+	size_t need;
 
 	if (!hv)
 		return;
 
-	msg = (struct synthvid_msg *)hv->recv_buf;
-
-	/* Complete the wait event */
-	if (msg->vid_hdr.type == SYNTHVID_VERSION_RESPONSE ||
-	    msg->vid_hdr.type == SYNTHVID_RESOLUTION_RESPONSE ||
-	    msg->vid_hdr.type == SYNTHVID_VRAM_LOCATION_ACK) {
-		memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE);
-		complete(&hv->wait);
+	hdr_size = sizeof(struct pipe_msg_hdr) +
+		   sizeof(struct synthvid_msg_hdr);
+	if (bytes_recvd < hdr_size) {
+		drm_err_ratelimited(&hv->dev,
+				    "synthvid packet too small for header: %u\n",
+				    bytes_recvd);
 		return;
 	}
 
-	if (msg->vid_hdr.type == SYNTHVID_FEATURE_CHANGE) {
+	msg = (struct synthvid_msg *)hv->recv_buf;
+	need = hdr_size;
+
+	switch (msg->vid_hdr.type) {
+	case SYNTHVID_VERSION_RESPONSE:
+		need += sizeof(struct synthvid_version_resp);
+		break;
+	case SYNTHVID_RESOLUTION_RESPONSE:
+		/*
+		 * The resolution response is variable length: the host
+		 * fills resolution_count entries, not the full
+		 * SYNTHVID_MAX_RESOLUTION_COUNT array. Require the fixed
+		 * prefix first so resolution_count can be read, then
+		 * demand exactly the count-sized array.
+		 */
+		need += offsetof(struct synthvid_supported_resolution_resp,
+				 supported_resolution);
+		if (bytes_recvd < need)
+			break;
+		if (msg->resolution_resp.resolution_count >
+		    SYNTHVID_MAX_RESOLUTION_COUNT) {
+			drm_err_ratelimited(&hv->dev,
+					    "synthvid resolution count too large: %u\n",
+					    msg->resolution_resp.resolution_count);
+			return;
+		}
+		need += msg->resolution_resp.resolution_count *
+			sizeof(struct hvd_screen_info);
+		break;
+	case SYNTHVID_VRAM_LOCATION_ACK:
+		need += sizeof(struct synthvid_vram_location_ack);
+		break;
+	case SYNTHVID_FEATURE_CHANGE:
+		/*
+		 * Not a completion-driving message: validate its own payload
+		 * and consume it here rather than falling through to the
+		 * memcpy/complete shared by the wait-event responses.
+		 */
+		if (bytes_recvd < need +
+		    sizeof(struct synthvid_feature_change)) {
+			drm_err_ratelimited(&hv->dev,
+					    "synthvid feature change packet too small: %u\n",
+					    bytes_recvd);
+			return;
+		}
 		hv->dirt_needed = msg->feature_chg.is_dirt_needed;
 		if (hv->dirt_needed)
 			hyperv_hide_hw_ptr(hv->hdev);
+		return;
+	default:
+		return;
+	}
+
+	/*
+	 * Shared completion path for the wait-event responses
+	 * (VERSION_RESPONSE, RESOLUTION_RESPONSE, VRAM_LOCATION_ACK):
+	 * require the type-specific payload before handing the buffer to
+	 * the waiter.
+	 */
+	if (bytes_recvd < need) {
+		drm_err_ratelimited(&hv->dev,
+				    "synthvid packet too small for type %u: %u < %zu\n",
+				    msg->vid_hdr.type, bytes_recvd, need);
+		return;
 	}
+	memcpy(hv->init_buf, msg, bytes_recvd);
+	complete(&hv->wait);
 }
 
 static void hyperv_receive(void *ctx)
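Review bot: the final `memcpy(hv->init_buf, msg, bytes_recvd)` in hyperv_receive_sub() has lower bounds on bytes_recvd for every message type but no upper bound of its own. The changelog explains that bytes_recvd is limited to VMBUS_MAX_PACKET_SIZE only when vmbus_recvpacket() succeeded, so the safety of this copy depends entirely on the caller's gating in hyperv_receive(). An explicit `bytes_recvd > VMBUS_MAX_PACKET_SIZE` rejection next to the header-size check, or at least a comment stating the caller contract, would make the function safe to call from any future path. Separately, the `default:` branch returns without logging, which differs from the other rejected-packet paths that use drm_err_ratelimited().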
@@ -469,9 +531,21 @@ static void hyperv_receive(void *ctx)
 		ret = vmbus_recvpacket(hdev->channel, recv_buf,
 				       VMBUS_MAX_PACKET_SIZE,
 				       &bytes_recvd, &req_id);
-		if (bytes_recvd > 0 &&
-		    recv_buf->pipe_hdr.type == PIPE_MSG_DATA)
-			hyperv_receive_sub(hdev);
+		if (ret) {
+			/*
+			 * A nonzero return (e.g. -ENOBUFS for an oversized
+			 * packet) is itself a malformed message: bytes_recvd
+			 * then reports the required length rather than a copied
+			 * payload, so it must not be forwarded to the
+			 * sub-handler. Channel recovery is not attempted.
+			 */
+			drm_err_ratelimited(&hv->dev,
+					    "vmbus_recvpacket failed: %d (need %u)\n",
+					    ret, bytes_recvd);
+		} else if (bytes_recvd > 0 &&
+			   recv_buf->pipe_hdr.type == PIPE_MSG_DATA) {
+			hyperv_receive_sub(hdev, bytes_recvd);
+		}
 	} while (bytes_recvd > 0 && ret == 0);
 }
 
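Review bot: in the `if (ret)` branch of hyperv_receive() the message prints bytes_recvd as "need %u", but per the comment above it that interpretation holds for -ENOBUFS only. For any other nonzero return the value has no defined meaning in the visible code and the log line would mislead. Either print the length only when ret is -ENOBUFS or word the message neutrally. The loop condition `bytes_recvd > 0 && ret == 0` also ends the drain on the first error, so it is worth stating in the comment whether the rejected packet is left in the ring or consumed.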



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 084/378] time: Fix off-by-one in settimeofday() usec validation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 083/378] rseq: Fix using an uninitialized stack variable in rseq_exit_user_update() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 085/378] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams Greg Kroah-Hartman
                   ` (294 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naveen Kumar Chaudhary,
	Thomas Gleixner, John Stultz, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>

[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]

The validation check uses '>' instead of '>=' when comparing tv_usec
against USEC_PER_SEC, allowing the value 1000000 through. After
conversion to nanoseconds (*= 1000), this produces tv_nsec ==
NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
less than NSEC_PER_SEC.

Use '>=' to reject tv_usec values that are not in the valid range of
0 to 999999.

Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: John Stultz <jstultz@google.com>
Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/time/time.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/time/time.c b/kernel/time/time.c
index 0d832317d5766a..771cef87ad3b0a 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
 		    get_user(new_ts.tv_nsec, &tv->tv_usec))
 			return -EFAULT;
 
-		if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
+		if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
 			return -EINVAL;
 
 		new_ts.tv_nsec *= NSEC_PER_USEC;
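Review bot: the corrected check in settimeofday() compares new_ts.tv_nsec against USEC_PER_SEC, which reads like a unit mismatch unless the reader notices that get_user() has just stored tv->tv_usec into tv_nsec and the multiplication by NSEC_PER_USEC only happens on the following line. A short comment at the check saying that tv_nsec temporarily holds microseconds would document why the bound is USEC_PER_SEC and why it must be exclusive, so that 1000000 cannot become tv_nsec == NSEC_PER_SEC after the conversion.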
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 168/522] drm/i915: Fix potential UAF in TTM object purge
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 167/522] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 169/522] drm/amd/pm/si: Disregard vblank time when no displays are connected Greg Kroah-Hartman
                   ` (354 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Janusz Krzysztofik, Matthew Auld,
	Thomas Hellström, Sebastian Brzezinka, Christian König,
	Andi Shyti, Tvrtko Ursulin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>

commit 5c4063c87a619e4df954c179d24628636f5db15f upstream.

TLDR: The bo->ttm object might be changed by calling ttm_bo_validate(),
      move casting it to an i915_tt object later to actually get the right
      pointer.

A user reported hitting the following bug under heavy use on DG2:

[26620.095550] Oops: general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 1 SMP NOPTI
[26620.095556] CPU: 2 UID: 0 PID: 631 Comm: Xorg Not tainted 6.18.8 #1 PREEMPT(lazy)
[26620.095558] Hardware name: ASRock B850M Steel Legend WiFi/B850M Steel Legend WiFi, BIOS 3.50 09/18/2025
[26620.095559] RIP: 0010:i915_ttm_purge+0x84/0x100 [i915]
[26620.095604] Code: 00 00 00 48 8d 54 24 10 48 89 e6 48 89 fb e8 83 aa ae ff 85 c0 75 6f 48 83 bb a8 01 00 00 00 74 2c 48 8b 45 78 48 85 c0 74 23 <48> 8b 78 20 48 c7 c2 ff ff ff ff 31 f6 e8 7a 73 e3 e0 48 8b 7d 78
[26620.095605] RSP: 0018:ffffc90005fd7430 EFLAGS: 00010282
[26620.095607] RAX: a56b6b6b6b6b6b6b RBX: ffff8881f46c3dc0 RCX: 0000000000000000
[26620.095608] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 00000000ffffffff
[26620.095609] RBP: ffff888289610f00 R08: 0000000000000001 R09: ffff88823b022000
[26620.095609] R10: ffff888103029b28 R11: ffff8881fc7f3800 R12: ffff88810b6150d0
[26620.095609] R13: ffff888289610f00 R14: 0000000000000000 R15: ffff8881f46c3dc0
[26620.095610] FS: 00007f1004d86900(0000) GS:ffff88901c858000(0000) knlGS:0000000000000000
[26620.095611] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[26620.095611] CR2: 00007f0fdf489000 CR3: 000000035b0c1000 CR4: 0000000000750ef0
[26620.095612] PKRU: 55555554
[26620.095612] Call Trace:
[26620.095615] <TASK>
[26620.095615] i915_ttm_move+0x2b9/0x420 [i915]
[26620.095642] ? ttm_tt_init+0x65/0x80 [ttm]
[26620.095644] ? i915_ttm_tt_create+0xc6/0x150 [i915]
[26620.095667] ttm_bo_handle_move_mem+0xb6/0x160 [ttm]
[26620.095669] ttm_bo_evict+0x100/0x150 [ttm]
[26620.095671] ? preempt_count_add+0x64/0xa0
[26620.095673] ? _raw_spin_lock+0xe/0x30
[26620.095675] ? _raw_spin_unlock+0xd/0x30
[26620.095675] ? i915_gem_object_evictable+0xb7/0xd0 [i915]
[26620.095704] ttm_bo_evict_cb+0x6e/0xd0 [ttm]
[26620.095705] ttm_lru_walk_for_evict+0xa6/0x200 [ttm]
[26620.095708] ttm_bo_alloc_resource+0x185/0x4f0 [ttm]
[26620.095709] ? init_object+0x62/0xd0
[26620.095712] ttm_bo_validate+0x7a/0x180 [ttm]
[26620.095713] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095714] __i915_ttm_get_pages+0xb0/0x170 [i915]
[26620.095737] i915_ttm_get_pages+0x9f/0x150 [i915]
[26620.095759] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
[26620.095786] ? alloc_debug_processing+0xd0/0x100
[26620.095787] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095788] ? i915_vma_instance+0xa0/0x4e0 [i915]
[26620.095822] __i915_gem_object_get_pages+0x2f/0x40 [i915]
[26620.095848] i915_vma_pin_ww+0x706/0x980 [i915]
[26620.095875] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
[26620.095904] eb_validate_vmas+0x170/0xa00 [i915]
[26620.095930] i915_gem_do_execbuffer+0x1201/0x2b40 [i915]
[26620.095953] ? alloc_debug_processing+0xd0/0x100
[26620.095954] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095955] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
[26620.095977] ? __wake_up_sync_key+0x32/0x50
[26620.095979] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
[26620.096001] ? __slab_alloc.isra.0+0x67/0xc0
[26620.096003] i915_gem_execbuffer2_ioctl+0x11a/0x240 [i915]

Results from decode_stacktrace.sh pointed to dereference of a file pointer
field of a i915 TTM page vector container associated with an object being
purged on eviction.  That path is taken when the object is marked as no
longer needed.

Code analysis revealed a possibility of the i915 TTM page vector container
being replaced with a new instance inside a function that purges content
of the object, should it be still busy.  That function is called,
indirectly via a more general function that changes the object's placement
and caching policy, before the problematic dereference, but still after
a pointer to the container is captured, rendering the pointer no longer
valid.

Fix the issue by capturing the pointer to the container only after its
potential replacement.

v2: Move the container_of() inside the if block (Sebastian),
  - a simplified version of the commit description that explains briefly
    why the change is necessary (Christian).

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/14882
Fixes: 7ae034590ceae ("drm/i915/ttm: add tt shmem backend")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Cc: stable@vger.kernel.org # v5.17+
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Cc: Christian König <christian.koenig@amd.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20260508122612.469227-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 4462966a93eb185849b7f174f0d0de53476d00a4)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c |   28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -422,8 +422,6 @@ void i915_ttm_free_cached_io_rsgt(struct
 int i915_ttm_purge(struct drm_i915_gem_object *obj)
 {
 	struct ttm_buffer_object *bo = i915_gem_to_ttm(obj);
-	struct i915_ttm_tt *i915_tt =
-		container_of(bo->ttm, typeof(*i915_tt), ttm);
 	struct ttm_operation_ctx ctx = {
 		.interruptible = true,
 		.no_wait_gpu = false,
@@ -438,16 +436,22 @@ int i915_ttm_purge(struct drm_i915_gem_o
 	if (ret)
 		return ret;
 
-	if (bo->ttm && i915_tt->filp) {
-		/*
-		 * The below fput(which eventually calls shmem_truncate) might
-		 * be delayed by worker, so when directly called to purge the
-		 * pages(like by the shrinker) we should try to be more
-		 * aggressive and release the pages immediately.
-		 */
-		shmem_truncate_range(file_inode(i915_tt->filp),
-				     0, (loff_t)-1);
-		fput(fetch_and_zero(&i915_tt->filp));
+	if (bo->ttm) {
+		struct i915_ttm_tt *i915_tt =
+			container_of(bo->ttm, typeof(*i915_tt), ttm);
+
+		if (i915_tt->filp) {
+			/*
+			 * The below fput(which eventually calls shmem_truncate)
+			 * might be delayed by worker, so when directly called
+			 * to purge the pages(like by the shrinker) we should
+			 * try to be more aggressive and release the pages
+			 * immediately.
+			 */
+			shmem_truncate_range(file_inode(i915_tt->filp),
+					     0, (loff_t)-1);
+			fput(fetch_and_zero(&i915_tt->filp));
+		}
 	}
 
 	obj->write_domain = 0;
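Review bot: the block in i915_ttm_purge() that now takes `container_of(bo->ttm, typeof(*i915_tt), ttm)` inside `if (bo->ttm)` carries no comment on why the lookup is deferred. The changelog gives the reason (bo->ttm can be replaced by the ttm_bo_validate() call earlier in the function), but nothing in the code does, and a declaration at the top of the function is the natural style a later cleanup would restore. A one-line comment on the inner declaration stating that bo->ttm must be re-read after validation would protect the fix. The retained comment about fput() was only re-wrapped, so no behaviour change is hidden there.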



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 085/378] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 084/378] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 086/378] ALSA: seq: dummy: fix UMP event stack overread Greg Kroah-Hartman
                   ` (293 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhou, Takashi Iwai, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>

[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]

snd_pcm_drain() uses init_waitqueue_entry which does not clear
entry.prev/next, and add_wait_queue with a conditional
remove_wait_queue that is skipped when to_check is no longer
in the group after concurrent UNLINK.  The orphaned wait entry
remains on the unlinked substream sleep queue.  On the next
drain iteration, add_wait_queue adds the entry to a new queue
while still linked on the old one, corrupting both lists.  A
subsequent wake_up dereferences NULL at the func pointer
(mapped from the spinlock at offset 0 of the misinterpreted
wait_queue_head_t), causing a kernel panic.

Replace init_waitqueue_entry/add_wait_queue/conditional
remove_wait_queue with init_wait_entry/prepare_to_wait/
finish_wait.  init_wait_entry clears prev/next via
INIT_LIST_HEAD on each iteration and sets
autoremove_wake_function which auto-removes the entry on
wake-up.  finish_wait safely handles both the already-removed
and still-queued cases.

Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/pcm_native.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 5a64453da7283a..6fd479d135a4d1 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
 		drain_no_period_wakeup = to_check->no_period_wakeup;
 		drain_rate = to_check->rate;
 		drain_bufsz = to_check->buffer_size;
-		init_waitqueue_entry(&wait, current);
-		set_current_state(TASK_INTERRUPTIBLE);
-		add_wait_queue(&to_check->sleep, &wait);
+		init_wait_entry(&wait, 0);
+		prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
 		snd_pcm_stream_unlock_irq(substream);
 		if (drain_no_period_wakeup)
 			tout = MAX_SCHEDULE_TIMEOUT;
@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
 		group = snd_pcm_stream_group_ref(substream);
 		snd_pcm_group_for_each_entry(s, substream) {
 			if (s->runtime == to_check) {
-				remove_wait_queue(&to_check->sleep, &wait);
+				finish_wait(&to_check->sleep, &wait);
 				break;
 			}
 		}
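Review bot: finish_wait() in snd_pcm_drain() is still reached only inside `if (s->runtime == to_check)`, the same condition the changelog identifies as the one that was skipped after a concurrent UNLINK. The changelog relies on autoremove_wake_function to dequeue the entry on wake-up, but when the sleep ends by timeout or signal there is no wake-up, and if to_check has left the group the entry stays queued while the next iteration runs init_wait_entry() on it. Please state in the changelog or a comment why that path cannot occur, or show how the entry is removed in that case without touching a to_check that may no longer be valid.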
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 169/522] drm/amd/pm/si: Disregard vblank time when no displays are connected
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 168/522] drm/i915: Fix potential UAF in TTM object purge Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 170/522] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
                   ` (353 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Deucher, Jeremy Klarenbeek,
	Timur Kristóf

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Timur Kristóf <timur.kristof@gmail.com>

commit dd4f3ee535b3b0ac027f75dbf9dc5fc88733c765 upstream.

When no displays are connected, there is no vblank
happening so the power management code shouldn't
worry about it.

This fixes a regression that caused the memory clock
to be stuck at maximum when there were no displays
connected to a SI GPU.

Fixes: 9003a0746864 ("drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)")
Fixes: 9d73b107a61b ("drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Jeremy Klarenbeek <jeremy.klarenbeek99@gmail.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6d87e0199f7b83735b56e422d59f170a201897a8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
@@ -3062,6 +3062,10 @@ static bool si_dpm_vblank_too_short(void
 	/* we never hit the non-gddr5 limit so disable it */
 	u32 switch_limit = adev->gmc.vram_type == AMDGPU_VRAM_TYPE_GDDR5 ? 450 : 0;
 
+	/* Disregard vblank time when there are no displays connected */
+	if (!adev->pm.pm_display_cfg.num_display)
+		return false;
+
 	/* Consider zero vblank time too short and disable MCLK switching.
 	 * Note that the vblank time is set to maximum when no displays are attached,
 	 * so we'll still enable MCLK switching in that case.
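Review bot: the new early return in si_dpm_vblank_too_short() for `!adev->pm.pm_display_cfg.num_display` makes the retained comment directly below it stale. That comment still says the vblank time is set to maximum when no displays are attached, "so we'll still enable MCLK switching in that case", yet the regression described in the changelog is exactly that this did not happen, and the no-display case no longer reaches that code. The note should be dropped or reworded in the same patch so the two comments do not contradict each other.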



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 086/378] ALSA: seq: dummy: fix UMP event stack overread
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 085/378] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 087/378] x86/resctrl: Only check Intel systems for SNC Greg Kroah-Hartman
                   ` (292 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Takashi Iwai, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ]

The dummy sequencer port forwards events by copying an incoming
struct snd_seq_event into a stack temporary, rewriting source and
destination, and dispatching the temporary to subscribers. That legacy
event storage is smaller than struct snd_seq_ump_event.

When a UMP event reaches the dummy client, the copy leaves the UMP flag
set but only provides legacy-sized stack storage. The subscriber
delivery path then uses snd_seq_event_packet_size() and copies a
UMP-sized packet from that stack object, reading past the end of the
temporary.

Use the existing union __snd_seq_event storage and copy the packet size
reported for the incoming event before rewriting the common routing
fields. This preserves the full UMP packet for UMP events while keeping
legacy event handling unchanged.

Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/seq/seq_dummy.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c
index af45f328ae9901..8abe80985daddb 100644
--- a/sound/core/seq/seq_dummy.c
+++ b/sound/core/seq/seq_dummy.c
@@ -9,6 +9,7 @@
 #include <linux/module.h>
 #include <sound/core.h>
 #include "seq_clientmgr.h"
+#include "seq_memory.h"
 #include <sound/initval.h>
 #include <sound/asoundef.h>
 
@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data,
 	    int atomic, int hop)
 {
 	struct snd_seq_dummy_port *p;
-	struct snd_seq_event tmpev;
+	union __snd_seq_event tmpev;
+	size_t size;
 
 	p = private_data;
 	if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM ||
 	    ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR)
 		return 0; /* ignore system messages */
-	tmpev = *ev;
+	size = snd_seq_event_packet_size(ev);
+	memcpy(&tmpev, ev, size);
 	if (p->duplex)
-		tmpev.source.port = p->connect;
+		tmpev.legacy.source.port = p->connect;
 	else
-		tmpev.source.port = p->port;
-	tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
-	return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop);
+		tmpev.legacy.source.port = p->port;
+	tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
+	return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop);
 }
 
 /*
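Review bot: memcpy(&tmpev, ev, size) in dummy_input() takes its length from snd_seq_event_packet_size(ev), and nothing in the function ties that value to sizeof(tmpev). The union is meant to hold both legacy and UMP packets, but the copy now relies on that staying true. A WARN_ON_ONCE(size > sizeof(tmpev)) with an early return, or a comment stating the invariant next to the tmpev declaration, would keep a later change to the event sizes from turning this over-read fix into a stack overflow.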
-- 
2.53.0





* [PATCH 6.1 170/522] serial: altera_jtaguart: handle uart_add_one_port() failures
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 169/522] drm/amd/pm/si: Disregard vblank time when no displays are connected Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 171/522] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
                   ` (352 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myeonghun Pak <mhun512@gmail.com>

commit ea66be25f0e934f49d24cd0c5845d13cdba3520b upstream.

altera_jtaguart_probe() maps the register window before registering the
UART port, but it ignores failures from uart_add_one_port(). If port
registration fails, probe still returns success and the mapping remains
live until a later remove path that is not part of probe failure cleanup.

Return the uart_add_one_port() error and unmap the register window on
that failure path.

This issue was identified during our ongoing static-analysis research while
reviewing kernel code.

Fixes: 5bcd601049c6 ("serial: Add driver for the Altera JTAG UART")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260512065837.79528-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/altera_jtaguart.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/altera_jtaguart.c
+++ b/drivers/tty/serial/altera_jtaguart.c
@@ -425,6 +425,7 @@ static int altera_jtaguart_probe(struct
 	struct resource *res_mem;
 	int i = pdev->id;
 	int irq;
+	int ret;
 
 	/* -1 emphasizes that the platform must have one port, no .N suffix */
 	if (i == -1)
@@ -464,7 +465,11 @@ static int altera_jtaguart_probe(struct
 	port->flags = UPF_BOOT_AUTOCONF;
 	port->dev = &pdev->dev;
 
-	uart_add_one_port(&altera_jtaguart_driver, port);
+	ret = uart_add_one_port(&altera_jtaguart_driver, port);
+	if (ret) {
+		iounmap(port->membase);
+		return ret;
+	}
 
 	return 0;
 }
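Review bot: the new failure branch after uart_add_one_port() calls iounmap(port->membase) but leaves port->membase holding the unmapped address. Setting port->membase = NULL right after the iounmap() would keep any later path that inspects the port from using the stale mapping or unmapping it a second time.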




* [PATCH 7.0 087/378] x86/resctrl: Only check Intel systems for SNC
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 086/378] ALSA: seq: dummy: fix UMP event stack overread Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 088/378] cpufreq/amd-pstate: drop stale @epp_cached kdoc Greg Kroah-Hartman
                   ` (291 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Babu Moger, Tony Luck,
	Reinette Chatre, Ingo Molnar, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

[ Upstream commit 6f6947b2387e94e405f80d472f8a189bfbf2bd6c ]

topology_num_nodes_per_package() reports values greater than one on certain
AMD systems resulting in resctrl's Intel model specific SNC detection
printing the confusing message:

   "CoD enabled system? Resctrl not supported"

Add a check for Intel systems before looking at the topology.

[ reinette: Add Closes tag, fix tag typos, rework changelog ]

Fixes: 59674fc9d0bf ("x86/resctrl: Fix SNC detection")
Reported-by: Babu Moger <babu.moger@amd.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Babu Moger <babu.moger@amd.com>
Link: https://patch.msgid.link/9849330f45ac86344cc5ac54df2d313906d70bc4.1780634584.git.reinette.chatre@intel.com
Closes: https://lore.kernel.org/lkml/37ac0376-43a3-4283-a3d5-4d57b3bec578@amd.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/cpu/resctrl/monitor.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/resctrl/monitor.c b/arch/x86/kernel/cpu/resctrl/monitor.c
index 9bd87bae498342..59215fef3924c8 100644
--- a/arch/x86/kernel/cpu/resctrl/monitor.c
+++ b/arch/x86/kernel/cpu/resctrl/monitor.c
@@ -377,7 +377,12 @@ static const struct x86_cpu_id snc_cpu_ids[] __initconst = {
 
 static __init int snc_get_config(void)
 {
-	int ret = topology_num_nodes_per_package();
+	int ret;
+
+	if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
+		return 1;
+
+	ret = topology_num_nodes_per_package();
 
 	if (ret > 1 && !x86_match_cpu(snc_cpu_ids)) {
 		pr_warn("CoD enabled system? Resctrl not supported\n");
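Review bot: the early "return 1" for non-Intel vendors at the top of snc_get_config() is a bare magic value with no explanation. A one-line comment saying that 1 is the "no SNC" result, and that the topology_num_nodes_per_package() value is only interpreted here for the Intel models in snc_cpu_ids, would stop a later cleanup from dropping the vendor check as redundant.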
-- 
2.53.0





* [PATCH 6.1 171/522] serial: sh-sci: fix memory region release in error path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 170/522] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 172/522] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
                   ` (351 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, kernel test robot,
	Dan Carpenter, Hongling Zeng, Geert Uytterhoeven

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongling Zeng <zenghongling@kylinos.cn>

commit 92b1ea22454b08a39baef3a7290fb3ec50366616 upstream.

The sci_request_port() function uses request_mem_region() to reserve
I/O memory, but in the error path when sci_remap_port() fails, it
incorrectly calls release_resource() instead of release_mem_region().

This mismatch can cause resource accounting issues. Fix it by using
the correct release function, consistent with sci_release_port().

Fixes: e2651647080930a1 ("serial: sh-sci: Handle port memory region reservations.")
Cc: stable <stable@kernel.org>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604032356.SzEjYkBC-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260421065737.724187-1-zenghongling@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/sh-sci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2757,7 +2757,7 @@ static int sci_request_port(struct uart_
 
 	ret = sci_remap_port(port);
 	if (unlikely(ret != 0)) {
-		release_resource(res);
+		release_mem_region(port->mapbase, sport->reg_size);
 		return ret;
 	}
 
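Review bot: the replacement call release_mem_region(port->mapbase, sport->reg_size) in the sci_remap_port() failure branch has to mirror the request_mem_region() arguments exactly, and that request is outside the context shown in this hunk. It is worth confirming that both use the same start and size, and checking whether the local res is still used elsewhere in sci_request_port() now that release_resource(res) is gone, so the backport does not pick up an unused-variable warning.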




* [PATCH 7.0 088/378] cpufreq/amd-pstate: drop stale @epp_cached kdoc
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 087/378] x86/resctrl: Only check Intel systems for SNC Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 089/378] rtla: Fix parsing of multi-character short options Greg Kroah-Hartman
                   ` (290 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
	Zhan Xusheng, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhan Xusheng <zhanxusheng1024@gmail.com>

[ Upstream commit 3cd07ee35a66038fd1a643632bfc057645e07c9a ]

Commit 4e16c1175238 ("cpufreq/amd-pstate: Stop caching EPP") removed
the epp_cached field from struct amd_cpudata in favour of always
reading from cppc_req_cached, but the kdoc above the struct still
documents @epp_cached.

Drop the now-stale @epp_cached entry.

Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Fixes: 4e16c1175238 ("cpufreq/amd-pstate: Stop caching EPP")
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Link: https://lore.kernel.org/r/20260526022131.1302373-1-zhanxusheng@xiaomi.com
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpufreq/amd-pstate.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/cpufreq/amd-pstate.h b/drivers/cpufreq/amd-pstate.h
index cb45fdca27a6c7..75136d2250c1a5 100644
--- a/drivers/cpufreq/amd-pstate.h
+++ b/drivers/cpufreq/amd-pstate.h
@@ -76,7 +76,6 @@ struct amd_aperf_mperf {
  * @hw_prefcore: check whether HW supports preferred core featue.
  * 		  Only when hw_prefcore and early prefcore param are true,
  * 		  AMD P-State driver supports preferred core featue.
- * @epp_cached: Cached CPPC energy-performance preference value
  * @policy: Cpufreq policy value
  *
  * The amd_cpudata is key private data for each CPU thread in AMD P-State, and
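Review bot: the two @hw_prefcore lines kept as context directly above the removed @epp_cached entry still spell "feature" as "featue". Since this change is purely a kdoc cleanup of the same comment block, the typo could be fixed upstream in the same pass.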
-- 
2.53.0





* [PATCH 6.1 172/522] serial: zs: Fix swapped RI/DSR modem line transition counting
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 171/522] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 173/522] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
                   ` (350 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Maciej W. Rozycki

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit d15cd40cb1858f75846eaafa9a6bca841b790a92 upstream.

Fix a thinko in the status interrupt handler that has caused counters
for the RI and DSR modem line transitions to be used for the other line
each.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Cc: stable <stable@kernel.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://patch.msgid.link/alpine.DEB.2.21.2604101747110.29980@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -679,9 +679,9 @@ static void zs_status_handle(struct zs_p
 			uart_handle_dcd_change(uport,
 					       zport->mctrl & TIOCM_CAR);
 		if (delta & TIOCM_RNG)
-			uport->icount.dsr++;
-		if (delta & TIOCM_DSR)
 			uport->icount.rng++;
+		if (delta & TIOCM_DSR)
+			uport->icount.dsr++;
 
 		if (delta)
 			wake_up_interruptible(&uport->state->port.delta_msr_wait);




* [PATCH 7.0 089/378] rtla: Fix parsing of multi-character short options
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 088/378] cpufreq/amd-pstate: drop stale @epp_cached kdoc Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 090/378] tools/rv: Ensure monitor name and desc are NUL-terminated Greg Kroah-Hartman
                   ` (289 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, John Kacur, Tomas Glozar,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tomas Glozar <tglozar@redhat.com>

[ Upstream commit e9e41d3035032ed6053d8bad7b7077e1cb3a6540 ]

A bug was reported where the parsing of multi-character short options,
be it a short option with an argument specified without space (e.g.
"-p100") or multiple short options in one argument (e.g. -un), ignores
options specific to individual tools.

Furthermore, if the rest of the option is supposed to be an argument, it
gets reinterpreted as a string of options. For example, -p100 gets
interpreted as -100, which is due to hackish implementation read as
--no-thread --no-irq --no-irq with timerlat hist, causing rtla to error
out:

$ rtla timerlat hist -p100
no-irq and no-thread set, there is nothing to do here

This behavior is caused by getopt_long() being called twice on each
argument, once in common_parse_options(), once in [tool]_parse_args():

- common_parse_options() calls getopt_long() with an array of options
  common for all rtla tools, while suppressing errors (opterr = 0).
- If the option fails to parse, common_parse_options() returns 0.
- If 0 is returned from common_parse_options(), [tool]_parse_args()
  calls getopt_long() again, with its own set of options.

* [tool] means one of {osnoise,timerlat}_{top,hist}

At least in glibc, getopt_long() increments its internal nextchar
variable even if the option is not recognized. That means that in the
case of "-p100", common_parse_options() sets nextchar pointing to '1',
and timerlat_hist_parse_args() sees '1', not 'p'; the same then repeats
for the first and second '0'.

As there is no way to restore the correct internal state of
getopt_long() reliably, fix the issue by merging the common options back
to the longopt array and option string of the [tool]_parse_args()
functions using a macro; only the switch part is left in the original
function, which is renamed to set_common_option().

Fixes: 850cd24cb6d6 ("tools/rtla: Add common_parse_options()")
Reported-by: John Kacur <jkacur@redhat.com>
Tested-by: John Kacur <jkacur@redhat.com>
Link: https://lore.kernel.org/r/20260602125506.3325345-1-tglozar@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/tracing/rtla/src/common.c        | 28 +++++---------------------
 tools/tracing/rtla/src/common.h        | 12 ++++++++++-
 tools/tracing/rtla/src/osnoise_hist.c  |  7 ++++---
 tools/tracing/rtla/src/osnoise_top.c   |  7 ++++---
 tools/tracing/rtla/src/timerlat_hist.c |  7 ++++---
 tools/tracing/rtla/src/timerlat_top.c  |  7 ++++---
 6 files changed, 32 insertions(+), 36 deletions(-)

diff --git a/tools/tracing/rtla/src/common.c b/tools/tracing/rtla/src/common.c
index 839c78c065e12f..01d5b8d5aeaf2e 100644
--- a/tools/tracing/rtla/src/common.c
+++ b/tools/tracing/rtla/src/common.c
@@ -82,37 +82,20 @@ int getopt_auto(int argc, char **argv, const struct option *long_opts)
 }
 
 /*
- * common_parse_options - parse common command line options
+ * set_common_option - set common options
  *
+ * @c: option character
  * @argc: argument count
  * @argv: argument vector
  * @common: common parameters structure
  *
  * Parse command line options that are common to all rtla tools.
  *
- * Returns: non zero if a common option was parsed, or 0
- * if the option should be handled by tool-specific parsing.
+ * Returns: 1 if the option was set, 0 otherwise.
  */
-int common_parse_options(int argc, char **argv, struct common_params *common)
+int set_common_option(int c, int argc, char **argv, struct common_params *common)
 {
 	struct trace_events *tevent;
-	int saved_state = optind;
-	int c;
-
-	static struct option long_options[] = {
-		{"cpus",                required_argument,      0, 'c'},
-		{"cgroup",              optional_argument,      0, 'C'},
-		{"debug",               no_argument,            0, 'D'},
-		{"duration",            required_argument,      0, 'd'},
-		{"event",               required_argument,      0, 'e'},
-		{"house-keeping",       required_argument,      0, 'H'},
-		{"priority",            required_argument,      0, 'P'},
-		{0, 0, 0, 0}
-	};
-
-	opterr = 0;
-	c = getopt_auto(argc, argv, long_options);
-	opterr = 1;
 
 	switch (c) {
 	case 'c':
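Review bot: the kdoc for set_common_option() still reads "Parse command line options that are common to all rtla tools", but with the getopt_auto() call removed from the body the function no longer parses anything. It only applies an option character the caller has already obtained. The description should say that, and should state what @argc and @argv are still needed for now that parsing happens in the caller.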
@@ -152,11 +135,10 @@ int common_parse_options(int argc, char **argv, struct common_params *common)
 		common->set_sched = 1;
 		break;
 	default:
-		optind = saved_state;
 		return 0;
 	}
 
-	return c;
+	return 1;
 }
 
 /*
diff --git a/tools/tracing/rtla/src/common.h b/tools/tracing/rtla/src/common.h
index d4b3715700be73..e00e3930ddb0b5 100644
--- a/tools/tracing/rtla/src/common.h
+++ b/tools/tracing/rtla/src/common.h
@@ -158,7 +158,17 @@ int osnoise_set_stop_total_us(struct osnoise_context *context,
 			      long long stop_total_us);
 
 int getopt_auto(int argc, char **argv, const struct option *long_opts);
-int common_parse_options(int argc, char **argv, struct common_params *common);
+
+#define COMMON_OPTIONS \
+	{"cpus",                required_argument,      0, 'c'},\
+	{"cgroup",              optional_argument,      0, 'C'},\
+	{"debug",               no_argument,            0, 'D'},\
+	{"duration",            required_argument,      0, 'd'},\
+	{"event",               required_argument,      0, 'e'},\
+	{"house-keeping",       required_argument,      0, 'H'},\
+	{"priority",            required_argument,      0, 'P'}
+int set_common_option(int c, int argc, char **argv, struct common_params *common);
+
 int common_apply_config(struct osnoise_tool *tool, struct common_params *params);
 int top_main_loop(struct osnoise_tool *tool);
 int hist_main_loop(struct osnoise_tool *tool);
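Review bot: COMMON_OPTIONS reserves the short option characters c, C, D, d, e, H and P in every tool's long_options array, but nothing next to the macro documents that. A comment listing the reserved characters, and noting that the macro carries no trailing comma and so must be written as "COMMON_OPTIONS," at the start of the array, would help whoever adds the next tool-specific option avoid a collision in which set_common_option() consumes the character before the tool's own switch sees it.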
diff --git a/tools/tracing/rtla/src/osnoise_hist.c b/tools/tracing/rtla/src/osnoise_hist.c
index 5c863e7aad28b4..5dd1d4ba0b887d 100644
--- a/tools/tracing/rtla/src/osnoise_hist.c
+++ b/tools/tracing/rtla/src/osnoise_hist.c
@@ -480,6 +480,7 @@ static struct common_params
 
 	while (1) {
 		static struct option long_options[] = {
+			COMMON_OPTIONS,
 			{"auto",		required_argument,	0, 'a'},
 			{"bucket-size",		required_argument,	0, 'b'},
 			{"entries",		required_argument,	0, 'E'},
@@ -503,15 +504,15 @@ static struct common_params
 			{0, 0, 0, 0}
 		};
 
-		if (common_parse_options(argc, argv, &params->common))
-			continue;
-
 		c = getopt_auto(argc, argv, long_options);
 
 		/* detect the end of the options. */
 		if (c == -1)
 			break;
 
+		if (set_common_option(c, argc, argv, &params->common))
+			continue;
+
 		switch (c) {
 		case 'a':
 			/* set sample stop to auto_thresh */
diff --git a/tools/tracing/rtla/src/osnoise_top.c b/tools/tracing/rtla/src/osnoise_top.c
index b7aed40fd2164f..5c278c68b1a2c8 100644
--- a/tools/tracing/rtla/src/osnoise_top.c
+++ b/tools/tracing/rtla/src/osnoise_top.c
@@ -337,6 +337,7 @@ struct common_params *osnoise_top_parse_args(int argc, char **argv)
 
 	while (1) {
 		static struct option long_options[] = {
+			COMMON_OPTIONS,
 			{"auto",		required_argument,	0, 'a'},
 			{"help",		no_argument,		0, 'h'},
 			{"period",		required_argument,	0, 'p'},
@@ -355,15 +356,15 @@ struct common_params *osnoise_top_parse_args(int argc, char **argv)
 			{0, 0, 0, 0}
 		};
 
-		if (common_parse_options(argc, argv, &params->common))
-			continue;
-
 		c = getopt_auto(argc, argv, long_options);
 
 		/* Detect the end of the options. */
 		if (c == -1)
 			break;
 
+		if (set_common_option(c, argc, argv, &params->common))
+			continue;
+
 		switch (c) {
 		case 'a':
 			/* set sample stop to auto_thresh */
diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c
index 096de8ba3efbb6..5089b72c7a9439 100644
--- a/tools/tracing/rtla/src/timerlat_hist.c
+++ b/tools/tracing/rtla/src/timerlat_hist.c
@@ -789,6 +789,7 @@ static struct common_params
 
 	while (1) {
 		static struct option long_options[] = {
+			COMMON_OPTIONS,
 			{"auto",		required_argument,	0, 'a'},
 			{"bucket-size",		required_argument,	0, 'b'},
 			{"entries",		required_argument,	0, 'E'},
@@ -822,11 +823,11 @@ static struct common_params
 			{0, 0, 0, 0}
 		};
 
-		if (common_parse_options(argc, argv, &params->common))
-			continue;
-
 		c = getopt_auto(argc, argv, long_options);
 
+		if (set_common_option(c, argc, argv, &params->common))
+			continue;
+
 		/* detect the end of the options. */
 		if (c == -1)
 			break;
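Review bot: in this hunk set_common_option() is called before the "if (c == -1)" end-of-options check, while the osnoise_hist.c and osnoise_top.c hunks call it after that check. It only works because -1 matches no case, reaches the default branch of the common switch and returns 0. Moving the call below the "c == -1" break would match the osnoise parsers and avoid passing the end-of-options sentinel into the common switch.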
diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c
index 27c14aa71a8bc8..1311afc981e24c 100644
--- a/tools/tracing/rtla/src/timerlat_top.c
+++ b/tools/tracing/rtla/src/timerlat_top.c
@@ -558,6 +558,7 @@ static struct common_params
 
 	while (1) {
 		static struct option long_options[] = {
+			COMMON_OPTIONS,
 			{"auto",		required_argument,	0, 'a'},
 			{"help",		no_argument,		0, 'h'},
 			{"irq",			required_argument,	0, 'i'},
@@ -585,11 +586,11 @@ static struct common_params
 			{0, 0, 0, 0}
 		};
 
-		if (common_parse_options(argc, argv, &params->common))
-			continue;
-
 		c = getopt_auto(argc, argv, long_options);
 
+		if (set_common_option(c, argc, argv, &params->common))
+			continue;
+
 		/* detect the end of the options. */
 		if (c == -1)
 			break;
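Review bot: set_common_option() is placed ahead of the "if (c == -1)" break in this loop, so the -1 that getopt_auto() returns at the end of the options is handed to the common switch first. Placing the call after the break, as the osnoise_top.c hunk does, would keep the four parser loops identical and not depend on the default case returning 0.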
-- 
2.53.0





* [PATCH 6.1 173/522] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 172/522] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 174/522] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr Greg Kroah-Hartman
                   ` (349 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Shitalkumar Gandhi, Frank Li

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>

commit 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 upstream.

lpuart_start_rx_dma() allocates sport->rx_ring.buf with kzalloc() and
then maps a scatterlist via dma_map_sg().  On three subsequent error
paths the function returns directly without releasing those resources:

  - when dma_map_sg() returns 0 (-EINVAL):
      ring->buf is leaked.
  - when dmaengine_slave_config() fails:
      ring->buf and the DMA mapping are leaked.
  - when dmaengine_prep_dma_cyclic() returns NULL:
      ring->buf and the DMA mapping are leaked.

The sole cleanup path, lpuart_dma_rx_free(), is only reached when
lpuart_dma_rx_use is set, and the caller lpuart_rx_dma_startup() clears
that flag on failure of lpuart_start_rx_dma().  So these resources are
permanently leaked on every failure in this function.  Repeated port
open/close or termios changes under error conditions will slowly consume
memory and leave stale streaming DMA mappings behind.

Fix it by introducing two error labels that unmap the scatterlist and
free the ring buffer as appropriate.  While here, replace the misleading
-EFAULT (bad userspace pointer) returned when dmaengine_prep_dma_cyclic()
fails with the more accurate -ENOMEM, matching how other dmaengine users
in the tree treat this failure.

No functional change on the success path.

Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
Cc: stable <stable@kernel.org>
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260420135903.2062024-1-shitalkumar.gandhi@cambiumnetworks.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/fsl_lpuart.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1298,7 +1298,8 @@ static inline int lpuart_start_rx_dma(st
 
 	if (!nent) {
 		dev_err(sport->port.dev, "DMA Rx mapping error\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_free_buf;
 	}
 
 	dma_rx_sconfig.src_addr = lpuart_dma_datareg_addr(sport);
@@ -1310,7 +1311,7 @@ static inline int lpuart_start_rx_dma(st
 	if (ret < 0) {
 		dev_err(sport->port.dev,
 				"DMA Rx slave config failed, err = %d\n", ret);
-		return ret;
+		goto err_unmap_sg;
 	}
 
 	sport->dma_rx_desc = dmaengine_prep_dma_cyclic(chan,
@@ -1321,7 +1322,8 @@ static inline int lpuart_start_rx_dma(st
 				 DMA_PREP_INTERRUPT);
 	if (!sport->dma_rx_desc) {
 		dev_err(sport->port.dev, "Cannot prepare cyclic DMA\n");
-		return -EFAULT;
+		ret = -ENOMEM;
+		goto err_unmap_sg;
 	}
 
 	sport->dma_rx_desc->callback = lpuart_dma_rx_complete;
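Review bot: replacing -EFAULT with -ENOMEM on the dmaengine_prep_dma_cyclic() failure changes the error code callers see, which is a behaviour change bundled into a leak fix. The new value is reasonable, but a separate patch for the errno change would make the leak fix easier to backport and bisect on its own.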
@@ -1339,6 +1341,13 @@ static inline int lpuart_start_rx_dma(st
 	}
 
 	return 0;
+
+err_unmap_sg:
+	dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE);
+err_free_buf:
+	kfree(ring->buf);
+	ring->buf = NULL;
+	return ret;
 }
 
 static void lpuart_dma_rx_free(struct uart_port *port)
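Review bot: the dma_unmap_sg() call under err_unmap_sg hard-codes chan->device->dev, &sport->rx_sgl, 1 and DMA_FROM_DEVICE, while the dma_map_sg() call it has to undo is outside the context of these hunks. The unmap must use the same device, entry count and direction as the map, so it is worth confirming they match, ideally by quoting the map call in the commit message.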




* [PATCH 7.0 090/378] tools/rv: Ensure monitor name and desc are NUL-terminated
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 089/378] rtla: Fix parsing of multi-character short options Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 091/378] tools/rv: Fix substring match bug in monitor name search Greg Kroah-Hartman
                   ` (288 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, unknownbbqrx, Gabriele Monaco,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriele Monaco <gmonaco@redhat.com>

[ Upstream commit 08904765bb941f98306ae6841c33cfd299343faf ]

ikm_fill_monitor_definition() copies monitor name and description with
strncpy(), but does not guarantee NUL termination when source strings are
equal to or longer than the destination buffers.

Clamp copies to sizeof(dst) - 1 and explicitly append '\0' for both fields
to keep them safe for later string operations.

Suggested-by: unknownbbqrx <dev@unknownbbqr.xyz>
Fixes: 6d60f89691fc9 ("tools/rv: Add in-kernel monitor interface")
Link: https://lore.kernel.org/r/20260604120946.90302-2-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/verification/rv/src/in_kernel.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c
index 4bb746ea6e1735..d324538249d3ab 100644
--- a/tools/verification/rv/src/in_kernel.c
+++ b/tools/verification/rv/src/in_kernel.c
@@ -215,10 +215,11 @@ static int ikm_fill_monitor_definition(char *name, struct monitor *ikm, char *co
 		return -1;
 	}
 
-	strncpy(ikm->name, nested_name, MAX_DA_NAME_LEN);
+	strncpy(ikm->name, nested_name, sizeof(ikm->name) - 1);
+	ikm->name[sizeof(ikm->name) - 1] = '\0';
 	ikm->enabled = enabled;
-	strncpy(ikm->desc, desc, MAX_DESCRIPTION);
-
+	strncpy(ikm->desc, desc, sizeof(ikm->desc) - 1);
+	ikm->desc[sizeof(ikm->desc) - 1] = '\0';
 	free(desc);
 
 	return 0;
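Review bot: both strncpy() calls now truncate silently when nested_name or desc is longer than the destination buffer. For ikm->name that means a shortened monitor name is stored and later treated as the real one. Checking the source length first and failing with -1, as the branch just above this hunk does, or at least reporting the truncation, would be safer than accepting a name that may no longer identify the monitor. The blank line that used to separate the copies from free(desc) has also been dropped and could be kept.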
-- 
2.53.0





* [PATCH 6.1 174/522] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 173/522] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 175/522] drm/amdkfd: Check for pdd drm file first in CRIU restore path Greg Kroah-Hartman
                   ` (348 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Huang, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Huang <jinhuieric.huang@amd.com>

commit e984d61d92e702096058f0f828f4b2b8563b88ce upstream.

The process_info could be NULL if user doesn't call kfd_ioctl_acquire_vm
before calling kfd_ioctl_svm.

Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 83a26c812e0529eb040d31a76f73e33e637243d4)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -3404,6 +3404,9 @@ svm_range_set_attr(struct kfd_process *p
 
 	svms = &p->svms;
 
+	if (!process_info)
+		return -EINVAL;
+
 	mutex_lock(&process_info->lock);
 
 	svm_range_list_lock_and_flush_work(svms, mm);
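Review bot: the new !process_info check ahead of mutex_lock(&process_info->lock) has no comment, and nothing in the hunk shows why the pointer can be NULL at this point. A short comment saying that process_info is only set once userspace has called kfd_ioctl_acquire_vm, as the commit message explains, would document the precondition. It is also worth checking whether the other SVM operations reached from kfd_ioctl_svm dereference process_info without the same guard.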




* [PATCH 7.0 091/378] tools/rv: Fix substring match bug in monitor name search
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 090/378] tools/rv: Ensure monitor name and desc are NUL-terminated Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 092/378] tools/rv: Fix substring match when listing container monitors Greg Kroah-Hartman
                   ` (287 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Gabriele Monaco,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriele Monaco <gmonaco@redhat.com>

[ Upstream commit a963fbf3166f2e178ac38b6c3c186a0c98092fb9 ]

__ikm_find_monitor_name() relies on strstr() to find a monitor by name,
which fails if the target monitor is a substring of a previously listed
monitor.

Fix it by tokenizing the available_monitors file and matching full
tokens instead.

Fixes: eba321a16fc6 ("tools/rv: Add support for nested monitors")
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20260514152055.229162-2-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/verification/rv/src/in_kernel.c | 48 ++++++++++++++-------------
 1 file changed, 25 insertions(+), 23 deletions(-)

diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c
index d324538249d3ab..95eac9ab148468 100644
--- a/tools/verification/rv/src/in_kernel.c
+++ b/tools/verification/rv/src/in_kernel.c
@@ -58,38 +58,40 @@ static int __ikm_read_enable(char *monitor_name)
  */
 static int __ikm_find_monitor_name(char *monitor_name, char *out_name)
 {
-	char *available_monitors, container[MAX_DA_NAME_LEN+1], *cursor, *end;
-	int retval = 1;
+	char *available_monitors, *cursor, *line;
+	int len = strlen(monitor_name);
+	int found = 0;
 
 	available_monitors = tracefs_instance_file_read(NULL, "rv/available_monitors", NULL);
 	if (!available_monitors)
 		return -1;
 
-	cursor = strstr(available_monitors, monitor_name);
-	if (!cursor) {
-		retval = 0;
-		goto out_free;
-	}
+	config_is_container = 0;
+	cursor = available_monitors;
+	while ((line = strsep(&cursor, "\n"))) {
+		char *colon = strchr(line, ':');
 
-	for (; cursor > available_monitors; cursor--)
-		if (*(cursor-1) == '\n')
-			break;
-	end = strstr(cursor, "\n");
-	memcpy(out_name, cursor, end-cursor);
-	out_name[end-cursor] = '\0';
-
-	cursor = strstr(out_name, ":");
-	if (cursor)
-		*cursor = '/';
-	else {
-		sprintf(container, "%s:", monitor_name);
-		if (strstr(available_monitors, container))
-			config_is_container = 1;
+		if (strcmp(line, monitor_name) && (!colon || strcmp(colon + 1, monitor_name)))
+			continue;
+
+		strncpy(out_name, line, 2 * MAX_DA_NAME_LEN);
+		out_name[2 * MAX_DA_NAME_LEN - 1] = '\0';
+
+		if (colon) {
+			out_name[colon - line] = '/';
+		} else {
+			/* If there are children, they are on the next line. */
+			line = strsep(&cursor, "\n");
+			if (line && !strncmp(line, monitor_name, len) && line[len] == ':')
+				config_is_container = 1;
+		}
+
+		found = 1;
+		break;
 	}
 
-out_free:
 	free(available_monitors);
-	return retval;
+	return found;
 }
 
 /*
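Review bot: in the match branch, `strncpy(out_name, line, 2 * MAX_DA_NAME_LEN);` followed by `out_name[2 * MAX_DA_NAME_LEN - 1] = '\0';` hard-codes the size of a buffer that the function only receives as `char *out_name`. Pass the buffer size in as a parameter or document the minimum size at the prototype, so that a caller with a smaller buffer cannot be overrun; an overlong line is also silently truncated and still reported as found. Separately, `int len = strlen(monitor_name);` would be better as size_t, and the container test depends on children being listed on the line directly after their container, which the in-code comment states but nothing checks.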
-- 
2.53.0





* [PATCH 6.1 175/522] drm/amdkfd: Check for pdd drm file first in CRIU restore path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 174/522] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 176/522] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
                   ` (347 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Francis, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Francis <David.Francis@amd.com>

commit 6842b6a4b72da9b2906ffc5ca9d846ace2c54c14 upstream.

CRIU restore ioctls are meant to be called by CRIU with no
existing drm file. There's an error path
for if the drm file unexpectedly exists. It was positioned so
it was missing a fput(drm_file).

Do that check earlier, as soon as we have the pdd.

Signed-off-by: David Francis <David.Francis@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2bab781dac78916c5cc8de76345a4102449267d7)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -2171,6 +2171,11 @@ static int criu_restore_devices(struct k
 			ret = -EINVAL;
 			goto exit;
 		}
+
+		if (pdd->drm_file) {
+			ret = -EINVAL;
+			goto exit;
+		}
 		pdd->user_gpu_id = device_buckets[i].user_gpu_id;
 
 		drm_file = fget(device_buckets[i].drm_fd);
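Review bot: the relocated `if (pdd->drm_file)` check now runs before `drm_file = fget(device_buckets[i].drm_fd);`, so this error path no longer holds a file reference, but nothing at the new location says that the ordering matters. A short comment that the check must stay ahead of the fget() would keep a later reshuffle from reintroducing the missing fput(). Style: add a blank line between the new block's closing brace and `pdd->user_gpu_id = ...`, matching the blank line added above the block.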
@@ -2180,11 +2185,6 @@ static int criu_restore_devices(struct k
 			ret = -EINVAL;
 			goto exit;
 		}
-
-		if (pdd->drm_file) {
-			ret = -EINVAL;
-			goto exit;
-		}
 
 		/* create the vm using render nodes for kfd pdd */
 		if (kfd_process_device_init_vm(pdd, drm_file)) {




* [PATCH 7.0 092/378] tools/rv: Fix substring match when listing container monitors
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 091/378] tools/rv: Fix substring match bug in monitor name search Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 093/378] tools/rv: Fix cleanup after failed trace setup Greg Kroah-Hartman
                   ` (286 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Gabriele Monaco,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriele Monaco <gmonaco@redhat.com>

[ Upstream commit ba0247c5aa3fcb2890a92a97a88c70fe5ce704a6 ]

When listing monitors within a specific container (rv list <container>),
the tool incorrectly matched monitors if the requested container name
was only a prefix of the actual container (e.g., 'rv list sche' would
incorrectly list monitors from 'sched:').

Fix this by ensuring the container name is an exact match and is
immediately followed by the ':' separator.

Fixes: eba321a16fc6 ("tools/rv: Add support for nested monitors")
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20260514152055.229162-3-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/verification/rv/src/in_kernel.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c
index 95eac9ab148468..e4f35940374f5a 100644
--- a/tools/verification/rv/src/in_kernel.c
+++ b/tools/verification/rv/src/in_kernel.c
@@ -193,8 +193,12 @@ static int ikm_fill_monitor_definition(char *name, struct monitor *ikm, char *co
 	nested_name = strstr(name, ":");
 	if (nested_name) {
 		/* it belongs in container if it starts with "container:" */
-		if (container && strstr(name, container) != name)
-			return 1;
+		if (container) {
+			int len = strlen(container);
+
+			if (strncmp(name, container, len) || name[len] != ':')
+				return 1;
+		}
 		*nested_name = '/';
 		++nested_name;
 		ikm->nested = 1;
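Review bot: `int len = strlen(container);` in the new block should be size_t, since it is used both as the strncmp() length and as an index into name. The `strncmp(name, container, len) || name[len] != ':'` test is the same prefix-plus-separator idiom that the previous patch open-codes in __ikm_find_monitor_name() (`!strncmp(line, monitor_name, len) && line[len] == ':'`); a small shared helper would keep the two matches from drifting apart again.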
-- 
2.53.0





* [PATCH 6.1 176/522] serial: dz: Fix bootconsole message clobbering at chip reset
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 175/522] drm/amdkfd: Check for pdd drm file first in CRIU restore path Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 177/522] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
                   ` (346 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit ca904f4b42355287bc5ce8b7550ebe909cda4c2c upstream.

In the DZ interface as implemented by the DC7085 gate array the serial
transmitters are double buffered, meaning that at the time a transmitter
is ready to accept the next character there is one in the transmit shift
register still being sent to the line.  Issuing a master clear at this
time causes this character to be lost, so wait an extra amount of time
sufficient for the transmit shift register to drain at 9600bps, which is
the baud rate setting used by the firmware console.

Mind the specified 1.4us TRDY recovery time in the course and continue
using iob() as the completion barrier, since the platforms involved use
a write buffer that can delay and combine writes, and reorder them with
respect to reads regardless of the MMIO locations accessed and we still
lack a platform-independent handler for that.

When called from dz_serial_console_init() this is too early for fsleep()
to work and even before lpj has been calculated and therefore the delay
is actually not sufficient for the transmitter to drain and is merely a
placeholder now.  This will be addressed in a follow-up change.

Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062259080.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/dz.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -544,10 +544,31 @@ static int dz_encode_baud_rate(unsigned
 static void dz_reset(struct dz_port *dport)
 {
 	struct dz_mux *mux = dport->mux;
+	unsigned short tcr;
+	int loops = 10000;
 
 	if (mux->initialised)
 		return;
 
+	tcr = dz_in(dport, DZ_TCR);
+
+	/* Do not disturb any ongoing transmissions.  */
+	if (dz_in(dport, DZ_CSR) & DZ_MSE) {
+		unsigned short csr, mask;
+
+		mask = tcr;
+		while ((mask & DZ_LNENB) && loops--) {
+			csr = dz_in(dport, DZ_CSR);
+			if (!(csr & DZ_TRDY))
+				continue;
+			mask &= ~(1 << ((csr & DZ_TLINE) >> 8));
+			dz_out(dport, DZ_TCR, mask);
+			iob();
+			udelay(2);		/* 1.4us TRDY recovery.  */
+		}
+		udelay(1200);			/* Transmitter drain.  */
+	}
+
 	dz_out(dport, DZ_CSR, DZ_CLR);
 	while (dz_in(dport, DZ_CSR) & DZ_CLR);
 	iob();
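Review bot: the `while ((mask & DZ_LNENB) && loops--)` poll has no delay on the `continue` path taken when DZ_TRDY is clear, so the 10000-iteration cap counts back-to-back register reads rather than a bounded time, and running out of iterations is not detected: the code falls through to `udelay(1200)` and the master clear with bits possibly still set in mask. Consider a short delay per iteration and a comment on what a timeout means here. The 10000 and 1200 constants would also benefit from a comment tying them to the 9600bps figure given in the changelog, and `tcr` is only used to seed mask, so mask could be initialised from dz_in() directly.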




* [PATCH 7.0 093/378] tools/rv: Fix cleanup after failed trace setup
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 092/378] tools/rv: Fix substring match when listing container monitors Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 094/378] verification/rvgen: Fix options shared among commands Greg Kroah-Hartman
                   ` (285 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Gabriele Monaco,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriele Monaco <gmonaco@redhat.com>

[ Upstream commit 33ec2269a4155cad7e9e42c92327dcaa9aee59a7 ]

Currently, if ikm_setup_trace_instance() fails, the tool returns without
any cleanup. If rv was called with both -t and -r, this means the
reactor is not going to be cleared.

Jump to the cleanup label to restore the reactor if necessary.

Fixes: 6d60f89691fc9 ("tools/rv: Add in-kernel monitor interface")
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20260514152055.229162-5-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/verification/rv/src/in_kernel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c
index e4f35940374f5a..e6dea4040f8f4c 100644
--- a/tools/verification/rv/src/in_kernel.c
+++ b/tools/verification/rv/src/in_kernel.c
@@ -810,7 +810,7 @@ int ikm_run_monitor(char *monitor_name, int argc, char **argv)
 	if (config_trace) {
 		inst = ikm_setup_trace_instance(nested_name);
 		if (!inst)
-			return -1;
+			goto out_free_instance;
 	}
 
 	retval = ikm_enable(full_name);
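Review bot: replacing `return -1;` with `goto out_free_instance;` makes the function's result on this path whatever retval holds at the jump, and the visible context only assigns retval afterwards (`retval = ikm_enable(full_name);`). Set `retval = -1;` before the goto unless it is already guaranteed to be an error value at this point. inst is NULL on this path, so the code under out_free_instance also has to tolerate a NULL instance.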
-- 
2.53.0





* [PATCH 6.1 177/522] serial: zs: Fix bootconsole handover lockup
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 176/522] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 178/522] serial: zs: Switch to using channel reset Greg Kroah-Hartman
                   ` (345 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 6c05cf72e13314ce9b770b5951695dc5a2152920 upstream.

Calling zs_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled.  We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by zs_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.

This will change with the next change to the driver, so fix zs_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset.  This
also means zs_pm() serves no purpose anymore, so drop it.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062308040.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |   29 ++++++++---------------------
 1 file changed, 8 insertions(+), 21 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -105,18 +105,24 @@ struct zs_parms {
 
 static struct zs_scc zs_sccs[ZS_NUM_SCCS];
 
+/*
+ * Set parameters in WR5, WR12, WR13 such as not to interfere
+ * with the initial PROM-based console.  Otherwise any output
+ * produced before the console handover would cause the system
+ * firmware to hang (TxENAB) or produce rubbish (Tx8, B9600).
+ */
 static u8 zs_init_regs[ZS_NUM_REGS] __initdata = {
 	0,				/* write 0 */
 	PAR_SPEC,			/* write 1 */
 	0,				/* write 2 */
 	0,				/* write 3 */
 	X16CLK | SB1,			/* write 4 */
-	0,				/* write 5 */
+	Tx8 | TxENAB,			/* write 5 */
 	0, 0, 0,			/* write 6, 7, 8 */
 	MIE | DLC | NV,			/* write 9 */
 	NRZ,				/* write 10 */
 	TCBR | RCBR,			/* write 11 */
-	0, 0,				/* BRG time constant, write 12 + 13 */
+	0x16, 0x00,			/* BRG time constant, write 12 + 13 */
 	BRSRC | BRENABL,		/* write 14 */
 	0,				/* write 15 */
 };
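Review bot: the `0x16, 0x00` BRG time constant for WR12/WR13 is a bare magic number; the new comment above the table names B9600 but not how 0x16 follows from it. A named constant, or a trailing comment giving the clock and divisor assumed, would let the value be checked against the 9600n8 setting the changelog describes. The `Tx8 | TxENAB` entry for WR5 deserves the same trailing note that it must mirror the firmware console's settings.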
@@ -955,23 +961,6 @@ static void zs_set_termios(struct uart_p
 	spin_unlock_irqrestore(&scc->zlock, flags);
 }
 
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void zs_pm(struct uart_port *uport, unsigned int state,
-		  unsigned int oldstate)
-{
-	struct zs_port *zport = to_zport(uport);
-
-	if (state < 3)
-		zport->regs[5] |= TxENAB;
-	else
-		zport->regs[5] &= ~TxENAB;
-	write_zsreg(zport, R5, zport->regs[5]);
-}
-
 
 static const char *zs_type(struct uart_port *uport)
 {
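Review bot: style nit, removing zs_pm() together with only one of the blank lines around it leaves two consecutive blank lines between the end of zs_set_termios() and `static const char *zs_type(struct uart_port *uport)`; drop one of them.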
@@ -1054,7 +1043,6 @@ static const struct uart_ops zs_ops = {
 	.startup	= zs_startup,
 	.shutdown	= zs_shutdown,
 	.set_termios	= zs_set_termios,
-	.pm		= zs_pm,
 	.type		= zs_type,
 	.release_port	= zs_release_port,
 	.request_port	= zs_request_port,
@@ -1209,7 +1197,6 @@ static int __init zs_console_setup(struc
 		return ret;
 
 	zs_reset(zport);
-	zs_pm(uport, 0, -1);
 
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);




* [PATCH 7.0 094/378] verification/rvgen: Fix options shared among commands
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 093/378] tools/rv: Fix cleanup after failed trace setup Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 095/378] verification/rvgen: Fix ltl2k writing True as a literal Greg Kroah-Hartman
                   ` (284 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Gabriele Monaco,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriele Monaco <gmonaco@redhat.com>

[ Upstream commit 5f845ad706c0b394ae274e9a930044f78bef782e ]

After rvgen was refactored to use subparsers, the common options (-a and
-D) were left in the main parser. This meant that they needed to be
called /before/ the subcommand and using them without subcommand was
allowed. This is not the original intent.

  rvgen -D "some description" container -n name

Define the options as parent in the subparsers to allow them to be used
from both subcommands together with other options.

  rvgen container -n name -D "some description"

Fixes: 5270a0e3041c ("verification/dot2k: Replace is_container() hack with subparsers")
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20260514152055.229162-7-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/verification/rvgen/__main__.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/tools/verification/rvgen/__main__.py b/tools/verification/rvgen/__main__.py
index fa6fc1f4de2f7e..5198bccccd107b 100644
--- a/tools/verification/rvgen/__main__.py
+++ b/tools/verification/rvgen/__main__.py
@@ -17,14 +17,16 @@ if __name__ == '__main__':
     import sys
 
     parser = argparse.ArgumentParser(description='Generate kernel rv monitor')
-    parser.add_argument("-D", "--description", dest="description", required=False)
-    parser.add_argument("-a", "--auto_patch", dest="auto_patch",
+
+    parent_parser = argparse.ArgumentParser(add_help=False)
+    parent_parser.add_argument("-D", "--description", dest="description", required=False)
+    parent_parser.add_argument("-a", "--auto_patch", dest="auto_patch",
                         action="store_true", required=False,
                         help="Patch the kernel in place")
 
     subparsers = parser.add_subparsers(dest="subcmd", required=True)
 
-    monitor_parser = subparsers.add_parser("monitor")
+    monitor_parser = subparsers.add_parser("monitor", parents=[parent_parser])
     monitor_parser.add_argument('-n', "--model_name", dest="model_name")
     monitor_parser.add_argument("-p", "--parent", dest="parent",
                                 required=False, help="Create a monitor nested to parent")
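Review bot: the continuation lines of `parent_parser.add_argument("-a", "--auto_patch", dest="auto_patch",` are unchanged context, so `action="store_true", required=False,` and `help="Patch the kernel in place")` keep the indentation of the old `parser.add_argument(` call and no longer line up with the opening parenthesis. Re-indent them in the same change.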
@@ -34,7 +36,7 @@ if __name__ == '__main__':
     monitor_parser.add_argument('-t', "--monitor_type", dest="monitor_type",
                                 help=f"Available options: {', '.join(Monitor.monitor_types.keys())}")
 
-    container_parser = subparsers.add_parser("container")
+    container_parser = subparsers.add_parser("container", parents=[parent_parser])
     container_parser.add_argument('-n', "--model_name", dest="model_name", required=True)
 
     params = parser.parse_args()
-- 
2.53.0





* [PATCH 6.1 178/522] serial: zs: Switch to using channel reset
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 177/522] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 179/522] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
                   ` (344 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 8572955630f30948837088aa98bcbe0532d1ceac upstream.

Switch the driver to using the channel reset rather than hardware reset,
simplifying handling by removing an interference between channels that
causes the other channel to become uninitialised afterwards.

There is little difference between the two kinds of reset in terms of
register settings that result, and we initialise the whole register set
right away anyway.  However this prevents a hang from happening should
the console output handler in the firmware try to access the other port
whose transmitter has been disabled and line parameters messed up.

For example this will happen if the keyboard port (port A) is chosen for
the system console, unusually but not insanely for a headless system, as
the port is wired to a standard DA-15 connector and an adapter can be
easily made.  Or with the next change in place this would happen for the
regular console port (port B), since the keyboard port (port A) will be
initialised first.

Just remove the unnecessary complication then, a channel reset is good
enough.  We still need the initialisation marker, now per channel rather
than per SCC, as for the console port zs_reset() will be called twice:
once early on via zs_serial_console_init() for the console setup only,
and then again via zs_config_port() as the port is associated with a TTY
device.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062323430.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |    7 ++++---
 drivers/tty/serial/zs.h |    2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -831,21 +831,22 @@ static void zs_shutdown(struct uart_port
 
 static void zs_reset(struct zs_port *zport)
 {
+	struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];
 	struct zs_scc *scc = zport->scc;
 	int irq;
 	unsigned long flags;
 
 	spin_lock_irqsave(&scc->zlock, flags);
 	irq = !irqs_disabled_flags(flags);
-	if (!scc->initialised) {
+	if (!zport->initialised) {
 		/* Reset the pointer first, just in case...  */
 		read_zsreg(zport, R0);
 		/* And let the current transmission finish.  */
 		zs_line_drain(zport, irq);
-		write_zsreg(zport, R9, FHWRES);
+		write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
 		udelay(10);
 		write_zsreg(zport, R9, 0);
-		scc->initialised = 1;
+		zport->initialised = 1;
 	}
 	load_zsregs(zport, zport->regs, irq);
 	spin_unlock_irqrestore(&scc->zlock, flags);
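Review bot: `struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];` is declared ahead of `struct zs_scc *scc = zport->scc;` and repeats the dereference; declare scc first and initialise zport_a from `&scc->zport[ZS_CHAN_A]`. Since zport_a exists only to pick between CHRA and CHRB in the R9 write, a one-line comment at that write saying the reset is now per channel would make the switch from FHWRES easier to follow.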
--- a/drivers/tty/serial/zs.h
+++ b/drivers/tty/serial/zs.h
@@ -22,6 +22,7 @@
 struct zs_port {
 	struct zs_scc	*scc;			/* Containing SCC.  */
 	struct uart_port port;			/* Underlying UART.  */
+	int		initialised;		/* For the console port.  */
 
 	int		clk_mode;		/* May be 1, 16, 32, or 64.  */
 
@@ -41,7 +42,6 @@ struct zs_scc {
 	struct zs_port	zport[2];
 	spinlock_t	zlock;
 	atomic_t	irq_guard;
-	int		initialised;
 };
 
 #endif /* __KERNEL__ */




* [PATCH 7.0 095/378] verification/rvgen: Fix ltl2k writing True as a literal
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 094/378] verification/rvgen: Fix options shared among commands Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 096/378] riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI Greg Kroah-Hartman
                   ` (283 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Gabriele Monaco,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriele Monaco <gmonaco@redhat.com>

[ Upstream commit df996599cc69a9b74ff437c67751cf8a61f62e39 ]

The rvgen parser for LTL stores literal true values in the python
representation (capitalised True); this doesn't build in C.
The Literal class should already handle this case but ASTNode skips its
stringification method and converts the value (true/false) directly.

Fix by delegating ASTNode stringification to the Literal and Variable
classes instead of bypassing them.

Fixes: 97ffa4ce6ab32 ("verification/rvgen: Add support for linear temporal logic")
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20260514152055.229162-8-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/verification/rvgen/rvgen/ltl2ba.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tools/verification/rvgen/rvgen/ltl2ba.py b/tools/verification/rvgen/rvgen/ltl2ba.py
index f14e6760ac3db8..aada15ec83a3c2 100644
--- a/tools/verification/rvgen/rvgen/ltl2ba.py
+++ b/tools/verification/rvgen/rvgen/ltl2ba.py
@@ -121,10 +121,8 @@ class ASTNode:
         return self.op.expand(self, node, node_set)
 
     def __str__(self):
-        if isinstance(self.op, Literal):
-            return str(self.op.value)
-        if isinstance(self.op, Variable):
-            return self.op.name.lower()
+        if isinstance(self.op, (Literal, Variable)):
+            return str(self.op)
         return "val" + str(self.id)
 
     def normalize(self):
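Review bot: `return str(self.op)` makes ASTNode.__str__ depend on Literal defining a `__str__` that emits the C spelling, but that method is not part of this diff; only Variable.__str__ is added, in the next hunk. Point to Literal.__str__ in the changelog, or add a test that generates a monitor from a formula containing a literal true, so that the capitalised True cannot come back unnoticed.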
@@ -381,6 +379,9 @@ class Variable:
     def __iter__(self):
         yield from ()
 
+    def __str__(self):
+        return self.name.lower()
+
     def negate(self):
         new = ASTNode(self)
         return NotOp(new)
-- 
2.53.0





* [PATCH 6.1 179/522] HID: core: Add printk_ratelimited variants to hid_warn() etc
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 178/522] serial: zs: Switch to using channel reset Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 180/522] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
                   ` (343 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vicki Pfau, Jiri Kosina, Lee Jones,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vicki Pfau <vi@endrift.com>

[ Upstream commit 1d64624243af8329b4b219d8c39e28ea448f9929 ]

hid_warn_ratelimited() is needed. Add the others as part of the block.

Signed-off-by: Vicki Pfau <vi@endrift.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/hid.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 6c3dc24acefc2d..058ba486fdcf87 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1230,4 +1230,15 @@ do {									\
 #define hid_dbg_once(hid, fmt, ...)			\
 	dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__)
 
+#define hid_err_ratelimited(hid, fmt, ...)			\
+	dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_notice_ratelimited(hid, fmt, ...)			\
+	dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_warn_ratelimited(hid, fmt, ...)			\
+	dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_info_ratelimited(hid, fmt, ...)			\
+	dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_dbg_ratelimited(hid, fmt, ...)			\
+	dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+
 #endif
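Review bot: the new block lists the macros as err, notice, warn, info, dbg, which puts `hid_notice_ratelimited()` ahead of `hid_warn_ratelimited()`; ordering them by severity (err, warn, notice, info, dbg) would make the family easier to scan. The changelog says only hid_warn_ratelimited() is needed, so it would help to name the user that requires it.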
-- 
2.53.0





* [PATCH 7.0 096/378] riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 095/378] verification/rvgen: Fix ltl2k writing True as a literal Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 097/378] riscv: cfi: reject unknown flags in PR_SET_CFI Greg Kroah-Hartman
                   ` (282 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andreas Schwab, Paul Walmsley,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Schwab <schwab@suse.de>

[ Upstream commit e3573f739e3dadab57ec80488d07e05c8f6e82d3 ]

Fixes a warning while dumping core:

[54983.546369][    C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982

Fixes: 2af7c9cf021c ("riscv/ptrace: expose riscv CFI status and state via ptrace and in core files")
Signed-off-by: Andreas Schwab <schwab@suse.de>
Link: https://patch.msgid.link/87y0hcxuh5.fsf@igel.home
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/kernel/ptrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/kernel/ptrace.c b/arch/riscv/kernel/ptrace.c
index 793bcee4618282..f336a183667eb8 100644
--- a/arch/riscv/kernel/ptrace.c
+++ b/arch/riscv/kernel/ptrace.c
@@ -413,7 +413,7 @@ static struct user_regset riscv_user_regset[] __ro_after_init = {
 #endif
 #ifdef CONFIG_RISCV_USER_CFI
 	[REGSET_CFI] = {
-		.core_note_type = NT_RISCV_USER_CFI,
+		USER_REGSET_NOTE_TYPE(RISCV_USER_CFI),
 		.align = sizeof(__u64),
 		.n = sizeof(struct user_cfi_state) / sizeof(__u64),
 		.size = sizeof(__u64),
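Review bot: `USER_REGSET_NOTE_TYPE(RISCV_USER_CFI),` is the one initialiser in the [REGSET_CFI] entry that does not name its field, so it is not visible here which members it sets; the `[!note_name]` warning quoted in the changelog implies the macro fills in the note name as well as the type. Check the remaining riscv_user_regset[] entries for any other direct `.core_note_type =` assignment, which would trip the same warning.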
-- 
2.53.0





* [PATCH 6.1 180/522] HID: pass the buffer size to hid_report_raw_event
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 179/522] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 181/522] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
                   ` (342 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Johan Hovold,
	Jiri Kosina, Lee Jones, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <bentiss@kernel.org>

[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ]

commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
bogus memset()") enforced the provided data to be at least the size of
the declared buffer in the report descriptor to prevent a buffer
overflow. However, we can try to be smarter by providing both the buffer
size and the data size, meaning that hid_report_raw_event() can make
a better decision whether we should plainly reject the buffer (buffer
overflow attempt) or if we can safely memset it to 0 and pass it to the
rest of the stack.

Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
[Lee: Backported to linux-6.12.y and beyond]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c           | 33 +++++++++++++++++++++++---------
 drivers/hid/hid-gfrm.c           |  4 ++--
 drivers/hid/hid-logitech-hidpp.c |  2 +-
 drivers/hid/hid-multitouch.c     |  2 +-
 drivers/hid/hid-primax.c         |  2 +-
 drivers/hid/hid-vivaldi-common.c |  2 +-
 drivers/hid/wacom_sys.c          |  6 +++---
 drivers/staging/greybus/hid.c    |  2 +-
 include/linux/hid.h              |  4 ++--
 9 files changed, 36 insertions(+), 21 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 3f3de08969b55c..2be5823002a3a4 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1989,24 +1989,32 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
 }
 EXPORT_SYMBOL_GPL(__hid_request);
 
-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-			 int interrupt)
+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
+			 size_t bufsize, u32 size, int interrupt)
 {
 	struct hid_report_enum *report_enum = hid->report_enum + type;
 	struct hid_report *report;
 	struct hid_driver *hdrv;
 	int max_buffer_size = HID_MAX_BUFFER_SIZE;
 	u32 rsize, csize = size;
+	size_t bsize = bufsize;
 	u8 *cdata = data;
 	int ret = 0;
 
 	report = hid_get_report(report_enum, data);
 	if (!report)
-		goto out;
+		return 0;
+
+	if (unlikely(bsize < csize)) {
+		hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+				     report->id, csize, bsize);
+		return -EINVAL;
+	}
 
 	if (report_enum->numbered) {
 		cdata++;
 		csize--;
+		bsize--;
 	}
 
 	rsize = hid_compute_report_size(report);
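Review bot: The new warning in the `bsize < csize` branch prints `bsize`, a `size_t`, with `%ld` and `csize`, a `u32`, with `%d`. `%ld` does not match `size_t` on builds where `size_t` is `unsigned int`, and `%d` is a signed specifier for an unsigned value. Use `%zu` for `bsize` and `%u` for `csize`; the second warning added further down in this function has the same pair of specifiers.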
@@ -2019,9 +2027,15 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 	else if (rsize > max_buffer_size)
 		rsize = max_buffer_size;
 
+	if (bsize < rsize) {
+		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+				     report->id, rsize, bsize);
+		return -EINVAL;
+	}
+
 	if (csize < rsize) {
 		dbg_hid("report %d is too short, (%d < %d)\n", report->id,
-				csize, rsize);
+			csize, rsize);
 		memset(cdata + csize, 0, rsize - csize);
 	}
 
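Review bot: The message in the added `bsize < rsize` branch says the event data "was too short", but the value compared against `rsize` is the buffer size, not the data length; a short `csize` is still handled by the `memset()` just below. Wording such as "buffer too small for report" would point whoever reads the log at the caller's allocation. The re-indent of the `csize, rsize);` continuation line is unrelated whitespace and would be easier to review as a separate change.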
@@ -2030,7 +2044,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 	if (hid->claimed & HID_CLAIMED_HIDRAW) {
 		ret = hidraw_report_event(hid, data, size);
 		if (ret)
-			goto out;
+			return ret;
 	}
 
 	if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
@@ -2042,7 +2056,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 
 	if (hid->claimed & HID_CLAIMED_INPUT)
 		hidinput_report_event(hid, report);
-out:
+
 	return ret;
 }
 EXPORT_SYMBOL_GPL(hid_report_raw_event);
@@ -2058,12 +2072,13 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event);
  *
  * This is data entry for lower layers.
  */
-int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-		     int interrupt)
+int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data,
+		     u32 size, int interrupt)
 {
 	struct hid_report_enum *report_enum;
 	struct hid_driver *hdrv;
 	struct hid_report *report;
+	size_t bufsize = size;
 	int ret = 0;
 
 	if (!hid)
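Review bot: `size_t bufsize = size;` makes the buffer size and the data size identical for every report arriving through hid_input_report(), so in hid_report_raw_event() `bsize < csize` can never be true on this path, and any report with `csize < rsize` is rejected by the `bsize < rsize` check before the zero-padding `memset()` is reached. If that is intended until callers can supply the real allocation size, a comment on this line saying so would stop the next reader from assuming the padding path is still live here.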
@@ -2102,7 +2117,7 @@ int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data
 			goto unlock;
 	}
 
-	ret = hid_report_raw_event(hid, type, data, size, interrupt);
+	ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
 
 unlock:
 	up(&hid->driver_input_lock);
diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c
index 699186ff2349e9..d2a56bf92b416e 100644
--- a/drivers/hid/hid-gfrm.c
+++ b/drivers/hid/hid-gfrm.c
@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
 	switch (data[1]) {
 	case GFRM100_SEARCH_KEY_DOWN:
 		ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
-					   sizeof(search_key_dn), 1);
+					   sizeof(search_key_dn), sizeof(search_key_dn), 1);
 		break;
 
 	case GFRM100_SEARCH_KEY_AUDIO_DATA:
@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
 
 	case GFRM100_SEARCH_KEY_UP:
 		ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
-					   sizeof(search_key_up), 1);
+					   sizeof(search_key_up), sizeof(search_key_up), 1);
 		break;
 
 	default:
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index c65b5f004bac57..89b0374bb9a851 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -3451,7 +3451,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp,
 	memcpy(&consumer_report[1], &data[3], 4);
 	/* We are called from atomic context */
 	hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
-			     consumer_report, 5, 1);
+			     consumer_report, sizeof(consumer_report), 5, 1);
 
 	return 1;
 }
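Review bot: `sizeof(consumer_report)` is the buffer capacity only if `consumer_report` is an array declared in this function, and its declaration is outside the hunk; if it is a pointer, this passes the pointer size as `bufsize`. Worth confirming in the surrounding code. The literal `5` for the data length next to it could be derived from the same declaration so the two values cannot drift apart.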
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 0039508943626d..6c04eed0a46464 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -479,7 +479,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
 		}
 
 		ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
-					   size, 0);
+					   size, size, 0);
 		if (ret)
 			dev_warn(&hdev->dev, "failed to report feature\n");
 	}
diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c
index 1e6413d07cae21..16e2a811eda9f0 100644
--- a/drivers/hid/hid-primax.c
+++ b/drivers/hid/hid-primax.c
@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report,
 			data[0] |= (1 << (data[idx] - 0xE0));
 			data[idx] = 0;
 		}
-		hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
+		hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
 		return 1;
 
 	default:	/* unknown report */
diff --git a/drivers/hid/hid-vivaldi-common.c b/drivers/hid/hid-vivaldi-common.c
index b0af2be948952c..7fb986615768f7 100644
--- a/drivers/hid/hid-vivaldi-common.c
+++ b/drivers/hid/hid-vivaldi-common.c
@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_device *hdev,
 	}
 
 	ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
-				   report_len, 0);
+				   report_len, report_len, 0);
 	if (ret) {
 		dev_warn(&hdev->dev, "failed to report feature %d\n",
 			 field->report->id);
diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 9106f16e42df23..9d2a54451b0b5f 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -74,7 +74,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
 		int err;
 
 		size = kfifo_out(fifo, buf, sizeof(buf));
-		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
+		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
 		if (err) {
 			hid_warn(hdev, "%s: unable to flush event due to error %d\n",
 				 __func__, err);
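Review bot: In wacom_wac_queue_flush() the capacity of `buf` is visibly `sizeof(buf)` (it is what kfifo_out() is given on the preceding line), yet the call passes `size` for both the new `bufsize` argument and the data length. Passing `sizeof(buf)` as `bufsize` would let a short report be zero-padded inside the real buffer instead of being treated as if the buffer ended where the data ends.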
@@ -319,7 +319,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
 					       data, n, WAC_CMD_RETRIES);
 			if (ret == n && features->type == HID_GENERIC) {
 				ret = hid_report_raw_event(hdev,
-					HID_FEATURE_REPORT, data, n, 0);
+					HID_FEATURE_REPORT, data, n, n, 0);
 			} else if (ret == 2 && features->type != HID_GENERIC) {
 				features->touch_max = data[1];
 			} else {
@@ -381,7 +381,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
 					data, n, WAC_CMD_RETRIES);
 		if (ret == n) {
 			ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
-						   data, n, 0);
+						   data, n, n, 0);
 		} else {
 			hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
 				 __func__);
diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index adb91286803a91..49b42c0ab078ec 100644
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report)
 	 * we just need to setup the input fields, so using
 	 * hid_report_raw_event is safe.
 	 */
-	hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
+	hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
 }
 
 static void gb_hid_init_reports(struct gb_hid *ghid)
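Review bot: hid_report_raw_event() can now return -EINVAL when `ghid->bufsize` is smaller than `size` or than the computed report size, but the return value is still discarded at this call, so a rejected report goes unnoticed during init. Check the result and log or propagate the failure. The comment above the call that says using hid_report_raw_event is safe should also mention the `bufsize` bound it now relies on.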
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 058ba486fdcf87..c57fc6a918c030 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1188,8 +1188,8 @@ static inline u32 hid_report_len(struct hid_report *report)
 	return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
 }
 
-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-			 int interrupt);
+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
+			 size_t bufsize, u32 size, int interrupt);
 
 /* HID quirks API */
 unsigned long hid_lookup_quirk(const struct hid_device *hdev);
-- 
2.53.0





* [PATCH 7.0 097/378] riscv: cfi: reject unknown flags in PR_SET_CFI
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 096/378] riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 098/378] xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload Greg Kroah-Hartman
                   ` (281 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Richard Patel, Paul Walmsley,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Patel <ripatel@wii.dev>

[ Upstream commit 15b4155138505669d3d43d7692459ee8ea2a86e7 ]

prctl(PR_SET_CFI,PR_CFI_BRANCH_LANDING_PADS) silently ignored
unknown control values. Only PR_CFI_{ENABLE,DISABLE,LOCK} should
be permitted.

This changes the behavior of the uABI (fails previously accepted bits
with EINVAL).

Fixes: 08ee1559052b ("prctl: cfi: change the branch landing pad prctl()s to be more descriptive")
Signed-off-by: Richard Patel <ripatel@wii.dev>
Link: https://patch.msgid.link/20260518183918.322545-1-ripatel@wii.dev
[pjw@kernel.org: change the patch description to note that although this is a uABI change, it does not break the uABI]
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/include/asm/usercfi.h             | 1 +
 arch/riscv/kernel/usercfi.c                  | 3 +++
 tools/testing/selftests/riscv/cfi/cfitests.c | 6 ++++++
 3 files changed, 10 insertions(+)

diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h
index f56966edbf5c62..61ee02cee29720 100644
--- a/arch/riscv/include/asm/usercfi.h
+++ b/arch/riscv/include/asm/usercfi.h
@@ -50,6 +50,7 @@ void set_indir_lp_status(struct task_struct *task, bool enable);
 void set_indir_lp_lock(struct task_struct *task, bool lock);
 
 #define PR_SHADOW_STACK_SUPPORTED_STATUS_MASK (PR_SHADOW_STACK_ENABLE)
+#define PR_CFI_SUPPORTED_STATUS_MASK (PR_CFI_ENABLE | PR_CFI_DISABLE | PR_CFI_LOCK)
 
 #else
 
diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
index 2c535737511dce..1ea86f21fbfa61 100644
--- a/arch/riscv/kernel/usercfi.c
+++ b/arch/riscv/kernel/usercfi.c
@@ -476,6 +476,9 @@ int arch_prctl_set_branch_landing_pad_state(struct task_struct *t, unsigned long
 	if (!is_user_lpad_enabled())
 		return -EINVAL;
 
+	if (state & ~PR_CFI_SUPPORTED_STATUS_MASK)
+		return -EINVAL;
+
 	/* indirect branch tracking is locked and further can't be modified by user */
 	if (is_indir_lp_locked(t))
 		return -EINVAL;
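Review bot: The added `state & ~PR_CFI_SUPPORTED_STATUS_MASK` test rejects unknown bits, but the mask contains both PR_CFI_ENABLE and PR_CFI_DISABLE, so a request with both set passes this check. Unless that combination is refused further down, outside the visible lines, reject it here as well. A one-line comment that reserved bits return -EINVAL would also document the uABI behaviour at the point where it is enforced.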
diff --git a/tools/testing/selftests/riscv/cfi/cfitests.c b/tools/testing/selftests/riscv/cfi/cfitests.c
index 39d097b6881ff2..0e3943461e7d83 100644
--- a/tools/testing/selftests/riscv/cfi/cfitests.c
+++ b/tools/testing/selftests/riscv/cfi/cfitests.c
@@ -141,6 +141,12 @@ int main(int argc, char *argv[])
 
 	ksft_print_msg("Starting risc-v tests\n");
 
+	/* Test unknown PR_CFI bits */
+	ret = my_syscall5(__NR_prctl, PR_SET_CFI, PR_CFI_BRANCH_LANDING_PADS,
+			  PR_CFI_ENABLE | 0xffff0, 0, 0);
+	if (!ret)
+		ksft_exit_fail_msg("PR_SET_CFI accepted reserved branch landing pad bits\n");
+
 	/*
 	 * Landing pad test. Not a lot of kernel changes to support landing
 	 * pads for user mode except lighting up a bit in senvcfg via a prctl.
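Review bot: The new test only checks `if (!ret)`, so any failure counts as a pass, including the -EINVAL from the `is_user_lpad_enabled()` check that precedes the new mask test in arch_prctl_set_branch_landing_pad_state(); on a system without landing pads it passes without exercising the fix. Assert on the specific error (EINVAL) and either run it only where landing pads are known to be enabled or report a skip otherwise. The literal `0xffff0` would read better with a comment saying which reserved bits it is meant to cover.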
-- 
2.53.0





* [PATCH 6.1 181/522] HID: core: Fix size_t specifier in hid_report_raw_event()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 180/522] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 182/522] RDMA/rxe: Complete the rxe_cleanup_task backport Greg Kroah-Hartman
                   ` (341 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Miguel Ojeda, Nathan Chancellor,
	Linus Torvalds, Lee Jones, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ]

When building for 32-bit platforms, for which 'size_t' is
'unsigned int', there are warnings around using the incorrect format
specifier to print bsize in hid_report_raw_event():

  drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
   2053 |                 hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
        |                                                                                         ~~~
        |                                                                                         %zu
   2054 |                                      report->id, csize, bsize);
        |                                                         ^~~~~
  drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
   2075 |                 hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
        |                                                                                          ~~~
        |                                                                                          %zu
   2076 |                                      report->id, rsize, bsize);
        |                                                         ^~~~~

Use the proper 'size_t' format specifier, '%zu', to clear up the
warnings.

Cc: stable@vger.kernel.org
Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Reported-by: Miguel Ojeda <ojeda@kernel.org>
Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 2be5823002a3a4..2191205ce5b0bf 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2006,7 +2006,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 		return 0;
 
 	if (unlikely(bsize < csize)) {
-		hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+		hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n",
 				     report->id, csize, bsize);
 		return -EINVAL;
 	}
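Review bot: With `bsize` switched to `%zu`, the other length in the same format string is still printed with `%d`, while `csize` here and `rsize` in the next hunk are declared `u32` in this function. `%u` matches their type; fixing both specifiers in this patch would leave the two warnings fully consistent.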
@@ -2028,7 +2028,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 		rsize = max_buffer_size;
 
 	if (bsize < rsize) {
-		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
 				     report->id, rsize, bsize);
 		return -EINVAL;
 	}
-- 
2.53.0





* [PATCH 7.0 098/378] xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 097/378] riscv: cfi: reject unknown flags in PR_SET_CFI Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 099/378] dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments Greg Kroah-Hartman
                   ` (280 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Steffen Klassert,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit eb48730bb827d1550401a5d391903f9d90b493c8 ]

__input_process_payload() stores first_skb into xtfs->ra_newskb under
drop_lock when starting partial reassembly, then unlocks and breaks out
of the processing loop. The post-loop check reads xtfs->ra_newskb
without the lock to decide whether first_skb is still owned:

    if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)

Between spin_unlock and this read, a concurrent CPU running
iptfs_reassem_cont() (or the drop_timer hrtimer) can complete
reassembly, NULL xtfs->ra_newskb, and free the skb. The check then
evaluates first_skb != NULL as true, and pskb_trim/ip_summed/consume_skb
operate on the freed skb — a use-after-free in skbuff_head_cache.

Replace the unlocked read with a local bool that records whether
first_skb was handed to the reassembly state in the current call. The
flag is set after the existing spin_unlock, before the break, using the
pointer equality that is stable at that point (first_skb == skb iff
first_skb was stored in ra_newskb).

Fixes: 3f3339885fb3 ("xfrm: iptfs: add reusing received skb for the tunnel egress packet")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_iptfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 6c6bbc0405170c..f25504610d8b23 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -954,6 +954,7 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data,
 	u32 first_iplen, iphlen, iplen, remaining, tail;
 	u32 capturelen;
 	u64 seq;
+	bool first_skb_partial = false;
 
 	xtfs = x->mode_data;
 	net = xs_net(x);
@@ -1161,6 +1162,7 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data,
 
 			spin_unlock(&xtfs->drop_lock);
 
+			first_skb_partial = (first_skb == skb);
 			break;
 		}
 
@@ -1172,7 +1174,7 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data,
 		/* this should not happen from the above code */
 		XFRM_INC_STATS(net, LINUX_MIB_XFRMINIPTFSERROR);
 
-	if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb) {
+	if (first_skb && first_iplen && !defer && !first_skb_partial) {
 		/* first_skb is queued b/c !defer and not partial */
 		if (pskb_trim(first_skb, first_iplen)) {
 			/* error trimming */
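Review bot: The rewritten condition is only correct while `first_skb_partial` is set on every path that stores `first_skb` into `xtfs->ra_newskb`; in the visible hunks that is the single assignment before the `break`. A short comment at that assignment, saying that `xtfs->ra_newskb` must not be read again once `drop_lock` is released, would keep a later change from reintroducing the unlocked read.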
-- 
2.53.0





* [PATCH 6.1 182/522] RDMA/rxe: Complete the rxe_cleanup_task backport
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 181/522] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 183/522] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
                   ` (340 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Vladislav Nikolaev, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladislav Nikolaev <vlad102nikolaev@gmail.com>

No upstream commit exists for this patch.

The issue was introduced with backporting upstream commit b2b1ddc45745
("RDMA/rxe: Fix the error "trying to register non-static key in
rxe_cleanup_task"") to the 6.1 stable tree as commit 3236221bb8e4
("RDMA/rxe: Fix the error "trying to register non-static key in
rxe_cleanup_task"").

The 6.1 backport guarded qp->req.task and qp->comp.task before calling
rxe_cleanup_task(), but left qp->resp.task unguarded. It also kept the
responder task cleanup before deleting the RC timers, while upstream had
already moved it after the timer shutdown by commit 960ebe97e523
("RDMA/rxe: Remove __rxe_do_task()").

In the 6.1 tree, rxe_qp_from_init() calls rxe_qp_init_req() before
rxe_qp_init_resp(). Therefore, if rxe_qp_init_req() fails, cleanup can
run before qp->resp.task has been initialized by rxe_init_task(), and the
unconditional rxe_cleanup_task(&qp->resp.task) can still hit the same
uninitialized task lock problem that upstream commit b2b1ddc45745 fixed.

Move responder task cleanup after deleting the RC timers, matching the
upstream cleanup order, and guard it with qp->resp.task.func like the
requester and completer tasks.

Fixes: 3236221bb8e4 ("RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"")
Signed-off-by: Vladislav Nikolaev <vlad102nikolaev@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 709c63e9773c5f..171c0f4dcbecfc 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -781,13 +781,15 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
 
 	qp->valid = 0;
 	qp->qp_timeout_jiffies = 0;
-	rxe_cleanup_task(&qp->resp.task);
 
 	if (qp_type(qp) == IB_QPT_RC) {
 		del_timer_sync(&qp->retrans_timer);
 		del_timer_sync(&qp->rnr_nak_timer);
 	}
 
+	if (qp->resp.task.func)
+		rxe_cleanup_task(&qp->resp.task);
+
 	if (qp->req.task.func)
 		rxe_cleanup_task(&qp->req.task);
 
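Review bot: The new `if (qp->resp.task.func)` guard treats a NULL `func` as "task never initialised", which holds only if the qp memory is zeroed before rxe_qp_from_init() runs; that assumption is not visible in this hunk. A comment on the guard stating it, shared with the `qp->req.task.func` check below, would make the dependency explicit.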
-- 
2.53.0





* [PATCH 7.0 099/378] dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 098/378] xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 100/378] dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device Greg Kroah-Hartman
                   ` (279 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Logan Gunthorpe, Li RongQing,
	Marek Szyprowski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li RongQing <lirongqing@baidu.com>

[ Upstream commit 560000d619ef162568746ce287f0c725e24ea967 ]

In dma_direct_map_sg(), the case PCI_P2PDMA_MAP_THRU_HOST_BRIDGE
incorrectly used 'break' instead of falling through to MAP_NONE.
As a result, segments traversing the host bridge skipped the required
dma_direct_map_phys() call entirely, leaving sg->dma_address
uninitialized and leading to DMA failures. Fix this by using
'fallthrough;'.

Fixes: a25e7962db0d79 ("PCI/P2PDMA: Refactor the p2pdma mapping helpers")
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20260603013723.2439-1-lirongqing@baidu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/dma/direct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
index 8f43a930716d46..306afebf54ef06 100644
--- a/kernel/dma/direct.c
+++ b/kernel/dma/direct.c
@@ -466,7 +466,7 @@ int dma_direct_map_sg(struct device *dev, struct scatterlist *sgl, int nents,
 			 * must be mapped with CPU physical address and not PCI
 			 * bus addresses.
 			 */
-			break;
+			fallthrough;
 		case PCI_P2PDMA_MAP_NONE:
 			sg->dma_address = dma_direct_map_phys(dev, sg_phys(sg),
 					sg->length, dir, attrs);
-- 
2.53.0





* [PATCH 6.1 183/522] USB: serial: digi_acceleport: fix memory corruption with small endpoints
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 182/522] RDMA/rxe: Complete the rxe_cleanup_task backport Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 184/522] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
                   ` (339 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit cb3560e8eab1dfa1cac1ed52631adf8ec6ff2cd5 upstream.

Add the missing bulk-out buffer size sanity checks to avoid
out-of-bounds memory accesses or slab corruption should a malicious
device report smaller buffers than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/serial/digi_acceleport.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index 45d688e9b93f68..eb23f7bb41e728 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1230,15 +1230,34 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
 static int digi_startup(struct usb_serial *serial)
 {
 	struct digi_serial *serial_priv;
+	int oob_port_num;
 	int ret;
+	int i;
+
+	/*
+	 * The port bulk-out buffers must be large enough for header and
+	 * buffered data.
+	 */
+	for (i = 0; i < serial->type->num_ports; i++) {
+		if (serial->port[i]->bulk_out_size < DIGI_OUT_BUF_SIZE + 2)
+			return -EINVAL;
+	}
+
+	/*
+	 * The OOB port bulk-out buffer must be large enough for the two
+	 * commands in digi_set_modem_signals().
+	 */
+	oob_port_num = serial->type->num_ports;
+	if (serial->port[oob_port_num]->bulk_out_size < 8)
+		return -EINVAL;
 
 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
 	if (!serial_priv)
 		return -ENOMEM;
 
 	spin_lock_init(&serial_priv->ds_serial_lock);
-	serial_priv->ds_oob_port_num = serial->type->num_ports;
-	serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
+	serial_priv->ds_oob_port_num = oob_port_num;
+	serial_priv->ds_oob_port = serial->port[oob_port_num];
 
 	ret = digi_port_init(serial_priv->ds_oob_port,
 						serial_priv->ds_oob_port_num);
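Review bot: The two added size checks use bare literals: `DIGI_OUT_BUF_SIZE + 2` for the port buffers and `8` for the OOB port. The comments explain them, but named constants for the header length and for the size of the two digi_set_modem_signals() commands would keep the checks in step if either layout changes. The checks also dereference `serial->port[i]` and `serial->port[oob_port_num]`, the latter at index `num_ports`, so they rely on all `num_ports + 1` port structures being set up before digi_startup() is called; the comment should say so.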
-- 
2.53.0





* [PATCH 7.0 100/378] dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 099/378] dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 101/378] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
                   ` (278 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li RongQing, Marek Szyprowski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li RongQing <lirongqing@baidu.com>

[ Upstream commit 9bfaa86b405381326c971984fd6da184c289713f ]

In debug_dma_sync_sg_for_device(), when iterating over a scatterlist,
the debug entry population mistakenly uses the head of the scatterlist
'sg' to fetch the physical address via sg_phys(), instead of using the
current iterator variable 's'.

This causes dma-debug to track the physical address of the very first
scatterlist entry for all subsequent entries in the list.

Fix this by passing the correct loop iterator 's' to sg_phys().

Fixes: 9d4f645a1fd49ee ("dma-debug: store a phys_addr_t in struct dma_debug_entry")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20260603123708.1665-1-lirongqing@baidu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/dma/debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
index 3248f8b4d096de..2c0e2cd89b5ed7 100644
--- a/kernel/dma/debug.c
+++ b/kernel/dma/debug.c
@@ -1556,7 +1556,7 @@ void debug_dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
 		struct dma_debug_entry ref = {
 			.type           = dma_debug_sg,
 			.dev            = dev,
-			.paddr		= sg_phys(sg),
+			.paddr		= sg_phys(s),
 			.dev_addr       = sg_dma_address(s),
 			.size           = sg_dma_len(s),
 			.direction      = direction,
-- 
2.53.0





* [PATCH 6.1 184/522] xhci: tegra: Fix ghost USB device on dual-role port unplug
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 183/522] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 185/522] netfilter: nf_tables: restore set elements when delete set fails Greg Kroah-Hartman
                   ` (338 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wei-Cheng Chen, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei-Cheng Chen <weichengc@nvidia.com>

[ Upstream commit 5a4c828b8b29b47534814ade26d9aee09d5101fc ]

When a USB device is unplugged from the dual-role port, the device-mode
path in tegra_xhci_id_work() explicitly clears both SS and HS port power
via direct hub_control ClearPortFeature(POWER) calls. This preempts the
xHCI controller's normal disconnect processing -- PORT_CSC is never
generated, the USB core never sees the disconnect, and the device remains
in its internal tree as a ghost visible in lsusb.

Add an otg_set_port_power flag to control whether the dual-role switch
path performs explicit port power management. SoCs that need it
(Tegra124 / Tegra210 / Tegra186) set the flag; later SoCs (Tegra194 and
beyond) rely on the PHY mode change to handle disconnect naturally and
skip all port power calls.

Within the port power path, otg_reset_sspi additionally gates the SSPI
reset sequence on host-mode entry for SoCs that require it.

Flags set per SoC:
  Tegra124, Tegra186  -> otg_set_port_power
  Tegra210            -> otg_set_port_power, otg_reset_sspi
  Tegra194 and later  -> (none)

[ Backport to 6.1.y: keep the host-mode snapshot in the existing
  tegra->lock section, retain pm_runtime_mark_last_busy() in the host
  port-power path, and omit the newer Tegra234 entry. ]

Fixes: f836e7843036 ("usb: xhci-tegra: Add OTG support")
Cc: stable@vger.kernel.org
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Link: https://patch.msgid.link/20260505112630.217704-1-weichengc@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/xhci-tegra.c | 78 ++++++++++++++++++++---------------
 1 file changed, 44 insertions(+), 34 deletions(-)

diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
index 14a772feab7946..0f936aeb88d064 100644
--- a/drivers/usb/host/xhci-tegra.c
+++ b/drivers/usb/host/xhci-tegra.c
@@ -210,6 +210,7 @@ struct tegra_xusb_soc {
 	bool has_ipfs;
 	bool lpm_support;
 	bool otg_reset_sspi;
+	bool otg_set_port_power;
 };
 
 struct tegra_xusb_context {
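Review bot: the new `otg_set_port_power` member is added without any comment, and its relationship to `otg_reset_sspi` directly above it is not obvious from the struct alone. Later in this patch `otg_reset_sspi` is only evaluated inside the `if (tegra->soc->otg_set_port_power)` branch, so it has no effect unless the new flag is also set. A one-line comment on each member stating that dependency would prevent a future SoC entry from setting `otg_reset_sspi` alone and silently getting no SSPI reset.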
@@ -1211,14 +1212,17 @@ static void tegra_xhci_id_work(struct work_struct *work)
 	struct tegra_xusb_mbox_msg msg;
 	struct phy *phy = tegra_xusb_get_phy(tegra, "usb2",
 						    tegra->otg_usb2_port);
+	bool host_mode;
 	u32 status;
 	int ret;
 
-	dev_dbg(tegra->dev, "host mode %s\n", tegra->host_mode ? "on" : "off");
-
 	mutex_lock(&tegra->lock);
 
-	if (tegra->host_mode)
+	host_mode = tegra->host_mode;
+
+	dev_dbg(tegra->dev, "host mode %s\n", host_mode ? "on" : "off");
+
+	if (host_mode)
 		phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_HOST);
 	else
 		phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_NONE);
@@ -1229,42 +1233,44 @@ static void tegra_xhci_id_work(struct work_struct *work)
 								    tegra->otg_usb2_port);
 
 	pm_runtime_get_sync(tegra->dev);
-	if (tegra->host_mode) {
-		/* switch to host mode */
-		if (tegra->otg_usb3_port >= 0) {
-			if (tegra->soc->otg_reset_sspi) {
-				/* set PP=0 */
-				tegra_xhci_hc_driver.hub_control(
-					xhci->shared_hcd, GetPortStatus,
-					0, tegra->otg_usb3_port+1,
-					(char *) &status, sizeof(status));
-				if (status & USB_SS_PORT_STAT_POWER)
-					tegra_xhci_set_port_power(tegra, false,
-								  false);
-
-				/* reset OTG port SSPI */
-				msg.cmd = MBOX_CMD_RESET_SSPI;
-				msg.data = tegra->otg_usb3_port+1;
-
-				ret = tegra_xusb_mbox_send(tegra, &msg);
-				if (ret < 0) {
-					dev_info(tegra->dev,
-						"failed to RESET_SSPI %d\n",
-						ret);
+	if (tegra->soc->otg_set_port_power) {
+		if (host_mode) {
+			/* switch to host mode */
+			if (tegra->otg_usb3_port >= 0) {
+				if (tegra->soc->otg_reset_sspi) {
+					/* set PP=0 */
+					tegra_xhci_hc_driver.hub_control(
+						xhci->shared_hcd, GetPortStatus,
+						0, tegra->otg_usb3_port+1,
+						(char *) &status, sizeof(status));
+					if (status & USB_SS_PORT_STAT_POWER)
+						tegra_xhci_set_port_power(tegra, false,
+									  false);
+
+					/* reset OTG port SSPI */
+					msg.cmd = MBOX_CMD_RESET_SSPI;
+					msg.data = tegra->otg_usb3_port+1;
+
+					ret = tegra_xusb_mbox_send(tegra, &msg);
+					if (ret < 0) {
+						dev_info(tegra->dev,
+							"failed to RESET_SSPI %d\n",
+							ret);
+					}
 				}
-			}
 
-			tegra_xhci_set_port_power(tegra, false, true);
-		}
+				tegra_xhci_set_port_power(tegra, false, true);
+			}
 
-		tegra_xhci_set_port_power(tegra, true, true);
-		pm_runtime_mark_last_busy(tegra->dev);
+			tegra_xhci_set_port_power(tegra, true, true);
+			pm_runtime_mark_last_busy(tegra->dev);
 
-	} else {
-		if (tegra->otg_usb3_port >= 0)
-			tegra_xhci_set_port_power(tegra, false, false);
+		} else {
+			if (tegra->otg_usb3_port >= 0)
+				tegra_xhci_set_port_power(tegra, false, false);
 
-		tegra_xhci_set_port_power(tegra, true, false);
+			tegra_xhci_set_port_power(tegra, true, false);
+		}
 	}
 	pm_runtime_put_autosuspend(tegra->dev);
 }
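Review bot: in the re-indented host-mode branch, `status` is still tested with `if (status & USB_SS_PORT_STAT_POWER)` without checking the return value of the `hub_control(... GetPortStatus ...)` call, and `u32 status;` is declared uninitialized at the top of the function. If that call fails, the power-off decision is made on stack garbage. Since these lines are being touched anyway, either initialize `status = 0` or skip the test when the call returns an error. Separately, on SoCs where `otg_set_port_power` is false the `pm_runtime_get_sync()` / `pm_runtime_put_autosuspend()` pair now brackets an empty section; that looks harmless but is worth confirming as intended.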
@@ -2289,6 +2295,7 @@ static const struct tegra_xusb_soc tegra124_soc = {
 	.scale_ss_clock = true,
 	.has_ipfs = true,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = true,
 	.mbox = {
 		.cmd = 0xe4,
 		.data_in = 0xe8,
@@ -2325,6 +2332,7 @@ static const struct tegra_xusb_soc tegra210_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = true,
 	.otg_reset_sspi = true,
+	.otg_set_port_power = true,
 	.mbox = {
 		.cmd = 0xe4,
 		.data_in = 0xe8,
@@ -2366,6 +2374,7 @@ static const struct tegra_xusb_soc tegra186_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = true,
 	.mbox = {
 		.cmd = 0xe4,
 		.data_in = 0xe8,
@@ -2397,6 +2406,7 @@ static const struct tegra_xusb_soc tegra194_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = false,
 	.mbox = {
 		.cmd = 0x68,
 		.data_in = 0x6c,
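Review bot: `tegra194_soc` gets an explicit `.otg_set_port_power = false`, but any other `tegra_xusb_soc` instance in this tree that the patch does not touch will pick up the same value only through zero-initialization. The backport note says the Tegra234 entry is omitted, so it is worth confirming that every remaining SoC table in 6.1.y is meant to fall under "Tegra194 and later -> (none)" and that none of them previously depended on the port power calls that are now gated.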
-- 
2.53.0





* [PATCH 7.0 101/378] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 100/378] dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 102/378] ice: fix missing priority callbacks for U.FL DPLL pins Greg Kroah-Hartman
                   ` (277 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanghyun Park, Steffen Klassert,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanghyun Park <sanghyun.park.cnu@gmail.com>

[ Upstream commit 7f2d76c9c03257c0782afef9d95321fa04096f60 ]

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

  CPU0 (XFRM_MSG_DELPOLICY)           CPU1 (XFRM_MSG_NEWSPDINFO)
  ==========================          ==========================
  xfrm_policy_bysel_ctx():
    spin_lock_bh(xfrm_policy_lock)
    bin = xfrm_policy_inexact_lookup()
    __xfrm_policy_unlink(pol)
    spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_kill(ret)
    // wide window, lock not held
                                       xfrm_hash_rebuild():
                                         spin_lock_bh(xfrm_policy_lock)
                                         __xfrm_policy_inexact_flush():
                                           kfree_rcu(bin)  // bin freed
                                         spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_inexact_prune_bin(bin)
    // UAF: bin is freed

Fixes: 6be3b0db6db8 ("xfrm: policy: add inexact policy search tree infrastructure")
Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_policy.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d904352fb24276..97b5ff9687a30c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1156,15 +1156,6 @@ static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool
 	}
 }
 
-static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
-{
-	struct net *net = read_pnet(&b->k.net);
-
-	spin_lock_bh(&net->xfrm.xfrm_policy_lock);
-	__xfrm_policy_inexact_prune_bin(b, false);
-	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
-}
-
 static void __xfrm_policy_inexact_flush(struct net *net)
 {
 	struct xfrm_pol_inexact_bin *bin, *t;
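Review bot: with the locking wrapper removed, every caller of `__xfrm_policy_inexact_prune_bin()` must already hold `xfrm_policy_lock`, but nothing in the helper enforces or documents that. The deleted wrapper shows how to reach the lock from the bin (`read_pnet(&b->k.net)`), so a `lockdep_assert_held(&net->xfrm.xfrm_policy_lock)` at the top of the helper would turn a future unlocked call into an immediate lockdep report rather than another use-after-free.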
@@ -1707,12 +1698,12 @@ xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
 		}
 		ret = pol;
 	}
+	if (bin && delete)
+		__xfrm_policy_inexact_prune_bin(bin, false);
 	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
 
 	if (ret && delete)
 		xfrm_policy_kill(ret);
-	if (bin && delete)
-		xfrm_policy_inexact_prune_bin(bin);
 	return ret;
 }
 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
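Review bot: the moved `if (bin && delete)` block has no comment explaining why it must sit before `spin_unlock_bh()`, so the ordering looks arbitrary and could be undone by a later cleanup. A short comment stating that `bin` may be freed by a concurrent `xfrm_hash_rebuild()` once the lock is dropped, and therefore must not be dereferenced after the unlock, would keep the constraint next to the code. Note also that the prune now runs before `xfrm_policy_kill(ret)` instead of after it; the commit message does not say whether that reordering is significant.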
-- 
2.53.0





* [PATCH 6.1 185/522] netfilter: nf_tables: restore set elements when delete set fails
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 184/522] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 186/522] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (337 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Vegard Nossum,
	Jakub Acs, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit e79b47a8615d42c68aaeb68971593333667382ed ]

From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
elements in the next generation, this does not work from the abort path
to restore the original state since it has to skip active elements
instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator
callback, then it reverses the logic for the .activate case which
needs to skip active elements.

Toggle next generation bit for elements when delete set command is
invoked and call nft_clear() from .activate (abort) path to restore the
next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS:  00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118]  <TASK>
[43929.458121]  ? __warn+0x9f/0x1a0
[43929.458127]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188]  ? report_bug+0x1b1/0x1e0
[43929.458196]  ? handle_bug+0x3c/0x70
[43929.458200]  ? exc_invalid_op+0x17/0x40
[43929.458211]  ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453]  ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512]  ? rb_insert_color+0x2e/0x280
[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582]  ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642]  ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701]  ? __rcu_read_unlock+0x46/0x70
[43929.458709]  nft_delset+0xff/0x110 [nf_tables]
[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]

Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed)
[Vegard: CVE-2024-27012; fixed conflicts due to missing commits
 0e1ea651c9717ddcd8e0648d8468477a31867b0a ("netfilter: nf_tables: shrink
 memory consumption of set elements") and
 9dad402b89e81a0516bad5e0ac009b7a0a80898f ("netfilter: nf_tables: expose
 opaque set element as struct nft_elem_priv") so we pass the correct types
 and values to nft_setelem_data_deactivate(), nft_setelem_validate(),
 nft_set_elem_ext(), etc.]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[acsjakub: clean cherry-pick of the commit 164936b2fc88
 ("netfilter: nf_tables: restore set elements when delete set fails")
 from 6.6.y. Plus, add "[ Upstream commit .." header to the message]
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_tables_api.c  | 41 ++++++++++++++++++++++++++++++----
 net/netfilter/nft_set_bitmap.c |  4 +---
 net/netfilter/nft_set_hash.c   |  8 ++-----
 net/netfilter/nft_set_pipapo.c |  5 +----
 net/netfilter/nft_set_rbtree.c |  4 +---
 5 files changed, 42 insertions(+), 20 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0c422428263873..201e2cc0453992 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
 				  const struct nft_set_iter *iter,
 				  struct nft_set_elem *elem)
 {
+	struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+	if (!nft_set_elem_active(ext, iter->genmask))
+		return 0;
+
+	nft_set_elem_change_active(ctx->net, set, ext);
 	nft_setelem_data_deactivate(ctx->net, set, elem);
 
 	return 0;
@@ -619,6 +625,7 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
 			continue;
 
 		elem.priv = catchall->elem;
+		nft_set_elem_change_active(ctx->net, set, ext);
 		nft_setelem_data_deactivate(ctx->net, set, &elem);
 		break;
 	}
@@ -3593,6 +3600,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
 	const struct nft_data *data;
 	int err;
 
+	if (!nft_set_elem_active(ext, iter->genmask))
+		return 0;
+
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
 	    *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
 		return 0;
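Review bot: the added `if (!nft_set_elem_active(ext, iter->genmask))` dereferences `iter` unconditionally, and before this patch `nft_set_catchall_validate()` called this function with `iter` set to NULL. The next hunk fixes that one caller by passing `&dummy_iter`, but because this is a conflict-resolved backport, any other direct caller of `nft_setelem_validate()` in 6.1.y needs to be audited for a NULL iterator, otherwise this becomes a NULL-pointer dereference in the validation path.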
@@ -3616,19 +3626,22 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
 
 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
 {
-	u8 genmask = nft_genmask_next(ctx->net);
+	struct nft_set_iter dummy_iter = {
+		.genmask	= nft_genmask_next(ctx->net),
+	};
 	struct nft_set_elem_catchall *catchall;
 	struct nft_set_elem elem;
+
 	struct nft_set_ext *ext;
 	int ret = 0;
 
 	list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
 		ext = nft_set_elem_ext(set, catchall->elem);
-		if (!nft_set_elem_active(ext, genmask))
+		if (!nft_set_elem_active(ext, dummy_iter.genmask))
 			continue;
 
 		elem.priv = catchall->elem;
-		ret = nft_setelem_validate(ctx, set, NULL, &elem);
+		ret = nft_setelem_validate(ctx, set, &dummy_iter, &elem);
 		if (ret < 0)
 			return ret;
 	}
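Review bot: the patch introduces a stray blank line between `struct nft_set_elem elem;` and `struct nft_set_ext *ext;` in the declaration block, which should be dropped. Also, the loop still performs `if (!nft_set_elem_active(ext, dummy_iter.genmask)) continue;` and then calls `nft_setelem_validate()`, which after this patch repeats the same check on the same genmask. The duplication is harmless, but one of the two could go, or a comment could say that the check in the loop is kept deliberately.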
@@ -5103,6 +5116,11 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
 					const struct nft_set_iter *iter,
 					struct nft_set_elem *elem)
 {
+	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+	if (!nft_set_elem_active(ext, iter->genmask))
+		return 0;
+
 	return nft_setelem_data_validate(ctx, set, elem);
 }
 
@@ -5197,6 +5215,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx,
 				const struct nft_set_iter *iter,
 				struct nft_set_elem *elem)
 {
+	struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+	/* called from abort path, reverse check to undo changes. */
+	if (nft_set_elem_active(ext, iter->genmask))
+		return 0;
+
+	nft_clear(ctx->net, ext);
 	nft_setelem_data_activate(ctx->net, set, elem);
 
 	return 0;
@@ -5215,6 +5240,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx,
 		if (nft_set_elem_active(ext, genmask))
 			continue;
 
+		nft_clear(ctx->net, ext);
 		elem.priv = catchall->elem;
 		nft_setelem_data_activate(ctx->net, set, &elem);
 		break;
@@ -5488,6 +5514,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 	struct nft_set_dump_args *args;
 
+	if (!nft_set_elem_active(ext, iter->genmask))
+		return 0;
+
 	if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
 		return 0;
 
@@ -6220,7 +6249,7 @@ static void nft_setelem_activate(struct net *net, struct nft_set *set,
 	struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 
 	if (nft_setelem_is_catchall(set, elem)) {
-		nft_set_elem_change_active(net, set, ext);
+		nft_clear(net, ext);
 	} else {
 		set->ops->activate(net, set, elem);
 	}
@@ -6902,9 +6931,13 @@ static int nft_setelem_flush(const struct nft_ctx *ctx,
 			     const struct nft_set_iter *iter,
 			     struct nft_set_elem *elem)
 {
+	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 	struct nft_trans *trans;
 	int err;
 
+	if (!nft_set_elem_active(ext, iter->genmask))
+		return 0;
+
 	trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
 				    sizeof(struct nft_trans_elem), GFP_ATOMIC);
 	if (!trans)
diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c
index 1e5e7a181e0bc2..cbf7f7825f1b88 100644
--- a/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -171,7 +171,7 @@ static void nft_bitmap_activate(const struct net *net,
 	nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off);
 	/* Enter 11 state. */
 	priv->bitmap[idx] |= (genmask << off);
-	nft_set_elem_change_active(net, set, &be->ext);
+	nft_clear(net, &be->ext);
 }
 
 static bool nft_bitmap_flush(const struct net *net,
@@ -223,8 +223,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx,
 	list_for_each_entry_rcu(be, &priv->list, head) {
 		if (iter->count < iter->skip)
 			goto cont;
-		if (!nft_set_elem_active(&be->ext, iter->genmask))
-			goto cont;
 
 		elem.priv = be;
 
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 9ea4a09903186d..5a74ee4b7dfb35 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -196,7 +196,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set,
 {
 	struct nft_rhash_elem *he = elem->priv;
 
-	nft_set_elem_change_active(net, set, &he->ext);
+	nft_clear(net, &he->ext);
 }
 
 static bool nft_rhash_flush(const struct net *net,
@@ -285,8 +285,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set,
 
 		if (iter->count < iter->skip)
 			goto cont;
-		if (!nft_set_elem_active(&he->ext, iter->genmask))
-			goto cont;
 
 		elem.priv = he;
 
@@ -615,7 +613,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set,
 {
 	struct nft_hash_elem *he = elem->priv;
 
-	nft_set_elem_change_active(net, set, &he->ext);
+	nft_clear(net, &he->ext);
 }
 
 static bool nft_hash_flush(const struct net *net,
@@ -669,8 +667,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set,
 		hlist_for_each_entry_rcu(he, &priv->table[i], node) {
 			if (iter->count < iter->skip)
 				goto cont;
-			if (!nft_set_elem_active(&he->ext, iter->genmask))
-				goto cont;
 
 			elem.priv = he;
 
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index cfd0d020f3382b..11473275c6e263 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1849,7 +1849,7 @@ static void nft_pipapo_activate(const struct net *net,
 {
 	struct nft_pipapo_elem *e = elem->priv;
 
-	nft_set_elem_change_active(net, set, &e->ext);
+	nft_clear(net, &e->ext);
 }
 
 /**
@@ -2151,9 +2151,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 
 		e = f->mt[r].e;
 
-		if (!nft_set_elem_active(&e->ext, iter->genmask))
-			goto cont;
-
 		elem.priv = e;
 
 		iter->err = iter->fn(ctx, set, iter, &elem);
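Review bot: removing the `nft_set_elem_active()` filter from the walkers (here and in the bitmap, rhash, hash and rbtree backends) means every `iter->fn` callback is now responsible for its own genmask check. This patch adds that check to the deactivate, validate, bind-check, activate, dump and flush callbacks in nf_tables_api.c, but any walk callback that lives outside this diff would now see inactive elements it was previously shielded from. For a backport with resolved conflicts, a grep for all `.fn =` assignments on `struct nft_set_iter` in 6.1.y is the check to run before applying.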
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 426becaad1b94f..23e4e656f7f0cb 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -548,7 +548,7 @@ static void nft_rbtree_activate(const struct net *net,
 {
 	struct nft_rbtree_elem *rbe = elem->priv;
 
-	nft_set_elem_change_active(net, set, &rbe->ext);
+	nft_clear(net, &rbe->ext);
 }
 
 static bool nft_rbtree_flush(const struct net *net,
@@ -618,8 +618,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx,
 
 		if (iter->count < iter->skip)
 			goto cont;
-		if (!nft_set_elem_active(&rbe->ext, iter->genmask))
-			goto cont;
 
 		elem.priv = rbe;
 
-- 
2.53.0





* [PATCH 7.0 102/378] ice: fix missing priority callbacks for U.FL DPLL pins
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 101/378] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 103/378] idpf: fix mailbox capability for set device clock time Greg Kroah-Hartman
                   ` (276 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Paul Menzel,
	Petr Oros, Tony Nguyen, Jakub Kicinski, Sasha Levin, Rinitha S

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Petr Oros <poros@redhat.com>

[ Upstream commit f1fa677e428e8873486938086bd934dc18169b47 ]

The U.FL2 input pin advertises DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE
in its capability mask, but ice_dpll_pin_ufl_ops does not provide
.prio_get and .prio_set callbacks. As a result the DPLL subsystem
cannot report or accept priority for U.FL pins: pin-get omits the prio
field on U.FL2 and pin-set with prio is rejected as invalid, even
though the capability is present. This prevents user space from using
priority to select or disable U.FL2 as a DPLL input source.

Reproducer with iproute2 (dpll command):

  # dpll pin show board-label U.FL2
  pin id 16:
    module-name ice
    board-label U.FL2
    type ext
    capabilities priority-can-change|state-can-change
    parent-device:
      id 0 direction input state selectable phase-offset 0
    /* note: no "prio" between "direction" and "state",
       even though priority-can-change is advertised */

  # dpll pin set id 16 parent-device 0 prio 5
  RTNETLINK answers: Operation not supported

After the fix the prio field is reported by pin show and pin set with
prio is accepted on U.FL2.

Add the missing .prio_get and .prio_set callbacks to
ice_dpll_pin_ufl_ops, reusing ice_dpll_sw_input_prio_{get,set}. The
same ops struct is shared by U.FL1 and U.FL2: U.FL2 (input) delegates
to the backing hardware input pin, while U.FL1 (output) does not
advertise DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE so the dpll core
capability gate never invokes prio_set for it, and prio_get reports
the OUTPUT sentinel (ICE_DPLL_PIN_PRIO_OUTPUT) on the output side
exactly like the SMA path does today.

Fixes: 2dd5d03c77e2 ("ice: redesign dpll sma/u.fl pins control")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260602225513.393338-3-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_dpll.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
index 892bc7c2e28b46..0704e92ab04305 100644
--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
+++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
@@ -2633,6 +2633,8 @@ static const struct dpll_pin_ops ice_dpll_pin_ufl_ops = {
 	.state_on_dpll_set = ice_dpll_ufl_pin_state_set,
 	.state_on_dpll_get = ice_dpll_sw_pin_state_get,
 	.direction_get = ice_dpll_pin_sw_direction_get,
+	.prio_get = ice_dpll_sw_input_prio_get,
+	.prio_set = ice_dpll_sw_input_prio_set,
 	.frequency_get = ice_dpll_sw_pin_frequency_get,
 	.frequency_set = ice_dpll_sw_pin_frequency_set,
 	.esync_set = ice_dpll_sw_esync_set,
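Review bot: the two added callbacks are correct for U.FL2, but the commit message explains that this ops struct is shared with U.FL1 (output) and that `prio_set` is safe there only because the dpll core never calls it without `DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE`. That reasoning lives only in the changelog. A comment above `.prio_get` / `.prio_set` noting the reliance on the capability gate, or a direction check inside the setter, would keep the invariant visible if the U.FL1 capability mask is ever changed.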
-- 
2.53.0





* [PATCH 6.1 186/522] USB: serial: cypress_m8: fix memory corruption with small endpoint
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 185/522] netfilter: nf_tables: restore set elements when delete set fails Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 187/522] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
                   ` (336 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.

Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
[ johan: adjust context for 6.18 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/serial/cypress_m8.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index 4c625e77da3a8f..f567617c8f2314 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -448,6 +448,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
 		return -ENODEV;
 	}
 
+	/*
+	 * The buffer must be large enough for the one or two-byte header (and
+	 * following data), but assume anything smaller than eight bytes is
+	 * broken.
+	 */
+	if (port->interrupt_out_size < 8)
+		return -EINVAL;
+
 	priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
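Review bot: the new `if (port->interrupt_out_size < 8) return -EINVAL;` rejects the device silently, so a probe failure caused by an undersized interrupt-out endpoint leaves nothing in the log to distinguish a malicious or broken device from any other probe error. A `dev_err(&port->dev, ...)` that prints the reported size before returning would make the rejection diagnosable and give defenders a log line to alert on. The comment could also state why eight was chosen as the floor, since it names only the one or two-byte header.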
-- 
2.53.0





* [PATCH 7.0 103/378] idpf: fix mailbox capability for set device clock time
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 102/378] ice: fix missing priority callbacks for U.FL DPLL pins Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 104/378] net: ena: PHC: Add missing barrier Greg Kroah-Hartman
                   ` (275 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Samuel Salin,
	Aleksandr Loktionov, Tony Nguyen, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alok Tiwari <alok.a.tiwari@oracle.com>

[ Upstream commit 85b0cbc1f38bc1e38956a9e6d7b04d309b435697 ]

The current code incorrectly uses VIRTCHNL2_CAP_PTP_SET_DEVICE_CLK_TIME
for both direct and mailbox capabilities, causing mailbox-only support
to be ignored and potentially reporting IDPF_PTP_NONE.

Fixes: d5dba8f7206da ("idpf: add PTP clock configuration")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260602225513.393338-4-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/idpf/idpf_ptp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/idpf/idpf_ptp.c b/drivers/net/ethernet/intel/idpf/idpf_ptp.c
index 4a51d2727547d9..71fe8b2a8b4e42 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_ptp.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_ptp.c
@@ -51,7 +51,7 @@ void idpf_ptp_get_features_access(const struct idpf_adapter *adapter)
 
 	/* Set the device clock time */
 	direct = VIRTCHNL2_CAP_PTP_SET_DEVICE_CLK_TIME;
-	mailbox = VIRTCHNL2_CAP_PTP_SET_DEVICE_CLK_TIME;
+	mailbox = VIRTCHNL2_CAP_PTP_SET_DEVICE_CLK_TIME_MB;
 	ptp->set_dev_clk_time_access = idpf_ptp_get_access(adapter,
 							   direct,
 							   mailbox);
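Review bot: the other `direct` / `mailbox` assignment pairs in `idpf_ptp_get_features_access()` should be checked for the same copy-paste slip that is fixed here at `mailbox = VIRTCHNL2_CAP_PTP_SET_DEVICE_CLK_TIME_MB;`, since only this one pair is visible in the hunk. The commit message would also benefit from stating the user-visible effect of reporting IDPF_PTP_NONE, so that stable users can tell whether they were affected.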
-- 
2.53.0





* [PATCH 6.1 187/522] serial: dz: Fix bootconsole handover lockup
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 186/522] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 188/522] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded Greg Kroah-Hartman
                   ` (335 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 7f127b2208e5e2b817243cad41fe4211a6d5a7a3 upstream.

Calling dz_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled.  We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by dz_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.

This will change with the next change to the driver, so fix dz_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset.  This
also means dz_pm() serves no purpose anymore, so drop it.

Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062302010.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/dz.c | 36 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 24 deletions(-)

diff --git a/drivers/tty/serial/dz.c b/drivers/tty/serial/dz.c
index a16738799418ca..d80bbd95a7f786 100644
--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -573,6 +573,18 @@ static void dz_reset(struct dz_port *dport)
 	while (dz_in(dport, DZ_CSR) & DZ_CLR);
 	iob();
 
+	/*
+	 * Set parameters across all lines such as not to interfere
+	 * with the initial PROM-based console.  Otherwise any output
+	 * produced before the console handover would cause the system
+	 * firmware to produce rubbish.
+	 */
+	for (int line = 0; line < DZ_NB_PORT; line++)
+		dz_out(dport, DZ_LPR, DZ_B9600 | DZ_CS8 | line);
+
+	/* Re-enable transmission for the initial PROM-based console.  */
+	dz_out(dport, DZ_TCR, tcr);
+
 	/* Enable scanning.  */
 	dz_out(dport, DZ_CSR, DZ_MSE);
 
@@ -656,26 +668,6 @@ static void dz_set_termios(struct uart_port *uport, struct ktermios *termios,
 	spin_unlock_irqrestore(&dport->port.lock, flags);
 }
 
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void dz_pm(struct uart_port *uport, unsigned int state,
-		  unsigned int oldstate)
-{
-	struct dz_port *dport = to_dport(uport);
-	unsigned long flags;
-
-	spin_lock_irqsave(&dport->port.lock, flags);
-	if (state < 3)
-		dz_start_tx(&dport->port);
-	else
-		dz_stop_tx(&dport->port);
-	spin_unlock_irqrestore(&dport->port.lock, flags);
-}
-
-
 static const char *dz_type(struct uart_port *uport)
 {
 	return "DZ";
@@ -771,7 +763,6 @@ static const struct uart_ops dz_ops = {
 	.startup	= dz_startup,
 	.shutdown	= dz_shutdown,
 	.set_termios	= dz_set_termios,
-	.pm		= dz_pm,
 	.type		= dz_type,
 	.release_port	= dz_release_port,
 	.request_port	= dz_request_port,
@@ -896,10 +887,7 @@ static int __init dz_console_setup(struct console *co, char *options)
 	if (ret)
 		return ret;
 
-	spin_lock_init(&dport->port.lock);	/* For dz_pm().  */
-
 	dz_reset(dport);
-	dz_pm(uport, 0, -1);
 
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
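Review bot: with spin_lock_init(&dport->port.lock) removed from dz_console_setup(), the setup path no longer initialises the port lock itself. The removed comment says the call existed only for dz_pm(), so dropping both together is consistent, but the commit message should state which code initialises port.lock before the first console write takes it, so the removal can be checked against the 6.1 serial core rather than against mainline.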
-- 
2.53.0





* [PATCH 7.0 104/378] net: ena: PHC: Add missing barrier
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 103/378] idpf: fix mailbox capability for set device clock time Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 105/378] bnge: fix context mem iteration Greg Kroah-Hartman
                   ` (274 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arthur Kiyanovski, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arthur Kiyanovski <akiyano@amazon.com>

[ Upstream commit 954981dbbfbd78f21d2fbac1ac0742dbf38b4e69 ]

Add dma_rmb() barrier after req_id completion check in
ena_com_phc_get_timestamp(). On weakly-ordered architectures,
payload fields may be read before req_id is observed as updated.

Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
Closes: https://sashiko.dev/#/patchset/20260430032507.11586-1-akiyano%40amazon.com
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amazon/ena/ena_com.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
index 8c86789d867a5f..297fb36ab8c16f 100644
--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -1880,6 +1880,11 @@ int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp)
 			continue;
 		}
 
+		/* Ensure PHC payload (timestamp, error_flags) is read
+		 * after req_id update is observed
+		 */
+		dma_rmb();
+
 		/* req_id was updated by the device which indicates that
 		 * PHC timestamp and error_flags are updated too,
 		 * checking errors before retrieving timestamp
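Review bot: dma_rmb() orders the later payload reads only against the req_id load, and that load sits above this hunk's context, so the patch cannot be judged complete from what is shown. If req_id is read with a plain access, pairing the barrier with READ_ONCE() on it would stop the compiler from refetching or merging the load across loop iterations. The new comment and the existing one directly below it now say nearly the same thing and could be merged into one.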
-- 
2.53.0





* [PATCH 6.1 188/522] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 187/522] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 189/522] usb: core: Fix SuperSpeed root hub wMaxPacketSize Greg Kroah-Hartman
                   ` (334 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+5a287bcdc08104bc3132,
	Jiayuan Chen, Paolo Abeni, Rajani Kantha, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@shopee.com>

[ Upstream commit 479d589b40b836442bbdadc3fdb37f001bb67f26 ]

bond_option_mode_set() already rejects mode changes that would make a
loaded XDP program incompatible via bond_xdp_check().  However,
bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when
xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually
absent due to hardware offload.  This means a user can:

1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode
   with a compatible xmit_hash_policy (e.g. layer2+3).
2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false
for the same device.  When the bond is later destroyed, dev_xdp_uninstall()
calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits
the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an
XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")
introduced bond_xdp_check() which returns false for 802.3ad/balance-xor
modes when xmit_hash_policy is vlan+srcmac.  The check was wired into
bond_xdp_set() to reject XDP attachment with an incompatible policy, but
the symmetric path -- preventing xmit_hash_policy from being changed to an
incompatible value after XDP is already loaded -- was left unguarded in
bond_option_xmit_hash_policy_set().

Note:
commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode")
later added a similar guard to bond_option_mode_set(), but
bond_option_xmit_hash_policy_set() remained unprotected.

Reported-by: syzbot+5a287bcdc08104bc3132@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6995aff6.050a0220.2eeac1.014e.GAE@google.com/T/
Fixes: 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260226080306.98766-2-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c    | 9 +++++++--
 drivers/net/bonding/bond_options.c | 2 ++
 include/net/bonding.h              | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 0e078252b52a98..f2e97f640467de 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -322,7 +322,7 @@ bool bond_sk_check(struct bonding *bond)
 	}
 }
 
-bool bond_xdp_check(struct bonding *bond, int mode)
+bool __bond_xdp_check(int mode, int xmit_policy)
 {
 	switch (mode) {
 	case BOND_MODE_ROUNDROBIN:
@@ -333,7 +333,7 @@ bool bond_xdp_check(struct bonding *bond, int mode)
 		/* vlan+srcmac is not supported with XDP as in most cases the 802.1q
 		 * payload is not in the packet due to hardware offload.
 		 */
-		if (bond->params.xmit_policy != BOND_XMIT_POLICY_VLAN_SRCMAC)
+		if (xmit_policy != BOND_XMIT_POLICY_VLAN_SRCMAC)
 			return true;
 		fallthrough;
 	default:
@@ -341,6 +341,11 @@ bool bond_xdp_check(struct bonding *bond, int mode)
 	}
 }
 
+bool bond_xdp_check(struct bonding *bond, int mode)
+{
+	return __bond_xdp_check(mode, bond->params.xmit_policy);
+}
+
 /*---------------------------------- VLAN -----------------------------------*/
 
 /* In the following 2 functions, bond_vlan_rx_add_vid and bond_vlan_rx_kill_vid,
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 40731d180bb505..3d15b340b5c939 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1590,6 +1590,8 @@ static int bond_option_fail_over_mac_set(struct bonding *bond,
 static int bond_option_xmit_hash_policy_set(struct bonding *bond,
 					    const struct bond_opt_value *newval)
 {
+	if (bond->xdp_prog && !__bond_xdp_check(BOND_MODE(bond), newval->value))
+		return -EOPNOTSUPP;
 	netdev_dbg(bond->dev, "Setting xmit hash policy to %s (%llu)\n",
 		   newval->string, newval->value);
 	bond->params.xmit_policy = newval->value;
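Review bot: the new guard at the top of bond_option_xmit_hash_policy_set() returns -EOPNOTSUPP without telling the user why, so a rejected vlan+srcmac change looks like an unsupported option rather than a conflict with the loaded XDP program. A netdev_err() or similar message before the return would make the failure diagnosable. A blank line between the return and netdev_dbg() would also match the surrounding style, and the unlocked read of bond->xdp_prog deserves a note on which lock the option setters run under.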
diff --git a/include/net/bonding.h b/include/net/bonding.h
index 06a048d716b19f..f2dee8cefa1963 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -704,6 +704,7 @@ void bond_debug_register(struct bonding *bond);
 void bond_debug_unregister(struct bonding *bond);
 void bond_debug_reregister(struct bonding *bond);
 const char *bond_mode_name(int mode);
+bool __bond_xdp_check(int mode, int xmit_policy);
 bool bond_xdp_check(struct bonding *bond, int mode);
 void bond_setup(struct net_device *bond_dev);
 unsigned int bond_get_num_tx_queues(void);
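Review bot: __bond_xdp_check() is now declared in include/net/bonding.h next to bond_xdp_check() with no comment explaining the difference. A one-line comment saying that the double-underscore variant takes the candidate xmit_policy explicitly, for checking a value before it is stored in bond->params, would keep future callers from picking the wrong one.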
-- 
2.53.0





* [PATCH 7.0 105/378] bnge: fix context mem iteration
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 104/378] net: ena: PHC: Add missing barrier Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 106/378] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
                   ` (273 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vikas Gupta, Dharmender Garg,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vikas Gupta <vikas.gupta@broadcom.com>

[ Upstream commit 3847d94783c0b893c27ff0b26a3325796d9444c6 ]

The firmware advertises context memory (backing store) types
through a linked list, with BNGE_CTX_INV serving as the
end-of-list sentinel.
However, the driver incorrectly assumes that the list is strictly
ordered and prematurely terminates traversal when it encounters
an unrecognized type (>=BNGE_CTX_V2_MAX). As a result, any valid
context types that appear later in the chain are silently skipped,
leading to incomplete memory configuration and eventual driver load
failure.

Fix this by traversing the entire list until the BNGE_CTX_INV sentinel
is reached, while safely ignoring only those context types that fall
outside the supported range.

Fixes: 29c5b358f385 ("bng_en: Add backing store support")
Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
Reviewed-by: Dharmender Garg <dharmender.garg@broadcom.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bnge/bnge_hwrm_lib.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_hwrm_lib.c b/drivers/net/ethernet/broadcom/bnge/bnge_hwrm_lib.c
index c46da34134179c..3f07311d065e24 100644
--- a/drivers/net/ethernet/broadcom/bnge/bnge_hwrm_lib.c
+++ b/drivers/net/ethernet/broadcom/bnge/bnge_hwrm_lib.c
@@ -259,7 +259,7 @@ int bnge_hwrm_func_backing_store_qcaps(struct bnge_dev *bd)
 	struct hwrm_func_backing_store_qcaps_v2_output *resp;
 	struct hwrm_func_backing_store_qcaps_v2_input *req;
 	struct bnge_ctx_mem_info *ctx;
-	u16 type;
+	u16 type, next_type;
 	int rc;
 
 	if (bd->ctx)
@@ -276,8 +276,8 @@ int bnge_hwrm_func_backing_store_qcaps(struct bnge_dev *bd)
 
 	resp = bnge_hwrm_req_hold(bd, req);
 
-	for (type = 0; type < BNGE_CTX_V2_MAX; ) {
-		struct bnge_ctx_mem_type *ctxm = &ctx->ctx_arr[type];
+	for (type = 0; type < BNGE_CTX_INV; type = next_type) {
+		struct bnge_ctx_mem_type *ctxm;
 		u8 init_val, init_off, i;
 		__le32 *p;
 		u32 flags;
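Review bot: the rewritten loop header, for (type = 0; type < BNGE_CTX_INV; type = next_type), terminates only when firmware eventually returns the sentinel, and each iteration issues a request. Since the commit message establishes that the list is not ordered, a chain that revisits a type would never exit. A cap on the number of iterations, or a bitmap of types already queried, would bound the walk without changing behaviour for well-formed lists.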
@@ -286,8 +286,14 @@ int bnge_hwrm_func_backing_store_qcaps(struct bnge_dev *bd)
 		rc = bnge_hwrm_req_send(bd, req);
 		if (rc)
 			goto ctx_done;
+
+		next_type = le16_to_cpu(resp->next_valid_type);
+		if (type >= BNGE_CTX_V2_MAX)
+			continue;
+
+		ctxm = &ctx->ctx_arr[type];
 		flags = le32_to_cpu(resp->flags);
-		type = le16_to_cpu(resp->next_valid_type);
+
 		if (!(flags &
 		      FUNC_BACKING_STORE_QCAPS_V2_RESP_FLAGS_TYPE_VALID))
 			continue;
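Review bot: the new if (type >= BNGE_CTX_V2_MAX) continue; drops unsupported types without any trace, which makes a later "missing context memory" report hard to tie back to what firmware advertised. A debug-level message naming the skipped type would help. The ordering itself looks right: next_type is loaded before either continue, and ctxm = &ctx->ctx_arr[type] is now computed only after the bounds check.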
-- 
2.53.0
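
The traversal change described in the message above, as a userspace model added here for illustration (not code from the driver or the patch). The constants, the firmware tables and the step budget in walk_new() are assumptions of this example; the two loop shapes follow the removed and added for statements in the hunk.

```c
#include <stdint.h>
#include <stdio.h>

#define CTX_V2_MAX 8		/* assumed: first type id without a driver slot */
#define CTX_INV    0xffff	/* assumed: end-of-list sentinel value */
#define FW_TYPES   16		/* size of the constructed firmware tables */

/* Constructed firmware chain: 0 -> 3 -> 12 (no driver slot) -> 5 -> end. */
static const uint16_t fw_chain[FW_TYPES] = {
	[0] = 3, [3] = 12, [12] = 5, [5] = CTX_INV,
};

/* Constructed misbehaving chain: 0 -> 3 -> 0 -> ... never hits the sentinel. */
static const uint16_t fw_cycle[FW_TYPES] = { [0] = 3, [3] = 0 };

/* Stand-in for one query: returns next_valid_type for the given type. */
static uint16_t fw_query(const uint16_t *next, uint16_t type)
{
	return type < FW_TYPES ? next[type] : CTX_INV;
}

/* Pre-fix loop shape: the array bound doubles as the exit condition, so the
 * first type without a slot ends the walk. Returns a bitmask of types seen. */
static int walk_old(const uint16_t *next)
{
	int seen = 0;
	uint16_t type;

	for (type = 0; type < CTX_V2_MAX; ) {
		seen |= 1 << type;
		type = fw_query(next, type);
	}
	return seen;
}

/* Post-fix loop shape: walk to the sentinel, skip types without a slot.
 * The step budget is this example's addition; returns -1 when it runs out. */
static int walk_new(const uint16_t *next, int max_steps)
{
	int seen = 0, steps = 0;
	uint16_t type, next_type;

	for (type = 0; type < CTX_INV; type = next_type) {
		if (++steps > max_steps)
			return -1;	/* chain did not terminate */
		next_type = fw_query(next, type);
		if (type >= CTX_V2_MAX)
			continue;	/* no slot for this type, keep walking */
		seen |= 1 << type;
	}
	return seen;
}

int main(void)
{
	printf("old loop configured types: %#x\n", walk_old(fw_chain));
	printf("new loop configured types: %#x\n", walk_new(fw_chain, FW_TYPES));
	printf("new loop on cyclic chain:  %d\n", walk_new(fw_cycle, FW_TYPES));
	return 0;
}
```

Type 5 is reached only by the second loop because it sits behind type 12 in the chain.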





* [PATCH 6.1 189/522] usb: core: Fix SuperSpeed root hub wMaxPacketSize
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 188/522] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 190/522] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
                   ` (333 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman, Michal Pecio

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Pecio <michal.pecio@gmail.com>

commit d1e280334b7f0a1df441e08bd1f6a1bcc36b3bbb upstream.

There is no good reason to have wBytesPerInterval < wMaxPacketSize -
either one is too low or the other too high, and we may want to warn
about such descriptors. Start with cleaning up our own root hubs.

USB 3.2 section 10.15.1 sets wMaxPacketSize and wBytesPerInterval of
SuperSpeed hub status endpoints at 2 bytes, so reduce wMaxPacketSize
from its former value of 4, which was derived from USB 2.0 spec and
the kernel's USB_MAXCHILDREN limit. They don't apply because USB 3.2
10.15.2.1 specifies SuperSpeed hubs to have up to 15 ports.

Suggested-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Link: https://patch.msgid.link/20260518073121.7bc1da0f.michal.pecio@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hcd.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -353,9 +353,7 @@ static const u8 ss_rh_config_descriptor[
 	USB_DT_ENDPOINT, /* __u8 ep_bDescriptorType; Endpoint */
 	0x81,       /*  __u8  ep_bEndpointAddress; IN Endpoint 1 */
 	0x03,       /*  __u8  ep_bmAttributes; Interrupt */
-		    /* __le16 ep_wMaxPacketSize; 1 + (MAX_ROOT_PORTS / 8)
-		     * see hub.c:hub_configure() for details. */
-	(USB_MAXCHILDREN + 1 + 7) / 8, 0x00,
+	0x02, 0x00, /* __le16 ep_wMaxPacketSize; 2 bytes per USB3 10.15.1 */
 	0x0c,       /*  __u8  ep_bInterval; (256ms -- usb 2.0 spec) */
 
 	/* one SuperSpeed endpoint companion descriptor */
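Review bot: the removed comment pointed readers to hub.c:hub_configure() for how the old size was derived, and the new 0x02, 0x00 line drops that pointer without saying whether hub_configure() depends on this field. Two bytes do cover the case the commit message cites (one hub bit plus 15 port bits is 16 bits), so the value is sufficient; a note confirming that hub_configure() accepts a 2-byte wMaxPacketSize for root hubs would close the loop. The companion descriptor's wBytesPerInterval is below this hunk's context, so it cannot be checked here that the two fields now match.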




* [PATCH 7.0 106/378] netlabel: validate unlabeled address and mask attribute lengths
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 105/378] bnge: fix context mem iteration Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 107/378] gpio: mvebu: fix NULL pointer dereference in suspend/resume Greg Kroah-Hartman
                   ` (272 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chenguang Zhao, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chenguang Zhao <zhaochenguang@kylinos.cn>

[ Upstream commit 9772589b57e44aedc240211c5c3f7a684a034d3a ]

netlbl_unlabel_addrinfo_get() used the address attribute length to
determine whether the attribute data could be read as an IPv4 or IPv6
address, but did not independently validate the corresponding mask
attribute length.  A crafted Generic Netlink request could therefore
provide a valid IPv4/IPv6 address attribute with a shorter mask
attribute, which would later be read as a full struct in_addr or
struct in6_addr.

NLA_BINARY policy lengths are maximum lengths by default, so use
NLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask
attributes.  This rejects short attributes during policy validation and
also exposes the exact length requirements through policy introspection.

Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections")
Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlabel/netlabel_unlabeled.c | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index ca7a9e2a3de781..870e7699326a4a 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -114,14 +114,14 @@ static struct genl_family netlbl_unlabel_gnl_family;
 /* NetLabel Netlink attribute policy */
 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
 	[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
-	[NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in6_addr) },
-	[NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in6_addr) },
-	[NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in_addr) },
-	[NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in_addr) },
+	[NLBL_UNLABEL_A_IPV6ADDR] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+	[NLBL_UNLABEL_A_IPV6MASK] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+	[NLBL_UNLABEL_A_IPV4ADDR] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+	[NLBL_UNLABEL_A_IPV4MASK] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
 	[NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
 				   .len = IFNAMSIZ - 1 },
 	[NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
@@ -757,24 +757,14 @@ static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
 				       void **mask,
 				       u32 *len)
 {
-	u32 addr_len;
-
 	if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
 	    info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
-		addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
-		if (addr_len != sizeof(struct in_addr) &&
-		    addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
-			return -EINVAL;
-		*len = addr_len;
+		*len = sizeof(struct in_addr);
 		*addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
 		*mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
 		return 0;
 	} else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
-		addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
-		if (addr_len != sizeof(struct in6_addr) &&
-		    addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
-			return -EINVAL;
-		*len = addr_len;
+		*len = sizeof(struct in6_addr);
 		*addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
 		*mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
 		return 0;
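Review bot: the IPv6 branch, else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]), still tests only the address attribute before calling nla_data() on NLBL_UNLABEL_A_IPV6MASK, while the IPv4 branch tests both. With the in-function length checks removed, this function now relies entirely on its callers to guarantee that the IPv6 mask is present. Adding && info->attrs[NLBL_UNLABEL_A_IPV6MASK] would make the two branches symmetric at no cost. The commit message could also mention that the removed tests joined their two conditions with &&, so they passed whenever the address alone had the expected size.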
-- 
2.53.0
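
The difference between a maximum-length and an exact-length attribute policy, as described in the message above, shown in a userspace model added here for illustration (not kernel code and not part of the patch). The attribute layout is simplified, and parse(), run_request(), LEN_MAX and LEN_EXACT are names assumed for this example; the pre-fix test in run_request() mirrors the lines the hunk removes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDRLEN 4			/* u16 length (header included) + u16 type */
#define ALIGN4(n) (((n) + 3) & ~3)

enum { A_IPV4ADDR = 1, A_IPV4MASK = 2, A_MAX = 2 };
enum len_rule { LEN_MAX, LEN_EXACT };	/* maximum length vs exact length */

struct policy { enum len_rule rule; int len; };
struct attr { const uint8_t *data; int len; };	/* data == NULL: absent */

/* Append one attribute to buf at off; returns the next aligned offset. */
static int put_attr(uint8_t *buf, int off, uint16_t type, const void *data, int plen)
{
	uint16_t alen = (uint16_t)(HDRLEN + plen);

	memcpy(buf + off, &alen, 2);
	memcpy(buf + off + 2, &type, 2);
	memcpy(buf + off + HDRLEN, data, (size_t)plen);
	return off + ALIGN4(alen);
}

/* Validate every known attribute against the policy and index it in tb[]. */
static int parse(const uint8_t *buf, int buflen, const struct policy *pol, struct attr *tb)
{
	int off = 0;

	memset(tb, 0, sizeof(*tb) * (A_MAX + 1));
	while (buflen - off >= HDRLEN) {
		uint16_t alen, type;
		int plen;

		memcpy(&alen, buf + off, 2);
		memcpy(&type, buf + off + 2, 2);
		if (alen < HDRLEN || alen > buflen - off)
			return -1;
		plen = alen - HDRLEN;
		if (type >= 1 && type <= A_MAX) {
			const struct policy *p = &pol[type];

			if (p->rule == LEN_EXACT ? plen != p->len : plen > p->len)
				return -1;
			tb[type].data = buf + off + HDRLEN;
			tb[type].len = plen;
		}
		off += ALIGN4(alen);
	}
	return 0;
}

/* Returns -1 if the request is rejected, otherwise the mask payload length
 * that the consumer would go on to read as a full 4-byte address. */
static int run_request(int fixed, int mask_len)
{
	static const uint8_t addr[4] = { 192, 0, 2, 1 };	/* constructed */
	static const uint8_t mask[8] = { 255, 255, 255, 0 };	/* constructed */
	struct policy pol[A_MAX + 1] = {
		[A_IPV4ADDR] = { fixed ? LEN_EXACT : LEN_MAX, 4 },
		[A_IPV4MASK] = { fixed ? LEN_EXACT : LEN_MAX, 4 },
	};
	struct attr tb[A_MAX + 1];
	uint8_t buf[64] = { 0 };
	int off;

	off = put_attr(buf, 0, A_IPV4ADDR, addr, 4);
	off = put_attr(buf, off, A_IPV4MASK, mask, mask_len);
	if (parse(buf, off, pol, tb))
		return -1;
	/* Pre-fix test modelled on the removed lines: joined with '&&', it
	 * fails only when the address has the wrong size AND differs from
	 * the mask length, so a 4-byte address always passes. */
	if (!fixed && tb[A_IPV4ADDR].len != 4 &&
	    tb[A_IPV4ADDR].len != tb[A_IPV4MASK].len)
		return -1;
	return tb[A_IPV4MASK].len;
}

int main(void)
{
	printf("max-len policy, 2-byte mask:   %d\n", run_request(0, 2));
	printf("exact-len policy, 2-byte mask: %d\n", run_request(1, 2));
	printf("exact-len policy, 4-byte mask: %d\n", run_request(1, 4));
	return 0;
}
```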





* [PATCH 6.1 190/522] bpf: Free reuseport cBPF prog after RCU grace period.
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 189/522] usb: core: Fix SuperSpeed root hub wMaxPacketSize Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 191/522] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (332 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eulgyu Kim, Taeyang Lee,
	Kuniyuki Iwashima, Daniel Borkmann, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]

Eulgyu Kim reported the splat below with a repro. [0]

The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.

The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().

If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.

Let's defer freeing the reuseport cBPF prog after one RCU
grace period.

Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().

[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
 udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
 __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
 __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
 __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
 ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
 __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
 __netif_receive_skb net/core/dev.c:6294 [inline]
 process_backlog+0xaa4/0x1960 net/core/dev.c:6645
 __napi_poll+0xae/0x340 net/core/dev.c:7709
 napi_poll net/core/dev.c:7772 [inline]
 net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
 handle_softirqs+0x22b/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
 neigh_output include/net/neighbour.h:556 [inline]
 ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
 ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
 udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
 udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x554/0x680 net/socket.c:2206
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
 </TASK>

Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
Reported-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/filter.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 0ea9ede2c44724..3628ea596050f0 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1643,15 +1643,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
 	return err;
 }
 
+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
+{
+	struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
+	struct bpf_prog *prog = aux->prog;
+
+	bpf_release_orig_filter(prog);
+	bpf_prog_free(prog);
+}
+
 void sk_reuseport_prog_free(struct bpf_prog *prog)
 {
 	if (!prog)
 		return;
 
-	if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
-		bpf_prog_put(prog);
+	if (bpf_prog_was_classic(prog))
+		call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
 	else
-		bpf_prog_destroy(prog);
+		bpf_prog_put(prog);
 }
 
 struct bpf_scratchpad {
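Review bot: the branch in sk_reuseport_prog_free() changes both its predicate and its polarity, from prog->type == BPF_PROG_TYPE_SK_REUSEPORT selecting bpf_prog_put() to bpf_prog_was_classic() selecting the deferred free, so every non-classic program now goes to bpf_prog_put() where before only SK_REUSEPORT programs did. The commit message should state that the two tests split reuseport programs identically, including on 6.1. The callback also reuses prog->aux->rcu and open-codes bpf_release_orig_filter() plus bpf_prog_free() in place of bpf_prog_destroy(); a comment noting that no other path queues that rcu_head for a classic program would make the reuse easier to trust.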
-- 
2.53.0





* [PATCH 7.0 107/378] gpio: mvebu: fix NULL pointer dereference in suspend/resume
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 106/378] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 108/378] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls Greg Kroah-Hartman
                   ` (271 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yun Zhou, Bartosz Golaszewski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yun Zhou <yun.zhou@windriver.com>

[ Upstream commit b9ad50d7505ebd48282ec3630258dc820fc85c81 ]

mvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO
banks during suspend/resume, but not all banks have PWM functionality.
GPIO banks without PWM have mvchip->mvpwm set to NULL.

Calling mvebu_pwm_suspend() with mvpwm == NULL causes a NULL pointer
dereference when it tries to access mvpwm->blink_select.

  Unable to handle kernel NULL pointer dereference at virtual address 00000020 when write
  [00000020] *pgd=00000000
  Internal error: Oops: 815 [#1] PREEMPT ARM
  Modules linked in:
  CPU: 0 UID: 0 PID: 406 Comm: sh Not tainted 6.12.74-rt12-yocto-standard-g4e96f98fb7db-dirty #353
  Hardware name: Marvell Armada 370/XP (Device Tree)
  PC is at regmap_mmio_read+0x38/0x54
  LR is at regmap_mmio_read+0x38/0x54
  pc : [<c05fd2ac>]    lr : [<c05fd2ac>]    psr: 200f0013
  sp : f0c11d10  ip : 00000000  fp : c100d2f0
  r10: c14fb854  r9 : 00000000  r8 : 00000000
  r7 : c1799c00  r6 : 00000020  r5 : 00000020  r4 : c179c7c0
  r3 : f0a231a0  r2 : 00000020  r1 : 00000020  r0 : 00000000
  Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: 135ec059  DAC: 00000051
  Call trace:
   regmap_mmio_read from _regmap_bus_reg_read+0x78/0xac
   _regmap_bus_reg_read from _regmap_read+0x60/0x154
   _regmap_read from regmap_read+0x3c/0x60
   regmap_read from mvebu_gpio_suspend+0xa4/0x14c
   mvebu_gpio_suspend from dpm_run_callback+0x54/0x180
   dpm_run_callback from device_suspend+0x124/0x630
   device_suspend from dpm_suspend+0x124/0x270
   dpm_suspend from dpm_suspend_start+0x64/0x6c
   dpm_suspend_start from suspend_devices_and_enter+0x140/0x8e8
   suspend_devices_and_enter from pm_suspend+0x2fc/0x308
   pm_suspend from state_store+0x6c/0xc8
   state_store from kernfs_fop_write_iter+0x10c/0x1f8
   kernfs_fop_write_iter from vfs_write+0x270/0x468
   vfs_write from ksys_write+0x70/0xf0
   ksys_write from ret_fast_syscall+0x0/0x54

Add a NULL check for mvchip->mvpwm before calling the PWM
suspend/resume functions.

Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support")
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
Link: https://patch.msgid.link/20260608084334.2960803-1-yun.zhou@windriver.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-mvebu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
index 22c36b79e249ff..c030d1f00abcae 100644
--- a/drivers/gpio/gpio-mvebu.c
+++ b/drivers/gpio/gpio-mvebu.c
@@ -996,7 +996,7 @@ static int mvebu_gpio_suspend(struct platform_device *pdev, pm_message_t state)
 		BUG();
 	}
 
-	if (IS_REACHABLE(CONFIG_PWM))
+	if (IS_REACHABLE(CONFIG_PWM) && mvchip->mvpwm)
 		mvebu_pwm_suspend(mvchip);
 
 	return 0;
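
Review bot: The new `mvchip->mvpwm` test in mvebu_gpio_suspend() protects only this call site, so mvebu_pwm_suspend() remains unsafe to call with a NULL mvpwm if another caller is added later. Consider moving the check into mvebu_pwm_suspend() as an early return, with a one-line comment that mvpwm is NULL on banks without PWM, the state the Oops in the commit message was hit in.
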
@@ -1048,7 +1048,7 @@ static int mvebu_gpio_resume(struct platform_device *pdev)
 		BUG();
 	}
 
-	if (IS_REACHABLE(CONFIG_PWM))
+	if (IS_REACHABLE(CONFIG_PWM) && mvchip->mvpwm)
 		mvebu_pwm_resume(mvchip);
 
 	return 0;
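
Review bot: The guard in mvebu_gpio_resume() has to stay identical to the one in mvebu_gpio_suspend(), otherwise a restore can run without a matching save or the other way round. A small shared predicate used by both paths would keep the two open-coded conditions from drifting apart.
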
-- 
2.53.0





* [PATCH 6.1 191/522] USB: serial: mct_u232: fix memory corruption with small endpoint
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 190/522] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 192/522] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
                   ` (331 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.

The driver overrides the maximum transfer size for a specific device
which only accepts 16 byte packets for its 32 byte bulk-out endpoint.

Make sure to never increase the maximum transfer size to prevent slab
corruption should a malicious device report a smaller endpoint max
packet size than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 389bbab8182a41..3c1351bb7ca3d8 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -379,6 +379,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv;
+	u16 pid;
 
 	/* check first to simplify error handling */
 	if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
@@ -386,6 +387,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 		return -ENODEV;
 	}
 
+	/*
+	 * Compensate for a hardware bug: although the Sitecom U232-P25
+	 * device reports a maximum output packet size of 32 bytes,
+	 * it seems to be able to accept only 16 bytes (and that's what
+	 * SniffUSB says too...)
+	 */
+	pid = le16_to_cpu(serial->dev->descriptor.idProduct);
+	if (pid == MCT_U232_SITECOM_PID)
+		port->bulk_out_size = min(16, port->bulk_out_size);
+
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
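
Review bot: In mct_u232_port_probe() the clamp `min(16, port->bulk_out_size)` repeats the literal 16 from the comment; a named constant next to MCT_U232_SITECOM_PID would document where the value comes from. The comment should also say that the size may only ever be lowered here, since that is the property the commit message relies on to prevent slab corruption.
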
@@ -411,7 +422,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
 
 static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv = usb_get_serial_port_data(port);
 	int retval = 0;
 	unsigned int control_state;
@@ -419,15 +429,6 @@ static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 	unsigned char last_lcr;
 	unsigned char last_msr;
 
-	/* Compensate for a hardware bug: although the Sitecom U232-P25
-	 * device reports a maximum output packet size of 32 bytes,
-	 * it seems to be able to accept only 16 bytes (and that's what
-	 * SniffUSB says too...)
-	 */
-	if (le16_to_cpu(serial->dev->descriptor.idProduct)
-						== MCT_U232_SITECOM_PID)
-		port->bulk_out_size = 16;
-
 	/* Do a defined restart: the normal serial device seems to
 	 * always turn on DTR and RTS here, so do the same. I'm not
 	 * sure if this is really necessary. But it should not harm
-- 
2.53.0





* [PATCH 7.0 108/378] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 107/378] gpio: mvebu: fix NULL pointer dereference in suspend/resume Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 109/378] tcp: restrict SO_ATTACH_FILTER to priv users Greg Kroah-Hartman
                   ` (270 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Fitzgerald <rf@opensource.cirrus.com>

[ Upstream commit 7d3fb78b550301e43fdc60312aed733069694426 ]

In wm_adsp_control_remove() check that the priv pointer is not NULL
before attempting to clean up what it points to.

When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that
wm_adsp can create its own private control data. There are two cases
where private data is not created:

1. The control is a SYSTEM control, so an ALSA control is not created.

2. The codec driver has registered a control_add() callback that
   hides the control, so wm_adsp_control_add() is not called.

When cs_dsp_remove destroys its control list it calls
wm_adsp_control_remove() for each control. But wm_adsp_control_remove()
was attempting to clean up the private data pointed to by cs_ctl->priv
without checking the pointer for NULL.

Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 0700bc2fb94c ("ASoC: wm_adsp: Separate generic cs_dsp_coeff_ctl handling")
Link: https://patch.msgid.link/20260604101244.1402862-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/wm_adsp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
index 2e23848e1dce94..d7ba14ce613b74 100644
--- a/sound/soc/codecs/wm_adsp.c
+++ b/sound/soc/codecs/wm_adsp.c
@@ -666,6 +666,9 @@ static void wm_adsp_control_remove(struct cs_dsp_coeff_ctl *cs_ctl)
 {
 	struct wm_coeff_ctl *ctl = cs_ctl->priv;
 
+	if (!ctl)
+		return;
+
 	cancel_work_sync(&ctl->work);
 
 	kfree(ctl->name);
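
Review bot: The early `if (!ctl) return;` in wm_adsp_control_remove() carries no comment, and the two cases in which cs_ctl->priv is legitimately NULL (SYSTEM controls, and controls hidden by a codec control_add() callback) are recorded only in the commit message. A short comment above the check would stop a later cleanup from treating it as dead code.
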
-- 
2.53.0





* [PATCH 6.1 192/522] dmaengine: idxd: Fix not releasing workqueue on .release()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 191/522] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 193/522] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
                   ` (330 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
	Vinod Koul, Wenshan Lan, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vinicius Costa Gomes <vinicius.gomes@intel.com>

[ Upstream commit 3d33de353b1ff9023d5ec73b9becf80ea87af695 ]

The workqueue associated with a DSA/IAA device is not released when
the object is freed.

Fixes: 47c16ac27d4c ("dmaengine: idxd: fix idxd conf_dev 'struct device' lifetime")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-7-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[ Remove destroy_workqueue(idxd->wq) from the function idxd_remove() to
avoid the workqueue being released twice. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/init.c  | 1 -
 drivers/dma/idxd/sysfs.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index 6059ffc08eace1..2880a0b0f5e67e 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -813,7 +813,6 @@ static void idxd_remove(struct pci_dev *pdev)
 	if (device_user_pasid_enabled(idxd))
 		iommu_dev_disable_feature(&pdev->dev, IOMMU_DEV_FEAT_SVA);
 	pci_disable_device(pdev);
-	destroy_workqueue(idxd->wq);
 	perfmon_pmu_remove(idxd);
 	put_device(idxd_confdev(idxd));
 }
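
Review bot: With destroy_workqueue(idxd->wq) dropped from idxd_remove(), the workqueue now outlives pci_disable_device() and perfmon_pmu_remove() and goes away only when the reference released by put_device(idxd_confdev(idxd)) was the last one. Please confirm that nothing can still be queued on idxd->wq once the device is disabled, or flush it here, and note the new lifetime in a comment.
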
diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
index 0689464c4816ab..ea222e1654ab94 100644
--- a/drivers/dma/idxd/sysfs.c
+++ b/drivers/dma/idxd/sysfs.c
@@ -1663,6 +1663,7 @@ static void idxd_conf_device_release(struct device *dev)
 {
 	struct idxd_device *idxd = confdev_to_idxd(dev);
 
+	destroy_workqueue(idxd->wq);
 	kfree(idxd->groups);
 	bitmap_free(idxd->wq_enable_map);
 	kfree(idxd->wqs);
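
Review bot: destroy_workqueue(idxd->wq) in idxd_conf_device_release() is unconditional, while the kfree() and bitmap_free() calls next to it tolerate NULL. If this release callback can run on a probe error path before idxd->wq has been created, the call needs an `if (idxd->wq)` guard.
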
-- 
2.53.0





* [PATCH 7.0 109/378] tcp: restrict SO_ATTACH_FILTER to priv users
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 108/378] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 110/378] net: add pskb_may_pull() to skb_gro_receive_list() Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Tamir Shahar,
	Amit Klein, Willem de Bruijn, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman,
	Kumar Kartikeya Dwivedi, Song Liu, Yonghong Song, Jiri Olsa,
	John Fastabend, Stanislav Fomichev, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 5d39580f68e6ddeedd15e587282207489dfb3da2 ]

This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
to users with CAP_NET_ADMIN capability.

This blocks a potential side-channel attack where an unprivileged application
attaches a filter to leak TCP sequence/acknowledgment numbers.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Tamir Shahar <tamirthesis@gmail.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Stanislav Fomichev <sdf@fomichev.me>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/sock.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/sock.c b/net/core/sock.c
index b197a795306392..d317b4a8b85a25 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1463,6 +1463,11 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
 	case SO_ATTACH_FILTER: {
 		struct sock_fprog fprog;
 
+		if (sk_is_tcp(sk) &&
+		    !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+			ret = -EPERM;
+			break;
+		}
 		ret = copy_bpf_fprog_from_user(&fprog, optval, optlen);
 		if (!ret)
 			ret = sk_attach_filter(&fprog, sk);
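
Review bot: The CAP_NET_ADMIN test added under `case SO_ATTACH_FILTER` has no comment, so the reason TCP sockets are singled out (the sequence/acknowledgment number side channel named in the commit message) is not visible in sk_setsockopt(). Unprivileged callers now get -EPERM where the option used to succeed, so a comment here and a mention in the socket option documentation would help anyone debugging the new failure.
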
-- 
2.53.0





* [PATCH 6.1 193/522] Disable -Wattribute-alias for clang-23 and newer
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 192/522] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 194/522] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
                   ` (329 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.

Clang recently added support for -Wattribute-alias [1], which results in
the same warnings that necessitated commit bee20031772a ("disable
-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.

  kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
    325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
        | ^
  include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
    225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
        |                                    ^
  include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
    236 |         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
        |         ^
  include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
    251 |                 __attribute__((alias(__stringify(__se_sys##name))));    \
        |                                ^
  kernel/time/itimer.c:325:1: note: aliasee is declared here
  include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
    225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
        |                                    ^
  include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
    236 |         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
        |         ^
  include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
    255 |         asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__))  \
        |                         ^
  <scratch space>:16:1: note: expanded from here
     16 | __se_sys_alarm
        | ^

Disable the warnings in the same way for clang-23 and newer. Disable the
warning about unknown warning options to avoid breaking the build for
versions of clang-23 that do not have -Wattribute-alias, such as ones
deployed by vendors like Android or CI systems or when bisecting LLVM
between llvmorg-23-init and release/23.x.

Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
[nathan: Drop arch/riscv hunk in older trees and address conflicts]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/compat.h         | 4 ++++
 include/linux/compiler-clang.h | 6 ++++++
 include/linux/compiler_types.h | 4 ++++
 include/linux/syscalls.h       | 4 ++++
 4 files changed, 18 insertions(+)

diff --git a/include/linux/compat.h b/include/linux/compat.h
index 77e84d17521eb8..38f22c9ac9109b 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -72,6 +72,10 @@
 	__diag_push();								\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",				\
 		      "Type aliasing is used to sanitize syscall arguments");\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",			\
+		      "Avoid breaking versions without -Wattribute-alias");	\
+	__diag_ignore(clang, 23, "-Wattribute-alias",				\
+		      "Type aliasing is used to sanitize syscall arguments");	\
 	asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))	\
 		__attribute__((alias(__stringify(__se_compat_sys##name))));	\
 	ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO);				\
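
Review bot: The two new __diag_ignore(clang, 23, ...) lines depend on their order: -Wunknown-warning-option has to be ignored first so that a clang-23 build without -Wattribute-alias does not warn about the second pragma. That dependency is explained only in the commit message; a brief comment in the macro, or one shared helper used by both compat.h and syscalls.h, would keep the pair from being reordered or split.
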
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index f9de53fff3acc4..2fd5b596b36b5c 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -144,5 +144,11 @@
 #define __diag_clang_11(s)
 #endif
 
+#if CONFIG_CLANG_VERSION >= 230000
+#define __diag_clang_23(s)	__diag(s)
+#else
+#define __diag_clang_23(s)
+#endif
+
 #define __diag_ignore_all(option, comment) \
 	__diag_clang(11, ignore, option)
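
Review bot: `#if CONFIG_CLANG_VERSION >= 230000` keys __diag_clang_23 on the version number alone, yet the commit message says some clang-23 builds do not have -Wattribute-alias. A comment beside the define stating that users must pair it with the -Wunknown-warning-option ignore would make that constraint visible to the next caller of __diag_ignore(clang, 23, ...).
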
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index ef359a76b11f89..7c9883c499cfe1 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -399,6 +399,10 @@ struct ftrace_likely_data {
 #define __diag_GCC(version, severity, string)
 #endif
 
+#ifndef __diag_clang
+#define __diag_clang(version, severity, string)
+#endif
+
 #define __diag_push()	__diag(push)
 #define __diag_pop()	__diag(pop)
 
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index dcce762b48facb..7ff6bc7da1f655 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -240,6 +240,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
 	__diag_push();							\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",			\
 		      "Type aliasing is used to sanitize syscall arguments");\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",		\
+		      "Avoid breaking versions without -Wattribute-alias");\
+	__diag_ignore(clang, 23, "-Wattribute-alias",			\
+		      "Type aliasing is used to sanitize syscall arguments");\
 	asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))	\
 		__attribute__((alias(__stringify(__se_sys##name))));	\
 	ALLOW_ERROR_INJECTION(sys##name, ERRNO);			\
-- 
2.53.0





* [PATCH 7.0 110/378] net: add pskb_may_pull() to skb_gro_receive_list()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 109/378] tcp: restrict SO_ATTACH_FILTER to priv users Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 111/378] net/mlx4: avoid GCC 10 __bad_copy_from() false positive Greg Kroah-Hartman
                   ` (268 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, HanQuan, MingXuan, Eric Dumazet,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: HanQuan <eilaimemedsnaimel@gmail.com>

[ Upstream commit f2bb3434544454099a5b6dec213567267b05d79d ]

skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
first ensuring the data is in the linear area via pskb_may_pull(). When
the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
page fragments) while skb_gro_offset is non-zero (after IP+TCP header
parsing). The skb_pull() then decrements skb->len by skb_gro_offset
but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
in __skb_pull().

The UDP fraglist GRO path already contains this guard at
udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides
centralized protection for all callers (TCP, UDP, and any future
protocols), and ensures the precondition of skb_pull() is satisfied
before it is called.

On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the
skb is not held as a new GRO head and is instead delivered through the
normal receive path, matching the UDP handling.

Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
Reported-by: HanQuan <eilaimemedsnaimel@gmail.com>
Reported-by: MingXuan <bwnie0730@outlook.com>
Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/gro.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/gro.c b/net/core/gro.c
index a847539834679c..35f2f708f01052 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -232,6 +232,11 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
 	if (unlikely(p->len + skb->len >= 65536))
 		return -E2BIG;
 
+	if (!pskb_may_pull(skb, skb_gro_offset(skb))) {
+		NAPI_GRO_CB(skb)->flush = 1;
+		return -ENOMEM;
+	}
+
 	if (NAPI_GRO_CB(p)->last == p)
 		skb_shinfo(p)->frag_list = skb;
 	else
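
Review bot: The pskb_may_pull() added near the top of skb_gro_receive_list() can reallocate the skb header, so a caller that computed a header pointer into skb before this call must reload it afterwards; that precondition deserves a comment on the function. The -ENOMEM return also covers a packet that is simply shorter than skb_gro_offset(skb), so callers should not read it as an allocation failure only.
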
-- 
2.53.0





* [PATCH 6.1 194/522] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 193/522] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 195/522] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
                   ` (328 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Wolfram Sang

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingyu Wang <25181214217@stu.xidian.edu.cn>

commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.

While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().

A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
[wsa: move the comment as well]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/i2c-dev.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *fi
 		client->adapter->retries = arg;
 		break;
 	case I2C_TIMEOUT:
-		if (arg > INT_MAX)
+		/*
+		 * For historical reasons, user-space sets the timeout value in
+		 * units of 10 ms.
+		 */
+		if (arg > INT_MAX / 10)
 			return -EINVAL;
 
-		/* For historical reasons, user-space sets the timeout
-		 * value in units of 10 ms.
-		 */
 		client->adapter->timeout = msecs_to_jiffies(arg * 10);
 		break;
 	default:
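
Review bot: In the I2C_TIMEOUT case the factor 10 now appears twice, in the bound `arg > INT_MAX / 10` and in `msecs_to_jiffies(arg * 10)`, and the two must stay in step for the check to mean anything. A local named constant for the 10 ms unit, or check_mul_overflow() on the product, would tie the bound to the multiplication.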




* [PATCH 7.0 111/378] net/mlx4: avoid GCC 10 __bad_copy_from() false positive
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 110/378] net: add pskb_may_pull() to skb_gro_receive_list() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 112/378] net: ibm: emac: Fix use-after-free during device removal Greg Kroah-Hartman
                   ` (267 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yao Sang, Jacob Keller,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yao Sang <sangyao@kylinos.cn>

[ Upstream commit 2365343f4aad3e1b1e7a2e87e98cf66d5e590589 ]

mlx4_init_user_cqes() fills a scratch buffer with the CQE
initialization pattern and then copies from that buffer to userspace.

In the single-copy path, the copy length is array_size(entries,
cqe_size), but the scratch buffer is allocated with PAGE_SIZE. GCC 10
does not carry the branch invariant strongly enough through the object
size checks and falsely triggers __bad_copy_from().

Size the scratch buffer to the actual copy length for the active path,
keep array_size() for the single-copy case, and retain a WARN_ON_ONCE()
guard for the PAGE_SIZE invariant before allocating the buffer.

Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()")
Signed-off-by: Yao Sang <sangyao@kylinos.cn>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index e130e7259275a3..5c55971abbf072 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn)
 static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 {
 	int entries_per_copy = PAGE_SIZE / cqe_size;
+	size_t copy_bytes;
 	void *init_ents;
 	int err = 0;
 	int i;
@@ -314,8 +315,14 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 			buf += PAGE_SIZE;
 		}
 	} else {
+		copy_bytes = array_size(entries, cqe_size);
+		if (WARN_ON_ONCE(copy_bytes > PAGE_SIZE)) {
+			err = -EINVAL;
+			goto out;
+		}
+
 		err = copy_to_user((void __user *)buf, init_ents,
-				   array_size(entries, cqe_size)) ?
+				   copy_bytes) ?
 			-EFAULT : 0;
 	}
 
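
Review bot: The commit message says the scratch buffer is now sized to the actual copy length and that the WARN_ON_ONCE() guard runs before the buffer is allocated, but the hunks shown only add copy_bytes and place the guard in the else branch directly before copy_to_user(), leaving through `goto out`. Either the description should be trimmed to match, or the allocation change is missing from this backport; please also confirm that the `out` label frees init_ents.
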
-- 
2.53.0





* [PATCH 6.1 195/522] ipv6: mcast: Fix use-after-free when processing MLD queries
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 194/522] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 196/522] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Greg Kroah-Hartman
                   ` (327 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern, Ido Schimmel,
	Eric Dumazet, Jiayuan Chen, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@nvidia.com>

commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 upstream.

When processing an MLD query, a pointer to the multicast group address
is retrieved when initially parsing the packet. This pointer is later
dereferenced without being reloaded despite the fact that the skb header
might have been reallocated following the pskb_may_pull() calls, leading
to a use-after-free [1].

Fix by copying the multicast group address when the packet is initially
parsed.

[1]
BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118

Workqueue: mld mld_query_work
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
print_address_description.constprop.0 (mm/kasan/report.c:378)
print_report (mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:595)
__mld_query_work (net/ipv6/mcast.c:1512)
mld_query_work (net/ipv6/mcast.c:1563)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
</TASK>

[...]

Freed by task 118:
kasan_save_stack (mm/kasan/common.c:57)
kasan_save_track (mm/kasan/common.c:78)
kasan_save_free_info (mm/kasan/generic.c:584)
__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
pskb_expand_head (net/core/skbuff.c:2335)
__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
mld_query_work (net/ipv6/mcast.c:1563)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)

Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
Reported-by: Leo Lin <leo@depthfirst.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/mcast.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1392,9 +1392,9 @@ out:
 static void __mld_query_work(struct sk_buff *skb)
 {
 	struct mld2_query *mlh2 = NULL;
-	const struct in6_addr *group;
 	unsigned long max_delay;
 	struct inet6_dev *idev;
+	struct in6_addr group;
 	struct ifmcaddr6 *ma;
 	struct mld_msg *mld;
 	int group_type;
@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_b
 		goto kfree_skb;
 
 	mld = (struct mld_msg *)icmp6_hdr(skb);
-	group = &mld->mld_mca;
-	group_type = ipv6_addr_type(group);
+	group = mld->mld_mca;
+	group_type = ipv6_addr_type(&group);
 
 	if (group_type != IPV6_ADDR_ANY &&
 	    !(group_type&IPV6_ADDR_MULTICAST))
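
Review bot: Copying mld->mld_mca into the local `group` removes one stale pointer in __mld_query_work(), but `mld` itself is still a pointer into the skb header, taken from icmp6_hdr(skb) before the later pskb_may_pull() calls. Please confirm that `mld` is not read after those calls, or reload it, and add a comment here saying why the address is copied by value.
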
@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_b
 		}
 	} else {
 		for_each_mc_mclock(idev, ma) {
-			if (!ipv6_addr_equal(group, &ma->mca_addr))
+			if (!ipv6_addr_equal(&group, &ma->mca_addr))
 				continue;
 			if (ma->mca_flags & MAF_TIMER_RUNNING) {
 				/* gsquery <- gsquery && mark */
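
The stale-pointer pattern described in the commit message above, modelled in user space as an added example (it is not kernel code and not part of the patch). `struct pkt`, `pkt_may_pull()`, `run_model()` and the offsets are constructed stand-ins for the skb, pskb_may_pull() and the MLD header layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GROUP_OFF 8	/* constructed offset of the group address in the header */
#define GROUP_LEN 16	/* size of an IPv6 address */

/* Constructed stand-in for an skb: one heap block holding the header bytes. */
struct pkt {
	unsigned char *head;
	size_t len;
};

/*
 * Stand-in for pskb_may_pull(). To make the effect deterministic it always
 * moves the header into a new block and frees the old one.
 */
static int pkt_may_pull(struct pkt *p, size_t need)
{
	unsigned char *n;

	if (need > p->len)
		return 0;
	n = malloc(p->len);
	if (!n)
		return 0;
	memcpy(n, p->head, p->len);
	free(p->head);	/* every address taken from the old block is now stale */
	p->head = n;
	return 1;
}

struct outcome {
	int pulled;		/* pkt_may_pull() succeeded */
	int cached_addr_stale;	/* saved address lies outside the live header */
	int copy_intact;	/* by-value copy still equals the group address */
};

static struct outcome run_model(void)
{
	struct outcome r = { 0, 0, 0 };
	unsigned char group_copy[GROUP_LEN];
	uintptr_t cached, lo;
	struct pkt p;
	size_t i;

	p.len = 64;
	p.head = malloc(p.len);
	if (!p.head)
		return r;
	for (i = 0; i < p.len; i++)
		p.head[i] = (unsigned char)i;	/* constructed packet bytes */

	/*
	 * Old pattern: remember where the group address lives. The address is
	 * kept as an integer so the model never dereferences it after the free.
	 */
	cached = (uintptr_t)(p.head + GROUP_OFF);

	/* Fixed pattern: copy the address out while the header is still valid. */
	memcpy(group_copy, p.head + GROUP_OFF, GROUP_LEN);

	r.pulled = pkt_may_pull(&p, 32);

	/* The old and new blocks were live at the same time, so they are disjoint. */
	lo = (uintptr_t)p.head;
	r.cached_addr_stale = !(cached >= lo && cached < lo + p.len);
	r.copy_intact = memcmp(group_copy, p.head + GROUP_OFF, GROUP_LEN) == 0;

	free(p.head);
	return r;
}

int main(void)
{
	struct outcome r = run_model();

	printf("pulled=%d cached_addr_stale=%d copy_intact=%d\n",
	       r.pulled, r.cached_addr_stale, r.copy_intact);
	return 0;
}
```

Building the old pattern with a sanitizer and dereferencing the saved address instead of comparing it would produce a report of the same shape as the KASAN trace quoted in the commit message.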




* [PATCH 7.0 112/378] net: ibm: emac: Fix use-after-free during device removal
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 111/378] net/mlx4: avoid GCC 10 __bad_copy_from() false positive Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 113/378] netdev: fix double-free in netdev_nl_bind_rx_doit() Greg Kroah-Hartman
                   ` (266 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rosen Penev, Jacob Keller,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rosen Penev <rosenp@gmail.com>

[ Upstream commit a0130d682222ae21afc395aead7cd2d87e1a8358 ]

The driver was using devm_register_netdev() which causes unregister_netdev()
to be deferred until the devres cleanup phase, which runs after emac_remove()
returns. This creates a use-after-free window where:

1. emac_remove() is called, which tears down hardware (cancels work, detaches
   modules, unregisters from MAL)
2. emac_remove() returns
3. devres cleanup runs and finally calls unregister_netdev()

During step 3, the network stack might still process packets, triggering
emac_irq(), emac_poll(), or other handlers that access now-freed hardware
resources (dev->emacp, dev->mal, etc.).

Fix this by replacing devm_register_netdev() with manual register_netdev()
and calling unregister_netdev() at the beginning of emac_remove(), before
any hardware teardown. This ensures the network device is fully stopped and
unregistered before hardware resources are released.

The change is safe because:
- dev->ndev is assigned very early in probe (before any error paths that
  could bypass emac_remove)
- platform_set_drvdata() is only called after successful registration, so
  emac_remove() only runs for fully registered devices
- unregister_netdev() is idempotent and safe to call on any registered device

Fixes: a4dd8535a527 ("net: ibm: emac: use devm for register_netdev")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ibm/emac/core.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ibm/emac/core.c
index 417dfa18daae3a..4e503b3d0d2d34 100644
--- a/drivers/net/ethernet/ibm/emac/core.c
+++ b/drivers/net/ethernet/ibm/emac/core.c
@@ -3144,7 +3144,7 @@ static int emac_probe(struct platform_device *ofdev)
 
 	netif_carrier_off(ndev);
 
-	err = devm_register_netdev(&ofdev->dev, ndev);
+	err = register_netdev(ndev);
 	if (err) {
 		printk(KERN_ERR "%pOF: failed to register net device (%d)!\n",
 		       np, err);
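
Review bot: with devm_register_netdev() replaced by
"err = register_netdev(ndev);", nothing unregisters the netdev
automatically any more, so every failure path in emac_probe() after
this call has to do it by hand. The hunk shows only the failure of the
registration itself; the steps that follow (the commit message mentions
platform_set_drvdata() running after registration) are outside the
context. Please confirm no later step can fail and return without
unregister_netdev(ndev).
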
@@ -3197,6 +3197,13 @@ static void emac_remove(struct platform_device *ofdev)
 
 	DBG(dev, "remove" NL);
 
+	/* Unregister network device before tearing down hardware
+	 * to prevent use-after-free during deferred cleanup. This ensures
+	 * the network stack stops all operations before hardware resources
+	 * are released.
+	 */
+	unregister_netdev(dev->ndev);
+
 	cancel_work_sync(&dev->reset_work);
 
 	if (emac_has_feature(dev, EMAC_FTR_HAS_TAH))
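
Review bot: the new comment above "unregister_netdev(dev->ndev);"
explains the call in terms of "deferred cleanup", which is the devm
behaviour this patch removes, so it will read as stale once applied.
Suggest stating the ordering rule instead: the netdev must be
unregistered before the hardware is torn down because its handlers use
dev->emacp and dev->mal. This also puts unregister_netdev() ahead of
"cancel_work_sync(&dev->reset_work);", so reset_work can still be
pending while the device is being closed; a word on why that is safe
would help.
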
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 196/522] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 195/522] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 197/522] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
                   ` (326 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nicolò Coccia, Dust Li,
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolò Coccia <n.coccia96@gmail.com>

commit a3fdd924d88c30b9f488636ce0e4696012cf5511 upstream.

A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/smc/af_smc.c |   17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -2947,18 +2947,17 @@ static int __smc_setsockopt(struct socke
 
 	smc = smc_sk(sk);
 
+	/* pre-fetch user data outside the lock */
+	if (optname == SMC_LIMIT_HS) {
+		if (optlen < sizeof(int))
+			return -EINVAL;
+		if (copy_from_sockptr(&val, optval, sizeof(int)))
+			return -EFAULT;
+	}
+
 	lock_sock(sk);
 	switch (optname) {
 	case SMC_LIMIT_HS:
-		if (optlen < sizeof(int)) {
-			rc = -EINVAL;
-			break;
-		}
-		if (copy_from_sockptr(&val, optval, sizeof(int))) {
-			rc = -EFAULT;
-			break;
-		}
-
 		smc->limit_smc_hs = !!val;
 		rc = 0;
 		break;
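
Review bot: the comment "/* pre-fetch user data outside the lock */"
does not say why, and that is the part a later change needs to know.
Per the commit message, copy_from_sockptr() can be stalled by the
caller (userfaultfd or FUSE-backed memory), so it must never run under
lock_sock(sk). Suggest saying so in the comment, since the
"optname == SMC_LIMIT_HS" test now lives outside the switch and any
option added to the switch later has to follow the same pattern. val is
only assigned on that path, which is fine as long as no other case
reads it.
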



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 113/378] netdev: fix double-free in netdev_nl_bind_rx_doit()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 112/378] net: ibm: emac: Fix use-after-free during device removal Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 114/378] net: phy: clean the sfp upstream if phy probing fails Greg Kroah-Hartman
                   ` (265 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Bobby Eshleman,
	Daniel Borkmann, Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit c849de7d8757a7af801fc4a4058f71d481d367f2 ]

Sashiko flags that genlmsg_reply() always consumes the skb.
The error path calls nlmsg_free(rsp) so we can't jump directly
to it. Let's not unbind, just propagate the error to the user.
This is the typical way of handling genlmsg_reply() failures.
They shouldn't happen unless user does something silly like
calling the kernel with an already-full rcvbuf.

Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 170aafe35cb9 ("netdev: support binding dma-buf to netdevice")
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/netdev-genl.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c
index 470fabbeacd9bd..93ea09bd1e7bab 100644
--- a/net/core/netdev-genl.c
+++ b/net/core/netdev-genl.c
@@ -1019,8 +1019,6 @@ int netdev_nl_bind_rx_doit(struct sk_buff *skb, struct genl_info *info)
 	genlmsg_end(rsp, hdr);
 
 	err = genlmsg_reply(rsp, info);
-	if (err)
-		goto err_unbind;
 
 	bitmap_free(rxq_bitmap);
 
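
Review bot: after this change the result of
"err = genlmsg_reply(rsp, info);" is not looked at until the return
several lines later, and the binding stays in place on failure. That is
the intent per the commit message, but nothing in the code says so. A
short comment here that genlmsg_reply() consumes rsp, so the err_unbind
path (which frees rsp) must not be taken, would stop the check from
being added back.
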
@@ -1028,7 +1026,7 @@ int netdev_nl_bind_rx_doit(struct sk_buff *skb, struct genl_info *info)
 
 	mutex_unlock(&priv->lock);
 
-	return 0;
+	return err < 0 ? err : 0;
 
 err_unbind:
 	net_devmem_unbind_dmabuf(binding);
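
Review bot: "return err < 0 ? err : 0;" suggests genlmsg_reply() can
return a positive value. If it returns only 0 or a negative errno,
plain "return err;" says the same thing more directly; if positive
values are possible, a comment naming that case would help.
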
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 197/522] tee: optee: prevent use-after-free when the client exits before the supplicant
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 196/522] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 198/522] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
                   ` (325 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amirreza Zarrabi, Ox Yeh, Sumit Garg,
	Jens Wiklander, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>

[ Upstream commit 387a926ee166814611acecb960207fe2f3c4fd3e ]

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
client wait as killable so it can be interrupted during shutdown or
after a supplicant crash. This changes the original lifetime expectations:
the client task can now terminate while the supplicant is still processing
its request.

If the client exits first it removes the request from its queue and
kfree()s it, while the request ID remains in supp->idr. A subsequent
lookup on the supplicant path then dereferences freed memory, leading to
a use-after-free.

Serialise access to the request with supp->mutex:

  * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
    looking up and touching the request.
  * Let optee_supp_thrd_req() notice that the client has terminated and
    signal optee_supp_send() accordingly.

With these changes the request cannot be freed while the supplicant still
has a reference, eliminating the race.

Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop")
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
Tested-by: Ox Yeh <ox.yeh@mediatek.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tee/optee/supp.c | 107 +++++++++++++++++++++++++++------------
 1 file changed, 74 insertions(+), 33 deletions(-)

diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c
index d0f397c9024201..2386bbd38ce78b 100644
--- a/drivers/tee/optee/supp.c
+++ b/drivers/tee/optee/supp.c
@@ -10,7 +10,11 @@
 struct optee_supp_req {
 	struct list_head link;
 
+	int id;
+
 	bool in_queue;
+	bool processed;
+
 	u32 func;
 	u32 ret;
 	size_t num_params;
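
Review bot: the new fields "int id;" and "bool processed;" are added
without any description, yet the rest of the patch depends on their
exact meaning: together with in_queue they encode whether the request
is queued, handed to the supplicant, or answered. Suggest a comment on
the struct listing those states and stating that all of them are
protected by supp->mutex.
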
@@ -19,6 +23,9 @@ struct optee_supp_req {
 	struct completion c;
 };
 
+/* It is temporary request used for revoked pending request in supp->idr. */
+#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-EBADF))
+
 void optee_supp_init(struct optee_supp *supp)
 {
 	memset(supp, 0, sizeof(*supp));
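
Review bot: the comment on INVALID_REQ_PTR is hard to parse ("It is
temporary request used for revoked pending request"). Suggest wording
along the lines of "placeholder stored in supp->idr for a request whose
client was killed while the supplicant was processing it". It would
also help to note that -EBADF is the errno optee_supp_send() ends up
returning for such an ID, since supp_pop_req() returns the placeholder
and the caller passes it through PTR_ERR() unchanged.
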
@@ -39,21 +46,23 @@ void optee_supp_release(struct optee_supp *supp)
 {
 	int id;
 	struct optee_supp_req *req;
-	struct optee_supp_req *req_tmp;
 
 	mutex_lock(&supp->mutex);
 
-	/* Abort all request retrieved by supplicant */
+	/* Abort all request */
 	idr_for_each_entry(&supp->idr, req, id) {
 		idr_remove(&supp->idr, id);
-		req->ret = TEEC_ERROR_COMMUNICATION;
-		complete(&req->c);
-	}
+		/* Skip if request was already marked invalid */
+		if (IS_ERR(req))
+			continue;
 
-	/* Abort all queued requests */
-	list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) {
-		list_del(&req->link);
-		req->in_queue = false;
+		/* For queued requests where supplicant has not seen it */
+		if (req->in_queue) {
+			list_del(&req->link);
+			req->in_queue = false;
+		}
+
+		req->processed = true;
 		req->ret = TEEC_ERROR_COMMUNICATION;
 		complete(&req->c);
 	}
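
Review bot: optee_supp_release() no longer walks supp->reqs; it reaches
queued requests only through
"idr_for_each_entry(&supp->idr, req, id)". That is correct only because
optee_supp_thrd_req() now inserts every request into the idr before
queueing it. Please state that invariant in the comment (the new
"Abort all request" also wants a plural), otherwise a request that is
on the list but not in the idr would be left waiting.
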
@@ -100,8 +109,16 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
 
 	/* Insert the request in the request list */
 	mutex_lock(&supp->mutex);
+	req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
+	if (req->id < 0) {
+		mutex_unlock(&supp->mutex);
+		kfree(req);
+		return TEEC_ERROR_OUT_OF_MEMORY;
+	}
+
 	list_add_tail(&req->link, &supp->reqs);
 	req->in_queue = true;
+	req->processed = false;
 	mutex_unlock(&supp->mutex);
 
 	/* Tell an eventual waiter there's a new request */
@@ -117,21 +134,43 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
 	if (wait_for_completion_killable(&req->c)) {
 		mutex_lock(&supp->mutex);
 		if (req->in_queue) {
+			/* Supplicant has not seen this request yet. */
+			idr_remove(&supp->idr, req->id);
 			list_del(&req->link);
 			req->in_queue = false;
+
+			ret = TEEC_ERROR_COMMUNICATION;
+		} else if (req->processed) {
+			/*
+			 * Supplicant has processed this request. Ignore the
+			 * kill signal for now and submit the result. req is not
+			 * in supp->reqs (removed by supp_pop_entry()) nor in
+			 * supp->idr (removed by supp_pop_req()).
+			 */
+			ret = req->ret;
+		} else {
+			/*
+			 * Supplicant is in the middle of processing this
+			 * request. Replace req with INVALID_REQ_PTR so that
+			 * the ID remains busy, causing optee_supp_send() to
+			 * fail on the next call to supp_pop_req() with this ID.
+			 */
+			idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);
+			ret = TEEC_ERROR_COMMUNICATION;
 		}
+
 		mutex_unlock(&supp->mutex);
-		req->ret = TEEC_ERROR_COMMUNICATION;
+	} else {
+		ret = req->ret;
 	}
 
-	ret = req->ret;
 	kfree(req);
 
 	return ret;
 }
 
 static struct optee_supp_req  *supp_pop_entry(struct optee_supp *supp,
-					      int num_params, int *id)
+					      int num_params)
 {
 	struct optee_supp_req *req;
 
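
Review bot: in the last branch of the killed-client handling, the
return value of "idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);" is
dropped. If the ID were ever missing from the idr at this point, the
placeholder would not be installed and the broken invariant would go
unnoticed. A WARN_ON(IS_ERR(...)) on the result documents that the
entry is expected to be present. The "else if (req->processed)" branch
could also say that req->ret is trusted there only because
optee_supp_send() sets both fields under supp->mutex.
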
@@ -153,10 +192,6 @@ static struct optee_supp_req  *supp_pop_entry(struct optee_supp *supp,
 		return ERR_PTR(-EINVAL);
 	}
 
-	*id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
-	if (*id < 0)
-		return ERR_PTR(-ENOMEM);
-
 	list_del(&req->link);
 	req->in_queue = false;
 
@@ -214,7 +249,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 	struct optee *optee = tee_get_drvdata(teedev);
 	struct optee_supp *supp = &optee->supp;
 	struct optee_supp_req *req = NULL;
-	int id;
 	size_t num_meta;
 	int rc;
 
@@ -224,15 +258,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 
 	while (true) {
 		mutex_lock(&supp->mutex);
-		req = supp_pop_entry(supp, *num_params - num_meta, &id);
+		req = supp_pop_entry(supp, *num_params - num_meta);
+		if (req)
+			break; /* Keep mutex held. */
 		mutex_unlock(&supp->mutex);
 
-		if (req) {
-			if (IS_ERR(req))
-				return PTR_ERR(req);
-			break;
-		}
-
 		/*
 		 * If we didn't get a request we'll block in
 		 * wait_for_completion() to avoid needless spinning.
@@ -245,6 +275,13 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 			return -ERESTARTSYS;
 	}
 
+	/* supp->mutex held and req != NULL. */
+
+	if (IS_ERR(req)) {
+		mutex_unlock(&supp->mutex);
+		return PTR_ERR(req);
+	}
+
 	if (num_meta) {
 		/*
 		 * tee-supplicant support meta parameters -> requsts can be
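
Review bot: "/* supp->mutex held and req != NULL. */" states a locking
precondition in a comment only. The loop above now leaves via break
with the mutex held, which is easy to get wrong when the function is
edited later; lockdep_assert_held(&supp->mutex) at this point would
have the kernel check it. Every return from here on has to drop the
mutex, as the new IS_ERR(req) block does.
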
@@ -252,13 +289,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 		 */
 		param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
 			      TEE_IOCTL_PARAM_ATTR_META;
-		param->u.value.a = id;
+		param->u.value.a = req->id;
 		param->u.value.b = 0;
 		param->u.value.c = 0;
 	} else {
-		mutex_lock(&supp->mutex);
-		supp->req_id = id;
-		mutex_unlock(&supp->mutex);
+		supp->req_id = req->id;
 	}
 
 	*func = req->func;
@@ -266,6 +301,7 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
 	memcpy(param + num_meta, req->param,
 	       sizeof(struct tee_param) * req->num_params);
 
+	mutex_unlock(&supp->mutex);
 	return 0;
 }
 
@@ -297,12 +333,17 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
 	if (!req)
 		return ERR_PTR(-ENOENT);
 
+	/* optee_supp_thrd_req() already returned to optee. */
+	if (IS_ERR(req))
+		goto failed_req;
+
 	if ((num_params - nm) != req->num_params)
 		return ERR_PTR(-EINVAL);
 
+	*num_meta = nm;
+failed_req:
 	idr_remove(&supp->idr, id);
 	supp->req_id = -1;
-	*num_meta = nm;
 
 	return req;
 }
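
Review bot: the label "failed_req:" is also reached by falling through
on the success path, where it removes the ID and resets supp->req_id,
so the name is misleading. Suggest a neutral name, or handling the
IS_ERR(req) case with its own idr_remove() and an explicit return. Note
too that the unchanged "return ERR_PTR(-EINVAL);" above the label
leaves the ID in the idr; if that is intended so the supplicant can
retry, a comment would help.
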
@@ -328,10 +369,9 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
 
 	mutex_lock(&supp->mutex);
 	req = supp_pop_req(supp, num_params, param, &num_meta);
-	mutex_unlock(&supp->mutex);
-
 	if (IS_ERR(req)) {
-		/* Something is wrong, let supplicant restart. */
+		mutex_unlock(&supp->mutex);
+		/* Something is wrong, let supplicant handel it. */
 		return PTR_ERR(req);
 	}
 
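
Review bot: typo in the rewritten comment: "let supplicant handel it"
should read "handle".
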
@@ -355,9 +395,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
 		}
 	}
 	req->ret = ret;
-
+	req->processed = true;
 	/* Let the requesting thread continue */
 	complete(&req->c);
+	mutex_unlock(&supp->mutex);
 
 	return 0;
 }
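
Review bot: once "complete(&req->c);" has run, the client may return
from optee_supp_thrd_req() and kfree() the request, so nothing after
that line may touch req. The added "mutex_unlock(&supp->mutex);" is
fine because it only uses supp, but a one-line comment saying so would
protect against later additions. The blank line that used to separate
"req->ret = ret;" from the comment was also dropped; keeping it reads
better.
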
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 114/378] net: phy: clean the sfp upstream if phy probing fails
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 113/378] netdev: fix double-free in netdev_nl_bind_rx_doit() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 115/378] net: phy: remove phy ports upon probe failure Greg Kroah-Hartman
                   ` (264 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nicolai Buchwitz, Maxime Chevallier,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit 48774e87bbaa0056819d4b52301e4692e50e3252 ]

Sashiko reported that we don't call sfp_bus_del_upstream() in the probe
failure path, so let's add it, otherwise the sfp-bus is left with a
dangling 'upstream' field, that may be used later on during SFP events.

This issue existed before the generic phylib sfp support, back when
drivers were calling phy_sfp_probe themselves.

Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Fixes: 298e54fa810e ("net: phy: add core phylib sfp support")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260604092819.723505-2-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phy_device.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index cfb505ed9a3a09..c6722592f8672a 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1710,6 +1710,9 @@ static int phy_sfp_probe(struct phy_device *phydev)
 
 		ret = sfp_bus_add_upstream(bus, phydev, &sfp_phydev_ops);
 		sfp_bus_put(bus);
+
+		if (ret)
+			phydev->sfp_bus = NULL;
 	}
 
 	if (!ret && phydev->sfp_bus)
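
Review bot: "phydev->sfp_bus = NULL;" on failure of
sfp_bus_add_upstream() carries no comment, and its purpose is only
clear from the second hunk: the out: path in phy_probe() now calls
sfp_bus_del_upstream(phydev->sfp_bus) unconditionally, and the
reference was already dropped by "sfp_bus_put(bus);". A short comment
to that effect would keep the two sites in sync.
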
@@ -3791,6 +3794,9 @@ static int phy_probe(struct device *dev)
 	return 0;
 
 out:
+	sfp_bus_del_upstream(phydev->sfp_bus);
+	phydev->sfp_bus = NULL;
+
 	if (!phydev->is_on_sfp_module)
 		phy_led_triggers_unregister(phydev);
 
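
Review bot: "sfp_bus_del_upstream(phydev->sfp_bus);" under out: runs on
every probe failure, including ones where no SFP bus was ever attached
or where phy_sfp_probe() has just cleared the pointer. That relies on
sfp_bus_del_upstream() accepting NULL; please confirm that for this
tree, or guard the call with a check on phydev->sfp_bus.
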
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 198/522] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 197/522] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 199/522] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
                   ` (324 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
	Florian Westphal, Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fernando Fernandez Mancera <fmancera@suse.de>

[ Upstream commit c6c5327dd18bec1e1bbf139b2cf5ae53608a9d30 ]

With PREEMPT_RCU this triggers a splat because smp_processor_id() can be
preempted while inside a RCU critical section. If xt_NFQUEUE target is
invoked via nft_compat_eval() path, we are inside a RCU critical
section.

Just use the raw version instead.

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/xt_NFQUEUE.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 466da23e36ff47..b32d153e3a1862 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -91,7 +91,7 @@ nfqueue_tg_v3(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if (info->queues_total > 1) {
 		if (info->flags & NFQ_FLAG_CPU_FANOUT) {
-			int cpu = smp_processor_id();
+			int cpu = raw_smp_processor_id();
 
 			queue = info->queuenum + cpu % info->queues_total;
 		} else {
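
Review bot: raw_smp_processor_id() turns off the preemption debug
check, so the reason it is acceptable should sit next to the call. Here
the CPU number is only used to spread packets over queues in
"queue = info->queuenum + cpu % info->queues_total;", so a value that
is stale after migration just picks a different queue. Suggest a
one-line comment saying that.
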
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 115/378] net: phy: remove phy ports upon probe failure
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 114/378] net: phy: clean the sfp upstream if phy probing fails Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 116/378] net: phy: Clean the phy_ports after unregistering the downstream SFP bus Greg Kroah-Hartman
                   ` (263 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nicolai Buchwitz, Maxime Chevallier,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit b1e780bb37c641d8291c51d7b4bde33450d18fb4 ]

When phy_probe fails, let's clean the phy_ports that were successfully
added already.

Suggested-by: Nicolai Buchwitz <nb@tipi-net.de>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Fixes: 589e934d2735 ("net: phy: Introduce PHY ports representation")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260604092819.723505-3-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phy_device.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index c6722592f8672a..111e3f3deb96f4 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -3797,6 +3797,8 @@ static int phy_probe(struct device *dev)
 	sfp_bus_del_upstream(phydev->sfp_bus);
 	phydev->sfp_bus = NULL;
 
+	phy_cleanup_ports(phydev);
+
 	if (!phydev->is_on_sfp_module)
 		phy_led_triggers_unregister(phydev);
 
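
Review bot: "phy_cleanup_ports(phydev);" is placed on the shared out:
path, so it also runs when probing failed before any port was added,
while the commit message speaks only of ports "that were successfully
added already". Please confirm phy_cleanup_ports() is safe on a phydev
with no ports. The placement after sfp_bus_del_upstream() matches the
order patch 116 of this series establishes in phy_remove(); a comment
recording that dependency would be useful here too.
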
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 199/522] ipvs: clear the svc scheduler ptr early on edit
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 198/522] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 200/522] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
                   ` (323 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Julian Anastasov, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Anastasov <ja@ssi.bg>

[ Upstream commit 193989cc6d80dd8e0460fb3992e69fa03bf0ff9b ]

ip_vs_edit_service() while unbinding the old scheduler clears
the svc->scheduler ptr after the scheduler module initiates
RCU callbacks. This can cause packets to use the old
scheduler at the time when svc->sched_data is already freed
after RCU grace period.

Fix it by clearing the ptr early in ip_vs_unbind_scheduler(),
before the done_service method schedules any RCU callbacks.

Also, if the new scheduler fails to initialize when replacing
the old scheduler, try to restore the old scheduler while still
returning the error code.

Link: https://sashiko.dev/#/patchset/20260519015506.634185-1-rosenp%40gmail.com
Fixes: 05f00505a89a ("ipvs: fix crash if scheduler is changed")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/ip_vs.h              |  3 +--
 net/netfilter/ipvs/ip_vs_ctl.c   | 13 ++++++++-----
 net/netfilter/ipvs/ip_vs_sched.c | 14 +++++++-------
 3 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index abc46f05762e6b..0b175ecd9562bd 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -1407,8 +1407,7 @@ int register_ip_vs_scheduler(struct ip_vs_scheduler *scheduler);
 int unregister_ip_vs_scheduler(struct ip_vs_scheduler *scheduler);
 int ip_vs_bind_scheduler(struct ip_vs_service *svc,
 			 struct ip_vs_scheduler *scheduler);
-void ip_vs_unbind_scheduler(struct ip_vs_service *svc,
-			    struct ip_vs_scheduler *sched);
+void ip_vs_unbind_scheduler(struct ip_vs_service *svc);
 struct ip_vs_scheduler *ip_vs_scheduler_get(const char *sched_name);
 void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler);
 struct ip_vs_conn *
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6cc50f05c46c15..15a083dd459737 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1415,7 +1415,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
 	if (ret_hooks >= 0)
 		ip_vs_unregister_hooks(ipvs, u->af);
 	if (svc != NULL) {
-		ip_vs_unbind_scheduler(svc, sched);
+		ip_vs_unbind_scheduler(svc);
 		ip_vs_service_free(svc);
 	}
 	ip_vs_scheduler_put(sched);
@@ -1477,9 +1477,8 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
 	old_sched = rcu_dereference_protected(svc->scheduler, 1);
 	if (sched != old_sched) {
 		if (old_sched) {
-			ip_vs_unbind_scheduler(svc, old_sched);
-			RCU_INIT_POINTER(svc->scheduler, NULL);
-			/* Wait all svc->sched_data users */
+			ip_vs_unbind_scheduler(svc);
+			/* Wait all svc->scheduler/sched_data users */
 			synchronize_rcu();
 		}
 		/* Bind the new scheduler */
@@ -1487,6 +1486,10 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
 			ret = ip_vs_bind_scheduler(svc, sched);
 			if (ret) {
 				ip_vs_scheduler_put(sched);
+				/* Try to restore the old_sched */
+				if (old_sched &&
+				    !ip_vs_bind_scheduler(svc, old_sched))
+					old_sched = NULL;
 				goto out;
 			}
 		}
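
Review bot: in the new restore path, "old_sched = NULL;" after a
successful ip_vs_bind_scheduler(svc, old_sched) is a side effect that
the code after out: (outside this hunk) presumably depends on, so that
the restored scheduler is not released. Please say so in the comment.
If the restore itself fails, the service is left with no scheduler and
only the original error is reported; a log message for that case would
help whoever has to debug it.
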
@@ -1543,7 +1546,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
 
 	/* Unbind scheduler */
 	old_sched = rcu_dereference_protected(svc->scheduler, 1);
-	ip_vs_unbind_scheduler(svc, old_sched);
+	ip_vs_unbind_scheduler(svc);
 	ip_vs_scheduler_put(old_sched);
 
 	/* Unbind persistence engine, keep svc->pe */
diff --git a/net/netfilter/ipvs/ip_vs_sched.c b/net/netfilter/ipvs/ip_vs_sched.c
index d4903723be7e90..49b2e5d2b2c837 100644
--- a/net/netfilter/ipvs/ip_vs_sched.c
+++ b/net/netfilter/ipvs/ip_vs_sched.c
@@ -57,19 +57,19 @@ int ip_vs_bind_scheduler(struct ip_vs_service *svc,
 /*
  *  Unbind a service with its scheduler
  */
-void ip_vs_unbind_scheduler(struct ip_vs_service *svc,
-			    struct ip_vs_scheduler *sched)
+void ip_vs_unbind_scheduler(struct ip_vs_service *svc)
 {
-	struct ip_vs_scheduler *cur_sched;
+	struct ip_vs_scheduler *sched;
 
-	cur_sched = rcu_dereference_protected(svc->scheduler, 1);
-	/* This check proves that old 'sched' was installed */
-	if (!cur_sched)
+	sched = rcu_dereference_protected(svc->scheduler, 1);
+	if (!sched)
 		return;
 
+	/* Reset the scheduler before initiating any RCU callbacks */
+	rcu_assign_pointer(svc->scheduler, NULL);
+	smp_wmb();	/* paired with smp_rmb() in ip_vs_schedule() */
 	if (sched->done_service)
 		sched->done_service(svc);
-	/* svc->scheduler can be set to NULL only by caller */
 }
 
 
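
Review bot: the barrier comment on "smp_wmb();" names an smp_rmb() in
ip_vs_schedule(), but no hunk in this patch touches ip_vs_schedule().
For the 6.1 backport, please check that the paired barrier actually
exists in this tree; without it the comment is misleading. Separately,
since the stored value is NULL, RCU_INIT_POINTER(svc->scheduler, NULL),
which the removed caller code used, would do the same job as
rcu_assign_pointer() here.
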
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 116/378] net: phy: Clean the phy_ports after unregistering the downstream SFP bus
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 115/378] net: phy: remove phy ports upon probe failure Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 117/378] net: phy: dont try to setup PHY-driven SFP cages when using genphy Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Nicolai Buchwitz,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit 4497f5028675b7e51c4aa59c3f4df01f29424277 ]

As reported by sashiko when looking at other patches, we need to ensure
that the downstream SFP bus gets unregistered prior to destroying the
phy_ports attached to a phy_device, as the SFP code may reference these
ports. Let's make sure we follow that ordering in phy_remove().

Fixes: 589e934d2735 ("net: phy: Introduce PHY ports representation")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260604092819.723505-4-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phy_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 111e3f3deb96f4..8b7e2789047694 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -3822,11 +3822,11 @@ static int phy_remove(struct device *dev)
 
 	phydev->state = PHY_DOWN;
 
-	phy_cleanup_ports(phydev);
-
 	sfp_bus_del_upstream(phydev->sfp_bus);
 	phydev->sfp_bus = NULL;
 
+	phy_cleanup_ports(phydev);
+
 	if (phydev->drv && phydev->drv->remove)
 		phydev->drv->remove(phydev);
 
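Review bot: the order of sfp_bus_del_upstream() and phy_cleanup_ports() in phy_remove() is now load-bearing, but nothing in the code says so. A one-line comment above the moved `phy_cleanup_ports(phydev);` stating that the SFP bus must be unregistered first because the SFP code may reference the ports would keep a later cleanup from swapping them back. It is also worth confirming that `phydev->drv->remove(phydev)`, which still runs after the ports are destroyed, does not touch them.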
-- 
2.53.0





* [PATCH 6.1 200/522] netfilter: synproxy: add mutex to guard hook reference counting
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 199/522] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 201/522] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
                   ` (322 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
	Florian Westphal, Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fernando Fernandez Mancera <fmancera@suse.de>

[ Upstream commit 2fcba19caaeb2a33017459d3430f057967bb91b6 ]

As the synproxy infrastructure registers netfilter hooks on-demand when a
user adds the first iptables target or nftables expression, if done
concurrently they can race each other.

Introduce a mutex to serialize the refcount control blocks access from
both frontends. While a per namespace mutex might be more efficient, it
is not needed for target/expression like SYNPROXY.

Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_synproxy_core.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index f5a52075691faa..500a90311ed505 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -21,6 +21,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_synproxy.h>
 
+static DEFINE_MUTEX(synproxy_mutex);
+
 unsigned int synproxy_net_id;
 EXPORT_SYMBOL_GPL(synproxy_net_id);
 
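Review bot: synproxy_mutex is declared at file scope with no comment saying what it guards. The counters it protects, hook_ref4 and hook_ref6, are reached through the struct synproxy_net passed to each init/fini call, so this one lock serializes hook registration for every caller. A short comment on the `static DEFINE_MUTEX(synproxy_mutex);` line naming those fields and noting that the global scope is deliberate would stop a later reader from treating it as an oversight.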
@@ -768,26 +770,31 @@ static const struct nf_hook_ops ipv4_synproxy_ops[] = {
 
 int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net)
 {
-	int err;
+	int err = 0;
 
+	mutex_lock(&synproxy_mutex);
 	if (snet->hook_ref4 == 0) {
 		err = nf_register_net_hooks(net, ipv4_synproxy_ops,
 					    ARRAY_SIZE(ipv4_synproxy_ops));
 		if (err)
-			return err;
+			goto out;
 	}
 
 	snet->hook_ref4++;
-	return 0;
+out:
+	mutex_unlock(&synproxy_mutex);
+	return err;
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv4_init);
 
 void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net)
 {
+	mutex_lock(&synproxy_mutex);
 	snet->hook_ref4--;
 	if (snet->hook_ref4 == 0)
 		nf_unregister_net_hooks(net, ipv4_synproxy_ops,
 					ARRAY_SIZE(ipv4_synproxy_ops));
+	mutex_unlock(&synproxy_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv4_fini);
 
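Review bot: in nf_synproxy_ipv4_fini() the decrement `snet->hook_ref4--` is still unconditional, so an unbalanced fini call moves the counter past zero and the `== 0` test that triggers nf_unregister_net_hooks() no longer behaves as intended. Now that the counter is only touched under synproxy_mutex, a `WARN_ON_ONCE(snet->hook_ref4 == 0)` guard ahead of the decrement would be cheap and free of races.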
@@ -1192,27 +1199,32 @@ static const struct nf_hook_ops ipv6_synproxy_ops[] = {
 int
 nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net)
 {
-	int err;
+	int err = 0;
 
+	mutex_lock(&synproxy_mutex);
 	if (snet->hook_ref6 == 0) {
 		err = nf_register_net_hooks(net, ipv6_synproxy_ops,
 					    ARRAY_SIZE(ipv6_synproxy_ops));
 		if (err)
-			return err;
+			goto out;
 	}
 
 	snet->hook_ref6++;
-	return 0;
+out:
+	mutex_unlock(&synproxy_mutex);
+	return err;
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_init);
 
 void
 nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net)
 {
+	mutex_lock(&synproxy_mutex);
 	snet->hook_ref6--;
 	if (snet->hook_ref6 == 0)
 		nf_unregister_net_hooks(net, ipv6_synproxy_ops,
 					ARRAY_SIZE(ipv6_synproxy_ops));
+	mutex_unlock(&synproxy_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_fini);
 #endif /* CONFIG_IPV6 */
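Review bot: nf_synproxy_ipv6_init() and nf_synproxy_ipv6_fini() repeat the IPv4 lock, check, register and goto-out sequence line for line, differing only in hook_ref6 and ipv6_synproxy_ops. A small static helper taking the counter pointer and the ops array would keep the locking rule in one place, so a future change to the error path cannot be applied to one family and missed in the other.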
-- 
2.53.0





* [PATCH 7.0 117/378] net: phy: dont try to setup PHY-driven SFP cages when using genphy
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 116/378] net: phy: Clean the phy_ports after unregistering the downstream SFP bus Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 118/378] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nicolai Buchwitz, Maxime Chevallier,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit 5a0082ec20a05ef2378410323a5089a8f1786f4a ]

We don't have support for PHY-driver SFP cages with the genphy code.

On top of that, it was found by sashiko that running
sfp_bus_add_upstream() for genphy deadlocks, as for genphy the PHY
probing runs under RTNL, which isn't the case for non-genphy drivers.

This problem was reproduced, and does lead to a deadlock on RTNL.

Before the blamed commit, the phy_sfp_probe() call was made by
individual PHY drivers, so there was no way to get to the SFP probing
path when using genphy.

Let's therefore only run phy_sfp_probe when not using genphy.

Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Fixes: bad869b5e41a ("net: phy: Only rely on phy_port for PHY-driven SFP")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260604092819.723505-5-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phy_device.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 8b7e2789047694..830d6fb36c6409 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -3528,9 +3528,15 @@ static int phy_setup_ports(struct phy_device *phydev)
 	if (ret)
 		return ret;
 
-	ret = phy_sfp_probe(phydev);
-	if (ret)
-		goto out;
+	/* We don't support SFP with genphy drivers. Also, genphy driver
+	 * binding occurs with RTNL help, which will deadlock the call to
+	 * sfp_bus_add_upstream().
+	 */
+	if (!phydev->is_genphy_driven) {
+		ret = phy_sfp_probe(phydev);
+		if (ret)
+			goto out;
+	}
 
 	if (phydev->n_ports < phydev->max_n_ports) {
 		ret = phy_default_setup_single_port(phydev);
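Review bot: the new comment says genphy binding "occurs with RTNL help", which looks like a typo for "held"; the commit message describes the genphy probe as running under RTNL. This comment is the only in-code record of the deadlock, so it should be exact. The skip is also silent: when `phydev->is_genphy_driven` is set, phy_sfp_probe() is never attempted and nothing is logged, so a board that describes an SFP cage behind a genphy-driven PHY gets no hint why the cage is ignored. A phydev_dbg() in the skipped branch would help.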
-- 
2.53.0





* [PATCH 6.1 201/522] netfilter: conntrack_irc: fix possible out-of-bounds read
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 200/522] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 202/522] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
                   ` (321 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal,
	Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 66eba0ffce3b7e11449946b4cbbef8ea36112f56 ]

When parsing fails after we've matched the command string we
should bail out instead of trying to match a different command.

This helper should be deprecated, given prevalence of TLS I doubt it has
any relevance in 2026.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Closes: https://sashiko.dev/#/patchset/20260525182924.28456-1-fw%40strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_irc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 5703846bea3b69..0f50ea92ced9df 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -208,7 +208,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 			if (parse_dcc(data, data_limit, &dcc_ip,
 				       &dcc_port, &addr_beg_p, &addr_end_p)) {
 				pr_debug("unable to parse dcc command\n");
-				continue;
+				goto out;
 			}
 
 			pr_debug("DCC bound ip/port: %pI4:%u\n",
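Review bot: the `goto out` after a failed parse_dcc() depends on the value `ret` holds when control reaches the `out` label, and both are outside this hunk. Please confirm that `ret` is still the default verdict at this point, so a malformed DCC line ends the scan without changing what happens to the packet. A one-line comment explaining why the loop must not go on matching other commands after a partial match would also help.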
@@ -222,7 +222,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 				net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
 						     &tuple->src.u3.ip,
 						     &dcc_ip, dcc_port);
-				continue;
+				goto out;
 			}
 
 			exp = nf_ct_expect_alloc(ct);
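Review bot: the forged-command branch gets the same `continue` to `goto out` change, but the commit message only motivates the parse-failure case ("When parsing fails after we've matched the command string"). If the out-of-bounds read can also be reached by continuing the scan after the "Forged DCC command" warning, the message should say so; otherwise this second change needs its own justification.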
-- 
2.53.0





* [PATCH 7.0 118/378] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 117/378] net: phy: dont try to setup PHY-driven SFP cages when using genphy Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 119/378] net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Simon Horman,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingyu Wang <25181214217@stu.xidian.edu.cn>

[ Upstream commit a2171131ecda1ed61a594a1eb715e75fdad0fef5 ]

In qrtr_port_remove(), the socket reference count is decremented via
__sock_put() before the port is removed from the qrtr_ports XArray and
before the RCU grace period elapses.

This breaks the fundamental RCU update paradigm. It exposes a race
window where a concurrent RCU reader (such as qrtr_reset_ports() or
qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
and attempt to call sock_hold() on a socket whose reference count has
already dropped to zero.

This exact race condition was hit during syzkaller fuzzing, leading to
the following refcount saturation warning and a potential Use-After-Free:

  refcount_t: saturated; leaking memory.
  WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
  Modules linked in: qrtr(+) bochs drm_shmem_helper ...
  Call Trace:
   <TASK>
   qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
   __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
   qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
   kernel_bind+0xe4/0x120 net/socket.c:3592
   qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
   qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
   do_one_initcall+0xf5/0x5e0 init/main.c:1283
   ...
   </TASK>

Fix this by deferring the reference count decrement until after the
xa_erase() and the synchronize_rcu() complete.

(Note: The v1 of this patch incorrectly replaced __sock_put() with
sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()
still hold a reference to the socket, so freeing the socket memory here
would lead to a subsequent UAF in the caller. Thus, the __sock_put() is
kept, but only repositioned to close the RCU race.)

Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260604064801.1180388-1-w15303746062@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/qrtr/af_qrtr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
index d77e9c8212da51..7087bb57aeac18 100644
--- a/net/qrtr/af_qrtr.c
+++ b/net/qrtr/af_qrtr.c
@@ -707,13 +707,13 @@ static void qrtr_port_remove(struct qrtr_sock *ipc)
 	if (port == QRTR_PORT_CTRL)
 		port = 0;
 
-	__sock_put(&ipc->sk);
-
 	xa_erase(&qrtr_ports, port);
 
 	/* Ensure that if qrtr_port_lookup() did enter the RCU read section we
 	 * wait for it to up increment the refcount */
 	synchronize_rcu();
+
+	__sock_put(&ipc->sk);
 }
 
 /* Assign port number to socket.
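Review bot: the comment above synchronize_rcu() still only describes waiting for qrtr_port_lookup(), yet the placement of `__sock_put(&ipc->sk);` after it is now what closes the race. Extend that comment to state that the reference is dropped only after xa_erase() and the grace period have completed, and tidy the "to up increment" wording while touching it, so the ordering is not undone by a later cleanup.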
-- 
2.53.0





* [PATCH 6.1 202/522] netfilter: bridge: make ebt_snat ARP rewrite writable
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 201/522] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 203/522] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
                   ` (320 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yiming Qian <yimingqian591@gmail.com>

[ Upstream commit 67ba971ae02514d85818fe0c32549ab4bfa3bf49 ]

The ebtables SNAT target keeps the Ethernet source address rewrite
behind skb_ensure_writable(skb, 0).  This is intentional: at the bridge
ebtables hooks the Ethernet header is addressed through
skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet
payload.  Asking skb_ensure_writable() for ETH_HLEN bytes would check
the payload, not the Ethernet header, and would reintroduce the small
packet regression fixed by commit 63137bc5882a.

However, the optional ARP sender hardware address rewrite is different.
It writes through skb_store_bits() at an offset relative to skb->data:

        skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)

skb_header_pointer() only safely reads the ARP header; it does not make
the later sender hardware address range writable.  If that range is
still held in a nonlinear skb fragment backed by a splice-imported file
page, skb_store_bits() maps the frag page and copies the new MAC address
directly into it.

Ensure the ARP SHA range is writable before reading the ARP header and
before calling skb_store_bits().

Fixes: 63137bc5882a ("netfilter: ebtables: Fixes dropping of small packets in bridge nat")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebt_snat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 7dfbcdfc30e5d2..c9e229af0366b8 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -31,6 +31,9 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 		const struct arphdr *ap;
 		struct arphdr _ah;
 
+		if (skb_ensure_writable(skb, sizeof(_ah) + ETH_ALEN))
+			return EBT_DROP;
+
 		ap = skb_header_pointer(skb, 0, sizeof(_ah), &_ah);
 		if (ap == NULL)
 			return EBT_DROP;
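Review bot: the length passed to skb_ensure_writable(), `sizeof(_ah) + ETH_ALEN`, mirrors the offset and length of the later skb_store_bits() call, but nothing in the code ties the two together. A comment naming the ARP sender hardware address range would keep them in step if either changes. The check also sits ahead of the skb_header_pointer() read, so a frame too short to hold the ARP header plus one hardware address is dropped before any ARP field is examined. If that is the intended behaviour for such frames, say so in the comment.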
-- 
2.53.0





* [PATCH 7.0 119/378] net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 118/378] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 120/378] net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Carolina Jubran,
	Tariq Toukan, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dragos Tatulea <dtatulea@nvidia.com>

[ Upstream commit 894e036a24a26a6dd7b17d8d3fb5c53ab48a6074 ]

mlx5_query_nic_vport_mac_list() sizes its firmware command buffer using
the PF's log_max_current_uc/mc_list capabilities. When querying a VF
vport with a larger configured max (via devlink), the firmware response
can overflow this buffer:

 BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]
 Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385

 CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
 Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
 Call Trace:
  <TASK>
  dump_stack_lvl+0x69/0xa0
  print_report+0x176/0x4e4
  kasan_report+0xc8/0x100
  mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]
  esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core]
  esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core]
  esw_vport_change_handler+0x6a/0x90 [mlx5_core]
  process_one_work+0x87f/0x15e0
  worker_thread+0x62b/0x1020
  kthread+0x375/0x490
  ret_from_fork+0x4dc/0x810
  ret_from_fork_asm+0x11/0x20
  </TASK>

Fix by querying the vport's own HCA caps to size the buffer correctly.
Refactor the function to allocate and return the MAC list internally,
removing the caller's dependency on knowing the correct max.

Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260604135849.458060-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/mellanox/mlx5/core/eswitch.c | 13 +---
 .../net/ethernet/mellanox/mlx5/core/vport.c   | 72 ++++++++++++++-----
 include/linux/mlx5/vport.h                    |  4 +-
 3 files changed, 59 insertions(+), 30 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 7c8311f4123237..236f89a6483af1 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -533,23 +533,16 @@ static void esw_update_vport_addr_list(struct mlx5_eswitch *esw,
 				       struct mlx5_vport *vport, int list_type)
 {
 	bool is_uc = list_type == MLX5_NVPRT_LIST_TYPE_UC;
-	u8 (*mac_list)[ETH_ALEN];
+	u8 (*mac_list)[ETH_ALEN] = NULL;
 	struct l2addr_node *node;
 	struct vport_addr *addr;
 	struct hlist_head *hash;
 	struct hlist_node *tmp;
-	int size;
+	int size = 0;
 	int err;
 	int hi;
 	int i;
 
-	size = is_uc ? MLX5_MAX_UC_PER_VPORT(esw->dev) :
-		       MLX5_MAX_MC_PER_VPORT(esw->dev);
-
-	mac_list = kcalloc(size, ETH_ALEN, GFP_KERNEL);
-	if (!mac_list)
-		return;
-
 	hash = is_uc ? vport->uc_list : vport->mc_list;
 
 	for_each_l2hash_node(node, tmp, hash, hi) {
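Review bot: with the kcalloc() removed, esw_update_vport_addr_list() no longer allocates mac_list but still owns the pointer once mlx5_query_nic_vport_mac_list() has filled it in. The `= NULL` and `size = 0` initializers are what make the early `goto out` paths safe, which deserves a short comment. The free at the out label, outside this hunk, should be checked against the allocator the callee now uses.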
@@ -561,7 +554,7 @@ static void esw_update_vport_addr_list(struct mlx5_eswitch *esw,
 		goto out;
 
 	err = mlx5_query_nic_vport_mac_list(esw->dev, vport->vport, list_type,
-					    mac_list, &size);
+					    &mac_list, &size);
 	if (err)
 		goto out;
 	esw_debug(esw->dev, "vport[%d] context update %s list size (%d)\n",
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
index 4effe37fd4552e..d63b0e8806b544 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
@@ -324,35 +324,63 @@ int mlx5_modify_nic_vport_mtu(struct mlx5_core_dev *mdev, u16 mtu)
 }
 EXPORT_SYMBOL_GPL(mlx5_modify_nic_vport_mtu);
 
+static int mlx5_vport_max_mac_list_size(struct mlx5_core_dev *dev, u16 vport,
+					enum mlx5_list_type list_type)
+{
+	void *query_ctx, *hca_caps;
+	int ret = 0;
+
+	if (!vport && !mlx5_core_is_ecpf(dev))
+		return list_type == MLX5_NVPRT_LIST_TYPE_UC ?
+			1 << MLX5_CAP_GEN(dev, log_max_current_uc_list) :
+			1 << MLX5_CAP_GEN(dev, log_max_current_mc_list);
+
+	query_ctx = kzalloc(MLX5_ST_SZ_BYTES(query_hca_cap_out), GFP_KERNEL);
+	if (!query_ctx)
+		return -ENOMEM;
+
+	ret = mlx5_vport_get_other_func_general_cap(dev, vport, query_ctx);
+	if (ret)
+		goto out;
+
+	hca_caps = MLX5_ADDR_OF(query_hca_cap_out, query_ctx, capability);
+	ret = list_type == MLX5_NVPRT_LIST_TYPE_UC ?
+		1 << MLX5_GET(cmd_hca_cap, hca_caps, log_max_current_uc_list) :
+		1 << MLX5_GET(cmd_hca_cap, hca_caps, log_max_current_mc_list);
+
+out:
+	kfree(query_ctx);
+
+	return ret;
+}
+
 int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev,
 				  u16 vport,
 				  enum mlx5_list_type list_type,
-				  u8 addr_list[][ETH_ALEN],
-				  int *list_size)
+				  u8 (**addr_list)[ETH_ALEN],
+				  int *addr_list_size)
 {
 	u32 in[MLX5_ST_SZ_DW(query_nic_vport_context_in)] = {0};
+	int allowed_list_size;
 	void *nic_vport_ctx;
 	int max_list_size;
-	int req_list_size;
 	int out_sz;
 	void *out;
 	int err;
 	int i;
 
-	req_list_size = *list_size;
+	if (!addr_list || !addr_list_size)
+		return -EINVAL;
 
-	max_list_size = list_type == MLX5_NVPRT_LIST_TYPE_UC ?
-		1 << MLX5_CAP_GEN(dev, log_max_current_uc_list) :
-		1 << MLX5_CAP_GEN(dev, log_max_current_mc_list);
+	*addr_list = NULL;
+	*addr_list_size = 0;
 
-	if (req_list_size > max_list_size) {
-		mlx5_core_warn(dev, "Requested list size (%d) > (%d) max_list_size\n",
-			       req_list_size, max_list_size);
-		req_list_size = max_list_size;
-	}
+	max_list_size = mlx5_vport_max_mac_list_size(dev, vport, list_type);
+	if (max_list_size < 0)
+		return max_list_size;
 
 	out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) +
-			req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout);
+			max_list_size * MLX5_ST_SZ_BYTES(mac_address_layout);
 
 	out = kvzalloc(out_sz, GFP_KERNEL);
 	if (!out)
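Review bot: mlx5_vport_max_mac_list_size() returns either a positive list size or a negative errno in the same int, and the shortcut `if (!vport && !mlx5_core_is_ecpf(dev))` that falls back to the device's own MLX5_CAP_GEN values carries no explanation. A short comment covering the return convention, and why vport 0 on a non-ECPF function may use the local capabilities, would make the new sizing rule reviewable without reading the commit message.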
@@ -371,16 +399,24 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev,
 
 	nic_vport_ctx = MLX5_ADDR_OF(query_nic_vport_context_out, out,
 				     nic_vport_context);
-	req_list_size = MLX5_GET(nic_vport_context, nic_vport_ctx,
-				 allowed_list_size);
+	allowed_list_size = MLX5_GET(nic_vport_context, nic_vport_ctx,
+				     allowed_list_size);
+	if (!allowed_list_size)
+		goto out;
+
+	*addr_list = kcalloc(allowed_list_size, ETH_ALEN, GFP_KERNEL);
+	if (!*addr_list) {
+		err = -ENOMEM;
+		goto out;
+	}
 
-	*list_size = req_list_size;
-	for (i = 0; i < req_list_size; i++) {
+	for (i = 0; i < allowed_list_size; i++) {
 		u8 *mac_addr = MLX5_ADDR_OF(nic_vport_context,
 					nic_vport_ctx,
 					current_uc_mac_address[i]) + 2;
-		ether_addr_copy(addr_list[i], mac_addr);
+		ether_addr_copy((*addr_list)[i], mac_addr);
 	}
+	*addr_list_size = allowed_list_size;
 out:
 	kvfree(out);
 	return err;
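Review bot: allowed_list_size is taken from the firmware response and used unclamped as both the kcalloc() count and the loop bound, while the `out` buffer was sized from max_list_size in the previous hunk. If the response ever reports more entries than max_list_size, the `current_uc_mac_address[i]` reads run past `out` again. A check such as `if (allowed_list_size > max_list_size)` that fails or clamps before the allocation would make the bound explicit; the removed code at least clamped the requested size with a warning.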
diff --git a/include/linux/mlx5/vport.h b/include/linux/mlx5/vport.h
index dfa2fe32217af0..282ed54422826d 100644
--- a/include/linux/mlx5/vport.h
+++ b/include/linux/mlx5/vport.h
@@ -102,8 +102,8 @@ int mlx5_query_hca_vport_node_guid(struct mlx5_core_dev *dev,
 int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev,
 				  u16 vport,
 				  enum mlx5_list_type list_type,
-				  u8 addr_list[][ETH_ALEN],
-				  int *list_size);
+				  u8 (**mac_list)[ETH_ALEN],
+				  int *mac_list_size);
 int mlx5_modify_nic_vport_mac_list(struct mlx5_core_dev *dev,
 				   enum mlx5_list_type list_type,
 				   u8 addr_list[][ETH_ALEN],
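Review bot: the prototype names the out-parameters mac_list and mac_list_size, but the definition in vport.c uses addr_list and addr_list_size. Pick one pair. The header should also say that the function allocates `*mac_list` and that the caller must free it, since the change from `u8 addr_list[][ETH_ALEN]` to a pointer-to-pointer moves ownership of the buffer.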
-- 
2.53.0





* [PATCH 6.1 203/522] dm cache policy smq: check allocation under invalidate lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 202/522] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 204/522] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
                   ` (319 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Mikulas Patocka,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

[ Upstream commit d3f0a606b9f278ece8a0df626ded9c4044071235 ]

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in
invalidating cache blocks") added mq->lock around the destructive part of
smq_invalidate_mapping(), but left the e->allocated check outside the
critical section.

That leaves a check-then-act race. Two concurrent invalidators can both
observe e->allocated as true before either of them takes mq->lock. The
first invalidator that acquires the lock removes the entry from the
queues and hash table and then calls free_entry(), which clears
e->allocated and puts the entry back on the free list. The second
invalidator can then acquire mq->lock and continue with the stale result
of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that
is no longer on those structures. It can also hit the allocation check in
free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the
destructive operations are serialized by the same lock.

Fixes: 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-cache-policy-smq.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/md/dm-cache-policy-smq.c b/drivers/md/dm-cache-policy-smq.c
index d4c2bc5c0ef457..38fe5c31699bc1 100644
--- a/drivers/md/dm-cache-policy-smq.c
+++ b/drivers/md/dm-cache-policy-smq.c
@@ -1588,18 +1588,22 @@ static int smq_invalidate_mapping(struct dm_cache_policy *p, dm_cblock_t cblock)
 	struct smq_policy *mq = to_smq_policy(p);
 	struct entry *e = get_entry(&mq->cache_alloc, from_cblock(cblock));
 	unsigned long flags;
-
-	if (!e->allocated)
-		return -ENODATA;
+	int r = 0;
 
 	spin_lock_irqsave(&mq->lock, flags);
+	if (!e->allocated) {
+		r = -ENODATA;
+		goto out;
+	}
 	// FIXME: what if this block has pending background work?
 	del_queue(mq, e);
 	h_remove(&mq->table, e);
 	free_entry(&mq->cache_alloc, e);
+
+out:
 	spin_unlock_irqrestore(&mq->lock, flags);
 
-	return 0;
+	return r;
 }
 
 static uint32_t smq_get_hint(struct dm_cache_policy *p, dm_cblock_t cblock)
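Review bot: `e` is still looked up with get_entry() before mq->lock is taken, and only the `e->allocated` test moved inside the critical section. Please confirm that get_entry() is plain index arithmetic on cache_alloc and reads no state that changes under the lock; if it does, the lookup belongs after spin_lock_irqsave() too. The `// FIXME` about pending background work also remains inside the locked region unanswered, and is worth either resolving or referencing in the commit message.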
-- 
2.53.0





* [PATCH 7.0 120/378] net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 119/378] net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 121/378] net/mlx5: Use effective affinity mask for IRQ selection Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dragos Tatulea <dtatulea@nvidia.com>

[ Upstream commit b69004f5a6ad32da84d8aa5b23b9c0caafe6252e ]

In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame()
returns false (e.g. XDPSQ is full), the function returns without
unmapping the DMA address or freeing the xdp_frame allocated by
xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on
success, so the completion path cannot recover these entries.

With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind:

  DMA-API: pci 0000:08:00.0: device driver has pending DMA
  allocations while released from device [count=1116]
  One of leaked entries details: [device address=0x000000010ffd7028]
  [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy]
  WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180
  ...
  DMA-API: Mapped at:
   debug_dma_map_phys+0x4b/0xd0
   dma_map_phys+0xfd/0x2d0
   mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core]
   mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core]
   mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core]

Add the missing unmap + xdp_return_frame, matching the cleanup already
done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch,
so no per-frag unmap is needed.

Fixes: 84a0a2310d6d ("net/mlx5e: XDP_TX from UMEM support")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260604135446.456119-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
index 80f9fc10877ad9..7b335da1d0cd22 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
@@ -102,9 +102,15 @@ mlx5e_xmit_xdp_buff(struct mlx5e_xdpsq *sq, struct mlx5e_rq *rq,
 
 		xdptxd->dma_addr = dma_addr;
 
-		if (unlikely(!INDIRECT_CALL_2(sq->xmit_xdp_frame, mlx5e_xmit_xdp_frame_mpwqe,
-					      mlx5e_xmit_xdp_frame, sq, xdptxd, 0, NULL)))
+		if (unlikely(!INDIRECT_CALL_2(sq->xmit_xdp_frame,
+					      mlx5e_xmit_xdp_frame_mpwqe,
+					      mlx5e_xmit_xdp_frame,
+					      sq, xdptxd, 0, NULL))) {
+			dma_unmap_single(sq->pdev, dma_addr, xdptxd->len,
+					 DMA_TO_DEVICE);
+			xdp_return_frame(xdpf);
 			return false;
+		}
 
 		/* xmit_mode == MLX5E_XDP_XMIT_MODE_FRAME */
 		mlx5e_xdpi_fifo_push(&sq->db.xdpi_fifo,
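Review bot: the new error path unmaps with `xdptxd->len`, read after sq->xmit_xdp_frame() has already been handed xdptxd. The mapping call is outside this hunk, so please confirm that the length passed to dma_unmap_single() is the value the buffer was mapped with and that the xmit callbacks leave xdptxd unmodified on failure. Taking the length from xdpf, as the mapping side presumably does, would remove the doubt.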
-- 
2.53.0





* [PATCH 6.1 204/522] net/sched: act_api: use RCU with deferred freeing for action lifecycle
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 203/522] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 205/522] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
                   ` (318 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Kyle Zeng,
	Victor Nogueira, syzbot, Jamal Hadi Salim, Pedro Tammela,
	Eric Dumazet, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit 5057e1aca011e51ef51498c940ef96f3d3e8a305 ]

When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
race with an associated action.

Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:

 0: mutex_lock() <-- holds the idr lock
 0: rcu_read_lock()
 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
 0: mutex_unlock() <-- releases the idr lock
 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
 1: idr_remove(idr, index) <-- Action removed from IDR
 1: mutex_unlock() <-- mutex released allowing us to delete the action
 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory

This patch fixes the race condition between NEWTFILTER and DELFILTER by
adding struct rcu_head to tc_action used in the deferral and introducing a
call_rcu() in the delete path to defer the final kfree().

Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
but also modernization/simplification to directly use kfree_rcu().

Let's illustrate the new restored code path:

 0: rcu_read_lock()
 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
 1: idr_remove(idr, index)
 1: mutex_unlock()
 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
 0: p = idr_find(idr, index)
 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
 1: rcu_read_unlock() <-- release so freeing can run after grace period

After CPU1 calls idr_remove(), the object is no longer reachable through the IDR.
CPU0's subsequent idr_find() will return NULL, and even if it still held a
stale pointer, the immediate kfree() is now deferred until after the RCU grace
period, so no UAF can occur.

Fixes: d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: syzbot@syzkaller.appspotmail.com
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260531160812.68020-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/act_api.h | 1 +
 net/sched/act_api.c   | 7 +------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/include/net/act_api.h b/include/net/act_api.h
index 31e8d8f8bcd7eb..55e3b5ec1d92d8 100644
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -42,6 +42,7 @@ struct tc_action {
 	struct tc_cookie	__rcu *act_cookie;
 	struct tcf_chain	__rcu *goto_chain;
 	u32			tcfa_flags;
+	struct rcu_head         tcfa_rcu;
 	u8			hw_stats;
 	u8			used_hw_stats;
 	bool			used_hw_stats_valid;
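
Review bot: The new member tcfa_rcu is aligned with spaces while the neighbouring members use tabs, and it is placed directly after the u32 tcfa_flags, which on 64-bit builds leaves a 4-byte hole in front of the pointer-aligned struct rcu_head. Using a tab and moving the member next to the pointer members above (or to the end of the struct) would keep the layout tight; a short comment that it is used for the deferred free in free_tcf() would also help.
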
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index b75e22756c4b09..47f0d4c3dc487f 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -111,11 +111,6 @@ struct tcf_chain *tcf_action_set_ctrlact(struct tc_action *a, int action,
 }
 EXPORT_SYMBOL(tcf_action_set_ctrlact);
 
-/* XXX: For standalone actions, we don't need a RCU grace period either, because
- * actions are always connected to filters and filters are already destroyed in
- * RCU callbacks, so after a RCU grace period actions are already disconnected
- * from filters. Readers later can not find us.
- */
 static void free_tcf(struct tc_action *p)
 {
 	struct tcf_chain *chain = rcu_dereference_protected(p->goto_chain, 1);
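
Review bot: The deleted comment above free_tcf() was the only place that stated the lifetime assumption, and nothing replaces it. A short replacement saying that the final free is deferred by an RCU grace period, because a lookup can still hold a pointer obtained from idr_find() under rcu_read_lock(), would keep a later cleanup from reintroducing the immediate free.
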
@@ -128,7 +123,7 @@ static void free_tcf(struct tc_action *p)
 	if (chain)
 		tcf_chain_put_by_act(chain);
 
-	kfree(p);
+	kfree_rcu(p, tcfa_rcu);
 }
 
 static void offload_action_hw_count_set(struct tc_action *act,
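
Review bot: Only the final free of p is deferred by kfree_rcu(p, tcfa_rcu); the tcf_chain_put_by_act(chain) call just above it still runs immediately. That is fine for the reader described in the commit message, which only calls refcount_inc_not_zero(&p->tcfa_refcnt), but please confirm that no RCU-side reader follows p->goto_chain or another member released earlier in free_tcf() before it has taken a reference.
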
-- 
2.53.0





* [PATCH 7.0 121/378] net/mlx5: Use effective affinity mask for IRQ selection
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 120/378] net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 122/378] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shay Drory, Fushuai Wang,
	Tariq Toukan, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fushuai Wang <wangfushuai@baidu.com>

[ Upstream commit a7767290e77ca2e926b49f8bfa29daa12262c612 ]

When an SF is created after a CPU has been taken offline, the IRQ pool may
contain IRQs with affinity masks that include the offline CPU. Since only
online CPUs should be considered for IRQ placement, the cpumask_subset() check
would fail because the iter_mask contains offline CPUs that are not present
in req_mask, causing SF creation to fail.

This is an example:
  1. When mlx5 driver loads, it initializes the IRQ pools.
     For sf_ctrl_pool with ≤64 sf:
     - xa_num_irqs = {N, N} (There is only one slot)
  2. When the first SF is created:
     - The ctrl IRQ is allocated with mask=cpu_online_mask={0-191}
  3. We take CPU 20 offline
  4. The existing ctrl IRQ still has mask={0-191}
  5. Create a new SF:
     - req_mask={0-19,21-191}
     - iter_mask={0-191}
     - {0-191} is NOT a subset of {0-19,21-191}
     - least_loaded_irq=NULL
  6. Try to allocate a new IRQ via irq_pool_request_irq()
  7. xa_alloc() fails because the pool is full (there is only one slot)
  8. SF creation fails with an error

Use irq_get_effective_affinity_mask() instead, which returns the IRQ's
actual effective affinity that already excludes offline CPUs.

Fixes: 061f5b23588a ("net/mlx5: SF, Use all available cpu for setting cpu affinity")
Suggested-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
Reviewed-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260605102112.91772-1-fushuai.wang@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c b/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c
index 994fe83da4bed8..a0bb8ee44e3550 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c
@@ -105,9 +105,12 @@ irq_pool_find_least_loaded(struct mlx5_irq_pool *pool, const struct cpumask *req
 
 	lockdep_assert_held(&pool->lock);
 	xa_for_each_range(&pool->irqs, index, iter, start, end) {
-		struct cpumask *iter_mask = mlx5_irq_get_affinity_mask(iter);
 		int iter_refcount = mlx5_irq_read_locked(iter);
+		const struct cpumask *iter_mask;
 
+		iter_mask = irq_get_effective_affinity_mask(mlx5_irq_get_irq(iter));
+		if (!iter_mask)
+			continue;
 		if (!cpumask_subset(iter_mask, req_mask))
 			/* skip IRQs with a mask which is not subset of req_mask */
 			continue;
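
Review bot: The new "if (!iter_mask) continue;" handles a NULL return, but an effective affinity mask that is present and empty passes the cpumask_subset(iter_mask, req_mask) check below trivially, since the empty set is a subset of any mask. If an IRQ in the pool can be in that state, add a cpumask_empty() check next to the NULL check, and update the existing "skip IRQs with a mask which is not subset of req_mask" comment to say that it is the effective mask being compared.
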
-- 
2.53.0





* [PATCH 6.1 205/522] 6lowpan: fix off-by-one in multicast context address compression
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 204/522] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 206/522] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
                   ` (317 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
	Xuewei Feng, Qi Li, Ke Xu, Alexander Aring, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

[ Upstream commit 2a58899d11009bffc7b4b32a571858f381121837 ]

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
   field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
   is transmitted over the network via lowpan_push_hc_data(),
   leaking kernel stack contents

The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
  data[0..1] = s6_addr[1..2]  (flags/scope + RIID)
  data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against
similar bugs in the future.

Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://patch.msgid.link/20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/6lowpan/iphc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index 52fad5dad9f715..d762c49e722fae 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -1086,12 +1086,12 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
 					      const struct lowpan_iphc_ctx *ctx,
 					      const struct in6_addr *ipaddr)
 {
-	u8 data[6];
+	u8 data[6] = {};
 
 	/* flags/scope, reserved (RIID) */
 	memcpy(data, &ipaddr->s6_addr[1], 2);
 	/* group ID */
-	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
+	memcpy(&data[2], &ipaddr->s6_addr[12], 4);
 	lowpan_push_hc_data(hc_ptr, data, 6);
 
 	return LOWPAN_IPHC_DAM_00;
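
Review bot: The corrected memcpy still relies on bare indices (&data[2], &ipaddr->s6_addr[12], 4), which is how the off-by-one got in. Putting the layout from the commit message into the code comments, data[0..1] = s6_addr[1..2] and data[2..5] = s6_addr[12..15], and noting that it must match lowpan_uncompress_multicast_ctx_daddr(), would make a future mismatch visible in review.
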
-- 
2.53.0





* [PATCH 7.0 122/378] ipv6: sit: reload inner IPv6 header after GSO offloads
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 121/378] net/mlx5: Use effective affinity mask for IRQ selection Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 123/378] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Eric Dumazet,
	syzbot+6eb9ca986d80f6f88cf9, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit f0e42f0c4337b1f220de1ddd63f47197c7dee4de ]

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function
entry and continues using it after iptunnel_handle_offloads().

For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().
When the skb header is cloned, skb_header_unclone() can call
pskb_expand_head(), which may move the skb head. The pskb_expand_head()
contract requires pointers into the skb header to be reloaded after the
call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the
stale iph6 pointer to read the inner hop limit and DS field. That can
read from a freed skb head after the old head's remaining clone is
released.

Reload iph6 after the offload helper succeeds and before subsequent
reads from the inner IPv6 header. Keep the existing reload after
skb_realloc_headroom(), since that branch can also replace the skb.

Fixes: 14909664e4e1 ("sit: Setup and TX path for sit/UDP foo-over-udp encapsulation")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+6eb9ca986d80f6f88cf9@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260605073448.6524-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/sit.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 6a7b8abb047727..7c317c105bdcbe 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -960,6 +960,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
 		ip_rt_put(rt);
 		goto tx_error;
 	}
+	iph6 = ipv6_hdr(skb);
 
 	if (df) {
 		mtu = dst4_mtu(&rt->dst) - t_hlen;
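
Review bot: The added "iph6 = ipv6_hdr(skb);" carries no comment, so it reads as a redundant reload of a pointer that was already set at function entry. A one-line comment that iptunnel_handle_offloads() may reallocate the skb head would protect it from being removed as dead code later; it is also worth checking that no other pointer into the skb header cached before this point is used below.
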
-- 
2.53.0





* [PATCH 6.1 206/522] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 205/522] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 207/522] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
                   ` (316 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yicong Hui, Laurentiu Palcu,
	Liu Ying, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yicong Hui <yiconghui@gmail.com>

[ Upstream commit ae0383e5a9a4b12d68c76c4769857def4665deff ]

Fix the following W=1 kerneldoc warnings by adding the missing parameter
descriptions for @phase0_identity and @nn_interpolation in
dcss_scaler_filter_design() and @phase0_identity in
dcss_scaler_gaussian_filter()

Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:173 function parameter 'phase0_identity' not described in 'dcss_scaler_gaussian_filter'
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:270 function parameter 'phase0_identity' not described in 'dcss_scaler_filter_design'
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:270 function parameter 'nn_interpolation' not described in 'dcss_scaler_filter_design'

Fixes: 9021c317b770 ("drm/imx: Add initial support for DCSS on iMX8MQ")
Signed-off-by: Yicong Hui <yiconghui@gmail.com>
Reviewed-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Link: https://patch.msgid.link/20260406180013.2442096-1-yiconghui@gmail.com
Signed-off-by: Liu Ying <victor.liu@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/imx/dcss/dcss-scaler.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/imx/dcss/dcss-scaler.c b/drivers/gpu/drm/imx/dcss/dcss-scaler.c
index 47852b9dd5eaa2..d2a89a99bd71cf 100644
--- a/drivers/gpu/drm/imx/dcss/dcss-scaler.c
+++ b/drivers/gpu/drm/imx/dcss/dcss-scaler.c
@@ -166,6 +166,7 @@ static int exp_approx_q(int x)
  * dcss_scaler_gaussian_filter() - Generate gaussian prototype filter.
  * @fc_q: fixed-point cutoff frequency normalized to range [0, 1]
  * @use_5_taps: indicates whether to use 5 taps or 7 taps
+ * @phase0_identity: whether to override phase 0 coefficients with identity filter
  * @coef: output filter coefficients
  */
 static void dcss_scaler_gaussian_filter(int fc_q, bool use_5_taps,
@@ -262,7 +263,9 @@ static void dcss_scaler_nearest_neighbor_filter(bool use_5_taps,
  * @src_length: length of input
  * @dst_length: length of output
  * @use_5_taps: 0 for 7 taps per phase, 1 for 5 taps
+ * @phase0_identity: whether to override phase 0 coefficients with identity filter
  * @coef: output coefficients
+ * @nn_interpolation: whether to use nearest neighbor instead of gaussian filter
  */
 static void dcss_scaler_filter_design(int src_length, int dst_length,
 				      bool use_5_taps, bool phase0_identity,
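
Review bot: In the dcss_scaler_filter_design() block, @nn_interpolation is added after @coef while @phase0_identity is inserted in front of it. Kernel-doc entries are easiest to check when they follow the order of the parameter list, so please confirm that nn_interpolation really is the last parameter; the part of the signature visible here ends at phase0_identity.
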
-- 
2.53.0





* [PATCH 7.0 123/378] net: openvswitch: fix possible kfree_skb of ERR_PTR
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 122/378] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 124/378] r8152: handle the return value of usb_reset_device() Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Adrian Moreno, Aaron Conole,
	Eelco Chaudron, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Moreno <amorenoz@redhat.com>

[ Upstream commit ee30dd2909d8b98619f4341c70ec8dc8e155ab02 ]

After the patch in the "Fixes" tag, the allocation of the "reply" skb
can happen either before or after locking the ovs_mutex.

However, error cleanups still follow the classical reversed order,
assuming "reply" is allocated before locking: it is freed after unlocking.

If "reply" allocation happens after locking the mutex and it fails,
"reply" is left with an ERR_PTR, and execution jumps to the corresponding
cleanup stage which will try to free an invalid pointer.

Fix this by setting the pointer to NULL after having saved its error
value.

Fixes: 893f139b9a6c ("openvswitch: Minimize ovs_flow_cmd_new|set critical sections.")
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Link: https://patch.msgid.link/20260604121946.942164-1-amorenoz@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/openvswitch/datapath.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index bbbde50fc6498f..f0164817d9b723 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1316,6 +1316,7 @@ static int ovs_flow_cmd_set(struct sk_buff *skb, struct genl_info *info)
 
 		if (IS_ERR(reply)) {
 			error = PTR_ERR(reply);
+			reply = NULL;
 			goto err_unlock_ovs;
 		}
 	}
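
Review bot: Setting "reply = NULL;" fixes this one site in ovs_flow_cmd_set(), but the safety of the err_unlock_ovs path now depends on every jump to it leaving reply either valid or NULL. The Fixes tag names ovs_flow_cmd_new|set, so please confirm that ovs_flow_cmd_new() has no allocation after the lock that can leave an ERR_PTR in reply, and consider a brief comment here explaining why the pointer is cleared.
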
-- 
2.53.0





* [PATCH 6.1 207/522] pcnet32: stop holding device spin lock during napi_complete_done
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 206/522] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 208/522] net: Annotate sk->sk_write_space() for UDP SOCKMAP Greg Kroah-Hartman
                   ` (315 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Oscar Maes,
	Alexander Lobakin, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oscar Maes <oscmaes92@gmail.com>

[ Upstream commit 73bf3cca7de6a73f53b6a52dc3b1c82ae5667a4d ]

napi_complete_done may call gro_flush_normal (though not currently, as GRO
is unsupported at the moment), which may result in packet TX. This will
eventually result in calling pcnet32_start_xmit - resulting in a deadlock
while trying to re-acquire the already locked spin lock.

It is safe to split the spinlock block into two, because the hardware
registers are still protected from concurrent access, and the two blocks
perform unrelated operations that don't need to happen atomically.

Fixes: 5b2ec6f2be51 ("pcnet32: use napi_complete_done()")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260528140320.5556-1-oscmaes92@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amd/pcnet32.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c
index 72db9f9e7beeae..81cb83caf62a15 100644
--- a/drivers/net/ethernet/amd/pcnet32.c
+++ b/drivers/net/ethernet/amd/pcnet32.c
@@ -1403,8 +1403,10 @@ static int pcnet32_poll(struct napi_struct *napi, int budget)
 		pcnet32_restart(dev, CSR0_START);
 		netif_wake_queue(dev);
 	}
+	spin_unlock_irqrestore(&lp->lock, flags);
 
 	if (work_done < budget && napi_complete_done(napi, work_done)) {
+		spin_lock_irqsave(&lp->lock, flags);
 		/* clear interrupt masks */
 		val = lp->a->read_csr(ioaddr, CSR3);
 		val &= 0x00ff;
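
Review bot: Dropping lp->lock before napi_complete_done() and retaking it inside the if block opens a window in which another path can take the lock between the ring processing above and the CSR3/CSR0 writes. The commit message argues that the two sections are independent; a short comment at the new spin_unlock_irqrestore() stating that the lock is released because napi_complete_done() can end up in pcnet32_start_xmit() would record why the split must stay.
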
@@ -1412,9 +1414,9 @@ static int pcnet32_poll(struct napi_struct *napi, int budget)
 
 		/* Set interrupt enable. */
 		lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
+		spin_unlock_irqrestore(&lp->lock, flags);
 	}
 
-	spin_unlock_irqrestore(&lp->lock, flags);
 	return work_done;
 }
 
-- 
2.53.0





* [PATCH 7.0 124/378] r8152: handle the return value of usb_reset_device()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 123/378] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 125/378] gpio: zynq: fix runtime PM leak on remove Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chih Kai Hsu, Hayes Wang,
	Andrew Lunn, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chih Kai Hsu <hsu.chih.kai@realtek.com>

[ Upstream commit 19440600e729d4f74a42591a872099cf25c7d28a ]

If usb_reset_device() returns a negative error code, stop the
process of probing.

Fixes: 10c3271712f5 ("r8152: disable the ECM mode")
Signed-off-by: Chih Kai Hsu <hsu.chih.kai@realtek.com>
Reviewed-by: Hayes Wang <hayeswang@realtek.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260604092247.27158-450-nic_swsd@realtek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index f69e7e1ab7788d..240265746990ec 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -9775,7 +9775,12 @@ static int rtl8152_probe_once(struct usb_interface *intf,
 	struct net_device *netdev;
 	int ret;
 
-	usb_reset_device(udev);
+	ret = usb_reset_device(udev);
+	if (ret < 0) {
+		dev_err(&intf->dev, "USB reset failed, errno=%d\n", ret);
+		return ret;
+	}
+
 	netdev = alloc_etherdev(sizeof(struct r8152));
 	if (!netdev) {
 		dev_err(&intf->dev, "Out of memory\n");
-- 
2.53.0





* [PATCH 6.1 208/522] net: Annotate sk->sk_write_space() for UDP SOCKMAP.
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 207/522] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 209/522] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
                   ` (314 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jakub Sitnicki,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit b748765019fe9e9234660327090fc1a9665cdbdd ]

UDP TX skb->destructor() is sock_wfree(), and UDP holds lock_sock()
only for UDP_CORK / MSG_MORE sendmsg().

Otherwise, sk->sk_write_space() may be read locklessly while SOCKMAP
rewrites sk->sk_write_space().

Let's use WRITE_ONCE() and READ_ONCE() for sk->sk_write_space().

Note that the write side is annotated by commit 2ef2b20cf4e0
("net: annotate data-races around sk->sk_{data_ready,write_space}").

Fixes: 7b98cd42b049 ("bpf: sockmap: Add UDP support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://patch.msgid.link/20260529193941.3897256-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/sock.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 6c178b47426669..62411c8870e855 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2433,8 +2433,12 @@ void sock_wfree(struct sk_buff *skb)
 	bool free;
 
 	if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) {
+		void (*sk_write_space)(struct sock *sk);
+
+		sk_write_space = READ_ONCE(sk->sk_write_space);
+
 		if (sock_flag(sk, SOCK_RCU_FREE) &&
-		    sk->sk_write_space == sock_def_write_space) {
+		    sk_write_space == sock_def_write_space) {
 			rcu_read_lock();
 			free = refcount_sub_and_test(len, &sk->sk_wmem_alloc);
 			sock_def_write_space_wfree(sk);
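
Review bot: The local "void (*sk_write_space)(struct sock *sk);" reuses the names of both the struct member and the enclosing sk variable, which makes the later "sk_write_space == sock_def_write_space" comparison easy to misread as a member access. A distinct name such as write_space, plus a comment that the pointer is snapshotted with READ_ONCE() because SOCKMAP can rewrite it without the socket lock held, would make the intent clear.
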
@@ -2449,7 +2453,7 @@ void sock_wfree(struct sk_buff *skb)
 		 * after sk_write_space() call
 		 */
 		WARN_ON(refcount_sub_and_test(len - 1, &sk->sk_wmem_alloc));
-		sk->sk_write_space(sk);
+		sk_write_space(sk);
 		len = 1;
 	}
 	/*
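
Review bot: The call now goes through the snapshot taken at the top of the block, so if SOCKMAP replaces sk->sk_write_space between the READ_ONCE() and this call, the previous callback is the one invoked. That is consistent with the comparison above using the same value, but please confirm that the replaced callback remains safe to call on this socket at that point.
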
-- 
2.53.0





* [PATCH 7.0 125/378] gpio: zynq: fix runtime PM leak on remove
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 124/378] r8152: handle the return value of usb_reset_device() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 126/378] gpio: rockchip: fix generic IRQ chip " Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ruoyu Wang, Bartosz Golaszewski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruoyu Wang <ruoyuw560@gmail.com>

[ Upstream commit 6edb934de9bda3b7abcec856eaee6fc8b4278dd1 ]

pm_runtime_get_sync() increments the runtime PM usage counter even when it
returns an error. zynq_gpio_remove() uses it to keep the controller active
while removing the GPIO chip, but never drops the usage counter again.

Balance the get with pm_runtime_put_noidle() after disabling runtime PM.

Fixes: 3242ba117e9b ("gpio: Add driver for Zynq GPIO controller")
Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
Link: https://patch.msgid.link/20260609073313.5-1-ruoyuw560@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-zynq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
index 571e366624d2af..fafca91128b2e6 100644
--- a/drivers/gpio/gpio-zynq.c
+++ b/drivers/gpio/gpio-zynq.c
@@ -1014,6 +1014,7 @@ static void zynq_gpio_remove(struct platform_device *pdev)
 	gpiochip_remove(&gpio->chip);
 	device_set_wakeup_capable(&pdev->dev, 0);
 	pm_runtime_disable(&pdev->dev);
+	pm_runtime_put_noidle(&pdev->dev);
 }
 
 static struct platform_driver zynq_gpio_driver = {
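
Review bot: pm_runtime_put_noidle() is added after pm_runtime_disable(), but the pm_runtime_get_sync() it balances is not visible in this hunk and nothing on the new line ties the two together. A brief comment that it drops the usage count taken earlier in zynq_gpio_remove(), including when that get returned an error, would make the pairing clear.
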
-- 
2.53.0





* [PATCH 6.1 209/522] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 208/522] net: Annotate sk->sk_write_space() for UDP SOCKMAP Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 210/522] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
                   ` (313 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
	Xuewei Feng, Qi Li, Ke Xu, Simon Horman, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

[ Upstream commit 16e408e607a94b646fb14a2a98422c6877ae4b3c ]

The receive-side GARP attribute parser computes dlen with reversed
operands:

        dlen = sizeof(*ga) - ga->len;

ga->len is the on-wire attribute length and includes the GARP attribute
header. For normal attributes with data, ga->len is larger than
sizeof(*ga), so the subtraction underflows in unsigned arithmetic.

The resulting value is later passed to garp_attr_lookup(), whose length
argument is u8. After truncation, the parsed data length usually no
longer matches the length stored for locally registered attributes, so
received Join/Leave events are ignored. This breaks the GARP receive path
for common attributes, such as GVRP VLAN registration attributes.

Compute the data length as the attribute length minus the header length.

Fixes: eca9ebac651f ("net: Add GARP applicant-only participant")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260527083200.42861-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/802/garp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/802/garp.c b/net/802/garp.c
index fc9eb02a912f81..f8037227e6dd66 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -452,7 +452,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
 	if (!pskb_may_pull(skb, ga->len))
 		return -1;
 	skb_pull(skb, ga->len);
-	dlen = sizeof(*ga) - ga->len;
+	dlen = ga->len - sizeof(*ga);
 
 	if (attrtype > app->app->maxattr)
 		return 0;
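Review bot: `dlen = ga->len - sizeof(*ga)` can still wrap when ga->len is smaller than the header, and the only length check visible in this hunk, `pskb_may_pull(skb, ga->len)`, bounds ga->len from above only. Confirm that an earlier line of garp_pdu_parse_attr() rejects ga->len < sizeof(*ga); if none does, add that check before skb_pull() so a short attribute is dropped instead of producing a large dlen.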
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread
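
The effect described in the commit message above, as an added example that is not code from the patch or from net/802/garp.c: a user-space model of an attribute walk in which the reversed subtraction wraps, truncates to u8, and makes every length comparison in the lookup fail. The struct layout, the `event` field, the helper names and the sample PDU bytes are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the attribute header. len is the on-wire length and includes
 * these two header bytes (assumed layout for this example). */
struct attr_hdr {
	uint8_t len;
	uint8_t event;
	uint8_t data[];
};

/* Constructed sample: one locally registered 2-byte value (VLAN ID 100). */
static const uint8_t registered_data[2] = { 0x00, 0x64 };
static const uint8_t registered_dlen = sizeof(registered_data);

/* Constructed sample PDU body: two attributes, then an end mark (len 0). */
static const uint8_t sample_pdu[] = {
	0x04, 0x02, 0x00, 0x64,	/* len 4, event, VLAN 100 */
	0x04, 0x02, 0x00, 0xC8,	/* len 4, event, VLAN 200 */
	0x00,
};

/* Pre-fix operand order: wraps in size_t, then truncates to u8. */
static uint8_t dlen_reversed(uint8_t len)
{
	return (uint8_t)(sizeof(struct attr_hdr) - len);
}

/* Post-fix operand order. The caller must have checked len >= header size. */
static uint8_t dlen_fixed(uint8_t len)
{
	return (uint8_t)(len - sizeof(struct attr_hdr));
}

/* The lookup compares the u8 length first and the bytes second. */
static int attr_matches(const uint8_t *data, uint8_t dlen)
{
	return dlen == registered_dlen &&
	       memcmp(data, registered_data, dlen) == 0;
}

/* Walk the attribute list. Returns the number of attributes that match the
 * registered value, or -1 if an attribute is shorter than its header or
 * runs past the buffer. */
static int count_matches(const uint8_t *buf, size_t buflen, int use_fixed)
{
	const size_t hdr = sizeof(struct attr_hdr);
	size_t off = 0;
	int matches = 0;

	while (off < buflen && buf[off] != 0) {
		uint8_t len = buf[off];
		uint8_t dlen;

		if (len < hdr || len > buflen - off)
			return -1;
		dlen = use_fixed ? dlen_fixed(len) : dlen_reversed(len);
		if (attr_matches(buf + off + hdr, dlen))
			matches++;
		off += len;
	}
	return matches;
}

int main(void)
{
	printf("reversed dlen for len=4: %u\n", (unsigned)dlen_reversed(4));
	printf("fixed dlen for len=4:    %u\n", (unsigned)dlen_fixed(4));
	printf("matches with reversed:   %d\n",
	       count_matches(sample_pdu, sizeof(sample_pdu), 0));
	printf("matches with fixed:      %d\n",
	       count_matches(sample_pdu, sizeof(sample_pdu), 1));
	return 0;
}
```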

* [PATCH 7.0 126/378] gpio: rockchip: fix generic IRQ chip leak on remove
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 125/378] gpio: zynq: fix runtime PM leak on remove Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 127/378] net: mctp: usb: fix race between urb completion and rx_retry cancellation Greg Kroah-Hartman
                   ` (252 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marco Scardovi, Bartosz Golaszewski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Scardovi <scardracs@disroot.org>

[ Upstream commit 1c1e0fc88d6ef65bf15d517853251f75ab9d18c3 ]

The driver allocates domain generic chips using
irq_alloc_domain_generic_chips() during probe. However, on driver
remove/teardown, the generic chips are not automatically freed when the
IRQ domain is removed because the domain flags do not include
IRQ_DOMAIN_FLAG_DESTROY_GC.

This causes both the domain generic chips structure and the associated
generic chips to be leaked. Additionally, the generic chips remain on
the global gc_list and may later be visited by generic IRQ chip suspend,
resume, or shutdown callbacks after the GPIO bank has been removed,
potentially resulting in a use-after-free and kernel crash.

Fix the resource leak by explicitly calling
irq_domain_remove_generic_chips() before removing the IRQ domain in
rockchip_gpio_remove().

Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>
Link: https://patch.msgid.link/20260607230504.35392-2-scardracs@disroot.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-rockchip.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
index 1ef0ba956cfd8c..46dd9085d9c8cd 100644
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -802,8 +802,10 @@ static void rockchip_gpio_remove(struct platform_device *pdev)
 	struct rockchip_pin_bank *bank = platform_get_drvdata(pdev);
 
 	irq_set_chained_handler_and_data(bank->irq, NULL, NULL);
-	if (bank->domain)
+	if (bank->domain) {
+		irq_domain_remove_generic_chips(bank->domain);
 		irq_domain_remove(bank->domain);
+	}
 	gpiochip_remove(&bank->gpio_chip);
 }
 
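Review bot: in rockchip_gpio_remove() the generic chips and the IRQ domain are freed while the gpio_chip is still registered, because gpiochip_remove() runs last and bank->domain is left pointing at the removed domain. If any gpio_chip callback can reach bank->domain during that window, consider calling gpiochip_remove() first or clearing bank->domain after irq_domain_remove(). A one-line comment that the generic chips must be removed before the domain would also keep the ordering from being reshuffled later.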
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 210/522] net: lan743x: permit VLAN-tagged packets up to configured MTU
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 209/522] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 211/522] net: fec: fix pinctrl default state restore order on resume Greg Kroah-Hartman
                   ` (312 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Thompson, Thangaraj Samynathan,
	Nicolai Buchwitz, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Thompson <davthompson@nvidia.com>

[ Upstream commit 8173d22b211f615015f7b35f48ab11a6dd78dc99 ]

VLAN-tagged interfaces on lan743x devices were previously unreachable via
SSH and failed to respond to large ping packets (e.g. "ping -s 1469" given
MTU=1500). In these scenarios, "ethtool -S" reports non-zero "RX Oversize
Frame Errors". According to Microchip AN2948, the MAC_RX FSE (VLAN field
size enforcement) bit determines whether frames with VLAN tags exceeding
the base MTU plus tag length are discarded.

The driver must set the MAC_RX.FSE bit before setting MAC_RX.RXEN to allow
VLAN-tagged frames up to the interface MTU, preventing them from being
treated as oversized. As a result, both the base and VLAN-tagged interfaces
can use the same MTU without receive errors.

Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Thangaraj Samynathan <Thangaraj.s@microchip.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de> # lan7430 on arm64 (RevPi
Link: https://patch.msgid.link/20260529210300.433135-1-davthompson@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/microchip/lan743x_main.c | 32 +++++++++++++++++++
 drivers/net/ethernet/microchip/lan743x_main.h |  1 +
 2 files changed, 33 insertions(+)

diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
index 5dacc786db4559..c51d316ccdfb86 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -1271,6 +1271,36 @@ static void lan743x_mac_set_address(struct lan743x_adapter *adapter,
 		   "MAC address set to %pM\n", addr);
 }
 
+static void lan743x_mac_rx_enable_fse(struct lan743x_adapter *adapter)
+{
+	u32 mac_rx;
+	bool rxen;
+
+	mac_rx = lan743x_csr_read(adapter, MAC_RX);
+	if (mac_rx & MAC_RX_FSE_)
+		return;
+
+	rxen = mac_rx & MAC_RX_RXEN_;
+	if (rxen) {
+		mac_rx &= ~MAC_RX_RXEN_;
+		lan743x_csr_write(adapter, MAC_RX, mac_rx);
+		lan743x_csr_wait_for_bit(adapter, MAC_RX, MAC_RX_RXD_,
+					 1, 1000, 20000, 100);
+	}
+
+	/* Per AN2948, hardware prevents modification of the FSE bit while the
+	 * MAC receiver is enabled (RXEN bit set). Use separate register write
+	 * to assert the FSE bit before enabling the RXEN bit in MAC_RX
+	 */
+	mac_rx |= MAC_RX_FSE_;
+	lan743x_csr_write(adapter, MAC_RX, mac_rx);
+
+	if (rxen) {
+		mac_rx |= MAC_RX_RXEN_;
+		lan743x_csr_write(adapter, MAC_RX, mac_rx);
+	}
+}
+
 static int lan743x_mac_init(struct lan743x_adapter *adapter)
 {
 	bool mac_address_valid = true;
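Review bot: the return value of lan743x_csr_wait_for_bit() in lan743x_mac_rx_enable_fse() is ignored, so if MAC_RX_RXD_ never asserts the code goes on to write MAC_RX_FSE_ while the receiver may still be enabled, which the comment right below says the hardware does not allow. Check the result and either bail out with a warning or return an error to lan743x_mac_init(), which currently gets no indication because the helper is void. Reading MAC_RX back after the FSE write would confirm that the bit actually latched.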
@@ -1310,6 +1340,8 @@ static int lan743x_mac_init(struct lan743x_adapter *adapter)
 	lan743x_mac_set_address(adapter, adapter->mac_address);
 	eth_hw_addr_set(netdev, adapter->mac_address);
 
+	lan743x_mac_rx_enable_fse(adapter);
+
 	return 0;
 }
 
diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h
index c0d209f36188a1..9f20c727a7e137 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.h
+++ b/drivers/net/ethernet/microchip/lan743x_main.h
@@ -180,6 +180,7 @@
 #define MAC_RX				(0x104)
 #define MAC_RX_MAX_SIZE_SHIFT_		(16)
 #define MAC_RX_MAX_SIZE_MASK_		(0x3FFF0000)
+#define MAC_RX_FSE_			BIT(2)
 #define MAC_RX_RXD_			BIT(1)
 #define MAC_RX_RXEN_			BIT(0)
 
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 127/378] net: mctp: usb: fix race between urb completion and rx_retry cancellation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 126/378] gpio: rockchip: fix generic IRQ chip " Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 7.0 128/378] net: mctp: usb: dont fail mctp_usb_rx_queue on a deferred submission Greg Kroah-Hartman
                   ` (251 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Paolo Abeni,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Kerr <jk@codeconstruct.com.au>

[ Upstream commit 54665dce982689e2fd99b32e9a0dcc204fda8a51 ]

It's possible that sequencing between setting ->stopped and cancelling
the rx_retry work (in ndo_stop) could leave us with an urb queued:

    T1: ndo_stop                  T2: rx_retry_work
    ------------                  ----------------
                                  LD: ->stopped => false
    ST: ->stopped <= true
    usb_kill_urb()
                                  mctp_usb_rx_queue()
                                    usb_submit_urb()
    cancel_delayed_work_sync()

That urb completion can then re-schedule rx_retry_work.

Strengthen the sequencing between the stop (preventing another requeue)
and the cancel by updating both atomically under a new rx lock. After
setting ->rx_stopped, and cancelling pending work, we know that the
requeue cannot occur, so all that's left is killing any pending urb.

Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-1-29a3aa507609@codeconstruct.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/mctp/mctp-usb.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c
index 3b5dff14417747..cf6f6a93a45112 100644
--- a/drivers/net/mctp/mctp-usb.c
+++ b/drivers/net/mctp/mctp-usb.c
@@ -22,7 +22,6 @@
 struct mctp_usb {
 	struct usb_device *usbdev;
 	struct usb_interface *intf;
-	bool stopped;
 
 	struct net_device *netdev;
 
@@ -32,6 +31,9 @@ struct mctp_usb {
 	struct urb *tx_urb;
 	struct urb *rx_urb;
 
+	/* enforces atomic access to rx_stopped and requeuing the retry work */
+	spinlock_t rx_lock;
+	bool rx_stopped;
 	struct delayed_work rx_retry_work;
 };
 
@@ -122,6 +124,7 @@ static const unsigned long RX_RETRY_DELAY = HZ / 4;
 
 static int mctp_usb_rx_queue(struct mctp_usb *mctp_usb, gfp_t gfp)
 {
+	unsigned long flags;
 	struct sk_buff *skb;
 	int rc;
 
@@ -147,7 +150,10 @@ static int mctp_usb_rx_queue(struct mctp_usb *mctp_usb, gfp_t gfp)
 	return rc;
 
 err_retry:
-	schedule_delayed_work(&mctp_usb->rx_retry_work, RX_RETRY_DELAY);
+	spin_lock_irqsave(&mctp_usb->rx_lock, flags);
+	if (!mctp_usb->rx_stopped)
+		schedule_delayed_work(&mctp_usb->rx_retry_work, RX_RETRY_DELAY);
+	spin_unlock_irqrestore(&mctp_usb->rx_lock, flags);
 	return rc;
 }
 
@@ -248,9 +254,6 @@ static void mctp_usb_rx_retry_work(struct work_struct *work)
 	struct mctp_usb *mctp_usb = container_of(work, struct mctp_usb,
 						 rx_retry_work.work);
 
-	if (READ_ONCE(mctp_usb->stopped))
-		return;
-
 	mctp_usb_rx_queue(mctp_usb, GFP_KERNEL);
 }
 
@@ -258,7 +261,7 @@ static int mctp_usb_open(struct net_device *dev)
 {
 	struct mctp_usb *mctp_usb = netdev_priv(dev);
 
-	WRITE_ONCE(mctp_usb->stopped, false);
+	WRITE_ONCE(mctp_usb->rx_stopped, false);
 
 	netif_start_queue(dev);
 
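Review bot: mctp_usb_open() still updates rx_stopped with a bare WRITE_ONCE() and without taking rx_lock, while the new comment on the struct says rx_lock enforces atomic access to rx_stopped and the other users in this patch access it as a plain variable under the lock. Either take rx_lock here as well or add a comment saying why the open path cannot race with mctp_usb_rx_queue() and mctp_usb_stop(); mixing the two styles makes the locking rule hard to audit.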
@@ -268,17 +271,21 @@ static int mctp_usb_open(struct net_device *dev)
 static int mctp_usb_stop(struct net_device *dev)
 {
 	struct mctp_usb *mctp_usb = netdev_priv(dev);
+	unsigned long flags;
 
 	netif_stop_queue(dev);
 
 	/* prevent RX submission retry */
-	WRITE_ONCE(mctp_usb->stopped, true);
+	spin_lock_irqsave(&mctp_usb->rx_lock, flags);
+	mctp_usb->rx_stopped = true;
+	cancel_delayed_work(&mctp_usb->rx_retry_work);
+	spin_unlock_irqrestore(&mctp_usb->rx_lock, flags);
+
+	flush_delayed_work(&mctp_usb->rx_retry_work);
 
 	usb_kill_urb(mctp_usb->rx_urb);
 	usb_kill_urb(mctp_usb->tx_urb);
 
-	cancel_delayed_work_sync(&mctp_usb->rx_retry_work);
-
 	return 0;
 }
 
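Review bot: the order in mctp_usb_stop() is now load-bearing (set rx_stopped and cancel under rx_lock, then flush_delayed_work(), then usb_kill_urb()), but the only comment is the old "prevent RX submission retry". Since this patch also drops the stopped check from mctp_usb_rx_retry_work(), a work item that is already running will still submit an urb, and it is the flush before usb_kill_urb() that guarantees that urb gets killed. Please spell that out in a comment so the kill is not moved back above the flush.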
@@ -331,6 +338,7 @@ static int mctp_usb_probe(struct usb_interface *intf,
 	dev->netdev = netdev;
 	dev->usbdev = interface_to_usbdev(intf);
 	dev->intf = intf;
+	spin_lock_init(&dev->rx_lock);
 	usb_set_intfdata(intf, dev);
 
 	dev->ep_in = ep_in->bEndpointAddress;
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 211/522] net: fec: fix pinctrl default state restore order on resume
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 210/522] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:55 ` [PATCH 6.1 212/522] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
                   ` (311 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tapio Reijonen, Wei Fang,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tapio Reijonen <tapio.reijonen@vaisala.com>

[ Upstream commit b455410146bf723c7ebcb49ecd5becc0d6611482 ]

In fec_resume(), fec_enet_clk_enable() is called before
pinctrl_pm_select_default_state() in the non-WoL path, inverting the
ordering used in fec_suspend() which correctly switches to the sleep
pinctrl state before disabling clocks.

For PHYs with the PHY_RST_AFTER_CLK_EN flag (e.g. TI DP83848 or
SMSC LAN87xx), fec_enet_clk_enable() triggers a hardware reset pulse
via the phy-reset GPIO. With the GPIO pin still in sleep pinctrl state
at that point, the GPIO write has no physical effect and the PHY never
receives the required reset after clock enable, leading to unreliable
link establishment after system resume.

Fix by restoring the default pinctrl state before enabling clocks,
making resume the proper mirror of suspend. The call is made
unconditionally: fec_suspend() only switches to the sleep pinctrl state
on the non-WoL path and leaves the pins in the default state when WoL
is enabled, so on a WoL resume the device is already in the default
state and pinctrl_pm_select_default_state() is a no-op.

Fixes: de40ed31b3c5 ("net: fec: add Wake-on-LAN support")
Signed-off-by: Tapio Reijonen <tapio.reijonen@vaisala.com>
Reviewed-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260529-b4-fec-resume-pinctrl-order-v3-1-6eda0f592fca@vaisala.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fec_main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index e9c4945d0c2713..d1510af6aff1b5 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -4322,6 +4322,7 @@ static int __maybe_unused fec_resume(struct device *dev)
 		if (fep->rpm_active)
 			pm_runtime_force_resume(dev);
 
+		pinctrl_pm_select_default_state(&fep->pdev->dev);
 		ret = fec_enet_clk_enable(ndev, true);
 		if (ret) {
 			rtnl_unlock();
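Review bot: with pinctrl_pm_select_default_state() moved above fec_enet_clk_enable(), the `if (ret)` failure branch in fec_resume() is now reached with the pins already in the default state while the clocks are not enabled, which the old non-WoL path could not do. Say in the commit message or a comment whether that is acceptable, or switch back to the sleep state on that branch. The return value of pinctrl_pm_select_default_state() is also ignored; since the PHY reset described in the commit message depends on it, a failure there deserves at least a warning.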
@@ -4338,8 +4339,6 @@ static int __maybe_unused fec_resume(struct device *dev)
 			val &= ~(FEC_ECR_MAGICEN | FEC_ECR_SLEEP);
 			writel(val, fep->hwp + FEC_ECNTRL);
 			fep->wol_flag &= ~FEC_WOL_FLAG_SLEEP_ON;
-		} else {
-			pinctrl_pm_select_default_state(&fep->pdev->dev);
 		}
 		fec_restart(ndev);
 		netif_tx_lock_bh(ndev);
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 128/378] net: mctp: usb: dont fail mctp_usb_rx_queue on a deferred submission
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 127/378] net: mctp: usb: fix race between urb completion and rx_retry cancellation Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 129/378] esp: fix page frag reference leak on skb_to_sgvec failure Greg Kroah-Hartman
                   ` (250 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Paolo Abeni,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Kerr <jk@codeconstruct.com.au>

[ Upstream commit 881a3113b74964918cdd72747e3bc119c02b0c0c ]

In the ndo_open path, a deferred queue open will report a failure, and
so the netdev will not be ndo_stop()ed, leaving us with the rx_retry
work potentially pending.

Don't report a deferred queue as an error, as we are still operational.
This means we use the ndo_stop() path for future cleanup, which handles
rx_retry_work cancellation.

Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-2-29a3aa507609@codeconstruct.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/mctp/mctp-usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c
index cf6f6a93a45112..fade65f2f26995 100644
--- a/drivers/net/mctp/mctp-usb.c
+++ b/drivers/net/mctp/mctp-usb.c
@@ -154,7 +154,7 @@ static int mctp_usb_rx_queue(struct mctp_usb *mctp_usb, gfp_t gfp)
 	if (!mctp_usb->rx_stopped)
 		schedule_delayed_work(&mctp_usb->rx_retry_work, RX_RETRY_DELAY);
 	spin_unlock_irqrestore(&mctp_usb->rx_lock, flags);
-	return rc;
+	return 0;
 }
 
 static void mctp_usb_in_complete(struct urb *urb)
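Review bot: `return 0` at the end of err_retry also covers the case where rx_stopped is set and no retry work is scheduled, so mctp_usb_rx_queue() then reports success although nothing was submitted or deferred. Return 0 only when the work was actually scheduled and keep rc otherwise, or document that the return value is deliberately ignored after stop. The change also hides rc from every caller of mctp_usb_rx_queue(), not only the ndo_open path named in the commit message, so a debug message with rc here would keep the failure visible.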
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 212/522] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 211/522] net: fec: fix pinctrl default state restore order on resume Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 213/522] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
                   ` (310 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Cen, Luiz Augusto von Dentz,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

[ Upstream commit 43c441edacf953b39517a44f5e5e10a93618b226 ]

rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock,
but returns the selected listener after dropping that lock without
taking a reference. rfcomm_connect_ind() then locks the listener,
queues a child socket on it, and may notify it after unlocking it.

The buggy scenario involves two paths, with each column showing the
order within that path:

rfcomm_connect_ind():            listener close:
  1. Find parent in              1. close() enters
     rfcomm_get_sock_by_channel()   rfcomm_sock_release().
  2. Drop rfcomm_sk_list.lock    2. rfcomm_sock_shutdown()
     without pinning parent.        closes the listener.
  3. Call lock_sock(parent) and  3. rfcomm_sock_kill()
     bt_accept_enqueue(parent,      unlinks and puts parent.
     sk, true).
  4. Read parent flags and may   4. parent can be freed.
     call sk_state_change().

If close wins the race, parent can be freed before
rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the
deferred-setup callback.

Take a reference on the listener before leaving rfcomm_sk_list.lock.
After lock_sock() succeeds, recheck that it is still in BT_LISTEN
before queueing a child, cache the deferred-setup bit while the parent
is locked, and drop the reference after the last parent use.

KASAN reported a slab-use-after-free in lock_sock_nested() from
rfcomm_connect_ind(), with the freeing stack going through
rfcomm_sock_kill() and rfcomm_sock_release().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/rfcomm/sock.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index bc2b22c2b3aec7..d72cdcd2e2bb11 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -122,7 +122,7 @@ static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
 }
 
 /* Find socket with channel and source bdaddr.
- * Returns closest match.
+ * Returns closest match with an extra reference held.
  */
 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
 {
@@ -136,15 +136,25 @@ static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *
 
 		if (rfcomm_pi(sk)->channel == channel) {
 			/* Exact match. */
-			if (!bacmp(&rfcomm_pi(sk)->src, src))
+			if (!bacmp(&rfcomm_pi(sk)->src, src)) {
+				sock_hold(sk);
 				break;
+			}
 
 			/* Closest match */
-			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
+			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) {
+				if (sk1)
+					sock_put(sk1);
+
 				sk1 = sk;
+				sock_hold(sk1);
+			}
 		}
 	}
 
+	if (sk && sk1)
+		sock_put(sk1);
+
 	read_unlock(&rfcomm_sk_list.lock);
 
 	return sk ? sk : sk1;
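Review bot: the hold/put bookkeeping inside the loop of rfcomm_get_sock_by_channel() is harder to verify than it needs to be: the closest match is held and possibly put again on later iterations, and the final `if (sk && sk1) sock_put(sk1)` relies on sk being NULL when the loop ends without the exact-match break. Since everything here runs under rfcomm_sk_list.lock, it would be simpler to leave the loop as it was and take a single sock_hold() on the socket that is about to be returned, just before read_unlock(). That gives one reference taken in one place and no put on the lookup path.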
@@ -941,6 +951,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
 {
 	struct sock *sk, *parent;
 	bdaddr_t src, dst;
+	bool defer_setup = false;
 	int result = 0;
 
 	BT_DBG("session %p channel %d", s, channel);
@@ -954,6 +965,11 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
 
 	lock_sock(parent);
 
+	if (parent->sk_state != BT_LISTEN)
+		goto done;
+
+	defer_setup = test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags);
+
 	/* Check for backlog size */
 	if (sk_acceptq_is_full(parent)) {
 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
@@ -981,9 +997,11 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
 done:
 	release_sock(parent);
 
-	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
+	if (defer_setup)
 		parent->sk_state_change(parent);
 
+	sock_put(parent);
+
 	return result;
 }
 
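Review bot: the sock_put(parent) added after done: only balances the new reference if every exit from rfcomm_connect_ind() after a successful lookup goes through done:. The hunks show just that one path, so please check that no earlier return is taken with parent non-NULL. A short comment that sk_state_change(parent) is called on a socket that is pinned but no longer locked, and may have left BT_LISTEN by then, would also help the next reader.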
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 129/378] esp: fix page frag reference leak on skb_to_sgvec failure
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 7.0 128/378] net: mctp: usb: dont fail mctp_usb_rx_queue on a deferred submission Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 130/378] ASoC: SOF: amd: fix for ipc flags check Greg Kroah-Hartman
                   ` (249 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alessandro Schino, Steffen Klassert,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alessandro Schino <7991aleschino@gmail.com>

[ Upstream commit 2982e599fff6faa21c8df147d96fc7af6c1a2f24 ]

In esp_output_tail(), when esp->inplace is false, the old skb page frags
are replaced with a new page from the xfrm page_frag cache. The source
scatterlist (sg) is built from the old frags before the replacement, and
esp_ssg_unref() is responsible for releasing the old page references
after the crypto operation completes.

However, if the second skb_to_sgvec() call (which builds the destination
scatterlist from the new page) fails, the code jumps to error_free which
only calls kfree(tmp). The old page frag references captured in the
source scatterlist are never released:

  1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
  2. nr_frags is set to 1 and frag[0] is replaced with the new page
  3. Second skb_to_sgvec() fails -> goto error_free
  4. kfree(tmp) frees the sg[] memory but old frags are not unref'd
  5. kfree_skb() only releases frag[0] (the new page), not the old ones

Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
unconditionally unrefs the source scatterlist frags without checking
req->src and req->dst, since those fields are not yet initialized by
aead_request_set_crypt() at the point of the error. Existing callers
pass false to preserve the original behavior.

The same issue exists in both esp4 and esp6 as the code is identical.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")

Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Stable-dep-of: 26aad08a9289 ("esp: fix page frag reference leak on skb_to_sgvec failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/esp4.c | 17 +++++++++++------
 net/ipv6/esp6.c | 17 +++++++++++------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 513c8215c947f1..dfc81ee969ae03 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -96,7 +96,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
 			     __alignof__(struct scatterlist));
 }
 
-static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
+static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref)
 {
 	struct crypto_aead *aead = x->data;
 	int extralen = 0;
@@ -113,10 +113,13 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
 	/* Unref skb_frag_pages in the src scatterlist if necessary.
 	 * Skip the first sg which comes from skb->data.
 	 */
-	if (req->src != req->dst)
-		for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+	if (already_unref || req->src != req->dst) {
+		struct scatterlist *src = already_unref ? esp_req_sg(aead, req) : req->src;
+
+		for (sg = sg_next(src); sg; sg = sg_next(sg))
 			skb_page_unref(page_to_netmem(sg_page(sg)),
 				       skb->pp_recycle);
+	}
 }
 
 #ifdef CONFIG_INET_ESPINTCP
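Review bot: the new parameter name already_unref reads as "the frags were already unreferenced", but in esp_ssg_unref() passing true does the opposite and forces the unref without looking at req->src and req->dst. Rename it to something like force_src_unref and extend the comment above the loop to say that in this mode the source scatterlist is taken from esp_req_sg(aead, req) because the request fields are not set yet. The changed prototype in the previous hunk is also well past the usual line length and should be wrapped.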
@@ -220,7 +223,7 @@ static void esp_output_done(void *data, int err)
 	}
 
 	tmp = ESP_SKB_CB(skb)->tmp;
-	esp_ssg_unref(x, tmp, skb);
+	esp_ssg_unref(x, tmp, skb, false);
 	kfree(tmp);
 
 	if (xo && (xo->flags & XFRM_DEV_RESUME)) {
@@ -569,8 +572,10 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 		err = skb_to_sgvec(skb, dsg,
 			           (unsigned char *)esph - skb->data,
 			           assoclen + ivlen + esp->clen + alen);
-		if (unlikely(err < 0))
+		if (unlikely(err < 0)) {
+			esp_ssg_unref(x, tmp, skb, true);
 			goto error_free;
+		}
 	}
 
 	if ((x->props.flags & XFRM_STATE_ESN))
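Review bot: the forced unref is added only on this skb_to_sgvec() failure branch in esp_output_tail(), so any other `goto error_free` taken after the frags were swapped but before the request is set up would still leak the old pages. Check the statements between the frag replacement and this call for such exits, and consider doing the unref under a dedicated error label so the cleanup lives in one place. The same applies to the matching hunk in esp6_output_tail().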
@@ -602,7 +607,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	}
 
 	if (sg != dsg)
-		esp_ssg_unref(x, tmp, skb);
+		esp_ssg_unref(x, tmp, skb, false);
 
 	if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
 		err = esp_output_tail_tcp(x, skb);
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 57481e423e59e6..296b57926abb98 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -113,7 +113,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
 			     __alignof__(struct scatterlist));
 }
 
-static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
+static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref)
 {
 	struct crypto_aead *aead = x->data;
 	int extralen = 0;
@@ -130,10 +130,13 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
 	/* Unref skb_frag_pages in the src scatterlist if necessary.
 	 * Skip the first sg which comes from skb->data.
 	 */
-	if (req->src != req->dst)
-		for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+	if (already_unref || req->src != req->dst) {
+		struct scatterlist *src = already_unref ? esp_req_sg(aead, req) : req->src;
+
+		for (sg = sg_next(src); sg; sg = sg_next(sg))
 			skb_page_unref(page_to_netmem(sg_page(sg)),
 				       skb->pp_recycle);
+	}
 }
 
 #ifdef CONFIG_INET6_ESPINTCP
@@ -254,7 +257,7 @@ static void esp_output_done(void *data, int err)
 	}
 
 	tmp = ESP_SKB_CB(skb)->tmp;
-	esp_ssg_unref(x, tmp, skb);
+	esp_ssg_unref(x, tmp, skb, false);
 	kfree(tmp);
 
 	esp_output_encap_csum(skb);
@@ -600,8 +603,10 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 		err = skb_to_sgvec(skb, dsg,
 			           (unsigned char *)esph - skb->data,
 			           assoclen + ivlen + esp->clen + alen);
-		if (unlikely(err < 0))
+		if (unlikely(err < 0)) {
+			esp_ssg_unref(x, tmp, skb, true);
 			goto error_free;
+		}
 	}
 
 	if ((x->props.flags & XFRM_STATE_ESN))
@@ -634,7 +639,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	}
 
 	if (sg != dsg)
-		esp_ssg_unref(x, tmp, skb);
+		esp_ssg_unref(x, tmp, skb, false);
 
 	if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
 		err = esp_output_tail_tcp(x, skb);
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 213/522] Bluetooth: MGMT: validate advertising TLV before type checks
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2026-06-16 14:55 ` [PATCH 6.1 212/522] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 214/522] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
                   ` (309 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Menzel, Zhang Cen,
	Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

[ Upstream commit de23fb62259aa01d294f77238ae3b835eb674413 ]

tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:

  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
  Read of size 1
  Call trace:
    tlv_data_is_valid()
    add_advertising()
    hci_mgmt_cmd()
    hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].

Fixes: 2bb36870e8cb ("Bluetooth: Unify advertising instance flags check")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index dd7d12418e0738..cc058c77d2e252 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8602,6 +8602,12 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
 		if (!cur_len)
 			continue;
 
+		/* If the current field length would exceed the total data
+		 * length, then it's invalid.
+		 */
+		if (i + cur_len >= len)
+			return false;
+
 		if (data[i + 1] == EIR_FLAGS &&
 		    (!is_adv_data || flags_managed(adv_flags)))
 			return false;
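Review bot: The moved comment above `if (i + cur_len >= len)` still describes only the length overrun, but in its new position this test is also what guarantees `data[i + 1]` is inside the buffer before the `EIR_FLAGS` comparison reads it. Say so in the comment, so that a later cleanup does not move the check back below the type tests. The case to name is a length byte in the last position of the buffer, where `i + cur_len >= len` holds for any non-zero `cur_len`.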
@@ -8618,12 +8624,6 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
 		if (data[i + 1] == EIR_APPEARANCE &&
 		    appearance_managed(adv_flags))
 			return false;
-
-		/* If the current field length would exceed the total data
-		 * length, then it's invalid.
-		 */
-		if (i + cur_len >= len)
-			return false;
 	}
 
 	return true;
-- 
2.53.0





* [PATCH 7.0 130/378] ASoC: SOF: amd: fix for ipc flags check
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 129/378] esp: fix page frag reference leak on skb_to_sgvec failure Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 131/378] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
                   ` (248 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vijendar Mukunda, Umang Jain,
	Mark Brown, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>

[ Upstream commit 6042c91df60e825625bc7d5c5c3b5a87b91d5805 ]

Firmware will set dsp_ack to 1 when firmware sends response for the IPC
command issued by host. Similarly dsp_msg flag will be updated to 1.

During ACP D0 entry, the value read from the sof_dsp_ack_write scratch
flag can be uninitialized. A non-zero garbage value is treated as a
pending DSP IPC ack before SOF_FW_BOOT_COMPLETE, causing a spurious
"IPC reply before FW_BOOT_COMPLETE" log.

Fix the condition checks for ipc flags.

Fixes: 738a2b5e2cc9 ("ASoC: SOF: amd: Add IPC support for ACP IP block")
Link: https://github.com/thesofproject/linux/pull/5642
Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Tested-by: Umang Jain <uajain@igalia.com>
Link: https://patch.msgid.link/20260609160938.3717513-1-Vijendar.Mukunda@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/sof/amd/acp-ipc.c | 4 ++--
 sound/soc/sof/amd/acp.h     | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/sound/soc/sof/amd/acp-ipc.c b/sound/soc/sof/amd/acp-ipc.c
index 3cd4674dd80075..94025bc799ea40 100644
--- a/sound/soc/sof/amd/acp-ipc.c
+++ b/sound/soc/sof/amd/acp-ipc.c
@@ -181,14 +181,14 @@ irqreturn_t acp_sof_ipc_irq_thread(int irq, void *context)
 	}
 
 	dsp_msg = snd_sof_dsp_read(sdev, ACP_DSP_BAR, ACP_SCRATCH_REG_0 + dsp_msg_write);
-	if (dsp_msg) {
+	if (dsp_msg == ACP_DSP_MSG_SET) {
 		snd_sof_ipc_msgs_rx(sdev);
 		acp_dsp_ipc_host_done(sdev);
 		ipc_irq = true;
 	}
 
 	dsp_ack = snd_sof_dsp_read(sdev, ACP_DSP_BAR, ACP_SCRATCH_REG_0 + dsp_ack_write);
-	if (dsp_ack) {
+	if (dsp_ack == ACP_DSP_ACK_SET) {
 		if (likely(sdev->fw_state == SOF_FW_BOOT_COMPLETE)) {
 			guard(spinlock_irq)(&sdev->ipc_lock);
 
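Review bot: Comparing against `ACP_DSP_MSG_SET` and `ACP_DSP_ACK_SET` narrows the false positive but does not remove it: the commit message says the scratch flag can hold an uninitialized value during ACP D0 entry, and such a value can still be exactly 1. Consider having the host clear both scratch flags before this IRQ thread can run, or explain in a comment why a stale 1 cannot occur. Any other non-zero value is now ignored silently, so a debug print for that case would help when diagnosing firmware behaviour.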
diff --git a/sound/soc/sof/amd/acp.h b/sound/soc/sof/amd/acp.h
index 2b7ea8c6410602..7bcb76676a984a 100644
--- a/sound/soc/sof/amd/acp.h
+++ b/sound/soc/sof/amd/acp.h
@@ -116,6 +116,8 @@
 #define ACP_SRAM_PAGE_COUNT			128
 #define ACP6X_SDW_MAX_MANAGER_COUNT		2
 #define ACP70_SDW_MAX_MANAGER_COUNT		ACP6X_SDW_MAX_MANAGER_COUNT
+#define ACP_DSP_MSG_SET				1
+#define ACP_DSP_ACK_SET				1
 
 enum clock_source {
 	ACP_CLOCK_96M = 0,
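Review bot: `ACP_DSP_MSG_SET` and `ACP_DSP_ACK_SET` are added without a comment, directly after the SoundWire manager counts, so nothing tells a reader that these are the values firmware writes to the `dsp_msg` and `dsp_ack` scratch flags. Add a one-line comment saying that, and separate them from the unrelated counts with a blank line.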
-- 
2.53.0





* [PATCH 6.1 214/522] Bluetooth: RFCOMM: validate skb length in MCC handlers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 213/522] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 215/522] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
                   ` (308 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, SeungJu Cheon,
	Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeungJu Cheon <suunj1331@gmail.com>

[ Upstream commit 23882b828c3c8c51d0c946446a396b10abb3b16b ]

The RFCOMM MCC handlers cast skb->data to protocol-specific structs
without validating skb->len first. A malicious remote device can send
truncated MCC frames and trigger out-of-bounds reads in these handlers.

Fix this by using skb_pull_data() to validate and access the required
data before dereferencing it.

rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows
1-byte RPN requests. Handle this by validating only the DLCI byte first,
and validating the full struct only when len > 1.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/rfcomm/core.c | 67 +++++++++++++++++++++++++++----------
 1 file changed, 49 insertions(+), 18 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 4f54c7df3a94f8..374187def190da 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1427,10 +1427,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
 
 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 {
-	struct rfcomm_pn *pn = (void *) skb->data;
+	struct rfcomm_pn *pn;
 	struct rfcomm_dlc *d;
-	u8 dlci = pn->dlci;
+	u8 dlci;
+
+	pn = skb_pull_data(skb, sizeof(*pn));
+	if (!pn)
+		return -EILSEQ;
 
+	dlci = pn->dlci;
 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
 
 	if (!dlci)
@@ -1479,8 +1484,8 @@ static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 
 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
 {
-	struct rfcomm_rpn *rpn = (void *) skb->data;
-	u8 dlci = __get_dlci(rpn->dlci);
+	struct rfcomm_rpn *rpn;
+	u8 dlci;
 
 	u8 bit_rate  = 0;
 	u8 data_bits = 0;
@@ -1491,15 +1496,16 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
 	u8 xoff_char = 0;
 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
 
-	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
-		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
-		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
+	if (len == 1) {
+		rpn = skb_pull_data(skb, 1);
+		if (!rpn)
+			return -EILSEQ;
 
-	if (!cr)
-		return 0;
+		dlci = __get_dlci(rpn->dlci);
+
+		if (!cr)
+			return 0;
 
-	if (len == 1) {
-		/* This is a request, return default (according to ETSI TS 07.10) settings */
 		bit_rate  = RFCOMM_RPN_BR_9600;
 		data_bits = RFCOMM_RPN_DATA_8;
 		stop_bits = RFCOMM_RPN_STOP_1;
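Review bot: The `len == 1` branch drops the comment `/* This is a request, return default (according to ETSI TS 07.10) settings */`, which explained why default values are assigned here; keep it above `bit_rate  = RFCOMM_RPN_BR_9600;`. It is also worth a comment that `rpn` points at a single pulled byte in this branch, so only `rpn->dlci` may be read through it.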
@@ -1510,6 +1516,19 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
 		goto rpn_out;
 	}
 
+	rpn = skb_pull_data(skb, sizeof(*rpn));
+	if (!rpn)
+		return -EILSEQ;
+
+	dlci = __get_dlci(rpn->dlci);
+
+	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
+	       dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
+	       rpn->xon_char, rpn->xoff_char, rpn->param_mask);
+
+	if (!cr)
+		return 0;
+
 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
 	 * no parity, no flow control lines, normal XON/XOFF chars */
 
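Review bot: The full-struct pull runs for every `len` other than 1, including 0, while the commit message describes it as the `len > 1` case, and the `len` taken from the MCC header is never compared with `sizeof(*rpn)`. The `skb_pull_data(skb, sizeof(*rpn))` check does bound the read, so the access is safe, but a comment stating that the skb length rather than the header `len` is authoritative would make that intent explicit.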
@@ -1585,9 +1604,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
 
 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 {
-	struct rfcomm_rls *rls = (void *) skb->data;
-	u8 dlci = __get_dlci(rls->dlci);
+	struct rfcomm_rls *rls;
+	u8 dlci;
 
+	rls = skb_pull_data(skb, sizeof(*rls));
+	if (!rls)
+		return -EILSEQ;
+
+	dlci = __get_dlci(rls->dlci);
 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
 
 	if (!cr)
@@ -1604,10 +1628,15 @@ static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb
 
 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
 {
-	struct rfcomm_msc *msc = (void *) skb->data;
+	struct rfcomm_msc *msc;
 	struct rfcomm_dlc *d;
-	u8 dlci = __get_dlci(msc->dlci);
+	u8 dlci;
+
+	msc = skb_pull_data(skb, sizeof(*msc));
+	if (!msc)
+		return -EILSEQ;
 
+	dlci = __get_dlci(msc->dlci);
 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
 
 	d = rfcomm_dlc_get(s, dlci);
@@ -1640,17 +1669,19 @@ static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb
 
 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
 {
-	struct rfcomm_mcc *mcc = (void *) skb->data;
+	struct rfcomm_mcc *mcc;
 	u8 type, cr, len;
 
+	mcc = skb_pull_data(skb, sizeof(*mcc));
+	if (!mcc)
+		return -EILSEQ;
+
 	cr   = __test_cr(mcc->type);
 	type = __get_mcc_type(mcc->type);
 	len  = __get_mcc_len(mcc->len);
 
 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
 
-	skb_pull(skb, 2);
-
 	switch (type) {
 	case RFCOMM_PN:
 		rfcomm_recv_pn(s, cr, skb);
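Review bot: The handlers now return `-EILSEQ` on a truncated frame, but the visible call site `rfcomm_recv_pn(s, cr, skb);` in the `switch` discards the return value, so a malformed MCC frame is dropped without any trace. Either propagate the error out of `rfcomm_recv_mcc()` or add a `BT_DBG` at the failure points. Replacing `skb_pull(skb, 2)` with `skb_pull_data(skb, sizeof(*mcc))` also assumes `struct rfcomm_mcc` is exactly the two header bytes; a comment or a build-time assertion would pin that.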
-- 
2.53.0





* [PATCH 7.0 131/378] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 130/378] ASoC: SOF: amd: fix for ipc flags check Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 132/378] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
                   ` (247 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Xin Long,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit f8373d7090b745728de66308deeecc67e8d319ce ]

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260608122234.459098-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/input.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index e119e460ccde0b..864741fae4187e 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1204,6 +1204,14 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 	/* Skip over the ADDIP header and find the Address parameter */
 	param = (union sctp_addr_param *)(asconf + 1);
 
+	/* The whole address parameter must lie within the chunk before
+	 * af->from_addr_param() reads the variable-length address; otherwise a
+	 * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+	 * the parameter.
+	 */
+	if (sizeof(*asconf) + ntohs(param->p.length) > ntohs(ch->length))
+		return NULL;
+
 	af = sctp_get_af_specific(param_type2af(param->p.type));
 	if (unlikely(!af))
 		return NULL;
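Review bot: The new test bounds `ntohs(param->p.length)` against the chunk but puts no lower bound on it, so a declared length shorter than the address for `param->p.type` passes here and correctness then depends on `af->from_addr_param()` rejecting it. State in the comment where that is enforced, or compare the declared length with the size expected for the address family before the call. The comment should also say that `sizeof(*asconf)` is the offset of `param` from the start of the chunk, since the comparison with `ntohs(ch->length)` is only right if both are measured from the same point.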
-- 
2.53.0





* [PATCH 6.1 215/522] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 214/522] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 216/522] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
                   ` (307 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dudu Lu, Luiz Augusto von Dentz,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dudu Lu <phx0fer@gmail.com>

[ Upstream commit 72b8deccff17a7644e0367e1aaf1a36cfb014324 ]

In bnep_rx_frame(), the BNEP_FILTER_NET_TYPE_SET and
BNEP_FILTER_MULTI_ADDR_SET extension header parsing has two bugs:

1) The 2-byte length field is read with *(u16 *)(skb->data + 1), which
   performs a native-endian read. The BNEP protocol specifies this field
   in big-endian (network byte order), and the same file correctly uses
   get_unaligned_be16() for the identical fields in
   bnep_ctrl_set_netfilter() and bnep_ctrl_set_mcfilter().

2) The length is multiplied by 2, but unlike BNEP_SETUP_CONN_REQ where
   the length byte counts UUID pairs (requiring * 2 for two UUIDs per
   entry), the filter extension length field already represents the total
   data size in bytes. This is confirmed by bnep_ctrl_set_netfilter()
   which reads the same field as a byte count and divides by 4 to get
   the number of filter entries.

   The bogus * 2 means skb_pull advances twice as far as it should,
   either dropping valid data from the next header or causing the pull
   to fail entirely when the doubled length exceeds the remaining skb.

Fix by splitting the pull into two steps: first use skb_pull_data() to
safely pull and validate the 3-byte fixed header (ctrl type + length),
then pull the variable-length data using the properly decoded length.

Fixes: bf8b9a9cb77b ("Bluetooth: bnep: Add support to extended headers of control frames")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/bnep/core.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index e125afe573fcf2..9d804b08de88e0 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -330,11 +330,18 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 				goto badframe;
 			break;
 		case BNEP_FILTER_MULTI_ADDR_SET:
-		case BNEP_FILTER_NET_TYPE_SET:
-			/* Pull: ctrl type (1 b), len (2 b), data (len bytes) */
-			if (!skb_pull(skb, 3 + *(u16 *)(skb->data + 1) * 2))
+		case BNEP_FILTER_NET_TYPE_SET: {
+			u8 *hdr;
+
+			/* Pull ctrl type (1 b) + len (2 b) */
+			hdr = skb_pull_data(skb, 3);
+			if (!hdr)
+				goto badframe;
+			/* Pull data (len bytes); length is big-endian */
+			if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
 				goto badframe;
 			break;
+		}
 		default:
 			kfree_skb(skb);
 			return 0;
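Review bot: The literal `3` in `skb_pull_data(skb, 3)` and the `&hdr[1]` offset encode the header layout (1-byte ctrl type, 2-byte length) only through the comment. A small packed struct or named constants would tie the pull size to the field offset, so that a later change to one cannot silently disagree with the other.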
-- 
2.53.0





* [PATCH 7.0 132/378] ip6_vti: set netns_immutable on the fallback device.
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 131/378] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 133/378] sctp: validate embedded INIT chunk and address list lengths in cookie Greg Kroah-Hartman
                   ` (246 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Noam Rathaus, Eric Dumazet,
	Steffen Klassert, Nicolas Dichtel, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d289d5307762d1838aaece22c6b6fcad9e8865f9 ]

john1988 and Noam Rathaus reported that vti6_init_net() does not set the
netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).

Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)
correctly set this flag during their fallback device initialization to
prevent them from being moved to another network namespace.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Noam Rathaus <noamr@ssd-disclosure.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260608155918.787644-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/ip6_vti.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index df793c8bfffb0a..d2b74a6f2cf62d 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -1159,6 +1159,7 @@ static int __net_init vti6_init_net(struct net *net)
 		goto err_alloc_dev;
 	dev_net_set(ip6n->fb_tnl_dev, net);
 	ip6n->fb_tnl_dev->rtnl_link_ops = &vti6_link_ops;
+	ip6n->fb_tnl_dev->netns_immutable = true;
 
 	err = vti6_fb_tnl_dev_init(ip6n->fb_tnl_dev);
 	if (err < 0)
-- 
2.53.0





* [PATCH 6.1 216/522] Bluetooth: bnep: reject short frames before parsing
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 215/522] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 217/522] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
                   ` (306 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Cen, Luiz Augusto von Dentz,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

[ Upstream commit 6770d3a8acdf9151769180cc3710346c4cfbe6f0 ]

A BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the
packet type byte immediately and, for control packets, reads the control
opcode and setup UUID-size byte before proving that those bytes are
present. bnep_rx_control() also dereferences the control opcode without
rejecting an empty control payload.

Use skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL
return gates each dereference. Split the control handler so the frame
path can pass an opcode that has already been pulled, and keep the
byte-buffer wrapper for extension control payloads.

For BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the
setup payload. struct bnep_setup_conn_req carries destination and source
service UUIDs after that byte, each uuid_size bytes, so the parser now
documents that tuple explicitly instead of leaving the pull length as an
opaque multiplication.

Validation reproduced this kernel report:
KASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790
The buggy address belongs to the object at ffff88800c0f7908 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 1-byte
region [ffff88800c0f7908, ffff88800c0f7909)
Read of size 1
Call trace:
  dump_stack_lvl+0xb3/0x140 (?:?)
  print_address_description+0x57/0x3a0 (?:?)
  bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)
  print_report+0xb9/0x2b0 (?:?)
  __virt_addr_valid+0x1ba/0x3a0 (?:?)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  kasan_addr_to_slab+0x21/0x60 (?:?)
  kasan_report+0xe0/0x110 (?:?)
  process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)
  worker_thread+0x65c/0xe40 (?:?)
  __kthread_parkme+0x184/0x230 (?:?)
  kthread+0x35e/0x470 (?:?)
  _raw_spin_unlock_irq+0x28/0x50 (?:?)
  ret_from_fork+0x586/0x870 (?:?)
  __switch_to+0x74f/0xdc0 (?:?)
  ret_from_fork_asm+0x1a/0x30 (?:?)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/bnep/core.c | 57 ++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 21 deletions(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 9d804b08de88e0..45d0f84652fc60 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -206,14 +206,11 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
 	return 0;
 }
 
-static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+static int bnep_rx_control_cmd(struct bnep_session *s, u8 cmd, void *data,
+			       int len)
 {
-	u8  cmd = *(u8 *)data;
 	int err = 0;
 
-	data++;
-	len--;
-
 	switch (cmd) {
 	case BNEP_CMD_NOT_UNDERSTOOD:
 	case BNEP_SETUP_CONN_RSP:
@@ -254,6 +251,14 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
 	return err;
 }
 
+static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+{
+	if (len < 1)
+		return -EILSEQ;
+
+	return bnep_rx_control_cmd(s, *(u8 *)data, data + 1, len - 1);
+}
+
 static int bnep_rx_extension(struct bnep_session *s, struct sk_buff *skb)
 {
 	struct bnep_ext_hdr *h;
@@ -299,19 +304,26 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 {
 	struct net_device *dev = s->dev;
 	struct sk_buff *nskb;
+	u8 *data;
 	u8 type, ctrl_type;
 
 	dev->stats.rx_bytes += skb->len;
 
-	type = *(u8 *) skb->data;
-	skb_pull(skb, 1);
-	ctrl_type = *(u8 *)skb->data;
+	data = skb_pull_data(skb, sizeof(type));
+	if (!data)
+		goto badframe;
+	type = *data;
 
 	if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
 		goto badframe;
 
 	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
-		if (bnep_rx_control(s, skb->data, skb->len) < 0) {
+		data = skb_pull_data(skb, sizeof(ctrl_type));
+		if (!data)
+			goto badframe;
+		ctrl_type = *data;
+
+		if (bnep_rx_control_cmd(s, ctrl_type, skb->data, skb->len) < 0) {
 			dev->stats.tx_errors++;
 			kfree_skb(skb);
 			return 0;
@@ -324,24 +336,27 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 
 		/* Verify and pull ctrl message since it's already processed */
 		switch (ctrl_type) {
-		case BNEP_SETUP_CONN_REQ:
-			/* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
-			if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
+		case BNEP_SETUP_CONN_REQ: {
+			u8 uuid_size;
+
+			/* Pull uuid_size and the dst/src service UUIDs. */
+			data = skb_pull_data(skb, sizeof(uuid_size));
+			if (!data)
+				goto badframe;
+			uuid_size = *data;
+			if (!skb_pull(skb, uuid_size + uuid_size))
 				goto badframe;
 			break;
+		}
 		case BNEP_FILTER_MULTI_ADDR_SET:
-		case BNEP_FILTER_NET_TYPE_SET: {
-			u8 *hdr;
-
-			/* Pull ctrl type (1 b) + len (2 b) */
-			hdr = skb_pull_data(skb, 3);
-			if (!hdr)
+		case BNEP_FILTER_NET_TYPE_SET:
+			/* Pull: len (2 b), data (len bytes) */
+			data = skb_pull_data(skb, sizeof(u16));
+			if (!data)
 				goto badframe;
-			/* Pull data (len bytes); length is big-endian */
-			if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
+			if (!skb_pull(skb, get_unaligned_be16(data)))
 				goto badframe;
 			break;
-		}
 		default:
 			kfree_skb(skb);
 			return 0;
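Review bot: The rewritten `BNEP_FILTER_NET_TYPE_SET` case loses the "length is big-endian" remark that the previous comment carried, which was the stated reason for `get_unaligned_be16()`; keep it in `/* Pull: len (2 b), data (len bytes) */`. In the `BNEP_SETUP_CONN_REQ` case, `uuid_size` comes straight from the frame and is used as a pull length with no range check. The pull is bounded by `skb_pull()`, but the comment should say whether the control handler has already validated that value.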
-- 
2.53.0





* [PATCH 7.0 133/378] sctp: validate embedded INIT chunk and address list lengths in cookie
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 132/378] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 134/378] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Xin Long, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 6f4c80a2a7e6d06753b89a578b710a2499a5e62b ]

sctp_unpack_cookie() only checked that the embedded INIT chunk length
did not exceed the remaining cookie payload, but did not ensure that the
INIT chunk is large enough to contain a complete INIT header.

A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose
length field is smaller than sizeof(struct sctp_init_chunk).  Later,
sctp_process_init() accesses INIT parameters unconditionally, which may
lead to out-of-bounds reads.

In addition, raw_addr_list_len is not fully validated against the
remaining cookie payload. When cookie authentication is disabled, an
attacker can supply an oversized raw_addr_list_len and cause
sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The
address parser also lacks sufficient bounds checks for parameter headers
and lengths, allowing malformed address parameters to trigger
out-of-bounds reads.

Fix this by:

- requiring the embedded INIT chunk length to be at least sizeof(struct
  sctp_init_chunk);
- validating that the INIT chunk and raw address list together fit
  within the cookie payload;
- verifying sufficient data exists for each address parameter header and
  payload before parsing it.

Note that sctp_verify_init() must be called after sctp_unpack_cookie()
and before sctp_process_init() when cookie authentication is disabled.
This will be addressed in a separate patch.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/75af23a89adf881a0895d511775e4770da367cbf.1780873427.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/bind_addr.c     | 11 ++++++++++-
 net/sctp/sm_make_chunk.c |  9 +++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
index 75e3e61d494e0f..31737f144c7f03 100644
--- a/net/sctp/bind_addr.c
+++ b/net/sctp/bind_addr.c
@@ -275,6 +275,16 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
 		param = (struct sctp_paramhdr *)raw_addr_list;
 		rawaddr = (union sctp_addr_param *)raw_addr_list;
 
+		if (addrs_len < sizeof(*param)) {
+			retval = -EINVAL;
+			goto out_err;
+		}
+		len = ntohs(param->length);
+		if (addrs_len < len) {
+			retval = -EINVAL;
+			goto out_err;
+		}
+
 		af = sctp_get_af_specific(param_type2af(param->type));
 		if (unlikely(!af) ||
 		    !af->from_addr_param(&addr, rawaddr, htons(port), 0)) {
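Review bot: `len` is checked against `addrs_len` but not against `sizeof(*param)`, so a parameter whose `length` field is smaller than its own header (0 included) gets past both new tests. With `len` now read before `next:`, any path that reaches `next:` with a zero value would leave `addrs_len` and `raw_addr_list` unchanged, and the hunk relies on `af->from_addr_param()` rejecting such a parameter first. Add a `len < sizeof(*param)` condition to the second test so the bound is enforced here.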
@@ -291,7 +301,6 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
 			goto out_err;
 
 next:
-		len = ntohs(param->length);
 		addrs_len -= len;
 		raw_addr_list += len;
 	}
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 9014b095f52ddb..51affa4fd396b7 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1731,8 +1731,8 @@ struct sctp_association *sctp_unpack_cookie(
 	struct sk_buff *skb = chunk->skb;
 	struct sctp_cookie *bear_cookie;
 	struct sctp_chunkhdr *ch;
+	unsigned int len, chlen;
 	enum sctp_scope scope;
-	unsigned int len;
 	ktime_t kt;
 
 	/* Header size is static data prior to the actual cookie, including
@@ -1761,7 +1761,12 @@ struct sctp_association *sctp_unpack_cookie(
 	bear_cookie = &cookie->c;
 
 	ch = (struct sctp_chunkhdr *)(bear_cookie + 1);
-	if (ntohs(ch->length) > len - fixed_size)
+	chlen = ntohs(ch->length);
+	if (chlen < sizeof(struct sctp_init_chunk))
+		goto malformed;
+	if (chlen > len - fixed_size)
+		goto malformed;
+	if (bear_cookie->raw_addr_list_len > len - fixed_size - chlen)
 		goto malformed;
 
 	/* Verify the cookie's MAC, if cookie authentication is enabled. */
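Review bot: The third test, `bear_cookie->raw_addr_list_len > len - fixed_size - chlen`, works on unsigned values and only avoids wraparound because the `chlen > len - fixed_size` test runs immediately before it. A comment noting that ordering dependency would stop a later reorder from breaking the bound. The commit message also says `sctp_verify_init()` still has to run when cookie authentication is disabled; a note here pointing at that follow-up would help anyone backporting this patch on its own.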
-- 
2.53.0





* [PATCH 6.1 217/522] Bluetooth: fix memory leak in error path of hci_alloc_dev()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 216/522] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 218/522] Bluetooth: MGMT: Fix backward compatibility with userspace Greg Kroah-Hartman
                   ` (305 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+535ecc844591e50588a5,
	Bharath Reddy, Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bharath Reddy <kbreddy.rpbc@gmail.com>

[ Upstream commit 37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f ]

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index cc7d4a8ed8ce24..b1886e517a78bc 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -81,10 +81,12 @@ static void bt_host_release(struct device *dev)
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
 
-	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		hci_release_dev(hdev);
-	else
+	} else {
+		cleanup_srcu_struct(&hdev->srcu);
 		kfree(hdev);
+	}
 	module_put(THIS_MODULE);
 }
 
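Review bot: the else branch of bt_host_release() now hand-copies one step of hci_release_dev() with no comment explaining why, so the two teardown paths can drift apart again the next time hci_alloc_dev() gains early-initialized state. Suggest a comment on the cleanup_srcu_struct(&hdev->srcu) line noting that it undoes the SRCU setup done in hci_alloc_dev() for devices that never completed hci_register_dev(), or a small helper shared with hci_release_dev(). For the 6.1 backport, also confirm that the tree carries the commit named in Fixes:, since the hunk depends on hdev->srcu existing.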
-- 
2.53.0





* [PATCH 7.0 134/378] net: guard timestamp cmsgs to real error queue skbs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 133/378] sctp: validate embedded INIT chunk and address list lengths in cookie Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 135/378] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Kuniyuki Iwashima,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit 1ee90b77b727df903033db873c75caac5c27ec98 ]

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.

Fixes: 8605330aac5a ("tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260607021819.49698-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/sock.h |  1 +
 net/core/skbuff.c  |  6 +++---
 net/socket.c       | 11 ++++++-----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 6c9a83016e9551..24aab97f1bcae7 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1853,6 +1853,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
 			     gfp_t priority);
 void skb_orphan_partial(struct sk_buff *skb);
 void sock_rfree(struct sk_buff *skb);
+void sock_rmem_free(struct sk_buff *skb);
 void sock_efree(struct sk_buff *skb);
 #ifdef CONFIG_INET
 void sock_edemux(struct sk_buff *skb);
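Review bot: sock_rmem_free() becomes visible to every includer of net/sock.h without a comment, although its only new user is the destructor comparison in net/socket.c. Suggest a one-line comment at the declaration saying it is exposed so that skb_is_err_queue() can recognise error-queue skbs, so it is not picked up elsewhere as a general-purpose destructor.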
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 9edad9b88433bb..6bee1a9d128bf2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5474,7 +5474,7 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
 }
 EXPORT_SYMBOL_GPL(skb_cow_data);
 
-static void sock_rmem_free(struct sk_buff *skb)
+void sock_rmem_free(struct sk_buff *skb)
 {
 	struct sock *sk = skb->sk;
 
@@ -5483,8 +5483,8 @@ static void sock_rmem_free(struct sk_buff *skb)
 
 static void skb_set_err_queue(struct sk_buff *skb)
 {
-	/* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
-	 * So, it is safe to (mis)use it to mark skbs on the error queue.
+	/* The error-queue test in skb_is_err_queue() matches this marker
+	 * with the sock_rmem_free destructor installed by sock_queue_err_skb().
 	 */
 	skb->pkt_type = PACKET_OUTGOING;
 	BUILD_BUG_ON(PACKET_OUTGOING == 0);
diff --git a/net/socket.c b/net/socket.c
index 05952188127f5b..86dc88f5b76983 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -792,12 +792,13 @@ EXPORT_SYMBOL(kernel_sendmsg);
 
 static bool skb_is_err_queue(const struct sk_buff *skb)
 {
-	/* pkt_type of skbs enqueued on the error queue are set to
-	 * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
-	 * in recvmsg, since skbs received on a local socket will never
-	 * have a pkt_type of PACKET_OUTGOING.
+	/* Error-queue skbs are marked as PACKET_OUTGOING in
+	 * skb_set_err_queue() and use the destructor installed by
+	 * sock_queue_err_skb(). PACKET_OUTGOING alone is not unique:
+	 * AF_PACKET outgoing taps use the same pkt_type.
 	 */
-	return skb->pkt_type == PACKET_OUTGOING;
+	return skb->pkt_type == PACKET_OUTGOING &&
+	       skb->destructor == sock_rmem_free;
 }
 
 /* On transmit, software and hardware timestamps are returned independently.
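Review bot: skb_is_err_queue() now depends on the identity of the destructor, and that coupling is documented at the marker and at this test but not where the destructor is assigned. If sock_queue_err_skb() ever installs a different destructor, this function returns false and the timestamp cmsg path silently treats an error-queue skb as a normal receive. Suggest a matching comment next to the destructor assignment in sock_queue_err_skb(), so both sites are changed together.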
-- 
2.53.0





* [PATCH 6.1 218/522] Bluetooth: MGMT: Fix backward compatibility with userspace
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 217/522] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 219/522] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
                   ` (304 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 149324fc762c2a7acef9c26790566f81f475e51f ]

bluetoothd has a bug which makes it send extra bytes as part of
MGMT_OP_ADD_EXT_ADV_DATA which are now being checked to be
exactly the expected length, relax this so only when the expected
length is greater than the data length to cause an error since
that would result in accessing invalid memory, otherwise just
ignore the extra bytes.

Link: https://lore.kernel.org/linux-bluetooth/20260602204749.210857-1-luiz.dentz@gmail.com/T/#u
Fixes: d3f7d17960ed ("Bluetooth: MGMT: validate Add Extended Advertising Data length")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index cc058c77d2e252..cd494f5ebb4dba 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9079,8 +9079,9 @@ static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
 
 	BT_DBG("%s", hdev->name);
 
-	expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
-	if (expected_len != data_len)
+	expected_len = struct_size(cp, data, cp->adv_data_len +
+				   cp->scan_rsp_len);
+	if (expected_len > data_len)
 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
 				       MGMT_STATUS_INVALID_PARAMS);
 
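Review bot: with the test relaxed from != to >, data_len may now exceed expected_len, and nothing in this hunk records that. Everything after this point has to size its reads and copies from cp->adv_data_len and cp->scan_rsp_len, never from data_len, or the ignored trailing bytes end up in the advertising data. Suggest a short comment above the check stating that longer input is tolerated for bluetoothd compatibility, so the comparison is not tightened back to equality by a later cleanup.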
-- 
2.53.0





* [PATCH 7.0 135/378] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 134/378] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 136/378] tun: zero the whole vnet header in tun_put_user() Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
	Allison Henderson, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit 34080db3e70ddf94c38512ad2331e3c3afca6cc1 ]

rds_ib_xmit_atomic() always programs a masked atomic opcode
(IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD)
for every RDS atomic cmsg.  But the completion-side switch in
rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked
atomic completion falls through to default and returns rm == NULL while
send->s_op is left set.  rds_ib_send_cqe_handler() then dereferences the
NULL rm via rm->m_final_op, oopsing in softirq context.  An unprivileged
AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection
triggers it; on hardware that natively accepts masked atomics (mlx4,
mlx5) no extra setup is needed.

  RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!
  Oops: general protection fault [#1] SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]
  RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)
  Call Trace:
   <IRQ>
   rds_ib_send_cqe_handler (net/rds/ib_send.c:282)
   poll_scq (net/rds/ib_cm.c:274)
   rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294)
   tasklet_action_common (kernel/softirq.c:943)
   handle_softirqs (kernel/softirq.c:573)
   run_ksoftirqd (kernel/softirq.c:479)
   </IRQ>
  Kernel panic - not syncing: Fatal exception in interrupt

Handle the masked atomic opcodes in the same case as the non-masked
ones: they map to the same struct rds_message.atomic union member, so
the existing container_of()/rds_ib_send_unmap_atomic() body is correct
for them.

Fixes: 20c72bd5f5f9 ("RDS: Implement masked atomic operations")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260606192447.1179255-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/ib_send.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index fcd04c29f543e6..d6be95542119f6 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -170,6 +170,8 @@ static struct rds_message *rds_ib_send_unmap_op(struct rds_ib_connection *ic,
 		break;
 	case IB_WR_ATOMIC_FETCH_AND_ADD:
 	case IB_WR_ATOMIC_CMP_AND_SWP:
+	case IB_WR_MASKED_ATOMIC_FETCH_AND_ADD:
+	case IB_WR_MASKED_ATOMIC_CMP_AND_SWP:
 		if (send->s_op) {
 			rm = container_of(send->s_op, struct rds_message, atomic);
 			rds_ib_send_unmap_atomic(ic, send->s_op, wc_status);
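Review bot: the two added case labels close the masked-atomic path, but the failure mode described in the commit message stays open for any other opcode: the default branch still returns rm == NULL and the caller still dereferences it. Suggest a follow-up that checks rm for NULL in rds_ib_send_cqe_handler() before rm->m_final_op is read, so that an unexpected opcode is logged rather than fatal in softirq context.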
-- 
2.53.0





* [PATCH 6.1 219/522] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 218/522] Bluetooth: MGMT: Fix backward compatibility with userspace Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 220/522] ptp: vclock: Switch from RCU to SRCU Greg Kroah-Hartman
                   ` (303 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tamir Shahar, Amit Klein,
	Eric Dumazet, David Ahern, Ido Schimmel, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c ]

This patch restricts setting Loose Source and Record Route (LSRR)
and Strict Source and Record Route (SSRR) IP options to users
with CAP_NET_RAW capability.

This prevents unprivileged applications from forcing packets to route
through attacker-controlled nodes to leak TCP ISN and possibly other
protocol information.

While LSRR and SSRR are commonly filtered in many network environments,
they may still be supported and forwarded along some network paths.

RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing
IPv4 Options) recommends dropping these options in 4.3 and 4.4.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Tamir Shahar <tamirthesis@gmail.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260602161547.2642155-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_options.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index d898e1523a453e..7a60bbf4bee3aa 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -530,6 +530,10 @@ int ip_options_get(struct net *net, struct ip_options_rcu **optp,
 		kfree(opt);
 		return -EINVAL;
 	}
+	if (opt->opt.srr && !ns_capable(net->user_ns, CAP_NET_RAW)) {
+		kfree(opt);
+		return -EPERM;
+	}
 	kfree(*optp);
 	*optp = opt;
 	return 0;
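Review bot: the new opt->opt.srr test is a user-visible behaviour change that carries no comment: a source-route option that an unprivileged socket could set before now fails with -EPERM. Note also that ns_capable(net->user_ns, CAP_NET_RAW) is evaluated against the user namespace that owns the netns, so a task holding CAP_NET_RAW only inside its own user and network namespace still passes; if that is intended, a one-line comment above the check should say so. The kfree(opt) plus return pair now appears twice in a row and could share an error label.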
-- 
2.53.0





* [PATCH 7.0 136/378] tun: zero the whole vnet header in tun_put_user()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 135/378] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 137/378] ptp: ocp: fix resource freeing order Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xiang Mei <xmei5@asu.edu>

[ Upstream commit 7f2fcff15e99bb852f6967396ed12b38376e2c8d ]

tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel
without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb()
only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)),
leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack
garbage.

An unprivileged user can set the vnet header size to 24 with
TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the
partially-initialized struct to userspace, leaking 14 bytes of kernel
stack on every read of a non-tunnel packet.

Fix it the same way tun_get_user() already does by zeroing the whole
header right after declaration.

Fixes: 288f30435132 ("tun: enable gso over UDP tunnel support.")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260607054428.3050243-1-xmei5@asu.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index ca0ae5df73af78..a0bd803e5fb4d5 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2068,6 +2068,7 @@ static ssize_t tun_put_user(struct tun_struct *tun,
 		struct virtio_net_hdr_v1_hash_tunnel hdr;
 		struct virtio_net_hdr *gso;
 
+		memset(&hdr, 0, sizeof(hdr));
 		ret = tun_vnet_hdr_tnl_from_skb(tun->flags, tun->dev, skb,
 						&hdr);
 		if (ret)
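Review bot: the memset() fixes this caller, but the contract it works around is undocumented: per the commit message, the helper reached through tun_vnet_hdr_tnl_from_skb() writes only the first sizeof(struct virtio_net_hdr) bytes for a non-tunnel skb. Suggest a comment on the memset() line, or on the helper, stating that callers must pass a zeroed header because up to the whole struct may be copied to userspace, so the next on-stack user does not reintroduce the leak.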
-- 
2.53.0
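
The leak described in the commit message above, modelled in userspace as an added example (not part of the patch or of the kernel tree). struct demo_vnet_hdr, the demo_* functions and the 0xA5 fill pattern are assumptions made for illustration; only the 10-byte and 24-byte sizes come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASIC_HDR_LEN 10u   /* sizeof(struct virtio_net_hdr), per the commit message */
#define FULL_HDR_LEN  24u   /* header size an application can select, per the message */
#define STALE_BYTE    0xA5u /* constructed marker standing in for old stack contents */

/* Hypothetical stand-in for the extended vnet header: only the sizes
 * matter here, not the real field names. */
struct demo_vnet_hdr {
	uint8_t basic[BASIC_HDR_LEN];
	uint8_t ext[FULL_HDR_LEN - BASIC_HDR_LEN];
};

_Static_assert(sizeof(struct demo_vnet_hdr) == FULL_HDR_LEN,
	       "model header must be exactly 24 bytes");

/* Models the non-tunnel case: only the basic header is written,
 * the extended fields are left untouched. */
static void demo_fill_non_tunnel(struct demo_vnet_hdr *hdr)
{
	memset(hdr->basic, 0, sizeof(hdr->basic));
	hdr->basic[0] = 0x01; /* constructed flags value */
}

/* Models the read path: build the header on the stack, then copy
 * vnet_hdr_sz bytes of it to the caller's buffer. zero_first selects
 * the patched behaviour. Returns the number of bytes copied. */
static size_t demo_put_user(uint8_t *dst, size_t dst_len,
			    size_t vnet_hdr_sz, int zero_first)
{
	struct demo_vnet_hdr hdr;
	size_t n = vnet_hdr_sz;

	/* Reading a truly uninitialized object is undefined behaviour in C,
	 * so the "stack garbage" is made explicit and deterministic here. */
	memset(&hdr, STALE_BYTE, sizeof(hdr));

	if (zero_first)
		memset(&hdr, 0, sizeof(hdr)); /* the one-line fix */

	demo_fill_non_tunnel(&hdr);

	if (n > sizeof(hdr))
		n = sizeof(hdr);
	if (n > dst_len)
		n = dst_len;
	memcpy(dst, &hdr, n);
	return n;
}

/* Counts how many stale bytes reach the "userspace" buffer for a given
 * configured header size, with and without the fix. */
size_t demo_leaked_bytes(size_t vnet_hdr_sz, int zero_first)
{
	uint8_t user_buf[FULL_HDR_LEN] = {0};
	size_t copied = demo_put_user(user_buf, sizeof(user_buf),
				      vnet_hdr_sz, zero_first);
	size_t leaked = 0;

	for (size_t i = 0; i < copied; i++)
		if (user_buf[i] == STALE_BYTE)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("hdr size 10, unpatched: %zu stale bytes\n",
	       demo_leaked_bytes(BASIC_HDR_LEN, 0));
	printf("hdr size 24, unpatched: %zu stale bytes\n",
	       demo_leaked_bytes(FULL_HDR_LEN, 0));
	printf("hdr size 24, patched:   %zu stale bytes\n",
	       demo_leaked_bytes(FULL_HDR_LEN, 1));
	return 0;
}
```

The exposure scales with the configured header size: nothing stale is copied at the 10-byte default, and every byte past offset 10 is stale until the struct is zeroed first.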





* [PATCH 6.1 220/522] ptp: vclock: Switch from RCU to SRCU
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 219/522] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 221/522] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow Greg Kroah-Hartman
                   ` (302 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Zeitz, Kurt Kanzenbach,
	Sebastian Andrzej Siewior, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kurt Kanzenbach <kurt@linutronix.de>

[ Upstream commit 672bd0519e27c357c43b7f8c0d653fce3817d06e ]

The usage of PTP vClocks leads immediately to the following issues with
ptp4l with LOCKDEP and DEBUG_ATOMIC_SLEEP enabled: "BUG: sleeping function
called from invalid context".

ptp_convert_timestamp() acquires a mutex_t within an RCU read section.  This
is illegal, because acquiring a mutex_t can result in a voluntary scheduling
request which is not allowed within an RCU read section.

Replace the RCU usage with SRCU where sleeping is allowed.

Reported-by: Florian Zeitz <florian.zeitz@schettke.com>
Closes: https://lore.kernel.org/all/00a8cce8-410e-4038-98af-49be6d93d7bd@schettke.com/
Fixes: 67d93ffc0f3c ("ptp: vclock: use mutex to fix "sleep on atomic" bug")
Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20260529-vclock_rcu-v2-1-02a5531fab92@linutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ptp/ptp_vclock.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/ptp/ptp_vclock.c b/drivers/ptp/ptp_vclock.c
index dcf752c9e04506..eb57338a32414a 100644
--- a/drivers/ptp/ptp_vclock.c
+++ b/drivers/ptp/ptp_vclock.c
@@ -19,6 +19,8 @@ static DEFINE_SPINLOCK(vclock_hash_lock);
 
 static DEFINE_READ_MOSTLY_HASHTABLE(vclock_hash, 8);
 
+DEFINE_STATIC_SRCU(vclock_srcu);
+
 static void ptp_vclock_hash_add(struct ptp_vclock *vclock)
 {
 	spin_lock(&vclock_hash_lock);
@@ -37,7 +39,7 @@ static void ptp_vclock_hash_del(struct ptp_vclock *vclock)
 
 	spin_unlock(&vclock_hash_lock);
 
-	synchronize_rcu();
+	synchronize_srcu(&vclock_srcu);
 }
 
 static int ptp_vclock_adjfine(struct ptp_clock_info *ptp, long scaled_ppm)
@@ -269,14 +271,16 @@ ktime_t ptp_convert_timestamp(const ktime_t *hwtstamp, int vclock_index)
 {
 	unsigned int hash = vclock_index % HASH_SIZE(vclock_hash);
 	struct ptp_vclock *vclock;
-	u64 ns;
 	u64 vclock_ns = 0;
+	int srcu_idx;
+	u64 ns;
 
 	ns = ktime_to_ns(*hwtstamp);
 
-	rcu_read_lock();
+	srcu_idx = srcu_read_lock(&vclock_srcu);
 
-	hlist_for_each_entry_rcu(vclock, &vclock_hash[hash], vclock_hash_node) {
+	hlist_for_each_entry_srcu(vclock, &vclock_hash[hash], vclock_hash_node,
+				  srcu_read_lock_held(&vclock_srcu)) {
 		if (vclock->clock->index != vclock_index)
 			continue;
 
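Review bot: missing documentation on ptp_convert_timestamp(): the read side moves from rcu_read_lock() to srcu_read_lock() precisely so that the loop body may sleep, but nothing tells callers that the function has to be called from process context. Suggest a kernel-doc line saying so, or a might_sleep() at the top of the function, so that a caller in atomic context is flagged even when the hash bucket holds no matching vclock and the sleeping path inside the loop is never reached.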
@@ -287,7 +291,7 @@ ktime_t ptp_convert_timestamp(const ktime_t *hwtstamp, int vclock_index)
 		break;
 	}
 
-	rcu_read_unlock();
+	srcu_read_unlock(&vclock_srcu, srcu_idx);
 
 	return ns_to_ktime(vclock_ns);
 }
-- 
2.53.0





* [PATCH 7.0 137/378] ptp: ocp: fix resource freeing order
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 136/378] tun: zero the whole vnet header in tun_put_user() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 138/378] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Jakub Kicinski,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vadim Fedorenko <vadim.fedorenko@linux.dev>

[ Upstream commit 627366c51145a07f675b1800fb5ea2ec960bd900 ]

Commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable
events") added a call to ptp_disable_all_events() which changes the
configuration of pins if they support EXTTS events. In ptp_ocp_detach()
pin resources are freed before ptp_clock_unregister() and it leads to
use-after-free during driver removal. Fix it by changing the order of
free/unregister calls. To avoid irq handler running on the other core
while the ptp device is unregistering, call synchronize_irq() after HW is
configured to stop producing irqs and no irqs are in-flight.

Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events")
Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260608155952.240304-1-vadim.fedorenko@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ptp/ptp_ocp.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
index d88ab2f86b1bf6..fcfa671bd6897c 100644
--- a/drivers/ptp/ptp_ocp.c
+++ b/drivers/ptp/ptp_ocp.c
@@ -2216,8 +2216,13 @@ ptp_ocp_ts_enable(void *priv, u32 req, bool enable)
 		iowrite32(1, &reg->intr_mask);
 		iowrite32(1, &reg->intr);
 	} else {
+		int irq_vec = pci_irq_vector(bp->pdev, ext->irq_vec);
+
 		iowrite32(0, &reg->intr_mask);
 		iowrite32(0, &reg->enable);
+		ioread32(&reg->intr_mask);
+		if (irq_vec > 0)
+			synchronize_irq(irq_vec);
 	}
 
 	return 0;
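Review bot: the added ioread32(&reg->intr_mask) discards its result and has no comment, so it reads as dead code. If it is there to flush the two preceding iowrite32() calls before synchronize_irq() runs, say so in a comment. The irq_vec > 0 guard also skips the synchronization silently when pci_irq_vector() returns an error; that is probably acceptable during teardown, but it deserves a word since the disable path returns 0 either way.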
@@ -4558,6 +4563,22 @@ ptp_ocp_detach(struct ptp_ocp *bp)
 	ptp_ocp_detach_sysfs(bp);
 	ptp_ocp_attr_group_del(bp);
 	timer_delete_sync(&bp->watchdog);
+	/* Disable interrupts on all timestampers */
+	if (bp->ts0)
+		ptp_ocp_ts_enable(bp->ts0, 0, false);
+	if (bp->ts1)
+		ptp_ocp_ts_enable(bp->ts1, 0, false);
+	if (bp->ts2)
+		ptp_ocp_ts_enable(bp->ts2, 0, false);
+	if (bp->ts3)
+		ptp_ocp_ts_enable(bp->ts3, 0, false);
+	if (bp->ts4)
+		ptp_ocp_ts_enable(bp->ts4, 0, false);
+	if (bp->pps)
+		ptp_ocp_ts_enable(bp->pps, ~0, false);
+	if (bp->ptp)
+		ptp_clock_unregister(bp->ptp);
+	kfree(bp->ptp_info.pin_config);
 	ptp_ocp_unregister_ext(bp->ts0);
 	ptp_ocp_unregister_ext(bp->ts1);
 	ptp_ocp_unregister_ext(bp->ts2);
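Review bot: the ordering that the commit message describes as the actual fix, ptp_clock_unregister() before the pin and timestamper resources are released, is not recorded in the code; the only new comment covers the interrupt disabling. Suggest a comment above ptp_clock_unregister() explaining that it reconfigures pins and therefore has to precede kfree(bp->ptp_info.pin_config) and the ptp_ocp_unregister_ext() calls. The pps call passes ~0 as req where the five ts calls pass 0, with no explanation, and the six near-identical if blocks would read better as a loop over the ext pointers.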
@@ -4575,9 +4596,6 @@ ptp_ocp_detach(struct ptp_ocp *bp)
 		clk_hw_unregister_fixed_rate(bp->i2c_clk);
 	if (bp->n_irqs)
 		pci_free_irq_vectors(bp->pdev);
-	if (bp->ptp)
-		ptp_clock_unregister(bp->ptp);
-	kfree(bp->ptp_info.pin_config);
 	device_unregister(&bp->dev);
 }
 
-- 
2.53.0





* [PATCH 6.1 221/522] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 220/522] ptp: vclock: Switch from RCU to SRCU Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 222/522] vxlan: vnifilter: send notification on VNI add Greg Kroah-Hartman
                   ` (301 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naveen Mamindlapalli,
	Nithin Dabilpuram, Ratheesh Kannoth, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nithin Dabilpuram <ndabilpuram@marvell.com>

[ Upstream commit 1d31eb27e570daa04f5373345f9ac98c95863be9 ]

Use the CPT-aware NIX channel mask in the npc_install_flow path so that
when the host PF installs steering rules in kernel for a VF used from
userspace (e.g. DPDK), MCAM entries see the same channel mask semantics as
other RX paths.

Fixes: 56bcef528bd8 ("octeontx2-af: Use npc_install_flow API for promisc and broadcast entries")
Cc: Naveen Mamindlapalli <naveenm@marvell.com>
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Link: https://patch.msgid.link/20260602045853.1558530-1-rkannoth@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/marvell/octeontx2/af/rvu.h   |  1 +
 .../ethernet/marvell/octeontx2/af/rvu_npc.c   | 32 +++++++++----------
 .../marvell/octeontx2/af/rvu_npc_fs.c         |  2 +-
 3 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
index fc0f3398a556bb..86ef67745ebdf7 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
@@ -895,6 +895,7 @@ int rvu_cpt_lf_teardown(struct rvu *rvu, u16 pcifunc, int blkaddr, int lf,
 			int slot);
 int rvu_cpt_ctx_flush(struct rvu *rvu, u16 pcifunc);
 int rvu_cpt_init(struct rvu *rvu);
+u32 rvu_get_cpt_chan_mask(struct rvu *rvu);
 
 #define NDC_AF_BANK_MASK       GENMASK_ULL(7, 0)
 #define NDC_AF_BANK_LINE_MASK  GENMASK_ULL(31, 16)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
index 9b8a6046e6dff0..65ad7476e60983 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
@@ -609,6 +609,19 @@ static u64 npc_get_mcam_action(struct rvu *rvu, struct npc_mcam *mcam,
 			  NPC_AF_MCAMEX_BANKX_ACTION(index, bank));
 }
 
+u32 rvu_get_cpt_chan_mask(struct rvu *rvu)
+{
+	/* For cn10k the upper two bits of the channel number are
+	 * cpt channel number. with masking out these bits in the
+	 * mcam entry, same entry used for NIX will allow packets
+	 * received from cpt for parsing.
+	 */
+	if (!is_rvu_otx2(rvu))
+		return NIX_CHAN_CPT_X2P_MASK;
+	else
+		return 0xFFFu;
+}
+
 void rvu_npc_install_ucast_entry(struct rvu *rvu, u16 pcifunc,
 				 int nixlf, u64 chan, u8 *mac_addr)
 {
@@ -652,7 +665,7 @@ void rvu_npc_install_ucast_entry(struct rvu *rvu, u16 pcifunc,
 	eth_broadcast_addr((u8 *)&req.mask.dmac);
 	req.features = BIT_ULL(NPC_DMAC);
 	req.channel = chan;
-	req.chan_mask = 0xFFFU;
+	req.chan_mask = rvu_get_cpt_chan_mask(rvu);
 	req.intf = pfvf->nix_rx_intf;
 	req.op = action.op;
 	req.hdr.pcifunc = 0; /* AF is requester */
@@ -722,11 +735,7 @@ void rvu_npc_install_promisc_entry(struct rvu *rvu, u16 pcifunc,
 	 * mcam entry, same entry used for NIX will allow packets
 	 * received from cpt for parsing.
 	 */
-	if (!is_rvu_otx2(rvu)) {
-		req.chan_mask = NIX_CHAN_CPT_X2P_MASK;
-	} else {
-		req.chan_mask = 0xFFFU;
-	}
+	req.chan_mask = rvu_get_cpt_chan_mask(rvu);
 
 	if (chan_cnt > 1) {
 		if (!is_power_of_2(chan_cnt)) {
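Review bot: in rvu_npc_install_promisc_entry() the tail of the old cn10k comment is still present as context above the new req.chan_mask assignment, while the allmulti hunk that follows removes the same comment and the new helper carries its own copy. Suggest dropping the leftover comment here as well, so the explanation lives only in rvu_get_cpt_chan_mask().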
@@ -915,16 +924,7 @@ void rvu_npc_install_allmulti_entry(struct rvu *rvu, u16 pcifunc, int nixlf,
 	ether_addr_copy(req.mask.dmac, mac_addr);
 	req.features = BIT_ULL(NPC_DMAC);
 
-	/* For cn10k the upper two bits of the channel number are
-	 * cpt channel number. with masking out these bits in the
-	 * mcam entry, same entry used for NIX will allow packets
-	 * received from cpt for parsing.
-	 */
-	if (!is_rvu_otx2(rvu))
-		req.chan_mask = NIX_CHAN_CPT_X2P_MASK;
-	else
-		req.chan_mask = 0xFFFU;
-
+	req.chan_mask = rvu_get_cpt_chan_mask(rvu);
 	req.channel = chan;
 	req.intf = pfvf->nix_rx_intf;
 	req.entry = index;
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
index 80d6aa3f14c11f..b79b28192a5764 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
@@ -1320,7 +1320,7 @@ int rvu_mbox_handler_npc_install_flow(struct rvu *rvu,
 
 	/* ignore chan_mask in case pf func is not AF, revisit later */
 	if (!is_pffunc_af(req->hdr.pcifunc))
-		req->chan_mask = 0xFFF;
+		req->chan_mask = rvu_get_cpt_chan_mask(rvu);
 
 	err = npc_check_unsupported_flows(rvu, req->features, req->intf);
 	if (err)
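Review bot: the comment above this assignment still reads "ignore chan_mask in case pf func is not AF, revisit later", but the substituted value is no longer a constant: on non-OcteonTX2 silicon it is now NIX_CHAN_CPT_X2P_MASK. Suggest updating the comment to say that the requester's chan_mask is replaced by the CPT-aware default from rvu_get_cpt_chan_mask(), since this is the line the commit message is about.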
-- 
2.53.0





* [PATCH 7.0 138/378] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 137/378] ptp: ocp: fix resource freeing order Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 139/378] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
                   ` (240 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Steffen Klassert,
	Nicolas Dichtel, Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 ]

In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
  (wildcard remote).

- Tunnels matching the packet's remote address, with any local address
  (wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.

Fixes: fbe68ee87522 ("vti6: Add a lookup method for tunnels with wildcard endpoints.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260608164613.933023-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/ip6_vti.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index d2b74a6f2cf62d..d871cab6938d36 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -106,6 +106,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
 	hash = HASH(&any, local);
 	for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 		if (ipv6_addr_equal(local, &t->parms.laddr) &&
+		    ipv6_addr_any(&t->parms.raddr) &&
 		    (t->dev->flags & IFF_UP))
 			return t;
 	}
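Review bot: the added `ipv6_addr_any(&t->parms.raddr)` test in the `HASH(&any, local)` loop carries no comment saying why it is needed; the reason (buckets of `ip6n->tnls_r_l` are shared by tunnels with and without a wildcard address, so a colliding non-wildcard tunnel can sit in this chain) is only in the commit message. A one-line comment above the `if`, for example `/* bucket also holds non-wildcard tunnels */`, would keep a later cleanup from treating the check as redundant.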
@@ -113,6 +114,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
 	hash = HASH(remote, &any);
 	for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 		if (ipv6_addr_equal(remote, &t->parms.raddr) &&
+		    ipv6_addr_any(&t->parms.laddr) &&
 		    (t->dev->flags & IFF_UP))
 			return t;
 	}
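Review bot: nothing exercises the `ipv6_addr_any(&t->parms.laddr)` check in the `HASH(remote, &any)` loop; the diffstat lists `net/ipv6/ip6_vti.c` as the only file touched. A selftest that sets up a fully specified tunnel next to a wildcard tunnel and checks which one each fallback loop returns would cover both added conditions.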
-- 
2.53.0





* [PATCH 6.1 222/522] vxlan: vnifilter: send notification on VNI add
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 221/522] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 223/522] vxlan: vnifilter: fix spurious notification on VNI update Greg Kroah-Hartman
                   ` (300 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chirag Shah, Andy Roulin,
	Petr Machata, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Roulin <aroulin@nvidia.com>

[ Upstream commit aa6ca1c5c338907817374b59f7551fd855a88754 ]

When a new VNI is added to a vxlan device with vnifilter enabled,
no RTM_NEWTUNNEL notification is sent to userspace. This means
'bridge monitor vni' never shows VNI add events, even though
VNI delete events are reported correctly.

The bug is in vxlan_vni_add(), where the notification is guarded by
'if (changed)'. The 'changed' flag is set by vxlan_vni_update_group()
only when the multicast group or remote IP is modified, but for a
new VNI added without a group (e.g. in L3 VxLAN interface scenarios),
the function returns early without setting changed=true. Since this
is a new VNI, the notification should be sent unconditionally.

The notification is not guarded by the return value of
vxlan_vni_update_group() because, at this point, the VNI has already
been inserted into the hash table and list with no rollback on error.
The VNI will be visible in 'bridge vni show' regardless, so userspace
should be informed. This is consistent with vxlan_vni_del() which also
notifies unconditionally.

The 'if (changed)' guard remains correct in vxlan_vni_update(), which
handles the case where a VNI already exists and is being re-added --
there, we only want to notify if the group/remote actually changed.

Reproducer:

 # ip link add vxlan100 type vxlan dstport 4789 local 10.0.0.1 \
      nolearning external vnifilter
 # ip link set vxlan100 up
 # bridge monitor vni &
 # bridge vni add vni 1000 dev vxlan100    # no notification
 # bridge vni delete vni 1000 dev vxlan100 # notification received

Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
Reported-by: Chirag Shah <chirag@nvidia.com>
Signed-off-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20260602185138.253265-2-aroulin@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_vnifilter.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/vxlan/vxlan_vnifilter.c b/drivers/net/vxlan/vxlan_vnifilter.c
index c6d4fae958ca80..ca866740a955d0 100644
--- a/drivers/net/vxlan/vxlan_vnifilter.c
+++ b/drivers/net/vxlan/vxlan_vnifilter.c
@@ -769,8 +769,7 @@ static int vxlan_vni_add(struct vxlan_dev *vxlan,
 	err = vxlan_vni_update_group(vxlan, vninode, group, true, &changed,
 				     extack);
 
-	if (changed)
-		vxlan_vnifilter_notify(vxlan, vninode, RTM_NEWTUNNEL);
+	vxlan_vnifilter_notify(vxlan, vninode, RTM_NEWTUNNEL);
 
 	return err;
 }
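Review bot: `vxlan_vnifilter_notify()` now runs even when `vxlan_vni_update_group()` left an error in `err`, and nothing in the code says that this is deliberate; the justification (the VNI is already inserted and there is no rollback) exists only in the commit message. Put a short comment above the call saying so. Also check whether the local `changed` is still read anywhere in `vxlan_vni_add()`: in the lines shown it is only written through `&changed`.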
-- 
2.53.0





* [PATCH 7.0 139/378] rds: mark snapshot pages dirty in rds_info_getsockopt()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 138/378] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 140/378] spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX Greg Kroah-Hartman
                   ` (239 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Breno Leitao, Allison Henderson,
	Jakub Kicinski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

[ Upstream commit 512db8267b73a220a64180d95ab5eebe7c4964a8 ]

rds_info_getsockopt() pins the destination user pages with FOLL_WRITE and
the RDS_INFO_* producers memcpy the snapshot into them through
kmap_atomic(). Because that copy goes through the kernel direct map, the
dirty bit on the user PTE is never set, so unpin_user_pages() releases the
pages without marking them dirty. A file-backed destination page can then
be reclaimed without writeback, silently discarding the copied data.

Use unpin_user_pages_dirty_lock() with make_dirty=true so the modified
pages are marked dirty before they are unpinned.

Fixes: a8c879a7ee98 ("RDS: Info and stats")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260608-rds_fix-v1-1-006c88543408@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/info.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rds/info.c b/net/rds/info.c
index f1b29994934a03..17061f6ff74e58 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -235,7 +235,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
 
 out:
 	if (pages)
-		unpin_user_pages(pages, nr_pages);
+		unpin_user_pages_dirty_lock(pages, nr_pages, true);
 	kfree(pages);
 
 	return ret;
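Review bot: `unpin_user_pages_dirty_lock(pages, nr_pages, true)` under `out:` marks every pinned page dirty on any path that reaches the label with `pages` set, including paths where `ret` holds an error and nothing may have been copied. That is the safe direction, but the hard-coded `true` should get a one-line comment stating that over-dirtying on error paths is intended, so it is not later "optimised" back to a conditional.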
-- 
2.53.0





* [PATCH 6.1 223/522] vxlan: vnifilter: fix spurious notification on VNI update
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 222/522] vxlan: vnifilter: send notification on VNI add Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 224/522] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
                   ` (299 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Roulin, Petr Machata,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Roulin <aroulin@nvidia.com>

[ Upstream commit 84683b5b60c7274e2c8f7f413d39d78d3db5540f ]

When a VNI is re-added with the same attributes (e.g. same group or no
group), vxlan_vni_update() sends a spurious RTM_NEWTUNNEL notification
even though nothing changed.

The bug is that 'if (changed)' tests whether the pointer is non-NULL,
not the bool value it points to. Since every caller passes a valid
pointer, the condition is always true and the notification fires
unconditionally.

Fix by dereferencing the pointer: 'if (*changed)'.

Reproducer:

 # ip link add vxlan100 type vxlan dstport 4789 local 10.0.0.1 \
      nolearning external vnifilter
 # ip link set vxlan100 up
 # bridge monitor vni &
 # bridge vni add vni 1000 dev vxlan100
 # bridge vni add vni 1000 dev vxlan100  # spurious notification

Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
Signed-off-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20260602185138.253265-3-aroulin@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_vnifilter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/vxlan/vxlan_vnifilter.c b/drivers/net/vxlan/vxlan_vnifilter.c
index ca866740a955d0..abf96d60eb30d5 100644
--- a/drivers/net/vxlan/vxlan_vnifilter.c
+++ b/drivers/net/vxlan/vxlan_vnifilter.c
@@ -671,7 +671,7 @@ static int vxlan_vni_update(struct vxlan_dev *vxlan,
 	if (ret)
 		return ret;
 
-	if (changed)
+	if (*changed)
 		vxlan_vnifilter_notify(vxlan, vninode, RTM_NEWTUNNEL);
 
 	return 0;
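Review bot: `if (*changed)` dereferences the pointer with no NULL check, so `vxlan_vni_update()` now relies on every caller passing a valid `bool *`; the commit message states that they do, but the code does not record it. Since the original bug came from a pointer that reads like a flag, consider renaming the parameter (for example `changedp`) or adding a comment on the non-NULL contract at the function head.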
-- 
2.53.0





* [PATCH 7.0 140/378] spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 139/378] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 141/378] netfilter: revalidate bridge ports Greg Kroah-Hartman
                   ` (238 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Felix Gu,
	Geert Uytterhoeven, Fabrizio Castro, Mark Brown, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

[ Upstream commit 310628484ef06f95c5589374fade917a5689787b ]

The RZ/V2H hardware manual (section 7.5.2.2.1) specifies that the read access
size for the SPI Data Register (SPDR) is fixed at 32 bits. The
RZV2H_RSPI_RX macro for the 16-bit data path used readw(), violating
this requirement.

Switch to readl() for the 16-bit RX path to conform to the hardware
specification.

Fixes: 8b61c8919dff ("spi: Add driver for the RZ/V2H(P) RSPI IP")
Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Link: https://patch.msgid.link/20260610-rzv2h-rspi-v2-1-40c80b4a2c90@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-rzv2h-rspi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-rzv2h-rspi.c b/drivers/spi/spi-rzv2h-rspi.c
index 53c44799fab71d..6fc81ccbcad5a2 100644
--- a/drivers/spi/spi-rzv2h-rspi.c
+++ b/drivers/spi/spi-rzv2h-rspi.c
@@ -133,8 +133,9 @@ static inline void rzv2h_rspi_rx_##type(struct rzv2h_rspi_priv *rspi,	\
 RZV2H_RSPI_TX(writel, u32)
 RZV2H_RSPI_TX(writew, u16)
 RZV2H_RSPI_TX(writeb, u8)
+/* The read access size for RSPI_SPDR is fixed at 32 bits */
 RZV2H_RSPI_RX(readl, u32)
-RZV2H_RSPI_RX(readw, u16)
+RZV2H_RSPI_RX(readl, u16)
 RZV2H_RSPI_RX(readl, u8)
 
 static void rzv2h_rspi_reg_rmw(const struct rzv2h_rspi_priv *rspi,
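Review bot: after this change all three `RZV2H_RSPI_RX()` instantiations pass `readl`, so the accessor argument no longer varies on the RX side and the 32-bit rule is enforced only by the new comment. A follow-up could drop that macro parameter and use `readl` directly in the RX macro body, so that a future instantiation cannot reintroduce a narrower read.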
-- 
2.53.0





* [PATCH 6.1 224/522] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 223/522] vxlan: vnifilter: fix spurious notification on VNI update Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 225/522] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
                   ` (298 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+f13c19f75e1097abd116,
	Eric Dumazet, Miquel Raynal, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 3a5f3f7aff18bcc36a57839cf50cf0cc8de707f3 ]

The aoe driver (or similar) generates a non-IPv6 packet
(e.g., ETH_P_AOE) and queues it for transmission via dev_queue_xmit()
on a 6LoWPAN interface (configured by the user or test case).

Since the packet is not IPv6, the 6LoWPAN header_ops->create function
(lowpan_header_create or header_create) returns early without initializing
the lowpan_addr_info structure in the skb headroom.

In the transmit function (lowpan_xmit), the driver calls lowpan_header
(or setup_header) which unconditionally copies and uses the lowpan_addr_info
from the headroom, which contains uninitialized data.

Fix this by dropping non-IPv6 packets.

A similar fix is needed in net/bluetooth/6lowpan.c bt_xmit().

Fixes: 4dc315e267fe ("ieee802154: 6lowpan: move transmit functionality")
Reported-by: syzbot+f13c19f75e1097abd116@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6a1fd763.278b5b03.2bcf39.0049.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260603072955.4032221-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/6lowpan/tx.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
index 0c07662b44c0ca..4df76ff50699ed 100644
--- a/net/ieee802154/6lowpan/tx.c
+++ b/net/ieee802154/6lowpan/tx.c
@@ -255,6 +255,11 @@ netdev_tx_t lowpan_xmit(struct sk_buff *skb, struct net_device *ldev)
 
 	pr_debug("package xmit\n");
 
+	if (skb->protocol != htons(ETH_P_IPV6)) {
+		kfree_skb(skb);
+		return NET_XMIT_DROP;
+	}
+
 	WARN_ON_ONCE(skb->len > IPV6_MIN_MTU);
 
 	/* We must take a copy of the skb before we modify/replace the ipv6
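Review bot: the new `skb->protocol != htons(ETH_P_IPV6)` branch frees the skb and returns without recording the drop, so non-IPv6 traffic queued on a 6LoWPAN interface disappears with no counter or message. Consider bumping the device's drop statistic (for example `ldev->stats.tx_dropped++`) before `kfree_skb(skb)`. The branch also returns `NET_XMIT_DROP` from a function declared as `netdev_tx_t`, which is worth a second look for consistency with the rest of `lowpan_xmit()`.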
-- 
2.53.0





* [PATCH 7.0 141/378] netfilter: revalidate bridge ports
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 140/378] spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 142/378] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Greg Kroah-Hartman
                   ` (237 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit ccb9fd4b87538ccf19ccff78ee26700526d94867 ]

ebt_redirect_tg() dereferences br_port_get_rcu() return without a
NULL check, causing a kernel panic when the bridge port has been
removed between the original hook invocation and an NFQUEUE
reinject.

A mere NULL check isn't sufficient, however.  As sashiko review
points out, userspace can not only remove the port from the bridge,
it could also place the device in a different virtual device, e.g.
macvlan.

If this happens, we must drop the packet; there is no way for us to
reinject it into the bridge path.

Switch to _upper API, we don't need the bridge port structure.
Also, this fix keeps another bug intact:

Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER
too aggressively, which prevents certain logging features when queueing
in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old
CONFIG_BRIDGE_NETFILTER cruft is off.

Fixes tag is a common ancestor, this was always broken.

Fixes: f350a0a87374 ("bridge: use rx_handler_data pointer to store net_bridge_port pointer")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebt_dnat.c     |  4 +-
 net/bridge/netfilter/ebt_redirect.c | 16 +++++---
 net/netfilter/nfnetlink_log.c       | 23 +++++++++--
 net/netfilter/nfnetlink_queue.c     | 64 +++++++++++++++++++++++++----
 4 files changed, 89 insertions(+), 18 deletions(-)

diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 3fda71a8579d13..73f185cccd63df 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -39,7 +39,9 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 			dev = xt_in(par);
 			break;
 		case NF_BR_PRE_ROUTING:
-			dev = br_port_get_rcu(xt_in(par))->br->dev;
+			dev = netdev_master_upper_dev_get_rcu(xt_in(par));
+			if (!dev) /* bridge port removed? */
+				return EBT_DROP;
 			break;
 		default:
 			dev = NULL;
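Review bot: the `NF_BR_PRE_ROUTING` case only checks that `netdev_master_upper_dev_get_rcu(xt_in(par))` is non-NULL, not that `xt_in(par)` is still a bridge port, so a device that has since gained some other master would have that master used as `dev`. The helpers this patch adds to nfnetlink_log.c and nfnetlink_queue.c test `netif_is_bridge_port(dev)` before the upper lookup; doing the same here and returning `EBT_DROP` otherwise would make the target consistent with them.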
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 307790562b4929..83486cd4d564b1 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -24,12 +24,18 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	if (skb_ensure_writable(skb, 0))
 		return EBT_DROP;
 
-	if (xt_hooknum(par) != NF_BR_BROUTING)
-		/* rcu_read_lock()ed by nf_hook_thresh */
-		ether_addr_copy(eth_hdr(skb)->h_dest,
-				br_port_get_rcu(xt_in(par))->br->dev->dev_addr);
-	else
+	if (xt_hooknum(par) != NF_BR_BROUTING) {
+		const struct net_device *dev;
+
+		dev = netdev_master_upper_dev_get_rcu(xt_in(par));
+		if (!dev)
+			return EBT_DROP;
+
+		ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
+	} else {
 		ether_addr_copy(eth_hdr(skb)->h_dest, xt_in(par)->dev_addr);
+	}
+
 	skb->pkt_type = PACKET_HOST;
 	return info->target;
 }
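Review bot: the rewrite of the `xt_hooknum(par) != NF_BR_BROUTING` branch drops the `/* rcu_read_lock()ed by nf_hook_thresh */` comment, yet the replacement still calls an `_rcu` accessor (`netdev_master_upper_dev_get_rcu()`) and still depends on that lock. Keep the comment above the new call so the locking assumption stays documented.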
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 0db908518b2fa2..f9bfc34d9ad355 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -450,6 +450,23 @@ static int nfulnl_put_bridge(struct nfulnl_instance *inst, const struct sk_buff
 	return -1;
 }
 
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+static int nflog_put_master_ifindex(struct sk_buff *nlskb, int attr,
+				    const struct net_device *dev)
+{
+	const struct net_device *upper;
+
+	if (dev && !netif_is_bridge_port(dev))
+		return 0;
+
+	upper = netdev_master_upper_dev_get_rcu((struct net_device *)dev);
+	if (upper && nla_put_be32(nlskb, attr, htonl(upper->ifindex)))
+		return -EMSGSIZE;
+
+	return 0;
+}
+#endif
+
 /* This is an inline function, we don't really care about a long
  * list of arguments */
 static inline int
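Review bot: in `nflog_put_master_ifindex()` the guard `if (dev && !netif_is_bridge_port(dev))` lets a NULL `dev` fall through to `netdev_master_upper_dev_get_rcu((struct net_device *)dev)`. If NULL cannot happen at the call sites, drop the `dev &&` so the code does not suggest otherwise; if it can, return early with `if (!dev || !netif_is_bridge_port(dev)) return 0;`. The cast that discards `const` is also worth a comment.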
@@ -504,8 +521,7 @@ __build_packet_message(struct nfnl_log_net *log,
 			/* rcu_read_lock()ed by nf_hook_thresh or
 			 * nf_log_packet.
 			 */
-			    nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
-					 htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
+			    nflog_put_master_ifindex(inst->skb, NFULA_IFINDEX_INDEV, indev))
 				goto nla_put_failure;
 		} else {
 			int physinif;
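Review bot: `NFULA_IFINDEX_INDEV` was previously added whenever this branch ran and is now silently left out when `nflog_put_master_ifindex()` finds that `indev` is not a bridge port or has no master (it returns 0 without calling `nla_put_be32()`). That is a change visible to log consumers and should be mentioned in the commit message or in a comment at this call.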
@@ -541,8 +557,7 @@ __build_packet_message(struct nfnl_log_net *log,
 			/* rcu_read_lock()ed by nf_hook_thresh or
 			 * nf_log_packet.
 			 */
-			    nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
-					 htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
+			    nflog_put_master_ifindex(inst->skb, NFULA_IFINDEX_OUTDEV, outdev))
 				goto nla_put_failure;
 		} else {
 			struct net_device *physoutdev;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 0529a19ca9a838..69038d946fc243 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -426,10 +426,47 @@ static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry, bool *is_
 	return false;
 }
 
+static bool nf_bridge_port_valid(const struct net_device *dev)
+{
+	if (!dev)
+		return true;
+
+	return netif_is_bridge_port(dev);
+}
+
+/* queued skbs leave rcu protection.  We bump device refcount so that
+ * the device cannot go away.  However, while packet was out the port
+ * could have been removed from the bridge.
+ *
+ * Ensure in+outdev are still part of a bridge at reinject time.
+ *
+ * The device rx_handler_data could even be pointing at data that is
+ * not a net_bridge_port structure.
+ */
+static bool nf_bridge_ports_valid(const struct nf_queue_entry *entry)
+{
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+	if (!nf_bridge_port_valid(entry->physin) ||
+	    !nf_bridge_port_valid(entry->physout))
+		return false;
+#endif
+	if (entry->state.pf != PF_BRIDGE)
+		return true;
+
+	if (!nf_bridge_port_valid(entry->state.in) ||
+	    !nf_bridge_port_valid(entry->state.out))
+		return false;
+
+	return true;
+}
+
 static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 {
 	const struct nf_ct_hook *ct_hook;
 
+	if (!nf_bridge_ports_valid(entry))
+		verdict = NF_DROP;
+
 	if (verdict == NF_ACCEPT ||
 	    verdict == NF_REPEAT ||
 	    verdict == NF_STOP) {
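Review bot: `nf_bridge_port_valid()` only asks whether the device is currently a port of some bridge (`netif_is_bridge_port(dev)`), so a port that was moved to a different bridge while the packet was queued still passes `nf_bridge_ports_valid()` and the original verdict is kept. If that case must also be dropped, the check needs to compare against the bridge the packet was queued on; if it is acceptable, the comment above `nf_bridge_ports_valid()` should say "a bridge" is enough. The two helper names also differ by a single letter, which is easy to misread.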
@@ -622,6 +659,23 @@ static int nf_queue_checksum_help(struct sk_buff *entskb)
 	return skb_checksum_help(entskb);
 }
 
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+static int nfqnl_put_master_ifindex(struct sk_buff *nlskb, int attr,
+				    const struct net_device *dev)
+{
+	const struct net_device *upper;
+
+	if (dev && !netif_is_bridge_port(dev))
+		return 0;
+
+	upper = netdev_master_upper_dev_get_rcu((struct net_device *)dev);
+	if (upper && nla_put_be32(nlskb, attr, htonl(upper->ifindex)))
+		return -EMSGSIZE;
+
+	return 0;
+}
+#endif
+
 static struct sk_buff *
 nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 			   struct nf_queue_entry *entry,
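Review bot: `nfqnl_put_master_ifindex()` is a line-for-line copy of `nflog_put_master_ifindex()` added to nfnetlink_log.c earlier in this patch, including the `dev &&` guard and the cast that discards `const`. A single shared inline helper in a common header would leave one place to fix if the NULL handling or the bridge-port test needs to change.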
@@ -757,10 +811,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 			 * netfilter_bridge) */
 			if (nla_put_be32(skb, NFQA_IFINDEX_PHYSINDEV,
 					 htonl(indev->ifindex)) ||
-			/* this is the bridge group "brX" */
-			/* rcu_read_lock()ed by __nf_queue */
-			    nla_put_be32(skb, NFQA_IFINDEX_INDEV,
-					 htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
+			    nfqnl_put_master_ifindex(skb, NFQA_IFINDEX_INDEV, indev))
 				goto nla_put_failure;
 		} else {
 			int physinif;
@@ -791,10 +842,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 			 * netfilter_bridge) */
 			if (nla_put_be32(skb, NFQA_IFINDEX_PHYSOUTDEV,
 					 htonl(outdev->ifindex)) ||
-			/* this is the bridge group "brX" */
-			/* rcu_read_lock()ed by __nf_queue */
-			    nla_put_be32(skb, NFQA_IFINDEX_OUTDEV,
-					 htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
+			    nfqnl_put_master_ifindex(skb, NFQA_IFINDEX_OUTDEV, outdev))
 				goto nla_put_failure;
 		} else {
 			int physoutif;
-- 
2.53.0





* [PATCH 6.1 225/522] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 224/522] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 226/522] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
                   ` (297 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
	Xuewei Feng, Qi Li, Ke Xu, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

[ Upstream commit 7561c7fbc694308da73300f036719e63e42bf0b4 ]

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three
per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events
from each event byte, but not after processing the third one. When valen
is exactly a multiple of three, the loop continues after the last valid
event and consumes the next byte as a new event byte, applying a
spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes
attrlen bytes as FirstValue and advances the offset, even though per
IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of
zero and no FirstValue or Vector fields. This corrupts the offset for
subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but
the attribute value is not incremented between the last event of one
byte and the first event of the next. This causes the first event of
the next byte to use the same attribute value as the third event
rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue
consumption when valen is zero, and increment the attribute value at
the end of each loop iteration.

Fixes: febf018d2234 ("net/802: Implement Multiple Registration Protocol (MRP)")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Link: https://patch.msgid.link/20260603060016.21522-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/802/mrp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/802/mrp.c b/net/802/mrp.c
index 6c927d4b35f06e..dea0fd28cbed88 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -702,6 +702,12 @@ static int mrp_pdu_parse_vecattr(struct mrp_applicant *app,
 	valen = be16_to_cpu(get_unaligned(&mrp_cb(skb)->vah->lenflags) &
 			    MRP_VECATTR_HDR_LEN_MASK);
 
+	/* If valen is 0, only a LeaveAllEvent is present; FirstValue and
+	 * Vector fields are absent per IEEE 802.1ak.
+	 */
+	if (valen == 0)
+		return 0;
+
 	/* The VectorAttribute structure in a PDU carries event information
 	 * about one or more attributes having consecutive values. Only the
 	 * value for the first attribute is contained in the structure. So
@@ -752,6 +758,9 @@ static int mrp_pdu_parse_vecattr(struct mrp_applicant *app,
 		vaevents %= __MRP_VECATTR_EVENT_MAX;
 		vaevent = vaevents;
 		mrp_pdu_parse_vecattr_event(app, skb, vaevent);
+		valen--;
+		mrp_attrvalue_inc(mrp_cb(skb)->attrvalue,
+				  mrp_cb(skb)->mh->attrlen);
 	}
 	return 0;
 }
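Review bot: the `mrp_attrvalue_inc()` added at the end of the loop body also runs after the final event of the attribute, when no later event will read the value, and nothing in the code explains that it exists for the first event of the next event byte. A short comment above `valen--` (for example `/* third event done; advance for the next event byte */`) would document both added statements; the diffstat also shows no test covering a `valen` that is a multiple of three.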
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 142/378] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 141/378] netfilter: revalidate bridge ports Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 143/378] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
                   ` (236 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit c3009418f9fa1dcb3eb86f4d8c92583537b5faa3 ]

NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.

When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:

 Oops: int3: 0000 [#1] SMP KASAN NOPTI
 RIP: 0010:0xffffffffa06102d1
  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
  nf_hook_slow (net/netfilter/core.c:619)
  __ip_local_out (net/ipv4/ip_output.c:120)
  __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
  tcp_connect (net/ipv4/tcp_output.c:4374)
  tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
  __sys_connect (net/socket.c:2167)
 Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops.

Fixes: f587de0e2feb ("[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netfilter/nf_conntrack_helper.h |  1 +
 net/ipv4/netfilter/nf_nat_h323.c            |  2 ++
 net/netfilter/nf_conntrack_helper.c         | 19 +++++++++++++++++++
 net/netfilter/nf_nat_core.c                 |  2 ++
 net/netfilter/nf_nat_sip.c                  |  1 +
 5 files changed, 25 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index de2f956abf3480..24cf3d2d97450f 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -155,6 +155,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 
 void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n);
 void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n);
+void nf_ct_helper_expectfn_destroy(const struct nf_ct_helper_expectfn *n);
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_name(const char *name);
 struct nf_ct_helper_expectfn *
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index faee20af485613..10e1b0837731b7 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -555,6 +555,8 @@ static void __exit nf_nat_h323_fini(void)
 	nf_ct_helper_expectfn_unregister(&q931_nat);
 	nf_ct_helper_expectfn_unregister(&callforwarding_nat);
 	synchronize_rcu();
+	nf_ct_helper_expectfn_destroy(&q931_nat);
+	nf_ct_helper_expectfn_destroy(&callforwarding_nat);
 }
 
 /****************************************************************************/
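
Review bot: the two nf_ct_helper_expectfn_destroy() calls in nf_nat_h323_fini() are only safe because they come after synchronize_rcu(), and nothing at the call site says so. A one-line comment above them, stating that the expectations may be flushed only once the grace period following the unregister calls has ended, would keep a later cleanup from reordering the sequence and bringing back the dangling ->expectfn.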
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index b594cd244fe1d4..ea0cdb7ec91512 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -283,6 +283,25 @@ void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n)
 }
 EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_unregister);
 
+static bool expect_iter_expectfn(struct nf_conntrack_expect *exp, void *data)
+{
+	const struct nf_ct_helper_expectfn *n = data;
+
+	/* Relies on registered expectfn descriptors having unique ->expectfn
+	 * pointers, which holds for the in-tree NAT helpers.
+	 */
+	return exp->expectfn == n->expectfn;
+}
+
+/* Destroy expectations still pointing at @n->expectfn; call after the
+ * caller's RCU grace period so none outlives the (often modular) callback.
+ */
+void nf_ct_helper_expectfn_destroy(const struct nf_ct_helper_expectfn *n)
+{
+	nf_ct_expect_iterate_destroy(expect_iter_expectfn, (void *)n);
+}
+EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_destroy);
+
 /* Caller should hold the rcu lock */
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_name(const char *name)
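
Review bot: expect_iter_expectfn() matches on the bare ->expectfn pointer, so two descriptors sharing one callback would have each other's expectations destroyed; the in-code comment says this holds only for the in-tree NAT helpers. Consider checking it in nf_ct_helper_expectfn_register() (WARN on or reject a duplicate ->expectfn) instead of leaving it as an unchecked assumption. The (void *)n cast in nf_ct_helper_expectfn_destroy() also drops const only for the callback to restore it; a short comment that the iterator never writes through data would make that explicit.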
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index b30ca94c2bb7ff..4f41311b868b47 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -1347,6 +1347,7 @@ static int __init nf_nat_init(void)
 		RCU_INIT_POINTER(nf_nat_hook, NULL);
 		nf_ct_helper_expectfn_unregister(&follow_master_nat);
 		synchronize_net();
+		nf_ct_helper_expectfn_destroy(&follow_master_nat);
 		unregister_pernet_subsys(&nat_net_ops);
 		kvfree(nf_nat_bysource);
 	}
@@ -1364,6 +1365,7 @@ static void __exit nf_nat_cleanup(void)
 	RCU_INIT_POINTER(nf_nat_hook, NULL);
 
 	synchronize_net();
+	nf_ct_helper_expectfn_destroy(&follow_master_nat);
 	kvfree(nf_nat_bysource);
 	unregister_pernet_subsys(&nat_net_ops);
 }
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index 9fbfc6bff0c221..00838c0cc5bb28 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -655,6 +655,7 @@ static void __exit nf_nat_sip_fini(void)
 	RCU_INIT_POINTER(nf_nat_sip_hooks, NULL);
 	nf_ct_helper_expectfn_unregister(&sip_nat);
 	synchronize_rcu();
+	nf_ct_helper_expectfn_destroy(&sip_nat);
 }
 
 static const struct nf_nat_sip_hooks sip_hooks = {
-- 
2.53.0





* [PATCH 6.1 226/522] sctp: purge outqueue on stale COOKIE-ECHO handling
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 225/522] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 227/522] ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp Greg Kroah-Hartman
                   ` (296 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Zhengchuan Liang, Xin Liu, Yuqi Xu, Ren Wei, Xin Long,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit e374b22e9b07b72a25909621464ff74096151bfb ]

sctp_stream_update() is only invoked when the association is moved into
COOKIE_WAIT during association setup/reconfiguration. In this path, the
outbound stream scheduler state (stream->out_curr) is expected to be
clean, since no user data should have been transmitted yet unless the
state machine has already partially progressed.

However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a
Stale Cookie ERROR is received, the association is rolled back from
COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already
have been queued and even bundled with the COOKIE-ECHO chunk.

During the rollback, sctp_stream_update() frees the old stream table
and installs a new one, but it does not invalidate stream->out_curr.
As a result, out_curr may still point to a freed sctp_stream_out
entry from the previous stream state.

Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on
stream->out_curr->ext, which can lead to use-after-free once the old
stream state has been released via sctp_stream_free().

This results in crashes such as (reported by Yuqi):

  BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140
  Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312
  CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted
     7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)
   sctp_sched_fcfs_dequeue+0x13a/0x140
   sctp_outq_flush+0x1603/0x33e0
   sctp_do_sm+0x31c9/0x5d30
   sctp_assoc_bh_rcv+0x392/0x6f0
   sctp_inq_push+0x1db/0x270
   sctp_rcv+0x138d/0x3c10

Fix this by fully purging the association outqueue when handling the
Stale Cookie case. This ensures all pending transmit and retransmit
state is dropped, and any scheduler cached pointers are invalidated,
making it safe to rebuild stream state during COOKIE_WAIT restart.

Updating only stream->out_curr would be insufficient, since queued
and retransmittable data would still reference the old stream state and
trigger later use-after-free in dequeue paths.

Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: Yuqi Xu <xuyq21@lenovo.com>
Reported-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/94318159b9052907a6cbb7256aee8b5f8dfbfccb.1780510304.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 1685f73602d5e3..f5dc7822d220f2 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2599,11 +2599,7 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale(
 	 */
 	sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
 
-	/* If we've sent any data bundled with COOKIE-ECHO we will need to
-	 * resend
-	 */
-	sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
-			SCTP_TRANSPORT(asoc->peer.primary_path));
+	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
 
 	/* Cast away the const modifier, as we want to just
 	 * rerun it through as a sideffect.
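
Review bot: the added SCTP_CMD_PURGE_OUTQUEUE line in sctp_sf_do_5_2_6_stale() replaces a commented SCTP_CMD_T1_RETRAN with an uncommented command, and the behaviour change is significant: data bundled with the COOKIE-ECHO is now dropped instead of resent. Please add a comment saying why a purge is required here (queued chunks and the scheduler's cached pointer still reference the stream table that sctp_stream_update() frees), and say in the changelog whether the sender is told about the discarded user data.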
-- 
2.53.0





* [PATCH 7.0 143/378] netfilter: x_tables: avoid leaking percpu counter pointers
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 142/378] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 144/378] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
                   ` (235 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Pablo Neira Ayuso,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit f7f2fbb0e893a0238dc464f8d8c0f5609bec584f ]

The native and compat get-entries paths copy the fixed rule entry header
from the kernelized rule blob to userspace before overwriting the entry's
counter fields with a sanitized counter snapshot.

On SMP kernels, entry->counters.pcnt contains the percpu allocation
address used by x_tables rule counters. A caller can provide a userspace
buffer that faults during the initial fixed-header copy after pcnt has
been copied but before the later sanitized counter copy runs. The syscall
then returns -EFAULT while leaving the raw percpu pointer in userspace.

Copy only the fixed entry prefix before counters from the kernelized rule
blob, then copy the sanitized counter snapshot into the counter field.
Apply this ordering to the IPv4, IPv6, and ARP native and compat
get-entries implementations so a fault cannot expose the internal percpu
counter pointer.

Fixes: 71ae0dff02d7 ("netfilter: xtables: use percpu rule counters")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/netfilter/arp_tables.c | 15 ++++++---------
 net/ipv4/netfilter/ip_tables.c  | 15 ++++++---------
 net/ipv6/netfilter/ip6_tables.c | 15 ++++++---------
 3 files changed, 18 insertions(+), 27 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index ad2259678c7854..0ea513bf77fb6a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -702,14 +702,12 @@ static int copy_entries_to_user(unsigned int total_size,
 		const struct xt_entry_target *t;
 
 		e = loc_cpu_entry + off;
-		if (copy_to_user(userptr + off, e, sizeof(*e))) {
-			ret = -EFAULT;
-			goto free_counters;
-		}
-		if (copy_to_user(userptr + off
+		if (copy_to_user(userptr + off, e,
+				 offsetof(struct arpt_entry, counters)) ||
+		    copy_to_user(userptr + off
 				 + offsetof(struct arpt_entry, counters),
 				 &counters[num],
-				 sizeof(counters[num])) != 0) {
+				 sizeof(counters[num]))) {
 			ret = -EFAULT;
 			goto free_counters;
 		}
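
Review bot: in copy_entries_to_user() the first copy_to_user() now stops at offsetof(struct arpt_entry, counters) and the second writes sizeof(counters[num]) at that offset, which covers the same bytes as the old sizeof(*e) copy only if counters is the last member of the fixed header. A BUILD_BUG_ON() or a comment stating that assumption would catch a field added after counters later, which would otherwise silently stop being copied to userspace.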
@@ -1327,9 +1325,8 @@ static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
 
 	origsize = *size;
 	ce = *dstptr;
-	if (copy_to_user(ce, e, sizeof(struct arpt_entry)) != 0 ||
-	    copy_to_user(&ce->counters, &counters[i],
-	    sizeof(counters[i])) != 0)
+	if (copy_to_user(ce, e, offsetof(struct compat_arpt_entry, counters)) ||
+	    copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
 		return -EFAULT;
 
 	*dstptr += sizeof(struct compat_arpt_entry);
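
Review bot: in compat_copy_entry_to_user() the source is the native struct arpt_entry *e, but the length is offsetof(struct compat_arpt_entry, counters), so the copy is correct only while both structs have an identical layout up to counters. A BUILD_BUG_ON() comparing the two offsetof() values, or a comment next to the call, would document that coupling instead of leaving it implicit.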
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 5cbdb0815857f4..ca8ff0ae6cdb9f 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -832,14 +832,12 @@ copy_entries_to_user(unsigned int total_size,
 		const struct xt_entry_target *t;
 
 		e = loc_cpu_entry + off;
-		if (copy_to_user(userptr + off, e, sizeof(*e))) {
-			ret = -EFAULT;
-			goto free_counters;
-		}
-		if (copy_to_user(userptr + off
+		if (copy_to_user(userptr + off, e,
+				 offsetof(struct ipt_entry, counters)) ||
+		    copy_to_user(userptr + off
 				 + offsetof(struct ipt_entry, counters),
 				 &counters[num],
-				 sizeof(counters[num])) != 0) {
+				 sizeof(counters[num]))) {
 			ret = -EFAULT;
 			goto free_counters;
 		}
@@ -1228,9 +1226,8 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
 
 	origsize = *size;
 	ce = *dstptr;
-	if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
-	    copy_to_user(&ce->counters, &counters[i],
-	    sizeof(counters[i])) != 0)
+	if (copy_to_user(ce, e, offsetof(struct compat_ipt_entry, counters)) ||
+	    copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
 		return -EFAULT;
 
 	*dstptr += sizeof(struct compat_ipt_entry);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9d9c3763f2f5e9..e34d5ba1460ca7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -848,14 +848,12 @@ copy_entries_to_user(unsigned int total_size,
 		const struct xt_entry_target *t;
 
 		e = loc_cpu_entry + off;
-		if (copy_to_user(userptr + off, e, sizeof(*e))) {
-			ret = -EFAULT;
-			goto free_counters;
-		}
-		if (copy_to_user(userptr + off
+		if (copy_to_user(userptr + off, e,
+				 offsetof(struct ip6t_entry, counters)) ||
+		    copy_to_user(userptr + off
 				 + offsetof(struct ip6t_entry, counters),
 				 &counters[num],
-				 sizeof(counters[num])) != 0) {
+				 sizeof(counters[num]))) {
 			ret = -EFAULT;
 			goto free_counters;
 		}
@@ -1244,9 +1242,8 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
 
 	origsize = *size;
 	ce = *dstptr;
-	if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
-	    copy_to_user(&ce->counters, &counters[i],
-	    sizeof(counters[i])) != 0)
+	if (copy_to_user(ce, e, offsetof(struct compat_ip6t_entry, counters)) ||
+	    copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
 		return -EFAULT;
 
 	*dstptr += sizeof(struct compat_ip6t_entry);
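
Review bot: this is the sixth copy of the same "prefix up to counters, then sanitized counters" sequence in the patch, differing only in the struct name. For a stable backport the duplication is acceptable, but upstream a small shared helper taking the destination, the entry, the counters offset and the snapshot would keep the ordering rule in one place, so a future get-entries path cannot reintroduce the full-header copy.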
-- 
2.53.0





* [PATCH 6.1 227/522] ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 226/522] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 228/522] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
                   ` (295 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rui Qi, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rui Qi <qirui.001@bytedance.com>

Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock()
in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails.

This mismatch leads to an SRCU read-side critical section imbalance: the
entry uses srcu_read_lock(&intf->users_srcu) but the error path
incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and
leaves the SRCU lock held.

The offending code was restructured in mainline by commit 3be997d5a64a
("ipmi:msghandler: Remove srcu from the ipmi user structure"), which
replaced the SRCU locking with a mutex in this function, effectively
eliminating the mismatch. However, that commit is part of a larger
SRCU removal series that is not suitable for stable backport. This
minimal fix addresses the SRCU imbalance for 6.12 and earlier stable
branches that still carry the original locking scheme.

Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove")
Cc: stable@vger.kernel.org
Signed-off-by: Rui Qi <qirui.001@bytedance.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/ipmi/ipmi_msghandler.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 8bc8da7f70bb8e..62d39ea9f00836 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -4396,7 +4396,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf,
 
 		recv_msg = ipmi_alloc_recv_msg(user);
 		if (IS_ERR(recv_msg)) {
-			rcu_read_unlock();
+			srcu_read_unlock(&intf->users_srcu, index);
 			list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
 						 link) {
 				list_del(&recv_msg->link);
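
Review bot: srcu_read_unlock(&intf->users_srcu, index) depends on index holding the value returned by the matching srcu_read_lock(), and neither its declaration nor its assignment is visible in this hunk. Please confirm it is the same variable the normal exit path of handle_read_event_rsp() passes to srcu_read_unlock(), and that the list_for_each_entry_safe() cleanup that follows does not need the read-side section to still be held.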
-- 
2.53.0





* [PATCH 7.0 144/378] netfilter: nf_log: validate MAC header was set before dumping it
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 143/378] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 145/378] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
                   ` (234 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xiang Mei <xmei5@asu.edu>

[ Upstream commit a84b6fedbc97078788be78dbdd7517d143ad1a77 ]

The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

 BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
 Read of size 1 at addr ffff88800ea49d3f by task exploit/148
 Call Trace:
  kasan_report (mm/kasan/report.c:595)
  dump_mac_header (net/netfilter/nf_log_syslog.c:831)
  nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
  nf_log_packet (net/netfilter/nf_log.c:260)
  nft_log_eval (net/netfilter/nft_log.c:60)
  nft_do_chain (net/netfilter/nf_tables_core.c:285)
  nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
  nf_hook_slow (net/netfilter/core.c:619)
  nf_hook_direct_egress (net/packet/af_packet.c:257)
  packet_xmit (net/packet/af_packet.c:280)
  packet_sendmsg (net/packet/af_packet.c:3114)
  __sys_sendto (net/socket.c:2265)

Fixes: 7eb9282cd0ef ("netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_log_syslog.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_log_syslog.c b/net/netfilter/nf_log_syslog.c
index 41503847d9d7fb..c0462d403157a9 100644
--- a/net/netfilter/nf_log_syslog.c
+++ b/net/netfilter/nf_log_syslog.c
@@ -801,8 +801,8 @@ static void dump_mac_header(struct nf_log_buf *m,
 
 fallback:
 	nf_log_buf_add(m, "MAC=");
-	if (dev->hard_header_len &&
-	    skb->mac_header != skb->network_header) {
+	if (dev->hard_header_len && skb_mac_header_was_set(skb) &&
+	    skb_mac_header_len(skb) != 0) {
 		const unsigned char *p = skb_mac_header(skb);
 		unsigned int i;
 
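
Review bot: the new condition in the fallback path of dump_mac_header() proves the MAC header is set and non-empty, but the changelog says the loop reads dev->hard_header_len bytes from p, and nothing here compares that length with skb_mac_header_len(skb). If the header present is shorter than hard_header_len, the dump can still run past it; bounding the loop by the smaller of the two values would close that case as well.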
-- 
2.53.0





* [PATCH 6.1 228/522] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 227/522] ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 229/522] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
                   ` (294 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+b109633ea805cac54a61,
	Aleksandr Nogikh, Christian Brauner (Amutable), Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksandr Nogikh <nogikh@google.com>

[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]

When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
threads and sets signal->group_stop_count to the number of threads. If
one of the threads concurrently calls execve(), de_thread() invokes
zap_other_threads() to kill all other threads. zap_other_threads()
aborts the pending group stop by resetting signal->group_stop_count to 0
and clears the JOBCTL_PENDING_MASK for all other threads. However, it
fails to clear the job control flags for the calling thread.

When execve() completes, the calling thread returns to user mode and
checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
it calls do_signal_stop(), which invokes task_participate_group_stop().
Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
already-zero signal->group_stop_count, triggering a warning:

sig->group_stop_count == 0
WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
task_participate_group_stop+0x215/0x2d0
Call Trace:
 <TASK>
 do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
 get_signal+0xa8c/0x1330 kernel/signal.c:2884
 arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
 do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
calling thread in zap_other_threads(), ensuring it does not retain any
stale job control state after the thread group is destroyed. This aligns
with other functions that tear down a thread group and abort group
stops, such as zap_process() and complete_signal(), which correctly
clear these flags for all threads including the current one.

Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/signal.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/signal.c b/kernel/signal.c
index 723c84d162ddba..98dbe713829ec3 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1371,6 +1371,7 @@ int zap_other_threads(struct task_struct *p)
 	int count = 0;
 
 	p->signal->group_stop_count = 0;
+	task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
 
 	while_each_thread(p, t) {
 		task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
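
Review bot: the added task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK) in zap_other_threads() has no comment, and the function name suggests only the other threads are touched. A one-line comment that the caller's own job control flags must be cleared too, because group_stop_count was just reset to 0 on the line above, would explain why p is handled outside the while_each_thread() loop.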
-- 
2.53.0





* [PATCH 7.0 145/378] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 144/378] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 146/378] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
                   ` (233 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 772cecf198da732faebb5dcfc46d66a505be8495 ]

nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized.  However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path).  When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.

Bail out if userspace requests too much data when F_PRESENT is set.

Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_exthdr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 7eedf4e3ae9c75..9471328802d3b7 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -532,6 +532,9 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
 			return err;
 	}
 
+	if ((flags & NFT_EXTHDR_F_PRESENT) && len != 1)
+		return -EINVAL;
+
 	priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
 	priv->offset = offset;
 	priv->len    = len;
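
Review bot: the check "len != 1" in nft_exthdr_init() is stricter than the changelog, which describes the problem only for len > 4 and says the patch bails out when userspace requests "too much data". With this line, NFT_EXTHDR_F_PRESENT with len 2 to 4 is rejected as well; please state that in the changelog or in a comment above the check, so that a ruleset which starts failing with -EINVAL can be traced back to an intended restriction.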
-- 
2.53.0





* [PATCH 6.1 229/522] time: Fix off-by-one in settimeofday() usec validation
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 228/522] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 230/522] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams Greg Kroah-Hartman
                   ` (293 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naveen Kumar Chaudhary,
	Thomas Gleixner, John Stultz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>

[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]

The validation check uses '>' instead of '>=' when comparing tv_usec
against USEC_PER_SEC, allowing the value 1000000 through. After
conversion to nanoseconds (*= 1000), this produces tv_nsec ==
NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
less than NSEC_PER_SEC.

Use '>=' to reject tv_usec values that are not in the valid range of
0 to 999999.

Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: John Stultz <jstultz@google.com>
Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/time/time.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/time/time.c b/kernel/time/time.c
index 170f1f8a0046ce..0e0b54fb34905e 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
 		    get_user(new_ts.tv_nsec, &tv->tv_usec))
 			return -EFAULT;
 
-		if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
+		if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
 			return -EINVAL;
 
 		new_ts.tv_nsec *= NSEC_PER_USEC;
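
Review bot: at the ">= USEC_PER_SEC" comparison new_ts.tv_nsec still holds microseconds, which is only apparent from the get_user() two lines above and the multiplication two lines below. A short comment that the field carries tv_usec until the "*= NSEC_PER_USEC" line would make the bound easier to audit, and a selftest that calls settimeofday() with tv_usec == 1000000 and expects -EINVAL would pin the boundary down.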
-- 
2.53.0





* [PATCH 7.0 146/378] net: mvpp2: sync RX data at the hardware packet offset
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 145/378] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 147/378] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
                   ` (232 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit 180235600934bef6add3be637c296d6cf3272e67 ]

mvpp2 programs the RX queue packet offset, so hardware writes received
data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at
dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the
unused headroom and misses the same number of bytes at the packet tail.

On non-coherent DMA systems this can leave the CPU reading stale cache
contents for the end of the received frame.

Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range
offset so the sync covers the Marvell header and packet data actually
written by hardware.

Fixes: e1921168bbd4 ("mvpp2: sync only the received frame")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-2-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index f442b874bb5933..92a701f4fe3f57 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3946,9 +3946,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			dma_dir = DMA_FROM_DEVICE;
 		}
 
-		dma_sync_single_for_cpu(dev->dev.parent, dma_addr,
-					rx_bytes + MVPP2_MH_SIZE,
-					dma_dir);
+		dma_sync_single_range_for_cpu(dev->dev.parent, dma_addr,
+					      MVPP2_SKB_HEADROOM,
+					      rx_bytes + MVPP2_MH_SIZE,
+					      dma_dir);
 
 		/* Buffer header not supported */
 		if (rx_status & MVPP2_RXD_BUF_HDR)
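
Review bot: the range offset passed to dma_sync_single_range_for_cpu() in mvpp2_rx() is the constant MVPP2_SKB_HEADROOM, while the changelog ties correctness to the packet offset programmed into the RX queue. If the two can ever differ, the sync is wrong again, so a comment naming where that offset is programmed (or deriving both from one definition) would help. The synced range now ends at MVPP2_SKB_HEADROOM + rx_bytes + MVPP2_MH_SIZE, so it is also worth confirming that this end cannot exceed the mapped buffer length.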
-- 
2.53.0





* [PATCH 6.1 230/522] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 229/522] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 231/522] fs/ntfs3: Return error for inconsistent extended attributes Greg Kroah-Hartman
                   ` (292 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhou, Takashi Iwai, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>

[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]

snd_pcm_drain() uses init_waitqueue_entry which does not clear
entry.prev/next, and add_wait_queue with a conditional
remove_wait_queue that is skipped when to_check is no longer
in the group after concurrent UNLINK.  The orphaned wait entry
remains on the unlinked substream sleep queue.  On the next
drain iteration, add_wait_queue adds the entry to a new queue
while still linked on the old one, corrupting both lists.  A
subsequent wake_up dereferences NULL at the func pointer
(mapped from the spinlock at offset 0 of the misinterpreted
wait_queue_head_t), causing a kernel panic.

Replace init_waitqueue_entry/add_wait_queue/conditional
remove_wait_queue with init_wait_entry/prepare_to_wait/
finish_wait.  init_wait_entry clears prev/next via
INIT_LIST_HEAD on each iteration and sets
autoremove_wake_function which auto-removes the entry on
wake-up.  finish_wait safely handles both the already-removed
and still-queued cases.

Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/pcm_native.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 7be5f25612b954..2ed9abb911a7aa 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2178,9 +2178,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
 		drain_no_period_wakeup = to_check->no_period_wakeup;
 		drain_rate = to_check->rate;
 		drain_bufsz = to_check->buffer_size;
-		init_waitqueue_entry(&wait, current);
-		set_current_state(TASK_INTERRUPTIBLE);
-		add_wait_queue(&to_check->sleep, &wait);
+		init_wait_entry(&wait, 0);
+		prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
 		snd_pcm_stream_unlock_irq(substream);
 		if (drain_no_period_wakeup)
 			tout = MAX_SCHEDULE_TIMEOUT;
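Review bot: nothing at the call site says why init_wait_entry(&wait, 0) has to run on every pass of the drain loop. The fix depends on the entry's list linkage being reset each iteration and on the auto-remove wake function, so a short comment above the call would stop a later cleanup from hoisting it out of the loop or switching back to init_waitqueue_entry().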
@@ -2198,7 +2197,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
 		group = snd_pcm_stream_group_ref(substream);
 		snd_pcm_group_for_each_entry(s, substream) {
 			if (s->runtime == to_check) {
-				remove_wait_queue(&to_check->sleep, &wait);
+				finish_wait(&to_check->sleep, &wait);
 				break;
 			}
 		}
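Review bot: finish_wait() is still reached only inside the "if (s->runtime == to_check)" match, so when to_check has left the group the entry is off the queue only if a wake-up already auto-removed it. If the sleep returns by timeout or signal instead, the entry stays linked and the next init_wait_entry() reinitializes it in place. Add a comment saying why the unmatched case is safe, or what guarantees the entry is already dequeued there.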
-- 
2.53.0





* [PATCH 7.0 147/378] net: mvpp2: limit XDP frame size to the RX buffer
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 146/378] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 148/378] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
                   ` (231 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit f3c6aa078927e6fe8121c9c591ddee8716c5305a ]

mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.

Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-3-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 92a701f4fe3f57..3372ed27cc8d67 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3979,7 +3979,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			else
 				xdp_rxq = &rxq->xdp_rxq_long;
 
-			xdp_init_buff(&xdp, PAGE_SIZE, xdp_rxq);
+			xdp_init_buff(&xdp, bm_pool->frag_size, xdp_rxq);
 			xdp_prepare_buff(&xdp, data,
 					 MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM,
 					 rx_bytes, true);
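Review bot: xdp_init_buff() now takes bm_pool->frag_size, but nothing at the call site ties that value to the headroom and length passed to xdp_prepare_buff() on the next line. A comment, or a debug-time check that MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM + rx_bytes fits inside bm_pool->frag_size, would document the invariant the XDP tail-growth bound relies on for both the short and the long pool.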
-- 
2.53.0





* [PATCH 6.1 231/522] fs/ntfs3: Return error for inconsistent extended attributes
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 230/522] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 232/522] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
                   ` (291 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Edward Lo, Konstantin Komarov,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Edward Lo <loyuantsung@gmail.com>

[ Upstream commit c9db0ff04649aa0b45f497183c957fe260f229f6 ]

ntfs_read_ea is called when we want to read extended attributes. There
are some sanity checks for the validity of the EAs. However, it fails to
return a proper error code for the inconsistent attributes, which might
lead to unpredicted memory accesses after return.

[  138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
[  138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
[  138.931132]
[  138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
[  138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[  138.947327] Call Trace:
[  138.949557]  <TASK>
[  138.951539]  dump_stack_lvl+0x4d/0x67
[  138.956834]  print_report+0x16f/0x4a6
[  138.960798]  ? ntfs_set_ea+0x453/0xbf0
[  138.964437]  ? kasan_complete_mode_report_info+0x7d/0x200
[  138.969793]  ? ntfs_set_ea+0x453/0xbf0
[  138.973523]  kasan_report+0xb8/0x140
[  138.976740]  ? ntfs_set_ea+0x453/0xbf0
[  138.980578]  __asan_store4+0x76/0xa0
[  138.984669]  ntfs_set_ea+0x453/0xbf0
[  138.988115]  ? __pfx_ntfs_set_ea+0x10/0x10
[  138.993390]  ? kernel_text_address+0xd3/0xe0
[  138.998270]  ? __kernel_text_address+0x16/0x50
[  139.002121]  ? unwind_get_return_address+0x3e/0x60
[  139.005659]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[  139.010177]  ? arch_stack_walk+0xa2/0x100
[  139.013657]  ? filter_irq_stacks+0x27/0x80
[  139.017018]  ntfs_setxattr+0x405/0x440
[  139.022151]  ? __pfx_ntfs_setxattr+0x10/0x10
[  139.026569]  ? kvmalloc_node+0x2d/0x120
[  139.030329]  ? kasan_save_stack+0x41/0x60
[  139.033883]  ? kasan_save_stack+0x2a/0x60
[  139.037338]  ? kasan_set_track+0x29/0x40
[  139.040163]  ? kasan_save_alloc_info+0x1f/0x30
[  139.043588]  ? __kasan_kmalloc+0x8b/0xa0
[  139.047255]  ? __kmalloc_node+0x68/0x150
[  139.051264]  ? kvmalloc_node+0x2d/0x120
[  139.055301]  ? vmemdup_user+0x2b/0xa0
[  139.058584]  __vfs_setxattr+0x121/0x170
[  139.062617]  ? __pfx___vfs_setxattr+0x10/0x10
[  139.066282]  __vfs_setxattr_noperm+0x97/0x300
[  139.070061]  __vfs_setxattr_locked+0x145/0x170
[  139.073580]  vfs_setxattr+0x137/0x2a0
[  139.076641]  ? __pfx_vfs_setxattr+0x10/0x10
[  139.080223]  ? __kasan_check_write+0x18/0x20
[  139.084234]  do_setxattr+0xce/0x150
[  139.087768]  setxattr+0x126/0x140
[  139.091250]  ? __pfx_setxattr+0x10/0x10
[  139.094948]  ? __virt_addr_valid+0xcb/0x140
[  139.097838]  ? __call_rcu_common.constprop.0+0x1c7/0x330
[  139.102688]  ? debug_smp_processor_id+0x1b/0x30
[  139.105985]  ? kasan_quarantine_put+0x5b/0x190
[  139.109980]  ? putname+0x84/0xa0
[  139.113886]  ? __kasan_slab_free+0x11e/0x1b0
[  139.117961]  ? putname+0x84/0xa0
[  139.121316]  ? preempt_count_sub+0x1c/0xd0
[  139.124427]  ? __mnt_want_write+0xae/0x100
[  139.127836]  ? mnt_want_write+0x8f/0x150
[  139.130954]  path_setxattr+0x164/0x180
[  139.133998]  ? __pfx_path_setxattr+0x10/0x10
[  139.137853]  ? __pfx_ksys_pwrite64+0x10/0x10
[  139.141299]  ? debug_smp_processor_id+0x1b/0x30
[  139.145714]  ? fpregs_assert_state_consistent+0x6b/0x80
[  139.150796]  __x64_sys_setxattr+0x71/0x90
[  139.155407]  do_syscall_64+0x3f/0x90
[  139.159035]  entry_SYSCALL_64_after_hwframe+0x72/0xdc

Signed-off-by: Edward Lo <loyuantsung@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ntfs3/xattr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 2e4eea854bda59..7dc650b0b832c2 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -140,6 +140,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea,
 
 	memset(Add2Ptr(ea_p, size), 0, add_bytes);
 
+	err = -EINVAL;
 	/* Check all attributes for consistency. */
 	for (off = 0; off < size; off += ea_size) {
 		const struct EA_FULL *ef = Add2Ptr(ea_p, off);
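Review bot: "err = -EINVAL;" is set once ahead of the consistency loop, so the fix is correct only if every successful exit after the loop assigns err again, and that assignment is outside this hunk. Setting the error at the point where a malformed EA_FULL entry is rejected, or adding a comment here that names the later line which clears err, would make the failure path checkable from the loop itself.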
-- 
2.53.0





* [PATCH 7.0 148/378] net: mvpp2: refill RX buffers before XDP or skb use
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 147/378] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 149/378] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 ]

The RX error path returns the current descriptor buffer to the hardware
BM pool. That is only valid while the driver still owns the buffer.

mvpp2_rx_refill() can fail after the current buffer has been handed to
XDP or attached to an skb. In those cases mvpp2_run_xdp() may have
recycled, redirected, or queued the page for XDP_TX, and an skb free also
retires the data buffer. Returning such a buffer to BM lets hardware DMA
into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the
skb. If the allocation fails there, drop the packet and return the
still-owned current buffer to BM, preserving the pool depth. Once the
refill succeeds, later local drops retire/free the current buffer instead
of returning it to BM.

Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Fixes: d6526926de73 ("net: mvpp2: fix memory leak in mvpp2_rx")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-4-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/marvell/mvpp2/mvpp2_main.c   | 43 +++++++++++--------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 3372ed27cc8d67..481daafdc1cbc7 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3971,6 +3971,12 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		else
 			frag_size = bm_pool->frag_size;
 
+		err = mvpp2_rx_refill(port, bm_pool, pp, pool);
+		if (err) {
+			netdev_err(port->dev, "failed to refill BM pools\n");
+			goto err_drop_frame;
+		}
+
 		if (xdp_prog) {
 			struct xdp_rxq_info *xdp_rxq;
 
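Review bot: netdev_err(port->dev, "failed to refill BM pools\n") sits on the per-frame RX path and is not rate limited, so it can print once per received frame for as long as allocations fail. Rate-limit the message or replace it with a counter so memory pressure on the RX path does not also flood the log.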
@@ -3988,12 +3994,6 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 
 			if (ret) {
 				xdp_ret |= ret;
-				err = mvpp2_rx_refill(port, bm_pool, pp, pool);
-				if (err) {
-					netdev_err(port->dev, "failed to refill BM pools\n");
-					goto err_drop_frame;
-				}
-
 				ps.rx_packets++;
 				ps.rx_bytes += rx_bytes;
 				continue;
@@ -4008,8 +4008,21 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			skb = slab_build_skb(data);
 		if (!skb) {
 			netdev_warn(port->dev, "skb build failed\n");
-			goto err_drop_frame;
+			if (pp) {
+				page_pool_put_page(pp, virt_to_head_page(data),
+						   rx_bytes + MVPP2_MH_SIZE,
+						   true);
+			} else {
+				dma_unmap_single_attrs(dev->dev.parent, dma_addr,
+						       bm_pool->buf_size,
+						       DMA_FROM_DEVICE,
+						       DMA_ATTR_SKIP_CPU_SYNC);
+				mvpp2_frag_free(bm_pool, pp, data);
+			}
+			goto err_drop_frame_retired;
 		}
+		if (pp)
+			skb_mark_for_recycle(skb);
 
 		/* If we have RX hardware timestamping enabled, grab the
 		 * timestamp from the queue and convert.
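Review bot: the skb build failure branch open-codes the buffer retirement, and its else arm passes pp to mvpp2_frag_free() in the one place where pp is known to be NULL. The same dma_unmap_single_attrs() sequence (bm_pool->buf_size, DMA_FROM_DEVICE, DMA_ATTR_SKIP_CPU_SYNC) appears again in the next hunk for the normal skb path. A small helper that retires the current buffer would keep the two copies in step and give the ownership rule from the commit message a single home.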
@@ -4020,16 +4033,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 					 skb_hwtstamps(skb));
 		}
 
-		err = mvpp2_rx_refill(port, bm_pool, pp, pool);
-		if (err) {
-			netdev_err(port->dev, "failed to refill BM pools\n");
-			dev_kfree_skb_any(skb);
-			goto err_drop_frame;
-		}
-
-		if (pp)
-			skb_mark_for_recycle(skb);
-		else
+		if (!pp)
 			dma_unmap_single_attrs(dev->dev.parent, dma_addr,
 					       bm_pool->buf_size, DMA_FROM_DEVICE,
 					       DMA_ATTR_SKIP_CPU_SYNC);
@@ -4048,13 +4052,14 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		continue;
 
 err_drop_frame:
-		dev->stats.rx_errors++;
-		mvpp2_rx_error(port, rx_desc);
 		/* Return the buffer to the pool */
 		if (rx_status & MVPP2_RXD_BUF_HDR)
 			mvpp2_buff_hdr_pool_put(port, rx_desc, pool, rx_status);
 		else
 			mvpp2_bm_pool_put(port, pool, dma_addr, phys_addr);
+err_drop_frame_retired:
+		dev->stats.rx_errors++;
+		mvpp2_rx_error(port, rx_desc);
 	}
 
 	if (xdp_ret & MVPP2_XDP_REDIR)
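Review bot: err_drop_frame_retired has no comment, while the comment "Return the buffer to the pool" stays under err_drop_frame. Jumping to the wrong label either leaks a buffer or hands hardware a buffer the driver no longer owns, so state at each label which ownership state it expects, for example that err_drop_frame_retired is only for buffers already released through page_pool_put_page() or mvpp2_frag_free().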
-- 
2.53.0





* [PATCH 6.1 232/522] usb: gadget: f_ncm: Fix net_device lifecycle with device_move
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 231/522] fs/ntfs3: Return error for inconsistent extended attributes Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 233/522] usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo Greg Kroah-Hartman
                   ` (290 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai,
	Jianqiang kang, Carlos Llamas, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuen-Han Tsai <khtsai@google.com>

[ Upstream commit ec35c1969650e7cb6c8a91020e568ed46e3551b0 ]

The network device outlived its parent gadget device during
disconnection, resulting in dangling sysfs links and null pointer
dereference problems.

A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]
was reverted due to power management ordering concerns and a NO-CARRIER
regression.

A subsequent attempt to defer net_device allocation to bind [2] broke
1:1 mapping between function instance and network device, making it
impossible for configfs to report the resolved interface name. This
results in a regression where the DHCP server fails on pmOS.

Use device_move to reparent the net_device between the gadget device and
/sys/devices/virtual/ across bind/unbind cycles. This preserves the
network interface across USB reconnection, allowing the DHCP server to
retain its binding.

Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use
__free(detach_gadget) macro to undo attachment on bind failure. The
bind_count ensures device_move executes only on the first bind.

[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/
[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/

Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-7-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Use no_free_ptr() since retain_and_null_ptr() is unavailable in Linux 6.1. ]
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/function/f_ncm.c   | 35 ++++++++++++++++++---------
 drivers/usb/gadget/function/u_ether.c | 22 +++++++++++++++++
 drivers/usb/gadget/function/u_ether.h | 26 ++++++++++++++++++++
 drivers/usb/gadget/function/u_ncm.h   |  2 +-
 4 files changed, 73 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
index addd016ffbb3f7..5e240cafbe9ee8 100644
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1440,6 +1440,7 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
 	struct f_ncm_opts	*ncm_opts;
 
 	struct usb_os_desc_table	*os_desc_table __free(kfree) = NULL;
+	struct net_device		*net __free(detach_gadget) = NULL;
 	struct usb_request		*request __free(free_usb_request) = NULL;
 
 	if (!can_support_ecm(cdev->gadget))
@@ -1453,16 +1454,18 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
 			return -ENOMEM;
 	}
 
-	mutex_lock(&ncm_opts->lock);
-	gether_set_gadget(ncm_opts->net, cdev->gadget);
-	if (!ncm_opts->bound)
-		status = gether_register_netdev(ncm_opts->net);
-	mutex_unlock(&ncm_opts->lock);
-
-	if (status)
-		return status;
-
-	ncm_opts->bound = true;
+	scoped_guard(mutex, &ncm_opts->lock)
+		if (ncm_opts->bind_count == 0) {
+			if (!device_is_registered(&ncm_opts->net->dev)) {
+				gether_set_gadget(ncm_opts->net, cdev->gadget);
+				status = gether_register_netdev(ncm_opts->net);
+			} else
+				status = gether_attach_gadget(ncm_opts->net, cdev->gadget);
+
+			if (status)
+				return status;
+			net = ncm_opts->net;
+		}
 
 	ncm_string_defs[1].s = ncm->ethaddr;
 
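Review bot: the body of scoped_guard(mutex, &ncm_opts->lock) is an unbraced if, and the inner if/else mixes a braced arm with an unbraced "} else" arm. Brace the guard body and both arms; the early "return status;" inside the guard is easy to misread as it stands.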
@@ -1562,6 +1565,9 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
 	}
         ncm->notify_req = no_free_ptr(request);
 
+	ncm_opts->bind_count++;
+	no_free_ptr(net);
+
 	DBG(cdev, "CDC Network: %s speed IN/%s OUT/%s NOTIFY/%s\n",
 			gadget_is_superspeed(c->cdev->gadget) ? "super" :
 			gadget_is_dualspeed(c->cdev->gadget) ? "dual" : "full",
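Review bot: bind_count is tested under ncm_opts->lock earlier in ncm_bind() but incremented here without it. If bind and unbind for one function instance are always serialized by the caller, say so in a comment next to the increment; otherwise move "ncm_opts->bind_count++;" under the same lock as the "bind_count == 0" test.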
@@ -1610,7 +1616,7 @@ static void ncm_free_inst(struct usb_function_instance *f)
 	struct f_ncm_opts *opts;
 
 	opts = container_of(f, struct f_ncm_opts, func_inst);
-	if (opts->bound)
+	if (device_is_registered(&opts->net->dev))
 		gether_cleanup(netdev_priv(opts->net));
 	else
 		free_netdev(opts->net);
@@ -1672,9 +1678,12 @@ static void ncm_free(struct usb_function *f)
 static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
 {
 	struct f_ncm *ncm = func_to_ncm(f);
+	struct f_ncm_opts *ncm_opts;
 
 	DBG(c->cdev, "ncm unbind\n");
 
+	ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
+
 	hrtimer_cancel(&ncm->task_timer);
 
 	kfree(f->os_desc_table);
@@ -1690,6 +1699,10 @@ static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
 
 	kfree(ncm->notify_req->buf);
 	usb_ep_free_request(ncm->notify, ncm->notify_req);
+
+	ncm_opts->bind_count--;
+	if (ncm_opts->bind_count == 0)
+		gether_detach_gadget(ncm_opts->net);
 }
 
 static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
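Review bot: the decrement in ncm_unbind() has no guard against an unbalanced unbind, and bind_count is a signed int. Once the counter goes negative it never returns to zero, so both the attach in ncm_bind() and gether_detach_gadget() here are skipped on every later cycle. A WARN_ON(ncm_opts->bind_count <= 0) before "ncm_opts->bind_count--;" would make that visible.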
diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index e84178bffe7803..e972de236be5e2 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -910,6 +910,28 @@ void gether_set_gadget(struct net_device *net, struct usb_gadget *g)
 }
 EXPORT_SYMBOL_GPL(gether_set_gadget);
 
+int gether_attach_gadget(struct net_device *net, struct usb_gadget *g)
+{
+	int ret;
+
+	ret = device_move(&net->dev, &g->dev, DPM_ORDER_DEV_AFTER_PARENT);
+	if (ret)
+		return ret;
+
+	gether_set_gadget(net, g);
+	return 0;
+}
+EXPORT_SYMBOL_GPL(gether_attach_gadget);
+
+void gether_detach_gadget(struct net_device *net)
+{
+	struct eth_dev *dev = netdev_priv(net);
+
+	device_move(&net->dev, NULL, DPM_ORDER_NONE);
+	dev->gadget = NULL;
+}
+EXPORT_SYMBOL_GPL(gether_detach_gadget);
+
 int gether_set_dev_addr(struct net_device *net, const char *dev_addr)
 {
 	struct eth_dev *dev;
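Review bot: gether_detach_gadget() discards the return value of device_move() and then clears dev->gadget unconditionally, while the net_device stays registered. Log or WARN on a failed move, and add a comment that every netdev or ethtool callback reaching dev->gadget must handle NULL after this point, since nothing in the helper synchronizes with them.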
diff --git a/drivers/usb/gadget/function/u_ether.h b/drivers/usb/gadget/function/u_ether.h
index 40144546d1b07f..3e12d60053c136 100644
--- a/drivers/usb/gadget/function/u_ether.h
+++ b/drivers/usb/gadget/function/u_ether.h
@@ -149,6 +149,32 @@ static inline struct net_device *gether_setup_default(void)
  */
 void gether_set_gadget(struct net_device *net, struct usb_gadget *g);
 
+/**
+ * gether_attach_gadget - Reparent net_device to the gadget device.
+ * @net: The network device to reparent.
+ * @g: The target USB gadget device to parent to.
+ *
+ * This function moves the network device to be a child of the USB gadget
+ * device in the device hierarchy. This is typically done when the function
+ * is bound to a configuration.
+ *
+ * Returns 0 on success, or a negative error code on failure.
+ */
+int gether_attach_gadget(struct net_device *net, struct usb_gadget *g);
+
+/**
+ * gether_detach_gadget - Detach net_device from its gadget parent.
+ * @net: The network device to detach.
+ *
+ * This function moves the network device to be a child of the virtual
+ * devices parent, effectively detaching it from the USB gadget device
+ * hierarchy. This is typically done when the function is unbound
+ * from a configuration but the instance is not yet freed.
+ */
+void gether_detach_gadget(struct net_device *net);
+
+DEFINE_FREE(detach_gadget, struct net_device *, if (_T) gether_detach_gadget(_T))
+
 /**
  * gether_set_dev_addr - initialize an ethernet-over-usb link with eth address
  * @net: device representing this link
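Review bot: the kernel-doc for gether_detach_gadget() describes the reparenting but not that the helper also sets the gadget pointer to NULL, which is the side effect callers and netdev callbacks need to know about. Add that sentence, and give DEFINE_FREE(detach_gadget, ...) a one-line comment saying it exists to undo an attach when bind fails.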
diff --git a/drivers/usb/gadget/function/u_ncm.h b/drivers/usb/gadget/function/u_ncm.h
index 5408854d84072d..297e5087872f3f 100644
--- a/drivers/usb/gadget/function/u_ncm.h
+++ b/drivers/usb/gadget/function/u_ncm.h
@@ -18,7 +18,7 @@
 struct f_ncm_opts {
 	struct usb_function_instance	func_inst;
 	struct net_device		*net;
-	bool				bound;
+	int				bind_count;
 
 	struct config_group		*ncm_interf_group;
 	struct usb_os_desc		ncm_os_desc;
-- 
2.53.0





* [PATCH 7.0 149/378] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 148/378] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 150/378] net: txgbe: initialize module info buffer Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit 77a6b90ce56bc982dcfa94229b8e28e6abb16e95 ]

When an XDP program uses bpf_xdp_adjust_head() or bpf_xdp_adjust_tail()
and then returns XDP_PASS, mvpp2 still builds the skb from fixed offsets
derived from the original RX descriptor. Packet geometry changes made by
the XDP program are therefore discarded before the skb reaches the stack.

Update rx_offset and rx_bytes from xdp.data and xdp.data_end for
XDP_PASS. This makes skb_reserve() and skb_put() reflect the packet seen
by XDP, and makes RX byte accounting for XDP_PASS follow the length of the
skb passed to the network stack.

Keep a separate rx_sync_size for page-pool recycling on skb allocation
failure, which must stay tied to the received buffer range.

Non-PASS verdicts continue to account the descriptor length because no skb
is passed up in those cases.

Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-5-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/marvell/mvpp2/mvpp2_main.c   | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 481daafdc1cbc7..ccc24a1301f22d 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3917,10 +3917,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		struct mvpp2_bm_pool *bm_pool;
 		struct page_pool *pp = NULL;
 		struct sk_buff *skb;
-		unsigned int frag_size;
+		unsigned int frag_size, rx_sync_size;
 		dma_addr_t dma_addr;
 		phys_addr_t phys_addr;
-		int pool, rx_bytes, err, ret;
+		int pool, rx_bytes, rx_offset, err, ret;
 		struct page *page;
 		void *data;
 
@@ -3933,6 +3933,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		rx_status = mvpp2_rxdesc_status_get(port, rx_desc);
 		rx_bytes = mvpp2_rxdesc_size_get(port, rx_desc);
 		rx_bytes -= MVPP2_MH_SIZE;
+		rx_sync_size = rx_bytes + MVPP2_MH_SIZE;
+		rx_offset = MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM;
 		dma_addr = mvpp2_rxdesc_dma_addr_get(port, rx_desc);
 
 		pool = (rx_status & MVPP2_RXD_BM_POOL_ID_MASK) >>
@@ -3948,7 +3950,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 
 		dma_sync_single_range_for_cpu(dev->dev.parent, dma_addr,
 					      MVPP2_SKB_HEADROOM,
-					      rx_bytes + MVPP2_MH_SIZE,
+					      rx_sync_size,
 					      dma_dir);
 
 		/* Buffer header not supported */
@@ -3999,6 +4001,14 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 				continue;
 			}
 
+			rx_sync_size = max_t(unsigned int, rx_sync_size,
+					     xdp.data_end - xdp.data_hard_start -
+					     MVPP2_SKB_HEADROOM);
+
+			/* Update offset and length to reflect any XDP adjustments. */
+			rx_offset = xdp.data     - data;
+			rx_bytes  = xdp.data_end - xdp.data;
+
 			metasize = xdp.data - xdp.data_meta;
 		}
 
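Review bot: the max_t() update of rx_sync_size has no comment, and its expression (xdp.data_end - xdp.data_hard_start - MVPP2_SKB_HEADROOM) is the least obvious line in the patch. Add a comment that it widens the page-pool sync range to cover tail growth by the XDP program. The aligned spacing in "rx_offset = xdp.data     - data;" also departs from the surrounding style.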
@@ -4010,8 +4020,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			netdev_warn(port->dev, "skb build failed\n");
 			if (pp) {
 				page_pool_put_page(pp, virt_to_head_page(data),
-						   rx_bytes + MVPP2_MH_SIZE,
-						   true);
+						   rx_sync_size, true);
 			} else {
 				dma_unmap_single_attrs(dev->dev.parent, dma_addr,
 						       bm_pool->buf_size,
@@ -4041,7 +4050,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		ps.rx_packets++;
 		ps.rx_bytes += rx_bytes;
 
-		skb_reserve(skb, MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM);
+		skb_reserve(skb, rx_offset);
 		skb_put(skb, rx_bytes);
 		if (metasize)
 			skb_metadata_set(skb, metasize);
-- 
2.53.0





* [PATCH 6.1 233/522] usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 232/522] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 234/522] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
                   ` (289 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Val Packett, stable, Kuen-Han Tsai,
	Carlos Llamas, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuen-Han Tsai <khtsai@google.com>

[ Upstream commit e002e92e88e12457373ed096b18716d97e7bbb20 ]

Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with
device_move") reparents the gadget device to /sys/devices/virtual during
unbind, clearing the gadget pointer. If the userspace tool queries on
the surviving interface during this detached window, this leads to a
NULL pointer dereference.

Unable to handle kernel NULL pointer dereference
Call trace:
 eth_get_drvinfo+0x50/0x90
 ethtool_get_drvinfo+0x5c/0x1f0
 __dev_ethtool+0xaec/0x1fe0
 dev_ethtool+0x134/0x2e0
 dev_ioctl+0x338/0x560

Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached,
skip copying the fw_version and bus_info strings, which is natively
handled by ethtool_get_drvinfo for empty strings.

Suggested-by: Val Packett <val@packett.cool>
Reported-by: Val Packett <val@packett.cool>
Closes: https://lore.kernel.org/linux-usb/10890524-cf83-4a71-b879-93e2b2cc1fcc@packett.cool/
Fixes: ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260316-eth-null-deref-v1-1-07005f33be85@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/function/u_ether.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index e972de236be5e2..83dfc5008b689e 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -147,8 +147,10 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
 
 	strscpy(p->driver, "g_ether", sizeof(p->driver));
 	strscpy(p->version, UETH__VERSION, sizeof(p->version));
-	strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
-	strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
+	if (dev->gadget) {
+		strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
+		strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
+	}
 }
 
 /* REVISIT can also support:
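Review bot: the new `if (dev->gadget)` test and the two strscpy() calls inside it each load dev->gadget separately, and nothing in this hunk shows a lock held across them, so an unbind that clears the pointer between the test and the use would still dereference NULL. Reading the pointer once into a local (for example `struct usb_gadget *gadget = READ_ONCE(dev->gadget);`) and using that local for both copies would close the window; otherwise the changelog should say what serializes this path against unbind.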
-- 
2.53.0





* [PATCH 7.0 150/378] net: txgbe: initialize module info buffer
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 149/378] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 151/378] net: txgbe: distinguish module types by checking identifier Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

[ Upstream commit 0487cfca46517ff6699c72dc1a8872b0af3c31a9 ]

The module info buffer should be initialized to 0 before the firmware
returns information. Otherwise, there is a risk that a buffer field
not filled by the firmware holds a random value.

Fixes: 343929799ace ("net: txgbe: Support to handle GPIO IRQs for AML devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-2-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
index f0514251d4f342..a7e81f9e1be148 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
@@ -335,7 +335,7 @@ static int txgbe_qsfp_to_linkmodes(struct wx *wx, struct txgbe_sff_id *id)
 
 int txgbe_identify_module(struct wx *wx)
 {
-	struct txgbe_hic_get_module_info buffer;
+	struct txgbe_hic_get_module_info buffer = { 0 };
 	struct txgbe_sff_id *id;
 	int err = 0;
 	u32 mod_abs;
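Review bot: at the `buffer` declaration, `= { 0 }` zeroes the named members, but C does not promise that padding bytes are cleared, and the commit message describes this object as a buffer that firmware only partly fills. If the structure has padding, memset(&buffer, 0, sizeof(buffer)) before the firmware call states the intent more strongly; if it has none, `= {}` is the more usual kernel spelling and does not depend on the type of the first member.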
-- 
2.53.0





* [PATCH 6.1 234/522] net: skbuff: fix missing zerocopy reference in pskb_carve helpers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 233/522] usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 235/522] tap: free page on error paths in tap_get_user_xdp() Greg Kroah-Hartman
                   ` (288 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
	Paolo Abeni, Salvatore Bonaccorso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Minh Nguyen <minhnguyen.080505@gmail.com>

commit 98d0912e9f841e5529a5b89a972805f34cb1c69d upstream.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.

KASAN reports use-after-free on a freed ubuf_info_msgzc:

  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
  Read of size 8 at addr ffff88801574d3e8 by task poc/220

  Call Trace:
   skb_release_data+0x77b/0x810
   kfree_skb_list_reason+0x13e/0x610
   skb_release_data+0x4cd/0x810
   sk_skb_reason_drop+0xf3/0x340
   skb_queue_purge_reason+0x282/0x440
   rds_tcp_inc_free+0x1e/0x30
   rds_recvmsg+0x354/0x1780
   __sys_recvmsg+0xdf/0x180

  Allocated by task 219:
   msg_zerocopy_realloc+0x157/0x7b0
   tcp_sendmsg_locked+0x2892/0x3ba0

  Freed by task 219:
   ip_recv_error+0x74a/0xb10
   tcp_recvmsg+0x475/0x530

The skb consuming the late access still referenced the same uarg via
shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.

The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().

Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[Salvatore Bonaccorso: Backport for context changes, as 6.1.y has not
511a3eda2f8d ("net: dropreason: propagate drop_reason to
skb_release_data()")].
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 41b2aaed7a14aa..f1f5b2b25f8522 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6247,6 +6247,8 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
 			kfree(data);
 			return -ENOMEM;
 		}
+		if (skb_zcopy(skb))
+			net_zcopy_get(skb_zcopy(skb));
 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
 			skb_frag_ref(skb, i);
 		if (skb_has_frag_list(skb))
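Review bot: in pskb_carve_inside_header(), the added reference carries no comment tying it to the memcpy() of skb_shared_info that duplicated destructor_arg, so a later reader can easily move or drop it. A short comment saying that the new shinfo copy holds its own uarg reference would help, and skb_zcopy(skb) could be evaluated once into a local instead of twice.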
@@ -6396,6 +6398,8 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
 		kfree(data);
 		return -ENOMEM;
 	}
+	if (skb_zcopy(skb))
+		net_zcopy_get(skb_zcopy(skb));
 	skb_release_data(skb);
 
 	skb->head = data;
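Review bot: in pskb_carve_inside_nonlinear(), correctness depends on net_zcopy_get() running before skb_release_data(skb), which drops the old shinfo's reference, and nothing in the code says so. Add a comment stating that ordering requirement, since swapping the two statements would bring back the premature free described in the commit message.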
-- 
2.53.0





* [PATCH 7.0 151/378] net: txgbe: distinguish module types by checking identifier
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 150/378] net: txgbe: initialize module info buffer Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 152/378] net: txgbe: initialize PHY interface to 0 Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

[ Upstream commit f2df54ddbfb04a006ee326a5d8270434a414e0af ]

Rework txgbe_identify_module() to validate module identifiers through
explicit type checks instead of relying on transceiver_type heuristics.
When using the SFP module, transceiver_type could be a random value,
because it was read from an invalid register.

Fixes: 57d39faed4c9 ("net: txgbe: improve functions of AML 40G devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-3-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
index a7e81f9e1be148..bdac654a236465 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
@@ -357,18 +357,16 @@ int txgbe_identify_module(struct wx *wx)
 	}
 
 	id = &buffer.id;
-	if (id->identifier != TXGBE_SFF_IDENTIFIER_SFP &&
-	    id->identifier != TXGBE_SFF_IDENTIFIER_QSFP &&
-	    id->identifier != TXGBE_SFF_IDENTIFIER_QSFP_PLUS &&
-	    id->identifier != TXGBE_SFF_IDENTIFIER_QSFP28) {
-		wx_err(wx, "Invalid module\n");
-		return -ENODEV;
-	}
-
-	if (id->transceiver_type == 0xFF)
+	if (id->identifier == TXGBE_SFF_IDENTIFIER_SFP)
 		return txgbe_sfp_to_linkmodes(wx, id);
 
-	return txgbe_qsfp_to_linkmodes(wx, id);
+	if (id->identifier == TXGBE_SFF_IDENTIFIER_QSFP ||
+	    id->identifier == TXGBE_SFF_IDENTIFIER_QSFP_PLUS ||
+	    id->identifier == TXGBE_SFF_IDENTIFIER_QSFP28)
+		return txgbe_qsfp_to_linkmodes(wx, id);
+
+	wx_err(wx, "Invalid module\n");
+	return -EINVAL;
 }
 
 void txgbe_setup_link(struct wx *wx)
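Review bot: the fall-through path for an unrecognized identifier now returns -EINVAL where the removed code returned -ENODEV, and the commit message does not mention the change. If any caller of txgbe_identify_module() distinguishes -ENODEV, its behaviour changes; either keep -ENODEV or record the new return value in the changelog.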
-- 
2.53.0





* [PATCH 6.1 235/522] tap: free page on error paths in tap_get_user_xdp()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 234/522] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 236/522] KVM: arm64: Remove VPIPT I-cache handling Greg Kroah-Hartman
                   ` (287 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Harshit Mogalapalli,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 ]

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().

Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
Fixes: ed7f2afdd0e0 ("tap: add missing verification for short frame")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260521163230.1478627-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index f8e7b163810de6..15ab71f5288ac3 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1157,6 +1157,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
 	int err, depth;
 
 	if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
+		put_page(virt_to_head_page(xdp->data));
 		err = -EINVAL;
 		goto err;
 	}
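Review bot: the put_page(virt_to_head_page(xdp->data)) added in the short-frame branch is repeated verbatim in the build_skb() failure branch of the next hunk. A dedicated label ahead of `err:` that frees the page would keep the two early exits in step and make it harder for a future early return in this function to miss the free.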
@@ -1166,6 +1167,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
 
 	skb = build_skb(xdp->data_hard_start, buflen);
 	if (!skb) {
+		put_page(virt_to_head_page(xdp->data));
 		err = -ENOMEM;
 		goto err;
 	}
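Review bot: in the build_skb() failure branch the page is looked up from xdp->data, while the buffer handed to build_skb() starts at xdp->data_hard_start. Both resolve to the same head page only if the whole frame sits inside one allocation; a comment saying so, or using xdp->data_hard_start for the lookup, would make that assumption explicit.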
-- 
2.53.0





* [PATCH 7.0 152/378] net: txgbe: initialize PHY interface to 0
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 151/378] net: txgbe: distinguish module types by checking identifier Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 153/378] ipv6: Fix a potential NPD in cleanup_prefix_route() Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

[ Upstream commit 47f848aac4e79bdb197f849fa86e71fff1ad36ef ]

DECLARE_PHY_INTERFACE_MASK() does not guarantee zeroed contents. Add a
new macro DECLARE_PHY_INTERFACE_MASK_ZERO() so that the stack variable
is zeroed before setting supported interfaces.

Fixes: 57d39faed4c9 ("net: txgbe: improve functions of AML 40G devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-4-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c  | 4 ++--
 drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
index bdac654a236465..8fc32df8e49a44 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
@@ -204,7 +204,7 @@ int txgbe_set_phy_link(struct wx *wx)
 static int txgbe_sfp_to_linkmodes(struct wx *wx, struct txgbe_sff_id *id)
 {
 	__ETHTOOL_DECLARE_LINK_MODE_MASK(modes) = { 0, };
-	DECLARE_PHY_INTERFACE_MASK(interfaces);
+	DECLARE_PHY_INTERFACE_MASK_ZERO(interfaces);
 	struct txgbe *txgbe = wx->priv;
 
 	if (id->cable_tech & TXGBE_SFF_DA_PASSIVE_CABLE) {
@@ -271,7 +271,7 @@ static int txgbe_sfp_to_linkmodes(struct wx *wx, struct txgbe_sff_id *id)
 static int txgbe_qsfp_to_linkmodes(struct wx *wx, struct txgbe_sff_id *id)
 {
 	__ETHTOOL_DECLARE_LINK_MODE_MASK(modes) = { 0, };
-	DECLARE_PHY_INTERFACE_MASK(interfaces);
+	DECLARE_PHY_INTERFACE_MASK_ZERO(interfaces);
 	struct txgbe *txgbe = wx->priv;
 
 	if (id->transceiver_type & TXGBE_SFF_ETHERNET_40G_CR4) {
diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
index 6b05f32b4a0109..877234e3fdc2b6 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
@@ -315,6 +315,9 @@ void txgbe_up(struct wx *wx);
 int txgbe_setup_tc(struct net_device *dev, u8 tc);
 void txgbe_do_reset(struct net_device *netdev);
 
+#define DECLARE_PHY_INTERFACE_MASK_ZERO(name) \
+	unsigned long name[PHY_INTERFACE_MODE_MAX] = { 0, }
+
 #define TXGBE_LINK_SPEED_UNKNOWN        0
 #define TXGBE_LINK_SPEED_10GB_FULL      4
 #define TXGBE_LINK_SPEED_25GB_FULL      0x10
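Review bot: DECLARE_PHY_INTERFACE_MASK_ZERO() declares an array of PHY_INTERFACE_MODE_MAX unsigned longs, one long per interface mode, whereas a bitmap of PHY_INTERFACE_MODE_MAX bits needs only BITS_TO_LONGS(PHY_INTERFACE_MODE_MAX) of them. If the mask is used as a bitmap, as its name suggests, this is harmless for correctness but puts a much larger object than necessary on the stack in both callers; `DECLARE_BITMAP(name, PHY_INTERFACE_MODE_MAX) = { 0, }` would size it as a bitmap. The generic-looking name also lives in a driver-private header, so a txgbe prefix or a comment would avoid confusion with DECLARE_PHY_INTERFACE_MASK().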
-- 
2.53.0





* [PATCH 6.1 236/522] KVM: arm64: Remove VPIPT I-cache handling
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 235/522] tap: free page on error paths in tap_get_user_xdp() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 237/522] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
                   ` (286 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zenghui Yu, Anshuman Khandual,
	Marc Zyngier, Mark Rutland, Will Deacon, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <maz@kernel.org>

commit ced242ba9d7cb3571f6e0f165f643cb832d52148 upstream.

We have some special handling for VPIPT I-cache in critical parts
of the cache and TLB maintenance. Remove it.

Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20231204143606.1806432-2-maz@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: Backport to v6.1.y. VPIPT HW was never built; this is all dead code]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/kvm_mmu.h |  4 ++--
 arch/arm64/kvm/hyp/nvhe/tlb.c    | 35 --------------------------------
 arch/arm64/kvm/hyp/vhe/tlb.c     | 13 ------------
 3 files changed, 2 insertions(+), 50 deletions(-)

diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
index 7784081088e78f..1495fcddd98e58 100644
--- a/arch/arm64/include/asm/kvm_mmu.h
+++ b/arch/arm64/include/asm/kvm_mmu.h
@@ -214,8 +214,8 @@ static inline void __invalidate_icache_guest_page(void *va, size_t size)
 	if (icache_is_aliasing()) {
 		/* any kind of VIPT cache */
 		icache_inval_all_pou();
-	} else if (is_kernel_in_hyp_mode() || !icache_is_vpipt()) {
-		/* PIPT or VPIPT at EL2 (see comment in __kvm_tlb_flush_vmid_ipa) */
+	} else {
+		/* PIPT */
 		icache_inval_pou((unsigned long)va, (unsigned long)va + size);
 	}
 }
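Review bot: with the VPIPT test gone, the else branch of __invalidate_icache_guest_page() is labelled only "PIPT", and the changelog says "Remove it" without giving a reason; the justification appears only in the backport tag ("VPIPT HW was never built; this is all dead code"). Stating that reason in the commit body would help anyone who bisects to this change.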
diff --git a/arch/arm64/kvm/hyp/nvhe/tlb.c b/arch/arm64/kvm/hyp/nvhe/tlb.c
index d296d617f58963..291789df24e3ee 100644
--- a/arch/arm64/kvm/hyp/nvhe/tlb.c
+++ b/arch/arm64/kvm/hyp/nvhe/tlb.c
@@ -84,28 +84,6 @@ void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu,
 	dsb(ish);
 	isb();
 
-	/*
-	 * If the host is running at EL1 and we have a VPIPT I-cache,
-	 * then we must perform I-cache maintenance at EL2 in order for
-	 * it to have an effect on the guest. Since the guest cannot hit
-	 * I-cache lines allocated with a different VMID, we don't need
-	 * to worry about junk out of guest reset (we nuke the I-cache on
-	 * VMID rollover), but we do need to be careful when remapping
-	 * executable pages for the same guest. This can happen when KSM
-	 * takes a CoW fault on an executable page, copies the page into
-	 * a page that was previously mapped in the guest and then needs
-	 * to invalidate the guest view of the I-cache for that page
-	 * from EL1. To solve this, we invalidate the entire I-cache when
-	 * unmapping a page from a guest if we have a VPIPT I-cache but
-	 * the host is running at EL1. As above, we could do better if
-	 * we had the VA.
-	 *
-	 * The moral of this story is: if you have a VPIPT I-cache, then
-	 * you should be running with VHE enabled.
-	 */
-	if (icache_is_vpipt())
-		icache_inval_all_pou();
-
 	__tlb_switch_to_host(&cxt);
 }
 
@@ -144,18 +122,5 @@ void __kvm_flush_vm_context(void)
 {
 	dsb(ishst);
 	__tlbi(alle1is);
-
-	/*
-	 * VIPT and PIPT caches are not affected by VMID, so no maintenance
-	 * is necessary across a VMID rollover.
-	 *
-	 * VPIPT caches constrain lookup and maintenance to the active VMID,
-	 * so we need to invalidate lines with a stale VMID to avoid an ABA
-	 * race after multiple rollovers.
-	 *
-	 */
-	if (icache_is_vpipt())
-		asm volatile("ic ialluis");
-
 	dsb(ish);
 }
diff --git a/arch/arm64/kvm/hyp/vhe/tlb.c b/arch/arm64/kvm/hyp/vhe/tlb.c
index 24cef9b87f9e9c..fc3fcd29ccc306 100644
--- a/arch/arm64/kvm/hyp/vhe/tlb.c
+++ b/arch/arm64/kvm/hyp/vhe/tlb.c
@@ -146,18 +146,5 @@ void __kvm_flush_vm_context(void)
 {
 	dsb(ishst);
 	__tlbi(alle1is);
-
-	/*
-	 * VIPT and PIPT caches are not affected by VMID, so no maintenance
-	 * is necessary across a VMID rollover.
-	 *
-	 * VPIPT caches constrain lookup and maintenance to the active VMID,
-	 * so we need to invalidate lines with a stale VMID to avoid an ABA
-	 * race after multiple rollovers.
-	 *
-	 */
-	if (icache_is_vpipt())
-		asm volatile("ic ialluis");
-
 	dsb(ish);
 }
-- 
2.53.0





* [PATCH 7.0 153/378] ipv6: Fix a potential NPD in cleanup_prefix_route()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 152/378] net: txgbe: initialize PHY interface to 0 Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 154/378] ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, David Ahern, Ido Schimmel,
	Paolo Abeni, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@nvidia.com>

[ Upstream commit b70c687b7cf267fb08586667a3946c8851cad672 ]

addrconf_get_prefix_route() can return the fib6_null_entry sentinel
entry which has a NULL fib6_table pointer. Therefore, before setting the
route's expiration time, check that we are not working with this entry,
as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf_get_prefix_route() are not
susceptible to this bug:

1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF |
   RTF_PREFIX_RT' flags which are not set on fib6_null_entry.

2. modify_prefix_route(): Fixed by commit a747e02430df ("ipv6: avoid
   possible NULL deref in modify_prefix_route()").

3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for
   fib6_null_entry and returns an error.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[...]
Call Trace:
<TASK>
__kasan_check_byte (mm/kasan/common.c:573)
lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))
_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))
cleanup_prefix_route (net/ipv6/addrconf.c:1280)
ipv6_del_addr (net/ipv6/addrconf.c:1342)
inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)
inet6_rtm_deladdr (net/ipv6/addrconf.c:4812)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6997)
netlink_rcv_skb (net/netlink/af_netlink.c:2555)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1899)
__sock_sendmsg (net/socket.c:802 (discriminator 4))
____sys_sendmsg (net/socket.c:2698)
___sys_sendmsg (net/socket.c:2752)
__sys_sendmsg (net/socket.c:2784)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 5eb902b8e719 ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260609145448.768318-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/addrconf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index e5276be71062a3..8f8fdc9cfce224 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1264,6 +1264,7 @@ static void
 cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires,
 		     bool del_rt, bool del_peer)
 {
+	struct net *net = dev_net(ifp->idev->dev);
 	struct fib6_table *table;
 	struct fib6_info *f6i;
 
@@ -1272,9 +1273,10 @@ cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires,
 					ifp->idev->dev, 0, RTF_DEFAULT, true);
 	if (f6i) {
 		if (del_rt)
-			ip6_del_rt(dev_net(ifp->idev->dev), f6i, false);
+			ip6_del_rt(net, f6i, false);
 		else {
-			if (!(f6i->fib6_flags & RTF_EXPIRES)) {
+			if (f6i != net->ipv6.fib6_null_entry &&
+			    !(f6i->fib6_flags & RTF_EXPIRES)) {
 				table = f6i->fib6_table;
 				spin_lock_bh(&table->tb6_lock);
 
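Review bot: the fib6_null_entry test guards only the else branch; the del_rt branch still passes f6i to ip6_del_rt() unchecked and is safe only because, per the commit message, ip6_del_rt() rejects the sentinel itself. A brief comment at the `if (f6i)` block noting that asymmetry, or a single early check for the sentinel ahead of both branches, would make the invariant visible in the code.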
-- 
2.53.0





* [PATCH 6.1 237/522] arm64: tlb: Allow XZR argument to TLBI ops
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 236/522] KVM: arm64: Remove VPIPT I-cache handling Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 238/522] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
                   ` (285 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Marc Zyngier, Oliver Upton, Ryan Roberts, Will Deacon,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit bfd9c931d19aa59fb8371d557774fa169b15db9a upstream.

The TLBI instruction accepts XZR as a register argument, and for TLBI
operations with a register argument, there is no functional difference
between using XZR or another GPR which contains zeroes. Operations
without a register argument are encoded as if XZR were used.

Allow the __TLBI_1() macro to use XZR when a register argument is all
zeroes.

Today this only results in a trivial code saving in
__do_compat_cache_op()'s workaround for Neoverse-N1 erratum #1542419. In
subsequent patches this pattern will be used more generally.

There should be no functional change as a result of this patch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Mark: Backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/tlbflush.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
index 412a3b9a3c25dc..2626a45849c241 100644
--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -37,12 +37,12 @@
 			    : : )
 
 #define __TLBI_1(op, arg) asm (ARM64_ASM_PREAMBLE			       \
-			       "tlbi " #op ", %0\n"			       \
+			       "tlbi " #op ", %x0\n"			       \
 		   ALTERNATIVE("nop\n			nop",		       \
-			       "dsb ish\n		tlbi " #op ", %0",     \
+			       "dsb ish\n		tlbi " #op ", %x0",    \
 			       ARM64_WORKAROUND_REPEAT_TLBI,		       \
 			       CONFIG_ARM64_WORKAROUND_REPEAT_TLBI)	       \
-			    : : "r" (arg))
+			    : : "rZ" (arg))
 
 #define __TLBI_N(op, arg, n, ...) __TLBI_##n(op, arg)
 
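Review bot: in __TLBI_1(), the "rZ" constraint and the %x0 operand modifier are only correct together, and the modifier has to appear in both the primary instruction and the ALTERNATIVE replacement string, as it does here. A comment above the macro recording that pairing would stop a later edit from changing one of the three sites and not the others.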
-- 
2.53.0





* [PATCH 7.0 154/378] ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 153/378] ipv6: Fix a potential NPD in cleanup_prefix_route() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 155/378] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kean Ren, Charles Keepax, Mark Brown,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kean Ren <rh_king@163.com>

[ Upstream commit e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd ]

sdca_dev_unregister_functions() iterates over all SDCA function
descriptors and calls sdca_dev_unregister() on each func_dev without
checking for NULL. When a function registration has failed partway
through, or the device cleanup races with probe deferral, func_dev
entries may be NULL, leading to a kernel oops:

  BUG: kernel NULL pointer dereference, address: 0000000000000040
  RIP: 0010:device_del+0x1e/0x3e0
  Call Trace:
   sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
   release_nodes+0x35/0xb0
   devres_release_all+0x90/0x100
   device_unbind_cleanup+0xe/0x80
   device_release_driver_internal+0x1c1/0x200
   bus_remove_device+0xc6/0x130
   device_del+0x161/0x3e0
   device_unregister+0x17/0x60
   sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
   sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
   ...
   sof_probe_work+0x19/0x30 [snd_sof]

This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
with the SOF audio driver probe failing due to missing Panther Lake
firmware, causing the subsequent cleanup of SoundWire devices to
trigger the crash.

Fix this with three changes:

1) Add a NULL guard in sdca_dev_unregister() so that callers do not
   need to pre-validate the pointer (defense in depth).

2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
   and clear func_dev to NULL after unregistration, making the
   function idempotent and safe against double-invocation.

3) In sdca_dev_register_functions(), roll back all previously
   registered functions when a later one fails, so the function
   array is never left in a partially-populated state.

Fixes: 4496d1c65bad ("ASoC: SDCA: add function devices")
Signed-off-by: Kean Ren <rh_king@163.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260611023757.1553960-1-rh_king@163.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/sdca/sdca_function_device.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/sound/soc/sdca/sdca_function_device.c b/sound/soc/sdca/sdca_function_device.c
index feacfbc6a51880..b5ca98283a8895 100644
--- a/sound/soc/sdca/sdca_function_device.c
+++ b/sound/soc/sdca/sdca_function_device.c
@@ -82,6 +82,9 @@ static struct sdca_dev *sdca_dev_register(struct device *parent,
 
 static void sdca_dev_unregister(struct sdca_dev *sdev)
 {
+	if (!sdev)
+		return;
+
 	auxiliary_device_delete(&sdev->auxdev);
 	auxiliary_device_uninit(&sdev->auxdev);
 }
@@ -90,14 +93,24 @@ int sdca_dev_register_functions(struct sdw_slave *slave)
 {
 	struct sdca_device_data *sdca_data = &slave->sdca_data;
 	int i;
+	int ret;
 
 	for (i = 0; i < sdca_data->num_functions; i++) {
 		struct sdca_dev *func_dev;
 
 		func_dev = sdca_dev_register(&slave->dev,
 					     &sdca_data->function[i]);
-		if (IS_ERR(func_dev))
-			return PTR_ERR(func_dev);
+		if (IS_ERR(func_dev)) {
+			ret = PTR_ERR(func_dev);
+			/*
+			 * Unregister functions that were successfully
+			 * registered before this failure. This also
+			 * sets func_dev to NULL so the caller will not
+			 * try to unregister them again.
+			 */
+			sdca_dev_unregister_functions(slave);
+			return ret;
+		}
 
 		sdca_data->function[i].func_dev = func_dev;
 	}
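Review bot: The rollback in the IS_ERR() branch calls sdca_dev_unregister_functions(slave), which walks all num_functions entries rather than only indices 0..i-1, so it is safe only if every function[].func_dev slot that has not been registered yet is NULL at this point. Nothing in this hunk establishes that. Either extend the new comment to state that sdca_data->function[] is zero-initialised before the first registration attempt, or unwind explicitly over the entries this call registered with a `while (i--)` loop. Separately, `ret` is used only inside the error branch and could be declared there.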
@@ -111,7 +124,12 @@ void sdca_dev_unregister_functions(struct sdw_slave *slave)
 	struct sdca_device_data *sdca_data = &slave->sdca_data;
 	int i;
 
-	for (i = 0; i < sdca_data->num_functions; i++)
+	for (i = 0; i < sdca_data->num_functions; i++) {
+		if (!sdca_data->function[i].func_dev)
+			continue;
+
 		sdca_dev_unregister(sdca_data->function[i].func_dev);
+		sdca_data->function[i].func_dev = NULL;
+	}
 }
 EXPORT_SYMBOL_NS(sdca_dev_unregister_functions, "SND_SOC_SDCA");
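Review bot: The check, unregister and `func_dev = NULL` sequence in the loop is not atomic, so the "safe against double-invocation" claim in the changelog holds only for calls that are serialised. If two teardown paths can reach sdca_dev_unregister_functions() concurrently, both can pass the `!sdca_data->function[i].func_dev` test before either clears the pointer. Please add a comment above the function naming the lock or call ordering that serialises callers, or take one here.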
-- 
2.53.0





* [PATCH 6.1 238/522] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 237/522] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 239/522] iomap: dont revert iov_iter on partially completed buffered writes Greg Kroah-Hartman
                   ` (284 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Marc Zyngier, Oliver Upton, Ryan Roberts, Will Deacon,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit a8f78680ee6bf795086384e8aea159a52814f827 upstream.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several
errata where broadcast TLBI;DSB sequences don't provide all the
architecturally required synchronization. The workaround performs more
work than necessary, and can have significant overhead. This patch
optimizes the workaround, as explained below.

The workaround was originally added for Qualcomm Falkor erratum 1009 in
commit:

  d9ff80f83ecb ("arm64: Work around Falkor erratum 1009")

As noted in the message for that commit, the workaround is applied even
in cases where it is not strictly necessary.

The workaround was later reused without changes for:

* Arm Cortex-A76 erratum #1286807
  SDEN v33: https://developer.arm.com/documentation/SDEN-885749/33-0/

* Arm Cortex-A55 erratum #2441007
  SDEN v16: https://developer.arm.com/documentation/SDEN-859338/1600/

* Arm Cortex-A510 erratum #2441009
  SDEN v19: https://developer.arm.com/documentation/SDEN-1873351/1900/

The important details to note are as follows:

1. All relevant errata only affect the ordering and/or completion of
   memory accesses which have been translated by an invalidated TLB
   entry. The actual invalidation of TLB entries is unaffected.

2. The existing workaround is applied to both broadcast and local TLB
   invalidation, whereas for all relevant errata it is only necessary to
   apply a workaround for broadcast invalidation.

3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI
   sequence, whereas for all relevant errata it is only necessary to
   execute a single additional TLBI;DSB sequence after any number of
   TLBIs are completed by a DSB.

   For example, for a sequence of batched TLBIs:

       TLBI <op1>[, <arg1>]
       TLBI <op2>[, <arg2>]
       TLBI <op3>[, <arg3>]
       DSB ISH

   ... the existing workaround will expand this to:

       TLBI <op1>[, <arg1>]
       DSB ISH                  // additional
       TLBI <op1>[, <arg1>]     // additional
       TLBI <op2>[, <arg2>]
       DSB ISH                  // additional
       TLBI <op2>[, <arg2>]     // additional
       TLBI <op3>[, <arg3>]
       DSB ISH                  // additional
       TLBI <op3>[, <arg3>]     // additional
       DSB ISH

   ... whereas it is sufficient to have:

       TLBI <op1>[, <arg1>]
       TLBI <op2>[, <arg2>]
       TLBI <op3>[, <arg3>]
       DSB ISH
       TLBI <opX>[, <argX>]     // additional
       DSB ISH                  // additional

   Using a single additional TLBI and DSB at the end of the sequence can
   have significantly lower overhead as each DSB which completes a TLBI
   must synchronize with other PEs in the system, with potential
   performance effects both locally and system-wide.

4. The existing workaround repeats each specific TLBI operation, whereas
   for all relevant errata it is sufficient for the additional TLBI to
   use *any* operation which will be broadcast, regardless of which
   translation regime or stage of translation the operation applies to.

   For example, for a single TLBI:

       TLBI ALLE2IS
       DSB ISH

   ... the existing workaround will expand this to:

       TLBI ALLE2IS
       DSB ISH
       TLBI ALLE2IS             // additional
       DSB ISH                  // additional

   ... whereas it is sufficient to have:

       TLBI ALLE2IS
       DSB ISH
       TLBI VALE1IS, XZR        // additional
       DSB ISH                  // additional

   As the additional TLBI doesn't have to match a specific earlier TLBI,
   the additional TLBI can be implemented in separate code, with no
   memory of the earlier TLBIs. The additional TLBI can also use a
   cheaper TLBI operation.

5. The existing workaround is applied to both Stage-1 and Stage-2 TLB
   invalidation, whereas for all relevant errata it is only necessary to
   apply a workaround for Stage-1 invalidation.

   Architecturally, TLBI operations which invalidate only Stage-2
   information (e.g. IPAS2E1IS) are not required to invalidate TLB
   entries which combine information from Stage-1 and Stage-2
   translation table entries, and consequently may not complete memory
   accesses translated by those combined entries. In these cases,
   completion of memory accesses is only guaranteed after subsequent
   invalidation of Stage-1 information (e.g. VMALLE1IS).

Taking the above points into account, this patch reworks the workaround
logic to reduce overhead:

* New __tlbi_sync_s1ish() and __tlbi_sync_s1ish_hyp() functions are
  added and used in place of any dsb(ish) which is used to complete
  broadcast Stage-1 TLB maintenance. When the
  ARM64_WORKAROUND_REPEAT_TLBI workaround is enabled, these helpers will
  execute an additional TLBI;DSB sequence.

  For consistency, it might make sense to add __tlbi_sync_*() helpers
  for local and stage 2 maintenance. For now I've left those with
  open-coded dsb() to keep the diff small.

* The duplication of TLBIs in __TLBI_0() and __TLBI_1() is removed. This
  is no longer needed as the necessary synchronization will happen in
  __tlbi_sync_s1ish() or __tlbi_sync_s1ish_hyp().

* The additional TLBI operation is chosen to have minimal impact:

  - __tlbi_sync_s1ish() uses "TLBI VALE1IS, XZR". This is only used at
    EL1 or at EL2 with {E2H,TGE}=={1,1}, where it will target an unused
    entry for the reserved ASID in the kernel's own translation regime,
    and have no adverse effect.

  - __tlbi_sync_s1ish_hyp() uses "TLBI VALE2IS, XZR". This is only used
    in hyp code, where it will target an unused entry in the hyp code's
    TTBR0 mapping, and should have no adverse effect.

* As __TLBI_0() and __TLBI_1() no longer replace each TLBI with a
  TLBI;DSB;TLBI sequence, batching TLBIs is worthwhile, and there's no
  need for arch_tlbbatch_should_defer() to consider
  ARM64_WORKAROUND_REPEAT_TLBI.

When building defconfig with GCC 15.1.0, compared to v6.19-rc1, this
patch saves ~1KiB of text, makes the vmlinux ~42KiB smaller, and makes
the resulting Image 64KiB smaller:

| [mark@lakrids:~/src/linux]% size vmlinux-*
|    text    data     bss     dec     hex filename
| 21179831        19660919         708216 41548966        279fca6 vmlinux-after
| 21181075        19660903         708216 41550194        27a0172 vmlinux-before
| [mark@lakrids:~/src/linux]% ls -l vmlinux-*
| -rwxr-xr-x 1 mark mark 157771472 Feb  4 12:05 vmlinux-after
| -rwxr-xr-x 1 mark mark 157815432 Feb  4 12:05 vmlinux-before
| [mark@lakrids:~/src/linux]% ls -l Image-*
| -rw-r--r-- 1 mark mark 41007616 Feb  4 12:05 Image-after
| -rw-r--r-- 1 mark mark 41073152 Feb  4 12:05 Image-before

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Mark: Backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/tlbflush.h | 48 ++++++++++++++++++++++---------
 arch/arm64/kernel/sys_compat.c    |  2 +-
 arch/arm64/kvm/hyp/nvhe/tlb.c     |  6 ++--
 arch/arm64/kvm/hyp/pgtable.c      |  2 +-
 arch/arm64/kvm/hyp/vhe/tlb.c      |  6 ++--
 5 files changed, 42 insertions(+), 22 deletions(-)

diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
index 2626a45849c241..289c3948d5b08a 100644
--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -30,18 +30,10 @@
  */
 #define __TLBI_0(op, arg) asm (ARM64_ASM_PREAMBLE			       \
 			       "tlbi " #op "\n"				       \
-		   ALTERNATIVE("nop\n			nop",		       \
-			       "dsb ish\n		tlbi " #op,	       \
-			       ARM64_WORKAROUND_REPEAT_TLBI,		       \
-			       CONFIG_ARM64_WORKAROUND_REPEAT_TLBI)	       \
 			    : : )
 
 #define __TLBI_1(op, arg) asm (ARM64_ASM_PREAMBLE			       \
 			       "tlbi " #op ", %x0\n"			       \
-		   ALTERNATIVE("nop\n			nop",		       \
-			       "dsb ish\n		tlbi " #op ", %x0",    \
-			       ARM64_WORKAROUND_REPEAT_TLBI,		       \
-			       CONFIG_ARM64_WORKAROUND_REPEAT_TLBI)	       \
 			    : : "rZ" (arg))
 
 #define __TLBI_N(op, arg, n, ...) __TLBI_##n(op, arg)
@@ -158,6 +150,34 @@ static inline unsigned long get_trans_granule(void)
 #define __TLBI_RANGE_NUM(pages, scale)	\
 	((((pages) >> (5 * (scale) + 1)) & TLBI_RANGE_MASK) - 1)
 
+#define __repeat_tlbi_sync(op, arg...)						\
+do {										\
+	if (!alternative_has_feature_unlikely(ARM64_WORKAROUND_REPEAT_TLBI))	\
+		break;								\
+	__tlbi(op, ##arg);							\
+	dsb(ish);								\
+} while (0)
+
+/*
+ * Complete broadcast TLB maintenance issued by the host which invalidates
+ * stage 1 information in the host's own translation regime.
+ */
+static inline void __tlbi_sync_s1ish(void)
+{
+	dsb(ish);
+	__repeat_tlbi_sync(vale1is, 0);
+}
+
+/*
+ * Complete broadcast TLB maintenance issued by hyp code which invalidates
+ * stage 1 translation information in any translation regime.
+ */
+static inline void __tlbi_sync_s1ish_hyp(void)
+{
+	dsb(ish);
+	__repeat_tlbi_sync(vale2is, 0);
+}
+
 /*
  *	TLB Invalidation
  *	================
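Review bot: `__repeat_tlbi_sync(vale1is, 0)` and `__repeat_tlbi_sync(vale2is, 0)` pass a literal 0 with no comment saying why that operand is harmless. The changelog has the reasoning (the extra TLBI targets an unused entry for the reserved ASID at EL1, or an unused entry in the hyp TTBR0 mapping), and the "rZ" constraint in __TLBI_1() is what lets the 0 be emitted as XZR. That belongs in the comments above __tlbi_sync_s1ish() and __tlbi_sync_s1ish_hyp(), together with a statement that the helpers are for broadcast Stage-1 maintenance only, so that nobody later substitutes them at local or Stage-2-only dsb() sites.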
@@ -239,7 +259,7 @@ static inline void flush_tlb_all(void)
 {
 	dsb(ishst);
 	__tlbi(vmalle1is);
-	dsb(ish);
+	__tlbi_sync_s1ish();
 	isb();
 }
 
@@ -251,7 +271,7 @@ static inline void flush_tlb_mm(struct mm_struct *mm)
 	asid = __TLBI_VADDR(0, ASID(mm));
 	__tlbi(aside1is, asid);
 	__tlbi_user(aside1is, asid);
-	dsb(ish);
+	__tlbi_sync_s1ish();
 }
 
 static inline void flush_tlb_page_nosync(struct vm_area_struct *vma,
@@ -269,7 +289,7 @@ static inline void flush_tlb_page(struct vm_area_struct *vma,
 				  unsigned long uaddr)
 {
 	flush_tlb_page_nosync(vma, uaddr);
-	dsb(ish);
+	__tlbi_sync_s1ish();
 }
 
 /*
@@ -357,7 +377,7 @@ static inline void __flush_tlb_range(struct vm_area_struct *vma,
 		}
 		scale++;
 	}
-	dsb(ish);
+	__tlbi_sync_s1ish();
 }
 
 static inline void flush_tlb_range(struct vm_area_struct *vma,
@@ -386,7 +406,7 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end
 	dsb(ishst);
 	for (addr = start; addr < end; addr += 1 << (PAGE_SHIFT - 12))
 		__tlbi(vaale1is, addr);
-	dsb(ish);
+	__tlbi_sync_s1ish();
 	isb();
 }
 
@@ -400,7 +420,7 @@ static inline void __flush_tlb_kernel_pgtable(unsigned long kaddr)
 
 	dsb(ishst);
 	__tlbi(vaae1is, addr);
-	dsb(ish);
+	__tlbi_sync_s1ish();
 	isb();
 }
 #endif
diff --git a/arch/arm64/kernel/sys_compat.c b/arch/arm64/kernel/sys_compat.c
index df14336c3a29cf..2bc2ac91d79e39 100644
--- a/arch/arm64/kernel/sys_compat.c
+++ b/arch/arm64/kernel/sys_compat.c
@@ -37,7 +37,7 @@ __do_compat_cache_op(unsigned long start, unsigned long end)
 			 * We pick the reserved-ASID to minimise the impact.
 			 */
 			__tlbi(aside1is, __TLBI_VADDR(0, 0));
-			dsb(ish);
+			__tlbi_sync_s1ish();
 		}
 
 		ret = caches_clean_inval_user_pou(start, start + chunk);
diff --git a/arch/arm64/kvm/hyp/nvhe/tlb.c b/arch/arm64/kvm/hyp/nvhe/tlb.c
index 291789df24e3ee..76973e3b48a076 100644
--- a/arch/arm64/kvm/hyp/nvhe/tlb.c
+++ b/arch/arm64/kvm/hyp/nvhe/tlb.c
@@ -81,7 +81,7 @@ void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu,
 	 */
 	dsb(ish);
 	__tlbi(vmalle1is);
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 	isb();
 
 	__tlb_switch_to_host(&cxt);
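Review bot: Only the second barrier in this sequence is converted; the `dsb(ish)` ahead of `__tlbi(vmalle1is)` stays open-coded. That matches point 5 of the changelog if the earlier barrier completes Stage-2-only invalidation, but the two adjacent barriers now look inconsistent. Extend the existing comment above them to say the first one is deliberately left as a plain dsb(ish). The same applies to the matching hunk in vhe/tlb.c.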
@@ -97,7 +97,7 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)
 	__tlb_switch_to_guest(mmu, &cxt);
 
 	__tlbi(vmalls12e1is);
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 	isb();
 
 	__tlb_switch_to_host(&cxt);
@@ -122,5 +122,5 @@ void __kvm_flush_vm_context(void)
 {
 	dsb(ishst);
 	__tlbi(alle1is);
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 }
diff --git a/arch/arm64/kvm/hyp/pgtable.c b/arch/arm64/kvm/hyp/pgtable.c
index f0167dc7438f8a..d2838de92b4796 100644
--- a/arch/arm64/kvm/hyp/pgtable.c
+++ b/arch/arm64/kvm/hyp/pgtable.c
@@ -486,7 +486,7 @@ static int hyp_unmap_walker(u64 addr, u64 end, u32 level, kvm_pte_t *ptep,
 		data->unmapped += granule;
 	}
 
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 	isb();
 	mm_ops->put_page(ptep);
 
diff --git a/arch/arm64/kvm/hyp/vhe/tlb.c b/arch/arm64/kvm/hyp/vhe/tlb.c
index fc3fcd29ccc306..59aa22b48e9538 100644
--- a/arch/arm64/kvm/hyp/vhe/tlb.c
+++ b/arch/arm64/kvm/hyp/vhe/tlb.c
@@ -105,7 +105,7 @@ void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu,
 	 */
 	dsb(ish);
 	__tlbi(vmalle1is);
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 	isb();
 
 	__tlb_switch_to_host(&cxt);
@@ -121,7 +121,7 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)
 	__tlb_switch_to_guest(mmu, &cxt);
 
 	__tlbi(vmalls12e1is);
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 	isb();
 
 	__tlb_switch_to_host(&cxt);
@@ -146,5 +146,5 @@ void __kvm_flush_vm_context(void)
 {
 	dsb(ishst);
 	__tlbi(alle1is);
-	dsb(ish);
+	__tlbi_sync_s1ish_hyp();
 }
-- 
2.53.0





* [PATCH 7.0 155/378] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 154/378] ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 156/378] clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Hans de Goede,
	Bjorn Andersson, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <johannes.goede@oss.qualcomm.com>

[ Upstream commit bc27dbefae6ed11376d991a2921eff806ffef67c ]

Parking disp_cc_mdss_mdp_clk_src at 19.2MHz causes the EFI GOP framebuffer
to stop functioning. The EFI GOP framebuffer should keep working until
the msm display driver loads, to help with boot debugging and to ensure
display output when the msm module is not in the initramfs.

Switch disp_cc_mdss_mdp_clk_src over to clk_rcg2_shared_no_init_park_ops
to keep the EFI GOP working after binding the x1e80100-dispcc driver.

Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Fixes: 01a0a6cc8cfd ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/20260425123351.6292-1-johannes.goede@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/qcom/dispcc-x1e80100.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/qcom/dispcc-x1e80100.c b/drivers/clk/qcom/dispcc-x1e80100.c
index aa7fd43969f9c8..cd45bedf26494c 100644
--- a/drivers/clk/qcom/dispcc-x1e80100.c
+++ b/drivers/clk/qcom/dispcc-x1e80100.c
@@ -580,7 +580,7 @@ static struct clk_rcg2 disp_cc_mdss_mdp_clk_src = {
 		.parent_data = disp_cc_parent_data_6,
 		.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
 		.flags = CLK_SET_RATE_PARENT,
-		.ops = &clk_rcg2_shared_ops,
+		.ops = &clk_rcg2_shared_no_init_park_ops,
 	},
 };
 
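Review bot: The `.ops = &clk_rcg2_shared_no_init_park_ops` line carries no comment, so the reason for choosing the no_init_park variant over clk_rcg2_shared_ops lives only in the changelog. A one-line comment above it, saying the clock must not be parked at registration because the EFI GOP framebuffer depends on it until the msm driver takes over, would keep a later cleanup from switching it back.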
-- 
2.53.0





* [PATCH 6.1 239/522] iomap: dont revert iov_iter on partially completed buffered writes
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 238/522] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 240/522] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
                   ` (283 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gregg Leventhal, Eric Hagberg,
	Brian Foster, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Foster <bfoster@redhat.com>

Gregg reports that the iomap retry behavior for nonblocking (nowait)
append writes is broken. The problem occurs when an append write is
first submitted in non-blocking mode (i.e. via io_uring), partially
completes before hitting -EAGAIN, and then is resubmitted from
blocking context.

The specific problem is that at least one iteration of the loop in
iomap_write_iter() completes in non-blocking context and thus has
bumped i_size. The next iteration hits -EAGAIN, reverts the iov_iter
and returns. io_uring retries the entire append write from blocking
context, but since i_size has already been increased, the data that
was partially written on the first attempt is rewritten at the new
i_size. This is essentially an intra-write data corruption since the
data written to the file does not reflect the write from userspace.

This problem is already fixed on master as of commit 1a1a3b574b97
("iomap: advance the iter directly on buffered writes"). That commit
was primarily intended to clean up iomap iter state tracking, but it
also happened to remove the iov_iter revert and thus accidentally
fix this problem as well. Without the revert, iomap will commit
partial progress internally and loop once more before it more than
likely hits -EAGAIN and returns partial progress consistent with the
inode updates. This means the blocking retry from io_uring will pick
up where the first attempt left off at the current i_size and
perform the remainder of the write correctly.

Cc: <stable@vger.kernel.org>
Fixes: 18e419f6e80a ("iomap: Return -EAGAIN from iomap_write_iter()")
Reported-by: Gregg Leventhal <gleventhal@janestreet.com>
Reported-by: Eric Hagberg <ehagberg@janestreet.com>
Signed-off-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/iomap/buffered-io.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index c3408ba636632a..243cb2ec76ed2e 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -821,10 +821,6 @@ static loff_t iomap_write_iter(struct iomap_iter *iter, struct iov_iter *i)
 		length -= status;
 	} while (iov_iter_count(i) && length);
 
-	if (status == -EAGAIN) {
-		iov_iter_revert(i, written);
-		return -EAGAIN;
-	}
 	return written ? written : status;
 }
 
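Review bot: With the -EAGAIN branch removed, `return written ? written : status;` alone decides what a nowait caller sees, and nothing at that line says the short return is deliberate. Add a comment there stating that -EAGAIN after partial progress must return `written` with the iov_iter left advanced, because an earlier loop iteration may already have bumped i_size; that would stop a later cleanup from reinstating iov_iter_revert(). The changelog cites 1a1a3b574b97 as the mainline fix but has no upstream-commit line, so it should also say explicitly that this is a stable-only change.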
-- 
2.53.0





* [PATCH 7.0 156/378] clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 155/378] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 157/378] clk: qcom: dispcc-sc8280xp: Dont park mdp_clk_src at registration time Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Peter Griffin,
	Tudor Ambarus, Krzysztof Kozlowski, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuan-Wei Chiu <visitorckw@gmail.com>

[ Upstream commit 78ee734b36284d82454e87a92094fdb926985b47 ]

In the peric0_clk_regs array, the divider register offset for USI6 was
accidentally listed twice, while the divider for USI7 was omitted.

Missing this DIV register causes the USI7 clock divider setting to be
lost and reset to its hardware default value during a suspend/resume
cycle.

Replace the duplicated USI6 DIV entry with the correct USI7 DIV
register.

Fixes: 893f133a040b ("clk: samsung: gs101: add support for cmu_peric0")
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260505171457.1960837-1-visitorckw@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/samsung/clk-gs101.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/samsung/clk-gs101.c b/drivers/clk/samsung/clk-gs101.c
index 44a8ecd332fddc..b439b7ae30ea39 100644
--- a/drivers/clk/samsung/clk-gs101.c
+++ b/drivers/clk/samsung/clk-gs101.c
@@ -3921,7 +3921,7 @@ static const unsigned long peric0_clk_regs[] __initconst = {
 	CLK_CON_DIV_DIV_CLK_PERIC0_USI4_USI,
 	CLK_CON_DIV_DIV_CLK_PERIC0_USI5_USI,
 	CLK_CON_DIV_DIV_CLK_PERIC0_USI6_USI,
-	CLK_CON_DIV_DIV_CLK_PERIC0_USI6_USI,
+	CLK_CON_DIV_DIV_CLK_PERIC0_USI7_USI,
 	CLK_CON_DIV_DIV_CLK_PERIC0_USI8_USI,
 	CLK_CON_BUF_CLKBUF_PERIC0_IP,
 	CLK_CON_GAT_CLK_BLK_PERIC0_UID_PERIC0_CMU_PERIC0_IPCLKPORT_PCLK,
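Review bot: The replaced line sat in a run of near-identical CLK_CON_DIV_DIV_CLK_PERIC0_USIn_USI entries, and a duplicate in a flat `unsigned long` offset array builds without any warning. Since the effect shows up only after a suspend/resume cycle, the changelog should state that the rest of peric0_clk_regs[] was checked for repeated or missing entries, not only the USI7 divider.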
-- 
2.53.0





* [PATCH 6.1 240/522] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 239/522] iomap: dont revert iov_iter on partially completed buffered writes Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 241/522] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
                   ` (282 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanghyun Park, Steffen Klassert,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanghyun Park <sanghyun.park.cnu@gmail.com>

[ Upstream commit 7f2d76c9c03257c0782afef9d95321fa04096f60 ]

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

  CPU0 (XFRM_MSG_DELPOLICY)           CPU1 (XFRM_MSG_NEWSPDINFO)
  ==========================          ==========================
  xfrm_policy_bysel_ctx():
    spin_lock_bh(xfrm_policy_lock)
    bin = xfrm_policy_inexact_lookup()
    __xfrm_policy_unlink(pol)
    spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_kill(ret)
    // wide window, lock not held
                                       xfrm_hash_rebuild():
                                         spin_lock_bh(xfrm_policy_lock)
                                         __xfrm_policy_inexact_flush():
                                           kfree_rcu(bin)  // bin freed
                                         spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_inexact_prune_bin(bin)
    // UAF: bin is freed

Fixes: 6be3b0db6db8 ("xfrm: policy: add inexact policy search tree infrastructure")
Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_policy.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cebbb47f701f47..aeb994f96192cd 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1124,15 +1124,6 @@ static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool
 	}
 }
 
-static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
-{
-	struct net *net = read_pnet(&b->k.net);
-
-	spin_lock_bh(&net->xfrm.xfrm_policy_lock);
-	__xfrm_policy_inexact_prune_bin(b, false);
-	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
-}
-
 static void __xfrm_policy_inexact_flush(struct net *net)
 {
 	struct xfrm_pol_inexact_bin *bin, *t;
@@ -1723,12 +1714,12 @@ xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
 		}
 		ret = pol;
 	}
+	if (bin && delete)
+		__xfrm_policy_inexact_prune_bin(bin, false);
 	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
 
 	if (ret && delete)
 		xfrm_policy_kill(ret);
-	if (bin && delete)
-		xfrm_policy_inexact_prune_bin(bin);
 	return ret;
 }
 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
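Review bot: `__xfrm_policy_inexact_prune_bin(bin, false)` now relies on the caller holding net->xfrm.xfrm_policy_lock, and with the locking wrapper removed the only hint of that requirement is the double-underscore name. If __xfrm_policy_inexact_prune_bin() does not already assert it, add lockdep_assert_held() on that lock at its top (the net pointer is reachable through read_pnet(&b->k.net), as the removed wrapper did), so a future call site outside the lock fails loudly instead of reintroducing the use-after-free. The prune also now runs before xfrm_policy_kill(ret) rather than after it; the changelog should say why that reordering is safe.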
-- 
2.53.0





* [PATCH 7.0 157/378] clk: qcom: dispcc-sc8280xp: Dont park mdp_clk_src at registration time
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 156/378] clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 158/378] drm/i915/edp: Check supported link rates DPCD read Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pengyu Luo,
	Jérôme de Bretagne, Bjorn Andersson, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pengyu Luo <mitltlatltl@gmail.com>

[ Upstream commit 5285b046757844435d1db96c1b5c3a6621b2979a ]

Parking disp{0,1}_cc_mdss_mdp_clk_src clk broke simplefb on HUAWEI
Gaokun3, the image will be stuck at grey for seconds until msm takes
over framebuffer. Use clk_rcg2_shared_no_init_park_ops to skip it.

Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Tested-by: Jérôme de Bretagne <jerome.debretagne@gmail.com>
Fixes: 01a0a6cc8cfd ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/20260303150152.90685-1-mitltlatltl@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/qcom/dispcc-sc8280xp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/qcom/dispcc-sc8280xp.c b/drivers/clk/qcom/dispcc-sc8280xp.c
index e91dfed0f37e9b..acc927c2142ab5 100644
--- a/drivers/clk/qcom/dispcc-sc8280xp.c
+++ b/drivers/clk/qcom/dispcc-sc8280xp.c
@@ -977,7 +977,7 @@ static struct clk_rcg2 disp0_cc_mdss_mdp_clk_src = {
 		.name = "disp0_cc_mdss_mdp_clk_src",
 		.parent_data = disp0_cc_parent_data_5,
 		.num_parents = ARRAY_SIZE(disp0_cc_parent_data_5),
-		.ops = &clk_rcg2_shared_ops,
+		.ops = &clk_rcg2_shared_no_init_park_ops,
 	},
 };
 
@@ -991,7 +991,7 @@ static struct clk_rcg2 disp1_cc_mdss_mdp_clk_src = {
 		.name = "disp1_cc_mdss_mdp_clk_src",
 		.parent_data = disp1_cc_parent_data_5,
 		.num_parents = ARRAY_SIZE(disp1_cc_parent_data_5),
-		.ops = &clk_rcg2_shared_ops,
+		.ops = &clk_rcg2_shared_no_init_park_ops,
 	},
 };
 
-- 
2.53.0





* [PATCH 6.1 241/522] netlabel: validate unlabeled address and mask attribute lengths
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 240/522] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 242/522] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls Greg Kroah-Hartman
                   ` (281 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chenguang Zhao, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chenguang Zhao <zhaochenguang@kylinos.cn>

[ Upstream commit 9772589b57e44aedc240211c5c3f7a684a034d3a ]

netlbl_unlabel_addrinfo_get() used the address attribute length to
determine whether the attribute data could be read as an IPv4 or IPv6
address, but did not independently validate the corresponding mask
attribute length.  A crafted Generic Netlink request could therefore
provide a valid IPv4/IPv6 address attribute with a shorter mask
attribute, which would later be read as a full struct in_addr or
struct in6_addr.

NLA_BINARY policy lengths are maximum lengths by default, so use
NLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask
attributes.  This rejects short attributes during policy validation and
also exposes the exact length requirements through policy introspection.

Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections")
Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlabel/netlabel_unlabeled.c | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 9996883bf2b78d..6007cb000da678 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -114,14 +114,14 @@ static struct genl_family netlbl_unlabel_gnl_family;
 /* NetLabel Netlink attribute policy */
 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
 	[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
-	[NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in6_addr) },
-	[NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in6_addr) },
-	[NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in_addr) },
-	[NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
-				      .len = sizeof(struct in_addr) },
+	[NLBL_UNLABEL_A_IPV6ADDR] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+	[NLBL_UNLABEL_A_IPV6MASK] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+	[NLBL_UNLABEL_A_IPV4ADDR] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+	[NLBL_UNLABEL_A_IPV4MASK] =
+		NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
 	[NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
 				   .len = IFNAMSIZ - 1 },
 	[NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
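Review bot: NLBL_UNLABEL_A_SECCTX at the end of this table is now the only NLA_BINARY entry without a length, so policy validation puts no bound of its own on it. If the consumers of that attribute expect a maximum, state it here with .len so the table documents the size of every binary attribute the way the four address and mask entries now do.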
@@ -764,24 +764,14 @@ static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
 				       void **mask,
 				       u32 *len)
 {
-	u32 addr_len;
-
 	if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
 	    info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
-		addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
-		if (addr_len != sizeof(struct in_addr) &&
-		    addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
-			return -EINVAL;
-		*len = addr_len;
+		*len = sizeof(struct in_addr);
 		*addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
 		*mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
 		return 0;
 	} else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
-		addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
-		if (addr_len != sizeof(struct in6_addr) &&
-		    addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
-			return -EINVAL;
-		*len = addr_len;
+		*len = sizeof(struct in6_addr);
 		*addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
 		*mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
 		return 0;
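Review bot: the IPv6 branch tests only info->attrs[NLBL_UNLABEL_A_IPV6ADDR] and then calls nla_data() on NLBL_UNLABEL_A_IPV6MASK, while the IPv4 branch tests both attributes. An exact-length policy only constrains attributes that are present, so with the length checks gone nothing in this function covers an absent IPv6 mask. Either add `&& info->attrs[NLBL_UNLABEL_A_IPV6MASK]` to the else-if, or add a comment naming the caller-side check this relies on.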
-- 
2.53.0
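The length handling described in the commit message above, as an added example that is not part of the patch or of the kernel source: a userspace model (struct attr, policy_check() and the other names are hypothetical) of a maximum-length policy followed by the removed handler check, next to an exact-length policy. It shows which IPv4 address/mask length pairs each variant accepts, using constructed sample payloads.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_LEN 4u   /* stands in for sizeof(struct in_addr) */

/* Userspace model of a parsed attribute: claimed payload length + payload. */
struct attr {
	uint16_t len;
	const uint8_t *data;
};

enum len_rule { LEN_MAX, LEN_EXACT };   /* "at most len" vs "exactly len" */

struct policy {
	enum len_rule rule;
	uint16_t len;
};

/* Constructed sample payloads. */
static const uint8_t sample_addr[IPV4_LEN] = { 192, 0, 2, 1 };
static const uint8_t sample_mask[IPV4_LEN] = { 255, 255, 255, 0 };

/* Policy stage, run before the handler sees the attribute. */
static int policy_check(const struct attr *a, const struct policy *p)
{
	if (p->rule == LEN_EXACT)
		return a->len == p->len ? 0 : -ERANGE;
	return a->len <= p->len ? 0 : -ERANGE;
}

/* Handler check modelled on the lines the patch removes: it rejects only
 * when the address length is wrong AND differs from the mask length. */
static int old_handler_check(const struct attr *addr, const struct attr *mask)
{
	if (addr->len != IPV4_LEN && addr->len != mask->len)
		return -EINVAL;
	return 0;
}

/* Before: maximum-length policy, then the handler check. */
int validate_before(const struct attr *addr, const struct attr *mask)
{
	const struct policy p = { LEN_MAX, IPV4_LEN };
	int err;

	err = policy_check(addr, &p);
	if (!err)
		err = policy_check(mask, &p);
	if (!err)
		err = old_handler_check(addr, mask);
	return err;
}

/* After: exact-length policy; the handler can then use a fixed length. */
int validate_after(const struct attr *addr, const struct attr *mask)
{
	const struct policy p = { LEN_EXACT, IPV4_LEN };
	int err;

	err = policy_check(addr, &p);
	if (!err)
		err = policy_check(mask, &p);
	return err;
}

/* Bytes a consumer would read past the payload if it treated an accepted
 * attribute as a full IPv4 address or mask. Nothing is actually read. */
size_t bytes_past_payload(const struct attr *a)
{
	return a->len < IPV4_LEN ? IPV4_LEN - a->len : 0;
}

int main(void)
{
	const struct attr addr = { 4, sample_addr };
	const struct attr short_addr = { 2, sample_addr };
	const struct attr short_mask = { 2, sample_mask };

	printf("full addr, short mask:  before=%d after=%d past-payload=%zu\n",
	       validate_before(&addr, &short_mask),
	       validate_after(&addr, &short_mask),
	       bytes_past_payload(&short_mask));
	printf("short addr, short mask: before=%d after=%d\n",
	       validate_before(&short_addr, &short_mask),
	       validate_after(&short_addr, &short_mask));
	return 0;
}
```

The second case shows that the removed `&&` check also let through an address and mask that were both short, as long as their lengths matched.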





* [PATCH 7.0 158/378] drm/i915/edp: Check supported link rates DPCD read
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 157/378] clk: qcom: dispcc-sc8280xp: Dont park mdp_clk_src at registration time Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 159/378] drm/virtio: Fix driver removal with disabled KMS Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Jani Nikula,
	Tvrtko Ursulin, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>

[ Upstream commit 2673cefa99ca918e7ac5b0388ff578a83656c896 ]

intel_edp_set_sink_rates() reads DP_SUPPORTED_LINK_RATES into a local
stack array and then parses the array unconditionally. If the read
fails, the array contents are not valid and may result in bogus sink
link rates being used.

Use drm_dp_dpcd_read_data() and clear the sink rate array on failure,
so the existing parser falls back to the default sink rate handling.

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Fixes: 68f357cb7347 ("drm/i915/dp: generate and cache sink rate array for all DP, not just eDP 1.4")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patch.msgid.link/20260529145759.1640646-1-n.zhandarovich@fintech.ru
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit bd61c7756b34157e093028225a69383b4b1203cc)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_dp.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
index d52205d714eee6..afd4169ac0a6c0 100644
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -4533,10 +4533,17 @@ intel_edp_set_sink_rates(struct intel_dp *intel_dp)
 
 	if (intel_dp->edp_dpcd[0] >= DP_EDP_14) {
 		__le16 sink_rates[DP_MAX_SUPPORTED_RATES];
+		int ret;
 		int i;
 
-		drm_dp_dpcd_read(&intel_dp->aux, DP_SUPPORTED_LINK_RATES,
-				 sink_rates, sizeof(sink_rates));
+		ret = drm_dp_dpcd_read_data(&intel_dp->aux,
+					    DP_SUPPORTED_LINK_RATES,
+					    sink_rates, sizeof(sink_rates));
+		if (ret < 0) {
+			drm_dbg_kms(display->drm,
+				    "Unable to read eDP supported link rates, using default rates\n");
+			memset(sink_rates, 0, sizeof(sink_rates));
+		}
 
 		for (i = 0; i < ARRAY_SIZE(sink_rates); i++) {
 			int rate;
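Review bot: the failure branch logs "Unable to read eDP supported link rates, using default rates" without the error, so the value in ret is lost once the branch ends. Include it in the drm_dbg_kms() message (for example with %d) so a failed read can be told apart by cause when reading the log. Initialising sink_rates at its declaration would also remove the need for the memset() in the error path.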
-- 
2.53.0





* [PATCH 6.1 242/522] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 241/522] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 243/522] tcp: restrict SO_ATTACH_FILTER to priv users Greg Kroah-Hartman
                   ` (280 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Fitzgerald <rf@opensource.cirrus.com>

[ Upstream commit 7d3fb78b550301e43fdc60312aed733069694426 ]

In wm_adsp_control_remove() check that the priv pointer is not NULL
before attempting to clean up what it points to.

When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that
wm_adsp can create its own private control data. There are two cases
where private data is not created:

1. The control is a SYSTEM control, so an ALSA control is not created.

2. The codec driver has registered a control_add() callback that
   hides the control, so wm_adsp_control_add() is not called.

When cs_dsp_remove destroys its control list it calls
wm_adsp_control_remove() for each control. But wm_adsp_control_remove()
was attempting to clean up the private data pointed to by cs_ctl->priv
without checking the pointer for NULL.

Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 0700bc2fb94c ("ASoC: wm_adsp: Separate generic cs_dsp_coeff_ctl handling")
Link: https://patch.msgid.link/20260604101244.1402862-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/wm_adsp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
index 47a4c363227ccd..bc9798ea5a25e2 100644
--- a/sound/soc/codecs/wm_adsp.c
+++ b/sound/soc/codecs/wm_adsp.c
@@ -666,6 +666,9 @@ static void wm_adsp_control_remove(struct cs_dsp_coeff_ctl *cs_ctl)
 {
 	struct wm_coeff_ctl *ctl = cs_ctl->priv;
 
+	if (!ctl)
+		return;
+
 	cancel_work_sync(&ctl->work);
 
 	kfree(ctl->name);
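Review bot: the new `if (!ctl) return;` has no comment, and a reader of wm_adsp_control_remove() cannot tell from the code why cs_ctl->priv may legitimately be NULL. The commit message names the two cases (SYSTEM controls, and controls hidden by a codec driver's control_add() callback); a one-line comment above the check saying so would keep the guard from looking like a masked bug.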
-- 
2.53.0





* [PATCH 7.0 159/378] drm/virtio: Fix driver removal with disabled KMS
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 158/378] drm/i915/edp: Check supported link rates DPCD read Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 160/378] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Osipenko, Ryosuke Yasuoka,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Osipenko <dmitry.osipenko@collabora.com>

[ Upstream commit f329e8325e054bd6d84d10904f8dd51137281b92 ]

DRM atomic and modesetting aren't initialized if the virtio-gpu driver is
built with disabled KMS, leading to access of uninitialized data on driver
removal/unbinding and crashing the kernel. Fix it by skipping shutting down
the atomic core with unavailable KMS.

Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Link: https://patch.msgid.link/20260604122743.13383-1-dmitry.osipenko@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/virtio/virtgpu_drv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c
index a5ce96fb8a1d24..9af740bda83593 100644
--- a/drivers/gpu/drm/virtio/virtgpu_drv.c
+++ b/drivers/gpu/drm/virtio/virtgpu_drv.c
@@ -124,7 +124,10 @@ static void virtio_gpu_remove(struct virtio_device *vdev)
 	struct drm_device *dev = vdev->priv;
 
 	drm_dev_unplug(dev);
-	drm_atomic_helper_shutdown(dev);
+
+	if (drm_core_check_feature(dev, DRIVER_ATOMIC))
+		drm_atomic_helper_shutdown(dev);
+
 	virtio_gpu_deinit(dev);
 	drm_dev_put(dev);
 }
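Review bot: the condition uses DRIVER_ATOMIC as a stand-in for "KMS was initialised", but nothing at the call site says so. A short comment above `if (drm_core_check_feature(dev, DRIVER_ATOMIC))` explaining that atomic state does not exist when the driver is built with KMS disabled would document why the shutdown is conditional while drm_dev_unplug() and virtio_gpu_deinit() around it stay unconditional.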
-- 
2.53.0





* [PATCH 6.1 243/522] tcp: restrict SO_ATTACH_FILTER to priv users
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 242/522] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 244/522] net/mlx4: avoid GCC 10 __bad_copy_from() false positive Greg Kroah-Hartman
                   ` (279 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Tamir Shahar,
	Amit Klein, Willem de Bruijn, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman,
	Kumar Kartikeya Dwivedi, Song Liu, Yonghong Song, Jiri Olsa,
	John Fastabend, Stanislav Fomichev, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 5d39580f68e6ddeedd15e587282207489dfb3da2 ]

This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
to users with CAP_NET_ADMIN capability.

This blocks a potential side-channel attack where an unprivileged application
attaches a filter to leak TCP sequence/acknowledgment numbers.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Tamir Shahar <tamirthesis@gmail.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Stanislav Fomichev <sdf@fomichev.me>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/sock.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/sock.c b/net/core/sock.c
index 62411c8870e855..5f79f0b78321c8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1294,6 +1294,11 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
 	case SO_ATTACH_FILTER: {
 		struct sock_fprog fprog;
 
+		if (sk_is_tcp(sk) &&
+		    !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+			ret = -EPERM;
+			break;
+		}
 		ret = copy_bpf_fprog_from_user(&fprog, optval, optlen);
 		if (!ret)
 			ret = sk_attach_filter(&fprog, sk);
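Review bot: the new check in the SO_ATTACH_FILTER case has no comment, and -EPERM for an unprivileged caller on a TCP socket is a userspace-visible change of behaviour. Add a comment above `if (sk_is_tcp(sk) &&` stating that the gate exists because a filter on a TCP socket can observe sequence and acknowledgment numbers, so the reason for treating TCP differently from other socket types is recorded next to the code. The hunk covers this one option only; say in the comment or the commit message whether the other filter-attach options were considered.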
-- 
2.53.0





* [PATCH 7.0 160/378] drm/vc4: fix krealloc() memory leak
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 159/378] drm/virtio: Fix driver removal with disabled KMS Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 161/378] drm/colorop: Remove read-only comments from interpolation fields Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander A. Klimov,
	Maíra Canal, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander A. Klimov <grandmaster@al2klimov.de>

[ Upstream commit 5d563a5da8717629ae72f9eadf1e0e340bd1658b ]

Don't just overwrite the original pointer passed to krealloc()
with its return value without checking the latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

While on it, use krealloc_array().

Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patch.msgid.link/20260606123817.37222-1-grandmaster@al2klimov.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vc4/vc4_validate_shaders.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
index d48cf76983c09b..66502a6a4a8e7b 100644
--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
@@ -290,15 +290,16 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
 {
 	uint32_t o = validated_shader->num_uniform_addr_offsets;
 	uint32_t num_uniforms = validated_shader->uniforms_size / 4;
+	u32 *offsets;
 
-	validated_shader->uniform_addr_offsets =
-		krealloc(validated_shader->uniform_addr_offsets,
-			 (o + 1) *
-			 sizeof(*validated_shader->uniform_addr_offsets),
-			 GFP_KERNEL);
-	if (!validated_shader->uniform_addr_offsets)
+	offsets = krealloc_array(validated_shader->uniform_addr_offsets,
+				 o + 1,
+				 sizeof(*validated_shader->uniform_addr_offsets),
+				 GFP_KERNEL);
+	if (!offsets)
 		return false;
 
+	validated_shader->uniform_addr_offsets = offsets;
 	validated_shader->uniform_addr_offsets[o] = num_uniforms;
 	validated_shader->num_uniform_addr_offsets++;
 
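Review bot: the new local is declared `u32 *offsets` directly under two `uint32_t` locals, so the function now mixes both spellings of the same type; use uint32_t here to match. With the temporary in hand, the store can also be written `offsets[o] = num_uniforms;`, which avoids re-reading the field that was just assigned.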
-- 
2.53.0





* [PATCH 6.1 244/522] net/mlx4: avoid GCC 10 __bad_copy_from() false positive
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 243/522] tcp: restrict SO_ATTACH_FILTER to priv users Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 245/522] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
                   ` (278 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yao Sang, Jacob Keller,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yao Sang <sangyao@kylinos.cn>

[ Upstream commit 2365343f4aad3e1b1e7a2e87e98cf66d5e590589 ]

mlx4_init_user_cqes() fills a scratch buffer with the CQE
initialization pattern and then copies from that buffer to userspace.

In the single-copy path, the copy length is array_size(entries,
cqe_size), but the scratch buffer is allocated with PAGE_SIZE. GCC 10
does not carry the branch invariant strongly enough through the object
size checks and falsely triggers __bad_copy_from().

Size the scratch buffer to the actual copy length for the active path,
keep array_size() for the single-copy case, and retain a WARN_ON_ONCE()
guard for the PAGE_SIZE invariant before allocating the buffer.

Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()")
Signed-off-by: Yao Sang <sangyao@kylinos.cn>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index 4d4f9cf9facb87..fb83d8af8dcb9c 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn)
 static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 {
 	int entries_per_copy = PAGE_SIZE / cqe_size;
+	size_t copy_bytes;
 	void *init_ents;
 	int err = 0;
 	int i;
@@ -314,8 +315,14 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 			buf += PAGE_SIZE;
 		}
 	} else {
+		copy_bytes = array_size(entries, cqe_size);
+		if (WARN_ON_ONCE(copy_bytes > PAGE_SIZE)) {
+			err = -EINVAL;
+			goto out;
+		}
+
 		err = copy_to_user((void __user *)buf, init_ents,
-				   array_size(entries, cqe_size)) ?
+				   copy_bytes) ?
 			-EFAULT : 0;
 	}
 
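Review bot: the WARN_ON_ONCE(copy_bytes > PAGE_SIZE) guard sits inside the else branch and leaves through `goto out`, whereas the commit message describes sizing the scratch buffer to the copy length and guarding before the allocation; neither hunk touches the allocation. Adjust the description for this backport or note the deviation, and confirm that the `out` label frees init_ents so the new early exit does not leak it.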
-- 
2.53.0





* [PATCH 7.0 161/378] drm/colorop: Remove read-only comments from interpolation fields
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 160/378] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 162/378] drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chaitanya Kumar Borah, Alex Hung,
	Melissa Wen, Melissa Wen, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Hung <alex.hung@amd.com>

[ Upstream commit e480228cf65583040c894bb9cc02e1d5b328cee0 ]

The lut1d_interpolation and lut3d_interpolation fields and their
associated properties were marked as read-only, but userspace
can set them via drm_atomic_colorop_set_property().

Fixes: 7fa3ee8c0a79 ("drm/colorop: Define LUT_1D interpolation")
Fixes: db971856bbe0 ("drm/colorop: Add 3D LUT support to color pipeline")
Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-2-mwen@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/drm/drm_colorop.h | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/include/drm/drm_colorop.h b/include/drm/drm_colorop.h
index a3a32f9f918c73..5bcb510e56c0a7 100644
--- a/include/drm/drm_colorop.h
+++ b/include/drm/drm_colorop.h
@@ -296,7 +296,6 @@ struct drm_colorop {
 	/**
 	 * @lut1d_interpolation:
 	 *
-	 * Read-only
 	 * Interpolation for DRM_COLOROP_1D_LUT
 	 */
 	enum drm_colorop_lut1d_interpolation_type lut1d_interpolation;
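Review bot: with "Read-only" removed, the kerneldoc for @lut1d_interpolation (and for @lut3d_interpolation in the next hunk) says nothing about who may change the field. Since the commit message gives drm_atomic_colorop_set_property() as the write path, say in the comment that userspace sets the value through the interpolation property, so the documentation states the mutability instead of only dropping the wrong claim.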
@@ -304,7 +303,6 @@ struct drm_colorop {
 	/**
 	 * @lut3d_interpolation:
 	 *
-	 * Read-only
 	 * Interpolation for DRM_COLOROP_3D_LUT
 	 */
 	enum drm_colorop_lut3d_interpolation_type lut3d_interpolation;
@@ -312,7 +310,7 @@ struct drm_colorop {
 	/**
 	 * @lut1d_interpolation_property:
 	 *
-	 * Read-only property for DRM_COLOROP_1D_LUT interpolation
+	 * Property for DRM_COLOROP_1D_LUT interpolation
 	 */
 	struct drm_property *lut1d_interpolation_property;
 
@@ -340,7 +338,7 @@ struct drm_colorop {
 	/**
 	 * @lut3d_interpolation_property:
 	 *
-	 * Read-only property for DRM_COLOROP_3D_LUT interpolation
+	 * Property for DRM_COLOROP_3D_LUT interpolation
 	 */
 	struct drm_property *lut3d_interpolation_property;
 
-- 
2.53.0





* [PATCH 6.1 245/522] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 244/522] net/mlx4: avoid GCC 10 __bad_copy_from() false positive Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 246/522] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
                   ` (277 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Simon Horman,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingyu Wang <25181214217@stu.xidian.edu.cn>

[ Upstream commit a2171131ecda1ed61a594a1eb715e75fdad0fef5 ]

In qrtr_port_remove(), the socket reference count is decremented via
__sock_put() before the port is removed from the qrtr_ports XArray and
before the RCU grace period elapses.

This breaks the fundamental RCU update paradigm. It exposes a race
window where a concurrent RCU reader (such as qrtr_reset_ports() or
qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
and attempt to call sock_hold() on a socket whose reference count has
already dropped to zero.

This exact race condition was hit during syzkaller fuzzing, leading to
the following refcount saturation warning and a potential Use-After-Free:

  refcount_t: saturated; leaking memory.
  WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
  Modules linked in: qrtr(+) bochs drm_shmem_helper ...
  Call Trace:
   <TASK>
   qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
   __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
   qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
   kernel_bind+0xe4/0x120 net/socket.c:3592
   qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
   qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
   do_one_initcall+0xf5/0x5e0 init/main.c:1283
   ...
   </TASK>

Fix this by deferring the reference count decrement until after the
xa_erase() and the synchronize_rcu() complete.

(Note: The v1 of this patch incorrectly replaced __sock_put() with
sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()
still hold a reference to the socket, so freeing the socket memory here
would lead to a subsequent UAF in the caller. Thus, the __sock_put() is
kept, but only repositioned to close the RCU race.)

Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260604064801.1180388-1-w15303746062@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/qrtr/af_qrtr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
index 3831eb25e240ae..8cedf26d78ee02 100644
--- a/net/qrtr/af_qrtr.c
+++ b/net/qrtr/af_qrtr.c
@@ -702,13 +702,13 @@ static void qrtr_port_remove(struct qrtr_sock *ipc)
 	if (port == QRTR_PORT_CTRL)
 		port = 0;
 
-	__sock_put(&ipc->sk);
-
 	xa_erase(&qrtr_ports, port);
 
 	/* Ensure that if qrtr_port_lookup() did enter the RCU read section we
 	 * wait for it to up increment the refcount */
 	synchronize_rcu();
+
+	__sock_put(&ipc->sk);
 }
 
 /* Assign port number to socket.
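Review bot: the comment above synchronize_rcu() ("wait for it to up increment the refcount") is garbled, and after this change it is the only text explaining why `__sock_put(&ipc->sk)` must come last. Reword it and add a line above the moved __sock_put() stating that the reference is dropped only after xa_erase() and the grace period, so a later cleanup does not move the put back up.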
-- 
2.53.0





* [PATCH 7.0 162/378] drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 161/378] drm/colorop: Remove read-only comments from interpolation fields Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 163/378] drm/atomic: track individual colorop updates Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chaitanya Kumar Borah, Alex Hung,
	Melissa Wen, Melissa Wen, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Melissa Wen <mwen@igalia.com>

[ Upstream commit 94ff735296d371045fce163451a3d65e44ac4729 ]

As interpolation props are actually mutable props, any changes should be
handled by drm_colorop_state. Move their enum and make it correctly
behave as mutable.

Fixes: 7fa3ee8c0a79 ("drm/colorop: Define LUT_1D interpolation")
Fixes: db971856bbe0 ("drm/colorop: Add 3D LUT support to color pipeline")
Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-3-mwen@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_atomic.c      |  4 ++--
 drivers/gpu/drm/drm_atomic_uapi.c |  8 ++++----
 drivers/gpu/drm/drm_colorop.c     | 16 ++++++++++++++--
 include/drm/drm_colorop.h         | 28 ++++++++++++++--------------
 4 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index ec7534227f66d4..b31bb3f9b11aae 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -829,7 +829,7 @@ static void drm_atomic_colorop_print_state(struct drm_printer *p,
 	case DRM_COLOROP_1D_LUT:
 		drm_printf(p, "\tsize=%d\n", colorop->size);
 		drm_printf(p, "\tinterpolation=%s\n",
-			   drm_get_colorop_lut1d_interpolation_name(colorop->lut1d_interpolation));
+			   drm_get_colorop_lut1d_interpolation_name(state->lut1d_interpolation));
 		drm_printf(p, "\tdata blob id=%d\n", state->data ? state->data->base.id : 0);
 		break;
 	case DRM_COLOROP_CTM_3X4:
@@ -841,7 +841,7 @@ static void drm_atomic_colorop_print_state(struct drm_printer *p,
 	case DRM_COLOROP_3D_LUT:
 		drm_printf(p, "\tsize=%d\n", colorop->size);
 		drm_printf(p, "\tinterpolation=%s\n",
-			   drm_get_colorop_lut3d_interpolation_name(colorop->lut3d_interpolation));
+			   drm_get_colorop_lut3d_interpolation_name(state->lut3d_interpolation));
 		drm_printf(p, "\tdata blob id=%d\n", state->data ? state->data->base.id : 0);
 		break;
 	default:
diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic_uapi.c
index 87de41fb445931..aefcf58e4f0399 100644
--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -747,13 +747,13 @@ static int drm_atomic_colorop_set_property(struct drm_colorop *colorop,
 	if (property == colorop->bypass_property) {
 		state->bypass = val;
 	} else if (property == colorop->lut1d_interpolation_property) {
-		colorop->lut1d_interpolation = val;
+		state->lut1d_interpolation = val;
 	} else if (property == colorop->curve_1d_type_property) {
 		state->curve_1d_type = val;
 	} else if (property == colorop->multiplier_property) {
 		state->multiplier = val;
 	} else if (property == colorop->lut3d_interpolation_property) {
-		colorop->lut3d_interpolation = val;
+		state->lut3d_interpolation = val;
 	} else if (property == colorop->data_property) {
 		return drm_atomic_color_set_data_property(colorop, state,
 							  property, val);
@@ -778,7 +778,7 @@ drm_atomic_colorop_get_property(struct drm_colorop *colorop,
 	else if (property == colorop->bypass_property)
 		*val = state->bypass;
 	else if (property == colorop->lut1d_interpolation_property)
-		*val = colorop->lut1d_interpolation;
+		*val = state->lut1d_interpolation;
 	else if (property == colorop->curve_1d_type_property)
 		*val = state->curve_1d_type;
 	else if (property == colorop->multiplier_property)
@@ -786,7 +786,7 @@ drm_atomic_colorop_get_property(struct drm_colorop *colorop,
 	else if (property == colorop->size_property)
 		*val = colorop->size;
 	else if (property == colorop->lut3d_interpolation_property)
-		*val = colorop->lut3d_interpolation;
+		*val = state->lut3d_interpolation;
 	else if (property == colorop->data_property)
 		*val = (state->data) ? state->data->base.id : 0;
 	else
diff --git a/drivers/gpu/drm/drm_colorop.c b/drivers/gpu/drm/drm_colorop.c
index 27139862b12086..6751add3cba96c 100644
--- a/drivers/gpu/drm/drm_colorop.c
+++ b/drivers/gpu/drm/drm_colorop.c
@@ -321,7 +321,6 @@ int drm_plane_colorop_curve_1d_lut_init(struct drm_device *dev, struct drm_color
 
 	colorop->lut1d_interpolation_property = prop;
 	drm_object_attach_property(&colorop->base, prop, interpolation);
-	colorop->lut1d_interpolation = interpolation;
 
 	/* data */
 	ret = drm_colorop_create_data_prop(dev, colorop);
@@ -417,7 +416,6 @@ int drm_plane_colorop_3dlut_init(struct drm_device *dev, struct drm_colorop *col
 
 	colorop->lut3d_interpolation_property = prop;
 	drm_object_attach_property(&colorop->base, prop, interpolation);
-	colorop->lut3d_interpolation = interpolation;
 
 	/* data */
 	ret = drm_colorop_create_data_prop(dev, colorop);
@@ -496,6 +494,20 @@ static void __drm_colorop_state_reset(struct drm_colorop_state *colorop_state,
 						      &val);
 		colorop_state->curve_1d_type = val;
 	}
+
+	if (colorop->lut1d_interpolation_property) {
+		if (!drm_object_property_get_default_value(&colorop->base,
+							   colorop->lut1d_interpolation_property,
+							   &val))
+			colorop_state->lut1d_interpolation = val;
+	}
+
+	if (colorop->lut3d_interpolation_property) {
+		if (!drm_object_property_get_default_value(&colorop->base,
+							   colorop->lut3d_interpolation_property,
+							   &val))
+			colorop_state->lut3d_interpolation = val;
+	}
 }
 
 /**
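Review bot: both new blocks in __drm_colorop_state_reset() assign the state field only when drm_object_property_get_default_value() returns 0, and on failure leave lut1d_interpolation or lut3d_interpolation at whatever the state already held, with no message. The curve_1d_type code just above assigns val unconditionally, so the two styles now sit side by side; pick one, and if the conditional form stays, say in a comment what value the field has on the failure path. The nested `if`s can also be joined with `&&`.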
diff --git a/include/drm/drm_colorop.h b/include/drm/drm_colorop.h
index 5bcb510e56c0a7..272ebff2de72e2 100644
--- a/include/drm/drm_colorop.h
+++ b/include/drm/drm_colorop.h
@@ -183,6 +183,20 @@ struct drm_colorop_state {
 	 */
 	struct drm_property_blob *data;
 
+	/**
+	 * @lut1d_interpolation:
+	 *
+	 * Interpolation for DRM_COLOROP_1D_LUT
+	 */
+	enum drm_colorop_lut1d_interpolation_type lut1d_interpolation;
+
+	/**
+	 * @lut3d_interpolation:
+	 *
+	 * Interpolation for DRM_COLOROP_3D_LUT
+	 */
+	enum drm_colorop_lut3d_interpolation_type lut3d_interpolation;
+
 	/** @state: backpointer to global drm_atomic_state */
 	struct drm_atomic_state *state;
 };
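Review bot: the kernel-doc for the two fields added to struct drm_colorop_state is carried over verbatim from struct drm_colorop ("Interpolation for DRM_COLOROP_1D_LUT" / "DRM_COLOROP_3D_LUT"). Now that the value is per-state, the comment should say it is the current value of the corresponding interpolation property and that the reset path seeds it from the property default, as the drm_colorop.c hunk does.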
@@ -293,20 +307,6 @@ struct drm_colorop {
 	 */
 	uint32_t size;
 
-	/**
-	 * @lut1d_interpolation:
-	 *
-	 * Interpolation for DRM_COLOROP_1D_LUT
-	 */
-	enum drm_colorop_lut1d_interpolation_type lut1d_interpolation;
-
-	/**
-	 * @lut3d_interpolation:
-	 *
-	 * Interpolation for DRM_COLOROP_3D_LUT
-	 */
-	enum drm_colorop_lut3d_interpolation_type lut3d_interpolation;
-
 	/**
 	 * @lut1d_interpolation_property:
 	 *
-- 
2.53.0





* [PATCH 6.1 246/522] ipv6: sit: reload inner IPv6 header after GSO offloads
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 245/522] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 247/522] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
                   ` (276 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Eric Dumazet,
	syzbot+6eb9ca986d80f6f88cf9, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit f0e42f0c4337b1f220de1ddd63f47197c7dee4de ]

ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function
entry and continues using it after iptunnel_handle_offloads().

For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().
When the skb header is cloned, skb_header_unclone() can call
pskb_expand_head(), which may move the skb head. The pskb_expand_head()
contract requires pointers into the skb header to be reloaded after the
call.

If the later skb_realloc_headroom() branch is not taken, SIT uses the
stale iph6 pointer to read the inner hop limit and DS field. That can
read from a freed skb head after the old head's remaining clone is
released.

Reload iph6 after the offload helper succeeds and before subsequent
reads from the inner IPv6 header. Keep the existing reload after
skb_realloc_headroom(), since that branch can also replace the skb.

Fixes: 14909664e4e1 ("sit: Setup and TX path for sit/UDP foo-over-udp encapsulation")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+6eb9ca986d80f6f88cf9@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260605073448.6524-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/sit.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index eb4c8e2a2b12e0..aa88a41034d920 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -965,6 +965,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
 		ip_rt_put(rt);
 		goto tx_error;
 	}
+	iph6 = ipv6_hdr(skb);
 
 	if (df) {
 		mtu = dst_mtu(&rt->dst) - t_hlen;
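Review bot: the added `iph6 = ipv6_hdr(skb);` has no comment, and nothing at this spot in ipip6_tunnel_xmit() says why the pointer is reloaded. The commit message explains that iptunnel_handle_offloads() can move the skb head through skb_header_unclone() and pskb_expand_head(); a one-line comment to that effect above the reload would keep a later cleanup from removing it as redundant or from adding new iph6 reads above it.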
-- 
2.53.0





* [PATCH 7.0 163/378] drm/atomic: track individual colorop updates
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 162/378] drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 164/378] drm/amd/display: use plane color_mgmt_changed to track colorop changes Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chaitanya Kumar Borah, Alex Hung,
	Melissa Wen, Melissa Wen, Sasha Levin, Harry Wentland

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Melissa Wen <mwen@igalia.com>

[ Upstream commit 2e235e2a2784b12b735321e5b42240ca51c49b0f ]

As we do for CRTC color mgmt properties, use color_mgmt_changed flag to
track any value changes in the color pipeline of a given plane, so that
drivers can update color blocks as soon as plane color pipeline or
individual colorop values change. Since we're here, only announce and
track changes to plane COLOR_PIPELINE prop if its value is actually
changing.

Fixes: 8c5ea1745f4c ("drm/colorop: Add BYPASS property")
Fixes: 7fa3ee8c0a79 ("drm/colorop: Define LUT_1D interpolation")
Fixes: 41651f9d42eb ("drm/colorop: Add 1D Curve subtype")
Fixes: 3410108037d5 ("drm/colorop: Add multiplier type")
Fixes: db971856bbe0 ("drm/colorop: Add 3D LUT support to color pipeline")
Fixes: e5719e7f1900 ("drm/colorop: Add 3x4 CTM type")
Fixes: 99a4e4f08abe ("drm/colorop: Add 1D Curve Custom LUT type")
Fixes: 2afc3184f3b3 ("drm/plane: Add COLOR PIPELINE property")
Reviewed-by: Harry Wentland <harry.wentland@amd.com> #v1
Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-4-mwen@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_atomic_uapi.c | 64 ++++++++++++++++++++++++-------
 include/drm/drm_atomic_uapi.h     |  4 +-
 2 files changed, 54 insertions(+), 14 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic_uapi.c
index aefcf58e4f0399..97bbf91f3c7975 100644
--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -265,13 +265,19 @@ EXPORT_SYMBOL(drm_atomic_set_fb_for_plane);
  *
  * Helper function to select the color pipeline on a plane by setting
  * it to the first drm_colorop element of the pipeline.
+ *
+ * Return: true if plane color pipeline value changed, false otherwise.
  */
-void
+bool
 drm_atomic_set_colorop_for_plane(struct drm_plane_state *plane_state,
 				 struct drm_colorop *colorop)
 {
 	struct drm_plane *plane = plane_state->plane;
 
+	/* Color pipeline didn't change */
+	if (plane_state->color_pipeline == colorop)
+		return false;
+
 	if (colorop)
 		drm_dbg_atomic(plane->dev,
 			       "Set [COLOROP:%d] for [PLANE:%d:%s] state %p\n",
@@ -283,6 +289,8 @@ drm_atomic_set_colorop_for_plane(struct drm_plane_state *plane_state,
 			       plane->base.id, plane->name, plane_state);
 
 	plane_state->color_pipeline = colorop;
+
+	return true;
 }
 EXPORT_SYMBOL(drm_atomic_set_colorop_for_plane);
 
@@ -600,7 +608,7 @@ static int drm_atomic_plane_set_property(struct drm_plane *plane,
 		if (val && !colorop)
 			return -EACCES;
 
-		drm_atomic_set_colorop_for_plane(state, colorop);
+		state->color_mgmt_changed |= drm_atomic_set_colorop_for_plane(state, colorop);
 	} else if (property == config->prop_fb_damage_clips) {
 		ret = drm_property_replace_blob_from_id(dev,
 					&state->fb_damage_clips,
@@ -709,11 +717,11 @@ drm_atomic_plane_get_property(struct drm_plane *plane,
 static int drm_atomic_color_set_data_property(struct drm_colorop *colorop,
 					      struct drm_colorop_state *state,
 					      struct drm_property *property,
-					      uint64_t val)
+					      uint64_t val,
+					      bool *replaced)
 {
 	ssize_t elem_size = -1;
 	ssize_t size = -1;
-	bool replaced = false;
 
 	switch (colorop->type) {
 	case DRM_COLOROP_1D_LUT:
@@ -735,28 +743,45 @@ static int drm_atomic_color_set_data_property(struct drm_colorop *colorop,
 						 &state->data,
 						 val,
 						 -1, size, elem_size,
-						 &replaced);
+						 replaced);
 }
 
 static int drm_atomic_colorop_set_property(struct drm_colorop *colorop,
 					   struct drm_colorop_state *state,
 					   struct drm_file *file_priv,
 					   struct drm_property *property,
-					   uint64_t val)
+					   uint64_t val,
+					   bool *replaced)
 {
 	if (property == colorop->bypass_property) {
-		state->bypass = val;
+		if (state->bypass != val) {
+			state->bypass = val;
+			*replaced = true;
+		}
 	} else if (property == colorop->lut1d_interpolation_property) {
-		state->lut1d_interpolation = val;
+		if (state->lut1d_interpolation != val) {
+			state->lut1d_interpolation = val;
+			*replaced = true;
+		}
 	} else if (property == colorop->curve_1d_type_property) {
-		state->curve_1d_type = val;
+		if (state->curve_1d_type != val) {
+			state->curve_1d_type = val;
+			*replaced = true;
+		}
 	} else if (property == colorop->multiplier_property) {
-		state->multiplier = val;
+		if (state->multiplier != val) {
+			state->multiplier = val;
+			*replaced = true;
+		}
 	} else if (property == colorop->lut3d_interpolation_property) {
-		state->lut3d_interpolation = val;
+		if (state->lut3d_interpolation != val) {
+			state->lut3d_interpolation = val;
+			*replaced = true;
+		}
 	} else if (property == colorop->data_property) {
 		return drm_atomic_color_set_data_property(colorop, state,
-							  property, val);
+							  property, val,
+							  replaced);
 	} else {
 		drm_dbg_atomic(colorop->dev,
 			       "[COLOROP:%d:%d] unknown property [PROP:%d:%s]\n",
@@ -1271,8 +1296,10 @@ int drm_atomic_set_property(struct drm_atomic_state *state,
 		break;
 	}
 	case DRM_MODE_OBJECT_COLOROP: {
+		struct drm_plane_state *plane_state;
 		struct drm_colorop *colorop = obj_to_colorop(obj);
 		struct drm_colorop_state *colorop_state;
+		bool replaced = false;
 
 		colorop_state = drm_atomic_get_colorop_state(state, colorop);
 		if (IS_ERR(colorop_state)) {
@@ -1281,7 +1308,18 @@ int drm_atomic_set_property(struct drm_atomic_state *state,
 		}
 
 		ret = drm_atomic_colorop_set_property(colorop, colorop_state,
-						      file_priv, prop, prop_value);
+						      file_priv, prop, prop_value,
+						      &replaced);
+		if (ret || !replaced)
+			break;
+
+		plane_state = drm_atomic_get_plane_state(state, colorop->plane);
+		if (IS_ERR(plane_state)) {
+			ret = PTR_ERR(plane_state);
+			break;
+		}
+		plane_state->color_mgmt_changed |= replaced;
+
 		break;
 	}
 	default:
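Review bot: in the DRM_MODE_OBJECT_COLOROP case, drm_atomic_get_plane_state() is called only after drm_atomic_colorop_set_property() has already written the new value into colorop_state, so an error here returns with the colorop changed but color_mgmt_changed not set. Either acquire the plane state before setting the property or note in a comment that the error path discards the whole atomic state. Also, `plane_state->color_mgmt_changed |= replaced;` runs only when replaced is true (the `!replaced` case breaks earlier), so `= true` states the intent more directly.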
diff --git a/include/drm/drm_atomic_uapi.h b/include/drm/drm_atomic_uapi.h
index 4363155233267b..4e7e78f711e26a 100644
--- a/include/drm/drm_atomic_uapi.h
+++ b/include/drm/drm_atomic_uapi.h
@@ -29,6 +29,8 @@
 #ifndef DRM_ATOMIC_UAPI_H_
 #define DRM_ATOMIC_UAPI_H_
 
+#include <linux/types.h>
+
 struct drm_crtc_state;
 struct drm_display_mode;
 struct drm_property_blob;
@@ -50,7 +52,7 @@ drm_atomic_set_crtc_for_plane(struct drm_plane_state *plane_state,
 			      struct drm_crtc *crtc);
 void drm_atomic_set_fb_for_plane(struct drm_plane_state *plane_state,
 				 struct drm_framebuffer *fb);
-void drm_atomic_set_colorop_for_plane(struct drm_plane_state *plane_state,
+bool drm_atomic_set_colorop_for_plane(struct drm_plane_state *plane_state,
 				      struct drm_colorop *colorop);
 int __must_check
 drm_atomic_set_crtc_for_connector(struct drm_connector_state *conn_state,
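Review bot: the new bool return of drm_atomic_set_colorop_for_plane() can be silently ignored, unlike the `int __must_check` prototype directly below it. This diff updates only the caller in drm_atomic_plane_set_property(); since the function is exported, any other caller that drops the return value will change the pipeline without setting color_mgmt_changed. Consider marking it __must_check or documenting in the kernel-doc that callers are expected to OR the result into color_mgmt_changed.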
-- 
2.53.0





* [PATCH 6.1 247/522] net: openvswitch: fix possible kfree_skb of ERR_PTR
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 246/522] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 248/522] r8152: reduce the control transfer of rtl8152_get_version() Greg Kroah-Hartman
                   ` (275 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Adrian Moreno, Aaron Conole,
	Eelco Chaudron, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Moreno <amorenoz@redhat.com>

[ Upstream commit ee30dd2909d8b98619f4341c70ec8dc8e155ab02 ]

After the patch in the "Fixes" tag, the allocation of the "reply" skb
can happen either before or after locking the ovs_mutex.

However, error cleanups still follow the classical reversed order,
assuming "reply" is allocated before locking: it is freed after unlocking.

If "reply" allocation happens after locking the mutex and it fails,
"reply" is left with an ERR_PTR, and execution jumps to the corresponding
cleanup stage which will try to free an invalid pointer.

Fix this by setting the pointer to NULL after having saved its error
value.

Fixes: 893f139b9a6c ("openvswitch: Minimize ovs_flow_cmd_new|set critical sections.")
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Link: https://patch.msgid.link/20260604121946.942164-1-amorenoz@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/openvswitch/datapath.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index c751d6b36febd1..0c0d89470145a1 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1263,6 +1263,7 @@ static int ovs_flow_cmd_set(struct sk_buff *skb, struct genl_info *info)
 
 		if (IS_ERR(reply)) {
 			error = PTR_ERR(reply);
+			reply = NULL;
 			goto err_unlock_ovs;
 		}
 	}
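Review bot: this hunk resets `reply` only in ovs_flow_cmd_set(), while the commit named in the Fixes tag covers "ovs_flow_cmd_new|set". Please confirm that ovs_flow_cmd_new() has no path where `reply` is allocated after taking ovs_mutex and freed on error, or say so in the commit message. The fix itself relies on the cleanup after err_unlock_ovs tolerating a NULL `reply`, which kfree_skb() does.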
-- 
2.53.0





* [PATCH 7.0 164/378] drm/amd/display: use plane color_mgmt_changed to track colorop changes
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 163/378] drm/atomic: track individual colorop updates Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 165/378] drm/xe: fix refcount leak in xe_range_fence_insert() Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harry Wentland, Alex Hung,
	Melissa Wen, Melissa Wen, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Melissa Wen <mwen@igalia.com>

[ Upstream commit d79716401a954677a93c4dd51fec65beccb38296 ]

Ensure the driver tracks changes in any colorop property of a plane
color pipeline by using the same mechanism of CRTC color management and
update plane color blocks when any colorop property changes. It fixes an
issue observed on gamescope settings for night mode which is done via
shaper/3D-LUT updates.

Fixes: 9ba25915efba ("drm/amd/display: Add support for sRGB EOTF in DEGAM block")
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patch.msgid.link/20260609110420.1298352-5-mwen@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 0aee65503642d7..2d0c818cace25c 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -10016,7 +10016,7 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state,
 			continue;
 
 		bundle->surface_updates[planes_count].surface = dc_plane;
-		if (new_pcrtc_state->color_mgmt_changed) {
+		if (new_pcrtc_state->color_mgmt_changed || new_plane_state->color_mgmt_changed) {
 			bundle->surface_updates[planes_count].gamma = &dc_plane->gamma_correction;
 			bundle->surface_updates[planes_count].in_transfer_func = &dc_plane->in_transfer_func;
 			bundle->surface_updates[planes_count].gamut_remap_matrix = &dc_plane->gamut_remap_matrix;
@@ -11756,6 +11756,10 @@ static bool should_reset_plane(struct drm_atomic_state *state,
 	if (new_crtc_state->color_mgmt_changed)
 		return true;
 
+	/* Plane color pipeline or its colorop changes. */
+	if (new_plane_state->color_mgmt_changed)
+		return true;
+
 	/*
 	 * On zpos change, planes need to be reordered by removing and re-adding
 	 * them one by one to the dc state, in order of descending zpos.
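Review bot: returning true from should_reset_plane() for every plane color_mgmt_changed means each colorop update takes the full plane reset path, the same one the zpos comment below describes as removing and re-adding planes. The amdgpu_dm_commit_planes() hunk already routes these changes into the surface update, so please confirm the reset is required as well, since the use case in the commit message (night mode via shaper/3D-LUT updates) can change colorop values frequently.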
-- 
2.53.0





* [PATCH 6.1 248/522] r8152: reduce the control transfer of rtl8152_get_version()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 247/522] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 249/522] r8152: Block future register access if register access fails Greg Kroah-Hartman
                   ` (274 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hayes Wang, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hayes Wang <hayeswang@realtek.com>

[ Upstream commit 02767440e1dda9861a11ca1dbe0f19a760b1d5c2 ]

Reduce the control transfer by moving the call to rtl8152_get_version() in
rtl8152_probe(). This could prevent calling rtl8152_get_version()
in unnecessary situations. For example, after setting config #2 for the
device, there are two interfaces and rtl8152_probe() may be called
twice. However, we don't need to call rtl8152_get_version() for this
situation.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 19440600e729 ("r8152: handle the return value of usb_reset_device()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 98e30291b0500b..f730f6a797e767 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -9640,20 +9640,21 @@ static int rtl8152_probe(struct usb_interface *intf,
 			 const struct usb_device_id *id)
 {
 	struct usb_device *udev = interface_to_usbdev(intf);
-	u8 version = rtl8152_get_version(intf);
 	struct r8152 *tp;
 	struct net_device *netdev;
+	u8 version;
 	int ret;
 
-	if (version == RTL_VER_UNKNOWN)
-		return -ENODEV;
-
 	if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
 		return -ENODEV;
 
 	if (!rtl_check_vendor_ok(intf))
 		return -ENODEV;
 
+	version = rtl8152_get_version(intf);
+	if (version == RTL_VER_UNKNOWN)
+		return -ENODEV;
+
 	usb_reset_device(udev);
 	netdev = alloc_etherdev(sizeof(struct r8152));
 	if (!netdev) {
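Review bot: the relocated `version = rtl8152_get_version(intf);` in rtl8152_probe() depends on staying below the bInterfaceClass and rtl_check_vendor_ok() checks, but nothing in the code says so. A short comment that the version read costs a control transfer and is deliberately done after the cheap interface checks would keep a later cleanup from hoisting it back into the declaration.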
-- 
2.53.0





* [PATCH 7.0 165/378] drm/xe: fix refcount leak in xe_range_fence_insert()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 164/378] drm/amd/display: use plane color_mgmt_changed to track colorop changes Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 166/378] drm/xe: fix job timeout recovery for unstarted jobs and kernel queues Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wentao Liang, Matthew Brost,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

[ Upstream commit ba36786b21d19082e696eda85bfcd49e7071944a ]

xe_range_fence_insert() acquires a reference on fence via
dma_fence_get() and stores it in rfence->fence.  It then calls
dma_fence_add_callback() and handles two cases: when the callback
is successfully registered (err == 0) the fence is transferred to
the tree for later cleanup; when the fence is already signaled
(err == -ENOENT) it manually drops the extra reference with
dma_fence_put(fence).

However, dma_fence_add_callback() can fail with other errors
(e.g. -EINVAL) and in that case the code falls through to the free:
label without releasing the acquired reference, leaking it.

Fix the leak by adding an else branch that calls dma_fence_put()
before jumping to free: for any error other than -ENOENT.

Fixes: 845f64bdbfc9 ("drm/xe: Introduce a range-fence utility")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260610172705.3450560-1-matthew.brost@intel.com
(cherry picked from commit 98c4a4201290823c2c5c7ba21692bd9a64b61021)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/xe/xe_range_fence.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/xe/xe_range_fence.c b/drivers/gpu/drm/xe/xe_range_fence.c
index 372378e89e9892..3d8fa194a7b0eb 100644
--- a/drivers/gpu/drm/xe/xe_range_fence.c
+++ b/drivers/gpu/drm/xe/xe_range_fence.c
@@ -77,6 +77,8 @@ int xe_range_fence_insert(struct xe_range_fence_tree *tree,
 	} else if (err == 0) {
 		xe_range_fence_tree_insert(rfence, &tree->root);
 		return 0;
+	} else {
+		dma_fence_put(fence);
 	}
 
 free:
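Review bot: after the new `else` branch calls dma_fence_put(fence), execution falls through to `free:` with the pointer still stored in rfence->fence (per the commit message, that is where the reference was parked). Please confirm the code under `free:` does not touch rfence->fence, or clear it in the same branch. The put is now duplicated between this branch and the -ENOENT one described in the commit message, so a single put for every `err != 0` case would be harder to get wrong.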
-- 
2.53.0





* [PATCH 6.1 249/522] r8152: Block future register access if register access fails
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 248/522] r8152: reduce the control transfer of rtl8152_get_version() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 250/522] r8152: handle the return value of usb_reset_device() Greg Kroah-Hartman
                   ` (273 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Grant Grundler,
	David S. Miller, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit d9962b0d42029bcb40fe3c38bce06d1870fa4df4 ]

Even though the functions to read/write registers can fail, most of
the places in the r8152 driver that read/write register values don't
check error codes. The lack of error code checking is problematic in
at least two ways.

The first problem is that the r8152 driver often uses code patterns
similar to this:
  x = read_register()
  x = x | SOME_BIT;
  write_register(x);

...with the above pattern, if the read_register() fails and returns
garbage then we'll end up trying to write modified garbage back to the
Realtek adapter. If the write_register() succeeds that's bad. Note
that as of commit f53a7ad18959 ("r8152: Set memory to all 0xFFs on
failed reg reads") the "garbage" returned by read_register() will at
least be consistent garbage, but it is still garbage.

It turns out that this problem is very serious. Writing garbage to
some of the hardware registers on the Ethernet adapter can put the
adapter in such a bad state that it needs to be power cycled (fully
unplugged and plugged in again) before it can enumerate again.

The second problem is that the r8152 driver generally has functions
that are long sequences of register writes. Assuming everything will
be OK if a random register write fails in the middle isn't a great
assumption.

One might wonder if the above two problems are real. You could ask if
we would really have a successful write after a failed read. It turns
out that the answer appears to be "yes, this can happen". In fact,
we've seen at least two distinct failure modes where this happens.

On a sc7180-trogdor Chromebook if you drop into kdb for a while and
then resume, you can see:
1. We get a "Tx timeout"
2. The "Tx timeout" queues up a USB reset.
3. In rtl8152_pre_reset() we try to reinit the hardware.
4. The first several (2-9) register accesses fail with a timeout, then
   things recover.

The above test case was actually fixed by the patch ("r8152: Increase
USB control msg timeout to 5000ms as per spec") but at least shows
that we really can see successful calls after failed ones.

On a different (AMD) based Chromebook with a particular adapter, we
found that during reboot tests we'd also sometimes get a transitory
failure. In this case we saw -EPIPE being returned sometimes. Retrying
worked, but retrying is not always safe for all register accesses
since reading/writing some registers might have side effects (like
registers that clear on read).

Let's fully lock out all register access if a register access fails.
When we do this, we'll try to queue up a USB reset and try to unlock
register access after the reset. This is slightly trickier than it
sounds since the r8152 driver has an optimized reset sequence that
only works reliably after probe happens. In order to handle this, we
avoid the optimized reset if probe didn't finish. Instead, we simply
retry the probe routine in this case.

When locking out access, we'll use the existing infrastructure that
the driver was using when it detected we were unplugged. This keeps us
from getting stuck in delay loops in some parts of the driver.

Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 19440600e729 ("r8152: handle the return value of usb_reset_device()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 207 ++++++++++++++++++++++++++++++++++------
 1 file changed, 176 insertions(+), 31 deletions(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index f730f6a797e767..e8a69d3d418379 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -772,6 +772,9 @@ enum rtl8152_flags {
 	SCHEDULE_TASKLET,
 	GREEN_ETHERNET,
 	RX_EPROTO,
+	IN_PRE_RESET,
+	PROBED_WITH_NO_ERRORS,
+	PROBE_SHOULD_RETRY,
 };
 
 #define DEVICE_ID_LENOVO_USB_C_TRAVEL_HUB		0x721e
@@ -952,6 +955,8 @@ struct r8152 {
 	u8 version;
 	u8 duplex;
 	u8 autoneg;
+
+	unsigned int reg_access_reset_count;
 };
 
 /**
@@ -1199,6 +1204,96 @@ static unsigned int agg_buf_sz = 16384;
 
 #define RTL_LIMITED_TSO_SIZE	(size_to_mtu(agg_buf_sz) - sizeof(struct tx_desc))
 
+/* If register access fails then we block access and issue a reset. If this
+ * happens too many times in a row without a successful access then we stop
+ * trying to reset and just leave access blocked.
+ */
+#define REGISTER_ACCESS_MAX_RESETS	3
+
+static void rtl_set_inaccessible(struct r8152 *tp)
+{
+	set_bit(RTL8152_INACCESSIBLE, &tp->flags);
+	smp_mb__after_atomic();
+}
+
+static void rtl_set_accessible(struct r8152 *tp)
+{
+	clear_bit(RTL8152_INACCESSIBLE, &tp->flags);
+	smp_mb__after_atomic();
+}
+
+static
+int r8152_control_msg(struct r8152 *tp, unsigned int pipe, __u8 request,
+		      __u8 requesttype, __u16 value, __u16 index, void *data,
+		      __u16 size, const char *msg_tag)
+{
+	struct usb_device *udev = tp->udev;
+	int ret;
+
+	if (test_bit(RTL8152_INACCESSIBLE, &tp->flags))
+		return -ENODEV;
+
+	ret = usb_control_msg(udev, pipe, request, requesttype,
+			      value, index, data, size,
+			      USB_CTRL_GET_TIMEOUT);
+
+	/* No need to issue a reset to report an error if the USB device got
+	 * unplugged; just return immediately.
+	 */
+	if (ret == -ENODEV)
+		return ret;
+
+	/* If the write was successful then we're done */
+	if (ret >= 0) {
+		tp->reg_access_reset_count = 0;
+		return ret;
+	}
+
+	dev_err(&udev->dev,
+		"Failed to %s %d bytes at %#06x/%#06x (%d)\n",
+		msg_tag, size, value, index, ret);
+
+	/* Block all future register access until we reset. Much of the code
+	 * in the driver doesn't check for errors. Notably, many parts of the
+	 * driver do a read/modify/write of a register value without
+	 * confirming that the read succeeded. Writing back modified garbage
+	 * like this can fully wedge the adapter, requiring a power cycle.
+	 */
+	rtl_set_inaccessible(tp);
+
+	/* If probe hasn't yet finished, then we'll request a retry of the
+	 * whole probe routine if we get any control transfer errors. We
+	 * never have to clear this bit since we free/reallocate the whole "tp"
+	 * structure if we retry probe.
+	 */
+	if (!test_bit(PROBED_WITH_NO_ERRORS, &tp->flags)) {
+		set_bit(PROBE_SHOULD_RETRY, &tp->flags);
+		return ret;
+	}
+
+	/* Failing to access registers in pre-reset is not surprising since we
+	 * wouldn't be resetting if things were behaving normally. The register
+	 * access we do in pre-reset isn't truly mandatory--we're just reusing
+	 * the disable() function and trying to be nice by powering the
+	 * adapter down before resetting it. Thus, if we're in pre-reset,
+	 * we'll return right away and not try to queue up yet another reset.
+	 * We know the post-reset is already coming.
+	 */
+	if (test_bit(IN_PRE_RESET, &tp->flags))
+		return ret;
+
+	if (tp->reg_access_reset_count < REGISTER_ACCESS_MAX_RESETS) {
+		usb_queue_reset_device(tp->intf);
+		tp->reg_access_reset_count++;
+	} else if (tp->reg_access_reset_count == REGISTER_ACCESS_MAX_RESETS) {
+		dev_err(&udev->dev,
+			"Tried to reset %d times; giving up.\n",
+			REGISTER_ACCESS_MAX_RESETS);
+	}
+
+	return ret;
+}
+
 static
 int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
 {
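Review bot: in r8152_control_msg() the comment "If the write was successful then we're done" is wrong for half the callers, since the helper serves both directions (msg_tag is "read" or "write"); say "transfer". In the reset accounting at the end, reg_access_reset_count is only incremented under the `<` test, so it can never exceed REGISTER_ACCESS_MAX_RESETS and the `else if (... == REGISTER_ACCESS_MAX_RESETS)` can be a plain `else`. The counter is also a plain unsigned int with no note on which lock protects it.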
@@ -1209,9 +1304,10 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
 	if (!tmp)
 		return -ENOMEM;
 
-	ret = usb_control_msg(tp->udev, tp->pipe_ctrl_in,
-			      RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
-			      value, index, tmp, size, USB_CTRL_GET_TIMEOUT);
+	ret = r8152_control_msg(tp, tp->pipe_ctrl_in,
+				RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+				value, index, tmp, size, "read");
+
 	if (ret < 0)
 		memset(data, 0xff, size);
 	else
@@ -1232,9 +1328,9 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
 	if (!tmp)
 		return -ENOMEM;
 
-	ret = usb_control_msg(tp->udev, tp->pipe_ctrl_out,
-			      RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE,
-			      value, index, tmp, size, USB_CTRL_SET_TIMEOUT);
+	ret = r8152_control_msg(tp, tp->pipe_ctrl_out,
+				RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE,
+				value, index, tmp, size, "write");
 
 	kfree(tmp);
 
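Review bot: set_registers() used to pass USB_CTRL_SET_TIMEOUT, but r8152_control_msg() hard-codes USB_CTRL_GET_TIMEOUT for every transfer, so writes now use the GET constant. If the two values are meant to stay interchangeable, say so in a comment in the helper; otherwise add a timeout parameter so the write path keeps its own constant.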
@@ -1243,10 +1339,8 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
 
 static void rtl_set_unplug(struct r8152 *tp)
 {
-	if (tp->udev->state == USB_STATE_NOTATTACHED) {
-		set_bit(RTL8152_INACCESSIBLE, &tp->flags);
-		smp_mb__after_atomic();
-	}
+	if (tp->udev->state == USB_STATE_NOTATTACHED)
+		rtl_set_inaccessible(tp);
 }
 
 static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
@@ -8295,7 +8389,7 @@ static int rtl8152_pre_reset(struct usb_interface *intf)
 	struct r8152 *tp = usb_get_intfdata(intf);
 	struct net_device *netdev;
 
-	if (!tp)
+	if (!tp || !test_bit(PROBED_WITH_NO_ERRORS, &tp->flags))
 		return 0;
 
 	netdev = tp->netdev;
@@ -8310,7 +8404,9 @@ static int rtl8152_pre_reset(struct usb_interface *intf)
 	napi_disable(&tp->napi);
 	if (netif_carrier_ok(netdev)) {
 		mutex_lock(&tp->control);
+		set_bit(IN_PRE_RESET, &tp->flags);
 		tp->rtl_ops.disable(tp);
+		clear_bit(IN_PRE_RESET, &tp->flags);
 		mutex_unlock(&tp->control);
 	}
 
@@ -8323,9 +8419,11 @@ static int rtl8152_post_reset(struct usb_interface *intf)
 	struct net_device *netdev;
 	struct sockaddr sa;
 
-	if (!tp)
+	if (!tp || !test_bit(PROBED_WITH_NO_ERRORS, &tp->flags))
 		return 0;
 
+	rtl_set_accessible(tp);
+
 	/* reset the MAC address in case of policy change */
 	if (determine_ethernet_addr(tp, &sa) >= 0) {
 		rtnl_lock();
@@ -9527,17 +9625,29 @@ static u8 __rtl_get_hw_ver(struct usb_device *udev)
 	__le32 *tmp;
 	u8 version;
 	int ret;
+	int i;
 
 	tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
 	if (!tmp)
 		return 0;
 
-	ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
-			      RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
-			      PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp),
-			      USB_CTRL_GET_TIMEOUT);
-	if (ret > 0)
-		ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK;
+	/* Retry up to 3 times in case there is a transitory error. We do this
+	 * since retrying a read of the version is always safe and this
+	 * function doesn't take advantage of r8152_control_msg().
+	 */
+	for (i = 0; i < 3; i++) {
+		ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+				      RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+				      PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp),
+				      USB_CTRL_GET_TIMEOUT);
+		if (ret > 0) {
+			ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK;
+			break;
+		}
+	}
+
+	if (i != 0 && ret > 0)
+		dev_warn(&udev->dev, "Needed %d retries to read version\n", i);
 
 	kfree(tmp);
 
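Review bot: the retry loop accepts any `ret > 0` as success, but `tmp` comes from kmalloc() and is not zeroed, so a short read of fewer than sizeof(*tmp) bytes would have `ocp_data` computed partly from uninitialised heap. Compare `ret` against `sizeof(*tmp)` before decoding. When all three attempts fail nothing is logged here, since the dev_warn() only fires on `ret > 0`; a message on final failure would make a failed probe easier to diagnose.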
@@ -9636,25 +9746,14 @@ static bool rtl8152_supports_lenovo_macpassthru(struct usb_device *udev)
 	return 0;
 }
 
-static int rtl8152_probe(struct usb_interface *intf,
-			 const struct usb_device_id *id)
+static int rtl8152_probe_once(struct usb_interface *intf,
+			      const struct usb_device_id *id, u8 version)
 {
 	struct usb_device *udev = interface_to_usbdev(intf);
 	struct r8152 *tp;
 	struct net_device *netdev;
-	u8 version;
 	int ret;
 
-	if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
-		return -ENODEV;
-
-	if (!rtl_check_vendor_ok(intf))
-		return -ENODEV;
-
-	version = rtl8152_get_version(intf);
-	if (version == RTL_VER_UNKNOWN)
-		return -ENODEV;
-
 	usb_reset_device(udev);
 	netdev = alloc_etherdev(sizeof(struct r8152));
 	if (!netdev) {
@@ -9818,10 +9917,20 @@ static int rtl8152_probe(struct usb_interface *intf,
 	else
 		device_set_wakeup_enable(&udev->dev, false);
 
+	/* If we saw a control transfer error while probing then we may
+	 * want to try probe() again. Consider this an error.
+	 */
+	if (test_bit(PROBE_SHOULD_RETRY, &tp->flags))
+		goto out2;
+
+	set_bit(PROBED_WITH_NO_ERRORS, &tp->flags);
 	netif_info(tp, probe, netdev, "%s\n", DRIVER_VERSION);
 
 	return 0;
 
+out2:
+	unregister_netdev(netdev);
+
 out1:
 	tasklet_kill(&tp->tx_tl);
 	cancel_delayed_work_sync(&tp->hw_phy_work);
@@ -9830,10 +9939,46 @@ static int rtl8152_probe(struct usb_interface *intf,
 	rtl8152_release_firmware(tp);
 	usb_set_intfdata(intf, NULL);
 out:
+	if (test_bit(PROBE_SHOULD_RETRY, &tp->flags))
+		ret = -EAGAIN;
+
 	free_netdev(netdev);
 	return ret;
 }
 
+#define RTL8152_PROBE_TRIES	3
+
+static int rtl8152_probe(struct usb_interface *intf,
+			 const struct usb_device_id *id)
+{
+	u8 version;
+	int ret;
+	int i;
+
+	if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
+		return -ENODEV;
+
+	if (!rtl_check_vendor_ok(intf))
+		return -ENODEV;
+
+	version = rtl8152_get_version(intf);
+	if (version == RTL_VER_UNKNOWN)
+		return -ENODEV;
+
+	for (i = 0; i < RTL8152_PROBE_TRIES; i++) {
+		ret = rtl8152_probe_once(intf, id, version);
+		if (ret != -EAGAIN)
+			break;
+	}
+	if (ret == -EAGAIN) {
+		dev_err(&intf->dev,
+			"r8152 failed probe after %d tries; giving up\n", i);
+		return -ENODEV;
+	}
+
+	return ret;
+}
+
 static void rtl8152_disconnect(struct usb_interface *intf)
 {
 	struct r8152 *tp = usb_get_intfdata(intf);
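Review bot: at the `out:` label, `ret = -EAGAIN` overwrites whatever error the failing step returned whenever PROBE_SHOULD_RETRY is set, so a non-transient failure that happens after one bad control transfer is retried up to RTL8152_PROBE_TRIES times and finally reported as -ENODEV, losing the original code. Consider retrying only when the failing call itself reported the transfer error, or log the original `ret` before it is replaced. Each retry also starts with `usb_reset_device(udev)` in rtl8152_probe_once(), so the loop can issue three back-to-back resets; a comment stating that this is intended would help.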
-- 
2.53.0





* [PATCH 7.0 166/378] drm/xe: fix job timeout recovery for unstarted jobs and kernel queues
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 165/378] drm/xe: fix refcount leak in xe_range_fence_insert() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 167/378] accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range() Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthew Auld, Matthew Brost,
	Sanjay Yadav, Himal Prasad Ghimiray, Rodrigo Vivi, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Vivi <rodrigo.vivi@intel.com>

[ Upstream commit 347ccc0453fca2c669e8dc8a72000e76ca4adf10 ]

A job that GuC never scheduled (never started) indicates a GuC
scheduling failure; previously such jobs were silently errored out
instead of triggering a GT reset to recover. Trigger a GT reset and
resubmit them, but only when the queue was not already killed or banned:
an unstarted job on an already banned queue is the ban working as
intended and must neither clear the ban nor kick off a reset, otherwise
a banned userspace queue could be resurrected and spam GT resets.

Kernel queues are always recovered this way and wedge the device once
recovery attempts are exhausted, since kernel work must not silently
fail. A started job that times out on a userspace VM bind queue stays
banned rather than being reset and retried.

The queue is banned early in the timeout handler to signal the G2H
scheduling-done handler so it wakes the disable-scheduling waiter;
without it the waiter sleeps the full 5s timeout. When a reset is
warranted the ban is cleared before rearming so that
guc_exec_queue_start() can resubmit jobs after the GT reset - a
still-banned queue would block resubmission and cause an infinite TDR
loop. The already-banned case is gated out before this point via
skip_timeout_check, so it is unaffected.

v2: (Himal) Do it for any queue type, not just kernel/migration
v3: - (Sashiko and Sanjay): don't clear the ban / GT reset for already
      killed/banned queues on unstarted-job timeout
    - Update commit message
    - (Matt) Add Fixes tag

Fixes: fe05cee4d953 ("drm/xe: Don't short circuit TDR on jobs not started")
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Assisted-by: GitHub-Copilot:claude-sonnet-4.6
Assisted-by: GitHub-Copilot:claude-opus-4.8
Tested-by: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Reviewed-by: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Link: https://patch.msgid.link/20260610152548.404575-3-rodrigo.vivi@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit b1107d085e7e8ed15ba6f80c102528a9c8a6cb0e)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/xe/xe_guc_submit.c | 49 +++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 14 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
index e948f40fa17896..6365eca9816092 100644
--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -159,6 +159,11 @@ static void set_exec_queue_banned(struct xe_exec_queue *q)
 	atomic_or(EXEC_QUEUE_STATE_BANNED, &q->guc->state);
 }
 
+static void clear_exec_queue_banned(struct xe_exec_queue *q)
+{
+	atomic_andnot(EXEC_QUEUE_STATE_BANNED, &q->guc->state);
+}
+
 static bool exec_queue_suspended(struct xe_exec_queue *q)
 {
 	return atomic_read(&q->guc->state) & EXEC_QUEUE_STATE_SUSPENDED;
@@ -1326,7 +1331,8 @@ static bool check_timeout(struct xe_exec_queue *q, struct xe_sched_job *job)
 			   xe_sched_job_seqno(job), xe_sched_job_lrc_seqno(job),
 			   q->guc->id);
 
-		return xe_sched_invalidate_job(job, 2);
+		/* GuC never scheduled this job - let the caller trigger a GT reset. */
+		return true;
 	}
 
 	ctx_timestamp = lower_32_bits(xe_lrc_timestamp(q->lrc[0]));
@@ -1423,6 +1429,21 @@ static void disable_scheduling(struct xe_exec_queue *q, bool immediate)
 			       G2H_LEN_DW_SCHED_CONTEXT_MODE_SET, 1);
 }
 
+/*
+ * Recover via GT reset for a kernel queue, or for a GuC scheduling failure (job
+ * never started) on a queue that was not already killed or banned. An already
+ * banned queue must stay banned, so its unstarted jobs do not clear the ban or
+ * trigger a reset.
+ */
+static bool timeout_needs_gt_reset(struct xe_exec_queue *q, struct xe_sched_job *job,
+				   bool skip_timeout_check)
+{
+	if (q->flags & EXEC_QUEUE_FLAG_KERNEL)
+		return true;
+
+	return !skip_timeout_check && !xe_sched_job_started(job);
+}
+
 static enum drm_gpu_sched_stat
 guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
 {
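Review bot: timeout_needs_gt_reset() uses `!skip_timeout_check` to mean "the queue was not already killed or banned", but that meaning appears only in the comment above the function and depends on how the caller computes the flag. Pass the condition under a name that says what it is, or test the killed/banned state inside the helper, so a later change to when the timeout check is skipped does not silently change reset policy.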
@@ -1573,19 +1594,19 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
 			       xe_sched_job_seqno(job), xe_sched_job_lrc_seqno(job),
 			       q->guc->id, q->flags);
 
-	/*
-	 * Kernel jobs should never fail, nor should VM jobs if they do
-	 * somethings has gone wrong and the GT needs a reset
-	 */
-	xe_gt_WARN(q->gt, q->flags & EXEC_QUEUE_FLAG_KERNEL,
-		   "Kernel-submitted job timed out\n");
-	xe_gt_WARN(q->gt, q->flags & EXEC_QUEUE_FLAG_VM && !exec_queue_killed(q),
-		   "VM job timed out on non-killed execqueue\n");
-	if (!wedged && (q->flags & EXEC_QUEUE_FLAG_KERNEL ||
-			(q->flags & EXEC_QUEUE_FLAG_VM && !exec_queue_killed(q)))) {
-		if (!xe_sched_invalidate_job(job, 2)) {
-			xe_gt_reset_async(q->gt);
-			goto rearm;
+	if (!wedged) {
+		if (timeout_needs_gt_reset(q, job, skip_timeout_check)) {
+			if (!xe_sched_invalidate_job(job, 2)) {
+				clear_exec_queue_banned(q);
+				xe_gt_reset_async(q->gt);
+				goto rearm;
+			}
+			if (q->flags & EXEC_QUEUE_FLAG_KERNEL) {
+				xe_gt_WARN(q->gt, true, "Kernel-submitted job timed out\n");
+				xe_device_declare_wedged(gt_to_xe(q->gt));
+			}
+		} else if (q->flags & EXEC_QUEUE_FLAG_VM && !exec_queue_killed(q)) {
+			xe_gt_WARN(q->gt, true, "VM job timed out on non-killed execqueue\n");
 		}
 	}
 
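Review bot: in the `if (timeout_needs_gt_reset(q, job, skip_timeout_check))` branch, when xe_sched_invalidate_job(job, 2) returns true for a non-kernel queue, control falls through with no message, while the kernel-queue case warns and wedges and the `else if` case warns for VM queues. Add a log line for the exhausted-retries case on userspace queues so the failure is visible. Also, clear_exec_queue_banned(q) runs for kernel queues even when skip_timeout_check is true, because the helper returns true for EXEC_QUEUE_FLAG_KERNEL before looking at it; if a kernel queue can already be banned on entry, a comment that clearing the ban is intended would help.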
-- 
2.53.0





* [PATCH 6.1 250/522] r8152: handle the return value of usb_reset_device()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 249/522] r8152: Block future register access if register access fails Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 251/522] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
                   ` (272 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chih Kai Hsu, Hayes Wang,
	Andrew Lunn, Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chih Kai Hsu <hsu.chih.kai@realtek.com>

[ Upstream commit 19440600e729d4f74a42591a872099cf25c7d28a ]

If usb_reset_device() returns a negative error code, stop the
process of probing.

Fixes: 10c3271712f5 ("r8152: disable the ECM mode")
Signed-off-by: Chih Kai Hsu <hsu.chih.kai@realtek.com>
Reviewed-by: Hayes Wang <hayeswang@realtek.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260604092247.27158-450-nic_swsd@realtek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index e8a69d3d418379..c0f7a15e406fee 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -9754,7 +9754,12 @@ static int rtl8152_probe_once(struct usb_interface *intf,
 	struct net_device *netdev;
 	int ret;
 
-	usb_reset_device(udev);
+	ret = usb_reset_device(udev);
+	if (ret < 0) {
+		dev_err(&intf->dev, "USB reset failed, errno=%d\n", ret);
+		return ret;
+	}
+
 	netdev = alloc_etherdev(sizeof(struct r8152));
 	if (!netdev) {
 		dev_err(&intf->dev, "Out of memory\n");
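Review bot: the new `return ret` on reset failure hands the raw error to rtl8152_probe(), whose loop only retries on -EAGAIN, so a transient usb_reset_device() failure ends the probe on the first attempt while control-transfer errors get RTL8152_PROBE_TRIES attempts. If that asymmetry is intended, say so in a comment; otherwise route the failure through the retry path. Printing the code with `%pe` and ERR_PTR(ret) would also put a symbolic errno in the log.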
-- 
2.53.0





* [PATCH 7.0 167/378] accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 166/378] drm/xe: fix job timeout recovery for unstarted jobs and kernel queues Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 168/378] namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD), Lizhi Hou,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lizhi Hou <lizhi.hou@amd.com>

[ Upstream commit 2f41af638c92bac6f1f9275ea2d1901baef578f3 ]

aie2_populate_range() jumps back to the again label without calling
mmput(mm), leaking a reference to the mm_struct.

Add the missing mmput() before jumping to again.

Fixes: e486147c912f ("accel/amdxdna: Add BO import and export")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260610151127.2994185-1-lizhi.hou@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/accel/amdxdna/aie2_ctx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/accel/amdxdna/aie2_ctx.c b/drivers/accel/amdxdna/aie2_ctx.c
index c0d348884f7494..4c7264c6e6e76f 100644
--- a/drivers/accel/amdxdna/aie2_ctx.c
+++ b/drivers/accel/amdxdna/aie2_ctx.c
@@ -928,6 +928,7 @@ static int aie2_populate_range(struct amdxdna_gem_obj *abo)
 
 		if (ret == -EBUSY) {
 			amdxdna_umap_put(mapp);
+			mmput(mm);
 			goto again;
 		}
 
@@ -938,11 +939,13 @@ static int aie2_populate_range(struct amdxdna_gem_obj *abo)
 	if (mmu_interval_read_retry(&mapp->notifier, mapp->range.notifier_seq)) {
 		up_write(&xdna->notifier_lock);
 		amdxdna_umap_put(mapp);
+		mmput(mm);
 		goto again;
 	}
 	mapp->invalid = false;
 	up_write(&xdna->notifier_lock);
 	amdxdna_umap_put(mapp);
+	mmput(mm);
 	goto again;
 
 put_mm:
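Review bot: the sequence `amdxdna_umap_put(mapp); mmput(mm); goto again;` now appears three times across these two hunks, which is the pattern that let the mmput() be missed in the first place. Fold the release into one label (for example a retry label that drops both references and then jumps to `again`) so that a retry path added later cannot skip one of them.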
-- 
2.53.0





* [PATCH 6.1 251/522] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 250/522] r8152: handle the return value of usb_reset_device() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 252/522] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
                   ` (271 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Xin Long,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit f8373d7090b745728de66308deeecc67e8d319ce ]

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260608122234.459098-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/input.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 182898cb754a52..70530cbe57d0a7 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1197,6 +1197,14 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 	/* Skip over the ADDIP header and find the Address parameter */
 	param = (union sctp_addr_param *)(asconf + 1);
 
+	/* The whole address parameter must lie within the chunk before
+	 * af->from_addr_param() reads the variable-length address; otherwise a
+	 * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+	 * the parameter.
+	 */
+	if (sizeof(*asconf) + ntohs(param->p.length) > ntohs(ch->length))
+		return NULL;
+
 	af = sctp_get_af_specific(param_type2af(param->p.type));
 	if (unlikely(!af))
 		return NULL;
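Review bot: the new check bounds the declared `param->p.length` against `ch->length`, but it sets no lower bound on the declared length for the address family, so a parameter whose type says IPv6 and whose declared length covers only the 4-byte header would pass it. Confirm that af->from_addr_param() rejects a declared length shorter than the address it reads and say so in the comment; otherwise compare against the size the family requires once sctp_get_af_specific() has succeeded.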
-- 
2.53.0





* [PATCH 7.0 168/378] namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 167/378] accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 169/378] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Al Viro, Christian Brauner, Jan Kara,
	stable, Jann Horn, Linus Torvalds

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 805d5a2b792819171be100c50c9ddafa0f8c2231 upstream.

open_tree(..., OPEN_TREE_NAMESPACE) and
fsmount(..., FSMOUNT_NAMESPACE, ...) currently work on non-directories,
like regular files. That's bad for two reasons:

 - It ends up mounting a regular file over the inherited namespace root,
   which is a directory; mounting a non-directory over a directory is
   normally explicitly forbidden, see for example do_move_mount()

 - It causes setns() on the new namespace to set the cwd to a regular
   file, which the rest of VFS does not expect

Fix it by restricting create_new_namespace() (which is used by both of
these flags) to directories.

Leave the behavior for OPEN_TREE_CLONE as-is, that seems unproblematic.

Fixes: 9b8a0ba68246 ("mount: add OPEN_TREE_NAMESPACE")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/namespace.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3098,6 +3098,9 @@ static struct mnt_namespace *create_new_
 	unsigned int copy_flags = 0;
 	bool locked = false;
 
+	if (unlikely(!d_can_lookup(path->dentry)))
+		return ERR_PTR(-ENOTDIR);
+
 	if (user_ns != ns->user_ns)
 		copy_flags |= CL_SLAVE;
 




* [PATCH 6.1 252/522] net: guard timestamp cmsgs to real error queue skbs
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 251/522] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 253/522] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
                   ` (270 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Kuniyuki Iwashima,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit 1ee90b77b727df903033db873c75caac5c27ec98 ]

skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.

Fixes: 8605330aac5a ("tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260607021819.49698-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/sock.h |  1 +
 net/core/skbuff.c  |  6 +++---
 net/socket.c       | 11 ++++++-----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 2d34dd5941e795..1e7096e9bc4842 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1945,6 +1945,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
 			     gfp_t priority);
 void skb_orphan_partial(struct sk_buff *skb);
 void sock_rfree(struct sk_buff *skb);
+void sock_rmem_free(struct sk_buff *skb);
 void sock_efree(struct sk_buff *skb);
 #ifdef CONFIG_INET
 void sock_edemux(struct sk_buff *skb);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f1f5b2b25f8522..f41dd20991c3df 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4810,7 +4810,7 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
 }
 EXPORT_SYMBOL_GPL(skb_cow_data);
 
-static void sock_rmem_free(struct sk_buff *skb)
+void sock_rmem_free(struct sk_buff *skb)
 {
 	struct sock *sk = skb->sk;
 
@@ -4819,8 +4819,8 @@ static void sock_rmem_free(struct sk_buff *skb)
 
 static void skb_set_err_queue(struct sk_buff *skb)
 {
-	/* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
-	 * So, it is safe to (mis)use it to mark skbs on the error queue.
+	/* The error-queue test in skb_is_err_queue() matches this marker
+	 * with the sock_rmem_free destructor installed by sock_queue_err_skb().
 	 */
 	skb->pkt_type = PACKET_OUTGOING;
 	BUILD_BUG_ON(PACKET_OUTGOING == 0);
diff --git a/net/socket.c b/net/socket.c
index 701389e2f22b3a..f2b4cf9b09a322 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -807,12 +807,13 @@ EXPORT_SYMBOL(kernel_sendmsg_locked);
 
 static bool skb_is_err_queue(const struct sk_buff *skb)
 {
-	/* pkt_type of skbs enqueued on the error queue are set to
-	 * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
-	 * in recvmsg, since skbs received on a local socket will never
-	 * have a pkt_type of PACKET_OUTGOING.
+	/* Error-queue skbs are marked as PACKET_OUTGOING in
+	 * skb_set_err_queue() and use the destructor installed by
+	 * sock_queue_err_skb(). PACKET_OUTGOING alone is not unique:
+	 * AF_PACKET outgoing taps use the same pkt_type.
 	 */
-	return skb->pkt_type == PACKET_OUTGOING;
+	return skb->pkt_type == PACKET_OUTGOING &&
+	       skb->destructor == sock_rmem_free;
 }
 
 /* On transmit, software and hardware timestamps are returned independently.
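Review bot: skb_is_err_queue() now identifies error-queue skbs by comparing `skb->destructor` with sock_rmem_free, which ties the test to an implementation detail of sock_queue_err_skb(). A future path that queues to sk_error_queue with a different destructor, or re-owns the skb after queuing, would stop being treated as error-queue, and any other user of sock_rmem_free on a PACKET_OUTGOING skb would start being treated as one. The comment here covers readers of net/socket.c; add a matching note at the sock_rmem_free() definition in net/core/skbuff.c and at the new declaration in include/net/sock.h that the function address is used as a marker.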
-- 
2.53.0





* [PATCH 7.0 169/378] netfilter: nft_tunnel: fix use-after-free on object destroy
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 168/378] namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 170/378] netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tristan Madani,
	Fernando Fernandez Mancera, Florian Westphal, Pablo Neira Ayuso

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nft_tunnel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -702,7 +702,7 @@ static void nft_tunnel_obj_destroy(const
 {
 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
 
-	metadata_dst_free(priv->md);
+	dst_release(&priv->md->dst);
 }
 
 static struct nft_object_type nft_tunnel_obj_type;
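Review bot: nothing at the call site records why dst_release() is used instead of metadata_dst_free(), and the two look interchangeable to someone tidying nft_tunnel_obj_destroy() later. A one-line comment that in-flight packets may still hold a reference taken in nft_tunnel_obj_eval() would keep the direct free from being reintroduced.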




* [PATCH 6.1 253/522] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (251 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 252/522] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 254/522] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
	Allison Henderson, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit 34080db3e70ddf94c38512ad2331e3c3afca6cc1 ]

rds_ib_xmit_atomic() always programs a masked atomic opcode
(IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD)
for every RDS atomic cmsg.  But the completion-side switch in
rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked
atomic completion falls through to default and returns rm == NULL while
send->s_op is left set.  rds_ib_send_cqe_handler() then dereferences the
NULL rm via rm->m_final_op, oopsing in softirq context.  An unprivileged
AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection
triggers it; on hardware that natively accepts masked atomics (mlx4,
mlx5) no extra setup is needed.

  RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!
  Oops: general protection fault [#1] SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]
  RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)
  Call Trace:
   <IRQ>
   rds_ib_send_cqe_handler (net/rds/ib_send.c:282)
   poll_scq (net/rds/ib_cm.c:274)
   rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294)
   tasklet_action_common (kernel/softirq.c:943)
   handle_softirqs (kernel/softirq.c:573)
   run_ksoftirqd (kernel/softirq.c:479)
   </IRQ>
  Kernel panic - not syncing: Fatal exception in interrupt

Handle the masked atomic opcodes in the same case as the non-masked
ones: they map to the same struct rds_message.atomic union member, so
the existing container_of()/rds_ib_send_unmap_atomic() body is correct
for them.

Fixes: 20c72bd5f5f9 ("RDS: Implement masked atomic operations")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260606192447.1179255-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/ib_send.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index 4190b90ff3b18a..1909cd440a4b66 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -170,6 +170,8 @@ static struct rds_message *rds_ib_send_unmap_op(struct rds_ib_connection *ic,
 		break;
 	case IB_WR_ATOMIC_FETCH_AND_ADD:
 	case IB_WR_ATOMIC_CMP_AND_SWP:
+	case IB_WR_MASKED_ATOMIC_FETCH_AND_ADD:
+	case IB_WR_MASKED_ATOMIC_CMP_AND_SWP:
 		if (send->s_op) {
 			rm = container_of(send->s_op, struct rds_message, atomic);
 			rds_ib_send_unmap_atomic(ic, send->s_op, wc_status);
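Review bot: the two new case labels cover the masked opcodes only; the default branch of this switch still returns rm == NULL with send->s_op left set, which is exactly the state the commit message says rds_ib_send_cqe_handler() dereferences via rm->m_final_op. Any opcode that reaches default in future would bring back the same softirq oops, so consider also checking rm for NULL in the caller before touching rm->m_final_op.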
-- 
2.53.0





* [PATCH 7.0 170/378] netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 169/378] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 171/378] tee: shm: fix shm leak in register_shm_helper() Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Davide Ornaghi, Pablo Neira Ayuso

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Ornaghi <d.ornaghi97@gmail.com>

commit c7d573551f9286100a055ef696cde6af54549677 upstream.

NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.

Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/netfilter/nft_meta_bridge.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -64,6 +64,8 @@ static void nft_meta_bridge_get_eval(con
 		if (!br_dev)
 			goto err;
 
+		/* ETH_ALEN (6) is shorter than the destination register span (8) */
+		dest[1] = 0;
 		memcpy(dest, br_dev->dev_addr, ETH_ALEN);
 		return;
 	default:
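Review bot: `dest[1] = 0;` is only correct because it runs before the memcpy(), which then overwrites the first two bytes of that register; the comment should say so, since swapping the two lines would silently clear the last two bytes of the MAC address. Deriving the index from ETH_ALEN and the register width, rather than a literal 1, would also keep the store correct if the register rounding ever changes.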




* [PATCH 6.1 254/522] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (252 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 253/522] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 255/522] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
                   ` (268 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Steffen Klassert,
	Nicolas Dichtel, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 ]

In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
  (wildcard remote).

- Tunnels matching the packet's remote address, with any local address
  (wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.

Fixes: fbe68ee87522 ("vti6: Add a lookup method for tunnels with wildcard endpoints.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260608164613.933023-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/ip6_vti.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index ead8f1ecd8271b..8808067df5168c 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -105,6 +105,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
 	hash = HASH(&any, local);
 	for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 		if (ipv6_addr_equal(local, &t->parms.laddr) &&
+		    ipv6_addr_any(&t->parms.raddr) &&
 		    (t->dev->flags & IFF_UP))
 			return t;
 	}
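Review bot: the added ipv6_addr_any(&t->parms.raddr) test has no comment, and nothing at this call site says that ip6n->tnls_r_l also holds fully specified tunnels that can land in the same bucket. A one-line comment above the loop, for example that only tunnels with a wildcard remote are eligible in this fallback, would keep the check from being dropped as redundant in a later cleanup.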
@@ -112,6 +113,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
 	hash = HASH(remote, &any);
 	for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 		if (ipv6_addr_equal(remote, &t->parms.raddr) &&
+		    ipv6_addr_any(&t->parms.laddr) &&
 		    (t->dev->flags & IFF_UP))
 			return t;
 	}
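Review bot: the wildcard-local fallback gets the mirror check on t->parms.laddr, but the diffstat shows only net/ipv6/ip6_vti.c changing, so nothing exercises the mismatch case. A selftest that configures a fully specified tunnel next to a wildcard tunnel and verifies which one receives a packet would pin the behaviour of both loops.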
-- 
2.53.0





* [PATCH 7.0 171/378] tee: shm: fix shm leak in register_shm_helper()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 170/378] netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 172/378] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, lvc-project, Georgiy Osokin,
	Sumit Garg, Jens Wiklander

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Georgiy Osokin <g.osokin@auroraos.dev>

commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.

register_shm_helper() allocates shm before calling
iov_iter_npages(). If iov_iter_npages() returns 0, the function
jumps to err_ctx_put and leaks shm.

This can be triggered by TEE_IOC_SHM_REGISTER with
struct tee_ioctl_shm_register_data where length is 0.

Jump to err_free_shm instead.

Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
Cc: stable@vger.kernel.org
Cc: lvc-project@linuxtesting.org
Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/tee_shm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -435,7 +435,7 @@ register_shm_helper(struct tee_context *
 	num_pages = iov_iter_npages(iter, INT_MAX);
 	if (!num_pages) {
 		ret = ERR_PTR(-ENOMEM);
-		goto err_ctx_put;
+		goto err_free_shm;
 	}
 
 	shm->pages = kzalloc_objs(*shm->pages, num_pages);
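Review bot: with the jump target fixed, the `if (!num_pages)` branch still returns -ENOMEM, although the commit message says it is reached by a TEE_IOC_SHM_REGISTER call with length 0, which is a caller error rather than an allocation failure. -EINVAL would describe it better; if the errno is kept for ABI reasons, a short comment on that branch should say so.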




* [PATCH 6.1 255/522] rds: mark snapshot pages dirty in rds_info_getsockopt()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 254/522] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 256/522] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Greg Kroah-Hartman
                   ` (267 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Breno Leitao, Allison Henderson,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

[ Upstream commit 512db8267b73a220a64180d95ab5eebe7c4964a8 ]

rds_info_getsockopt() pins the destination user pages with FOLL_WRITE and
the RDS_INFO_* producers memcpy the snapshot into them through
kmap_atomic(). Because that copy goes through the kernel direct map, the
dirty bit on the user PTE is never set, so unpin_user_pages() releases the
pages without marking them dirty. A file-backed destination page can then
be reclaimed without writeback, silently discarding the copied data.

Use unpin_user_pages_dirty_lock() with make_dirty=true so the modified
pages are marked dirty before they are unpinned.

Fixes: a8c879a7ee98 ("RDS: Info and stats")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260608-rds_fix-v1-1-006c88543408@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/info.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rds/info.c b/net/rds/info.c
index b6b46a8214a0a5..b3ee5f8238c44d 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -235,7 +235,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
 
 out:
 	if (pages)
-		unpin_user_pages(pages, nr_pages);
+		unpin_user_pages_dirty_lock(pages, nr_pages, true);
 	kfree(pages);
 
 	return ret;
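Review bot: `unpin_user_pages_dirty_lock(pages, nr_pages, true)` sits under the shared out: label, so any exit that reaches it with pages pinned marks them dirty, including exits where ret is an error and no producer wrote to them. That is safe but can schedule writeback of unmodified file-backed pages; passing a condition that reflects whether the snapshot was actually copied, instead of a literal true, would limit the dirtying to pages that were written.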
-- 
2.53.0





* [PATCH 7.0 172/378] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 171/378] tee: shm: fix shm leak in register_shm_helper() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 173/378] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Luiz Augusto von Dentz

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.

Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.

Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.

Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_sync.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -1725,6 +1725,11 @@ static int hci_adv_bcast_annoucement(str
 	/* Generate Broadcast ID */
 	get_random_bytes(bid, sizeof(bid));
 	len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
+	if (adv->adv_data_len > sizeof(ad) - len) {
+		bt_dev_err(hdev, "No room for Broadcast Announcement");
+		return -EINVAL;
+	}
+
 	memcpy(ad + len, adv->adv_data, adv->adv_data_len);
 	hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
 				  ad, 0, NULL);
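Review bot: the bound `adv->adv_data_len > sizeof(ad) - len` is only sound while len never exceeds sizeof(ad); if it did, the unsigned subtraction would wrap and the check would pass for any adv_data_len. That holds as long as eir_append_service_data() cannot report more than the buffer holds, which is worth stating in a comment above the check. The bt_dev_err() text would also be more useful with len and adv->adv_data_len included.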




* [PATCH 6.1 256/522] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 255/522] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 257/522] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
                   ` (266 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
	Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit c3009418f9fa1dcb3eb86f4d8c92583537b5faa3 ]

NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.

When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:

 Oops: int3: 0000 [#1] SMP KASAN NOPTI
 RIP: 0010:0xffffffffa06102d1
  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
  nf_hook_slow (net/netfilter/core.c:619)
  __ip_local_out (net/ipv4/ip_output.c:120)
  __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
  tcp_connect (net/ipv4/tcp_output.c:4374)
  tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
  __sys_connect (net/socket.c:2167)
 Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops.

Fixes: f587de0e2feb ("[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netfilter/nf_conntrack_helper.h |  1 +
 net/ipv4/netfilter/nf_nat_h323.c            |  2 ++
 net/netfilter/nf_conntrack_helper.c         | 19 +++++++++++++++++++
 net/netfilter/nf_nat_core.c                 |  2 ++
 net/netfilter/nf_nat_sip.c                  |  1 +
 5 files changed, 25 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 9939c366f720d4..2435039434ea9d 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -152,6 +152,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 
 void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n);
 void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n);
+void nf_ct_helper_expectfn_destroy(const struct nf_ct_helper_expectfn *n);
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_name(const char *name);
 struct nf_ct_helper_expectfn *
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index faee20af485613..10e1b0837731b7 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -555,6 +555,8 @@ static void __exit nf_nat_h323_fini(void)
 	nf_ct_helper_expectfn_unregister(&q931_nat);
 	nf_ct_helper_expectfn_unregister(&callforwarding_nat);
 	synchronize_rcu();
+	nf_ct_helper_expectfn_destroy(&q931_nat);
+	nf_ct_helper_expectfn_destroy(&callforwarding_nat);
 }
 
 /****************************************************************************/
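Review bot: the two destroy calls run after synchronize_rcu(), but nothing in this exit path shows what stops a new expectation carrying one of these callbacks from being created between the unregister calls and the table walk, while nf_conntrack_h323 is still loaded as in the reported trace. If an earlier step in nf_nat_h323_fini() already prevents that, a comment saying so would make the ordering verifiable from this function alone.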
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 6a2ad31ac62f12..8e72c3d4db4ad1 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -286,6 +286,25 @@ void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n)
 }
 EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_unregister);
 
+static bool expect_iter_expectfn(struct nf_conntrack_expect *exp, void *data)
+{
+	const struct nf_ct_helper_expectfn *n = data;
+
+	/* Relies on registered expectfn descriptors having unique ->expectfn
+	 * pointers, which holds for the in-tree NAT helpers.
+	 */
+	return exp->expectfn == n->expectfn;
+}
+
+/* Destroy expectations still pointing at @n->expectfn; call after the
+ * caller's RCU grace period so none outlives the (often modular) callback.
+ */
+void nf_ct_helper_expectfn_destroy(const struct nf_ct_helper_expectfn *n)
+{
+	nf_ct_expect_iterate_destroy(expect_iter_expectfn, (void *)n);
+}
+EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_destroy);
+
 /* Caller should hold the rcu lock */
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_name(const char *name)
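Review bot: expect_iter_expectfn() matches on the raw function pointer and its own comment admits the match depends on every registered descriptor having a unique ->expectfn, yet nothing enforces that. A WARN_ON_ONCE() in nf_ct_helper_expectfn_register() when a duplicate ->expectfn is registered would turn the assumption into a checked invariant. The `(void *)n` cast also drops the const qualifier only to fit the iterator's void *data parameter, which deserves a brief remark since the callback immediately restores const.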
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 6b683ff015b9cc..cf7c06b79d5614 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -1157,6 +1157,7 @@ static int __init nf_nat_init(void)
 		RCU_INIT_POINTER(nf_nat_hook, NULL);
 		nf_ct_helper_expectfn_unregister(&follow_master_nat);
 		synchronize_net();
+		nf_ct_helper_expectfn_destroy(&follow_master_nat);
 		unregister_pernet_subsys(&nat_net_ops);
 		kvfree(nf_nat_bysource);
 	}
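Review bot: this is the failure branch of nf_nat_init(), and the patch does not say whether any expectation can already reference follow_master_nat at this point. If none can, the call is a no-op kept for symmetry with nf_nat_cleanup() and a short comment should say that; if one can, the commit message should mention this path alongside the module exit paths it describes.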
@@ -1174,6 +1175,7 @@ static void __exit nf_nat_cleanup(void)
 	RCU_INIT_POINTER(nf_nat_hook, NULL);
 
 	synchronize_net();
+	nf_ct_helper_expectfn_destroy(&follow_master_nat);
 	kvfree(nf_nat_bysource);
 	unregister_pernet_subsys(&nat_net_ops);
 }
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index 9fbfc6bff0c221..00838c0cc5bb28 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -655,6 +655,7 @@ static void __exit nf_nat_sip_fini(void)
 	RCU_INIT_POINTER(nf_nat_sip_hooks, NULL);
 	nf_ct_helper_expectfn_unregister(&sip_nat);
 	synchronize_rcu();
+	nf_ct_helper_expectfn_destroy(&sip_nat);
 }
 
 static const struct nf_nat_sip_hooks sip_hooks = {
-- 
2.53.0





* [PATCH 7.0 173/378] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 172/378] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 174/378] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
	Michael Bommarito, Luiz Augusto von Dentz

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit dd214733544427587a95f66dbf3adff072568990 upstream.

net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
signaling packets up to the channel MTU and dispatches each command
without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
within radio range can send a fixed-channel CID 0x0001 packet that is
larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
pairing. In a real-radio stock-kernel run, one 681-byte signaling
packet containing 168 zero-length ECHO_REQ commands made the target
transmit 168 ECHO_RSP frames over about 220 ms.

Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
packet containing packed ECHO_REQ commands.

Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.

The Bluetooth Core spec wording for MTUExceeded says the reject
identifier shall match the first request command in the packet, and
that packets containing only responses shall be silently discarded.
Linux intentionally deviates from that prescription: silently
discarding desynchronizes the peer because the remote stack never
learns its responses were dropped, and locating the first request
command requires walking command headers past MTUsig, i.e. processing
bytes from a packet we have already decided is too large to process.
We therefore always emit one reject and use the identifier from the
first command header, a single fixed-offset byte read.

The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
trace to the initial git import; no later introducing commit is
available for a Fixes tag.

Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/bluetooth/l2cap.h |    1 
 net/bluetooth/l2cap_core.c    |   46 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -33,6 +33,7 @@
 /* L2CAP defaults */
 #define L2CAP_DEFAULT_MTU		672
 #define L2CAP_DEFAULT_MIN_MTU		48
+#define L2CAP_SIG_MTU			48	/* BR/EDR signaling MTU */
 #define L2CAP_DEFAULT_FLUSH_TO		0xFFFF
 #define L2CAP_EFS_DEFAULT_FLUSH_TO	0xFFFFFFFF
 #define L2CAP_DEFAULT_TX_WINDOW		63
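Review bot: L2CAP_SIG_MTU repeats the literal 48 of L2CAP_DEFAULT_MIN_MTU on the line above without saying where the value comes from. The trailing comment should cite the spec section that the l2cap_core.c comment quotes (Bluetooth Core v5.4, Vol 3, Part A, Section 4), so the constant is not later "unified" with the channel MTU default.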
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5651,6 +5651,15 @@ static inline void l2cap_sig_send_rej(st
 	l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
 }
 
+static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
+{
+	struct l2cap_cmd_rej_mtu rej;
+
+	rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
+	rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
+	l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+}
+
 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
 				     struct sk_buff *skb)
 {
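Review bot: `struct l2cap_cmd_rej_mtu rej;` in l2cap_sig_send_mtu_rej() is an uninitialised stack object that is sent with sizeof(rej), and only reason and max_mtu are assigned. That is fine if the struct has exactly those two members with no padding, but the definition is not part of this patch; initialising it with `= {}` or noting the layout would rule out stale stack bytes going over the air.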
@@ -5663,6 +5672,43 @@ static inline void l2cap_sig_channel(str
 	if (hcon->type != ACL_LINK)
 		goto drop;
 
+	/*
+	 * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
+	 * signaling channel has a fixed signaling MTU (MTUsig) whose
+	 * minimum and default is 48 octets.  Section 4.1 says that on
+	 * an MTUExceeded command reject the identifier "shall match
+	 * the first request command in the L2CAP packet" and that
+	 * packets containing only response commands "shall be
+	 * silently discarded".
+	 *
+	 * Linux intentionally deviates from that prescription:
+	 *
+	 *   1. Silently discarding desynchronizes the peer.  The
+	 *      remote stack never learns its responses were dropped,
+	 *      so any state machine waiting on a paired response
+	 *      stalls until its own timer fires.
+	 *
+	 *   2. Locating "the first request command" requires walking
+	 *      command headers past MTUsig, i.e. processing bytes
+	 *      from a packet we have already decided is too large to
+	 *      process.
+	 *
+	 * Reject every over-MTUsig signaling packet with one
+	 * L2CAP_REJ_MTU_EXCEEDED command reject.  The reject's
+	 * reason field is what tells the peer that the whole packet
+	 * was discarded; the identifier value is informational, so
+	 * we use the identifier from the first command header, a
+	 * single fixed-offset byte read.
+	 */
+	if (skb->len > L2CAP_SIG_MTU) {
+		u8 ident = skb->data[1];
+
+		BT_DBG("signaling packet exceeds MTU: %u > %u",
+		       skb->len, L2CAP_SIG_MTU);
+		l2cap_sig_send_mtu_rej(conn, ident);
+		goto drop;
+	}
+
 	while (skb->len >= L2CAP_CMD_HDR_SIZE) {
 		u16 len;
 
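Review bot: the `skb->len > L2CAP_SIG_MTU` test hard-codes the spec minimum as the only accepted size, so a peer that packs more than 48 octets of signaling commands into one packet now has the whole packet dropped with a reject instead of processed. The commit message does not say whether existing BR/EDR stacks were checked for this, and for a stable backport that should be stated. The `skb->data[1]` read is in bounds here because skb->len is above 48, which could be noted next to it since the usual L2CAP_CMD_HDR_SIZE check only appears in the loop below.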




* [PATCH 6.1 257/522] netfilter: x_tables: avoid leaking percpu counter pointers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 256/522] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 258/522] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
                   ` (265 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Pablo Neira Ayuso,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Zeng <kylebot@openai.com>

[ Upstream commit f7f2fbb0e893a0238dc464f8d8c0f5609bec584f ]

The native and compat get-entries paths copy the fixed rule entry header
from the kernelized rule blob to userspace before overwriting the entry's
counter fields with a sanitized counter snapshot.

On SMP kernels, entry->counters.pcnt contains the percpu allocation
address used by x_tables rule counters. A caller can provide a userspace
buffer that faults during the initial fixed-header copy after pcnt has
been copied but before the later sanitized counter copy runs. The syscall
then returns -EFAULT while leaving the raw percpu pointer in userspace.

Copy only the fixed entry prefix before counters from the kernelized rule
blob, then copy the sanitized counter snapshot into the counter field.
Apply this ordering to the IPv4, IPv6, and ARP native and compat
get-entries implementations so a fault cannot expose the internal percpu
counter pointer.

Fixes: 71ae0dff02d7 ("netfilter: xtables: use percpu rule counters")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/netfilter/arp_tables.c | 15 ++++++---------
 net/ipv4/netfilter/ip_tables.c  | 15 ++++++---------
 net/ipv6/netfilter/ip6_tables.c | 15 ++++++---------
 3 files changed, 18 insertions(+), 27 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 564054123772a1..eeb48265208a2b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -702,14 +702,12 @@ static int copy_entries_to_user(unsigned int total_size,
 		const struct xt_entry_target *t;
 
 		e = loc_cpu_entry + off;
-		if (copy_to_user(userptr + off, e, sizeof(*e))) {
-			ret = -EFAULT;
-			goto free_counters;
-		}
-		if (copy_to_user(userptr + off
+		if (copy_to_user(userptr + off, e,
+				 offsetof(struct arpt_entry, counters)) ||
+		    copy_to_user(userptr + off
 				 + offsetof(struct arpt_entry, counters),
 				 &counters[num],
-				 sizeof(counters[num])) != 0) {
+				 sizeof(counters[num]))) {
 			ret = -EFAULT;
 			goto free_counters;
 		}
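Review bot: the two copy_to_user() calls cover the whole fixed header only if counters is its last member, that is if offsetof(struct arpt_entry, counters) + sizeof(counters[num]) equals sizeof(*e), the size the removed call used. A BUILD_BUG_ON() stating that equality next to this code would catch a field added after counters in future, which would otherwise never reach userspace.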
@@ -1327,9 +1325,8 @@ static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
 
 	origsize = *size;
 	ce = *dstptr;
-	if (copy_to_user(ce, e, sizeof(struct arpt_entry)) != 0 ||
-	    copy_to_user(&ce->counters, &counters[i],
-	    sizeof(counters[i])) != 0)
+	if (copy_to_user(ce, e, offsetof(struct compat_arpt_entry, counters)) ||
+	    copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
 		return -EFAULT;
 
 	*dstptr += sizeof(struct compat_arpt_entry);
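Review bot: `copy_to_user(ce, e, offsetof(struct compat_arpt_entry, counters))` sizes a read from the native struct arpt_entry with an offset taken from the compat layout, so it is correct only while both structs are identical up to counters. Add a static assertion that offsetof(struct arpt_entry, counters) equals offsetof(struct compat_arpt_entry, counters), or use the native offset for the source and say why the destination matches.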
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a6208efcfccfce..055d5e28a44f46 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -834,14 +834,12 @@ copy_entries_to_user(unsigned int total_size,
 		const struct xt_entry_target *t;
 
 		e = loc_cpu_entry + off;
-		if (copy_to_user(userptr + off, e, sizeof(*e))) {
-			ret = -EFAULT;
-			goto free_counters;
-		}
-		if (copy_to_user(userptr + off
+		if (copy_to_user(userptr + off, e,
+				 offsetof(struct ipt_entry, counters)) ||
+		    copy_to_user(userptr + off
 				 + offsetof(struct ipt_entry, counters),
 				 &counters[num],
-				 sizeof(counters[num])) != 0) {
+				 sizeof(counters[num]))) {
 			ret = -EFAULT;
 			goto free_counters;
 		}
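Review bot: this block is now the same as the ones in arp_tables.c and ip6_tables.c apart from the struct name in offsetof(), and the ordering of the two copies is the security property. A small shared helper in the x_tables core that takes the counters offset would keep the three from drifting apart, and would give one place for a comment explaining that the raw entry->counters.pcnt value must never be copied out.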
@@ -1230,9 +1228,8 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
 
 	origsize = *size;
 	ce = *dstptr;
-	if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
-	    copy_to_user(&ce->counters, &counters[i],
-	    sizeof(counters[i])) != 0)
+	if (copy_to_user(ce, e, offsetof(struct compat_ipt_entry, counters)) ||
+	    copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
 		return -EFAULT;
 
 	*dstptr += sizeof(struct compat_ipt_entry);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b844e519da1b4e..333115dff69ae7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -850,14 +850,12 @@ copy_entries_to_user(unsigned int total_size,
 		const struct xt_entry_target *t;
 
 		e = loc_cpu_entry + off;
-		if (copy_to_user(userptr + off, e, sizeof(*e))) {
-			ret = -EFAULT;
-			goto free_counters;
-		}
-		if (copy_to_user(userptr + off
+		if (copy_to_user(userptr + off, e,
+				 offsetof(struct ip6t_entry, counters)) ||
+		    copy_to_user(userptr + off
 				 + offsetof(struct ip6t_entry, counters),
 				 &counters[num],
-				 sizeof(counters[num])) != 0) {
+				 sizeof(counters[num]))) {
 			ret = -EFAULT;
 			goto free_counters;
 		}
@@ -1246,9 +1244,8 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
 
 	origsize = *size;
 	ce = *dstptr;
-	if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
-	    copy_to_user(&ce->counters, &counters[i],
-	    sizeof(counters[i])) != 0)
+	if (copy_to_user(ce, e, offsetof(struct compat_ip6t_entry, counters)) ||
+	    copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
 		return -EFAULT;
 
 	*dstptr += sizeof(struct compat_ip6t_entry);
-- 
2.53.0





* [PATCH 7.0 174/378] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 173/378] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 175/378] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sumit Garg, Manivannan Sadhasivam,
	Bjorn Andersson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

commit d922113ef91e6e7e8065e9070f349365341ba32e upstream.

The current platform driver design causes probe ordering races with
consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
driver probe has failed due to above reasons or it is waiting for the SCM
driver.

Moreover, there is no devlink dependency between ICE and consumer drivers
as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
have no idea of when the ICE driver is going to probe.

To address these issues, store the error pointer in a global xarray with
ice node phandle as a key during probe in addition to the valid ice pointer
and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.

If the xarray entry is NULL, then it implies that the driver is not
probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
that error pointer directly. Otherwise, add the devlink as usual and return
the valid pointer to the consumer.

Xarray is used instead of platform drvdata, since driver core frees the
drvdata during probe failure. So it cannot be used to pass the error
pointer to the consumers.

Note that this change only fixes the standalone ICE DT node bindings and
not the ones with 'ice' range embedded in the consumer nodes, where there
is no issue.

Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
Reported-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Cc: stable@vger.kernel.org # 6.4
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/soc/qcom/ice.c |   38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)

--- a/drivers/soc/qcom/ice.c
+++ b/drivers/soc/qcom/ice.c
@@ -16,6 +16,7 @@
 #include <linux/of.h>
 #include <linux/of_platform.h>
 #include <linux/platform_device.h>
+#include <linux/xarray.h>
 
 #include <linux/firmware/qcom/qcom_scm.h>
 
@@ -114,6 +115,9 @@ struct qcom_ice {
 	u8 hwkm_version;
 };
 
+static DEFINE_XARRAY(ice_handles);
+static DEFINE_MUTEX(ice_mutex);
+
 static bool qcom_ice_check_supported(struct qcom_ice *ice)
 {
 	u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
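Review bot: ice_handles and ice_mutex are introduced without a comment on what they hold or protect. From the rest of the patch the xarray is keyed by the ICE node phandle and stores either a valid struct qcom_ice pointer or an error pointer, with an absent entry meaning "not probed yet"; stating that at the definition, together with the fact that ice_mutex serialises qcom_ice_probe(), qcom_ice_remove() and the phandle path of of_qcom_ice_get(), would save readers from reconstructing it.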
@@ -644,6 +648,8 @@ static struct qcom_ice *of_qcom_ice_get(
 		return qcom_ice_create(&pdev->dev, base);
 	}
 
+	guard(mutex)(&ice_mutex);
+
 	/*
 	 * If the consumer node does not provider an 'ice' reg range
 	 * (legacy DT binding), then it must at least provide a phandle
@@ -660,12 +666,13 @@ static struct qcom_ice *of_qcom_ice_get(
 		return ERR_PTR(-ENODEV);
 	}
 
-	ice = platform_get_drvdata(pdev);
-	if (!ice) {
-		dev_err(dev, "Cannot get ice instance from %s\n",
-			dev_name(&pdev->dev));
+	ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
+	if (IS_ERR_OR_NULL(ice)) {
 		platform_device_put(pdev);
-		return ERR_PTR(-EPROBE_DEFER);
+		if (!ice)
+			return ERR_PTR(-EPROBE_DEFER);
+		else
+			return ice;
 	}
 
 	link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
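Review bot: the "else" after "return ERR_PTR(-EPROBE_DEFER);" in the IS_ERR_OR_NULL(ice) branch of of_qcom_ice_get() is redundant; "return ice ?: ERR_PTR(-EPROBE_DEFER);" says the same in one line. With the dev_err() removed, the stored-error case now fails without any message, so a dev_dbg() naming dev_name(&pdev->dev) there would keep a consumer failure caused by a failed ICE probe diagnosable from the log.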
@@ -729,24 +736,40 @@ EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
 
 static int qcom_ice_probe(struct platform_device *pdev)
 {
+	unsigned long phandle = pdev->dev.of_node->phandle;
 	struct qcom_ice *engine;
 	void __iomem *base;
 
+	guard(mutex)(&ice_mutex);
+
 	base = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(base)) {
 		dev_warn(&pdev->dev, "ICE registers not found\n");
+		/* Store the error pointer for devm_of_qcom_ice_get() */
+		xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
 		return PTR_ERR(base);
 	}
 
 	engine = qcom_ice_create(&pdev->dev, base);
-	if (IS_ERR(engine))
+	if (IS_ERR(engine)) {
+		/* Store the error pointer for devm_of_qcom_ice_get() */
+		xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
 		return PTR_ERR(engine);
+	}
 
-	platform_set_drvdata(pdev, engine);
+	xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
 
 	return 0;
 }
 
+static void qcom_ice_remove(struct platform_device *pdev)
+{
+	unsigned long phandle = pdev->dev.of_node->phandle;
+
+	guard(mutex)(&ice_mutex);
+	xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
+}
+
 static const struct of_device_id qcom_ice_of_match_table[] = {
 	{ .compatible = "qcom,inline-crypto-engine" },
 	{ },
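Review bot: none of the xa_store() calls in qcom_ice_probe() and qcom_ice_remove() check the return value, although they pass GFP_KERNEL and can fail. If storing a probe result fails, the entry stays empty and of_qcom_ice_get() keeps returning -EPROBE_DEFER, which is the situation this patch sets out to end; checking the result with xa_err() and at least warning would cover it. In qcom_ice_remove(), xa_erase(&ice_handles, phandle) states the intent more directly than storing NULL.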
@@ -755,6 +778,7 @@ MODULE_DEVICE_TABLE(of, qcom_ice_of_matc
 
 static struct platform_driver qcom_ice_driver = {
 	.probe	= qcom_ice_probe,
+	.remove	= qcom_ice_remove,
 	.driver = {
 		.name = "qcom-ice",
 		.of_match_table = qcom_ice_of_match_table,



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 258/522] netfilter: nf_log: validate MAC header was set before dumping it
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (256 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 257/522] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 259/522] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
                   ` (264 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
	Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xiang Mei <xmei5@asu.edu>

[ Upstream commit a84b6fedbc97078788be78dbdd7517d143ad1a77 ]

The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

 BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
 Read of size 1 at addr ffff88800ea49d3f by task exploit/148
 Call Trace:
  kasan_report (mm/kasan/report.c:595)
  dump_mac_header (net/netfilter/nf_log_syslog.c:831)
  nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
  nf_log_packet (net/netfilter/nf_log.c:260)
  nft_log_eval (net/netfilter/nft_log.c:60)
  nft_do_chain (net/netfilter/nf_tables_core.c:285)
  nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
  nf_hook_slow (net/netfilter/core.c:619)
  nf_hook_direct_egress (net/packet/af_packet.c:257)
  packet_xmit (net/packet/af_packet.c:280)
  packet_sendmsg (net/packet/af_packet.c:3114)
  __sys_sendto (net/socket.c:2265)

Fixes: 7eb9282cd0ef ("netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_log_syslog.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_log_syslog.c b/net/netfilter/nf_log_syslog.c
index 58402226045e84..09b9152e9e5492 100644
--- a/net/netfilter/nf_log_syslog.c
+++ b/net/netfilter/nf_log_syslog.c
@@ -799,8 +799,8 @@ static void dump_mac_header(struct nf_log_buf *m,
 
 fallback:
 	nf_log_buf_add(m, "MAC=");
-	if (dev->hard_header_len &&
-	    skb->mac_header != skb->network_header) {
+	if (dev->hard_header_len && skb_mac_header_was_set(skb) &&
+	    skb_mac_header_len(skb) != 0) {
 		const unsigned char *p = skb_mac_header(skb);
 		unsigned int i;
 
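Review bot: the new condition in the fallback path of dump_mac_header() only establishes that the MAC header is set and has non-zero length, while the commit message says the loop that follows reads dev->hard_header_len bytes from skb_mac_header(skb). If skb_mac_header_len(skb) can be smaller than dev->hard_header_len here, the dump still runs past the header; consider bounding the loop by the smaller of the two, or add a comment on why the lengths cannot differ.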
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread
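The guard change described in the nf_log commit message above, as an added user-space model (not code from the patch or the kernel). `struct model_skb`, `old_guard()`, `new_guard()` and `oob_dump()` are hypothetical names, and the 256-byte buffer and header offsets are constructed sample values.

```c
/* Added illustration: a user-space model, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAC_HEADER_UNSET ((uint16_t)0xffff)	/* "unset" value named in the commit message */
#define BUF_LEN 256				/* constructed buffer size */

static unsigned char buf[BUF_LEN];

/* Reduced stand-in for struct sk_buff: header fields are offsets from head. */
struct model_skb {
	unsigned char *head;
	size_t buf_len;
	uint16_t mac_header;
	uint16_t network_header;
};

static struct model_skb make_skb(uint16_t mac, uint16_t net)
{
	struct model_skb skb = { buf, BUF_LEN, mac, net };
	return skb;
}

static bool mac_header_was_set(const struct model_skb *skb)
{
	return skb->mac_header != MAC_HEADER_UNSET;
}

static unsigned int mac_header_len(const struct model_skb *skb)
{
	return (unsigned int)(skb->network_header - skb->mac_header);
}

typedef bool (*guard_fn)(const struct model_skb *, unsigned int);

/* Condition before the fix: only compares the two offsets. */
static bool old_guard(const struct model_skb *skb, unsigned int hard_header_len)
{
	return hard_header_len && skb->mac_header != skb->network_header;
}

/* Condition after the fix: the header must be set and non-empty. */
static bool new_guard(const struct model_skb *skb, unsigned int hard_header_len)
{
	return hard_header_len && mac_header_was_set(skb) &&
	       mac_header_len(skb) != 0;
}

/*
 * Returns 1 when the guard admits the skb and a dump of hard_header_len
 * bytes starting at head + mac_header would leave the buffer, else 0.
 */
static int oob_dump(guard_fn guard, const struct model_skb *skb,
		    unsigned int hard_header_len)
{
	if (!guard(skb, hard_header_len))
		return 0;
	return (size_t)skb->mac_header + hard_header_len > skb->buf_len;
}

int main(void)
{
	/* Constructed cases: header never set, and a normal 14-byte header. */
	struct model_skb unset = make_skb(MAC_HEADER_UNSET, 64);
	struct model_skb ether = make_skb(50, 64);

	printf("unset, old guard: oob=%d\n", oob_dump(old_guard, &unset, 14));
	printf("unset, new guard: oob=%d\n", oob_dump(new_guard, &unset, 14));
	printf("ether, new guard: admitted=%d oob=%d\n",
	       new_guard(&ether, 14), oob_dump(new_guard, &ether, 14));
	return 0;
}
```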

* [PATCH 7.0 175/378] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 174/378] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 176/378] Revert "drm/xe/nvls: Define GuC firmware for NVL-S" Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wupeng Ma, Oscar Salvador (SUSE),
	Muchun Song, Kefeng Wang, Miaohe Lin, David Hildenbrand,
	Liam Howlett, Lorenzo Stoakes, Michal Hocko, Mike Rapoport,
	Naoya Horiguchi, Suren Baghdasaryan, Vlastimil Babka,
	Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wupeng Ma <mawupeng1@huawei.com>

commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e upstream.

Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
when racing with a concurrent unmap:

  thread#0                              thread#1
  --------                              --------
  madvise(folio, MADV_HWPOISON)
    -> poisons the folio successfully
  madvise(folio, MADV_HWPOISON)         unmap(folio)
    try_memory_failure_hugetlb
      get_huge_page_for_hwpoison
        spin_lock_irq(&hugetlb_lock)    <- held
        __get_huge_page_for_hwpoison
          hugetlb_update_hwpoison()
            -> MF_HUGETLB_FOLIO_PRE_POISONED
          goto out:
            folio_put()
              refcount: 1 -> 0
              free_huge_folio()
                spin_lock_irqsave(&hugetlb_lock)
                  -> AA DEADLOCK!

The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
the GUP reference while the hugetlb_lock is still held by the hugetlb.c
wrapper get_huge_page_for_hwpoison().  If concurrent unmap has released
the page table mapping reference, folio_put() drops the folio refcount to
zero, triggering free_huge_folio() which attempts to re-acquire the
non-recursive hugetlb_lock.

Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
into get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the
folio_put() at the out: label so the folio is always released outside the
lock.

[akpm@linux-foundation.org: fix race, rename label per Miaohe]
  Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com
  Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com
Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com
Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Acked-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/hugetlb.h |    8 --------
 include/linux/mm.h      |    8 --------
 mm/hugetlb.c            |   11 -----------
 mm/memory-failure.c     |   19 ++++++++++---------
 4 files changed, 10 insertions(+), 36 deletions(-)

--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -153,8 +153,6 @@ long hugetlb_unreserve_pages(struct inod
 						long freed);
 bool folio_isolate_hugetlb(struct folio *folio, struct list_head *list);
 int get_hwpoison_hugetlb_folio(struct folio *folio, bool *hugetlb, bool unpoison);
-int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
-				bool *migratable_cleared);
 void folio_putback_hugetlb(struct folio *folio);
 void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int reason);
 void hugetlb_fix_reserve_counts(struct inode *inode);
@@ -420,12 +418,6 @@ static inline int get_hwpoison_hugetlb_f
 {
 	return 0;
 }
-
-static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
-					bool *migratable_cleared)
-{
-	return 0;
-}
 
 static inline void folio_putback_hugetlb(struct folio *folio)
 {
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4601,8 +4601,6 @@ extern int soft_offline_page(unsigned lo
  */
 extern const struct attribute_group memory_failure_attr_group;
 extern void memory_failure_queue(unsigned long pfn, int flags);
-extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
-					bool *migratable_cleared);
 void num_poisoned_pages_inc(unsigned long pfn);
 void num_poisoned_pages_sub(unsigned long pfn, long i);
 #else
@@ -4610,12 +4608,6 @@ static inline void memory_failure_queue(
 {
 }
 
-static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
-					bool *migratable_cleared)
-{
-	return 0;
-}
-
 static inline void num_poisoned_pages_inc(unsigned long pfn)
 {
 }
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7160,17 +7160,6 @@ int get_hwpoison_hugetlb_folio(struct fo
 	return ret;
 }
 
-int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
-				bool *migratable_cleared)
-{
-	int ret;
-
-	spin_lock_irq(&hugetlb_lock);
-	ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared);
-	spin_unlock_irq(&hugetlb_lock);
-	return ret;
-}
-
 /**
  * folio_putback_hugetlb - unisolate a hugetlb folio
  * @folio: the isolated hugetlb folio
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1966,20 +1966,19 @@ void folio_clear_hugetlb_hwpoison(struct
 	folio_free_raw_hwp(folio, true);
 }
 
-/*
- * Called from hugetlb code with hugetlb_lock held.
- */
-int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+static int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
 				 bool *migratable_cleared)
 {
 	struct page *page = pfn_to_page(pfn);
-	struct folio *folio = page_folio(page);
+	struct folio *folio;
 	bool count_increased = false;
 	int ret, rc;
 
+	spin_lock_irq(&hugetlb_lock);
+	folio = page_folio(page);
 	if (!folio_test_hugetlb(folio)) {
 		ret = MF_HUGETLB_NON_HUGEPAGE;
-		goto out;
+		goto out_unlock;
 	} else if (flags & MF_COUNT_INCREASED) {
 		ret = MF_HUGETLB_IN_USED;
 		count_increased = true;
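Review bot: the removed comment "Called from hugetlb code with hugetlb_lock held" in mm/memory-failure.c gets no replacement, so the new locking contract of get_huge_page_for_hwpoison() is undocumented. A short comment that the function takes hugetlb_lock itself, that page_folio() is looked up under it, and that the lock is dropped before any folio_put() would record the rule the fix depends on.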
@@ -1995,13 +1994,13 @@ int __get_huge_page_for_hwpoison(unsigne
 	} else {
 		ret = MF_HUGETLB_RETRY;
 		if (!(flags & MF_NO_RETRY))
-			goto out;
+			goto out_unlock;
 	}
 
 	rc = hugetlb_update_hwpoison(folio, page);
 	if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) {
 		ret = rc;
-		goto out;
+		goto out_unlock;
 	}
 
 	/*
@@ -2013,8 +2012,10 @@ int __get_huge_page_for_hwpoison(unsigne
 		*migratable_cleared = true;
 	}
 
+	spin_unlock_irq(&hugetlb_lock);
 	return ret;
-out:
+out_unlock:
+	spin_unlock_irq(&hugetlb_lock);
 	if (count_increased)
 		folio_put(folio);
 	return ret;
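Review bot: at the out_unlock: label the order spin_unlock_irq(&hugetlb_lock) followed by folio_put(folio) is the whole fix, but nothing at the label says so. Add a comment there that folio_put() may free the folio and take hugetlb_lock again, so it must stay after the unlock; otherwise a later cleanup that merges the two unlock sites could reintroduce the deadlock.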



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 259/522] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (257 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 258/522] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 260/522] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
                   ` (263 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 772cecf198da732faebb5dcfc46d66a505be8495 ]

nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized.  However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path).  When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.

Bail out if userspace requests too much data when F_PRESENT is set.

Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_exthdr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 60d18bd60d821e..a7cb4dd6205e9f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -531,6 +531,9 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
 			return err;
 	}
 
+	if ((flags & NFT_EXTHDR_F_PRESENT) && len != 1)
+		return -EINVAL;
+
 	priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
 	priv->offset = offset;
 	priv->len    = len;
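Review bot: the added check in nft_exthdr_init() rejects every len other than 1 when NFT_EXTHDR_F_PRESENT is set, which is stricter than the commit message describes (a problem when len > 4, with eval paths writing 1 or 4 bytes). A comment at the check saying that the presence result is a single byte, and that len values of 2 to 4 are rejected on purpose, would keep the code and the changelog from reading as inconsistent.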
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 176/378] Revert "drm/xe/nvls: Define GuC firmware for NVL-S"
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 175/378] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 177/378] accel/ivpu: Add bounds check for firmware runtime memory Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniele Ceraolo Spurio,
	Julia Filipchuk, Rodrigo Vivi, Matt Roper

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>

commit 42445de1765547f56f48d107c0b8f3482c98458e upstream.

This reverts commit 4e88de313ff4d1c67b644b1f39f9fb4089711b71.

The early GuC FW definition meant for our CI branch was accidentally
merged to the drm-xe-next branch instead. This GuC FW will never be
released to linux-firmware, so we do not want the definition to be
available in the mainline Linux codebase.

Fixes: 4e88de313ff4 ("drm/xe/nvls: Define GuC firmware for NVL-S")
Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Cc: Julia Filipchuk <julia.filipchuk@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: stable@vger.kernel.org # v7.0+
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patch.msgid.link/20260529193558.185436-11-daniele.ceraolospurio@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit 65b8e0ac86e48cfc9128c04dfc53ea3395d030dd)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/xe/xe_uc_fw.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/gpu/drm/xe/xe_uc_fw.c
+++ b/drivers/gpu/drm/xe/xe_uc_fw.c
@@ -115,7 +115,6 @@ struct fw_blobs_by_type {
 #define XE_GT_TYPE_ANY XE_GT_TYPE_UNINITIALIZED
 
 #define XE_GUC_FIRMWARE_DEFS(fw_def, mmp_ver, major_ver)					\
-	fw_def(NOVALAKE_S,	GT_TYPE_ANY,	mmp_ver(xe,	guc,	nvl,	70, 55, 4))	\
 	fw_def(PANTHERLAKE,	GT_TYPE_ANY,	major_ver(xe,	guc,	ptl,	70, 54, 0))	\
 	fw_def(BATTLEMAGE,	GT_TYPE_ANY,	major_ver(xe,	guc,	bmg,	70, 54, 0))	\
 	fw_def(LUNARLAKE,	GT_TYPE_ANY,	major_ver(xe,	guc,	lnl,	70, 53, 0))	\



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 260/522] net: mvpp2: sync RX data at the hardware packet offset
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (258 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 259/522] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 261/522] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit 180235600934bef6add3be637c296d6cf3272e67 ]

mvpp2 programs the RX queue packet offset, so hardware writes received
data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at
dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the
unused headroom and misses the same number of bytes at the packet tail.

On non-coherent DMA systems this can leave the CPU reading stale cache
contents for the end of the received frame.

Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range
offset so the sync covers the Marvell header and packet data actually
written by hardware.

Fixes: e1921168bbd4 ("mvpp2: sync only the received frame")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-2-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index b42c2c498faa2e..62d72f5ed01295 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3948,9 +3948,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			dma_dir = DMA_FROM_DEVICE;
 		}
 
-		dma_sync_single_for_cpu(dev->dev.parent, dma_addr,
-					rx_bytes + MVPP2_MH_SIZE,
-					dma_dir);
+		dma_sync_single_range_for_cpu(dev->dev.parent, dma_addr,
+					      MVPP2_SKB_HEADROOM,
+					      rx_bytes + MVPP2_MH_SIZE,
+					      dma_dir);
 
 		/* Buffer header not supported */
 		if (rx_status & MVPP2_RXD_BUF_HDR)
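Review bot: the MVPP2_SKB_HEADROOM offset passed to dma_sync_single_range_for_cpu() in mvpp2_rx() has to match the RX queue packet offset programmed into the hardware, and the hunk leaves that coupling implicit. A comment at the call saying the offset mirrors the programmed packet offset would keep the two from drifting apart if either is changed later.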
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 177/378] accel/ivpu: Add bounds check for firmware runtime memory
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 176/378] Revert "drm/xe/nvls: Define GuC firmware for NVL-S" Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 178/378] accel/ivpu: Add bounds checks for firmware log indices Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrzej Kacprowski, Karol Wachowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>

commit 1d0b597facdd3c0239c88e8797c1014e1ea0ef15 upstream.

Validate that the firmware runtime memory specified in the image
header is properly aligned and sized to hold the firmware image.
This prevents errors during memory allocation and image transfer.

Fixes: 2007e210b6a1 ("accel/ivpu: Split FW runtime and global memory buffers")
Cc: stable@vger.kernel.org # v7.0+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529120853.135876-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ivpu/ivpu_fw.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/accel/ivpu/ivpu_fw.c b/drivers/accel/ivpu/ivpu_fw.c
index 107f8ad31050..33c50779c06b 100644
--- a/drivers/accel/ivpu/ivpu_fw.c
+++ b/drivers/accel/ivpu/ivpu_fw.c
@@ -259,6 +259,22 @@ static int ivpu_fw_parse(struct ivpu_device *vdev)
 		return -EINVAL;
 	}
 
+	if (!PAGE_ALIGNED(runtime_addr)) {
+		ivpu_err(vdev, "Runtime address 0x%llx not page aligned\n", runtime_addr);
+		return -EINVAL;
+	}
+
+	if (!PAGE_ALIGNED(runtime_size)) {
+		ivpu_err(vdev, "Runtime size %llu not page aligned\n", runtime_size);
+		return -EINVAL;
+	}
+
+	if (runtime_size < image_size) {
+		ivpu_err(vdev, "Runtime size too small: %llu, image size: %llu\n",
+			 runtime_size, image_size);
+		return -EINVAL;
+	}
+
 	if (!ivpu_is_within_range(image_load_addr, image_size, &vdev->hw->ranges.runtime)) {
 		ivpu_err(vdev, "Invalid firmware load address: 0x%llx and size %llu\n",
 			 image_load_addr, image_size);
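Review bot: the three new checks in ivpu_fw_parse() validate alignment and runtime_size >= image_size, but none of them verifies that runtime_addr + runtime_size does not wrap. Both values are described as coming from the image header, so if the sum is computed later, a check_add_overflow() test here would close that gap alongside the other header checks.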
-- 
2.54.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 261/522] net: mvpp2: limit XDP frame size to the RX buffer
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (259 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 260/522] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 262/522] net: mvpp2: Add metadata support for xdp mode Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit f3c6aa078927e6fe8121c9c591ddee8716c5305a ]

mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.

Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-3-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 62d72f5ed01295..8403fc4e9e7176 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3981,7 +3981,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			else
 				xdp_rxq = &rxq->xdp_rxq_long;
 
-			xdp_init_buff(&xdp, PAGE_SIZE, xdp_rxq);
+			xdp_init_buff(&xdp, bm_pool->frag_size, xdp_rxq);
 			xdp_prepare_buff(&xdp, data,
 					 MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM,
 					 rx_bytes, false);
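Review bot: xdp_init_buff() in mvpp2_rx() now takes bm_pool->frag_size, and frame_sz is interpreted relative to the hard start that xdp_prepare_buff() receives just below as "data". Please confirm, and say in a one-line comment, that frag_size is measured from that same base, so that MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM of headroom plus rx_bytes are known to fit inside the advertised frame.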
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 178/378] accel/ivpu: Add bounds checks for firmware log indices
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 177/378] accel/ivpu: Add bounds check for firmware runtime memory Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 179/378] firmware: stratix10-svc: Dont fail probe when async ops unsupported Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrzej Kacprowski, Karol Wachowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>

commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream.

Add validation that read and write indices in the firmware log buffer
are within valid bounds (< data_size) before using them. If
out-of-bounds indices are encountered (from firmware), clamp them to
safe values instead of proceeding with invalid offsets.

This prevents potential out-of-bounds buffer access when firmware
supplies invalid log indices.

Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
Cc: stable@vger.kernel.org # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ivpu/ivpu_fw_log.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/accel/ivpu/ivpu_fw_log.c
+++ b/drivers/accel/ivpu/ivpu_fw_log.c
@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct v
 	u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0;
 	u32 log_end = READ_ONCE(log->write_index);
 
+	if (log_start >= data_size)
+		log_start = 0;
+	if (log_end > data_size)
+		log_end = data_size;
+
 	if (log->wrap_count == log->read_wrap_count) {
 		if (log_end <= log_start) {
 			drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name);
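
Review bot: The two clamps in fw_log_print_buffer() silently repair indices that came from firmware, so a corrupted log header leaves no trace; a ratelimited warning when `log_start >= data_size` or `log_end > data_size` triggers would make that visible. Resetting `log_start` to 0 also turns an invalid read index into a dump of the whole buffer, which deserves a one-line comment saying this is intended. The context line `log->wrap_count == log->read_wrap_count` still reads two more fields of the same header without READ_ONCE(), unlike the indices just above it.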




* [PATCH 6.1 262/522] net: mvpp2: Add metadata support for xdp mode
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (260 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 261/522] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 263/522] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michal Kubiak, Lorenzo Bianconi,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Bianconi <lorenzo@kernel.org>

[ Upstream commit 9a45e193c88a55a536d7fd0ebfa29823d588c2cf ]

Set metadata size when building the skb from xdp_buff in the mvpp2 driver.
The mvpp2 driver sets the xdp headroom to:

MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM

where

MVPP2_MH_SIZE 2
MVPP2_SKB_HEADROOM min(max(XDP_PACKET_HEADROOM, NET_SKB_PAD), 224)

so the headroom is large enough to contain xdp_frame and xdp metadata.
Please note this patch is just compile tested.

Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20250318-mvneta-xdp-meta-v2-2-b6075778f61f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 77a6b90ce56b ("net: mvpp2: build skb from XDP-adjusted data on XDP_PASS")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 8403fc4e9e7176..4c299d8bb2392c 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3915,13 +3915,13 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 
 	while (rx_done < rx_todo) {
 		struct mvpp2_rx_desc *rx_desc = mvpp2_rxq_next_desc_get(rxq);
+		u32 rx_status, timestamp, metasize = 0;
 		struct mvpp2_bm_pool *bm_pool;
 		struct page_pool *pp = NULL;
 		struct sk_buff *skb;
 		unsigned int frag_size;
 		dma_addr_t dma_addr;
 		phys_addr_t phys_addr;
-		u32 rx_status, timestamp;
 		int pool, rx_bytes, err, ret;
 		struct page *page;
 		void *data;
@@ -3984,7 +3984,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			xdp_init_buff(&xdp, bm_pool->frag_size, xdp_rxq);
 			xdp_prepare_buff(&xdp, data,
 					 MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM,
-					 rx_bytes, false);
+					 rx_bytes, true);
 
 			ret = mvpp2_run_xdp(port, xdp_prog, &xdp, pp, &ps);
 
@@ -4000,6 +4000,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 				ps.rx_bytes += rx_bytes;
 				continue;
 			}
+
+			metasize = xdp.data - xdp.data_meta;
 		}
 
 		skb = build_skb(data, frag_size);
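
Review bot: `metasize = xdp.data - xdp.data_meta` measures metadata that sits directly in front of xdp.data, but the skb is still laid out with the fixed `skb_reserve(skb, MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM)` shown in the last hunk, so skb_metadata_set() only describes the right bytes when the XDP program left xdp.data at its original offset. Either derive the reserve offset from xdp.data on XDP_PASS or state in the commit message that head adjustment is not handled yet. The message says the patch was only compile tested, so this path has not been exercised.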
@@ -4036,6 +4038,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 
 		skb_reserve(skb, MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM);
 		skb_put(skb, rx_bytes);
+		if (metasize)
+			skb_metadata_set(skb, metasize);
 		skb->ip_summed = mvpp2_rx_csum(port, rx_status);
 		skb->protocol = eth_type_trans(skb, dev);
 
-- 
2.53.0





* [PATCH 7.0 179/378] firmware: stratix10-svc: Dont fail probe when async ops unsupported
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 178/378] accel/ivpu: Add bounds checks for firmware log indices Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 180/378] firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches,
	Muhammad Amirul Asyraf Mohamad Jamian, Dinh Nguyen

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>

commit 371aa062219a0af108fb8992f0759d1bac1e8c91 upstream.

When the ATF version is too old to support SIP SVC v3 asynchronous
operations (e.g. ATF 2.5), stratix10_svc_async_init() returns
-EOPNOTSUPP. The probe function currently treats any non-zero return
as fatal and aborts, logging:

  stratix10-svc firmware:svc: Intel Service Layer Driver: ATF version \
    is not compatible for async operation
  stratix10-svc firmware:svc: probe with driver stratix10-svc failed \
    with error -95

This prevents the SVC driver from loading entirely, causing all
dependent client drivers (hwmon, RSU, FCS) to also fail to probe even
though they can operate correctly via the synchronous V1 SMC path.

Fix this by treating -EOPNOTSUPP from stratix10_svc_async_init() as a
non-fatal degraded condition. The driver loads in sync-only mode and
logs:

  stratix10-svc firmware:svc: Intel Service Layer Driver Initialized \
    (sync-only mode)

Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/stratix10-svc.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -1952,10 +1952,14 @@ static int stratix10_svc_drv_probe(struc
 	init_completion(&controller->complete_status);
 
 	ret = stratix10_svc_async_init(controller);
-	if (ret) {
+	if (ret == -EOPNOTSUPP) {
+		dev_info(dev, "Intel Service Layer Driver Initialized (sync-only mode)\n");
+	} else if (ret) {
 		dev_dbg(dev, "Intel Service Layer Driver: Error on stratix10_svc_async_init %d\n",
 			ret);
 		goto err_destroy_pool;
+	} else {
+		dev_info(dev, "Intel Service Layer Driver Initialized\n");
 	}
 
 	fifo_size = sizeof(struct stratix10_svc_data) * SVC_NUM_DATA_IN_FIFO;
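
Review bot: Both new dev_info() lines announce "Initialized" right after stratix10_svc_async_init(), while probe still has work that can fail (the `fifo_size` setup follows immediately), so the log can report success for a probe that then errors out. Move the message to the end of probe and choose the "(sync-only mode)" suffix from the saved return value. The remaining fatal branch logs with dev_dbg(), so a real async init failure is invisible at default log levels while the success case is not; dev_err() fits better there.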




* [PATCH 6.1 263/522] net: mvpp2: refill RX buffers before XDP or skb use
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (261 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 262/522] net: mvpp2: Add metadata support for xdp mode Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 264/522] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 ]

The RX error path returns the current descriptor buffer to the hardware
BM pool. That is only valid while the driver still owns the buffer.

mvpp2_rx_refill() can fail after the current buffer has been handed to
XDP or attached to an skb. In those cases mvpp2_run_xdp() may have
recycled, redirected, or queued the page for XDP_TX, and an skb free also
retires the data buffer. Returning such a buffer to BM lets hardware DMA
into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the
skb. If the allocation fails there, drop the packet and return the
still-owned current buffer to BM, preserving the pool depth. Once the
refill succeeds, later local drops retire/free the current buffer instead
of returning it to BM.

Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Fixes: d6526926de73 ("net: mvpp2: fix memory leak in mvpp2_rx")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-4-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 77a6b90ce56b ("net: mvpp2: build skb from XDP-adjusted data on XDP_PASS")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/marvell/mvpp2/mvpp2_main.c   | 43 +++++++++++--------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 4c299d8bb2392c..fc16e577a10376 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3973,6 +3973,12 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		else
 			frag_size = bm_pool->frag_size;
 
+		err = mvpp2_rx_refill(port, bm_pool, pp, pool);
+		if (err) {
+			netdev_err(port->dev, "failed to refill BM pools\n");
+			goto err_drop_frame;
+		}
+
 		if (xdp_prog) {
 			struct xdp_rxq_info *xdp_rxq;
 
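
Review bot: The moved `netdev_err(port->dev, "failed to refill BM pools\n")` is unratelimited and now sits at the top of the per-packet loop, so sustained allocation failure logs once per received frame from NAPI context; guard it with net_ratelimit() or count it in a statistic instead. A short comment above the mvpp2_rx_refill() call stating that the refill must happen while the driver still owns the current buffer would keep a later cleanup from moving it back below the XDP or skb handoff.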
@@ -3990,12 +3996,6 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 
 			if (ret) {
 				xdp_ret |= ret;
-				err = mvpp2_rx_refill(port, bm_pool, pp, pool);
-				if (err) {
-					netdev_err(port->dev, "failed to refill BM pools\n");
-					goto err_drop_frame;
-				}
-
 				ps.rx_packets++;
 				ps.rx_bytes += rx_bytes;
 				continue;
@@ -4007,8 +4007,21 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		skb = build_skb(data, frag_size);
 		if (!skb) {
 			netdev_warn(port->dev, "skb build failed\n");
-			goto err_drop_frame;
+			if (pp) {
+				page_pool_put_page(pp, virt_to_head_page(data),
+						   rx_bytes + MVPP2_MH_SIZE,
+						   true);
+			} else {
+				dma_unmap_single_attrs(dev->dev.parent, dma_addr,
+						       bm_pool->buf_size,
+						       DMA_FROM_DEVICE,
+						       DMA_ATTR_SKIP_CPU_SYNC);
+				mvpp2_frag_free(bm_pool, pp, data);
+			}
+			goto err_drop_frame_retired;
 		}
+		if (pp)
+			skb_mark_for_recycle(skb);
 
 		/* If we have RX hardware timestamping enabled, grab the
 		 * timestamp from the queue and convert.
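
Review bot: The `!pp` branch of the build_skb() failure path repeats the dma_unmap_single_attrs() call that the next hunk keeps for the success path, with the same five arguments; a small helper would keep the two copies from drifting apart. In that branch `pp` is known to be NULL, so `mvpp2_frag_free(bm_pool, pp, data)` would read more clearly with NULL spelled out or with a comment saying so.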
@@ -4019,16 +4032,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 					 skb_hwtstamps(skb));
 		}
 
-		err = mvpp2_rx_refill(port, bm_pool, pp, pool);
-		if (err) {
-			netdev_err(port->dev, "failed to refill BM pools\n");
-			dev_kfree_skb_any(skb);
-			goto err_drop_frame;
-		}
-
-		if (pp)
-			skb_mark_for_recycle(skb);
-		else
+		if (!pp)
 			dma_unmap_single_attrs(dev->dev.parent, dma_addr,
 					       bm_pool->buf_size, DMA_FROM_DEVICE,
 					       DMA_ATTR_SKIP_CPU_SYNC);
@@ -4047,13 +4051,14 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		continue;
 
 err_drop_frame:
-		dev->stats.rx_errors++;
-		mvpp2_rx_error(port, rx_desc);
 		/* Return the buffer to the pool */
 		if (rx_status & MVPP2_RXD_BUF_HDR)
 			mvpp2_buff_hdr_pool_put(port, rx_desc, pool, rx_status);
 		else
 			mvpp2_bm_pool_put(port, pool, dma_addr, phys_addr);
+err_drop_frame_retired:
+		dev->stats.rx_errors++;
+		mvpp2_rx_error(port, rx_desc);
 	}
 
 	if (xdp_ret & MVPP2_XDP_REDIR)
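
Review bot: `err_drop_frame` now falls through into `err_drop_frame_retired`, and the only thing separating "buffer still owned, return it to BM" from "buffer already retired" is which label a goto names. Add a comment at each label stating the ownership precondition and mark the fall-through, since jumping to the wrong one either drains a buffer from the pool or returns to hardware a buffer the driver no longer owns. The existing comment "Return the buffer to the pool" should say that it applies only to the first label.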
-- 
2.53.0





* [PATCH 7.0 180/378] firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 179/378] firmware: stratix10-svc: Dont fail probe when async ops unsupported Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 181/378] firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anders Hedlund, Mahesh Rao,
	Muhammad Amirul Asyraf Mohamad Jamian, Dinh Nguyen

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>

commit 3e529f57931417120fab700afeef6e49553250d5 upstream.

Add a 'supported' flag to struct stratix10_async_ctrl to indicate
whether the secure firmware supports SIP SVC v3 asynchronous
communication. When the ATF version check in stratix10_svc_async_init()
fails, set supported=false and return -EOPNOTSUPP instead of -EINVAL.

This allows callers to distinguish between "async not supported by this
ATF version" (-EOPNOTSUPP) and "programming error / bad argument"
(-EINVAL), and take appropriate action (e.g. fall back to synchronous
V1 SMC path) rather than treating both as fatal.

Also update stratix10_svc_add_async_client() to return -EOPNOTSUPP
immediately when async is not supported, rather than -EINVAL from the
!actrl->initialized check, so client drivers receive a consistent and
meaningful error code.

This patch is a prerequisite for the following fix and must be applied
together with it to correctly restore functionality on old ATF versions.

Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication")
Cc: stable@vger.kernel.org
Suggested-by: Anders Hedlund <anders.hedlund@windriver.com>
Signed-off-by: Mahesh Rao <mahesh.rao@altera.com>
Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/stratix10-svc.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
index e9e35d67ef96..8a4f18602f36 100644
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -212,6 +212,7 @@ struct stratix10_async_chan {
 /**
  * struct stratix10_async_ctrl - Control structure for Stratix10
  *                               asynchronous operations
+ * @supported: Flag indicating whether the system supports async operations
  * @initialized: Flag indicating whether the control structure has
  *               been initialized
  * @invoke_fn: Function pointer for invoking Stratix10 service calls
@@ -228,6 +229,7 @@ struct stratix10_async_chan {
  */
 
 struct stratix10_async_ctrl {
+	bool supported;
 	bool initialized;
 	void (*invoke_fn)(struct stratix10_async_ctrl *actrl,
 			  const struct arm_smccc_1_2_regs *args,
@@ -1103,6 +1105,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_request_channel_byname);
  * Return: 0 on success, or a negative error code on failure:
  *         -EINVAL if the channel is NULL or the async controller is
  *         not initialized.
+ *         -EOPNOTSUPP if async operations are not supported.
  *         -EALREADY if the async channel is already allocated.
  *         -ENOMEM if memory allocation fails.
  *         Other negative values if ID allocation fails.
@@ -1121,6 +1124,9 @@ int stratix10_svc_add_async_client(struct stratix10_svc_chan *chan,
 	ctrl = chan->ctrl;
 	actrl = &ctrl->actrl;
 
+	if (!actrl->supported)
+		return -EOPNOTSUPP;
+
 	if (!actrl->initialized) {
 		dev_err(ctrl->dev, "Async controller not initialized\n");
 		return -EINVAL;
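
Review bot: `supported` is only written inside stratix10_svc_async_init() at the ATF version check, so if that function returns before reaching the check the flag keeps its initial value and this early `return -EOPNOTSUPP` reports "not supported" for what is really "not initialized" (assuming the controller is zero-allocated, which these hunks do not show). Tracking the state as one three-value field (unknown, unsupported, supported) instead of two booleans would keep -EOPNOTSUPP and -EINVAL distinct in the way the commit message intends.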
@@ -1562,6 +1568,7 @@ static inline void stratix10_smc_1_2(struct stratix10_async_ctrl *actrl,
  *         initialized, -ENOMEM if memory allocation fails,
  *         -EADDRINUSE if the client ID is already reserved, or other
  *         negative error codes on failure.
+ *         -EOPNOTSUPP if system doesn't support async operations.
  */
 static int stratix10_svc_async_init(struct stratix10_svc_controller *controller)
 {
@@ -1585,10 +1592,12 @@ static int stratix10_svc_async_init(struct stratix10_svc_controller *controller)
 	    !(res.a1 > ASYNC_ATF_MINIMUM_MAJOR_VERSION ||
 	      (res.a1 == ASYNC_ATF_MINIMUM_MAJOR_VERSION &&
 	       res.a2 >= ASYNC_ATF_MINIMUM_MINOR_VERSION))) {
-		dev_err(dev,
-			"Intel Service Layer Driver: ATF version is not compatible for async operation\n");
-		return -EINVAL;
+		dev_info(dev,
+			 "Intel Service Layer Driver: ATF version is not compatible for async operation\n");
+		actrl->supported = false;
+		return -EOPNOTSUPP;
 	}
+	actrl->supported = true;
 
 	actrl->invoke_fn = stratix10_smc_1_2;
 
-- 
2.54.0





* [PATCH 6.1 264/522] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (262 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 263/522] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 265/522] netfilter: ctnetlink: ensure safe access to master conntrack Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Til Kaiser <mail@tk154.de>

[ Upstream commit 77a6b90ce56bc982dcfa94229b8e28e6abb16e95 ]

When an XDP program uses bpf_xdp_adjust_head() or bpf_xdp_adjust_tail()
and then returns XDP_PASS, mvpp2 still builds the skb from fixed offsets
derived from the original RX descriptor. Packet geometry changes made by
the XDP program are therefore discarded before the skb reaches the stack.

Update rx_offset and rx_bytes from xdp.data and xdp.data_end for
XDP_PASS. This makes skb_reserve() and skb_put() reflect the packet seen
by XDP, and makes RX byte accounting for XDP_PASS follow the length of the
skb passed to the network stack.

Keep a separate rx_sync_size for page-pool recycling on skb allocation
failure, which must stay tied to the received buffer range.

Non-PASS verdicts continue to account the descriptor length because no skb
is passed up in those cases.

Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-5-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/marvell/mvpp2/mvpp2_main.c   | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index fc16e577a10376..675616142c4f47 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3919,10 +3919,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		struct mvpp2_bm_pool *bm_pool;
 		struct page_pool *pp = NULL;
 		struct sk_buff *skb;
-		unsigned int frag_size;
+		unsigned int frag_size, rx_sync_size;
 		dma_addr_t dma_addr;
 		phys_addr_t phys_addr;
-		int pool, rx_bytes, err, ret;
+		int pool, rx_bytes, rx_offset, err, ret;
 		struct page *page;
 		void *data;
 
@@ -3935,6 +3935,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		rx_status = mvpp2_rxdesc_status_get(port, rx_desc);
 		rx_bytes = mvpp2_rxdesc_size_get(port, rx_desc);
 		rx_bytes -= MVPP2_MH_SIZE;
+		rx_sync_size = rx_bytes + MVPP2_MH_SIZE;
+		rx_offset = MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM;
 		dma_addr = mvpp2_rxdesc_dma_addr_get(port, rx_desc);
 
 		pool = (rx_status & MVPP2_RXD_BM_POOL_ID_MASK) >>
@@ -3950,7 +3952,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 
 		dma_sync_single_range_for_cpu(dev->dev.parent, dma_addr,
 					      MVPP2_SKB_HEADROOM,
-					      rx_bytes + MVPP2_MH_SIZE,
+					      rx_sync_size,
 					      dma_dir);
 
 		/* Buffer header not supported */
@@ -4001,6 +4003,14 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 				continue;
 			}
 
+			rx_sync_size = max_t(unsigned int, rx_sync_size,
+					     xdp.data_end - xdp.data_hard_start -
+					     MVPP2_SKB_HEADROOM);
+
+			/* Update offset and length to reflect any XDP adjustments. */
+			rx_offset = xdp.data     - data;
+			rx_bytes  = xdp.data_end - xdp.data;
+
 			metasize = xdp.data - xdp.data_meta;
 		}
 
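
Review bot: The second argument of the max_t() is a signed pointer difference: `xdp.data_end - xdp.data_hard_start - MVPP2_SKB_HEADROOM` goes negative if the program has moved both xdp.data and xdp.data_end into the headroom, and max_t(unsigned int, ...) then turns it into a very large rx_sync_size that is later passed to page_pool_put_page(). Compute the extent as a signed value and only take it when it is positive. The new assignments also use two different bases, `xdp.data_hard_start` here and `data` in `rx_offset = xdp.data - data`; if these are the same pointer, use one of them throughout and say so in the comment.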
@@ -4009,8 +4019,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 			netdev_warn(port->dev, "skb build failed\n");
 			if (pp) {
 				page_pool_put_page(pp, virt_to_head_page(data),
-						   rx_bytes + MVPP2_MH_SIZE,
-						   true);
+						   rx_sync_size, true);
 			} else {
 				dma_unmap_single_attrs(dev->dev.parent, dma_addr,
 						       bm_pool->buf_size,
@@ -4040,7 +4049,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
 		ps.rx_packets++;
 		ps.rx_bytes += rx_bytes;
 
-		skb_reserve(skb, MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM);
+		skb_reserve(skb, rx_offset);
 		skb_put(skb, rx_bytes);
 		if (metasize)
 			skb_metadata_set(skb, metasize);
-- 
2.53.0





* [PATCH 7.0 181/378] firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 180/378] firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 182/378] accel/ivpu: Add buffer overflow check in MS get_info_ioctl Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dinh Nguyen

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dinh Nguyen <dinguyen@kernel.org>

commit bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86 upstream.

rsu_send_msg() can return -ETIMEDOUT when
wait_for_completion_interruptible_timeout() fires while the SMC call is still
pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION,
COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE
call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then
fall through and queue the next request on the same channel. The next svc
kthread that runs will dereference pdata->chan->scl in its receive callback
path, triggering a NULL pointer dereference identical to the one fixed by
commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference
when RSU is disabled") for the COMMAND_RSU_STATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the
async client, free the channel, and return early so no further messages are
queued on a channel whose scl has been cleared.

While at it, clean up stratix10_rsu_probe() in two ways without changing
behavior:

- Drop redundant zero-initialization of fields already cleared by
  devm_kzalloc(): client.receive_cb, status.* and spt0/1_address
  (INVALID_SPT_ADDRESS is 0x0).

- Replace five identical 3-line error-cleanup blocks
  (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() +
  return ret) with goto labels (remove_async_client, free_channel),
  matching the standard kernel resource-unwinding pattern and making it
  easier to extend the probe sequence without forgetting matching
  cleanup.

Also move init_completion() next to mutex_init() so sync-primitive
initialization is grouped before anything that could trigger a
callback.

Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.")
Cc: stable@kernel.org
Assisted-by: Claude:claude-4.7-opus-high Cursor
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a
    centralized exit for all the rsu_send_async_msg() and rsu_send_msg().
---
 drivers/firmware/stratix10-rsu.c |   45 +++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

--- a/drivers/firmware/stratix10-rsu.c
+++ b/drivers/firmware/stratix10-rsu.c
@@ -723,15 +723,9 @@ static int stratix10_rsu_probe(struct pl
 		return -ENOMEM;
 
 	priv->client.dev = dev;
-	priv->client.receive_cb = NULL;
 	priv->client.priv = priv;
-	priv->status.current_image = 0;
-	priv->status.fail_image = 0;
-	priv->status.error_location = 0;
-	priv->status.error_details = 0;
-	priv->status.version = 0;
-	priv->status.state = 0;
 	priv->retry_counter = INVALID_RETRY_COUNTER;
+	priv->max_retry = INVALID_RETRY_COUNTER;
 	priv->dcmf_version.dcmf0 = INVALID_DCMF_VERSION;
 	priv->dcmf_version.dcmf1 = INVALID_DCMF_VERSION;
 	priv->dcmf_version.dcmf2 = INVALID_DCMF_VERSION;
@@ -740,11 +734,11 @@ static int stratix10_rsu_probe(struct pl
 	priv->dcmf_status.dcmf1 = INVALID_DCMF_STATUS;
 	priv->dcmf_status.dcmf2 = INVALID_DCMF_STATUS;
 	priv->dcmf_status.dcmf3 = INVALID_DCMF_STATUS;
-	priv->max_retry = INVALID_RETRY_COUNTER;
-	priv->spt0_address = INVALID_SPT_ADDRESS;
-	priv->spt1_address = INVALID_SPT_ADDRESS;
+	/* spt0/1_address and status fields default to 0 from kzalloc */
 
 	mutex_init(&priv->lock);
+	init_completion(&priv->completion);
+
 	priv->chan = stratix10_svc_request_channel_byname(&priv->client,
 							  SVC_CLIENT_RSU);
 	if (IS_ERR(priv->chan)) {
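
Review bot: The new comment `spt0/1_address and status fields default to 0 from kzalloc` makes the initial value of spt0_address and spt1_address depend on INVALID_SPT_ADDRESS being 0, and the code no longer says so. A `static_assert(INVALID_SPT_ADDRESS == 0)` next to the comment would keep the removed assignments honest if the macro ever changes.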
@@ -756,11 +750,9 @@ static int stratix10_rsu_probe(struct pl
 	ret = stratix10_svc_add_async_client(priv->chan, false);
 	if (ret) {
 		dev_err(dev, "failed to add async client\n");
-		stratix10_svc_free_channel(priv->chan);
-		return ret;
+		goto free_channel;
 	}
 
-	init_completion(&priv->completion);
 	platform_set_drvdata(pdev, priv);
 
 	/* get the initial state from firmware */
@@ -768,41 +760,44 @@ static int stratix10_rsu_probe(struct pl
 				 rsu_async_status_callback);
 	if (ret) {
 		dev_err(dev, "Error, getting RSU status %i\n", ret);
-		stratix10_svc_remove_async_client(priv->chan);
-		stratix10_svc_free_channel(priv->chan);
-		return ret;
+		goto remove_async_client;
 	}
 
 	/* get DCMF version from firmware */
-	ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_VERSION,
-			   0, rsu_dcmf_version_callback);
+	ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_VERSION, 0,
+			   rsu_dcmf_version_callback);
 	if (ret) {
 		dev_err(dev, "Error, getting DCMF version %i\n", ret);
-		stratix10_svc_free_channel(priv->chan);
+		goto remove_async_client;
 	}
 
-	ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS,
-			   0, rsu_dcmf_status_callback);
+	ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS, 0,
+			   rsu_dcmf_status_callback);
 	if (ret) {
 		dev_err(dev, "Error, getting DCMF status %i\n", ret);
-		stratix10_svc_free_channel(priv->chan);
+		goto remove_async_client;
 	}
 
 	ret = rsu_send_msg(priv, COMMAND_RSU_MAX_RETRY, 0,
 			   rsu_max_retry_callback);
 	if (ret) {
 		dev_err(dev, "Error, getting RSU max retry %i\n", ret);
-		stratix10_svc_free_channel(priv->chan);
+		goto remove_async_client;
 	}
 
-
 	ret = rsu_send_async_msg(dev, priv, COMMAND_RSU_GET_SPT_TABLE, 0,
 				 rsu_async_get_spt_table_callback);
 	if (ret) {
 		dev_err(dev, "Error, getting SPT table %i\n", ret);
-		stratix10_svc_free_channel(priv->chan);
+		goto remove_async_client;
 	}
 
+	return 0;
+
+remove_async_client:
+	stratix10_svc_remove_async_client(priv->chan);
+free_channel:
+	stratix10_svc_free_channel(priv->chan);
 	return ret;
 }
 
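
Review bot: The new `remove_async_client` and `free_channel` labels run immediately after rsu_send_msg() fails, including the -ETIMEDOUT case from the commit message where the SMC call is still pending, and nothing in this hunk waits for or cancels that request before the channel is freed. Please state in a comment at the label why a late completion is harmless once stratix10_svc_remove_async_client() has run. The rewrapped argument lines of the two rsu_send_msg() calls are formatting only and would be better left out of a stable fix.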




* [PATCH 6.1 265/522] netfilter: ctnetlink: ensure safe access to master conntrack
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (263 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 264/522] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 266/522] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
	Mark Bundschuh, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 ]

Holding a reference on the expectation is not sufficient; the master
conntrack object can just go away, making exp->master invalid.

To access exp->master safely:

- Grab the nf_conntrack_expect_lock, this gets serialized with
  clean_from_lists() which also holds this lock when the master
  conntrack goes away.

- Hold reference on master conntrack via nf_conntrack_find_get().
  Not so easy since the master tuple to look up for the master conntrack
  is not available in the existing problematic paths.

This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.

The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().

However, the delete expectation command needs to grab the spinlock
before looking up the expectation. Expand the existing spinlock
section to cover the expectation lookup. Note that
the nf_ct_expect_iterate_net() calls already grab the spinlock while
iterating over the expectation table, which is correct.

The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.

For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.

While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ fix timer_delete -> del_timer in diff context lines since 8fa7292
("treewide: Switch/rename to timer_delete[_sync]()") landed in 6.15 ]
Signed-off-by: Mark Bundschuh <mkbund@amazon.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netfilter/nf_conntrack_core.h |  5 ++++
 net/netfilter/nf_conntrack_ecache.c       |  2 ++
 net/netfilter/nf_conntrack_expect.c       | 10 +++++++-
 net/netfilter/nf_conntrack_netlink.c      | 28 +++++++++++++++--------
 4 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index a36f87af415c22..8ea16b0ba1c982 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -84,6 +84,11 @@ void nf_conntrack_lock(spinlock_t *lock);
 
 extern spinlock_t nf_conntrack_expect_lock;
 
+static inline void lockdep_nfct_expect_lock_held(void)
+{
+	lockdep_assert_held(&nf_conntrack_expect_lock);
+}
+
 /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */
 
 static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index 69948e1d6974e3..6526bdcca580fd 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -237,6 +237,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
 	struct nf_ct_event_notifier *notify;
 	struct nf_conntrack_ecache *e;
 
+	lockdep_nfct_expect_lock_held();
+
 	rcu_read_lock();
 	notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
 	if (!notify)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 70bcddfc17ccc2..379711ea5ab67e 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
 	struct net *net = nf_ct_exp_net(exp);
 	struct nf_conntrack_net *cnet;
 
+	lockdep_nfct_expect_lock_held();
 	WARN_ON(!master_help);
 	WARN_ON(timer_pending(&exp->timeout));
 
@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,
 
 bool nf_ct_remove_expect(struct nf_conntrack_expect *exp)
 {
+	lockdep_nfct_expect_lock_held();
+
 	if (del_timer(&exp->timeout)) {
 		nf_ct_unlink_expect(exp);
 		nf_ct_expect_put(exp);
@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net,
 	struct nf_conntrack_expect *i, *exp = NULL;
 	unsigned int h;
 
+	lockdep_nfct_expect_lock_held();
+
 	if (!cnet->expect_count)
 		return NULL;
 
@@ -459,6 +464,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
 	unsigned int h;
 	int ret = 0;
 
+	lockdep_nfct_expect_lock_held();
+
 	if (!master_help) {
 		ret = -ESHUTDOWN;
 		goto out;
@@ -515,8 +522,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 
 	nf_ct_expect_insert(expect);
 
-	spin_unlock_bh(&nf_conntrack_expect_lock);
 	nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
+	spin_unlock_bh(&nf_conntrack_expect_lock);
+
 	return 0;
 out:
 	spin_unlock_bh(&nf_conntrack_expect_lock);
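Review bot: in nf_ct_expect_related_report(), nf_ct_expect_event_report(IPEXP_NEW, ...) now runs before spin_unlock_bh(), so the event notifier executes with nf_conntrack_expect_lock held and bottom halves disabled. The commit message gives the reason (the event cache is reached through exp->master), but the code does not; a short comment at this call site saying the notifier path must not sleep or re-take the expect lock would help whoever touches it next.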
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bcbd77608365a9..f6e9d9bc18864a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3330,31 +3330,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
 	if (err < 0)
 		return err;
 
+	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+	if (!skb2)
+		return -ENOMEM;
+
+	spin_lock_bh(&nf_conntrack_expect_lock);
 	exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
-	if (!exp)
+	if (!exp) {
+		spin_unlock_bh(&nf_conntrack_expect_lock);
+		kfree_skb(skb2);
 		return -ENOENT;
+	}
 
 	if (cda[CTA_EXPECT_ID]) {
 		__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
 
 		if (id != nf_expect_get_id(exp)) {
 			nf_ct_expect_put(exp);
+			spin_unlock_bh(&nf_conntrack_expect_lock);
+			kfree_skb(skb2);
 			return -ENOENT;
 		}
 	}
 
-	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
-	if (!skb2) {
-		nf_ct_expect_put(exp);
-		return -ENOMEM;
-	}
-
 	rcu_read_lock();
 	err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
 				      info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
 				      exp);
 	rcu_read_unlock();
 	nf_ct_expect_put(exp);
+	spin_unlock_bh(&nf_conntrack_expect_lock);
+
 	if (err <= 0) {
 		kfree_skb(skb2);
 		return -ENOMEM;
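Review bot: in ctnetlink_get_expect() the spin_unlock_bh() plus kfree_skb(skb2) cleanup is now written out twice, on the !exp path and on the CTA_EXPECT_ID mismatch path, and any error return added later has to remember both. A single exit label doing the unlock and the free would make the pairing harder to break. Since nlmsg_new(..., GFP_KERNEL) had to move above spin_lock_bh() for this to work, a one-line comment at the allocation saying it must stay outside the lock would stop it from being moved back next to its use.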
@@ -3401,22 +3407,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb,
 		if (err < 0)
 			return err;
 
+		spin_lock_bh(&nf_conntrack_expect_lock);
+
 		/* bump usage count to 2 */
 		exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
-		if (!exp)
+		if (!exp) {
+			spin_unlock_bh(&nf_conntrack_expect_lock);
 			return -ENOENT;
+		}
 
 		if (cda[CTA_EXPECT_ID]) {
 			__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
 
 			if (id != nf_expect_get_id(exp)) {
 				nf_ct_expect_put(exp);
+				spin_unlock_bh(&nf_conntrack_expect_lock);
 				return -ENOENT;
 			}
 		}
 
 		/* after list removal, usage count == 1 */
-		spin_lock_bh(&nf_conntrack_expect_lock);
 		if (del_timer(&exp->timeout)) {
 			nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
 						   nlmsg_report(info->nlh));
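Review bot: in ctnetlink_del_expect() the spin_lock_bh() now sits above nf_ct_expect_find_get() and both early returns unlock by hand, but the unlock for the del_timer() path lies below the visible context. Because this backport adjusts context lines (del_timer instead of timer_delete), please confirm against the 6.1 source that the success path still unlocks exactly once and that no other return between the lookup and that unlock was missed.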
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 182/378] accel/ivpu: Add buffer overflow check in MS get_info_ioctl
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 181/378] firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 183/378] accel/ivpu: Fix signed integer truncation in IPC receive Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrzej Kacprowski, Karol Wachowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>

commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream.

Add validation that the info size returned from the metric stream info
query is not exceeded when checked against the allocated buffer size.
If the firmware returns a size larger than the buffer, reject the
operation with -EOVERFLOW instead of proceeding with an incorrect
buffer copy.

Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
Cc: stable@vger.kernel.org # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ivpu/ivpu_ms.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/accel/ivpu/ivpu_ms.c
+++ b/drivers/accel/ivpu/ivpu_ms.c
@@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_de
 	if (ret)
 		goto unlock;
 
+	if (info_size > ivpu_bo_size(bo)) {
+		ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
+				      info_size, ivpu_bo_size(bo));
+		ret = -EOVERFLOW;
+		goto unlock;
+	}
+
 	if (args->buffer_size < info_size) {
 		ret = -ENOSPC;
 		goto unlock;
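Review bot: the new info_size > ivpu_bo_size(bo) test makes -EOVERFLOW a return value of ivpu_ms_get_info_ioctl(), right next to the existing -ENOSPC for args->buffer_size < info_size. The two now mean different things to user space (firmware reported more than the driver buffer holds, versus the caller's buffer being too small), so the ioctl documentation should list the new code. Placing the check ahead of the args->buffer_size comparison is the right order, since nothing after it should see an unvalidated firmware-supplied size.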



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 266/522] drm/vc4: fix krealloc() memory leak
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (264 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 265/522] netfilter: ctnetlink: ensure safe access to master conntrack Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 267/522] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander A. Klimov,
	Maíra Canal, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander A. Klimov <grandmaster@al2klimov.de>

[ Upstream commit 5d563a5da8717629ae72f9eadf1e0e340bd1658b ]

Don't just overwrite the original pointer passed to krealloc()
with its return value without checking the latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

While on it, use krealloc_array().

Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patch.msgid.link/20260606123817.37222-1-grandmaster@al2klimov.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vc4/vc4_validate_shaders.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
index 9745f8810eca6d..c2c6767ae55862 100644
--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
@@ -288,15 +288,16 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
 {
 	uint32_t o = validated_shader->num_uniform_addr_offsets;
 	uint32_t num_uniforms = validated_shader->uniforms_size / 4;
+	u32 *offsets;
 
-	validated_shader->uniform_addr_offsets =
-		krealloc(validated_shader->uniform_addr_offsets,
-			 (o + 1) *
-			 sizeof(*validated_shader->uniform_addr_offsets),
-			 GFP_KERNEL);
-	if (!validated_shader->uniform_addr_offsets)
+	offsets = krealloc_array(validated_shader->uniform_addr_offsets,
+				 o + 1,
+				 sizeof(*validated_shader->uniform_addr_offsets),
+				 GFP_KERNEL);
+	if (!offsets)
 		return false;
 
+	validated_shader->uniform_addr_offsets = offsets;
 	validated_shader->uniform_addr_offsets[o] = num_uniforms;
 	validated_shader->num_uniform_addr_offsets++;
 
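Review bot: krealloc_array() guards the count-times-size multiplication, but the count argument o + 1 is evaluated in uint32_t before the call, so a wrap of num_uniform_addr_offsets is not covered by that check; worth stating why it cannot happen or bounding o first. Style in the same hunk: the new local is declared u32 * while the neighbouring locals use uint32_t, and the element size can be written sizeof(*offsets) now that the temporary exists.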
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 183/378] accel/ivpu: Fix signed integer truncation in IPC receive
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 182/378] accel/ivpu: Add buffer overflow check in MS get_info_ioctl Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 184/378] tracing: Fix CFI violation in probestub being called by tprobes Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrzej Kacprowski, Karol Wachowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>

commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream.

Fix potential buffer overflow where firmware-supplied data_size is cast
to signed int before being used in min_t(). Large unsigned values
(>= 0x80000000) become negative, causing unsigned wraparound and
oversized memcpy operations that can overflow the stack buffer.

Change min_t(int, ...) to min() as both values are unsigned and can be
handled by min() without explicit cast.

Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ivpu/ivpu_ipc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/accel/ivpu/ivpu_ipc.c
+++ b/drivers/accel/ivpu/ivpu_ipc.c
@@ -276,7 +276,7 @@ int ivpu_ipc_receive(struct ivpu_device
 	if (ipc_buf)
 		memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf));
 	if (rx_msg->jsm_msg) {
-		u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
+		u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
 
 		if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) {
 			ivpu_err(vdev, "IPC resp result error: %d\n", rx_msg->jsm_msg->result);
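Review bot: with min() the length is correctly clamped to sizeof(*jsm_msg), but a data_size larger than that is now truncated silently. The value is firmware-supplied, so a ratelimited warning when rx_msg->ipc_hdr->data_size exceeds sizeof(*jsm_msg) would make a misbehaving firmware visible rather than only bounding the copy.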



^ permalink raw reply	[flat|nested] 906+ messages in thread
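The truncation described in the commit message above, as an added user-space illustration that is not part of the patch or the ivpu driver. `MIN_T` is a simplified stand-in for the kernel's `min_t()`, and `JSM_MSG_SIZE` is a constructed value standing in for `sizeof(*jsm_msg)`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's min_t(): both operands are cast to
 * 'type' before comparing (the real macro also avoids double evaluation). */
#define MIN_T(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Constructed stand-in for sizeof(*jsm_msg); the real size is not on the page. */
#define JSM_MSG_SIZE ((size_t)64)

/* Pre-fix shape: u32 size = min_t(int, data_size, sizeof(*jsm_msg));
 * A data_size >= 0x80000000 becomes negative as int, "wins" the minimum,
 * and turns back into a huge unsigned length when stored in the u32. */
static uint32_t copy_len_min_t_int(uint32_t data_size)
{
	uint32_t size = (uint32_t)MIN_T(int, data_size, JSM_MSG_SIZE);
	return size;
}

/* Post-fix shape: both operands stay unsigned, so the bound always holds. */
static uint32_t copy_len_unsigned(uint32_t data_size)
{
	size_t a = data_size;
	return (uint32_t)(a < JSM_MSG_SIZE ? a : JSM_MSG_SIZE);
}

/* Would a memcpy() of 'len' bytes run past the destination buffer? */
static int exceeds_buffer(uint32_t len)
{
	return len > JSM_MSG_SIZE;
}

/* Constructed boundary values for the firmware-supplied data_size field. */
static const uint32_t SAMPLES[] = {
	0u, 16u, 64u, 65u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu
};
#define N_SAMPLES (sizeof(SAMPLES) / sizeof(SAMPLES[0]))

/* Count the sample sizes for which a variant yields an oversized copy. */
static unsigned count_unsafe(uint32_t (*variant)(uint32_t))
{
	unsigned n = 0;
	for (size_t i = 0; i < N_SAMPLES; i++)
		if (exceeds_buffer(variant(SAMPLES[i])))
			n++;
	return n;
}

int main(void)
{
	for (size_t i = 0; i < N_SAMPLES; i++)
		printf("data_size=%#010x  min_t(int)=%#010x  min()=%#010x\n",
		       (unsigned)SAMPLES[i],
		       (unsigned)copy_len_min_t_int(SAMPLES[i]),
		       (unsigned)copy_len_unsigned(SAMPLES[i]));
	printf("oversized lengths: min_t(int)=%u, min()=%u\n",
	       count_unsafe(copy_len_min_t_int),
	       count_unsafe(copy_len_unsigned));
	return 0;
}
```

Values up to 0x7FFFFFFF are clamped correctly by both variants; only the two samples with the top bit set slip through the signed comparison.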

* [PATCH 6.1 267/522] netfilter: nft_tunnel: fix use-after-free on object destroy
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (265 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 266/522] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 268/522] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tristan Madani,
	Fernando Fernandez Mancera, Florian Westphal, Pablo Neira Ayuso

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nft_tunnel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -699,7 +699,7 @@ static void nft_tunnel_obj_destroy(const
 {
 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
 
-	metadata_dst_free(priv->md);
+	dst_release(&priv->md->dst);
 }
 
 static struct nft_object_type nft_tunnel_obj_type;
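Review bot: nft_tunnel_obj_destroy() now drops a reference instead of freeing, so priv->md can outlive the nft object. A short comment above dst_release(&priv->md->dst) saying that queued packets may still hold the dst would keep a later cleanup from changing it back to metadata_dst_free().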



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 184/378] tracing: Fix CFI violation in probestub being called by tprobes
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 183/378] accel/ivpu: Fix signed integer truncation in IPC receive Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 185/378] tracing/probes: Point the error offset correctly for eprobe argument error Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
	Eva Kurchatova, Steven Rostedt

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eva Kurchatova <eva.kurchatova@virtuozzo.com>

commit 0652a3daa78723f955b1ebeb621665ce72bec53e upstream.

The probestub is a function to allow tprobes to hook to a tracepoint to
gain access to its parameters. The function itself is only referenced by
the tracepoint structure which lives in the __tracepoint section. objtool
explicitly ignores that section and when processing functions in the
kernel, if it detects one that has no references it will seal it to have
its ENDBR stripped on boot up.

This means when a tprobe is attached to the sched_wakeup tracepoint, when it
is triggered it will call __probestub_sched_wakeup and due to the missing
ENDBR on a CFI-enabled machine it will take a #CP exception.

Fix this by adding CFI_NOSEAL annotation to probestub declaration.

Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com
Fixes: d5173f753750 ("objtool: Exclude __tracepoints data from ENDBR checks")
Signed-off-by: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
[ Updated change log ]
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/tracepoint.h |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/include/linux/tracepoint.h
+++ b/include/linux/tracepoint.h
@@ -20,6 +20,7 @@
 #include <linux/rcupdate_trace.h>
 #include <linux/tracepoint-defs.h>
 #include <linux/static_call.h>
+#include <linux/cfi.h>
 
 struct module;
 struct tracepoint;
@@ -380,6 +381,13 @@ static inline struct tracepoint *tracepo
 	void __probestub_##_name(void *__data, proto)			\
 	{								\
 	}								\
+	/*								\
+	 * Annotate the probestub 'CFI_NOSEAL' to stop objtool from	\
+	 * requesting the kernel remove the ENDBR, because the only	\
+	 * references to the function are in the __tracepoint section,	\
+	 * that objtool doesn't scan.					\
+	 */								\
+	CFI_NOSEAL(__probestub_##_name);				\
 	DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name);	\
 	DEFINE_RUST_DO_TRACE(_name, TP_PROTO(proto), TP_ARGS(args))
 
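Review bot: CFI_NOSEAL(__probestub_##_name) is added inside a macro in a generic header, so every architecture and config that includes linux/tracepoint.h now depends on linux/cfi.h (added in the first hunk) providing CFI_NOSEAL, including builds without ENDBR sealing. Please confirm the stable tree this lands in has an empty fallback definition, otherwise this breaks the build outside the affected configuration.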



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 268/522] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (266 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 267/522] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 269/522] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.

Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.

Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.

Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_sync.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -1706,6 +1706,11 @@ static int hci_adv_bcast_annoucement(str
 	/* Generate Broadcast ID */
 	get_random_bytes(bid, sizeof(bid));
 	len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
+	if (adv->adv_data_len > sizeof(ad) - len) {
+		bt_dev_err(hdev, "No room for Broadcast Announcement");
+		return -EINVAL;
+	}
+
 	memcpy(ad + len, adv->adv_data, adv->adv_data_len);
 	hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
 				  ad, 0, NULL);
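Review bot: the bound adv->adv_data_len > sizeof(ad) - len avoids overflow in len + adv->adv_data_len, but it relies on len never exceeding sizeof(ad), which holds only as long as eir_append_service_data() with the fixed-size bid cannot over-report; a comment or an explicit check would make that assumption visible. Also consider whether -EINVAL is the clearest code here, since the existing advertising data is valid and only becomes too large once the announcement is prepended.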



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 185/378] tracing/probes: Point the error offset correctly for eprobe argument error
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 184/378] tracing: Fix CFI violation in probestub being called by tprobes Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 186/378] cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
	Steven Rostedt

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.

Fix to point the error offset correctly for eprobe argument error.
In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter
fetching code to common parser"), due to incorrect backward compatibility
aimed at conforming to the test specifications, the error location was set
to 0 when a non-existent formal parameter was specified for Eprobe.
However, this should be corrected in both the test and the implementation
to point to the correct error position.

Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/

Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_probe.c                                              |    2 --
 tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc |    2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -962,8 +962,6 @@ static int parse_probe_vars(char *orig_a
 			code->op = FETCH_OP_COMM;
 			return 0;
 		}
-		/* backward compatibility */
-		ctx->offset = 0;
 		goto inval;
 	}
 
--- a/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+++ b/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
@@ -20,7 +20,7 @@ check_error 'e:foo/^12345678901234567890
 check_error 'e:foo/^bar.1 syscalls/sys_enter_openat'	# BAD_EVENT_NAME
 
 check_error 'e:foo/bar syscalls/sys_enter_openat arg=^dfd'	# BAD_FETCH_ARG
-check_error 'e:foo/bar syscalls/sys_enter_openat ^arg=$foo'	# BAD_ATTACH_ARG
+check_error 'e:foo/bar syscalls/sys_enter_openat arg=^$foo'	# BAD_ATTACH_ARG
 
 if grep -q '<attached-group>\.<attached-event>.*\[if <filter>\]' README; then
   check_error 'e:foo/bar syscalls/sys_enter_openat if ^'	# NO_EP_FILTER



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 269/522] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (267 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 268/522] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 270/522] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
	Michael Bommarito, Luiz Augusto von Dentz

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit dd214733544427587a95f66dbf3adff072568990 upstream.

net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
signaling packets up to the channel MTU and dispatches each command
without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
within radio range can send a fixed-channel CID 0x0001 packet that is
larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
pairing. In a real-radio stock-kernel run, one 681-byte signaling
packet containing 168 zero-length ECHO_REQ commands made the target
transmit 168 ECHO_RSP frames over about 220 ms.

Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
packet containing packed ECHO_REQ commands.

Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.

The Bluetooth Core spec wording for MTUExceeded says the reject
identifier shall match the first request command in the packet, and
that packets containing only responses shall be silently discarded.
Linux intentionally deviates from that prescription: silently
discarding desynchronizes the peer because the remote stack never
learns its responses were dropped, and locating the first request
command requires walking command headers past MTUsig, i.e. processing
bytes from a packet we have already decided is too large to process.
We therefore always emit one reject and use the identifier from the
first command header, a single fixed-offset byte read.

The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
trace to the initial git import; no later introducing commit is
available for a Fixes tag.

Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/bluetooth/l2cap.h |    1 
 net/bluetooth/l2cap_core.c    |   46 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -33,6 +33,7 @@
 /* L2CAP defaults */
 #define L2CAP_DEFAULT_MTU		672
 #define L2CAP_DEFAULT_MIN_MTU		48
+#define L2CAP_SIG_MTU			48	/* BR/EDR signaling MTU */
 #define L2CAP_DEFAULT_FLUSH_TO		0xFFFF
 #define L2CAP_EFS_DEFAULT_FLUSH_TO	0xFFFFFFFF
 #define L2CAP_DEFAULT_TX_WINDOW		63
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6640,6 +6640,15 @@ static inline void l2cap_sig_send_rej(st
 	l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
 }
 
+static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
+{
+	struct l2cap_cmd_rej_mtu rej;
+
+	rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
+	rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
+	l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+}
+
 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
 				     struct sk_buff *skb)
 {
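Review bot: l2cap_sig_send_mtu_rej() uses struct l2cap_cmd_rej_mtu and L2CAP_REJ_MTU_EXCEEDED, but the l2cap.h hunk in this patch adds only L2CAP_SIG_MTU, so the backport depends on both already being defined in the 6.1 header. Worth a build check on this branch before release.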
@@ -6652,6 +6661,43 @@ static inline void l2cap_sig_channel(str
 	if (hcon->type != ACL_LINK)
 		goto drop;
 
+	/*
+	 * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
+	 * signaling channel has a fixed signaling MTU (MTUsig) whose
+	 * minimum and default is 48 octets.  Section 4.1 says that on
+	 * an MTUExceeded command reject the identifier "shall match
+	 * the first request command in the L2CAP packet" and that
+	 * packets containing only response commands "shall be
+	 * silently discarded".
+	 *
+	 * Linux intentionally deviates from that prescription:
+	 *
+	 *   1. Silently discarding desynchronizes the peer.  The
+	 *      remote stack never learns its responses were dropped,
+	 *      so any state machine waiting on a paired response
+	 *      stalls until its own timer fires.
+	 *
+	 *   2. Locating "the first request command" requires walking
+	 *      command headers past MTUsig, i.e. processing bytes
+	 *      from a packet we have already decided is too large to
+	 *      process.
+	 *
+	 * Reject every over-MTUsig signaling packet with one
+	 * L2CAP_REJ_MTU_EXCEEDED command reject.  The reject's
+	 * reason field is what tells the peer that the whole packet
+	 * was discarded; the identifier value is informational, so
+	 * we use the identifier from the first command header, a
+	 * single fixed-offset byte read.
+	 */
+	if (skb->len > L2CAP_SIG_MTU) {
+		u8 ident = skb->data[1];
+
+		BT_DBG("signaling packet exceeds MTU: %u > %u",
+		       skb->len, L2CAP_SIG_MTU);
+		l2cap_sig_send_mtu_rej(conn, ident);
+		goto drop;
+	}
+
 	while (skb->len >= L2CAP_CMD_HDR_SIZE) {
 		u16 len;
 
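Review bot: u8 ident = skb->data[1] is in bounds only because the enclosing test skb->len > L2CAP_SIG_MTU guarantees more than 48 bytes, and it assumes those bytes are in the linear part of the skb. A one-line remark next to the read would serve a future reader better than the long block comment above it, which explains the spec deviation but not why the read is safe. Logging the drop with BT_DBG only is the right level for something an unpaired remote peer can trigger at will.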



^ permalink raw reply	[flat|nested] 906+ messages in thread
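The effect of the MTUsig check described in the commit message above, as an added user-space model that is not the kernel's code. The parser loop is a simplified stand-in for l2cap_sig_channel(), and the packet is a constructed buffer of 168 zero-length ECHO_REQ command headers (the count comes from the commit message; the buffer holds only the commands, with no outer headers).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIG_MTU        48u   /* L2CAP_SIG_MTU, from the patch */
#define CMD_HDR_SIZE   4u    /* code (1), ident (1), length (2, little-endian) */
#define CODE_ECHO_REQ  0x08u /* L2CAP Echo Request command code */

/* What the receiver did with one signaling packet (hypothetical struct). */
struct sig_outcome {
	unsigned dispatched;   /* commands handed to a handler, each one
				* answered by a response in the ECHO_REQ case */
	unsigned mtu_rejects;  /* MTU-exceeded command rejects sent */
	uint8_t  reject_ident; /* identifier carried by that reject */
};

/* Fill buf with 'count' zero-length ECHO_REQ headers (constructed input). */
static size_t build_echo_reqs(uint8_t *buf, size_t cap, unsigned count)
{
	size_t off = 0;

	for (unsigned i = 0; i < count && off + CMD_HDR_SIZE <= cap; i++) {
		buf[off++] = CODE_ECHO_REQ;
		buf[off++] = (uint8_t)(1 + i % 255); /* ident, never zero */
		buf[off++] = 0;                      /* length, low byte */
		buf[off++] = 0;                      /* length, high byte */
	}
	return off;
}

/* Simplified signaling-channel receive: with enforce_mtusig set, an
 * oversized packet gets one reject and no command is dispatched. */
static struct sig_outcome sig_channel(const uint8_t *data, size_t len,
				      int enforce_mtusig)
{
	struct sig_outcome out = { 0, 0, 0 };

	if (enforce_mtusig && len > SIG_MTU) {
		/* len > 48 here, so the fixed-offset read is in bounds */
		out.mtu_rejects = 1;
		out.reject_ident = data[1];
		return out;
	}

	while (len >= CMD_HDR_SIZE) {
		uint8_t ident = data[1];
		size_t cmd_len = (size_t)data[2] | ((size_t)data[3] << 8);

		data += CMD_HDR_SIZE;
		len -= CMD_HDR_SIZE;
		if (cmd_len > len || ident == 0)
			break; /* malformed command, stop parsing */

		out.dispatched++;
		data += cmd_len;
		len -= cmd_len;
	}
	return out;
}

/* Build a packet of 'count' commands and run it through the receiver. */
static struct sig_outcome run_case(unsigned count, int enforce_mtusig)
{
	uint8_t buf[1024];
	size_t n = build_echo_reqs(buf, sizeof(buf), count);

	return sig_channel(buf, n, enforce_mtusig);
}

int main(void)
{
	struct sig_outcome before = run_case(168, 0);
	struct sig_outcome after = run_case(168, 1);

	printf("no MTUsig check: %u commands dispatched\n", before.dispatched);
	printf("MTUsig check:    %u dispatched, %u reject (ident %u)\n",
	       after.dispatched, after.mtu_rejects,
	       (unsigned)after.reject_ident);
	return 0;
}
```

A packet of exactly 48 bytes (12 such commands) is still parsed normally; the first size that is rejected is 49 bytes.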

* [PATCH 7.0 186/378] cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 185/378] tracing/probes: Point the error offset correctly for eprobe argument error Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 187/378] Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend" Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Guopeng, Sun Shaojie,
	Waiman Long, Tejun Heo

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sun Shaojie <sunshaojie@kylinos.cn>

commit 0a68853de27b522bca2b9934127277185374a24f upstream.

When sibling CPU exclusion occurs, a partition's user_xcpus may contain
CPUs that were never actually granted to it. These CPUs are present in
user_xcpus(cs) but not in cs->effective_xcpus.

The partcmd_update path in update_parent_effective_cpumask() uses
user_xcpus(cs) (via the local variable xcpus) to compute the addmask
(CPUs to return to parent) and delmask (CPUs to request from parent).
This is incorrect:

 1) When newmask removes a CPU that was previously excluded by a
    sibling, addmask incorrectly includes that CPU and tries to return
    it to the parent even though the partition never actually owned it,
    causing CPU overlap with sibling partitions and triggering warnings
    in generate_sched_domains().

 2) When newmask adds a previously excluded CPU that is now available,
    delmask fails to request it from the parent because user_xcpus(cs)
    already includes it.

Fix this by using cs->effective_xcpus instead of user_xcpus(cs) in all
partcmd_update paths that calculate addmask or delmask, including the
PERR_NOCPUS error handling paths.

Reproducers:

  Example 1 - Removing a sibling-excluded CPU incorrectly returns it:

    # cd /sys/fs/cgroup
    # echo "0-1" > a1/cpuset.cpus
    # echo "root" > a1/cpuset.cpus.partition
    # echo "0-2" > b1/cpuset.cpus
    # echo "root" > b1/cpuset.cpus.partition
    # echo "2" > b1/cpuset.cpus
    # cat cpuset.cpus.effective
    # Actual: 0-1,3    Expected: 3

  Example 2 - Expanding to a previously excluded CPU fails to request it:

    # cd /sys/fs/cgroup
    # echo "0-1" > a1/cpuset.cpus
    # echo "root" > a1/cpuset.cpus.partition
    # echo "0-2" > b1/cpuset.cpus
    # echo "root" > b1/cpuset.cpus.partition
    # echo "member" > a1/cpuset.cpus.partition
    # echo "1-2" > b1/cpuset.cpus
    # cat cpuset.cpus.effective
    # Actual: 0-1,3    Expected: 0,3

Fixes: 2a3602030d80 ("cgroup/cpuset: Don't invalidate sibling partitions on cpuset.cpus conflict")
Cc: stable@vger.kernel.org # v7.0+
Suggested-by: Zhang Guopeng <zhangguopeng@kylinos.cn>
Signed-off-by: Sun Shaojie <sunshaojie@kylinos.cn>
Reviewed-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/cgroup/cpuset.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 5c33ab20cc20..c9e14fda3d6f 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -1811,9 +1811,9 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
 		 * Compute add/delete mask to/from effective_cpus
 		 *
 		 * For valid partition:
-		 *   addmask = exclusive_cpus & ~newmask
+		 *   addmask = effective_xcpus & ~newmask
 		 *			      & parent->effective_xcpus
-		 *   delmask = newmask & ~exclusive_cpus
+		 *   delmask = newmask & ~effective_xcpus
 		 *		       & parent->effective_xcpus
 		 *
 		 * For invalid partition:
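Review bot: the updated comment writes `effective_xcpus` unqualified on the addmask and delmask lines, right next to `parent->effective_xcpus`. Spelling it `cs->effective_xcpus`, as the code in the next hunk does, would remove any doubt about whose mask is meant, and one extra line noting that user_xcpus(cs) can contain sibling-excluded CPUs the partition never owned would record why the mask was changed.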
@@ -1825,11 +1825,11 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
 			deleting = cpumask_and(tmp->delmask,
 					newmask, parent->effective_xcpus);
 		} else {
-			cpumask_andnot(tmp->addmask, xcpus, newmask);
+			cpumask_andnot(tmp->addmask, cs->effective_xcpus, newmask);
 			adding = cpumask_and(tmp->addmask, tmp->addmask,
 					     parent->effective_xcpus);
 
-			cpumask_andnot(tmp->delmask, newmask, xcpus);
+			cpumask_andnot(tmp->delmask, newmask, cs->effective_xcpus);
 			deleting = cpumask_and(tmp->delmask, tmp->delmask,
 					       parent->effective_xcpus);
 		}
@@ -1868,7 +1868,7 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
 			part_error = PERR_NOCPUS;
 			deleting = false;
 			adding = cpumask_and(tmp->addmask,
-					     xcpus, parent->effective_xcpus);
+					     cs->effective_xcpus, parent->effective_xcpus);
 		}
 	} else {
 		/*
@@ -1890,7 +1890,8 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
 			part_error = PERR_NOCPUS;
 			if (is_partition_valid(cs))
 				adding = cpumask_and(tmp->addmask,
-						xcpus, parent->effective_xcpus);
+						     cs->effective_xcpus,
+						     parent->effective_xcpus);
 		} else if (is_partition_invalid(cs) && !cpumask_empty(xcpus) &&
 			   cpumask_subset(xcpus, parent->effective_xcpus)) {
 			struct cgroup_subsys_state *css;
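Review bot: the `else if (is_partition_invalid(cs) && !cpumask_empty(xcpus) && cpumask_subset(xcpus, parent->effective_xcpus))` branch in the trailing context still tests `xcpus`, while the `adding` computation directly above it now uses `cs->effective_xcpus`. If keeping user_xcpus(cs) for the invalid-partition test is intentional, a short comment saying so would stop the mixed use from reading as a missed conversion.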
-- 
2.54.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread
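The two reproducers from the commit message above, worked through as bitmask arithmetic. This is an added user-space model, not kernel code or code from the patch author: the mask formulas are the ones in the patched comment block, while the intermediate states (which CPUs b1 was granted, what the parent held before the write) are read off the commit message, and the parent update rule is a simplifying assumption.

```c
#include <stdio.h>

/* One bit per CPU; the reproducers need four CPUs (0-3). */
typedef unsigned int cpumask;
#define CPU(n) (1u << (n))

struct masks {
	cpumask addmask;	/* CPUs returned to the parent */
	cpumask delmask;	/* CPUs requested from the parent */
};

/*
 * Valid-partition formulas from the comment block in the patch.
 * "owned" is user_xcpus(cs) before the fix, cs->effective_xcpus after it.
 */
static struct masks partcmd_update(cpumask owned, cpumask newmask,
				   cpumask parent_effective_xcpus)
{
	struct masks m;

	m.addmask = owned & ~newmask & parent_effective_xcpus;
	m.delmask = newmask & ~owned & parent_effective_xcpus;
	return m;
}

/* Assumed, simplified view of the parent's cpuset.cpus.effective update. */
static cpumask parent_after(cpumask parent_effective, struct masks m)
{
	return (parent_effective | m.addmask) & ~m.delmask;
}

/* State of b1 and its parent just before the last write to b1/cpuset.cpus. */
struct scenario {
	cpumask user_xcpus;		/* what b1 asked for */
	cpumask effective_xcpus;	/* what b1 was actually granted */
	cpumask parent_effective;	/* parent's effective CPUs */
	cpumask newmask;		/* value being written */
};

static cpumask run(const struct scenario *s, int fixed)
{
	cpumask root_xcpus = CPU(0) | CPU(1) | CPU(2) | CPU(3);
	cpumask owned = fixed ? s->effective_xcpus : s->user_xcpus;

	return parent_after(s->parent_effective,
			    partcmd_update(owned, s->newmask, root_xcpus));
}

/* Example 1: a1 holds 0-1, b1 asked for 0-2 but got only 2, then writes "2". */
static cpumask example1_result(int fixed)
{
	struct scenario s = {
		.user_xcpus = CPU(0) | CPU(1) | CPU(2),
		.effective_xcpus = CPU(2),
		.parent_effective = CPU(3),
		.newmask = CPU(2),
	};
	return run(&s, fixed);
}

/* Example 2: a1 went back to "member" (parent regains 0-1), b1 writes "1-2". */
static cpumask example2_result(int fixed)
{
	struct scenario s = {
		.user_xcpus = CPU(0) | CPU(1) | CPU(2),
		.effective_xcpus = CPU(2),
		.parent_effective = CPU(0) | CPU(1) | CPU(3),
		.newmask = CPU(1) | CPU(2),
	};
	return run(&s, fixed);
}

int main(void)
{
	/* Bit n set means CPU n is in the parent's effective mask. */
	printf("example 1: before fix %#x, after fix %#x\n",
	       example1_result(0), example1_result(1));
	printf("example 2: before fix %#x, after fix %#x\n",
	       example2_result(0), example2_result(1));
	return 0;
}
```

Mask 0xb is CPUs 0-1,3, 0x8 is CPU 3 and 0x9 is CPUs 0,3, matching the "Actual" and "Expected" values in the reproducers.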

* [PATCH 6.1 270/522] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (268 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 269/522] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 271/522] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
                   ` (252 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Gabriel Somlo,
	Ulf Hansson

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Inochi Amaoto <inochiama@gmail.com>

commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.

The previous clock uses roundup_pow_of_two() to calculate the core
clock frequency. It does not meet the actual hardware meaning.
The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".

Fix the clock divider calculation.

Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/litex_mmc.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/litex_mmc.c
+++ b/drivers/mmc/host/litex_mmc.c
@@ -16,6 +16,7 @@
 #include <linux/interrupt.h>
 #include <linux/iopoll.h>
 #include <linux/litex.h>
+#include <linux/math.h>
 #include <linux/mod_devicetable.h>
 #include <linux/module.h>
 #include <linux/platform_device.h>
@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
 	struct device *dev = mmc_dev(host->mmc);
 	u32 div;
 
-	div = freq ? host->ref_clk / freq : 256U;
-	div = roundup_pow_of_two(div);
+	div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
 	div = clamp(div, 2U, 256U);
 	dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
-		freq, host->ref_clk / div, div);
+		freq, host->ref_clk / ((div + 1) & ~1U), div);
 	litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
 	host->sd_clk = freq;
 }
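Review bot: the dev_dbg() line reports the resulting clock as `host->ref_clk / ((div + 1) & ~1U)`, which rounds an odd `div` up to the next even value, while the commit message gives the hardware formula as ref_clk / ((div >> 1) << 1), which rounds it down; for div = 3 the two give divisors of 4 and 2. One of them should be corrected so the log matches what the hardware does, and since `div` is a u32 the matching format specifier is `%u` rather than `%d`.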



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 187/378] Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 186/378] cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 7.0 188/378] rust: x86: support Rust >= 1.98.0 target spec Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Hellstrom,
	Tangudu Tilak Tirumalesh, Daniele Ceraolo Spurio, Rodrigo Vivi

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>

commit fa7c84726dc217ce0c183926ef9411636c7a2213 upstream.

This reverts commit 8533051ce92015e9cc6f75e0d52119b9d91610b6.

The idle-skip optimization bypasses GuC suspend, so the GPU may not
perform the context switch that flushes TLB entries for invalidated
userptr VMAs. In LR/preempt-fence VM mode, this can lead to missed TLB
invalidation and page faults during userptr invalidation tests.

Restore unconditional schedule toggling on suspend so the context-switch
TLB flush is always performed.

This optimization will be reintroduced with a fix that does not skip
suspend in LR/preempt-fence VM mode.

Fixes: 8533051ce920 ("drm/xe: Skip exec queue schedule toggle if queue is idle during suspend")
Cc: stable@vger.kernel.org # v7.0+
Suggested-by: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
Signed-off-by: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
Reviewed-by: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Link: https://patch.msgid.link/20260603065217.3131066-2-tilak.tirumalesh.tangudu@intel.com
(cherry picked from commit 6a1e7934d9a6cf46aecae00a99c2603d1295e170)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/xe/xe_exec_queue.h      |   17 ---------
 drivers/gpu/drm/xe/xe_guc_submit.c      |   55 +-------------------------------
 drivers/gpu/drm/xe/xe_hw_engine_group.c |   10 +----
 3 files changed, 5 insertions(+), 77 deletions(-)

--- a/drivers/gpu/drm/xe/xe_exec_queue.h
+++ b/drivers/gpu/drm/xe/xe_exec_queue.h
@@ -161,21 +161,4 @@ int xe_exec_queue_contexts_hwsp_rebase(s
 
 struct xe_lrc *xe_exec_queue_lrc(struct xe_exec_queue *q);
 
-/**
- * xe_exec_queue_idle_skip_suspend() - Can exec queue skip suspend
- * @q: The exec_queue
- *
- * If an exec queue is not parallel and is idle, the suspend steps can be
- * skipped in the submission backend immediatley signaling the suspend fence.
- * Parallel queues cannot skip this step due to limitations in the submission
- * backend.
- *
- * Return: True if exec queue is idle and can skip suspend steps, False
- * otherwise
- */
-static inline bool xe_exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
-{
-	return !xe_exec_queue_is_parallel(q) && xe_exec_queue_is_idle(q);
-}
-
 #endif
--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -72,7 +72,6 @@ exec_queue_to_guc(struct xe_exec_queue *
 #define EXEC_QUEUE_STATE_WEDGED			(1 << 8)
 #define EXEC_QUEUE_STATE_BANNED			(1 << 9)
 #define EXEC_QUEUE_STATE_PENDING_RESUME		(1 << 10)
-#define EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND	(1 << 11)
 
 static bool exec_queue_registered(struct xe_exec_queue *q)
 {
@@ -224,21 +223,6 @@ static void clear_exec_queue_pending_res
 	atomic_and(~EXEC_QUEUE_STATE_PENDING_RESUME, &q->guc->state);
 }
 
-static bool exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
-{
-	return atomic_read(&q->guc->state) & EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND;
-}
-
-static void set_exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
-{
-	atomic_or(EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND, &q->guc->state);
-}
-
-static void clear_exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
-{
-	atomic_and(~EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND, &q->guc->state);
-}
-
 static bool exec_queue_killed_or_banned_or_wedged(struct xe_exec_queue *q)
 {
 	return (atomic_read(&q->guc->state) &
@@ -1110,7 +1094,7 @@ static void submit_exec_queue(struct xe_
 	if (!job->restore_replay || job->last_replay) {
 		if (xe_exec_queue_is_parallel(q))
 			wq_item_append(q);
-		else if (!exec_queue_idle_skip_suspend(q))
+		else
 			xe_lrc_set_ring_tail(lrc, lrc->ring.tail);
 		job->last_replay = false;
 	}
@@ -1781,10 +1765,9 @@ static void __guc_exec_queue_process_msg
 {
 	struct xe_exec_queue *q = msg->private_data;
 	struct xe_guc *guc = exec_queue_to_guc(q);
-	bool idle_skip_suspend = xe_exec_queue_idle_skip_suspend(q);
 
-	if (!idle_skip_suspend && guc_exec_queue_allowed_to_change_state(q) &&
-	    !exec_queue_suspended(q) && exec_queue_enabled(q)) {
+	if (guc_exec_queue_allowed_to_change_state(q) && !exec_queue_suspended(q) &&
+	    exec_queue_enabled(q)) {
 		wait_event(guc->ct.wq, vf_recovery(guc) ||
 			   ((q->guc->resume_time != RESUME_PENDING ||
 			   xe_guc_read_stopped(guc)) && !exec_queue_pending_disable(q)));
@@ -1803,33 +1786,11 @@ static void __guc_exec_queue_process_msg
 			disable_scheduling(q, false);
 		}
 	} else if (q->guc->suspend_pending) {
-		if (idle_skip_suspend)
-			set_exec_queue_idle_skip_suspend(q);
 		set_exec_queue_suspended(q);
 		suspend_fence_signal(q);
 	}
 }
 
-static void sched_context(struct xe_exec_queue *q)
-{
-	struct xe_guc *guc = exec_queue_to_guc(q);
-	struct xe_lrc *lrc = q->lrc[0];
-	u32 action[] = {
-		XE_GUC_ACTION_SCHED_CONTEXT,
-		q->guc->id,
-	};
-
-	xe_gt_assert(guc_to_gt(guc), !xe_exec_queue_is_parallel(q));
-	xe_gt_assert(guc_to_gt(guc), !exec_queue_destroyed(q));
-	xe_gt_assert(guc_to_gt(guc), exec_queue_registered(q));
-	xe_gt_assert(guc_to_gt(guc), !exec_queue_pending_disable(q));
-
-	trace_xe_exec_queue_submit(q);
-
-	xe_lrc_set_ring_tail(lrc, lrc->ring.tail);
-	xe_guc_ct_send(&guc->ct, action, ARRAY_SIZE(action), 0, 0);
-}
-
 static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
 {
 	struct xe_exec_queue *q = msg->private_data;
@@ -1837,22 +1798,12 @@ static void __guc_exec_queue_process_msg
 	if (guc_exec_queue_allowed_to_change_state(q)) {
 		clear_exec_queue_suspended(q);
 		if (!exec_queue_enabled(q)) {
-			if (exec_queue_idle_skip_suspend(q)) {
-				struct xe_lrc *lrc = q->lrc[0];
-
-				clear_exec_queue_idle_skip_suspend(q);
-				xe_lrc_set_ring_tail(lrc, lrc->ring.tail);
-			}
 			q->guc->resume_time = RESUME_PENDING;
 			set_exec_queue_pending_resume(q);
 			enable_scheduling(q);
-		} else if (exec_queue_idle_skip_suspend(q)) {
-			clear_exec_queue_idle_skip_suspend(q);
-			sched_context(q);
 		}
 	} else {
 		clear_exec_queue_suspended(q);
-		clear_exec_queue_idle_skip_suspend(q);
 	}
 }
 
--- a/drivers/gpu/drm/xe/xe_hw_engine_group.c
+++ b/drivers/gpu/drm/xe/xe_hw_engine_group.c
@@ -207,21 +207,15 @@ static int xe_hw_engine_group_suspend_fa
 	lockdep_assert_held_write(&group->mode_sem);
 
 	list_for_each_entry(q, &group->exec_queue_list, hw_engine_group_link) {
-		bool idle_skip_suspend;
 
 		if (!xe_vm_in_fault_mode(q->vm))
 			continue;
 
-		idle_skip_suspend = xe_exec_queue_idle_skip_suspend(q);
-		if (!idle_skip_suspend && has_deps)
+		if (has_deps)
 			return -EAGAIN;
 
 		xe_gt_stats_incr(q->gt, XE_GT_STATS_ID_HW_ENGINE_GROUP_SUSPEND_LR_QUEUE_COUNT, 1);
-		if (idle_skip_suspend)
-			xe_gt_stats_incr(q->gt,
-					 XE_GT_STATS_ID_HW_ENGINE_GROUP_SKIP_LR_QUEUE_COUNT, 1);
-
-		need_resume |= !idle_skip_suspend;
+		need_resume = true;
 		q->ops->suspend(q);
 		gt = q->gt;
 	}
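Review bot: removing `bool idle_skip_suspend;` leaves the `list_for_each_entry()` body opening with an empty line before `if (!xe_vm_in_fault_mode(q->vm))`, which should go as well. This hunk also drops the only visible use of XE_GT_STATS_ID_HW_ENGINE_GROUP_SKIP_LR_QUEUE_COUNT while the diffstat lists only xe_exec_queue.h, xe_guc_submit.c and xe_hw_engine_group.c, so check whether the stat id is now defined but never incremented.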



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 271/522] drm/i915/gem: Fix phys BO pread/pwrite with offset
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (269 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 270/522] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:56 ` [PATCH 6.1 272/522] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL Greg Kroah-Hartman
                   ` (251 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
	Tvrtko Ursulin, Simona Vetter, Jani Nikula, Rodrigo Vivi,
	Joonas Lahtinen, Tvrtko Ursulin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

commit d21ad938398bca695a511307de38a65889e3b354 upstream.

sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.

Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.

Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
Cc: <stable@vger.kernel.org> # v4.5+
Cc: Tvrtko Ursulin <tursulin@ursulin.net>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gem/i915_gem_phys.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
@@ -17,6 +17,17 @@
 #include "i915_gem_tiling.h"
 #include "i915_scatterlist.h"
 
+/* Abuse scatterlist to store pointer instead of struct page. */
+static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
+{
+	sg_assign_page(sg, (struct page *)vaddr);
+}
+
+static inline void *__get_phys_vaddr(struct scatterlist *sg)
+{
+	return (void *)sg_page(sg);
+}
+
 static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
 {
 	struct address_space *mapping = obj->base.filp->f_mapping;
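Review bot: the comment above `__set_phys_vaddr()` says the scatterlist is abused to store a pointer, but not why callers must read it back through `__get_phys_vaddr()`: sg_page() returns `struct page *`, so adding a byte offset to its result scales the offset by sizeof(struct page). Putting that sentence in the comment would keep a later change from reintroducing `sg_page(...) + args->offset` in the pread/pwrite paths.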
@@ -53,7 +64,7 @@ static int i915_gem_object_get_pages_phy
 	sg->offset = 0;
 	sg->length = obj->base.size;
 
-	sg_assign_page(sg, (struct page *)vaddr);
+	__set_phys_vaddr(sg, vaddr);
 	sg_dma_address(sg) = dma;
 	sg_dma_len(sg) = obj->base.size;
 
@@ -97,7 +108,7 @@ i915_gem_object_put_pages_phys(struct dr
 			       struct sg_table *pages)
 {
 	dma_addr_t dma = sg_dma_address(pages->sgl);
-	void *vaddr = sg_page(pages->sgl);
+	void *vaddr = __get_phys_vaddr(pages->sgl);
 
 	__i915_gem_object_release_shmem(obj, pages, false);
 
@@ -140,7 +151,7 @@ i915_gem_object_put_pages_phys(struct dr
 int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
 				const struct drm_i915_gem_pwrite *args)
 {
-	void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
+	void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
 	char __user *user_data = u64_to_user_ptr(args->data_ptr);
 	struct drm_i915_private *i915 = to_i915(obj->base.dev);
 	int err;
@@ -171,7 +182,7 @@ int i915_gem_object_pwrite_phys(struct d
 int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
 			       const struct drm_i915_gem_pread *args)
 {
-	void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
+	void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
 	char __user *user_data = u64_to_user_ptr(args->data_ptr);
 	int err;
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 188/378] rust: x86: support Rust >= 1.98.0 target spec
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 187/378] Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend" Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 189/378] ARM: Do not select HAVE_RUST when KASAN is enabled Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ralf Jung, Alice Ryhl, Miguel Ojeda

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miguel Ojeda <ojeda@kernel.org>

commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream.

Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
which is an alias. Otherwise, one gets:

    error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
      |
      = help: run `rustc --print target-list` for a list of built-in targets

Thus conditionally use one or the other depending on the version.

The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
use the newer version instead to avoid changing how the build works for
existing compilers, at least until more testing takes place.

Cc: Ralf Jung <post@ralfj.de>
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: https://github.com/rust-lang/rust/pull/157151 [1]
Link: https://github.com/rust-lang/rust/pull/151154 [2]
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/generate_rust_target.rs |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/scripts/generate_rust_target.rs
+++ b/scripts/generate_rust_target.rs
@@ -196,7 +196,9 @@ fn main() {
         }
     } else if cfg.has("X86_64") {
         ts.push("arch", "x86_64");
-        if cfg.rustc_version_atleast(1, 86, 0) {
+        if cfg.rustc_version_atleast(1, 98, 0) {
+            ts.push("rustc-abi", "softfloat");
+        } else if cfg.rustc_version_atleast(1, 86, 0) {
             ts.push("rustc-abi", "x86-softfloat");
         }
         ts.push(
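Review bot: the new `cfg.rustc_version_atleast(1, 98, 0)` branch carries no comment, so the code itself does not say that `x86-softfloat` stops being accepted at 1.98.0, nor that `softfloat` was deliberately not adopted from 1.95.0 where the alias first exists. A two-line comment above the `if` with that reasoning from the commit message would help whoever later raises the minimum compiler version.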
@@ -236,7 +238,9 @@ fn main() {
             panic!("32-bit x86 only works under UML");
         }
         ts.push("arch", "x86");
-        if cfg.rustc_version_atleast(1, 86, 0) {
+        if cfg.rustc_version_atleast(1, 98, 0) {
+            ts.push("rustc-abi", "softfloat");
+        } else if cfg.rustc_version_atleast(1, 86, 0) {
             ts.push("rustc-abi", "x86-softfloat");
         }
         ts.push(
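Review bot: this is the same version ladder as in the X86_64 branch, repeated verbatim for 32-bit x86. A small helper that returns the `rustc-abi` value for the detected compiler would keep the two copies from drifting apart when the 1.86.0 branch is eventually dropped.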



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 272/522] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (270 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 271/522] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 273/522] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
                   ` (250 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
	Steve French

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gil Portnoy <dddhkts1@gmail.com>

commit f580d27e8928828693df44ba2db0fffdbe11dfea upstream.

A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on
conn->async_requests via setup_async_work(), with cancel_fn =
smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with
locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never
reaches release_async_work() -- the only site that unlinks the work from
conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays
matchable on async_requests with a live cancel_fn pointing at the freed file_lock,
until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second
SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs
smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

  BUG: KASAN: slab-use-after-free in __locks_delete_block
    __locks_delete_block
    locks_delete_block
    ksmbd_vfs_posix_lock_unblock
    smb2_remove_blocked_lock
    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn
    handle_ksmbd_work
  Allocated by ...: locks_alloc_lock <- smb2_lock
  Freed by ...:     locks_free_lock  <- smb2_lock (cancelled branch)
  ... cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback
cannot be fired a second time.

Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smb2pdu.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6810,6 +6810,17 @@ int smb2_cancel(struct ksmbd_work *work)
 			    le64_to_cpu(hdr->Id.AsyncId))
 				continue;
 
+			/*
+			 * A cancelled deferred byte-range lock frees its
+			 * file_lock and takes the smb2_lock() early-exit that
+			 * skips release_async_work(), so the work stays on
+			 * conn->async_requests with a live cancel_fn pointing
+			 * at the freed file_lock.  Re-firing it on a second
+			 * SMB2_CANCEL is a use-after-free.
+			 */
+			if (iter->state == KSMBD_WORK_CANCELLED)
+				break;
+
 			ksmbd_debug(SMB,
 				    "smb2 with AsyncId %llu cancelled command = 0x%x\n",
 				    le64_to_cpu(hdr->Id.AsyncId),
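Review bot: the guard uses `break`, which ends the walk of the async request list at the first already-cancelled match, where the AsyncId mismatch case just above uses `continue`; that is right only if an AsyncId can match a single entry, and the comment should say so. The check also depends on `iter->state` being KSMBD_WORK_CANCELLED before the worker frees the file_lock, and it leaves the stale `cancel_fn` and `cancel_argv` on conn->async_requests, so clearing them at the cancelled early-exit in smb2_lock() is worth considering as the more direct fix.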



^ permalink raw reply	[flat|nested] 906+ messages in thread
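The double-cancel sequence described in the commit message above, as an added user-space model that is not ksmbd code and not from the patch author. The struct and function names are simplified stand-ins, the "free" is a flag rather than a real deallocation, and it is an assumption of the model that the first cancel marks the work as cancelled before calling `cancel_fn`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum work_state { WORK_ACTIVE, WORK_CANCELLED };

/* Stand-in for the struct file_lock that cancel_argv[0] points at. */
struct lock_model {
	bool freed;		/* set when the worker's cancelled branch "frees" it */
	int touched_after_free;	/* accesses after that point (the KASAN report) */
};

/* Stand-in for the async work kept on conn->async_requests. */
struct work_model {
	uint64_t async_id;
	enum work_state state;
	void (*cancel_fn)(void **argv);
	void *cancel_argv[1];
};

/* Models smb2_remove_blocked_lock(): it dereferences the lock it is given. */
static void remove_blocked_lock(void **argv)
{
	struct lock_model *fl = argv[0];

	if (fl->freed)
		fl->touched_after_free++;
}

/*
 * Models the worker's cancelled early-exit: the lock is freed, but the work
 * is neither unlinked nor has cancel_fn/cancel_argv cleared.
 */
static void worker_cancelled_exit(struct work_model *w)
{
	struct lock_model *fl = w->cancel_argv[0];

	fl->freed = true;
}

/* Models the list walk in smb2_cancel(), with or without the added guard. */
static void smb2_cancel_model(struct work_model *list, size_t n,
			      uint64_t async_id, bool guard)
{
	for (size_t i = 0; i < n; i++) {
		struct work_model *iter = &list[i];

		if (iter->async_id != async_id)
			continue;
		if (guard && iter->state == WORK_CANCELLED)
			break;	/* the check the patch adds */
		iter->state = WORK_CANCELLED;
		if (iter->cancel_fn)
			iter->cancel_fn(iter->cancel_argv);
		break;
	}
}

/* Two cancels for the same AsyncId with the worker's exit in between. */
static int touches_after_free(bool guard)
{
	struct lock_model fl = { false, 0 };
	struct work_model list[2] = {
		{ .async_id = 7, .state = WORK_ACTIVE },
		{ .async_id = 9, .state = WORK_ACTIVE,
		  .cancel_fn = remove_blocked_lock, .cancel_argv = { &fl } },
	};

	smb2_cancel_model(list, 2, 9, guard);	/* first SMB2_CANCEL */
	worker_cancelled_exit(&list[1]);	/* lock freed, work still listed */
	smb2_cancel_model(list, 2, 9, guard);	/* second SMB2_CANCEL */
	return fl.touched_after_free;
}

int main(void)
{
	printf("without guard: %d access(es) to the freed lock\n",
	       touches_after_free(false));
	printf("with guard:    %d access(es) to the freed lock\n",
	       touches_after_free(true));
	return 0;
}
```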

* [PATCH 7.0 189/378] ARM: Do not select HAVE_RUST when KASAN is enabled
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 7.0 188/378] rust: x86: support Rust >= 1.98.0 target spec Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 190/378] rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Christian Schrefl,
	Miguel Ojeda

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

commit 84a0f7caafc679f763d3868635837e22bb89651a upstream.

When KASAN is enabled, such as with allmodconfig, the build fails when
building the Rust code with:

  error: kernel-address sanitizer is not supported for this target

  error: aborting due to 1 previous error

  make[4]: *** [rust/Makefile:654: rust/core.o] Error 1

The arm-unknown-linux-gnueabi target does not support KASAN, so avoid
saying Rust is supported when it is enabled.

Cc: stable@vger.kernel.org
Fixes: ccb8ce526807 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
Link: https://github.com/Rust-for-Linux/linux/issues/1234
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -135,7 +135,7 @@ config ARM
 	select MMU_GATHER_RCU_TABLE_FREE if SMP && ARM_LPAE
 	select HAVE_REGS_AND_STACK_ACCESS_API
 	select HAVE_RSEQ
-	select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7
+	select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7 && !KASAN
 	select HAVE_STACKPROTECTOR
 	select HAVE_SYSCALL_TRACEPOINTS
 	select HAVE_UID16
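Review bot: the `&& !KASAN` added to the `select HAVE_RUST` line records the restriction but not its cause, which lives only in the commit message (the arm-unknown-linux-gnueabi target does not support KASAN). Since the condition is unconditional on compiler version, a brief pointer to that reason near the Rust architecture support documentation would help whoever revisits this line if the target later gains sanitizer support.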



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 273/522] xfrm: espintcp: do not reuse an in-progress partial send
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (271 preceding siblings ...)
  2026-06-16 14:56 ` [PATCH 6.1 272/522] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 274/522] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
                   ` (249 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Zhengchuan Liang, Xin Liu, Wyatt Feng, Ren Wei,
	Steffen Klassert

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wyatt Feng <bronzed_45_vested@icloud.com>

commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream.

espintcp keeps a single in-flight transmit in ctx->partial.
Before building a new sk_msg, espintcp_sendmsg() first tries to flush
that state through espintcp_push_msgs().

For blocking callers, espintcp_push_msgs() may return success even when
the previous partial send is still pending. espintcp_sendmsg() would
then reinitialize emsg->skmsg and reuse ctx->partial while the old
transfer still owns that state.

Do not rebuild the send message when ctx->partial is still in progress.
If espintcp_push_msgs() returns with emsg->len still set, fail the new
send instead of overwriting the live partial state.

This is a memory-safety fix: reusing the live partial-send state can
leave a stale offset attached to a new sk_msg and lead to an out-of-
bounds read in the send path.

tcp_sendmsg_locked() already handles waiting for send buffer memory, so
the fix here is just to preserve espintcp's one-message-at-a-time
transmit state.

Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/espintcp.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/xfrm/espintcp.c
+++ b/net/xfrm/espintcp.c
@@ -340,6 +340,10 @@ static int espintcp_sendmsg(struct sock
 			err = -ENOBUFS;
 		goto unlock;
 	}
+	if (emsg->len) {
+		err = -ENOBUFS;
+		goto unlock;
+	}
 
 	sk_msg_init(&emsg->skmsg);
 	while (1) {
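Review bot: the new `if (emsg->len)` check has no comment, and it reuses the `err = -ENOBUFS; goto unlock;` body of the branch directly above it. A comment saying that a non-zero `emsg->len` after espintcp_push_msgs() means ctx->partial is still owned by the earlier send would make the intent clear, and it is worth confirming that -ENOBUFS is the error a blocking caller should see for a message that is merely still in flight.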



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 190/378] rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 189/378] ARM: Do not select HAVE_RUST when KASAN is enabled Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 191/378] rust: kasan/kbuild: fix rustc-option when cross-compiling Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Bo Ye, Isaac Manjarres,
	Alice Ryhl, Miguel Ojeda, Sami Tolvanen

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alice Ryhl <aliceryhl@google.com>

commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream.

Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
uwtable annotation for functions, but not for the module. This means
that compiler-generated functions such as 'asan.module_ctor' do not
receive the uwtable annotation.

When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
failures because the dwarf information emitted for the kasan
constructors is wrong, which causes the SCS boot patching code to
patch the constructor in an illegal manner. Specifically, the paciasp
instruction is patched, but the autiasp instruction is not. This
mismatch leads to a crash when the constructor is called during boot.

	==================================================================
	BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
	Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1

Specifically the faulting instruction is the (*fn)() to invoke the
constructor in do_ctors() of the init/main.c file.

Once the fix lands in rustc, this flag can be made conditional on the
rustc version. Note that passing the flag on a rustc with the fix
present has no effect.

[ The fix [1] has landed for Rust 1.98.0 (expected release on
  2026-08-20).

  Thus add a version check as discussed.

    - Miguel ]

Fixes: d077242d68a3 ("rust: support for shadow call stack sanitizer")
Cc: stable@kernel.org
Link: https://github.com/rust-lang/rust/pull/156973 [1]
Reported-by: Bo Ye <bo.ye@mediatek.com>
Debugged-by: Isaac Manjarres <isaacmanjarres@google.com>
Debugged-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: Isaac Manjarres <isaacmanjarres@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com
[ Adjusted link and comment. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/Makefile |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -63,6 +63,9 @@ else
 KBUILD_CFLAGS	+= -fasynchronous-unwind-tables
 KBUILD_AFLAGS	+= -fasynchronous-unwind-tables
 KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n
+# Work around rustc bug on compilers without
+# https://github.com/rust-lang/rust/pull/156973.
+KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=uwtable:u32:2:max)
 endif
 
 ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y)
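
Review bot: The comment added above the new KBUILD_RUSTFLAGS line names the rustc pull request but not the release that the 109800 passed to rustc-min-version stands for. The commit message says the fix landed for Rust 1.98.0, so stating that in the comment (for example "fixed in Rust 1.98.0") would let a reader verify the version gate without following the link.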




* [PATCH 6.1 274/522] USB: serial: io_ti: fix heap overflow in get_manuf_info()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (272 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 273/522] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 275/522] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
                   ` (248 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Korwel, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Korwel <adriank20047@gmail.com>

commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream.

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
[ johan: amend commit message; also check for short descriptors ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/io_ti.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgepor
 	}
 
 	/* Read the descriptor data */
+	if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) {
+		dev_err(dev, "unexpected Edge descriptor length: %u\n",
+			le16_to_cpu(rom_desc->Size));
+		status = -EINVAL;
+		goto exit;
+	}
 	status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
 					le16_to_cpu(rom_desc->Size), buffer);
 	if (status)
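
Review bot: The new length check sits between the existing "/* Read the descriptor data */" comment and the read_rom() call that comment describes, so the comment now labels the validation instead of the read. Moving the check above the comment, with its own one-line comment saying that Size is device-supplied and must match the destination buffer, keeps the two steps readable. le16_to_cpu(rom_desc->Size) is also evaluated three times across the check, the error message and the read_rom() call; a local variable would make it obvious that the validated value is the one used as the read length.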




* [PATCH 7.0 191/378] rust: kasan/kbuild: fix rustc-option when cross-compiling
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 190/378] rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 192/378] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Alice Ryhl, Miguel Ojeda

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alice Ryhl <aliceryhl@google.com>

commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream.

The Makefile version of rustc-option currently checks whether the option
exists for the host target instead of the target actually being compiled
for. It was done this way in commit 46e24a545cdb ("rust: kasan/kbuild:
fix missing flags on first build") to avoid a circular dependency on
target.json. However, because of this, rustc-option currently does not
function when cross-compiling from x86_64 to aarch64 if
CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS
contains -Zfixed-x18 under this configuration. Since that flag does not
exist on the host target, rustc-option runs into a compilation failure
every time, leading to all flags being rejected as unsupported.

To fix this, update rustc-option to pass a --target parameter so that
the host target is not used. For targets using target.json, use a
built-in target that is as close as possible to the target created with
target.json to avoid the circular dependency on target.json.

One scenario where this causes a boot failure:
* Cross-compiled from x86_64 to aarch64.
* With CONFIG_SHADOW_CALL_STACK=y
* With CONFIG_KASAN_SW_TAGS=y
* With CONFIG_KASAN_INLINE=n
Then the resulting kernel image will fail to boot when it first calls
into Rust code with a crash along the lines of "Unable to handle kernel
paging request at virtual address 0ffffffc08541796". This is because the
call threshold is not specified, so rustc will inline kasan operations,
but the kasan shadow offset is not specified, which leads to the inlined
kasan instructions being incorrect.

Note that the -Zsanitizer=kernel-hwaddress parameter itself does not
lead to a rustc-option failure despite being aarch64-specific because
RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when
rustc-option is evaluated by the kasan Makefile.

Cc: stable@vger.kernel.org
Fixes: 46e24a545cdb ("rust: kasan/kbuild: fix missing flags on first build")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com
[ Edited slightly:
    - Reset variable to avoid using the environment.
    - Use a simply expanded variable flavor for simplicity.
    - Export variable so that behavior in sub-`make`s is consistent.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

  This matches other variables. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
---
 Makefile                  |    3 ++-
 arch/x86/Makefile         |    4 ++++
 arch/x86/Makefile.um      |    8 ++++++++
 scripts/Makefile.compiler |    2 +-
 4 files changed, 15 insertions(+), 2 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -606,6 +606,7 @@ KBUILD_RUSTFLAGS := $(rust_common_flags)
 		    -Crelocation-model=static \
 		    -Zfunction-sections=n \
 		    -Wclippy::float_arithmetic
+KBUILD_RUSTFLAGS_OPTION_CHKS :=
 
 KBUILD_AFLAGS_KERNEL :=
 KBUILD_CFLAGS_KERNEL :=
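
Review bot: KBUILD_RUSTFLAGS_OPTION_CHKS is introduced here without a comment, and its name does not say that it holds flags used only when probing with rustc-option. A one-line comment at the definition, saying that architectures append a built-in --target here for the flag checks in scripts/Makefile.compiler, would save readers from tracing it through the arch Makefiles.
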
@@ -642,7 +643,7 @@ export KBUILD_USERCFLAGS KBUILD_USERLDFL
 
 export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS
 export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
-export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE
+export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE KBUILD_RUSTFLAGS_OPTION_CHKS
 export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
 export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_RUSTFLAGS_MODULE KBUILD_LDFLAGS_MODULE
 export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL KBUILD_RUSTFLAGS_KERNEL
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -81,6 +81,10 @@ KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-
 KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
 KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2
 
+# The target.json file is not available when invoking rustc-option, so use the
+# built-in target when checking whether flags are supported instead.
+KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-none
+
 #
 # CFLAGS for compiling floating point code inside the kernel.
 #
--- a/arch/x86/Makefile.um
+++ b/arch/x86/Makefile.um
@@ -14,6 +14,14 @@ endif
 
 KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
 
+# The target.json file is not available when invoking rustc-option, so use the
+# built-in target when checking whether flags are supported instead.
+ifeq ($(CONFIG_X86_32),y)
+KBUILD_RUSTFLAGS_OPTION_CHKS += --target=i686-unknown-linux-gnu
+else
+KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-linux-gnu
+endif
+
 ifeq ($(CONFIG_X86_32),y)
 START := 0x8048000
 
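
Review bot: The two --target values added in the ifeq/else block are the hosted built-in targets (i686-unknown-linux-gnu and x86_64-unknown-linux-gnu), while arch/x86/Makefile in the same patch uses x86_64-unknown-none, and the comment shared by both files does not say why they differ. A short remark here on why UML is checked against the -linux-gnu targets would make the choice read as deliberate to a later reader.
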
--- a/scripts/Makefile.compiler
+++ b/scripts/Makefile.compiler
@@ -80,7 +80,7 @@ ld-option = $(call try-run, $(LD) $(KBUI
 # TODO: remove RUSTC_BOOTSTRAP=1 when we raise the minimum GNU Make version to 4.4
 __rustc-option = $(call try-run,\
 	echo '$(pound)![allow(missing_docs)]$(pound)![feature(no_core)]$(pound)![no_core]' | RUSTC_BOOTSTRAP=1\
-	$(1) --sysroot=/dev/null $(filter-out --sysroot=/dev/null --target=%,$(2)) $(3)\
+	$(1) --sysroot=/dev/null $(KBUILD_RUSTFLAGS_OPTION_CHKS) $(filter-out --sysroot=/dev/null --target=%target.json,$(2)) $(3)\
 	--crate-type=rlib --out-dir=$(TMPOUT) --emit=obj=- - >/dev/null,$(3),$(4))
 
 # rustc-option
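
Review bot: The filter-out pattern in __rustc-option changes from --target=% to --target=%target.json, so a built-in --target already present in $(2) is now passed through, and on an architecture that also sets KBUILD_RUSTFLAGS_OPTION_CHKS rustc would be handed two --target options. The comment block for rustc-option should state the rule that only architectures whose KBUILD_RUSTFLAGS points at target.json add a --target to KBUILD_RUSTFLAGS_OPTION_CHKS.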




* [PATCH 6.1 275/522] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (273 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 274/522] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 276/522] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
                   ` (247 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Korwel, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Korwel <adriank20047@gmail.com>

commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream.

build_i2c_fw_hdr() allocates a fixed-size buffer of
(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
copies le16_to_cpu(img_header->Length) bytes into it without
validating that Length fits within the available space after the
firmware record header.

img_header->Length is a __le16 from the firmware file and can be
up to 65535. check_fw_sanity() validates the total firmware size
but not img_header->Length specifically.

Fix by rejecting images where img_header->Length exceeds the
available destination space.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/io_ti.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -844,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header,
 	/* Pointer to fw_down memory image */
 	img_header = (struct ti_i2c_image_header *)&fw->data[4];
 
+	if (le16_to_cpu(img_header->Length) >
+			buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
+		kfree(buffer);
+		return -EINVAL;
+	}
 	memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
 		&fw->data[4 + sizeof(struct ti_i2c_image_header)],
 		le16_to_cpu(img_header->Length));
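
Review bot: The added check bounds only the destination of the memcpy() that follows; the source, &fw->data[4 + sizeof(struct ti_i2c_image_header)], is still read for le16_to_cpu(img_header->Length) bytes without a check in this hunk. The commit message says check_fw_sanity() validates the total firmware size but not img_header->Length, so it is worth confirming that the firmware blob is guaranteed to hold 4 + sizeof(struct ti_i2c_image_header) + Length bytes at this point, or extending the condition to reject images where it does not.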




* [PATCH 7.0 192/378] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 191/378] rust: kasan/kbuild: fix rustc-option when cross-compiling Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 193/378] cfi: Include uaccess.h for get_kernel_nofault() Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Gabriel Somlo,
	Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Inochi Amaoto <inochiama@gmail.com>

commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.

The previous clock uses roundup_pow_of_two() to calculate the core
clock frequency. It does not meet the actual hardware meaning.
The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".

Fix the clock divider calculation.

Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/litex_mmc.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/litex_mmc.c
+++ b/drivers/mmc/host/litex_mmc.c
@@ -16,6 +16,7 @@
 #include <linux/interrupt.h>
 #include <linux/iopoll.h>
 #include <linux/litex.h>
+#include <linux/math.h>
 #include <linux/mod_devicetable.h>
 #include <linux/module.h>
 #include <linux/platform_device.h>
@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
 	struct device *dev = mmc_dev(host->mmc);
 	u32 div;
 
-	div = freq ? host->ref_clk / freq : 256U;
-	div = roundup_pow_of_two(div);
+	div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
 	div = clamp(div, 2U, 256U);
 	dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
-		freq, host->ref_clk / div, div);
+		freq, host->ref_clk / ((div + 1) & ~1U), div);
 	litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
 	host->sd_clk = freq;
 }
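
Review bot: The effective divider printed by the new dev_dbg() argument, (div + 1) & ~1U, rounds an odd div up, while the commit message gives the hardware behaviour as ref_clk / ((div >> 1) << 1), which rounds an odd div down. For div = 3 the message reports ref_clk / 4 but the formula in the commit message yields ref_clk / 2, which is also above the requested freq even though DIV_ROUND_UP() was used. Either the debug expression or the commit message formula needs correcting, and if the hardware really rounds down, div should be made even before litex_write16() so the resulting clock never exceeds freq.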




* [PATCH 6.1 276/522] USB: serial: option: add usb-id for Dell Wireless DW5826e-m
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (274 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 275/522] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 277/522] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
                   ` (246 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jack Wu, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Wu <jackbb_wu@compal.com>

commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream.

Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=413c ProdID=81ea Rev= 5.04
S:  Manufacturer=DELL
S:  Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A
S:  SerialNumber=358988870177734
C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=88(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Jack Wu <jackbb_wu@compal.com>
Reviewed-by: Lars Melin <larsm17@gmail>
Cc: stable@vger.kernel.org
[ johan: reserve also interface 4 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -202,6 +202,7 @@ static void option_instat_callback(struc
 #define DELL_PRODUCT_5821E_ESIM			0x81e0
 #define DELL_PRODUCT_5829E_ESIM			0x81e4
 #define DELL_PRODUCT_5829E			0x81e6
+#define DELL_PRODUCT_5826E_ESIM			0x81ea
 
 #define DELL_PRODUCT_FM101R_ESIM		0x8213
 #define DELL_PRODUCT_FM101R			0x8215
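
Review bot: The new define is named DELL_PRODUCT_5826E_ESIM, but the product string in the commit message is "DW5826e-m" and nothing in the patch identifies 0x81ea as an eSIM variant. If the suffix is not intentional, a name matching the product, or a trailing comment giving the product string, would avoid confusion with the neighbouring _ESIM and non-_ESIM pairs.
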
@@ -1123,6 +1124,8 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(0) | RSVD(6) },
 	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM),
 	  .driver_info = RSVD(0) | RSVD(6) },
+	{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff),
+	  .driver_info = RSVD(1) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) },
 	{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) },
 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) },	/* ADU-E100, ADU-310 */
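
Review bot: The RSVD(1) | RSVD(4) mask on the new entry carries no comment, and the reason for each reserved interface is only recoverable from the usb-devices listing in the commit message (interface 1 is vendor class Sub=42 Prot=01 bound to usbfs, interface 4 has no driver). A trailing comment on the entry saying what those two interfaces are would keep that knowledge next to the table.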




* [PATCH 7.0 193/378] cfi: Include uaccess.h for get_kernel_nofault()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 192/378] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 194/378] mshv: add a missing padding field Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor,
	Masami Hiramatsu (Google), Sami Tolvanen, Linus Torvalds

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

commit 979c294509f9248fe1e7c358d582fb37dd5ca12d upstream.

After commit 0652a3daa787 ("tracing: Fix CFI violation in probestub
being called by tprobes"), there are many build errors when building
ARCH=arm multi_v7_defconfig + CONFIG_CFI=y like:

  In file included from drivers/base/devres.c:17:
  In file included from drivers/base/trace.h:16:
  In file included from include/linux/tracepoint.h:23:
  include/linux/cfi.h:44:6: error: call to undeclared function 'get_kernel_nofault'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
     44 |         if (get_kernel_nofault(hash, func - cfi_get_offset()))
        |             ^
  1 error generated.

get_kernel_nofault() is called in the generic version of
cfi_get_func_hash() but nothing ensures uaccess.h is always included for
a proper expansion and prototype.  Include uaccess.h in cfi.h to clear
up the errors.

Cc: stable@vger.kernel.org
Fixes: 0652a3daa787 ("tracing: Fix CFI violation in probestub being called by tprobes")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/cfi.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/linux/cfi.h b/include/linux/cfi.h
index 1fd22ea6eba4..0f220d29225c 100644
--- a/include/linux/cfi.h
+++ b/include/linux/cfi.h
@@ -9,6 +9,7 @@
 
 #include <linux/bug.h>
 #include <linux/module.h>
+#include <linux/uaccess.h>
 #include <asm/cfi.h>
 
 #ifdef CONFIG_CFI
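
Review bot: The new #include <linux/uaccess.h> is added unconditionally, above the #ifdef CONFIG_CFI that follows the include block, although the error quoted in the commit message comes from get_kernel_nofault() inside cfi_get_func_hash(). If that helper is only compiled under CONFIG_CFI, the include could move inside the #ifdef so that the other includers of cfi.h (the error trace shows it is reached through tracepoint.h) do not pull in uaccess.h when CFI is disabled.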
-- 
2.54.0





* [PATCH 6.1 277/522] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (275 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 276/522] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 278/522] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Johan Hovold

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: HyeongJun An <sammiee5311@gmail.com>

commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream.

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
                           size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/kl5kusb105.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -331,8 +331,8 @@ static int klsi_105_prepare_write_buffer
 	unsigned char *buf = dest;
 	int count;
 
-	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
-								&port->lock);
+	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+				 size - KLSI_HDR_LEN, &port->lock);
 	put_unaligned_le16(count, buf);
 
 	return count + KLSI_HDR_LEN;
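
Review bot: The new length argument size - KLSI_HDR_LEN assumes size is at least KLSI_HDR_LEN; if size is unsigned and ever smaller than the header, the subtraction wraps to a very large count and the overflow returns in a worse form. The commit message gives bulk_out_size as 64 bytes for this device, so either note that assumption in a comment or return early when size <= KLSI_HDR_LEN before calling kfifo_out_locked().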




* [PATCH 7.0 194/378] mshv: add a missing padding field
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 193/378] cfi: Include uaccess.h for get_kernel_nofault() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 195/378] KVM: Dont WARN if memory is dirtied without a vCPU when the VM is dying Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Doru Blânzeanu, Magnus Kulke,
	stable, Easwar Hariharan, Wei Liu

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Liu <wei.liu@kernel.org>

commit 48fcc895403cc97aa6c776cb65e6aa11290c0b44 upstream.

That was missed when importing the header.

Reported-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>
Reported-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Fixes: e68bda71a2384 ("hyperv: Add new Hyper-V headers in include/hyperv")
Cc: stable@kernel.org
Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/hyperv/hvhdk.h |    1 +
 1 file changed, 1 insertion(+)

--- a/include/hyperv/hvhdk.h
+++ b/include/hyperv/hvhdk.h
@@ -79,6 +79,7 @@ struct hv_vp_register_page {
 
 		u64 registers[18];
 	};
+	u8 reserved[8];
 	/* Volatile XMM registers (HV_X64_REGISTER_CLASS_XMM) */
 	union {
 		struct {
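
Review bot: The added u8 reserved[8] shifts every later member of struct hv_vp_register_page, and nothing in the hunk pins the resulting layout, which is how the field was missed when the header was imported. A static_assert() on the offset of the XMM register union that follows, or on the size of the structure, would turn the next layout mismatch with the hypervisor definition into a build failure. A short comment on the reserved field would also help, since it is the only unlabelled member in the visible context.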




* [PATCH 6.1 278/522] ALSA: timer: Fix UAF at snd_timer_user_params()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (276 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 277/522] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 279/522] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Takashi Iwai

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream.

At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races.  But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround.  It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.

Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/timer.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1842,6 +1842,7 @@ static int snd_timer_user_params(struct
 	struct snd_timer *t;
 	int err;
 
+	guard(mutex)(&register_mutex);
 	tu = file->private_data;
 	if (!tu->timeri)
 		return -EBADFD;
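
Review bot: The added guard(mutex)(&register_mutex) relies on the scope-based guard() helper from linux/cleanup.h, and this is the 6.1-stable backport, so it is worth confirming that the 6.1 tree provides that helper and that sound/core/timer.c picks it up. If it does not, the backport needs explicit mutex_lock()/mutex_unlock() calls covering every return path of snd_timer_user_params(), starting with the -EBADFD return shown here.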




* [PATCH 7.0 195/378] KVM: Dont WARN if memory is dirtied without a vCPU when the VM is dying
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 194/378] mshv: add a missing padding field Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 196/378] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Roth, Sean Christopherson,
	Paolo Bonzini

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream.

When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero.  This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporarily load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page.  But for the VM's refcount
to reach zero, there can't be _any_ userspace mappings to the dirty ring,
as mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive.  And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.

Reported-by: Michael Roth <michael.roth@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-15-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/kvm_main.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3527,7 +3527,8 @@ void mark_page_dirty_in_slot(struct kvm
 	if (WARN_ON_ONCE(vcpu && vcpu->kvm != kvm))
 		return;
 
-	WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm));
+	WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) &&
+		     !kvm_arch_allow_write_without_running_vcpu(kvm));
 #endif
 
 	if (memslot && kvm_slot_dirty_track_enabled(memslot)) {
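
Review bot: The refcount_read(&kvm->users_count) term added to the WARN_ON_ONCE() condition has no comment, and from the code alone it is not clear why a dying VM may dirty memory without a running vCPU. The rationale in the commit message (once the refcount is zero no userspace mapping of the dirty ring can exist, so a missed push cannot be observed) deserves a two- or three-line comment above the WARN so the exemption is not mistaken for a way to silence it.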




* [PATCH 6.1 279/522] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (277 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 278/522] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 280/522] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit 49c3da65961fe9857c831d47fa1989084e87514a upstream.

[Why & How]
gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table.
If the value is >= 32, the expression "1 << gpio_bitshift" triggers
undefined behaviour in C (shift count exceeds type width). On x86 the
shift is silently masked to 5 bits, producing an incorrect GPIO mask
that may cause wrong MMIO register bits to be toggled.

Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for
out-of-range values.

Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -700,8 +700,10 @@ static enum bp_result bios_parser_get_gp
 		info->offset_en = info->offset + 1;
 		info->offset_mask = info->offset - 1;
 
-		info->mask = (uint32_t) (1 <<
-			header->gpio_pin[i].gpio_bitshift);
+		if (header->gpio_pin[i].gpio_bitshift >= 32)
+			return BP_RESULT_BADBIOSTABLE;
+
+		info->mask = 1u << header->gpio_pin[i].gpio_bitshift;
 		info->mask_y = info->mask + 2;
 		info->mask_en = info->mask + 1;
 		info->mask_mask = info->mask - 1;
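
Review bot: the new "return BP_RESULT_BADBIOSTABLE" sits after info->offset_en and info->offset_mask have already been written, so on a bad VBIOS table the caller gets an error together with a half-filled info structure. Moving the gpio_bitshift check ahead of the first store into info, or stating that info is undefined on failure, would make the error path unambiguous. The literal 32 could also be tied to the destination, for example BITS_PER_TYPE(info->mask), so the bound follows the field width if it ever changes.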



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 196/378] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 195/378] KVM: Dont WARN if memory is dirtied without a vCPU when the VM is dying Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 197/378] KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit f041dc80de4abbdd0909d871bf64f3f87d2350ff upstream.

Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that
the free/unpin path can be reused when freeing a vCPU.

Opportunistically add a WARN to harden KVM against stomping over (and thus
leaking) an already-allocated scratch area.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-17-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3547,20 +3547,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm *
 	if (!svm->sev_es.ghcb)
 		return;
 
-	if (svm->sev_es.ghcb_sa_free) {
-		/*
-		 * The scratch area lives outside the GHCB, so there is a
-		 * buffer that, depending on the operation performed, may
-		 * need to be synced, then freed.
-		 */
-		if (svm->sev_es.ghcb_sa_sync) {
-			kvm_write_guest(svm->vcpu.kvm,
-					svm->sev_es.sw_scratch,
-					svm->sev_es.ghcb_sa,
-					svm->sev_es.ghcb_sa_len);
-			svm->sev_es.ghcb_sa_sync = false;
-		}
+	/*
+	 * If the scratch area lives outside the GHCB, there's a buffer that,
+	 * depending on the operation performed, may need to be synced.
+	 */
+	if (svm->sev_es.ghcb_sa_sync) {
+		kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch,
+				svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len);
+		svm->sev_es.ghcb_sa_sync = false;
+	}
 
+	if (svm->sev_es.ghcb_sa_free) {
 		kvfree(svm->sev_es.ghcb_sa);
 		svm->sev_es.ghcb_sa = NULL;
 		svm->sev_es.ghcb_sa_free = false;
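
Review bot: with the sync block no longer nested under ghcb_sa_free, the kvm_write_guest() from ghcb_sa now runs whenever ghcb_sa_sync is set, so correctness depends on the invariant that sync is never left set for a scratch area that lives inside the GHCB. The rewritten comment only hints at that ("If the scratch area lives outside the GHCB"); stating the invariant explicitly, or asserting it here, would make the dependency on setup_vmgexit_scratch() visible. The return value of kvm_write_guest() is also still discarded, so a failed sync back to the guest is silent.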
@@ -3640,6 +3637,8 @@ static int setup_vmgexit_scratch(struct
 		goto e_scratch;
 	}
 
+	WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free);
+
 	if ((scratch_gpa_beg & PAGE_MASK) == control->ghcb_gpa) {
 		/* Scratch area begins within GHCB */
 		ghcb_scratch_beg = control->ghcb_gpa +
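
Review bot: the added WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free) reports the stale state but execution continues, so the "stomping over (and thus leaking)" case named in the commit message is detected and then still happens. If that is intentional (report only), a one-line comment saying so would help; otherwise consider bailing out through the existing e_scratch path or releasing the old area when the WARN fires.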
@@ -3661,6 +3660,8 @@ static int setup_vmgexit_scratch(struct
 		scratch_va = (void *)svm->sev_es.ghcb;
 		scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
 
+		svm->sev_es.ghcb_sa_sync = false;
+		svm->sev_es.ghcb_sa_free = false;
 		svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;
 	} else {
 		/* GHCB v2 requires the scratch area to be within the GHCB. */
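
Review bot: the two added resets, ghcb_sa_sync = false and ghcb_sa_free = false, have no comment explaining that a scratch area inside the GHCB needs neither a write-back nor a kvfree(). They also interact with the WARN added earlier in this function: if that WARN fired because ghcb_sa_free was still set, clearing the flag here without freeing ghcb_sa drops the only marker that sev_es_unmap_ghcb() uses to kvfree() it. A comment, or clearing the flags only after the stale case has been handled, would close that gap.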



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 280/522] RDMA/srp: bound SRP_RSP sense copy by the received length
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (278 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 279/522] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 281/522] udp: clear skb->dev before running a sockmap verdict Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Bart Van Assche,
	Jason Gunthorpe

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream.

srp_process_rsp() copies sense data from rsp->data + resp_data_len,
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the number of bytes actually received
(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
at most 96 bytes are copied, but the source offset is not bounded.

A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
is allocated at the target-chosen max_ti_iu_len, so the source of the
sense copy lands past the bytes actually received; with resp_data_len
near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.

Copy the sense data only if it has not been truncated, that is, only if
the response header, the response data, and the sense region fit within
the bytes actually received; otherwise drop the sense and log. The
in-tree iSER and NVMe-RDMA receive paths already bound their parse by
wc->byte_len; this brings ib_srp into line with them.

Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srp/ib_srp.c |   30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1935,7 +1935,8 @@ static int srp_post_recv(struct srp_rdma
 	return ib_post_recv(ch->qp, &wr, NULL);
 }
 
-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp)
+static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp,
+			    u32 byte_len)
 {
 	struct srp_target_port *target = ch->target;
 	struct srp_request *req;
@@ -1976,10 +1977,27 @@ static void srp_process_rsp(struct srp_r
 		scmnd->result = rsp->status;
 
 		if (rsp->flags & SRP_RSP_FLAG_SNSVALID) {
-			memcpy(scmnd->sense_buffer, rsp->data +
-			       be32_to_cpu(rsp->resp_data_len),
-			       min_t(int, be32_to_cpu(rsp->sense_data_len),
-				     SCSI_SENSE_BUFFERSIZE));
+			u32 resp_len = be32_to_cpu(rsp->resp_data_len);
+			u32 sense_len = be32_to_cpu(rsp->sense_data_len);
+
+			/*
+			 * The sense data starts resp_data_len bytes past the
+			 * response data area; both lengths come from the
+			 * target-controlled response.  Copy the sense data
+			 * only if it has not been truncated, that is, only if
+			 * the full sense region fits within the bytes actually
+			 * received.  Otherwise the copy source would run past
+			 * the receive buffer (sized to the target-chosen
+			 * max_ti_iu_len), reading out of bounds.
+			 */
+			if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len)
+				memcpy(scmnd->sense_buffer,
+				       rsp->data + resp_len,
+				       min(sense_len, SCSI_SENSE_BUFFERSIZE));
+			else
+				shost_printk(KERN_ERR, target->scsi_host,
+					     "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n",
+					     resp_len, sense_len, byte_len);
 		}
 
 		if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER))
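
Review bot: the shost_printk(KERN_ERR, ...) in the new else branch is not rate limited, and both values it reports come from the target, so a misbehaving target that keeps sending truncated SRP_RSP IUs can flood the log at KERN_ERR. A ratelimited print would be safer here. Two smaller points: the bound requires the full sense_len to fit even though at most SCSI_SENSE_BUFFERSIZE bytes are copied, which matches the comment but means a long, partly received sense region is dropped rather than copied up to what arrived; and the removed code used min_t(int, ...) while the new code uses min(sense_len, SCSI_SENSE_BUFFERSIZE) with a u32 first argument, so it is worth confirming this builds without a type-check warning on this stable branch.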
@@ -2089,7 +2107,7 @@ static void srp_recv_done(struct ib_cq *
 
 	switch (opcode) {
 	case SRP_RSP:
-		srp_process_rsp(ch, iu->buf);
+		srp_process_rsp(ch, iu->buf, wc->byte_len);
 		break;
 
 	case SRP_CRED_REQ:
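
Review bot: wc->byte_len is passed through unchecked, and srp_process_rsp() reads rsp->status and rsp->flags before the new length test, so nothing establishes that the received length covers even the fixed struct srp_rsp header. A check at this call site (or at the top of srp_process_rsp()) that byte_len >= sizeof(struct srp_rsp) would ensure those fields come from the received IU rather than from whatever the receive buffer held before. Only the SRP_RSP case receives the length; it is worth confirming the other opcodes in this switch do not follow target-supplied offsets into iu->buf.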



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 197/378] KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 196/378] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 198/378] KVM: arm64: Correctly identify executable PTEs at stage-2 Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wei-Lin Chang, Oliver Upton,
	Marc Zyngier

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Upton <oupton@kernel.org>

commit 49b32ddb87a3a109afecea89e55d70f73956b8bc upstream.

XN has already been extracted from its bitfield position so using
FIELD_PREP() on the mask that clears XN[0] is completely broken, having
the effect of unconditionally granting execute permissions...

Fix the obvious mistake by manipulating the right bit.

Cc: stable@vger.kernel.org
Fixes: d93febe2ed2e ("KVM: arm64: nv: Forward FEAT_XNX permissions to the shadow stage-2")
Reviewed-by: Wei-Lin Chang <weilin.chang@arm.com>
Signed-off-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260602165901.52800-2-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/kvm_nested.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/include/asm/kvm_nested.h
+++ b/arch/arm64/include/asm/kvm_nested.h
@@ -131,7 +131,7 @@ static inline bool kvm_s2_trans_exec_el0
 	u8 xn = FIELD_GET(KVM_PTE_LEAF_ATTR_HI_S2_XN, trans->desc);
 
 	if (!kvm_has_xnx(kvm))
-		xn &= FIELD_PREP(KVM_PTE_LEAF_ATTR_HI_S2_XN, 0b10);
+		xn &= 0b10;
 
 	switch (xn) {
 	case 0b00:
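
Review bot: "xn &= 0b10;" is correct only because xn was already extracted with FIELD_GET() two lines above, which is exactly the detail the original code got wrong, yet the fixed line has no comment. A short comment that the mask applies to the extracted 2-bit value and clears XN[0] when FEAT_XNX is absent would prevent the FIELD_PREP() mistake from being reintroduced.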
@@ -147,7 +147,7 @@ static inline bool kvm_s2_trans_exec_el1
 	u8 xn = FIELD_GET(KVM_PTE_LEAF_ATTR_HI_S2_XN, trans->desc);
 
 	if (!kvm_has_xnx(kvm))
-		xn &= FIELD_PREP(KVM_PTE_LEAF_ATTR_HI_S2_XN, 0b10);
+		xn &= 0b10;
 
 	switch (xn) {
 	case 0b00:
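
Review bot: this is the same three-line sequence as in the previous hunk (FIELD_GET, the !kvm_has_xnx(kvm) test, "xn &= 0b10;"), duplicated in a second helper, and the bug had to be fixed in both places. Factoring the extraction and masking into one small static inline that both helpers call would keep the two from diverging again.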



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 281/522] udp: clear skb->dev before running a sockmap verdict
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (279 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 280/522] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 282/522] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sechang Lim, Jiayuan Chen,
	Eric Dumazet, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sechang Lim <rhkrqnwk98@gmail.com>

commit 3c94f241f776562c489876ff506f366224565c21 upstream.

On the UDP receive path skb->dev is repurposed as dev_scratch (the
truesize/state cache set by udp_set_dev_scratch()), through the
union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is
sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()
(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.
If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,
bpf_skc_lookup_tcp), bpf_skc_lookup() does:

	if (skb->dev)
		caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()
dereferences it as a struct net_device * and the kernel takes a general
protection fault on a non-canonical address in softirq:

  Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
  CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
  RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
  RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
  Call Trace:
   <IRQ>
   bpf_prog_4675cb904b7071f8+0x12e/0x14e
   bpf_prog_run_pin_on_cpu+0xc6/0x1f0
   sk_psock_verdict_recv+0x1ba/0x350
   udp_read_skb+0x31a/0x370
   sk_psock_verdict_data_ready+0x2e3/0x600
   __udp_enqueue_schedule_skb+0x4c8/0x650
   udpv6_queue_rcv_one_skb+0x3ec/0x740
   udp6_unicast_rcv_skb+0x11d/0x140
   ip6_protocol_deliver_rcu+0x61e/0x950
   ip6_input_finish+0xa9/0x150
   NF_HOOK+0x286/0x2f0
   ip6_input+0x117/0x220
   NF_HOOK+0x286/0x2f0
   __netif_receive_skb+0x85/0x200
   process_backlog+0x374/0x9a0
   __napi_poll+0x4f/0x1c0
   net_rx_action+0x3b0/0x770
   handle_softirqs+0x15a/0x460
   do_softirq+0x57/0x80
   </IRQ>

The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on
dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear
skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which
skb_set_owner_sk_safe() set just above.

Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()")
Cc: stable@vger.kernel.org
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/udp.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1822,6 +1822,14 @@ try_again:
 	}
 
 	WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk));
+
+	/*
+	 * skb->dev still aliases the UDP rx dev_scratch (its charge was freed
+	 * on dequeue above); a sockmap verdict program may deref it via
+	 * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk
+	 */
+	skb->dev = NULL;
+
 	return recv_actor(sk, skb);
 }
 EXPORT_SYMBOL(udp_read_skb);
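
Review bot: after "skb->dev = NULL;" the socket-lookup helpers depend entirely on skb->sk, but the line just above only does WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk)) and carries on to recv_actor() if setting the owner failed. In that case the verdict program would run with neither skb->dev nor a guaranteed skb->sk. Consider dropping the skb and returning when skb_set_owner_sk_safe() fails instead of only warning. The new comment would also read better with the "->" shorthand spelled out as a sentence.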



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 198/378] KVM: arm64: Correctly identify executable PTEs at stage-2
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 197/378] KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 199/378] KVM: arm64: Restore POR_EL0 access to host EL0 Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Upton, Wei-Lin Chang,
	Marc Zyngier

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Upton <oupton@kernel.org>

commit 17f073f78fc43280891ecde8f8ec3f84f98bb37c upstream.

KVM invalidates the I-cache before installing an executable PTE on
implementations without DIC. Unfortunately, support for FEAT_XNX
broke this check as KVM_PTE_LEAF_ATTR_HI_S2_XN was expanded to a
bitfield.

Fix it by reusing kvm_pgtable_stage2_pte_prot() and testing the abstract
permission bits instead.

Fixes: 2608563b466b ("KVM: arm64: Add support for FEAT_XNX stage-2 permissions")
Reported-by: Sashiko (gemini/gemini-3.1-pro-preview)
Signed-off-by: Oliver Upton <oupton@kernel.org>
Reviewed-by: Wei-Lin Chang <weilin.chang@arm.com>
Link: https://patch.msgid.link/20260602165901.52800-3-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/hyp/pgtable.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/arm64/kvm/hyp/pgtable.c
+++ b/arch/arm64/kvm/hyp/pgtable.c
@@ -923,7 +923,9 @@ static bool stage2_pte_cacheable(struct
 
 static bool stage2_pte_executable(kvm_pte_t pte)
 {
-	return kvm_pte_valid(pte) && !(pte & KVM_PTE_LEAF_ATTR_HI_S2_XN);
+	enum kvm_pgtable_prot prot = kvm_pgtable_stage2_pte_prot(pte);
+
+	return prot & (KVM_PGTABLE_PROT_UX | KVM_PGTABLE_PROT_PX);
 }
 
 static u64 stage2_map_walker_phys_addr(const struct kvm_pgtable_visit_ctx *ctx,
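
Review bot: the rewritten stage2_pte_executable() drops the explicit kvm_pte_valid(pte) test and now relies on kvm_pgtable_stage2_pte_prot() reporting neither KVM_PGTABLE_PROT_UX nor KVM_PGTABLE_PROT_PX for an invalid PTE. That behaviour is not visible in this hunk; either keep the kvm_pte_valid() check in front of the prot test or add a comment stating that the helper returns no permissions for invalid entries, since a false positive here changes when the I-cache is invalidated.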



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 282/522] ARM: socfpga: Fix OF node refcount leak in SMP setup
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (280 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 281/522] udp: clear skb->dev before running a sockmap verdict Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 283/522] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
                   ` (240 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuho Choi, Dinh Nguyen

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuho Choi <dbgh9129@gmail.com>

commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream.

socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with
of_find_compatible_node(), which returns a node reference that must be
released with of_node_put().

The function maps the SCU registers and then returns without dropping
that reference, leaking the node on both the success path and the
of_iomap() failure path.

Drop the reference once the mapping attempt is complete. The returned
MMIO mapping does not depend on keeping the device node reference held.

Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU")
Cc: stable@vger.kernel.org
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-socfpga/platsmp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-socfpga/platsmp.c
+++ b/arch/arm/mach-socfpga/platsmp.c
@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c
 	}
 
 	socfpga_scu_base_addr = of_iomap(np, 0);
+	of_node_put(np);
 	if (!socfpga_scu_base_addr)
 		return;
 	scu_enable(socfpga_scu_base_addr);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 199/378] KVM: arm64: Restore POR_EL0 access to host EL0
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 198/378] KVM: arm64: Correctly identify executable PTEs at stage-2 Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 200/378] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Joey Gouly, Marc Zyngier

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joey Gouly <joey.gouly@arm.com>

commit cbaffe843a942c0d3102e0f9bce0e72b029b2594 upstream.

CPTR_EL2.E0POE was being cleared in __deactivate_cptr_traps_vhe(), which meant
that any accesses to POR_EL0 from host EL0 would trap and be reported to
userspace as an Illegal instruction. This would happen after running any VM,
regardless if it used POE or not.

Signed-off-by: Joey Gouly <joey.gouly@arm.com>
Link: https://sashiko.dev/#/patchset/20260602155430.2088142-1-maz@kernel.org?part=1
Link: https://patch.msgid.link/20260604105434.2297268-1-joey.gouly@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger,kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/hyp/include/hyp/switch.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -181,6 +181,8 @@ static inline void __deactivate_cptr_tra
 		val |= CPACR_EL1_ZEN;
 	if (cpus_have_final_cap(ARM64_SME))
 		val |= CPACR_EL1_SMEN;
+	if (cpus_have_final_cap(ARM64_HAS_S1POE))
+		val |= CPACR_EL1_E0POE;
 
 	write_sysreg(val, cpacr_el1);
 }
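
Review bot: the two added lines that set CPACR_EL1_E0POE have no Fixes: tag behind them, so there is no record of which commit started clearing E0POE and therefore which stable branches need this change. The Cc trailer is also written as "stable@vger,kernel.org" with a comma, which is not a valid address. In the code itself the new test follows the ZEN and SMEN pattern just above; a brief comment that host EL0 access to POR_EL0 must be restored regardless of whether the guest used POE would capture the point made in the commit message.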



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 283/522] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (281 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 282/522] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 284/522] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Greg Kroah-Hartman
                   ` (239 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Karl Mehltretter, Linus Walleij,
	Russell King

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Karl Mehltretter <kmehltretter@gmail.com>

commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream.

For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented
as C volatile halfword accesses so the compiler can generate an access
sequence that is safe for those machines. With KASAN enabled, those C
accesses are instrumented as normal memory accesses.

That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled,
PL011 probing traps in __asan_store2() while registering the UART, because
the instrumented writew() tries to check KASAN shadow for an MMIO address.

Keep the existing volatile halfword access, but move the ARMv5 definitions
into __no_kasan_or_inline functions so raw MMIO halfword accesses are not
instrumented by KASAN. The ARMv6-and-newer inline assembly path is
unchanged.

Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
Cc: stable@vger.kernel.org # v5.11+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/io.h |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/arch/arm/include/asm/io.h
+++ b/arch/arm/include/asm/io.h
@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __
  * the bus. Rather than special-case the machine, just let the compiler
  * generate the access for CPUs prior to ARMv6.
  */
-#define __raw_readw(a)         (__chk_io_ptr(a), *(volatile unsigned short __force *)(a))
-#define __raw_writew(v,a)      ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v)))
+#define __raw_writew __raw_writew
+static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr)
+{
+	__chk_io_ptr(addr);
+	*(volatile unsigned short __force *)addr = val;
+}
+
+#define __raw_readw __raw_readw
+static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr)
+{
+	__chk_io_ptr(addr);
+	return *(const volatile unsigned short __force *)addr;
+}
 #else
 /*
  * When running under a hypervisor, we want to avoid I/O accesses with
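
Review bot: the comment block above the new __raw_writew()/__raw_readw() still only explains why the compiler generates the halfword access; it says nothing about why these are now __no_kasan_or_inline functions. One added sentence, that MMIO addresses have no KASAN shadow and so these accessors must not be instrumented, would stop someone from converting them back to plain macros or a normal static inline. Note also that __raw_writew() now takes a u16 parameter, so a wider argument is truncated at the call boundary rather than at the store; the result is the same, but it is a visible change from the macro form.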



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 200/378] drm/i915/gem: Fix phys BO pread/pwrite with offset
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 199/378] KVM: arm64: Restore POR_EL0 access to host EL0 Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 201/378] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
	Tvrtko Ursulin, Simona Vetter, Jani Nikula, Rodrigo Vivi,
	Joonas Lahtinen, Tvrtko Ursulin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

commit d21ad938398bca695a511307de38a65889e3b354 upstream.

sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.

Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.

Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
Cc: <stable@vger.kernel.org> # v4.5+
Cc: Tvrtko Ursulin <tursulin@ursulin.net>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gem/i915_gem_phys.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
@@ -18,6 +18,17 @@
 #include "i915_gem_tiling.h"
 #include "i915_scatterlist.h"
 
+/* Abuse scatterlist to store pointer instead of struct page. */
+static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
+{
+	sg_assign_page(sg, (struct page *)vaddr);
+}
+
+static inline void *__get_phys_vaddr(struct scatterlist *sg)
+{
+	return (void *)sg_page(sg);
+}
+
 static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
 {
 	struct address_space *mapping = obj->base.filp->f_mapping;
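
Review bot: the comment on the new helpers ("Abuse scatterlist to store pointer instead of struct page.") does not state the property that matters for this fix, namely that __get_phys_vaddr() returns a byte-addressed void * so that adding args->offset is not scaled by sizeof(struct page). Saying that in the comment, and that callers must never use sg_page() directly on a phys object, would document why the helpers exist.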
@@ -58,7 +69,7 @@ static int i915_gem_object_get_pages_phy
 	sg->offset = 0;
 	sg->length = obj->base.size;
 
-	sg_assign_page(sg, (struct page *)vaddr);
+	__set_phys_vaddr(sg, vaddr);
 	sg_dma_address(sg) = dma;
 	sg_dma_len(sg) = obj->base.size;
 
@@ -99,7 +110,7 @@ i915_gem_object_put_pages_phys(struct dr
 			       struct sg_table *pages)
 {
 	dma_addr_t dma = sg_dma_address(pages->sgl);
-	void *vaddr = sg_page(pages->sgl);
+	void *vaddr = __get_phys_vaddr(pages->sgl);
 
 	__i915_gem_object_release_shmem(obj, pages, false);
 
@@ -139,7 +150,7 @@ i915_gem_object_put_pages_phys(struct dr
 int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
 				const struct drm_i915_gem_pwrite *args)
 {
-	void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
+	void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
 	char __user *user_data = u64_to_user_ptr(args->data_ptr);
 	struct drm_i915_private *i915 = to_i915(obj->base.dev);
 	int err;
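
Review bot: now that "__get_phys_vaddr(obj->mm.pages->sgl) + args->offset" is a plain byte offset, this function's correctness rests on args->offset and the size having been validated against obj->base.size before it is called; no such check is visible in this hunk. It is worth confirming the ioctl path performs that range check before reaching the phys pwrite, and noting it in a comment here.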
@@ -170,7 +181,7 @@ int i915_gem_object_pwrite_phys(struct d
 int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
 			       const struct drm_i915_gem_pread *args)
 {
-	void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
+	void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
 	char __user *user_data = u64_to_user_ptr(args->data_ptr);
 	int err;
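
Review bot: the pread side gets the same one-line change, and nothing in the patch exercises a non-zero args->offset on a phys object, which is why the wrong scaling went unnoticed since the commit named in Fixes:. A selftest or IGT case that writes a pattern, then reads it back at a non-zero offset, would cover both this hunk and the pwrite hunk above.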
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 284/522] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (282 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 283/522] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 285/522] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
                   ` (238 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Karl Mehltretter, Linus Walleij,
	Russell King

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Karl Mehltretter <kmehltretter@gmail.com>

commit 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 upstream.

Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from
VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in
__switch_to(). The read uses ldr, but the KASAN shadow address is
byte-granular and is not guaranteed to be word aligned.

ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and
CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()
with an alignment exception before reaching init.

Use ldrb for the dummy shadow access. The code only needs to fault in the
shadow mapping if the stack shadow is missing, so a byte load is sufficient
and matches the granularity of KASAN shadow memory.

Fixes: 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/kernel/entry-armv.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -793,7 +793,7 @@ ENTRY(__switch_to)
 	@ are using KASAN
 	mov_l	r2, KASAN_SHADOW_OFFSET
 	add	r2, r2, ip, lsr #KASAN_SHADOW_SCALE_SHIFT
-	ldr	r2, [r2]
+	ldrb	r2, [r2]
 #endif
 #endif
 
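
Review bot: The upstream tag reads `Cc: stable@vger.kernel.org # v6.13+`, yet this one-line `ldr` to `ldrb` change is queued for 6.1-stable. It only makes sense if the dummy shadow read from the Fixes: commit 44e9a3bb76e5 is already present in linux-6.1.y, which the context lines suggest; a line in the changelog saying that the prerequisite was backported would make the version mismatch easy to audit. A short `@` comment next to the `ldrb` saying that the byte access is deliberate, because shadow addresses are byte-granular, would also keep a later cleanup from widening it again.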




* [PATCH 7.0 201/378] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 200/378] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 202/378] pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Anton Leontev, Paolo Abeni

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Leontev <leontyevantony@gmail.com>

commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af upstream.

netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
send buffer using phys_to_virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys_to_virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.

Map the pages with kmap_local_page() instead, handling two properties
of the page buffer entries:

 - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
   not a native PFN. Reconstruct the physical address first and derive
   the native page from it, so the mapping stays correct where
   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).

 - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
   grouping in the page buffer array"), an entry describes a full
   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
   while kmap_local_page() maps a single page. Copy page by page,
   splitting at native page boundaries.

The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp_partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
no mapping work is added.

Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path")
Cc: stable@vger.kernel.org
Signed-off-by: Anton Leontev <leontyevantony@gmail.com>
Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/hyperv/netvsc.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -12,6 +12,7 @@
 #include <linux/sched.h>
 #include <linux/wait.h>
 #include <linux/mm.h>
+#include <linux/highmem.h>
 #include <linux/delay.h>
 #include <linux/io.h>
 #include <linux/slab.h>
@@ -965,12 +966,22 @@ static void netvsc_copy_to_send_buf(stru
 	}
 
 	for (i = 0; i < page_count; i++) {
-		char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT);
-		u32 offset = pb[i].offset;
+		phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) +
+				    pb[i].offset;
 		u32 len = pb[i].len;
 
-		memcpy(dest, (src + offset), len);
-		dest += len;
+		while (len) {
+			struct page *page = phys_to_page(paddr);
+			u32 off = offset_in_page(paddr);
+			u32 chunk = min_t(u32, len, PAGE_SIZE - off);
+			char *src = kmap_local_page(page);
+
+			memcpy(dest, src + off, chunk);
+			kunmap_local(src);
+			dest += chunk;
+			paddr += chunk;
+			len -= chunk;
+		}
 	}
 
 	if (padding)
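
Review bot: In `phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) + pb[i].offset;` the shift is evaluated in the type of `pb[i].pfn`, not in `phys_addr_t`. The 32-bit CONFIG_HIGHMEM case is the one this patch targets, so it is worth stating, or enforcing with an explicit `(phys_addr_t)` cast before the shift, that the shifted value cannot truncate. Separately, the loop still advances `dest` by the full `pb[i].len` with no check in this function against the send section size; the changelog explains why entries are bounded, and a one-line comment above `while (len)` carrying that reasoning would keep it next to the code.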




* [PATCH 6.1 285/522] mptcp: fix retransmission loop when csum is enabled
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (283 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 284/522] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 286/522] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
                   ` (237 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream.

Sashiko noted that retransmission with csum enabled can actually
transmit new data, but currently the relevant code does not update
snd_nxt accordingly.

This may cause incoming ack drop and an endless retransmission loop.

Address the issue by incrementing snd_nxt as needed.

Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2752,6 +2752,10 @@ static void __mptcp_retrans(struct sock
 
 	release_sock(ssk);
 
+	/* With csum enabled retransmission can send new data. */
+	if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt))
+		WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq);
+
 reset_timer:
 	mptcp_check_and_set_pending(sk);
 
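
Review bot: The sum `dfrag->already_sent + dfrag->data_seq` is computed twice in the added lines, once for the `after64()` test and once for the store, and `msk->snd_nxt` is read plainly in the test while being written with `WRITE_ONCE()`. Computing the value once into a local `u64` would make it obvious that the compared and stored values are the same. Either a `READ_ONCE()` on the read or a comment naming the lock that makes the plain read safe would document the pairing.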




* [PATCH 7.0 202/378] pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 201/378] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 203/378] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Judith Mendez, Linus Walleij

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Judith Mendez <jm@ti.com>

commit 8473c3a197b57ff01396f7a2ec6ddf65383820d4 upstream.

Regmap initialization triggers regcache_maple_populate(), which attempts
an SPI read to populate the cache. The SPI read requires mcp->dev and
mcp->addr to be set; without them, a NULL pointer dereference occurs
during probe.

Move initialization before mcp23s08_spi_regmap_init() call.

Cc: stable@vger.kernel.org
Fixes: f9f4fda15e72 ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type")
Signed-off-by: Judith Mendez <jm@ti.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/pinctrl-mcp23s08_spi.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
@@ -10,6 +10,7 @@
 #include "pinctrl-mcp23s08.h"
 
 #define MCP_MAX_DEV_PER_CS	8
+#define MCP23S08_SPI_BASE	0x40
 
 /*
  * A given spi_device can represent up to eight mcp23sxx chips
@@ -173,6 +174,8 @@ static int mcp23s08_probe(struct spi_dev
 	for_each_set_bit(addr, &spi_present_mask, MCP_MAX_DEV_PER_CS) {
 		data->mcp[addr] = &data->chip[--chips];
 		data->mcp[addr]->irq = spi->irq;
+		data->mcp[addr]->dev = dev;
+		data->mcp[addr]->addr = MCP23S08_SPI_BASE | (addr << 1);
 
 		ret = mcp23s08_spi_regmap_init(data->mcp[addr], dev, addr, info);
 		if (ret)
@@ -184,7 +187,7 @@ static int mcp23s08_probe(struct spi_dev
 		if (!data->mcp[addr]->pinctrl_desc.name)
 			return -ENOMEM;
 
-		ret = mcp23s08_probe_one(data->mcp[addr], dev, 0x40 | (addr << 1),
+		ret = mcp23s08_probe_one(data->mcp[addr], dev, MCP23S08_SPI_BASE | (addr << 1),
 					 info->type, -1);
 		if (ret < 0)
 			return ret;
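
Review bot: The address expression `MCP23S08_SPI_BASE | (addr << 1)` now appears twice, once where `data->mcp[addr]->addr` is assigned before `mcp23s08_spi_regmap_init()` and again in this `mcp23s08_probe_one()` call, and the changed line runs past 80 columns. Passing `data->mcp[addr]->addr` here would keep a single source for the value and shorten the line. A brief comment at the new assignments saying that regmap init performs SPI reads and therefore needs `dev` and `addr` set first would keep a later reorder from reintroducing the NULL dereference.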




* [PATCH 6.1 286/522] mptcp: close TOCTOU race while computing rcv_wnd
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (284 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 285/522] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 287/522] mptcp: allow subflow rcv wnd to shrink Greg Kroah-Hartman
                   ` (236 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 upstream.

The MPTCP output path accesses the MPTCP-level ack_seq locklessly
multiple times, using possibly different values for the data_ack
in the DSS option and to compute the announced rcv wnd for the same
packet.

Refactor the code to avoid inconsistencies which may confuse the
peer. Also ensure that the MPTCP level rcv wnd is updated only when
the egress packet actually contains a DSS ack.

Fixes: fa3fe2b15031 ("mptcp: track window announced to peer")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/options.c |   36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -568,7 +568,6 @@ static bool mptcp_established_options_ds
 	struct mptcp_ext *mpext;
 	unsigned int ack_size;
 	bool ret = false;
-	u64 ack_seq;
 
 	opts->csum_reqd = READ_ONCE(msk->csum_enabled);
 	mpext = skb ? mptcp_get_ext(skb) : NULL;
@@ -600,14 +599,11 @@ static bool mptcp_established_options_ds
 		return ret;
 	}
 
-	ack_seq = READ_ONCE(msk->ack_seq);
 	if (READ_ONCE(msk->use_64bit_ack)) {
 		ack_size = TCPOLEN_MPTCP_DSS_ACK64;
-		opts->ext_copy.data_ack = ack_seq;
 		opts->ext_copy.ack64 = 1;
 	} else {
 		ack_size = TCPOLEN_MPTCP_DSS_ACK32;
-		opts->ext_copy.data_ack32 = (uint32_t)ack_seq;
 		opts->ext_copy.ack64 = 0;
 	}
 	opts->ext_copy.use_ack = 1;
@@ -1273,19 +1269,14 @@ bool mptcp_incoming_options(struct sock
 	return true;
 }
 
-static void mptcp_set_rwin(struct tcp_sock *tp, struct tcphdr *th)
+static u64 mptcp_set_rwin(struct mptcp_sock *msk, struct tcp_sock *tp,
+			  struct tcphdr *th, u64 ack_seq)
 {
 	const struct sock *ssk = (const struct sock *)tp;
-	struct mptcp_subflow_context *subflow;
-	u64 ack_seq, rcv_wnd_old, rcv_wnd_new;
-	struct mptcp_sock *msk;
+	u64 rcv_wnd_old, rcv_wnd_new;
 	u32 new_win;
 	u64 win;
 
-	subflow = mptcp_subflow_ctx(ssk);
-	msk = mptcp_sk(subflow->conn);
-
-	ack_seq = READ_ONCE(msk->ack_seq);
 	rcv_wnd_new = ack_seq + tp->rcv_wnd;
 
 	rcv_wnd_old = atomic64_read(&msk->rcv_wnd_sent);
@@ -1337,7 +1328,7 @@ raise_win:
 
 update_wspace:
 	WRITE_ONCE(msk->old_wspace, tp->rcv_wnd);
-	subflow->rcv_wnd_sent = rcv_wnd_new;
+	return rcv_wnd_new;
 }
 
 static void mptcp_track_rwin(struct tcp_sock *tp)
@@ -1449,13 +1440,25 @@ void mptcp_write_options(struct tcphdr *
 		*ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags);
 
 		if (mpext->use_ack) {
+			struct mptcp_sock *msk;
+			u64 ack_seq;
+
+			/* DSS option is set only by mptcp_established_options,
+			 * the caller is __tcp_transmit_skb() and ssk is always
+			 * not NULL.
+			 */
+			subflow = mptcp_subflow_ctx(ssk);
+			msk = mptcp_sk(subflow->conn);
+			ack_seq = READ_ONCE(msk->ack_seq);
 			if (mpext->ack64) {
-				put_unaligned_be64(mpext->data_ack, ptr);
+				put_unaligned_be64(ack_seq, ptr);
 				ptr += 2;
 			} else {
-				put_unaligned_be32(mpext->data_ack32, ptr);
+				put_unaligned_be32(ack_seq, ptr);
 				ptr += 1;
 			}
+			subflow->rcv_wnd_sent = mptcp_set_rwin(msk, tp, th,
+							       ack_seq);
 		}
 
 		if (mpext->use_map) {
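
Review bot: `mptcp_set_rwin(msk, tp, th, ack_seq)` is now called unconditionally inside the `mpext->use_ack` branch, while the call removed at the end of this function was guarded by `if (tp)`. The added comment argues that `ssk` is never NULL when a DSS option is present, but `ssk`, `tp` and `subflow` are all used here without a check; either a `WARN_ON_ONCE(!tp)` style guard or a comment extended to say why `tp` cannot be NULL on this path would make the invariant explicit. Also, `put_unaligned_be32(ack_seq, ptr)` truncates the `u64` implicitly where the removed code used an explicit `(uint32_t)ack_seq` cast; keeping the cast shows that the truncation is intended.
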
@@ -1684,9 +1687,6 @@ mp_capable_done:
 			i += 4;
 		}
 	}
-
-	if (tp)
-		mptcp_set_rwin(tp, th);
 }
 
 __be32 mptcp_get_reset_option(const struct sk_buff *skb)




* [PATCH 7.0 203/378] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 202/378] pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 204/378] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
	Steve French

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gil Portnoy <dddhkts1@gmail.com>

commit f580d27e8928828693df44ba2db0fffdbe11dfea upstream.

A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on
conn->async_requests via setup_async_work(), with cancel_fn =
smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with
locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never
reaches release_async_work() -- the only site that unlinks the work from
conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays
matchable on async_requests with a live cancel_fn pointing at the freed file_lock,
until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second
SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs
smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

  BUG: KASAN: slab-use-after-free in __locks_delete_block
    __locks_delete_block
    locks_delete_block
    ksmbd_vfs_posix_lock_unblock
    smb2_remove_blocked_lock
    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn
    handle_ksmbd_work
  Allocated by ...: locks_alloc_lock <- smb2_lock
  Freed by ...:     locks_free_lock  <- smb2_lock (cancelled branch)
  ... cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback
cannot be fired a second time.

Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smb2pdu.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7327,6 +7327,17 @@ int smb2_cancel(struct ksmbd_work *work)
 			    le64_to_cpu(hdr->Id.AsyncId))
 				continue;
 
+			/*
+			 * A cancelled deferred byte-range lock frees its
+			 * file_lock and takes the smb2_lock() early-exit that
+			 * skips release_async_work(), so the work stays on
+			 * conn->async_requests with a live cancel_fn pointing
+			 * at the freed file_lock.  Re-firing it on a second
+			 * SMB2_CANCEL is a use-after-free.
+			 */
+			if (iter->state == KSMBD_WORK_CANCELLED)
+				break;
+
 			ksmbd_debug(SMB,
 				    "smb2 with AsyncId %llu cancelled command = 0x%x\n",
 				    le64_to_cpu(hdr->Id.AsyncId),
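
Review bot: The check `if (iter->state == KSMBD_WORK_CANCELLED) break;` guards the consumer in `smb2_cancel()` but leaves in place the condition that the comment itself describes: the cancelled work stays on `conn->async_requests` with `cancel_fn` and `cancel_argv` pointing at the freed `file_lock` until teardown. Any other walker of that list that fires `cancel_fn` without testing the state would hit the same use-after-free, so consider also clearing the callback, or reaching `release_async_work()`, on the cancelled early-exit in `smb2_lock()`. The comment should also say which lock orders this read of `iter->state` against the worker that sets it, and that `break` rather than `continue` is intended because the AsyncId has already matched.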




* [PATCH 6.1 287/522] mptcp: allow subflow rcv wnd to shrink
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (285 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 286/522] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 288/522] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
                   ` (235 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit da23be77e1292cd611e736c3aa17da633d7ddce7 upstream.

In an MPTCP connection, the `window` field in the TCP header refers to
the MPTCP-level rcv_nxt and its right edge should not move backward. Such
a constraint is enforced at DSS option generation time.

At the same time, the TCP stack ensures independently that the TCP-level
rcv wnd's right edge does not move backward. That in turn causes artificial
inflating of the MPTCP rcv window when the incoming data is acked at the
TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).

As a consequence, the incoming traffic can exceed the receiver rcvbuf size
even when the sender is not misbehaving.

Prevent such a scenario by forcibly allowing the TCP subflow to shrink the
TCP-level rcv wnd regardless of the current netns setting.

Fixes: f3589be0c420 ("mptcp: never shrink offered window")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-4-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/options.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -564,6 +564,7 @@ static bool mptcp_established_options_ds
 {
 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
 	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
+	struct tcp_sock *tp = tcp_sk(sk);
 	unsigned int dss_size = 0;
 	struct mptcp_ext *mpext;
 	unsigned int ack_size;
@@ -613,6 +614,12 @@ static bool mptcp_established_options_ds
 	if (dss_size == 0)
 		ack_size += TCPOLEN_MPTCP_DSS_BASE;
 
+	/* The caller is __tcp_transmit_skb(), and will compute the new rcv
+	 * wnd soon: ensure that the window can shrink.
+	 */
+	if (skb)
+		tp->rcv_wnd = tp->rcv_nxt - tp->rcv_wup;
+
 	dss_size += ack_size;
 
 	*size = ALIGN(dss_size, 4);
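
Review bot: `tp->rcv_wnd = tp->rcv_nxt - tp->rcv_wup;` makes `mptcp_established_options_dss()`, which otherwise only fills in `opts` and `*size`, modify subflow TCP state as a side effect, and its correctness depends on the caller recomputing the window afterwards, as the comment says. The comment should say why `if (skb)` is the right condition and whether calls with `skb == NULL` are intentionally excluded. Moving the assignment into a small named helper would also make the side effect visible at the call site.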




* [PATCH 7.0 204/378] xfrm: espintcp: do not reuse an in-progress partial send
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 203/378] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 205/378] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Zhengchuan Liang, Xin Liu, Wyatt Feng, Ren Wei,
	Steffen Klassert

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wyatt Feng <bronzed_45_vested@icloud.com>

commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream.

espintcp keeps a single in-flight transmit in ctx->partial.
Before building a new sk_msg, espintcp_sendmsg() first tries to flush
that state through espintcp_push_msgs().

For blocking callers, espintcp_push_msgs() may return success even when
the previous partial send is still pending. espintcp_sendmsg() would
then reinitialize emsg->skmsg and reuse ctx->partial while the old
transfer still owns that state.

Do not rebuild the send message when ctx->partial is still in progress.
If espintcp_push_msgs() returns with emsg->len still set, fail the new
send instead of overwriting the live partial state.

This is a memory-safety fix: reusing the live partial-send state can
leave a stale offset attached to a new sk_msg and lead to an out-of-
bounds read in the send path.

tcp_sendmsg_locked() already handles waiting for send buffer memory, so
the fix here is just to preserve espintcp's one-message-at-a-time
transmit state.

Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/espintcp.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/xfrm/espintcp.c
+++ b/net/xfrm/espintcp.c
@@ -349,6 +349,10 @@ static int espintcp_sendmsg(struct sock
 			err = -ENOBUFS;
 		goto unlock;
 	}
+	if (emsg->len) {
+		err = -ENOBUFS;
+		goto unlock;
+	}
 
 	sk_msg_init(&emsg->skmsg);
 	while (1) {
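
Review bot: The new `if (emsg->len)` test carries no comment, and nothing in the hunk says that a non-zero `emsg->len` after `espintcp_push_msgs()` means the previous partial send still owns `ctx->partial`. A one-line comment to that effect would stop the check from looking redundant with the error handling just above it. The choice of `-ENOBUFS` also deserves a word: per the changelog this path is reached by blocking callers, who now get an error rather than waiting, so the expected caller reaction should be stated.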




* [PATCH 6.1 288/522] mptcp: sockopt: check timestamping ret value
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (286 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 287/522] mptcp: allow subflow rcv wnd to shrink Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 289/522] wifi: nl80211: reject oversized EMA RNR lists Greg Kroah-Hartman
                   ` (234 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream.

sock_set_timestamping() can fail for different reasons. The returned
value should then be checked.

If sock_set_timestamping() fails for at least one subflow, the first
error is now reported to the userspace, similar to what is done with
other socket options.

Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -233,15 +233,19 @@ static int mptcp_setsockopt_sol_socket_t
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+		int err;
 
 		lock_sock(ssk);
-		sock_set_timestamping(ssk, optname, timestamping);
+		err = sock_set_timestamping(ssk, optname, timestamping);
 		release_sock(ssk);
+
+		if (err < 0 && ret == 0)
+			ret = err;
 	}
 
 	release_sock(sk);
 
-	return 0;
+	return ret;
 }
 
 static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval,
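
Review bot: The added `if (err < 0 && ret == 0) ret = err;` and the final `return ret;` rely on `ret` being zero when the loop starts, but its declaration and any earlier assignment are outside this hunk. For the 6.1 backport it is worth checking that `ret` exists in this function and is 0 on entry to `mptcp_for_each_subflow()`; otherwise a stale value is returned or the first subflow error is dropped. Since the loop continues after a failure, subflows can end up with different timestamping settings, and a comment saying that this is accepted would help.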




* [PATCH 7.0 205/378] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 204/378] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 206/378] xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takao Sato, Steffen Klassert

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takao Sato <takaosato1997@gmail.com>

commit e9096a5a170e7ecd6467bc2e08668ec39897cda7 upstream.

iptfs_consume_frags() transfers paged fragments from one socket buffer
to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is
the same class of bug that was fixed in skb_try_coalesce() for
CVE-2026-46300: when fragments backed by read-only page-cache pages are
merged, the marker indicating their shared nature must be preserved so
that ESP can decide correctly whether in-place encryption is safe.

Apply the same two-line fix used in skb_try_coalesce() to
iptfs_consume_frags().

Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets")
Cc: stable@vger.kernel.org # 6.14+
Signed-off-by: Takao Sato <takaosato1997@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_iptfs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2170,6 +2170,8 @@ static void iptfs_consume_frags(struct s
 	memcpy(&toi->frags[toi->nr_frags], fromi->frags,
 	       sizeof(fromi->frags[0]) * fromi->nr_frags);
 	toi->nr_frags += fromi->nr_frags;
+	if (fromi->nr_frags)
+		toi->flags |= fromi->flags & SKBFL_SHARED_FRAG;
 	fromi->nr_frags = 0;
 	from->data_len = 0;
 	from->len = 0;
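
Review bot: The two added lines have no comment, and the reason `SKBFL_SHARED_FRAG` must follow the fragments is only in the changelog. A short comment above `toi->flags |= fromi->flags & SKBFL_SHARED_FRAG;` saying that the moved frags may reference shared pages, so the destination must not be treated as safe for in-place modification, would keep the line from being dropped in a later refactor. The comment could also note that the `if (fromi->nr_frags)` guard avoids marking the destination when nothing was moved.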




* [PATCH 6.1 289/522] wifi: nl80211: reject oversized EMA RNR lists
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (287 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 288/522] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 290/522] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
                   ` (233 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Johannes Berg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyuqiabc@gmail.com>

commit 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 upstream.

nl80211_parse_rnr_elems() stores the parsed element count in a
u8-backed cfg80211_rnr_elems::cnt field and uses that count to size
the flexible array allocation.

Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches
255, before incrementing it again. This keeps the parser aligned with
the data structure it fills and matches the existing bound check used
by nl80211_parse_mbssid_elems().

Fixes: dbbb27e183b1 ("cfg80211: support RNR for EMA AP")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/20260529152542.1412734-1-n05ec@lzu.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/nl80211.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5478,6 +5478,9 @@ nl80211_parse_rnr_elems(struct wiphy *wi
 		if (ret)
 			return ERR_PTR(ret);
 
+		if (num_elems >= 255)
+			return ERR_PTR(-EINVAL);
+
 		num_elems++;
 	}
 
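
Review bot: The bound in `if (num_elems >= 255)` is a bare literal. The changelog ties it to the u8-backed `cfg80211_rnr_elems::cnt` field, so writing it as `U8_MAX` would express that link in the code itself. A comment saying that the check sits before `num_elems++` so that the count can reach, but never exceed, 255 would also make the off-by-one reasoning explicit.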




* [PATCH 7.0 206/378] xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 205/378] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 207/378] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian Hopps, Steffen Klassert,
	Tristan Madani

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristmd@gmail.com>

commit c8a8a75b733467b00c08b91a38dbaf207a08ed6e upstream.

iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock
that the timer callback also acquires, leading to an ABBA deadlock on
SMP systems.

For the output timer (iptfs_timer):
  - iptfs_destroy_state() holds x->lock, calls hrtimer_cancel()
  - iptfs_delay_timer() callback takes x->lock

For the drop timer (drop_timer):
  - iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel()
  - iptfs_drop_timer() callback takes drop_lock

Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq
context.  When hrtimer_cancel() is called for a soft timer that is
currently executing on another CPU, hrtimer_cancel_wait_running() spins
on softirq_expiry_lock -- the same lock held by the softirq running the
callback.  If the callback is blocked waiting for the spinlock held by
the caller of hrtimer_cancel(), a circular dependency forms:

  CPU 0: holds lock_A -> waits for softirq_expiry_lock
  CPU 1: holds softirq_expiry_lock -> waits for lock_A

Fix by calling hrtimer_cancel() before acquiring the respective locks.
hrtimer_cancel() is safe to call without holding any lock and will wait
for any in-progress callback to complete.  For the output timer, the
lock is still acquired afterwards to drain the packet queue.  For the
drop timer, the lock/unlock pair is removed entirely since it only
existed to serialize with the timer callback, which hrtimer_cancel()
already guarantees.

Found by source code audit.

Fixes: 4b3faf610cc6 ("xfrm: iptfs: add new iptfs xfrm mode impl")
Cc: Christian Hopps <chopps@labn.net>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_iptfs.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2730,8 +2730,9 @@ static void iptfs_destroy_state(struct x
 	if (!xtfs)
 		return;
 
-	spin_lock_bh(&xtfs->x->lock);
 	hrtimer_cancel(&xtfs->iptfs_timer);
+
+	spin_lock_bh(&xtfs->x->lock);
 	__skb_queue_head_init(&list);
 	skb_queue_splice_init(&xtfs->queue, &list);
 	spin_unlock_bh(&xtfs->x->lock);
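
Review bot: With hrtimer_cancel(&xtfs->iptfs_timer) now ahead of spin_lock_bh(&xtfs->x->lock), nothing visible in this hunk stops another path from re-arming the timer in the window between the cancel and the queue splice. If teardown ordering already guarantees that no sender can start iptfs_timer at this point, a short comment above the cancel stating that, and that the cancel must stay outside x->lock, would keep a later cleanup from moving it back under the lock.
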
@@ -2739,9 +2740,7 @@ static void iptfs_destroy_state(struct x
 	while ((skb = __skb_dequeue(&list)))
 		kfree_skb(skb);
 
-	spin_lock_bh(&xtfs->drop_lock);
 	hrtimer_cancel(&xtfs->drop_timer);
-	spin_unlock_bh(&xtfs->drop_lock);
 
 	if (xtfs->ra_newskb)
 		kfree_skb(xtfs->ra_newskb);
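
Review bot: The now bare hrtimer_cancel(&xtfs->drop_timer) carries no comment saying that drop_lock is deliberately not taken, so the removed lock/unlock pair looks like an omission to the next reader and invites someone to put it back. A one-line comment that the callback takes drop_lock and the cancel therefore must run unlocked would record the reason; it should also state that the kfree_skb(xtfs->ra_newskb) below relies on the callback having finished.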



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 290/522] vsock/vmci: fix sk_ack_backlog leak on failed handshake
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (288 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 289/522] wifi: nl80211: reject oversized EMA RNR lists Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 291/522] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
                   ` (232 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Raf Dickson, Stefano Garzarella,
	Paolo Abeni

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raf Dickson <rafdog35@gmail.com>

commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream.

When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.

Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Raf Dickson <rafdog35@gmail.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/vmci_transport.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -972,8 +972,10 @@ static int vmci_transport_recv_listen(st
 			err = -EINVAL;
 		}
 
-		if (err < 0)
+		if (err < 0) {
 			vsock_remove_pending(sk, pending);
+			sk_acceptq_removed(sk);
+		}
 
 		release_sock(pending);
 		vmci_transport_release_pending(pending);
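
Review bot: The sk_acceptq_removed(sk) added in the `err < 0` branch has no visible counterpart in this function, so a reader cannot tell which sk_acceptq_added() it balances or whether every path that reaches this branch (including the `err = -EINVAL` case just above) went through one. A one-line comment naming the matching increment would make the pairing auditable; folding the decrement into the helper that removes the pending socket would be the sturdier fix if its other callers allow it.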



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 207/378] USB: serial: io_ti: fix heap overflow in get_manuf_info()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 206/378] xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 208/378] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Korwel, Johan Hovold

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Korwel <adriank20047@gmail.com>

commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream.

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
[ johan: amend commit message; also check for short descriptors ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/io_ti.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgepor
 	}
 
 	/* Read the descriptor data */
+	if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) {
+		dev_err(dev, "unexpected Edge descriptor length: %u\n",
+			le16_to_cpu(rom_desc->Size));
+		status = -EINVAL;
+		goto exit;
+	}
 	status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
 					le16_to_cpu(rom_desc->Size), buffer);
 	if (status)
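
Review bot: The length check is inserted between the `/* Read the descriptor data */` comment and the read_rom() call that comment describes, so the comment now labels the validation instead. Move the check above the comment (or give it its own), and consider reading le16_to_cpu(rom_desc->Size) into a local once, since it is now evaluated in the check, in the dev_err() and in the read_rom() call.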



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 291/522] bnxt_en: Fix NULL pointer dereference
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (289 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 290/522] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 292/522] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
                   ` (231 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Meyer, Pavan Chebbi,
	Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Meyer <kyle.meyer@hpe.com>

commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream.

PCIe errors detected by a Root Port or Downstream Port cause error
recovery services to run on all subordinate devices regardless of
administrative state.

The .error_detected() callback, bnxt_io_error_detected(), disables
and synchronizes IRQs via bnxt_disable_int_sync(), which calls
bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
bp->bnapi.

Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
error recovery on a closed NIC can dereference a NULL pointer.

Check if bp->bnapi is NULL before disabling and synchronizing IRQs.

Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
Cc: stable@vger.kernel.org
Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -4747,7 +4747,7 @@ static void bnxt_disable_int_sync(struct
 {
 	int i;
 
-	if (!bp->irq_tbl)
+	if (!bp->irq_tbl || !bp->bnapi)
 		return;
 
 	atomic_inc(&bp->intr_sem);
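
Review bot: Returning early on `!bp->bnapi` also skips the atomic_inc(&bp->intr_sem) that follows, so there are now two conditions under which the semaphore is left untouched. Please confirm the enable side applies the same test before it decrements intr_sem; otherwise an error-recovery cycle on a closed NIC leaves the counter unbalanced. A comment on the early return saying that bnapi is NULL while the NIC is closed would also help.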



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 208/378] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 207/378] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 209/378] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Korwel, Johan Hovold

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Korwel <adriank20047@gmail.com>

commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream.

build_i2c_fw_hdr() allocates a fixed-size buffer of
(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
copies le16_to_cpu(img_header->Length) bytes into it without
validating that Length fits within the available space after the
firmware record header.

img_header->Length is a __le16 from the firmware file and can be
up to 65535. check_fw_sanity() validates the total firmware size
but not img_header->Length specifically.

Fix by rejecting images where img_header->Length exceeds the
available destination space.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/io_ti.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -844,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header,
 	/* Pointer to fw_down memory image */
 	img_header = (struct ti_i2c_image_header *)&fw->data[4];
 
+	if (le16_to_cpu(img_header->Length) >
+			buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
+		kfree(buffer);
+		return -EINVAL;
+	}
 	memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
 		&fw->data[4 + sizeof(struct ti_i2c_image_header)],
 		le16_to_cpu(img_header->Length));
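
Review bot: The new test bounds the destination of the memcpy() but not its source: the copy still reads le16_to_cpu(img_header->Length) bytes starting at &fw->data[4 + sizeof(struct ti_i2c_image_header)], and nothing in this hunk compares Length with what remains of the firmware blob. Unless check_fw_sanity() already guarantees that, add the matching check against fw->size here. The kfree(buffer) plus return in the new branch is also an open-coded error path; a shared error label would keep the cleanup in one place if the function has other failure exits.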



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 292/522] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (290 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 291/522] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 293/522] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jason Gunthorpe

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream.

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.

Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver")
Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/isert/ib_isert.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1389,6 +1389,12 @@ isert_login_recv_done(struct ib_cq *cq,
 	ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr,
 			ISER_RX_SIZE, DMA_FROM_DEVICE);
 
+	if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) {
+		isert_dbg("login request length %u is too short\n",
+			  wc->byte_len);
+		return;
+	}
+
 	isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN;
 
 	if (isert_conn->conn) {
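
Review bot: The rejection is logged with isert_dbg() only, so on a production target a stream of undersized login PDUs leaves no trace unless debugging is enabled. Since the commit message notes that this path is reachable before authentication, a rate-limited warning would give operators something to alert on. The bare return also leaves the connection as it was; a comment stating what eventually tears it down would keep the drop from being mistaken for a leak.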



^ permalink raw reply	[flat|nested] 906+ messages in thread
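
The length arithmetic described in the IB/isert commit message above, as a user-space model added here for illustration (not code from the patch or the driver). The function names are hypothetical, and MAX_KEY_VALUE_PAIRS = 8192 is an assumption taken from the 8192-byte login->req_buf the message mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISER_HEADERS_LEN (76) is the value given in the commit message.
 * MAX_KEY_VALUE_PAIRS = 8192 is an assumption, taken from the 8192-byte
 * login->req_buf the message mentions. */
#define ISER_HEADERS_LEN    76
#define MAX_KEY_VALUE_PAIRS 8192

/* Signed min(), as the commit message describes the driver's clamp. */
static int min_int(int a, int b)
{
	return a < b ? a : b;
}

/* Hypothetical model of the pre-fix path: the length that would reach
 * memcpy() for a login PDU of byte_len bytes. byte_len is assumed to fit
 * in an int, which holds for anything a posted receive buffer can deliver. */
static size_t copy_len_unpatched(uint32_t byte_len)
{
	int login_req_len = (int)byte_len - ISER_HEADERS_LEN; /* no lower bound */
	int rx_buflen = login_req_len;                        /* read back as int */
	int size = min_int(rx_buflen, MAX_KEY_VALUE_PAIRS);   /* negative survives */

	return (size_t)size; /* conversion to size_t turns -1 into SIZE_MAX */
}

/* Hypothetical model of the post-fix path: short PDUs are rejected before
 * the subtraction. Returns 0 and stores the copy length, or -1 on reject. */
static int copy_len_patched(uint32_t byte_len, size_t *len)
{
	if (byte_len < ISER_HEADERS_LEN)
		return -1;

	*len = (size_t)min_int((int)byte_len - ISER_HEADERS_LEN,
			       MAX_KEY_VALUE_PAIRS);
	return 0;
}

/* True when a copy of n bytes stays inside the 8192-byte request buffer. */
static int fits_req_buf(size_t n)
{
	return n <= MAX_KEY_VALUE_PAIRS;
}

int main(void)
{
	/* Constructed PDU sizes: empty, one byte short, exact header, normal,
	 * and larger than the buffer. */
	static const uint32_t sizes[] = { 0, 75, 76, 176, 9076 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		size_t before = copy_len_unpatched(sizes[i]);
		size_t after = 0;
		int rc = copy_len_patched(sizes[i], &after);

		printf("byte_len=%4u  unpatched copy=%zu (%s)  patched: ",
		       (unsigned)sizes[i], before,
		       fits_req_buf(before) ? "in bounds" : "OUT OF BOUNDS");
		if (rc)
			printf("rejected\n");
		else
			printf("copy=%zu\n", after);
	}
	return 0;
}
```

The upper clamp works in both versions (9076 bytes yields 8192); only inputs below 76 bytes separate them, which matches the commit message's statement that just the lower bound was missing.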

* [PATCH 7.0 209/378] USB: serial: option: add usb-id for Dell Wireless DW5826e-m
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 208/378] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 210/378] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jack Wu, Johan Hovold

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Wu <jackbb_wu@compal.com>

commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream.

Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=413c ProdID=81ea Rev= 5.04
S:  Manufacturer=DELL
S:  Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A
S:  SerialNumber=358988870177734
C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=88(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Jack Wu <jackbb_wu@compal.com>
Reviewed-by: Lars Melin <larsm17@gmail>
Cc: stable@vger.kernel.org
[ johan: reserve also interface 4 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -202,6 +202,7 @@ static void option_instat_callback(struc
 #define DELL_PRODUCT_5821E_ESIM			0x81e0
 #define DELL_PRODUCT_5829E_ESIM			0x81e4
 #define DELL_PRODUCT_5829E			0x81e6
+#define DELL_PRODUCT_5826E_ESIM			0x81ea
 
 #define DELL_PRODUCT_FM101R_ESIM		0x8213
 #define DELL_PRODUCT_FM101R			0x8215
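
Review bot: The new define is named DELL_PRODUCT_5826E_ESIM, but the subject line and the Product string in the commit message call the device DW5826e-m and never mention eSIM. Unless 0x81ea really is the eSIM variant, name it after the device (for example DELL_PRODUCT_5826E_M) so the ID table matches what the descriptor dump reports.
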
@@ -1123,6 +1124,8 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(0) | RSVD(6) },
 	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM),
 	  .driver_info = RSVD(0) | RSVD(6) },
+	{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff),
+	  .driver_info = RSVD(1) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) },
 	{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) },
 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) },	/* ADU-E100, ADU-310 */
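
Review bot: The `RSVD(1) | RSVD(4)` on the new entry has no trailing comment, unlike the ANYDATA line below it, which documents its devices. The descriptor dump in the commit message shows interface 1 bound to usbfs and interface 4 with no driver; a short comment naming what those two interfaces are would tell the next editor why they must stay reserved.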



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 293/522] pidfd: refuse access to tasks that have started exiting harder
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (291 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 292/522] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 294/522] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable)

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Brauner <brauner@kernel.org>

commit 62c4d31d78294bd61cf3403626b789e854357177 upstream.

The recent ptrace fix closed a hole where someone could rely on task->mm
becoming NULL during do_exit() to bypass dumpability checks. This api
here leans on the very same check and so inherits the fix.

But there is no good reason to let it succeed at all once the target has
entered do_exit(). PF_EXITING is set by exit_signals() at the very top
of do_exit(), before exit_mm() and exit_files() run. Once we observe it,
the task is committed to dying and exit_files() will release the fdtable
shortly.

Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/pid.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -672,10 +672,12 @@ static struct file *__pidfd_fget(struct
 	if (ret)
 		return ERR_PTR(ret);
 
-	if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
-		file = fget_task(task, fd);
-	else
+	if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
 		file = ERR_PTR(-EPERM);
+	else if (task->flags & PF_EXITING)
+		file = ERR_PTR(-ESRCH);
+	else
+		file = fget_task(task, fd);
 
 	up_read(&task->signal->exec_update_lock);
 
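
Review bot: The `task->flags & PF_EXITING` test is a snapshot: nothing in this hunk prevents the task from entering do_exit() right after the test and before fget_task() runs. If that window is harmless because the preceding ptrace_may_access() check still covers it, say so in a comment above the `else if`, along with why an exiting task gets -ESRCH rather than -EPERM; as written, the ordering of the three branches carries the whole argument.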



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 210/378] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 209/378] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 211/378] ALSA: timer: Forcibly close timer instances at closing Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Johan Hovold

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: HyeongJun An <sammiee5311@gmail.com>

commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream.

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
                           size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/kl5kusb105.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -330,8 +330,8 @@ static int klsi_105_prepare_write_buffer
 	unsigned char *buf = dest;
 	int count;
 
-	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
-								&port->lock);
+	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+				 size - KLSI_HDR_LEN, &port->lock);
 	put_unaligned_le16(count, buf);
 
 	return count + KLSI_HDR_LEN;
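
Review bot: `size - KLSI_HDR_LEN` assumes size is at least KLSI_HDR_LEN; if size is an unsigned type and a caller ever passes a smaller buffer, the subtraction wraps and the copy length becomes huge again. The commit message gives bulk_out_size as 64, so this does not happen today, but a guard (return 0 when size <= KLSI_HDR_LEN) or a comment stating the minimum would make the bound self-contained.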



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 294/522] fuse: reject fuse_notify() pagecache ops on directories
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (292 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 293/522] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 295/522] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, Miklos Szeredi,
	Christian Brauner (Amutable)

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.

The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
FUSE daemon to actively write/read pagecache contents.

For directories with FOPEN_CACHE_DIR, the pagecache is used as
kernel-internal cache storage, and userspace is not supposed to have
direct access to this cache - in particular, fuse_parse_cache() will hit
WARN_ON() if the cache contains bogus data.

Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
regular files with -EINVAL.

Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/dev.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1593,6 +1593,10 @@ static int fuse_notify_store(struct fuse
 	inode = fuse_ilookup(fc, nodeid,  NULL);
 	if (!inode)
 		goto out_up_killsb;
+	if (!S_ISREG(inode->i_mode)) {
+		err = -EINVAL;
+		goto out_iput;
+	}
 
 	mapping = inode->i_mapping;
 	index = outarg.offset >> PAGE_SHIFT;
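
Review bot: The `!S_ISREG(inode->i_mode)` test has no comment, and the reason for it (directory pagecache is kernel-internal under FOPEN_CACHE_DIR) exists only in the commit message. A one-line comment above the test would keep it from being relaxed to an S_ISDIR() test later, which is what the subject line suggests but not what the code does.
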
@@ -1764,7 +1768,10 @@ static int fuse_notify_retrieve(struct f
 
 	inode = fuse_ilookup(fc, nodeid, &fm);
 	if (inode) {
-		err = fuse_retrieve(fm, inode, &outarg);
+		if (!S_ISREG(inode->i_mode))
+			err = -EINVAL;
+		else
+			err = fuse_retrieve(fm, inode, &outarg);
 		iput(inode);
 	}
 	up_read(&fc->killsb);
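
Review bot: This is the same S_ISREG() test as in fuse_notify_store(), written a second time in a different shape (an if/else around the call instead of an early goto). A small shared helper, or at least the same comment on both, would keep the two notify paths from diverging when one of them is touched.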



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 211/378] ALSA: timer: Forcibly close timer instances at closing
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 210/378] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 212/378] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Takashi Iwai

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit da3039e91d1f835874ed6e9a33ea19ee80c2cb92 upstream.

When snd_timer object is freed via snd_timer_free() and still pending
snd_timer_instance objects are assigned to the timer object, it tries
to unlink all instances and just set NULL to each ti->timer, then
releases the resources immediately.  The problem is, however, when
there are slave timer instances that are associated with a master
instance linked to this timer: namely, those slave instances still
point to the freed timer object although the master instance is
unlinked, which may lead to use-after-free.  The bug can be easily
triggered particularly when the new userspace-driven timers
(CONFIG_SND_UTIMER) are involved, since they can create and delete the
timer object via a simple file open/close, while the other
applications may keep accessing that timer.

This patch is an attempt to paper over the problem above: now instead
of just unlinking, call snd_timer_close[_locked]() forcibly for each
pending timer instance, so that all assigned slave timer instances are
properly detached, too.  Since snd_timer_close() might be called later
by the driver that created that instance, the check of
SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.

Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Fixes: 37745918e0e7 ("ALSA: timer: Introduce virtual userspace-driven timers")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260606161145.1933447-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/timer.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -422,6 +422,8 @@ static void snd_timer_close_locked(struc
 
 	if (timer) {
 		guard(spinlock_irq)(&timer->lock);
+		if (timeri->flags & SNDRV_TIMER_IFLG_DEAD)
+			return; /* already closed */
 		timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
 	}
 
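
Review bot: The new SNDRV_TIMER_IFLG_DEAD test sits inside `if (timer)`, so it only short-circuits a second close while timeri->timer is still set. If a forced close from snd_timer_free() leaves the instance with a NULL timer, the driver's later snd_timer_close() skips this test and runs the rest of the function again; please confirm that path is idempotent, or say in a comment why the flag test cannot be needed when timer is NULL.
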
@@ -964,18 +966,18 @@ EXPORT_SYMBOL(snd_timer_new);
 
 static int snd_timer_free(struct snd_timer *timer)
 {
+	struct snd_timer_instance *ti, *n;
+
 	if (!timer)
 		return 0;
 
 	guard(mutex)(&register_mutex);
 	if (! list_empty(&timer->open_list_head)) {
-		struct list_head *p, *n;
-		struct snd_timer_instance *ti;
-		pr_warn("ALSA: timer %p is busy?\n", timer);
-		list_for_each_safe(p, n, &timer->open_list_head) {
-			list_del_init(p);
-			ti = list_entry(p, struct snd_timer_instance, open_list);
-			ti->timer = NULL;
+		list_for_each_entry_safe(ti, n, &timer->open_list_head, open_list) {
+			struct device *card_dev_to_put = NULL;
+
+			snd_timer_close_locked(ti, &card_dev_to_put);
+			put_device(card_dev_to_put);
 		}
 	}
 	list_del(&timer->device_list);
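
Review bot: put_device(card_dev_to_put) is called inside the loop while guard(mutex)(&register_mutex) is still in effect. The out-parameter on snd_timer_close_locked() suggests the put is meant to happen after the lock is dropped; if a final put can reach code that takes register_mutex, this will deadlock. Collect the devices and put them after the guarded section, or add a comment explaining why the put is safe here. The hunk also drops the pr_warn() about a busy timer without the commit message saying so.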



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 295/522] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (293 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 294/522] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 296/522] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Konrad Dybcio,
	Andi Shyti

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>

commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.

On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:

    % rmmod i2c-qcom-cci
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    <snip>
    Call trace:
    __wait_for_common+0x194/0x1a8 (P)
    wait_for_completion_timeout+0x20/0x2c
    cci_remove+0xc4/0x138 [i2c_qcom_cci]
    platform_remove+0x20/0x30
    device_remove+0x4c/0x80
    device_release_driver_internal+0x1c8/0x224
    driver_detach+0x50/0x98
    bus_remove_driver+0x6c/0xbc
    driver_unregister+0x30/0x60
    platform_driver_unregister+0x14/0x20
    qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
    ....

Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-qcom-cci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-qcom-cci.c
+++ b/drivers/i2c/busses/i2c-qcom-cci.c
@@ -684,8 +684,8 @@ static int cci_remove(struct platform_de
 		if (cci->master[i].cci) {
 			i2c_del_adapter(&cci->master[i].adap);
 			of_node_put(cci->master[i].adap.dev.of_node);
+			cci_halt(cci, i);
 		}
-		cci_halt(cci, i);
 	}
 
 	disable_irq(cci->irq);
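Review bot: the moved `cci_halt(cci, i)` now depends on `cci->master[i].cci` being non-NULL exactly when that master's completion was initialized, and nothing in cci_remove() says so. A one-line comment on the `if (cci->master[i].cci)` check stating that uninitialized masters must be skipped would keep a later cleanup from hoisting the call back out of the block.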




* [PATCH 7.0 212/378] ALSA: timer: Fix UAF at snd_timer_user_params()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 211/378] ALSA: timer: Forcibly close timer instances at closing Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 213/378] io_uring/wait: fix min_timeout behavior Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Takashi Iwai

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream.

At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races.  But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround.  It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.

Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/timer.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1791,6 +1791,7 @@ static int snd_timer_user_params(struct
 	struct snd_timer *t;
 	int err;
 
+	guard(mutex)(&register_mutex);
 	tu = file->private_data;
 	if (!tu->timeri)
 		return -EBADFD;
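Review bot: `guard(mutex)(&register_mutex)` at the top of snd_timer_user_params() is added without a comment, and it covers the whole function rather than only the accesses that race with snd_timer_free(). Since the commit message calls this a quick workaround, a short comment saying that the mutex protects `tu->timeri` and its timer against concurrent release would tell the next reader why a params ioctl takes the registration lock. It is also worth checking that nothing later in the function tries to take register_mutex again.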




* [PATCH 6.1 296/522] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (294 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 295/522] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 297/522] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Guillermo Rodríguez,
	Alain Volmat, Andi Shyti

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guillermo Rodríguez <guille.rodriguez@gmail.com>

commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream.

stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick
the analog filter delay, but i2c_dev->analog_filter is parsed from
the "i2c-analog-filter" DT property only after the compute_timing
loop in stm32f7_i2c_setup_timing(), so in practice the timing
calculations always ignore the analog filter. On an STM32MP1 board
with clock-frequency = <400000> and i2c-analog-filter set, measured
SCL frequency was ~382 kHz.

This also affects (widens) the computed SDADEL range. At high bus
clock speeds, this can select an SDADEL value that violates tVD;DAT
(data valid time).

Fix by parsing "i2c-analog-filter" before the compute_timing loop.

Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter")
Signed-off-by: Guillermo Rodríguez <guille.rodriguez@gmail.com>
Cc: <stable@vger.kernel.org> # v5.13+
Acked-by: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-stm32f7.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -679,6 +679,9 @@ static int stm32f7_i2c_setup_timing(stru
 	if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter"))
 		i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT;
 
+	i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
+						       "i2c-analog-filter");
+
 	do {
 		ret = stm32f7_i2c_compute_timing(i2c_dev, setup,
 						 &i2c_dev->timing);
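Review bot: the relocated `i2c_dev->analog_filter = of_property_read_bool(...)` assignment has an ordering requirement against the `do { ... stm32f7_i2c_compute_timing(...) }` loop that is not documented at its new location. Add a comment that stm32f7_i2c_compute_timing() reads `analog_filter`, so the property must be parsed before the loop; otherwise a later tidy-up can move it back and reintroduce the bug without any build or runtime warning.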
@@ -700,9 +703,6 @@ static int stm32f7_i2c_setup_timing(stru
 		return ret;
 	}
 
-	i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
-						       "i2c-analog-filter");
-
 	dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n",
 		setup->speed_freq, setup->clock_src);
 	dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n",




* [PATCH 7.0 213/378] io_uring/wait: fix min_timeout behavior
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 212/378] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 214/378] io_uring/kbuf: dont truncate end buffer for bundles Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tip ten Brink, Christian A. Ehrhardt,
	Jens Axboe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian A. Ehrhardt <lk@c--e.de>

commit 29fe1bd01b99714f3136f922230a643c2742cda9 upstream.

The wakeup condition if a min timeout is present and has expired is that
at least _one_ CQE was posted. Thus set the cq_tail target to
->cq_min_tail + 1. Without this commit a spurious wakeup can result in a
premature wakeup because io_should_wake() will return true even if _no_
CQE was posted at all.

Cc: Tip ten Brink <tip@tenbrinkmeijs.com>
Fixes: e15cb2200b93 ("io_uring: fix min_wait wakeups for SQPOLL")
Cc: stable@vger.kernel.org
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Link: https://patch.msgid.link/20260606201120.1441447-1-lk@c--e.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/wait.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/io_uring/wait.c
+++ b/io_uring/wait.c
@@ -102,7 +102,7 @@ static enum hrtimer_restart io_cqring_mi
 	}
 
 	/* any generated CQE posted past this time should wake us up */
-	iowq->cq_tail = iowq->cq_min_tail;
+	iowq->cq_tail = iowq->cq_min_tail + 1;
 
 	hrtimer_update_function(&iowq->t, io_cqring_timer_wakeup);
 	hrtimer_set_expires(timer, iowq->timeout);
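Review bot: the comment above `iowq->cq_tail = iowq->cq_min_tail + 1;` still reads "any generated CQE posted past this time should wake us up" and does not explain the `+ 1`. Reword it to state that the target is at least one CQE beyond `cq_min_tail`, so that a wakeup with no new CQE does not satisfy the wait, which is the behaviour the commit message describes.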




* [PATCH 6.1 297/522] i2c: tegra: Fix NOIRQ suspend/resume
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (295 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 296/522] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 298/522] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil R, Jon Hunter, Andi Shyti

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Akhil R <akhilrajeev@nvidia.com>

commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream.

The Tegra I2C driver relies on runtime PM to wake up the controller before
each transfer. However, runtime PM is disabled between the system suspend
and NOIRQ suspend. If an I2C device initiates a transfer during this
window, the I2C controller fails to wake up and the transfer fails. To
handle this, the controller must be kept available for this period to
allow transfers.

Rework the I2C controller's system PM callbacks such that the controller
is resumed from runtime suspend during system suspend and it stays
RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
suspended back in the system resume. The clocks are disabled in NOIRQ
suspend and enabled back in NOIRQ resume by calling the controller's
runtime PM functions directly.

Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
Assisted-by: Cursor:claude-4.6-opus
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Cc: <stable@vger.kernel.org> # v5.4+
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-tegra.c |   53 +++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 23 deletions(-)

--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1918,28 +1918,37 @@ static int __maybe_unused tegra_i2c_runt
 
 static int __maybe_unused tegra_i2c_suspend(struct device *dev)
 {
+	/*
+	 * Bring the controller up and hold a usage count so it stays
+	 * available until the noirq phase.
+	 */
+	return pm_runtime_resume_and_get(dev);
+}
+
+static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev)
+{
 	struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
-	int err;
 
 	i2c_mark_adapter_suspended(&i2c_dev->adapter);
 
-	if (!pm_runtime_status_suspended(dev)) {
-		err = tegra_i2c_runtime_suspend(dev);
-		if (err)
-			return err;
-	}
-
-	return 0;
+	/*
+	 * Runtime PM is already disabled at this point, so invoke the
+	 * runtime_suspend callback directly to put the controller down.
+	 */
+	return tegra_i2c_runtime_suspend(dev);
 }
 
-static int __maybe_unused tegra_i2c_resume(struct device *dev)
+static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev)
 {
 	struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
 	int err;
 
 	/*
-	 * We need to ensure that clocks are enabled so that registers can be
-	 * restored in tegra_i2c_init().
+	 * Runtime PM is still disabled at this point, so invoke the
+	 * runtime_resume callback directly to bring the controller back up
+	 * before re-initializing the hardware. The adapter is then marked
+	 * resumed so that consumers can issue transfers from their own
+	 * resume_noirq() handlers and onwards.
 	 */
 	err = tegra_i2c_runtime_resume(dev);
 	if (err)
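Review bot: in tegra_i2c_suspend_noirq(), `i2c_mark_adapter_suspended()` is called before `tegra_i2c_runtime_suspend(dev)`, and the error from the latter is returned without undoing the mark. If the runtime-suspend callback fails and the suspend is aborted, the adapter stays flagged as suspended; consider calling `i2c_mark_adapter_resumed()` on that error path.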
@@ -1949,24 +1958,22 @@ static int __maybe_unused tegra_i2c_resu
 	if (err)
 		return err;
 
-	/*
-	 * In case we are runtime suspended, disable clocks again so that we
-	 * don't unbalance the clock reference counts during the next runtime
-	 * resume transition.
-	 */
-	if (pm_runtime_status_suspended(dev)) {
-		err = tegra_i2c_runtime_suspend(dev);
-		if (err)
-			return err;
-	}
-
 	i2c_mark_adapter_resumed(&i2c_dev->adapter);
 
 	return 0;
 }
 
+static int __maybe_unused tegra_i2c_resume(struct device *dev)
+{
+	pm_runtime_put(dev);
+
+	return 0;
+}
+
 static const struct dev_pm_ops tegra_i2c_pm = {
-	SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
+	SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
+	SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq,
+				      tegra_i2c_resume_noirq)
 	SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume,
 			   NULL)
 };
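Review bot: the new tegra_i2c_resume() is a bare `pm_runtime_put(dev)` with no comment, while the matching `pm_runtime_resume_and_get()` in tegra_i2c_suspend() is explained. Add a line saying that this drops the usage count taken in tegra_i2c_suspend(), so the pairing across the two callbacks is visible to anyone who changes either one.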




* [PATCH 7.0 214/378] io_uring/kbuf: dont truncate end buffer for bundles
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 213/378] io_uring/wait: fix min_timeout behavior Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 215/378] io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Federico Brasili, Jens Axboe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit 70f4886bcbb929e88038c8807f1daf7fc587ae7c upstream.

If buffers have been peeked for a bundle receive, the kernel will
truncate the end buffer, if the available length is shorter than the
buffer itself. This is unnecessary, as applications iterating bundle
receives must always use the minimum size of the buffer length and the
remaining number of bytes in the bundle. The examples in liburing do
that as well, eg examples/proxy.c.

If the kernel does truncate this buffer AND the current transfer fails,
then the buffer will be left with a smaller size than what is otherwise
available.

Just remove the buffer truncation, as it's not necessary in the first
place.

Link: https://lore.kernel.org/io-uring/CAAEr8jbY60noGj1fw_k91UJRBkyiRVoS6=nLhZ7Svwidjn4CAA@mail.gmail.com/
Reported-by: Federico Brasili <federico.brasili@gmail.com>
Cc: stable@vger.kernel.org
Fixes: 35c8711c8fc4 ("io_uring/kbuf: add helpers for getting/peeking multiple buffers")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/kbuf.c |    1 -
 1 file changed, 1 deletion(-)

--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -305,7 +305,6 @@ static int io_ring_buffers_peek(struct i
 				arg->partial_map = 1;
 				if (iov != arg->iovs)
 					break;
-				WRITE_ONCE(buf->len, len);
 			}
 		}
 
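Review bot: after dropping `WRITE_ONCE(buf->len, len)`, the branch that sets `arg->partial_map = 1` no longer touches the ring entry, and the code gives no hint that this is deliberate. A comment there saying that `buf->len` is intentionally left unmodified, and that userspace clamps to the bytes remaining in the bundle, would stop the truncation from being reintroduced.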




* [PATCH 6.1 298/522] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (296 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 297/522] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 299/522] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeyu WANG, Dmitry Torokhov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zeyu WANG <zeyu.thomas.wang@gmail.com>

commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.

The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
after the standard atkbd init sequence. Controlled testing on the
actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
command specifically corrupts the EC state, causing zero IRQ1
interrupts after init.

Skipping only the deactivate command (while keeping F4 ENABLE)
resolves the issue completely: both keystroke input and CapsLock
LED toggle work correctly. The reverse test - skipping only F4
while keeping F5 - makes the problem worse (zero keystroke
interrupts), confirming F5 is the sole culprit.

Add a DMI quirk entry for LENOVO/83QK using the existing
atkbd_deactivate_fixup callback, consistent with the existing
entries for LG Electronics and HONOR FMB-P that address the
same EC F5 deactivate issue.

Signed-off-by: Zeyu WANG <zeyu.thomas.wang@gmail.com>
Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/keyboard/atkbd.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1924,6 +1924,14 @@ static const struct dmi_system_id atkbd_
 		},
 		.callback = atkbd_deactivate_fixup,
 	},
+	{
+		/* Lenovo Yoga Air 14 (83QK) */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
+		},
+		.callback = atkbd_deactivate_fixup,
+	},
 	{ }
 };
 
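Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "83QK")` is a substring match, so the new entry also applies to any product name that merely contains "83QK". If the quirk is meant for this exact product name, `DMI_EXACT_MATCH` would be tighter; if the substring match is intentional to cover suffixed variants, say so in the `/* Lenovo Yoga Air 14 (83QK) */` comment.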




* [PATCH 7.0 215/378] io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 214/378] io_uring/kbuf: dont truncate end buffer for bundles Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 216/378] drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Clément Léger, Jens Axboe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clément Léger <cleger@meta.com>

commit ed46f39c47eb5530a9c161481a2080d3a869cfaf upstream.

When a bundle recv retries inside io_recv_finish(), the merge logic ORs
the saved cflags from the previous iteration with the cflags returned by
the new iteration:
  cflags = req->cqe.flags | (cflags & CQE_F_MASK);

Bits listed in CQE_F_MASK are inherited from the new iteration, and all
other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the
saved cflags. Before this change CQE_F_MASK covered only
IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.

When using provided buffer rings (IOU_PBUF_RING_INC) with incremental
mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring
entry partially consumed, __io_put_kbufs() then sets
IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the
buffer ID will be reused for subsequent completions.

Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above
silently dropped it whenever the final retry iteration partially
consumed the buffer, and the subsequent req->cqe.flags = cflags &
~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the
carried-over cflags had one been present. Userspace would then
wrongfully advance its ring head past an entry the kernel still uses.

Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the
new iteration into the user-visible CQE and stripped from the saved
cflags between iterations.

Cc: stable@vger.kernel.org
Signed-off-by: Clément Léger <cleger@meta.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
Link: https://patch.msgid.link/20260604160715.2482972-1-cleger@meta.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/net.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -838,7 +838,8 @@ int io_recvmsg_prep(struct io_kiocb *req
 }
 
 /* bits to clear in old and inherit in new cflags on bundle retry */
-#define CQE_F_MASK	(IORING_CQE_F_SOCK_NONEMPTY|IORING_CQE_F_MORE)
+#define CQE_F_MASK	(IORING_CQE_F_SOCK_NONEMPTY|IORING_CQE_F_MORE|\
+			 IORING_CQE_F_BUF_MORE)
 
 /*
  * Finishes io_recv and io_recvmsg.
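Review bot: the comment above `CQE_F_MASK` ("bits to clear in old and inherit in new cflags on bundle retry") does not say why `IORING_CQE_F_BUF_MORE` belongs in the set. Since the macro is used both to strip the saved cflags and to pick bits from the new iteration, a sentence noting that BUF_MORE describes the buffer state after the latest iteration only would document the rule for the next flag that gets added.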



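The merge rule quoted in the commit message above, modelled in user space as an added example (not code from the patch or the kernel tree). The helper names, the buffer ID 7 and the per-iteration flag sets are constructed for illustration; the flag bit values are the ones defined in include/uapi/linux/io_uring.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CQE flag bits, same values as include/uapi/linux/io_uring.h */
#define IORING_CQE_F_BUFFER        (1U << 0)
#define IORING_CQE_F_MORE          (1U << 1)
#define IORING_CQE_F_SOCK_NONEMPTY (1U << 2)
#define IORING_CQE_F_BUF_MORE      (1U << 4)
#define IORING_CQE_BUFFER_SHIFT    16

/* CQE_F_MASK as it was before the patch and as it is after it */
#define CQE_F_MASK_OLD (IORING_CQE_F_SOCK_NONEMPTY | IORING_CQE_F_MORE)
#define CQE_F_MASK_NEW (CQE_F_MASK_OLD | IORING_CQE_F_BUF_MORE)

/* Constructed buffer ID used by both scenarios */
#define DEMO_BID (7U << IORING_CQE_BUFFER_SHIFT)

/*
 * Hypothetical model of the two statements from the commit message:
 *   merge: cflags = req->cqe.flags | (cflags & CQE_F_MASK);
 *   save:  req->cqe.flags = cflags & ~CQE_F_MASK;
 * iter[i] is the cflags value produced by retry iteration i; the return
 * value is what userspace would see in the final CQE.
 */
static uint32_t merge_bundle_cflags(uint32_t mask, const uint32_t *iter, size_t n)
{
	uint32_t saved = 0, cflags = 0;

	for (size_t i = 0; i < n; i++) {
		cflags = iter[i];
		if (i > 0)                      /* retry: merge with saved flags */
			cflags = saved | (cflags & mask);
		if (i + 1 < n)                  /* another retry follows: save */
			saved = cflags & ~mask;
	}
	return cflags;
}

/* Final iteration leaves the buffer partially consumed (BUF_MORE set last). */
static uint32_t scenario_dropped(uint32_t mask)
{
	const uint32_t iter[] = {
		IORING_CQE_F_BUFFER | DEMO_BID | IORING_CQE_F_SOCK_NONEMPTY,
		IORING_CQE_F_BUFFER | DEMO_BID | IORING_CQE_F_BUF_MORE,
	};
	return merge_bundle_cflags(mask, iter, 2);
}

/* First iteration sets BUF_MORE, the final one fully consumes the buffer. */
static uint32_t scenario_stale(uint32_t mask)
{
	const uint32_t iter[] = {
		IORING_CQE_F_BUFFER | DEMO_BID | IORING_CQE_F_BUF_MORE,
		IORING_CQE_F_BUFFER | DEMO_BID,
	};
	return merge_bundle_cflags(mask, iter, 2);
}

int main(void)
{
	printf("dropped: old=0x%x new=0x%x\n",
	       (unsigned)scenario_dropped(CQE_F_MASK_OLD),
	       (unsigned)scenario_dropped(CQE_F_MASK_NEW));
	printf("stale:   old=0x%x new=0x%x\n",
	       (unsigned)scenario_stale(CQE_F_MASK_OLD),
	       (unsigned)scenario_stale(CQE_F_MASK_NEW));
	return 0;
}
```

With the old mask the first scenario loses BUF_MORE and the second carries a stale one; with the new mask the final CQE reflects only the last iteration's BUF_MORE state while the buffer ID is preserved.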

* [PATCH 6.1 299/522] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (297 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 298/522] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 300/522] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hongfei Ren, stable,
	Cryolitia PukNgae, Dmitry Torokhov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>

commit fb402386af4cdce108ff991a796386de55439735 upstream.

After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
working. Adding the atkbd_deactivate_fixup quirk fixes it.

DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026

Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
Reported-by: Hongfei Ren <lcrhf@outlook.com>
Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
Tested-by: Hongfei Ren <lcrhf@outlook.com>
Cc: stable@kernel.org
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/keyboard/atkbd.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1932,6 +1932,13 @@ static const struct dmi_system_id atkbd_
 		},
 		.callback = atkbd_deactivate_fixup,
 	},
+	{
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
+		},
+		.callback = atkbd_deactivate_fixup,
+	},
 	{ }
 };
 
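Review bot: the new HONOR entry has no comment identifying the machine, and `DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N")` matches any product name containing that string. Add a comment naming the model from the commit message (HONOR MagicBook 14 2026, BCC-N) and consider `DMI_EXACT_MATCH` if no other product whose name contains "BCC-N" should inherit the quirk.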




* [PATCH 7.0 216/378] drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 215/378] io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 217/378] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Dmitry Osipenko

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

commit 3f26bb732cc136ab20176697c92f32c9c84cb125 upstream.

dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first()
which does cursor->chain = dma_fence_get(head), taking an extra
reference. On normal loop completion, dma_fence_unwrap_next()
releases this via dma_fence_chain_walk() -> dma_fence_put().

When virtio_gpu_do_fence_wait() fails and the function returns early
from inside the loop, the cursor->chain reference is never released.
This is the only caller in the entire kernel that does an early return
inside dma_fence_unwrap_for_each.

Add dma_fence_put(itr.chain) before the early return.

Cc: stable@vger.kernel.org
Fixes: eba57fb5498f ("drm/virtio: Wait for each dma-fence of in-fence array individually")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patch.msgid.link/20260607090303.92423-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/virtio/virtgpu_submit.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/virtio/virtgpu_submit.c
+++ b/drivers/gpu/drm/virtio/virtgpu_submit.c
@@ -65,8 +65,10 @@ static int virtio_gpu_dma_fence_wait(str
 
 	dma_fence_unwrap_for_each(f, &itr, fence) {
 		err = virtio_gpu_do_fence_wait(submit, f);
-		if (err)
+		if (err) {
+			dma_fence_put(itr.chain);
 			return err;
+		}
 	}
 
 	return 0;
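Review bot: `dma_fence_put(itr.chain)` in the error branch reaches into the iterator's internal `chain` field from the caller, and nothing at the call site explains why. Add a comment that an early exit from `dma_fence_unwrap_for_each()` must drop the reference the cursor holds, or wrap the put in a small helper next to the iterator so other callers that return early do not have to rediscover it.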




* [PATCH 6.1 300/522] ipc/shm: serialize orphan cleanup with shm_nattch updates
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (298 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 299/522] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 301/522] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Xin Liu, Yilin Zhu, Ren Wei, Christian Brauner, Jeongjun Park,
	Kees Cook, Liam Howlett, Lorenzo Stoakes, Serge Hallyn,
	Vasiliy Kulikov, Davidlohr Bueso, Oleg Nesterov, Serge Hallyn,
	Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yilin Zhu <zylzyl2333@gmail.com>

commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.

shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
does not serialize all fields tested by shm_may_destroy().  In particular,
shm_nattch is updated while holding shm_perm.lock, and attach paths can do
that without holding the rwsem.

Do not decide that an orphaned segment is unused before taking the object
lock.  Move the shm_may_destroy() check under shm_perm.lock, matching the
other destroy paths, and unlock the segment when it no longer qualifies
for removal.

Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jeongjun Park <aha310510@gmail.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Liam Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Serge Hallyn <sergeh@kernel.org>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 ipc/shm.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -415,15 +415,17 @@ static int shm_try_destroy_orphaned(int
 	 * We want to destroy segments without users and with already
 	 * exit'ed originating process.
 	 *
-	 * As shp->* are changed under rwsem, it's safe to skip shp locking.
+	 * shm_nattch can be changed under shm_perm.lock without holding the
+	 * rwsem, so take the object lock before checking shm_may_destroy().
 	 */
 	if (!list_empty(&shp->shm_clist))
 		return 0;
 
-	if (shm_may_destroy(shp)) {
-		shm_lock_by_ptr(shp);
+	shm_lock_by_ptr(shp);
+	if (shm_may_destroy(shp))
 		shm_destroy(ns, shp);
-	}
+	else
+		shm_unlock(shp);
 	return 0;
 }
 
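Review bot: `list_empty(&shp->shm_clist)` is still evaluated before `shm_lock_by_ptr(shp)`, while the updated comment only covers `shm_nattch`. If `shm_clist` can also change without the rwsem, this check has the same problem as the one being fixed and should move under the object lock too; if it cannot, extend the comment to say why the unlocked test is safe.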




* [PATCH 7.0 217/378] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 216/378] drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 218/378] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit 49c3da65961fe9857c831d47fa1989084e87514a upstream.

[Why & How]
gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table.
If the value is >= 32, the expression "1 << gpio_bitshift" triggers
undefined behaviour in C (shift count exceeds type width). On x86 the
shift is silently masked to 5 bits, producing an incorrect GPIO mask
that may cause wrong MMIO register bits to be toggled.

Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for
out-of-range values.

Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -700,8 +700,10 @@ static enum bp_result bios_parser_get_gp
 		info->offset_en = info->offset + 1;
 		info->offset_mask = info->offset - 1;
 
-		info->mask = (uint32_t) (1 <<
-			header->gpio_pin[i].gpio_bitshift);
+		if (header->gpio_pin[i].gpio_bitshift >= 32)
+			return BP_RESULT_BADBIOSTABLE;
+
+		info->mask = 1u << header->gpio_pin[i].gpio_bitshift;
 		info->mask_y = info->mask + 2;
 		info->mask_en = info->mask + 1;
 		info->mask_mask = info->mask - 1;
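Review bot: the new range check returns BP_RESULT_BADBIOSTABLE after
info->offset_en and info->offset_mask (the context lines just above it)
have already been written, so a caller that ignores the result is left with
a half-filled info. Consider hoisting
"if (header->gpio_pin[i].gpio_bitshift >= 32)" above the first store into
info, and replacing the literal 32 with the bit width of info->mask (a
named constant or BITS_PER_TYPE(info->mask)) so the bound follows the
field's type.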




* [PATCH 6.1 301/522] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (299 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 300/522] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 302/522] misc: fastrpc: fix use-after-free race in fastrpc_map_create Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Anandu Krishnan E,
	Srinivas Kandagatla

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>

commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream.

There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:

 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
    to strip the SID bits from the stored IOVA before passing the
    physical address to dma_free_coherent().

 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
    reconstruct the source permission bitmask needed for the
    qcom_scm_assign_mem() call that returns memory from the DSP VM
    back to HLOS.

 3. fastrpc_free_map() acquires map->fl->lock to safely remove the
    map node from the fl->maps list.

The resulting use-after-free manifests as:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |   75 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 23 deletions(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -287,6 +287,8 @@ struct fastrpc_user {
 	spinlock_t lock;
 	/* lock for allocations */
 	struct mutex mutex;
+	/* Reference count */
+	struct kref refcount;
 };
 
 static void fastrpc_free_map(struct kref *ref)
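Review bot: the comment on the new field, "/* Reference count */", restates
the type and does not say who holds references. The rest of this patch
takes one reference at open and one per invoke context; writing that rule
next to the field (one ref for the open file, one per fastrpc_invoke_ctx,
last put runs fastrpc_user_free()) would make the lifetime discoverable
from the struct definition.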
@@ -430,15 +432,57 @@ static void fastrpc_channel_ctx_put(stru
 	kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
 }
 
+static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
+
+static void fastrpc_user_free(struct kref *ref)
+{
+	struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
+	struct fastrpc_invoke_ctx *ctx, *n;
+	struct fastrpc_map *map, *m;
+	struct fastrpc_buf *buf, *b;
+
+	if (fl->init_mem)
+		fastrpc_buf_free(fl->init_mem);
+
+	list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+		list_del(&ctx->node);
+		fastrpc_context_put(ctx);
+	}
+
+	list_for_each_entry_safe(map, m, &fl->maps, node)
+		fastrpc_map_put(map);
+
+	list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+		list_del(&buf->node);
+		fastrpc_buf_free(buf);
+	}
+
+	fastrpc_channel_ctx_put(fl->cctx);
+	mutex_destroy(&fl->mutex);
+	kfree(fl);
+}
+
+static void fastrpc_user_get(struct fastrpc_user *fl)
+{
+	kref_get(&fl->refcount);
+}
+
+static void fastrpc_user_put(struct fastrpc_user *fl)
+{
+	kref_put(&fl->refcount, fastrpc_user_free);
+}
+
 static void fastrpc_context_free(struct kref *ref)
 {
 	struct fastrpc_invoke_ctx *ctx;
 	struct fastrpc_channel_ctx *cctx;
+	struct fastrpc_user *fl;
 	unsigned long flags;
 	int i;
 
 	ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount);
 	cctx = ctx->cctx;
+	fl = ctx->fl;
 
 	for (i = 0; i < ctx->nbufs; i++)
 		fastrpc_map_put(ctx->maps[i]);
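Review bot: the list_for_each_entry_safe() walk over fl->pending in
fastrpc_user_free() looks unable to find anything. Per the later hunks,
every context takes a reference on fl in fastrpc_context_alloc() and drops
it only in fastrpc_context_free(), so this release callback cannot run
while a context is still alive on that list. If contexts can remain on
fl->pending after the file is closed, they would now keep fl (and
themselves) alive instead of being put at close, as the code removed from
fastrpc_device_release() did. Either keep the pending-list drain in
fastrpc_device_release() before the final fastrpc_user_put(), or add a
comment explaining how the list can be non-empty here.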
@@ -454,6 +498,8 @@ static void fastrpc_context_free(struct
 	kfree(ctx->olaps);
 	kfree(ctx);
 
+	/* Release the reference taken in fastrpc_context_alloc() */
+	fastrpc_user_put(fl);
 	fastrpc_channel_ctx_put(cctx);
 }
 
@@ -563,6 +609,8 @@ static struct fastrpc_invoke_ctx *fastrp
 
 	/* Released in fastrpc_context_put() */
 	fastrpc_channel_ctx_get(cctx);
+	/* Take a reference to user, released in fastrpc_context_free() */
+	fastrpc_user_get(user);
 
 	ctx->sc = sc;
 	ctx->retval = -1;
@@ -593,6 +641,7 @@ err_idr:
 	spin_lock(&user->lock);
 	list_del(&ctx->node);
 	spin_unlock(&user->lock);
+	fastrpc_user_put(user);
 	fastrpc_channel_ctx_put(cctx);
 	kfree(ctx->maps);
 	kfree(ctx->olaps);
@@ -1352,9 +1401,6 @@ static int fastrpc_device_release(struct
 {
 	struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
 	struct fastrpc_channel_ctx *cctx = fl->cctx;
-	struct fastrpc_invoke_ctx *ctx, *n;
-	struct fastrpc_map *map, *m;
-	struct fastrpc_buf *buf, *b;
 	unsigned long flags;
 
 	fastrpc_release_current_dsp_process(fl);
@@ -1363,28 +1409,10 @@ static int fastrpc_device_release(struct
 	list_del(&fl->user);
 	spin_unlock_irqrestore(&cctx->lock, flags);
 
-	if (fl->init_mem)
-		fastrpc_buf_free(fl->init_mem);
-
-	list_for_each_entry_safe(ctx, n, &fl->pending, node) {
-		list_del(&ctx->node);
-		fastrpc_context_put(ctx);
-	}
-
-	list_for_each_entry_safe(map, m, &fl->maps, node)
-		fastrpc_map_put(map);
-
-	list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
-		list_del(&buf->node);
-		fastrpc_buf_free(buf);
-	}
-
 	fastrpc_session_free(cctx, fl->sctx);
-	fastrpc_channel_ctx_put(cctx);
-
-	mutex_destroy(&fl->mutex);
-	kfree(fl);
 	file->private_data = NULL;
+	/* Release the reference taken in fastrpc_device_open */
+	fastrpc_user_put(fl);
 
 	return 0;
 }
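Review bot: fastrpc_session_free(cctx, fl->sctx) still runs at file close,
while the buffer and map teardown that used to precede it is now deferred
to fastrpc_user_free(), which can run later from the workqueue. fl->sctx is
left pointing at the released session, so please confirm that none of the
deferred paths (fastrpc_buf_free(), fastrpc_map_put()) reach the session
through fl, or move the session release into fastrpc_user_free() as well.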
@@ -1429,6 +1457,7 @@ static int fastrpc_device_open(struct in
 	spin_lock_irqsave(&cctx->lock, flags);
 	list_add_tail(&fl->user, &cctx->users);
 	spin_unlock_irqrestore(&cctx->lock, flags);
+	kref_init(&fl->refcount);
 
 	return 0;
 }
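Review bot: kref_init(&fl->refcount) is placed after
list_add_tail(&fl->user, &cctx->users) and after cctx->lock has been
dropped, so fl is reachable through cctx->users with an uninitialized
refcount for a short window. Initialize the refcount before the
spin_lock_irqsave() that publishes the object.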




* [PATCH 7.0 218/378] mm/huge_memory: update file PMD counter before folio_put()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 217/378] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 219/378] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yin Tirui, Lorenzo Stoakes,
	David Hildenbrand (arm), Lance Yang, Dev Jain, Baolin Wang,
	Barry Song, Chen Jun, Kefeng Wang, Liam R. Howlett, Nico Pache,
	Ryan Roberts, Vlastimil Babka, Yang Shi, Zi Yan, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yin Tirui <yintirui@huawei.com>

commit 8d878059924f12c1bc24556a92ec56add74de3c8 upstream.

__split_huge_pmd_locked() updates the file/shmem RSS counter after
dropping the PMD mapping's folio reference.  If folio_put() drops the last
reference, mm_counter_file() can later read freed folio state via
folio_test_swapbacked().

Move the counter update before folio_put().

Link: https://lore.kernel.org/20260526101337.1984081-1-yintirui@huawei.com
Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
Signed-off-by: Yin Tirui <yintirui@huawei.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (arm) <david@kernel.org>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Chen Jun <chenjun102@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Yang Shi <yang.shi@linux.alibaba.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/huge_memory.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3031,7 +3031,9 @@ static void __split_huge_pmd_locked(stru
 			if (!folio_test_referenced(folio) && pmd_young(old_pmd))
 				folio_set_referenced(folio);
 			folio_remove_rmap_pmd(folio, page, vma);
+			add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
 			folio_put(folio);
+			return;
 		}
 		add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
 		return;
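Review bot: after this change
add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR) appears twice,
once before folio_put() inside the block and once after the closing brace,
and nothing in the code says why. A one-line comment above the first call,
noting that mm_counter_file() reads the folio and therefore must run before
the reference is dropped, would stop a later cleanup from merging the two
calls back below folio_put().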




* [PATCH 6.1 302/522] misc: fastrpc: fix use-after-free race in fastrpc_map_create
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (300 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 301/522] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 303/522] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Srinivas Kandagatla

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

commit 07ebe87915d8accdaba20c4f88c5ae430fe62fbb upstream.

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.

Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")
Cc: stable@vger.kernel.org
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |   25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -344,7 +344,7 @@ static int fastrpc_map_get(struct fastrp
 
 
 static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
-			    struct fastrpc_map **ppmap)
+			    struct fastrpc_map **ppmap, bool take_ref)
 {
 	struct fastrpc_map *map = NULL;
 	struct dma_buf *buf;
@@ -359,6 +359,12 @@ static int fastrpc_map_lookup(struct fas
 		if (map->fd != fd || map->buf != buf)
 			continue;
 
+		if (take_ref) {
+			ret = fastrpc_map_get(map);
+			if (ret)
+				break;
+		}
+
 		*ppmap = map;
 		ret = 0;
 		break;
@@ -830,19 +836,10 @@ get_err:
 static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
 			      u64 len, u32 attr, struct fastrpc_map **ppmap)
 {
-	struct fastrpc_session_ctx *sess = fl->sctx;
-	int err = 0;
+	if (!fastrpc_map_lookup(fl, fd, ppmap, true))
+		return 0;
 
-	if (!fastrpc_map_lookup(fl, fd, ppmap)) {
-		if (!fastrpc_map_get(*ppmap))
-			return 0;
-		dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
-			__func__, fd);
-	}
-
-	err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
-
-	return err;
+	return fastrpc_map_attach(fl, fd, len, attr, ppmap);
 }
 
 /*
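Review bot: the rewritten fastrpc_map_create() drops the dev_dbg() that
reported a failed fastrpc_map_get() on an existing entry, so the case where
a matching map is found but its reference can no longer be taken now falls
through to fastrpc_map_attach() silently. If that fallback is intended, a
short comment saying so, or the debug message moved into
fastrpc_map_lookup() under take_ref, would preserve the diagnostic.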
@@ -1109,7 +1106,7 @@ cleanup_fdlist:
 	for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
 		if (!fdlist[i])
 			break;
-		if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
+		if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
 			fastrpc_map_put(mmap);
 	}
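Review bot: the cleanup_fdlist call site passes take_ref = false and then
calls fastrpc_map_put(mmap) on the pointer returned by
fastrpc_map_lookup(), which is the pattern the commit message describes as
unsafe: the pointer is used after fl->lock has been released. Please state
what keeps the map alive across that window here, or do the put while
fl->lock is still held.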
 




* [PATCH 7.0 219/378] mm/damon/ops-common: call folio_test_lru() after folio_get()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 218/378] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 220/378] mm/huge_memory: update file PUD counter before folio_put() Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SeongJae Park, Fernand Sieber,
	Leonard Foerster, Shakeel Butt, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef upstream.

damon_get_folio() speculatively calls folio_test_lru() before
folio_try_get().  The folio can get freed and reallocated to a tail page.
In that case, VM_BUG_ON_PGFLAGS() in const_folio_flags() can be triggered.
Remove the speculative call.

Also mark the folio_test_lru() check right after folio_try_get() success as
no longer unlikely.

The race should be rare.  Also the problem can happen only if the kernel
has enabled CONFIG_DEBUG_VM_PGFLAGS.  No real world report of this issue
has been made so far.  This fix is based on only theoretical analysis.
That said, a bug is a bug.  A similar issue was also fixed via commit
3203b3ab0fcf ("mm/filemap: don't call folio_test_locked() without a
reference in next_uptodate_folio()").  I don't expect this change will
make a meaningful impact to DAMON performance in the real world, though I
will be happy to be corrected from the real world reports.

The issue was discovered [1] by Sashiko.


Link: https://lore.kernel.org/20260525162256.8317-1-sj@kernel.org
Link: https://lore.kernel.org/20260517234112.89245-1-sj@kernel.org [1]
Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Fernand Sieber <sieberf@amazon.com>
Cc: Leonard Foerster <foersleo@amazon.de>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: <stable@vger.kernel.org> # 5.15.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/ops-common.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/damon/ops-common.c
+++ b/mm/damon/ops-common.c
@@ -32,9 +32,9 @@ struct folio *damon_get_folio(unsigned l
 		return NULL;
 
 	folio = page_folio(page);
-	if (!folio_test_lru(folio) || !folio_try_get(folio))
+	if (!folio_try_get(folio))
 		return NULL;
-	if (unlikely(page_folio(page) != folio || !folio_test_lru(folio))) {
+	if (unlikely(page_folio(page) != folio) || !folio_test_lru(folio)) {
 		folio_put(folio);
 		folio = NULL;
 	}
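Review bot: nothing at the folio_try_get() call records why
folio_test_lru() must not be tested before the reference is held, so the
removed speculative check is easy to reintroduce as an optimisation. Add a
short comment above "if (!folio_try_get(folio))" stating that folio flags
may only be read once the reference is taken, because the folio can
otherwise be freed and reallocated as a tail page.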




* [PATCH 6.1 303/522] misc: fastrpc: fix DMA address corruption due to find_vma misuse
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (301 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 302/522] misc: fastrpc: fix use-after-free race in fastrpc_map_create Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 304/522] net/mlx5: Reorder completion before putting command entry in cmd_work_handler Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Dmitry Baryshkov, Srinivas Kandagatla

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream.

fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.

Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.

Cc: stable@vger.kernel.org
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -994,7 +994,7 @@ static int fastrpc_get_args(u32 kernel,
 			pages[i].addr = ctx->maps[i]->phys;
 
 			mmap_read_lock(current->mm);
-			vma = find_vma(current->mm, ctx->args[i].ptr);
+			vma = vma_lookup(current->mm, ctx->args[i].ptr);
 			if (vma)
 				pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
 						 vma->vm_start;
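Review bot: with vma_lookup() a pointer that lies in no VMA now yields
vma == NULL, and the existing "if (vma)" simply skips the offset, so the
invoke proceeds with pages[i].addr left at ctx->maps[i]->phys. If an
unmapped ctx->args[i].ptr is an invalid argument, consider failing the call
(releasing the mmap read lock on the way out) instead of continuing
silently; if continuing is intended, say so in a comment.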




* [PATCH 7.0 220/378] mm/huge_memory: update file PUD counter before folio_put()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 219/378] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 221/378] RDMA/core: Validate the passed in fops for ib_get_ucaps() Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yin Tirui, Lorenzo Stoakes,
	David Hildenbrand (arm), Lance Yang, Dev Jain, Alistair Popple,
	Baolin Wang, Barry Song, Chen Jun, Kefeng Wang, Liam R. Howlett,
	Nico Pache, Ryan Roberts, Zi Yan, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yin Tirui <yintirui@huawei.com>

commit 40990c87a26e371594475acdc560c93cfae308a1 upstream.

__split_huge_pud_locked() updates the file/shmem RSS counter after
dropping the PUD mapping's folio reference.  If folio_put() drops the last
reference, mm_counter_file() can later read freed folio state via
folio_test_swapbacked().

Move the counter update before folio_put().

Link: https://lore.kernel.org/20260526101355.1984244-1-yintirui@huawei.com
Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
Signed-off-by: Yin Tirui <yintirui@huawei.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (arm) <david@kernel.org>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Chen Jun <chenjun102@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/huge_memory.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2913,9 +2913,9 @@ static void __split_huge_pud_locked(stru
 	if (!folio_test_referenced(folio) && pud_young(old_pud))
 		folio_set_referenced(folio);
 	folio_remove_rmap_pud(folio, page, vma);
-	folio_put(folio);
 	add_mm_counter(vma->vm_mm, mm_counter_file(folio),
 		-HPAGE_PUD_NR);
+	folio_put(folio);
 }
 
 void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,




* [PATCH 6.1 304/522] net/mlx5: Reorder completion before putting command entry in cmd_work_handler
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (302 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 303/522] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 305/522] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Kuratov, Md Haris Iqbal,
	Moshe Shemesh, Tariq Toukan, Paolo Abeni

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Kuratov <kniv@yandex-team.ru>

commit 02896a7fa4cd3ec61d60ba30136841e4f04bdeac upstream.

Assuming callback != NULL && !page_queue, cmd_work_handler takes a
command entry with refcnt == 1 from mlx5_cmd_invoke.
If either a semaphore timeout or an index allocation error happens,
it does the final cmd_ent_put(ent). To avoid access to freed memory,
notify slotted completion before cmd_ent_put.

This is a theoretical issue found by the Svace static analyser.

Cc: stable@vger.kernel.org
Fixes: 485d65e135712 ("net/mlx5: Add a timeout to acquire the command queue semaphore")
Fixes: 0e2909c6bec90 ("net/mlx5: Fix variable not being completed when function returns")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Acked-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260526162932.501584-1-kniv@yandex-team.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -986,12 +986,13 @@ static void cmd_work_handler(struct work
 				ent->callback(-EBUSY, ent->context);
 				mlx5_free_cmd_msg(dev, ent->out);
 				free_msg(dev, ent->in);
+				complete(&ent->slotted);
 				cmd_ent_put(ent);
 			} else {
 				ent->ret = -EBUSY;
 				complete(&ent->done);
+				complete(&ent->slotted);
 			}
-			complete(&ent->slotted);
 			return;
 		}
 		alloc_ret = cmd_alloc_index(cmd, ent);
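Review bot: complete(&ent->slotted) is now duplicated in both branches
here, and the reason it must precede cmd_ent_put(ent) in the callback
branch lives only in the commit message. A comment at that call (the put
may drop the last reference, so ent must not be touched afterwards) would
keep someone from hoisting the completion back below the if/else.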
@@ -1001,13 +1002,14 @@ static void cmd_work_handler(struct work
 				ent->callback(-EAGAIN, ent->context);
 				mlx5_free_cmd_msg(dev, ent->out);
 				free_msg(dev, ent->in);
+				complete(&ent->slotted);
 				cmd_ent_put(ent);
 			} else {
 				ent->ret = -EAGAIN;
 				complete(&ent->done);
+				complete(&ent->slotted);
 			}
 			up(&cmd->vars.sem);
-			complete(&ent->slotted);
 			return;
 		}
 	} else {
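Review bot: in the else branch the order is complete(&ent->done) followed
by complete(&ent->slotted), so ent is still touched after the waiter on
done has been released. Please confirm that a waiter woken by done cannot
drop its reference before the second complete() runs; if it can, completing
slotted first would match the ordering now used in the callback branch.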




* [PATCH 7.0 221/378] RDMA/core: Validate the passed in fops for ib_get_ucaps()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 220/378] mm/huge_memory: update file PUD counter before folio_put() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 222/378] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee upstream.

Sashiko pointed out it is not safe to rely only on the devt because
char and block devices alias, so if the user finds a block device with the
same dev_t it can masquerade as a ucap cdev fd.

Test the f_ops to only accept authentic cdevs.

Link: https://patch.msgid.link/r/0-v1-fd9482545e37+1e25-ib_ucaps_fd_ops_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/ucaps.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/core/ucaps.c
+++ b/drivers/infiniband/core/ucaps.c
@@ -82,14 +82,12 @@ static int get_ucap_from_devt(dev_t devt
 
 static int get_devt_from_fd(unsigned int fd, dev_t *ret_dev)
 {
-	struct file *file;
+	CLASS(fd, f)(fd);
 
-	file = fget(fd);
-	if (!file)
+	if (fd_empty(f) || fd_file(f)->f_op != &ucaps_cdev_fops)
 		return -EBADF;
 
-	*ret_dev = file_inode(file)->i_rdev;
-	fput(file);
+	*ret_dev = file_inode(fd_file(f))->i_rdev;
 	return 0;
 }
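Review bot: the combined test returns -EBADF both when fd is not open and
when it is open but its f_op is not &ucaps_cdev_fops, so user space cannot
tell a closed descriptor from a descriptor of the wrong kind. Consider
splitting the condition and returning -EINVAL for the f_op mismatch, and
add a comment that the f_op comparison is what rejects a block device
sharing the same dev_t.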
 




* [PATCH 6.1 305/522] net: bonding: fix NULL pointer dereference in bond_do_ioctl()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (303 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 304/522] net/mlx5: Reorder completion before putting command entry in cmd_work_handler Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 306/522] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, ZhaoJinming, Paolo Abeni

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ZhaoJinming <zhaojinming@uniontech.com>

commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.

In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:

    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
    slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
    if (!slave_dev)
        return -ENODEV;

The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.

This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.

Fix by moving the slave_dbg() call after the NULL check.

Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4623,11 +4623,11 @@ static int bond_do_ioctl(struct net_devi
 
 	slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
 
-	slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
-
 	if (!slave_dev)
 		return -ENODEV;
 
+	slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+
 	switch (cmd) {
 	case SIOCBONDENSLAVE:
 		res = bond_enslave(bond_dev, slave_dev, NULL);
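Review bot: once moved below the NULL check,
slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev) can only print
a non-NULL pointer, which %p hashes by default, and the macro already
prefixes the slave name according to the commit message. The statement no
longer tells the reader anything; consider dropping the %p argument or the
debug line altogether rather than just moving it.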




* [PATCH 7.0 222/378] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 221/378] RDMA/core: Validate the passed in fops for ib_get_ucaps() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 223/378] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Yishai Hadas,
	Jason Gunthorpe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yishai Hadas <yishaih@nvidia.com>

commit 323c98a4ff06aa28114f2bf658fb43eb3b536bbc upstream.

The cpu_id attribute supplied by user space through
UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu()
without first verifying that the value is within the valid CPU range.

Passing such untrusted data to cpumask_test_cpu() may lead to an
out-of-bounds read of the underlying cpumask bitmap: the helper expands
to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with
no bound check.

In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips
the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this
turns a bad user input into a machine reboot.

Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL
before it is used.

Reported by Smatch.

Fixes: d83edab562a4 ("RDMA/core: Introduce a DMAH object and its alloc/free APIs")
Link: https://patch.msgid.link/r/20260525142136.28165-1-yishaih@nvidia.com
Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/ag68qoAW3P04J7pT@stanley.mountain/
Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/uverbs_std_types_dmah.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/uverbs_std_types_dmah.c
+++ b/drivers/infiniband/core/uverbs_std_types_dmah.c
@@ -47,6 +47,11 @@ static int UVERBS_HANDLER(UVERBS_METHOD_
 		if (ret)
 			goto err;
 
+		if (dmah->cpu_id >= nr_cpu_ids) {
+			ret = -EINVAL;
+			goto err;
+		}
+
 		if (!cpumask_test_cpu(dmah->cpu_id, current->cpus_ptr)) {
 			ret = -EPERM;
 			goto err;
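Review bot: the new range check on dmah->cpu_id has no comment saying the value comes straight from user space, which is the only reason it has to sit before cpumask_test_cpu(). A one-line comment would keep a later cleanup from folding the two tests together or reordering them. The error code for an out-of-range id is now -EINVAL, where a request that previously got as far as the affinity test would have seen -EPERM; the changelog should say that this is intended for callers that check errno.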



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 306/522] net: mv643xx: fix OF node refcount
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (304 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 305/522] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 307/522] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.

Platform devices created with platform_device_alloc() call
platform_device_release() when the last reference to the device's
kobject is dropped. This function calls of_node_put() unconditionally.
This works fine for devices created with platform_device_register_full()
but users of the split approach (platform_device_alloc() +
platform_device_add()) must bump the reference of the of_node they
assign manually. Add the missing call to of_node_get().

Cc: stable@vger.kernel.org
Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/mv643xx_eth.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -2781,7 +2781,7 @@ static int mv643xx_eth_shared_of_add_por
 		goto put_err;
 	}
 	ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
-	ppdev->dev.of_node = pnp;
+	ppdev->dev.of_node = of_node_get(pnp);
 
 	ret = platform_device_add_resources(ppdev, &res, 1);
 	if (ret)
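Review bot: the reference taken by of_node_get(pnp) is now owned by ppdev, but the error handling after this point (the if (ret) following platform_device_add_resources()) is outside the hunk. Please confirm those paths drop the device with platform_device_put() only and do not also call of_node_put(pnp) for the same reference, otherwise this fix trades an underflow for a double put on failure.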



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 223/378] RDMA/srp: bound SRP_RSP sense copy by the received length
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 222/378] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 224/378] zram: fix use-after-free in zram_bvec_write_partial() Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Bart Van Assche,
	Jason Gunthorpe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream.

srp_process_rsp() copies sense data from rsp->data + resp_data_len,
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the number of bytes actually received
(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
at most 96 bytes are copied, but the source offset is not bounded.

A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
is allocated at the target-chosen max_ti_iu_len, so the source of the
sense copy lands past the bytes actually received; with resp_data_len
near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.

Copy the sense data only if it has not been truncated, that is, only if
the response header, the response data, and the sense region fit within
the bytes actually received; otherwise drop the sense and log. The
in-tree iSER and NVMe-RDMA receive paths already bound their parse by
wc->byte_len; this brings ib_srp into line with them.

Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srp/ib_srp.c |   30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1932,7 +1932,8 @@ static int srp_post_recv(struct srp_rdma
 	return ib_post_recv(ch->qp, &wr, NULL);
 }
 
-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp)
+static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp,
+			    u32 byte_len)
 {
 	struct srp_target_port *target = ch->target;
 	struct srp_request *req;
@@ -1973,10 +1974,27 @@ static void srp_process_rsp(struct srp_r
 		scmnd->result = rsp->status;
 
 		if (rsp->flags & SRP_RSP_FLAG_SNSVALID) {
-			memcpy(scmnd->sense_buffer, rsp->data +
-			       be32_to_cpu(rsp->resp_data_len),
-			       min_t(int, be32_to_cpu(rsp->sense_data_len),
-				     SCSI_SENSE_BUFFERSIZE));
+			u32 resp_len = be32_to_cpu(rsp->resp_data_len);
+			u32 sense_len = be32_to_cpu(rsp->sense_data_len);
+
+			/*
+			 * The sense data starts resp_data_len bytes past the
+			 * response data area; both lengths come from the
+			 * target-controlled response.  Copy the sense data
+			 * only if it has not been truncated, that is, only if
+			 * the full sense region fits within the bytes actually
+			 * received.  Otherwise the copy source would run past
+			 * the receive buffer (sized to the target-chosen
+			 * max_ti_iu_len), reading out of bounds.
+			 */
+			if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len)
+				memcpy(scmnd->sense_buffer,
+				       rsp->data + resp_len,
+				       min(sense_len, SCSI_SENSE_BUFFERSIZE));
+			else
+				shost_printk(KERN_ERR, target->scsi_host,
+					     "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n",
+					     resp_len, sense_len, byte_len);
 		}
 
 		if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER))
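Review bot: the shost_printk(KERN_ERR, ...) in the else branch runs once per offending response and is driven entirely by the remote target, so a misbehaving target can flood the log; a ratelimited print would be safer here. Separately, the bound tests the full sense_len against byte_len while the copy takes min(sense_len, SCSI_SENSE_BUFFERSIZE), so a response whose first 96 sense bytes did arrive but whose declared sense_len exceeds what was received is dropped as a whole. That matches the "not truncated" wording in the comment, but the comment could state that it is deliberate.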
@@ -2086,7 +2104,7 @@ static void srp_recv_done(struct ib_cq *
 
 	switch (opcode) {
 	case SRP_RSP:
-		srp_process_rsp(ch, iu->buf);
+		srp_process_rsp(ch, iu->buf, wc->byte_len);
 		break;
 
 	case SRP_CRED_REQ:
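Review bot: wc->byte_len is passed through here, but the only use of it visible in this patch guards the sense copy; srp_process_rsp() still reads header fields such as rsp->flags and rsp->status with no test that byte_len covers sizeof(*rsp). A receive shorter than the header would be parsed from whatever the buffer held before. Consider rejecting byte_len < sizeof(struct srp_rsp) at this call site or at the top of srp_process_rsp().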



^ permalink raw reply	[flat|nested] 906+ messages in thread
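The 64-bit widening in the bound above is what makes the check hold for a resp_data_len near 0xFFFFFFFF. The following is an added userspace model, not code from the patch or from ib_srp; struct rsp_model, the flag value and all function names are assumptions made for the illustration, and the header-length test in copy_sense() is an extra that the patch does not contain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_SNSVALID  0x02u	/* constructed flag value for this model */
#define SENSE_BUF_SIZE 96u	/* copy cap named in the commit message */

/* Simplified response header (assumption: not the real struct srp_rsp). */
struct rsp_model {
	uint8_t flags;
	uint8_t reserved[3];
	uint8_t sense_data_len[4];	/* big-endian, sender-controlled */
	uint8_t resp_data_len[4];	/* big-endian, sender-controlled */
	uint8_t data[];			/* response data, then sense data */
};

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24);
	p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);
	p[3] = (uint8_t)v;
}

/* 32-bit sum: wraps modulo 2^32, so a huge resp_len can look small. */
int fits_u32(uint32_t resp_len, uint32_t sense_len, uint32_t byte_len)
{
	uint32_t end = (uint32_t)sizeof(struct rsp_model) + resp_len + sense_len;

	return end <= byte_len;
}

/* 64-bit sum, as in the patch: three 32-bit terms cannot overflow it. */
int fits_u64(uint32_t resp_len, uint32_t sense_len, uint32_t byte_len)
{
	return sizeof(struct rsp_model) + (uint64_t)resp_len + sense_len <= byte_len;
}

/*
 * Returns the number of bytes copied into sense_out (at least
 * SENSE_BUF_SIZE bytes large), 0 if no sense data is flagged, or -1 if
 * the sense region does not lie inside the bytes actually received.
 */
int copy_sense(const uint8_t *iu, uint32_t byte_len, uint8_t *sense_out)
{
	const struct rsp_model *rsp = (const struct rsp_model *)iu;
	uint32_t resp_len, sense_len, n;

	if (byte_len < sizeof(*rsp))	/* extra check: header must be present */
		return -1;
	if (!(rsp->flags & FLAG_SNSVALID))
		return 0;

	resp_len = get_be32(rsp->resp_data_len);
	sense_len = get_be32(rsp->sense_data_len);
	if (!fits_u64(resp_len, sense_len, byte_len))
		return -1;		/* truncated or forged lengths: drop */

	n = sense_len < SENSE_BUF_SIZE ? sense_len : SENSE_BUF_SIZE;
	memcpy(sense_out, rsp->data + resp_len, n);
	return (int)n;
}

/* Fill buf with a constructed response; payload byte k has value k. */
size_t make_iu(uint8_t *buf, size_t cap, uint32_t resp_len, uint32_t sense_len)
{
	struct rsp_model *rsp = (struct rsp_model *)buf;
	size_t i;

	memset(buf, 0, cap);
	rsp->flags = FLAG_SNSVALID;
	put_be32(rsp->sense_data_len, sense_len);
	put_be32(rsp->resp_data_len, resp_len);
	for (i = sizeof(*rsp); i < cap; i++)
		buf[i] = (uint8_t)(i - sizeof(*rsp));
	return sizeof(*rsp);
}

int main(void)
{
	uint8_t iu[64], sense[SENSE_BUF_SIZE];

	make_iu(iu, sizeof(iu), 4, 8);			/* honest lengths */
	printf("honest, 24 bytes received: %d\n", copy_sense(iu, 24, sense));

	make_iu(iu, sizeof(iu), 0xFFFFFFF8u, 8);	/* forged resp_data_len */
	printf("forged: u32 check=%d u64 check=%d copy=%d\n",
	       fits_u32(0xFFFFFFF8u, 8, 24), fits_u64(0xFFFFFFF8u, 8, 24),
	       copy_sense(iu, 24, sense));
	return 0;
}
```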

* [PATCH 6.1 307/522] net: rds: clear i_sends on setup unwind
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (305 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 306/522] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 308/522] octeontx2-af: fix memory leak in rvu_setup_hw_resources() Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Allison Henderson, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.

The RDS IB connection teardown path is written so it can run during
partial startup and on repeated shutdown attempts. It uses NULL
pointers to distinguish resources that are still owned from resources
that have already been released.

When rds_ib_setup_qp() fails after allocating i_sends but before
allocating i_recvs, the sends_out path frees i_sends without clearing
the pointer. A later shutdown pass can still treat that stale pointer
as a live send ring allocation.

Clear i_sends after vfree() in the error unwind path so the existing
shutdown logic continues to use the correct ownership state.

Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/ib_cm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
 
 sends_out:
 	vfree(ic->i_sends);
+	ic->i_sends = NULL;
 
 ack_dma_out:
 	rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
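Review bot: only the sends_out label gains a NULL store, yet the ack_dma_out label directly below frees ic->i_ack through rds_dma_hdr_free() and leaves that pointer (and ic->i_ack_dma) as it was. Since the changelog says the shutdown path uses NULL to tell owned resources from released ones, the remaining unwind labels in rds_ib_setup_qp() should be checked for the same stale-pointer pattern, either in this patch or a follow-up.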



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 224/378] zram: fix use-after-free in zram_bvec_write_partial()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 223/378] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 225/378] udp: clear skb->dev before running a sockmap verdict Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
	Sergey Senozhatsky, Cunlong Li, Jens Axboe, Minchan Kim,
	Yisheng Xie, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cunlong Li <shenxiaogll@gmail.com>

commit 732fd9f0b9c1cdc6dfd77162ded60df005182cc0 upstream.

zram_read_page() picks the sync or async backing device read path based on
whether the parent bio is NULL.  zram_bvec_write_partial() passes its
parent bio down, so for ZRAM_WB slots the read is dispatched
asynchronously and zram_read_page() returns 0 while the bio is still in
flight.  The caller then runs memcpy_from_bvec(), zram_write_page() and
__free_page() on the buffer, leaving the async read to write into a freed
page.

zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
("zram: fix synchronous reads") for the same reason; the write_partial
counterpart was missed.

Link: https://lore.kernel.org/20260528-zram-v3-1-cab86eef8764@gmail.com
Fixes: 8e654f8fbff5 ("zram: read page from backing device")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Cunlong Li <shenxiaogll@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Yisheng Xie <xieyisheng1@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/zram/zram_drv.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -2321,7 +2321,7 @@ static int zram_bvec_write_partial(struc
 	if (!page)
 		return -ENOMEM;
 
-	ret = zram_read_page(zram, page, index, bio);
+	ret = zram_read_page(zram, page, index, NULL);
 	if (!ret) {
 		memcpy_from_bvec(page_address(page) + offset, bvec);
 		ret = zram_write_page(zram, page, index);
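Review bot: the NULL argument to zram_read_page() carries the whole fix but nothing at the call site says why the parent bio must not be passed, and the next lines (memcpy_from_bvec(), zram_write_page()) depend on the read having completed. A short comment that NULL forces the synchronous read, because the page is consumed and freed immediately afterwards, would stop a later cleanup from reinstating bio, which is how the read_partial and write_partial paths diverged in the first place.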



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 308/522] octeontx2-af: fix memory leak in rvu_setup_hw_resources()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (306 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 307/522] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 309/522] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dawei Feng, Zilin Guan, Paolo Abeni

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dawei Feng <dawei.feng@seu.edu.cn>

commit 09a5bf856aa759513afc4afd233d15bcc711b84e upstream.

If rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function
returns directly instead of jumping to the error handling path. This
causes a resource leak for the previously initialized CGX, NPC, fwdata,
and MSI-X states.

Fix this by replacing the direct return with goto cgx_err to ensure
proper cleanup.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc6.

An x86_64 allyesconfig build showed no new warnings. As we do not have
access to Marvell OcteonTX2 RVU AF hardware to test with, no runtime
testing was able to be performed.

Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM")
Cc: stable@vger.kernel.org
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
@@ -1130,7 +1130,7 @@ cpt:
 	err = rvu_npc_exact_init(rvu);
 	if (err) {
 		dev_err(rvu->dev, "failed to initialize exact match table\n");
-		return err;
+		goto cgx_err;
 	}
 
 	/* Assign MACs for CGX mapped functions */
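Review bot: the goto cgx_err target lies outside this hunk, and the changelog states the change was build-tested only. Please confirm that cgx_err is the correct entry point in the unwind chain for a failure of rvu_npc_exact_init(): it has to release everything set up before this call (the changelog lists CGX, NPC, fwdata and MSI-X state) and must not tear down anything that is only initialized later in the function.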



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 225/378] udp: clear skb->dev before running a sockmap verdict
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 224/378] zram: fix use-after-free in zram_bvec_write_partial() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 226/378] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sechang Lim, Jiayuan Chen,
	Eric Dumazet, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sechang Lim <rhkrqnwk98@gmail.com>

commit 3c94f241f776562c489876ff506f366224565c21 upstream.

On the UDP receive path skb->dev is repurposed as dev_scratch (the
truesize/state cache set by udp_set_dev_scratch()), through the
union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is
sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()
(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.
If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,
bpf_skc_lookup_tcp), bpf_skc_lookup() does:

	if (skb->dev)
		caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()
dereferences it as a struct net_device * and the kernel takes a general
protection fault on a non-canonical address in softirq:

  Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
  CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
  RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
  RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
  Call Trace:
   <IRQ>
   bpf_prog_4675cb904b7071f8+0x12e/0x14e
   bpf_prog_run_pin_on_cpu+0xc6/0x1f0
   sk_psock_verdict_recv+0x1ba/0x350
   udp_read_skb+0x31a/0x370
   sk_psock_verdict_data_ready+0x2e3/0x600
   __udp_enqueue_schedule_skb+0x4c8/0x650
   udpv6_queue_rcv_one_skb+0x3ec/0x740
   udp6_unicast_rcv_skb+0x11d/0x140
   ip6_protocol_deliver_rcu+0x61e/0x950
   ip6_input_finish+0xa9/0x150
   NF_HOOK+0x286/0x2f0
   ip6_input+0x117/0x220
   NF_HOOK+0x286/0x2f0
   __netif_receive_skb+0x85/0x200
   process_backlog+0x374/0x9a0
   __napi_poll+0x4f/0x1c0
   net_rx_action+0x3b0/0x770
   handle_softirqs+0x15a/0x460
   do_softirq+0x57/0x80
   </IRQ>

The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on
dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear
skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which
skb_set_owner_sk_safe() set just above.

Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()")
Cc: stable@vger.kernel.org
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/udp.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2061,6 +2061,14 @@ try_again:
 	}
 
 	WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk));
+
+	/*
+	 * skb->dev still aliases the UDP rx dev_scratch (its charge was freed
+	 * on dequeue above); a sockmap verdict program may deref it via
+	 * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk
+	 */
+	skb->dev = NULL;
+
 	return recv_actor(sk, skb);
 }
 EXPORT_IPV6_MOD(udp_read_skb);
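Review bot: the fallback this fix relies on needs skb->sk to be valid, but the line above only WARNs when skb_set_owner_sk_safe() fails and execution continues into recv_actor(). With skb->dev now NULL, a verdict program doing a socket lookup in that case would go through sock_net(skb->sk) on an skb whose owner was never set. Consider returning an error and freeing the skb when skb_set_owner_sk_safe() fails rather than calling recv_actor(). The new comment would also read better with the arrow written out as a sentence.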



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 309/522] mmc: core: Fix host controller programming for fixed driver type
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (307 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 308/522] octeontx2-af: fix memory leak in rvu_setup_hw_resources() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 310/522] mmc: litex_mmc: Set mandatory idle clocks before CMD0 Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Shawn Lin, Ulf Hansson

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kamal Dasu <kamal.dasu@broadcom.com>

commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream.

When using the fixed-emmc-driver-type device tree property, the MMC core
correctly selects the driver strength for the card but fails to program
the host controller accordingly. This causes a mismatch where the card
uses the specified driver type while the host controller defaults to
Type B (since ios->drv_type remains zero).

Split the driver type programming logic to handle both fixed and dynamic
driver type selection paths. For fixed driver types, program the host
controller with the selected drive_strength value. For dynamic selection,
use the existing drv_type as before.

This ensures both the eMMC device and host controller use matching driver
strengths, preventing potential signal integrity issues.

Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type")
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/mmc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1354,7 +1354,9 @@ static void mmc_select_driver_type(struc
 
 	card->drive_strength = drive_strength;
 
-	if (drv_type)
+	if (fixed_drv_type >= 0 && drive_strength)
+		mmc_set_driver_type(card->host, drive_strength);
+	else if (drv_type)
 		mmc_set_driver_type(card->host, drv_type);
 }
 
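Review bot: in the new condition fixed_drv_type >= 0 && drive_strength, a fixed type that resolves to drive_strength 0 falls through to the else if (drv_type) branch, so the host could be programmed with the dynamically selected drv_type even though a fixed type was requested. If drv_type is guaranteed to be zero on the fixed path, say so in a comment; otherwise split on fixed_drv_type >= 0 alone and handle the zero value explicitly.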



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 226/378] ARM: socfpga: Fix OF node refcount leak in SMP setup
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 225/378] udp: clear skb->dev before running a sockmap verdict Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 227/378] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuho Choi, Dinh Nguyen

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuho Choi <dbgh9129@gmail.com>

commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream.

socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with
of_find_compatible_node(), which returns a node reference that must be
released with of_node_put().

The function maps the SCU registers and then returns without dropping
that reference, leaking the node on both the success path and the
of_iomap() failure path.

Drop the reference once the mapping attempt is complete. The returned
MMIO mapping does not depend on keeping the device node reference held.

Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU")
Cc: stable@vger.kernel.org
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-socfpga/platsmp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-socfpga/platsmp.c
+++ b/arch/arm/mach-socfpga/platsmp.c
@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c
 	}
 
 	socfpga_scu_base_addr = of_iomap(np, 0);
+	of_node_put(np);
 	if (!socfpga_scu_base_addr)
 		return;
 	scu_enable(socfpga_scu_base_addr);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 310/522] mmc: litex_mmc: Set mandatory idle clocks before CMD0
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (308 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 309/522] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 311/522] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Gabriel Somlo,
	Ulf Hansson

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Inochi Amaoto <inochiama@gmail.com>

commit 99982b743e5ba72bd1f5de0e03e3b96ae70b1e51 upstream.

The litex_mmc driver assumes the card is already probed in the BIOS
and skips the PHY initialization. This causes commands to fail
like the following when the old card is unplugged and a new card
is then inserted:

[   62.923593] litex-mmc f0004000.mmc: Command (cmd 8) error, status -110
[   62.949717] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
[   62.976606] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
[   63.002516] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
[   63.028442] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110

Add required clock settings and initialization for the CMD 0, so it can
probe the new card.

Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/litex_mmc.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/mmc/host/litex_mmc.c
+++ b/drivers/mmc/host/litex_mmc.c
@@ -69,6 +69,9 @@
 #define SD_SLEEP_US       5
 #define SD_TIMEOUT_US 20000
 
+#define SD_INIT_DELAY_US  1000
+#define SD_INIT_CLK_HZ    400000
+
 #define SDIRQ_CARD_DETECT    1
 #define SDIRQ_SD_TO_MEM_DONE 2
 #define SDIRQ_MEM_TO_SD_DONE 4
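Review bot: SD_INIT_DELAY_US is set to 1000 without any stated derivation. At SD_INIT_CLK_HZ of 400000 the 74 idle clocks mentioned later in the patch take 185 us, so a comment next to the define should say where the extra margin comes from (PHY behaviour, or a power-up ramp requirement) so the value is not tuned down blindly later.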
@@ -450,6 +453,17 @@ static void litex_mmc_set_ios(struct mmc
 	struct litex_mmc_host *host = mmc_priv(mmc);
 
 	/*
+	 * The SD specification requires at least 74 idle clocks before CMD0.
+	 * These dummy cycles is generated by writing LITEX_PHY_INITIALIZE.
+	 */
+	if (ios->chip_select == MMC_CS_HIGH) {
+		litex_mmc_setclk(host, SD_INIT_CLK_HZ);
+		litex_write8(host->sdphy + LITEX_PHY_INITIALIZE, 1);
+		fsleep(SD_INIT_DELAY_US);
+		return;
+	}
+
+	/*
 	 * NOTE: Ignore any ios->bus_width updates; they occur right after
 	 * the mmc core sends its own acmd6 bus-width change notification,
 	 * which is redundant since we snoop on the command flow and inject
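Review bot: the new block returns early whenever ios->chip_select == MMC_CS_HIGH, which skips the rest of litex_mmc_set_ios() for that call and leaves the clock at SD_INIT_CLK_HZ regardless of ios->clock. The comment should explain why MMC_CS_HIGH is a reliable marker for "about to send CMD0" on this host, and the changelog should confirm that the core issues another set_ios() call afterwards so the requested clock is applied.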



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 227/378] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 226/378] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 228/378] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Karl Mehltretter, Linus Walleij,
	Russell King

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Karl Mehltretter <kmehltretter@gmail.com>

commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream.

For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented
as C volatile halfword accesses so the compiler can generate an access
sequence that is safe for those machines. With KASAN enabled, those C
accesses are instrumented as normal memory accesses.

That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled,
PL011 probing traps in __asan_store2() while registering the UART, because
the instrumented writew() tries to check KASAN shadow for an MMIO address.

Keep the existing volatile halfword access, but move the ARMv5 definitions
into __no_kasan_or_inline functions so raw MMIO halfword accesses are not
instrumented by KASAN. The ARMv6-and-newer inline assembly path is
unchanged.

Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
Cc: stable@vger.kernel.org # v5.11+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/io.h |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/arch/arm/include/asm/io.h
+++ b/arch/arm/include/asm/io.h
@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __
  * the bus. Rather than special-case the machine, just let the compiler
  * generate the access for CPUs prior to ARMv6.
  */
-#define __raw_readw(a)         (__chk_io_ptr(a), *(volatile unsigned short __force *)(a))
-#define __raw_writew(v,a)      ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v)))
+#define __raw_writew __raw_writew
+static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr)
+{
+	__chk_io_ptr(addr);
+	*(volatile unsigned short __force *)addr = val;
+}
+
+#define __raw_readw __raw_readw
+static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr)
+{
+	__chk_io_ptr(addr);
+	return *(const volatile unsigned short __force *)addr;
+}
 #else
 /*
  * When running under a hypervisor, we want to avoid I/O accesses with
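Review bot: the block comment above the new helpers still only explains the pre-ARMv6 volatile access and says nothing about why they are now __no_kasan_or_inline functions; one sentence noting that MMIO addresses have no KASAN shadow would keep them from being turned back into macros or plain inlines. Converting from macros also narrows the interface: the address argument is now typed volatile void __iomem * and the value is converted to u16 at the call, so callers that passed other pointer or integer types may start producing sparse or compiler warnings on ARMv5 builds.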



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 311/522] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (309 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 310/522] mmc: litex_mmc: Set mandatory idle clocks before CMD0 Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 312/522] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Wolfram Sang,
	Geert Uytterhoeven, Ulf Hansson

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 upstream.

The RZ/G2H (R8A774E1) SoC was previously handled via the generic
"renesas,rcar-gen3-sdhi" fallback compatible string. However, because
the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it
requires the specific quirks and configuration defined in
`of_r8a7795_compatible` rather than the generic Gen3 data.

Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly.
Note that the DT binding file renesas,sdhi.yaml does not need an update
as the entry for this SoC is already present.

Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/renesas_sdhi_internal_dmac.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
@@ -269,6 +269,7 @@ static const struct renesas_sdhi_of_data
 static const struct of_device_id renesas_sdhi_internal_dmac_of_match[] = {
 	{ .compatible = "renesas,sdhi-r7s9210", .data = &of_rza2_compatible, },
 	{ .compatible = "renesas,sdhi-mmc-r8a77470", .data = &of_rcar_gen3_compatible, },
+	{ .compatible = "renesas,sdhi-r8a774e1", .data = &of_r8a7795_compatible, },
 	{ .compatible = "renesas,sdhi-r8a7795", .data = &of_r8a7795_compatible, },
 	{ .compatible = "renesas,sdhi-r8a77961", .data = &of_r8a77961_compatible, },
 	{ .compatible = "renesas,sdhi-r8a77965", .data = &of_r8a77965_compatible, },
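Review bot: the added "renesas,sdhi-r8a774e1" row points an RZ/G2H compatible at of_r8a7795_compatible with nothing in the table saying why, so it reads like a copy-paste slip next to rows whose data name matches their compatible. A trailing comment such as /* same SDHI IP as R-Car H3-N */ on that row would keep the rationale next to the code rather than only in the changelog.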




* [PATCH 7.0 228/378] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 227/378] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 229/378] arm64: mm: call pagetable dtor when freeing hot-removed page tables Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Karl Mehltretter, Linus Walleij,
	Russell King

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Karl Mehltretter <kmehltretter@gmail.com>

commit 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 upstream.

Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from
VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in
__switch_to(). The read uses ldr, but the KASAN shadow address is
byte-granular and is not guaranteed to be word aligned.

ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and
CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()
with an alignment exception before reaching init.

Use ldrb for the dummy shadow access. The code only needs to fault in the
shadow mapping if the stack shadow is missing, so a byte load is sufficient
and matches the granularity of KASAN shadow memory.

Fixes: 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/kernel/entry-armv.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -567,7 +567,7 @@ ENTRY(__switch_to)
 	@ are using KASAN
 	mov_l	r2, KASAN_SHADOW_OFFSET
 	add	r2, r2, ip, lsr #KASAN_SHADOW_SCALE_SHIFT
-	ldr	r2, [r2]
+	ldrb	r2, [r2]
 #endif
 #endif
 
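Review bot: the switch from ldr to ldrb is easy to undo by accident, because the only comment in view ("are using KASAN") does not say that the access width matters. Extend that comment to state that the shadow address is byte-granular and may be unaligned, so the dummy read must stay a byte load.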




* [PATCH 6.1 312/522] mmc: sdhci: add signal voltage switch in sdhci_resume_host
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (310 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 311/522] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 313/522] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Adrian Hunter,
	Ulf Hansson

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jszhang@kernel.org>

commit f595e8e77a51eee35e331f69321766593a845ef2 upstream.

I met one suspend/resume issue with sdr104 capable sdio wifi card (with
"keep-power-in-suspend" set in DT property):
After resuming from suspend to ram, the sdio wifi card stops working.
Further debug shows that although ios shows the sdio card is at sdr104
mode, the voltage is still at 3V3. This is due to missing the calling
of ->start_signal_voltage_switch() in sdhci_resume_host().

Fix this issue by adding ->start_signal_voltage_switch() in
sdhci_resume_host(). This also matches what we do for
sdhci_runtime_resume_host().

Then the question is: why hasn't this issue been reported and fixed for
such a long time? IMHO, several reasons: Some host controllers just kick off
the runtime resume for system resume, so they benefit from the well
supported runtime pm code; Some platforms just use the old sdio wifi
card which doesn't need signal voltage switch at all, the default
voltage is 3v3 after resuming.

Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -3823,6 +3823,7 @@ int sdhci_resume_host(struct sdhci_host
 		host->pwr = 0;
 		host->clock = 0;
 		host->reinit_uhs = true;
+		mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios);
 		mmc->ops->set_ios(mmc, &mmc->ios);
 	} else {
 		sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER));
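Review bot: the return value of the added ->start_signal_voltage_switch() call is dropped, so a failed switch on resume falls straight through to ->set_ios() with the signalling voltage still wrong, which is the state the changelog describes. Capture the result and at least log it, and say in a comment whether every host reaching this branch is guaranteed to have the op populated, since the pointer is called unconditionally.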




* [PATCH 7.0 229/378] arm64: mm: call pagetable dtor when freeing hot-removed page tables
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 228/378] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 230/378] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alistair Popple, Catalin Marinas,
	David Hildenbrand, Will Deacon, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alistair Popple <apopple@nvidia.com>

commit c594b83457ccdee76d458416fb3bc9348a37592f upstream.

Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in
__create_pgd_mapping()") page-table allocation on ARM64 always calls
pagetable_{pte,pmd,pud,p4d}_ctor().  This sets the page_type to
PGTY_table, increments NR_PAGETABLE and possibly allocates a PTL.  However
the matching pagetable_dtor() calls were never added.

With DEBUG_VM enabled on kernel versions prior to v6.17 without
2dfcd1608f3a9 ("mm/page_alloc: let page freeing clear any set page type")
this leads to the following warning when freeing these pages due to
page->page_type sharing page->_mapcount:

  BUG: Bad page state in process ... pfn:284fbb
  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb
  flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)
  page_type: f2(table)
  page dumped because: nonzero mapcount
  Call trace:
   bad_page+0x13c/0x160
   __free_frozen_pages+0x6cc/0x860
   ___free_pages+0xf4/0x180
   free_pages+0x54/0x80
   free_hotplug_page_range.part.0+0x58/0x90
   free_empty_tables+0x438/0x500
   __remove_pgd_mapping.constprop.0+0x60/0xa8
   arch_remove_memory+0x48/0x80
   try_remove_memory+0x158/0x1d8
   offline_and_remove_memory+0x138/0x180

It can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is
defined and incorrect NR_PAGETABLE stats.  Fix this by calling
pagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page
to undo the effects of calling pagetable_*_ctor().

Link: https://lore.kernel.org/20260521032730.2104017-1-apopple@nvidia.com
Fixes: 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in __create_pgd_mapping()")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Will Deacon <will@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/mm/mmu.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -1445,6 +1445,7 @@ static void free_hotplug_page_range(stru
 
 static void free_hotplug_pgtable_page(struct page *page)
 {
+	pagetable_dtor(page_ptdesc(page));
 	free_hotplug_page_range(page, PAGE_SIZE, NULL);
 }
 
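Review bot: pagetable_dtor() is now called unconditionally in free_hotplug_pgtable_page(), which is only correct if every page reaching this helper was set up through one of the pagetable_*_ctor() calls. A one-line comment naming the constructor it pairs with would document that invariant, so that a later caller handing in a page that never went through the ctor is caught in review.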




* [PATCH 6.1 313/522] sctp: diag: reject stale associations in dump_one path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (311 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 312/522] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 314/522] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Zhengchuan Liang, Xin Liu, Zhao Zhang, Ren Wei,
	Xin Long, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhao Zhang <zzhan461@ucr.edu>

commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream.

The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.

When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.

Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.

Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/diag.c |   17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct
 
 	lock_sock(sk);
 
-	rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
-	if (!rep) {
-		release_sock(sk);
-		return -ENOMEM;
+	if (ep != assoc->ep || assoc->base.dead) {
+		err = -ESTALE;
+		goto out_unlock;
 	}
 
-	if (ep != assoc->ep) {
-		err = -EAGAIN;
-		goto out;
+	rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+	if (!rep) {
+		err = -ENOMEM;
+		goto out_unlock;
 	}
 
 	err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
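Review bot: folding the existing `ep != assoc->ep` test into the new check also changes its errno from -EAGAIN to -ESTALE, a user-visible change for a condition that already existed and that the changelog does not call out. If a retrying caller keyed on EAGAIN matters, keep -EAGAIN for the endpoint mismatch and use -ESTALE only for assoc->base.dead; otherwise say in the log that the change is intended. A short comment above the check, saying that it must run after lock_sock() and before inet_assoc_attr_size(), would also help.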
@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct
 	return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
 
 out:
-	release_sock(sk);
 	kfree_skb(rep);
+out_unlock:
+	release_sock(sk);
 	return err;
 }
 
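Review bot: `out:` now reaches release_sock() only by falling through into `out_unlock:`, so the label name no longer says what it does. Renaming it to something like out_free would make the free-then-unlock ordering explicit and harder to break when another exit path is added.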




* [PATCH 7.0 230/378] mptcp: fix missing wakeups in edge scenarios
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 229/378] arm64: mm: call pagetable dtor when freeing hot-removed page tables Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 231/378] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 9d8d28738f24b75616d6ca7a27cb4aed88520343 upstream.

mptcp_recvmsg() can fill the MPTCP socket receive queue via
mptcp_move_skbs(), but currently does not try to wake up any listener,
because the same process is going to check the receive queue soon.

When multiple threads are reading from the same fd, the above can
cause a stall. Add the missing wakeup.

Fixes: 6771bfd9ee24 ("mptcp: update mptcp ack sequence from work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-1-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2256,6 +2256,10 @@ static bool mptcp_move_skbs(struct sock
 		mptcp_backlog_spooled(sk, moved, &skbs);
 	}
 	mptcp_data_unlock(sk);
+
+	if (enqueued && mptcp_epollin_ready(sk))
+		sk->sk_data_ready(sk);
+
 	return enqueued;
 }
 
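Review bot: the added sk->sk_data_ready() call carries no comment, and its reason (other threads blocked on the same fd, not the caller) is not obvious from the code. Add a line saying so, and note that mptcp_epollin_ready() is evaluated after mptcp_data_unlock(), so the wakeup is a hint rather than a guarantee that data is still queued.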




* [PATCH 6.1 314/522] sctp: stream: fully roll back denied add-stream state
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (312 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 313/522] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 315/522] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Zhengchuan Liang, Xin Liu, Wyatt Feng, Ren Wei,
	Xin Long, Jakub Kicinski

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wyatt Feng <bronzed_45_vested@icloud.com>

commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream.

When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
then lowers outcnt. That leaves removed stream metadata behind, so a
later re-add can reuse a stale ext and hit a null-pointer dereference in
the scheduler get path.

Fix the rollback by tearing down the removed stream state the same way
other stream resizes do. Unschedule the current scheduler state, drop
the removed stream ext state with sctp_stream_outq_migrate(), and then
reschedule the remaining streams.

This keeps scheduler-private RR/FC/PRIO lists consistent while fully
rolling back denied outgoing stream additions.

Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/stream.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset
 			stsn, rtsn, GFP_ATOMIC);
 	} else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) {
 		struct sctp_strreset_addstrm *addstrm;
+		const struct sctp_sched_ops *sched;
 		__u16 number;
 
 		addstrm = (struct sctp_strreset_addstrm *)req;
@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset
 			for (i = number; i < stream->outcnt; i++)
 				SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
 		} else {
-			sctp_stream_shrink_out(stream, number);
+			sched = sctp_sched_ops_from_stream(stream);
+			sched->unsched_all(stream);
+			sctp_stream_outq_migrate(stream, NULL, number);
+			sched->sched_all(stream);
 			stream->outcnt = number;
 		}
 
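Review bot: the NULL passed as the second argument of sctp_stream_outq_migrate() is opaque at this call site, and nothing says why the unsched_all()/sched_all() pair must bracket it. A short comment that the call drops the ext state of the removed streams, and that the scheduler lists have to be torn down around it, would keep a later cleanup from collapsing this back to sctp_stream_shrink_out().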




* [PATCH 7.0 231/378] mptcp: fix retransmission loop when csum is enabled
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 230/378] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 232/378] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream.

Sashiko noted that retransmission with csum enabled can actually
transmit new data, but currently the relevant code does not update
snd_nxt accordingly.

This may cause incoming ack drop and an endless retransmission loop.

Address the issue by incrementing snd_nxt as needed.

Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2852,6 +2852,10 @@ static void __mptcp_retrans(struct sock
 	msk->bytes_retrans += len;
 	dfrag->already_sent = max(dfrag->already_sent, len);
 
+	/* With csum enabled retransmission can send new data. */
+	if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt))
+		WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq);
+
 reset_timer:
 	mptcp_check_and_set_pending(sk);
 
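Review bot: `dfrag->already_sent + dfrag->data_seq` is spelled out twice, once in the after64() test and once in the WRITE_ONCE(), so the two can drift apart in a later edit. Compute it once into a local u64 and use that in both places. The comment could also say that a stale snd_nxt makes incoming acks get dropped, since that is the failure being fixed.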




* [PATCH 6.1 315/522] thunderbolt: Reject zero-length property entries in validator
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (313 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 314/522] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 316/522] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream.

tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types.  A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:

  property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to
the allocation.

Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -59,6 +59,8 @@ static bool tb_property_entry_valid(cons
 	case TB_PROPERTY_TYPE_DIRECTORY:
 	case TB_PROPERTY_TYPE_DATA:
 	case TB_PROPERTY_TYPE_TEXT:
+		if (!entry->length)
+			return false;
 		if (entry->length > block_len)
 			return false;
 		if (check_add_overflow(entry->value, entry->length, &end) ||
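Review bot: the zero-length rejection applies to DIRECTORY, DATA and TEXT alike, but only the TEXT consumer's `length * 4 - 1` index is given as the reason, and the check itself has no comment. Note the reason above the new test, or fold it into the next one as `if (!entry->length || entry->length > block_len)`, so the two length bounds read as one.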




* [PATCH 7.0 232/378] mptcp: close TOCTOU race while computing rcv_wnd
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 231/378] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 233/378] mptcp: allow subflow rcv wnd to shrink Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 upstream.

The MPTCP output path accesses the MPTCP-level ack_seq locklessly
multiple times, possibly using different values for the data_ack
in the DSS option and to compute the announced rcv wnd for the same
packet.

Refactor the code to avoid inconsistencies which may confuse the
peer. Also ensure that the MPTCP level rcv wnd is updated only when
the egress packet actually contains a DSS ack.

Fixes: fa3fe2b15031 ("mptcp: track window announced to peer")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/options.c |   36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -570,7 +570,6 @@ static bool mptcp_established_options_ds
 	struct mptcp_ext *mpext;
 	unsigned int ack_size;
 	bool ret = false;
-	u64 ack_seq;
 
 	opts->csum_reqd = READ_ONCE(msk->csum_enabled);
 	mpext = skb ? mptcp_get_ext(skb) : NULL;
@@ -601,14 +600,11 @@ static bool mptcp_established_options_ds
 		return ret;
 	}
 
-	ack_seq = READ_ONCE(msk->ack_seq);
 	if (READ_ONCE(msk->use_64bit_ack)) {
 		ack_size = TCPOLEN_MPTCP_DSS_ACK64;
-		opts->ext_copy.data_ack = ack_seq;
 		opts->ext_copy.ack64 = 1;
 	} else {
 		ack_size = TCPOLEN_MPTCP_DSS_ACK32;
-		opts->ext_copy.data_ack32 = (uint32_t)ack_seq;
 		opts->ext_copy.ack64 = 0;
 	}
 	opts->ext_copy.use_ack = 1;
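Review bot: with both data_ack assignments removed, opts->ext_copy still has use_ack = 1 and ack64 set while data_ack/data_ack32 are left unwritten, so any reader of ext_copy other than the write path would see a stale or zero ack. Add a comment here that the ack value is filled in at write time, or zero the field explicitly.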
@@ -1296,19 +1292,14 @@ bool mptcp_incoming_options(struct sock
 	return true;
 }
 
-static void mptcp_set_rwin(struct tcp_sock *tp, struct tcphdr *th)
+static u64 mptcp_set_rwin(struct mptcp_sock *msk, struct tcp_sock *tp,
+			  struct tcphdr *th, u64 ack_seq)
 {
 	const struct sock *ssk = (const struct sock *)tp;
-	struct mptcp_subflow_context *subflow;
-	u64 ack_seq, rcv_wnd_old, rcv_wnd_new;
-	struct mptcp_sock *msk;
+	u64 rcv_wnd_old, rcv_wnd_new;
 	u32 new_win;
 	u64 win;
 
-	subflow = mptcp_subflow_ctx(ssk);
-	msk = mptcp_sk(subflow->conn);
-
-	ack_seq = READ_ONCE(msk->ack_seq);
 	rcv_wnd_new = ack_seq + tp->rcv_wnd;
 
 	rcv_wnd_old = atomic64_read(&msk->rcv_wnd_sent);
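Review bot: mptcp_set_rwin() now returns a u64 and takes ack_seq from the caller, but nothing documents either. Add a comment on the function stating that ack_seq must be the same value written into the DSS option, and that the return value is the new right edge the caller has to store in subflow->rcv_wnd_sent.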
@@ -1360,7 +1351,7 @@ raise_win:
 
 update_wspace:
 	WRITE_ONCE(msk->old_wspace, tp->rcv_wnd);
-	subflow->rcv_wnd_sent = rcv_wnd_new;
+	return rcv_wnd_new;
 }
 
 static void mptcp_track_rwin(struct tcp_sock *tp)
@@ -1472,13 +1463,25 @@ void mptcp_write_options(struct tcphdr *
 		*ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags);
 
 		if (mpext->use_ack) {
+			struct mptcp_sock *msk;
+			u64 ack_seq;
+
+			/* DSS option is set only by mptcp_established_options,
+			 * the caller is __tcp_transmit_skb() and ssk is always
+			 * not NULL.
+			 */
+			subflow = mptcp_subflow_ctx(ssk);
+			msk = mptcp_sk(subflow->conn);
+			ack_seq = READ_ONCE(msk->ack_seq);
 			if (mpext->ack64) {
-				put_unaligned_be64(mpext->data_ack, ptr);
+				put_unaligned_be64(ack_seq, ptr);
 				ptr += 2;
 			} else {
-				put_unaligned_be32(mpext->data_ack32, ptr);
+				put_unaligned_be32(ack_seq, ptr);
 				ptr += 1;
 			}
+			subflow->rcv_wnd_sent = mptcp_set_rwin(msk, tp, th,
+							       ack_seq);
 		}
 
 		if (mpext->use_map) {
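Review bot: mptcp_subflow_ctx(ssk) is dereferenced here on the strength of a comment alone, while the call this replaces was guarded by `if (tp)`. A WARN_ON_ONCE(!ssk) with an early exit would turn the stated invariant into a checked one. Separately, put_unaligned_be32(ack_seq, ptr) now truncates a u64 implicitly where the removed code had an explicit (uint32_t) cast; keep the cast so the narrowing is visible.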
@@ -1706,9 +1709,6 @@ mp_capable_done:
 			i += 4;
 		}
 	}
-
-	if (tp)
-		mptcp_set_rwin(tp, th);
 }
 
 __be32 mptcp_get_reset_option(const struct sk_buff *skb)




* [PATCH 6.1 316/522] thunderbolt: Bound root directory content to block size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (314 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 315/522] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 317/522] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream.

__tb_property_parse_dir() does not check that content_offset +
content_len fits within block_len for the root directory case.
When rootdir->length equals or exceeds block_len - 2, the entry
loop reads past the allocated property block.

Add a bounds check after computing content_offset and content_len
to reject directories whose content extends past the block.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -181,6 +181,10 @@ static struct tb_property_dir *__tb_prop
 	if (is_root) {
 		content_offset = dir_offset + 2;
 		content_len = dir_len;
+		if (content_offset + content_len > block_len) {
+			tb_property_free_dir(dir);
+			return NULL;
+		}
 	} else {
 		if (dir_len < 4) {
 			tb_property_free_dir(dir);
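Review bot: the changelog says the overread happens when rootdir->length equals or exceeds block_len - 2, but with dir_offset 0 the added test `content_offset + content_len > block_len` still accepts length == block_len - 2. Either the log or the comparison is off by one; please confirm which. The sum is also a plain addition, whereas tb_property_entry_valid() in the same file uses check_add_overflow() for the equivalent bound.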


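The two thunderbolt property checks above (zero-length entries in 315/522, root directory bound in 316/522), shown in a simplified user-space model. This is an added example, not the kernel's code: the struct layout, enum values, function names and sample block are assumptions made for illustration, and the root directory bound follows the comparison used in the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model (assumption): a property block is an array of 32-bit
 * dwords, and an entry names its payload by dword offset and dword length.
 */
enum prop_type { PROP_DIRECTORY = 1, PROP_DATA, PROP_TEXT, PROP_VALUE };

struct prop_entry {
	uint8_t  type;
	uint16_t length;	/* payload length in dwords */
	uint32_t value;		/* payload offset in dwords from block start */
};

/* The NUL-termination index from the changelog, with no validation. */
static long text_nul_index_unchecked(uint16_t length)
{
	return (long)length * 4 - 1;	/* length 0 lands one byte before the buffer */
}

/* Entry validator in the shape of the patched check. */
static bool entry_valid(const struct prop_entry *e, size_t block_len)
{
	switch (e->type) {
	case PROP_DIRECTORY:
	case PROP_DATA:
	case PROP_TEXT:
		if (e->length == 0)		/* the added rejection */
			return false;
		if (e->length > block_len)
			return false;
		/* value + length <= block_len, written so it cannot wrap */
		return e->value <= block_len - e->length;
	case PROP_VALUE:
		return e->length == 1;		/* immediate, no payload */
	default:
		return false;
	}
}

/* Root directory: content starts 2 dwords in and must end inside the block. */
static bool rootdir_bounds_ok(size_t dir_offset, size_t dir_len, size_t block_len)
{
	if (dir_offset > block_len || block_len - dir_offset < 2)
		return false;
	return dir_len <= block_len - (dir_offset + 2);
}

/* Copy a TEXT payload out and terminate it; -1 if the entry is rejected. */
static int copy_text(const uint32_t *block, size_t block_len,
		     const struct prop_entry *e, char *out, size_t out_sz)
{
	size_t nbytes;

	if (e->type != PROP_TEXT || !entry_valid(e, block_len))
		return -1;
	nbytes = (size_t)e->length * 4;
	if (nbytes > out_sz)
		return -1;
	memcpy(out, &block[e->value], nbytes);
	out[nbytes - 1] = '\0';		/* nbytes >= 4 here, index cannot go negative */
	return (int)nbytes;
}

/* Constructed sample: 8-dword block with "devname" stored at dword 4. */
static int sample_text_copy(uint16_t length, char *out, size_t out_sz)
{
	uint32_t block[8] = { 0 };
	struct prop_entry e = { PROP_TEXT, length, 4 };

	memcpy(&block[4], "devname", 8);	/* 7 chars + NUL = 2 dwords */
	return copy_text(block, 8, &e, out, out_sz);
}

int main(void)
{
	char buf[16];

	printf("unchecked index, length 0: %ld\n", text_nul_index_unchecked(0));
	printf("copy, length 0: %d\n", sample_text_copy(0, buf, sizeof(buf)));
	printf("copy, length 2: %d (%s)\n", sample_text_copy(2, buf, sizeof(buf)), buf);
	printf("rootdir len 6 of 8: %d, len 7 of 8: %d\n",
	       rootdir_bounds_ok(0, 6, 8), rootdir_bounds_ok(0, 7, 8));
	return 0;
}
```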


* [PATCH 7.0 233/378] mptcp: allow subflow rcv wnd to shrink
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 232/378] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 234/378] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit da23be77e1292cd611e736c3aa17da633d7ddce7 upstream.

In an MPTCP connection, the `window` field in the TCP header refers to the
MPTCP-level rcv_nxt and its right edge should not move backward. Such a
constraint is enforced at DSS option generation time.

At the same time, the TCP stack ensures independently that the TCP-level
rcv wnd's right edge does not move backward. That in turn causes artificial
inflating of the MPTCP rcv window when the incoming data is acked at the
TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).

As a consequence, the incoming traffic can exceed the receiver rcvbuf size
even when the sender is not misbehaving.

Prevent such a scenario by forcibly allowing the TCP subflow to shrink the
TCP-level rcv wnd regardless of the current netns setting.

Fixes: f3589be0c420 ("mptcp: never shrink offered window")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-4-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/options.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -566,6 +566,7 @@ static bool mptcp_established_options_ds
 {
 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
 	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
+	struct tcp_sock *tp = tcp_sk(sk);
 	unsigned int dss_size = 0;
 	struct mptcp_ext *mpext;
 	unsigned int ack_size;
@@ -614,6 +615,12 @@ static bool mptcp_established_options_ds
 	if (dss_size == 0)
 		ack_size += TCPOLEN_MPTCP_DSS_BASE;
 
+	/* The caller is __tcp_transmit_skb(), and will compute the new rcv
+	 * wnd soon: ensure that the window can shrink.
+	 */
+	if (skb)
+		tp->rcv_wnd = tp->rcv_nxt - tp->rcv_wup;
+
 	dss_size += ack_size;
 
 	*size = ALIGN(dss_size, 4);
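
Review bot: the new `if (skb)` block writes `tp->rcv_wnd` from inside a helper that otherwise only sizes options, and the skb NULL check is the only thing tying that side effect to the transmit path. The comment names __tcp_transmit_skb() as the caller but does not say that a NULL skb means a size-only call where the window must stay untouched. Stating that, and why `tp->rcv_nxt - tp->rcv_wup` is the right value to let the window shrink, would keep a later caller that passes an skb from changing the advertised window by accident.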




* [PATCH 6.1 317/522] thunderbolt: Clamp XDomain response data copy to allocation size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (315 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 316/522] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 318/522] thunderbolt: Validate XDomain request packet size before type cast Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream.

tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer.  A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.

Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/xdomain.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(str
 			}
 		}
 
+		if (req.offset + len > data_len)
+			len = data_len - req.offset;
 		memcpy(data + req.offset, res->data, len * 4);
 		req.offset += len;
 	} while (!data_len || req.offset < data_len);
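
Review bot: the clamp added before the memcpy silently truncates a response whose length field overruns data_len, so a peer that violates the protocol still has its data accepted and the loop finishes normally. Consider treating `req.offset + len > data_len` as an error (log it and bail out) instead of adjusting len, or add a comment saying truncation is the intended policy. It is also worth confirming that data_len cannot still be 0 when this check runs, since the loop condition `!data_len || ...` allows for that value and the subtraction would then be taken against a zero bound.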




* [PATCH 7.0 234/378] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 233/378] mptcp: allow subflow rcv wnd to shrink Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 235/378] mptcp: check desc->count in read_sock Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tao Cui, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tao Cui <cuitao@kylinos.cn>

commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a upstream.

The userspace PM increments extra_subflows after __mptcp_subflow_connect()
succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow()
on failure to roll back the pre-increment done by the kernel PM's fill_*()
helpers. Because the userspace PM hasn't incremented yet at that point,
this decrement is spurious and causes extra_subflows to underflow.

Fix it by aligning the userspace PM with the kernel PM: increment
extra_subflows before calling __mptcp_subflow_connect(), so the existing
error path in subflow.c correctly rolls it back on failure. Also simplify
the error handling by taking pm.lock only when needed for cleanup.

Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
Cc: stable@vger.kernel.org
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_userspace.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -408,19 +408,21 @@ int mptcp_pm_nl_subflow_create_doit(stru
 	local.flags = entry.flags;
 	local.ifindex = entry.ifindex;
 
+	spin_lock_bh(&msk->pm.lock);
+	msk->pm.extra_subflows++;
+	spin_unlock_bh(&msk->pm.lock);
+
 	lock_sock(sk);
 	err = __mptcp_subflow_connect(sk, &local, &addr_r);
 	release_sock(sk);
 
-	if (err)
+	if (err) {
 		GENL_SET_ERR_MSG_FMT(info, "connect error: %d", err);
 
-	spin_lock_bh(&msk->pm.lock);
-	if (err)
+		spin_lock_bh(&msk->pm.lock);
 		mptcp_userspace_pm_delete_local_addr(msk, &entry);
-	else
-		msk->pm.extra_subflows++;
-	spin_unlock_bh(&msk->pm.lock);
+		spin_unlock_bh(&msk->pm.lock);
+	}
 
  create_err:
 	sock_put(sk);
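
Review bot: the `msk->pm.extra_subflows++` now sits in its own pm.lock section ahead of lock_sock(), and nothing in this function undoes it when `err` is set. The rollback is expected to happen inside __mptcp_subflow_connect(), which a reader of the new `if (err) { ... }` block cannot see. A one-line comment at the increment saying that the failure path of __mptcp_subflow_connect() drops the count would stop someone from "fixing" the apparently missing decrement and reintroducing the underflow.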




* [PATCH 6.1 318/522] thunderbolt: Validate XDomain request packet size before type cast
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (316 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 317/522] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 319/522] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a504b9f2797b739e0304d537e8aa4ce883ecce39 upstream.

tb_xdp_handle_request() casts the received packet buffer to
protocol-specific structs without verifying that the allocation
is large enough for the target type.  A peer can send a minimal
XDomain packet that passes the generic header length check but is
shorter than the struct accessed after the cast, causing out-of-
bounds reads from the kmemdup allocation.

Plumb the packet length through xdomain_request_work and validate
it against the expected struct size before each cast.

Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/xdomain.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -54,6 +54,7 @@ static const char * const state_names[]
 struct xdomain_request_work {
 	struct work_struct work;
 	struct tb_xdp_header *pkg;
+	size_t pkg_len;
 	struct tb *tb;
 };
 
@@ -732,6 +733,7 @@ static void tb_xdp_handle_request(struct
 	struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
 	const struct tb_xdp_header *pkg = xw->pkg;
 	const struct tb_xdomain_header *xhdr = &pkg->xd_hdr;
+	size_t pkg_len = xw->pkg_len;
 	struct tb *tb = xw->tb;
 	struct tb_ctl *ctl = tb->ctl;
 	struct tb_xdomain *xd;
@@ -763,7 +765,7 @@ static void tb_xdp_handle_request(struct
 	switch (pkg->type) {
 	case PROPERTIES_REQUEST:
 		tb_dbg(tb, "%llx: received XDomain properties request\n", route);
-		if (xd) {
+		if (xd && pkg_len >= sizeof(struct tb_xdp_properties)) {
 			ret = tb_xdp_properties_response(tb, ctl, xd, sequence,
 				(const struct tb_xdp_properties *)pkg);
 		}
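
Review bot: in the PROPERTIES_REQUEST case, a packet shorter than `struct tb_xdp_properties` is now skipped exactly like the `!xd` case, with no log line to tell the two apart. The tb_dbg() above still reports "received XDomain properties request", so a truncated request from a peer leaves no trace of why it was not answered. Consider a tb_dbg() or tb_warn() on the short-length path so dropped packets are diagnosable.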
@@ -817,7 +819,8 @@ static void tb_xdp_handle_request(struct
 		tb_dbg(tb, "%llx: received XDomain link state change request\n",
 		       route);
 
-		if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH) {
+		if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH &&
+		    pkg_len >= sizeof(struct tb_xdp_link_state_change)) {
 			const struct tb_xdp_link_state_change *lsc =
 				(const struct tb_xdp_link_state_change *)pkg;
 
@@ -869,6 +872,7 @@ tb_xdp_schedule_request(struct tb *tb, c
 		kfree(xw);
 		return false;
 	}
+	xw->pkg_len = size;
 	xw->tb = tb_domain_get(tb);
 
 	schedule_work(&xw->work);




* [PATCH 7.0 235/378] mptcp: check desc->count in read_sock
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 234/378] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 236/378] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geliang Tang, Gang Yan,
	Matthieu Baerts (NGI0), Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gang Yan <yangang@kylinos.cn>

commit c378b1a6f8dd3e02eb08661f4d5d50f236eead03 upstream.

__tcp_read_sock() checks desc->count after each skb is consumed and
breaks the loop when it reaches 0. The MPTCP variant lacks this check.

This is a functional bug, other subsystems also rely on this check:
TLS strparser sets desc->count to 0 once a full TLS record is assembled
and depends on this break to stop reading.

Add the same desc->count check to __mptcp_read_sock(), mirroring
__tcp_read_sock().

Fixes: 250d9766a984 ("mptcp: implement .read_sock")
Cc: stable@vger.kernel.org
Co-developed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-9-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -4411,6 +4411,8 @@ static int __mptcp_read_sock(struct sock
 		}
 
 		mptcp_eat_recv_skb(sk, skb);
+		if (!desc->count)
+			break;
 	}
 
 	if (noack)
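
Review bot: the new `if (!desc->count) break;` sits after mptcp_eat_recv_skb(), so it only takes effect on the path where the skb was fully consumed, and it carries no comment. Since the commit message says other users (TLS strparser) rely on this break to stop reading, a short comment at the check saying that the actor may set desc->count to 0 to request a stop would make the dependency visible in the code and not only in the log.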




* [PATCH 6.1 319/522] thunderbolt: Limit XDomain response copy to actual frame size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (317 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 318/522] thunderbolt: Validate XDomain request packet size before type cast Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 320/522] slimbus: qcom-ngd-ctrl: fix OF node refcount Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream.

tb_xdomain_copy() copies req->response_size bytes from the received
packet buffer regardless of the actual frame size.  When a short
response arrives, this reads past the valid frame data in the DMA
pool buffer into stale contents from previous transactions.

Use the minimum of frame size and expected response size for the
copy length.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/xdomain.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -122,7 +122,9 @@ static bool tb_xdomain_match(const struc
 static bool tb_xdomain_copy(struct tb_cfg_request *req,
 			    const struct ctl_pkg *pkg)
 {
-	memcpy(req->response, pkg->buffer, req->response_size);
+	size_t len = min_t(size_t, pkg->frame.size, req->response_size);
+
+	memcpy(req->response, pkg->buffer, len);
 	req->result.err = 0;
 	return true;
 }
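
Review bot: with `len` capped at `pkg->frame.size`, a short frame leaves the tail of `req->response` unwritten, yet `req->result.err = 0` and `return true` still report full success. The caller has no way to learn that fewer than `req->response_size` bytes are valid. Consider zeroing the remainder of the response buffer or flagging the short frame as an error, so later parsing does not read whatever the buffer held before.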




* [PATCH 7.0 236/378] mptcp: sockopt: check timestamping ret value
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 235/378] mptcp: check desc->count in read_sock Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 237/378] mptcp: sockopt: set sockopt on all subflows Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream.

sock_set_timestamping() can fail for different reasons. The returned
value should then be checked.

If sock_set_timestamping() fails for at least one subflow, the first
error is now reported to the userspace, similar to what is done with
other socket options.

Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -235,15 +235,19 @@ static int mptcp_setsockopt_sol_socket_t
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+		int err;
 
 		lock_sock(ssk);
-		sock_set_timestamping(ssk, optname, timestamping);
+		err = sock_set_timestamping(ssk, optname, timestamping);
 		release_sock(ssk);
+
+		if (err < 0 && ret == 0)
+			ret = err;
 	}
 
 	release_sock(sk);
 
-	return 0;
+	return ret;
 }
 
 static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval,




* [PATCH 6.1 320/522] slimbus: qcom-ngd-ctrl: fix OF node refcount
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (318 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 319/522] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 321/522] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski,
	Srinivas Kandagatla

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit 120134fe75c6b0ae38f14eb8b548ad1e5761f912 upstream.

Platform devices created with platform_device_alloc() call
platform_device_release() when the last reference to the device's
kobject is dropped. This function calls of_node_put() unconditionally.
This works fine for devices created with platform_device_register_full()
but users of the split approach (platform_device_alloc() +
platform_device_add()) must bump the reference of the of_node they
assign manually. Add the missing call to of_node_get().

Cc: stable@vger.kernel.org
Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1472,7 +1472,7 @@ static int of_qcom_slim_ngd_register(str
 			of_node_put(node);
 			return ret;
 		}
-		ngd->pdev->dev.of_node = node;
+		ngd->pdev->dev.of_node = of_node_get(node);
 		ctrl->ngd = ngd;
 
 		ret = platform_device_add(ngd->pdev);
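
Review bot: the assignment `ngd->pdev->dev.of_node = of_node_get(node);` now takes a second reference on `node`, so every exit after this line has to account for two references: the one owned by the platform device and the one held by the surrounding code (the error path just above still does `of_node_put(node)`). Please confirm that the failure path of platform_device_add() releases the device reference through the device release and that the original reference is still dropped separately. A comment at the of_node_get() call naming who drops it would make the pairing obvious.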




* [PATCH 7.0 237/378] mptcp: sockopt: set sockopt on all subflows
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 236/378] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 238/378] selftests: mptcp: add test for extra_subflows underflow on userspace PM Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 7690137e70ab0fb1f8b5a30e6f087f8ee908b680 upstream.

The mptcp_setsockopt_all_sf(), currently used only with TCP_MAXSEG,
stopped when one subflow returned an error.

Even if it is not wrong, this is different from the other helpers trying
to set the option on all subflows, and then returning an error if at
least one of them had an issue.

Follow this behaviour, for a question of uniformity.

Fixes: 51c5fd09e1b4 ("mptcp: add TCP_MAXSEG sockopt support")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-8-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -811,10 +811,11 @@ static int mptcp_setsockopt_all_sf(struc
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+		int err;
 
-		ret = tcp_setsockopt(ssk, level, optname, optval, optlen);
-		if (ret)
-			break;
+		err = tcp_setsockopt(ssk, level, optname, optval, optlen);
+		if (err < 0 && ret == 0)
+			ret = err;
 	}
 
 	if (!ret)
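
Review bot: inside the loop `ret` is no longer assigned on every iteration, only when `err < 0 && ret == 0`, so the `if (!ret)` that follows now depends on `ret` being 0 before the loop starts. The old code overwrote it with each tcp_setsockopt() result and stopped on any non-zero value, while the new test only records negative ones. Please confirm the initial value of `ret`, and consider a comment saying that the first error is reported while the option is still attempted on all subflows.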




* [PATCH 6.1 321/522] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (319 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 320/522] slimbus: qcom-ngd-ctrl: fix OF node refcount Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 322/522] drm/amdgpu: restart the CS if some parts of the VM are still invalidated Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Srinivas Kandagatla

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec upstream.

During the SSR/PDR down notification the tx_lock is taken with the
intent to provide synchronization with active DMA transfers.

But during this period qcom_slim_ngd_down() is invoked, which ends up in
slim_report_absent(), which takes the slim_controller lock. In multiple
other codepaths these two locks are taken in the opposite order (i.e.
slim_controller then tx_lock).

The result is a lockdep splat, and a possible deadlock:

  rprocctl/449 is trying to acquire lock:
  ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus

  but task is already holding lock:
  ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl

  which lock already depends on the new lock.

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&ctrl->tx_lock);
                                lock(&ctrl->lock);
                                lock(&ctrl->tx_lock);
   lock(&ctrl->lock);

The assumption is that the comment refers to the desire to not call
qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.
But any such transaction is initiated and completed within a single
qcom_slim_ngd_xfer_msg().

Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn
down, all child devices are notified that the slimbus is gone and the
child devices are removed.

Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the
deadlock.

Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
Cc: stable@vger.kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-9-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1394,15 +1394,12 @@ static int qcom_slim_ngd_ssr_pdr_notify(
 	switch (action) {
 	case QCOM_SSR_BEFORE_SHUTDOWN:
 	case SERVREG_SERVICE_STATE_DOWN:
-		/* Make sure the last dma xfer is finished */
-		mutex_lock(&ctrl->tx_lock);
 		if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) {
 			pm_runtime_get_noresume(ctrl->ctrl.dev);
 			ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN;
 			qcom_slim_ngd_down(ctrl);
 			qcom_slim_ngd_exit_dma(ctrl);
 		}
-		mutex_unlock(&ctrl->tx_lock);
 		break;
 	case QCOM_SSR_AFTER_POWERUP:
 	case SERVREG_SERVICE_STATE_UP:
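
Review bot: with the mutex_lock/mutex_unlock pair removed, the check-and-set on `ctrl->state` in the BEFORE_SHUTDOWN/STATE_DOWN case runs with no lock visible in this hunk, and the comment that explained the intent is gone with it. Both QCOM_SSR_BEFORE_SHUTDOWN and SERVREG_SERVICE_STATE_DOWN land in this block, so two notifications arriving close together could both see a state other than QCOM_SLIM_NGD_CTRL_DOWN. Please add a comment stating what serializes this path and why qcom_slim_ngd_exit_dma() is safe without tx_lock, along the lines of the reasoning in the commit message.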




* [PATCH 7.0 238/378] selftests: mptcp: add test for extra_subflows underflow on userspace PM
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 237/378] mptcp: sockopt: set sockopt on all subflows Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 239/378] mptcp: add-addr: always drop other suboptions Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tao Cui, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tao Cui <cuitao@kylinos.cn>

commit 06fd2bec7aebf393288e4b78924482fe170caabc upstream.

Add a test to verify that when userspace PM fails to create a subflow
(e.g. using an unreachable address), the extra_subflows counter is not
decremented below zero.

Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
Cc: stable@vger.kernel.org
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-6-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/mptcp/mptcp_join.sh |    4 ++++
 1 file changed, 4 insertions(+)

--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -4069,6 +4069,10 @@ userspace_tests()
 		chk_rm_nr 0 1
 		chk_mptcp_info subflows 0 subflows 0
 		chk_subflows_total 1 1
+		# check counters are not affected by errors at creation time
+		userspace_pm_add_sf $ns2 10.0.12.2 10 2>/dev/null
+		chk_mptcp_info subflows 0 subflows 0
+		chk_subflows_total 1 1
 		kill_events_pids
 		mptcp_lib_kill_group_wait $tests_pid
 	fi
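
Review bot: the added `userspace_pm_add_sf $ns2 10.0.12.2 10 2>/dev/null` discards stderr and its exit status is never checked, so the test cannot tell "the create failed as intended" from "the helper never issued the request". In both cases the two chk_ lines that follow would still see unchanged counters and pass. Consider asserting that the command fails, and extend the comment to say why 10.0.12.2 is expected to be unreachable in this topology.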




* [PATCH 6.1 322/522] drm/amdgpu: restart the CS if some parts of the VM are still invalidated
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (320 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 321/522] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 323/522] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, Vitaly Prosyak,
	Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian König <christian.koenig@amd.com>

commit 40396ffdf6120e2380706c59e1a84d7e765a37b6 upstream.

Make sure that we only submit work with fully up-to-date VM page tables.

Backport to 7.1 and older.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Tested-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 59720bfd8c6dbebeb8d5a7ab64241b007efd9213)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -1227,6 +1227,7 @@ static int amdgpu_cs_submit(struct amdgp
 {
 	struct amdgpu_fpriv *fpriv = p->filp->driver_priv;
 	struct amdgpu_job *leader = p->gang_leader;
+	struct amdgpu_vm *vm = &fpriv->vm;
 	struct amdgpu_bo_list_entry *e;
 	unsigned int i;
 	uint64_t seq;
@@ -1268,7 +1269,8 @@ static int amdgpu_cs_submit(struct amdgp
 		r |= !amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, e->range);
 		e->range = NULL;
 	}
-	if (r) {
+
+	if (r || !list_empty(&vm->invalidated)) {
 		r = -EAGAIN;
 		mutex_unlock(&p->adev->notifier_lock);
 		return r;
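
Review bot: the new `!list_empty(&vm->invalidated)` test is evaluated while only `p->adev->notifier_lock` is visibly held, and the hunk does not show that this lock protects the invalidated list. Please confirm which lock guards `vm->invalidated` and, if it is a different one, either take it here or explain in a comment why an unlocked read is acceptable. A comment on the -EAGAIN path would also help, since the restart now covers two distinct conditions (userptr pages changed, VM still has invalidated parts).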




* [PATCH 7.0 239/378] mptcp: add-addr: always drop other suboptions
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 238/378] selftests: mptcp: add test for extra_subflows underflow on userspace PM Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 240/378] xfs: fix error returns in CoW fork repair Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit bd34fa0257261b76964df1c98f44b3cb4ee14620 upstream.

When an ADD_ADDR needs to be sent, it could be prepared if there is
enough remaining space and even if the packet is not a pure ACK. But it
would be dropped soon after.

Indeed, in mptcp_pm_add_addr_signal(), there is enough space to fit a
DSS of 20 octets and an ADD_ADDR echo containing an IPv4 address on 8
octets for example. In this case, the packet would be prepared, the
MPTCP_ADD_ADDR_ECHO bit would be removed from pm->addr_signal, but the
option would be silently dropped in mptcp_established_options_add_addr()
not to override DSS info in the union from 'struct mptcp_out_options',
and also because mptcp_write_options() will enforce mutual exclusion
with DSS.

Instead, don't even try to send an ADD_ADDR if it is not a pure ACK.
Retry for each new packet until a pure-ACK is emitted. That's fine to do
that, because each time an ADD_ADDR (echo) is scheduled, a pure ACK is
queued.

This also simplifies the code, and the skb checks can be done earlier,
before the lock.

Note: also, since commit 6d0060f600ad ("mptcp: Write MPTCP DSS headers
to outgoing data packets"), opts->ahmac would not have been set to 0
when other suboptions were not dropped, and when sending an ADD_ADDR
echo. That would have resulted in sending an ADD_ADDR using garbage
info, where there was not enough space, instead of an echo one without
the ADD_ADDR HMAC.

Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
Cc: stable@vger.kernel.org
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-11-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/options.c  |   30 +++++++-----------------------
 net/mptcp/pm.c       |   15 ++++-----------
 net/mptcp/protocol.h |    7 +++----
 3 files changed, 14 insertions(+), 38 deletions(-)

--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -661,7 +661,6 @@ static bool mptcp_established_options_ad
 {
 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
 	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
-	bool drop_other_suboptions = false;
 	unsigned int opt_size = *size;
 	struct mptcp_addr_info addr;
 	bool echo;
@@ -672,36 +671,20 @@ static bool mptcp_established_options_ad
 	 */
 	if (!mptcp_pm_should_add_signal(msk) ||
 	    (opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) ||
-	    !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &addr,
-		    &echo, &drop_other_suboptions))
+	    !skb || !skb_is_tcp_pure_ack(skb) ||
+	    !mptcp_pm_add_addr_signal(msk, opt_size, remaining, &addr, &echo))
 		return false;
 
-	/*
-	 * Later on, mptcp_write_options() will enforce mutually exclusion with
-	 * DSS, bail out if such option is set and we can't drop it.
-	 */
-	if (drop_other_suboptions)
-		remaining += opt_size;
-	else if (opts->suboptions & OPTION_MPTCP_DSS)
-		return false;
+	remaining += opt_size;
 
 	len = mptcp_add_addr_len(addr.family, echo, !!addr.port);
 	if (remaining < len)
 		return false;
 
 	*size = len;
-	if (drop_other_suboptions) {
-		pr_debug("drop other suboptions\n");
-		opts->suboptions = 0;
-
-		/* note that e.g. DSS could have written into the memory
-		 * aliased by ahmac, we must reset the field here
-		 * to avoid appending the hmac even for ADD_ADDR echo
-		 * options
-		 */
-		opts->ahmac = 0;
-		*size -= opt_size;
-	}
+	pr_debug("drop other suboptions\n");
+	opts->suboptions = 0;
+	*size -= opt_size;
 	opts->addr = addr;
 	opts->suboptions |= OPTION_MPTCP_ADD_ADDR;
 	if (!echo) {
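Review bot: the `pr_debug("drop other suboptions\n");` line in this hunk now fires for every ADD_ADDR that is emitted, because dropping is no longer conditional, so it carries no information. Consider removing it or folding it into the later addr_id/ahmac debug line. The unconditional `remaining += opt_size;` here is repeated inside mptcp_pm_add_addr_signal(); since both values are passed by value this is not wrong, but a one-line comment saying that both sides reclaim the same opt_size would save the next reader from checking for a double count.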
@@ -711,6 +694,7 @@ static bool mptcp_established_options_ad
 						     &opts->addr);
 	} else {
 		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_ECHOADDTX);
+		opts->ahmac = 0;
 	}
 	pr_debug("addr_id=%d, ahmac=%llu, echo=%d, port=%d\n",
 		 opts->addr.id, opts->ahmac, echo, ntohs(opts->addr.port));
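Review bot: the new `opts->ahmac = 0;` in the echo branch has no comment, while the comment removed in the previous hunk was the only place explaining that DSS may have written into the memory aliased by ahmac. Please carry a short version of that explanation over to this line, otherwise the reset looks redundant and is a likely candidate for a later cleanup.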
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -887,10 +887,9 @@ void mptcp_pm_mp_fail_received(struct so
 	}
 }
 
-bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
-			      unsigned int opt_size, unsigned int remaining,
-			      struct mptcp_addr_info *addr, bool *echo,
-			      bool *drop_other_suboptions)
+bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int opt_size,
+			      unsigned int remaining,
+			      struct mptcp_addr_info *addr, bool *echo)
 {
 	bool skip_add_addr = false;
 	int ret = false;
@@ -908,10 +907,7 @@ bool mptcp_pm_add_addr_signal(struct mpt
 	 * plain dup-ack from TCP perspective. The other MPTCP-relevant info,
 	 * if any, will be carried by the 'original' TCP ack
 	 */
-	if (skb && skb_is_tcp_pure_ack(skb)) {
-		remaining += opt_size;
-		*drop_other_suboptions = true;
-	}
+	remaining += opt_size;
 
 	*echo = mptcp_pm_should_add_signal_echo(msk);
 	if (*echo) {
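Review bot: with the `skb && skb_is_tcp_pure_ack(skb)` test removed from this function, the unconditional `remaining += opt_size;` is only valid when the caller has already established that the packet is a pure ACK, and nothing in mptcp_pm_add_addr_signal() states that precondition. The context comment above still talks about a plain dup-ack without saying who checks it. Suggest a sentence in that comment naming the caller-side check, so a future second caller does not reclaim space that still holds a DSS.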
@@ -929,9 +925,6 @@ bool mptcp_pm_add_addr_signal(struct mpt
 	if (remaining < mptcp_add_addr_len(family, *echo, port)) {
 		struct net *net = sock_net((struct sock *)msk);
 
-		if (!*drop_other_suboptions)
-			goto out_unlock;
-
 		if (*echo) {
 			MPTCP_INC_STATS(net, MPTCP_MIB_ECHOADDTXDROP);
 		} else {
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -1228,10 +1228,9 @@ static inline int mptcp_rm_addr_len(cons
 	return TCPOLEN_MPTCP_RM_ADDR_BASE + roundup(rm_list->nr - 1, 4) + 1;
 }
 
-bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
-			      unsigned int opt_size, unsigned int remaining,
-			      struct mptcp_addr_info *addr, bool *echo,
-			      bool *drop_other_suboptions);
+bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int opt_size,
+			      unsigned int remaining,
+			      struct mptcp_addr_info *addr, bool *echo);
 bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
 			     struct mptcp_rm_list *rm_list);
 int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc);




* [PATCH 6.1 323/522] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (321 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 322/522] drm/amdgpu: restart the CS if some parts of the VM are still invalidated Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 324/522] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit f0f3981c43b32cadfe373d636d9e9ca522bb3702 upstream.

[Why & How]
During HDCP 2.x repeater authentication over HDMI, the driver reads the
sink's RxStatus register and extracts a 10-bit message size field (max
value 1023). This value is used as the read length for the ReceiverID
list without being clamped to the size of the destination buffer
rx_id_list[177]. A malicious HDMI repeater could advertise a message
size larger than the buffer, causing an out-of-bounds write during the
I2C read.

Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the
rx_id_list buffer, matching the approach already used in the DP branch.

Fixes: eff682f83c9c ("drm/amd/display: Add DDC handles for HDCP2.2")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
@@ -533,7 +533,8 @@ enum mod_hdcp_status mod_hdcp_read_rx_id
 	} else {
 		status = read(hdcp, MOD_HDCP_MESSAGE_ID_READ_REPEATER_AUTH_SEND_RECEIVERID_LIST,
 				hdcp->auth.msg.hdcp2.rx_id_list,
-				hdcp->auth.msg.hdcp2.rx_id_list_size);
+				MIN(hdcp->auth.msg.hdcp2.rx_id_list_size,
+				    sizeof(hdcp->auth.msg.hdcp2.rx_id_list)));
 	}
 	return status;
 }
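Review bot: the clamp is applied only to the length argument of read(), so hdcp->auth.msg.hdcp2.rx_id_list_size keeps the oversized value advertised by the sink after this call returns. Any later consumer that uses rx_id_list_size as the length of rx_id_list would still walk past the buffer. Consider clamping the stored field itself where it is set, or failing the read when the advertised size exceeds sizeof(rx_id_list), rather than truncating silently at this one call site.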




* [PATCH 7.0 240/378] xfs: fix error returns in CoW fork repair
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 239/378] mptcp: add-addr: always drop other suboptions Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 241/378] xfs: fix rtgroup cleanup " Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yingjie Gao, Darrick J. Wong,
	Carlos Maiolino

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yingjie Gao <gaoyingjie@uniontech.com>

commit fcf4faba9f986b3bb528da11913c9ec5d6e8f689 upstream.

xrep_cow_find_bad() returns success after the cleanup labels even if
AG setup, btree queries, or bitmap updates failed. This can make
repair continue with an incomplete bad-file-offset bitmap instead of
stopping at the original error.

The force-rebuild path has a related cleanup problem. If
xrep_cow_mark_file_range() fails, the function returns directly and
skips the scrub AG context and perag cleanup.

Let the force-rebuild path fall through to the existing cleanup code
and return the saved error after cleanup.

Fixes: dbbdbd008632 ("xfs: repair problems in CoW forks")
Cc: <stable@vger.kernel.org> # v6.8
Signed-off-by: Yingjie Gao <gaoyingjie@uniontech.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/scrub/cow_repair.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/fs/xfs/scrub/cow_repair.c
+++ b/fs/xfs/scrub/cow_repair.c
@@ -300,18 +300,15 @@ xrep_cow_find_bad(
 	 * on the debugging knob, replace everything in the CoW fork.
 	 */
 	if ((sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) ||
-	    XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) {
+	    XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR))
 		error = xrep_cow_mark_file_range(xc, xc->irec.br_startblock,
 				xc->irec.br_blockcount);
-		if (error)
-			return error;
-	}
 
 out_sa:
 	xchk_ag_free(sc, &sc->sa);
 out_pag:
 	xfs_perag_put(pag);
-	return 0;
+	return error;
 }
 
 /*
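Review bot: with `return error;` now shared by every path through out_sa and out_pag, the success case depends on error being 0 when the force-rebuild condition is false, and the hunk does not show the last assignment before this `if`. Please confirm that no earlier call can leave a stale non-zero value on a path that previously relied on the hard-coded `return 0;`. As a style point, the un-braced `if` now has a two-line body sitting directly above a label; keeping the braces would make the fall-through into out_sa easier to read.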




* [PATCH 6.1 324/522] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (322 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 323/522] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 325/522] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit fb0707ce00eef4e2d60c3020e1c0432739703e4a upstream.

[Why & How]
The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and
Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C
register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9]
and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated
before use, so a malformed VBIOS can specify values up to 255, causing an
out-of-bounds heap write during driver probe.

Clamp each register count to the destination array size using min_t()
before the copy loops, in both get_integrated_info_v11() and
get_integrated_info_v2_1().

Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |   48 ++++++++++++++-------
 1 file changed, 32 insertions(+), 16 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -2520,14 +2520,16 @@ static enum bp_result get_integrated_inf
 	info_v11->extdispconninfo.checksum;
 
 	info->dp0_ext_hdmi_slv_addr = info_v11->dp0_retimer_set.HdmiSlvAddr;
-	info->dp0_ext_hdmi_reg_num = info_v11->dp0_retimer_set.HdmiRegNum;
+	info->dp0_ext_hdmi_reg_num = min_t(u8, info_v11->dp0_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp0_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_reg_num; i++) {
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp0_ext_hdmi_6g_reg_num = info_v11->dp0_retimer_set.Hdmi6GRegNum;
+	info->dp0_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp0_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp0_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_6g_reg_num; i++) {
 		info->dp0_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
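Review bot: the clamp on dp0_ext_hdmi_reg_num and dp0_ext_hdmi_6g_reg_num is silent, so a VBIOS table with an out-of-range HdmiRegNum or Hdmi6GRegNum is truncated without leaving any trace. Consider a one-time warning when the table value exceeds ARRAY_SIZE() of the destination, since that indicates a malformed table. Note also that min_t(u8, ...) casts ARRAY_SIZE() down to u8, which is correct only while these arrays stay below 256 entries; a wider type in min_t() removes that dependency.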
@@ -2536,14 +2538,16 @@ static enum bp_result get_integrated_inf
 	}
 
 	info->dp1_ext_hdmi_slv_addr = info_v11->dp1_retimer_set.HdmiSlvAddr;
-	info->dp1_ext_hdmi_reg_num = info_v11->dp1_retimer_set.HdmiRegNum;
+	info->dp1_ext_hdmi_reg_num = min_t(u8, info_v11->dp1_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp1_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_reg_num; i++) {
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp1_ext_hdmi_6g_reg_num = info_v11->dp1_retimer_set.Hdmi6GRegNum;
+	info->dp1_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp1_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp1_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_6g_reg_num; i++) {
 		info->dp1_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2552,14 +2556,16 @@ static enum bp_result get_integrated_inf
 	}
 
 	info->dp2_ext_hdmi_slv_addr = info_v11->dp2_retimer_set.HdmiSlvAddr;
-	info->dp2_ext_hdmi_reg_num = info_v11->dp2_retimer_set.HdmiRegNum;
+	info->dp2_ext_hdmi_reg_num = min_t(u8, info_v11->dp2_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp2_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_reg_num; i++) {
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp2_ext_hdmi_6g_reg_num = info_v11->dp2_retimer_set.Hdmi6GRegNum;
+	info->dp2_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp2_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp2_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_6g_reg_num; i++) {
 		info->dp2_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2568,14 +2574,16 @@ static enum bp_result get_integrated_inf
 	}
 
 	info->dp3_ext_hdmi_slv_addr = info_v11->dp3_retimer_set.HdmiSlvAddr;
-	info->dp3_ext_hdmi_reg_num = info_v11->dp3_retimer_set.HdmiRegNum;
+	info->dp3_ext_hdmi_reg_num = min_t(u8, info_v11->dp3_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp3_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_reg_num; i++) {
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp3_ext_hdmi_6g_reg_num = info_v11->dp3_retimer_set.Hdmi6GRegNum;
+	info->dp3_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp3_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp3_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_6g_reg_num; i++) {
 		info->dp3_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp3_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2725,14 +2733,16 @@ static enum bp_result get_integrated_inf
 	info->ext_disp_conn_info.checksum =
 		info_v2_1->extdispconninfo.checksum;
 	info->dp0_ext_hdmi_slv_addr = info_v2_1->dp0_retimer_set.HdmiSlvAddr;
-	info->dp0_ext_hdmi_reg_num = info_v2_1->dp0_retimer_set.HdmiRegNum;
+	info->dp0_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp0_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp0_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_reg_num; i++) {
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp0_ext_hdmi_6g_reg_num = info_v2_1->dp0_retimer_set.Hdmi6GRegNum;
+	info->dp0_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp0_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp0_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_6g_reg_num; i++) {
 		info->dp0_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
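Review bot: this is the same min_t()/ARRAY_SIZE() pair as in get_integrated_info_v11(), repeated for every dpN retimer set in both functions, which makes it easy to miss one field when a new port or table revision is added. A small helper that takes the source retimer set, the destination array and its ARRAY_SIZE(), and does the clamp plus the copy loop, would put the bound in one place for both the v1_11 and v2_1 paths.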
@@ -2740,14 +2750,16 @@ static enum bp_result get_integrated_inf
 				info_v2_1->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
 	}
 	info->dp1_ext_hdmi_slv_addr = info_v2_1->dp1_retimer_set.HdmiSlvAddr;
-	info->dp1_ext_hdmi_reg_num = info_v2_1->dp1_retimer_set.HdmiRegNum;
+	info->dp1_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp1_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp1_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_reg_num; i++) {
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp1_ext_hdmi_6g_reg_num = info_v2_1->dp1_retimer_set.Hdmi6GRegNum;
+	info->dp1_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp1_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp1_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_6g_reg_num; i++) {
 		info->dp1_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2755,14 +2767,16 @@ static enum bp_result get_integrated_inf
 				info_v2_1->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
 	}
 	info->dp2_ext_hdmi_slv_addr = info_v2_1->dp2_retimer_set.HdmiSlvAddr;
-	info->dp2_ext_hdmi_reg_num = info_v2_1->dp2_retimer_set.HdmiRegNum;
+	info->dp2_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp2_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp2_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_reg_num; i++) {
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp2_ext_hdmi_6g_reg_num = info_v2_1->dp2_retimer_set.Hdmi6GRegNum;
+	info->dp2_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp2_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp2_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_6g_reg_num; i++) {
 		info->dp2_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2770,14 +2784,16 @@ static enum bp_result get_integrated_inf
 				info_v2_1->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
 	}
 	info->dp3_ext_hdmi_slv_addr = info_v2_1->dp3_retimer_set.HdmiSlvAddr;
-	info->dp3_ext_hdmi_reg_num = info_v2_1->dp3_retimer_set.HdmiRegNum;
+	info->dp3_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp3_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp3_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_reg_num; i++) {
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp3_ext_hdmi_6g_reg_num = info_v2_1->dp3_retimer_set.Hdmi6GRegNum;
+	info->dp3_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp3_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp3_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_6g_reg_num; i++) {
 		info->dp3_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp3_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;




* [PATCH 7.0 241/378] xfs: fix rtgroup cleanup in CoW fork repair
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 240/378] xfs: fix error returns in CoW fork repair Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 242/378] wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yingjie Gao, Darrick J. Wong,
	Carlos Maiolino

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yingjie Gao <gaoyingjie@uniontech.com>

commit c3e073894379532c00cca7ba5762e18fafe29da8 upstream.

xrep_cow_find_bad_rt() initializes scrub rtgroup state before the
force-rebuild path calls xrep_cow_mark_file_range(). If that call
fails, the code jumps directly to out_rtg, which skips the scrub
rtgroup cleanup and only drops the local rtgroup reference.

Remove the unnecessary jump so the function falls through to out_sr,
ensuring the realtime cursors, lock state, and sr->rtg reference are
released before returning.

Fixes: fd97fe111208 ("xfs: fix CoW forks for realtime files")
Cc: <stable@vger.kernel.org> # v6.14
Signed-off-by: Yingjie Gao <gaoyingjie@uniontech.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/scrub/cow_repair.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/fs/xfs/scrub/cow_repair.c
+++ b/fs/xfs/scrub/cow_repair.c
@@ -382,12 +382,9 @@ xrep_cow_find_bad_rt(
 	 * CoW fork and then scan for staging extents in the refcountbt.
 	 */
 	if ((sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) ||
-	    XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) {
+	    XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR))
 		error = xrep_cow_mark_file_range(xc, xc->irec.br_startblock,
 				xc->irec.br_blockcount);
-		if (error)
-			goto out_rtg;
-	}
 
 out_sr:
 	xchk_rtgroup_btcur_free(&sc->sr);
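Review bot: the removed `goto out_rtg;` is the only user of that label visible in this hunk, so please check that other jumps to out_rtg remain earlier in xrep_cow_find_bad_rt(); if not, the label becomes unused. The hunk also does not show the final return, so it is worth confirming that the error from xrep_cow_mark_file_range() is still what the function returns after falling through out_sr.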




* [PATCH 6.1 325/522] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (323 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 324/522] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 326/522] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit adf67034b1f61f7119295208085bfd43f85f56af upstream.

[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always
passes 36 bytes to copy_from_user(), reading past the user buffer when
size < 36.

Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))

Fixes: c7ba3653e977 ("drm/amd/display: Generic SDP message access in amdgpu")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -1053,8 +1053,13 @@ static ssize_t dp_sdp_message_debugfs_wr
 	if (size == 0)
 		return 0;
 
+	if (!connector->base.state || !connector->base.state->crtc)
+		return -ENODEV;
+
 	acrtc_state = to_dm_crtc_state(connector->base.state->crtc->state);
 
+	write_size = min_t(size_t, size, sizeof(data));
+
 	r = copy_from_user(data, buf, write_size);
 
 	write_size -= r;
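Review bot: after `write_size = min_t(size_t, size, sizeof(data));` a short write fills only the first write_size bytes of data, and the hunk does not show whether the rest of the buffer is zeroed before it is consumed further down. If data is an uninitialised stack array, the tail would be sent on as stale stack contents; either zero-initialise it or reject writes shorter than sizeof(data). The new NULL test covers base.state and state->crtc, but the next line still dereferences crtc->state unchecked, which deserves a short comment if it is guaranteed non-NULL.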




* [PATCH 7.0 242/378] wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 241/378] xfs: fix rtgroup cleanup " Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 243/378] wifi: nl80211: reject oversized EMA RNR lists Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Emmanuel Grumbach, Miri Korenblit

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 093305d801fae6ff9b8bb531fd78b579794c4f80 upstream.

In most distributions, NetworkManager shuts the device down before
entering system suspend, so fast suspend is typically not used.

On older devices, resume currently tries to grab NIC access to infer
whether the device was powered off while suspended. That probe is only
meaningful for the fast-suspend path where the device is expected to
remain alive.

Unfortunately, for unclear reasons, grabbing NIC access was harmful as
reported in the bugzilla ticket below.

Work around this issue by simply not grabbing NIC access if fast suspend
is not used.

Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221501
Assisted-by: GitHub Copilot:gpt-5.3-codex
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Link: https://patch.msgid.link/20260531133005.e2ed9e0cd44f.If283625983a843933e0c01561a421daff184e9e9@changeid
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c |   56 ++++++++++++++------------
 1 file changed, 32 insertions(+), 24 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -1225,33 +1225,41 @@ static int _iwl_pci_resume(struct device
 	if (!trans->op_mode)
 		return 0;
 
-	/*
-	 * Scratch value was altered, this means the device was powered off, we
-	 * need to reset it completely.
-	 * Note: MAC (bits 0:7) will be cleared upon suspend even with wowlan,
-	 * but not bits [15:8]. So if we have bits set in lower word, assume
-	 * the device is alive.
-	 * Alternatively, if the scratch value is 0xFFFFFFFF, then we no longer
-	 * have access to the device and consider it powered off.
-	 * For older devices, just try silently to grab the NIC.
-	 */
-	if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) {
-		u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH);
-
-		if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) ||
-		    scratch == ~0U)
-			device_was_powered_off = true;
-	} else {
+	if (test_bit(STATUS_DEVICE_ENABLED, &trans->status)) {
 		/*
-		 * bh are re-enabled by iwl_trans_pcie_release_nic_access,
-		 * so re-enable them if _iwl_trans_pcie_grab_nic_access fails.
+		 * Scratch value was altered, this means the device was powered
+		 * off, we need to reset it completely.
+		 * Note: MAC (bits 0:7) will be cleared upon suspend even with
+		 * wowlan, but not bits [15:8]. So if we have bits set in lower
+		 * word, assume the device is alive.
+		 * Alternatively, if the scratch value is 0xFFFFFFFF, then we
+		 * no longer have access to the device and consider it powered
+		 * off.
+		 * For older devices, just try silently to grab the NIC.
 		 */
-		local_bh_disable();
-		if (_iwl_trans_pcie_grab_nic_access(trans, true)) {
-			iwl_trans_pcie_release_nic_access(trans);
+		if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) {
+			u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH);
+
+			if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) ||
+			    scratch == ~0U) {
+				IWL_DEBUG_WOWLAN(trans,
+						 "Scratch 0x%08x indicates device was powered off\n",
+						 scratch);
+				device_was_powered_off = true;
+			}
 		} else {
-			device_was_powered_off = true;
-			local_bh_enable();
+			/*
+			 * bh are re-enabled by iwl_trans_pcie_release_nic_access,
+			 * so re-enable them if _iwl_trans_pcie_grab_nic_access
+			 * fails.
+			 */
+			local_bh_disable();
+			if (_iwl_trans_pcie_grab_nic_access(trans, true)) {
+				iwl_trans_pcie_release_nic_access(trans);
+			} else {
+				device_was_powered_off = true;
+				local_bh_enable();
+			}
 		}
 	}
 
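Review bot: the new `test_bit(STATUS_DEVICE_ENABLED, &trans->status)` gate has no comment of its own; the block comment moved under it still only explains the scratch register and the older-device probe. Please add a line above the test stating that the bit being set is what identifies the fast-suspend case, since that is the whole reason the probe is skipped. When the bit is clear, device_was_powered_off stays false in this hunk, so it is worth confirming that the code after the hunk does the right thing for a device that was shut down before suspend.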




* [PATCH 6.1 326/522] drm/amd/display: Use krealloc_array() in dal_vector_reserve()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (324 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 325/522] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 327/522] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit da48bc4461b8a5ebfb9264c9b191a701d8e99009 upstream.

[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.

Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.

Fixes: 2004f45ef83f ("drm/amd/display: Use kernel alloc/free")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/basics/vector.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/basics/vector.c
+++ b/drivers/gpu/drm/amd/display/dc/basics/vector.c
@@ -289,8 +289,8 @@ bool dal_vector_reserve(struct vector *v
 	if (capacity <= vector->capacity)
 		return true;
 
-	new_container = krealloc(vector->container,
-				 capacity * vector->struct_size, GFP_KERNEL);
+	new_container = krealloc_array(vector->container,
+				       capacity, vector->struct_size, GFP_KERNEL);
 
 	if (new_container) {
 		vector->container = new_container;
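
Review bot: with krealloc_array() in dal_vector_reserve(), an overflowing capacity * vector->struct_size now shows up as a NULL new_container rather than a short buffer, so the `if (new_container)` branch is the only guard and its failure side is outside this hunk. Please confirm that path returns false and leaves vector->container and vector->capacity untouched, and that callers which append after a reserve check the return value. A one-line comment above the call saying the array form is used for its overflow check would also keep a later cleanup from folding it back into krealloc().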



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 243/378] wifi: nl80211: reject oversized EMA RNR lists
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 242/378] wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 244/378] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Johannes Berg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyuqiabc@gmail.com>

commit 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 upstream.

nl80211_parse_rnr_elems() stores the parsed element count in a
u8-backed cfg80211_rnr_elems::cnt field and uses that count to size
the flexible array allocation.

Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches
255, before incrementing it again. This keeps the parser aligned with
the data structure it fills and matches the existing bound check used
by nl80211_parse_mbssid_elems().

Fixes: dbbb27e183b1 ("cfg80211: support RNR for EMA AP")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/20260529152542.1412734-1-n05ec@lzu.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/nl80211.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6154,6 +6154,9 @@ nl80211_parse_rnr_elems(struct wiphy *wi
 		if (ret)
 			return ERR_PTR(ret);
 
+		if (num_elems >= 255)
+			return ERR_PTR(-EINVAL);
+
 		num_elems++;
 	}
 
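
Review bot: the new bound in nl80211_parse_rnr_elems() is the bare literal 255, which only makes sense once you know that cfg80211_rnr_elems::cnt is u8-backed; that link is in the commit message but not in the code. Writing it as U8_MAX, or adding a short comment naming the field, keeps the check tied to the type if the field is ever widened. The rejection is also a plain ERR_PTR(-EINVAL); if an extack is reachable from this function, an error message would tell userspace which attribute was oversized.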



^ permalink raw reply	[flat|nested] 906+ messages in thread
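
The two sizing bugs described in the changelogs of 6.1 326/522 (uint32_t product in dal_vector_reserve()) and 7.0 243/378 (u8-backed count in nl80211_parse_rnr_elems()), modelled in userspace C. This is an added example, not code from either patch; every function name in it is hypothetical and the input values are constructed.

```c
/* Added illustration: a userspace model, not kernel code. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Sizing as dal_vector_reserve() did it before the patch: both operands are
 * uint32_t, so the product is reduced modulo 2^32 before any allocator sees it.
 */
static uint32_t bytes_wrapping_u32(uint32_t capacity, uint32_t struct_size)
{
	return capacity * struct_size;
}

/*
 * Array-style sizing: take count and element size separately, multiply in
 * size_t, and report overflow instead of returning a wrapped value. This
 * models the overflow check the changelog attributes to krealloc_array().
 */
static bool bytes_checked(size_t n, size_t size, size_t *out)
{
	if (size != 0 && n > SIZE_MAX / size)
		return false;
	*out = n * size;
	return true;
}

/*
 * Counter held in 8 bits, as cfg80211_rnr_elems::cnt is described.
 * With no bound, the 256th element wraps the count back to 0.
 */
static uint8_t count_unbounded(unsigned int n_attrs)
{
	uint8_t num_elems = 0;
	unsigned int i;

	for (i = 0; i < n_attrs; i++)
		num_elems++;
	return num_elems;
}

/* Same loop with the patch's bound: refuse before the increment that would wrap. */
static int count_bounded(unsigned int n_attrs)
{
	uint8_t num_elems = 0;
	unsigned int i;

	for (i = 0; i < n_attrs; i++) {
		if (num_elems >= 255)
			return -1;	/* stands in for ERR_PTR(-EINVAL) */
		num_elems++;
	}
	return num_elems;
}

/* Input elements that an array sized from the wrapped count has no slot for. */
static unsigned int unslotted(unsigned int n_attrs)
{
	return n_attrs - count_unbounded(n_attrs);
}

int main(void)
{
	uint32_t capacity = 0x10000001u, struct_size = 16;	/* constructed */
	unsigned int n_attrs = 300;				/* constructed */
	size_t full;

	printf("u32 product:    %u bytes requested for %u elements\n",
	       (unsigned int)bytes_wrapping_u32(capacity, struct_size),
	       (unsigned int)capacity);
	if (bytes_checked(capacity, struct_size, &full))
		printf("size_t product: %zu bytes requested\n", full);
	else
		printf("size_t product: overflow, request refused\n");

	printf("u8 count for %u elements: %u (%u without a slot)\n",
	       n_attrs, (unsigned int)count_unbounded(n_attrs), unslotted(n_attrs));
	printf("bounded count for %u elements: %d\n", n_attrs, count_bounded(n_attrs));
	return 0;
}
```
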

* [PATCH 6.1 327/522] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (325 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 326/522] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 328/522] mm/hugetlb: avoid false positive lockdep assertion Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeff Layton, Mingyu Wang,
	Christian Brauner (Amutable)

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingyu Wang <25181214217@stu.xidian.edu.cn>

commit 00633c4683828acd5256fa8d5163f440d74bbe71 upstream.

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
   fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
   read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.

Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
  &dev->event_lock --> &f_owner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                           local_irq_disable();
                           lock(&dev->event_lock);
                           lock(&f_owner->lock);
  <Interrupt>
    lock(&dev->event_lock);

*** DEADLOCK ***

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Link: https://patch.msgid.link/20260523135210.590928-1-w15303746062@163.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fcntl.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -781,11 +781,11 @@ void send_sigio(struct fown_struct *fown
 			send_sigio_to_task(p, fown, fd, band, type);
 		rcu_read_unlock();
 	} else {
-		read_lock(&tasklist_lock);
+		rcu_read_lock();
 		do_each_pid_task(pid, type, p) {
 			send_sigio_to_task(p, fown, fd, band, type);
 		} while_each_pid_task(pid, type, p);
-		read_unlock(&tasklist_lock);
+		rcu_read_unlock();
 	}
  out_unlock_fown:
 	read_unlock_irqrestore(&fown->lock, flags);
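
Review bot: both arms of the if/else in send_sigio() now bracket their work with rcu_read_lock()/rcu_read_unlock(), so the else arm repeats what the arm above it already does. Hoisting a single rcu_read_lock() above the `if` and a single rcu_read_unlock() before out_unlock_fown would make it obvious that the single-PID and process-group paths run under the same protection, which is the alignment the changelog describes.
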
@@ -822,11 +822,11 @@ int send_sigurg(struct fown_struct *fown
 			send_sigurg_to_task(p, fown, type);
 		rcu_read_unlock();
 	} else {
-		read_lock(&tasklist_lock);
+		rcu_read_lock();
 		do_each_pid_task(pid, type, p) {
 			send_sigurg_to_task(p, fown, type);
 		} while_each_pid_task(pid, type, p);
-		read_unlock(&tasklist_lock);
+		rcu_read_unlock();
 	}
  out_unlock_fown:
 	read_unlock_irqrestore(&fown->lock, flags);
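
Review bot: in send_sigurg() the do_each_pid_task() walk no longer excludes concurrent fork() and exit(), which read_lock(&tasklist_lock) did; under rcu_read_lock() alone, a task joining the process group during the walk can be missed. The changelog argues that the traversal itself is safe, but a comment at this site stating that a missed SIGURG for a racing task is accepted would stop someone from reintroducing tasklist_lock here later and bringing the lock-order problem back.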



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 244/378] vsock/vmci: fix sk_ack_backlog leak on failed handshake
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 243/378] wifi: nl80211: reject oversized EMA RNR lists Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 245/378] timers/migration: Fix livelock in tmigr_handle_remote_up() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Raf Dickson, Stefano Garzarella,
	Paolo Abeni

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raf Dickson <rafdog35@gmail.com>

commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream.

When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.

Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Raf Dickson <rafdog35@gmail.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/vmci_transport.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -980,8 +980,10 @@ static int vmci_transport_recv_listen(st
 			err = -EINVAL;
 		}
 
-		if (err < 0)
+		if (err < 0) {
 			vsock_remove_pending(sk, pending);
+			sk_acceptq_removed(sk);
+		}
 
 		release_sock(pending);
 		vmci_transport_release_pending(pending);
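
Review bot: the sk_acceptq_removed(sk) added under `if (err < 0)` in vmci_transport_recv_listen() is only balanced if every pending socket that reaches this branch was counted by sk_acceptq_added() beforehand, and that call is outside the hunk. If any path can get here for a pending socket that was never added, sk_ack_backlog is decremented once too often. A short comment next to vsock_remove_pending() naming the matching sk_acceptq_added() site would make the pairing checkable from the code.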



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 328/522] mm/hugetlb: avoid false positive lockdep assertion
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (326 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 327/522] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 329/522] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
	David Hildenbrand (Arm), Oscar Salvador, Jann Horn, Muchun Song,
	Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Stoakes <ljs@kernel.org>

[ Upstream commit b4aea43cd37afad714b5684fe9fdfcb0e78dba26 ]

Commit 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split,
not before") changed the locking model around hugetlbfs PMD unsharing on
VMA split, but did not update the function which asserts the locks,
hugetlb_vma_assert_locked().

This function asserts that either the hugetlb VMA lock is held (if a
shared mapping) or that the reservation map lock is held (if private).

If you get an unfortunate race between something which results in one of
these locks being released and a hugetlb VMA split and you have
CONFIG_LOCKDEP enabled, you can therefore see a false positive assertion
arise when there is in fact no issue.

Since this change introduced a new take_locks parameter to
hugetlb_unshare_pmds(), which, when set to false, indicates that locking
is sufficient, simply pass this to the unsharing logic and predicate the
lock assertions on this.

This is safe, as we already asserted the file rmap lock and the VMA write
lock prior to this (implying exclusive mmap write lock), so we cannot be
raced by either rmap or page fault page table walkers which the asserted
locks are intended to protect against (we don't mind GUP-fast).

Separate out huge_pmd_unshare() into __huge_pmd_unshare() to add a
check_locks parameter, and update hugetlb_unshare_pmds() to pass this
parameter to it.

This leaves all other callers of huge_pmd_unshare() still correctly
asserting the locks.

The below reproducer will trigger the assert in a kernel with
CONFIG_LOCKDEP enabled by racing process teardown (which will release the
hugetlb lock) against a hugetlb split.

void execute_one(void)
{
	void *ptr;
	pid_t pid;

	/*
	 * Create a hugetlb mapping spanning a PUD entry.
	 *
	 * We force the hugetlb page allocation with populate and
	 * noreserve.
	 *
	 * |---------------------|
	 * |                     |
	 * |---------------------|
	 * 0                 PUD boundary
	 */
	ptr = mmap(0, PUD_SIZE, PROT_READ | PROT_WRITE,
		   MAP_FIXED | MAP_SHARED | MAP_ANON |
		   MAP_NORESERVE | MAP_HUGETLB | MAP_POPULATE,
		   -1, 0);
	if (ptr == MAP_FAILED) {
		perror("mmap");
		exit(EXIT_FAILURE);
	}

	/*
	 * Fork but with a bogus stack pointer so we try to execute code in
	 * a non-VM_EXEC VMA, causing segfault + teardown via exit_mmap().
	 *
	 * The clone will cause PMD page table sharing between the
	 * processes first via:
	 * copy_process() -> ... -> huge_pte_alloc() -> huge_pmd_share()
	 *
	 * Then tear down and release the hugetlb 'VMA' lock via:
	 * exit_mmap() -> ... -> vma_close() -> hugetlb_vma_lock_free()
	 */
	pid = syscall(__NR_clone, 0, 2 * PMD_SIZE, 0, 0, 0);
	if (pid < 0) {
		perror("clone");
		exit(EXIT_FAILURE);
	} if (pid == 0) {
		/* Pop stack... */
		return;
	}

	/*
	 * We are the parent process.
	 *
	 * Race the child process's teardown with a PMD unshare.
	 *
	 * We do this by triggering:
	 *
	 * __split_vma() -> hugetlb_split() -> hugetlb_unshare_pmds()
	 *
	 * Which, importantly, doesn't hold the hugetlb VMA lock (nor can
	 * it), meaning we assert in hugetlb_vma_assert_locked().
	 *
	 *            .
	 * |----------.----------|
	 * |          .          |
	 * |----------.----------|
	 * 0          .     PUD boundary
	 */
	mmap(0, PUD_SIZE / 2, PROT_READ | PROT_WRITE,
	     MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
}

int main(void)
{
	int i;

	/* Kick off fork children. */
	for (i = 0; i < NUM_FORKS; i++) {
		pid_t pid = fork();

		if (pid < 0) {
			perror("fork");
			exit(EXIT_FAILURE);
		}

		/* Fork children do their work and exit. */
		if (!pid) {
			int j;

			for (j = 0; j < NUM_ITERS; j++)
				execute_one();
			return EXIT_SUCCESS;
		}
	}

	/* If we succeeded, wait on children. */
	for (i = 0; i < NUM_FORKS; i++)
		wait(NULL);

	return EXIT_SUCCESS;
}

[ljs@kernel.org: account for the !CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING case]
  Link: https://lore.kernel.org/agWZsPGYid08uU6O@lucifer
Link: https://lore.kernel.org/20260513085658.45264-1-ljs@kernel.org
Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before")
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Acked-by: Oscar Salvador <osalvador@suse.de>
Cc: Jann Horn <jannh@google.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/hugetlb.c | 56 ++++++++++++++++++++++++++++++++++------------------
 1 file changed, 37 insertions(+), 19 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 161f95473c2ac2..6585389f93199d 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -94,6 +94,9 @@ static int hugetlb_acct_memory(struct hstate *h, long delta);
 static void hugetlb_vma_lock_free(struct vm_area_struct *vma);
 static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma);
 static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma);
+static int __huge_pmd_unshare(struct mmu_gather *tlb,
+		struct vm_area_struct *vma, unsigned long addr, pte_t *ptep,
+		bool check_locks);
 static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
 		unsigned long start, unsigned long end, bool take_locks);
 static struct resv_map *vma_resv_map(struct vm_area_struct *vma);
@@ -7116,6 +7119,31 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 	return pte;
 }
 
+static int __huge_pmd_unshare(struct mmu_gather *tlb,
+		struct vm_area_struct *vma, unsigned long addr, pte_t *ptep,
+		bool check_locks)
+{
+	unsigned long sz = huge_page_size(hstate_vma(vma));
+	struct mm_struct *mm = vma->vm_mm;
+	pgd_t *pgd = pgd_offset(mm, addr);
+	p4d_t *p4d = p4d_offset(pgd, addr);
+	pud_t *pud = pud_offset(p4d, addr);
+
+	if (sz != PMD_SIZE)
+		return 0;
+	if (!atomic_read(&virt_to_page(ptep)->pt_share_count))
+		return 0;
+	i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+	if (check_locks)
+		hugetlb_vma_assert_locked(vma);
+	pud_clear(pud);
+
+	tlb_unshare_pmd_ptdesc(tlb, virt_to_page(ptep), addr);
+
+	mm_dec_nr_pmds(mm);
+	return 1;
+}
+
 /**
  * huge_pmd_unshare - Unmap a pmd table if it is shared by multiple users
  * @tlb: the current mmu_gather.
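
Review bot: in the new __huge_pmd_unshare(), i_mmap_assert_write_locked() and the conditional hugetlb_vma_assert_locked() sit after the `sz != PMD_SIZE` and pt_share_count early returns, whereas the body removed from huge_pmd_unshare() ran both assertions first. Callers that take an early return are therefore no longer lock-checked at all, which is a wider relaxation than the changelog describes. If that ordering is intended, it deserves a sentence in the changelog; otherwise keep i_mmap_assert_write_locked() and the `if (check_locks)` assertion at the top of the function. The check_locks parameter also has no comment saying when passing false is legitimate.
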
@@ -7135,24 +7163,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
 		unsigned long addr, pte_t *ptep)
 {
-	unsigned long sz = huge_page_size(hstate_vma(vma));
-	struct mm_struct *mm = vma->vm_mm;
-	pgd_t *pgd = pgd_offset(mm, addr);
-	p4d_t *p4d = p4d_offset(pgd, addr);
-	pud_t *pud = pud_offset(p4d, addr);
-
-	i_mmap_assert_write_locked(vma->vm_file->f_mapping);
-	hugetlb_vma_assert_locked(vma);
-	if (sz != PMD_SIZE)
-		return 0;
-	if (!atomic_read(&virt_to_page(ptep)->pt_share_count))
-		return 0;
-
-	pud_clear(pud);
-	tlb_unshare_pmd_ptdesc(tlb, virt_to_page(ptep), addr);
-
-	mm_dec_nr_pmds(mm);
-	return 1;
+	return __huge_pmd_unshare(tlb, vma, addr, ptep, /*check_locks=*/true);
 }
 
 /*
@@ -7186,6 +7197,13 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 	return NULL;
 }
 
+static int __huge_pmd_unshare(struct mmu_gather *tlb,
+		struct vm_area_struct *vma, unsigned long addr, pte_t *ptep,
+		bool check_locks)
+{
+	return 0;
+}
+
 int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
 		unsigned long addr, pte_t *ptep)
 {
@@ -7569,7 +7587,7 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
 		if (!ptep)
 			continue;
 		ptl = huge_pte_lock(h, mm, ptep);
-		huge_pmd_unshare(&tlb, vma, address, ptep);
+		__huge_pmd_unshare(&tlb, vma, address, ptep, take_locks);
 		spin_unlock(ptl);
 	}
 	huge_pmd_unshare_flush(&tlb, vma);
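
Review bot: hugetlb_unshare_pmds() passes its take_locks argument straight through as check_locks, so one bool now carries two meanings: whether this function acquires the locks and whether __huge_pmd_unshare() asserts the hugetlb VMA lock. The equivalence holds only because the take_locks == false caller is the VMA split path the changelog describes; a comment on this call saying so would keep a future caller from passing false without holding the file rmap lock and VMA write lock that make skipping the assertion safe.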
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 245/378] timers/migration: Fix livelock in tmigr_handle_remote_up()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 244/378] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 246/378] spi: qcom-geni: Fix cs_change handling on the last transfer Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alon Kariv, Amit Matityahu,
	Thomas Gleixner

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amit Matityahu <amitmat@amazon.com>

commit d486b4934a8e504376b85cdb3766f306d57aff5b upstream.

tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu ==
smp_processor_id(), assuming the local softirq path already handled this
CPU's timers.

This assumption is wrong because jiffies can advance after the handling of
the CPU's global timers in run_timer_base(BASE_GLOBAL) and before
tmigr_handle_remote() evaluates the expiry times.

As a consequence a timer which expires after the CPU local timer wheel
advanced and becomes expired in the remote handling is ignored and the
callback is never invoked and removed from the timer wheel.

What's worse is that fetch_next_timer_interrupt_remote() keeps reporting it
as expired, and the event is re-queued with expires == now on each
iteration.  The goto-again loop spins indefinitely.

Fix this by calling timer_expire_remote() unconditionally. That's minimal
overhead for the common case as __run_timer_base() returns immediately if
there is nothing to expire in the local wheel.

[ tglx: Amend change log and add a comment ]

Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model")
Reported-by: Alon Kariv <alonka@amazon.com>
Signed-off-by: Amit Matityahu <amitmat@amazon.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260603170139.33628-1-amitmat@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/time/timer_migration.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/time/timer_migration.c
+++ b/kernel/time/timer_migration.c
@@ -978,8 +978,12 @@ static void tmigr_handle_remote_cpu(unsi
 	/* Drop the lock to allow the remote CPU to exit idle */
 	raw_spin_unlock_irq(&tmc->lock);
 
-	if (cpu != smp_processor_id())
-		timer_expire_remote(cpu);
+	/*
+	 * This can't exclude the local CPU because jiffies might have advanced
+	 * after the timer softirq invoked run_timer_base(BASE_GLOBAL) and the
+	 * point where the jiffies snapshot @jif was taken in tmigr_handle_remote().
+	 */
+	timer_expire_remote(cpu);
 
 	/*
 	 * Lock ordering needs to be preserved - timer_base locks before tmigr
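
Review bot: timer_expire_remote(cpu) in tmigr_handle_remote_cpu() is now reached with cpu == smp_processor_id(), a case the removed check excluded, and the added comment explains why the local CPU cannot be skipped but not why the call is safe for it. The call is made right after raw_spin_unlock_irq(&tmc->lock), so a sentence on what makes it correct to expire the local CPU's timers from this context would complete the comment.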



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 329/522] mm/damon/ops-common: call folio_test_lru() after folio_get()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (327 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 328/522] mm/hugetlb: avoid false positive lockdep assertion Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 330/522] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SeongJae Park, Fernand Sieber,
	Leonard Foerster, Shakeel Butt, Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

[ Upstream commit d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef ]

damon_get_folio() speculatively calls folio_test_lru() before
folio_try_get().  The folio can get freed and reallocated to a tail page.
In the case, VM_BUG_ON_PGFLAGS() in const_folio_flags() can be triggered.
Remove the speculative call.

Also mark folio_test_lru() check right after folio_try_get() success as no
more unlikely.

The race should be rare.  Also the problem can happen only if the kernel
has enabled CONFIG_DEBUG_VM_PGFLAGS.  No real world report of this issue
has been made so far.  This fix is based on only theoretical analysis.
That said, a bug is a bug.  A similar issue was also fixed via commit
3203b3ab0fcf ("mm/filemap: don't call folio_test_locked() without a
reference in next_uptodate_folio()").  I don't expect this change will
make a meaningful impact to DAMON performance in the real world, though I
will be happy to be corrected from the real world reports.

The issue was discovered [1] by Sashiko.

Link: https://lore.kernel.org/20260525162256.8317-1-sj@kernel.org
Link: https://lore.kernel.org/20260517234112.89245-1-sj@kernel.org [1]
Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Fernand Sieber <sieberf@amazon.com>
Cc: Leonard Foerster <foersleo@amazon.de>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: <stable@vger.kernel.org> # 5.15.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/damon/ops-common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/damon/ops-common.c b/mm/damon/ops-common.c
index 0b75a8d5c70684..cea4401e95a35e 100644
--- a/mm/damon/ops-common.c
+++ b/mm/damon/ops-common.c
@@ -23,10 +23,10 @@ struct page *damon_get_page(unsigned long pfn)
 {
 	struct page *page = pfn_to_online_page(pfn);
 
-	if (!page || !PageLRU(page) || !get_page_unless_zero(page))
+	if (!page || !get_page_unless_zero(page))
 		return NULL;
 
-	if (unlikely(!PageLRU(page))) {
+	if (!PageLRU(page)) {
 		put_page(page);
 		page = NULL;
 	}
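
Review bot: the hunk changes damon_get_page(), PageLRU() and get_page_unless_zero(), while the changelog speaks only of damon_get_folio(), folio_test_lru() and folio_try_get(), and there is no bracketed backport note mapping one onto the other. Please add a line stating that the folio calls were replaced by their page-based equivalents for this tree, so the diff can be matched against the upstream commit it cites.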
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 246/378] spi: qcom-geni: Fix cs_change handling on the last transfer
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 245/378] timers/migration: Fix livelock in tmigr_handle_remote_up() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 247/378] staging: rtl8723bs: fix buffer over-read in rtw_update_protection Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonathan Marek, Viken Dadhaniya,
	Mark Brown

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>

commit 5ac5ec84734fd338867055d4d7b650f18a023cb0 upstream.

TPM TIS SPI probe fails with:

   tpm_tis_spi: probe of spi11.0 failed with error -110

TPM TIS SPI sets cs_change=1 on single-transfer messages to keep CS
asserted across the header, wait-state, and data phases of a transaction.
CS deassertion between these phases violates the TCG SPI flow control
specification.

This bug was introduced by commit b99181cdf9fa ("spi-geni-qcom: remove
manual CS control"), which replaced manual CS control with automatic CS
control via the FRAGMENTATION bit. The FRAGMENTATION bit controls CS
behavior after a transfer: when set to 1, CS remains asserted; when
cleared to 0, CS is deasserted.

The commit correctly sets FRAGMENTATION for non-last transfers with
cs_change=0 to keep CS asserted between chained transfers, but misses the
case where cs_change=1 is set on the last transfer. When cs_change=1 on
the last transfer, the client requests CS to remain asserted after the
message completes, so FRAGMENTATION must be set to 1 in this case as well.

Fix setup_se_xfer() to set FRAGMENTATION when cs_change=1 on the last
transfer.

Also fix the same missing case in setup_gsi_xfer() and correct it to
write 1 instead of the raw bitmask FRAGMENTATION (value 4) to
peripheral.fragmentation. This field is a 1-bit boolean consumed by
gpi_create_spi_tre() via u32_encode_bits(..., TRE_SPI_GO_FRAG). Writing 4
to a 1-bit field causes u32_encode_bits() to mask it to 0, silently
disabling the FRAGMENTATION bit in the GPI TRE regardless of the
cs_change logic.

Fixes: b99181cdf9fa ("spi-geni-qcom: remove manual CS control")
Cc: stable@vger.kernel.org
Reviewed-by: Jonathan Marek <jonathan@marek.ca>
Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
Link: https://patch.msgid.link/20260609-fix-spi-fragmentation-bit-logic-v2-1-e18efc255563@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-geni-qcom.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
index d5fb0edc8e0c..23c6d3a37341 100644
--- a/drivers/spi/spi-geni-qcom.c
+++ b/drivers/spi/spi-geni-qcom.c
@@ -440,10 +440,15 @@ static int setup_gsi_xfer(struct spi_transfer *xfer, struct spi_geni_master *mas
 		return ret;
 	}
 
-	if (!xfer->cs_change) {
-		if (!list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers))
-			peripheral.fragmentation = FRAGMENTATION;
-	}
+	/*
+	 * Set fragmentation to keep CS asserted after this transfer when:
+	 *  - non-last transfer with cs_change=0: keep CS asserted between chained transfers
+	 *  - last transfer with cs_change=1: keep CS asserted after the message
+	 *    (e.g. TPM TIS SPI uses cs_change=1 on single-transfer messages to
+	 *     keep CS asserted across header, wait-state and data phases)
+	 */
+	peripheral.fragmentation = list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers) ?
+				   xfer->cs_change : !xfer->cs_change;
 
 	if (peripheral.cmd & SPI_RX) {
 		dmaengine_slave_config(mas->rx, &config);
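
Review bot: on the last-transfer arm of the ternary in setup_gsi_xfer(), peripheral.fragmentation is assigned xfer->cs_change directly, so the result is the 0 or 1 the changelog requires only if cs_change itself can never hold another value, and the hunk does not show its type. Writing `!!xfer->cs_change` costs nothing and makes the 1-bit contract with u32_encode_bits() explicit at the assignment.
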
@@ -849,10 +854,16 @@ static int setup_se_xfer(struct spi_transfer *xfer,
 		mas->cur_xfer_mode = GENI_SE_DMA;
 	geni_se_select_mode(se, mas->cur_xfer_mode);
 
-	if (!xfer->cs_change) {
-		if (!list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers))
-			m_params = FRAGMENTATION;
-	}
+	/*
+	 * Set FRAGMENTATION to keep CS asserted after this transfer when:
+	 *  - non-last transfer with cs_change=0: keep CS asserted between chained transfers
+	 *  - last transfer with cs_change=1: keep CS asserted after the message
+	 *    (e.g. TPM TIS SPI uses cs_change=1 on single-transfer messages to
+	 *     keep CS asserted across header, wait-state and data phases)
+	 */
+	if (list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers) ?
+	    xfer->cs_change : !xfer->cs_change)
+		m_params = FRAGMENTATION;
 
 	/*
 	 * Lock around right before we start the transfer since our
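
Review bot: the condition `list_is_last(...) ? xfer->cs_change : !xfer->cs_change` and its seven-line comment are now duplicated between setup_se_xfer() and setup_gsi_xfer(). The bug being fixed is that these two paths each missed the same case, so a small static helper returning bool, called from both, would keep them from drifting apart again and let the comment live in one place.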
-- 
2.54.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 6.1 330/522] mm/huge_memory: update file PMD counter before folio_put()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (328 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 329/522] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 331/522] f2fs: use kfree() instead of kvfree() to free some memory Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yin Tirui, Lorenzo Stoakes,
	David Hildenbrand (arm), Lance Yang, Dev Jain, Baolin Wang,
	Barry Song, Chen Jun, Kefeng Wang, Liam R. Howlett, Nico Pache,
	Ryan Roberts, Vlastimil Babka, Yang Shi, Zi Yan, Andrew Morton,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yin Tirui <yintirui@huawei.com>

[ Upstream commit 8d878059924f12c1bc24556a92ec56add74de3c8 ]

__split_huge_pmd_locked() updates the file/shmem RSS counter after
dropping the PMD mapping's folio reference.  If folio_put() drops the last
reference, mm_counter_file() can later read freed folio state via
folio_test_swapbacked().

Move the counter update before folio_put().

Link: https://lore.kernel.org/20260526101337.1984081-1-yintirui@huawei.com
Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
Signed-off-by: Yin Tirui <yintirui@huawei.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (arm) <david@kernel.org>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Chen Jun <chenjun102@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Yang Shi <yang.shi@linux.alibaba.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ changed folio API calls (folio_remove_rmap_pmd/mm_counter_file(folio)/folio_put) to page-based equivalents (page_remove_rmap/mm_counter_file(page)/put_page) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/huge_memory.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 2c118713f77126..7023bdf4896055 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2085,7 +2085,9 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
 			if (!PageReferenced(page) && pmd_young(old_pmd))
 				SetPageReferenced(page);
 			page_remove_rmap(page, vma, true);
+			add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
 			put_page(page);
+			return;
 		}
 		add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
 		return;
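
Review bot: the added add_mm_counter()/return pair inside the block duplicates the two lines that follow the closing brace, and nothing in the code says why the update has to come before put_page(page). A one-line comment above the added add_mm_counter() would help, for example that mm_counter_file(page) reads page state and so must run before the reference is dropped. Without it a later cleanup could merge the two paths again. Alternatively, read mm_counter_file(page) into a local before put_page() and keep the single update after the brace.
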
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 906+ messages in thread

* [PATCH 7.0 247/378] staging: rtl8723bs: fix buffer over-read in rtw_update_protection
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 246/378] spi: qcom-geni: Fix cs_change handling on the last transfer Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 7.0 248/378] staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luka Gejak, Salman Alghamdi

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salman Alghamdi <me@cipherat.com>

commit 514ab98364595007d4557ecc85d7e5f012c504d3 upstream.

rtw_update_protection() is called with a pointer offset into the
ies buffer but the full ie_length is passed, causing a potential
buffer over-read.

Fixes: e945c43df60b ("Staging: rtl8723bs: Delete dead code from update_current_network()")
Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex")
Reported-by: Luka Gejak <luka.gejak@linux.dev>
Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev
Cc: stable@vger.kernel.org
Signed-off-by: Salman Alghamdi <me@cipherat.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Link: https://patch.msgid.link/20260508222649.23989-1-me@cipherat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8723bs/core/rtw_mlme.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -471,8 +471,11 @@ static void update_current_network(struc
 
 	if (check_fwstate(pmlmepriv, _FW_LINKED) && (is_same_network(&pmlmepriv->cur_network.network, pnetwork, 0))) {
 		update_network(&pmlmepriv->cur_network.network, pnetwork, adapter, true);
+		if (pmlmepriv->cur_network.network.ie_length < sizeof(struct ndis_802_11_fix_ie))
+			return;
+
 		rtw_update_protection(adapter, (pmlmepriv->cur_network.network.ies) + sizeof(struct ndis_802_11_fix_ie),
-								pmlmepriv->cur_network.network.ie_length);
+								pmlmepriv->cur_network.network.ie_length - sizeof(struct ndis_802_11_fix_ie));
 	}
 }
 
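
Review bot: the guard in update_current_network() returns only after update_network() has already refreshed cur_network, so a short ie_length leaves the network entry updated and the protection state untouched, with no log line. A comment should say whether that is intended. Separately, sizeof(struct ndis_802_11_fix_ie) now appears three times in four lines; a local (for example fixed_len) would make it plain that the guard, the pointer offset and the length adjustment all use the same value.
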
@@ -1081,8 +1084,11 @@ static void rtw_joinbss_update_network(s
 			break;
 	}
 
+	if (cur_network->network.ie_length < sizeof(struct ndis_802_11_fix_ie))
+		return;
+
 	rtw_update_protection(padapter, (cur_network->network.ies) + sizeof(struct ndis_802_11_fix_ie),
-									(cur_network->network.ie_length));
+									(cur_network->network.ie_length - sizeof(struct ndis_802_11_fix_ie)));
 
 	rtw_update_ht_cap(padapter, cur_network->network.ies, cur_network->network.ie_length, (u8) cur_network->network.configuration.ds_config);
 }
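
Review bot: the early return added in rtw_joinbss_update_network() also skips the rtw_update_ht_cap() call right below it, which the old code always reached. If only rtw_update_protection() needs the length guard, wrap that one call in the check instead of returning. If skipping the HT capability update for a short ie_length is intended, the commit message should say so.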



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 331/522] f2fs: use kfree() instead of kvfree() to free some memory
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (329 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 330/522] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:57 ` [PATCH 6.1 332/522] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiazi Li, peixuan.qiu, Chao Yu,
	Jaegeuk Kim, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiazi Li <jqqlijiazi@gmail.com>

[ Upstream commit e9705c61b1dbe7bac9dc189de434994d8a76b191 ]

options in f2fs_fill_super is allocated by kstrdup:
	options = kstrdup((const char *)data, GFP_KERNEL)
sit_bitmap[_mir], nat_bitmap[_mir] are allocated by kmemdup:
	sit_i->sit_bitmap = kmemdup(src_bitmap, sit_bitmap_size, GFP_KERNEL);
	sit_i->sit_bitmap_mir = kmemdup(src_bitmap,
					sit_bitmap_size, GFP_KERNEL);
	nm_i->nat_bitmap = kmemdup(version_bitmap, nm_i->bitmap_size,
					GFP_KERNEL);
	nm_i->nat_bitmap_mir = kmemdup(version_bitmap, nm_i->bitmap_size,
					GFP_KERNEL);
write_io is allocated by f2fs_kmalloc:
	sbi->write_io[i] = f2fs_kmalloc(sbi,
			array_size(n, sizeof(struct f2fs_bio_info))

Using kfree is more efficient.

Signed-off-by: Jiazi Li <jqqlijiazi@gmail.com>
Signed-off-by: peixuan.qiu <peixuan.qiu@transsion.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 6af249c996f7 ("f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/node.c    |    4 ++--
 fs/f2fs/segment.c |    4 ++--
 fs/f2fs/super.c   |    8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -3433,10 +3433,10 @@ void f2fs_destroy_node_manager(struct f2
 	}
 	kvfree(nm_i->free_nid_count);
 
-	kvfree(nm_i->nat_bitmap);
+	kfree(nm_i->nat_bitmap);
 	kvfree(nm_i->nat_bits);
 #ifdef CONFIG_F2FS_CHECK_FS
-	kvfree(nm_i->nat_bitmap_mir);
+	kfree(nm_i->nat_bitmap_mir);
 #endif
 	sbi->nm_info = NULL;
 	kfree(nm_i);
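
Review bot: after this hunk f2fs_destroy_node_manager() frees neighbouring members with two different functions, kvfree() for free_nid_count and nat_bits and kfree() for nat_bitmap and nat_bitmap_mir, and the only record of why is the commit message. kfree() is correct only while these bitmaps stay kmemdup() allocations. A short comment at the free site or at the allocation would keep a later switch to a kvmalloc-family allocator from leaving a mismatched free here.
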
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -5180,9 +5180,9 @@ static void destroy_sit_info(struct f2fs
 	kvfree(sit_i->dirty_sentries_bitmap);
 
 	SM_I(sbi)->sit_info = NULL;
-	kvfree(sit_i->sit_bitmap);
+	kfree(sit_i->sit_bitmap);
 #ifdef CONFIG_F2FS_CHECK_FS
-	kvfree(sit_i->sit_bitmap_mir);
+	kfree(sit_i->sit_bitmap_mir);
 	kvfree(sit_i->invalid_segmap);
 #endif
 	kfree(sit_i);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1683,7 +1683,7 @@ static void f2fs_put_super(struct super_
 	destroy_percpu_info(sbi);
 	f2fs_destroy_iostat(sbi);
 	for (i = 0; i < NR_PAGE_TYPE; i++)
-		kvfree(sbi->write_io[i]);
+		kfree(sbi->write_io[i]);
 #if IS_ENABLED(CONFIG_UNICODE)
 	utf8_unload(sb->s_encoding);
 #endif
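
Review bot: the write_io[] free loop exists twice, here in f2fs_put_super() and again under the free_bio_info label in the error path, and both copies have to match the f2fs_kmalloc() allocation named in the commit message. A small helper that frees all NR_PAGE_TYPE entries, called from both places, would keep the allocator/free pairing in one spot so the two loops cannot drift apart.
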
@@ -4548,7 +4548,7 @@ reset_checkpoint:
 		if (err)
 			goto sync_free_meta;
 	}
-	kvfree(options);
+	kfree(options);
 
 	/* recover broken superblock */
 	if (recovery) {
@@ -4627,7 +4627,7 @@ free_iostat:
 	f2fs_destroy_iostat(sbi);
 free_bio_info:
 	for (i = 0; i < NR_PAGE_TYPE; i++)
-		kvfree(sbi->write_io[i]);
+		kfree(sbi->write_io[i]);
 
 #if IS_ENABLED(CONFIG_UNICODE)
 	utf8_unload(sb->s_encoding);
@@ -4639,7 +4639,7 @@ free_options:
 		kfree(F2FS_OPTION(sbi).s_qf_names[i]);
 #endif
 	fscrypt_free_dummy_policy(&F2FS_OPTION(sbi).dummy_enc_policy);
-	kvfree(options);
+	kfree(options);
 free_sb_buf:
 	kfree(raw_super);
 free_sbi:



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 248/378] staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 247/378] staging: rtl8723bs: fix buffer over-read in rtw_update_protection Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 249/378] ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Salman Alghamdi, Luka Gejak

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salman Alghamdi <me@cipherat.com>

commit 88e994c57a79f62d5338231d8d37ee8dd98baffe upstream.

Add guards to ensure ie_length is large enough before subtracting
fixed IE offsets to prevent unsigned integer underflow.

Fixes: 2038fe84b8bd ("staging: rtl8723bs: fix spacing around operators")
Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex")
Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev/
Cc: stable <stable@kernel.org>
Signed-off-by: Salman Alghamdi <me@cipherat.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Link: https://patch.msgid.link/20260513203455.31792-1-me@cipherat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8723bs/core/rtw_mlme.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -612,6 +612,8 @@ int rtw_is_desired_network(struct adapte
 	privacy = pnetwork->network.privacy;
 
 	if (check_fwstate(pmlmepriv, WIFI_UNDER_WPS)) {
+		if (pnetwork->network.ie_length < _FIXED_IE_LENGTH_)
+			return false;
 		if (rtw_get_wps_ie(pnetwork->network.ies + _FIXED_IE_LENGTH_, pnetwork->network.ie_length - _FIXED_IE_LENGTH_, NULL, &wps_ielen))
 			return true;
 		else
@@ -625,11 +627,15 @@ int rtw_is_desired_network(struct adapte
 			bselected = false;
 
 		if (psecuritypriv->ndisauthtype == Ndis802_11AuthModeWPA2PSK) {
-			p = rtw_get_ie(pnetwork->network.ies + _BEACON_IE_OFFSET_, WLAN_EID_RSN, &ie_len, (pnetwork->network.ie_length - _BEACON_IE_OFFSET_));
-			if (p && ie_len > 0)
-				bselected = true;
-			else
+			if (pnetwork->network.ie_length < _BEACON_IE_OFFSET_) {
 				bselected = false;
+			} else {
+				p = rtw_get_ie(pnetwork->network.ies + _BEACON_IE_OFFSET_, WLAN_EID_RSN, &ie_len, (pnetwork->network.ie_length - _BEACON_IE_OFFSET_));
+				if (p && ie_len > 0)
+					bselected = true;
+				else
+					bselected = false;
+			}
 		}
 	}
 
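
Review bot: the new if/else in the WPA2PSK branch sets bselected = false in both the short-length arm and the no-RSN-IE arm, so the nesting can be flattened: set bselected = false first, then call rtw_get_ie() only when ie_length >= _BEACON_IE_OFFSET_ and assign bselected = p && ie_len > 0. The function also guards the WPS lookup with _FIXED_IE_LENGTH_ and this lookup with _BEACON_IE_OFFSET_; a comment on why the two offsets differ would help the next reader check both guards.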



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 332/522] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (330 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 331/522] f2fs: use kfree() instead of kvfree() to free some memory Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 333/522] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+62538b67389ee582837a,
	Chao Yu, Jaegeuk Kim, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <chao@kernel.org>

[ Upstream commit 6af249c996f7d73a3435f9e577956fa259347d18 ]

Syzbot reported an f2fs bug as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1900!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6527 Comm: syz.5.110 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:f2fs_issue_discard_timeout+0x59b/0x5a0 fs/f2fs/segment.c:1900
Code: d9 80 e1 07 80 c1 03 38 c1 0f 8c d6 fe ff ff 48 89 df e8 a8 5e fa fd e9 c9 fe ff ff e8 4e 46 94 fd 90 0f 0b e8 46 46 94 fd 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc9000494f940 EFLAGS: 00010283
RAX: ffffffff843009ca RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9001ca78000 RSI: 00000000000029f3 RDI: 00000000000029f4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed100893a431 R12: 1ffff1100893a430
R13: 1ffff1100c2b702c R14: dffffc0000000000 R15: ffff8880449d2160
FS:  00007ffa35fed6c0(0000) GS:ffff88812643d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2b68634000 CR3: 0000000039f62000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __f2fs_remount fs/f2fs/super.c:2960 [inline]
 f2fs_reconfigure+0x108a/0x1710 fs/f2fs/super.c:5443
 reconfigure_super+0x227/0x8a0 fs/super.c:1080
 do_remount fs/namespace.c:3391 [inline]
 path_mount+0xdc5/0x10e0 fs/namespace.c:4151
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffa37dbda0a

The root cause is that there is a race condition between f2fs_ioc_fitrim()
and f2fs_remount():

- f2fs_remount			- f2fs_ioc_fitrim
 - f2fs_issue_discard_timeout
  - __issue_discard_cmd
  - __drop_discard_cmd
  - __wait_all_discard_cmd
				 - f2fs_trim_fs
				  - f2fs_write_checkpoint
				   - f2fs_clear_prefree_segments
				    - f2fs_issue_discard
				     - __issue_discard_async
				      - __queue_discard_cmd
				       - __update_discard_tree_range
				        - __insert_discard_cmd
				         - __create_discard_cmd
				         : atomic_inc(&dcc->discard_cmd_cnt);
  - sanity check on dcc->discard_cmd_cnt (expect discard_cmd_cnt to be zero)

This will only happen when fitrim races w/ remount rw; if we remount to a
read-only filesystem, remount will wait until mnt_pcp.mnt_writers drops to
zero, which means fitrim is not in progress at that time.

Cc: stable@kernel.org
Fixes: 2482c4325dfe ("f2fs: detect bug_on in f2fs_wait_discard_bios")
Reported-by: syzbot+62538b67389ee582837a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/69b07d7c.050a0220.8df7.09a1.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ adapted `f2fs_remount` call to pass `*flags & SB_RDONLY` for the old mount API ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/f2fs.h    |    2 +-
 fs/f2fs/segment.c |    6 +++---
 fs/f2fs/super.c   |   10 ++++++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3638,7 +3638,7 @@ bool f2fs_is_checkpointed_data(struct f2
 int f2fs_start_discard_thread(struct f2fs_sb_info *sbi);
 void f2fs_drop_discard_cmd(struct f2fs_sb_info *sbi);
 void f2fs_stop_discard_thread(struct f2fs_sb_info *sbi);
-bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi);
+bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check);
 void f2fs_clear_prefree_segments(struct f2fs_sb_info *sbi,
 					struct cp_control *cpc);
 void f2fs_dirty_to_prefree(struct f2fs_sb_info *sbi);
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -1659,7 +1659,7 @@ void f2fs_stop_discard_thread(struct f2f
 }
 
 /* This comes from f2fs_put_super */
-bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi)
+bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check)
 {
 	struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
 	struct discard_policy dpolicy;
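
Review bot: the comment above f2fs_issue_discard_timeout() still reads "This comes from f2fs_put_super", but the function now takes need_check and is also called from f2fs_remount() with a value that can be false. Document the parameter there: when need_check is false, a non-zero dcc->discard_cmd_cnt after __wait_all_discard_cmd() is tolerated because f2fs_ioc_fitrim() may be queueing discards concurrently.
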
@@ -1673,7 +1673,7 @@ bool f2fs_issue_discard_timeout(struct f
 	/* just to make sure there is no pending discard commands */
 	__wait_all_discard_cmd(sbi, NULL);
 
-	f2fs_bug_on(sbi, atomic_read(&dcc->discard_cmd_cnt));
+	f2fs_bug_on(sbi, need_check && atomic_read(&dcc->discard_cmd_cnt));
 	return dropped;
 }
 
@@ -2119,7 +2119,7 @@ static void destroy_discard_cmd_control(
 	 * fill_super(), it needs to give a chance to handle them.
 	 */
 	if (unlikely(atomic_read(&dcc->discard_cmd_cnt)))
-		f2fs_issue_discard_timeout(sbi);
+		f2fs_issue_discard_timeout(sbi, true);
 
 	kfree(dcc);
 	SM_I(sbi)->dcc_info = NULL;
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1619,7 +1619,7 @@ static void f2fs_put_super(struct super_
 	}
 
 	/* be sure to wait for any on-going discard commands */
-	dropped = f2fs_issue_discard_timeout(sbi);
+	dropped = f2fs_issue_discard_timeout(sbi, true);
 
 	if ((f2fs_hw_support_discard(sbi) || f2fs_hw_should_discard(sbi)) &&
 					!sbi->discard_blks && !dropped) {
@@ -2452,8 +2452,14 @@ static int f2fs_remount(struct super_blo
 		} else {
 			dcc = SM_I(sbi)->dcc_info;
 			f2fs_stop_discard_thread(sbi);
+			/*
+			 * f2fs_ioc_fitrim() won't race w/ "remount ro"
+			 * so it's safe to check discard_cmd_cnt in
+			 * f2fs_issue_discard_timeout().
+			 */
 			if (atomic_read(&dcc->discard_cmd_cnt))
-				f2fs_issue_discard_timeout(sbi);
+				f2fs_issue_discard_timeout(sbi,
+						*flags & SB_RDONLY);
 			need_restart_discard = true;
 		}
 	}
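
Review bot: *flags & SB_RDONLY is passed straight into a bool parameter in the f2fs_remount() hunk. The conversion gives the right result, but !!(*flags & SB_RDONLY) or a named local (for example remount_ro) states the intent and survives a later change of the parameter type. The added comment also covers only the read-only case; one more line saying the check is skipped for remount rw because f2fs_ioc_fitrim() can increment discard_cmd_cnt concurrently would document the path whose behaviour actually changes.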



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 249/378] ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 7.0 248/378] staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 250/378] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chancel Liu, Shengjiu Wang,
	Mark Brown

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chancel Liu <chancel.liu@nxp.com>

commit 4790af1cc2e8871fb31f28c66e42b9a949a23992 upstream.

When configuring 32 slots TDM (channels == slots == 32), the xMR
(Mask Register) write used:
~0UL - ((1 << min(channels, slots)) - 1)

The literal "1" is a signed 32-bit int. Shifting it by 32 positions is
undefined behaviour which may set this register to 0xFFFFFFFF, masking
all 32 slots.

Use GENMASK_U32() macro instead. For 32 slots this produces a zero mask:
~GENMASK_U32(31, 0) = ~0xFFFFFFFF = 0x00000000
Behaviour for fewer than 32 slots is unchanged.

Fixes: 770f58d7d2c5 ("ASoC: fsl_sai: Support multiple data channel enable bits")
Cc: stable@vger.kernel.org
Signed-off-by: Chancel Liu <chancel.liu@nxp.com>
Reviewed-by: Shengjiu Wang <shengjiu.wang@gmail.com>
Link: https://patch.msgid.link/20260601083327.1535185-1-chancel.liu@oss.nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/fsl/fsl_sai.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -747,7 +747,7 @@ static int fsl_sai_hw_params(struct snd_
 				   FSL_SAI_CR4_FSD_MSTR, FSL_SAI_CR4_FSD_MSTR);
 
 	regmap_write(sai->regmap, FSL_SAI_xMR(tx),
-		     ~0UL - ((1 << min(channels, slots)) - 1));
+		     ~GENMASK_U32(min(channels, slots) - 1, 0));
 
 	return 0;
 }
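
Review bot: GENMASK_U32(min(channels, slots) - 1, 0) needs min(channels, slots) >= 1. With 0 the high-bit argument becomes -1, where the old expression evaluated to an all-ones mask. Nothing in this hunk shows that channels and slots are non-zero at this point, so either confirm that earlier validation in fsl_sai_hw_params() guarantees it or handle the zero case explicitly before the regmap_write().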



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 333/522] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (331 preceding siblings ...)
  2026-06-16 14:57 ` [PATCH 6.1 332/522] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 334/522] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+6e4cb1cac5efc96ea0ca,
	Yongpeng Yang, Chao Yu, Jaegeuk Kim, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

[ Upstream commit 2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53 ]

The xfstests case "generic/107" and syzbot have both reported a NULL
pointer dereference.

The concurrent scenario that triggers the panic is as follows:

F2FS_WB_CP_DATA write callback          umount
                                        - f2fs_write_checkpoint
                                         - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
 - bio_endio
  - f2fs_write_end_io
   : dec_page_count(sbi, F2FS_WB_CP_DATA)
   : wake_up(&sbi->cp_wait)
                                        - kill_f2fs_super
                                         - kill_block_super
                                          - f2fs_put_super
                                           : iput(sbi->node_inode)
                                           : sbi->node_inode = NULL
   : f2fs_in_warm_node_list
    - is_node_folio // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and
sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is
decremented to zero. As a result, f2fs_in_warm_node_list() may
dereference a NULL node_inode when checking whether a folio belongs to
the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before
decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the
use-after-free condition.

Cc: stable@kernel.org
Fixes: 50fa53eccf9f ("f2fs: fix to avoid broken of dnode block list")
Reported-by: syzbot+6e4cb1cac5efc96ea0ca@syzkaller.appspotmail.com
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/data.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -356,6 +356,8 @@ static void f2fs_write_end_io(struct bio
 
 		f2fs_bug_on(sbi, page->mapping == NODE_MAPPING(sbi) &&
 					page->index != nid_of_node(page));
+		if (f2fs_in_warm_node_list(sbi, page))
+			f2fs_del_fsync_node_entry(sbi, page);
 
 		dec_page_count(sbi, type);
 
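
Review bot: the moved f2fs_in_warm_node_list()/f2fs_del_fsync_node_entry() pair now has to run before dec_page_count(sbi, type), but the code carries no comment saying so. Add one above the moved lines, for example that f2fs_put_super() may release sbi->node_inode once the F2FS_WB_CP_DATA count reaches zero, so that a later reorder does not reintroduce the crash. It is also worth confirming that clear_page_private_gcing() and end_page_writeback(), which still run after the wake_up(), touch only the page and not sbi.
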
@@ -367,8 +369,6 @@ static void f2fs_write_end_io(struct bio
 				wq_has_sleeper(&sbi->cp_wait))
 			wake_up(&sbi->cp_wait);
 
-		if (f2fs_in_warm_node_list(sbi, page))
-			f2fs_del_fsync_node_entry(sbi, page);
 		clear_page_private_gcing(page);
 		end_page_writeback(page);
 	}



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 250/378] bnxt_en: Fix NULL pointer dereference
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 249/378] ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 251/378] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kyle Meyer, Pavan Chebbi,
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Meyer <kyle.meyer@hpe.com>

commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream.

PCIe errors detected by a Root Port or Downstream Port cause error
recovery services to run on all subordinate devices regardless of
administrative state.

The .error_detected() callback, bnxt_io_error_detected(), disables
and synchronizes IRQs via bnxt_disable_int_sync(), which calls
bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
bp->bnapi.

Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
error recovery on a closed NIC can dereference a NULL pointer.

Check if bp->bnapi is NULL before disabling and synchronizing IRQs.

Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
Cc: stable@vger.kernel.org
Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -5656,7 +5656,7 @@ static void bnxt_disable_int_sync(struct
 {
 	int i;
 
-	if (!bp->irq_tbl)
+	if (!bp->irq_tbl || !bp->bnapi)
 		return;
 
 	atomic_inc(&bp->intr_sem);
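
Review bot: returning early when bp->bnapi is NULL also skips the atomic_inc(&bp->intr_sem) just below. The existing !bp->irq_tbl case already behaves this way, but the error-recovery path described in the commit message should be checked for a matching enable step that assumes intr_sem was incremented here. A short comment that bnapi is NULL while the NIC is closed would explain the second condition.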



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 334/522] ksmbd: require minimum ACE size in smb_check_perm_dacl()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (332 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 333/522] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 335/522] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon,
	Steve French, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit d07b26f39246a82399661936dd0c853983cfade7 ]

Both ACE-walk loops in smb_check_perm_dacl() only guard against an
under-sized remaining buffer, not against an ACE whose declared
`ace->size` is smaller than the struct it claims to describe:

  if (offsetof(struct smb_ace, access_req) > aces_size)
      break;
  ace_size = le16_to_cpu(ace->size);
  if (ace_size > aces_size)
      break;

The first check only requires the 4-byte ACE header to be in bounds;
it does not require access_req (4 bytes at offset 4) to be readable.
An attacker who has set a crafted DACL on a file they own can declare
ace->size == 4 with aces_size == 4, pass both checks, and then

  granted |= le32_to_cpu(ace->access_req);               /* upper loop */
  compare_sids(&sid, &ace->sid);                         /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at
offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES
* 4 bytes).

Tighten both loops to require

  ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header +
4-byte access_req + 8-byte sid base with zero sub-auths).  Also
reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES
before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448);
smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL
on a file.  On a subsequent CREATE against that file, the kernel
walks the stored DACL via smb_check_perm_dacl() and triggers the
OOB read.  Not pre-auth, and the OOB read is not reflected to the
attacker, but KASAN reports and kernel state corruption are
possible.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ changed le16_to_cpu to le32_to_cpu for num_aces field which is __le32 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smbacl.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1297,10 +1297,13 @@ int smb_check_perm_dacl(struct ksmbd_con
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 		aces_size = acl_size - sizeof(struct smb_acl);
 		for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
-			if (offsetof(struct smb_ace, access_req) > aces_size)
+			if (offsetof(struct smb_ace, sid) +
+			    aces_size < CIFS_SID_BASE_SIZE)
 				break;
 			ace_size = le16_to_cpu(ace->size);
-			if (ace_size > aces_size)
+			if (ace_size > aces_size ||
+			    ace_size < offsetof(struct smb_ace, sid) +
+				       CIFS_SID_BASE_SIZE)
 				break;
 			aces_size -= ace_size;
 			granted |= le32_to_cpu(ace->access_req);
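
Review bot: the first condition in the upper loop reads offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE, which has aces_size and CIFS_SID_BASE_SIZE on the wrong sides. With the sizes given in the commit message (sid at offset 8, 8-byte SID base) this is 8 + aces_size < 8, which cannot be true for a non-negative aces_size, so ace->size is read before anything has shown that the remaining buffer holds an ACE header. The commit message asks for the minimum layout to fit, that is offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE > aces_size; please check this hunk against the upstream commit.
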
@@ -1318,13 +1321,19 @@ int smb_check_perm_dacl(struct ksmbd_con
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 	aces_size = acl_size - sizeof(struct smb_acl);
 	for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
-		if (offsetof(struct smb_ace, access_req) > aces_size)
+		if (offsetof(struct smb_ace, sid) +
+		    aces_size < CIFS_SID_BASE_SIZE)
 			break;
 		ace_size = le16_to_cpu(ace->size);
-		if (ace_size > aces_size)
+		if (ace_size > aces_size ||
+		    ace_size < offsetof(struct smb_ace, sid) +
+			       CIFS_SID_BASE_SIZE)
 			break;
 		aces_size -= ace_size;
 
+		if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES)
+			break;
+
 		if (!compare_sids(&sid, &ace->sid) ||
 		    !compare_sids(&sid_unix_NFS_mode, &ace->sid)) {
 			found = 1;
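
Review bot: the new num_subauth check bounds the count against SID_MAX_SUB_AUTHORITIES but not against ace_size, so an ACE that declares the minimum size and a non-zero num_subauth still lets compare_sids() read sub_auth[] entries past the end of that ACE. Consider also requiring offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE + 4 * ace->sid.num_subauth <= ace_size before the compare. The pre-check at the top of this loop has aces_size and CIFS_SID_BASE_SIZE in the same swapped positions as in the upper loop and needs the same correction.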



^ permalink raw reply	[flat|nested] 906+ messages in thread
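
The bounds rules the ksmbd commit message above describes for an ACE walk, written out as an added user-space example (not ksmbd code and not part of the patch). The EX_/ex_ names, the byte layout and the limit of 15 sub-authorities are assumptions based on the sizes quoted in that message; step 3 also ties the sub-authority count to the declared ACE size, which goes beyond what the patch checks. All input buffers are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, from the sizes quoted in the commit message:
 *   ACE = type(1) flags(1) size(le16) access_req(le32) SID
 *   SID = revision(1) num_subauth(1) authority(6) sub_auth[](le32 each)
 * EX_/ex_ names are local to this example, not ksmbd identifiers. */
#define EX_ACCESS_OFFSET 4u
#define EX_SID_OFFSET    8u
#define EX_SID_BASE_SIZE 8u
#define EX_MAX_SUBAUTH   15u	/* assumed protocol limit */
#define EX_ACE_MIN_SIZE  (EX_SID_OFFSET + EX_SID_BASE_SIZE)

enum ex_status { EX_OK, EX_TRUNCATED, EX_BAD_SIZE, EX_BAD_SUBAUTH };
struct ex_result { enum ex_status status; uint32_t granted, visited; };

static uint16_t rd_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk num_aces entries in buf[0..len) and OR access_req of every valid ACE
 * into granted. Each field is read only after its bytes are proven present;
 * the walk stops at the first malformed entry. */
struct ex_result ex_walk_aces(const uint8_t *buf, size_t len, uint32_t num_aces)
{
	struct ex_result r = { EX_OK, 0, 0 };
	size_t off = 0;

	for (uint32_t i = 0; i < num_aces; i++) {
		const uint8_t *ace = buf + off;
		size_t remaining = len - off;	/* off never exceeds len */
		size_t ace_size, subauths;

		/* 1. The smallest legal ACE must fit before any field is read. */
		if (remaining < EX_ACE_MIN_SIZE) {
			r.status = EX_TRUNCATED;
			return r;
		}
		/* 2. Declared size: not past the buffer, not below the minimum. */
		ace_size = rd_le16(ace + 2);
		if (ace_size > remaining || ace_size < EX_ACE_MIN_SIZE) {
			r.status = EX_BAD_SIZE;
			return r;
		}
		/* 3. Sub-authorities: within the limit and covered by ace_size. */
		subauths = ace[EX_SID_OFFSET + 1];
		if (subauths > EX_MAX_SUBAUTH ||
		    EX_ACE_MIN_SIZE + 4u * subauths > ace_size) {
			r.status = EX_BAD_SUBAUTH;
			return r;
		}
		r.granted |= rd_le32(ace + EX_ACCESS_OFFSET);
		r.visited++;
		off += ace_size;
	}
	return r;
}

/* Constructed sample input: one ACE header plus SID base written at dst. */
static void ex_put_ace(uint8_t *dst, uint16_t size, uint32_t access, uint8_t subauths)
{
	memset(dst, 0, EX_ACE_MIN_SIZE);
	dst[2] = (uint8_t)(size & 0xff);
	dst[3] = (uint8_t)(size >> 8);
	for (int i = 0; i < 4; i++)
		dst[EX_ACCESS_OFFSET + i] = (uint8_t)(access >> (8 * i));
	dst[EX_SID_OFFSET] = 1;			/* revision */
	dst[EX_SID_OFFSET + 1] = subauths;
}

struct ex_result ex_run_case(int which)
{
	uint8_t buf[64] = { 0 };

	switch (which) {
	case 0:	/* two well-formed ACEs: 20 bytes (one sub-authority) + 16 bytes */
		ex_put_ace(buf, 20, 0x1, 1);
		ex_put_ace(buf + 20, 16, 0x2, 0);
		return ex_walk_aces(buf, 36, 2);
	case 1:	/* commit message case: ace->size == 4 with 4 bytes remaining */
		ex_put_ace(buf, 4, 0x1f01ff, 0);
		return ex_walk_aces(buf, 4, 1);
	case 2:	/* enough bytes remain, but the declared size is below the minimum */
		ex_put_ace(buf, 4, 0x1f01ff, 0);
		return ex_walk_aces(buf, 16, 1);
	case 3:	/* minimum-size ACE that claims three sub-authorities */
		ex_put_ace(buf, 16, 0x1f01ff, 3);
		return ex_walk_aces(buf, 16, 1);
	default: /* one valid ACE, then 4 stray bytes while num_aces says 2 */
		ex_put_ace(buf, 16, 0x4, 0);
		return ex_walk_aces(buf, 20, 2);
	}
}

int main(void)
{
	for (int c = 0; c < 5; c++) {
		struct ex_result r = ex_run_case(c);
		printf("case %d: status=%d granted=0x%x visited=%u\n",
		       c, (int)r.status, (unsigned)r.granted, (unsigned)r.visited);
	}
	return 0;
}
```
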

* [PATCH 7.0 251/378] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 250/378] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 252/378] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Kelley, Krister Johansen,
	Matthew Ruffell, Dexuan Cui, Wei Liu

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit 016a25e4b0df4d77e7c258edee4aaf982e4ee809 upstream.

If vmbus_reserve_fb() in the kdump/kexec kernel fails to properly reserve
the framebuffer MMIO range (which is below 4GB) due to a Gen2 VM's
screen.lfb_base being zero [1], there is an MMIO conflict between the
drivers hyperv-drm and pci-hyperv: when the driver pci-hyperv's
hv_allocate_config_window() calls vmbus_allocate_mmio() to get an
MMIO range, typically it gets a 32-bit MMIO range that overlaps with the
framebuffer MMIO range, and later hv_pci_enter_d0() fails with an
error message "PCI Pass-through VSP failed D0 Entry with status" since
the host thinks that PCI devices must not use MMIO space that the
host has assigned to the framebuffer.

This is especially an issue if pci-hyperv is built-in and hyperv-drm is
built as a module. Consequently, the kdump/kexec kernel fails to detect
PCI devices via pci-hyperv, and may fail to mount the root file system,
which may reside in an NVMe disk. The issue described here has existed
for SR-IOV VF NICs since day one of the pci-hyperv driver, and has been
worked around on x64 when possible. With the recent introduction of
ARM64 VMs that boot from NVMe, there is no workaround, so we need a
formal fix.

On Gen2 VMs, if the screen.lfb_base is 0 in the kdump/kexec kernel [1],
fall back to the low MMIO base, which should be equal to the framebuffer
MMIO base [2] (the statement is true according to my testing on x64
Windows Server 2016, and on x64 and ARM64 Windows Server 2025 and on
Azure. I checked with the Hyper-V team and they said the statement should
continue to be true for Gen2 VMs). In the first kernel, screen.lfb_base
is not 0; if the user specifies a very high resolution, it's not enough
to only reserve 8MB: let's always reserve half of the space below 4GB,
but cap the reservation to 128MB, which is the required framebuffer size
of the highest resolution 7680*4320 supported by Hyper-V.

While at it, fix the comparison "end > VTPM_BASE_ADDRESS" by changing
the > to >=. Here the 'end' is an inclusive end (typically, it's
0xFFFF_FFFF for the low MMIO range).

Note: vmbus_reserve_fb() now also reserves an MMIO range at the beginning
of the low MMIO range on CVMs, which have no framebuffers (the
'screen.lfb_base' in vmbus_reserve_fb() is 0 for CVMs), just in case the
host might treat the beginning of the low MMIO range specially [3]. BTW,
the OpenHCL kernel is not affected by the change, because that kernel
boots with DeviceTree rather than ACPI (so vmbus_reserve_fb() won't run
there), and there is no framebuffer device for that kernel.

Note: normally Gen1 VMs don't have the MMIO conflict issue because the
framebuffer MMIO range (which is hardcoded to base=4GB-128MB and
size=64MB for Gen1 VMs by the host) is always reported via the legacy PCI
graphics device's BAR, so the kdump/kexec kernel can reserve the 64MB
MMIO range; however, if the VM is configured to use a very high resolution
and the required framebuffer size exceeds 64MB (AFAIK, in practice, this
isn't a typical configuration by users), the hyperv-drm driver may need to
allocate an MMIO range above 4GB and change the framebuffer MMIO location
to the allocated MMIO range -- in this case, there can still be issues [4]
which can't be easily fixed: any possible affected Gen1 users would have
to use a resolution whose framebuffer size is <= 64MB, or switch to Gen2
VMs.

[1] https://lore.kernel.org/all/SA1PR21MB692176C1BC53BFC9EAE5CF8EBF51A@SA1PR21MB6921.namprd21.prod.outlook.com/
[2] https://lore.kernel.org/all/SA1PR21MB69218F955B62DFF62E3E88D2BF222@SA1PR21MB6921.namprd21.prod.outlook.com/
[3] https://lore.kernel.org/all/SN6PR02MB415726B17D5A6027CD1717E8D4342@SN6PR02MB4157.namprd02.prod.outlook.com/
[4] https://lore.kernel.org/all/SA1PR21MB69213486F821CA5A2C793C81BF342@SA1PR21MB6921.namprd21.prod.outlook.com/

Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
CC: stable@vger.kernel.org
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Krister Johansen <kjlx@templeofstupid.com>
Tested-by: Matthew Ruffell <matthew.ruffell@canonical.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hv/vmbus_drv.c |   29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -2332,8 +2332,8 @@ static acpi_status vmbus_walk_resources(
 		return AE_NO_MEMORY;
 
 	/* If this range overlaps the virtual TPM, truncate it. */
-	if (end > VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
-		end = VTPM_BASE_ADDRESS;
+	if (end >= VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
+		end = VTPM_BASE_ADDRESS - 1;
 
 	new_res->name = "hyperv mmio";
 	new_res->flags = IORESOURCE_MEM;
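Review bot: The comment above the changed condition still only says "truncate it", while the fix depends on 'end' being an inclusive bound. Suggest extending the comment to state that 'end' is inclusive, so that `end >= VTPM_BASE_ADDRESS` and `end = VTPM_BASE_ADDRESS - 1` are not read as off-by-one mistakes later. The condition also still requires `start < VTPM_BASE_ADDRESS`, so a range that begins at or above VTPM_BASE_ADDRESS is left alone; if that case cannot occur, a short note saying so would help.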
@@ -2400,6 +2400,7 @@ static void vmbus_mmio_remove(void)
 static void __maybe_unused vmbus_reserve_fb(void)
 {
 	resource_size_t start = 0, size;
+	resource_size_t low_mmio_base;
 	struct pci_dev *pdev;
 
 	if (efi_enabled(EFI_BOOT)) {
@@ -2407,6 +2408,24 @@ static void __maybe_unused vmbus_reserve
 		if (IS_ENABLED(CONFIG_SYSFB)) {
 			start = sysfb_primary_display.screen.lfb_base;
 			size = max_t(__u32, sysfb_primary_display.screen.lfb_size, 0x800000);
+
+			low_mmio_base = hyperv_mmio->start;
+			if (!low_mmio_base || upper_32_bits(low_mmio_base) ||
+			    (start && start < low_mmio_base)) {
+				pr_warn("Unexpected low mmio base %pa\n", &low_mmio_base);
+			} else {
+				/*
+				 * If the kdump/kexec or CVM kernel's lfb_base
+				 * is 0, fall back to the low mmio base.
+				 */
+				if (!start)
+					start = low_mmio_base;
+				/*
+				 * Reserve half of the space below 4GB for high
+				 * resolutions, but cap the reservation to 128MB.
+				 */
+				size = min((SZ_4G - start) / 2, SZ_128M);
+			}
 		}
 	} else {
 		/* Gen1 VM: get FB base from PCI */
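Review bot: The fallback to the low MMIO base sits inside the `if (IS_ENABLED(CONFIG_SYSFB))` block, so on a kernel built without CONFIG_SYSFB 'start' stays 0 and the function still returns without reserving anything, which is the kdump/kexec case the commit message sets out to fix. Consider moving the `low_mmio_base` logic out of that block, or document the CONFIG_SYSFB dependency. Separately, `size = min((SZ_4G - start) / 2, SZ_128M)` replaces the lfb_size-based value computed just above it; when 'start' is close to 4GB the result can be smaller than screen.lfb_size, so taking the larger of the two, or a comment on why that cannot happen, would be safer.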
@@ -2427,8 +2446,10 @@ static void __maybe_unused vmbus_reserve
 		pci_dev_put(pdev);
 	}
 
-	if (!start)
+	if (!start) {
+		pr_warn("Unexpected framebuffer mmio base of zero\n");
 		return;
+	}
 
 	/*
 	 * Make a claim for the frame buffer in the resource tree under the
@@ -2438,6 +2459,8 @@ static void __maybe_unused vmbus_reserve
 	 */
 	for (; !fb_mmio && (size >= 0x100000); size >>= 1)
 		fb_mmio = __request_region(hyperv_mmio, start, size, fb_mmio_name, 0);
+
+	pr_info("hv_mmio=%pR,%pR fb=%pR\n", hyperv_mmio, hyperv_mmio->sibling, fb_mmio);
 }
 
 /**
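Review bot: After the loop, fb_mmio is still NULL if every __request_region() attempt failed, and the only trace of that is the unconditional `pr_info("hv_mmio=%pR,%pR fb=%pR\n", ...)` line. Since a failed reservation is exactly what leads to the pci-hyperv conflict described in the commit message, a separate pr_warn() for the `!fb_mmio` case would make it much easier to spot in a kdump log. The same line also prints on every boot; pr_debug() may be enough for the success case.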




* [PATCH 6.1 335/522] smb: client: validate the whole DACL before rewriting it in cifsacl
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (333 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 334/522] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 336/522] LoongArch: Add spectre boundry for syscall dispatch table Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 0a8cf165566ba55a39fd0f4de172119dd646d39a ]

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths.  parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ renamed smb_acl/smb_ace/smb_sid/smb_ntsd to cifs_* and widened num_aces from u16 to u32 for 6.1's __le32 field ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |   95 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 85 insertions(+), 10 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -753,6 +753,78 @@ static void dump_ace(struct cifs_ace *pa
 }
 #endif
 
+static int validate_dacl(struct cifs_acl *pdacl, char *end_of_acl)
+{
+	int i, ace_hdr_size, ace_size, min_ace_size;
+	u16 dacl_size;
+	u32 num_aces;
+	char *acl_base, *end_of_dacl;
+	struct cifs_ace *pace;
+
+	if (!pdacl)
+		return 0;
+
+	if (end_of_acl < (char *)pdacl + sizeof(struct cifs_acl)) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	dacl_size = le16_to_cpu(pdacl->size);
+	if (dacl_size < sizeof(struct cifs_acl) ||
+	    end_of_acl < (char *)pdacl + dacl_size) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	num_aces = le32_to_cpu(pdacl->num_aces);
+	if (!num_aces)
+		return 0;
+
+	ace_hdr_size = offsetof(struct cifs_ace, sid) +
+		offsetof(struct cifs_sid, sub_auth);
+	min_ace_size = ace_hdr_size + sizeof(__le32);
+	if (num_aces > (dacl_size - sizeof(struct cifs_acl)) / min_ace_size) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	end_of_dacl = (char *)pdacl + dacl_size;
+	acl_base = (char *)pdacl;
+	ace_size = sizeof(struct cifs_acl);
+
+	for (i = 0; i < num_aces; ++i) {
+		if (end_of_dacl - acl_base < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		pace = (struct cifs_ace *)(acl_base + ace_size);
+		acl_base = (char *)pace;
+
+		if (end_of_dacl - acl_base < ace_hdr_size ||
+		    pace->sid.num_subauth == 0 ||
+		    pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
+		if (end_of_dacl - acl_base < ace_size ||
+		    le16_to_cpu(pace->size) < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		ace_size = le16_to_cpu(pace->size);
+		if (end_of_dacl - acl_base < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+	}
+
+	return 0;
+}
+
 static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
 		       struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
 		       struct cifs_fattr *fattr, bool mode_from_special_sid)
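Review bot: In validate_dacl(), the rejection of `pace->sid.num_subauth == 0` or `> SID_MAX_SUB_AUTHORITIES` logs "ACL too small to parse ACE", the same text as the real length failures, so a log line cannot tell a bad sub-authority count from a truncated buffer. A distinct message for that branch would make a malformed server response easier to triage. The loop also compares `int i` against `u32 num_aces`; the earlier `num_aces > (dacl_size - sizeof(struct cifs_acl)) / min_ace_size` check keeps the count small because dacl_size is a u16, but declaring i as u32 would avoid the mixed-sign comparison. A short comment that a NULL pdacl is accepted and returns 0 would document the contract for the new callers.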
@@ -760,7 +832,7 @@ static void parse_dacl(struct cifs_acl *
 	int i;
 	int num_aces = 0;
 	int acl_size;
-	char *acl_base;
+	char *acl_base, *end_of_dacl;
 	struct cifs_ace **ppace;
 
 	/* BB need to add parm so we can store the SID BB */
@@ -772,11 +844,8 @@ static void parse_dacl(struct cifs_acl *
 		return;
 	}
 
-	/* validate that we do not go past end of acl */
-	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
-		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+	if (validate_dacl(pdacl, end_of_acl))
 		return;
-	}
 
 	cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
 		 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
@@ -787,6 +856,7 @@ static void parse_dacl(struct cifs_acl *
 	   user/group/other have no permissions */
 	fattr->cf_mode &= ~(0777);
 
+	end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
 	acl_base = (char *)pdacl;
 	acl_size = sizeof(struct cifs_acl);
 
@@ -804,7 +874,7 @@ static void parse_dacl(struct cifs_acl *
 		for (i = 0; i < num_aces; ++i) {
 			ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
 #ifdef CONFIG_CIFS_DEBUG2
-			dump_ace(ppace[i], end_of_acl);
+			dump_ace(ppace[i], end_of_dacl);
 #endif
 			if (mode_from_special_sid &&
 			    ppace[i]->sid.num_subauth >= 3 &&
@@ -1263,10 +1333,9 @@ static int build_sec_desc(struct cifs_nt
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
 	if (dacloffset) {
 		dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
-		if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
-			cifs_dbg(VFS, "Server returned illegal ACL size\n");
-			return -EINVAL;
-		}
+		rc = validate_dacl(dacl_ptr, end_of_acl);
+		if (rc)
+			return rc;
 	}
 
 	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
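Review bot: dacl_ptr is formed as `(char *)pntsd + dacloffset` from a server-supplied 32-bit offset, and nothing in this hunk bounds the offset itself. validate_dacl() only compares the resulting pointer against end_of_acl, which relies on the pointer arithmetic not wrapping and does not reject an offset that points back into the descriptor header. Suggest checking dacloffset against the descriptor length and the header size before computing dacl_ptr. The old "Server returned illegal ACL size" message is also dropped in favour of validate_dacl()'s generic ones, which loses the hint that build_sec_desc() was the caller.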
@@ -1630,6 +1699,12 @@ id_mode_to_cifs_acl(struct inode *inode,
 		dacloffset = le32_to_cpu(pntsd->dacloffset);
 		if (dacloffset) {
 			dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
+			rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
+			if (rc) {
+				kfree(pntsd);
+				cifs_put_tlink(tlink);
+				return rc;
+			}
 			if (mode_from_sid)
 				nsecdesclen +=
 					le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct cifs_ace);
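Review bot: The new failure branch releases resources by hand with `kfree(pntsd); cifs_put_tlink(tlink); return rc;`. The rest of id_mode_to_cifs_acl() is not visible in this hunk, so please confirm that nothing else acquired before this point needs releasing, and prefer the function's common exit path if it has one so the cleanup does not drift. The end bound here is `(char *)pntsd + secdesclen` while build_sec_desc() passes end_of_acl; a comment that both denote the end of the received descriptor would help readers compare the two call sites.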




* [PATCH 7.0 252/378] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 251/378] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 253/378] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn,
	Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 40ab6644b99685755f740b872c00ef40d9aa870e upstream.

may_decode_fh() accesses mount::mnt_ns without holding any locks; that
means the mount can concurrently be unmounted, and the mnt_namespace can
concurrently be freed after an RCU grace period.

This race can happen as follows, assuming that the mount point was
created by open_tree(..., OPEN_TREE_CLONE):

thread 1            thread 2            RCU
                    __do_sys_open_by_handle_at
                      do_handle_open
                        handle_to_path
                          may_decode_fh
                            is_mounted
                              [mount::mnt_ns access]
                            [mount::mnt_ns access]
__do_sys_close
  fput_close_sync
    __fput
      dissolve_on_fput
        umount_tree
        class_namespace_excl_destructor
          namespace_unlock
            free_mnt_ns
              mnt_ns_tree_remove
                call_rcu(mnt_ns_release_rcu)
                                        mnt_ns_release_rcu
                                          mnt_ns_release
                                            kfree
                            [mnt_namespace::user_ns access] **UAF**

Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
in __prepend_path().
Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()
for writers that can race with lockless readers.

This bug is unreachable unless one of the following is set:

 - CONFIG_PREEMPTION
 - CONFIG_RCU_STRICT_GRACE_PERIOD

because it requires an RCU grace period to happen during a syscall without
an explicit preemption.

This doesn't seem to have interesting security impact; worst-case, it could
leak the result of an integer comparison to userspace (from the level
check in cap_capable()), cause an endless loop, or crash the kernel by
dereferencing an invalid address.

Fixes: 620c266f3949 ("fhandle: relax open_by_handle_at() permission checks")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260603-vfs-fhandle-uaf-fix-v2-1-d05db76a5084@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fhandle.c   |   16 ++++++++++++++--
 fs/mount.h     |   10 +++++++++-
 fs/namespace.c |    6 +++---
 3 files changed, 26 insertions(+), 6 deletions(-)

--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -285,6 +285,19 @@ static int do_handle_to_path(struct file
 	return 0;
 }
 
+static bool capable_wrt_mount(struct mount *mount)
+{
+	struct mnt_namespace *mnt_ns;
+
+	/*
+	 * For ->mnt_ns access.
+	 * The following READ_ONCE() is semantically rcu_dereference().
+	 */
+	guard(rcu)();
+	mnt_ns = READ_ONCE(mount->mnt_ns);
+	return ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN);
+}
+
 static inline int may_decode_fh(struct handle_to_path_ctx *ctx,
 				unsigned int o_flags)
 {
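Review bot: capable_wrt_mount() dereferences `mnt_ns->user_ns` without a NULL check, yet the fs/namespace.c part of this patch shows umount_tree() and mnt_make_shortterm() storing NULL into ->mnt_ns. The is_mounted() test at the call site runs before this function and outside its RCU section, so it does not guarantee the pointer is still non-NULL when READ_ONCE() samples it. Suggest returning false when the sampled value is NULL, e.g. `if (!mnt_ns) return false;` directly after the READ_ONCE().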
@@ -320,8 +333,7 @@ static inline int may_decode_fh(struct h
 	if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN))
 		ctx->flags = HANDLE_CHECK_PERMS;
 	else if (is_mounted(root->mnt) &&
-		 ns_capable(real_mount(root->mnt)->mnt_ns->user_ns,
-			    CAP_SYS_ADMIN) &&
+		 capable_wrt_mount(real_mount(root->mnt)) &&
 		 !has_locked_children(real_mount(root->mnt), root->dentry))
 		ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE;
 	else
--- a/fs/mount.h
+++ b/fs/mount.h
@@ -71,7 +71,15 @@ struct mount {
 	struct hlist_head mnt_slave_list;/* list of slave mounts */
 	struct hlist_node mnt_slave;	/* slave list entry */
 	struct mount *mnt_master;	/* slave is on master->mnt_slave_list */
-	struct mnt_namespace *mnt_ns;	/* containing namespace */
+	/*
+	 * Containing namespace (active or deactivating, non-refcounted).
+	 * Normally protected by namespace_sem.
+	 * Can also be accessed locklessly under RCU. RCU readers can't rely on
+	 * the namespace still being active, but implicitly hold a passive
+	 * reference (because an RCU delay happens between a namespace being
+	 * deactivated and the corresponding passive refcount drop).
+	 */
+	struct mnt_namespace *mnt_ns;
 	struct mountpoint *mnt_mp;	/* where is it mounted */
 	union {
 		struct hlist_node mnt_mp_list;	/* list mounts with the same mountpoint */
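Review bot: The new comment on mnt_ns does not say that the field can be NULL, although the writers converted in this patch (umount_tree() and mnt_make_shortterm()) store NULL into it. Suggest adding that lockless readers must use READ_ONCE() and handle a NULL result, so the documented contract matches the WRITE_ONCE() conversions.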
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1079,7 +1079,7 @@ static void mnt_add_to_ns(struct mnt_nam
 	bool mnt_first_node = true, mnt_last_node = true;
 
 	WARN_ON(mnt_ns_attached(mnt));
-	mnt->mnt_ns = ns;
+	WRITE_ONCE(mnt->mnt_ns, ns);
 	while (*link) {
 		parent = *link;
 		if (mnt->mnt_id_unique < node_to_mount(parent)->mnt_id_unique) {
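Review bot: mnt_add_to_ns() publishes the pointer with `WRITE_ONCE(mnt->mnt_ns, ns)`, while the reader added in fs/fhandle.c describes its READ_ONCE() as "semantically rcu_dereference()". WRITE_ONCE() gives no release ordering, so if a lockless reader can observe this store, either use rcu_assign_pointer() or add a comment explaining why *ns is guaranteed to be fully initialised and visible before this point.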
@@ -1434,7 +1434,7 @@ EXPORT_SYMBOL(mntget);
 void mnt_make_shortterm(struct vfsmount *mnt)
 {
 	if (mnt)
-		real_mount(mnt)->mnt_ns = NULL;
+		WRITE_ONCE(real_mount(mnt)->mnt_ns, NULL);
 }
 
 /**
@@ -1806,7 +1806,7 @@ static void umount_tree(struct mount *mn
 			ns->nr_mounts--;
 			__touch_mnt_namespace(ns);
 		}
-		p->mnt_ns = NULL;
+		WRITE_ONCE(p->mnt_ns, NULL);
 		if (how & UMOUNT_SYNC)
 			p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
 




* [PATCH 6.1 336/522] LoongArch: Add spectre boundry for syscall dispatch table
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (334 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 335/522] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 337/522] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Huacai Chen, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d ]

The LoongArch syscall number is directly controlled by userspace, but
does not have an array_index_nospec() boundary to prevent access past the
syscall function pointer tables.

Cc: stable@vger.kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kernel/syscall.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/loongarch/kernel/syscall.c
+++ b/arch/loongarch/kernel/syscall.c
@@ -9,6 +9,7 @@
 #include <linux/entry-common.h>
 #include <linux/errno.h>
 #include <linux/linkage.h>
+#include <linux/nospec.h>
 #include <linux/syscalls.h>
 #include <linux/unistd.h>
 
@@ -54,7 +55,7 @@ void noinstr do_syscall(struct pt_regs *
 	nr = syscall_enter_from_user_mode(regs, nr);
 
 	if (nr < NR_syscalls) {
-		syscall_fn = sys_call_table[nr];
+		syscall_fn = sys_call_table[array_index_nospec(nr, NR_syscalls)];
 		regs->regs[4] = syscall_fn(regs->orig_a0, regs->regs[5], regs->regs[6],
 					   regs->regs[7], regs->regs[8], regs->regs[9]);
 	}
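Review bot: The index is clamped inline as `sys_call_table[array_index_nospec(nr, NR_syscalls)]` with no comment on why a clamp is needed directly after `if (nr < NR_syscalls)`. A one-line comment that the bounds check can be bypassed under speculation would keep the call from being removed as redundant later. The declaration of nr is outside this hunk; please confirm it is unsigned, since a signed nr would make the preceding comparison accept negative values.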




* [PATCH 7.0 253/378] hv: utils: handle and propagate errors in kvp_register
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (251 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 252/378] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 254/378] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Long Li, Wei Liu

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 upstream.

Make kvp_register() return an error code instead of silently ignoring
failures, and propagate the error from kvp_handle_handshake() instead of
returning success.

This propagates both kzalloc_obj() and hvutil_transport_send() failures
to kvp_handle_handshake() and thus to kvp_on_msg().

Fixes: 245ba56a52a3 ("Staging: hv: Implement key/value pair (KVP)")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hv/hv_kvp.c |   27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

--- a/drivers/hv/hv_kvp.c
+++ b/drivers/hv/hv_kvp.c
@@ -93,7 +93,7 @@ static void kvp_send_key(struct work_str
 static void kvp_respond_to_host(struct hv_kvp_msg *msg, int error);
 static void kvp_timeout_func(struct work_struct *dummy);
 static void kvp_host_handshake_func(struct work_struct *dummy);
-static void kvp_register(int);
+static int kvp_register(int);
 
 static DECLARE_DELAYED_WORK(kvp_timeout_work, kvp_timeout_func);
 static DECLARE_DELAYED_WORK(kvp_host_handshake_work, kvp_host_handshake_func);
@@ -127,24 +127,26 @@ static void kvp_register_done(void)
 	hv_poll_channel(kvp_transaction.recv_channel, kvp_poll_wrapper);
 }
 
-static void
+static int
 kvp_register(int reg_value)
 {
 
 	struct hv_kvp_msg *kvp_msg;
 	char *version;
+	int ret;
 
 	kvp_msg = kzalloc_obj(*kvp_msg);
+	if (!kvp_msg)
+		return -ENOMEM;
 
-	if (kvp_msg) {
-		version = kvp_msg->body.kvp_register.version;
-		kvp_msg->kvp_hdr.operation = reg_value;
-		strcpy(version, HV_DRV_VERSION);
-
-		hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
-				      kvp_register_done);
-		kfree(kvp_msg);
-	}
+	version = kvp_msg->body.kvp_register.version;
+	kvp_msg->kvp_hdr.operation = reg_value;
+	strcpy(version, HV_DRV_VERSION);
+
+	ret = hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
+				    kvp_register_done);
+	kfree(kvp_msg);
+	return ret;
 }
 
 static void kvp_timeout_func(struct work_struct *dummy)
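Review bot: kvp_register() still fills the version field with `strcpy(version, HV_DRV_VERSION)`, an unbounded copy into a member of the message structure. Since the function body is being restructured anyway, consider strscpy() bounded by the size of kvp_msg->body.kvp_register.version. The error handling itself reads well: the early `return -ENOMEM` and the `kfree(kvp_msg)` before `return ret` cover both paths.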
@@ -186,9 +188,8 @@ static int kvp_handle_handshake(struct h
 	 */
 	pr_debug("KVP: userspace daemon ver. %d connected\n",
 		 msg->kvp_hdr.operation);
-	kvp_register(dm_reg_value);
 
-	return 0;
+	return kvp_register(dm_reg_value);
 }
 
 




* [PATCH 6.1 337/522] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (335 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 336/522] LoongArch: Add spectre boundry for syscall dispatch table Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 338/522] lib: test_hmm: evict device pages on file close to avoid use-after-free Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, linux-arm-kernel,
	linux-kernel, David Hildenbrand (Arm), Ryan Roberts,
	Anshuman Khandual, Catalin Marinas, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anshuman Khandual <anshuman.khandual@arm.com>

[ Upstream commit 48478b9f791376b4b89018d7afdfd06865498f65 ]

During a memory hot remove operation, both linear and vmemmap mappings for
the memory range being removed, get unmapped via unmap_hotplug_range() but
mapped pages get freed only for vmemmap mapping. This is just a sequential
operation where each table entry gets cleared, followed by a leaf specific
TLB flush, and then followed by memory free operation when applicable.

This approach was simple and uniform both for vmemmap and linear mappings.
But linear mapping might contain CONT marked block memory where it becomes
necessary to first clear out all entries in the range before a TLB flush.
This is as per the architecture requirement. Hence batch all TLB flushes
during the table tear down walk and finally do it in unmap_hotplug_range().

Prior to this fix, it was hypothetically possible for a speculative access
to a higher address in the contiguous block to fill the TLB with shattered
entries for the entire contiguous range after a lower address had already
been cleared and invalidated. Due to the table entries being shattered, the
subsequent TLB invalidation for the higher address would not then clear the
TLB entries for the lower address, meaning stale TLB entries could persist.

Besides it also helps in improving the performance via TLBI range operation
along with reduced synchronization instructions. The time spent executing
unmap_hotplug_range() improved 97% measured over a 2GB memory hot removal
in KVM guest.

This scheme is not applicable during vmemmap mapping tear down where memory
needs to be freed and hence a TLB flush is required after clearing out page
table entry.

Cc: Will Deacon <will@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Closes: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/
Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
Cc: stable@vger.kernel.org
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ replaced `__pte_clear()` with `pte_clear()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/mm/mmu.c |   36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -925,10 +925,14 @@ static void unmap_hotplug_pte_range(pmd_
 
 		WARN_ON(!pte_present(pte));
 		pte_clear(&init_mm, addr, ptep);
-		flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
-		if (free_mapped)
+		if (free_mapped) {
+			/* CONT blocks are not supported in the vmemmap */
+			WARN_ON(pte_cont(pte));
+			flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
 			free_hotplug_page_range(pte_page(pte),
 						PAGE_SIZE, altmap);
+		}
+		/* unmap_hotplug_range() flushes TLB for !free_mapped */
 	} while (addr += PAGE_SIZE, addr < end);
 }
 
@@ -949,15 +953,14 @@ static void unmap_hotplug_pmd_range(pud_
 		WARN_ON(!pmd_present(pmd));
 		if (pmd_sect(pmd)) {
 			pmd_clear(pmdp);
-
-			/*
-			 * One TLBI should be sufficient here as the PMD_SIZE
-			 * range is mapped with a single block entry.
-			 */
-			flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
-			if (free_mapped)
+			if (free_mapped) {
+				/* CONT blocks are not supported in the vmemmap */
+				WARN_ON(pmd_cont(pmd));
+				flush_tlb_kernel_range(addr, addr + PMD_SIZE);
 				free_hotplug_page_range(pmd_page(pmd),
 							PMD_SIZE, altmap);
+			}
+			/* unmap_hotplug_range() flushes TLB for !free_mapped */
 			continue;
 		}
 		WARN_ON(!pmd_table(pmd));
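Review bot: For the free_mapped case the flush range grows from `addr + PAGE_SIZE` to `addr + PMD_SIZE`, and the removed comment that explained why one TLBI was enough for a block entry is not replaced. The commit message does not mention this widening, so a comment stating why the whole PMD_SIZE span is now invalidated would help. WARN_ON(pmd_cont(pmd)) also only warns and then continues to flush and free; the comment should say whether continuing is intended.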
@@ -982,15 +985,12 @@ static void unmap_hotplug_pud_range(p4d_
 		WARN_ON(!pud_present(pud));
 		if (pud_sect(pud)) {
 			pud_clear(pudp);
-
-			/*
-			 * One TLBI should be sufficient here as the PUD_SIZE
-			 * range is mapped with a single block entry.
-			 */
-			flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
-			if (free_mapped)
+			if (free_mapped) {
+				flush_tlb_kernel_range(addr, addr + PUD_SIZE);
 				free_hotplug_page_range(pud_page(pud),
 							PUD_SIZE, altmap);
+			}
+			/* unmap_hotplug_range() flushes TLB for !free_mapped */
 			continue;
 		}
 		WARN_ON(!pud_table(pud));
@@ -1020,6 +1020,7 @@ static void unmap_hotplug_p4d_range(pgd_
 static void unmap_hotplug_range(unsigned long addr, unsigned long end,
 				bool free_mapped, struct vmem_altmap *altmap)
 {
+	unsigned long start = addr;
 	unsigned long next;
 	pgd_t *pgdp, pgd;
 
@@ -1041,6 +1042,9 @@ static void unmap_hotplug_range(unsigned
 		WARN_ON(!pgd_present(pgd));
 		unmap_hotplug_p4d_range(pgdp, addr, next, free_mapped, altmap);
 	} while (addr = next, addr < end);
+
+	if (!free_mapped)
+		flush_tlb_kernel_range(start, end);
 }
 
 static void free_empty_pte_table(pmd_t *pmdp, unsigned long addr,
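Review bot: With the flush deferred to `if (!free_mapped) flush_tlb_kernel_range(start, end);`, cleared entries can remain cached in the TLB for the whole walk. That is safe only because nothing is freed on this path, and the code should say so: a comment above the final flush stating the invariant (no page or table freeing before this flush when !free_mapped) would guard against later changes. The per-level comments "unmap_hotplug_range() flushes TLB for !free_mapped" point here, so this is the natural place for it.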




* [PATCH 7.0 254/378] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (252 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 253/378] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 255/378] inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jason Gunthorpe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream.

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.

Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver")
Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/isert/ib_isert.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1383,6 +1383,12 @@ isert_login_recv_done(struct ib_cq *cq,
 	ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr,
 			ISER_RX_SIZE, DMA_FROM_DEVICE);
 
+	if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) {
+		isert_dbg("login request length %u is too short\n",
+			  wc->byte_len);
+		return;
+	}
+
 	isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN;
 
 	if (isert_conn->conn) {
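Review bot: the new short-PDU reject in isert_login_recv_done() reports only through the debug-level isert_dbg(), so a peer that sends undersized login Sends before authentication is dropped without any record an operator would normally see. If that is deliberate, to keep an unauthenticated peer from flooding the log, say so in a comment above the check; otherwise a rate-limited warning would help detection. A short comment that login_req_len is a signed int and must never receive a negative difference would also document why the check sits before the subtraction.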



^ permalink raw reply	[flat|nested] 906+ messages in thread
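
The length arithmetic described in the commit message above, as a user-space sketch added here for illustration (it is not code from the patch or from the isert driver). struct demo_conn and the function names are hypothetical; only the constants 76 and 8192 come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the commit message above. */
#define ISER_HEADERS_LEN    76u
#define MAX_KEY_VALUE_PAIRS 8192   /* size of login->req_buf */

/* Hypothetical stand-in for the connection state: login_req_len is a
 * signed int, as the commit message states. */
struct demo_conn {
	int login_req_len;
};

/* Receive path before the fix: no lower bound on byte_len. */
static void recv_done_unpatched(struct demo_conn *c, uint32_t byte_len)
{
	/* Unsigned wrap-around, then conversion to int: a short PDU
	 * yields a negative length (two's-complement targets). */
	c->login_req_len = (int)(byte_len - ISER_HEADERS_LEN);
}

/* Receive path with the fix: reject before subtracting.
 * Returns 0 when the PDU is accepted, -1 when it is dropped. */
static int recv_done_patched(struct demo_conn *c, uint32_t byte_len)
{
	if (byte_len < ISER_HEADERS_LEN)
		return -1;
	c->login_req_len = (int)(byte_len - ISER_HEADERS_LEN);
	return 0;
}

/* Length that the later copy step would hand to memcpy(): a signed
 * min() against the buffer size, then implicit conversion to size_t. */
static size_t copy_len_for(const struct demo_conn *c)
{
	int rx_buflen = c->login_req_len;
	int size = rx_buflen < MAX_KEY_VALUE_PAIRS ? rx_buflen
						   : MAX_KEY_VALUE_PAIRS;

	return (size_t)size;   /* a negative size becomes enormous */
}

int main(void)
{
	/* Constructed byte_len values: empty, one short, exact, normal. */
	static const uint32_t samples[] = { 0, 75, 76, 176 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct demo_conn before = { 0 }, after = { 0 };
		int rc;

		recv_done_unpatched(&before, samples[i]);
		rc = recv_done_patched(&after, samples[i]);
		printf("byte_len=%3u  unpatched: len=%d copy=%zu  patched: %s\n",
		       (unsigned)samples[i], before.login_req_len,
		       copy_len_for(&before),
		       rc ? "rejected" : "accepted");
	}
	return 0;
}
```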

* [PATCH 6.1 338/522] lib: test_hmm: evict device pages on file close to avoid use-after-free
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (336 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 337/522] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 339/522] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alistair Popple, Zenghui Yu,
	Balbir Singh, David Hildenbrand, Jason Gunthorpe, Leon Romanovsky,
	Liam Howlett, Lorenzo Stoakes (Oracle), Michal Hocko,
	Mike Rapoport, Suren Baghdasaryan, Matthew Brost, Andrew Morton,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alistair Popple <apopple@nvidia.com>

[ Upstream commit 744dd97752ef1076a8d8672bb0d8aa2c7abc1144 ]

Patch series "Minor hmm_test fixes and cleanups".

Two bugfixes and a cleanup for the HMM kernel selftests.  These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.

This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first.  This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.

If a subsequent fault occurs on those pages (e.g. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic.  This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct.  The function is moved earlier
in the file to avoid a forward declaration.

Link: https://lore.kernel.org/20260331063445.3551404-1-apopple@nvidia.com
Link: https://lore.kernel.org/20260331063445.3551404-2-apopple@nvidia.com
Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Reported-by: Zenghui Yu <zenghui.yu@linux.dev>
Closes: https://lore.kernel.org/linux-mm/8bd0396a-8997-4d2e-a13f-5aac033083d7@linux.dev/
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Tested-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zenghui Yu <zenghui.yu@linux.dev>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ kept the existing simpler `dmirror_device_evict_chunk()` body instead of the upstream compound-folio version ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/test_hmm.c |   86 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 49 insertions(+), 37 deletions(-)

--- a/lib/test_hmm.c
+++ b/lib/test_hmm.c
@@ -183,11 +183,60 @@ static int dmirror_fops_open(struct inod
 	return 0;
 }
 
+static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk)
+{
+	unsigned long start_pfn = chunk->pagemap.range.start >> PAGE_SHIFT;
+	unsigned long end_pfn = chunk->pagemap.range.end >> PAGE_SHIFT;
+	unsigned long npages = end_pfn - start_pfn + 1;
+	unsigned long i;
+	unsigned long *src_pfns;
+	unsigned long *dst_pfns;
+
+	src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL);
+	dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL);
+
+	migrate_device_range(src_pfns, start_pfn, npages);
+	for (i = 0; i < npages; i++) {
+		struct page *dpage, *spage;
+
+		spage = migrate_pfn_to_page(src_pfns[i]);
+		if (!spage || !(src_pfns[i] & MIGRATE_PFN_MIGRATE))
+			continue;
+
+		if (WARN_ON(!is_device_private_page(spage) &&
+			    !is_device_coherent_page(spage)))
+			continue;
+		spage = BACKING_PAGE(spage);
+		dpage = alloc_page(GFP_HIGHUSER_MOVABLE | __GFP_NOFAIL);
+		lock_page(dpage);
+		copy_highpage(dpage, spage);
+		dst_pfns[i] = migrate_pfn(page_to_pfn(dpage));
+		if (src_pfns[i] & MIGRATE_PFN_WRITE)
+			dst_pfns[i] |= MIGRATE_PFN_WRITE;
+	}
+	migrate_device_pages(src_pfns, dst_pfns, npages);
+	migrate_device_finalize(src_pfns, dst_pfns, npages);
+	kvfree(src_pfns);
+	kvfree(dst_pfns);
+}
+
 static int dmirror_fops_release(struct inode *inode, struct file *filp)
 {
 	struct dmirror *dmirror = filp->private_data;
+	struct dmirror_device *mdevice = dmirror->mdevice;
+	int i;
 
 	mmu_interval_notifier_remove(&dmirror->notifier);
+
+	if (mdevice->devmem_chunks) {
+		for (i = 0; i < mdevice->devmem_count; i++) {
+			struct dmirror_chunk *devmem =
+				mdevice->devmem_chunks[i];
+
+			dmirror_device_evict_chunk(devmem);
+		}
+	}
+
 	xa_destroy(&dmirror->pt);
 	kfree(dmirror);
 	return 0;
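Review bot: the eviction loop added to dmirror_fops_release() walks mdevice->devmem_chunks and mdevice->devmem_count with no lock taken in the visible lines, and it evicts every chunk of the shared device rather than only pages tied to the dmirror being released. Please state, in a comment or in the changelog, what serializes this walk against another open file changing the chunk array, and that migrating all device pages back to system memory on any close is acceptable for the test driver.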
@@ -1223,43 +1272,6 @@ static int dmirror_snapshot(struct dmirr
 	return ret;
 }
 
-static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk)
-{
-	unsigned long start_pfn = chunk->pagemap.range.start >> PAGE_SHIFT;
-	unsigned long end_pfn = chunk->pagemap.range.end >> PAGE_SHIFT;
-	unsigned long npages = end_pfn - start_pfn + 1;
-	unsigned long i;
-	unsigned long *src_pfns;
-	unsigned long *dst_pfns;
-
-	src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL);
-	dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL);
-
-	migrate_device_range(src_pfns, start_pfn, npages);
-	for (i = 0; i < npages; i++) {
-		struct page *dpage, *spage;
-
-		spage = migrate_pfn_to_page(src_pfns[i]);
-		if (!spage || !(src_pfns[i] & MIGRATE_PFN_MIGRATE))
-			continue;
-
-		if (WARN_ON(!is_device_private_page(spage) &&
-			    !is_device_coherent_page(spage)))
-			continue;
-		spage = BACKING_PAGE(spage);
-		dpage = alloc_page(GFP_HIGHUSER_MOVABLE | __GFP_NOFAIL);
-		lock_page(dpage);
-		copy_highpage(dpage, spage);
-		dst_pfns[i] = migrate_pfn(page_to_pfn(dpage));
-		if (src_pfns[i] & MIGRATE_PFN_WRITE)
-			dst_pfns[i] |= MIGRATE_PFN_WRITE;
-	}
-	migrate_device_pages(src_pfns, dst_pfns, npages);
-	migrate_device_finalize(src_pfns, dst_pfns, npages);
-	kvfree(src_pfns);
-	kvfree(dst_pfns);
-}
-
 /* Removes free pages from the free list so they can't be re-allocated */
 static void dmirror_remove_free_pages(struct dmirror_chunk *devmem)
 {



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 255/378] inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 254/378] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 256/378] ovl: keep err zero after successful ovl_cache_get() Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Hyunwoo Kim,
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hyunwoo Kim <imv4bel@gmail.com>

commit 32594b09854970d7ba83eb2dc8c69a2edd158c8e upstream.

On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and
flushes every fragment queue that is not yet complete using
inet_frag_queue_flush(). That helper frees all the skbs queued on the
fragment queue but does not set INET_FRAG_COMPLETE, and leaves
q->fragments_tail and q->last_run_head pointing at the freed skbs.
The queue itself stays in the rhashtable.

fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,
but it cannot stop a fragment that already obtained the queue through
inet_frag_find() earlier and stalled just before taking the queue lock.
Once that fragment resumes after the flush and takes the queue lock,
it passes the INET_FRAG_COMPLETE check and then dereferences the freed
fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of
that pointer and, on the append path, writes ->next_frag, causing a
slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly
share the same flush path and are affected as well.

Reset rb_fragments, fragments_tail and last_run_head in
inet_frag_queue_flush() so a flushed queue no longer points at the
freed skbs. A fragment that resumes after the flush and takes the
queue lock then finds an empty queue and starts a new run instead of
dereferencing the freed fragments_tail. ip_frag_reinit() already
performed this reset after its own flush, so drop the now duplicate
code there.

Cc: stable@vger.kernel.org
Fixes: 006a5035b495 ("inet: frags: flush pending skbs in fqdir_pre_exit()")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://patch.msgid.link/ah6ukYq5G98LshdA@v4bel
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/inet_fragment.c |    3 +++
 net/ipv4/ip_fragment.c   |    3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -328,6 +328,9 @@ void inet_frag_queue_flush(struct inet_f
 	reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT;
 	sum = inet_frag_rbtree_purge(&q->rb_fragments, reason);
 	sub_frag_mem_limit(q->fqdir, sum);
+	q->rb_fragments = RB_ROOT;
+	q->fragments_tail = NULL;
+	q->last_run_head = NULL;
 }
 EXPORT_SYMBOL(inet_frag_queue_flush);
 
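Review bot: inet_frag_queue_flush() now clears rb_fragments, fragments_tail and last_run_head, but q.flags, q.len and q.meat are still reset only by the caller in ip_frag_reinit() (see the ip_fragment.c hunk), so on the fqdir_pre_exit() path described in the changelog a flushed queue keeps its old len and meat next to an empty tree. Worth confirming that a fragment resuming on such a queue cannot reach reassembly with those stale counters. A short comment above the three resets, saying they exist for fragments that looked the queue up before the flush, would stop them from being removed as redundant later.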
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -250,9 +250,6 @@ static int ip_frag_reinit(struct ipq *qp
 	qp->q.flags = 0;
 	qp->q.len = 0;
 	qp->q.meat = 0;
-	qp->q.rb_fragments = RB_ROOT;
-	qp->q.fragments_tail = NULL;
-	qp->q.last_run_head = NULL;
 	qp->iif = 0;
 	qp->ecn = 0;
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 339/522] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (337 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 338/522] lib: test_hmm: evict device pages on file close to avoid use-after-free Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 340/522] spi: imx: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Johannes Berg,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Hodges <git@danielhodges.dev>

[ Upstream commit ae5e95d4157481693be2317e3ffcd84e36010cbb ]

The mwifiex_adapter_cleanup() function uses timer_delete()
(non-synchronous) for the wakeup_timer before the adapter structure is
freed. This is incorrect because timer_delete() does not wait for any
running timer callback to complete.

If the wakeup_timer callback (wakeup_timer_fn) is executing when
mwifiex_adapter_cleanup() is called, the callback will continue to
access adapter fields (adapter->hw_status, adapter->if_ops.card_reset,
etc.) which may be freed by mwifiex_free_adapter() called later in the
mwifiex_remove_card() path.

Use timer_delete_sync() instead to ensure any running timer callback has
completed before returning.

Fixes: 4636187da60b ("mwifiex: add wakeup timer based recovery mechanism")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
Link: https://patch.msgid.link/20260206194401.2346-1-git@danielhodges.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ changed `timer_delete_sync()` to `del_timer_sync()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/marvell/mwifiex/init.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/marvell/mwifiex/init.c
+++ b/drivers/net/wireless/marvell/mwifiex/init.c
@@ -388,7 +388,7 @@ static void mwifiex_invalidate_lists(str
 static void
 mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
 {
-	del_timer(&adapter->wakeup_timer);
+	del_timer_sync(&adapter->wakeup_timer);
 	cancel_delayed_work_sync(&adapter->devdump_work);
 	mwifiex_cancel_all_pending_cmd(adapter);
 	wake_up_interruptible(&adapter->cmd_wait_q.wait);
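Review bot: switching to del_timer_sync() at the top of mwifiex_adapter_cleanup() closes the race only if nothing re-arms wakeup_timer afterwards and if no caller reaches this function holding a lock that wakeup_timer_fn also takes, since del_timer_sync() waits for a running callback. Neither is visible in this hunk; please confirm both, and consider a comment stating that the timer must not be re-armed once cleanup has started.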



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 256/378] ovl: keep err zero after successful ovl_cache_get()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 255/378] inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 257/378] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+a16fb0cce329a320661c,
	Nirmoy Das, Christian Brauner

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nirmoy Das <nirmoyd@nvidia.com>

commit 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 upstream.

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
IS_ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

  getdents64
    iterate_dir(outer overlay file)
      ovl_iterate_merged()
        ovl_cache_get()
          ovl_dir_read_merged()
            ovl_dir_read()
              iterate_dir(inner overlay file)
                ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.

Fixes: d25e4b739f83 ("ovl: refactor ovl_iterate() and port to cred guard")
Reported-by: syzbot+a16fb0cce329a320661c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a16fb0cce329a320661c
Cc: stable@vger.kernel.org
Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com>
Link: https://patch.msgid.link/20260514144258.3068715-1-nirmoyd@nvidia.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/overlayfs/readdir.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -838,15 +838,14 @@ static int ovl_iterate_merged(struct fil
 	struct ovl_dir_file *od = file->private_data;
 	struct dentry *dentry = file->f_path.dentry;
 	struct ovl_cache_entry *p;
-	int err = 0;
+	int err;
 
 	if (!od->cache) {
 		struct ovl_dir_cache *cache;
 
 		cache = ovl_cache_get(dentry);
-		err = PTR_ERR(cache);
 		if (IS_ERR(cache))
-			return err;
+			return PTR_ERR(cache);
 
 		od->cache = cache;
 		ovl_seek_cursor(od, ctx->pos);
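Review bot: with `int err = 0;` reduced to `int err;` at the top of ovl_iterate_merged(), err stays uninitialised until something between the two hunks assigns it, so every remaining read of err in the function body has to be preceded by a store. The final `return 0;` in the second hunk removes the one read visible here; please check the unseen middle of the function the same way, or move the variable into the narrower scope where it is assigned.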
@@ -869,7 +868,7 @@ static int ovl_iterate_merged(struct fil
 		od->cursor = p->l_node.next;
 		ctx->pos++;
 	}
-	return err;
+	return 0;
 }
 
 static bool ovl_need_adjust_d_ino(struct file *file)



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 340/522] spi: imx: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (338 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 339/522] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 341/522] spi: imx: fix use-after-free on unbind Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 423e548127223d597bb65a149ebcb3c50ea08846 ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230306065733.2170662-3-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 1c78c2002380 ("spi: imx: fix use-after-free on unbind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-imx.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1879,7 +1879,7 @@ out_controller_put:
 	return ret;
 }
 
-static int spi_imx_remove(struct platform_device *pdev)
+static void spi_imx_remove(struct platform_device *pdev)
 {
 	struct spi_controller *controller = platform_get_drvdata(pdev);
 	struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
@@ -1898,8 +1898,6 @@ static int spi_imx_remove(struct platfor
 	pm_runtime_disable(spi_imx->dev);
 
 	spi_imx_sdma_exit(spi_imx);
-
-	return 0;
 }
 
 static int __maybe_unused spi_imx_runtime_resume(struct device *dev)
@@ -1961,7 +1959,7 @@ static struct platform_driver spi_imx_dr
 		   .pm = &imx_spi_pm,
 	},
 	.probe = spi_imx_probe,
-	.remove = spi_imx_remove,
+	.remove_new = spi_imx_remove,
 };
 module_platform_driver(spi_imx_driver);
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 257/378] pidfd: refuse access to tasks that have started exiting harder
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 256/378] ovl: keep err zero after successful ovl_cache_get() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 258/378] s390: Remove GENERIC_LOCKBREAK Kconfig option Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Brauner <brauner@kernel.org>

commit 62c4d31d78294bd61cf3403626b789e854357177 upstream.

The recent ptrace fix closed a hole where someone could rely on task->mm
becoming NULL during do_exit() to bypass dumpability checks. This API
here leans on the very same check and so inherits the fix.

But there is no good reason to let it succeed at all once the target has
entered do_exit(). PF_EXITING is set by exit_signals() at the very top
of do_exit(), before exit_mm() and exit_files() run. Once we observe it,
the task is committed to dying and exit_files() will release the fdtable
shortly.

Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/pid.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -878,10 +878,12 @@ static struct file *__pidfd_fget(struct
 	if (ret)
 		return ERR_PTR(ret);
 
-	if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
-		file = fget_task(task, fd);
-	else
+	if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
 		file = ERR_PTR(-EPERM);
+	else if (task->flags & PF_EXITING)
+		file = ERR_PTR(-ESRCH);
+	else
+		file = fget_task(task, fd);
 
 	up_read(&task->signal->exec_update_lock);
 
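Review bot: the new `task->flags & PF_EXITING` test in __pidfd_fget() is a plain read, while the changelog says the flag is set by exit_signals() at the top of do_exit(); nothing visible here orders the two, so the target can set PF_EXITING right after the check and before fget_task() runs. That is fine if the check is meant as best-effort hardening on top of ptrace_may_access(), but a comment saying so would keep readers from treating it as a guarantee. The additional -ESRCH result is also visible to user space and deserves a line in the pidfd_getfd() documentation.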



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 341/522] spi: imx: fix use-after-free on unbind
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (339 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 340/522] spi: imx: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 342/522] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 1c78c2002380a1fe31bfb01a3d5f29809e55a096 ]

The SPI subsystem frees the controller and any subsystem allocated
driver data as part of deregistration (unless the allocation is device
managed).

Take another reference before deregistering the controller so that the
driver data is not freed until the driver is done with it.

Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
Cc: stable@vger.kernel.org	# 5.19
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260324082326.901043-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-imx.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1885,6 +1885,8 @@ static void spi_imx_remove(struct platfo
 	struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
 	int ret;
 
+	spi_controller_get(controller);
+
 	spi_unregister_controller(controller);
 
 	ret = pm_runtime_get_sync(spi_imx->dev);
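Review bot: the spi_controller_get() added before spi_unregister_controller() in spi_imx_remove() has no comment explaining that it keeps spi_imx, which is obtained from the controller's driver data, alive for the runtime-PM and SDMA teardown that follows. A one-line comment at the get, matching the put added in the second hunk, would stop the pair from looking like a stray refcount change.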
@@ -1898,6 +1900,8 @@ static void spi_imx_remove(struct platfo
 	pm_runtime_disable(spi_imx->dev);
 
 	spi_imx_sdma_exit(spi_imx);
+
+	spi_controller_put(controller);
 }
 
 static int __maybe_unused spi_imx_runtime_resume(struct device *dev)



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 258/378] s390: Remove GENERIC_LOCKBREAK Kconfig option
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (256 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 257/378] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 259/378] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Massimiliano Pellizzer,
	Sven Schnelle, Heiko Carstens, Alexander Gordeev

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <hca@linux.ibm.com>

commit 1f57f68c4dd101e5e8ffc9ffa6428f45bcdd776a upstream.

s390 selects GENERIC_LOCKBREAK if PREEMPT is enabled. The reason is a
historic 18-year-old commit [1] which fixed a compile error for
PREEMPT-enabled kernels. Back then only PREEMPT_NONE and PREEMPT_VOLUNTARY
kernels were considered to be important for s390. PREEMPT should "just work".

However, since recently PREEMPT is always enabled [2], which also causes
GENERIC_LOCKBREAK to be always enabled. For some workloads this leads to
massive performance degradation; e.g. a simple kernel compile on machines
with many CPUs may take up to four times longer.

To fix this just remove the GENERIC_LOCKBREAK from s390's Kconfig, since
the compile error from 18 years ago does not exist anymore.

[1] commit b6b40c532a36 ("[S390] Define GENERIC_LOCKBREAK.")
[2] commit 7dadeaa6e851 ("sched: Further restrict the preemption modes")

Cc: stable@vger.kernel.org
Reported-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/Kconfig |    3 ---
 1 file changed, 3 deletions(-)

--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -29,9 +29,6 @@ config GENERIC_BUG
 config GENERIC_BUG_RELATIVE_POINTERS
 	def_bool y
 
-config GENERIC_LOCKBREAK
-	def_bool y if PREEMPTION
-
 config AUDIT_ARCH
 	def_bool y
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 342/522] thermal: core: Fix thermal zone governor cleanup issues
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (340 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 341/522] spi: imx: fix use-after-free on unbind Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 343/522] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

[ Upstream commit 41ff66baf81c6541f4f985dd7eac4494d03d9440 ]

If thermal_zone_device_register_with_trips() fails after adding
a thermal governor to the thermal zone being registered, the
governor is not removed from it as appropriate which may lead to
a memory leak.

In turn, thermal_zone_device_unregister() calls thermal_set_governor()
without acquiring the thermal zone lock beforehand which may race with
a governor update via sysfs and may lead to a use-after-free in that
case.

Address these issues by adding two thermal_set_governor() calls, one to
thermal_release() to remove the governor from the given thermal zone,
and one to the thermal zone registration error path to cover failures
preceding the thermal zone device registration.

Fixes: e33df1d2f3a0 ("thermal: let governors have private data for each thermal zone")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5092923.31r3eYUQgx@rafael.j.wysocki
[ adapted context for missing mutex_destroy/complete ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/thermal_core.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -756,6 +756,7 @@ static void thermal_release(struct devic
 		     sizeof("thermal_zone") - 1)) {
 		tz = to_thermal_zone(dev);
 		thermal_zone_destroy_device_groups(tz);
+		thermal_set_governor(tz, NULL);
 		kfree(tz);
 	} else if (!strncmp(dev_name(dev), "cooling_device",
 			    sizeof("cooling_device") - 1)) {
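Review bot: the thermal_set_governor(tz, NULL) call added to thermal_release() runs without the thermal zone lock, which is the same property the changelog identifies as the problem with the call removed from thermal_zone_device_unregister(). If it is safe here because the release callback runs only after the last reference is gone and sysfs can no longer reach the zone, a comment above the call should say so.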
@@ -1260,8 +1261,10 @@ thermal_zone_device_register_with_trips(
 	/* sys I/F */
 	/* Add nodes that are always present via .groups */
 	result = thermal_zone_create_device_groups(tz, mask);
-	if (result)
+	if (result) {
+		thermal_set_governor(tz, NULL);
 		goto remove_id;
+	}
 
 	/* A new thermal zone needs to be updated anyway. */
 	atomic_set(&tz->need_update, 1);
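Review bot: the governor teardown for the thermal_zone_create_device_groups() failure is open-coded inside the `if (result)` block rather than placed at an unwind label, so any other branch that jumps to remove_id after the governor has been set would skip it. Please confirm this is the only such branch, or move the call to a dedicated label ahead of remove_id so the unwind order stays in one place.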
@@ -1396,8 +1399,6 @@ void thermal_zone_device_unregister(stru
 
 	cancel_delayed_work_sync(&tz->poll_queue);
 
-	thermal_set_governor(tz, NULL);
-
 	thermal_remove_hwmon_sysfs(tz);
 	ida_free(&thermal_tz_ida, tz->id);
 	ida_destroy(&tz->ida);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 259/378] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (257 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 258/378] s390: Remove GENERIC_LOCKBREAK Kconfig option Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 260/378] accel/ethosu: fix IFM region index out-of-bounds in command stream parser Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Rob Herring (Arm)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit c0837b9cf6eabbad8b8cbddaff1a46a6d0a2e29d upstream.

The command stream parsing loop increments the index variable a second
time when a 64-bit command word is encountered (bit 14 set), but does
not re-check the loop bound before writing the second word:

    for (i = 0; i < size / 4; i++) {
        bocmds[i] = cmds[0];
        if (cmd & 0x4000) {
            i++;
            bocmds[i] = cmds[1];   /* unchecked */
        }
    }

The buffer bocmds is backed by a DMA allocation of exactly size bytes
from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].

When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is
set, bocmds[size/4-1] is written in bounds, i is then incremented to
size/4, and bocmds[size/4] writes four bytes past the end of the
allocation.

Userspace controls both the buffer contents and the size argument via
the ioctl, making this a userspace-triggerable heap out-of-bounds write.

Fix by checking the incremented index against the buffer bound before
the second write and returning -EINVAL if the buffer is too small to
contain the extended command.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523190843.33977-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ethosu/ethosu_gem.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -387,6 +387,8 @@ static int ethosu_gem_cmdstream_copy_and
 				return -EFAULT;
 
 			i++;
+			if (i >= size / 4)
+				return -EINVAL;
 			bocmds[i] = cmds[1];
 			addr = cmd_to_addr(cmds);
 		}
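Review bot: the new "if (i >= size / 4)" check returns -EINVAL directly, like the "return -EFAULT" just above it, so both exits rely on the caller to release the bocmds allocation; worth confirming that this holds on the new path too. The bound size / 4 is also written out again here and in the loop condition quoted in the commit message; a local word count would keep the two from drifting apart.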



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 343/522] ALSA: aoa: Use guard() for mutex locks
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (341 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 342/522] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 344/522] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit 1cb6ecbb372002ef9e531c5377e5f60122411e40 ]

Replace the manual mutex lock/unlock pairs with guard() for code
simplification.

Only code refactoring, and no behavior change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829151335.7342-14-tiwai@suse.de
Stable-dep-of: 5ed060d54915 ("ALSA: aoa: i2sbus: clear stale prepared state")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/codecs/onyx.c         |  104 +++++++++++-------------------------
 sound/aoa/codecs/tas.c          |  113 +++++++++++++---------------------------
 sound/aoa/core/gpio-feature.c   |   20 ++-----
 sound/aoa/core/gpio-pmf.c       |   26 +++------
 sound/aoa/soundbus/i2sbus/pcm.c |   76 ++++++++------------------
 5 files changed, 112 insertions(+), 227 deletions(-)

--- a/sound/aoa/codecs/onyx.c
+++ b/sound/aoa/codecs/onyx.c
@@ -121,10 +121,9 @@ static int onyx_snd_vol_get(struct snd_k
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	s8 l, r;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_LEFT, &l);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT, &r);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] = l + VOLUME_RANGE_SHIFT;
 	ucontrol->value.integer.value[1] = r + VOLUME_RANGE_SHIFT;
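Review bot: guard(mutex)(&onyx->mutex) here, and throughout the patch, needs the scope-based cleanup helpers, and no hunk in this patch adds them or an include for them, so the 6.1.y queue has to carry that prerequisite ahead of this change. In this function the mutex is also now held across the two ucontrol->value assignments until return, a slightly wider critical section than the explicit unlock gave, which is worth a mention next to "no behavior change".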
@@ -145,15 +144,13 @@ static int onyx_snd_vol_put(struct snd_k
 	    ucontrol->value.integer.value[1] > -1 + VOLUME_RANGE_SHIFT)
 		return -EINVAL;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_LEFT, &l);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT, &r);
 
 	if (l + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[0] &&
-	    r + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[1]) {
-		mutex_unlock(&onyx->mutex);
+	    r + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	onyx_write_register(onyx, ONYX_REG_DAC_ATTEN_LEFT,
 			    ucontrol->value.integer.value[0]
@@ -161,7 +158,6 @@ static int onyx_snd_vol_put(struct snd_k
 	onyx_write_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT,
 			    ucontrol->value.integer.value[1]
 			     - VOLUME_RANGE_SHIFT);
-	mutex_unlock(&onyx->mutex);
 
 	return 1;
 }
@@ -197,9 +193,8 @@ static int onyx_snd_inputgain_get(struct
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 ig;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &ig);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] =
 		(ig & ONYX_ADC_PGA_GAIN_MASK) + INPUTGAIN_RANGE_SHIFT;
@@ -216,14 +211,13 @@ static int onyx_snd_inputgain_put(struct
 	if (ucontrol->value.integer.value[0] < 3 + INPUTGAIN_RANGE_SHIFT ||
 	    ucontrol->value.integer.value[0] > 28 + INPUTGAIN_RANGE_SHIFT)
 		return -EINVAL;
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
 	n = v;
 	n &= ~ONYX_ADC_PGA_GAIN_MASK;
 	n |= (ucontrol->value.integer.value[0] - INPUTGAIN_RANGE_SHIFT)
 		& ONYX_ADC_PGA_GAIN_MASK;
 	onyx_write_register(onyx, ONYX_REG_ADC_CONTROL, n);
-	mutex_unlock(&onyx->mutex);
 
 	return n != v;
 }
@@ -251,9 +245,8 @@ static int onyx_snd_capture_source_get(s
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	s8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.enumerated.item[0] = !!(v&ONYX_ADC_INPUT_MIC);
 
@@ -264,13 +257,12 @@ static void onyx_set_capture_source(stru
 {
 	s8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
 	v &= ~ONYX_ADC_INPUT_MIC;
 	if (mic)
 		v |= ONYX_ADC_INPUT_MIC;
 	onyx_write_register(onyx, ONYX_REG_ADC_CONTROL, v);
-	mutex_unlock(&onyx->mutex);
 }
 
 static int onyx_snd_capture_source_put(struct snd_kcontrol *kcontrol,
@@ -311,9 +303,8 @@ static int onyx_snd_mute_get(struct snd_
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 c;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &c);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] = !(c & ONYX_MUTE_LEFT);
 	ucontrol->value.integer.value[1] = !(c & ONYX_MUTE_RIGHT);
@@ -328,9 +319,9 @@ static int onyx_snd_mute_put(struct snd_
 	u8 v = 0, c = 0;
 	int err = -EBUSY;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	if (onyx->analog_locked)
-		goto out_unlock;
+		return -EBUSY;
 
 	onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &v);
 	c = v;
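Review bot: "int err = -EBUSY;" at the top of onyx_snd_mute_put() is now a dead initializer, since the analog_locked case returns -EBUSY directly and err is assigned from onyx_write_register() before its only use. Dropping the initializer would keep the declaration from suggesting a fall-through error path that no longer exists.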
@@ -341,9 +332,6 @@ static int onyx_snd_mute_put(struct snd_
 		c |= ONYX_MUTE_RIGHT;
 	err = onyx_write_register(onyx, ONYX_REG_DAC_CONTROL, c);
 
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
 	return !err ? (v != c) : err;
 }
 
@@ -372,9 +360,8 @@ static int onyx_snd_single_bit_get(struc
 	u8 address = (pv >> 8) & 0xff;
 	u8 mask = pv & 0xff;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, address, &c);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] = !!(c & mask) ^ polarity;
 
@@ -393,11 +380,10 @@ static int onyx_snd_single_bit_put(struc
 	u8 address = (pv >> 8) & 0xff;
 	u8 mask = pv & 0xff;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	if (spdiflock && onyx->spdif_locked) {
 		/* even if alsamixer doesn't care.. */
-		err = -EBUSY;
-		goto out_unlock;
+		return -EBUSY;
 	}
 	onyx_read_register(onyx, address, &v);
 	c = v;
@@ -406,9 +392,6 @@ static int onyx_snd_single_bit_put(struc
 		c |= mask;
 	err = onyx_write_register(onyx, address, c);
 
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
 	return !err ? (v != c) : err;
 }
 
@@ -489,7 +472,7 @@ static int onyx_spdif_get(struct snd_kco
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO1, &v);
 	ucontrol->value.iec958.status[0] = v & 0x3e;
 
@@ -501,7 +484,6 @@ static int onyx_spdif_get(struct snd_kco
 
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
 	ucontrol->value.iec958.status[4] = v & 0x0f;
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -512,7 +494,7 @@ static int onyx_spdif_put(struct snd_kco
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO1, &v);
 	v = (v & ~0x3e) | (ucontrol->value.iec958.status[0] & 0x3e);
 	onyx_write_register(onyx, ONYX_REG_DIG_INFO1, v);
@@ -527,7 +509,6 @@ static int onyx_spdif_put(struct snd_kco
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
 	v = (v & ~0x0f) | (ucontrol->value.iec958.status[4] & 0x0f);
 	onyx_write_register(onyx, ONYX_REG_DIG_INFO4, v);
-	mutex_unlock(&onyx->mutex);
 
 	return 1;
 }
@@ -672,14 +653,13 @@ static int onyx_usable(struct codec_info
 	struct onyx *onyx = cii->codec_data;
 	int spdif_enabled, analog_enabled;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
 	spdif_enabled = !!(v & ONYX_SPDIF_ENABLE);
 	onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &v);
 	analog_enabled =
 		(v & (ONYX_MUTE_RIGHT|ONYX_MUTE_LEFT))
 		 != (ONYX_MUTE_RIGHT|ONYX_MUTE_LEFT);
-	mutex_unlock(&onyx->mutex);
 
 	switch (ti->tag) {
 	case 0: return 1;
@@ -695,9 +675,8 @@ static int onyx_prepare(struct codec_inf
 {
 	u8 v;
 	struct onyx *onyx = cii->codec_data;
-	int err = -EBUSY;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 
 #ifdef SNDRV_PCM_FMTBIT_COMPRESSED_16BE
 	if (substream->runtime->format == SNDRV_PCM_FMTBIT_COMPRESSED_16BE) {
@@ -706,10 +685,9 @@ static int onyx_prepare(struct codec_inf
 		if (onyx_write_register(onyx,
 					ONYX_REG_DAC_CONTROL,
 					v | ONYX_MUTE_RIGHT | ONYX_MUTE_LEFT))
-			goto out_unlock;
+			return -EBUSY;
 		onyx->analog_locked = 1;
-		err = 0;
-		goto out_unlock;
+		return 0;
 	}
 #endif
 	switch (substream->runtime->rate) {
@@ -719,8 +697,7 @@ static int onyx_prepare(struct codec_inf
 		/* these rates are ok for all outputs */
 		/* FIXME: program spdif channel control bits here so that
 		 *	  userspace doesn't have to if it only plays pcm! */
-		err = 0;
-		goto out_unlock;
+		return 0;
 	default:
 		/* got some rate that the digital output can't do,
 		 * so disable and lock it */
@@ -728,16 +705,12 @@ static int onyx_prepare(struct codec_inf
 		if (onyx_write_register(onyx,
 					ONYX_REG_DIG_INFO4,
 					v & ~ONYX_SPDIF_ENABLE))
-			goto out_unlock;
+			return -EBUSY;
 		onyx->spdif_locked = 1;
-		err = 0;
-		goto out_unlock;
+		return 0;
 	}
 
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
-	return err;
+	return -EBUSY;
 }
 
 static int onyx_open(struct codec_info_item *cii,
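Review bot: the trailing "return -EBUSY;" at the end of onyx_prepare() looks unreachable, because every switch arm visible in these hunks, including both paths through default, now returns. Either drop it or add a comment saying it only exists to satisfy the compiler, so a reader does not go looking for a path that reaches it.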
@@ -745,9 +718,8 @@ static int onyx_open(struct codec_info_i
 {
 	struct onyx *onyx = cii->codec_data;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx->open_count++;
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -757,11 +729,10 @@ static int onyx_close(struct codec_info_
 {
 	struct onyx *onyx = cii->codec_data;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx->open_count--;
 	if (!onyx->open_count)
 		onyx->spdif_locked = onyx->analog_locked = 0;
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -771,7 +742,7 @@ static int onyx_switch_clock(struct code
 {
 	struct onyx *onyx = cii->codec_data;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	/* this *MUST* be more elaborate later... */
 	switch (what) {
 	case CLOCK_SWITCH_PREPARE_SLAVE:
@@ -783,7 +754,6 @@ static int onyx_switch_clock(struct code
 	default: /* silence warning */
 		break;
 	}
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -794,27 +764,21 @@ static int onyx_suspend(struct codec_inf
 {
 	struct onyx *onyx = cii->codec_data;
 	u8 v;
-	int err = -ENXIO;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	if (onyx_read_register(onyx, ONYX_REG_CONTROL, &v))
-		goto out_unlock;
+		return -ENXIO;
 	onyx_write_register(onyx, ONYX_REG_CONTROL, v | ONYX_ADPSV | ONYX_DAPSV);
 	/* Apple does a sleep here but the datasheet says to do it on resume */
-	err = 0;
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
-	return err;
+	return 0;
 }
 
 static int onyx_resume(struct codec_info_item *cii)
 {
 	struct onyx *onyx = cii->codec_data;
 	u8 v;
-	int err = -ENXIO;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 
 	/* reset codec */
 	onyx->codec.gpio->methods->set_hw_reset(onyx->codec.gpio, 0);
@@ -826,17 +790,13 @@ static int onyx_resume(struct codec_info
 
 	/* take codec out of suspend (if it still is after reset) */
 	if (onyx_read_register(onyx, ONYX_REG_CONTROL, &v))
-		goto out_unlock;
+		return -ENXIO;
 	onyx_write_register(onyx, ONYX_REG_CONTROL, v & ~(ONYX_ADPSV | ONYX_DAPSV));
 	/* FIXME: should divide by sample rate, but 8k is the lowest we go */
 	msleep(2205000/8000);
 	/* reset all values */
 	onyx_register_init(onyx);
-	err = 0;
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
-	return err;
+	return 0;
 }
 
 #endif /* CONFIG_PM */
--- a/sound/aoa/codecs/tas.c
+++ b/sound/aoa/codecs/tas.c
@@ -235,10 +235,9 @@ static int tas_snd_vol_get(struct snd_kc
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->cached_volume_l;
 	ucontrol->value.integer.value[1] = tas->cached_volume_r;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -254,18 +253,15 @@ static int tas_snd_vol_put(struct snd_kc
 	    ucontrol->value.integer.value[1] > 177)
 		return -EINVAL;
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	if (tas->cached_volume_l == ucontrol->value.integer.value[0]
-	 && tas->cached_volume_r == ucontrol->value.integer.value[1]) {
-		mutex_unlock(&tas->mtx);
+	 && tas->cached_volume_r == ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	tas->cached_volume_l = ucontrol->value.integer.value[0];
 	tas->cached_volume_r = ucontrol->value.integer.value[1];
 	if (tas->hw_enabled)
 		tas_set_volume(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -285,10 +281,9 @@ static int tas_snd_mute_get(struct snd_k
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = !tas->mute_l;
 	ucontrol->value.integer.value[1] = !tas->mute_r;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -297,18 +292,15 @@ static int tas_snd_mute_put(struct snd_k
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	if (tas->mute_l == !ucontrol->value.integer.value[0]
-	 && tas->mute_r == !ucontrol->value.integer.value[1]) {
-		mutex_unlock(&tas->mtx);
+	 && tas->mute_r == !ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	tas->mute_l = !ucontrol->value.integer.value[0];
 	tas->mute_r = !ucontrol->value.integer.value[1];
 	if (tas->hw_enabled)
 		tas_set_volume(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -337,10 +329,9 @@ static int tas_snd_mixer_get(struct snd_
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 	int idx = kcontrol->private_value;
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->mixer_l[idx];
 	ucontrol->value.integer.value[1] = tas->mixer_r[idx];
-	mutex_unlock(&tas->mtx);
 
 	return 0;
 }
@@ -351,19 +342,16 @@ static int tas_snd_mixer_put(struct snd_
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 	int idx = kcontrol->private_value;
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	if (tas->mixer_l[idx] == ucontrol->value.integer.value[0]
-	 && tas->mixer_r[idx] == ucontrol->value.integer.value[1]) {
-		mutex_unlock(&tas->mtx);
+	 && tas->mixer_r[idx] == ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	tas->mixer_l[idx] = ucontrol->value.integer.value[0];
 	tas->mixer_r[idx] = ucontrol->value.integer.value[1];
 
 	if (tas->hw_enabled)
 		tas_set_mixer(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -396,9 +384,8 @@ static int tas_snd_drc_range_get(struct
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->drc_range;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -411,16 +398,13 @@ static int tas_snd_drc_range_put(struct
 	    ucontrol->value.integer.value[0] > TAS3004_DRC_MAX)
 		return -EINVAL;
 
-	mutex_lock(&tas->mtx);
-	if (tas->drc_range == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->drc_range == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->drc_range = ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas3004_set_drc(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -440,9 +424,8 @@ static int tas_snd_drc_switch_get(struct
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->drc_enabled;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -451,16 +434,13 @@ static int tas_snd_drc_switch_put(struct
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
-	if (tas->drc_enabled == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->drc_enabled == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->drc_enabled = !!ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas3004_set_drc(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -486,9 +466,8 @@ static int tas_snd_capture_source_get(st
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.enumerated.item[0] = !!(tas->acr & TAS_ACR_INPUT_B);
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -500,7 +479,7 @@ static int tas_snd_capture_source_put(st
 
 	if (ucontrol->value.enumerated.item[0] > 1)
 		return -EINVAL;
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	oldacr = tas->acr;
 
 	/*
@@ -512,13 +491,10 @@ static int tas_snd_capture_source_put(st
 	if (ucontrol->value.enumerated.item[0])
 		tas->acr |= TAS_ACR_INPUT_B | TAS_ACR_B_MONAUREAL |
 		      TAS_ACR_B_MON_SEL_RIGHT;
-	if (oldacr == tas->acr) {
-		mutex_unlock(&tas->mtx);
+	if (oldacr == tas->acr)
 		return 0;
-	}
 	if (tas->hw_enabled)
 		tas_write_reg(tas, TAS_REG_ACR, 1, &tas->acr);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -557,9 +533,8 @@ static int tas_snd_treble_get(struct snd
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->treble;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -571,16 +546,13 @@ static int tas_snd_treble_put(struct snd
 	if (ucontrol->value.integer.value[0] < TAS3004_TREBLE_MIN ||
 	    ucontrol->value.integer.value[0] > TAS3004_TREBLE_MAX)
 		return -EINVAL;
-	mutex_lock(&tas->mtx);
-	if (tas->treble == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->treble == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->treble = ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas_set_treble(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -608,9 +580,8 @@ static int tas_snd_bass_get(struct snd_k
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->bass;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -622,16 +593,13 @@ static int tas_snd_bass_put(struct snd_k
 	if (ucontrol->value.integer.value[0] < TAS3004_BASS_MIN ||
 	    ucontrol->value.integer.value[0] > TAS3004_BASS_MAX)
 		return -EINVAL;
-	mutex_lock(&tas->mtx);
-	if (tas->bass == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->bass == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->bass = ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas_set_bass(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -722,13 +690,13 @@ static int tas_switch_clock(struct codec
 		break;
 	case CLOCK_SWITCH_SLAVE:
 		/* Clocks are back, re-init the codec */
-		mutex_lock(&tas->mtx);
-		tas_reset_init(tas);
-		tas_set_volume(tas);
-		tas_set_mixer(tas);
-		tas->hw_enabled = 1;
-		tas->codec.gpio->methods->all_amps_restore(tas->codec.gpio);
-		mutex_unlock(&tas->mtx);
+		scoped_guard(mutex, &tas->mtx) {
+			tas_reset_init(tas);
+			tas_set_volume(tas);
+			tas_set_mixer(tas);
+			tas->hw_enabled = 1;
+			tas->codec.gpio->methods->all_amps_restore(tas->codec.gpio);
+		}
 		break;
 	default:
 		/* doesn't happen as of now */
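Review bot: in the CLOCK_SWITCH_SLAVE case the "break;" has to stay outside the scoped_guard() block, as it does here, because scoped_guard() is a for-loop macro and a break placed inside it would leave the guard rather than the switch. A short comment on the block would stop a later edit from moving the break inside.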
@@ -743,23 +711,21 @@ static int tas_switch_clock(struct codec
  * our i2c device is suspended, and then take note of that! */
 static int tas_suspend(struct tas *tas)
 {
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	tas->hw_enabled = 0;
 	tas->acr |= TAS_ACR_ANALOG_PDOWN;
 	tas_write_reg(tas, TAS_REG_ACR, 1, &tas->acr);
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
 static int tas_resume(struct tas *tas)
 {
 	/* reset codec */
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	tas_reset_init(tas);
 	tas_set_volume(tas);
 	tas_set_mixer(tas);
 	tas->hw_enabled = 1;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -802,14 +768,13 @@ static int tas_init_codec(struct aoa_cod
 		return -EINVAL;
 	}
 
-	mutex_lock(&tas->mtx);
-	if (tas_reset_init(tas)) {
-		printk(KERN_ERR PFX "tas failed to initialise\n");
-		mutex_unlock(&tas->mtx);
-		return -ENXIO;
+	scoped_guard(mutex, &tas->mtx) {
+		if (tas_reset_init(tas)) {
+			printk(KERN_ERR PFX "tas failed to initialise\n");
+			return -ENXIO;
+		}
+		tas->hw_enabled = 1;
 	}
-	tas->hw_enabled = 1;
-	mutex_unlock(&tas->mtx);
 
 	if (tas->codec.soundbus_dev->attach_codec(tas->codec.soundbus_dev,
 						   aoa_get_card(),
--- a/sound/aoa/core/gpio-feature.c
+++ b/sound/aoa/core/gpio-feature.c
@@ -212,10 +212,9 @@ static void ftr_handle_notify(struct wor
 	struct gpio_notification *notif =
 		container_of(work, struct gpio_notification, work.work);
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 	if (notif->notify)
 		notif->notify(notif->data);
-	mutex_unlock(&notif->mutex);
 }
 
 static void gpio_enable_dual_edge(int gpio)
@@ -341,19 +340,17 @@ static int ftr_set_notify(struct gpio_ru
 	if (!irq)
 		return -ENODEV;
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 
 	old = notif->notify;
 
-	if (!old && !notify) {
-		err = 0;
-		goto out_unlock;
-	}
+	if (!old && !notify)
+		return 0;
 
 	if (old && notify) {
 		if (old == notify && notif->data == data)
 			err = 0;
-		goto out_unlock;
+		return err;
 	}
 
 	if (old && !notify)
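Review bot: in the "if (old && notify)" branch, "return err;" returns whatever err was initialised to outside this hunk whenever the callback or data differ. Every other exit in ftr_set_notify() now returns a literal or a freshly assigned value, so this one is worth spelling out as an explicit "return 0" for the match and a named error code otherwise.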
@@ -362,16 +359,13 @@ static int ftr_set_notify(struct gpio_ru
 	if (!old && notify) {
 		err = request_irq(irq, ftr_handle_notify_irq, 0, name, notif);
 		if (err)
-			goto out_unlock;
+			return err;
 	}
 
 	notif->notify = notify;
 	notif->data = data;
 
-	err = 0;
- out_unlock:
-	mutex_unlock(&notif->mutex);
-	return err;
+	return 0;
 }
 
 static int ftr_get_detect(struct gpio_runtime *rt,
--- a/sound/aoa/core/gpio-pmf.c
+++ b/sound/aoa/core/gpio-pmf.c
@@ -74,10 +74,9 @@ static void pmf_handle_notify(struct wor
 	struct gpio_notification *notif =
 		container_of(work, struct gpio_notification, work.work);
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 	if (notif->notify)
 		notif->notify(notif->data);
-	mutex_unlock(&notif->mutex);
 }
 
 static void pmf_gpio_init(struct gpio_runtime *rt)
@@ -154,19 +153,17 @@ static int pmf_set_notify(struct gpio_ru
 		return -EINVAL;
 	}
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 
 	old = notif->notify;
 
-	if (!old && !notify) {
-		err = 0;
-		goto out_unlock;
-	}
+	if (!old && !notify)
+		return 0;
 
 	if (old && notify) {
 		if (old == notify && notif->data == data)
 			err = 0;
-		goto out_unlock;
+		return err;
 	}
 
 	if (old && !notify) {
@@ -178,10 +175,8 @@ static int pmf_set_notify(struct gpio_ru
 	if (!old && notify) {
 		irq_client = kzalloc(sizeof(struct pmf_irq_client),
 				     GFP_KERNEL);
-		if (!irq_client) {
-			err = -ENOMEM;
-			goto out_unlock;
-		}
+		if (!irq_client)
+			return -ENOMEM;
 		irq_client->data = notif;
 		irq_client->handler = pmf_handle_notify_irq;
 		irq_client->owner = THIS_MODULE;
@@ -192,17 +187,14 @@ static int pmf_set_notify(struct gpio_ru
 			printk(KERN_ERR "snd-aoa: gpio layer failed to"
 					" register %s irq (%d)\n", name, err);
 			kfree(irq_client);
-			goto out_unlock;
+			return err;
 		}
 		notif->gpio_private = irq_client;
 	}
 	notif->notify = notify;
 	notif->data = data;
 
-	err = 0;
- out_unlock:
-	mutex_unlock(&notif->mutex);
-	return err;
+	return 0;
 }
 
 static int pmf_get_detect(struct gpio_runtime *rt,
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -79,11 +79,10 @@ static int i2sbus_pcm_open(struct i2sbus
 	u64 formats = 0;
 	unsigned int rates = 0;
 	struct transfer_info v;
-	int result = 0;
 	int bus_factor = 0, sysclock_factor = 0;
 	int found_this;
 
-	mutex_lock(&i2sdev->lock);
+	guard(mutex)(&i2sdev->lock);
 
 	get_pcm_info(i2sdev, in, &pi, &other);
 
@@ -92,8 +91,7 @@ static int i2sbus_pcm_open(struct i2sbus
 
 	if (pi->active) {
 		/* alsa messed up */
-		result = -EBUSY;
-		goto out_unlock;
+		return -EBUSY;
 	}
 
 	/* we now need to assign the hw */
@@ -117,10 +115,8 @@ static int i2sbus_pcm_open(struct i2sbus
 			ti++;
 		}
 	}
-	if (!masks_inited || !bus_factor || !sysclock_factor) {
-		result = -ENODEV;
-		goto out_unlock;
-	}
+	if (!masks_inited || !bus_factor || !sysclock_factor)
+		return -ENODEV;
 	/* bus dependent stuff */
 	hw->info = SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID |
 		   SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_RESUME |
@@ -194,15 +190,12 @@ static int i2sbus_pcm_open(struct i2sbus
 	hw->periods_max = MAX_DBDMA_COMMANDS;
 	err = snd_pcm_hw_constraint_integer(pi->substream->runtime,
 					    SNDRV_PCM_HW_PARAM_PERIODS);
-	if (err < 0) {
-		result = err;
-		goto out_unlock;
-	}
+	if (err < 0)
+		return err;
 	list_for_each_entry(cii, &sdev->codec_list, list) {
 		if (cii->codec->open) {
 			err = cii->codec->open(cii, pi->substream);
 			if (err) {
-				result = err;
 				/* unwind */
 				found_this = 0;
 				list_for_each_entry_reverse(rev,
@@ -214,14 +207,12 @@ static int i2sbus_pcm_open(struct i2sbus
 					if (rev == cii)
 						found_this = 1;
 				}
-				goto out_unlock;
+				return err;
 			}
 		}
 	}
 
- out_unlock:
-	mutex_unlock(&i2sdev->lock);
-	return result;
+	return 0;
 }
 
 #undef CHECK_RATE
@@ -232,7 +223,7 @@ static int i2sbus_pcm_close(struct i2sbu
 	struct pcm_info *pi;
 	int err = 0, tmp;
 
-	mutex_lock(&i2sdev->lock);
+	guard(mutex)(&i2sdev->lock);
 
 	get_pcm_info(i2sdev, in, &pi, NULL);
 
@@ -246,7 +237,6 @@ static int i2sbus_pcm_close(struct i2sbu
 
 	pi->substream = NULL;
 	pi->active = 0;
-	mutex_unlock(&i2sdev->lock);
 	return err;
 }
 
@@ -330,33 +320,26 @@ static int i2sbus_pcm_prepare(struct i2s
 	int input_16bit;
 	struct pcm_info *pi, *other;
 	int cnt;
-	int result = 0;
 	unsigned int cmd, stopaddr;
 
-	mutex_lock(&i2sdev->lock);
+	guard(mutex)(&i2sdev->lock);
 
 	get_pcm_info(i2sdev, in, &pi, &other);
 
-	if (pi->dbdma_ring.running) {
-		result = -EBUSY;
-		goto out_unlock;
-	}
+	if (pi->dbdma_ring.running)
+		return -EBUSY;
 	if (pi->dbdma_ring.stopping)
 		i2sbus_wait_for_stop(i2sdev, pi);
 
-	if (!pi->substream || !pi->substream->runtime) {
-		result = -EINVAL;
-		goto out_unlock;
-	}
+	if (!pi->substream || !pi->substream->runtime)
+		return -EINVAL;
 
 	runtime = pi->substream->runtime;
 	pi->active = 1;
 	if (other->active &&
 	    ((i2sdev->format != runtime->format)
-	     || (i2sdev->rate != runtime->rate))) {
-		result = -EINVAL;
-		goto out_unlock;
-	}
+	     || (i2sdev->rate != runtime->rate)))
+		return -EINVAL;
 
 	i2sdev->format = runtime->format;
 	i2sdev->rate = runtime->rate;
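Review bot: "pi->active = 1;" is set before the format/rate mismatch check, and the "return -EINVAL" that follows leaves it set. The conversion preserves the old behaviour, but with direct returns there is no longer a shared exit label where such state could be undone, so it is worth checking every early return after this assignment in i2sbus_pcm_prepare() for state that should be rolled back.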
@@ -412,10 +395,8 @@ static int i2sbus_pcm_prepare(struct i2s
 			bi.bus_factor = cii->codec->bus_factor;
 			break;
 		}
-		if (!bi.bus_factor) {
-			result = -ENODEV;
-			goto out_unlock;
-		}
+		if (!bi.bus_factor)
+			return -ENODEV;
 		input_16bit = 1;
 		break;
 	case SNDRV_PCM_FORMAT_S32_BE:
@@ -426,8 +407,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		input_16bit = 0;
 		break;
 	default:
-		result = -EINVAL;
-		goto out_unlock;
+		return -EINVAL;
 	}
 	/* we assume all sysclocks are the same! */
 	list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
@@ -438,10 +418,8 @@ static int i2sbus_pcm_prepare(struct i2s
 	if (clock_and_divisors(bi.sysclock_factor,
 			       bi.bus_factor,
 			       runtime->rate,
-			       &sfr) < 0) {
-		result = -EINVAL;
-		goto out_unlock;
-	}
+			       &sfr) < 0)
+		return -EINVAL;
 	switch (bi.bus_factor) {
 	case 32:
 		sfr |= I2S_SF_SERIAL_FORMAT_I2S_32X;
@@ -457,10 +435,8 @@ static int i2sbus_pcm_prepare(struct i2s
 		int err = 0;
 		if (cii->codec->prepare)
 			err = cii->codec->prepare(cii, &bi, pi->substream);
-		if (err) {
-			result = err;
-			goto out_unlock;
-		}
+		if (err)
+			return err;
 	}
 	/* codecs are fine with it, so set our clocks */
 	if (input_16bit)
@@ -476,7 +452,7 @@ static int i2sbus_pcm_prepare(struct i2s
 	/* not locking these is fine since we touch them only in this function */
 	if (in_le32(&i2sdev->intfregs->serial_format) == sfr
 	 && in_le32(&i2sdev->intfregs->data_word_sizes) == dws)
-		goto out_unlock;
+		return 0;
 
 	/* let's notify the codecs about clocks going away.
 	 * For now we only do mastering on the i2s cell... */
@@ -514,9 +490,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		if (cii->codec->switch_clock)
 			cii->codec->switch_clock(cii, CLOCK_SWITCH_SLAVE);
 
- out_unlock:
-	mutex_unlock(&i2sdev->lock);
-	return result;
+	return 0;
 }
 
 #ifdef CONFIG_PM



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 260/378] accel/ethosu: fix IFM region index out-of-bounds in command stream parser
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (258 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 259/378] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 261/378] accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85 Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Rob Herring (Arm)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 00f547e0dfecf83014fb32bcba587c6b684c1362 upstream.

NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
a maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param & 0x7:
  NPU_SET_OFM_REGION:  st.ofm.region  = param & 0x7;
  NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
  NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
  NPU_SET_SCALE_REGION:  st.scale[0].region  = param & 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly
as an array subscript into the kzalloc'd info struct:
  info->region_size[fm->region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
a write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.

Fix by applying the same & 0x7 mask used by all other region
assignments.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523195159.55801-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ethosu/ethosu_gem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -466,7 +466,7 @@ static int ethosu_gem_cmdstream_copy_and
 			st.ifm.broadcast = param;
 			break;
 		case NPU_SET_IFM_REGION:
-			st.ifm.region = param & 0x7f;
+			st.ifm.region = param & 0x7;
 			break;
 		case NPU_SET_IFM_WIDTH0_M1:
 			st.ifm.width0 = param;
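Review bot: the new mask in `st.ifm.region = param & 0x7;` keeps the index inside region_size[] but silently folds an out-of-range value onto a valid region (8 becomes 0) instead of rejecting the command stream. If the field is allowed to carry more than three bits, returning -EINVAL for values at or above NPU_BASEP_REGION_MAX would be safer; in either case, deriving the mask from NPU_BASEP_REGION_MAX rather than repeating a bare 0x7 would stop the constant and the array size from drifting apart again.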




* [PATCH 6.1 344/522] ALSA: aoa: i2sbus: clear stale prepared state
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (342 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 343/522] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 345/522] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot,
	Cássio Gabriel, Takashi Iwai, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 5ed060d5491597490fb53ec69da3edc4b1e8c165 ]

The i2sbus PCM code uses pi->active to constrain the sibling stream to
an already prepared duplex format and rate in i2sbus_pcm_open().

That state is set from i2sbus_pcm_prepare(), but the current code only
clears it on close. As a result, the sibling stream can inherit stale
constraints after the prepared state has been torn down.

Clear pi->active when hw_params() or hw_free() tears down the prepared
state, and set it again only after prepare succeeds.

Replace the stale FIXME in the duplex constraint comment with a description
of the current driver behavior: i2sbus still programs a single shared
transport configuration for both directions, so mixed formats are not
supported in duplex mode.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604010125.AvkWBYKI-lkp@intel.com/
Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260331-aoa-i2sbus-clear-stale-active-v2-1-3764ae2889a1@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/soundbus/i2sbus/pcm.c |   55 ++++++++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 11 deletions(-)

--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -165,17 +165,16 @@ static int i2sbus_pcm_open(struct i2sbus
 	 * currently in use (if any). */
 	hw->rate_min = 5512;
 	hw->rate_max = 192000;
-	/* if the other stream is active, then we can only
-	 * support what it is currently using.
-	 * FIXME: I lied. This comment is wrong. We can support
-	 * anything that works with the same serial format, ie.
-	 * when recording 24 bit sound we can well play 16 bit
-	 * sound at the same time iff using the same transfer mode.
+	/* If the other stream is already prepared, keep this stream
+	 * on the same duplex format and rate.
+	 *
+	 * i2sbus_pcm_prepare() still programs one shared transport
+	 * configuration for both directions, so mixed duplex formats
+	 * are not supported here.
 	 */
 	if (other->active) {
-		/* FIXME: is this guaranteed by the alsa api? */
 		hw->formats &= pcm_format_to_bits(i2sdev->format);
-		/* see above, restrict rates to the one we already have */
+		/* Restrict rates to the one already in use. */
 		hw->rate_min = i2sdev->rate;
 		hw->rate_max = i2sdev->rate;
 	}
@@ -283,6 +282,23 @@ void i2sbus_wait_for_stop_both(struct i2
 }
 #endif
 
+static void i2sbus_pcm_clear_active(struct i2sbus_dev *i2sdev, int in)
+{
+	struct pcm_info *pi;
+
+	guard(mutex)(&i2sdev->lock);
+
+	get_pcm_info(i2sdev, in, &pi, NULL);
+	pi->active = 0;
+}
+
+static inline int i2sbus_hw_params(struct snd_pcm_substream *substream,
+				   struct snd_pcm_hw_params *params, int in)
+{
+	i2sbus_pcm_clear_active(snd_pcm_substream_chip(substream), in);
+	return 0;
+}
+
 static inline int i2sbus_hw_free(struct snd_pcm_substream *substream, int in)
 {
 	struct i2sbus_dev *i2sdev = snd_pcm_substream_chip(substream);
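Review bot: i2sbus_hw_params() never reads `params` and always returns 0, so from the code alone it looks like a stub. A one-line comment saying the callback exists only to invalidate the prepared state (pi->active) until the next prepare would make the intent clear. i2sbus_pcm_clear_active() also relies on guard(mutex), so this backport depends on the guard() conversion patch earlier in the series being applied first.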
@@ -291,14 +307,27 @@ static inline int i2sbus_hw_free(struct
 	get_pcm_info(i2sdev, in, &pi, NULL);
 	if (pi->dbdma_ring.stopping)
 		i2sbus_wait_for_stop(i2sdev, pi);
+	i2sbus_pcm_clear_active(i2sdev, in);
 	return 0;
 }
 
+static int i2sbus_playback_hw_params(struct snd_pcm_substream *substream,
+				     struct snd_pcm_hw_params *params)
+{
+	return i2sbus_hw_params(substream, params, 0);
+}
+
 static int i2sbus_playback_hw_free(struct snd_pcm_substream *substream)
 {
 	return i2sbus_hw_free(substream, 0);
 }
 
+static int i2sbus_record_hw_params(struct snd_pcm_substream *substream,
+				   struct snd_pcm_hw_params *params)
+{
+	return i2sbus_hw_params(substream, params, 1);
+}
+
 static int i2sbus_record_hw_free(struct snd_pcm_substream *substream)
 {
 	return i2sbus_hw_free(substream, 1);
@@ -335,7 +364,6 @@ static int i2sbus_pcm_prepare(struct i2s
 		return -EINVAL;
 
 	runtime = pi->substream->runtime;
-	pi->active = 1;
 	if (other->active &&
 	    ((i2sdev->format != runtime->format)
 	     || (i2sdev->rate != runtime->rate)))
@@ -450,9 +478,11 @@ static int i2sbus_pcm_prepare(struct i2s
 
 	/* early exit if already programmed correctly */
 	/* not locking these is fine since we touch them only in this function */
-	if (in_le32(&i2sdev->intfregs->serial_format) == sfr
-	 && in_le32(&i2sdev->intfregs->data_word_sizes) == dws)
+	if (in_le32(&i2sdev->intfregs->serial_format) == sfr &&
+	    in_le32(&i2sdev->intfregs->data_word_sizes) == dws) {
+		pi->active = 1;
 		return 0;
+	}
 
 	/* let's notify the codecs about clocks going away.
 	 * For now we only do mastering on the i2s cell... */
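Review bot: `pi->active = 1` now has to be repeated on every successful exit of i2sbus_pcm_prepare(), here in the early-return branch and again before the final `return 0` in the next hunk. A later success path that forgets the assignment would leave the sibling stream unconstrained in i2sbus_pcm_open(); routing both exits through one label that sets the flag would make that harder to get wrong.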
@@ -490,6 +520,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		if (cii->codec->switch_clock)
 			cii->codec->switch_clock(cii, CLOCK_SWITCH_SLAVE);
 
+	pi->active = 1;
 	return 0;
 }
 
@@ -746,6 +777,7 @@ static snd_pcm_uframes_t i2sbus_playback
 static const struct snd_pcm_ops i2sbus_playback_ops = {
 	.open =		i2sbus_playback_open,
 	.close =	i2sbus_playback_close,
+	.hw_params =	i2sbus_playback_hw_params,
 	.hw_free =	i2sbus_playback_hw_free,
 	.prepare =	i2sbus_playback_prepare,
 	.trigger =	i2sbus_playback_trigger,
@@ -814,6 +846,7 @@ static snd_pcm_uframes_t i2sbus_record_p
 static const struct snd_pcm_ops i2sbus_record_ops = {
 	.open =		i2sbus_record_open,
 	.close =	i2sbus_record_close,
+	.hw_params =	i2sbus_record_hw_params,
 	.hw_free =	i2sbus_record_hw_free,
 	.prepare =	i2sbus_record_prepare,
 	.trigger =	i2sbus_record_trigger,




* [PATCH 7.0 261/378] accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (259 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 260/378] accel/ethosu: fix IFM region index out-of-bounds in command stream parser Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 262/378] accel/ethosu: fix arithmetic issues in dma_length() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Rob Herring (Arm)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit e703843f242b28e35ac79408de571ae110c740b5 upstream.

On non-U65 hardware (e.g. U85), opcode 0x4093 is NPU_SET_WEIGHT2_LENGTH.
The BASE handler for the same opcode correctly assigns to
st.weight[2].base, but the LENGTH handler mistakenly assigns cmds[1]
to st.weight[1].length instead of st.weight[2].length.

This leaves weight[2].length at its initialised sentinel value of
0xffffffff and corrupts weight[1].length with the user-supplied value,
breaking the software bounds-check state for both weight buffers on U85.

Fix the index to match the BASE handler.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523210840.92039-3-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ethosu/ethosu_gem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -601,7 +601,7 @@ static int ethosu_gem_cmdstream_copy_and
 			if (ethosu_is_u65(edev))
 				st.scale[1].length = cmds[1];
 			else
-				st.weight[1].length = cmds[1];
+				st.weight[2].length = cmds[1];
 			break;
 		case NPU_SET_WEIGHT3_BASE:
 			st.weight[3].base = addr;
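Review bot: nothing in the `else` branch says why a case reached through the SCALE1 length opcode writes to a weight slot, which is how the wrong index went unnoticed. A short comment on the `else` line stating that on non-U65 parts this opcode is NPU_SET_WEIGHT2_LENGTH, mirroring the BASE handler, would document the pairing next to the code.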




* [PATCH 6.1 345/522] media: rc: ttusbir: respect DMA coherency rules
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (343 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 344/522] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 346/522] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 50acaad3d202c064779db8dc3d010007347f59c7 ]

Buffers must not share a cache line with other data structures.
Allocate separately.

Fixes: 0938069fa0897 ("[media] rc: Add support for the TechnoTrend USB IR Receiver")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ kept kzalloc(sizeof(*tt), GFP_KERNEL) instead of kzalloc_obj() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/ttusbir.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -32,7 +32,7 @@ struct ttusbir {
 
 	struct led_classdev led;
 	struct urb *bulk_urb;
-	uint8_t bulk_buffer[5];
+	u8 *bulk_buffer;
 	int bulk_out_endp, iso_in_endp;
 	bool led_on, is_led_on;
 	atomic_t led_complete;
@@ -186,13 +186,16 @@ static int ttusbir_probe(struct usb_inte
 	struct rc_dev *rc;
 	int i, j, ret;
 	int altsetting = -1;
+	u8 *buffer;
 
 	tt = kzalloc(sizeof(*tt), GFP_KERNEL);
+	buffer = kzalloc(5, GFP_KERNEL);
 	rc = rc_allocate_device(RC_DRIVER_IR_RAW);
-	if (!tt || !rc) {
+	if (!tt || !rc || buffer) {
 		ret = -ENOMEM;
 		goto out;
 	}
+	tt->bulk_buffer = buffer;
 
 	/* find the correct alt setting */
 	for (i = 0; i < intf->num_altsetting && altsetting == -1; i++) {
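Review bot: the allocation check `if (!tt || !rc || buffer)` tests `buffer` with the wrong polarity. A successful kzalloc(5) sends probe to `out` with -ENOMEM, and a failed one falls through to `tt->bulk_buffer = buffer` with a NULL pointer that is later indexed (`tt->bulk_buffer[3] = 0x01` in the next hunk). The condition should read `!buffer`.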
@@ -281,8 +284,8 @@ static int ttusbir_probe(struct usb_inte
 	tt->bulk_buffer[3] = 0x01;
 
 	usb_fill_bulk_urb(tt->bulk_urb, tt->udev, usb_sndbulkpipe(tt->udev,
-		tt->bulk_out_endp), tt->bulk_buffer, sizeof(tt->bulk_buffer),
-						ttusbir_bulk_complete, tt);
+			  tt->bulk_out_endp), tt->bulk_buffer, 5,
+			  ttusbir_bulk_complete, tt);
 
 	tt->led.name = "ttusbir:green:power";
 	tt->led.default_trigger = "rc-feedback";
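Review bot: the literal 5 passed to usb_fill_bulk_urb() now has to be kept in step by hand with `kzalloc(5, GFP_KERNEL)` in probe, where `sizeof(tt->bulk_buffer)` used to tie the two together. A named constant shared by the allocation and the URB length would keep them from diverging.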
@@ -351,6 +354,7 @@ out:
 		kfree(tt);
 	}
 	rc_free_device(rc);
+	kfree(buffer);
 
 	return ret;
 }
@@ -373,6 +377,7 @@ static void ttusbir_disconnect(struct us
 	}
 	usb_kill_urb(tt->bulk_urb);
 	usb_free_urb(tt->bulk_urb);
+	kfree(tt->bulk_buffer);
 	usb_set_intfdata(intf, NULL);
 	kfree(tt);
 }




* [PATCH 7.0 262/378] accel/ethosu: fix arithmetic issues in dma_length()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (260 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 261/378] accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85 Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 263/378] accel/ethosu: reject DMA commands with uninitialized length Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Rob Herring (Arm)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit ee6d9b6e51626f259c6f0e38d94f91be4fd14754 upstream.

dma_length() derives DMA region usage from command stream values and
updates region_size[]:

    len = ((len + stride[0]) * size0 + stride[1]) * size1
    region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream
accesses against GEM buffer sizes. Arithmetic wraparound can therefore
under-report region usage and bypass the bounds validation.

Fix by validating signed additions, using overflow helpers for
multiplications and offset updates, and propagating dma_length()
failures to the caller.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260524103710.47397-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ethosu/ethosu_gem.c |   23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -2,6 +2,7 @@
 /* Copyright 2025 Arm, Ltd. */
 
 #include <linux/err.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 
 #include <drm/ethosu_accel.h>
@@ -164,16 +165,26 @@ static u64 dma_length(struct ethosu_vali
 	u64 len = dma->len;
 
 	if (mode >= 1) {
+		if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len)
+			return U64_MAX;
 		len += dma->stride[0];
-		len *= dma_st->size0;
+		if (check_mul_overflow(len, (u64)dma_st->size0, &len))
+			return U64_MAX;
 	}
 	if (mode == 2) {
+		if (dma->stride[1] < 0 && (u64)(-dma->stride[1]) > len)
+			return U64_MAX;
 		len += dma->stride[1];
-		len *= dma_st->size1;
+		if (check_mul_overflow(len, (u64)dma_st->size1, &len))
+			return U64_MAX;
+	}
+	if (dma->region >= 0) {
+		u64 end;
+
+		if (check_add_overflow(len, dma->offset, &end))
+			return U64_MAX;
+		info->region_size[dma->region] = max(info->region_size[dma->region], end);
 	}
-	if (dma->region >= 0)
-		info->region_size[dma->region] = max(info->region_size[dma->region],
-						     len + dma->offset);
 
 	return len;
 }
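Review bot: only the negative-stride case is guarded before `len += dma->stride[0]` and `len += dma->stride[1]`; a positive stride added to a `len` near U64_MAX still wraps to a small value, and the following check_mul_overflow() will not notice. Using check_add_overflow() for the positive case would close that. The negation in `(u64)(-dma->stride[0])` also assumes the stride can never hold the minimum value of its signed type, which is not visible from this hunk. Separately, `dma->region >= 0` is the only bound applied before indexing region_size[]; an upper-bound check here would make the function safe on its own.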
@@ -397,6 +408,8 @@ static int ethosu_gem_cmdstream_copy_and
 		case NPU_OP_DMA_START:
 			srclen = dma_length(info, &st.dma, &st.dma.src);
 			dstlen = dma_length(info, &st.dma, &st.dma.dst);
+			if (srclen == U64_MAX || dstlen == U64_MAX)
+				return -EINVAL;
 
 			if (st.dma.dst.region >= 0)
 				info->output_region[st.dma.dst.region] = true;
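Review bot: the caller distinguishes failure from success only by comparing against U64_MAX, so the error is carried in-band in a value that is otherwise a length. Returning an int status and passing the length back through a pointer would make it impossible for a computed length to be mistaken for, or to mask, the error value.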




* [PATCH 6.1 346/522] ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (344 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 345/522] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 347/522] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Takashi Iwai,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit fd7df93013c5118812e63a52635dc6c3a805a1de ]

In i2sbus_resume(), skip devices with an empty codec list, which avoids
using an uninitialized 'sysclock_factor' in the 32-bit format path in
i2sbus_pcm_prepare().

In i2sbus_pcm_prepare(), replace two list_for_each_entry() loops with a
single list_first_entry() now that the codec list is guaranteed to be
non-empty by all callers.

Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260310102921.210109-3-thorsten.blum@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/soundbus/i2sbus/core.c |    3 +++
 sound/aoa/soundbus/i2sbus/pcm.c  |   16 +++++-----------
 2 files changed, 8 insertions(+), 11 deletions(-)

--- a/sound/aoa/soundbus/i2sbus/core.c
+++ b/sound/aoa/soundbus/i2sbus/core.c
@@ -411,6 +411,9 @@ static int i2sbus_resume(struct macio_de
 	int err, ret = 0;
 
 	list_for_each_entry(i2sdev, &control->list, item) {
+		if (list_empty(&i2sdev->sound.codec_list))
+			continue;
+
 		/* reset i2s bus format etc. */
 		i2sbus_pcm_prepare_both(i2sdev);
 
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -411,6 +411,9 @@ static int i2sbus_pcm_prepare(struct i2s
 	/* set stop command */
 	command->command = cpu_to_le16(DBDMA_STOP);
 
+	cii = list_first_entry(&i2sdev->sound.codec_list,
+			       struct codec_info_item, list);
+
 	/* ok, let's set the serial format and stuff */
 	switch (runtime->format) {
 	/* 16 bit formats */
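Review bot: list_first_entry() on an empty codec_list returns a pointer computed from the list head itself, not NULL, so `cii` is only valid while every caller really does guarantee a non-empty list. That invariant lives in the commit message and in i2sbus_resume(); stating it in a comment here, or using list_first_entry_or_null() with an -ENODEV return, would keep the function safe if a new caller appears.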
@@ -418,13 +421,7 @@ static int i2sbus_pcm_prepare(struct i2s
 	case SNDRV_PCM_FORMAT_U16_BE:
 		/* FIXME: if we add different bus factors we need to
 		 * do more here!! */
-		bi.bus_factor = 0;
-		list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
-			bi.bus_factor = cii->codec->bus_factor;
-			break;
-		}
-		if (!bi.bus_factor)
-			return -ENODEV;
+		bi.bus_factor = cii->codec->bus_factor;
 		input_16bit = 1;
 		break;
 	case SNDRV_PCM_FORMAT_S32_BE:
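Review bot: the removed `if (!bi.bus_factor) return -ENODEV;` rejected an empty list, but it also rejected a first codec whose bus_factor is 0. After this hunk a zero bus_factor is passed on to clock_and_divisors(). If a zero factor is never valid, keep the check after the new assignment.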
@@ -438,10 +435,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		return -EINVAL;
 	}
 	/* we assume all sysclocks are the same! */
-	list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
-		bi.sysclock_factor = cii->codec->sysclock_factor;
-		break;
-	}
+	bi.sysclock_factor = cii->codec->sysclock_factor;
 
 	if (clock_and_divisors(bi.sysclock_factor,
 			       bi.bus_factor,




* [PATCH 7.0 263/378] accel/ethosu: reject DMA commands with uninitialized length
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (261 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 262/378] accel/ethosu: fix arithmetic issues in dma_length() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 264/378] accel/ethosu: reject NPU_OP_RESIZE commands from userspace Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Rob Herring (Arm)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit d9d021218162b6c4fe0bdf42b2b340f1aae23a12 upstream.

cmd_state_init() initializes the command state with memset(0xff),
leaving dma->len at U64_MAX to signal missing setup. The only setter
is NPU_SET_DMA0_LEN; if userspace omits this command and issues
NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small
value. With size0 == 1, check_mul_overflow() does not trigger and
dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check
then passes, region_size[] stays 0, and the bounds check in
ethosu_job.c is bypassed, allowing hardware to execute DMA with stale
physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any
arithmetic, consistent with the sentinel value used throughout the
driver to detect uninitialized fields.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260524130319.12747-1-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ethosu/ethosu_gem.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -164,6 +164,9 @@ static u64 dma_length(struct ethosu_vali
 	s8 mode = dma_st->mode;
 	u64 len = dma->len;
 
+	if (len == U64_MAX)
+		return U64_MAX;
+
 	if (mode >= 1) {
 		if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len)
 			return U64_MAX;
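Review bot: the new `if (len == U64_MAX)` test has no comment, and without the commit message it reads as an arbitrary limit. A one-line comment that U64_MAX is the "never set" value left by the 0xff initialisation of the command state would explain why it must be checked before any arithmetic. The test catches only the exact sentinel; lengths just below it still depend on the stride and overflow checks that follow.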



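The wraparound cases described in the commit messages of patches 262 and 263 above, as an added userspace model; it is not the driver's code. `struct model_dma`, its field widths, `enum level` and the sample inputs are constructed for illustration, and the GCC/Clang `__builtin_*_overflow` functions stand in for the kernel's `check_mul_overflow()` and `check_add_overflow()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LEN_UNSET UINT64_MAX	/* what memset(0xff) leaves in an unset u64 */

enum level { ORIGINAL, WITH_262, WITH_263 };	/* which fixes are modelled */

/* Simplified stand-in for the driver's DMA state; field widths are assumed. */
struct model_dma {
	uint64_t len;
	int64_t stride[2];
	uint32_t size0, size1;
	uint64_t offset;
	int mode;
};

struct outcome { uint64_t ret, region_size; };

/* One "(len + stride) * size" step; false means the step was rejected. */
static bool stride_step(uint64_t *len, int64_t stride, uint32_t size, enum level lvl)
{
	if (lvl == ORIGINAL) {
		*len = (*len + (uint64_t)stride) * size;	/* wraps silently */
		return true;
	}
	/* 262: a negative stride larger than len would underflow */
	if (stride < 0 && (uint64_t)0 - (uint64_t)stride > *len)
		return false;
	*len += (uint64_t)stride;	/* positive stride: no check in the patch */
	/* stand-in for check_mul_overflow() */
	return !__builtin_mul_overflow(*len, (uint64_t)size, len);
}

static uint64_t model_dma_length(const struct model_dma *d, enum level lvl,
				 uint64_t *region_size)
{
	uint64_t len = d->len, end;

	if (lvl >= WITH_263 && len == LEN_UNSET)	/* 263: sentinel first */
		return UINT64_MAX;
	if (d->mode >= 1 && !stride_step(&len, d->stride[0], d->size0, lvl))
		return UINT64_MAX;
	if (d->mode == 2 && !stride_step(&len, d->stride[1], d->size1, lvl))
		return UINT64_MAX;
	if (lvl == ORIGINAL)
		end = len + d->offset;			/* may wrap */
	else if (__builtin_add_overflow(len, d->offset, &end))
		return UINT64_MAX;
	if (end > *region_size)
		*region_size = end;			/* max(old, end) */
	return len;
}

/* Run one case against a fresh region_size of 0. */
static struct outcome evaluate(const struct model_dma *d, enum level lvl)
{
	struct outcome o = { 0, 0 };

	o.ret = model_dma_length(d, lvl, &o.region_size);
	return o;
}

/* Constructed inputs, one per failure mode named in the commit messages. */
static const struct model_dma CASE_OK =
	{ .len = 64, .size0 = 1, .size1 = 1, .offset = 128, .mode = 0 };
static const struct model_dma CASE_NEG_STRIDE =
	{ .len = 16, .stride = { -32, 0 }, .size0 = 1, .size1 = 1, .offset = 4096, .mode = 1 };
static const struct model_dma CASE_MUL =
	{ .len = 1ULL << 63, .size0 = 2, .size1 = 1, .offset = 0, .mode = 1 };
static const struct model_dma CASE_UNSET =
	{ .len = LEN_UNSET, .stride = { 1, 0 }, .size0 = 1, .size1 = 1, .offset = 0, .mode = 1 };

int main(void)
{
	static const struct { const char *name; const struct model_dma *d; } cases[] = {
		{ "in range", &CASE_OK }, { "negative stride", &CASE_NEG_STRIDE },
		{ "multiply wraps", &CASE_MUL }, { "len never set", &CASE_UNSET },
	};
	static const char *const names[] = { "original", "with 262", "with 263" };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		for (int lvl = ORIGINAL; lvl <= WITH_263; lvl++) {
			struct outcome o = evaluate(cases[i].d, (enum level)lvl);

			printf("%-16s %-9s ret=%#llx region_size=%llu%s\n",
			       cases[i].name, names[lvl],
			       (unsigned long long)o.ret,
			       (unsigned long long)o.region_size,
			       o.ret == UINT64_MAX ? " (rejected)" : "");
		}
	return 0;
}
```

The "len never set" row is the one patch 263 addresses: with only patch 262 applied the model returns 0 and leaves region_size at 0, and with the sentinel check it is rejected.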

* [PATCH 6.1 347/522] media: rc: igorplugusb: heed coherency rules
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (345 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 346/522] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 348/522] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit eac69475b01fe1e861dfe3960b57fa95671c132e ]

In a control request, the USB request structure
can be subject to DMA on some HCs. Hence it must obey
the rules for DMA coherency. Allocate it separately.

Fixes: b1c97193c6437 ("[media] rc: port IgorPlug-USB to rc-core")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ replaced kzalloc_obj(*ir->request, GFP_KERNEL) with kzalloc(sizeof(*ir->request), GFP_KERNEL) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/igorplugusb.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -34,7 +34,7 @@ struct igorplugusb {
 	struct device *dev;
 
 	struct urb *urb;
-	struct usb_ctrlrequest request;
+	struct usb_ctrlrequest *request;
 
 	struct timer_list timer;
 
@@ -122,7 +122,7 @@ static void igorplugusb_cmd(struct igorp
 {
 	int ret;
 
-	ir->request.bRequest = cmd;
+	ir->request->bRequest = cmd;
 	ir->urb->transfer_flags = 0;
 	ret = usb_submit_urb(ir->urb, GFP_ATOMIC);
 	if (ret && ret != -EPERM)
@@ -164,13 +164,17 @@ static int igorplugusb_probe(struct usb_
 	if (!ir)
 		return -ENOMEM;
 
+	ir->request = kzalloc(sizeof(*ir->request), GFP_KERNEL);
+	if (!ir->request)
+		goto fail;
+
 	ir->dev = &intf->dev;
 
 	timer_setup(&ir->timer, igorplugusb_timer, 0);
 
-	ir->request.bRequest = GET_INFRACODE;
-	ir->request.bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
-	ir->request.wLength = cpu_to_le16(MAX_PACKET);
+	ir->request->bRequest = GET_INFRACODE;
+	ir->request->bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
+	ir->request->wLength = cpu_to_le16(MAX_PACKET);
 
 	ir->urb = usb_alloc_urb(0, GFP_KERNEL);
 	if (!ir->urb)
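Review bot: the new `goto fail` after the failed kzalloc() sits before `timer_setup(&ir->timer, ...)` and before `ir->urb` is allocated, so whatever the `fail` label does with the timer or the URB now runs on state that was never initialised. Only the tail of that label is visible in the next hunk, and it should be checked in full. `ret` is also not assigned on this path; confirm it already holds -ENOMEM here, or set it explicitly before the jump.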
@@ -228,6 +232,7 @@ fail:
 	usb_free_urb(ir->urb);
 	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
+	kfree(ir->request);
 
 	return ret;
 }
@@ -243,6 +248,7 @@ static void igorplugusb_disconnect(struc
 	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
 	kfree(ir->buf_in);
+	kfree(ir->request);
 }
 
 static const struct usb_device_id igorplugusb_table[] = {




* [PATCH 7.0 264/378] accel/ethosu: reject NPU_OP_RESIZE commands from userspace
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (262 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 263/378] accel/ethosu: reject DMA commands with uninitialized length Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 265/378] fs/qnx6: fix pointer arithmetic in directory iteration Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Rob Herring (Arm)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit ef911805d86a05363d3ec2fa9835a41def83bb7e upstream.

NPU_OP_RESIZE is a U85-only command that the driver does not yet
implement. The existing WARN_ON(1) placeholder fires unconditionally
whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE,
causing unbounded kernel log spam.

If panic_on_warn is set the kernel panics, giving any unprivileged user
with access to the DRM device a trivial denial-of-service primitive.

Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl
rejects the command before it reaches hardware.

Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Link: https://patch.msgid.link/20260523210840.92039-2-meatuni001@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/accel/ethosu/ethosu_gem.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -449,8 +449,7 @@ static int ethosu_gem_cmdstream_copy_and
 				return ret;
 			break;
 		case NPU_OP_RESIZE: // U85 only
-			WARN_ON(1); // TODO
-			break;
+			return -EINVAL;
 		case NPU_SET_KERNEL_WIDTH_M1:
 			st.ifm.width = param;
 			break;
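Review bot: the bare `return -EINVAL;` under `case NPU_OP_RESIZE:` gives userspace the same error as a malformed stream, and the remaining `// U85 only` comment no longer says that the opcode is unimplemented. Consider a comment stating that the command is rejected because the driver does not support it yet, and a debug-level or rate-limited message so the rejection can be told apart from other validation failures without bringing back the log spam.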




* [PATCH 6.1 348/522] sched: Use u64 for bandwidth ratio calculations
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (346 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 347/522] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 349/522] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Joseph Salisbury,
	Peter Zijlstra (Intel), Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Salisbury <joseph.salisbury@oracle.com>

[ Upstream commit c6e80201e057dfb7253385e60bf541121bf5dc33 ]

to_ratio() computes BW_SHIFT-scaled bandwidth ratios from u64 period and
runtime values, but it returns unsigned long.  tg_rt_schedulable() also
stores the current group limit and the accumulated child sum in unsigned
long.

On 32-bit builds, large bandwidth ratios can be truncated and the RT
group sum can wrap when enough siblings are present.  That can let an
overcommitted RT hierarchy pass the schedulability check, and it also
narrows the helper result for other callers.

Return u64 from to_ratio() and use u64 for the RT group totals so
bandwidth ratios are preserved and compared at full width on both 32-bit
and 64-bit builds.

Fixes: b40b2e8eb521 ("sched: rt: multi level group constraints")
Assisted-by: Codex:GPT-5
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260403210014.2713404-1-joseph.salisbury@oracle.com
[ dropped `extern` keyword from `to_ratio()` declaration ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/core.c  |    2 +-
 kernel/sched/rt.c    |    2 +-
 kernel/sched/sched.h |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4692,7 +4692,7 @@ void sched_post_fork(struct task_struct
 	uclamp_post_fork(p);
 }
 
-unsigned long to_ratio(u64 period, u64 runtime)
+u64 to_ratio(u64 period, u64 runtime)
 {
 	if (runtime == RUNTIME_INF)
 		return BW_UNIT;
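Review bot: widening the return type of to_ratio() helps only callers that also store the result in a 64-bit variable. This series converts the locals in tg_rt_schedulable() alone, so any other caller that assigns the result to an `unsigned long` still truncates on 32-bit builds; those call sites should be audited alongside this change.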
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -2768,7 +2768,7 @@ static int tg_rt_schedulable(struct task
 {
 	struct rt_schedulable_data *d = data;
 	struct task_group *child;
-	unsigned long total, sum = 0;
+	u64 total, sum = 0;
 	u64 period, runtime;
 
 	period = ktime_to_ns(tg->rt_bandwidth.rt_period);
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -2371,7 +2371,7 @@ extern void init_dl_inactive_task_timer(
 #define RATIO_SHIFT		8
 #define MAX_BW_BITS		(64 - BW_SHIFT)
 #define MAX_BW			((1ULL << MAX_BW_BITS) - 1)
-unsigned long to_ratio(u64 period, u64 runtime);
+u64 to_ratio(u64 period, u64 runtime);
 
 extern void init_entity_runnable_average(struct sched_entity *se);
 extern void post_init_entity_util_avg(struct task_struct *p);




* [PATCH 7.0 265/378] fs/qnx6: fix pointer arithmetic in directory iteration
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (263 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 264/378] accel/ethosu: reject NPU_OP_RESIZE commands from userspace Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 266/378] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arpith Kalaginanavoor,
	Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arpith Kalaginanavoor <arpithk@nvidia.com>

commit 89c4a1167f3a0a0efd2ec3e1801036d2eb65ae1a upstream.

The conversion to qnx6_get_folio() in commit b2aa61556fcf
("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
introduced a regression in directory iteration. The pointer 'de'
and the 'limit' address were calculated using byte offsets from
a char pointer without scaling by the size of a QNX6 directory
entry.

This causes the driver to read from incorrect memory offsets,
leading to "invalid direntry size" errors and premature
termination of directory scans.

Fix this by casting 'kaddr' to 'struct qnx6_dir_entry *' before
applying the offset and last_entry(...) increments. This allows the
compiler to correctly scale the pointer arithmetic by the 32-byte
stride of the directory entry structure.

Fixes: b2aa61556fcf ("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
Cc: stable@vger.kernel.org
Signed-off-by: Arpith Kalaginanavoor <arpithk@nvidia.com>
Link: https://patch.msgid.link/20260526123858.1683035-1-arpithk@nvidia.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/qnx6/dir.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/qnx6/dir.c
+++ b/fs/qnx6/dir.c
@@ -132,16 +132,16 @@ static int qnx6_readdir(struct file *fil
 		struct qnx6_dir_entry *de;
 		struct folio *folio;
 		char *kaddr = qnx6_get_folio(inode, n, &folio);
-		char *limit;
+		struct qnx6_dir_entry *limit;
 
 		if (IS_ERR(kaddr)) {
 			pr_err("%s(): read failed\n", __func__);
 			ctx->pos = (n + 1) << PAGE_SHIFT;
 			return PTR_ERR(kaddr);
 		}
-		de = (struct qnx6_dir_entry *)(kaddr + offset);
-		limit = kaddr + last_entry(inode, n);
-		for (; (char *)de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) {
+		de = (struct qnx6_dir_entry *)kaddr + offset;
+		limit = (struct qnx6_dir_entry *)kaddr + last_entry(inode, n);
+		for (; de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) {
 			int size = de->de_size;
 			u32 no_inode = fs32_to_cpu(sbi, de->de_inode);
 
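Review bot: After this change `offset` and the return value of last_entry() are used as entry indices, while `ctx->pos` in the same loop still advances in bytes by QNX6_DIR_ENTRY_SIZE, and nothing in the hunk states which unit each value carries. That ambiguity is what the regression came from, so a short comment on the units would help. Casting kaddr once into a local `struct qnx6_dir_entry *` base and deriving both `de` and `limit` from it would also remove the duplicated cast.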




* [PATCH 6.1 349/522] net: qrtr: ns: Limit the maximum number of lookups
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (347 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 348/522] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 350/522] net: qrtr: ns: Change servers radix tree to xarray Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit 5640227d9a21c6a8be249a10677b832e7f40dc55 ]

Current code does no bound checking on the number of lookups a client can
perform. Though the code restricts the lookups to local clients, there is
still a possibility of a malicious local client sending a flood of
NEW_LOOKUP messages over the same socket.

Fix this issue by limiting the maximum number of lookups to 64 globally.
Since the nameserver allows only at most one local observer, this global
lookup count will ensure that the lookups stay within the limit.

Note that, limit of 64 is chosen based on the current platform
requirements. If requirement changes in the future, this limit can be
increased.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-2-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted comment block to only mention QRTR_NS_MAX_LOOKUPS and kept kzalloc() instead of kzalloc_obj() due to missing prerequisite commits ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -21,6 +21,7 @@ static struct {
 	struct socket *sock;
 	struct sockaddr_qrtr bcast_sq;
 	struct list_head lookups;
+	u32 lookup_count;
 	struct workqueue_struct *workqueue;
 	struct work_struct work;
 	void (*saved_data_ready)(struct sock *sk);
@@ -69,6 +70,11 @@ struct qrtr_node {
 	struct radix_tree_root servers;
 };
 
+/* Max lookup limit is chosen based on the current platform requirements. If the
+ * requirement changes in the future, this value can be increased.
+ */
+#define QRTR_NS_MAX_LOOKUPS 64
+
 static struct qrtr_node *node_get(unsigned int node_id)
 {
 	struct qrtr_node *node;
@@ -457,6 +463,7 @@ static int ctrl_cmd_del_client(struct so
 
 		list_del(&lookup->li);
 		kfree(lookup);
+		qrtr_ns.lookup_count--;
 	}
 
 	/* Remove the server belonging to this port but don't broadcast
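Review bot: The decrement in ctrl_cmd_del_client() is unconditional on a u32, so a double removal, or any path that frees a lookup without passing through one of the decrement sites, leaves the counter out of step with the list. An underflow would wrap and make the `>= QRTR_NS_MAX_LOOKUPS` test reject every later NEW_LOOKUP. Consider a small helper that does list_del(), kfree() and the decrement together, with a WARN_ON_ONCE() when the count is already zero.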
@@ -590,6 +597,11 @@ static int ctrl_cmd_new_lookup(struct so
 	if (from->sq_node != qrtr_ns.local_node)
 		return -EINVAL;
 
+	if (qrtr_ns.lookup_count >= QRTR_NS_MAX_LOOKUPS) {
+		pr_err_ratelimited("QRTR client node exceeds max lookup limit!\n");
+		return -ENOSPC;
+	}
+
 	lookup = kzalloc(sizeof(*lookup), GFP_KERNEL);
 	if (!lookup)
 		return -ENOMEM;
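Review bot: The pr_err_ratelimited() text in ctrl_cmd_new_lookup() says a "client node" exceeded the limit, but lookup_count is a single counter in qrtr_ns and the commit message describes the cap as global. Suggest rewording the message to say the nameserver lookup limit was reached and printing QRTR_NS_MAX_LOOKUPS, so the log line matches what is actually enforced.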
@@ -598,6 +610,7 @@ static int ctrl_cmd_new_lookup(struct so
 	lookup->service = service;
 	lookup->instance = instance;
 	list_add_tail(&lookup->li, &qrtr_ns.lookups);
+	qrtr_ns.lookup_count++;
 
 	memset(&filter, 0, sizeof(filter));
 	filter.service = service;
@@ -664,6 +677,7 @@ static void ctrl_cmd_del_lookup(struct s
 
 		list_del(&lookup->li);
 		kfree(lookup);
+		qrtr_ns.lookup_count--;
 	}
 }
 




* [PATCH 7.0 266/378] fuse: reject fuse_notify() pagecache ops on directories
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (264 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 265/378] fs/qnx6: fix pointer arithmetic in directory iteration Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 267/378] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, Miklos Szeredi,
	Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.

The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
FUSE daemon to actively write/read pagecache contents.

For directories with FOPEN_CACHE_DIR, the pagecache is used as
kernel-internal cache storage, and userspace is not supposed to have
direct access to this cache - in particular, fuse_parse_cache() will hit
WARN_ON() if the cache contains bogus data.

Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
regular files with -EINVAL.

Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/dev.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1797,6 +1797,10 @@ static int fuse_notify_store(struct fuse
 	inode = fuse_ilookup(fc, nodeid,  NULL);
 	if (!inode)
 		goto out_up_killsb;
+	if (!S_ISREG(inode->i_mode)) {
+		err = -EINVAL;
+		goto out_iput;
+	}
 
 	mapping = inode->i_mapping;
 	index = outarg.offset >> PAGE_SHIFT;
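Review bot: The new S_ISREG() test in fuse_notify_store() has no comment, and the reason for it exists only in the commit message. Please add a short comment saying that with FOPEN_CACHE_DIR the directory page cache is kernel-internal cache storage that the daemon must not write, so the check is not later mistaken for an arbitrary restriction and relaxed.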
@@ -1976,7 +1980,10 @@ static int fuse_notify_retrieve(struct f
 
 	inode = fuse_ilookup(fc, nodeid, &fm);
 	if (inode) {
-		err = fuse_retrieve(fm, inode, &outarg);
+		if (!S_ISREG(inode->i_mode))
+			err = -EINVAL;
+		else
+			err = fuse_retrieve(fm, inode, &outarg);
 		iput(inode);
 	}
 	up_read(&fc->killsb);
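Review bot: The same S_ISREG() test is open-coded a second time in fuse_notify_retrieve(), and in a different shape (if/else here, `goto out_iput` in fuse_notify_store()). A shared helper, or at least the same structure in both places, would make it harder for a future notify operation that touches the page cache to miss the check.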




* [PATCH 6.1 350/522] net: qrtr: ns: Change servers radix tree to xarray
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (348 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 349/522] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 351/522] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chris Lew, Vignesh Viswanathan,
	Simon Horman, David S. Miller, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh Viswanathan <quic_viswanat@quicinc.com>

[ Upstream commit 608a147a88728f84bbd2efdde3d4984339f1d872 ]

There is a use after free scenario while iterating through the servers
radix tree despite the ns being a single threaded process. This can
happen when the radix tree APIs are not synchronized with the
rcu_read_lock() APIs.

Convert the radix tree for servers to xarray to take advantage of the
built in rcu lock usage provided by xarray.

Signed-off-by: Chris Lew <quic_clew@quicinc.com>
Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 68efba36446a ("net: qrtr: ns: Free the node during ctrl_cmd_bye()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |  133 ++++++++++------------------------------------------------
 1 file changed, 24 insertions(+), 109 deletions(-)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -67,7 +67,7 @@ struct qrtr_server {
 
 struct qrtr_node {
 	unsigned int id;
-	struct radix_tree_root servers;
+	struct xarray servers;
 };
 
 /* Max lookup limit is chosen based on the current platform requirements. If the
@@ -89,6 +89,7 @@ static struct qrtr_node *node_get(unsign
 		return NULL;
 
 	node->id = node_id;
+	xa_init(&node->servers);
 
 	if (radix_tree_insert(&nodes, node_id, node)) {
 		kfree(node);
@@ -199,40 +200,23 @@ static void lookup_notify(struct sockadd
 
 static int announce_servers(struct sockaddr_qrtr *sq)
 {
-	struct radix_tree_iter iter;
 	struct qrtr_server *srv;
 	struct qrtr_node *node;
-	void __rcu **slot;
+	unsigned long index;
 	int ret;
 
 	node = node_get(qrtr_ns.local_node);
 	if (!node)
 		return 0;
 
-	rcu_read_lock();
 	/* Announce the list of servers registered in this node */
-	radix_tree_for_each_slot(slot, &node->servers, &iter, 0) {
-		srv = radix_tree_deref_slot(slot);
-		if (!srv)
-			continue;
-		if (radix_tree_deref_retry(srv)) {
-			slot = radix_tree_iter_retry(&iter);
-			continue;
-		}
-		slot = radix_tree_iter_resume(slot, &iter);
-		rcu_read_unlock();
-
+	xa_for_each(&node->servers, index, srv) {
 		ret = service_announce_new(sq, srv);
 		if (ret < 0) {
 			pr_err("failed to announce new service\n");
 			return ret;
 		}
-
-		rcu_read_lock();
 	}
-
-	rcu_read_unlock();
-
 	return 0;
 }
 
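Review bot: The loop in announce_servers() still hands `srv` to service_announce_new() with no lock held at the call site, and the hunk does not say what keeps the entry alive between iteration steps. Since the commit message reports a use after free during iteration, please add a comment stating the lifetime rule this loop relies on.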
@@ -262,14 +246,17 @@ static struct qrtr_server *server_add(un
 		goto err;
 
 	/* Delete the old server on the same port */
-	old = radix_tree_lookup(&node->servers, port);
+	old = xa_store(&node->servers, port, srv, GFP_KERNEL);
 	if (old) {
-		radix_tree_delete(&node->servers, port);
-		kfree(old);
+		if (xa_is_err(old)) {
+			pr_err("failed to add server [0x%x:0x%x] ret:%d\n",
+			       srv->service, srv->instance, xa_err(old));
+			goto err;
+		} else {
+			kfree(old);
+		}
 	}
 
-	radix_tree_insert(&node->servers, port, srv);
-
 	trace_qrtr_ns_server_add(srv->service, srv->instance,
 				 srv->node, srv->port);
 
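Review bot: In server_add() the `else` after `goto err` is redundant, and testing `if (old)` before `xa_is_err(old)` nests the error path inside the replacement path. Checking `xa_is_err(old)` first with the `goto err`, followed by a plain `kfree(old);`, reads more directly, since kfree() accepts NULL.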
@@ -286,11 +273,11 @@ static int server_del(struct qrtr_node *
 	struct qrtr_server *srv;
 	struct list_head *li;
 
-	srv = radix_tree_lookup(&node->servers, port);
+	srv = xa_load(&node->servers, port);
 	if (!srv)
 		return -ENOENT;
 
-	radix_tree_delete(&node->servers, port);
+	xa_erase(&node->servers, port);
 
 	/* Broadcast the removal of local servers */
 	if (srv->node == qrtr_ns.local_node && bcast)
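Review bot: server_del() now walks the xarray twice for the same index, once in xa_load() and once in xa_erase(). xa_erase() returns the entry that was stored, so `srv = xa_erase(&node->servers, port);` followed by the existing `if (!srv) return -ENOENT;` does the lookup and the removal in one step.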
@@ -350,13 +337,12 @@ static int ctrl_cmd_hello(struct sockadd
 static int ctrl_cmd_bye(struct sockaddr_qrtr *from)
 {
 	struct qrtr_node *local_node;
-	struct radix_tree_iter iter;
 	struct qrtr_ctrl_pkt pkt;
 	struct qrtr_server *srv;
 	struct sockaddr_qrtr sq;
 	struct msghdr msg = { };
 	struct qrtr_node *node;
-	void __rcu **slot;
+	unsigned long index;
 	struct kvec iv;
 	int ret;
 
@@ -367,22 +353,9 @@ static int ctrl_cmd_bye(struct sockaddr_
 	if (!node)
 		return 0;
 
-	rcu_read_lock();
 	/* Advertise removal of this client to all servers of remote node */
-	radix_tree_for_each_slot(slot, &node->servers, &iter, 0) {
-		srv = radix_tree_deref_slot(slot);
-		if (!srv)
-			continue;
-		if (radix_tree_deref_retry(srv)) {
-			slot = radix_tree_iter_retry(&iter);
-			continue;
-		}
-		slot = radix_tree_iter_resume(slot, &iter);
-		rcu_read_unlock();
+	xa_for_each(&node->servers, index, srv)
 		server_del(node, srv->port, true);
-		rcu_read_lock();
-	}
-	rcu_read_unlock();
 
 	/* Advertise the removal of this client to all local servers */
 	local_node = node_get(qrtr_ns.local_node);
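Review bot: The xa_for_each() loop in ctrl_cmd_bye() calls server_del(), which erases from `node->servers`, the same array that is being iterated, and the return value is dropped. Modifying the array during xa_for_each() is permitted, but a one-line comment saying the erase of the current entry is intended would save the next reader from re-deriving that.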
@@ -393,18 +366,7 @@ static int ctrl_cmd_bye(struct sockaddr_
 	pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
 	pkt.client.node = cpu_to_le32(from->sq_node);
 
-	rcu_read_lock();
-	radix_tree_for_each_slot(slot, &local_node->servers, &iter, 0) {
-		srv = radix_tree_deref_slot(slot);
-		if (!srv)
-			continue;
-		if (radix_tree_deref_retry(srv)) {
-			slot = radix_tree_iter_retry(&iter);
-			continue;
-		}
-		slot = radix_tree_iter_resume(slot, &iter);
-		rcu_read_unlock();
-
+	xa_for_each(&local_node->servers, index, srv) {
 		sq.sq_family = AF_QIPCRTR;
 		sq.sq_node = srv->node;
 		sq.sq_port = srv->port;
@@ -417,11 +379,7 @@ static int ctrl_cmd_bye(struct sockaddr_
 			pr_err("failed to send bye cmd\n");
 			return ret;
 		}
-		rcu_read_lock();
 	}
-
-	rcu_read_unlock();
-
 	return 0;
 }
 
@@ -429,7 +387,6 @@ static int ctrl_cmd_del_client(struct so
 			       unsigned int node_id, unsigned int port)
 {
 	struct qrtr_node *local_node;
-	struct radix_tree_iter iter;
 	struct qrtr_lookup *lookup;
 	struct qrtr_ctrl_pkt pkt;
 	struct msghdr msg = { };
@@ -438,7 +395,7 @@ static int ctrl_cmd_del_client(struct so
 	struct qrtr_node *node;
 	struct list_head *tmp;
 	struct list_head *li;
-	void __rcu **slot;
+	unsigned long index;
 	struct kvec iv;
 	int ret;
 
@@ -484,18 +441,7 @@ static int ctrl_cmd_del_client(struct so
 	pkt.client.node = cpu_to_le32(node_id);
 	pkt.client.port = cpu_to_le32(port);
 
-	rcu_read_lock();
-	radix_tree_for_each_slot(slot, &local_node->servers, &iter, 0) {
-		srv = radix_tree_deref_slot(slot);
-		if (!srv)
-			continue;
-		if (radix_tree_deref_retry(srv)) {
-			slot = radix_tree_iter_retry(&iter);
-			continue;
-		}
-		slot = radix_tree_iter_resume(slot, &iter);
-		rcu_read_unlock();
-
+	xa_for_each(&local_node->servers, index, srv) {
 		sq.sq_family = AF_QIPCRTR;
 		sq.sq_node = srv->node;
 		sq.sq_port = srv->port;
@@ -508,11 +454,7 @@ static int ctrl_cmd_del_client(struct so
 			pr_err("failed to send del client cmd\n");
 			return ret;
 		}
-		rcu_read_lock();
 	}
-
-	rcu_read_unlock();
-
 	return 0;
 }
 
@@ -585,13 +527,12 @@ static int ctrl_cmd_del_server(struct so
 static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from,
 			       unsigned int service, unsigned int instance)
 {
-	struct radix_tree_iter node_iter;
 	struct qrtr_server_filter filter;
-	struct radix_tree_iter srv_iter;
 	struct qrtr_lookup *lookup;
+	struct qrtr_server *srv;
 	struct qrtr_node *node;
-	void __rcu **node_slot;
-	void __rcu **srv_slot;
+	unsigned long node_idx;
+	unsigned long srv_idx;
 
 	/* Accept only local observers */
 	if (from->sq_node != qrtr_ns.local_node)
@@ -616,40 +557,14 @@ static int ctrl_cmd_new_lookup(struct so
 	filter.service = service;
 	filter.instance = instance;
 
-	rcu_read_lock();
-	radix_tree_for_each_slot(node_slot, &nodes, &node_iter, 0) {
-		node = radix_tree_deref_slot(node_slot);
-		if (!node)
-			continue;
-		if (radix_tree_deref_retry(node)) {
-			node_slot = radix_tree_iter_retry(&node_iter);
-			continue;
-		}
-		node_slot = radix_tree_iter_resume(node_slot, &node_iter);
-
-		radix_tree_for_each_slot(srv_slot, &node->servers,
-					 &srv_iter, 0) {
-			struct qrtr_server *srv;
-
-			srv = radix_tree_deref_slot(srv_slot);
-			if (!srv)
-				continue;
-			if (radix_tree_deref_retry(srv)) {
-				srv_slot = radix_tree_iter_retry(&srv_iter);
-				continue;
-			}
-
+	xa_for_each(&nodes, node_idx, node) {
+		xa_for_each(&node->servers, srv_idx, srv) {
 			if (!server_match(srv, &filter))
 				continue;
 
-			srv_slot = radix_tree_iter_resume(srv_slot, &srv_iter);
-
-			rcu_read_unlock();
 			lookup_notify(from, srv, true);
-			rcu_read_lock();
 		}
 	}
-	rcu_read_unlock();
 
 	/* Empty notification, to indicate end of listing */
 	lookup_notify(from, NULL, true);
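Review bot: The outer loop in ctrl_cmd_new_lookup() now iterates `nodes` with xa_for_each(), but the node_get() context earlier in this same patch still shows `radix_tree_insert(&nodes, node_id, node)`. Both cannot be right for one object. Please confirm that the conversion of `nodes` to an xarray is applied earlier in the 6.1 queue, or keep the radix tree iteration for the outer loop in this backport.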




* [PATCH 7.0 267/378] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (265 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 266/378] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 268/378] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Miklos Szeredi,
	Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c upstream.

FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios
can contain uninitialized data.
Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already
in the page cache and not wait for data from the FUSE daemon, treat
!uptodate folios as if they weren't present.

This only has security impact on systems that don't enable automatic
zero-initialization of all page allocations via
CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.

Cc: stable@kernel.org
Fixes: 2d45ba381a74 ("fuse: add retrieve request")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260519-fuse-retrieve-uptodate-v1-1-a7a1912a37f9@google.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/dev.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1927,6 +1927,10 @@ static int fuse_retrieve(struct fuse_mou
 		folio = filemap_get_folio(mapping, index);
 		if (IS_ERR(folio))
 			break;
+		if (!folio_test_uptodate(folio)) {
+			folio_put(folio);
+			break;
+		}
 
 		folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset;
 		nr_bytes = min(folio_size(folio) - folio_offset, num);
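Review bot: The `break` on a !uptodate folio ends the whole retrieve loop, so the reply is cut short at the first such folio rather than skipping over it. That matches the IS_ERR(folio) case just above, but the reason (the folio may hold uninitialized data) is only in the commit message. A short comment on the folio_test_uptodate() check would keep it from being dropped later as redundant.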




* [PATCH 6.1 351/522] net: qrtr: ns: Free the node during ctrl_cmd_bye()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (349 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 350/522] net: qrtr: ns: Change servers radix tree to xarray Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 352/522] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit 68efba36446a7774ea5b971257ade049272a07ac ]

A node sends the BYE packet when it is about to go down. So the nameserver
should advertise the removal of the node to all remote and local observers
and free the node finally. But currently, the nameserver doesn't free the
node memory even after processing the BYE packet. This causes the node
memory to leak.

Hence, remove the node from Xarray list and free the node memory during
both success and failure case of ctrl_cmd_bye().

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-3-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -344,7 +344,7 @@ static int ctrl_cmd_bye(struct sockaddr_
 	struct qrtr_node *node;
 	unsigned long index;
 	struct kvec iv;
-	int ret;
+	int ret = 0;
 
 	iv.iov_base = &pkt;
 	iv.iov_len = sizeof(pkt);
@@ -359,8 +359,10 @@ static int ctrl_cmd_bye(struct sockaddr_
 
 	/* Advertise the removal of this client to all local servers */
 	local_node = node_get(qrtr_ns.local_node);
-	if (!local_node)
-		return 0;
+	if (!local_node) {
+		ret = 0;
+		goto delete_node;
+	}
 
 	memset(&pkt, 0, sizeof(pkt));
 	pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
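Review bot: `ret = 0;` in the `!local_node` branch is redundant, since the first hunk already initialises `ret` to 0 and nothing visible before this point assigns it. The branch can be reduced to `goto delete_node;` without braces.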
@@ -377,10 +379,18 @@ static int ctrl_cmd_bye(struct sockaddr_
 		ret = kernel_sendmsg(qrtr_ns.sock, &msg, &iv, 1, sizeof(pkt));
 		if (ret < 0) {
 			pr_err("failed to send bye cmd\n");
-			return ret;
+			goto delete_node;
 		}
 	}
-	return 0;
+
+	/* Ignore -ENODEV */
+	ret = 0;
+
+delete_node:
+	xa_erase(&nodes, from->sq_node);
+	kfree(node);
+
+	return ret;
 }
 
 static int ctrl_cmd_del_client(struct sockaddr_qrtr *from,
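Review bot: The comment "Ignore -ENODEV" does not match the code around it. The loop above takes `goto delete_node` for any `ret < 0`, so an -ENODEV from kernel_sendmsg() is returned to the caller, and the `ret = 0` under the comment only clears a non-negative send result. Either exempt -ENODEV in the `if (ret < 0)` test or reword the comment to say what the assignment really does.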




* [PATCH 7.0 268/378] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (266 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 267/378] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 269/378] i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhou, Thomas Gleixner

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>

commit 74e144274af39935b0f410c0ee4d2b91c3730414 upstream.

When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
waiter->task.

The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
the NULL waiter->task, causing a kernel crash.

Add a self-deadlock check for non-top waiters before calling
rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
futex_lock_pi_atomic().

Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/futex/requeue.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -643,6 +643,12 @@ retry_private:
 				continue;
 			}
 
+			/* Self-deadlock: non-top waiter already owns the PI futex. */
+			if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
+				ret = -EDEADLK;
+				break;
+			}
+
 			ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
 							this->rt_waiter,
 							this->task);
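Review bot: The comment on the new check says what is detected but not why it has to sit before rt_mutex_start_proxy_lock(). The commit message gives the reason: task_blocks_on_rt_mutex() returns -EDEADLK before waiter->task is set, and remove_waiter() then dereferences it. Putting that in the comment would stop the check from being read as a duplicate of the deadlock detection inside the rtmutex code.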




* [PATCH 6.1 352/522] net: mctp: fix dont require received header reserved bits to be zero
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (350 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 351/522] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 353/522] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Zhaoming, Jeremy Kerr,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuan Zhaoming <yuanzm2@lenovo.com>

[ Upstream commit a663bac71a2f0b3ac6c373168ca57b2a6e6381aa ]

From the MCTP Base specification (DSP0236 v1.2.1), the first byte of
the MCTP header contains a 4 bit reserved field, and 4 bit version.

On our current receive path, we require those 4 reserved bits to be
zero, but the 9500-8i card is non-conformant, and may set these
reserved bits.

DSP0236 states that the reserved bits must be written as zero, and
ignored when read. While the device might not conform to the former,
we should accept these messages to conform to the latter.

Relax our check on the MCTP version byte to allow non-zero bits in the
reserved field.

Fixes: 889b7da23abf ("mctp: Add initial routing framework")
Signed-off-by: Yuan Zhaoming <yuanzm2@lenovo.com>
Cc: stable@vger.kernel.org
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260417141340.5306-1-yuanzhaoming901030@126.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/mctp.h |    3 +++
 net/mctp/route.c   |    8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/include/net/mctp.h
+++ b/include/net/mctp.h
@@ -26,6 +26,9 @@ struct mctp_hdr {
 #define MCTP_VER_MIN	1
 #define MCTP_VER_MAX	1
 
+/* Definitions for ver field */
+#define MCTP_HDR_VER_MASK	GENMASK(3, 0)
+
 /* Definitions for flags_seq_tag field */
 #define MCTP_HDR_FLAG_SOM	BIT(7)
 #define MCTP_HDR_FLAG_EOM	BIT(6)
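Review bot: The comment "Definitions for ver field" does not say what the remaining four bits of the byte are. The point of MCTP_HDR_VER_MASK is that bits 7:4 are reserved and ignored on receive, so please state that here, otherwise the mask looks arbitrary to anyone who has not read the commit message.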
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -335,6 +335,7 @@ static int mctp_route_input(struct mctp_
 	unsigned long f;
 	u8 tag, flags;
 	int rc;
+	u8 ver;
 
 	msk = NULL;
 	rc = -EINVAL;
@@ -357,7 +358,8 @@ static int mctp_route_input(struct mctp_
 	mh = mctp_hdr(skb);
 	skb_pull(skb, sizeof(struct mctp_hdr));
 
-	if (mh->ver != 1)
+	ver = mh->ver & MCTP_HDR_VER_MASK;
+	if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
 		goto out;
 
 	flags = mh->flags_seq_tag & (MCTP_HDR_FLAG_SOM | MCTP_HDR_FLAG_EOM);
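Review bot: Only the local `ver` is masked in mctp_route_input(); `mh->ver` in the skb keeps whatever reserved bits the sender set. If anything later on this path reads mh->ver directly it will still see the non-zero bits, so it is worth checking the remaining users of the field or noting in a comment that the raw byte must not be compared.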
@@ -1124,6 +1126,7 @@ static int mctp_pkttype_receive(struct s
 	struct mctp_skb_cb *cb;
 	struct mctp_route *rt;
 	struct mctp_hdr *mh;
+	u8 ver;
 
 	rcu_read_lock();
 	mdev = __mctp_dev_get(dev);
@@ -1141,7 +1144,8 @@ static int mctp_pkttype_receive(struct s
 
 	/* We have enough for a header; decode and route */
 	mh = mctp_hdr(skb);
-	if (mh->ver < MCTP_VER_MIN || mh->ver > MCTP_VER_MAX)
+	ver = mh->ver & MCTP_HDR_VER_MASK;
+	if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
 		goto err_drop;
 
 	/* source must be valid unicast or null; drop reserved ranges and
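Review bot: The mask-and-range test is now written out twice, here in mctp_pkttype_receive() and in mctp_route_input(), each with its own `u8 ver` local. A small inline helper next to MCTP_HDR_VER_MASK in include/net/mctp.h would keep the two receive paths from drifting apart.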




* [PATCH 7.0 269/378] i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (267 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 268/378] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 270/378] i2c: imx: fix clock and pinctrl state inconsistency in runtime PM Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Carlos Song, Frank Li, Andi Shyti

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carlos Song <carlos.song@nxp.com>

commit 695fcefd4a81466ef9c529790b4e96f1ea2ba051 upstream.

The LPI2C driver requests DMA channels using dma_request_chan(), but
never releases them in lpi2c_imx_remove(), resulting in DMA channel
leaks every time the driver is unloaded.

Additionally, when lpi2c_dma_init() successfully requests the TX DMA
channel but fails to request the RX DMA channel, the probe falls back
to PIO mode and completes successfully. Since probe succeeds, the devres
framework will not trigger any cleanup, leaving the TX DMA channel and
the memory allocated for the dma structure held for the lifetime of the
device even though DMA is never used.

Switch to devm_dma_request_chan() to let the device core manage DMA
channel lifetime automatically. Wrap all allocations within a devres
group so that devres_release_group() can release all partially acquired
resources when DMA init fails and probe continues in PIO mode.

Fixes: a09c8b3f9047 ("i2c: imx-lpi2c: add eDMA mode support for LPI2C")
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Cc: <stable@vger.kernel.org> # v6.14+
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260520093323.2882070-1-carlos.song@oss.nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-imx-lpi2c.c |   53 ++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 21 deletions(-)

--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
+++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
@@ -1383,55 +1383,66 @@ static int lpi2c_imx_init_recovery_info(
 	return 0;
 }
 
-static void dma_exit(struct device *dev, struct lpi2c_imx_dma *dma)
-{
-	if (dma->chan_rx)
-		dma_release_channel(dma->chan_rx);
-
-	if (dma->chan_tx)
-		dma_release_channel(dma->chan_tx);
-
-	devm_kfree(dev, dma);
-}
-
 static int lpi2c_dma_init(struct device *dev, dma_addr_t phy_addr)
 {
 	struct lpi2c_imx_struct *lpi2c_imx = dev_get_drvdata(dev);
 	struct lpi2c_imx_dma *dma;
+	void *group;
 	int ret;
 
-	dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL);
-	if (!dma)
+	/*
+	 * Open a devres group so that all resources allocated within
+	 * this function can be released together if DMA init fails but
+	 * probe continues in PIO mode.
+	 */
+	group = devres_open_group(dev, NULL, GFP_KERNEL);
+	if (!group)
 		return -ENOMEM;
 
+	dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL);
+	if (!dma) {
+		ret = -ENOMEM;
+		goto release_group;
+	}
+
 	dma->phy_addr = phy_addr;
 
 	/* Prepare for TX DMA: */
-	dma->chan_tx = dma_request_chan(dev, "tx");
+	dma->chan_tx = devm_dma_request_chan(dev, "tx");
 	if (IS_ERR(dma->chan_tx)) {
 		ret = PTR_ERR(dma->chan_tx);
 		if (ret != -ENODEV && ret != -EPROBE_DEFER)
 			dev_err(dev, "can't request DMA tx channel (%d)\n", ret);
-		dma->chan_tx = NULL;
-		goto dma_exit;
+		goto release_group;
 	}
 
 	/* Prepare for RX DMA: */
-	dma->chan_rx = dma_request_chan(dev, "rx");
+	dma->chan_rx = devm_dma_request_chan(dev, "rx");
 	if (IS_ERR(dma->chan_rx)) {
 		ret = PTR_ERR(dma->chan_rx);
 		if (ret != -ENODEV && ret != -EPROBE_DEFER)
 			dev_err(dev, "can't request DMA rx channel (%d)\n", ret);
-		dma->chan_rx = NULL;
-		goto dma_exit;
+		goto release_group;
 	}
 
+	/*
+	 * DMA init succeeded. Remove the group marker but keep all resources
+	 * bound to the device, they will be freed at device removal.
+	 */
+	devres_remove_group(dev, group);
+
 	lpi2c_imx->can_use_dma = true;
 	lpi2c_imx->dma = dma;
 	return 0;
 
-dma_exit:
-	dma_exit(dev, dma);
+release_group:
+	/*
+	 * DMA init failed. Release ALL resources allocated inside this
+	 * group (dma memory, TX channel if already acquired, etc.) so
+	 * that a successful PIO-mode probe does not hold unused resources
+	 * for the entire device lifetime.
+	 */
+	devres_release_group(dev, group);
 	return ret;
 }
 
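Review bot: in lpi2c_dma_init(), the new devres_open_group() failure and the -EPROBE_DEFER result from devm_dma_request_chan() both return through the same error value the caller sees for "no DMA available", and the commit message says probe then continues in PIO mode. Add a short comment above the function stating which return values the caller turns into PIO fallback and which it propagates, so that a deferred DMA provider is not silently downgraded to PIO. The release_group path is otherwise consistent: lpi2c_imx->dma is assigned only after devres_remove_group(), so no pointer to the freed dma structure is left behind.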



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 353/522] net: qrtr: ns: Limit the total number of nodes
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (351 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 352/522] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 354/522] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit 27d5e84e810b0849d08b9aec68e48570461ce313 ]

Currently, the nameserver doesn't limit the number of nodes it handles.
This can be an attack vector if a malicious client starts registering
random nodes, leading to memory exhaustion.

Hence, limit the maximum number of nodes to 64. Note that the limit of 64 is
chosen based on the current platform requirements. If the requirement changes
in the future, this limit can be increased.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-4-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ dropped node_count-- hunk since ctrl_cmd_bye() has no delete_node ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -75,6 +75,16 @@ struct qrtr_node {
  */
 #define QRTR_NS_MAX_LOOKUPS 64
 
+/* Max nodes, server, lookup limits are chosen based on the current platform
+ * requirements. If the requirement changes in the future, these values can be
+ * increased.
+ */
+#define QRTR_NS_MAX_NODES   64
+#define QRTR_NS_MAX_SERVERS 256
+#define QRTR_NS_MAX_LOOKUPS 64
+
+static u8 node_count;
+
 static struct qrtr_node *node_get(unsigned int node_id)
 {
 	struct qrtr_node *node;
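Review bot: the added block defines QRTR_NS_MAX_LOOKUPS a second time, directly below the existing "#define QRTR_NS_MAX_LOOKUPS 64" in the context lines, and also adds QRTR_NS_MAX_SERVERS, which no hunk in this patch uses. For this backport only QRTR_NS_MAX_NODES and node_count are needed; drop the other two defines and trim the new comment so it describes the node limit only.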
@@ -83,6 +93,11 @@ static struct qrtr_node *node_get(unsign
 	if (node)
 		return node;
 
+	if (node_count >= QRTR_NS_MAX_NODES) {
+		pr_err_ratelimited("QRTR clients exceed max node limit!\n");
+		return NULL;
+	}
+
 	/* If node didn't exist, allocate and insert it to the tree */
 	node = kzalloc(sizeof(*node), GFP_KERNEL);
 	if (!node)
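Review bot: the limit check in node_get() compares against node_count, but the backport note says the node_count-- hunk was dropped and the remaining hunks only ever increment the counter, so the cap applies to every node created since the nameserver started rather than to nodes currently present. Once 64 distinct node ids have been seen, node_get() returns NULL for every new id from then on. Please confirm that 6.1 never frees a node (so the count stays accurate) and say so in a comment next to the check.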
@@ -96,6 +111,8 @@ static struct qrtr_node *node_get(unsign
 		return NULL;
 	}
 
+	node_count++;
+
 	return node;
 }
 
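Review bot: node_count++ is a plain increment on a file-scope u8 with no lock or atomic visible in this hunk; add a comment stating what serializes callers of node_get(), or make the counter atomic. A u8 is sufficient for a limit of 64 but wraps silently if QRTR_NS_MAX_NODES is ever raised above 255, so unsigned int would be the safer type given that the comment invites raising the limit.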



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 270/378] i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (268 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 269/378] i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 271/378] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Carlos Song, Frank Li, Andi Shyti

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carlos Song <carlos.song@nxp.com>

commit 8783fb8031799f1230997c16df8c8dce9fcd1841 upstream.

In i2c_imx_runtime_suspend(), the clock is disabled before switching
the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,
the runtime suspend is aborted but the clock remains disabled, causing
a system crash when the hardware is subsequently accessed.

Fix this by switching the pinctrl state before disabling the clock so
that a pinctrl failure leaves the clock enabled and the hardware
accessible.

In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep
if clk_enable() fails to keep the state consistent.

Fixes: 576eba03c994 ("i2c: imx: switch different pinctrl state in different system power status")
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Cc: <stable@vger.kernel.org> # v6.14+
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260521065038.2954998-1-carlos.song@oss.nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-imx.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -1892,9 +1892,15 @@ static void i2c_imx_remove(struct platfo
 static int i2c_imx_runtime_suspend(struct device *dev)
 {
 	struct imx_i2c_struct *i2c_imx = dev_get_drvdata(dev);
+	int ret;
+
+	ret = pinctrl_pm_select_sleep_state(dev);
+	if (ret)
+		return ret;
 
 	clk_disable(i2c_imx->clk);
-	return pinctrl_pm_select_sleep_state(dev);
+
+	return 0;
 }
 
 static int i2c_imx_runtime_resume(struct device *dev)
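Review bot: i2c_imx_runtime_suspend() now depends on pinctrl_pm_select_sleep_state() being called before clk_disable(), but nothing in the function says so. Add a one-line comment above the pinctrl call explaining that a failure there must leave the clock enabled, so the two calls are not swapped back in a later cleanup.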
@@ -1907,10 +1913,13 @@ static int i2c_imx_runtime_resume(struct
 		return ret;
 
 	ret = clk_enable(i2c_imx->clk);
-	if (ret)
+	if (ret) {
 		dev_err(dev, "can't enable I2C clock, ret=%d\n", ret);
+		pinctrl_pm_select_sleep_state(dev);
+		return ret;
+	}
 
-	return ret;
+	return 0;
 }
 
 static int i2c_imx_suspend(struct device *dev)
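Review bot: in the clk_enable() failure path of i2c_imx_runtime_resume(), the return value of the added pinctrl_pm_select_sleep_state(dev) is ignored. If that call fails as well, the pins stay in the state selected earlier in resume while the clock is off, which is the inconsistency this patch is meant to remove. At minimum log the failure with dev_warn() so the condition is visible.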



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 354/522] net: bridge: use a stable FDB dst snapshot in RCU readers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (352 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 353/522] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 355/522] spi: fix resource leaks on device setup failure Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei,
	Ido Schimmel, Nikolay Aleksandrov, Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

[ Upstream commit df4601653201de21b487c3e7fffd464790cab808 ]

Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
updates `f->dst` to another port or to `NULL` while keeping the entry
alive. Several bridge RCU readers inspect `f->dst`, including
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.

These readers currently load `f->dst` multiple times and can therefore
observe inconsistent values across the check and later dereference.
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
`f->dst` after the NULL check and before the `port_no` dereference,
leading to a NULL-ptr-deref.

Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
with `WRITE_ONCE()` so the readers and writer use matching access patterns.

Fixes: 960b589f86c7 ("bridge: Properly check if local fdb entry can be deleted in br_fdb_change_mac_address")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/6570fabb85ecadb8baaf019efe856f407711c7b9.1776043229.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ kept combined `BR_PROXYARP_WIFI | BR_NEIGH_SUPPRESS` check and `cb->args[2]` instead of `br_is_neigh_suppress_enabled()` helper and `ctx->fdb_idx` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_arp_nd_proxy.c |    8 +++++---
 net/bridge/br_fdb.c          |   28 ++++++++++++++++++----------
 2 files changed, 23 insertions(+), 13 deletions(-)

--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -199,11 +199,12 @@ void br_do_proxy_suppress_arp(struct sk_
 
 		f = br_fdb_find_rcu(br, n->ha, vid);
 		if (f) {
+			const struct net_bridge_port *dst = READ_ONCE(f->dst);
 			bool replied = false;
 
 			if ((p && (p->flags & BR_PROXYARP)) ||
-			    (f->dst && (f->dst->flags & (BR_PROXYARP_WIFI |
-							 BR_NEIGH_SUPPRESS)))) {
+			    (dst && (dst->flags & (BR_PROXYARP_WIFI |
+						   BR_NEIGH_SUPPRESS)))) {
 				if (!vid)
 					br_arp_send(br, p, skb->dev, sip, tip,
 						    sha, n->ha, sha, 0, 0);
@@ -463,9 +464,10 @@ void br_do_suppress_nd(struct sk_buff *s
 
 		f = br_fdb_find_rcu(br, n->ha, vid);
 		if (f) {
+			const struct net_bridge_port *dst = READ_ONCE(f->dst);
 			bool replied = false;
 
-			if (f->dst && (f->dst->flags & BR_NEIGH_SUPPRESS)) {
+			if (dst && (dst->flags & BR_NEIGH_SUPPRESS)) {
 				if (vid != 0)
 					br_nd_send(br, p, skb, n,
 						   skb->vlan_proto,
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -239,6 +239,7 @@ struct net_device *br_fdb_find_port(cons
 				    const unsigned char *addr,
 				    __u16 vid)
 {
+	const struct net_bridge_port *dst;
 	struct net_bridge_fdb_entry *f;
 	struct net_device *dev = NULL;
 	struct net_bridge *br;
@@ -251,8 +252,11 @@ struct net_device *br_fdb_find_port(cons
 	br = netdev_priv(br_dev);
 	rcu_read_lock();
 	f = br_fdb_find_rcu(br, addr, vid);
-	if (f && f->dst)
-		dev = f->dst->dev;
+	if (f) {
+		dst = READ_ONCE(f->dst);
+		if (dst)
+			dev = dst->dev;
+	}
 	rcu_read_unlock();
 
 	return dev;
@@ -342,7 +346,7 @@ static void fdb_delete_local(struct net_
 		vg = nbp_vlan_group(op);
 		if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
 		    (!vid || br_vlan_find(vg, vid))) {
-			f->dst = op;
+			WRITE_ONCE(f->dst, op);
 			clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
 			return;
 		}
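Review bot: in fdb_delete_local(), WRITE_ONCE(f->dst, op) is followed by clear_bit(BR_FDB_ADDED_BY_USER, &f->flags) with no ordering between the two stores, so an RCU reader can observe the new dst together with the old flag, or the reverse. The readers changed in this patch only consume the dst snapshot and do not test BR_FDB_ADDED_BY_USER in the visible lines, so this looks harmless here, but a comment confirming that no reader relies on seeing both updates together would close the question.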
@@ -353,7 +357,7 @@ static void fdb_delete_local(struct net_
 	/* Maybe bridge device has same hw addr? */
 	if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
 	    (!vid || (v && br_vlan_should_use(v)))) {
-		f->dst = NULL;
+		WRITE_ONCE(f->dst, NULL);
 		clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
 		return;
 	}
@@ -783,6 +787,7 @@ int br_fdb_test_addr(struct net_device *
 int br_fdb_fillbuf(struct net_bridge *br, void *buf,
 		   unsigned long maxnum, unsigned long skip)
 {
+	const struct net_bridge_port *dst;
 	struct net_bridge_fdb_entry *f;
 	struct __fdb_entry *fe = buf;
 	int num = 0;
@@ -798,7 +803,8 @@ int br_fdb_fillbuf(struct net_bridge *br
 			continue;
 
 		/* ignore pseudo entry for local MAC address */
-		if (!f->dst)
+		dst = READ_ONCE(f->dst);
+		if (!dst)
 			continue;
 
 		if (skip) {
@@ -810,8 +816,8 @@ int br_fdb_fillbuf(struct net_bridge *br
 		memcpy(fe->mac_addr, f->key.addr.addr, ETH_ALEN);
 
 		/* due to ABI compat need to split into hi/lo */
-		fe->port_no = f->dst->port_no;
-		fe->port_hi = f->dst->port_no >> 8;
+		fe->port_no = dst->port_no;
+		fe->port_hi = dst->port_no >> 8;
 
 		fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
 		if (!test_bit(BR_FDB_STATIC, &f->flags))
@@ -924,9 +930,11 @@ int br_fdb_dump(struct sk_buff *skb,
 
 	rcu_read_lock();
 	hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+		const struct net_bridge_port *dst = READ_ONCE(f->dst);
+
 		if (*idx < cb->args[2])
 			goto skip;
-		if (filter_dev && (!f->dst || f->dst->dev != filter_dev)) {
+		if (filter_dev && (!dst || dst->dev != filter_dev)) {
 			if (filter_dev != dev)
 				goto skip;
 			/* !f->dst is a special case for bridge
@@ -934,10 +942,10 @@ int br_fdb_dump(struct sk_buff *skb,
 			 * Therefore need a little more filtering
 			 * we only want to dump the !f->dst case
 			 */
-			if (f->dst)
+			if (dst)
 				goto skip;
 		}
-		if (!filter_dev && f->dst)
+		if (!filter_dev && dst)
 			goto skip;
 
 		err = fdb_fill_info(skb, br, f,
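Review bot: br_fdb_dump() filters on the dst snapshot but then passes f itself to fdb_fill_info(), which this patch does not touch. If that function loads f->dst on its own it needs the same READ_ONCE() treatment, otherwise the dumped entry can disagree with the filter decision made a few lines earlier. The comment in this hunk also still speaks of "!f->dst" while the code now tests dst; update it to match.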



^ permalink raw reply	[flat|nested] 906+ messages in thread
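
The check-then-dereference race described in the commit message above, modeled in userspace as an added example (not kernel code and not part of the patch). The names `race_hook`, `load_dst`, `fill_double_fetch`, `fill_snapshot` and the `demo_*` helpers are hypothetical; a hook that fires after each load stands in for a concurrent `fdb_delete_local()` rewriting the entry in place.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model of the structures named in the commit message. */
struct port { uint16_t port_no; };
struct fdb_entry { _Atomic(struct port *) dst; };

/* Hypothetical hook: runs right after each load of e->dst and stands in for
 * a concurrent writer that updates the entry while it stays alive. */
typedef void (*race_hook)(struct fdb_entry *e);

static void writer_clears_dst(struct fdb_entry *e)
{
	atomic_store_explicit(&e->dst, (struct port *)NULL, memory_order_relaxed);
}

/* One load of e->dst: the userspace analogue of READ_ONCE(f->dst). */
static struct port *load_dst(struct fdb_entry *e, race_hook hook)
{
	struct port *p = atomic_load_explicit(&e->dst, memory_order_relaxed);

	if (hook)
		hook(e);
	return p;
}

/* Pre-fix shape: the NULL check and the use are two separate loads.
 * Returns 1 = filled, 0 = entry skipped, -1 = the second load saw NULL,
 * which is the point where the kernel reader dereferenced a NULL pointer. */
static int fill_double_fetch(struct fdb_entry *e, race_hook hook, uint16_t *out)
{
	struct port *used;

	if (!load_dst(e, hook))		/* load 1: check */
		return 0;
	used = load_dst(e, hook);	/* load 2: use */
	if (!used)
		return -1;
	*out = used->port_no;
	return 1;
}

/* Post-fix shape: one snapshot serves both the check and the use. */
static int fill_snapshot(struct fdb_entry *e, race_hook hook, uint16_t *out)
{
	struct port *dst = load_dst(e, hook);

	if (!dst)
		return 0;
	*out = dst->port_no;
	return 1;
}

/* Runs one reader against an entry whose dst is cleared after the first load.
 * The port object is static, so it outlives the reader the way RCU keeps the
 * old port valid for the duration of a read-side critical section. */
static int demo(int (*reader)(struct fdb_entry *, race_hook, uint16_t *),
		uint16_t *out)
{
	static struct port p = { .port_no = 7 };
	struct fdb_entry e;

	atomic_init(&e.dst, &p);
	return reader(&e, writer_clears_dst, out);
}

int demo_double_fetch(uint16_t *out) { return demo(fill_double_fetch, out); }
int demo_snapshot(uint16_t *out)     { return demo(fill_snapshot, out); }

int main(void)
{
	uint16_t out = 0;

	printf("double fetch: %d\n", demo_double_fetch(&out));
	printf("snapshot:     %d (port_no=%u)\n", demo_snapshot(&out), out);
	return 0;
}
```

The snapshot only removes the second load; the pointer it holds is safe to dereference solely because the pointed-to object is kept alive for the reader, which in the kernel is the job of the RCU read-side section.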

* [PATCH 7.0 271/378] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (269 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 270/378] i2c: imx: fix clock and pinctrl state inconsistency in runtime PM Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 272/378] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Konrad Dybcio,
	Andi Shyti

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>

commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.

On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:

    % rmmod i2c-qcom-cci
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    <snip>
    Call trace:
    __wait_for_common+0x194/0x1a8 (P)
    wait_for_completion_timeout+0x20/0x2c
    cci_remove+0xc4/0x138 [i2c_qcom_cci]
    platform_remove+0x20/0x30
    device_remove+0x4c/0x80
    device_release_driver_internal+0x1c8/0x224
    driver_detach+0x50/0x98
    bus_remove_driver+0x6c/0xbc
    driver_unregister+0x30/0x60
    platform_driver_unregister+0x14/0x20
    qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
    ....

Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-qcom-cci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-qcom-cci.c
+++ b/drivers/i2c/busses/i2c-qcom-cci.c
@@ -663,8 +663,8 @@ static void cci_remove(struct platform_d
 		if (cci->master[i].cci) {
 			i2c_del_adapter(&cci->master[i].adap);
 			of_node_put(cci->master[i].adap.dev.of_node);
+			cci_halt(cci, i);
 		}
-		cci_halt(cci, i);
 	}
 
 	disable_irq(cci->irq);
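Review bot: moving cci_halt(cci, i) inside the "if (cci->master[i].cci)" block fixes cci_remove(), but cci_halt() itself still assumes that the master's completion has been initialized. Either add a comment on the loop saying that halt is only valid for initialized masters, or make cci_halt() return early for a master that was never set up, so that other callers cannot reach the same NULL pointer dereference.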



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 355/522] spi: fix resource leaks on device setup failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (353 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 354/522] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 356/522] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Saravana Kannan, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit db357034f7e0cf23f233f414a8508312dfe8fbbe ]

Make sure to call controller cleanup() if spi_setup() fails while
registering a device to avoid leaking any resources allocated by
setup().

Fixes: c7299fea6769 ("spi: Fix spi device unregister flow")
Cc: stable@vger.kernel.org	# 5.13
Cc: Saravana Kannan <saravanak@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410154907.129248-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ adjusted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi.c |   61 ++++++++++++++++++++++++++++++++----------------------
 1 file changed, 37 insertions(+), 24 deletions(-)

--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -42,6 +42,8 @@ EXPORT_TRACEPOINT_SYMBOL(spi_transfer_st
 
 #include "internals.h"
 
+static int __spi_setup(struct spi_device *spi, bool initial_setup);
+
 static DEFINE_IDR(spi_master_idr);
 
 static void spidev_release(struct device *dev)
@@ -666,7 +668,7 @@ static int __spi_add_device(struct spi_d
 	 * normally rely on the device being setup.  Devices
 	 * using SPI_CS_HIGH can't coexist well otherwise...
 	 */
-	status = spi_setup(spi);
+	status = __spi_setup(spi, true);
 	if (status < 0) {
 		dev_err(dev, "can't setup %s, status %d\n",
 				dev_name(&spi->dev), status);
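Review bot: __spi_add_device() now calls __spi_setup(spi, true), which runs spi_cleanup() internally on its err_cleanup paths. Check that the "status < 0" branch here does not lead to a second spi_cleanup() for the same device later in the error path, and extend the comment above the call to say that cleanup after a failed initial setup is handled inside __spi_setup().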
@@ -3688,27 +3690,7 @@ static int spi_set_cs_timing(struct spi_
 	return status;
 }
 
-/**
- * spi_setup - setup SPI mode and clock rate
- * @spi: the device whose settings are being modified
- * Context: can sleep, and no requests are queued to the device
- *
- * SPI protocol drivers may need to update the transfer mode if the
- * device doesn't work with its default.  They may likewise need
- * to update clock rates or word sizes from initial values.  This function
- * changes those settings, and must be called from a context that can sleep.
- * Except for SPI_CS_HIGH, which takes effect immediately, the changes take
- * effect the next time the device is selected and data is transferred to
- * or from it.  When this function returns, the spi device is deselected.
- *
- * Note that this call will fail if the protocol driver specifies an option
- * that the underlying controller or its driver does not support.  For
- * example, not all hardware supports wire transfers using nine bit words,
- * LSB-first wire encoding, or active-high chipselects.
- *
- * Return: zero on success, else a negative error code.
- */
-int spi_setup(struct spi_device *spi)
+static int __spi_setup(struct spi_device *spi, bool initial_setup)
 {
 	unsigned	bad_bits, ugly_bits;
 	int		status = 0;
@@ -3787,7 +3769,7 @@ int spi_setup(struct spi_device *spi)
 	status = spi_set_cs_timing(spi);
 	if (status) {
 		mutex_unlock(&spi->controller->io_mutex);
-		return status;
+		goto err_cleanup;
 	}
 
 	if (spi->controller->auto_runtime_pm && spi->controller->set_cs) {
@@ -3796,7 +3778,7 @@ int spi_setup(struct spi_device *spi)
 			mutex_unlock(&spi->controller->io_mutex);
 			dev_err(&spi->controller->dev, "Failed to power device: %d\n",
 				status);
-			return status;
+			goto err_cleanup;
 		}
 
 		/*
@@ -3833,6 +3815,37 @@ int spi_setup(struct spi_device *spi)
 			status);
 
 	return status;
+
+err_cleanup:
+	if (initial_setup)
+		spi_cleanup(spi);
+
+	return status;
+}
+
+/**
+ * spi_setup - setup SPI mode and clock rate
+ * @spi: the device whose settings are being modified
+ * Context: can sleep, and no requests are queued to the device
+ *
+ * SPI protocol drivers may need to update the transfer mode if the
+ * device doesn't work with its default.  They may likewise need
+ * to update clock rates or word sizes from initial values.  This function
+ * changes those settings, and must be called from a context that can sleep.
+ * Except for SPI_CS_HIGH, which takes effect immediately, the changes take
+ * effect the next time the device is selected and data is transferred to
+ * or from it.  When this function returns, the SPI device is deselected.
+ *
+ * Note that this call will fail if the protocol driver specifies an option
+ * that the underlying controller or its driver does not support.  For
+ * example, not all hardware supports wire transfers using nine bit words,
+ * LSB-first wire encoding, or active-high chipselects.
+ *
+ * Return: zero on success, else a negative error code.
+ */
+int spi_setup(struct spi_device *spi)
+{
+	return __spi_setup(spi, false);
 }
 EXPORT_SYMBOL_GPL(spi_setup);
 
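Review bot: the new static __spi_setup() has no comment describing initial_setup, and the err_cleanup label is reached only from the spi_set_cs_timing() and power-up failures changed in this patch, so any other failure return in the function still skips spi_cleanup(). Add a short comment above __spi_setup() saying that cleanup runs only during initial device registration, why a failed reconfiguration through spi_setup() must leave existing controller state alone, and which failure points are deliberately not routed through err_cleanup.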



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 272/378] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (270 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 271/378] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 273/378] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Guillermo Rodríguez,
	Alain Volmat, Andi Shyti

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guillermo Rodríguez <guille.rodriguez@gmail.com>

commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream.

stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick
the analog filter delay, but i2c_dev->analog_filter is parsed from
the "i2c-analog-filter" DT property only after the compute_timing
loop in stm32f7_i2c_setup_timing(), so in practice the timing
calculations always ignore the analog filter. On an STM32MP1 board
with clock-frequency = <400000> and i2c-analog-filter set, measured
SCL frequency was ~382 kHz.

This also affects (widens) the computed SDADEL range. At high bus
clock speeds, this can select an SDADEL value that violates tVD;DAT
(data valid time).

Fix by parsing "i2c-analog-filter" before the compute_timing loop.

Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter")
Signed-off-by: Guillermo Rodríguez <guille.rodriguez@gmail.com>
Cc: <stable@vger.kernel.org> # v5.13+
Acked-by: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-stm32f7.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -694,6 +694,9 @@ static int stm32f7_i2c_setup_timing(stru
 	if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter"))
 		i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT;
 
+	i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
+						       "i2c-analog-filter");
+
 	do {
 		ret = stm32f7_i2c_compute_timing(i2c_dev, setup,
 						 &i2c_dev->timing);
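Review bot: the fix in stm32f7_i2c_setup_timing() depends on analog_filter being assigned before the do/while loop that calls stm32f7_i2c_compute_timing(), yet the moved lines carry no comment. Add one line saying that the filter properties must be parsed before the timing computation, since the same ordering mistake is easy to repeat when another DT property is added after the loop.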
@@ -715,9 +718,6 @@ static int stm32f7_i2c_setup_timing(stru
 		return ret;
 	}
 
-	i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
-						       "i2c-analog-filter");
-
 	dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n",
 		setup->speed_freq, setup->clock_src);
 	dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n",



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 356/522] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (354 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 355/522] spi: fix resource leaks on device setup failure Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 357/522] xfs: fix a resource leak in xfs_alloc_buftarg() Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
	linux-fbdev, dri-devel, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

[ Upstream commit 9ded47ad003f09a94b6a710b5c47f4aa5ceb7429 ]

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an
instance as part of initializing deferred I/O and remove it only after
the final mapping has been closed. If the fb_info and the contained
deferred I/O meanwhile go away, clear struct fb_deferred_io_state.info
to invalidate the mapping. Any access will then result in a SIGBUS
signal.

Fixes a long-standing problem, where a device hot-unplug happens while
user space still has an active mapping of the graphics memory. The hot-
unplug frees the instance of struct fb_info. Accessing the memory will
operate on undefined state.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support")
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v2.6.22+
Signed-off-by: Helge Deller <deller@gmx.de>
[ context + _obj() conversion ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fb_defio.c |  164 +++++++++++++++++++++++++++++++-----
 include/linux/fb.h                  |    4 
 2 files changed, 145 insertions(+), 23 deletions(-)

--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -23,6 +23,75 @@
 #include <linux/rmap.h>
 #include <linux/pagemap.h>
 
+/*
+ * struct fb_deferred_io_state
+ */
+
+struct fb_deferred_io_state {
+	struct kref ref;
+
+	struct mutex lock; /* mutex that protects the pageref list */
+	/* fields protected by lock */
+	struct fb_info *info;
+};
+
+static struct fb_deferred_io_state *fb_deferred_io_state_alloc(void)
+{
+	struct fb_deferred_io_state *fbdefio_state;
+
+	fbdefio_state = kzalloc(sizeof(*fbdefio_state), GFP_KERNEL);
+	if (!fbdefio_state)
+		return NULL;
+
+	kref_init(&fbdefio_state->ref);
+	mutex_init(&fbdefio_state->lock);
+
+	return fbdefio_state;
+}
+
+static void fb_deferred_io_state_release(struct fb_deferred_io_state *fbdefio_state)
+{
+	mutex_destroy(&fbdefio_state->lock);
+
+	kfree(fbdefio_state);
+}
+
+static void fb_deferred_io_state_get(struct fb_deferred_io_state *fbdefio_state)
+{
+	kref_get(&fbdefio_state->ref);
+}
+
+static void __fb_deferred_io_state_release(struct kref *ref)
+{
+	struct fb_deferred_io_state *fbdefio_state =
+		container_of(ref, struct fb_deferred_io_state, ref);
+
+	fb_deferred_io_state_release(fbdefio_state);
+}
+
+static void fb_deferred_io_state_put(struct fb_deferred_io_state *fbdefio_state)
+{
+	kref_put(&fbdefio_state->ref, __fb_deferred_io_state_release);
+}
+
+/*
+ * struct vm_operations_struct
+ */
+
+static void fb_deferred_io_vm_open(struct vm_area_struct *vma)
+{
+	struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+	fb_deferred_io_state_get(fbdefio_state);
+}
+
+static void fb_deferred_io_vm_close(struct vm_area_struct *vma)
+{
+	struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+	fb_deferred_io_state_put(fbdefio_state);
+}
+
 static struct page *fb_deferred_io_page(struct fb_info *info, unsigned long offs)
 {
 	void *screen_base = (void __force *) info->screen_base;
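Review bot: in struct fb_deferred_io_state the lock is commented as protecting the pageref list, while the only member listed under "fields protected by lock" is info; fix the comment so it names what the mutex actually guards. The bare "struct fb_deferred_io_state" banner would also be the right place to document the lifetime rule these helpers implement: the initial reference from kref_init() and the references taken and dropped by fb_deferred_io_vm_open() and fb_deferred_io_vm_close().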
@@ -93,17 +162,31 @@ static void fb_deferred_io_pageref_put(s
 /* this is to find and return the vmalloc-ed fb pages */
 static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
 {
+	struct fb_info *info;
 	unsigned long offset;
 	struct page *page;
-	struct fb_info *info = vmf->vma->vm_private_data;
+	vm_fault_t ret;
+	struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
+
+	mutex_lock(&fbdefio_state->lock);
+
+	info = fbdefio_state->info;
+	if (!info) {
+		ret = VM_FAULT_SIGBUS; /* our device is gone */
+		goto err_mutex_unlock;
+	}
 
 	offset = vmf->pgoff << PAGE_SHIFT;
-	if (offset >= info->fix.smem_len)
-		return VM_FAULT_SIGBUS;
+	if (offset >= info->fix.smem_len) {
+		ret = VM_FAULT_SIGBUS;
+		goto err_mutex_unlock;
+	}
 
 	page = fb_deferred_io_page(info, offset);
-	if (!page)
-		return VM_FAULT_SIGBUS;
+	if (!page) {
+		ret = VM_FAULT_SIGBUS;
+		goto err_mutex_unlock;
+	}
 
 	get_page(page);
 
@@ -115,8 +198,15 @@ static vm_fault_t fb_deferred_io_fault(s
 	BUG_ON(!page->mapping);
 	page->index = vmf->pgoff; /* for page_mkclean() */
 
+	mutex_unlock(&fbdefio_state->lock);
+
 	vmf->page = page;
+
 	return 0;
+
+err_mutex_unlock:
+	mutex_unlock(&fbdefio_state->lock);
+	return ret;
 }
 
 int fb_deferred_io_fsync(struct file *file, loff_t start, loff_t end, int datasync)
@@ -143,15 +233,24 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_fsync);
  * Adds a page to the dirty list. Call this from struct
  * vm_operations_struct.page_mkwrite.
  */
-static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long offset,
-					    struct page *page)
+static vm_fault_t fb_deferred_io_track_page(struct fb_deferred_io_state *fbdefio_state,
+					    unsigned long offset, struct page *page)
 {
-	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_info *info;
+	struct fb_deferred_io *fbdefio;
 	struct fb_deferred_io_pageref *pageref;
 	vm_fault_t ret;
 
 	/* protect against the workqueue changing the page list */
-	mutex_lock(&fbdefio->lock);
+	mutex_lock(&fbdefio_state->lock);
+
+	info = fbdefio_state->info;
+	if (!info) {
+		ret = VM_FAULT_SIGBUS; /* our device is gone */
+		goto err_mutex_unlock;
+	}
+
+	fbdefio = info->fbdefio;
 
 	/* first write in this cycle, notify the driver */
 	if (fbdefio->first_io && list_empty(&fbdefio->pagereflist))
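Review bot: the comment kept at the top of fb_deferred_io_track_page(), "protect against the workqueue changing the page list", no longer describes everything the mutex does, because the same critical section now reads fbdefio_state->info and bails out when it is NULL. Please extend the comment to say that the lock also guards the info back-pointer against fb_deferred_io_cleanup().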
@@ -173,14 +272,14 @@ static vm_fault_t fb_deferred_io_track_p
 	 */
 	lock_page(pageref->page);
 
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 
 	/* come back after delay to process the deferred IO */
 	schedule_delayed_work(&info->deferred_work, fbdefio->delay);
 	return VM_FAULT_LOCKED;
 
 err_mutex_unlock:
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 	return ret;
 }
 
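Review bot: after mutex_unlock(&fbdefio_state->lock) this function still dereferences info in schedule_delayed_work(&info->deferred_work, fbdefio->delay), outside the lock that fb_deferred_io_cleanup() takes to clear fbdefio_state->info. If cleanup can run in that gap, the work is queued on an fb_info that is being torn down, after fb_deferred_io_lastclose() has already run. Consider scheduling the work before dropping the mutex, or state in a comment what keeps info alive at this point.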
@@ -198,25 +297,28 @@ err_mutex_unlock:
  * Returns:
  * VM_FAULT_LOCKED on success, or a VM_FAULT error otherwise.
  */
-static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
+static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_deferred_io_state *fbdefio_state,
+					      struct vm_fault *vmf)
 {
 	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
 	struct page *page = vmf->page;
 
 	file_update_time(vmf->vma->vm_file);
 
-	return fb_deferred_io_track_page(info, offset, page);
+	return fb_deferred_io_track_page(fbdefio_state, offset, page);
 }
 
 /* vm_ops->page_mkwrite handler */
 static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
 {
-	struct fb_info *info = vmf->vma->vm_private_data;
+	struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
 
-	return fb_deferred_io_page_mkwrite(info, vmf);
+	return fb_deferred_io_page_mkwrite(fbdefio_state, vmf);
 }
 
 static const struct vm_operations_struct fb_deferred_io_vm_ops = {
+	.open		= fb_deferred_io_vm_open,
+	.close		= fb_deferred_io_vm_close,
 	.fault		= fb_deferred_io_fault,
 	.page_mkwrite	= fb_deferred_io_mkwrite,
 };
@@ -231,7 +333,10 @@ int fb_deferred_io_mmap(struct fb_info *
 	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
 	if (!(info->flags & FBINFO_VIRTFB))
 		vma->vm_flags |= VM_IO;
-	vma->vm_private_data = info;
+	vma->vm_private_data = info->fbdefio_state;
+
+	fb_deferred_io_state_get(info->fbdefio_state); /* released in vma->vm_ops->close() */
+
 	return 0;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_mmap);
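Review bot: fb_deferred_io_mmap() passes info->fbdefio_state to fb_deferred_io_state_get() and stores it in vm_private_data without checking it, while fb_deferred_io_cleanup() in this patch sets info->fbdefio_state = NULL outside any lock. Either document why mmap cannot run once cleanup has started, or return an error here when the pointer is NULL.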
@@ -242,9 +347,10 @@ static void fb_deferred_io_work(struct w
 	struct fb_info *info = container_of(work, struct fb_info, deferred_work.work);
 	struct fb_deferred_io_pageref *pageref, *next;
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
 
 	/* here we mkclean the pages, then do all deferred IO */
-	mutex_lock(&fbdefio->lock);
+	mutex_lock(&fbdefio_state->lock);
 	list_for_each_entry(pageref, &fbdefio->pagereflist, list) {
 		struct page *cur = pageref->page;
 		lock_page(cur);
@@ -259,12 +365,13 @@ static void fb_deferred_io_work(struct w
 	list_for_each_entry_safe(pageref, next, &fbdefio->pagereflist, list)
 		fb_deferred_io_pageref_put(pageref, info);
 
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 }
 
 int fb_deferred_io_init(struct fb_info *info)
 {
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state;
 	struct fb_deferred_io_pageref *pagerefs;
 	unsigned long npagerefs, i;
 	int ret;
@@ -274,7 +381,11 @@ int fb_deferred_io_init(struct fb_info *
 	if (WARN_ON(!info->fix.smem_len))
 		return -EINVAL;
 
-	mutex_init(&fbdefio->lock);
+	fbdefio_state = fb_deferred_io_state_alloc();
+	if (!fbdefio_state)
+		return -ENOMEM;
+	fbdefio_state->info = info;
+
 	INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
 	INIT_LIST_HEAD(&fbdefio->pagereflist);
 	if (fbdefio->delay == 0) /* set a default of 1 s */
@@ -293,10 +404,12 @@ int fb_deferred_io_init(struct fb_info *
 	info->npagerefs = npagerefs;
 	info->pagerefs = pagerefs;
 
+	info->fbdefio_state = fbdefio_state;
+
 	return 0;
 
 err:
-	mutex_destroy(&fbdefio->lock);
+	fb_deferred_io_state_release(fbdefio_state);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_init);
@@ -337,11 +450,18 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_release
 
 void fb_deferred_io_cleanup(struct fb_info *info)
 {
-	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
 
 	fb_deferred_io_lastclose(info);
 
+	info->fbdefio_state = NULL;
+
+	mutex_lock(&fbdefio_state->lock);
+	fbdefio_state->info = NULL;
+	mutex_unlock(&fbdefio_state->lock);
+
+	fb_deferred_io_state_put(fbdefio_state);
+
 	kvfree(info->pagerefs);
-	mutex_destroy(&fbdefio->lock);
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
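Review bot: fb_deferred_io_cleanup() locks fbdefio_state->lock unconditionally, but info->fbdefio_state is only assigned on the success path of fb_deferred_io_init(), so a driver that calls cleanup after a failed or skipped init dereferences NULL in mutex_lock(). An early NULL check on fbdefio_state would make the function safe to call from common error paths; if that case cannot happen, a comment saying why would do.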
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -213,12 +213,13 @@ struct fb_deferred_io {
 	unsigned long delay;
 	bool sort_pagereflist; /* sort pagelist by offset */
 	int open_count; /* number of opened files; protected by fb_info lock */
-	struct mutex lock; /* mutex that protects the pageref list */
 	struct list_head pagereflist; /* list of pagerefs for touched pages */
 	/* callback */
 	void (*first_io)(struct fb_info *info);
 	void (*deferred_io)(struct fb_info *info, struct list_head *pagelist);
 };
+
+struct fb_deferred_io_state;
 #endif
 
 /*
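Review bot: dropping "struct mutex lock" from struct fb_deferred_io changes a structure declared in a public header, so any driver that takes fbdefio->lock itself stops building against this stable release. Please confirm that nothing outside the deferred I/O core references the member in 6.1.y, and add a one-line comment next to the new forward declaration saying that struct fb_deferred_io_state is private to that core.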
@@ -479,6 +480,7 @@ struct fb_info {
 	unsigned long npagerefs;
 	struct fb_deferred_io_pageref *pagerefs;
 	struct fb_deferred_io *fbdefio;
+	struct fb_deferred_io_state *fbdefio_state;
 #endif
 
 	const struct fb_ops *fbops;




* [PATCH 7.0 273/378] i2c: tegra: Fix NOIRQ suspend/resume
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (271 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 272/378] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 274/378] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil R, Jon Hunter, Andi Shyti

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Akhil R <akhilrajeev@nvidia.com>

commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream.

The Tegra I2C driver relies on runtime PM to wake up the controller before
each transfer. However, runtime PM is disabled between the system suspend
and NOIRQ suspend. If an I2C device initiates a transfer during this
window, the I2C controller fails to wake up and the transfer fails. To
handle this, the controller must be kept available for this period to
allow transfers.

Rework the I2C controller's system PM callbacks such that the controller
is resumed from runtime suspend during system suspend and it stays
RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
suspended back in the system resume. The clocks are disabled in NOIRQ
suspend and enabled back in NOIRQ resume by calling the controller's
runtime PM functions directly.

Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
Assisted-by: Cursor:claude-4.6-opus
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Cc: <stable@vger.kernel.org> # v5.4+
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-tegra.c |   53 +++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 23 deletions(-)

--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -2147,28 +2147,37 @@ static int __maybe_unused tegra_i2c_runt
 
 static int __maybe_unused tegra_i2c_suspend(struct device *dev)
 {
+	/*
+	 * Bring the controller up and hold a usage count so it stays
+	 * available until the noirq phase.
+	 */
+	return pm_runtime_resume_and_get(dev);
+}
+
+static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev)
+{
 	struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
-	int err;
 
 	i2c_mark_adapter_suspended(&i2c_dev->adapter);
 
-	if (!pm_runtime_status_suspended(dev)) {
-		err = tegra_i2c_runtime_suspend(dev);
-		if (err)
-			return err;
-	}
-
-	return 0;
+	/*
+	 * Runtime PM is already disabled at this point, so invoke the
+	 * runtime_suspend callback directly to put the controller down.
+	 */
+	return tegra_i2c_runtime_suspend(dev);
 }
 
-static int __maybe_unused tegra_i2c_resume(struct device *dev)
+static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev)
 {
 	struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
 	int err;
 
 	/*
-	 * We need to ensure that clocks are enabled so that registers can be
-	 * restored in tegra_i2c_init().
+	 * Runtime PM is still disabled at this point, so invoke the
+	 * runtime_resume callback directly to bring the controller back up
+	 * before re-initializing the hardware. The adapter is then marked
+	 * resumed so that consumers can issue transfers from their own
+	 * resume_noirq() handlers and onwards.
 	 */
 	err = tegra_i2c_runtime_resume(dev);
 	if (err)
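Review bot: tegra_i2c_suspend_noirq() calls i2c_mark_adapter_suspended() before tegra_i2c_runtime_suspend(), so when the runtime-suspend callback returns an error the suspend is aborted with the adapter still marked suspended unless something later calls i2c_mark_adapter_resumed(). Consider marking the adapter resumed again on that error path, or explain in the comment why the failure cannot leave the adapter unusable.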
@@ -2178,24 +2187,22 @@ static int __maybe_unused tegra_i2c_resu
 	if (err)
 		return err;
 
-	/*
-	 * In case we are runtime suspended, disable clocks again so that we
-	 * don't unbalance the clock reference counts during the next runtime
-	 * resume transition.
-	 */
-	if (pm_runtime_status_suspended(dev)) {
-		err = tegra_i2c_runtime_suspend(dev);
-		if (err)
-			return err;
-	}
-
 	i2c_mark_adapter_resumed(&i2c_dev->adapter);
 
 	return 0;
 }
 
+static int __maybe_unused tegra_i2c_resume(struct device *dev)
+{
+	pm_runtime_put(dev);
+
+	return 0;
+}
+
 static const struct dev_pm_ops tegra_i2c_pm = {
-	SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
+	SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
+	SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq,
+				      tegra_i2c_resume_noirq)
 	SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume,
 			   NULL)
 };
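Review bot: the new tegra_i2c_resume() has no comment, unlike tegra_i2c_suspend(), so the reader has to work out that its pm_runtime_put() releases the usage count taken by pm_runtime_resume_and_get() in the suspend callback. A short comment stating that pairing would help, and would also be the place to say that the controller may runtime-suspend again from here on.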




* [PATCH 6.1 357/522] xfs: fix a resource leak in xfs_alloc_buftarg()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (355 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 356/522] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 358/522] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Darrick J. Wong,
	Carlos Maiolino, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>

[ Upstream commit 29a7b2614357393b176ef06ba5bc3ff5afc8df69 ]

In the error path, call fs_put_dax() to drop the DAX
device reference.

Fixes: 6f643c57d57c ("xfs: implement ->notify_failure() for XFS")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
[ kept `kmem_free(btp)` and `return NULL` instead of `kfree(btp)`/`ERR_PTR(error)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_buf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -2036,6 +2036,7 @@ error_pcpu:
 error_lru:
 	list_lru_destroy(&btp->bt_lru);
 error_free:
+	fs_put_dax(btp->bt_daxdev, mp);
 	kmem_free(btp);
 	return NULL;
 }
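Review bot: fs_put_dax(btp->bt_daxdev, mp) sits under error_free, which the error_pcpu and error_lru labels above fall through to, so it runs on every failure exit of xfs_alloc_buftarg() that reaches these labels. Please confirm that in 6.1.y btp->bt_daxdev is assigned before the first goto that can land here and that fs_put_dax() accepts a NULL device, since neither is visible in this one-line hunk; a sentence on that in the backport note would do.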




* [PATCH 7.0 274/378] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (272 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 273/378] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 275/378] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeyu WANG, Dmitry Torokhov

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zeyu WANG <zeyu.thomas.wang@gmail.com>

commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.

The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
after the standard atkbd init sequence. Controlled testing on the
actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
command specifically corrupts the EC state, causing zero IRQ1
interrupts after init.

Skipping only the deactivate command (while keeping F4 ENABLE)
resolves the issue completely: both keystroke input and CapsLock
LED toggle work correctly. The reverse test - skipping only F4
while keeping F5 - makes the problem worse (zero keystroke
interrupts), confirming F5 is the sole culprit.

Add a DMI quirk entry for LENOVO/83QK using the existing
atkbd_deactivate_fixup callback, consistent with the existing
entries for LG Electronics and HONOR FMB-P that address the
same EC F5 deactivate issue.

Signed-off-by: Zeyu WANG <zeyu.thomas.wang@gmail.com>
Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/keyboard/atkbd.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1944,6 +1944,14 @@ static const struct dmi_system_id atkbd_
 		},
 		.callback = atkbd_deactivate_fixup,
 	},
+	{
+		/* Lenovo Yoga Air 14 (83QK) */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
+		},
+		.callback = atkbd_deactivate_fixup,
+	},
 	{ }
 };
 




* [PATCH 6.1 358/522] udf: fix partition descriptor append bookkeeping
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (356 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 357/522] xfs: fix a resource leak in xfs_alloc_buftarg() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 359/522] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Seohyeon Maeng, Jan Kara,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seohyeon Maeng <bioloidgp@gmail.com>

[ Upstream commit 08841b06fa64d8edbd1a21ca6e613420c90cc4b8 ]

Mounting a crafted UDF image with repeated partition descriptors can
trigger a heap out-of-bounds write in part_descs_loc[].

handle_partition_descriptor() deduplicates entries by partition number,
but appended slots never record partnum. As a result duplicate
Partition Descriptors are appended repeatedly and num_part_descs keeps
growing.

Once the table is full, the growth path still sizes the allocation from
partnum even though inserts are indexed by num_part_descs. If partnum is
already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep
the old capacity and the next append writes past the end of the table.

Store partnum in the appended slot and size growth from the next append
count so deduplication and capacity tracking follow the same model.

Fixes: ee4af50ca94f ("udf: Fix mounting of Win7 created UDF filesystems")
Cc: stable@vger.kernel.org
Signed-off-by: Seohyeon Maeng <bioloidgp@gmail.com>
Link: https://patch.msgid.link/20260310081652.21220-1-bioloidgp@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
[ replaced kzalloc_objs() helper with equivalent kcalloc() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/super.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1657,8 +1657,9 @@ static struct udf_vds_record *handle_par
 			return &(data->part_descs_loc[i].rec);
 	if (data->num_part_descs >= data->size_part_descs) {
 		struct part_desc_seq_scan_data *new_loc;
-		unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP);
+		unsigned int new_size;
 
+		new_size = data->num_part_descs + PART_DESC_ALLOC_STEP;
 		new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL);
 		if (!new_loc)
 			return ERR_PTR(-ENOMEM);
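Review bot: new_size = data->num_part_descs + PART_DESC_ALLOC_STEP lets the table grow by one step for every further batch of distinct partition numbers, with no upper limit in view here, and the count comes from the image being mounted. kcalloc() guards the multiplication, but a comment naming what bounds num_part_descs, or an explicit cap, would make the allocation size reviewable on its own.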
@@ -1668,6 +1669,7 @@ static struct udf_vds_record *handle_par
 		data->part_descs_loc = new_loc;
 		data->size_part_descs = new_size;
 	}
+	data->part_descs_loc[data->num_part_descs].partnum = partnum;
 	return &(data->part_descs_loc[data->num_part_descs++].rec);
 }
 



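The bookkeeping failure described in the udf commit message above, as an added user-space model that is not code from the patch or the kernel: it replays the append logic with the old and the new sizing rule and reports the first descriptor whose slot would fall outside the table instead of writing it. The step value of 32, the initial capacity and all names are assumptions of this model, and the partition numbers fed in are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this model: growth step and initial capacity of the table. */
#define PART_DESC_ALLOC_STEP 32u
#define ALIGN_UP(x, a) ((((x) + (a) - 1u) / (a)) * (a))
#define MAX_INPUT 256u

enum sizing { SIZING_BEFORE, SIZING_AFTER };

struct slot { unsigned int partnum; };

struct result {
	int first_bad;         /* index of the first descriptor with no room, -1 if none */
	unsigned int used;     /* models num_part_descs */
	unsigned int capacity; /* models size_part_descs */
};

static struct result scan(enum sizing mode, const unsigned int *partnums, size_t count)
{
	struct result r = { -1, 0, PART_DESC_ALLOC_STEP };
	struct slot *tab = calloc(r.capacity, sizeof(*tab));
	size_t n;

	for (n = 0; tab && n < count; n++) {
		unsigned int partnum = partnums[n], i, new_size;
		struct slot *bigger;

		/* Deduplicate by partition number, as the commit message describes. */
		for (i = 0; i < r.used; i++)
			if (tab[i].partnum == partnum)
				break;
		if (i < r.used)
			continue;

		if (r.used >= r.capacity) {
			new_size = mode == SIZING_BEFORE ?
				ALIGN_UP(partnum, PART_DESC_ALLOC_STEP) :
				r.used + PART_DESC_ALLOC_STEP;
			/*
			 * Slot r.used does not exist in a table of new_size
			 * entries: record the descriptor and stop, no write.
			 */
			if (new_size <= r.used) {
				r.first_bad = (int)n;
				break;
			}
			bigger = calloc(new_size, sizeof(*bigger));
			if (!bigger)
				break; /* allocation failure ends the model run */
			memcpy(bigger, tab, r.capacity * sizeof(*tab));
			free(tab);
			tab = bigger;
			r.capacity = new_size;
		}
		if (mode == SIZING_AFTER)
			tab[r.used].partnum = partnum; /* the store the fix adds */
		r.used++;
	}
	free(tab);
	return r;
}

/* Constructed input: the same partition number repeated count times. */
static struct result scan_repeated(enum sizing mode, unsigned int partnum, size_t count)
{
	unsigned int in[MAX_INPUT];
	size_t n;

	if (count > MAX_INPUT)
		count = MAX_INPUT;
	for (n = 0; n < count; n++)
		in[n] = partnum;
	return scan(mode, in, count);
}

/* Constructed input: distinct partition numbers 1, 2, ..., count. */
static struct result scan_ascending(enum sizing mode, size_t count)
{
	unsigned int in[MAX_INPUT];
	size_t n;

	if (count > MAX_INPUT)
		count = MAX_INPUT;
	for (n = 0; n < count; n++)
		in[n] = (unsigned int)n + 1u;
	return scan(mode, in, count);
}

int main(void)
{
	struct result b = scan_repeated(SIZING_BEFORE, 32, 100);
	struct result a = scan_repeated(SIZING_AFTER, 32, 100);

	printf("before: first_bad=%d used=%u capacity=%u\n", b.first_bad, b.used, b.capacity);
	printf("after:  first_bad=%d used=%u capacity=%u\n", a.first_bad, a.used, a.capacity);
	return 0;
}
```

Ascending distinct partition numbers fit under both rules in this model, which is consistent with the fault needing repeated descriptors as the commit message says.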

* [PATCH 7.0 275/378] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (273 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 274/378] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 276/378] iomap: avoid potential null folio->mapping deref during error reporting Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hongfei Ren, stable,
	Cryolitia PukNgae, Dmitry Torokhov

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>

commit fb402386af4cdce108ff991a796386de55439735 upstream.

After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
working. Adding the atkbd_deactivate_fixup quirk fixes it.

DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026

Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
Reported-by: Hongfei Ren <lcrhf@outlook.com>
Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
Tested-by: Hongfei Ren <lcrhf@outlook.com>
Cc: stable@kernel.org
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/keyboard/atkbd.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1952,6 +1952,13 @@ static const struct dmi_system_id atkbd_
 		},
 		.callback = atkbd_deactivate_fixup,
 	},
+	{
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
+		},
+		.callback = atkbd_deactivate_fixup,
+	},
 	{ }
 };
 
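Review bot: the new entry has no comment naming the machine, while the entry added for the Lenovo Yoga Air 14 in the preceding patch carries one and the commit message identifies this system as the HONOR MagicBook 14 2026 with DMI "HONOR BCC-N/BCC-N-PCB". Please add that as a comment above .matches; since DMI_MATCH() is a substring match, it is also worth saying whether matching other product names that contain "BCC-N" is intended.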




* [PATCH 6.1 359/522] hfsplus: fix uninit-value by validating catalog record size
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (357 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 358/522] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 360/522] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+d80abb5b890d39261e72,
	Viacheslav Dubeyko, Charalampos Mitrodimas, Deepanshu Kartikey,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit b6b592275aeff184aa82fcf6abccd833fb71b393 ]

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The
root cause is that hfs_brec_read() doesn't validate that the on-disk
record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data
than expected. For example, when reading a catalog thread record, the
debug output showed:

  HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
  HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the
buffer size, but doesn't check if it's less than expected. It successfully
reads 26 bytes into a 520-byte structure and returns success, leaving 494
bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by
hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering
the KMSAN warning when the uninitialized bytes are used as array indices
in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:
1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
   - Fixed size for folder and file records
   - Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading
nodeName.length to avoid reading uninitialized data at call sites that
don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive
programming to ensure no uninitialized data even if validation is
bypassed.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/ [v1]
Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmail.com/ [v2]
Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmail.com/ [v3]
Link: https://lore.kernel.org/all/20260214002100.436125-1-kartikey406@gmail.com/T/ [v4]
Link: https://lore.kernel.org/all/20260221061626.15853-1-kartikey406@gmail.com/T/ [v5]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260307010302.41547-1-kartikey406@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Stable-dep-of: 90c500e4fd83 ("hfsplus: fix held lock freed on hfsplus_fill_super()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/bfind.c      |   51 ++++++++++++++++++++++++++++++++++++++++++++++++
 fs/hfsplus/catalog.c    |    4 +--
 fs/hfsplus/dir.c        |    2 -
 fs/hfsplus/hfsplus_fs.h |    9 ++++++++
 fs/hfsplus/super.c      |    2 -
 5 files changed, 64 insertions(+), 4 deletions(-)

--- a/fs/hfsplus/bfind.c
+++ b/fs/hfsplus/bfind.c
@@ -287,3 +287,54 @@ out:
 	fd->bnode = bnode;
 	return res;
 }
+
+/**
+ * hfsplus_brec_read_cat - read and validate a catalog record
+ * @fd: find data structure
+ * @entry: pointer to catalog entry to read into
+ *
+ * Reads a catalog record and validates its size matches the expected
+ * size based on the record type.
+ *
+ * Returns 0 on success, or negative error code on failure.
+ */
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry)
+{
+	int res;
+	u32 expected_size;
+
+	res = hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry));
+	if (res)
+		return res;
+
+	/* Validate catalog record size based on type */
+	switch (be16_to_cpu(entry->type)) {
+	case HFSPLUS_FOLDER:
+		expected_size = sizeof(struct hfsplus_cat_folder);
+		break;
+	case HFSPLUS_FILE:
+		expected_size = sizeof(struct hfsplus_cat_file);
+		break;
+	case HFSPLUS_FOLDER_THREAD:
+	case HFSPLUS_FILE_THREAD:
+		/* Ensure we have at least the fixed fields before reading nodeName.length */
+		if (fd->entrylength < HFSPLUS_MIN_THREAD_SZ) {
+			pr_err("thread record too short (got %u)\n", fd->entrylength);
+			return -EIO;
+		}
+		expected_size = hfsplus_cat_thread_size(&entry->thread);
+		break;
+	default:
+		pr_err("unknown catalog record type %d\n",
+		       be16_to_cpu(entry->type));
+		return -EIO;
+	}
+
+	if (fd->entrylength != expected_size) {
+		pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n",
+		       be16_to_cpu(entry->type), fd->entrylength, expected_size);
+		return -EIO;
+	}
+
+	return 0;
+}
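Review bot: the switch reads entry->type before any lower bound on fd->entrylength has been checked; only the thread cases compare against HFSPLUS_MIN_THREAD_SZ. If hfs_brec_read() can succeed with fewer than two bytes, callers that do not zero the entry (only tmp in hfsplus_find_cat() gains "= {0}" in this patch) would switch on uninitialised memory. A check such as "if (fd->entrylength < sizeof(entry->type)) return -EIO;" right after the read would close that.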
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struc
 int hfsplus_find_cat(struct super_block *sb, u32 cnid,
 		     struct hfs_find_data *fd)
 {
-	hfsplus_cat_entry tmp;
+	hfsplus_cat_entry tmp = {0};
 	int err;
 	u16 type;
 
 	hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid);
-	err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
+	err = hfsplus_brec_read_cat(fd, &tmp);
 	if (err)
 		return err;
 
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(str
 	if (unlikely(err < 0))
 		goto fail;
 again:
-	err = hfs_brec_read(&fd, &entry, sizeof(entry));
+	err = hfsplus_brec_read_cat(&fd, &entry);
 	if (err) {
 		if (err == -ENOENT) {
 			hfs_find_exit(&fd);
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -535,6 +535,15 @@ int hfsplus_submit_bio(struct super_bloc
 		       void **data, blk_opf_t opf);
 int hfsplus_read_wrapper(struct super_block *sb);
 
+static inline u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread)
+{
+	return offsetof(struct hfsplus_cat_thread, nodeName) +
+	       offsetof(struct hfsplus_unistr, unicode) +
+	       be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr);
+}
+
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry);
+
 /*
  * time helpers: convert between 1904-base and 1970-base timestamps
  *
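Review bot: hfsplus_cat_thread_size() is added without a comment, yet it has a precondition: it dereferences thread->nodeName.length, so the caller must already have verified that at least HFSPLUS_MIN_THREAD_SZ bytes were read, as hfsplus_brec_read_cat() does. Please document that above the helper so a future caller does not use it on a short record.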
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -541,7 +541,7 @@ static int hfsplus_fill_super(struct sup
 	err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
 	if (unlikely(err < 0))
 		goto out_put_root;
-	if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+	if (!hfsplus_brec_read_cat(&fd, &entry)) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
 			err = -EIO;




* [PATCH 7.0 276/378] iomap: avoid potential null folio->mapping deref during error reporting
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (274 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 275/378] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 277/378] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sam Sun, Joanne Koong,
	Darrick J. Wong, Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joanne Koong <joannelkoong@gmail.com>

commit 2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 upstream.

When a buffered read fails, iomap_finish_folio_read() reports the error
with fserror_report_io(folio->mapping->host, ...). This is called after
ifs->read_bytes_pending has been decremented by the bytes attempted to
be read.

For a folio split across multiple read completions, the folio is only
guaranteed to stay locked while read_bytes_pending > 0. Once
iomap_finish_folio_read() decrements read_bytes_pending, another
in-flight read can complete and end the read on the folio, which unlocks
it. This allows truncate logic to run and detach the folio (set
folio->mapping to NULL). The error reporting path then can dereference a
NULL folio->mapping. As reported by Sam Sun, this is the race that can
occur:

CPU0: failed completion      CPU1: final completion     CPU2: truncate
-----------------------      ----------------------     --------------
read_bytes_pending -= len
finished = false
/* preempted before
   fserror_report_io() */
			     read_bytes_pending -= len
			     finished = true
			     folio_end_read()
							truncate clears
							folio->mapping
fserror_report_io(
  folio->mapping->host, ...)
	      ^ NULL deref

Fix this by reporting the error first before decrementing
ifs->read_bytes_pending.

Fixes: a9d573ee88af ("iomap: report file I/O errors to the VFS")
Cc: stable@vger.kernel.org
Reported-by: Sam Sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/linux-fsdevel/CAEkJfYPhWdd59RKmuNLJg-bkypHz7xiOwaWyNVu3A8CUqQCnvg@mail.gmail.com/
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Link: https://patch.msgid.link/20260604011858.2297561-1-joannelkoong@gmail.com
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/iomap/buffered-io.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index d7b648421a70..d55b936e6986 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -400,6 +400,11 @@ void iomap_finish_folio_read(struct folio *folio, size_t off, size_t len,
 	bool uptodate = !error;
 	bool finished = true;
 
+	if (error)
+		fserror_report_io(folio->mapping->host, FSERR_BUFFERED_READ,
+				  folio_pos(folio) + off, len, error,
+				  GFP_ATOMIC);
+
 	if (ifs) {
 		unsigned long flags;
 
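Review bot: the error report now has to stay ahead of the read_bytes_pending update for the reason given in the commit message, but the moved block carries no comment saying so, which makes it easy to reorder again. A short comment above "if (error)" noting that folio->mapping is only stable until read_bytes_pending is decremented would preserve the fix.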
@@ -411,11 +416,6 @@ void iomap_finish_folio_read(struct folio *folio, size_t off, size_t len,
 		spin_unlock_irqrestore(&ifs->state_lock, flags);
 	}
 
-	if (error)
-		fserror_report_io(folio->mapping->host, FSERR_BUFFERED_READ,
-				  folio_pos(folio) + off, len, error,
-				  GFP_ATOMIC);
-
 	if (finished)
 		folio_end_read(folio, uptodate);
 }
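Review bot: After the second hunk nothing between spin_unlock_irqrestore() and the `if (finished)` test may dereference the folio, but no comment says so, and the old placement of the error report shows how easily that rule gets broken. A one-line comment after the unlock stating that the folio must not be touched again unless `finished` is true would document the ordering this fix depends on.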
-- 
2.54.0





* [PATCH 6.1 360/522] hfsplus: fix held lock freed on hfsplus_fill_super()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (358 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 359/522] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 361/522] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zilin Guan, Viacheslav Dubeyko,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zilin Guan <zilin@seu.edu.cn>

[ Upstream commit 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 ]

hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.

Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.

The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.

We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:

	=========================
	WARNING: held lock freed!
	7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
	-------------------------
	mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
	ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
	2 locks held by mount/174:
	#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
	#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0

	stack backtrace:
	CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x82/0xd0
	debug_check_no_locks_freed+0x13a/0x180
	kfree+0x16b/0x510
	? hfsplus_fill_super+0xcb4/0x18a0
	hfsplus_fill_super+0xcb4/0x18a0
	? __pfx_hfsplus_fill_super+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? bdev_open+0x65f/0xc30
	? srso_return_thunk+0x5/0x5f
	? pointer+0x4ce/0xbf0
	? trace_contention_end+0x11c/0x150
	? __pfx_pointer+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? bdev_open+0x79b/0xc30
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? vsnprintf+0x6da/0x1270
	? srso_return_thunk+0x5/0x5f
	? __mutex_unlock_slowpath+0x157/0x740
	? __pfx_vsnprintf+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? mark_held_locks+0x49/0x80
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? irqentry_exit+0x17b/0x5e0
	? trace_irq_disable.constprop.0+0x116/0x150
	? __pfx_hfsplus_fill_super+0x10/0x10
	? __pfx_hfsplus_fill_super+0x10/0x10
	get_tree_bdev_flags+0x302/0x580
	? __pfx_get_tree_bdev_flags+0x10/0x10
	? vfs_parse_fs_qstr+0x129/0x1a0
	? __pfx_vfs_parse_fs_qstr+0x3/0x10
	vfs_get_tree+0x89/0x320
	fc_mount+0x10/0x1d0
	path_mount+0x5c5/0x21c0
	? __pfx_path_mount+0x10/0x10
	? trace_irq_enable.constprop.0+0x116/0x150
	? trace_irq_enable.constprop.0+0x116/0x150
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? kmem_cache_free+0x307/0x540
	? user_path_at+0x51/0x60
	? __x64_sys_mount+0x212/0x280
	? srso_return_thunk+0x5/0x5f
	__x64_sys_mount+0x212/0x280
	? __pfx___x64_sys_mount+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? trace_irq_enable.constprop.0+0x116/0x150
	? srso_return_thunk+0x5/0x5f
	do_syscall_64+0x111/0x680
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7ffacad55eae
	Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
	RSP: 002b:00007fff1ab55718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffacad55eae
	RDX: 000055740c64e5b0 RSI: 000055740c64e630 RDI: 000055740c651ab0
	RBP: 000055740c64e380 R08: 0000000000000000 R09: 0000000000000001
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 000055740c64e5b0 R14: 000055740c651ab0 R15: 000055740c64e380
	</TASK>

After applying this patch, the warning no longer appears.

Fixes: 89ac9b4d3d1a ("hfsplus: fix longname handling")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/super.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -539,8 +539,10 @@ static int hfsplus_fill_super(struct sup
 	if (err)
 		goto out_put_root;
 	err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
-	if (unlikely(err < 0))
+	if (unlikely(err < 0)) {
+		hfs_find_exit(&fd);
 		goto out_put_root;
+	}
 	if (!hfsplus_brec_read_cat(&fd, &entry)) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
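Review bot: The new hfs_find_exit(&fd) in the hfsplus_cat_build_key() failure branch is a second open-coded copy of the release in this stretch (the hfsplus_brec_read_cat() branch just below has its own), so every future early exit added after hfs_find_init() has to remember it again. Consider a dedicated unwind label ahead of out_put_root that calls hfs_find_exit(&fd), and confirm that the other side of the hfsplus_brec_read_cat() test, which is outside the visible context, releases fd as well.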




* [PATCH 7.0 277/378] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (275 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 276/378] iomap: avoid potential null folio->mapping deref during error reporting Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 278/378] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Lord, Jason Gunthorpe,
	Christoph Hellwig, Leon Romanovsky, Samiullah Khawaja,
	Marek Szyprowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 6ec91df8aff77e2e8fe3179c1f3fc15b43a40ba3 upstream.

iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
parts, the head, middle and trailer. If the middle is empty because there
are no aligned pages it will call down to iommu_map() with a 0 size
which the iommupt implementation will fail as illegal.

It then tries to do an error unwind and starts from the wrong spot
corrupting the mapping so the eventual destruction triggers a WARN_ON.

Check for 0 length and avoid mapping and use offset not 0 as the starting
point to unlink.

This is frequently triggered by using some kinds of thunderbolt NVMe
drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
pass in oddly aligned buffers for the passthrough commands from smartctl
that hit this condition.

Cc: stable@vger.kernel.org
Fixes: 433a76207dcf ("dma-mapping: Implement link/unlink ranges API")
Reported-by: Mark Lord <mlord@pobox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/0-v1-8536728bc89f+469-swiotlb_warn_jgg@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/dma-iommu.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -1895,12 +1895,18 @@ static int iommu_dma_iova_link_swiotlb(s
 			return 0;
 	}
 
+	/*
+	 * After removing the partial head and tail, there may be no aligned
+	 * middle left to map.  The tail still gets bounced below.
+	 */
 	size -= iova_end_pad;
-	error = __dma_iova_link(dev, addr + mapped, phys + mapped, size, dir,
-			attrs);
-	if (error)
-		goto out_unmap;
-	mapped += size;
+	if (size) {
+		error = __dma_iova_link(dev, addr + mapped, phys + mapped,
+				size, dir, attrs);
+		if (error)
+			goto out_unmap;
+		mapped += size;
+	}
 
 	if (iova_end_pad) {
 		error = iommu_dma_iova_bounce_and_link(dev, addr + mapped,
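Review bot: `size -= iova_end_pad;` is followed by `if (size)` with no check that iova_end_pad is not larger than what is left in size; if size is an unsigned type, a wrapped value would pass the new guard and reach __dma_iova_link() with a huge length. The head handling that precedes this is outside the visible context, so either extend the new comment to say why size >= iova_end_pad always holds here or add an explicit check.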
@@ -1913,7 +1919,8 @@ static int iommu_dma_iova_link_swiotlb(s
 	return 0;
 
 out_unmap:
-	dma_iova_unlink(dev, state, 0, mapped, dir, attrs);
+	if (mapped)
+		dma_iova_unlink(dev, state, offset, mapped, dir, attrs);
 	return error;
 }
 
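Review bot: In out_unmap the unlink now covers `offset` up to `offset + mapped`, which is only right if `mapped` counts every byte linked so far relative to offset, including a bounced head; that invariant is not stated anywhere in the visible lines. A short comment above dma_iova_unlink() saying so would keep a later change from reintroducing the wrong starting point described in the commit message.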




* [PATCH 6.1 361/522] crypto: nx - Avoid -Wflex-array-member-not-at-end warning
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (359 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 360/522] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 362/522] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva, Herbert Xu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavoars@kernel.org>

[ Upstream commit 1e6b251ce1759392666856908113dd5d7cea044d ]

-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting
ready to enable it globally. So, we are deprecating flexible-array
members in the middle of another structure.

There is currently an object (`header`) in `struct nx842_crypto_ctx`
that contains a flexible structure (`struct nx842_crypto_header`):

struct nx842_crypto_ctx {
	...
        struct nx842_crypto_header header;
        struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
	...
};

So, in order to avoid ending up with a flexible-array member in the
middle of another struct, we use the `struct_group_tagged()` helper to
separate the flexible array from the rest of the members in the flexible
structure:

struct nx842_crypto_header {
	struct_group_tagged(nx842_crypto_header_hdr, hdr,

		... the rest of the members

	);
        struct nx842_crypto_header_group group[];
} __packed;

With the change described above, we can now declare an object of the
type of the tagged struct, without embedding the flexible array in the
middle of another struct:

struct nx842_crypto_ctx {
	...
        struct nx842_crypto_header_hdr header;
        struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
	...
 } __packed;

We also use `container_of()` whenever we need to retrieve a pointer to
the flexible structure, through which we can access the flexible
array if needed.

So, with these changes, fix the following warning:

In file included from drivers/crypto/nx/nx-842.c:55:
drivers/crypto/nx/nx-842.h:174:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
  174 |         struct nx842_crypto_header header;
      |                                    ^~~~~~

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: adb3faf2db1a ("crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c |    6 ++++--
 drivers/crypto/nx/nx-842.h |   10 ++++++----
 2 files changed, 10 insertions(+), 6 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -251,7 +251,9 @@ int nx842_crypto_compress(struct crypto_
 			  u8 *dst, unsigned int *dlen)
 {
 	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
-	struct nx842_crypto_header *hdr = &ctx->header;
+	struct nx842_crypto_header *hdr =
+				container_of(&ctx->header,
+					     struct nx842_crypto_header, hdr);
 	struct nx842_crypto_param p;
 	struct nx842_constraints c = *ctx->driver->constraints;
 	unsigned int groups, hdrsize, h;
@@ -490,7 +492,7 @@ int nx842_crypto_decompress(struct crypt
 	}
 
 	memcpy(&ctx->header, src, hdr_len);
-	hdr = &ctx->header;
+	hdr = container_of(&ctx->header, struct nx842_crypto_header, hdr);
 
 	for (n = 0; n < hdr->groups; n++) {
 		/* ignore applies to last group */
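Review bot: `memcpy(&ctx->header, src, hdr_len)` now has a destination whose type is only the fixed part of the header, so any hdr_len larger than sizeof(ctx->header) deliberately runs on into ctx->group. The bound on hdr_len is outside the visible context; it should be confirmed against sizeof(ctx->header) + sizeof(ctx->group), and assigning hdr via container_of() first and copying through it would make the intended spill into the group array explicit.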
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -157,9 +157,11 @@ struct nx842_crypto_header_group {
 } __packed;
 
 struct nx842_crypto_header {
-	__be16 magic;		/* NX842_CRYPTO_MAGIC */
-	__be16 ignore;		/* decompressed end bytes to ignore */
-	u8 groups;		/* total groups in this header */
+	struct_group_tagged(nx842_crypto_header_hdr, hdr,
+		__be16 magic;		/* NX842_CRYPTO_MAGIC */
+		__be16 ignore;		/* decompressed end bytes to ignore */
+		u8 groups;		/* total groups in this header */
+	);
 	struct nx842_crypto_header_group group[];
 } __packed;
 
@@ -171,7 +173,7 @@ struct nx842_crypto_ctx {
 	u8 *wmem;
 	u8 *sbounce, *dbounce;
 
-	struct nx842_crypto_header header;
+	struct nx842_crypto_header_hdr header;
 	struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
 
 	struct nx842_driver *driver;
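Review bot: `struct nx842_crypto_header_hdr header;` followed by `group[NX842_CRYPTO_GROUP_MAX]` only works with the container_of() callers if ctx->group starts exactly where the flexible group[] of struct nx842_crypto_header would, and nothing in the patch enforces that. struct_group_tagged() is given no attribute argument in the previous hunk, so the outer __packed is not applied to the tagged struct itself; please add a static_assert that offsetof(struct nx842_crypto_header, group) equals sizeof(struct nx842_crypto_header_hdr) and that the offset is unchanged from before the conversion.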



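How the attribute list of a tagged group decides where a trailing flexible array lands in a packed struct, as an added user-space example that is not code from the patch or the kernel tree. `STRUCT_GROUP` is a simplified re-creation of the kernel helper, and `demo_group`, the `hdr_*` structs and `ctx_tagged` are constructed stand-ins; the explicitly packed variant goes slightly beyond what the message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PACKED __attribute__((__packed__))

/*
 * Simplified user-space re-creation of the kernel's __struct_group():
 * the members are declared twice inside an anonymous union, once as an
 * anonymous struct and once as a named struct with tag TAG. ATTRS is
 * applied to both structs and to the union.
 */
#define STRUCT_GROUP(TAG, NAME, ATTRS, ...)		\
	union {						\
		struct { __VA_ARGS__ } ATTRS;		\
		struct TAG { __VA_ARGS__ } ATTRS NAME;	\
	} ATTRS

#define CONTAINER_OF(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Constructed 10-byte stand-in for one per-group record. */
struct demo_group { uint8_t raw[10]; } PACKED;

/* (a) Plain packed header: flexible array directly after 5 bytes. */
struct hdr_plain {
	uint16_t magic; uint16_t ignore; uint8_t groups;
	struct demo_group group[];
} PACKED;

/* (b) Same members wrapped in a tagged group with no attributes. */
struct hdr_tagged {
	STRUCT_GROUP(hdr_tagged_hdr, hdr, /* no attrs */,
		uint16_t magic; uint16_t ignore; uint8_t groups;
	);
	struct demo_group group[];
} PACKED;

/* (c) Same members, with the packed attribute passed to the group. */
struct hdr_packed {
	STRUCT_GROUP(hdr_packed_hdr, hdr, PACKED,
		uint16_t magic; uint16_t ignore; uint8_t groups;
	);
	struct demo_group group[];
} PACKED;

/* Build-time guard: grouping must not move the flexible array. */
_Static_assert(offsetof(struct hdr_packed, group) ==
	       offsetof(struct hdr_plain, group),
	       "grouping moved group[]");

/* Context that embeds only the fixed part, followed by real storage. */
struct ctx_tagged {
	void *driver;			/* constructed placeholder member */
	struct hdr_tagged_hdr header;
	struct demo_group group[4];
};

size_t group_offset_plain(void)  { return offsetof(struct hdr_plain, group); }
size_t group_offset_tagged(void) { return offsetof(struct hdr_tagged, group); }
size_t group_offset_packed(void) { return offsetof(struct hdr_packed, group); }

/* Returns 1 when the container_of() view's group[] is ctx.group. */
int ctx_group_aliases(void)
{
	static struct ctx_tagged ctx;
	struct hdr_tagged *h =
		CONTAINER_OF(&ctx.header, struct hdr_tagged, hdr);

	return (void *)h->group == (void *)ctx.group;
}

int main(void)
{
	printf("plain : group[] at %zu\n", group_offset_plain());
	printf("tagged: group[] at %zu, sizeof(hdr) %zu\n",
	       group_offset_tagged(), sizeof(struct hdr_tagged_hdr));
	printf("packed: group[] at %zu, sizeof(hdr) %zu\n",
	       group_offset_packed(), sizeof(struct hdr_packed_hdr));
	printf("ctx.group aliases flexible group[]: %d\n",
	       ctx_group_aliases());
	return 0;
}
```

The container_of() view and the context storage stay consistent in every variant; what differs is whether the serialized header keeps its original byte layout, which is what a static_assert on the offset pins down.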

* [PATCH 7.0 278/378] ipc/shm: serialize orphan cleanup with shm_nattch updates
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (276 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 277/378] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 279/378] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Xin Liu, Yilin Zhu, Ren Wei, Christian Brauner, Jeongjun Park,
	Kees Cook, Liam Howlett, Lorenzo Stoakes, Serge Hallyn,
	Vasiliy Kulikov, Davidlohr Bueso, Oleg Nesterov, Serge Hallyn,
	Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yilin Zhu <zylzyl2333@gmail.com>

commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.

shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
does not serialize all fields tested by shm_may_destroy().  In particular,
shm_nattch is updated while holding shm_perm.lock, and attach paths can do
that without holding the rwsem.

Do not decide that an orphaned segment is unused before taking the object
lock.  Move the shm_may_destroy() check under shm_perm.lock, matching the
other destroy paths, and unlock the segment when it no longer qualifies
for removal.

Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jeongjun Park <aha310510@gmail.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Liam Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Serge Hallyn <sergeh@kernel.org>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 ipc/shm.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -418,15 +418,17 @@ static int shm_try_destroy_orphaned(int
 	 * We want to destroy segments without users and with already
 	 * exit'ed originating process.
 	 *
-	 * As shp->* are changed under rwsem, it's safe to skip shp locking.
+	 * shm_nattch can be changed under shm_perm.lock without holding the
+	 * rwsem, so take the object lock before checking shm_may_destroy().
 	 */
 	if (!list_empty(&shp->shm_clist))
 		return 0;
 
-	if (shm_may_destroy(shp)) {
-		shm_lock_by_ptr(shp);
+	shm_lock_by_ptr(shp);
+	if (shm_may_destroy(shp))
 		shm_destroy(ns, shp);
-	}
+	else
+		shm_unlock(shp);
 	return 0;
 }
 
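Review bot: The `list_empty(&shp->shm_clist)` test above the new shm_lock_by_ptr() is still made without the object lock, and the rewritten comment only explains why shm_nattch needs it. Say in the comment what makes the unlocked shm_clist check safe, or move it under the lock too; since only the else branch calls shm_unlock(), a note that shm_destroy() is expected to release the lock would also help the next reader.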




* [PATCH 6.1 362/522] crypto: nx - Migrate to scomp API
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (360 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 361/522] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 363/522] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Herbert Xu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ardb@kernel.org>

[ Upstream commit 980b5705f4e73f567e405cd18337cc32fd51cf79 ]

The only remaining user of 842 compression has been migrated to the
acomp compression API, and so the NX hardware driver has to follow suit,
given that no users of the obsolete 'comp' API remain, and it is going
to be removed.

So migrate the NX driver code to scomp. These will be wrapped and
exposed as acomp implementation via the crypto subsystem's
acomp-to-scomp adaptation layer.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: adb3faf2db1a ("crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c            |   33 +++++++++++++++++++--------------
 drivers/crypto/nx/nx-842.h            |   14 ++++++++------
 drivers/crypto/nx/nx-common-powernv.c |   31 +++++++++++++++----------------
 drivers/crypto/nx/nx-common-pseries.c |   33 ++++++++++++++++-----------------
 4 files changed, 58 insertions(+), 53 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -101,9 +101,13 @@ static int update_param(struct nx842_cry
 	return 0;
 }
 
-int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver)
+void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx;
+
+	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+	if (!ctx)
+		return ERR_PTR(-ENOMEM);
 
 	spin_lock_init(&ctx->lock);
 	ctx->driver = driver;
@@ -114,22 +118,23 @@ int nx842_crypto_init(struct crypto_tfm
 		kfree(ctx->wmem);
 		free_page((unsigned long)ctx->sbounce);
 		free_page((unsigned long)ctx->dbounce);
-		return -ENOMEM;
+		kfree(ctx);
+		return ERR_PTR(-ENOMEM);
 	}
 
-	return 0;
+	return ctx;
 }
-EXPORT_SYMBOL_GPL(nx842_crypto_init);
+EXPORT_SYMBOL_GPL(nx842_crypto_alloc_ctx);
 
-void nx842_crypto_exit(struct crypto_tfm *tfm)
+void nx842_crypto_free_ctx(void *p)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx = p;
 
 	kfree(ctx->wmem);
 	free_page((unsigned long)ctx->sbounce);
 	free_page((unsigned long)ctx->dbounce);
 }
-EXPORT_SYMBOL_GPL(nx842_crypto_exit);
+EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
 
 static void check_constraints(struct nx842_constraints *c)
 {
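Review bot: nx842_crypto_free_ctx() frees ctx->wmem and the two bounce buffers but never frees ctx itself, although nx842_crypto_alloc_ctx() now allocates it with kzalloc() and its own error path ends with kfree(ctx). Unless the caller of .free_ctx releases the pointer, which nothing in this patch shows, every released context leaks sizeof(*ctx); add kfree(ctx) as the last statement of nx842_crypto_free_ctx().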
@@ -246,11 +251,11 @@ nospc:
 	return update_param(p, slen, dskip + dlen);
 }
 
-int nx842_crypto_compress(struct crypto_tfm *tfm,
+int nx842_crypto_compress(struct crypto_scomp *tfm,
 			  const u8 *src, unsigned int slen,
-			  u8 *dst, unsigned int *dlen)
+			  u8 *dst, unsigned int *dlen, void *pctx)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx = pctx;
 	struct nx842_crypto_header *hdr =
 				container_of(&ctx->header,
 					     struct nx842_crypto_header, hdr);
@@ -431,11 +436,11 @@ usesw:
 	return update_param(p, slen + padding, dlen);
 }
 
-int nx842_crypto_decompress(struct crypto_tfm *tfm,
+int nx842_crypto_decompress(struct crypto_scomp *tfm,
 			    const u8 *src, unsigned int slen,
-			    u8 *dst, unsigned int *dlen)
+			    u8 *dst, unsigned int *dlen, void *pctx)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx = pctx;
 	struct nx842_crypto_header *hdr;
 	struct nx842_crypto_param p;
 	struct nx842_constraints c = *ctx->driver->constraints;
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -101,6 +101,8 @@
 #define LEN_ON_SIZE(pa, size)	((size) - ((pa) & ((size) - 1)))
 #define LEN_ON_PAGE(pa)		LEN_ON_SIZE(pa, PAGE_SIZE)
 
+struct crypto_scomp;
+
 static inline unsigned long nx842_get_pa(void *addr)
 {
 	if (!is_vmalloc_addr(addr))
@@ -179,13 +181,13 @@ struct nx842_crypto_ctx {
 	struct nx842_driver *driver;
 };
 
-int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver);
-void nx842_crypto_exit(struct crypto_tfm *tfm);
-int nx842_crypto_compress(struct crypto_tfm *tfm,
+void *nx842_crypto_alloc_ctx(struct nx842_driver *driver);
+void nx842_crypto_free_ctx(void *ctx);
+int nx842_crypto_compress(struct crypto_scomp *tfm,
 			  const u8 *src, unsigned int slen,
-			  u8 *dst, unsigned int *dlen);
-int nx842_crypto_decompress(struct crypto_tfm *tfm,
+			  u8 *dst, unsigned int *dlen, void *ctx);
+int nx842_crypto_decompress(struct crypto_scomp *tfm,
 			    const u8 *src, unsigned int slen,
-			    u8 *dst, unsigned int *dlen);
+			    u8 *dst, unsigned int *dlen, void *ctx);
 
 #endif /* __NX_842_H__ */
--- a/drivers/crypto/nx/nx-common-powernv.c
+++ b/drivers/crypto/nx/nx-common-powernv.c
@@ -9,6 +9,7 @@
 
 #include "nx-842.h"
 
+#include <crypto/internal/scompress.h>
 #include <linux/timer.h>
 
 #include <asm/prom.h>
@@ -1034,23 +1035,21 @@ static struct nx842_driver nx842_powernv
 	.decompress =	nx842_powernv_decompress,
 };
 
-static int nx842_powernv_crypto_init(struct crypto_tfm *tfm)
+static void *nx842_powernv_crypto_alloc_ctx(void)
 {
-	return nx842_crypto_init(tfm, &nx842_powernv_driver);
+	return nx842_crypto_alloc_ctx(&nx842_powernv_driver);
 }
 
-static struct crypto_alg nx842_powernv_alg = {
-	.cra_name		= "842",
-	.cra_driver_name	= "842-nx",
-	.cra_priority		= 300,
-	.cra_flags		= CRYPTO_ALG_TYPE_COMPRESS,
-	.cra_ctxsize		= sizeof(struct nx842_crypto_ctx),
-	.cra_module		= THIS_MODULE,
-	.cra_init		= nx842_powernv_crypto_init,
-	.cra_exit		= nx842_crypto_exit,
-	.cra_u			= { .compress = {
-	.coa_compress		= nx842_crypto_compress,
-	.coa_decompress		= nx842_crypto_decompress } }
+static struct scomp_alg nx842_powernv_alg = {
+	.base.cra_name		= "842",
+	.base.cra_driver_name	= "842-nx",
+	.base.cra_priority	= 300,
+	.base.cra_module	= THIS_MODULE,
+
+	.alloc_ctx		= nx842_powernv_crypto_alloc_ctx,
+	.free_ctx		= nx842_crypto_free_ctx,
+	.compress		= nx842_crypto_compress,
+	.decompress		= nx842_crypto_decompress,
 };
 
 static __init int nx_compress_powernv_init(void)
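Review bot: The new `.alloc_ctx` and `.free_ctx` initialisers take callbacks of the form void *(*)(void) and void (*)(void *), while the definition of struct scomp_alg is not part of this patch. Because this is a backport, please confirm that the 6.1 tree declares those two members with the same prototypes, otherwise the initialisers assign incompatible function pointer types; the same applies to nx842_pseries_alg.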
@@ -1110,7 +1109,7 @@ static __init int nx_compress_powernv_in
 		nx842_powernv_exec = nx842_exec_vas;
 	}
 
-	ret = crypto_register_alg(&nx842_powernv_alg);
+	ret = crypto_register_scomp(&nx842_powernv_alg);
 	if (ret) {
 		nx_delete_coprocs();
 		return ret;
@@ -1131,7 +1130,7 @@ static void __exit nx_compress_powernv_e
 	if (!nx842_ct)
 		vas_unregister_api_powernv();
 
-	crypto_unregister_alg(&nx842_powernv_alg);
+	crypto_unregister_scomp(&nx842_powernv_alg);
 
 	nx_delete_coprocs();
 }
--- a/drivers/crypto/nx/nx-common-pseries.c
+++ b/drivers/crypto/nx/nx-common-pseries.c
@@ -11,6 +11,7 @@
 #include <asm/vio.h>
 #include <asm/hvcall.h>
 #include <asm/vas.h>
+#include <crypto/internal/scompress.h>
 
 #include "nx-842.h"
 #include "nx_csbcpb.h" /* struct nx_csbcpb */
@@ -1006,23 +1007,21 @@ static struct nx842_driver nx842_pseries
 	.decompress =	nx842_pseries_decompress,
 };
 
-static int nx842_pseries_crypto_init(struct crypto_tfm *tfm)
+static void *nx842_pseries_crypto_alloc_ctx(void)
 {
-	return nx842_crypto_init(tfm, &nx842_pseries_driver);
+	return nx842_crypto_alloc_ctx(&nx842_pseries_driver);
 }
 
-static struct crypto_alg nx842_pseries_alg = {
-	.cra_name		= "842",
-	.cra_driver_name	= "842-nx",
-	.cra_priority		= 300,
-	.cra_flags		= CRYPTO_ALG_TYPE_COMPRESS,
-	.cra_ctxsize		= sizeof(struct nx842_crypto_ctx),
-	.cra_module		= THIS_MODULE,
-	.cra_init		= nx842_pseries_crypto_init,
-	.cra_exit		= nx842_crypto_exit,
-	.cra_u			= { .compress = {
-	.coa_compress		= nx842_crypto_compress,
-	.coa_decompress		= nx842_crypto_decompress } }
+static struct scomp_alg nx842_pseries_alg = {
+	.base.cra_name		= "842",
+	.base.cra_driver_name	= "842-nx",
+	.base.cra_priority	= 300,
+	.base.cra_module	= THIS_MODULE,
+
+	.alloc_ctx		= nx842_pseries_crypto_alloc_ctx,
+	.free_ctx		= nx842_crypto_free_ctx,
+	.compress		= nx842_crypto_compress,
+	.decompress		= nx842_crypto_decompress,
 };
 
 static int nx842_probe(struct vio_dev *viodev,
@@ -1070,7 +1069,7 @@ static int nx842_probe(struct vio_dev *v
 	if (ret)
 		goto error;
 
-	ret = crypto_register_alg(&nx842_pseries_alg);
+	ret = crypto_register_scomp(&nx842_pseries_alg);
 	if (ret) {
 		dev_err(&viodev->dev, "could not register comp alg: %d\n", ret);
 		goto error;
@@ -1118,7 +1117,7 @@ static void nx842_remove(struct vio_dev
 	if (caps_feat)
 		sysfs_remove_group(&viodev->dev.kobj, &nxcop_caps_attr_group);
 
-	crypto_unregister_alg(&nx842_pseries_alg);
+	crypto_unregister_scomp(&nx842_pseries_alg);
 
 	spin_lock_irqsave(&devdata_mutex, flags);
 	old_devdata = rcu_dereference_check(devdata,
@@ -1250,7 +1249,7 @@ static void __exit nx842_pseries_exit(vo
 
 	vas_unregister_api_pseries();
 
-	crypto_unregister_alg(&nx842_pseries_alg);
+	crypto_unregister_scomp(&nx842_pseries_alg);
 
 	spin_lock_irqsave(&devdata_mutex, flags);
 	old_devdata = rcu_dereference_check(devdata,




* [PATCH 7.0 279/378] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (277 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 278/378] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 280/378] memcg: use round-robin victim selection in refill_stock Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+78147abe6c524f183ee9,
	Davidlohr Bueso, Thomas Gleixner

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davidlohr Bueso <dave@stgolabs.net>

commit 40a25d59e85b3c8709ac2424d44f65610467871e upstream.

syzbot triggered the following splat in remove_waiter() via
FUTEX_CMP_REQUEUE_PI:

  KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
   class_raw_spinlock_constructor
   remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
   rt_mutex_start_proxy_lock+0x103/0x120
   futex_requeue+0x10e4/0x20d0
   __x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead
of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
upon successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock
return correctly") moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
account for try_to_take_rt_mutex().

Fixes: 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/locking/rtmutex.c     |    3 +++
 kernel/locking/rtmutex_api.c |    2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1548,6 +1548,9 @@ static void __sched remove_waiter(struct
 
 	lockdep_assert_held(&lock->wait_lock);
 
+	if (!waiter_task) /* never enqueued */
+		return;
+
 	scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
 		rt_mutex_dequeue(lock, waiter);
 		waiter_task->pi_blocked_on = NULL;
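Review bot: `if (!waiter_task)` returns silently for any waiter whose task pointer is NULL, so a waiter that was enqueued and later lost its task pointer through a bug would now be skipped without a trace. Consider expanding the `/* never enqueued */` comment to name the path that leaves the task unset (deadlock detection in task_blocks_on_rt_mutex(), per the commit message) and adding a debug assertion that the waiter is not linked into the lock's wait tree before returning.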
--- a/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -365,7 +365,7 @@ int __sched rt_mutex_start_proxy_lock(st
 
 	raw_spin_lock_irq(&lock->wait_lock);
 	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
-	if (unlikely(ret))
+	if (unlikely(ret < 0))
 		remove_waiter(lock, waiter);
 	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);
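Review bot: The switch from `ret` to `ret < 0` depends on __rt_mutex_start_proxy_lock() returning a positive value when the lock was taken, and that convention is not documented at this call site. A one-line comment above the test would make clear that only the error case leaves a waiter to remove.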




* [PATCH 6.1 363/522] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (361 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 362/522] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 364/522] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c ]

The bounce buffers are allocated with __get_free_pages() using
BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
path and nx842_crypto_free_ctx() release the buffers with free_page().
Use free_pages() with the matching order instead.

Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx84
 	ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
 	if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
 		kfree(ctx->wmem);
-		free_page((unsigned long)ctx->sbounce);
-		free_page((unsigned long)ctx->dbounce);
+		free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+		free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
 		kfree(ctx);
 		return ERR_PTR(-ENOMEM);
 	}
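Review bot: the error path in `nx842_crypto_alloc_ctx()` repeats the same three-call free sequence that `nx842_crypto_free_ctx()` carries, so the page order has to be kept right in two places. Consider replacing the three lines with `nx842_crypto_free_ctx(ctx);` followed by the existing `kfree(ctx);`; `kfree()` and `free_pages()` both accept a NULL/zero argument, so the partially allocated case is still handled. Only the `dbounce` allocation is visible in this hunk, so please confirm `sbounce` is allocated with `BOUNCE_BUFFER_ORDER` as well.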
@@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p)
 	struct nx842_crypto_ctx *ctx = p;
 
 	kfree(ctx->wmem);
-	free_page((unsigned long)ctx->sbounce);
-	free_page((unsigned long)ctx->dbounce);
+	free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+	free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
 }
 EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
 



* [PATCH 7.0 280/378] memcg: use round-robin victim selection in refill_stock
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (278 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 279/378] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 281/378] memory: atmel-ebi: Allow deferred probing Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shakeel Butt, Harry Yoo,
	Michal Hocko, Johannes Weiner, Muchun Song, Roman Gushchin,
	Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shakeel Butt <shakeel.butt@linux.dev>

commit c0cafe24d3f6534294c4b2bc2d47734ff7cbd313 upstream.

Harry Yoo reported that get_random_u32_below() is not safe to call in the
nmi context and memcg charge draining can happen in nmi context.

More specifically get_random_u32_below() is neither reentrant- nor
NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the
batched_entropy_u32 state.  An NMI that lands on a CPU mid-update of the
ChaCha batch state and recurses into the random subsystem would corrupt
that state.  The memcg_stock local_trylock prevents re-entry on the percpu
stock itself, but cannot protect an unrelated subsystem's per-cpu lock.

Replace the random pick with a per-cpu round-robin counter stored in
memcg_stock_pcp and serialized by the same local_trylock that already
guards cached[] and nr_pages[].  No atomics, no random calls, no extra
locks needed.

Link: https://lore.kernel.org/20260521223751.3794625-1-shakeel.butt@linux.dev
Fixes: f735eebe55f8f ("memcg: multi-memcg percpu charge cache")
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Reported-by: Harry Yoo <harry@kernel.org>
Closes: https://lore.kernel.org/4e20f643-6983-4b6e-b12d-c6c4eb20ae0c@kernel.org/
Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memcontrol.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -1799,6 +1799,7 @@ struct memcg_stock_pcp {
 
 	struct work_struct work;
 	unsigned long flags;
+	uint8_t drain_idx;
 };
 
 static DEFINE_PER_CPU_ALIGNED(struct memcg_stock_pcp, memcg_stock) = {
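Review bot: the new `uint8_t drain_idx;` field has no comment saying which lock protects it, and `u8` is the usual spelling for a kernel-internal struct. The commit message says it is serialized by the same local_trylock that guards cached[] and nr_pages[]; stating that next to the field would help. A `BUILD_BUG_ON(NR_MEMCG_STOCK > U8_MAX)` would also pin the assumption that the index fits the type.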
@@ -1982,7 +1983,9 @@ static void refill_stock(struct mem_cgro
 	if (!success) {
 		i = empty_slot;
 		if (i == -1) {
-			i = get_random_u32_below(NR_MEMCG_STOCK);
+			i = stock->drain_idx++;
+			if (stock->drain_idx == NR_MEMCG_STOCK)
+				stock->drain_idx = 0;
 			drain_stock(stock, i);
 		}
 		css_get(&memcg->css);
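Review bot: the wrap test `if (stock->drain_idx == NR_MEMCG_STOCK)` resets only on exact equality, so the index passed to `drain_stock(stock, i)` is in range only as long as `drain_idx` was already below `NR_MEMCG_STOCK` on entry. Writing the reset as `>=` keeps the index bounded without relying on that invariant and costs nothing.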



* [PATCH 6.1 364/522] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (362 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 363/522] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 365/522] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

[ Upstream commit 21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab ]

Some crafted images can have illegal (!partial_decoding &&
m_llen < m_plen) extents, and the LZ4 inplace decompression path
can be wrongly hit, but it cannot handle (outpages < inpages)
properly: "outpages - inpages" wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.

However, such crafted cases can correctly result in a corruption
report in the normal LZ4 non-inplace path.

Let's add an additional check to fix this for backporting.

Reproducible image (base64-encoded gzipped blob):

$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1

Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
[ inverted condition to early-out `goto docopy` form and used `ctx->inpages`/`ctx->outpages` instead of `rq->` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/erofs/decompressor.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -133,6 +133,7 @@ static void *z_erofs_lz4_handle_overlap(
 	if (rq->inplace_io) {
 		omargin = PAGE_ALIGN(ctx->oend) - ctx->oend;
 		if (rq->partial_decoding || !may_inplace ||
+		    ctx->outpages < ctx->inpages ||
 		    omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize))
 			goto docopy;
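Review bot: the added `ctx->outpages < ctx->inpages ||` condition carries no comment, and from the code alone it reads like a tuning heuristic rather than a bounds guard. A short comment above the `if` saying that such extents only come from corrupted images and must take the `docopy` path would stop it being removed in a later cleanup. The commit message notes that the non-inplace path then reports the corruption; if the filesystem relies on that report, the comment should say so.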
 



* [PATCH 7.0 281/378] memory: atmel-ebi: Allow deferred probing
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (279 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 280/378] memcg: use round-robin victim selection in refill_stock Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 282/378] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Alexander Dahl,
	Krzysztof Kozlowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Dahl <ada@thorsis.com>

commit 754d60ad1c91895be0bc7d771fbf9fb3c9448640 upstream.

After removing of_platform_default_populate() calls the atmel-ebi driver
was affected by deferred probing.  platform_driver_probe() is
incompatible with deferred probing.  This led to atmel-ebi driver
eventually not being probed on at91 sam9x60-curiosity and other sam9x60
based boards.  Subsequently the nand-controller driver (nand-controller
being a child node of ebi) on that platform was not probed and thus raw
NAND flash was inaccessible, preventing devices from booting with rootfs on
raw NAND flash (e.g. with UBI/UBIFS).

Fixes: 0b0f7e6539a7 ("ARM: at91: remove unnecessary of_platform_default_populate calls")
Cc: stable@vger.kernel.org
Suggested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Link: https://patch.msgid.link/20260429125930.844790-1-ada@thorsis.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/memory/atmel-ebi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/memory/atmel-ebi.c b/drivers/memory/atmel-ebi.c
index 8db970da9af9..1e8e8aba2542 100644
--- a/drivers/memory/atmel-ebi.c
+++ b/drivers/memory/atmel-ebi.c
@@ -628,10 +628,11 @@ static __maybe_unused int atmel_ebi_resume(struct device *dev)
 static SIMPLE_DEV_PM_OPS(atmel_ebi_pm_ops, NULL, atmel_ebi_resume);
 
 static struct platform_driver atmel_ebi_driver = {
+	.probe = atmel_ebi_probe,
 	.driver = {
 		.name = "atmel-ebi",
 		.of_match_table	= atmel_ebi_id_table,
 		.pm = &atmel_ebi_pm_ops,
 	},
 };
-builtin_platform_driver_probe(atmel_ebi_driver, atmel_ebi_probe);
+builtin_platform_driver(atmel_ebi_driver);
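Review bot: with `.probe = atmel_ebi_probe` set and registration switched to `builtin_platform_driver()`, the probe routine can now be called after init memory has been released, but its definition is outside this hunk. If `atmel_ebi_probe()` or anything it calls is annotated `__init`, that annotation has to be dropped in the same patch; `builtin_platform_driver_probe()` permitted it, plain registration does not. The diffstat shows only these three changed lines, so please confirm the function was never `__init`.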
-- 
2.54.0




* [PATCH 6.1 365/522] ceph: only d_add() negative dentries when they are unhashed
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (363 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 364/522] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 366/522] printk: add print_hex_dump_devel() Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
	Ilya Dryomov, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Kellermann <max.kellermann@ionos.com>

[ Upstream commit 803447f93d75ab6e40c85e6d12b5630d281d70d6 ]

Ceph can call d_add(dentry, NULL) on a negative dentry that is already
present in the primary dcache hash.

In the current VFS that is not safe.  d_add() goes through __d_add()
to __d_rehash(), which unconditionally reinserts dentry->d_hash into
the hlist_bl bucket.  If the dentry is already hashed, reinserting the
same node can corrupt the bucket, including creating a self-loop.
Once that happens, __d_lookup() can spin forever in the hlist_bl walk,
typically looping only on the d_name.hash mismatch check and
eventually triggering RCU stall reports like this one:

 rcu: INFO: rcu_sched self-detected stall on CPU
 rcu:         87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829
 rcu:         (t=2101 jiffies g=79058445 q=698988 ncpus=192)
 CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE
 Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023
 RIP: 0010:__d_lookup+0x46/0xb0
 Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f
 RSP: 0018:ff745a70c8253898 EFLAGS: 00000282
 RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966
 RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0
 RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89
 R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0
 R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f
 FS:  00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  lookup_fast+0x9f/0x100
  walk_component+0x1f/0x150
  link_path_walk+0x20e/0x3d0
  path_lookupat+0x68/0x180
  filename_lookup+0xdc/0x1e0
  vfs_statx+0x6c/0x140
  vfs_fstatat+0x67/0xa0
  __do_sys_newfstatat+0x24/0x60
  do_syscall_64+0x6a/0x230
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

This is reachable with reused cached negative dentries.  A Ceph lookup
or atomic_open can be handed a negative dentry that is already hashed,
and fs/ceph/dir.c then hits one of two paths that incorrectly assume
"negative" also means "unhashed":

  - ceph_finish_lookup():
      MDS reply is -ENOENT with no trace
      -> d_add(dentry, NULL)

  - ceph_lookup():
      local ENOENT fast path for a complete directory with shared caps
      -> d_add(dentry, NULL)

Both paths can therefore re-add an already-hashed negative dentry.

Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only
calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)
is true.

Fix both fs/ceph/dir.c sites the same way: only call d_add() for a
negative dentry when it is actually unhashed.  If the negative dentry
is already hashed, leave it in place and reuse it as-is.

This preserves the existing behavior for unhashed dentries while
avoiding d_hash list corruption for reused hashed negatives.

Cc: stable@vger.kernel.org
Fixes: 2817b000b02c ("ceph: directory operations")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
[ kept existing dout() debug call instead of upstream's doutc() form when adding the d_unhashed() guard around d_add() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ceph/dir.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -721,7 +721,8 @@ struct dentry *ceph_finish_lookup(struct
 				d_drop(dentry);
 				err = -ENOENT;
 			} else {
-				d_add(dentry, NULL);
+				if (d_unhashed(dentry))
+					d_add(dentry, NULL);
 			}
 		}
 	}
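Review bot: in `ceph_finish_lookup()` the new test sits alone inside an `else { }` block, which can be folded to `} else if (d_unhashed(dentry)) {` with `d_add(dentry, NULL);` as its body. That drops a nesting level and makes it obvious that the branch does nothing for an already hashed negative dentry.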
@@ -777,7 +778,8 @@ static struct dentry *ceph_lookup(struct
 			__ceph_touch_fmode(ci, mdsc, CEPH_FILE_MODE_RD);
 			spin_unlock(&ci->i_ceph_lock);
 			dout(" dir %p complete, -ENOENT\n", dir);
-			d_add(dentry, NULL);
+			if (d_unhashed(dentry))
+				d_add(dentry, NULL);
 			di->lease_shared_gen = atomic_read(&ci->i_shared_gen);
 			return NULL;
 		}
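Review bot: the `if (d_unhashed(dentry))` guard in `ceph_lookup()` is the second copy of the same two lines, and neither copy has a comment explaining why an already hashed negative dentry is left alone. A small static helper used by both sites, with one sentence on the double-insert hazard described in the commit message, would keep the two paths from diverging. Note also that `di->lease_shared_gen` is still updated when `d_add()` is skipped; a word on whether that is intended for the reused dentry would help.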



* [PATCH 7.0 282/378] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (280 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 281/378] memory: atmel-ebi: Allow deferred probing Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 283/378] misc: fastrpc: fix use-after-free race in fastrpc_map_create Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Anandu Krishnan E,
	Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>

commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream.

There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:

 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
    to strip the SID bits from the stored IOVA before passing the
    physical address to dma_free_coherent().

 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
    reconstruct the source permission bitmask needed for the
    qcom_scm_assign_mem() call that returns memory from the DSP VM
    back to HLOS.

 3. fastrpc_free_map() acquires map->fl->lock to safely remove the
    map node from the fl->maps list.

The resulting use-after-free manifests as:

  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_free+0xa8/0x1b0 [fastrpc]
  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
  process_one_work+0x180/0x450
  worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |   75 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 23 deletions(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -310,6 +310,8 @@ struct fastrpc_user {
 	spinlock_t lock;
 	/* lock for allocations */
 	struct mutex mutex;
+	/* Reference count */
+	struct kref refcount;
 };
 
 /* Extract SMMU PA from consolidated IOVA */
@@ -497,15 +499,57 @@ static void fastrpc_channel_ctx_put(stru
 	kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
 }
 
+static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
+
+static void fastrpc_user_free(struct kref *ref)
+{
+	struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
+	struct fastrpc_invoke_ctx *ctx, *n;
+	struct fastrpc_map *map, *m;
+	struct fastrpc_buf *buf, *b;
+
+	if (fl->init_mem)
+		fastrpc_buf_free(fl->init_mem);
+
+	list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+		list_del(&ctx->node);
+		fastrpc_context_put(ctx);
+	}
+
+	list_for_each_entry_safe(map, m, &fl->maps, node)
+		fastrpc_map_put(map);
+
+	list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+		list_del(&buf->node);
+		fastrpc_buf_free(buf);
+	}
+
+	fastrpc_channel_ctx_put(fl->cctx);
+	mutex_destroy(&fl->mutex);
+	kfree(fl);
+}
+
+static void fastrpc_user_get(struct fastrpc_user *fl)
+{
+	kref_get(&fl->refcount);
+}
+
+static void fastrpc_user_put(struct fastrpc_user *fl)
+{
+	kref_put(&fl->refcount, fastrpc_user_free);
+}
+
 static void fastrpc_context_free(struct kref *ref)
 {
 	struct fastrpc_invoke_ctx *ctx;
 	struct fastrpc_channel_ctx *cctx;
+	struct fastrpc_user *fl;
 	unsigned long flags;
 	int i;
 
 	ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount);
 	cctx = ctx->cctx;
+	fl = ctx->fl;
 
 	for (i = 0; i < ctx->nbufs; i++)
 		fastrpc_map_put(ctx->maps[i]);
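Review bot: the `list_for_each_entry_safe(ctx, n, &fl->pending, node)` loop in `fastrpc_user_free()` looks either unreachable or unsafe as written. Every context takes a user reference in `fastrpc_context_alloc()` and drops it only in `fastrpc_context_free()`, so the user refcount cannot reach zero while a context exists; if a context were still on `fl->pending` here, `fastrpc_context_put(ctx)` could end in `fastrpc_user_put(fl)` on an object that is already being released. Please say which path now drops contexts that are still pending when the file is closed, since `fastrpc_device_release()` no longer does it, and either remove this loop or document why the list can be non-empty.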
@@ -521,6 +565,8 @@ static void fastrpc_context_free(struct
 	kfree(ctx->olaps);
 	kfree(ctx);
 
+	/* Release the reference taken in fastrpc_context_alloc() */
+	fastrpc_user_put(fl);
 	fastrpc_channel_ctx_put(cctx);
 }
 
@@ -628,6 +674,8 @@ static struct fastrpc_invoke_ctx *fastrp
 
 	/* Released in fastrpc_context_put() */
 	fastrpc_channel_ctx_get(cctx);
+	/* Take a reference to user, released in fastrpc_context_free() */
+	fastrpc_user_get(user);
 
 	ctx->sc = sc;
 	ctx->retval = -1;
@@ -658,6 +706,7 @@ err_idr:
 	spin_lock(&user->lock);
 	list_del(&ctx->node);
 	spin_unlock(&user->lock);
+	fastrpc_user_put(user);
 	fastrpc_channel_ctx_put(cctx);
 	kfree(ctx->maps);
 	kfree(ctx->olaps);
@@ -1579,9 +1628,6 @@ static int fastrpc_device_release(struct
 {
 	struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
 	struct fastrpc_channel_ctx *cctx = fl->cctx;
-	struct fastrpc_invoke_ctx *ctx, *n;
-	struct fastrpc_map *map, *m;
-	struct fastrpc_buf *buf, *b;
 	unsigned long flags;
 
 	fastrpc_release_current_dsp_process(fl);
@@ -1590,28 +1636,10 @@ static int fastrpc_device_release(struct
 	list_del(&fl->user);
 	spin_unlock_irqrestore(&cctx->lock, flags);
 
-	if (fl->init_mem)
-		fastrpc_buf_free(fl->init_mem);
-
-	list_for_each_entry_safe(ctx, n, &fl->pending, node) {
-		list_del(&ctx->node);
-		fastrpc_context_put(ctx);
-	}
-
-	list_for_each_entry_safe(map, m, &fl->maps, node)
-		fastrpc_map_put(map);
-
-	list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
-		list_del(&buf->node);
-		fastrpc_buf_free(buf);
-	}
-
 	fastrpc_session_free(cctx, fl->sctx);
-	fastrpc_channel_ctx_put(cctx);
-
-	mutex_destroy(&fl->mutex);
-	kfree(fl);
 	file->private_data = NULL;
+	/* Release the reference taken in fastrpc_device_open */
+	fastrpc_user_put(fl);
 
 	return 0;
 }
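Review bot: `fastrpc_session_free(cctx, fl->sctx);` still runs at file close, while the buffer, map and mmap teardown has moved to `fastrpc_user_free()` and may now run later from the workqueue. If any of `fastrpc_buf_free()`, `fastrpc_map_put()` or `fastrpc_context_free()` reaches through `fl->sctx`, it will see a session that has already been handed back. Either move the session release into the kref callback as well, or add a comment stating that the deferred teardown never touches it.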
@@ -1655,6 +1683,7 @@ static int fastrpc_device_open(struct in
 	spin_lock_irqsave(&cctx->lock, flags);
 	list_add_tail(&fl->user, &cctx->users);
 	spin_unlock_irqrestore(&cctx->lock, flags);
+	kref_init(&fl->refcount);
 
 	return 0;
 }
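Review bot: `kref_init(&fl->refcount);` is placed after `list_add_tail(&fl->user, &cctx->users)` and the unlock, so the user is visible on `cctx->users` before its refcount is initialised. Initialise the kref together with the other `fl` fields, before the object is published under `cctx->lock`.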



* [PATCH 6.1 366/522] printk: add print_hex_dump_devel()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (364 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 365/522] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 367/522] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Herbert Xu, Thorsten Blum,
	John Ogness, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit d134feeb5df33fbf77f482f52a366a44642dba09 ]

Add print_hex_dump_devel() as the hex dump equivalent of pr_devel(),
which emits output only when DEBUG is enabled, but keeps call sites
compiled otherwise.

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 177730a273b1 ("crypto: caam - guard HMAC key hex dumps in hash_digest_key")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/printk.h |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -747,6 +747,19 @@ static inline void print_hex_dump_debug(
 }
 #endif
 
+#if defined(DEBUG)
+#define print_hex_dump_devel(prefix_str, prefix_type, rowsize,		\
+			     groupsize, buf, len, ascii)		\
+	print_hex_dump(KERN_DEBUG, prefix_str, prefix_type, rowsize,	\
+		       groupsize, buf, len, ascii)
+#else
+static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
+					int rowsize, int groupsize,
+					const void *buf, size_t len, bool ascii)
+{
+}
+#endif
+
 /**
  * print_hex_dump_bytes - shorthand form of print_hex_dump_debug() with default
  *                        params
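Review bot: `print_hex_dump_devel()` is added without a kernel-doc comment, while the neighbouring `print_hex_dump_bytes()` has one. What matters to callers is that it is compiled out unless `DEBUG` is defined and, because it expands to plain `print_hex_dump()`, cannot be switched on through dynamic debug; that belongs in a comment above the `#if defined(DEBUG)` block. The comment should also say that a `DEBUG` build still prints the buffer at `KERN_DEBUG`, so the helper limits exposure rather than removing it.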



* [PATCH 7.0 283/378] misc: fastrpc: fix use-after-free race in fastrpc_map_create
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (281 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 282/378] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 284/378] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

commit 07ebe87915d8accdaba20c4f88c5ae430fe62fbb upstream.

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.

Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")
Cc: stable@vger.kernel.org
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |   25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -388,7 +388,7 @@ static int fastrpc_map_get(struct fastrp
 
 
 static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
-			    struct fastrpc_map **ppmap)
+			    struct fastrpc_map **ppmap, bool take_ref)
 {
 	struct fastrpc_map *map = NULL;
 	struct dma_buf *buf;
@@ -403,6 +403,12 @@ static int fastrpc_map_lookup(struct fas
 		if (map->fd != fd || map->buf != buf)
 			continue;
 
+		if (take_ref) {
+			ret = fastrpc_map_get(map);
+			if (ret)
+				break;
+		}
+
 		*ppmap = map;
 		ret = 0;
 		break;
@@ -920,19 +926,10 @@ get_err:
 static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
 			      u64 len, u32 attr, struct fastrpc_map **ppmap)
 {
-	struct fastrpc_session_ctx *sess = fl->sctx;
-	int err = 0;
+	if (!fastrpc_map_lookup(fl, fd, ppmap, true))
+		return 0;
 
-	if (!fastrpc_map_lookup(fl, fd, ppmap)) {
-		if (!fastrpc_map_get(*ppmap))
-			return 0;
-		dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
-			__func__, fd);
-	}
-
-	err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
-
-	return err;
+	return fastrpc_map_attach(fl, fd, len, attr, ppmap);
 }
 
 /*
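Review bot: `fastrpc_map_create()` now treats every non-zero return from `fastrpc_map_lookup(fl, fd, ppmap, true)` as "not found" and goes on to `fastrpc_map_attach()`, including the case where a matching map was found but `fastrpc_map_get()` failed inside the lookup. The removed `dev_dbg()` at least made that case visible. Consider keeping a debug message in the `take_ref` branch of the lookup, or returning a distinct error so the caller can tell the two cases apart.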
@@ -1202,7 +1199,7 @@ cleanup_fdlist:
 	for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
 		if (!fdlist[i])
 			break;
-		if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
+		if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
 			fastrpc_map_put(mmap);
 	}
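Review bot: the cleanup loop calls `fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)` and then `fastrpc_map_put(mmap)` on the returned pointer, which is the pattern the commit message identifies as racy: the pointer is used after `fl->lock` has been dropped and no reference was taken under it. Please explain why a concurrent unmap cannot free `mmap` in that window at this call site, or restructure it so the put happens with a reference held.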
 



* [PATCH 6.1 367/522] crypto: caam - guard HMAC key hex dumps in hash_digest_key
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (365 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 366/522] printk: add print_hex_dump_devel() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 368/522] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit 177730a273b18e195263ed953853273e901b5064 ]

Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in
hash_digest_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.

Fixes: 045e36780f11 ("crypto: caam - ahash hmac support")
Fixes: 3f16f6c9d632 ("crypto: caam/qi2 - add support for ahash algorithms")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/caam/caamalg_qi2.c |    4 ++--
 drivers/crypto/caam/caamhash.c    |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/caam/caamalg_qi2.c
+++ b/drivers/crypto/caam/caamalg_qi2.c
@@ -3264,7 +3264,7 @@ static int hash_digest_key(struct caam_h
 	dpaa2_fl_set_addr(out_fle, key_dma);
 	dpaa2_fl_set_len(out_fle, digestsize);
 
-	print_hex_dump_debug("key_in@" __stringify(__LINE__)": ",
+	print_hex_dump_devel("key_in@" __stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
 	print_hex_dump_debug("shdesc@" __stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
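Review bot: the `shdesc@` dump directly below the changed `key_in@` line stays on `print_hex_dump_debug()`, so it can still be enabled at runtime. Please confirm that the descriptor holds only addresses and lengths at this point and no inline key bytes; if it can carry key material, it needs the same `print_hex_dump_devel()` treatment. The same question applies to the `jobdesc@` dump in caamhash.c.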
@@ -3284,7 +3284,7 @@ static int hash_digest_key(struct caam_h
 		/* in progress */
 		wait_for_completion(&result.completion);
 		ret = result.err;
-		print_hex_dump_debug("digested key@" __stringify(__LINE__)": ",
+		print_hex_dump_devel("digested key@" __stringify(__LINE__)": ",
 				     DUMP_PREFIX_ADDRESS, 16, 4, key,
 				     digestsize, 1);
 	}
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -390,7 +390,7 @@ static int hash_digest_key(struct caam_h
 	append_seq_store(desc, digestsize, LDST_CLASS_2_CCB |
 			 LDST_SRCDST_BYTE_CONTEXT);
 
-	print_hex_dump_debug("key_in@"__stringify(__LINE__)": ",
+	print_hex_dump_devel("key_in@"__stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
 	print_hex_dump_debug("jobdesc@"__stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
@@ -405,7 +405,7 @@ static int hash_digest_key(struct caam_h
 		wait_for_completion(&result.completion);
 		ret = result.err;
 
-		print_hex_dump_debug("digested key@"__stringify(__LINE__)": ",
+		print_hex_dump_devel("digested key@"__stringify(__LINE__)": ",
 				     DUMP_PREFIX_ADDRESS, 16, 4, key,
 				     digestsize, 1);
 	}



* [PATCH 7.0 284/378] misc: fastrpc: fix DMA address corruption due to find_vma misuse
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (282 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 283/378] misc: fastrpc: fix use-after-free race in fastrpc_map_create Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 285/378] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Dmitry Baryshkov, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream.

fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.

Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.

Cc: stable@vger.kernel.org
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1087,7 +1087,7 @@ static int fastrpc_get_args(u32 kernel,
 			pages[i].addr = ctx->maps[i]->dma_addr;
 
 			mmap_read_lock(current->mm);
-			vma = find_vma(current->mm, ctx->args[i].ptr);
+			vma = vma_lookup(current->mm, ctx->args[i].ptr);
 			if (vma)
 				pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
 						 vma->vm_start;
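
Review bot: With vma_lookup(), a pointer that lies outside every VMA now takes the false branch of "if (vma)", and pages[i].addr goes to the DSP as the bare ctx->maps[i]->dma_addr with no offset and no error. That removes the underflow, but the request still proceeds with an address that does not correspond to args[i].ptr. Consider failing the call (for example -EFAULT, after dropping mmap_read_lock) when the lookup returns NULL, or add a comment stating why the unadjusted address is acceptable here.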



^ permalink raw reply	[flat|nested] 906+ messages in thread
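
Added example, not part of the patch or of the fastrpc driver: a user-space C model of the two lookup semantics the commit message above contrasts, showing how the offset arithmetic from the hunk wraps when the pointer sits in a gap below the returned VMA. The VMA layout, the DMA base value and the model_* and dma_addr_for names are constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE UINT64_C(4096)
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* Simplified stand-in for the kernel's struct vm_area_struct. */
struct vma {
	uint64_t vm_start;
	uint64_t vm_end;	/* exclusive */
};

/* Constructed address space: two mappings with an unmapped gap between. */
static const struct vma vmas[] = {
	{ UINT64_C(0x10000), UINT64_C(0x12000) },
	{ UINT64_C(0x20000), UINT64_C(0x24000) },
};
#define NVMAS (sizeof(vmas) / sizeof(vmas[0]))

/* find_vma() semantics: first VMA with addr < vm_end.
 * The result may start ABOVE addr when addr is in a gap. */
static const struct vma *model_find_vma(uint64_t addr)
{
	for (size_t i = 0; i < NVMAS; i++)
		if (addr < vmas[i].vm_end)
			return &vmas[i];
	return NULL;
}

/* vma_lookup() semantics: only a VMA that actually contains addr. */
static const struct vma *model_vma_lookup(uint64_t addr)
{
	const struct vma *v = model_find_vma(addr);

	if (v && addr < v->vm_start)
		return NULL;
	return v;
}

/* The offset computation from the hunk, on u64 values as in the driver. */
static uint64_t dma_addr_for(uint64_t base, uint64_t ptr, bool use_lookup)
{
	const struct vma *v = use_lookup ? model_vma_lookup(ptr)
					 : model_find_vma(ptr);
	uint64_t addr = base;

	if (v)
		addr += (ptr & PAGE_MASK) - v->vm_start; /* wraps if ptr < vm_start */
	return addr;
}

int main(void)
{
	const uint64_t base = UINT64_C(0x80000000);	/* constructed DMA base */
	const uint64_t ptrs[] = {
		UINT64_C(0x21010),	/* inside the second VMA */
		UINT64_C(0x18000),	/* in the gap between the VMAs */
		UINT64_C(0x30000),	/* above every VMA */
	};

	for (size_t i = 0; i < sizeof(ptrs) / sizeof(ptrs[0]); i++)
		printf("ptr=0x%" PRIx64 " find_vma=0x%" PRIx64
		       " vma_lookup=0x%" PRIx64 "\n", ptrs[i],
		       dma_addr_for(base, ptrs[i], false),
		       dma_addr_for(base, ptrs[i], true));
	return 0;
}
```

For the pointer in the gap, the find_vma model yields an address below the mapping's DMA base, while the vma_lookup model leaves the base untouched.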

* [PATCH 6.1 368/522] net: stmmac: avoid shadowing global buf_sz
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (366 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 367/522] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 369/522] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King (Oracle), Furong Xu,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>

[ Upstream commit 876cfb20e8892143c0c967b3657074f9131f9b5f ]

stmmac_rx() declares a local variable named "buf_sz" but there is also
a global variable for a module parameter which is called the same. To
avoid confusion, rename the local variable.

Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Furong Xu <0x1207@gmail.com>
Link: https://patch.msgid.link/E1tpswi-005U6C-Py@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0bb05e6adfa9 ("net: stmmac: Prevent NULL deref when RX memory exhausted")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5235,10 +5235,10 @@ static int stmmac_rx(struct stmmac_priv
 	struct stmmac_xdp_buff ctx;
 	unsigned long flags;
 	int xdp_status = 0;
-	int buf_sz;
+	int bufsz;
 
 	dma_dir = page_pool_get_dma_dir(rx_q->page_pool);
-	buf_sz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
+	bufsz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
 	limit = min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit);
 
 	if (netif_msg_rx_status(priv)) {
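
Review bot: The new local name bufsz differs from the module parameter buf_sz by a single underscore, so the two are still easy to confuse when reading or grepping stmmac_rx(). A name that says what the value is (the page-rounded frame size later passed to xdp_init_buff()) would serve the stated goal of avoiding confusion better than dropping one character.
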
@@ -5353,7 +5353,7 @@ read_again:
 			dma_sync_single_for_cpu(priv->device, buf->addr,
 						buf1_len, dma_dir);
 
-			xdp_init_buff(&ctx.xdp, buf_sz, &rx_q->xdp_rxq);
+			xdp_init_buff(&ctx.xdp, bufsz, &rx_q->xdp_rxq);
 			xdp_prepare_buff(&ctx.xdp, page_address(buf->page),
 					 buf->page_offset, buf1_len, false);
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 285/378] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (283 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 284/378] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 286/378] firmware: samsung: acpm: Fix mailbox channel leak on probe error Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mukesh Ojha, Bjorn Andersson,
	Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>

commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream.

A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.

Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2457,7 +2457,6 @@ static int fastrpc_rpmsg_probe(struct rp
 
 	kref_init(&data->refcount);
 
-	dev_set_drvdata(&rpdev->dev, data);
 	rdev->dma_mask = &data->dma_mask;
 	dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
 	INIT_LIST_HEAD(&data->users);
@@ -2466,6 +2465,7 @@ static int fastrpc_rpmsg_probe(struct rp
 	idr_init(&data->ctx_idr);
 	data->domain_id = domain_id;
 	data->rpdev = rpdev;
+	dev_set_drvdata(&rpdev->dev, data);
 
 	err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
 	if (err)
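
Review bot: dev_set_drvdata() now follows the initialization, but it is a plain pointer store and nothing in this hunk orders the preceding writes (idr_init(), data->domain_id, data->rpdev) before it for a callback running on another CPU. The commit message relies on the structure being fully initialized before it becomes visible, so it would help to state what provides that ordering, or to publish the pointer with release semantics. The error path after of_platform_populate() is outside the hunk; worth confirming it clears drvdata before data is released, since the callback treats any non-NULL pointer as usable.
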
@@ -2539,6 +2539,9 @@ static int fastrpc_rpmsg_callback(struct
 	if (len < sizeof(*rsp))
 		return -EINVAL;
 
+	if (!cctx)
+		return -ENODEV;
+
 	ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
 
 	spin_lock_irqsave(&cctx->lock, flags);
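
Review bot: The new !cctx check returns -ENODEV with no message, so a DSP response that arrives in the probe window described in the commit message is dropped without any trace. A rate-limited dev_dbg() or dev_warn() on that path would make such drops diagnosable, and a short comment above the check should say which window it guards so it is not later removed as dead code.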



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 369/522] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (367 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 368/522] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 370/522] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>

[ Upstream commit 6b4286e0550814cdc4b897f881ec1fa8b0313227 ]

STMMAC_GET_ENTRY() doesn't describe what this macro is doing - it is
incrementing the provided index for the circular array of descriptors.
Replace "GET" with "NEXT" as this better describes the action here.

Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/E1w2vba-0000000DbWo-1oL5@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0bb05e6adfa9 ("net: stmmac: Prevent NULL deref when RX memory exhausted")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/chain_mode.c  |    2 -
 drivers/net/ethernet/stmicro/stmmac/common.h      |    2 -
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c   |    2 -
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   26 +++++++++++-----------
 4 files changed, 16 insertions(+), 16 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
@@ -47,7 +47,7 @@ static int jumbo_frm(struct stmmac_tx_qu
 
 	while (len != 0) {
 		tx_q->tx_skbuff[entry] = NULL;
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 		desc = tx_q->dma_tx + entry;
 
 		if (len > bmax) {
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -53,7 +53,7 @@
 #define DMA_MIN_RX_SIZE		64
 #define DMA_MAX_RX_SIZE		1024
 #define DMA_DEFAULT_RX_SIZE	512
-#define STMMAC_GET_ENTRY(x, size)	((x + 1) & (size - 1))
+#define STMMAC_NEXT_ENTRY(x, size)	((x + 1) & (size - 1))
 
 #undef FRAME_FILTER_DEBUG
 /* #define FRAME_FILTER_DEBUG */
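
Review bot: Since the macro line is being rewritten anyway, its arguments should be parenthesized: ((x + 1) & (size - 1)) mis-evaluates if a caller ever passes an expression with lower precedence than + or -. The mask form is also only correct when size is a power of two, which nothing on this line documents; a one-line comment stating that requirement would fit the rename's goal of making the macro self-describing.
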
--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
@@ -51,7 +51,7 @@ static int jumbo_frm(struct stmmac_tx_qu
 		stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum,
 				STMMAC_RING_MODE, 0, false, skb->len);
 		tx_q->tx_skbuff[entry] = NULL;
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 
 		if (priv->extend_desc)
 			desc = (struct dma_desc *)(tx_q->dma_etx + entry);
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2503,7 +2503,7 @@ static bool stmmac_xdp_xmit_zc(struct st
 
 		stmmac_enable_dma_transmission(priv, priv->ioaddr);
 
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 		entry = tx_q->cur_tx;
 	}
 	flags = u64_stats_update_begin_irqsave(&txq_stats->syncp);
@@ -2660,7 +2660,7 @@ static int stmmac_tx_clean(struct stmmac
 
 		stmmac_release_tx_desc(priv, p, priv->mode);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	}
 	tx_q->dirty_tx = entry;
 
@@ -3976,7 +3976,7 @@ static bool stmmac_vlan_insert(struct st
 		return false;
 
 	stmmac_set_tx_owner(priv, p);
-	tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+	tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 	return true;
 }
 
@@ -4004,7 +4004,7 @@ static void stmmac_tso_allocator(struct
 	while (tmp_len > 0) {
 		dma_addr_t curr_addr;
 
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx,
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx,
 						priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[tx_q->cur_tx]);
 
@@ -4137,7 +4137,7 @@ static netdev_tx_t stmmac_tso_xmit(struc
 
 		stmmac_set_mss(priv, mss_desc, mss);
 		tx_q->mss = mss;
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx,
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx,
 						priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[tx_q->cur_tx]);
 	}
@@ -4262,7 +4262,7 @@ static netdev_tx_t stmmac_tso_xmit(struc
 	 * ndo_start_xmit will fill this descriptor the next time it's
 	 * called and stmmac_tx_clean may clean up to this descriptor.
 	 */
-	tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+	tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 
 	if (unlikely(stmmac_tx_avail(priv, queue) <= (MAX_SKB_FRAGS + 1))) {
 		netif_dbg(priv, hw, priv->dev, "%s: stop transmitted packets\n",
@@ -4420,7 +4420,7 @@ static netdev_tx_t stmmac_xmit(struct sk
 		int len = skb_frag_size(frag);
 		bool last_segment = (i == (nfrags - 1));
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[entry]);
 
 		if (likely(priv->extend_desc))
@@ -4490,7 +4490,7 @@ static netdev_tx_t stmmac_xmit(struct sk
 	 * ndo_start_xmit will fill this descriptor the next time it's
 	 * called and stmmac_tx_clean may clean up to this descriptor.
 	 */
-	entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+	entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	tx_q->cur_tx = entry;
 
 	if (netif_msg_pktdata(priv)) {
@@ -4660,7 +4660,7 @@ static inline void stmmac_rx_refill(stru
 		dma_wmb();
 		stmmac_set_rx_owner(priv, p, use_rx_wd);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_rx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_rx_size);
 	}
 	rx_q->dirty_rx = entry;
 	rx_q->rx_tail_addr = rx_q->dma_rx_phy +
@@ -4787,7 +4787,7 @@ static int stmmac_xdp_xmit_xdpf(struct s
 
 	stmmac_enable_dma_transmission(priv, priv->ioaddr);
 
-	entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+	entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	tx_q->cur_tx = entry;
 
 	return STMMAC_XDP_TX;
@@ -5018,7 +5018,7 @@ static bool stmmac_rx_refill_zc(struct s
 		dma_wmb();
 		stmmac_set_rx_owner(priv, rx_desc, use_rx_wd);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_rx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_rx_size);
 	}
 
 	if (rx_desc) {
@@ -5103,7 +5103,7 @@ read_again:
 			break;
 
 		/* Prefetch the next RX descriptor */
-		rx_q->cur_rx = STMMAC_GET_ENTRY(rx_q->cur_rx,
+		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
 						priv->dma_conf.dma_rx_size);
 		next_entry = rx_q->cur_rx;
 
@@ -5295,7 +5295,7 @@ read_again:
 		if (unlikely(status & dma_own))
 			break;
 
-		rx_q->cur_rx = STMMAC_GET_ENTRY(rx_q->cur_rx,
+		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
 						priv->dma_conf.dma_rx_size);
 		next_entry = rx_q->cur_rx;
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 286/378] firmware: samsung: acpm: Fix mailbox channel leak on probe error
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (284 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 285/378] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 287/378] net/mlx5: Reorder completion before putting command entry in cmd_work_handler Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Krzysztof Kozlowski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

commit b66829b17f6385cc9ffbcbe2476d532d2e3121ad upstream.

Sashiko identified the leak at [1].

The ACPM driver allocates hardware mailbox channels using
`mbox_request_channel()` during `acpm_channels_init()`. However, the
driver lacked a `.remove` callback and did not free these channels on
subsequent error paths inside `acpm_probe()`.

Additionally, if `acpm_achan_alloc_cmds()` failed during the channel
initialization loop, the function returned immediately, bypassing the
manual cleanup and permanently leaking any channels successfully
requested in previous loop iterations.

Fix this by modifying `acpm_free_mbox_chans()` to match the `devres`
action signature and registering it via `devm_add_action_or_reset()`.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260505-acpm-fixes-sashiko-reports-v5-2-43b5ee7f1674@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/samsung/exynos-acpm.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/firmware/samsung/exynos-acpm.c
+++ b/drivers/firmware/samsung/exynos-acpm.c
@@ -526,10 +526,11 @@ static int acpm_achan_alloc_cmds(struct
 
 /**
  * acpm_free_mbox_chans() - free mailbox channels.
- * @acpm:	pointer to driver data.
+ * @data:	pointer to driver data.
  */
-static void acpm_free_mbox_chans(struct acpm_info *acpm)
+static void acpm_free_mbox_chans(void *data)
 {
+	struct acpm_info *acpm = data;
 	int i;
 
 	for (i = 0; i < acpm->num_chans; i++)
@@ -557,6 +558,10 @@ static int acpm_channels_init(struct acp
 	if (!acpm->chans)
 		return -ENOMEM;
 
+	ret = devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm);
+	if (ret)
+		return dev_err_probe(dev, ret, "Failed to add mbox free action.\n");
+
 	chans_shmem = acpm->sram_base + readl(&shmem->chans);
 
 	for (i = 0; i < acpm->num_chans; i++) {
@@ -578,10 +583,8 @@ static int acpm_channels_init(struct acp
 		cl->dev = dev;
 
 		achan->chan = mbox_request_channel(cl, 0);
-		if (IS_ERR(achan->chan)) {
-			acpm_free_mbox_chans(acpm);
+		if (IS_ERR(achan->chan))
 			return PTR_ERR(achan->chan);
-		}
 	}
 
 	return 0;
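
Review bot: After this change a failed mbox_request_channel() leaves an ERR_PTR in achan->chan and returns, and the devres action then walks all acpm->num_chans entries, including that one and every later entry that was never requested. The loop body of acpm_free_mbox_chans() is not part of this diff; please confirm it skips both NULL and IS_ERR() channel pointers, or reset achan->chan to NULL before returning PTR_ERR() here.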



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 370/522] net: stmmac: Prevent NULL deref when RX memory exhausted
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (368 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 369/522] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 371/522] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King, Sam Edwards,
	Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Edwards <cfsworks@gmail.com>

[ Upstream commit 0bb05e6adfa99a2ea1fee1125cc0953409f83ed8 ]

The CPU receives frames from the MAC through conventional DMA: the CPU
allocates buffers for the MAC, then the MAC fills them and returns
ownership to the CPU. For each hardware RX queue, the CPU and MAC
coordinate through a shared ring array of DMA descriptors: one
descriptor per DMA buffer. Each descriptor includes the buffer's
physical address and a status flag ("OWN") indicating which side owns
the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set
the flag and the MAC is only allowed to clear it, and both must move
through the ring in sequence: thus the ring is used for both
"submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring
with the `cur_rx` index. The main receive loop in that function checks
for rx_descs[cur_rx].own=0, gives the corresponding buffer to the
network stack (NULLing the pointer), and increments `cur_rx` modulo the
ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its
position with `dirty_rx`, allocates fresh buffers and rearms the
descriptors (setting OWN=1). If it fails any allocation, it simply stops
early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):
- `empty` (OWN=1, buffer valid)
- `full` (OWN=0, buffer valid and populated)
- `dirty` (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In
the past (see 'Fixes:'), there was a bug where the loop could cycle
`cur_rx` all the way back to the first descriptor it dirtied, resulting
in a NULL dereference when mistaken for `full`. The aforementioned
commit resolved that *specific* failure by capping the loop's iteration
limit at `dma_rx_size - 1`, but this is only a partial fix: if the
previous stmmac_rx_refill() didn't complete, then there are leftover
`dirty` descriptors that the loop might encounter without needing to
cycle fully around. The current code therefore panics (see 'Closes:')
when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to
catch up to `dirty_rx`.

Fix this by explicitly checking, before advancing `cur_rx`, if the next
entry is dirty; exit the loop if so. This prevents processing of the
final, used descriptor until stmmac_rx_refill() succeeds, but
fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix
intended: so remove the clamp as well. Since stmmac_rx_zc() is a
copy-paste-and-tweak of stmmac_rx() and the code structure is identical,
any fix to stmmac_rx() will also need a corresponding fix for
stmmac_rx_zc(). Therefore, apply the same check there.

In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the
MAC sets OWN=0 on the final descriptor, it will be unable to send any
further DMA-complete IRQs until it's given more `empty` descriptors.
Currently, the driver simply *hopes* that the next stmmac_rx_refill()
succeeds, risking an indefinite stall of the receive process if not. But
this is not a regression, so it can be addressed in a future change.

Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010
Cc: stable@vger.kernel.org
Suggested-by: Russell King <linux@armlinux.org.uk>
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Link: https://patch.msgid.link/20260422044503.5349-1-CFSworks@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5103,9 +5103,12 @@ read_again:
 			break;
 
 		/* Prefetch the next RX descriptor */
-		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
-						priv->dma_conf.dma_rx_size);
-		next_entry = rx_q->cur_rx;
+		next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
+					       priv->dma_conf.dma_rx_size);
+		if (unlikely(next_entry == rx_q->dirty_rx))
+			break;
+
+		rx_q->cur_rx = next_entry;
 
 		if (priv->extend_desc)
 			np = (struct dma_desc *)(rx_q->dma_erx + next_entry);
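
Review bot: The existing comment "Prefetch the next RX descriptor" now sits above the new dirty_rx check rather than above the prefetch, and the check itself has no comment. Move the prefetch comment down to the np assignment and add a short one on the break explaining that next_entry == dirty_rx means the following descriptor has not been refilled yet, since that invariant is only spelled out in the commit message.
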
@@ -5239,7 +5242,6 @@ static int stmmac_rx(struct stmmac_priv
 
 	dma_dir = page_pool_get_dma_dir(rx_q->page_pool);
 	bufsz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
-	limit = min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit);
 
 	if (netif_msg_rx_status(priv)) {
 		void *rx_head;
@@ -5295,9 +5297,12 @@ read_again:
 		if (unlikely(status & dma_own))
 			break;
 
-		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
-						priv->dma_conf.dma_rx_size);
-		next_entry = rx_q->cur_rx;
+		next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
+					       priv->dma_conf.dma_rx_size);
+		if (unlikely(next_entry == rx_q->dirty_rx))
+			break;
+
+		rx_q->cur_rx = next_entry;
 
 		if (priv->extend_desc)
 			np = (struct dma_desc *)(rx_q->dma_erx + next_entry);
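
Review bot: This is the same six-line sequence added to stmmac_rx_zc() above, and the commit message notes the two functions must be kept in step. A small helper that returns the next entry or signals "would reach dirty_rx" would keep them from diverging again. The commit message also describes a remaining stall when the final descriptor is left unprocessed and the next refill fails; a comment at this break pointing at that known limitation would help whoever picks up the follow-up.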



^ permalink raw reply	[flat|nested] 906+ messages in thread
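
Added example, not part of the patch or of the stmmac driver: a user-space C model of the RX ring lifecycle described in the commit message above (empty, full, dirty), run once with the old clamp-only loop and once with the next_entry == dirty_rx check. The ring size of 4, the struct and function names, and the scenario (one refill that fails, then one that succeeds) are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define RING_SIZE 4u	/* power of two, as the index mask requires */
#define NEXT_ENTRY(x, size) (((x) + 1) & ((size) - 1))

struct desc {
	bool own;	/* true: MAC owns it, false: CPU owns it */
	bool has_buf;	/* false models a NULL buffer pointer */
};

struct rxq {
	struct desc d[RING_SIZE];
	unsigned int cur_rx, dirty_rx, mac_pos;
	int delivered;	/* frames handed to the stack */
	int null_hits;	/* dirty descriptors mistaken for full ones */
};

static void ring_init(struct rxq *q)
{
	for (unsigned int i = 0; i < RING_SIZE; i++)
		q->d[i] = (struct desc){ .own = true, .has_buf = true };
	q->cur_rx = q->dirty_rx = q->mac_pos = 0;
	q->delivered = q->null_hits = 0;
}

/* MAC side: fill every descriptor it owns, in ring order, clearing OWN. */
static void mac_receive(struct rxq *q)
{
	while (q->d[q->mac_pos].own) {
		q->d[q->mac_pos].own = false;
		q->mac_pos = NEXT_ENTRY(q->mac_pos, RING_SIZE);
	}
}

/* Refill from dirty_rx up to cur_rx; stop early if allocation fails. */
static void rx_refill(struct rxq *q, bool alloc_ok)
{
	while (q->dirty_rx != q->cur_rx && alloc_ok) {
		q->d[q->dirty_rx] = (struct desc){ .own = true, .has_buf = true };
		q->dirty_rx = NEXT_ENTRY(q->dirty_rx, RING_SIZE);
	}
}

/* Receive loop: patched=false keeps the old clamp, patched=true uses the
 * dirty_rx check instead. */
static void rx_poll(struct rxq *q, unsigned int limit, bool patched)
{
	unsigned int count = 0;

	if (!patched && limit > RING_SIZE - 1)
		limit = RING_SIZE - 1;		/* clamp removed by the patch */

	while (count < limit) {
		unsigned int entry = q->cur_rx;
		unsigned int next;

		if (q->d[entry].own)
			break;
		next = NEXT_ENTRY(q->cur_rx, RING_SIZE);
		if (patched && next == q->dirty_rx)
			break;			/* next descriptor not refilled */
		q->cur_rx = next;

		if (!q->d[entry].has_buf) {	/* the kernel would oops here */
			q->null_hits++;
			return;
		}
		q->d[entry].has_buf = false;	/* buffer handed to the stack */
		q->delivered++;
		count++;
	}
}

static struct rxq simulate(bool patched)
{
	struct rxq q;

	ring_init(&q);
	mac_receive(&q);		/* MAC fills the whole ring */
	rx_poll(&q, 64, patched);
	rx_refill(&q, false);		/* memory-starved: nothing rearmed */
	rx_poll(&q, 64, patched);
	if (q.null_hits)
		return q;
	rx_refill(&q, true);		/* memory is back */
	rx_poll(&q, 64, patched);
	return q;
}

int main(void)
{
	struct rxq a = simulate(false), b = simulate(true);

	printf("old loop: delivered=%d null_hits=%d\n", a.delivered, a.null_hits);
	printf("patched:  delivered=%d null_hits=%d\n", b.delivered, b.null_hits);
	return 0;
}
```

In the patched run the last full descriptor is held back until the refill succeeds, which is the behaviour the commit message describes.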

* [PATCH 7.0 287/378] net/mlx5: Reorder completion before putting command entry in cmd_work_handler
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (285 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 286/378] firmware: samsung: acpm: Fix mailbox channel leak on probe error Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 288/378] net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Kuratov, Md Haris Iqbal,
	Moshe Shemesh, Tariq Toukan, Paolo Abeni

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Kuratov <kniv@yandex-team.ru>

commit 02896a7fa4cd3ec61d60ba30136841e4f04bdeac upstream.

Assuming callback != NULL && !page_queue, cmd_work_handler takes
command entry with refcnt == 1 from mlx5_cmd_invoke.
If either semaphore timeout or index allocation error happens,
it does final cmd_ent_put(ent). To avoid access to freed memory,
notify slotted completion before cmd_ent_put.

This is a theoretical issue found by the Svace static analyser.

Cc: stable@vger.kernel.org
Fixes: 485d65e135712 ("net/mlx5: Add a timeout to acquire the command queue semaphore")
Fixes: 0e2909c6bec90 ("net/mlx5: Fix variable not being completed when function returns")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Acked-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260526162932.501584-1-kniv@yandex-team.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -1001,12 +1001,13 @@ static void cmd_work_handler(struct work
 				ent->callback(-EBUSY, ent->context);
 				mlx5_free_cmd_msg(dev, ent->out);
 				free_msg(dev, ent->in);
+				complete(&ent->slotted);
 				cmd_ent_put(ent);
 			} else {
 				ent->ret = -EBUSY;
 				complete(&ent->done);
+				complete(&ent->slotted);
 			}
-			complete(&ent->slotted);
 			return;
 		}
 		alloc_ret = cmd_alloc_index(cmd, ent);
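
Review bot: In the else branch, complete(&ent->slotted) is now placed after complete(&ent->done), so ent is still touched after the waiter on done has been woken. If that waiter can drop the last reference to ent, this is the same access-after-release pattern the patch removes from the callback branch. Either complete slotted before done here as well, or say in the commit message why ent is guaranteed to outlive this call in the non-callback case.
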
@@ -1016,13 +1017,14 @@ static void cmd_work_handler(struct work
 				ent->callback(-EAGAIN, ent->context);
 				mlx5_free_cmd_msg(dev, ent->out);
 				free_msg(dev, ent->in);
+				complete(&ent->slotted);
 				cmd_ent_put(ent);
 			} else {
 				ent->ret = -EAGAIN;
 				complete(&ent->done);
+				complete(&ent->slotted);
 			}
 			up(&cmd->vars.sem);
-			complete(&ent->slotted);
 			return;
 		}
 	} else {



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 371/522] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (369 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 370/522] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 372/522] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
	David Carlier, Steven Rostedt (Google), Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

[ Upstream commit fad217e16fded7f3c09f8637b0f6a224d58b5f2e ]

When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()
invokes the subsystem's ext->regfunc() before attempting to install the
new probe via func_add(). If func_add() then fails (for example, when
allocate_probes() cannot allocate a new probe array under memory pressure
and returns -ENOMEM), the function returns the error without calling the
matching ext->unregfunc(), leaving the side effects of regfunc() behind
with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscall_regfunc()
bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.
After a leaked failure, the refcount is stuck at a non-zero value with no
consumer, and every task continues paying the syscall trace entry/exit
overhead until reboot. Other subsystems providing regfunc()/unregfunc()
pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the
func_add() error path, gated on the same condition used there so the
unwind is symmetric with the registration.

Fixes: 8cf868affdc4 ("tracing: Have the reg function allow to fail")
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260413190601.21993-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
[ changed `tp->ext->unregfunc` to `tp->unregfunc` to match older struct layout ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/tracepoint.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -337,6 +337,8 @@ static int tracepoint_add_func(struct tr
 			lockdep_is_held(&tracepoints_mutex));
 	old = func_add(&tp_funcs, func, prio);
 	if (IS_ERR(old)) {
+		if (tp->unregfunc && !static_key_enabled(&tp->key))
+			tp->unregfunc();
 		WARN_ON_ONCE(warn && PTR_ERR(old) != -ENOMEM);
 		return PTR_ERR(old);
 	}
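
Review bot: The unwind is keyed on !static_key_enabled(&tp->key) rather than on whether the register function was actually called earlier in this invocation, and that call site is outside the hunk. Recording the fact in a local flag where the register function is invoked, and testing that flag here, would keep the two sides paired even if the registration condition changes later. A one-line comment noting that this mirrors the 1 -> 0 removal path would also help, since that rationale is only in the commit message.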



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 288/378] net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (286 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 287/378] net/mlx5: Reorder completion before putting command entry in cmd_work_handler Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 289/378] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, ZhaoJinming, Lorenzo Bianconi,
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ZhaoJinming <zhaojinming@uniontech.com>

commit f9f25118faa4dd2b6e3d14a03d123bbdbd59925d upstream.

of_reserved_mem_lookup() may return NULL if the reserved memory region
referenced by the "memory-region" phandle is not found in the reserved
memory table (e.g. due to a misconfigured DTS or a removed
memory-region node).  The current code dereferences the returned
pointer without checking for NULL, leading to a kernel NULL pointer
dereference at the following lines:

    dma_addr = rmem->base;                          // line 1156
    num_desc = div_u64(rmem->size, buf_size);       // line 1160

Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if
the lookup fails, which is consistent with the existing error handling
for of_parse_phandle() failure in the same code block.

Fixes: 3a1ce9e3d01b ("net: airoha: Add the capability to allocate hwfd buffers via reserved-memory")
Cc: stable@vger.kernel.org
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/airoha/airoha_eth.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1153,6 +1153,9 @@ static int airoha_qdma_init_hfwd_queues(
 
 		rmem = of_reserved_mem_lookup(np);
 		of_node_put(np);
+		if (!rmem)
+			return -ENODEV;
+
 		dma_addr = rmem->base;
 		/* Compute the number of hw descriptors according to the
 		 * reserved memory size and the payload buffer size
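Review bot: The added "if (!rmem) return -ENODEV;" fails without any log message, so a board with a missing or misnamed memory-region node gets a bare probe error. Since the commit message names a misconfigured DTS as the expected cause, consider an error print here that identifies the failed reserved-memory lookup. The placement after of_node_put(np) is right: the early return does not leak the node reference.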




* [PATCH 6.1 372/522] wifi: mac80211: remove station if connection prep fails
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (370 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 371/522] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 373/522] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Miriam Rachel Korenblit,
	Johannes Berg, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 ]

If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.

Cc: stable@vger.kernel.org
Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ used sta_info_destroy_addr() instead of __sta_info_destroy() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/mlme.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -6586,7 +6586,7 @@ static int ieee80211_prep_connection(str
 	struct ieee80211_bss *bss = (void *)cbss->priv;
 	struct sta_info *new_sta = NULL;
 	struct ieee80211_link_data *link;
-	bool have_sta = false;
+	struct sta_info *have_sta = NULL;
 	bool mlo;
 	int err;
 
@@ -6751,6 +6751,8 @@ static int ieee80211_prep_connection(str
 
 out_err:
 	ieee80211_link_release_channel(&sdata->deflink);
+	if (mlo && have_sta)
+		WARN_ON(sta_info_destroy_addr(sdata, ap_mld_addr));
 	ieee80211_vif_set_links(sdata, 0);
 	return err;
 }
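Review bot: At out_err, WARN_ON(sta_info_destroy_addr(sdata, ap_mld_addr)) turns a failed station removal on an error path into a kernel warning, which becomes a panic on systems running with panic_on_warn; a plain error print may be enough unless a failure here really indicates a bug. have_sta is also only tested for truth in this backport (the removal goes by address), so it could have stayed a bool, and the name now reads oddly for a struct sta_info pointer. The placement before ieee80211_vif_set_links(sdata, 0) is what the fix depends on and deserves a short comment.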




* [PATCH 7.0 289/378] net: bonding: fix NULL pointer dereference in bond_do_ioctl()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (287 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 288/378] net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 290/378] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, ZhaoJinming, Paolo Abeni

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ZhaoJinming <zhaojinming@uniontech.com>

commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.

In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:

    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
    slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
    if (!slave_dev)
        return -ENODEV;

The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.

This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.

Fix by moving the slave_dbg() call after the NULL check.

Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4623,11 +4623,11 @@ static int bond_do_ioctl(struct net_devi
 
 	slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
 
-	slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
-
 	if (!slave_dev)
 		return -ENODEV;
 
+	slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+
 	switch (cmd) {
 	case SIOCBONDENSLAVE:
 		res = bond_enslave(bond_dev, slave_dev, NULL);
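Review bot: With slave_dbg() moved below the "if (!slave_dev)" check, the "slave_dev=%p" argument can never be NULL, so the message no longer records a failed lookup, which was the only case where printing the pointer was informative. Consider dropping the pointer from the message, or logging the requested name from ifr->ifr_slave on the -ENODEV path instead, so that a lookup failure stays visible in debug output.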




* [PATCH 6.1 373/522] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (371 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 372/522] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 374/522] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Arend van Spriel,
	Johannes Berg, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit c623b63580880cc742255eaed3d79804c1b91143 ]

Watchdog task might end between send_sig() and kthread_stop() calls, which
results in the use-after-free issue. Fix this by increasing watchdog task
reference count before calling send_sig() and dropping it by switching to
kthread_stop_put().

Cc: stable@vger.kernel.org
Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything")
Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ replaced kthread_stop_put() with open-coded kthread_stop() + put_task_struct() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -2477,8 +2477,10 @@ static void brcmf_sdio_bus_stop(struct d
 	brcmf_dbg(TRACE, "Enter\n");
 
 	if (bus->watchdog_tsk) {
+		get_task_struct(bus->watchdog_tsk);
 		send_sig(SIGTERM, bus->watchdog_tsk, 1);
 		kthread_stop(bus->watchdog_tsk);
+		put_task_struct(bus->watchdog_tsk);
 		bus->watchdog_tsk = NULL;
 	}
 
@@ -4549,8 +4551,10 @@ void brcmf_sdio_remove(struct brcmf_sdio
 	if (bus) {
 		/* Stop watchdog task */
 		if (bus->watchdog_tsk) {
+			get_task_struct(bus->watchdog_tsk);
 			send_sig(SIGTERM, bus->watchdog_tsk, 1);
 			kthread_stop(bus->watchdog_tsk);
+			put_task_struct(bus->watchdog_tsk);
 			bus->watchdog_tsk = NULL;
 		}
 
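Review bot: The get_task_struct() / send_sig() / kthread_stop() / put_task_struct() sequence is now open-coded identically in brcmf_sdio_bus_stop() and here in brcmf_sdio_remove(); a small helper taking the bus would keep the two copies from drifting, which matters because the ordering is the whole fix. In both places bus->watchdog_tsk is re-read for each call, so reading it once into a local before get_task_struct() would also make it obvious that the reference is taken and dropped on the same task.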




* [PATCH 7.0 290/378] net: mv643xx: fix OF node refcount
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (288 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 289/378] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 291/378] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.

Platform devices created with platform_device_alloc() call
platform_device_release() when the last reference to the device's
kobject is dropped. This function calls of_node_put() unconditionally.
This works fine for devices created with platform_device_register_full()
but users of the split approach (platform_device_alloc() +
platform_device_add()) must bump the reference of the of_node they
assign manually. Add the missing call to of_node_get().

Cc: stable@vger.kernel.org
Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/mv643xx_eth.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -2780,7 +2780,7 @@ static int mv643xx_eth_shared_of_add_por
 		goto put_err;
 	}
 	ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
-	ppdev->dev.of_node = pnp;
+	ppdev->dev.of_node = of_node_get(pnp);
 
 	ret = platform_device_add_resources(ppdev, &res, 1);
 	if (ret)
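Review bot: The reference taken by of_node_get(pnp) is only dropped by platform_device_release(), so every failure after this assignment, starting with the "if (ret)" that follows platform_device_add_resources(), has to end in platform_device_put(ppdev) rather than a bare return. The "goto put_err" above the changed line suggests that is the case, but the label is outside the hunk and worth checking. A short comment at the assignment saying that the release callback consumes this reference would stop the of_node_get() from being removed as redundant later.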




* [PATCH 6.1 374/522] usb: dwc3: Move GUID programming after PHY initialization
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (372 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 373/522] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 375/522] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Pritam Manohar Sutar,
	Selvarasu Ganesan, Thinh Nguyen, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Selvarasu Ganesan <selvarasu.g@samsung.com>

[ Upstream commit aad35f9c926ec220b0742af1ada45666ae667956 ]

The Linux Version Code is currently written to the GUID register before
PHY initialization. Certain PHY implementations (such as Synopsys eUSB
PHY performing link_sw_reset) clear the GUID register to its default
value during initialization, causing the kernel version information to
be lost.

Move the GUID register programming to occur after PHY initialization
completes to ensure the Linux version information persists.

Fixes: fa0ea13e9f1c ("usb: dwc3: core: write LINUX_VERSION_CODE to our GUID register")
Cc: stable <stable@kernel.org>
Reported-by: Pritam Manohar Sutar <pritam.sutar@samsung.com>
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260417063314.2359-1-selvarasu.g@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ adapted dwc3_writel(dwc, ...) to dwc3_writel(dwc->regs, ...) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/core.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -1239,12 +1239,6 @@ static int dwc3_core_init(struct dwc3 *d
 
 	hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
 
-	/*
-	 * Write Linux Version Code to our GUID register so it's easy to figure
-	 * out which kernel version a bug was found.
-	 */
-	dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE);
-
 	ret = dwc3_phy_setup(dwc);
 	if (ret)
 		goto err0;
@@ -1284,6 +1278,12 @@ static int dwc3_core_init(struct dwc3 *d
 	if (ret)
 		goto err1;
 
+	/*
+	 * Write Linux Version Code to our GUID register so it's easy to figure
+	 * out which kernel version a bug was found.
+	 */
+	dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE);
+
 	dwc3_core_setup_global_control(dwc);
 	dwc3_core_num_eps(dwc);
 
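Review bot: The comment that moved with the dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE) call still only says why the register is written, not why it is written at this point. Add a sentence that PHY initialization can reset DWC3_GUID to its default value, so the write must stay after it; otherwise nothing in the code stops a later cleanup from moving it back to the top of dwc3_core_init(). Note also that the register now keeps its default value whenever init fails at one of the earlier "goto err0" or "goto err1" exits.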




* [PATCH 7.0 291/378] net: phonet: free phonet_device after RCU grace period
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (289 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 290/378] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 292/378] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Santosh Kalluri,
	Rémi Denis-Courmont, Simon Horman, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Santosh Kalluri <santosh.kalluri129@gmail.com>

commit 71de0177b28da751f407581a4515cf4d762f6296 upstream.

phonet_device_destroy() removes a phonet_device from the per-net device
list with list_del_rcu(), but frees it immediately. RCU readers walking
the same list can still hold a pointer to the object after it has been
removed, leading to a slab-use-after-free.

Use kfree_rcu(), matching the lifetime rule already used by
phonet_address_del() for the same object type.

Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
Cc: stable@vger.kernel.org
Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/phonet/pn_dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -108,7 +108,7 @@ static void phonet_device_destroy(struct
 		for_each_set_bit(addr, pnd->addrs, 64)
 			phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
 
-		kfree(pnd);
+		kfree_rcu(pnd, rcu);
 	}
 }
 
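Review bot: kfree_rcu(pnd, rcu) depends on struct phonet_device having an rcu_head member named rcu, which this hunk does not show; the commit message says phonet_address_del() already frees the same type this way, so confirm that holds in the 7.0 tree being patched. A one-line comment that RCU readers may still hold pnd after list removal would keep this from being changed back to kfree().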




* [PATCH 6.1 375/522] net: ipv4: stop checking crypto_ahash_alignmask
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (373 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 374/522] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 376/522] net: ipv6: " Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit e77f5dd701381cef35b9ea8b6dea6e62c8a7f9f3 ]

Now that the alignmask for ahash and shash algorithms is always 0,
crypto_ahash_alignmask() always returns 0 and will be removed.  In
preparation for this, stop checking crypto_ahash_alignmask() in ah4.c.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: ec54093e6a8f ("xfrm: ah: account for ESN high bits in async callbacks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |   17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -27,9 +27,7 @@ static void *ah_alloc_tmp(struct crypto_
 {
 	unsigned int len;
 
-	len = size + crypto_ahash_digestsize(ahash) +
-	      (crypto_ahash_alignmask(ahash) &
-	       ~(crypto_tfm_ctx_alignment() - 1));
+	len = size + crypto_ahash_digestsize(ahash);
 
 	len = ALIGN(len, crypto_tfm_ctx_alignment());
 
@@ -46,10 +44,9 @@ static inline u8 *ah_tmp_auth(void *tmp,
 	return tmp + offset;
 }
 
-static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
-			     unsigned int offset)
+static inline u8 *ah_tmp_icv(void *tmp, unsigned int offset)
 {
-	return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
+	return tmp + offset;
 }
 
 static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
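Review bot: Dropping PTR_ALIGN() from ah_tmp_icv() is only safe if crypto_ahash_alignmask() really is 0 for every ahash in this tree. The commit message takes that from the upstream crypto changes, and this is a 6.1 backport pulled in as a Stable-dep-of, so the premise should be confirmed for 6.1 before the alignment here and the matching padding in ah_alloc_tmp() are removed. If it does not hold, the ICV pointer handed to the hash request can end up less aligned than the algorithm asked for.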
@@ -129,7 +126,7 @@ static void ah_output_done(struct crypto
 	int ihl = ip_hdrlen(skb);
 
 	iph = AH_SKB_CB(skb)->tmp;
-	icv = ah_tmp_icv(ahp->ahash, iph, ihl);
+	icv = ah_tmp_icv(iph, ihl);
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 
 	top_iph->tos = iph->tos;
@@ -182,7 +179,7 @@ static int ah_output(struct xfrm_state *
 	if (!iph)
 		goto out;
 	seqhi = (__be32 *)((char *)iph + ihl);
-	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;
@@ -279,7 +276,7 @@ static void ah_input_done(struct crypto_
 
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, ihl);
-	icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
+	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
@@ -374,7 +371,7 @@ static int ah_input(struct xfrm_state *x
 
 	seqhi = (__be32 *)((char *)work_iph + ihl);
 	auth_data = ah_tmp_auth(seqhi, seqhi_len);
-	icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
+	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;




* [PATCH 7.0 292/378] net: rds: clear i_sends on setup unwind
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (290 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 291/378] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 293/378] net: sfp: initialize i2c_block_size at adapter configure time Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Allison Henderson, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.

The RDS IB connection teardown path is written so it can run during
partial startup and on repeated shutdown attempts. It uses NULL
pointers to distinguish resources that are still owned from resources
that have already been released.

When rds_ib_setup_qp() fails after allocating i_sends but before
allocating i_recvs, the sends_out path frees i_sends without clearing
the pointer. A later shutdown pass can still treat that stale pointer
as a live send ring allocation.

Clear i_sends after vfree() in the error unwind path so the existing
shutdown logic continues to use the correct ownership state.

Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/ib_cm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
 
 sends_out:
 	vfree(ic->i_sends);
+	ic->i_sends = NULL;
 
 ack_dma_out:
 	rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
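Review bot: The same stale-pointer reasoning applies to the ack header freed directly below at ack_dma_out: rds_dma_hdr_free() is called on ic->i_ack and ic->i_ack_dma, and nothing visible here resets them afterwards. Since the commit message says the shutdown path uses NULL to decide what is still owned, confirm that those fields are either cleared as well or not consulted by a later shutdown pass.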




* [PATCH 6.1 376/522] net: ipv6: stop checking crypto_ahash_alignmask
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (374 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 375/522] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 377/522] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit 0a6bfaa0e695facb072f2fedfb55df37c4483b50 ]

Now that the alignmask for ahash and shash algorithms is always 0,
crypto_ahash_alignmask() always returns 0 and will be removed.  In
preparation for this, stop checking crypto_ahash_alignmask() in ah6.c.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: ec54093e6a8f ("xfrm: ah: account for ESN high bits in async callbacks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ah6.c |   17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -79,9 +79,7 @@ static void *ah_alloc_tmp(struct crypto_
 {
 	unsigned int len;
 
-	len = size + crypto_ahash_digestsize(ahash) +
-	      (crypto_ahash_alignmask(ahash) &
-	       ~(crypto_tfm_ctx_alignment() - 1));
+	len = size + crypto_ahash_digestsize(ahash);
 
 	len = ALIGN(len, crypto_tfm_ctx_alignment());
 
@@ -103,10 +101,9 @@ static inline u8 *ah_tmp_auth(u8 *tmp, u
 	return tmp + offset;
 }
 
-static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
-			     unsigned int offset)
+static inline u8 *ah_tmp_icv(void *tmp, unsigned int offset)
 {
-	return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
+	return tmp + offset;
 }
 
 static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
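Review bot: After this change ah_tmp_icv() has the same body as ah_tmp_auth() just above it ("return tmp + offset;"), differing only in taking void * where ah_tmp_auth() takes u8 *. Keeping both is fine for a minimal backport, but the helper now relies on void * arithmetic and an implicit conversion to u8 *, so either express it in terms of ah_tmp_auth() with a cast or add a comment saying why the two remain separate.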
@@ -327,7 +324,7 @@ static void ah6_output_done(struct crypt
 
 	iph_base = AH_SKB_CB(skb)->tmp;
 	iph_ext = ah_tmp_ext(iph_base);
-	icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen);
+	icv = ah_tmp_icv(iph_ext, extlen);
 
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 	memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
@@ -384,7 +381,7 @@ static int ah6_output(struct xfrm_state
 
 	iph_ext = ah_tmp_ext(iph_base);
 	seqhi = (__be32 *)((char *)iph_ext + extlen);
-	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;
@@ -480,7 +477,7 @@ static void ah6_input_done(struct crypto
 
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, hdr_len);
-	icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
+	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
@@ -588,7 +585,7 @@ static int ah6_input(struct xfrm_state *
 
 	auth_data = ah_tmp_auth((u8 *)work_iph, hdr_len);
 	seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
-	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;




* [PATCH 7.0 293/378] net: sfp: initialize i2c_block_size at adapter configure time
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (291 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 292/378] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 294/378] nvmem: core: fix use-after-free bugs in error paths Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jonas Jelonek, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jonas Jelonek <jelonek.jonas@gmail.com>

commit 56d0885514491e5ed8f7593400879ab77c52504c upstream.

sfp->i2c_block_size is only assigned in sfp_sm_mod_probe(), which runs
from the state machine timer after SFP_F_PRESENT has been set. Between
those two points, sfp_module_eeprom() (the ethtool -m callback) gates
only on SFP_F_PRESENT and can be entered with i2c_block_size still at
its kzalloc'd value of 0.

On a pure-I2C adapter, sfp_i2c_read() then issues an i2c_transfer()
with msgs[1].len = 0 inside a loop that subtracts this_len from len
each iteration; on adapters that succeed a zero-length read the loop
never advances, spinning while holding rtnl_lock.

This was previously addressed by initializing i2c_block_size in
sfp_alloc() (commit 813c2dd78618), but the initialization was dropped
when i2c_block_size was split from i2c_max_block_size.

Initialize sfp->i2c_block_size from sfp->i2c_max_block_size in
sfp_i2c_configure(), so the field is valid as soon as the adapter is
known. sfp_sm_mod_probe() still reassigns it on each module insertion
to recover from a per-module clamp to 1 (sfp_id_needs_byte_io).

Fixes: 7662abf4db94 ("net: phy: sfp: Add support for SMBus module access")
Cc: stable@vger.kernel.org
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Link: https://patch.msgid.link/20260528205242.971410-2-jelonek.jonas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/sfp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -820,6 +820,7 @@ static int sfp_i2c_configure(struct sfp
 		return -EINVAL;
 	}
 
+	sfp->i2c_block_size = sfp->i2c_max_block_size;
 	return 0;
 }
 
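Review bot: Setting sfp->i2c_block_size at the end of sfp_i2c_configure() fixes the initialization order, but the read loop described in the commit message still has no guard of its own against a zero block size. A check in the I2C read path that rejects a zero length would keep a future regression of this initialization from turning into a spin under rtnl_lock again. A comment on the new line noting that sfp_sm_mod_probe() reassigns the field on each module insertion would also help.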




* [PATCH 6.1 377/522] xfrm: ah: account for ESN high bits in async callbacks
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (375 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 376/522] net: ipv6: " Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 378/522] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 ]

AH allocates its temporary auth/ICV layout differently when ESN is enabled:
the async ahash setup appends a 4-byte seqhi slot before the ICV or
auth_data area, but the async completion callbacks still reconstruct the
temporary layout as if seqhi were absent.

With an async AH implementation selected, that makes AH copy or compare
the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH
with ESN and forced async hmac(sha1), ping fails with 100% packet loss,
and the callback logs show the pre-fix drift:

  ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
  ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it
by skipping the ESN seqhi slot before locating the saved auth_data or ICV.
Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV
computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows
the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24
expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o
build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the
change has not been tested against a real async hardware AH engine.

Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part")
Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part")
Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part")
Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-4
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |   14 ++++++++++++--
 net/ipv6/ah6.c |   14 ++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -124,9 +124,14 @@ static void ah_output_done(struct crypto
 	struct iphdr *top_iph = ip_hdr(skb);
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int ihl = ip_hdrlen(skb);
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	iph = AH_SKB_CB(skb)->tmp;
-	icv = ah_tmp_icv(iph, ihl);
+	seqhi = (__be32 *)((char *)iph + ihl);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 
 	top_iph->tos = iph->tos;
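
Review bot: the ESN offset logic added to ah_output_done() (seqhi_len,
the (char *)iph + ihl cast, then ah_tmp_icv(seqhi, seqhi_len)) is
open-coded here and repeated in the three other callbacks of this
patch, which is the same setup/completion duplication that let the
offsets drift in the first place. Consider one small helper that takes
the xfrm state and the tmp base and returns the ICV pointer, shared by
the setup path and the callbacks.
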
@@ -270,12 +275,17 @@ static void ah_input_done(struct crypto_
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int ihl = ip_hdrlen(skb);
 	int ah_hlen = (ah->hdrlen + 2) << 2;
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	if (err)
 		goto out;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	work_iph = AH_SKB_CB(skb)->tmp;
-	auth_data = ah_tmp_auth(work_iph, ihl);
+	seqhi = (__be32 *)((char *)work_iph + ihl);
+	auth_data = ah_tmp_auth(seqhi, seqhi_len);
 	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
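
Review bot: in ah_input_done() the temporary layout is now work_iph,
then the seqhi slot, then auth_data, then the ICV, but nothing in the
code says so, and ah_tmp_auth(seqhi, seqhi_len) only reads correctly
once that order is known. Add a short layout comment above the pointer
setup. The ESN test sits after the "if (err) goto out;" check, which is
right, since the error path should not touch the buffer.
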
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -317,14 +317,19 @@ static void ah6_output_done(struct crypt
 	struct ipv6hdr *top_iph = ipv6_hdr(skb);
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	struct tmp_ext *iph_ext;
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
 	if (extlen)
 		extlen += sizeof(*iph_ext);
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	iph_base = AH_SKB_CB(skb)->tmp;
 	iph_ext = ah_tmp_ext(iph_base);
-	icv = ah_tmp_icv(iph_ext, extlen);
+	seqhi = (__be32 *)((char *)iph_ext + extlen);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 	memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
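
Review bot: the commit message says IPv6 AH+ESN was not exercised at
runtime, so this ah6_output_done() change is verified by inspection
only. extlen has already been bumped by sizeof(*iph_ext) when extension
headers are present, so please confirm against the setup path that
(char *)iph_ext + extlen is exactly where the seqhi slot was placed,
and get an IPv6 ESN run before this goes to stable.
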
@@ -471,13 +476,18 @@ static void ah6_input_done(struct crypto
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int hdr_len = skb_network_header_len(skb);
 	int ah_hlen = ipv6_authlen(ah);
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	if (err)
 		goto out;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, hdr_len);
-	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
+	seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
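
Review bot: ah6_input_done() places the seqhi slot after auth_data
(seqhi = auth_data + ahp->icv_trunc_len), while ah_input_done() in
ah4.c places it before auth_data (ah_tmp_auth(seqhi, seqhi_len)). If
that difference mirrors the two setup paths, it needs a comment in both
files saying so; if it does not, one of the two callbacks still
compares the wrong bytes and crypto_memneq() will report -EBADMSG for
valid packets.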




* [PATCH 7.0 294/378] nvmem: core: fix use-after-free bugs in error paths
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski,
	Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit 5b6b6fc491899d583eaa75344e094796ae9b530b upstream.

Fix several instances of error paths in which we call
__nvmem_device_put() - which may end up freeing the underlying memory
and other resources - and then keep on using the nvmem structure. Always
put the reference to the nvmem device as the last step before returning
the error code.

Cc: stable@vger.kernel.org
Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation")
Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204340.116743-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvmem/core.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -1468,18 +1468,16 @@ struct nvmem_cell *of_nvmem_cell_get(str
 	cell_entry = nvmem_find_cell_entry_by_node(nvmem, cell_np);
 	of_node_put(cell_np);
 	if (!cell_entry) {
-		__nvmem_device_put(nvmem);
 		nvmem_layout_module_put(nvmem);
-		if (nvmem->layout)
-			return ERR_PTR(-EPROBE_DEFER);
-		else
-			return ERR_PTR(-ENOENT);
+		ret = nvmem->layout ? -EPROBE_DEFER : -ENOENT;
+		__nvmem_device_put(nvmem);
+		return ERR_PTR(ret);
 	}
 
 	cell = nvmem_create_cell(cell_entry, id, cell_index);
 	if (IS_ERR(cell)) {
-		__nvmem_device_put(nvmem);
 		nvmem_layout_module_put(nvmem);
+		__nvmem_device_put(nvmem);
 	}
 
 	return cell;
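
Review bot: the !cell_entry branch now assigns ret, but no declaration
of ret is visible in this hunk, so check that of_nvmem_cell_get()
already has an int ret in scope on this stable branch. Both error
branches now end in the same nvmem_layout_module_put(nvmem) followed by
__nvmem_device_put(nvmem); a shared unwind label would keep that
ordering in one place.
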
@@ -1593,8 +1591,8 @@ void nvmem_cell_put(struct nvmem_cell *c
 		kfree_const(cell->id);
 
 	kfree(cell);
-	__nvmem_device_put(nvmem);
 	nvmem_layout_module_put(nvmem);
+	__nvmem_device_put(nvmem);
 }
 EXPORT_SYMBOL_GPL(nvmem_cell_put);
 
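
Review bot: in nvmem_cell_put() the fix depends entirely on
__nvmem_device_put(nvmem) being the last call, and nothing in the code
records that. Add a comment on that line saying it may free nvmem, so a
later cleanup does not move nvmem_layout_module_put(nvmem) back below
it.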




* [PATCH 6.1 378/522] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michal Kosiorek, Steffen Klassert,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kosiorek <mkosiorek121@gmail.com>

[ Upstream commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 ]

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reachable via the same code path on
torvalds/master and on the ipsec tree). Nine unique signatures cluster
in the xfrm_state lifecycle, the load-bearing one being:

  BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
  BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
  BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
  Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435

  Workqueue: netns cleanup_net
  Call Trace:
   __hlist_del / hlist_del_rcu
   __xfrm_state_delete
   xfrm_state_delete
   xfrm_state_flush
   xfrm_state_fini
   ops_exit_list
   cleanup_net

The other observed signatures hit the same slab object from
__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
write variant of __xfrm_state_delete, all on the byseq/byspi
hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with
value-based predicates:

	if (x->km.seq)
		hlist_del_rcu(&x->byseq);
	if (x->id.spi)
		hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input)
the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
into byspi, but a path that observes x->id.spi != 0 outside of
xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
with whether x is actually on the list. The same holds for x->km.seq
versus byseq, and the bydst/bysrc unhashes have no predicate at all,
so a second __xfrm_state_delete() on the same object writes through
LIST_POISON pprev.

The defensive change here:

  - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
    bysrc, byseq and byspi so a second deletion is a no-op rather
    than a write through LIST_POISON pprev. The byseq/byspi nodes
    are already initialised in xfrm_state_alloc().
  - Test hlist_unhashed() rather than the value predicate for
    byseq/byspi, so the unhash decision tracks list state rather than
    mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt,
and re-ran the same syzkaller harness for 1h16m on a previously-crashy
configuration that produced ~100 hits each of slab-use-after-free
Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
confirms the xfrm_state slab is actively allocated and freed during
the run (~143 KiB resident), so the fuzzer is still exercising those
code paths -- they just no longer crash.

Reproduction:

  - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
  - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
  - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
  - 9 unique signatures collected in ~9h, all within xfrm_state
    lifecycle

Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
Reported-by: Michal Kosiorek <mkosiorek121@gmail.com>
Tested-by: Michal Kosiorek <mkosiorek121@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michal Kosiorek <mkosiorek121@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[ dropped state_cache/state_cache_input unhash hunks and xfrm_nat_keepalive_state_updated() call ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_state.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -682,12 +682,12 @@ int __xfrm_state_delete(struct xfrm_stat
 		x->km.state = XFRM_STATE_DEAD;
 		spin_lock(&net->xfrm.xfrm_state_lock);
 		list_del(&x->km.all);
-		hlist_del_rcu(&x->bydst);
-		hlist_del_rcu(&x->bysrc);
-		if (x->km.seq)
-			hlist_del_rcu(&x->byseq);
-		if (x->id.spi)
-			hlist_del_rcu(&x->byspi);
+		hlist_del_init_rcu(&x->bydst);
+		hlist_del_init_rcu(&x->bysrc);
+		if (!hlist_unhashed(&x->byseq))
+			hlist_del_init_rcu(&x->byseq);
+		if (!hlist_unhashed(&x->byspi))
+			hlist_del_init_rcu(&x->byspi);
 		net->xfrm.state_num--;
 		spin_unlock(&net->xfrm.xfrm_state_lock);
 
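
Review bot: the four hlist removals are made idempotent, but
list_del(&x->km.all) and net->xfrm.state_num-- in the same locked
section are unchanged, so a second pass through this block would still
write through a poisoned list entry and undercount state_num. If a
second deletion is really reachable, those two need the same treatment
(list_del_init() plus a guard); if it is not, the changelog should say
so, and a WARN_ON_ONCE when bydst is already unhashed would keep the
defensive path from hiding the underlying double delete.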



^ permalink raw reply	[flat|nested] 906+ messages in thread
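
The double-delete and guard-mismatch cases described in the commit message above, as an added userspace model that is not part of the patch or of the kernel source. The names delete_old, delete_new, POISON_PPREV and the three scenario functions are hypothetical, and the list helpers are simplified copies of the kernel hlist logic without RCU.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model of the kernel hlist (no RCU, no WRITE_ONCE). */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Assumed stand-in for LIST_POISON2; compared against, never dereferenced. */
#define POISON_PPREV ((struct hlist_node **)0x122)

static bool hlist_unhashed(const struct hlist_node *n)
{
	return !n->pprev;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

static void unlink_node(struct hlist_node *n)
{
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
}

/* Constructed miniature of xfrm_state: one scalar key, one hash node. */
struct state { unsigned int spi; struct hlist_node byspi; };

enum outcome { SKIPPED, UNLINKED, WRITE_VIA_POISON, WRITE_VIA_NULL };
typedef enum outcome (*delete_fn)(struct state *);

/* Pre-patch shape: value predicate, then a poisoning delete.
 * Where the kernel would write through a bad pprev, the model reports it. */
static enum outcome delete_old(struct state *x)
{
	if (!x->spi)
		return SKIPPED;
	if (x->byspi.pprev == POISON_PPREV)
		return WRITE_VIA_POISON;
	if (!x->byspi.pprev)
		return WRITE_VIA_NULL;
	unlink_node(&x->byspi);
	x->byspi.pprev = POISON_PPREV;	/* what hlist_del_rcu() leaves behind */
	return UNLINKED;
}

/* Post-patch shape: list-state predicate, then a re-initialising delete. */
static enum outcome delete_new(struct state *x)
{
	if (hlist_unhashed(&x->byspi))
		return SKIPPED;
	unlink_node(&x->byspi);
	x->byspi.pprev = NULL;		/* hlist_del_init_rcu() resets pprev */
	return UNLINKED;
}

/* Same object deleted twice: result of the second call. */
static enum outcome double_delete(delete_fn del)
{
	struct hlist_head chain = { NULL };
	struct state x = { .spi = 7, .byspi = { NULL, NULL } };

	hlist_add_head(&x.byspi, &chain);
	del(&x);
	return del(&x);
}

/* Key already set, node never inserted: the "hit" half of skip-or-hit. */
static enum outcome spi_set_not_hashed(delete_fn del)
{
	struct state x = { .spi = 7, .byspi = { NULL, NULL } };

	return del(&x);
}

/* Node inserted, key reads as zero: the "skip" half. True means the node
 * is still on the chain after delete, i.e. dangling once x is freed. */
static bool left_on_chain_when_spi_zero(delete_fn del)
{
	struct hlist_head chain = { NULL };
	struct state x = { .spi = 0, .byspi = { NULL, NULL } };

	hlist_add_head(&x.byspi, &chain);
	del(&x);
	return chain.first == &x.byspi;
}

int main(void)
{
	printf("double delete:      old=%d new=%d\n",
	       double_delete(delete_old), double_delete(delete_new));
	printf("spi set, unhashed:  old=%d new=%d\n",
	       spi_set_not_hashed(delete_old), spi_set_not_hashed(delete_new));
	printf("left on chain:      old=%d new=%d\n",
	       left_on_chain_when_spi_zero(delete_old),
	       left_on_chain_when_spi_zero(delete_new));
	return 0;
}
```
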

* [PATCH 7.0 295/378] nvmem: layouts: onie-tlv: fix hang on unknown types
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stable, Andre Heider, Miquel Raynal,
	Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andre Heider <a.heider@gmail.com>

commit ea41020b9018e31c2ea7e9d89021e3e6d7470883 upstream.

The EEPROM on my board has a vendor specific entry of type 0x41. When
stumbling upon that, this driver hangs in an endless loop.

Fix it by continuing to increment the offset on unknown entries, so the
loop will eventually stop.

Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Andre Heider <a.heider@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204340.116743-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvmem/layouts/onie-tlv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/nvmem/layouts/onie-tlv.c
+++ b/drivers/nvmem/layouts/onie-tlv.c
@@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct dev
 
 		cell.name = onie_tlv_cell_name(tlv.type);
 		if (!cell.name)
-			continue;
+			goto next;
 
 		cell.offset = hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len);
 		cell.bytes = tlv.len;
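
Review bot: goto next at the !cell.name check fixes this one skip, but
the loop still advances offset only in its last statement, so any
continue added later brings the hang back. Moving
offset += sizeof(tlv) + tlv.len into a for-loop increment expression,
or inverting the test so the cell is added only when cell.name is set,
removes the need for the label. Since tlv.len comes from the EEPROM,
also confirm that the loop condition bounds offset against the device
size.
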
@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct dev
 			return ret;
 		}
 
+next:
 		offset += sizeof(tlv) + tlv.len;
 	}
 




* [PATCH 6.1 379/522] spi: synquacer: Convert to platform remove callback returning void
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 1972cdc47df737f5b90ac2132080004f5e413e91 ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230303172041.2103336-78-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 75d849c3452e ("spi: syncuacer: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-synquacer.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -735,7 +735,7 @@ put_spi:
 	return ret;
 }
 
-static int synquacer_spi_remove(struct platform_device *pdev)
+static void synquacer_spi_remove(struct platform_device *pdev)
 {
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct synquacer_spi *sspi = spi_master_get_devdata(master);
@@ -743,8 +743,6 @@ static int synquacer_spi_remove(struct p
 	pm_runtime_disable(sspi->dev);
 
 	clk_disable_unprepare(sspi->clk);
-
-	return 0;
 }
 
 static int __maybe_unused synquacer_spi_suspend(struct device *dev)
@@ -820,7 +818,7 @@ static struct platform_driver synquacer_
 		.acpi_match_table = ACPI_PTR(synquacer_hsspi_acpi_ids),
 	},
 	.probe = synquacer_spi_probe,
-	.remove = synquacer_spi_remove,
+	.remove_new = synquacer_spi_remove,
 };
 module_platform_driver(synquacer_spi_driver);
 
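
Review bot: .remove_new in the platform_driver initializer only builds
if struct platform_driver on 6.1.y already has that member, and the
void return type given to synquacer_spi_remove() in the first hunk
depends on it too. Confirm that the platform core change introducing
.remove_new is already in linux-6.1.y, since this patch is pulled in
only as a Stable-dep-of and always returned zero before.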




* [PATCH 7.0 296/378] octeontx2-af: fix memory leak in rvu_setup_hw_resources()
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dawei Feng, Zilin Guan, Paolo Abeni

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dawei Feng <dawei.feng@seu.edu.cn>

commit 09a5bf856aa759513afc4afd233d15bcc711b84e upstream.

If rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function
returns directly instead of jumping to the error handling path. This
causes a resource leak for the previously initialized CGX, NPC, fwdata,
and MSI-X states.

Fix this by replacing the direct return with goto cgx_err to ensure
proper cleanup.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc6.

An x86_64 allyesconfig build showed no new warnings. As we do not have
access to Marvell OcteonTX2 RVU AF hardware to test with, no runtime
testing was able to be performed.

Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM")
Cc: stable@vger.kernel.org
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
@@ -1135,7 +1135,7 @@ cpt:
 	err = rvu_npc_exact_init(rvu);
 	if (err) {
 		dev_err(rvu->dev, "failed to initialize exact match table\n");
-		return err;
+		goto cgx_err;
 	}
 
 	/* Assign MACs for CGX mapped functions */
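
Review bot: goto cgx_err replaces the bare return err after
rvu_npc_exact_init() fails, but the hunk does not show what cgx_err
unwinds, and the commit message says no runtime testing was possible.
Please confirm in the label chain that cgx_err releases everything set
up before this point (the message lists CGX, NPC, fwdata and MSI-X) and
that it does not tear down anything that is only initialised after this
call.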




* [PATCH 6.1 380/522] spi: synquacer: switch to use modern name
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 3524d1b727a66712f02f92807219a3650e5cf910 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-10-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 75d849c3452e ("spi: syncuacer: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-synquacer.c |   84 ++++++++++++++++++++++----------------------
 1 file changed, 42 insertions(+), 42 deletions(-)

--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -225,11 +225,11 @@ static int write_fifo(struct synquacer_s
 	return 0;
 }
 
-static int synquacer_spi_config(struct spi_master *master,
+static int synquacer_spi_config(struct spi_controller *host,
 				struct spi_device *spi,
 				struct spi_transfer *xfer)
 {
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	unsigned int speed, mode, bpw, cs, bus_width, transfer_mode;
 	u32 rate, val, div;
 
@@ -263,7 +263,7 @@ static int synquacer_spi_config(struct s
 	}
 
 	sspi->transfer_mode = transfer_mode;
-	rate = master->max_speed_hz;
+	rate = host->max_speed_hz;
 
 	div = DIV_ROUND_UP(rate, speed);
 	if (div > 254) {
@@ -350,11 +350,11 @@ static int synquacer_spi_config(struct s
 	return 0;
 }
 
-static int synquacer_spi_transfer_one(struct spi_master *master,
+static int synquacer_spi_transfer_one(struct spi_controller *host,
 				      struct spi_device *spi,
 				      struct spi_transfer *xfer)
 {
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 	int status = 0;
 	u32 words;
@@ -378,7 +378,7 @@ static int synquacer_spi_transfer_one(st
 	if (bpw == 8 && !(xfer->len % 4) && !(spi->mode & SPI_LSB_FIRST))
 		xfer->bits_per_word = 32;
 
-	ret = synquacer_spi_config(master, spi, xfer);
+	ret = synquacer_spi_config(host, spi, xfer);
 
 	/* restore */
 	xfer->bits_per_word = bpw;
@@ -482,7 +482,7 @@ static int synquacer_spi_transfer_one(st
 
 static void synquacer_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct synquacer_spi *sspi = spi_master_get_devdata(spi->master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	val = readl(sspi->regs + SYNQUACER_HSSPI_REG_DMSTART);
@@ -517,11 +517,11 @@ static int synquacer_spi_wait_status_upd
 	return -EBUSY;
 }
 
-static int synquacer_spi_enable(struct spi_master *master)
+static int synquacer_spi_enable(struct spi_controller *host)
 {
 	u32 val;
 	int status;
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
 	/* Disable module */
 	writel(0, sspi->regs + SYNQUACER_HSSPI_REG_MCTRL);
@@ -601,18 +601,18 @@ static irqreturn_t sq_spi_tx_handler(int
 static int synquacer_spi_probe(struct platform_device *pdev)
 {
 	struct device_node *np = pdev->dev.of_node;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct synquacer_spi *sspi;
 	int ret;
 	int rx_irq, tx_irq;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*sspi));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*sspi));
+	if (!host)
 		return -ENOMEM;
 
-	platform_set_drvdata(pdev, master);
+	platform_set_drvdata(pdev, host);
 
-	sspi = spi_master_get_devdata(master);
+	sspi = spi_controller_get_devdata(host);
 	sspi->dev = &pdev->dev;
 
 	init_completion(&sspi->transfer_done);
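
Review bot: synquacer_spi_probe() now calls spi_alloc_host() in place
of spi_alloc_master(), so this rename only builds on 6.1.y if that
helper exists there. Check that spi_alloc_host() is present in
linux-6.1.y or that an earlier patch in this series adds it, since the
changelog describes the patch as a pure rename and gives no backport
prerequisites.
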
@@ -625,7 +625,7 @@ static int synquacer_spi_probe(struct pl
 
 	sspi->clk_src_type = SYNQUACER_HSSPI_CLOCK_SRC_IHCLK; /* Default */
 	device_property_read_u32(&pdev->dev, "socionext,ihclk-rate",
-				 &master->max_speed_hz); /* for ACPI */
+				 &host->max_speed_hz); /* for ACPI */
 
 	if (dev_of_node(&pdev->dev)) {
 		if (device_property_match_string(&pdev->dev,
@@ -655,21 +655,21 @@ static int synquacer_spi_probe(struct pl
 			goto put_spi;
 		}
 
-		master->max_speed_hz = clk_get_rate(sspi->clk);
+		host->max_speed_hz = clk_get_rate(sspi->clk);
 	}
 
-	if (!master->max_speed_hz) {
+	if (!host->max_speed_hz) {
 		dev_err(&pdev->dev, "missing clock source\n");
 		ret = -EINVAL;
 		goto disable_clk;
 	}
-	master->min_speed_hz = master->max_speed_hz / 254;
+	host->min_speed_hz = host->max_speed_hz / 254;
 
 	sspi->aces = device_property_read_bool(&pdev->dev,
 					       "socionext,set-aces");
 	sspi->rtm = device_property_read_bool(&pdev->dev, "socionext,use-rtm");
 
-	master->num_chipselect = SYNQUACER_HSSPI_NUM_CHIP_SELECT;
+	host->num_chipselect = SYNQUACER_HSSPI_NUM_CHIP_SELECT;
 
 	rx_irq = platform_get_irq(pdev, 0);
 	if (rx_irq <= 0) {
@@ -699,27 +699,27 @@ static int synquacer_spi_probe(struct pl
 		goto disable_clk;
 	}
 
-	master->dev.of_node = np;
-	master->dev.fwnode = pdev->dev.fwnode;
-	master->auto_runtime_pm = true;
-	master->bus_num = pdev->id;
-
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_TX_DUAL | SPI_RX_DUAL |
-			    SPI_TX_QUAD | SPI_RX_QUAD;
-	master->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(24) |
-				     SPI_BPW_MASK(16) | SPI_BPW_MASK(8);
+	host->dev.of_node = np;
+	host->dev.fwnode = pdev->dev.fwnode;
+	host->auto_runtime_pm = true;
+	host->bus_num = pdev->id;
+
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_TX_DUAL | SPI_RX_DUAL |
+			  SPI_TX_QUAD | SPI_RX_QUAD;
+	host->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(24) |
+				   SPI_BPW_MASK(16) | SPI_BPW_MASK(8);
 
-	master->set_cs = synquacer_spi_set_cs;
-	master->transfer_one = synquacer_spi_transfer_one;
+	host->set_cs = synquacer_spi_set_cs;
+	host->transfer_one = synquacer_spi_transfer_one;
 
-	ret = synquacer_spi_enable(master);
+	ret = synquacer_spi_enable(host);
 	if (ret)
 		goto disable_clk;
 
 	pm_runtime_set_active(sspi->dev);
 	pm_runtime_enable(sspi->dev);
 
-	ret = devm_spi_register_master(sspi->dev, master);
+	ret = devm_spi_register_controller(sspi->dev, host);
 	if (ret)
 		goto disable_pm;
 
@@ -730,15 +730,15 @@ disable_pm:
 disable_clk:
 	clk_disable_unprepare(sspi->clk);
 put_spi:
-	spi_master_put(master);
+	spi_controller_put(host);
 
 	return ret;
 }
 
 static void synquacer_spi_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = platform_get_drvdata(pdev);
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = platform_get_drvdata(pdev);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
 	pm_runtime_disable(sspi->dev);
 
@@ -747,11 +747,11 @@ static void synquacer_spi_remove(struct
 
 static int __maybe_unused synquacer_spi_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
-	ret = spi_master_suspend(master);
+	ret = spi_controller_suspend(host);
 	if (ret)
 		return ret;
 
@@ -763,8 +763,8 @@ static int __maybe_unused synquacer_spi_
 
 static int __maybe_unused synquacer_spi_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
 	if (!pm_runtime_suspended(dev)) {
@@ -778,7 +778,7 @@ static int __maybe_unused synquacer_spi_
 			return ret;
 		}
 
-		ret = synquacer_spi_enable(master);
+		ret = synquacer_spi_enable(host);
 		if (ret) {
 			clk_disable_unprepare(sspi->clk);
 			dev_err(dev, "failed to enable spi (%d)\n", ret);
@@ -786,7 +786,7 @@ static int __maybe_unused synquacer_spi_
 		}
 	}
 
-	ret = spi_master_resume(master);
+	ret = spi_controller_resume(host);
 	if (ret < 0)
 		clk_disable_unprepare(sspi->clk);
 




* [PATCH 7.0 297/378] pinctrl: mcp23s08: Read spi-present-mask as u8 not u32
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Judith Mendez, Linus Walleij

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Judith Mendez <jm@ti.com>

commit b0c13ec17438577f90b379d448dfed1233e2c0a4 upstream.

The binding (microchip,mcp23s08) specifies microchip,spi-present-mask
as uint8, but driver would read u32, causing type mismatch. Use
device_property_read_u8 to match binding spec, hardware (8 chips max),
& prevent probe failure.

Cc: stable@vger.kernel.org
Fixes: 3ad8d3ec6d87 ("dt-bindings: pinctrl: convert pinctrl-mcp23s08.txt to yaml format")
Signed-off-by: Judith Mendez <jm@ti.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/pinctrl-mcp23s08_spi.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
@@ -144,13 +144,13 @@ static int mcp23s08_probe(struct spi_dev
 	unsigned int addr;
 	int chips;
 	int ret;
-	u32 v;
+	u8 v;
 
 	info = spi_get_device_match_data(spi);
 
-	ret = device_property_read_u32(dev, "microchip,spi-present-mask", &v);
+	ret = device_property_read_u8(dev, "microchip,spi-present-mask", &v);
 	if (ret) {
-		ret = device_property_read_u32(dev, "mcp,spi-present-mask", &v);
+		ret = device_property_read_u8(dev, "mcp,spi-present-mask", &v);
 		if (ret) {
 			dev_err(dev, "missing spi-present-mask");
 			return ret;
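
Review bot: both the microchip,spi-present-mask read and the legacy
mcp,spi-present-mask fallback switch to device_property_read_u8(), so a
device tree that still encodes either property as a 32-bit cell will no
longer yield the intended mask. Is there any tree in use that does so
for the legacy name? If yes, keep a u32 fallback there and range-check
the value before storing it in the u8. The dev_err() string
"missing spi-present-mask" in the context also lacks a trailing
newline.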




* [PATCH 6.1 381/522] spi: syncuacer: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masahisa Kojima, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 75d849c3452e9611de031db45b3149ba9a99035f ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform")
Cc: stable@vger.kernel.org	# 5.3
Cc: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-21-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-synquacer.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -719,7 +719,7 @@ static int synquacer_spi_probe(struct pl
 	pm_runtime_set_active(sspi->dev);
 	pm_runtime_enable(sspi->dev);
 
-	ret = devm_spi_register_controller(sspi->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto disable_pm;
 
@@ -740,9 +740,15 @@ static void synquacer_spi_remove(struct
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(sspi->dev);
 
 	clk_disable_unprepare(sspi->clk);
+
+	spi_controller_put(host);
 }
 
 static int __maybe_unused synquacer_spi_suspend(struct device *dev)
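Review bot: the spi_controller_get()/spi_controller_put() pair added around the teardown in synquacer_spi_remove() has no comment saying why the extra reference is needed. From the visible lines, sspi comes from spi_controller_get_devdata(host) and is still dereferenced (sspi->dev, sspi->clk) after spi_unregister_controller(host), so the reference is presumably what keeps that memory valid until the clock is disabled; a one-line comment saying so would stop a later cleanup from dropping the pair. Since probe now calls spi_register_controller() without devm, also check that no step after registration in probe can fail without unregistering.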




* [PATCH 7.0 298/378] mm/cma: fix reserved page leak on activation failure
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (296 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 297/378] pinctrl: mcp23s08: Read spi-present-mask as u8 not u32 Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 299/378] mm/cma_debug: fix invalid accesses for inactive CMA areas Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Muchun Song, Oscar Salvador (SUSE),
	Usama Arif, David Hildenbrand, Frank van der Linden,
	Liam R. Howlett, Lorenzo Stoakes, Michal Hocko, Mike Rapoport,
	Suren Baghdasaryan, Vlastimil Babka, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muchun Song <songmuchun@bytedance.com>

commit 00739e4dd46dde2b39dd9dd19a27e3c8af4ca0d0 upstream.

If cma_activate_area() fails after allocating only part of the range
bitmaps, the cleanup path still has to release the reserved pages when
CMA_RESERVE_PAGES_ON_ERROR is clear.

That is still worth doing even in this __init path.  A bitmap_zalloc()
failure does not necessarily mean the system cannot make further progress:
freeing the reserved CMA pages can return a substantial amount of memory
to the buddy allocator and may relieve the temporary memory shortage that
caused the allocation failure in the first place.

However, the cleanup path currently uses the bitmap-freeing bound for page
release as well.  That is only correct for ranges whose bitmap allocation
already succeeded.  The failed range and all later ranges still keep their
reserved pages, so a partial bitmap allocation failure can permanently
leak them.

Fix this by releasing reserved pages for all ranges.  Use the saved
early_pfn[] value for ranges whose bitmap allocation already succeeded and
for the failed range, and use cmr->early_pfn for later ranges whose bitmap
allocation was never attempted.

Link: https://lore.kernel.org/20260523060123.2207992-1-songmuchun@bytedance.com
Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Acked-by: Usama Arif <usama.arif@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Frank van der Linden <fvdl@google.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/cma.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/mm/cma.c
+++ b/mm/cma.c
@@ -187,10 +187,13 @@ cleanup:
 
 	/* Expose all pages to the buddy, they are useless for CMA. */
 	if (!test_bit(CMA_RESERVE_PAGES_ON_ERROR, &cma->flags)) {
-		for (r = 0; r < allocrange; r++) {
+		for (r = 0; r < cma->nranges; r++) {
+			unsigned long start_pfn;
+
 			cmr = &cma->ranges[r];
+			start_pfn = r <= allocrange ? early_pfn[r] : cmr->early_pfn;
 			end_pfn = cmr->base_pfn + cmr->count;
-			for (pfn = early_pfn[r]; pfn < end_pfn; pfn++)
+			for (pfn = start_pfn; pfn < end_pfn; pfn++)
 				free_reserved_page(pfn_to_page(pfn));
 		}
 	}
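Review bot: the new start_pfn = r <= allocrange ? early_pfn[r] : cmr->early_pfn line depends on early_pfn[allocrange] having been saved before the bitmap allocation for that range failed, and that assignment is not visible in this hunk. A short comment above the ternary spelling out the three cases from the commit message (bitmap already allocated, the failed range, ranges never attempted) would make the choice of <= rather than < easy to verify when reading the cleanup path on its own.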




* [PATCH 6.1 382/522] spi: sun4i: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (380 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 381/522] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 383/522] spi: sun4i: switch to use modern name Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
	Andre Przywara, Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit b7b949458ac391963e56ae354b73fee63016dcee ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Link: https://lore.kernel.org/r/20230303172041.2103336-75-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 42108a2f03e0 ("spi: sun4i: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun4i.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -519,11 +519,9 @@ err_free_master:
 	return ret;
 }
 
-static int sun4i_spi_remove(struct platform_device *pdev)
+static void sun4i_spi_remove(struct platform_device *pdev)
 {
 	pm_runtime_force_suspend(&pdev->dev);
-
-	return 0;
 }
 
 static const struct of_device_id sun4i_spi_match[] = {
@@ -539,7 +537,7 @@ static const struct dev_pm_ops sun4i_spi
 
 static struct platform_driver sun4i_spi_driver = {
 	.probe	= sun4i_spi_probe,
-	.remove	= sun4i_spi_remove,
+	.remove_new = sun4i_spi_remove,
 	.driver	= {
 		.name		= "sun4i-spi",
 		.of_match_table	= sun4i_spi_match,
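Review bot: style nit in sun4i_spi_driver: the new .remove_new = sun4i_spi_remove, initializer puts a space before the "=" while the .probe and .driver initializers next to it are tab-aligned. Otherwise the conversion is mechanical, since the old callback only returned 0 after pm_runtime_force_suspend().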




* [PATCH 7.0 299/378] mm/cma_debug: fix invalid accesses for inactive CMA areas
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (297 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 298/378] mm/cma: fix reserved page leak on activation failure Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 300/378] mm/damon/lru_sort: handle ctx allocation failure Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Muchun Song,
	Mike Rapoport (Microsoft), Oscar Salvador (SUSE),
	David Hildenbrand (Arm), Dmitry Safonov, Frank van der Linden,
	Liam R. Howlett, Lorenzo Stoakes, Michal Hocko, Michal Nazarewicz,
	Stefan Strogin, Suren Baghdasaryan, Vlastimil Babka,
	Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muchun Song <songmuchun@bytedance.com>

commit c0ca59beb5252ea2bd4fdaef009d003dedc2030e upstream.

cma_activate_area() can fail after allocating range bitmaps.  Its cleanup
path frees those bitmaps, but only clears cma->count and
cma->available_count.  It leaves cma->nranges and each range's count in
place, so cma_debugfs_init() can still register debugfs files for an area
that never activated successfully.

That exposes two problems.  Reading the bitmap file can make debugfs walk
a freed range bitmap and trigger an invalid memory access.  Reading
maxchunk can also take cma->lock even though that lock is initialized only
on the successful activation path.

Fix this by creating debugfs entries only for CMA areas that reached
CMA_ACTIVATED.

c009da4258f9 introduced the invalid access to bitmap file.  2e32b947606d
introduced the invalid access to cma->lock.  This change applies to both
issues.  So I added two Fixes tags.

Link: https://lore.kernel.org/20260520061025.3971821-1-songmuchun@bytedance.com
Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Frank van der Linden <fvdl@google.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Michal Nazarewicz <mina86@mina86.com>
Cc: Stefan Strogin <stefan.strogin@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/cma_debug.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/cma_debug.c
+++ b/mm/cma_debug.c
@@ -205,7 +205,8 @@ static int __init cma_debugfs_init(void)
 	cma_debugfs_root = debugfs_create_dir("cma", NULL);
 
 	for (i = 0; i < cma_area_count; i++)
-		cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
+		if (test_bit(CMA_ACTIVATED, &cma_areas[i].flags))
+			cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
 
 	return 0;
 }
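Review bot: the for loop in cma_debugfs_init() now has a two-line body (the if plus the cma_debugfs_add_one() call) with no braces; kernel coding style asks for braces once a loop body is more than a single simple statement, so wrap the if in { }. The test_bit(CMA_ACTIVATED, ...) check itself matches the commit message, and because it runs once from this __init function it relies on the flag being final by the time cma_debugfs_init() is called.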




* [PATCH 6.1 383/522] spi: sun4i: switch to use modern name
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (381 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 382/522] spi: sun4i: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 384/522] spi: sun4i: fix controller deregistration Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 6d232cc8a7e59af0c083319827541966a68817a0 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-7-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 42108a2f03e0 ("spi: sun4i: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun4i.c |   72 ++++++++++++++++++++++++------------------------
 1 file changed, 36 insertions(+), 36 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -75,7 +75,7 @@
 #define SUN4I_FIFO_STA_TF_CNT_BITS		16
 
 struct sun4i_spi {
-	struct spi_master	*master;
+	struct spi_controller	*host;
 	void __iomem		*base_addr;
 	struct clk		*hclk;
 	struct clk		*mclk;
@@ -161,7 +161,7 @@ static inline void sun4i_spi_fill_fifo(s
 
 static void sun4i_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct sun4i_spi *sspi = spi_master_get_devdata(spi->master);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(spi->controller);
 	u32 reg;
 
 	reg = sun4i_spi_read(sspi, SUN4I_CTL_REG);
@@ -201,11 +201,11 @@ static size_t sun4i_spi_max_transfer_siz
 	return SUN4I_MAX_XFER_SIZE - 1;
 }
 
-static int sun4i_spi_transfer_one(struct spi_master *master,
+static int sun4i_spi_transfer_one(struct spi_controller *host,
 				  struct spi_device *spi,
 				  struct spi_transfer *tfr)
 {
-	struct sun4i_spi *sspi = spi_master_get_devdata(master);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(host);
 	unsigned int mclk_rate, div, timeout;
 	unsigned int start, end, tx_time;
 	unsigned int tx_len = 0;
@@ -334,7 +334,7 @@ static int sun4i_spi_transfer_one(struct
 					      msecs_to_jiffies(tx_time));
 	end = jiffies;
 	if (!timeout) {
-		dev_warn(&master->dev,
+		dev_warn(&host->dev,
 			 "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
 			 dev_name(&spi->dev), tfr->len, tfr->speed_hz,
 			 jiffies_to_msecs(end - start), tx_time);
@@ -389,8 +389,8 @@ static irqreturn_t sun4i_spi_handler(int
 
 static int sun4i_spi_runtime_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct sun4i_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
 	ret = clk_prepare_enable(sspi->hclk);
@@ -418,8 +418,8 @@ out:
 
 static int sun4i_spi_runtime_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct sun4i_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(host);
 
 	clk_disable_unprepare(sspi->mclk);
 	clk_disable_unprepare(sspi->hclk);
@@ -429,62 +429,62 @@ static int sun4i_spi_runtime_suspend(str
 
 static int sun4i_spi_probe(struct platform_device *pdev)
 {
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct sun4i_spi *sspi;
 	int ret = 0, irq;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(struct sun4i_spi));
-	if (!master) {
-		dev_err(&pdev->dev, "Unable to allocate SPI Master\n");
+	host = spi_alloc_host(&pdev->dev, sizeof(struct sun4i_spi));
+	if (!host) {
+		dev_err(&pdev->dev, "Unable to allocate SPI Host\n");
 		return -ENOMEM;
 	}
 
-	platform_set_drvdata(pdev, master);
-	sspi = spi_master_get_devdata(master);
+	platform_set_drvdata(pdev, host);
+	sspi = spi_controller_get_devdata(host);
 
 	sspi->base_addr = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(sspi->base_addr)) {
 		ret = PTR_ERR(sspi->base_addr);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = -ENXIO;
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	ret = devm_request_irq(&pdev->dev, irq, sun4i_spi_handler,
 			       0, "sun4i-spi", sspi);
 	if (ret) {
 		dev_err(&pdev->dev, "Cannot request IRQ\n");
-		goto err_free_master;
+		goto err_free_host;
 	}
 
-	sspi->master = master;
-	master->max_speed_hz = 100 * 1000 * 1000;
-	master->min_speed_hz = 3 * 1000;
-	master->set_cs = sun4i_spi_set_cs;
-	master->transfer_one = sun4i_spi_transfer_one;
-	master->num_chipselect = 4;
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
-	master->bits_per_word_mask = SPI_BPW_MASK(8);
-	master->dev.of_node = pdev->dev.of_node;
-	master->auto_runtime_pm = true;
-	master->max_transfer_size = sun4i_spi_max_transfer_size;
+	sspi->host = host;
+	host->max_speed_hz = 100 * 1000 * 1000;
+	host->min_speed_hz = 3 * 1000;
+	host->set_cs = sun4i_spi_set_cs;
+	host->transfer_one = sun4i_spi_transfer_one;
+	host->num_chipselect = 4;
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
+	host->bits_per_word_mask = SPI_BPW_MASK(8);
+	host->dev.of_node = pdev->dev.of_node;
+	host->auto_runtime_pm = true;
+	host->max_transfer_size = sun4i_spi_max_transfer_size;
 
 	sspi->hclk = devm_clk_get(&pdev->dev, "ahb");
 	if (IS_ERR(sspi->hclk)) {
 		dev_err(&pdev->dev, "Unable to acquire AHB clock\n");
 		ret = PTR_ERR(sspi->hclk);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	sspi->mclk = devm_clk_get(&pdev->dev, "mod");
 	if (IS_ERR(sspi->mclk)) {
 		dev_err(&pdev->dev, "Unable to acquire module clock\n");
 		ret = PTR_ERR(sspi->mclk);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	init_completion(&sspi->done);
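Review bot: the commit message says there is no functional change, but in sun4i_spi_probe() the rename also edits a user-visible log string, "Unable to allocate SPI Master\n" becoming "Unable to allocate SPI Host\n". That is harmless for the driver, though anything matching on the old kernel log text would stop matching, so the message text change deserves a mention in the changelog.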
@@ -496,16 +496,16 @@ static int sun4i_spi_probe(struct platfo
 	ret = sun4i_spi_runtime_resume(&pdev->dev);
 	if (ret) {
 		dev_err(&pdev->dev, "Couldn't resume the device\n");
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 	pm_runtime_idle(&pdev->dev);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (ret) {
-		dev_err(&pdev->dev, "cannot register SPI master\n");
+		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
 	}
 
@@ -514,8 +514,8 @@ static int sun4i_spi_probe(struct platfo
 err_pm_disable:
 	pm_runtime_disable(&pdev->dev);
 	sun4i_spi_runtime_suspend(&pdev->dev);
-err_free_master:
-	spi_master_put(master);
+err_free_host:
+	spi_controller_put(host);
 	return ret;
 }
 




* [PATCH 7.0 300/378] mm/damon/lru_sort: handle ctx allocation failure
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (298 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 299/378] mm/cma_debug: fix invalid accesses for inactive CMA areas Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 301/378] mm/damon/reclaim: " Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit ab04340b5ae5d52c1d46b750538febcde9d889e7 upstream.

DAMON_LRU_SORT allocates the damon_ctx object for its kdamond in its init
function.  damon_lru_sort_enabled_store() wrongly assumes the allocation
will always succeed once tried.  If the damon_ctx allocation failed,
therefore, code execution reaches damon_commit_ctx() while 'ctx' is
NULL.  As a result, it dereferences the NULL 'ctx' pointer.  Avoid the
NULL dereference by returning -ENOMEM if 'ctx' is NULL.

Link: https://lore.kernel.org/20260529000104.7006-3-sj@kernel.org
Fixes: c4a8e662c839 ("mm/damon/lru_sort: use damon_initialized()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.18.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/lru_sort.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/mm/damon/lru_sort.c
+++ b/mm/damon/lru_sort.c
@@ -442,6 +442,10 @@ static int damon_lru_sort_enabled_store(
 	if (!damon_initialized())
 		return 0;
 
+	/* damon_modules_new_paddr_ctx_target() in the init function failed. */
+	if (!ctx)
+		return -ENOMEM;
+
 	return damon_lru_sort_turn(enabled);
 }
 
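Review bot: the new if (!ctx) return -ENOMEM; check in damon_lru_sort_enabled_store() sits after the damon_initialized() early return, so it only guards the damon_lru_sort_turn(enabled) call below it. The lines above the hunk are not shown here; if any of them can touch ctx, they need the same guard, and it is worth stating in the comment that a write made before DAMON is initialized still returns 0 even when the context allocation has failed.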




* [PATCH 6.1 384/522] spi: sun4i: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (382 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 383/522] spi: sun4i: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 385/522] spi: Convert to SPI_CONTROLLER_HALF_DUPLEX Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 42108a2f03e0fdeabe9d02d085bdb058baa1189f ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b5f6517948cc ("spi: sunxi: Add Allwinner A10 SPI controller driver")
Cc: stable@vger.kernel.org	# 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun4i.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -503,7 +503,7 @@ static int sun4i_spi_probe(struct platfo
 	pm_runtime_enable(&pdev->dev);
 	pm_runtime_idle(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
@@ -521,7 +521,15 @@ err_free_host:
 
 static void sun4i_spi_remove(struct platform_device *pdev)
 {
+	struct spi_controller *host = platform_get_drvdata(pdev);
+
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_force_suspend(&pdev->dev);
+
+	spi_controller_put(host);
 }
 
 static const struct of_device_id sun4i_spi_match[] = {
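Review bot: sun4i_spi_remove() takes a reference with spi_controller_get(host) and drops it only after pm_runtime_force_suspend(), with no comment explaining the pairing. The runtime suspend callback shown in the rename patch earlier in this series reaches the controller through dev_get_drvdata() and spi_controller_get_devdata(), so the reference is presumably what keeps host valid after spi_unregister_controller(); a brief comment stating that, and the intended order (unregister first, then power down), would keep a later cleanup from removing the get/put.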




* [PATCH 7.0 301/378] mm/damon/reclaim: handle ctx allocation failure
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (299 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 300/378] mm/damon/lru_sort: handle ctx allocation failure Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 302/378] mm/huge_memory: use correct flags for device private PMD entry Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 7e2ed8a29427af534bf2cb9b8bc51762b8b6e654 upstream.

Patch series "mm/damon/{reclaim,lru_sort}: handle ctx allocation failures".

DAMON_RECLAIM and DAMON_LRU_SORT could dereference NULL pointers if their
damon_ctx object allocations fail.  The bugs are expected to happen
infrequently because the allocations are arguably too small to fail on
common setups.  But theoretically they are possible and the consequences
are bad.  Fix those.

The issues were discovered [1] by Sashiko.


This patch (of 2):

DAMON_RECLAIM allocates the damon_ctx object for its kdamond in its init
function.  damon_reclaim_enabled_store() wrongly assumes the allocation
will always succeed once tried.  If the damon_ctx allocation failed,
therefore, code execution reaches damon_commit_ctx() while 'ctx' is
NULL.  As a result, it dereferences the NULL 'ctx' pointer.  Avoid the
NULL dereference by returning -ENOMEM if 'ctx' is NULL.

Link: https://lore.kernel.org/20260529000104.7006-2-sj@kernel.org
Link: https://lore.kernel.org/20260419014800.877-1-sj@kernel.org [1]
Fixes: 3f7a914ab9a5 ("mm/damon/reclaim: use damon_initialized()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.18.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/reclaim.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/mm/damon/reclaim.c
+++ b/mm/damon/reclaim.c
@@ -344,6 +344,10 @@ static int damon_reclaim_enabled_store(c
 	if (!damon_initialized())
 		return 0;
 
+	/* damon_modules_new_paddr_ctx_target() in the init function failed. */
+	if (!ctx)
+		return -ENOMEM;
+
 	return damon_reclaim_turn(enabled);
 }
 
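Review bot: the comment added in damon_reclaim_enabled_store() names damon_modules_new_paddr_ctx_target() but not the init function that calls it, and the failure is only surfaced as -ENOMEM to whoever later writes the enabled parameter. Consider naming the init function in the comment, and logging the allocation failure once where it happens so the cause is visible before the first write.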




* [PATCH 6.1 385/522] spi: Convert to SPI_CONTROLLER_HALF_DUPLEX
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (383 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 384/522] spi: sun4i: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 386/522] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 7a2b552c8e0e5bb280558f6c120140f5f06323bc ]

Convert the users under SPI subsystem to SPI_CONTROLLER_HALF_DUPLEX.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20230710154932.68377-15-andriy.shevchenko@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0c18a1bacbb1 ("spi: ti-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-amd.c             |    2 +-
 drivers/spi/spi-cavium-thunderx.c |    2 +-
 drivers/spi/spi-falcon.c          |    2 +-
 drivers/spi/spi-lp8841-rtc.c      |    2 +-
 drivers/spi/spi-mxs.c             |    2 +-
 drivers/spi/spi-omap-uwire.c      |    2 +-
 drivers/spi/spi-pic32-sqi.c       |    2 +-
 drivers/spi/spi-qcom-qspi.c       |    2 +-
 drivers/spi/spi-rockchip-sfc.c    |    2 +-
 drivers/spi/spi-sprd-adi.c        |    2 +-
 drivers/spi/spi-ti-qspi.c         |    2 +-
 drivers/spi/spi-xcomm.c           |    2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

--- a/drivers/spi/spi-amd.c
+++ b/drivers/spi/spi-amd.c
@@ -404,7 +404,7 @@ static int amd_spi_probe(struct platform
 	master->bus_num = 0;
 	master->num_chipselect = 4;
 	master->mode_bits = 0;
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->max_speed_hz = AMD_SPI_MAX_HZ;
 	master->min_speed_hz = AMD_SPI_MIN_HZ;
 	master->setup = amd_spi_master_setup;
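Review bot: this hunk and the eleven other one-line replacements in the patch switch master->flags (ctlr->flags in spi-sprd-adi.c) to SPI_CONTROLLER_HALF_DUPLEX, yet the diffstat lists only files under drivers/spi/ and no header. For the 6.1 backport, confirm the macro is already defined in the tree, either by an earlier patch in this series or in 6.1.y itself, otherwise all twelve drivers fail to build.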
--- a/drivers/spi/spi-cavium-thunderx.c
+++ b/drivers/spi/spi-cavium-thunderx.c
@@ -64,7 +64,7 @@ static int thunderx_spi_probe(struct pci
 		p->sys_freq = SYS_FREQ_DEFAULT;
 	dev_info(dev, "Set system clock to %u\n", p->sys_freq);
 
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->num_chipselect = 4;
 	master->mode_bits = SPI_CPHA | SPI_CPOL | SPI_CS_HIGH |
 			    SPI_LSB_FIRST | SPI_3WIRE;
--- a/drivers/spi/spi-falcon.c
+++ b/drivers/spi/spi-falcon.c
@@ -401,7 +401,7 @@ static int falcon_sflash_probe(struct pl
 	priv->master = master;
 
 	master->mode_bits = SPI_MODE_3;
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->setup = falcon_sflash_setup;
 	master->transfer_one_message = falcon_sflash_xfer_one;
 	master->dev.of_node = pdev->dev.of_node;
--- a/drivers/spi/spi-lp8841-rtc.c
+++ b/drivers/spi/spi-lp8841-rtc.c
@@ -191,7 +191,7 @@ spi_lp8841_rtc_probe(struct platform_dev
 		return -ENOMEM;
 	platform_set_drvdata(pdev, master);
 
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->mode_bits = SPI_CS_HIGH | SPI_3WIRE | SPI_LSB_FIRST;
 
 	master->bus_num = pdev->id;
--- a/drivers/spi/spi-mxs.c
+++ b/drivers/spi/spi-mxs.c
@@ -573,7 +573,7 @@ static int mxs_spi_probe(struct platform
 	master->mode_bits = SPI_CPOL | SPI_CPHA;
 	master->num_chipselect = 3;
 	master->dev.of_node = np;
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->auto_runtime_pm = true;
 
 	spi = spi_master_get_devdata(master);
--- a/drivers/spi/spi-omap-uwire.c
+++ b/drivers/spi/spi-omap-uwire.c
@@ -491,7 +491,7 @@ static int uwire_probe(struct platform_d
 	/* the spi->mode bits understood by this driver: */
 	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH;
 	master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 16);
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 
 	master->bus_num = 2;	/* "official" */
 	master->num_chipselect = 4;
--- a/drivers/spi/spi-pic32-sqi.c
+++ b/drivers/spi/spi-pic32-sqi.c
@@ -648,7 +648,7 @@ static int pic32_sqi_probe(struct platfo
 	master->dev.of_node	= pdev->dev.of_node;
 	master->mode_bits	= SPI_MODE_3 | SPI_MODE_0 | SPI_TX_DUAL |
 				  SPI_RX_DUAL | SPI_TX_QUAD | SPI_RX_QUAD;
-	master->flags		= SPI_MASTER_HALF_DUPLEX;
+	master->flags		= SPI_CONTROLLER_HALF_DUPLEX;
 	master->can_dma		= pic32_sqi_can_dma;
 	master->bits_per_word_mask	= SPI_BPW_RANGE_MASK(8, 32);
 	master->transfer_one_message	= pic32_sqi_one_message;
--- a/drivers/spi/spi-qcom-qspi.c
+++ b/drivers/spi/spi-qcom-qspi.c
@@ -523,7 +523,7 @@ static int qcom_qspi_probe(struct platfo
 	master->mode_bits = SPI_MODE_0 |
 			    SPI_TX_DUAL | SPI_RX_DUAL |
 			    SPI_TX_QUAD | SPI_RX_QUAD;
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->prepare_message = qcom_qspi_prepare_message;
 	master->transfer_one = qcom_qspi_transfer_one;
 	master->handle_err = qcom_qspi_handle_err;
--- a/drivers/spi/spi-rockchip-sfc.c
+++ b/drivers/spi/spi-rockchip-sfc.c
@@ -566,7 +566,7 @@ static int rockchip_sfc_probe(struct pla
 	if (!master)
 		return -ENOMEM;
 
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->mem_ops = &rockchip_sfc_mem_ops;
 	master->dev.of_node = pdev->dev.of_node;
 	master->mode_bits = SPI_TX_QUAD | SPI_TX_DUAL | SPI_RX_QUAD | SPI_RX_DUAL;
--- a/drivers/spi/spi-sprd-adi.c
+++ b/drivers/spi/spi-sprd-adi.c
@@ -570,7 +570,7 @@ static int sprd_adi_probe(struct platfor
 	ctlr->dev.of_node = pdev->dev.of_node;
 	ctlr->bus_num = pdev->id;
 	ctlr->num_chipselect = num_chipselect;
-	ctlr->flags = SPI_MASTER_HALF_DUPLEX;
+	ctlr->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	ctlr->bits_per_word_mask = 0;
 	ctlr->transfer_one = sprd_adi_transfer_one;
 
--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -770,7 +770,7 @@ static int ti_qspi_probe(struct platform
 
 	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_RX_DUAL | SPI_RX_QUAD;
 
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->setup = ti_qspi_setup;
 	master->auto_runtime_pm = true;
 	master->transfer_one_message = ti_qspi_start_transfer_one;
--- a/drivers/spi/spi-xcomm.c
+++ b/drivers/spi/spi-xcomm.c
@@ -219,7 +219,7 @@ static int spi_xcomm_probe(struct i2c_cl
 	master->num_chipselect = 16;
 	master->mode_bits = SPI_CPHA | SPI_CPOL | SPI_3WIRE;
 	master->bits_per_word_mask = SPI_BPW_MASK(8);
-	master->flags = SPI_MASTER_HALF_DUPLEX;
+	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
 	master->transfer_one_message = spi_xcomm_transfer_one;
 	master->dev.of_node = i2c->dev.of_node;
 	i2c_set_clientdata(i2c, master);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 302/378] mm/huge_memory: use correct flags for device private PMD entry
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (300 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 301/378] mm/damon/reclaim: " Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 303/378] mm/hugetlb: avoid false positive lockdep assertion Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
	David Hildenbrand (Arm), Dev Jain, Balbir Singh, Baolin Wang,
	Oscar Salvador (SUSE), Barry Song, Lance Yang, Zi Yan,
	Liam R. Howlett, Nico Pache, Ryan Roberts, SeongJae Park,
	Wei Yang, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Stoakes <ljs@kernel.org>

commit 43e7f189769c512c843184a8a5892ac779a6bd90 upstream.

Commit 65edfda6f3f2 ("mm/rmap: extend rmap and migration support
device-private entries") updated set_pmd_migration_entry() to use
pmdp_huge_get_and_clear() in the softleaf case, but made no further
adjustments to the function itself.

Therefore this function continues to incorrectly use pmd_write(),
pmd_soft_dirty() and pmd_uffd_wp() to determine whether the installed
migration entry should be marked writable, softdirty or uffd-wp
respectively.

Whilst all are incorrect, the most problematic of these is pmd_write(), as
this can lead to corrupted rmap state.

On x86-64 _PAGE_SWP_SOFT_DIRTY is aliased to _PAGE_RW.  So calling
pmd_write() on a softleaf will return the softdirty state encoded in the
entry, assuming CONFIG_MEM_SOFT_DIRTY was enabled.

This was observed when running the hmm.hmm_device_private.anon_write_child
selftest:

1. The test faults in a range then migrates it such that a device-private
   THP range is established.

2. The parent then migrates it to a device-private writable PMD entry whose
   folio is entirely AnonExclusive with entire_mapcount=1, softdirty set
   (accidentally correct write state).

3. The parent forks and the PMD entries are set to device-private read only
   entries, entire_mapcount=2, softdirty still set.

4. [BUG] The child writes to the range then migrates to RAM - intending to
   install non-writable migration entries - but replacing parent and child
   PMD mappings with WRITABLE entries due to misinterpreting the softdirty
   bit.

5. In remove_migration_pmd(), if !softleaf_is_migration_read(entry) we
   set the RMAP_EXCLUSIVE flag when calling folio_add_anon_rmap_pmd() for
   both parent and child, which are therefore AnonExclusive.

6. [SPLAT] Child sets migrated folio entire_mapcount=1, parent sets
   entire_mapcount=2 and we end up with an AnonExclusive folio with
   entire_mapcount=2! Assert fires in __folio_add_anon_rmap():

		VM_WARN_ON_FOLIO(folio_test_large(folio) &&
				 folio_entire_mapcount(folio) > 1 &&
				 PageAnonExclusive(cur_page), folio)

This patch fixes the issue by correctly referencing the softleaf entry
fields for writable, softdirty and uffd-wp in set_pmd_migration_entry().

It also only updates A/D flags if the entry is present as these are
otherwise not meaningful for a softleaf entry.

This patch also flips the if (!present) { ...  } else { ...  } logic in
set_pmd_migration_entry() so it is easier to understand, and adds some
comments to make things clearer.

I was able to bisect this to commit 775465fd26a3 ("lib/test_hmm: add zone
device private THP test infrastructure") which first exposes this bug as
it was the commit that permitted test_hmm to generate the test.

However commit 65edfda6f3f2 ("mm/rmap: extend rmap and migration support
device-private entries") is the commit that actually enabled this
behaviour.

Link: https://lore.kernel.org/20260601083044.57132-1-ljs@kernel.org
Fixes: 65edfda6f3f2 ("mm/rmap: extend rmap and migration support device-private entries")
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Reviewed-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Reviewed-by: Barry Song <baohua@kernel.org>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: SeongJae Park <sj@kernel.org>
Cc: Wei Yang <richard.weiyang@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/huge_memory.c |   45 +++++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -4873,7 +4873,7 @@ int set_pmd_migration_entry(struct page_
 	struct vm_area_struct *vma = pvmw->vma;
 	struct mm_struct *mm = vma->vm_mm;
 	unsigned long address = pvmw->address;
-	bool anon_exclusive;
+	bool anon_exclusive, present, writable, softdirty, uffd_wp;
 	pmd_t pmdval;
 	swp_entry_t entry;
 	pmd_t pmdswp;
@@ -4881,12 +4881,26 @@ int set_pmd_migration_entry(struct page_
 	if (!(pvmw->pmd && !pvmw->pte))
 		return 0;
 
-	flush_cache_range(vma, address, address + HPAGE_PMD_SIZE);
-	if (unlikely(!pmd_present(*pvmw->pmd)))
-		pmdval = pmdp_huge_get_and_clear(vma->vm_mm, address, pvmw->pmd);
-	else
+	present = pmd_present(*pvmw->pmd);
+	if (likely(present)) {
+		flush_cache_range(vma, address, address + HPAGE_PMD_SIZE);
+
 		pmdval = pmdp_invalidate(vma, address, pvmw->pmd);
 
+		writable = pmd_write(pmdval);
+		softdirty = pmd_soft_dirty(pmdval);
+		uffd_wp = pmd_uffd_wp(pmdval);
+	} else {
+		softleaf_t old_entry;
+
+		pmdval = pmdp_huge_get_and_clear(vma->vm_mm, address, pvmw->pmd);
+		old_entry = softleaf_from_pmd(pmdval);
+
+		writable = softleaf_is_device_private_write(old_entry);
+		softdirty = pmd_swp_soft_dirty(pmdval);
+		uffd_wp = pmd_swp_uffd_wp(pmdval);
+	}
+
 	/* See folio_try_share_anon_rmap_pmd(): invalidate PMD first. */
 	anon_exclusive = folio_test_anon(folio) && PageAnonExclusive(page);
 	if (anon_exclusive && folio_try_share_anon_rmap_pmd(folio, page)) {
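Review bot: Moving flush_cache_range() inside the likely(present) branch means the non-present (softleaf) path no longer flushes the cache range, which the old code did unconditionally before pmdp_huge_get_and_clear(). The commit message covers the flag changes and the if/else flip but not this, so either state in the changelog that the flush is unnecessary for a non-present entry or keep the call ahead of the branch. The else branch also assumes the entry is device-private when it calls softleaf_is_device_private_write(old_entry); a short comment saying that this is the only non-present case expected here would make the assumption explicit.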
@@ -4894,24 +4908,31 @@ int set_pmd_migration_entry(struct page_
 		return -EBUSY;
 	}
 
-	if (pmd_dirty(pmdval))
-		folio_mark_dirty(folio);
-	if (pmd_write(pmdval))
+	/* Determine type of migration entry. */
+	if (writable)
 		entry = make_writable_migration_entry(page_to_pfn(page));
 	else if (anon_exclusive)
 		entry = make_readable_exclusive_migration_entry(page_to_pfn(page));
 	else
 		entry = make_readable_migration_entry(page_to_pfn(page));
-	if (pmd_young(pmdval))
+
+	/* Set A/D bits as necessary. */
+	if (present && pmd_young(pmdval))
 		entry = make_migration_entry_young(entry);
-	if (pmd_dirty(pmdval))
+	if (present && pmd_dirty(pmdval)) {
+		folio_mark_dirty(folio);
 		entry = make_migration_entry_dirty(entry);
+	}
+
+	/* Set PMD. */
 	pmdswp = swp_entry_to_pmd(entry);
-	if (pmd_soft_dirty(pmdval))
+	if (softdirty)
 		pmdswp = pmd_swp_mksoft_dirty(pmdswp);
-	if (pmd_uffd_wp(pmdval))
+	if (uffd_wp)
 		pmdswp = pmd_swp_mkuffd_wp(pmdswp);
 	set_pmd_at(mm, address, pvmw->pmd, pmdswp);
+
+	/* Migration entry installed: cleanup rmap, folio. */
 	folio_remove_rmap_pmd(folio, page, vma);
 	folio_put(folio);
 	trace_set_migration_pmd(address, pmd_val(pmdswp));
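Review bot: The `present &&` guards on pmd_young() and pmd_dirty() are justified only in the commit message; the new comment "Set A/D bits as necessary." should say that A/D bits are not meaningful for a softleaf entry, so the guard is not dropped in a later cleanup. folio_mark_dirty() also moves from before the entry type is chosen to after it and is now skipped for non-present entries, which deserves a word in the changelog.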



^ permalink raw reply	[flat|nested] 906+ messages in thread
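The misread described in the commit message above, as an added user-space model (not kernel code and not part of the patch). Only the aliasing of the swap soft-dirty bit to the RW bit comes from the commit message; the leaf type field, the other bit positions and all `m_*`, `derive_*`, `make_devpriv_entry` and `pick_entry` names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only. The one fact taken from the commit message is that
 * the swap soft-dirty bit shares a position with the RW bit on x86-64; every
 * other position and the leaf type field are assumptions of this model. */
typedef uint64_t pmd_model_t;

#define M_PRESENT        (1ULL << 0)
#define M_RW             (1ULL << 1)   /* meaningful only when present */
#define M_SOFT_DIRTY     (1ULL << 11)  /* present-format soft-dirty (model) */
#define M_SWP_SOFT_DIRTY M_RW          /* the aliasing the commit describes */
#define M_LEAF_SHIFT     8             /* model: softleaf type field */
#define M_LEAF_MASK      (3ULL << M_LEAF_SHIFT)

enum leaf_type { LEAF_NONE, LEAF_DEVPRIV_READ, LEAF_DEVPRIV_WRITE };
enum mig_kind { MIG_READ, MIG_READ_EXCLUSIVE, MIG_WRITE };
struct mig_flags { bool writable, softdirty; };

static bool m_pmd_present(pmd_model_t v)
{
	return (v & M_PRESENT) != 0;
}

static enum leaf_type m_leaf_type(pmd_model_t v)
{
	return (enum leaf_type)((v & M_LEAF_MASK) >> M_LEAF_SHIFT);
}

/* Build a non-present device-private entry (constructed sample input). */
static pmd_model_t make_devpriv_entry(bool writable, bool softdirty)
{
	pmd_model_t v = (pmd_model_t)(writable ? LEAF_DEVPRIV_WRITE
					       : LEAF_DEVPRIV_READ) << M_LEAF_SHIFT;
	if (softdirty)
		v |= M_SWP_SOFT_DIRTY;
	return v;
}

/* Pre-patch derivation: present-format accessors applied to any entry. */
static struct mig_flags derive_buggy(pmd_model_t v)
{
	struct mig_flags f = {
		.writable = (v & M_RW) != 0,
		.softdirty = (v & M_SOFT_DIRTY) != 0,
	};
	return f;
}

/* Post-patch derivation: branch on presence, decode softleaf fields. */
static struct mig_flags derive_fixed(pmd_model_t v)
{
	struct mig_flags f;

	if (m_pmd_present(v)) {
		f.writable = (v & M_RW) != 0;
		f.softdirty = (v & M_SOFT_DIRTY) != 0;
	} else {
		f.writable = m_leaf_type(v) == LEAF_DEVPRIV_WRITE;
		f.softdirty = (v & M_SWP_SOFT_DIRTY) != 0;
	}
	return f;
}

/* Same three-way choice as the hunk that builds the migration entry. */
static enum mig_kind pick_entry(bool writable, bool anon_exclusive)
{
	if (writable)
		return MIG_WRITE;
	return anon_exclusive ? MIG_READ_EXCLUSIVE : MIG_READ;
}

int main(void)
{
	/* Step 3 of the commit message: read-only after fork, softdirty set. */
	pmd_model_t forked = make_devpriv_entry(false, true);
	static const char *names[] = { "read", "read-exclusive", "write" };

	printf("buggy: %s\n", names[pick_entry(derive_buggy(forked).writable, false)]);
	printf("fixed: %s\n", names[pick_entry(derive_fixed(forked).writable, false)]);
	return 0;
}
```

The reverse case also falls out of the model: a writable device-private entry without softdirty is read as non-writable by the pre-patch derivation.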

* [PATCH 6.1 386/522] spi: spi-ti-qspi: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (384 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 385/522] spi: Convert to SPI_CONTROLLER_HALF_DUPLEX Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 387/522] spi: spi-ti-qspi: switch to use modern name Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 2f2802d1a59d79a3d00cb429841db502c2bbc3df ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.

To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().

Add an error message to the error path that returned an error before to
replace the core's error message with more information. Apart from the
different wording of the error message, this patch doesn't introduce a
semantic difference.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231105172649.3738556-2-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0c18a1bacbb1 ("spi: ti-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -909,21 +909,22 @@ free_master:
 	return ret;
 }
 
-static int ti_qspi_remove(struct platform_device *pdev)
+static void ti_qspi_remove(struct platform_device *pdev)
 {
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
 	int rc;
 
 	rc = spi_master_suspend(qspi->master);
-	if (rc)
-		return rc;
+	if (rc) {
+		dev_alert(&pdev->dev, "spi_master_suspend() failed (%pe)\n",
+			  ERR_PTR(rc));
+		return;
+	}
 
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
 	ti_qspi_dma_cleanup(qspi);
-
-	return 0;
 }
 
 static const struct dev_pm_ops ti_qspi_pm_ops = {
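Review bot: The early return after the new dev_alert() still skips pm_runtime_put_sync(), pm_runtime_disable() and ti_qspi_dma_cleanup(), so a failed spi_master_suspend() leaves runtime PM enabled and the DMA resources allocated on a device that is being unbound regardless. That matches the old behaviour, as the commit message says, but now that the return value cannot signal anything the teardown should run unconditionally after logging. If the dependent fix named in Stable-dep-of does that, fine; otherwise drop the `return;`.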
@@ -932,7 +933,7 @@ static const struct dev_pm_ops ti_qspi_p
 
 static struct platform_driver ti_qspi_driver = {
 	.probe	= ti_qspi_probe,
-	.remove = ti_qspi_remove,
+	.remove_new = ti_qspi_remove,
 	.driver = {
 		.name	= "ti-qspi",
 		.pm =   &ti_qspi_pm_ops,



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 303/378] mm/hugetlb: avoid false positive lockdep assertion
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (301 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 302/378] mm/huge_memory: use correct flags for device private PMD entry Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 304/378] mm/hugetlb: restore reservation on error in hugetlb folio copy paths Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
	David Hildenbrand (Arm), Oscar Salvador, Jann Horn, Muchun Song,
	Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Stoakes <ljs@kernel.org>

commit b4aea43cd37afad714b5684fe9fdfcb0e78dba26 upstream.

Commit 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split,
not before") changed the locking model around hugetlbfs PMD unsharing on
VMA split, but did not update the function which asserts the locks,
hugetlb_vma_assert_locked().

This function asserts that either the hugetlb VMA lock is held (if a
shared mapping) or that the reservation map lock is held (if private).

If you get an unfortunate race between something which results in one of
these locks being released and a hugetlb VMA split and you have
CONFIG_LOCKDEP enabled, you can therefore see a false positive assertion
arise when there is in fact no issue.

Since this change introduced a new take_locks parameter to
hugetlb_unshare_pmds(), which, when set to false, indicates that locking
is sufficient, simply pass this to the unsharing logic and predicate the
lock assertions on this.

This is safe, as we already asserted the file rmap lock and the VMA write
lock prior to this (implying exclusive mmap write lock), so we cannot be
raced by either rmap or page fault page table walkers which the asserted
locks are intended to protect against (we don't mind GUP-fast).

Separate out huge_pmd_unshare() into __huge_pmd_unshare() to add a
check_locks parameter, and update hugetlb_unshare_pmds() to pass this
parameter to it.

This leaves all other callers of huge_pmd_unshare() still correctly
asserting the locks.

The below reproducer will trigger the assert in a kernel with
CONFIG_LOCKDEP enabled by racing process teardown (which will release the
hugetlb lock) against a hugetlb split.

void execute_one(void)
{
	void *ptr;
	pid_t pid;

	/*
	 * Create a hugetlb mapping spanning a PUD entry.
	 *
	 * We force the hugetlb page allocation with populate and
	 * noreserve.
	 *
	 * |---------------------|
	 * |                     |
	 * |---------------------|
	 * 0                 PUD boundary
	 */
	ptr = mmap(0, PUD_SIZE, PROT_READ | PROT_WRITE,
		   MAP_FIXED | MAP_SHARED | MAP_ANON |
		   MAP_NORESERVE | MAP_HUGETLB | MAP_POPULATE,
		   -1, 0);
	if (ptr == MAP_FAILED) {
		perror("mmap");
		exit(EXIT_FAILURE);
	}

	/*
	 * Fork but with a bogus stack pointer so we try to execute code in
	 * a non-VM_EXEC VMA, causing segfault + teardown via exit_mmap().
	 *
	 * The clone will cause PMD page table sharing between the
	 * processes first via:
	 * copy_process() -> ... -> huge_pte_alloc() -> huge_pmd_share()
	 *
	 * Then tear down and release the hugetlb 'VMA' lock via:
	 * exit_mmap() -> ... -> vma_close() -> hugetlb_vma_lock_free()
	 */
	pid = syscall(__NR_clone, 0, 2 * PMD_SIZE, 0, 0, 0);
	if (pid < 0) {
		perror("clone");
		exit(EXIT_FAILURE);
	} if (pid == 0) {
		/* Pop stack... */
		return;
	}

	/*
	 * We are the parent process.
	 *
	 * Race the child process's teardown with a PMD unshare.
	 *
	 * We do this by triggering:
	 *
	 * __split_vma() -> hugetlb_split() -> hugetlb_unshare_pmds()
	 *
	 * Which, importantly, doesn't hold the hugetlb VMA lock (nor can
	 * it), meaning we assert in hugetlb_vma_assert_locked().
	 *
	 *            .
	 * |----------.----------|
	 * |          .          |
	 * |----------.----------|
	 * 0          .     PUD boundary
	 */
	mmap(0, PUD_SIZE / 2, PROT_READ | PROT_WRITE,
	     MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
}

int main(void)
{
	int i;

	/* Kick off fork children. */
	for (i = 0; i < NUM_FORKS; i++) {
		pid_t pid = fork();

		if (pid < 0) {
			perror("fork");
			exit(EXIT_FAILURE);
		}

		/* Fork children do their work and exit. */
		if (!pid) {
			int j;

			for (j = 0; j < NUM_ITERS; j++)
				execute_one();
			return EXIT_SUCCESS;
		}
	}

	/* If we succeeded, wait on children. */
	for (i = 0; i < NUM_FORKS; i++)
		wait(NULL);

	return EXIT_SUCCESS;
}

[ljs@kernel.org: account for the !CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING case]
  Link: https://lore.kernel.org/agWZsPGYid08uU6O@lucifer
Link: https://lore.kernel.org/20260513085658.45264-1-ljs@kernel.org
Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before")
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Acked-by: Oscar Salvador <osalvador@suse.de>
Cc: Jann Horn <jannh@google.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |   56 +++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 37 insertions(+), 19 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -118,6 +118,9 @@ static int hugetlb_acct_memory(struct hs
 static void hugetlb_vma_lock_free(struct vm_area_struct *vma);
 static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma);
 static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma);
+static int __huge_pmd_unshare(struct mmu_gather *tlb,
+		struct vm_area_struct *vma, unsigned long addr, pte_t *ptep,
+		bool check_locks);
 static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
 		unsigned long start, unsigned long end, bool take_locks);
 static struct resv_map *vma_resv_map(struct vm_area_struct *vma);
@@ -6910,6 +6913,31 @@ out:
 	return pte;
 }
 
+static int __huge_pmd_unshare(struct mmu_gather *tlb,
+		struct vm_area_struct *vma, unsigned long addr, pte_t *ptep,
+		bool check_locks)
+{
+	unsigned long sz = huge_page_size(hstate_vma(vma));
+	struct mm_struct *mm = vma->vm_mm;
+	pgd_t *pgd = pgd_offset(mm, addr);
+	p4d_t *p4d = p4d_offset(pgd, addr);
+	pud_t *pud = pud_offset(p4d, addr);
+
+	if (sz != PMD_SIZE)
+		return 0;
+	if (!ptdesc_pmd_is_shared(virt_to_ptdesc(ptep)))
+		return 0;
+	i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+	if (check_locks)
+		hugetlb_vma_assert_locked(vma);
+	pud_clear(pud);
+
+	tlb_unshare_pmd_ptdesc(tlb, virt_to_ptdesc(ptep), addr);
+
+	mm_dec_nr_pmds(mm);
+	return 1;
+}
+
 /**
  * huge_pmd_unshare - Unmap a pmd table if it is shared by multiple users
  * @tlb: the current mmu_gather.
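Review bot: __huge_pmd_unshare() has no comment saying when check_locks may be false. The justification (file rmap lock and VMA write lock already asserted on the split path) lives only in the commit message; put a short comment above the helper so a future caller does not pass false just to silence hugetlb_vma_assert_locked(). Keeping i_mmap_assert_write_locked() unconditional is the right call.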
@@ -6929,24 +6957,7 @@ out:
 int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
 		unsigned long addr, pte_t *ptep)
 {
-	unsigned long sz = huge_page_size(hstate_vma(vma));
-	struct mm_struct *mm = vma->vm_mm;
-	pgd_t *pgd = pgd_offset(mm, addr);
-	p4d_t *p4d = p4d_offset(pgd, addr);
-	pud_t *pud = pud_offset(p4d, addr);
-
-	if (sz != PMD_SIZE)
-		return 0;
-	if (!ptdesc_pmd_is_shared(virt_to_ptdesc(ptep)))
-		return 0;
-	i_mmap_assert_write_locked(vma->vm_file->f_mapping);
-	hugetlb_vma_assert_locked(vma);
-	pud_clear(pud);
-
-	tlb_unshare_pmd_ptdesc(tlb, virt_to_ptdesc(ptep), addr);
-
-	mm_dec_nr_pmds(mm);
-	return 1;
+	return __huge_pmd_unshare(tlb, vma, addr, ptep, /*check_locks=*/true);
 }
 
 /*
@@ -6980,6 +6991,13 @@ pte_t *huge_pmd_share(struct mm_struct *
 	return NULL;
 }
 
+static int __huge_pmd_unshare(struct mmu_gather *tlb,
+		struct vm_area_struct *vma, unsigned long addr, pte_t *ptep,
+		bool check_locks)
+{
+	return 0;
+}
+
 int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
 		unsigned long addr, pte_t *ptep)
 {
@@ -7277,7 +7295,7 @@ static void hugetlb_unshare_pmds(struct
 		if (!ptep)
 			continue;
 		ptl = huge_pte_lock(h, mm, ptep);
-		huge_pmd_unshare(&tlb, vma, address, ptep);
+		__huge_pmd_unshare(&tlb, vma, address, ptep, take_locks);
 		spin_unlock(ptl);
 	}
 	huge_pmd_unshare_flush(&tlb, vma);
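Review bot: Passing take_locks straight through as check_locks in the __huge_pmd_unshare() call reads as a naming mismatch: one says whether this function takes the locks, the other whether the callee asserts them. The wrapper already uses `/*check_locks=*/true`; do the same here with `/*check_locks=*/take_locks`, or add a one-line comment that take_locks == false means the hugetlb VMA lock is not held at this point.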



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 387/522] spi: spi-ti-qspi: switch to use modern name
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (385 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 386/522] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 388/522] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 9d93c8d97b4cdb5edddb4c5530881c90eecb7e44 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-16-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0c18a1bacbb1 ("spi: ti-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   88 +++++++++++++++++++++++-----------------------
 1 file changed, 44 insertions(+), 44 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -41,7 +41,7 @@ struct ti_qspi {
 	/* list synchronization */
 	struct mutex            list_lock;
 
-	struct spi_master	*master;
+	struct spi_controller	*host;
 	void __iomem            *base;
 	void __iomem            *mmap_base;
 	size_t			mmap_size;
@@ -138,20 +138,20 @@ static inline void ti_qspi_write(struct
 
 static int ti_qspi_setup(struct spi_device *spi)
 {
-	struct ti_qspi	*qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi	*qspi = spi_controller_get_devdata(spi->controller);
 	int ret;
 
-	if (spi->master->busy) {
-		dev_dbg(qspi->dev, "master busy doing other transfers\n");
+	if (spi->controller->busy) {
+		dev_dbg(qspi->dev, "host busy doing other transfers\n");
 		return -EBUSY;
 	}
 
-	if (!qspi->master->max_speed_hz) {
+	if (!qspi->host->max_speed_hz) {
 		dev_err(qspi->dev, "spi max frequency not defined\n");
 		return -EINVAL;
 	}
 
-	spi->max_speed_hz = min(spi->max_speed_hz, qspi->master->max_speed_hz);
+	spi->max_speed_hz = min(spi->max_speed_hz, qspi->host->max_speed_hz);
 
 	ret = pm_runtime_resume_and_get(qspi->dev);
 	if (ret < 0) {
@@ -527,7 +527,7 @@ static int ti_qspi_dma_xfer_sg(struct ti
 
 static void ti_qspi_enable_memory_map(struct spi_device *spi)
 {
-	struct ti_qspi  *qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi  *qspi = spi_controller_get_devdata(spi->controller);
 
 	ti_qspi_write(qspi, MM_SWITCH, QSPI_SPI_SWITCH_REG);
 	if (qspi->ctrl_base) {
@@ -541,7 +541,7 @@ static void ti_qspi_enable_memory_map(st
 
 static void ti_qspi_disable_memory_map(struct spi_device *spi)
 {
-	struct ti_qspi  *qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi  *qspi = spi_controller_get_devdata(spi->controller);
 
 	ti_qspi_write(qspi, 0, QSPI_SPI_SWITCH_REG);
 	if (qspi->ctrl_base)
@@ -555,7 +555,7 @@ static void ti_qspi_setup_mmap_read(stru
 				    u8 data_nbits, u8 addr_width,
 				    u8 dummy_bytes)
 {
-	struct ti_qspi  *qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi  *qspi = spi_controller_get_devdata(spi->controller);
 	u32 memval = opcode;
 
 	switch (data_nbits) {
@@ -577,7 +577,7 @@ static void ti_qspi_setup_mmap_read(stru
 
 static int ti_qspi_adjust_op_size(struct spi_mem *mem, struct spi_mem_op *op)
 {
-	struct ti_qspi *qspi = spi_controller_get_devdata(mem->spi->master);
+	struct ti_qspi *qspi = spi_controller_get_devdata(mem->spi->controller);
 	size_t max_len;
 
 	if (op->data.dir == SPI_MEM_DATA_IN) {
@@ -607,7 +607,7 @@ static int ti_qspi_adjust_op_size(struct
 static int ti_qspi_exec_mem_op(struct spi_mem *mem,
 			       const struct spi_mem_op *op)
 {
-	struct ti_qspi *qspi = spi_master_get_devdata(mem->spi->master);
+	struct ti_qspi *qspi = spi_controller_get_devdata(mem->spi->controller);
 	u32 from = 0;
 	int ret = 0;
 
@@ -634,10 +634,10 @@ static int ti_qspi_exec_mem_op(struct sp
 		struct sg_table sgt;
 
 		if (virt_addr_valid(op->data.buf.in) &&
-		    !spi_controller_dma_map_mem_op_data(mem->spi->master, op,
+		    !spi_controller_dma_map_mem_op_data(mem->spi->controller, op,
 							&sgt)) {
 			ret = ti_qspi_dma_xfer_sg(qspi, sgt, from);
-			spi_controller_dma_unmap_mem_op_data(mem->spi->master,
+			spi_controller_dma_unmap_mem_op_data(mem->spi->controller,
 							     op, &sgt);
 		} else {
 			ret = ti_qspi_dma_bounce_buffer(qspi, from,
@@ -659,10 +659,10 @@ static const struct spi_controller_mem_o
 	.adjust_op_size = ti_qspi_adjust_op_size,
 };
 
-static int ti_qspi_start_transfer_one(struct spi_master *master,
+static int ti_qspi_start_transfer_one(struct spi_controller *host,
 		struct spi_message *m)
 {
-	struct ti_qspi *qspi = spi_master_get_devdata(master);
+	struct ti_qspi *qspi = spi_controller_get_devdata(host);
 	struct spi_device *spi = m->spi;
 	struct spi_transfer *t;
 	int status = 0, ret;
@@ -721,7 +721,7 @@ static int ti_qspi_start_transfer_one(st
 
 	ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
 	m->status = status;
-	spi_finalize_current_message(master);
+	spi_finalize_current_message(host);
 
 	return status;
 }
@@ -757,33 +757,33 @@ MODULE_DEVICE_TABLE(of, ti_qspi_match);
 static int ti_qspi_probe(struct platform_device *pdev)
 {
 	struct  ti_qspi *qspi;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct resource         *r, *res_mmap;
 	struct device_node *np = pdev->dev.of_node;
 	u32 max_freq;
 	int ret = 0, num_cs, irq;
 	dma_cap_mask_t mask;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*qspi));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*qspi));
+	if (!host)
 		return -ENOMEM;
 
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_RX_DUAL | SPI_RX_QUAD;
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_RX_DUAL | SPI_RX_QUAD;
 
-	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
-	master->setup = ti_qspi_setup;
-	master->auto_runtime_pm = true;
-	master->transfer_one_message = ti_qspi_start_transfer_one;
-	master->dev.of_node = pdev->dev.of_node;
-	master->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(16) |
-				     SPI_BPW_MASK(8);
-	master->mem_ops = &ti_qspi_mem_ops;
+	host->flags = SPI_CONTROLLER_HALF_DUPLEX;
+	host->setup = ti_qspi_setup;
+	host->auto_runtime_pm = true;
+	host->transfer_one_message = ti_qspi_start_transfer_one;
+	host->dev.of_node = pdev->dev.of_node;
+	host->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(16) |
+				   SPI_BPW_MASK(8);
+	host->mem_ops = &ti_qspi_mem_ops;
 
 	if (!of_property_read_u32(np, "num-cs", &num_cs))
-		master->num_chipselect = num_cs;
+		host->num_chipselect = num_cs;
 
-	qspi = spi_master_get_devdata(master);
-	qspi->master = master;
+	qspi = spi_controller_get_devdata(host);
+	qspi->host = host;
 	qspi->dev = &pdev->dev;
 	platform_set_drvdata(pdev, qspi);
 
@@ -793,7 +793,7 @@ static int ti_qspi_probe(struct platform
 		if (r == NULL) {
 			dev_err(&pdev->dev, "missing platform data\n");
 			ret = -ENODEV;
-			goto free_master;
+			goto free_host;
 		}
 	}
 
@@ -813,7 +813,7 @@ static int ti_qspi_probe(struct platform
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = irq;
-		goto free_master;
+		goto free_host;
 	}
 
 	mutex_init(&qspi->list_lock);
@@ -821,7 +821,7 @@ static int ti_qspi_probe(struct platform
 	qspi->base = devm_ioremap_resource(&pdev->dev, r);
 	if (IS_ERR(qspi->base)) {
 		ret = PTR_ERR(qspi->base);
-		goto free_master;
+		goto free_host;
 	}
 
 
@@ -831,7 +831,7 @@ static int ti_qspi_probe(struct platform
 						"syscon-chipselects");
 		if (IS_ERR(qspi->ctrl_base)) {
 			ret = PTR_ERR(qspi->ctrl_base);
-			goto free_master;
+			goto free_host;
 		}
 		ret = of_property_read_u32_index(np,
 						 "syscon-chipselects",
@@ -839,7 +839,7 @@ static int ti_qspi_probe(struct platform
 		if (ret) {
 			dev_err(&pdev->dev,
 				"couldn't get ctrl_mod reg index\n");
-			goto free_master;
+			goto free_host;
 		}
 	}
 
@@ -854,7 +854,7 @@ static int ti_qspi_probe(struct platform
 	pm_runtime_enable(&pdev->dev);
 
 	if (!of_property_read_u32(np, "spi-max-frequency", &max_freq))
-		master->max_speed_hz = max_freq;
+		host->max_speed_hz = max_freq;
 
 	dma_cap_zero(mask);
 	dma_cap_set(DMA_MEMCPY, mask);
@@ -878,7 +878,7 @@ static int ti_qspi_probe(struct platform
 		qspi->rx_chan = NULL;
 		goto no_dma;
 	}
-	master->dma_rx = qspi->rx_chan;
+	host->dma_rx = qspi->rx_chan;
 	init_completion(&qspi->transfer_complete);
 	if (res_mmap)
 		qspi->mmap_phys_base = (dma_addr_t)res_mmap->start;
@@ -891,21 +891,21 @@ no_dma:
 				 "mmap failed with error %ld using PIO mode\n",
 				 PTR_ERR(qspi->mmap_base));
 			qspi->mmap_base = NULL;
-			master->mem_ops = NULL;
+			host->mem_ops = NULL;
 		}
 	}
 	qspi->mmap_enabled = false;
 	qspi->current_cs = -1;
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (!ret)
 		return 0;
 
 	ti_qspi_dma_cleanup(qspi);
 
 	pm_runtime_disable(&pdev->dev);
-free_master:
-	spi_master_put(master);
+free_host:
+	spi_controller_put(host);
 	return ret;
 }
 
@@ -914,9 +914,9 @@ static void ti_qspi_remove(struct platfo
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
 	int rc;
 
-	rc = spi_master_suspend(qspi->master);
+	rc = spi_controller_suspend(qspi->host);
 	if (rc) {
-		dev_alert(&pdev->dev, "spi_master_suspend() failed (%pe)\n",
+		dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n",
 			  ERR_PTR(rc));
 		return;
 	}
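Review bot: The dev_alert() string changes from "spi_master_suspend() failed" to "spi_controller_suspend() failed" here, and the dev_dbg() in ti_qspi_setup() changes from "master busy" to "host busy", so the change is not strictly free of functional effect for anyone matching on kernel log text. The changelog should mention the message changes.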



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 304/378] mm/hugetlb: restore reservation on error in hugetlb folio copy paths
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (302 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 303/378] mm/hugetlb: avoid false positive lockdep assertion Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 305/378] mm/list_lru: drain before clearing xarray entry on reparent Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Muchun Song,
	David Hildenbrand, Mina Almasry, Oscar Salvador, yuehaibing,
	Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 40c81856e622a9dc59294a90d169ac07ea25b0b0 upstream.

Two sites in mm/hugetlb.c allocate a hugetlb folio via
alloc_hugetlb_folio() (consuming a VMA reservation) and then call
copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c
("mm: hwpoison: support recovery from HugePage copy-on-write faults") and
can now fail (e.g.  -EHWPOISON on a hwpoisoned source page).  On the
failure path, folio_put() restores the global hugetlb pool count through
free_huge_folio(), but the per-VMA reservation map entry is left marked
consumed:

  - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
  - copy_hugetlb_page_range() fork-time CoW path when
    hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon
    folio under fork)

User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the
resubmission copy fails, the reservation for that address is leaked from
the VMA's reserve map.  A subsequent fault at the same address takes the
no-reservation path, and under hugetlb pool pressure the task is SIGBUSed
at an address it had previously reserved.  The fork-time CoW path leaks
the same way in the child VMA's reserve map, though it requires the much
rarer combination of pinned hugetlb anon page + hwpoisoned source.

Add the missing restore_reserve_on_error() call before folio_put() on both
error paths.

Link: https://lore.kernel.org/20260520044912.6751-1-devnexen@gmail.com
Fixes: 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Mina Almasry <almasrymina@google.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: yuehaibing <yuehaibing@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4996,6 +4996,7 @@ again:
 							    addr, dst_vma);
 				folio_put(pte_folio);
 				if (ret) {
+					restore_reserve_on_error(h, dst_vma, addr, new_folio);
 					folio_put(new_folio);
 					break;
 				}
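Review bot: the new restore_reserve_on_error(h, dst_vma, addr, new_folio) call in the `if (ret)` branch has to stay ahead of folio_put(new_folio), but nothing in the code says so. A one-line comment stating that the reservation is restored while new_folio is still held would keep a later cleanup from reordering the two calls.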
@@ -6292,6 +6293,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_
 		folio_put(*foliop);
 		*foliop = NULL;
 		if (ret) {
+			restore_reserve_on_error(h, dst_vma, dst_addr, folio);
 			folio_put(folio);
 			goto out;
 		}
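Review bot: the restore_reserve_on_error() plus folio_put() pair in this `if (ret)` branch of hugetlb_mfill_atomic_pte() duplicates the pair added in the first hunk. Consider a small helper for the two calls so the copy-failure paths cannot drift apart again, and confirm that `h` matches dst_vma here, since its definition is outside the hunk.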




* [PATCH 6.1 388/522] spi: ti-qspi: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (386 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 387/522] spi: spi-ti-qspi: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 389/522] spi: zynq-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
	Johan Hovold, Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Note that the controller is suspended before disabling and releasing
resources since commit 3ac066e2227c ("spi: spi-ti-qspi: Suspend the
queue before removing the device") which avoids issues like unclocked
accesses but prevents SPI device drivers from doing I/O during
deregistration.

Fixes: 3b3a80019ff1 ("spi: ti-qspi: one only one interrupt handler")
Cc: stable@vger.kernel.org	# 3.13
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-24-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -897,7 +897,7 @@ no_dma:
 	qspi->mmap_enabled = false;
 	qspi->current_cs = -1;
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (!ret)
 		return 0;
 
@@ -912,19 +912,17 @@ free_host:
 static void ti_qspi_remove(struct platform_device *pdev)
 {
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
-	int rc;
 
-	rc = spi_controller_suspend(qspi->host);
-	if (rc) {
-		dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n",
-			  ERR_PTR(rc));
-		return;
-	}
+	spi_controller_get(qspi->host);
+
+	spi_unregister_controller(qspi->host);
 
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
 	ti_qspi_dma_cleanup(qspi);
+
+	spi_controller_put(qspi->host);
 }
 
 static const struct dev_pm_ops ti_qspi_pm_ops = {
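Review bot: the spi_controller_get()/spi_controller_put() pair around the teardown in ti_qspi_remove() is unexplained. qspi is still passed to ti_qspi_dma_cleanup() after spi_unregister_controller(qspi->host), so a comment saying the extra reference keeps qspi->host valid until the final spi_controller_put() would make the ordering clear. The changelog could also state outright that the dropped spi_controller_suspend() call is no longer needed once the controller is unregistered first.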




* [PATCH 7.0 305/378] mm/list_lru: drain before clearing xarray entry on reparent
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (303 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 304/378] mm/hugetlb: restore reservation on error in hugetlb folio copy paths Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 307/378] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shakeel Butt, Chris Mason,
	Kairui Song, Muchun Song, Dave Chinner, Johannes Weiner,
	Roman Gushchin, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shakeel Butt <shakeel.butt@linux.dev>

commit 98733f3f0becb1ae0701d021c1748e974e5fa55c upstream.

memcg_reparent_list_lrus() clears the dying memcg's xarray entry with
xas_store(&xas, NULL) before reparenting its per-node lists into the
parent.  This opens a window where a concurrent list_lru_del() arriving
for the dying memcg sees xa_load() == NULL, walks to the parent in
lock_list_lru_of_memcg(), takes the parent's per-node lock, and calls
list_del_init() on an item still physically linked on the dying memcg's
list.

If another in-flight thread holds the dying memcg's per-node lock at the
same moment (another list_lru_del, or a list_lru_walk_one running an
isolate callback), both threads modify ->next/->prev pointers on the same
physical list under different locks.  Adjacent items can corrupt each
other's links.

Fix it by reversing the order: reparent each per-node list and mark the
child's list lru dead and then clear the xarray entry.  Any concurrent
list_lru op that finds the still-set xarray entry either takes the dying
memcg's per-node lock (synchronizing with the drain) or sees LONG_MIN and
walks to the parent, where the items now live.

Link: https://lore.kernel.org/20260601161501.1444829-1-shakeel.butt@linux.dev
Fixes: fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope")
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Reported-by: Chris Mason <clm@fb.com>
Reviewed-by: Kairui Song <kasong@tencent.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/list_lru.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -472,26 +472,29 @@ void memcg_reparent_list_lrus(struct mem
 	mutex_lock(&list_lrus_mutex);
 	list_for_each_entry(lru, &memcg_list_lrus, list) {
 		struct list_lru_memcg *mlru;
-		XA_STATE(xas, &lru->xa, memcg->kmemcg_id);
 
 		/*
-		 * Lock the Xarray to ensure no on going list_lru_memcg
-		 * allocation and further allocation will see css_is_dying().
+		 * css_is_dying() check in memcg_list_lru_alloc() avoids
+		 * allocating a new mlru since CSS_DYING is already set for this
+		 * memcg a rcu grace period ago.
 		 */
-		xas_lock_irq(&xas);
-		mlru = xas_store(&xas, NULL);
-		xas_unlock_irq(&xas);
+		mlru = xa_load(&lru->xa, memcg->kmemcg_id);
 		if (!mlru)
 			continue;
 
 		/*
-		 * With Xarray value set to NULL, holding the lru lock below
-		 * prevents list_lru_{add,del,isolate} from touching the lru,
-		 * safe to reparent.
+		 * Reparent each per-node list and mark the child dead
+		 * (LONG_MIN) before clearing xarray entry otherwise a
+		 * concurrent list_lru_del() may corrupt the list if it arrives
+		 * after xarray clear but before reparenting as
+		 * lock_list_lru_of_memcg will acquire parent's lock while the
+		 * item is still on child's list.
 		 */
 		for_each_node(i)
 			memcg_reparent_list_lru_one(lru, i, &mlru->node[i], parent);
 
+		xa_erase_irq(&lru->xa, memcg->kmemcg_id);
+
 		/*
 		 * Here all list_lrus corresponding to the cgroup are guaranteed
 		 * to remain empty, we can safely free this lru, any further
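Review bot: the lookup is now a plain xa_load() with no xarray lock held, and the new comment justifies that only by CSS_DYING having been set "a rcu grace period ago". Name the place where that grace period is guaranteed before memcg_reparent_list_lrus() runs, so the claim that memcg_list_lru_alloc() cannot install a new mlru is checkable. "a rcu" should also read "an RCU".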




* [PATCH 6.1 389/522] spi: zynq-qspi: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (387 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 388/522] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 390/522] spi: spi-zynq: Do not check for 0 return after calling platform_get_irq() Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit ae9084b6458d34ebf3e377d0407ebe513e41ac71 ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230303172041.2103336-87-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -750,7 +750,7 @@ remove_master:
  *
  * Return:	0 on success and error value on failure
  */
-static int zynq_qspi_remove(struct platform_device *pdev)
+static void zynq_qspi_remove(struct platform_device *pdev)
 {
 	struct zynq_qspi *xqspi = platform_get_drvdata(pdev);
 
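Review bot: the kernel-doc context line ` * Return:	0 on success and error value on failure` directly above zynq_qspi_remove() is left in place although the function now returns void. Drop the Return: section in the same change.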
@@ -758,8 +758,6 @@ static int zynq_qspi_remove(struct platf
 
 	clk_disable_unprepare(xqspi->refclk);
 	clk_disable_unprepare(xqspi->pclk);
-
-	return 0;
 }
 
 static const struct of_device_id zynq_qspi_of_match[] = {
@@ -774,7 +772,7 @@ MODULE_DEVICE_TABLE(of, zynq_qspi_of_mat
  */
 static struct platform_driver zynq_qspi_driver = {
 	.probe = zynq_qspi_probe,
-	.remove = zynq_qspi_remove,
+	.remove_new = zynq_qspi_remove,
 	.driver = {
 		.name = "zynq-qspi",
 		.of_match_table = zynq_qspi_of_match,




* [PATCH 7.0 306/378] mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
@ 2026-06-16 14:58     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Usama Arif, Pedro Falcato,
	Kairui Song, Lorenzo Stoakes, Johannes Weiner, Baoquan He,
	Chris Li, Jann Horn, Liam R. Howlett, Rik van Riel, Shakeel Butt,
	Vlastimil Babka, Andrew Morton

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Usama Arif <usama.arif@linux.dev>

commit 0c25b8734367574e21aeb8468c2e522713134da7 upstream.

mincore_swap() also fields migration/hwpoison entries (and shmem
swapin-error entries), which can exist on !CONFIG_SWAP builds when
CONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled.  The
!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,
so mincore_pte_range() can spuriously WARN and report these pages
nonresident on !CONFIG_SWAP kernels.

Move the guard below the non-swap-entry check so only true swap entries
trip the WARN, and migration/hwpoison entries take the existing "uptodate
/ non-shmem" path.

Link: https://lore.kernel.org/20260602172247.279421-1-usama.arif@linux.dev
Fixes: 1f2052755c15 ("mm/mincore: use a helper for checking the swap cache")
Signed-off-by: Usama Arif <usama.arif@linux.dev>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Kairui Song <kasong@tencent.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Baoquan He <baoquan.he@linux.dev>
Cc: Chris Li <chrisl@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/mincore.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -64,11 +64,6 @@ static unsigned char mincore_swap(swp_en
 	struct folio *folio = NULL;
 	unsigned char present = 0;
 
-	if (!IS_ENABLED(CONFIG_SWAP)) {
-		WARN_ON(1);
-		return 0;
-	}
-
 	/*
 	 * Shmem mapping may contain swapin error entries, which are
 	 * absent. Page table may contain migration or hwpoison
@@ -77,6 +72,11 @@ static unsigned char mincore_swap(swp_en
 	if (!softleaf_is_swap(entry))
 		return !shmem;
 
+	if (!IS_ENABLED(CONFIG_SWAP)) {
+		WARN_ON(1);
+		return 0;
+	}
+
 	/*
 	 * Shmem mapping lookup is lockless, so we need to grab the swap
 	 * device. mincore page table walk locks the PTL, and the swap
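Review bot: the relocated guard still uses WARN_ON(1), and mincore_swap() is called from the mincore page table walk, so if a true swap entry ever appears on a !CONFIG_SWAP kernel the warning fires again for every such entry. WARN_ON_ONCE(1) would report the unexpected state once without flooding the log.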




* [PATCH 6.1 390/522] spi: spi-zynq: Do not check for 0 return after calling platform_get_irq()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (388 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 389/522] spi: zynq-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 391/522] spi: zynq-qspi: switch to use modern name Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ruan Jinjie, Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruan Jinjie <ruanjinjie@huawei.com>

[ Upstream commit 3182d49aad5f1cd8acdcf7de0c5b651772edd32e ]

It is not possible for platform_get_irq() to return 0. Use the
return value from platform_get_irq().

Signed-off-by: Ruan Jinjie <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/20230802094357.981100-1-ruanjinjie@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c    |    4 ++--
 drivers/spi/spi-zynqmp-gqspi.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -688,8 +688,8 @@ static int zynq_qspi_probe(struct platfo
 	}
 
 	xqspi->irq = platform_get_irq(pdev, 0);
-	if (xqspi->irq <= 0) {
-		ret = -ENXIO;
+	if (xqspi->irq < 0) {
+		ret = xqspi->irq;
 		goto clk_dis_all;
 	}
 	ret = devm_request_irq(&pdev->dev, xqspi->irq, zynq_qspi_irq,
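Review bot: besides dropping the zero case, `ret = xqspi->irq;` changes the probe error from a fixed -ENXIO to whatever platform_get_irq() returned, which the changelog does not mention. Say so in the commit message, since the error reported for a failed probe changes on this path in both drivers.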
--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -1164,8 +1164,8 @@ static int zynqmp_qspi_probe(struct plat
 	zynqmp_qspi_init_hw(xqspi);
 
 	xqspi->irq = platform_get_irq(pdev, 0);
-	if (xqspi->irq <= 0) {
-		ret = -ENXIO;
+	if (xqspi->irq < 0) {
+		ret = xqspi->irq;
 		goto clk_dis_all;
 	}
 	ret = devm_request_irq(&pdev->dev, xqspi->irq, zynqmp_qspi_irq,




* [PATCH 7.0 307/378] mmc: core: Fix host controller programming for fixed driver type
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (304 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 305/378] mm/list_lru: drain before clearing xarray entry on reparent Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 7.0 308/378] mmc: dw_mmc-rockchip: Add missing private data for very old controllers Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Shawn Lin, Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kamal Dasu <kamal.dasu@broadcom.com>

commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream.

When using the fixed-emmc-driver-type device tree property, the MMC core
correctly selects the driver strength for the card but fails to program
the host controller accordingly. This causes a mismatch where the card
uses the specified driver type while the host controller defaults to
Type B (since ios->drv_type remains zero).

Split the driver type programming logic to handle both fixed and dynamic
driver type selection paths. For fixed driver types, program the host
controller with the selected drive_strength value. For dynamic selection,
use the existing drv_type as before.

This ensures both the eMMC device and host controller use matching driver
strengths, preventing potential signal integrity issues.

Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type")
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/mmc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1371,7 +1371,9 @@ static void mmc_select_driver_type(struc
 
 	card->drive_strength = drive_strength;
 
-	if (drv_type)
+	if (fixed_drv_type >= 0 && drive_strength)
+		mmc_set_driver_type(card->host, drive_strength);
+	else if (drv_type)
 		mmc_set_driver_type(card->host, drv_type);
 }
 
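Review bot: in the new condition `fixed_drv_type >= 0 && drive_strength`, a fixed driver type that ends up with drive_strength == 0 falls through to `else if (drv_type)`. Confirm that drv_type is always zero on the fixed path (its assignment is outside the hunk), or nest the check under `if (fixed_drv_type >= 0)` so the fixed and dynamic paths cannot mix.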




* [PATCH 6.1 391/522] spi: zynq-qspi: switch to use modern name
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (389 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 390/522] spi: spi-zynq: Do not check for 0 return after calling platform_get_irq() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:58 ` [PATCH 6.1 392/522] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 178ebb0c505b0a35edb4fb2a0e23a1f29e1db14d ]

Change legacy name master/slave to modern name host/target or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-24-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |   28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -54,10 +54,10 @@
 #define ZYNQ_QSPI_CONFIG_MSTREN_MASK	BIT(0) /* Master Mode */
 
 /*
- * QSPI Configuration Register - Baud rate and slave select
+ * QSPI Configuration Register - Baud rate and target select
  *
  * These are the values used in the calculation of baud rate divisor and
- * setting the slave select.
+ * setting the target select.
  */
 #define ZYNQ_QSPI_CONFIG_BAUD_DIV_MAX	GENMASK(2, 0) /* Baud rate maximum */
 #define ZYNQ_QSPI_CONFIG_BAUD_DIV_SHIFT	3 /* Baud rate divisor shift */
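Review bot: the comment block is renamed to "target select", but the context line `#define ZYNQ_QSPI_CONFIG_MSTREN_MASK	BIT(0) /* Master Mode */` directly above keeps the old wording, while a later hunk changes "Master mode" to "Host mode". Either update that comment too or note in the changelog that register-level names are intentionally left alone.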
@@ -164,14 +164,14 @@ static inline void zynq_qspi_write(struc
  *
  * The default settings of the QSPI controller's configurable parameters on
  * reset are
- *	- Master mode
+ *	- Host mode
  *	- Baud rate divisor is set to 2
  *	- Tx threshold set to 1l Rx threshold set to 32
  *	- Flash memory interface mode enabled
  *	- Size of the word to be transferred as 8 bit
  * This function performs the following actions
  *	- Disable and clear all the interrupts
- *	- Enable manual slave select
+ *	- Enable manual target select
  *	- Enable manual start
  *	- Deselect all the chip select lines
  *	- Set the size of the word to be transferred as 32 bit
@@ -289,7 +289,7 @@ static void zynq_qspi_txfifo_op(struct z
  */
 static void zynq_qspi_chipselect(struct spi_device *spi, bool assert)
 {
-	struct spi_controller *ctlr = spi->master;
+	struct spi_controller *ctlr = spi->controller;
 	struct zynq_qspi *xqspi = spi_controller_get_devdata(ctlr);
 	u32 config_reg;
 
@@ -377,7 +377,7 @@ static int zynq_qspi_config_op(struct zy
  */
 static int zynq_qspi_setup_op(struct spi_device *spi)
 {
-	struct spi_controller *ctlr = spi->master;
+	struct spi_controller *ctlr = spi->controller;
 	struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr);
 	int ret;
 
@@ -534,7 +534,7 @@ static irqreturn_t zynq_qspi_irq(int irq
 static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
 				 const struct spi_mem_op *op)
 {
-	struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
+	struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->controller);
 	int err = 0, i;
 	u8 *tmpbuf;
 
@@ -646,7 +646,7 @@ static int zynq_qspi_probe(struct platfo
 	struct zynq_qspi *xqspi;
 	u32 num_cs;
 
-	ctlr = spi_alloc_master(&pdev->dev, sizeof(*xqspi));
+	ctlr = spi_alloc_host(&pdev->dev, sizeof(*xqspi));
 	if (!ctlr)
 		return -ENOMEM;
 
@@ -656,14 +656,14 @@ static int zynq_qspi_probe(struct platfo
 	xqspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(xqspi->regs)) {
 		ret = PTR_ERR(xqspi->regs);
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	xqspi->pclk = devm_clk_get(&pdev->dev, "pclk");
 	if (IS_ERR(xqspi->pclk)) {
 		dev_err(&pdev->dev, "pclk clock not found.\n");
 		ret = PTR_ERR(xqspi->pclk);
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	init_completion(&xqspi->data_completion);
@@ -672,13 +672,13 @@ static int zynq_qspi_probe(struct platfo
 	if (IS_ERR(xqspi->refclk)) {
 		dev_err(&pdev->dev, "ref_clk clock not found.\n");
 		ret = PTR_ERR(xqspi->refclk);
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	ret = clk_prepare_enable(xqspi->pclk);
 	if (ret) {
 		dev_err(&pdev->dev, "Unable to enable APB clock.\n");
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	ret = clk_prepare_enable(xqspi->refclk);
@@ -724,7 +724,7 @@ static int zynq_qspi_probe(struct platfo
 
 	ret = devm_spi_register_controller(&pdev->dev, ctlr);
 	if (ret) {
-		dev_err(&pdev->dev, "spi_register_master failed\n");
+		dev_err(&pdev->dev, "devm_spi_register_controller failed\n");
 		goto clk_dis_all;
 	}
 
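Review bot: the updated message "devm_spi_register_controller failed\n" still omits the error value held in ret. Since the string is being touched anyway, printing ret, or switching to dev_err_probe(), would make the failure diagnosable from the log.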
@@ -734,7 +734,7 @@ clk_dis_all:
 	clk_disable_unprepare(xqspi->refclk);
 clk_dis_pclk:
 	clk_disable_unprepare(xqspi->pclk);
-remove_master:
+remove_ctlr:
 	spi_controller_put(ctlr);
 
 	return ret;




* [PATCH 7.0 308/378] mmc: dw_mmc-rockchip: Add missing private data for very old controllers
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (305 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 307/378] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 309/378] mmc: litex_mmc: Set mandatory idle clocks before CMD0 Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Stuebner, Shawn Lin,
	Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Stuebner <heiko@sntech.de>

commit 1e9a4850afa0ceb63984fb1a9f3e86d0fc4fd18f upstream.

The really old controllers (rk2928, rk3066, rk3188) do not support UHS
speeds at all, and thus never handled phase data.

For that reason it never had a parse_dt callback and no driver private
data at all.

Commit ff6f0286c896 ("mmc: dw_mmc-rockchip: Add memory clock auto-gating
support") makes the private data sort of mandatory, because the init
function checks whether phases are configured internally or through the
clock controller.

This results in the old SoCs then experiencing NULL-pointer dereferences
when they try to access that private-data struct.

While we could have if (priv) conditionals in all places, it's way less
cluttery to just give the old types their private-data struct.

Fixes: ff6f0286c896 ("mmc: dw_mmc-rockchip: Add memory clock auto-gating support")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/dw_mmc-rockchip.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -433,6 +433,22 @@ static int dw_mci_common_parse_dt(struct
 	return 0;
 }
 
+static int dw_mci_rk2928_parse_dt(struct dw_mci *host)
+{
+	struct dw_mci_rockchip_priv_data *priv;
+	int err;
+
+	err = dw_mci_common_parse_dt(host);
+	if (err)
+		return err;
+
+	priv = host->priv;
+
+	priv->internal_phase = false;
+
+	return 0;
+}
+
 static int dw_mci_rk3288_parse_dt(struct dw_mci *host)
 {
 	struct dw_mci_rockchip_priv_data *priv;
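Review bot: dw_mci_rk2928_parse_dt() dereferences `priv = host->priv;` with no NULL check, relying on dw_mci_common_parse_dt() having set host->priv whenever it returns 0. That allocation is outside the hunk; since the bug being fixed is a NULL dereference of this same struct, add a comment stating the guarantee at the assignment.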
@@ -506,6 +522,7 @@ static int dw_mci_rockchip_init(struct d
 
 static const struct dw_mci_drv_data rk2928_drv_data = {
 	.init			= dw_mci_rockchip_init,
+	.parse_dt		= dw_mci_rk2928_parse_dt,
 };
 
 static const struct dw_mci_drv_data rk3288_drv_data = {




* [PATCH 6.1 392/522] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (390 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 391/522] spi: zynq-qspi: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 393/522] spi: zynq-qspi: fix controller deregistration Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pei Xiao, Michal Simek, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pei Xiao <xiaopei01@kylinos.cn>

[ Upstream commit 1f8fd9490e3184e9a2394df2e682901a1d57ce71 ]

Replace devm_clk_get() followed by clk_prepare_enable() with
devm_clk_get_enabled() for both "pclk" and "ref_clk". This removes
the need for explicit clock enable and disable calls, as the managed
API automatically disables the clocks on device removal or probe
failure.

Remove the now-unnecessary clk_disable_unprepare() calls from the
probe error paths and the remove callback. Simplify error handling
by jumping directly to the remove_ctlr label.

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Acked-by: Michal Simek <michal.simek@amd.com>
Link: https://patch.msgid.link/24043625f89376da36feca2408f990a85be7ab36.1775555500.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |   42 ++++++------------------------------------
 1 file changed, 6 insertions(+), 36 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -379,21 +379,10 @@ static int zynq_qspi_setup_op(struct spi
 {
 	struct spi_controller *ctlr = spi->controller;
 	struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr);
-	int ret;
 
 	if (ctlr->busy)
 		return -EBUSY;
 
-	ret = clk_enable(qspi->refclk);
-	if (ret)
-		return ret;
-
-	ret = clk_enable(qspi->pclk);
-	if (ret) {
-		clk_disable(qspi->refclk);
-		return ret;
-	}
-
 	zynq_qspi_write(qspi, ZYNQ_QSPI_ENABLE_OFFSET,
 			ZYNQ_QSPI_ENABLE_ENABLE_MASK);
 
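Review bot: the clk_enable(qspi->refclk) and clk_enable(qspi->pclk) calls removed from zynq_qspi_setup_op() are not covered by the changelog, which describes only the probe and remove paths. State in the commit message that setup no longer takes its own clock enable references and why that is safe once the clocks come from devm_clk_get_enabled().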
@@ -659,7 +648,7 @@ static int zynq_qspi_probe(struct platfo
 		goto remove_ctlr;
 	}
 
-	xqspi->pclk = devm_clk_get(&pdev->dev, "pclk");
+	xqspi->pclk = devm_clk_get_enabled(&pdev->dev, "pclk");
 	if (IS_ERR(xqspi->pclk)) {
 		dev_err(&pdev->dev, "pclk clock not found.\n");
 		ret = PTR_ERR(xqspi->pclk);
@@ -668,36 +657,24 @@ static int zynq_qspi_probe(struct platfo
 
 	init_completion(&xqspi->data_completion);
 
-	xqspi->refclk = devm_clk_get(&pdev->dev, "ref_clk");
+	xqspi->refclk = devm_clk_get_enabled(&pdev->dev, "ref_clk");
 	if (IS_ERR(xqspi->refclk)) {
 		dev_err(&pdev->dev, "ref_clk clock not found.\n");
 		ret = PTR_ERR(xqspi->refclk);
 		goto remove_ctlr;
 	}
 
-	ret = clk_prepare_enable(xqspi->pclk);
-	if (ret) {
-		dev_err(&pdev->dev, "Unable to enable APB clock.\n");
-		goto remove_ctlr;
-	}
-
-	ret = clk_prepare_enable(xqspi->refclk);
-	if (ret) {
-		dev_err(&pdev->dev, "Unable to enable device clock.\n");
-		goto clk_dis_pclk;
-	}
-
 	xqspi->irq = platform_get_irq(pdev, 0);
 	if (xqspi->irq < 0) {
 		ret = xqspi->irq;
-		goto clk_dis_all;
+		goto remove_ctlr;
 	}
 	ret = devm_request_irq(&pdev->dev, xqspi->irq, zynq_qspi_irq,
 			       0, pdev->name, xqspi);
 	if (ret != 0) {
 		ret = -ENXIO;
 		dev_err(&pdev->dev, "request_irq failed\n");
-		goto clk_dis_all;
+		goto remove_ctlr;
 	}
 
 	ret = of_property_read_u32(np, "num-cs",
@@ -707,7 +684,7 @@ static int zynq_qspi_probe(struct platfo
 	} else if (num_cs > ZYNQ_QSPI_MAX_NUM_CS) {
 		ret = -EINVAL;
 		dev_err(&pdev->dev, "only 2 chip selects are available\n");
-		goto clk_dis_all;
+		goto remove_ctlr;
 	} else {
 		ctlr->num_chipselect = num_cs;
 	}
@@ -725,15 +702,11 @@ static int zynq_qspi_probe(struct platfo
 	ret = devm_spi_register_controller(&pdev->dev, ctlr);
 	if (ret) {
 		dev_err(&pdev->dev, "devm_spi_register_controller failed\n");
-		goto clk_dis_all;
+		goto remove_ctlr;
 	}
 
 	return ret;
 
-clk_dis_all:
-	clk_disable_unprepare(xqspi->refclk);
-clk_dis_pclk:
-	clk_disable_unprepare(xqspi->pclk);
 remove_ctlr:
 	spi_controller_put(ctlr);
 
@@ -755,9 +728,6 @@ static void zynq_qspi_remove(struct plat
 	struct zynq_qspi *xqspi = platform_get_drvdata(pdev);
 
 	zynq_qspi_write(xqspi, ZYNQ_QSPI_ENABLE_OFFSET, 0);
-
-	clk_disable_unprepare(xqspi->refclk);
-	clk_disable_unprepare(xqspi->pclk);
 }
 
 static const struct of_device_id zynq_qspi_of_match[] = {
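
Review bot: in zynq_qspi_remove(), the write of 0 to ZYNQ_QSPI_ENABLE_OFFSET still runs while the controller is registered, because the devm_spi_register_controller() call kept in the probe hunk above only unregisters it after remove() returns. With the clk_disable_unprepare() calls gone, this function is reduced to that one write, so either add a comment stating that the ordering is a known issue or make sure this patch is queued together with the follow-up that switches to an explicit spi_unregister_controller().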




* [PATCH 7.0 309/378] mmc: litex_mmc: Set mandatory idle clocks before CMD0
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (306 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 7.0 308/378] mmc: dw_mmc-rockchip: Add missing private data for very old controllers Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 310/378] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Gabriel Somlo,
	Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Inochi Amaoto <inochiama@gmail.com>

commit 99982b743e5ba72bd1f5de0e03e3b96ae70b1e51 upstream.

The litex_mmc driver assumes the card is already probed in the BIOS
and skips the phy initialization. This will cause the command to fail
like the following when the old card is unplugged and a new card is
then inserted:

[   62.923593] litex-mmc f0004000.mmc: Command (cmd 8) error, status -110
[   62.949717] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
[   62.976606] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
[   63.002516] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
[   63.028442] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110

Add required clock settings and initialization for the CMD 0, so it can
probe the new card.

Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/litex_mmc.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/mmc/host/litex_mmc.c
+++ b/drivers/mmc/host/litex_mmc.c
@@ -69,6 +69,9 @@
 #define SD_SLEEP_US       5
 #define SD_TIMEOUT_US 20000
 
+#define SD_INIT_DELAY_US  1000
+#define SD_INIT_CLK_HZ    400000
+
 #define SDIRQ_CARD_DETECT    1
 #define SDIRQ_SD_TO_MEM_DONE 2
 #define SDIRQ_MEM_TO_SD_DONE 4
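
Review bot: SD_INIT_DELAY_US and SD_INIT_CLK_HZ are added without a comment tying them to the requirement they implement. At 400000 Hz, the 74 idle clocks mentioned in the next hunk take 185 us, so the 1000 us value has margin, but a reader cannot tell whether it was derived or measured; add a one-line comment above the two defines.
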
@@ -450,6 +453,17 @@ static void litex_mmc_set_ios(struct mmc
 	struct litex_mmc_host *host = mmc_priv(mmc);
 
 	/*
+	 * The SD specification requires at least 74 idle clocks before CMD0.
+	 * These dummy cycles is generated by writing LITEX_PHY_INITIALIZE.
+	 */
+	if (ios->chip_select == MMC_CS_HIGH) {
+		litex_mmc_setclk(host, SD_INIT_CLK_HZ);
+		litex_write8(host->sdphy + LITEX_PHY_INITIALIZE, 1);
+		fsleep(SD_INIT_DELAY_US);
+		return;
+	}
+
+	/*
 	 * NOTE: Ignore any ios->bus_width updates; they occur right after
 	 * the mmc core sends its own acmd6 bus-width change notification,
 	 * which is redundant since we snoop on the command flow and inject
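
Review bot: the new MMC_CS_HIGH branch in litex_mmc_set_ios() returns early, so whatever else the function does with the same ios is skipped and the clock stays at SD_INIT_CLK_HZ until the next set_ios call. If that is intended, say so in the comment, and explain why chip_select == MMC_CS_HIGH is the right signal that CMD0 is about to be sent. The comment also needs a grammar fix: "These dummy cycles is generated" should read "are generated".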




* [PATCH 6.1 393/522] spi: zynq-qspi: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (391 preceding siblings ...)
  2026-06-16 14:58 ` [PATCH 6.1 392/522] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 394/522] spi: sun6i: " Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naga Sureshkumar Relli, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit c9c012706c9fa8ca6d129a9161caf92ab625a3fd ]

Make sure to deregister the controller before disabling it during driver
unbind.

Note that clocks were also disabled before the recent commit
1f8fd9490e31 ("spi: zynq-qspi: Simplify clock handling with
devm_clk_get_enabled()").

Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
Cc: stable@vger.kernel.org	# 5.2: 8eb2fd00f65a
Cc: stable@vger.kernel.org	# 5.2
Cc: Naga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-27-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -641,7 +641,7 @@ static int zynq_qspi_probe(struct platfo
 
 	xqspi = spi_controller_get_devdata(ctlr);
 	xqspi->dev = dev;
-	platform_set_drvdata(pdev, xqspi);
+	platform_set_drvdata(pdev, ctlr);
 	xqspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(xqspi->regs)) {
 		ret = PTR_ERR(xqspi->regs);
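
Review bot: platform_set_drvdata() now stores ctlr instead of xqspi, which changes what every platform_get_drvdata() or dev_get_drvdata() caller receives. This patch converts zynq_qspi_remove() only; check that no other callback in the file still treats drvdata as struct zynq_qspi, since the compiler will not catch a void pointer mismatch.
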
@@ -699,9 +699,9 @@ static int zynq_qspi_probe(struct platfo
 	/* QSPI controller initializations */
 	zynq_qspi_init_hw(xqspi, ctlr->num_chipselect);
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret) {
-		dev_err(&pdev->dev, "devm_spi_register_controller failed\n");
+		dev_err(&pdev->dev, "failed to register controller\n");
 		goto remove_ctlr;
 	}
 
@@ -725,9 +725,16 @@ remove_ctlr:
  */
 static void zynq_qspi_remove(struct platform_device *pdev)
 {
-	struct zynq_qspi *xqspi = platform_get_drvdata(pdev);
+	struct spi_controller *ctlr = platform_get_drvdata(pdev);
+	struct zynq_qspi *xqspi = spi_controller_get_devdata(ctlr);
+
+	spi_controller_get(ctlr);
+
+	spi_unregister_controller(ctlr);
 
 	zynq_qspi_write(xqspi, ZYNQ_QSPI_ENABLE_OFFSET, 0);
+
+	spi_controller_put(ctlr);
 }
 
 static const struct of_device_id zynq_qspi_of_match[] = {
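
Review bot: the spi_controller_get()/spi_controller_put() pair added to zynq_qspi_remove() has no comment, and its purpose is not obvious from the code. It appears to keep ctlr, and with it the xqspi devdata, valid for the zynq_qspi_write() that follows spi_unregister_controller(). A one-line comment to that effect would stop a later cleanup from dropping the pair and leaving that write to touch freed memory on unbind.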




* [PATCH 7.0 310/378] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (307 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 309/378] mmc: litex_mmc: Set mandatory idle clocks before CMD0 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 311/378] mmc: sdhci-of-dwcmshc: Fix reset, clk, and SDIO support for Eswin EIC7700 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Wolfram Sang,
	Geert Uytterhoeven, Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 upstream.

The RZ/G2H (R8A774E1) SoC was previously handled via the generic
"renesas,rcar-gen3-sdhi" fallback compatible string. However, because
the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it
requires the specific quirks and configuration defined in
`of_r8a7795_compatible` rather than the generic Gen3 data.

Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly.
Note that the DT binding file renesas,sdhi.yaml does not need an update
as the entry for this SoC is already present.

Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/renesas_sdhi_internal_dmac.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
@@ -279,6 +279,7 @@ static const struct renesas_sdhi_of_data
 static const struct of_device_id renesas_sdhi_internal_dmac_of_match[] = {
 	{ .compatible = "renesas,sdhi-r7s9210", .data = &of_rza2_compatible, },
 	{ .compatible = "renesas,sdhi-mmc-r8a77470", .data = &of_rcar_gen3_compatible, },
+	{ .compatible = "renesas,sdhi-r8a774e1", .data = &of_r8a7795_compatible, },
 	{ .compatible = "renesas,sdhi-r8a7795", .data = &of_r8a7795_compatible, },
 	{ .compatible = "renesas,sdhi-r8a77961", .data = &of_r8a77961_compatible, },
 	{ .compatible = "renesas,sdhi-r8a77965", .data = &of_r8a77965_compatible, },




* [PATCH 6.1 394/522] spi: sun6i: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (392 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 393/522] spi: zynq-qspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 395/522] spi: s3c64xx: Use devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver")
Cc: stable@vger.kernel.org	# 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-20-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller APIs to spi_master equivalents and kept int return type for sun6i_spi_remove ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun6i.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -688,7 +688,7 @@ static int sun6i_spi_probe(struct platfo
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = spi_register_master(master);
 	if (ret) {
 		dev_err(&pdev->dev, "cannot register SPI master\n");
 		goto err_pm_disable;
@@ -714,12 +714,19 @@ static int sun6i_spi_remove(struct platf
 {
 	struct spi_master *master = platform_get_drvdata(pdev);
 
+	spi_master_get(master);
+
+	spi_unregister_master(master);
+
 	pm_runtime_force_suspend(&pdev->dev);
 
 	if (master->dma_tx)
 		dma_release_channel(master->dma_tx);
 	if (master->dma_rx)
 		dma_release_channel(master->dma_rx);
+
+	spi_master_put(master);
+
 	return 0;
 }
 




* [PATCH 7.0 311/378] mmc: sdhci-of-dwcmshc: Fix reset, clk, and SDIO support for Eswin EIC7700
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (308 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 310/378] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 312/378] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Huan He, Adrian Hunter, Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huan He <hehuan1@eswincomputing.com>

commit 8d4ae34e997062076a9098602eaca43353665bd9 upstream.

The EIC7700 code in sdhci-of-dwcmshc uses host->mmc->caps2 to select
different configuration paths for different card types. The current logic
distinguishes eMMC and SD, but does not handle SDIO separately.

Update the EIC7700 card-type checks so that eMMC, SD and SDIO are
distinguished explicitly.

Switch the reset path to dwcmshc_reset() so that pending interrupt state
is cleared consistently, and use sdhci_enable_clk() so the clock enable
sequence follows the standard SDHCI flow.

Fixes: 32b2633219d3 ("mmc: sdhci-of-dwcmshc: Add support for Eswin EIC7700")
Signed-off-by: Huan He <hehuan1@eswincomputing.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci-of-dwcmshc.c |   44 ++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
+++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
@@ -251,6 +251,7 @@
 #define PHY_DELAY_CODE_MAX		0x7f
 #define PHY_DELAY_CODE_EMMC		0x17
 #define PHY_DELAY_CODE_SD		0x55
+#define PHY_DELAY_CODE_SDIO		0x29
 
 enum dwcmshc_rk_type {
 	DWCMSHC_RK3568,
@@ -1273,10 +1274,7 @@ static void sdhci_eic7700_set_clock(stru
 	clk_set_rate(pltfm_host->clk, clock);
 
 	clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
-	clk |= SDHCI_CLOCK_INT_EN;
-	sdhci_writew(host, clk, SDHCI_CLOCK_CONTROL);
-
-	dwcmshc_enable_card_clk(host);
+	sdhci_enable_clk(host, clk);
 }
 
 static void sdhci_eic7700_config_phy_delay(struct sdhci_host *host, int delay)
@@ -1337,7 +1335,7 @@ static void sdhci_eic7700_config_phy(str
 
 static void sdhci_eic7700_reset(struct sdhci_host *host, u8 mask)
 {
-	sdhci_reset(host, mask);
+	dwcmshc_reset(host, mask);
 
 	/* after reset all, the phy's config will be clear */
 	if (mask == SDHCI_RESET_ALL)
@@ -1434,18 +1432,17 @@ static int sdhci_eic7700_phase_code_tuni
 {
 	struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
 	struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host);
-	u32 sd_caps = MMC_CAP2_NO_MMC | MMC_CAP2_NO_SDIO;
+	u32 emmc_caps = MMC_CAP2_NO_SD | MMC_CAP2_NO_SDIO;
 	int phase_code = -1;
 	int code_range = -1;
-	bool is_sd = false;
 	int code_min = -1;
 	int code_max = -1;
 	int cmd_error = 0;
+	bool is_emmc;
 	int ret = 0;
 	int i = 0;
 
-	if ((host->mmc->caps2 & sd_caps) == sd_caps)
-		is_sd = true;
+	is_emmc = (host->mmc->caps2 & emmc_caps) == emmc_caps;
 
 	for (i = 0; i <= MAX_PHASE_CODE; i++) {
 		/* Centered Phase code */
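
Review bot: the emmc_caps mask and the (host->mmc->caps2 & emmc_caps) == emmc_caps test are now open-coded in sdhci_eic7700_phase_code_tuning(), sdhci_eic7700_set_uhs_wrapper() and eic7700_init(). Since the whole fix is about classifying the card type consistently, factor the test into one small helper so the three sites cannot drift apart again.
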
@@ -1454,8 +1451,8 @@ static int sdhci_eic7700_phase_code_tuni
 		host->ops->reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
 
 		if (ret) {
-			/* SD specific range tracking */
-			if (is_sd && code_min != -1 && code_max != -1) {
+			/* SD/SDIO specific range tracking */
+			if (!is_emmc && code_min != -1 && code_max != -1) {
 				if (code_max - code_min > code_range) {
 					code_range = code_max - code_min;
 					phase_code = (code_min + code_max) / 2;
@@ -1466,17 +1463,17 @@ static int sdhci_eic7700_phase_code_tuni
 				code_max = -1;
 			}
 			/* EMMC breaks after first valid range */
-			if (!is_sd && code_min != -1 && code_max != -1)
+			if (is_emmc && code_min != -1 && code_max != -1)
 				break;
 		} else {
 			/* Track valid phase code range */
 			if (code_min == -1) {
 				code_min = i;
-				if (!is_sd)
+				if (is_emmc)
 					continue;
 			}
 			code_max = i;
-			if (is_sd && i == MAX_PHASE_CODE) {
+			if (!is_emmc && i == MAX_PHASE_CODE) {
 				if (code_max - code_min > code_range) {
 					code_range = code_max - code_min;
 					phase_code = (code_min + code_max) / 2;
@@ -1486,19 +1483,19 @@ static int sdhci_eic7700_phase_code_tuni
 	}
 
 	/* Handle tuning failure case */
-	if ((is_sd && phase_code == -1) ||
-	    (!is_sd && code_min == -1 && code_max == -1)) {
+	if ((!is_emmc && phase_code == -1) ||
+	    (is_emmc && code_min == -1 && code_max == -1)) {
 		pr_err("%s: phase code tuning failed!\n", mmc_hostname(host->mmc));
 		sdhci_writew(host, 0, priv->vendor_specific_area1 + DWCMSHC_AT_STAT);
 		return -EIO;
 	}
-	if (!is_sd)
+	if (is_emmc)
 		phase_code = (code_min + code_max) / 2;
 
 	sdhci_writew(host, phase_code, priv->vendor_specific_area1 + DWCMSHC_AT_STAT);
 
-	/* SD specific final verification */
-	if (is_sd) {
+	/* SD/SDIO specific final verification */
+	if (!is_emmc) {
 		ret = mmc_send_tuning(host->mmc, opcode, &cmd_error);
 		host->ops->reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
 		if (ret) {
@@ -1596,9 +1593,9 @@ static void sdhci_eic7700_set_uhs_signal
 
 static void sdhci_eic7700_set_uhs_wrapper(struct sdhci_host *host, unsigned int timing)
 {
-	u32 sd_caps = MMC_CAP2_NO_MMC | MMC_CAP2_NO_SDIO;
+	u32 emmc_caps = MMC_CAP2_NO_SD | MMC_CAP2_NO_SDIO;
 
-	if ((host->mmc->caps2 & sd_caps) == sd_caps)
+	if ((host->mmc->caps2 & emmc_caps) != emmc_caps)
 		sdhci_set_uhs_signaling(host, timing);
 	else
 		sdhci_eic7700_set_uhs_signaling(host, timing);
@@ -1607,6 +1604,7 @@ static void sdhci_eic7700_set_uhs_wrappe
 static int eic7700_init(struct device *dev, struct sdhci_host *host, struct dwcmshc_priv *dwc_priv)
 {
 	u32 emmc_caps = MMC_CAP2_NO_SD | MMC_CAP2_NO_SDIO;
+	u32 sd_caps = MMC_CAP2_NO_MMC | MMC_CAP2_NO_SDIO;
 	unsigned int val, hsp_int_status, hsp_pwr_ctrl;
 	static const char * const clk_ids[] = {"axi"};
 	struct of_phandle_args args;
@@ -1661,8 +1659,10 @@ static int eic7700_init(struct device *d
 
 	if ((host->mmc->caps2 & emmc_caps) == emmc_caps)
 		dwc_priv->delay_line = PHY_DELAY_CODE_EMMC;
-	else
+	else if ((host->mmc->caps2 & sd_caps) == sd_caps)
 		dwc_priv->delay_line = PHY_DELAY_CODE_SD;
+	else
+		dwc_priv->delay_line = PHY_DELAY_CODE_SDIO;
 
 	if (!of_property_read_u32(dev->of_node, "eswin,drive-impedance-ohms", &val))
 		priv->drive_impedance = eic7700_convert_drive_impedance_ohm(dev, val);
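
Review bot: the final else in eic7700_init() assigns PHY_DELAY_CODE_SDIO to every host that is neither eMMC-only nor SD-only, which includes a host with none of the MMC_CAP2_NO_* flags set, not just an SDIO-only one. Either test for MMC_CAP2_NO_SD | MMC_CAP2_NO_MMC explicitly and pick a documented default otherwise, or add a comment saying the fallthrough is deliberate.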




* [PATCH 6.1 395/522] spi: s3c64xx: Use devm_clk_get_enabled()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (393 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 394/522] spi: sun6i: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 396/522] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andi Shyti, Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andi Shyti <andi.shyti@kernel.org>

[ Upstream commit 20c475d21ed9326f7b1396c9bb8991b375cb6c50 ]

Replace the tuple devm_clk_get()/clk_prepare_enable() with the
single function devm_clk_get_enabled().

Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20230531205550.568340-1-andi.shyti@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 45daacbead8a ("spi: s3c64xx: fix NULL-deref on driver unbind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-s3c64xx.c |   39 +++++----------------------------------
 1 file changed, 5 insertions(+), 34 deletions(-)

--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1189,46 +1189,28 @@ static int s3c64xx_spi_probe(struct plat
 	}
 
 	/* Setup clocks */
-	sdd->clk = devm_clk_get(&pdev->dev, "spi");
+	sdd->clk = devm_clk_get_enabled(&pdev->dev, "spi");
 	if (IS_ERR(sdd->clk)) {
 		dev_err(&pdev->dev, "Unable to acquire clock 'spi'\n");
 		ret = PTR_ERR(sdd->clk);
 		goto err_deref_master;
 	}
 
-	ret = clk_prepare_enable(sdd->clk);
-	if (ret) {
-		dev_err(&pdev->dev, "Couldn't enable clock 'spi'\n");
-		goto err_deref_master;
-	}
-
 	sprintf(clk_name, "spi_busclk%d", sci->src_clk_nr);
-	sdd->src_clk = devm_clk_get(&pdev->dev, clk_name);
+	sdd->src_clk = devm_clk_get_enabled(&pdev->dev, clk_name);
 	if (IS_ERR(sdd->src_clk)) {
 		dev_err(&pdev->dev,
 			"Unable to acquire clock '%s'\n", clk_name);
 		ret = PTR_ERR(sdd->src_clk);
-		goto err_disable_clk;
-	}
-
-	ret = clk_prepare_enable(sdd->src_clk);
-	if (ret) {
-		dev_err(&pdev->dev, "Couldn't enable clock '%s'\n", clk_name);
-		goto err_disable_clk;
+		goto err_deref_master;
 	}
 
 	if (sdd->port_conf->clk_ioclk) {
-		sdd->ioclk = devm_clk_get(&pdev->dev, "spi_ioclk");
+		sdd->ioclk = devm_clk_get_enabled(&pdev->dev, "spi_ioclk");
 		if (IS_ERR(sdd->ioclk)) {
 			dev_err(&pdev->dev, "Unable to acquire 'ioclk'\n");
 			ret = PTR_ERR(sdd->ioclk);
-			goto err_disable_src_clk;
-		}
-
-		ret = clk_prepare_enable(sdd->ioclk);
-		if (ret) {
-			dev_err(&pdev->dev, "Couldn't enable clock 'ioclk'\n");
-			goto err_disable_src_clk;
+			goto err_deref_master;
 		}
 	}
 
@@ -1277,11 +1259,6 @@ err_pm_put:
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
 
-	clk_disable_unprepare(sdd->ioclk);
-err_disable_src_clk:
-	clk_disable_unprepare(sdd->src_clk);
-err_disable_clk:
-	clk_disable_unprepare(sdd->clk);
 err_deref_master:
 	spi_master_put(master);
 
@@ -1302,12 +1279,6 @@ static int s3c64xx_spi_remove(struct pla
 		dma_release_channel(sdd->tx_dma.ch);
 	}
 
-	clk_disable_unprepare(sdd->ioclk);
-
-	clk_disable_unprepare(sdd->src_clk);
-
-	clk_disable_unprepare(sdd->clk);
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
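
Review bot: with the three clk_disable_unprepare() calls removed from s3c64xx_spi_remove(), pm_runtime_set_suspended() now marks the device suspended while the devm-managed clocks are still enabled; they are only released by devres after remove() returns. That is harmless if nothing depends on the clock state in between, but the changed teardown order deserves a short comment here.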




* [PATCH 7.0 312/378] mmc: sdhci: add signal voltage switch in sdhci_resume_host
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (309 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 311/378] mmc: sdhci-of-dwcmshc: Fix reset, clk, and SDIO support for Eswin EIC7700 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 313/378] pmdomain: imx: fix OF node refcount Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Adrian Hunter,
	Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jszhang@kernel.org>

commit f595e8e77a51eee35e331f69321766593a845ef2 upstream.

I met one suspend/resume issue with sdr104 capable sdio wifi card (with
"keep-power-in-suspend" set in DT property):
After resuming from suspend to ram, the sdio wifi card stops working.
Further debug shows that although ios shows the sdio card is at sdr104
mode, the voltage is still at 3V3. This is due to the missing call
of ->start_signal_voltage_switch() in sdhci_resume_host().

Fix this issue by adding ->start_signal_voltage_switch() in
sdhci_resume_host(). This also matches what we do for
sdhci_runtime_resume_host().

Then the question is: why hasn't this issue been reported and fixed for
such a long time? IMHO, several reasons: Some host controllers just kick off
the runtime resume for system resume, so they benefit from the well
supported runtime pm code; Some platforms just use the old sdio wifi
card which doesn't need signal voltage switch at all, the default
voltage is 3v3 after resuming.

Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -3836,6 +3836,7 @@ int sdhci_resume_host(struct sdhci_host
 		host->pwr = 0;
 		host->clock = 0;
 		host->reinit_uhs = true;
+		mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios);
 		mmc->ops->set_ios(mmc, &mmc->ios);
 	} else {
 		sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER));
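
Review bot: the return value of mmc->ops->start_signal_voltage_switch() is discarded in the added line of sdhci_resume_host(). A failed switch would leave the card at the wrong signalling voltage with no trace, which is the symptom the commit message describes; at minimum log the error, and note in a comment that the call mirrors sdhci_runtime_resume_host().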




* [PATCH 6.1 396/522] spi: s3c64xx: fix NULL-deref on driver unbind
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (394 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 395/522] spi: s3c64xx: Use devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 397/522] mtd: spi-nor: core: fix implicit declaration warning Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Adithya K V, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 45daacbead8a009844bd5dba6cfa731332184d17 ]

A change moving DMA channel allocation from probe() back to
s3c64xx_spi_prepare_transfer() failed to remove the corresponding
deallocation from remove().

Drop the bogus DMA channel release from remove() to avoid triggering a
NULL-pointer dereference on driver unbind.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.

Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
Cc: stable@vger.kernel.org	# 6.0
Cc: Adithya K V <adithya.kv@samsung.com>
Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-s3c64xx.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1274,11 +1274,6 @@ static int s3c64xx_spi_remove(struct pla
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);




* [PATCH 7.0 313/378] pmdomain: imx: fix OF node refcount
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (310 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 312/378] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 314/378] pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit fba0510cd62666951dcc0221527edc0c47ae6599 upstream.

for_each_child_of_node_scoped() decrements the reference count of the
node after each iteration. Assigning it without incrementing the refcount
to a dynamically allocated platform device will result in a double put
in platform_device_release(). Add the missing call to of_node_get().

Cc: stable@vger.kernel.org
Fixes: 3e4d109ee8fc ("pmdomain: imx: gpc: Simplify with scoped for each OF child loop")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pmdomain/imx/gpc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pmdomain/imx/gpc.c
+++ b/drivers/pmdomain/imx/gpc.c
@@ -487,7 +487,7 @@ static int imx_gpc_probe(struct platform
 			domain->ipg_rate_mhz = ipg_rate_mhz;
 
 			pd_pdev->dev.parent = &pdev->dev;
-			pd_pdev->dev.of_node = np;
+			pd_pdev->dev.of_node = of_node_get(np);
 			pd_pdev->dev.fwnode = of_fwnode_handle(np);
 
 			ret = platform_device_add(pd_pdev);
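
Review bot: the reference taken by of_node_get(np) is only dropped through platform_device_release(), so every exit after this assignment has to end in platform_device_put(pd_pdev). The failure branch of the platform_device_add() call on the last context line is outside the hunk; confirm it does that, otherwise the fix trades a double put for a leak.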




* [PATCH 6.1 397/522] mtd: spi-nor: core: fix implicit declaration warning
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (395 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 396/522] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 398/522] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Tudor Ambarus,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zeng Heng <zengheng4@huawei.com>

[ Upstream commit 25e3f30601a368642678744fc8a9b1dce183c7bc ]

spi-nor/core.c needs to include linux/delay.h,
or it would raise the compile warning below:

drivers/mtd/spi-nor/core.c: In function ‘spi_nor_soft_reset’:
drivers/mtd/spi-nor/core.c:2779:2: error: implicit declaration of function ‘usleep_range’ [-Werror=implicit-function-declaration]
 2779 |  usleep_range(SPI_NOR_SRST_SLEEP_MIN, SPI_NOR_SRST_SLEEP_MAX);
      |  ^~~~~~~~~~~~

Fixes: d73ee7534cc5 ("mtd: spi-nor: core: perform a Soft Reset on shutdown")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://lore.kernel.org/r/20220923031457.56103-1-zengheng4@huawei.com
Stable-dep-of: e47029b977e7 ("mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -16,6 +16,7 @@
 #include <linux/math64.h>
 #include <linux/sizes.h>
 #include <linux/slab.h>
+#include <linux/delay.h>
 
 #include <linux/mtd/mtd.h>
 #include <linux/of_platform.h>
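
Review bot: linux/delay.h is appended after linux/slab.h, out of order with the otherwise alphabetical include lines visible in this hunk (math64.h, sizes.h, slab.h). Style only; placing it above linux/math64.h keeps the block sorted.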




* [PATCH 7.0 314/378] pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (311 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 313/378] pmdomain: imx: fix OF node refcount Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 315/378] rtase: Avoid sleeping in get_stats64() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vitor Soares, Kendall Willis,
	Sebin Francis, Ulf Hansson

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kendall Willis <k-willis@ti.com>

commit 4db207599acfc9d676340daa2dc6b52bfca17db4 upstream.

Set wakeup constraint for any device in a wakeup path. All parent devices
of a wakeup device should not be turned off during suspend. This ensures
the wakeup device is kept on while the system is suspended.

Cc: stable@vger.kernel.org
Fixes: 9d8aa0dd3be4 ("pmdomain: ti_sci: add wakeup constraint management")
Reported-by: Vitor Soares <vitor.soares@toradex.com>
Closes: https://lore.kernel.org/linux-pm/c0fe43a2339c802e9ce5900092cd530a2ba17a6b.camel@gmail.com/
Signed-off-by: Kendall Willis <k-willis@ti.com>
Reviewed-by: Sebin Francis <sebin.francis@ti.com>
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pmdomain/ti/ti_sci_pm_domains.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pmdomain/ti/ti_sci_pm_domains.c
+++ b/drivers/pmdomain/ti/ti_sci_pm_domains.c
@@ -86,7 +86,7 @@ static inline void ti_sci_pd_set_wkup_co
 	const struct ti_sci_handle *ti_sci = pd->parent->ti_sci;
 	int ret;
 
-	if (device_may_wakeup(dev)) {
+	if (device_may_wakeup(dev) || device_wakeup_path(dev)) {
 		/*
 		 * If device can wakeup using IO daisy chain wakeups,
 		 * we do not want to set a constraint.
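Review bot: the comment directly under the widened condition still reads "If device can wakeup using IO daisy chain wakeups", which describes only the `device_may_wakeup(dev)` case. With `device_wakeup_path(dev)` now also entering this branch, please say in the comment whether the IO daisy chain exemption is meant to apply to parent devices in a wakeup path as well, since the visible lines do not show which check follows.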




* [PATCH 6.1 398/522] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (396 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 397/522] mtd: spi-nor: core: fix implicit declaration warning Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 399/522] spi: tegra114: fix controller deregistration Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
	Michael Walle, Pratyush Yadav, Miquel Raynal, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

[ Upstream commit e47029b977e747cb3a9174308fd55762cce70147 ]

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
	(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
[ adjusted include-block context to keep 6.1.y's existing non-alphabetical header order while still adding `#include <linux/array_size.h>` at the top ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/debugfs.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mtd/spi-nor/debugfs.c
+++ b/drivers/mtd/spi-nor/debugfs.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include <linux/array_size.h>
 #include <linux/mtd/spi-nor.h>
 #include <linux/spi/spi.h>
 #include <linux/spi/spi-mem.h>
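Review bot: the added `#include <linux/array_size.h>` at the top of debugfs.c assumes that header exists in 6.1.y, and nothing in this patch (one file, 3 insertions) provides it. Please build-test drivers/mtd/spi-nor/debugfs.c on linux-6.1.y; if the header is missing, dropping the include is enough as long as `ARRAY_SIZE()` is already reachable through the existing includes.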
@@ -91,7 +92,8 @@ static int spi_nor_params_show(struct se
 	seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes);
 
 	seq_puts(s, "flags\t\t");
-	spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));
+	spi_nor_print_flags(s, nor->flags, snor_f_names,
+			    ARRAY_SIZE(snor_f_names));
 	seq_puts(s, "\n");
 
 	seq_puts(s, "\nopcodes\n");
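Review bot: the `ARRAY_SIZE(snor_f_names)` change fixes this call in spi_nor_params_show(), but nothing at the call site says that the fourth argument of spi_nor_print_flags() is an element count rather than a byte size, which is how the `sizeof()` slipped in. A one-line comment on `names_len` in spi_nor_print_flags(), plus a grep for other callers passing `sizeof()`, would keep the bound from being inflated again.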



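Added example (not part of the patch or of the kernel tree): a userspace C model of the bound check described in the commit message above, showing how many flag bits slip past `i < names_len` when the caller passes sizeof() instead of ARRAY_SIZE(). The table `demo_names`, the helpers `oob_lookups()` and `print_flags()`, and the "1<<N" fallback format are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define FLAG_BITS     (sizeof(unsigned long) * 8)

/* Constructed name table: 5 entries, valid indexes 0..4 (names are made up). */
static const char *const demo_names[] = {
	"FLAG_A", "FLAG_B", "FLAG_C", "FLAG_D", "FLAG_E",
};

/* The two values a caller can pass as names_len for the same table. */
static size_t len_as_bytes(void)    { return sizeof(demo_names); }
static size_t len_as_elements(void) { return ARRAY_SIZE(demo_names); }

/*
 * Count set flag bits whose index passes the "i < names_len" check but lies
 * past the real end of the table. In the printer each of these would be an
 * out-of-bounds pointer load; here they are only counted, never read.
 */
static unsigned int oob_lookups(unsigned long flags, size_t names_len,
				size_t real_count)
{
	unsigned int n = 0;

	for (size_t i = 0; i < FLAG_BITS; i++) {
		if (!(flags & (1UL << i)))
			continue;
		if (i < names_len && i >= real_count)
			n++;
	}
	return n;
}

/*
 * Model of a flag printer that trusts names_len as an element count. Bits
 * inside the bound print their name, the rest fall back to "1<<N" (assumed
 * format). Returns the number of characters written, or -1 if out is too small.
 */
static int print_flags(char *out, size_t out_len, unsigned long flags,
		       const char *const *names, size_t names_len)
{
	size_t used = 0;
	int sep = 0;

	if (out_len == 0)
		return -1;
	out[0] = '\0';

	for (size_t i = 0; i < FLAG_BITS; i++) {
		int w;

		if (!(flags & (1UL << i)))
			continue;
		if (i < names_len && names[i])
			w = snprintf(out + used, out_len - used, "%s%s",
				     sep ? " | " : "", names[i]);
		else
			w = snprintf(out + used, out_len - used, "%s1<<%zu",
				     sep ? " | " : "", i);
		if (w < 0 || (size_t)w >= out_len - used)
			return -1;
		used += (size_t)w;
		sep = 1;
	}
	return (int)used;
}

int main(void)
{
	/* Constructed input: bit 1 has a name, bit 7 is past the 5-entry table. */
	unsigned long flags = (1UL << 1) | (1UL << 7);
	char buf[64];

	printf("sizeof     -> names_len=%zu, OOB lookups=%u\n", len_as_bytes(),
	       oob_lookups(flags, len_as_bytes(), len_as_elements()));
	printf("ARRAY_SIZE -> names_len=%zu, OOB lookups=%u\n", len_as_elements(),
	       oob_lookups(flags, len_as_elements(), len_as_elements()));

	/* Only the correct element count is safe to hand to the printer. */
	if (print_flags(buf, sizeof(buf), flags, demo_names, len_as_elements()) > 0)
		printf("flags: %s\n", buf);
	return 0;
}
```

With the byte size as the bound, bit 7 is treated as a valid index into a five-entry table; with the element count it falls through to the numeric fallback.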

* [PATCH 7.0 315/378] rtase: Avoid sleeping in get_stats64()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (312 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 314/378] pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 316/378] rtase: Reset TX subqueue when clearing TX ring Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Justin Lai, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Lai <justinlai0215@realtek.com>

commit 9fc237f8d49f06d05f0f8e80361047b718894e81 upstream.

The .ndo_get_stats64 callback must not sleep because it can be
called when reading /proc/net/dev.

rtase_get_stats64() calls rtase_dump_tally_counter(), which polls
the tally counter dump bit with read_poll_timeout(). This may
sleep while waiting for the hardware counter dump to complete.

Use read_poll_timeout_atomic() instead to avoid sleeping in the
get_stats64() path.

Fixes: 079600489960 ("rtase: Implement net_device_ops")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Lai <justinlai0215@realtek.com>
Link: https://patch.msgid.link/20260603061816.31356-1-justinlai0215@realtek.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/realtek/rtase/rtase_main.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/realtek/rtase/rtase_main.c
+++ b/drivers/net/ethernet/realtek/rtase/rtase_main.c
@@ -1563,8 +1563,9 @@ static void rtase_dump_tally_counter(con
 	rtase_w32(tp, RTASE_DTCCR0, cmd);
 	rtase_w32(tp, RTASE_DTCCR0, cmd | RTASE_COUNTER_DUMP);
 
-	err = read_poll_timeout(rtase_r32, val, !(val & RTASE_COUNTER_DUMP),
-				10, 250, false, tp, RTASE_DTCCR0);
+	err = read_poll_timeout_atomic(rtase_r32, val,
+				       !(val & RTASE_COUNTER_DUMP),
+				       10, 250, false, tp, RTASE_DTCCR0);
 
 	if (err == -ETIMEDOUT)
 		netdev_err(tp->dev, "error occurred in dump tally counter\n");
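Review bot: `read_poll_timeout_atomic(..., 10, 250, false, ...)` now busy-waits for up to 250 us on every stats read instead of sleeping, and the `netdev_err()` on `-ETIMEDOUT` right below it is not rate limited. Since the commit message says this path runs on reads of /proc/net/dev, a wedged counter dump would cost 250 us of spinning and one log line per read; consider rate-limiting the message or logging it once.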




* [PATCH 6.1 399/522] spi: tegra114: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (397 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 398/522] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 400/522] spi: tegra20-sflash: " Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 9c9c27ff2058142d8f800de3186d6864184958de ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 5c8096439600 ("spi: tegra114: use devm_spi_register_master()")
Cc: stable@vger.kernel.org	# 3.13
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-22-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller/host APIs to spi_master/master equivalents and placed spi_master_put() before the existing return 0 in remove ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-tegra114.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -1415,7 +1415,7 @@ static int tegra_spi_probe(struct platfo
 	}
 
 	master->dev.of_node = pdev->dev.of_node;
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = spi_register_master(master);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "can not register to master err %d\n", ret);
 		goto exit_free_irq;
@@ -1441,6 +1441,10 @@ static int tegra_spi_remove(struct platf
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct tegra_spi_data	*tspi = spi_master_get_devdata(master);
 
+	spi_master_get(master);
+
+	spi_unregister_master(master);
+
 	free_irq(tspi->irq, tspi);
 
 	if (tspi->tx_dma_chan)
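Review bot: the `spi_master_get(master)` added before `spi_unregister_master(master)` has no comment explaining why an extra reference is taken. `tspi` comes from `spi_master_get_devdata(master)` and is still dereferenced by `free_irq(tspi->irq, tspi)` and the DMA teardown after the unregister, so the reference is what keeps that memory valid until the `spi_master_put()` in the last hunk; a short comment saying so would stop a later cleanup from removing the pair as redundant.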
@@ -1453,6 +1457,8 @@ static int tegra_spi_remove(struct platf
 	if (!pm_runtime_status_suspended(&pdev->dev))
 		tegra_spi_runtime_suspend(&pdev->dev);
 
+	spi_master_put(master);
+
 	return 0;
 }
 




* [PATCH 7.0 316/378] rtase: Reset TX subqueue when clearing TX ring
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (313 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 315/378] rtase: Avoid sleeping in get_stats64() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 317/378] rxrpc: Fix the ACK parser to extract the SACK table for parsing Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Lai, Alexander Lobakin,
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Lai <justinlai0215@realtek.com>

commit ab1ecaabe74b7d86c38ab2ab44bd56cdcc33645a upstream.

rtase_tx_clear() clears the TX ring and resets the ring indexes.
However, the TX queue state and BQL accounting are not reset at
the same time.

This may leave __QUEUE_STATE_STACK_XOFF asserted after
rtase_sw_reset(), preventing new TX packets from being scheduled.

Reset the TX subqueue when clearing the TX ring so the TX queue
state and BQL accounting are restored together.

Fixes: 5a2a2f15244c ("rtase: Implement the rtase_down function")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Lai <justinlai0215@realtek.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260602114659.12335-1-justinlai0215@realtek.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/realtek/rtase/rtase_main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/realtek/rtase/rtase_main.c
+++ b/drivers/net/ethernet/realtek/rtase/rtase_main.c
@@ -239,6 +239,8 @@ static void rtase_tx_clear(struct rtase_
 		rtase_tx_clear_range(ring, ring->dirty_idx, RTASE_NUM_DESC);
 		ring->cur_idx = 0;
 		ring->dirty_idx = 0;
+
+		netdev_tx_reset_subqueue(tp->dev, i);
 	}
 }
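Review bot: `netdev_tx_reset_subqueue(tp->dev, i)` is added inside the per-ring loop next to the `cur_idx`/`dirty_idx` reset, but nothing here documents that rtase_tx_clear() may only run while TX is quiesced. Resetting BQL accounting while a transmit or completion is still in flight for that queue would leave the counters inconsistent again, so a comment on the function stating that requirement would help.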
 




* [PATCH 6.1 400/522] spi: tegra20-sflash: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (398 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 399/522] spi: tegra114: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 401/522] spi: uniphier: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit ad7310e983327f939dd6c4e801eab13238992572 ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: f12f7318c44a ("spi: tegra20-sflash: use devm_spi_register_master()")
Cc: stable@vger.kernel.org	# 3.13
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-23-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller/host APIs to spi_master/master equivalents and switched devm_spi_register_master to spi_register_master ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-tegra20-sflash.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-tegra20-sflash.c
+++ b/drivers/spi/spi-tegra20-sflash.c
@@ -506,7 +506,7 @@ static int tegra_sflash_probe(struct pla
 	pm_runtime_put(&pdev->dev);
 
 	master->dev.of_node = pdev->dev.of_node;
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = spi_register_master(master);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "can not register to master err %d\n", ret);
 		goto exit_pm_disable;
@@ -529,12 +529,18 @@ static int tegra_sflash_remove(struct pl
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct tegra_sflash_data	*tsd = spi_master_get_devdata(master);
 
+	spi_master_get(master);
+
+	spi_unregister_master(master);
+
 	free_irq(tsd->irq, tsd);
 
 	pm_runtime_disable(&pdev->dev);
 	if (!pm_runtime_status_suspended(&pdev->dev))
 		tegra_sflash_runtime_suspend(&pdev->dev);
 
+	spi_master_put(master);
+
 	return 0;
 }
 




* [PATCH 7.0 317/378] rxrpc: Fix the ACK parser to extract the SACK table for parsing
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (314 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 316/378] rtase: Reset TX subqueue when clearing TX ring Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 318/378] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, David Howells,
	Marc Dionne, Jeffrey Altman, Eric Dumazet, David S. Miller,
	Jakub Kicinski, Paolo Abeni, Simon Horman, linux-afs, netdev,
	stable

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 333b6d5bb9f87827ac2639c737bf9613dbae7253 upstream.

Fix modification of the received skbuff in rxrpc_input_soft_acks() and a
potential incorrect access of the buffer in a fragmented UDP packet (the
packet would probably have to be deliberately pre-generated as fragmented)
when AF_RXRPC tries to extract the contents of the SACK table by copying
out the contents of the SACK table into a buffer before attempting to parse

AF_RXRPC assumes that it can just call skb_condense() and then validly
access the SACK table from skb->data and that it will be a flat buffer -
but skb_condense() can silently fail to do anything under some
circumstances.

Note that whilst rxrpc_input_soft_acks() should be able to parse extended
ACKs, the rest of AF_RXRPC doesn't currently support that.

Further, there's then no need to call skb_condense() in rxrpc_input_ack(),
so don't.

Fixes: d57a3a151660 ("rxrpc: Save last ACK's SACK table rather than marking txbufs")
Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://lore.kernel.org/r/20260513180907.2061972-1-michael.bommarito@gmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
Link: https://patch.msgid.link/105362.1780573560@warthog.procyon.org.uk
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/input.c |   26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -963,23 +963,34 @@ static void rxrpc_input_soft_acks(struct
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_txqueue *tq = call->tx_queue;
 	unsigned long extracted = ~0UL;
-	unsigned int nr = 0;
+	unsigned int nr = 0, nsack;
 	rxrpc_seq_t seq = call->acks_hard_ack + 1;
 	rxrpc_seq_t lowest_nak = seq + sp->ack.nr_acks;
-	u8 *acks = skb->data + sizeof(struct rxrpc_wire_header) + sizeof(struct rxrpc_ackpacket);
+	u8 sack[256] __aligned(sizeof(unsigned long));
+	u8 *acks = sack;
 
 	_enter("%x,%x,%u", tq->qbase, seq, sp->ack.nr_acks);
 
 	while (after(seq, tq->qbase + RXRPC_NR_TXQUEUE - 1))
 		tq = tq->next;
 
+	/* Extract an individual SACK table.  A normal SACK table is up to 255
+	 * bytes with 1 ACK flag per byte, but an extended SACK table can be up
+	 * to 256 bytes with up to 8 ACK/NACK flags per byte.  The ACK flags go
+	 * across all bit 0's then all bit 1's, then all bit 2's, ...
+	 */
+	memset(sack, 0, sizeof(sack));
+	nsack = umin(sp->ack.nr_acks, 256);
+	if (skb_copy_bits(skb,
+			  sizeof(struct rxrpc_wire_header) + sizeof(struct rxrpc_ackpacket),
+			  sack, nsack) < 0)
+		return;
+
 	for (unsigned int i = 0; i < sp->ack.nr_acks; i++) {
 		/* Decant ACKs until we hit a txqueue boundary. */
+		if ((i & 255) == 0)
+			acks = sack;
 		shiftr_adv_rotr(acks, extracted);
-		if (i == 256) {
-			acks -= i;
-			i = 0;
-		}
 		seq++;
 		nr++;
 		if ((seq & RXRPC_TXQ_MASK) != 0)
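Review bot: the new `skb_copy_bits()` failure path just does `return;`, so a packet whose SACK table is shorter than `nr_acks` is dropped from soft-ACK processing with no abort and no trace, while the short-trailer case in rxrpc_input_ack() (context of the next hunk) ends in `rxrpc_proto_abort(call, 0, rxrpc_badmsg_short_ack_trailer)`. Either add a comment that the length was already validated by the caller so this cannot fail, or emit a trace or abort here. Also worth a comment that the copy is capped at `umin(sp->ack.nr_acks, 256)` while the loop still runs to `sp->ack.nr_acks`, relying on the `(i & 255) == 0` rewind to stay inside `sack[]`.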
@@ -1117,9 +1128,6 @@ static void rxrpc_input_ack(struct rxrpc
 	    skb_copy_bits(skb, ioffset, &trailer, sizeof(trailer)) < 0)
 		return rxrpc_proto_abort(call, 0, rxrpc_badmsg_short_ack_trailer);
 
-	if (nr_acks > 0)
-		skb_condense(skb);
-
 	call->acks_latest_ts = ktime_get_real();
 	call->acks_hard_ack = hard_ack;
 	call->acks_prev_seq = prev_pkt;
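Review bot: with `skb_condense(skb)` removed here, anything later in rxrpc_input_ack() that still reads ACK payload through `skb->data` would see an skb that may be non-linear. The visible context already uses `skb_copy_bits()` for the trailer; please confirm no remaining direct `skb->data` access on this path depended on the condense.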




* [PATCH 6.1 401/522] spi: uniphier: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (399 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 400/522] spi: tegra20-sflash: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 402/522] spi: uniphier: switch to use modern name Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 1b13d196d2813dadc1947940dbd4aaad6ae21c02 ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230303172041.2103336-84-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0245435f7772 ("spi: uniphier: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -775,7 +775,7 @@ out_master_put:
 	return ret;
 }
 
-static int uniphier_spi_remove(struct platform_device *pdev)
+static void uniphier_spi_remove(struct platform_device *pdev)
 {
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
@@ -786,8 +786,6 @@ static int uniphier_spi_remove(struct pl
 		dma_release_channel(master->dma_rx);
 
 	clk_disable_unprepare(priv->clk);
-
-	return 0;
 }
 
 static const struct of_device_id uniphier_spi_match[] = {
@@ -798,7 +796,7 @@ MODULE_DEVICE_TABLE(of, uniphier_spi_mat
 
 static struct platform_driver uniphier_spi_driver = {
 	.probe = uniphier_spi_probe,
-	.remove = uniphier_spi_remove,
+	.remove_new = uniphier_spi_remove,
 	.driver = {
 		.name = "uniphier-spi",
 		.of_match_table = uniphier_spi_match,
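Review bot: `.remove_new = uniphier_spi_remove` in this last hunk requires `struct platform_driver` in 6.1.y to have the `remove_new` member, which this patch does not add. Please confirm the prerequisite is already in linux-6.1.y (a build of drivers/spi/spi-uniphier.c will show it), since the upstream submission linked above dates from March 2023.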




* [PATCH 7.0 318/378] sctp: diag: reject stale associations in dump_one path
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (315 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 317/378] rxrpc: Fix the ACK parser to extract the SACK table for parsing Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 319/378] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Zhengchuan Liang, Xin Liu, Zhao Zhang, Ren Wei,
	Xin Long, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhao Zhang <zzhan461@ucr.edu>

commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream.

The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.

When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.

Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.

Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/diag.c |   17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct
 
 	lock_sock(sk);
 
-	rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
-	if (!rep) {
-		release_sock(sk);
-		return -ENOMEM;
+	if (ep != assoc->ep || assoc->base.dead) {
+		err = -ESTALE;
+		goto out_unlock;
 	}
 
-	if (ep != assoc->ep) {
-		err = -EAGAIN;
-		goto out;
+	rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+	if (!rep) {
+		err = -ENOMEM;
+		goto out_unlock;
 	}
 
 	err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
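Review bot: the `ep != assoc->ep` case used to return `-EAGAIN` and now returns `-ESTALE` together with the new `assoc->base.dead` check, which is a userspace-visible errno change for the exact-lookup path in a stable backport. If any sock_diag consumer retried on `-EAGAIN`, it will now see a hard failure; please note the errno change in the commit message or keep `-EAGAIN` for the detached-endpoint case. Moving the check ahead of `nlmsg_new(inet_assoc_attr_size(sk, assoc), ...)` is the right order, since the size computation itself reads association state.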
@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct
 	return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
 
 out:
-	release_sock(sk);
 	kfree_skb(rep);
+out_unlock:
+	release_sock(sk);
 	return err;
 }
 




* [PATCH 6.1 402/522] spi: uniphier: switch to use modern name
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (400 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 401/522] spi: uniphier: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 403/522] spi: uniphier: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 4c2ee0991013ca8a32bb093a017d460204790112 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-19-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0245435f7772 ("spi: uniphier: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |  198 ++++++++++++++++++++++-----------------------
 1 file changed, 99 insertions(+), 99 deletions(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -26,7 +26,7 @@ struct uniphier_spi_priv {
 	void __iomem *base;
 	dma_addr_t base_dma_addr;
 	struct clk *clk;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct completion xfer_done;
 
 	int error;
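Review bot: the `struct spi_master *master` to `struct spi_controller *host` change in this first hunk opens a 99-line mechanical rename that is carried only as a `Stable-dep-of:` for the deregistration fix. Patches 399/522 and 400/522 in this same series took the other route and renamed the fix to the `spi_master` API instead; doing the same for uniphier would avoid pulling a no-functional-change rename into 6.1.y and make the fix easier to review.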
@@ -127,7 +127,7 @@ static inline void uniphier_spi_irq_disa
 
 static void uniphier_spi_set_mode(struct spi_device *spi)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val1, val2;
 
 	/*
@@ -180,7 +180,7 @@ static void uniphier_spi_set_mode(struct
 
 static void uniphier_spi_set_transfer_size(struct spi_device *spi, int size)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	val = readl(priv->base + SSI_TXWDS);
@@ -198,7 +198,7 @@ static void uniphier_spi_set_transfer_si
 static void uniphier_spi_set_baudrate(struct spi_device *spi,
 				      unsigned int speed)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val, ckdiv;
 
 	/*
@@ -217,7 +217,7 @@ static void uniphier_spi_set_baudrate(st
 static void uniphier_spi_setup_transfer(struct spi_device *spi,
 				       struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	priv->error = 0;
@@ -333,7 +333,7 @@ static void uniphier_spi_fill_tx_fifo(st
 
 static void uniphier_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	val = readl(priv->base + SSI_FPS);
@@ -346,16 +346,16 @@ static void uniphier_spi_set_cs(struct s
 	writel(val, priv->base + SSI_FPS);
 }
 
-static bool uniphier_spi_can_dma(struct spi_master *master,
+static bool uniphier_spi_can_dma(struct spi_controller *host,
 				 struct spi_device *spi,
 				 struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	unsigned int bpw = bytes_per_word(priv->bits_per_word);
 
-	if ((!master->dma_tx && !master->dma_rx)
-	    || (!master->dma_tx && t->tx_buf)
-	    || (!master->dma_rx && t->rx_buf))
+	if ((!host->dma_tx && !host->dma_rx)
+	    || (!host->dma_tx && t->tx_buf)
+	    || (!host->dma_rx && t->rx_buf))
 		return false;
 
 	return DIV_ROUND_UP(t->len, bpw) > SSI_FIFO_DEPTH;
@@ -363,33 +363,33 @@ static bool uniphier_spi_can_dma(struct
 
 static void uniphier_spi_dma_rxcb(void *data)
 {
-	struct spi_master *master = data;
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct spi_controller *host = data;
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	int state = atomic_fetch_andnot(SSI_DMA_RX_BUSY, &priv->dma_busy);
 
 	uniphier_spi_irq_disable(priv, SSI_IE_RXRE);
 
 	if (!(state & SSI_DMA_TX_BUSY))
-		spi_finalize_current_transfer(master);
+		spi_finalize_current_transfer(host);
 }
 
 static void uniphier_spi_dma_txcb(void *data)
 {
-	struct spi_master *master = data;
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct spi_controller *host = data;
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	int state = atomic_fetch_andnot(SSI_DMA_TX_BUSY, &priv->dma_busy);
 
 	uniphier_spi_irq_disable(priv, SSI_IE_TXRE);
 
 	if (!(state & SSI_DMA_RX_BUSY))
-		spi_finalize_current_transfer(master);
+		spi_finalize_current_transfer(host);
 }
 
-static int uniphier_spi_transfer_one_dma(struct spi_master *master,
+static int uniphier_spi_transfer_one_dma(struct spi_controller *host,
 					 struct spi_device *spi,
 					 struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	struct dma_async_tx_descriptor *rxdesc = NULL, *txdesc = NULL;
 	int buswidth;
 
@@ -412,23 +412,23 @@ static int uniphier_spi_transfer_one_dma
 			.src_maxburst = SSI_FIFO_BURST_NUM,
 		};
 
-		dmaengine_slave_config(master->dma_rx, &rxconf);
+		dmaengine_slave_config(host->dma_rx, &rxconf);
 
 		rxdesc = dmaengine_prep_slave_sg(
-			master->dma_rx,
+			host->dma_rx,
 			t->rx_sg.sgl, t->rx_sg.nents,
 			DMA_DEV_TO_MEM, DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
 		if (!rxdesc)
 			goto out_err_prep;
 
 		rxdesc->callback = uniphier_spi_dma_rxcb;
-		rxdesc->callback_param = master;
+		rxdesc->callback_param = host;
 
 		uniphier_spi_irq_enable(priv, SSI_IE_RXRE);
 		atomic_or(SSI_DMA_RX_BUSY, &priv->dma_busy);
 
 		dmaengine_submit(rxdesc);
-		dma_async_issue_pending(master->dma_rx);
+		dma_async_issue_pending(host->dma_rx);
 	}
 
 	if (priv->tx_buf) {
@@ -439,23 +439,23 @@ static int uniphier_spi_transfer_one_dma
 			.dst_maxburst = SSI_FIFO_BURST_NUM,
 		};
 
-		dmaengine_slave_config(master->dma_tx, &txconf);
+		dmaengine_slave_config(host->dma_tx, &txconf);
 
 		txdesc = dmaengine_prep_slave_sg(
-			master->dma_tx,
+			host->dma_tx,
 			t->tx_sg.sgl, t->tx_sg.nents,
 			DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
 		if (!txdesc)
 			goto out_err_prep;
 
 		txdesc->callback = uniphier_spi_dma_txcb;
-		txdesc->callback_param = master;
+		txdesc->callback_param = host;
 
 		uniphier_spi_irq_enable(priv, SSI_IE_TXRE);
 		atomic_or(SSI_DMA_TX_BUSY, &priv->dma_busy);
 
 		dmaengine_submit(txdesc);
-		dma_async_issue_pending(master->dma_tx);
+		dma_async_issue_pending(host->dma_tx);
 	}
 
 	/* signal that we need to wait for completion */
@@ -463,17 +463,17 @@ static int uniphier_spi_transfer_one_dma
 
 out_err_prep:
 	if (rxdesc)
-		dmaengine_terminate_sync(master->dma_rx);
+		dmaengine_terminate_sync(host->dma_rx);
 
 	return -EINVAL;
 }
 
-static int uniphier_spi_transfer_one_irq(struct spi_master *master,
+static int uniphier_spi_transfer_one_irq(struct spi_controller *host,
 					 struct spi_device *spi,
 					 struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
-	struct device *dev = master->dev.parent;
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
+	struct device *dev = host->dev.parent;
 	unsigned long time_left;
 
 	reinit_completion(&priv->xfer_done);
@@ -495,11 +495,11 @@ static int uniphier_spi_transfer_one_irq
 	return priv->error;
 }
 
-static int uniphier_spi_transfer_one_poll(struct spi_master *master,
+static int uniphier_spi_transfer_one_poll(struct spi_controller *host,
 					  struct spi_device *spi,
 					  struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	int loop = SSI_POLL_TIMEOUT_US * 10;
 
 	while (priv->tx_bytes) {
@@ -520,14 +520,14 @@ static int uniphier_spi_transfer_one_pol
 	return 0;
 
 irq_transfer:
-	return uniphier_spi_transfer_one_irq(master, spi, t);
+	return uniphier_spi_transfer_one_irq(host, spi, t);
 }
 
-static int uniphier_spi_transfer_one(struct spi_master *master,
+static int uniphier_spi_transfer_one(struct spi_controller *host,
 				     struct spi_device *spi,
 				     struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	unsigned long threshold;
 	bool use_dma;
 
@@ -537,9 +537,9 @@ static int uniphier_spi_transfer_one(str
 
 	uniphier_spi_setup_transfer(spi, t);
 
-	use_dma = master->can_dma ? master->can_dma(master, spi, t) : false;
+	use_dma = host->can_dma ? host->can_dma(host, spi, t) : false;
 	if (use_dma)
-		return uniphier_spi_transfer_one_dma(master, spi, t);
+		return uniphier_spi_transfer_one_dma(host, spi, t);
 
 	/*
 	 * If the transfer operation will take longer than
@@ -548,33 +548,33 @@ static int uniphier_spi_transfer_one(str
 	threshold = DIV_ROUND_UP(SSI_POLL_TIMEOUT_US * priv->speed_hz,
 					USEC_PER_SEC * BITS_PER_BYTE);
 	if (t->len > threshold)
-		return uniphier_spi_transfer_one_irq(master, spi, t);
+		return uniphier_spi_transfer_one_irq(host, spi, t);
 	else
-		return uniphier_spi_transfer_one_poll(master, spi, t);
+		return uniphier_spi_transfer_one_poll(host, spi, t);
 }
 
-static int uniphier_spi_prepare_transfer_hardware(struct spi_master *master)
+static int uniphier_spi_prepare_transfer_hardware(struct spi_controller *host)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
 	writel(SSI_CTL_EN, priv->base + SSI_CTL);
 
 	return 0;
 }
 
-static int uniphier_spi_unprepare_transfer_hardware(struct spi_master *master)
+static int uniphier_spi_unprepare_transfer_hardware(struct spi_controller *host)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
 	writel(0, priv->base + SSI_CTL);
 
 	return 0;
 }
 
-static void uniphier_spi_handle_err(struct spi_master *master,
+static void uniphier_spi_handle_err(struct spi_controller *host,
 				    struct spi_message *msg)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	u32 val;
 
 	/* stop running spi transfer */
@@ -587,12 +587,12 @@ static void uniphier_spi_handle_err(stru
 	uniphier_spi_irq_disable(priv, SSI_IE_ALL_MASK);
 
 	if (atomic_read(&priv->dma_busy) & SSI_DMA_TX_BUSY) {
-		dmaengine_terminate_async(master->dma_tx);
+		dmaengine_terminate_async(host->dma_tx);
 		atomic_andnot(SSI_DMA_TX_BUSY, &priv->dma_busy);
 	}
 
 	if (atomic_read(&priv->dma_busy) & SSI_DMA_RX_BUSY) {
-		dmaengine_terminate_async(master->dma_rx);
+		dmaengine_terminate_async(host->dma_rx);
 		atomic_andnot(SSI_DMA_RX_BUSY, &priv->dma_busy);
 	}
 }
@@ -641,7 +641,7 @@ done:
 static int uniphier_spi_probe(struct platform_device *pdev)
 {
 	struct uniphier_spi_priv *priv;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct resource *res;
 	struct dma_slave_caps caps;
 	u32 dma_tx_burst = 0, dma_rx_burst = 0;
@@ -649,20 +649,20 @@ static int uniphier_spi_probe(struct pla
 	int irq;
 	int ret;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*priv));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*priv));
+	if (!host)
 		return -ENOMEM;
 
-	platform_set_drvdata(pdev, master);
+	platform_set_drvdata(pdev, host);
 
-	priv = spi_master_get_devdata(master);
-	priv->master = master;
+	priv = spi_controller_get_devdata(host);
+	priv->host = host;
 	priv->is_save_param = false;
 
 	priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
 	if (IS_ERR(priv->base)) {
 		ret = PTR_ERR(priv->base);
-		goto out_master_put;
+		goto out_host_put;
 	}
 	priv->base_dma_addr = res->start;
 
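Review bot: spi_alloc_host() and spi_controller_get_devdata() at the top of uniphier_spi_probe() have to exist in the 6.1.y tree for this backport to build. Please confirm that the commit introducing the host-named helpers is already in linux-6.1.y or queued ahead of this one, since nothing in this hunk falls back to spi_alloc_master().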
@@ -670,12 +670,12 @@ static int uniphier_spi_probe(struct pla
 	if (IS_ERR(priv->clk)) {
 		dev_err(&pdev->dev, "failed to get clock\n");
 		ret = PTR_ERR(priv->clk);
-		goto out_master_put;
+		goto out_host_put;
 	}
 
 	ret = clk_prepare_enable(priv->clk);
 	if (ret)
-		goto out_master_put;
+		goto out_host_put;
 
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
@@ -694,35 +694,35 @@ static int uniphier_spi_probe(struct pla
 
 	clk_rate = clk_get_rate(priv->clk);
 
-	master->max_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MIN_CLK_DIVIDER);
-	master->min_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MAX_CLK_DIVIDER);
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
-	master->dev.of_node = pdev->dev.of_node;
-	master->bus_num = pdev->id;
-	master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32);
-
-	master->set_cs = uniphier_spi_set_cs;
-	master->transfer_one = uniphier_spi_transfer_one;
-	master->prepare_transfer_hardware
+	host->max_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MIN_CLK_DIVIDER);
+	host->min_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MAX_CLK_DIVIDER);
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
+	host->dev.of_node = pdev->dev.of_node;
+	host->bus_num = pdev->id;
+	host->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32);
+
+	host->set_cs = uniphier_spi_set_cs;
+	host->transfer_one = uniphier_spi_transfer_one;
+	host->prepare_transfer_hardware
 				= uniphier_spi_prepare_transfer_hardware;
-	master->unprepare_transfer_hardware
+	host->unprepare_transfer_hardware
 				= uniphier_spi_unprepare_transfer_hardware;
-	master->handle_err = uniphier_spi_handle_err;
-	master->can_dma = uniphier_spi_can_dma;
+	host->handle_err = uniphier_spi_handle_err;
+	host->can_dma = uniphier_spi_can_dma;
 
-	master->num_chipselect = 1;
-	master->flags = SPI_CONTROLLER_MUST_RX | SPI_CONTROLLER_MUST_TX;
+	host->num_chipselect = 1;
+	host->flags = SPI_CONTROLLER_MUST_RX | SPI_CONTROLLER_MUST_TX;
 
-	master->dma_tx = dma_request_chan(&pdev->dev, "tx");
-	if (IS_ERR_OR_NULL(master->dma_tx)) {
-		if (PTR_ERR(master->dma_tx) == -EPROBE_DEFER) {
+	host->dma_tx = dma_request_chan(&pdev->dev, "tx");
+	if (IS_ERR_OR_NULL(host->dma_tx)) {
+		if (PTR_ERR(host->dma_tx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
 			goto out_disable_clk;
 		}
-		master->dma_tx = NULL;
+		host->dma_tx = NULL;
 		dma_tx_burst = INT_MAX;
 	} else {
-		ret = dma_get_slave_caps(master->dma_tx, &caps);
+		ret = dma_get_slave_caps(host->dma_tx, &caps);
 		if (ret) {
 			dev_err(&pdev->dev, "failed to get TX DMA capacities: %d\n",
 				ret);
@@ -731,16 +731,16 @@ static int uniphier_spi_probe(struct pla
 		dma_tx_burst = caps.max_burst;
 	}
 
-	master->dma_rx = dma_request_chan(&pdev->dev, "rx");
-	if (IS_ERR_OR_NULL(master->dma_rx)) {
-		if (PTR_ERR(master->dma_rx) == -EPROBE_DEFER) {
+	host->dma_rx = dma_request_chan(&pdev->dev, "rx");
+	if (IS_ERR_OR_NULL(host->dma_rx)) {
+		if (PTR_ERR(host->dma_rx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
 			goto out_release_dma;
 		}
-		master->dma_rx = NULL;
+		host->dma_rx = NULL;
 		dma_rx_burst = INT_MAX;
 	} else {
-		ret = dma_get_slave_caps(master->dma_rx, &caps);
+		ret = dma_get_slave_caps(host->dma_rx, &caps);
 		if (ret) {
 			dev_err(&pdev->dev, "failed to get RX DMA capacities: %d\n",
 				ret);
@@ -749,41 +749,41 @@ static int uniphier_spi_probe(struct pla
 		dma_rx_burst = caps.max_burst;
 	}
 
-	master->max_dma_len = min(dma_tx_burst, dma_rx_burst);
+	host->max_dma_len = min(dma_tx_burst, dma_rx_burst);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (ret)
 		goto out_release_dma;
 
 	return 0;
 
 out_release_dma:
-	if (!IS_ERR_OR_NULL(master->dma_rx)) {
-		dma_release_channel(master->dma_rx);
-		master->dma_rx = NULL;
-	}
-	if (!IS_ERR_OR_NULL(master->dma_tx)) {
-		dma_release_channel(master->dma_tx);
-		master->dma_tx = NULL;
+	if (!IS_ERR_OR_NULL(host->dma_rx)) {
+		dma_release_channel(host->dma_rx);
+		host->dma_rx = NULL;
+	}
+	if (!IS_ERR_OR_NULL(host->dma_tx)) {
+		dma_release_channel(host->dma_tx);
+		host->dma_tx = NULL;
 	}
 
 out_disable_clk:
 	clk_disable_unprepare(priv->clk);
 
-out_master_put:
-	spi_master_put(master);
+out_host_put:
+	spi_controller_put(host);
 	return ret;
 }
 
 static void uniphier_spi_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = platform_get_drvdata(pdev);
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct spi_controller *host = platform_get_drvdata(pdev);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
-	if (master->dma_tx)
-		dma_release_channel(master->dma_tx);
-	if (master->dma_rx)
-		dma_release_channel(master->dma_rx);
+	if (host->dma_tx)
+		dma_release_channel(host->dma_tx);
+	if (host->dma_rx)
+		dma_release_channel(host->dma_rx);
 
 	clk_disable_unprepare(priv->clk);
 }
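Review bot: uniphier_spi_remove() calls dma_release_channel() on host->dma_tx and host->dma_rx while the controller registered with devm_spi_register_controller() in probe is still live, because devres only unregisters it after remove() returns. The rename carries that ordering over unchanged, so it should not be applied without the later "fix controller deregistration" patch in this series, which unregisters the controller before the channels are released.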




* [PATCH 7.0 319/378] sctp: stream: fully roll back denied add-stream state
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (316 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 318/378] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 320/378] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Zhengchuan Liang, Xin Liu, Wyatt Feng, Ren Wei,
	Xin Long, Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wyatt Feng <bronzed_45_vested@icloud.com>

commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream.

When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
then lowers outcnt. That leaves removed stream metadata behind, so a
later re-add can reuse a stale ext and hit a null-pointer dereference in
the scheduler get path.

Fix the rollback by tearing down the removed stream state the same way
other stream resizes do. Unschedule the current scheduler state, drop
the removed stream ext state with sctp_stream_outq_migrate(), and then
reschedule the remaining streams.

This keeps scheduler-private RR/FC/PRIO lists consistent while fully
rolling back denied outgoing stream additions.

Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/stream.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset
 			stsn, rtsn, GFP_ATOMIC);
 	} else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) {
 		struct sctp_strreset_addstrm *addstrm;
+		const struct sctp_sched_ops *sched;
 		__u16 number;
 
 		addstrm = (struct sctp_strreset_addstrm *)req;
@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset
 			for (i = number; i < stream->outcnt; i++)
 				SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
 		} else {
-			sctp_stream_shrink_out(stream, number);
+			sched = sctp_sched_ops_from_stream(stream);
+			sched->unsched_all(stream);
+			sctp_stream_outq_migrate(stream, NULL, number);
+			sched->sched_all(stream);
 			stream->outcnt = number;
 		}
 
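Review bot: in the denied branch, sctp_stream_outq_migrate(stream, NULL, number) runs while stream->outcnt still holds the pre-rollback count, and stream->outcnt = number only follows sched->sched_all(stream). If the migrate helper needs the old count to find the streams to drop, that ordering is load-bearing and invisible at the call site; a short comment saying so, and saying that NULL means there is no replacement stream table, would keep a later cleanup from reordering these four lines. The sched local is also used only in this else branch and could be declared there instead of at the top of the ADD_OUT_STREAMS block.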




* [PATCH 6.1 403/522] spi: uniphier: Simplify clock handling with devm_clk_get_enabled()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (401 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 402/522] spi: uniphier: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 404/522] spi: uniphier: fix controller deregistration Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pei Xiao, Kunihiko Hayashi,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pei Xiao <xiaopei01@kylinos.cn>

[ Upstream commit fdca270f8f87cae2eb5b619234b9dd11a863ce6b ]

Replace devm_clk_get() followed by clk_prepare_enable() with
devm_clk_get_enabled() for the clock. This removes the need for
explicit clock enable and disable calls, as the managed API automatically
handles clock disabling on device removal or probe failure.

Remove the now-unnecessary clk_disable_unprepare() calls from the probe
error path and the remove callback. Adjust error labels accordingly.

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Reviewed-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://patch.msgid.link/b2deeefd4ef1a4bce71116aabfcb7e81400f6d37.1775546948.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0245435f7772 ("spi: uniphier: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |   18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -666,28 +666,24 @@ static int uniphier_spi_probe(struct pla
 	}
 	priv->base_dma_addr = res->start;
 
-	priv->clk = devm_clk_get(&pdev->dev, NULL);
+	priv->clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(priv->clk)) {
 		dev_err(&pdev->dev, "failed to get clock\n");
 		ret = PTR_ERR(priv->clk);
 		goto out_host_put;
 	}
 
-	ret = clk_prepare_enable(priv->clk);
-	if (ret)
-		goto out_host_put;
-
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = irq;
-		goto out_disable_clk;
+		goto out_host_put;
 	}
 
 	ret = devm_request_irq(&pdev->dev, irq, uniphier_spi_handler,
 			       0, "uniphier-spi", priv);
 	if (ret) {
 		dev_err(&pdev->dev, "failed to request IRQ\n");
-		goto out_disable_clk;
+		goto out_host_put;
 	}
 
 	init_completion(&priv->xfer_done);
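Review bot: devm_clk_get_enabled() can now fail in the enable step as well as in the lookup, but the message under IS_ERR(priv->clk) still reads "failed to get clock" and is printed for every error code. Consider dev_err_probe(&pdev->dev, PTR_ERR(priv->clk), "failed to get and enable clock\n") so that the cause is visible and a probe deferral is not logged as an error.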
@@ -717,7 +713,7 @@ static int uniphier_spi_probe(struct pla
 	if (IS_ERR_OR_NULL(host->dma_tx)) {
 		if (PTR_ERR(host->dma_tx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
-			goto out_disable_clk;
+			goto out_host_put;
 		}
 		host->dma_tx = NULL;
 		dma_tx_burst = INT_MAX;
@@ -767,9 +763,6 @@ out_release_dma:
 		host->dma_tx = NULL;
 	}
 
-out_disable_clk:
-	clk_disable_unprepare(priv->clk);
-
 out_host_put:
 	spi_controller_put(host);
 	return ret;
@@ -778,14 +771,11 @@ out_host_put:
 static void uniphier_spi_remove(struct platform_device *pdev)
 {
 	struct spi_controller *host = platform_get_drvdata(pdev);
-	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
 	if (host->dma_tx)
 		dma_release_channel(host->dma_tx);
 	if (host->dma_rx)
 		dma_release_channel(host->dma_rx);
-
-	clk_disable_unprepare(priv->clk);
 }
 
 static const struct of_device_id uniphier_spi_match[] = {




* [PATCH 7.0 320/378] thunderbolt: Reject zero-length property entries in validator
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (317 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 319/378] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 321/378] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream.

tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types.  A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:

  property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to
the allocation.

Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -60,6 +60,8 @@ static bool tb_property_entry_valid(cons
 	case TB_PROPERTY_TYPE_DIRECTORY:
 	case TB_PROPERTY_TYPE_DATA:
 	case TB_PROPERTY_TYPE_TEXT:
+		if (!entry->length)
+			return false;
 		if (entry->length > block_len)
 			return false;
 		if (check_add_overflow(entry->value, entry->length, &end) ||
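Review bot: the new !entry->length test sits directly above the entry->length > block_len test and has the same outcome, so the two could be one condition: if (!entry->length || entry->length > block_len). The write quoted in the commit message, property->value.text[property->length * 4 - 1] = '\0', is not touched here and stays safe only as long as every entry reaches it through this validator; a comment at that write naming the dependency would help.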




* [PATCH 6.1 404/522] spi: uniphier: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (402 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 403/522] spi: uniphier: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 405/522] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Keiji Hayashibara, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 0245435f777264ac45945ed2f325dd095a41d1af ]

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.

Note that clocks were also disabled before the recent commit
fdca270f8f87 ("spi: uniphier: Simplify clock handling with
devm_clk_get_enabled()").

Fixes: 5ba155a4d4cc ("spi: add SPI controller driver for UniPhier SoC")
Cc: stable@vger.kernel.org	# 4.19
Cc: Keiji Hayashibara <hayashibara.keiji@socionext.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-25-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -747,7 +747,7 @@ static int uniphier_spi_probe(struct pla
 
 	host->max_dma_len = min(dma_tx_burst, dma_rx_burst);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto out_release_dma;
 
@@ -772,10 +772,16 @@ static void uniphier_spi_remove(struct p
 {
 	struct spi_controller *host = platform_get_drvdata(pdev);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	if (host->dma_tx)
 		dma_release_channel(host->dma_tx);
 	if (host->dma_rx)
 		dma_release_channel(host->dma_rx);
+
+	spi_controller_put(host);
 }
 
 static const struct of_device_id uniphier_spi_match[] = {
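Review bot: the spi_controller_get()/spi_controller_put() pair around spi_unregister_controller() in uniphier_spi_remove() has no comment, and its purpose is easy to miss: host->dma_tx and host->dma_rx are read after the unregister call, so the extra reference is presumably what keeps host valid until then. A one-line comment would stop the pair from being removed as redundant. The probe error path also sets host->dma_tx and host->dma_rx to NULL after dma_release_channel() while remove() does not; harmless here, but the two paths could share one helper.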




* [PATCH 7.0 321/378] thunderbolt: Bound root directory content to block size
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (318 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 320/378] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 322/378] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream.

__tb_property_parse_dir() does not check that content_offset +
content_len fits within block_len for the root directory case.
When rootdir->length equals or exceeds block_len - 2, the entry
loop reads past the allocated property block.

Add a bounds check after computing content_offset and content_len
to reject directories whose content extends past the block.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -187,6 +187,10 @@ static struct tb_property_dir *__tb_prop
 	if (is_root) {
 		content_offset = dir_offset + 2;
 		content_len = dir_len;
+		if (content_offset + content_len > block_len) {
+			tb_property_free_dir(dir);
+			return NULL;
+		}
 	} else {
 		if (dir_len < 4) {
 			tb_property_free_dir(dir);
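Review bot: the commit message says the overrun happens when rootdir->length equals or exceeds block_len - 2, but the added test content_offset + content_len > block_len rejects only the exceeds case: with content_offset = dir_offset + 2, a length of exactly block_len - 2 at dir_offset 0 still passes. Please confirm which is intended and align the message or the comparison. The sum is also formed with plain addition, whereas tb_property_entry_valid() in the same file uses check_add_overflow() for its range check; the same helper here would rule out wraparound regardless of the operand types.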




* [PATCH 6.1 405/522] mm/hugetlb_cma: round up per_node before logging it
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (403 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 404/522] spi: uniphier: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 406/522] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sang-Heon Jeon, Muchun Song,
	David Hildenbrand, Oscar Salvador, Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sang-Heon Jeon <ekffu200098@gmail.com>

[ Upstream commit 8f5ce56b76303c55b78a87af996e2e0f8535f979 ]

When the user requests a total hugetlb CMA size without per-node
specification, hugetlb_cma_reserve() computes per_node from
hugetlb_cma_size and the number of nodes that have memory

        per_node = DIV_ROUND_UP(hugetlb_cma_size,
                                nodes_weight(hugetlb_bootmem_nodes));

The reservation loop later computes

        size = round_up(min(per_node, hugetlb_cma_size - reserved),
                          PAGE_SIZE << order);

So the actually reserved per_node size is a multiple of (PAGE_SIZE <<
order), but the logged per_node is not rounded up, so it may be smaller
than the actual reserved size.

For example, as the existing comment describes, if a 3 GB area is
requested on a machine with 4 NUMA nodes that have memory, 1 GB is
allocated on the first three nodes, but the printed log is

        hugetlb_cma: reserve 3072 MiB, up to 768 MiB per node

Round per_node up to (PAGE_SIZE << order) before logging so that the
printed log always matches the actual reserved size.  No functional change
to the actual reservation size, as the following case analysis shows

1. remaining (hugetlb_cma_size - reserved) >= rounded per_node
 - AS-IS: min() picks unrounded per_node;
    round_up() returns rounded per_node
 - TO-BE: min() picks rounded per_node;
    round_up() returns rounded per_node (no-op)
2. remaining < unrounded per_node
 - AS-IS: min() picks remaining;
    round_up() returns round_up(remaining)
 - TO-BE: min() picks remaining;
    round_up() returns round_up(remaining)
3. unrounded per_node <= remaining < rounded per_node
 - AS-IS: min() picks unrounded per_node;
    round_up() returns rounded per_node
 - TO-BE: min() picks remaining;
    round_up() returns round_up(remaining) equals rounded per_node

Link: https://lore.kernel.org/20260422143353.852257-1-ekffu200098@gmail.com
Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") # 5.7
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ applied the single-line addition to mm/hugetlb.c since mm/hugetlb_cma.c didn't exist yet in 6.12 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7705,6 +7705,7 @@ void __init hugetlb_cma_reserve(int orde
 		 * let's allocate 1 GB on first three nodes and ignore the last one.
 		 */
 		per_node = DIV_ROUND_UP(hugetlb_cma_size, nr_online_nodes);
+		per_node = round_up(per_node, PAGE_SIZE << order);
 		pr_info("hugetlb_cma: reserve %lu MiB, up to %lu MiB per node\n",
 			hugetlb_cma_size / SZ_1M, per_node / SZ_1M);
 	}
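Review bot: the bracketed backport note says mm/hugetlb_cma.c "didn't exist yet in 6.12", but this is the 6.1 queue; the note should name the tree the change was adapted for. The context here also divides by nr_online_nodes where the upstream message shows nodes_weight(hugetlb_bootmem_nodes), so the three-case analysis in the message carries over only if the reservation loop in this tree has the same min()/round_up() form; it is worth stating that this was checked against the 6.1 loop.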




* [PATCH 7.0 322/378] thunderbolt: Clamp XDomain response data copy to allocation size
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (319 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 321/378] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 323/378] thunderbolt: Validate XDomain request packet size before type cast Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream.

tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer.  A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.

Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/xdomain.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(str
 			}
 		}
 
+		if (req.offset + len > data_len)
+			len = data_len - req.offset;
 		memcpy(data + req.offset, res->data, len * 4);
 		req.offset += len;
 	} while (!data_len || req.offset < data_len);
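Review bot: when req.offset + len > data_len the copy is silently truncated and the loop then ends as if the transfer had succeeded, although the commit message describes this case as a malicious peer. Consider failing the request with an error instead of clamping, or at least logging it, so that a response whose length field disagrees with the declared data_length is not parsed as valid properties. Also, given the loop condition !data_len || req.offset < data_len, is a declared data_length of 0 rejected above this hunk? If not, len is clamped to 0 here, req.offset never advances, and the loop does not terminate.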




* [PATCH 6.1 406/522] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (404 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 405/522] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 407/522] spi: microchip-core-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pavitra Jha, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavitra Jha <jhapavitra98@gmail.com>

[ Upstream commit 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 ]

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
a loop bound over port_msg->data[] without checking that the message buffer
contains sufficient data. A modem sending port_count=65535 in a 12-byte
buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header
fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
remaining-buffer check before accessing data_len, validate feat_data_len
against the actual remaining buffer to prevent OOB reads and signed
integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after
skb_pull(), and the validated feat_data_len at the handshake path.

Fixes: da45d2566a1d ("net: wwan: t7xx: Add control port")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Link: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wwan/t7xx/t7xx_modem_ops.c     |   17 +++++++++++++++--
 drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c |   18 ++++++++++++++++--
 drivers/net/wwan/t7xx/t7xx_port_proxy.h    |    2 +-
 3 files changed, 32 insertions(+), 5 deletions(-)

--- a/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+++ b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
@@ -415,8 +415,20 @@ static int t7xx_parse_host_rt_data(struc
 
 	offset = sizeof(struct feature_query);
 	for (i = 0; i < FEATURE_COUNT && offset < data_length; i++) {
+		size_t remaining = data_length - offset;
+		size_t feat_data_len, feat_total;
+
+		if (remaining < sizeof(*rt_feature))
+			break;
+
 		rt_feature = data + offset;
-		offset += sizeof(*rt_feature) + le32_to_cpu(rt_feature->data_len);
+		feat_data_len = le32_to_cpu(rt_feature->data_len);
+
+		if (feat_data_len > remaining - sizeof(*rt_feature))
+			break;
+
+		feat_total = sizeof(*rt_feature) + feat_data_len;
+		offset += feat_total;
 
 		ft_spt_cfg = FIELD_GET(FEATURE_MSK, core->feature_set[i]);
 		if (ft_spt_cfg != MTK_FEATURE_MUST_BE_SUPPORTED)
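
Review bot: both new "break" statements in the for loop leave the parser on a truncated or oversized feature record, and the function then falls through to "return 0", so malformed runtime data is reported as success and any later feature marked MTK_FEATURE_MUST_BE_SUPPORTED is never examined. Returning -EINVAL from these two checks would match the existing error return in the loop. feat_total is used only once and could be folded into the "offset +=" line.
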
@@ -427,7 +439,8 @@ static int t7xx_parse_host_rt_data(struc
 			return -EINVAL;
 
 		if (i == RT_ID_MD_PORT_ENUM)
-			t7xx_port_enum_msg_handler(ctl->md, rt_feature->data);
+			t7xx_port_enum_msg_handler(ctl->md, rt_feature->data,
+						   feat_data_len);
 	}
 
 	return 0;
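
Review bot: the return value of t7xx_port_enum_msg_handler() is discarded at this call site, so the -EINVAL added for short messages never reaches the caller on the handshake path and parsing ends with "return 0". Suggest capturing it in a local and returning it when non-zero, as the control_msg_handler() call site does with ret.
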
--- a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
+++ b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
@@ -117,6 +117,7 @@ static int fsm_ee_message_handler(struct
  * t7xx_port_enum_msg_handler() - Parse the port enumeration message to create/remove nodes.
  * @md: Modem context.
  * @msg: Message.
+ * @msg_len:	Length of @msg in bytes.
  *
  * Used to control create/remove device node.
  *
@@ -124,12 +125,18 @@ static int fsm_ee_message_handler(struct
  * * 0		- Success.
  * * -EFAULT	- Message check failure.
  */
-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg)
+int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len)
 {
 	struct device *dev = &md->t7xx_dev->pdev->dev;
 	unsigned int version, port_count, i;
 	struct port_msg *port_msg = msg;
 
+	if (msg_len < sizeof(*port_msg)) {
+		dev_err(dev, "Port enum msg too short for header: need %zu, have %zu\n",
+			sizeof(*port_msg), msg_len);
+		return -EINVAL;
+	}
+
 	version = FIELD_GET(PORT_MSG_VERSION, le32_to_cpu(port_msg->info));
 	if (version != PORT_ENUM_VER ||
 	    le32_to_cpu(port_msg->head_pattern) != PORT_ENUM_HEAD_PATTERN ||
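
Review bot: the new header-length check returns -EINVAL, but the kernel-doc Return section just above still lists only 0 and -EFAULT. Please add -EINVAL to the documented return values. The added "@msg_len:" line also uses a tab after the colon where @md and @msg use a space.
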
@@ -141,6 +148,13 @@ int t7xx_port_enum_msg_handler(struct t7
 	}
 
 	port_count = FIELD_GET(PORT_MSG_PRT_CNT, le32_to_cpu(port_msg->info));
+
+	if (msg_len < struct_size(port_msg, data, port_count)) {
+		dev_err(dev, "Port enum msg too short: need %zu, have %zu\n",
+			struct_size(port_msg, data, port_count), msg_len);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < port_count; i++) {
 		u32 port_info = le32_to_cpu(port_msg->data[i]);
 		unsigned int ch_id;
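
Review bot: struct_size(port_msg, data, port_count) is evaluated twice, once in the comparison and once in the dev_err() arguments; computing it once into a size_t local keeps the check and the message in step. Since both dev_err() calls in this function are triggered by modem-supplied contents, a rate-limited variant would keep a misbehaving modem from flooding the log.
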
@@ -187,7 +201,7 @@ static int control_msg_handler(struct t7
 
 	case CTL_ID_PORT_ENUM:
 		skb_pull(skb, sizeof(*ctrl_msg_h));
-		ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data);
+		ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data, skb->len);
 		if (!ret)
 			ret = port_ctl_send_msg_to_md(port, CTL_ID_PORT_ENUM, 0);
 		else
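
Review bot: skb->len is passed as msg_len right after skb_pull(), but the return value of skb_pull() is not checked in these lines. If the skb can be shorter than sizeof(*ctrl_msg_h) here, the pull does nothing and the handler would parse the control header as a port_msg using the unpulled length; please confirm an earlier length check covers this or test the skb_pull() result. The (struct port_msg *) cast is unnecessary now that the parameter is void *.
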
--- a/drivers/net/wwan/t7xx/t7xx_port_proxy.h
+++ b/drivers/net/wwan/t7xx/t7xx_port_proxy.h
@@ -91,7 +91,7 @@ void t7xx_port_proxy_reset(struct port_p
 void t7xx_port_proxy_uninit(struct port_proxy *port_prox);
 int t7xx_port_proxy_init(struct t7xx_modem *md);
 void t7xx_port_proxy_md_status_notify(struct port_proxy *port_prox, unsigned int state);
-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg);
+int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len);
 int t7xx_port_proxy_chl_enable_disable(struct port_proxy *port_prox, unsigned int ch_id,
 				       bool en_flag);
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 323/378] thunderbolt: Validate XDomain request packet size before type cast
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (320 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 322/378] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 324/378] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a504b9f2797b739e0304d537e8aa4ce883ecce39 upstream.

tb_xdp_handle_request() casts the received packet buffer to
protocol-specific structs without verifying that the allocation
is large enough for the target type.  A peer can send a minimal
XDomain packet that passes the generic header length check but is
shorter than the struct accessed after the cast, causing out-of-
bounds reads from the kmemdup allocation.

Plumb the packet length through xdomain_request_work and validate
it against the expected struct size before each cast.

Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/xdomain.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -55,6 +55,7 @@ static const char * const state_names[]
 struct xdomain_request_work {
 	struct work_struct work;
 	struct tb_xdp_header *pkg;
+	size_t pkg_len;
 	struct tb *tb;
 };
 
@@ -733,6 +734,7 @@ static void tb_xdp_handle_request(struct
 	struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
 	const struct tb_xdp_header *pkg = xw->pkg;
 	const struct tb_xdomain_header *xhdr = &pkg->xd_hdr;
+	size_t pkg_len = xw->pkg_len;
 	struct tb *tb = xw->tb;
 	struct tb_ctl *ctl = tb->ctl;
 	struct tb_xdomain *xd;
@@ -764,7 +766,7 @@ static void tb_xdp_handle_request(struct
 	switch (pkg->type) {
 	case PROPERTIES_REQUEST:
 		tb_dbg(tb, "%llx: received XDomain properties request\n", route);
-		if (xd) {
+		if (xd && pkg_len >= sizeof(struct tb_xdp_properties)) {
 			ret = tb_xdp_properties_response(tb, ctl, xd, sequence,
 				(const struct tb_xdp_properties *)pkg);
 		}
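
Review bot: a PROPERTIES_REQUEST shorter than struct tb_xdp_properties now takes the same path as a missing xd, after the "received XDomain properties request" debug line has already been printed, so the log cannot distinguish a truncated packet from an unknown peer. Suggest a separate tb_dbg() for the short-packet case, and confirm that the value ret holds on that path produces the intended reply to the peer. The same applies to the link state change case in the next hunk.
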
@@ -818,7 +820,8 @@ static void tb_xdp_handle_request(struct
 		tb_dbg(tb, "%llx: received XDomain link state change request\n",
 		       route);
 
-		if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH) {
+		if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH &&
+		    pkg_len >= sizeof(struct tb_xdp_link_state_change)) {
 			const struct tb_xdp_link_state_change *lsc =
 				(const struct tb_xdp_link_state_change *)pkg;
 
@@ -870,6 +873,7 @@ tb_xdp_schedule_request(struct tb *tb, c
 		kfree(xw);
 		return false;
 	}
+	xw->pkg_len = size;
 	xw->tb = tb_domain_get(tb);
 
 	schedule_work(&xw->work);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 407/522] spi: microchip-core-qspi: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (405 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 406/522] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 408/522] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Conor Dooley,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit e4cf312d6db2941b8267de6e094312afc1b523ee ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230303172041.2103336-37-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: e6464140d439 ("spi: microchip-core-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -567,7 +567,7 @@ out:
 	return ret;
 }
 
-static int mchp_coreqspi_remove(struct platform_device *pdev)
+static void mchp_coreqspi_remove(struct platform_device *pdev)
 {
 	struct mchp_coreqspi *qspi = platform_get_drvdata(pdev);
 	u32 control = readl_relaxed(qspi->regs + REG_CONTROL);
@@ -576,8 +576,6 @@ static int mchp_coreqspi_remove(struct p
 	control &= ~CONTROL_ENABLE;
 	writel_relaxed(control, qspi->regs + REG_CONTROL);
 	clk_disable_unprepare(qspi->clk);
-
-	return 0;
 }
 
 static const struct of_device_id mchp_coreqspi_of_match[] = {
@@ -592,7 +590,7 @@ static struct platform_driver mchp_coreq
 		.name = "microchip,coreqspi",
 		.of_match_table = mchp_coreqspi_of_match,
 	},
-	.remove = mchp_coreqspi_remove,
+	.remove_new = mchp_coreqspi_remove,
 };
 module_platform_driver(mchp_coreqspi_driver);
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 324/378] thunderbolt: Limit XDomain response copy to actual frame size
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (321 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 323/378] thunderbolt: Validate XDomain request packet size before type cast Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 325/378] slimbus: qcom-ngd-ctrl: fix OF node refcount Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream.

tb_xdomain_copy() copies req->response_size bytes from the received
packet buffer regardless of the actual frame size.  When a short
response arrives, this reads past the valid frame data in the DMA
pool buffer into stale contents from previous transactions.

Use the minimum of frame size and expected response size for the
copy length.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/xdomain.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -123,7 +123,9 @@ static bool tb_xdomain_match(const struc
 static bool tb_xdomain_copy(struct tb_cfg_request *req,
 			    const struct ctl_pkg *pkg)
 {
-	memcpy(req->response, pkg->buffer, req->response_size);
+	size_t len = min_t(size_t, pkg->frame.size, req->response_size);
+
+	memcpy(req->response, pkg->buffer, len);
 	req->result.err = 0;
 	return true;
 }
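
Review bot: when pkg->frame.size is smaller than req->response_size, only len bytes of req->response are written, yet req->result.err is still set to 0 and the function returns true, so the caller cannot tell that the tail of its response buffer was not filled. Suggest zeroing the remainder of req->response or reporting the short frame as an error, and noting in a comment which of the two the callers expect.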



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 408/522] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (406 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 407/522] spi: microchip-core-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 409/522] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Li Zetao,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Zetao <lizetao1@huawei.com>

[ Upstream commit e922f3fff21445117e9196bd8e940ad8e15ca8c7 ]

Since commit 7ef9651e9792 ("clk: Provide new devm_clk helpers for prepared
and enabled clocks"), devm_clk_get() and clk_prepare_enable() can now be
replaced by devm_clk_get_enabled() when driver enables (and possibly
prepares) the clocks for the whole lifetime of the device. Moreover, it is
no longer necessary to unprepare and disable the clocks explicitly.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Link: https://lore.kernel.org/r/20230823133938.1359106-18-lizetao1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: e6464140d439 ("spi: microchip-core-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   29 +++++++----------------------
 1 file changed, 7 insertions(+), 22 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -519,30 +519,23 @@ static int mchp_coreqspi_probe(struct pl
 		return dev_err_probe(&pdev->dev, PTR_ERR(qspi->regs),
 				     "failed to map registers\n");
 
-	qspi->clk = devm_clk_get(&pdev->dev, NULL);
+	qspi->clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(qspi->clk))
 		return dev_err_probe(&pdev->dev, PTR_ERR(qspi->clk),
 				     "could not get clock\n");
 
-	ret = clk_prepare_enable(qspi->clk);
-	if (ret)
-		return dev_err_probe(&pdev->dev, ret,
-				     "failed to enable clock\n");
-
 	init_completion(&qspi->data_completion);
 	mutex_init(&qspi->op_lock);
 
 	qspi->irq = platform_get_irq(pdev, 0);
-	if (qspi->irq < 0) {
-		ret = qspi->irq;
-		goto out;
-	}
+	if (qspi->irq < 0)
+		return qspi->irq;
 
 	ret = devm_request_irq(&pdev->dev, qspi->irq, mchp_coreqspi_isr,
 			       IRQF_SHARED, pdev->name, qspi);
 	if (ret) {
 		dev_err(&pdev->dev, "request_irq failed %d\n", ret);
-		goto out;
+		return ret;
 	}
 
 	ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
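
Review bot: after the switch to devm_clk_get_enabled(), the "could not get clock" message is also what gets printed when preparing or enabling the clock fails, since the separate "failed to enable clock" path is removed. Rewording it to cover both cases would keep the probe log accurate. The request_irq failure still uses dev_err() plus a plain return; with the goto gone it could use dev_err_probe() like the neighbouring paths.
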
@@ -553,18 +546,11 @@ static int mchp_coreqspi_probe(struct pl
 	ctlr->dev.of_node = np;
 
 	ret = devm_spi_register_controller(&pdev->dev, ctlr);
-	if (ret) {
-		dev_err_probe(&pdev->dev, ret,
-			      "spi_register_controller failed\n");
-		goto out;
-	}
+	if (ret)
+		return dev_err_probe(&pdev->dev, ret,
+				     "spi_register_controller failed\n");
 
 	return 0;
-
-out:
-	clk_disable_unprepare(qspi->clk);
-
-	return ret;
 }
 
 static void mchp_coreqspi_remove(struct platform_device *pdev)
@@ -575,7 +561,6 @@ static void mchp_coreqspi_remove(struct
 	mchp_coreqspi_disable_ints(qspi);
 	control &= ~CONTROL_ENABLE;
 	writel_relaxed(control, qspi->regs + REG_CONTROL);
-	clk_disable_unprepare(qspi->clk);
 }
 
 static const struct of_device_id mchp_coreqspi_of_match[] = {



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 325/378] slimbus: qcom-ngd-ctrl: fix OF node refcount
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (322 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 324/378] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 326/378] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski,
	Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit 120134fe75c6b0ae38f14eb8b548ad1e5761f912 upstream.

Platform devices created with platform_device_alloc() call
platform_device_release() when the last reference to the device's
kobject is dropped. This function calls of_node_put() unconditionally.
This works fine for devices created with platform_device_register_full()
but users of the split approach (platform_device_alloc() +
platform_device_add()) must bump the reference of the of_node they
assign manually. Add the missing call to of_node_get().

Cc: stable@vger.kernel.org
Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1542,7 +1542,7 @@ static int of_qcom_slim_ngd_register(str
 			kfree(ngd);
 			return ret;
 		}
-		ngd->pdev->dev.of_node = node;
+		ngd->pdev->dev.of_node = of_node_get(node);
 		ctrl->ngd = ngd;
 
 		ret = platform_device_add(ngd->pdev);
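
Review bot: the reference taken by of_node_get(node) is only released through the platform device's release function, so the failure path of the platform_device_add() call that follows must end in platform_device_put() for the count to balance. That path is outside this hunk, and the earlier failure path visible here uses kfree(ngd) and a plain return; please confirm the later one drops the device reference.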



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 409/522] spi: microchip-core-qspi: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (407 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 408/522] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 410/522] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naga Sureshkumar Relli, Johan Hovold,
	Conor Dooley, Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit e6464140d439f2d42f072eb422a5b1fec470c5a6 ]

Make sure to deregister the controller before disabling underlying
resources like interrupts during driver unbind.

Fixes: 8596124c4c1b ("spi: microchip-core-qspi: Add support for microchip fpga qspi controllers")
Cc: stable@vger.kernel.org	# 6.1
Cc: Naga Sureshkumar Relli <nagasuresh.relli@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260409120419.388546-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -512,7 +512,7 @@ static int mchp_coreqspi_probe(struct pl
 				     "unable to allocate master for QSPI controller\n");
 
 	qspi = spi_controller_get_devdata(ctlr);
-	platform_set_drvdata(pdev, qspi);
+	platform_set_drvdata(pdev, ctlr);
 
 	qspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(qspi->regs))
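
Review bot: platform_set_drvdata() now stores ctlr instead of qspi, and this patch updates only mchp_coreqspi_remove() to match. Any other platform_get_drvdata() or dev_get_drvdata() user in the driver would now receive a struct spi_controller pointer where it expects struct mchp_coreqspi; please confirm there are none in the 6.1 tree this is being backported to.
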
@@ -545,7 +545,7 @@ static int mchp_coreqspi_probe(struct pl
 			  SPI_TX_DUAL | SPI_TX_QUAD;
 	ctlr->dev.of_node = np;
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret)
 		return dev_err_probe(&pdev->dev, ret,
 				     "spi_register_controller failed\n");
@@ -555,9 +555,13 @@ static int mchp_coreqspi_probe(struct pl
 
 static void mchp_coreqspi_remove(struct platform_device *pdev)
 {
-	struct mchp_coreqspi *qspi = platform_get_drvdata(pdev);
-	u32 control = readl_relaxed(qspi->regs + REG_CONTROL);
+	struct spi_controller *ctlr = platform_get_drvdata(pdev);
+	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
+	u32 control;
 
+	spi_unregister_controller(ctlr);
+
+	control = readl_relaxed(qspi->regs + REG_CONTROL);
 	mchp_coreqspi_disable_ints(qspi);
 	control &= ~CONTROL_ENABLE;
 	writel_relaxed(control, qspi->regs + REG_CONTROL);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 326/378] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (323 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 325/378] slimbus: qcom-ngd-ctrl: fix OF node refcount Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 327/378] slimbus: qcom-ngd-ctrl: Fix probe error path ordering Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Mukesh Ojha,
	Bjorn Andersson, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 8663e8334d7b6007f5d8a4e5dd270246f35107a6 upstream.

Device drivers should not invoke platform_driver_register()/unregister()
in their probe and remove paths. They should further not rely on
platform_driver_unregister() as their only means of "deleting" their
child devices.

Introduce a helper to unregister the child device and move the
platform_driver_register()/unregister() to module_init()/exit().

Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |   36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1560,6 +1560,13 @@ static int of_qcom_slim_ngd_register(str
 	return -ENODEV;
 }
 
+static void qcom_slim_ngd_unregister(struct qcom_slim_ngd_ctrl *ctrl)
+{
+	struct qcom_slim_ngd *ngd = ctrl->ngd;
+
+	platform_device_del(ngd->pdev);
+}
+
 static int qcom_slim_ngd_probe(struct platform_device *pdev)
 {
 	struct device *dev = &pdev->dev;
@@ -1662,7 +1669,6 @@ static int qcom_slim_ngd_ctrl_probe(stru
 		goto err_pdr_lookup;
 	}
 
-	platform_driver_register(&qcom_slim_ngd_driver);
 	return of_qcom_slim_ngd_register(dev, ctrl);
 
 err_pdr_alloc:
@@ -1676,7 +1682,9 @@ err_pdr_lookup:
 
 static void qcom_slim_ngd_ctrl_remove(struct platform_device *pdev)
 {
-	platform_driver_unregister(&qcom_slim_ngd_driver);
+	struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
+	qcom_slim_ngd_unregister(ctrl);
 }
 
 static void qcom_slim_ngd_remove(struct platform_device *pdev)
@@ -1752,6 +1760,28 @@ static struct platform_driver qcom_slim_
 	},
 };
 
-module_platform_driver(qcom_slim_ngd_ctrl_driver);
+static int qcom_slim_ngd_init(void)
+{
+	int ret;
+
+	ret = platform_driver_register(&qcom_slim_ngd_driver);
+	if (ret)
+		return ret;
+
+	ret = platform_driver_register(&qcom_slim_ngd_ctrl_driver);
+	if (ret)
+		platform_driver_unregister(&qcom_slim_ngd_driver);
+
+	return ret;
+}
+
+static void qcom_slim_ngd_exit(void)
+{
+	platform_driver_unregister(&qcom_slim_ngd_ctrl_driver);
+	platform_driver_unregister(&qcom_slim_ngd_driver);
+}
+
+module_init(qcom_slim_ngd_init);
+module_exit(qcom_slim_ngd_exit);
 MODULE_LICENSE("GPL v2");
 MODULE_DESCRIPTION("Qualcomm SLIMBus NGD controller");
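
Review bot: qcom_slim_ngd_init() and qcom_slim_ngd_exit() are missing the __init and __exit annotations that module_init()/module_exit() functions normally carry. The register order (qcom_slim_ngd_driver first, then qcom_slim_ngd_ctrl_driver) and the reversed unregister order look right; a short comment saying the child driver must be registered before the controller can create its device would document why.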



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 410/522] fbcon: Avoid OOB font access if console rotation fails
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (408 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 409/522] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 411/522] spi: topcliff-pch: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

[ Upstream commit e4ef723d8975a2694cc90733a6b888a5e2841842 ]

Clear the font buffer if the reallocation during console rotation fails
in fbcon_rotate_font(). The putcs implementations for the rotated buffer
will return early in this case. See [1] for an example.

Currently, fbcon_rotate_font() keeps the old buffer, which is too small
for the rotated font. Printing to the rotated console with a high-enough
character code will overflow the font buffer.

v2:
- fix typos in commit message

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 6cc50e1c5b57 ("[PATCH] fbcon: Console Rotation - Add support to rotate font bitmap")
Cc: stable@vger.kernel.org # v2.6.15+
Link: https://elixir.bootlin.com/linux/v6.19/source/drivers/video/fbdev/core/fbcon_ccw.c#L144 # [1]
Signed-off-by: Helge Deller <deller@gmx.de>
[ renamed `par` to `ops` to match the 6.12 local pointer name ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fbcon_rotate.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/core/fbcon_rotate.c
+++ b/drivers/video/fbdev/core/fbcon_rotate.c
@@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_i
 		info->fbops->fb_sync(info);
 
 	if (ops->fd_size < d_cellsize * len) {
+		kfree(ops->fontbuffer);
+		ops->fontbuffer = NULL;
+		ops->fd_size = 0;
+
 		dst = kmalloc_array(len, d_cellsize, GFP_KERNEL);
 
 		if (dst == NULL) {
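
Review bot: ops->fontbuffer is now freed and set to NULL before kmalloc_array() is attempted, so after a failed allocation every reader of ops->fontbuffer sees NULL with fd_size 0. The commit message covers the putcs implementations; please confirm the other rotated-console paths that index the font buffer also return early on NULL. A one-line comment above the kfree() explaining that the old buffer is dropped first because it is too small for the rotated font would make the ordering obvious to later readers.
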
@@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_i
 		}
 
 		ops->fd_size = d_cellsize * len;
-		kfree(ops->fontbuffer);
 		ops->fontbuffer = dst;
 	}
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 327/378] slimbus: qcom-ngd-ctrl: Fix probe error path ordering
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (324 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 326/378] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 328/378] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Mukesh Ojha,
	Bjorn Andersson, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 2c22ff152d380ec3d3af099fa05d0ac5ca9b4c1e upstream.

qcom_slim_ngd_ctrl_probe() first registers the SSR callback then
allocates the PDR context, as such the error path needs to come in
opposite order to allow us to unroll each step.

Fixes: 16f14551d0df ("slimbus: qcom-ngd: cleanup in probe error path")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-4-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1660,22 +1660,21 @@ static int qcom_slim_ngd_ctrl_probe(stru
 	if (IS_ERR(ctrl->pdr)) {
 		ret = dev_err_probe(dev, PTR_ERR(ctrl->pdr),
 				    "Failed to init PDR handle\n");
-		goto err_pdr_alloc;
+		goto err_unregister_ssr;
 	}
 
 	pds = pdr_add_lookup(ctrl->pdr, "avs/audio", "msm/adsp/audio_pd");
 	if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
 		ret = dev_err_probe(dev, PTR_ERR(pds), "pdr add lookup failed\n");
-		goto err_pdr_lookup;
+		goto err_pdr_release;
 	}
 
 	return of_qcom_slim_ngd_register(dev, ctrl);
 
-err_pdr_alloc:
-	qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
-
-err_pdr_lookup:
+err_pdr_release:
 	pdr_handle_release(ctrl->pdr);
+err_unregister_ssr:
+	qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
 
 	return ret;
 }
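
Review bot: the success path still ends in return of_qcom_slim_ngd_register(dev, ctrl), so a failure from that call skips both new labels and leaves the PDR handle allocated and the SSR notifier registered. Capture the result in ret and goto err_pdr_release when it is non-zero, so the reordered unwind also covers the last step of probe.
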




* [PATCH 6.1 411/522] spi: topcliff-pch: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (409 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 410/522] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 412/522] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit b082694f18bdff807b42a3bccc62c3a524168f23 ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230303172041.2103336-83-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 5d6f477d6fc0 ("spi: topcliff-pch: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-topcliff-pch.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1396,7 +1396,7 @@ err_pci_iomap:
 	return ret;
 }
 
-static int pch_spi_pd_remove(struct platform_device *plat_dev)
+static void pch_spi_pd_remove(struct platform_device *plat_dev)
 {
 	struct pch_spi_board_data *board_dat = dev_get_platdata(&plat_dev->dev);
 	struct pch_spi_data *data = platform_get_drvdata(plat_dev);
@@ -1434,8 +1434,6 @@ static int pch_spi_pd_remove(struct plat
 
 	pci_iounmap(board_dat->pdev, data->io_remap_addr);
 	spi_unregister_master(data->master);
-
-	return 0;
 }
 #ifdef CONFIG_PM
 static int pch_spi_pd_suspend(struct platform_device *pd_dev,
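
Review bot: in the context lines of this hunk pci_iounmap(board_dat->pdev, data->io_remap_addr) runs before spi_unregister_master(data->master), so the controller is still registered while its register mapping is already gone. The conversion to void does not change that, but since this patch is queued as a dependency of a deregistration fix, it is worth checking that the follow-up unregisters the controller first.
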
@@ -1516,7 +1514,7 @@ static struct platform_driver pch_spi_pd
 		.name = "pch-spi",
 	},
 	.probe = pch_spi_pd_probe,
-	.remove = pch_spi_pd_remove,
+	.remove_new = pch_spi_pd_remove,
 	.suspend = pch_spi_pd_suspend,
 	.resume = pch_spi_pd_resume
 };
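
Review bot: .remove_new only builds if struct platform_driver in the 6.1 tree already has that member, and nothing in this patch adds it. Please confirm the platform core change that introduced .remove_new is present in linux-6.1.y ahead of this one, otherwise the assignment .remove_new = pch_spi_pd_remove breaks the build.
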




* [PATCH 7.0 328/378] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (325 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 327/378] slimbus: qcom-ngd-ctrl: Fix probe error path ordering Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 329/378] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mukesh Ojha, Bjorn Andersson,
	Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 2a9d50e9ea406e0c8735938484adc20515ef1b47 upstream.

When the remoteproc starts in parallel with the NGD driver being probed,
or the remoteproc is already up when the PDR lookup is being registered,
or in the theoretical event that we get an interrupt from the hardware,
these callbacks will operate on uninitialized data. This results in
issues to boot the affected boards.

One such example can be seen in the following fault, where
qcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.

[   21.858578] ------------[ cut here ]------------
[   21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116
...
[   21.859251] Call trace:
[   21.859255]  __queue_work+0x5e0/0x790 (P)
[   21.859265]  queue_work_on+0x6c/0xf0
[   21.859273]  qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
[   21.859304]  qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]
[   21.859318]  notifier_call_chain+0xa4/0x230
[   21.859329]  srcu_notifier_call_chain+0x64/0xb8
[   21.859338]  ssr_notify_start+0x40/0x78 [qcom_common]
[   21.859355]  rproc_start+0x130/0x230
[   21.859367]  rproc_boot+0x3d4/0x518
...

Move the enablement of interrupts, and the registration of SSR and PDR
until after the NGD device has been registered.

This could be further refined by moving initialization to the control
driver probe and by removing the platform driver model from the picture.

Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Cc: stable@vger.kernel.org
Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-6-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |   47 ++++++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 20 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1609,6 +1609,7 @@ static int qcom_slim_ngd_ctrl_probe(stru
 {
 	struct device *dev = &pdev->dev;
 	struct qcom_slim_ngd_ctrl *ctrl;
+	int irq;
 	int ret;
 	struct pdr_service *pds;
 
@@ -1622,20 +1623,16 @@ static int qcom_slim_ngd_ctrl_probe(stru
 	if (IS_ERR(ctrl->base))
 		return PTR_ERR(ctrl->base);
 
-	ret = platform_get_irq(pdev, 0);
-	if (ret < 0)
-		return ret;
-
-	ret = devm_request_irq(dev, ret, qcom_slim_ngd_interrupt,
-			       IRQF_TRIGGER_HIGH, "slim-ngd", ctrl);
+	irq = platform_get_irq(pdev, 0);
+	if (irq < 0)
+		return irq;
+
+	ret = devm_request_irq(dev, irq, qcom_slim_ngd_interrupt,
+			       IRQF_TRIGGER_HIGH | IRQF_NO_AUTOEN,
+			       "slim-ngd", ctrl);
 	if (ret)
 		return dev_err_probe(&pdev->dev, ret, "request IRQ failed\n");
 
-	ctrl->nb.notifier_call = qcom_slim_ngd_ssr_notify;
-	ctrl->notifier = qcom_register_ssr_notifier("lpass", &ctrl->nb);
-	if (IS_ERR(ctrl->notifier))
-		return PTR_ERR(ctrl->notifier);
-
 	ctrl->dev = dev;
 	ctrl->framer.rootfreq = SLIM_ROOT_FREQ >> 3;
 	ctrl->framer.superfreq =
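
Review bot: the reason for IRQF_NO_AUTOEN is not visible at the devm_request_irq() call, and the matching enable_irq(irq) sits at the far end of probe. A one-line comment here saying the interrupt stays disabled until the NGD is registered would keep a later cleanup from dropping the flag. The error branch also still passes &pdev->dev to dev_err_probe() while devm_request_irq() just above uses the local dev.
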
@@ -1657,24 +1654,34 @@ static int qcom_slim_ngd_ctrl_probe(stru
 	init_completion(&ctrl->qmi_up);
 
 	ctrl->pdr = pdr_handle_alloc(slim_pd_status, ctrl);
-	if (IS_ERR(ctrl->pdr)) {
-		ret = dev_err_probe(dev, PTR_ERR(ctrl->pdr),
-				    "Failed to init PDR handle\n");
-		goto err_unregister_ssr;
-	}
+	if (IS_ERR(ctrl->pdr))
+		return dev_err_probe(dev, PTR_ERR(ctrl->pdr), "Failed to init PDR handle\n");
+
+	ret = of_qcom_slim_ngd_register(dev, ctrl);
+	if (ret)
+		goto err_pdr_release;
 
 	pds = pdr_add_lookup(ctrl->pdr, "avs/audio", "msm/adsp/audio_pd");
 	if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
 		ret = dev_err_probe(dev, PTR_ERR(pds), "pdr add lookup failed\n");
-		goto err_pdr_release;
+		goto err_unregister_ngd;
 	}
 
-	return of_qcom_slim_ngd_register(dev, ctrl);
+	ctrl->nb.notifier_call = qcom_slim_ngd_ssr_notify;
+	ctrl->notifier = qcom_register_ssr_notifier("lpass", &ctrl->nb);
+	if (IS_ERR(ctrl->notifier)) {
+		ret = PTR_ERR(ctrl->notifier);
+		goto err_unregister_ngd;
+	}
+
+	enable_irq(irq);
+
+	return 0;
 
+err_unregister_ngd:
+	qcom_slim_ngd_unregister(ctrl);
 err_pdr_release:
 	pdr_handle_release(ctrl->pdr);
-err_unregister_ssr:
-	qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
 
 	return ret;
 }
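
Review bot: registering the PDR lookup and the SSR notifier after of_qcom_slim_ngd_register() only helps if the state those callbacks touch is initialized by the time that call returns, and this hunk checks nothing beyond its return code. If ngd_up_work is set up in the child device's probe, a child that fails or defers probing leaves the same uninitialized work item for qcom_slim_ngd_ssr_pdr_notify() to queue. Initializing the work items in this function before pdr_add_lookup() would close that window.
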




* [PATCH 6.1 412/522] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (410 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 411/522] spi: topcliff-pch: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 413/522] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yochai Eisenrich, David Sterba,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yochai Eisenrich <yochaie@sweet.security>

[ Upstream commit 973e57c726c1f8e77259d1c8e519519f1e9aea77 ]

btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the allocation size, then the second pass fills the buffer. The
groups_sem rwlock is released between passes, allowing concurrent block
group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted,
copy_to_user() copies the full alloc_size bytes including trailing
uninitialized kmalloc bytes to userspace.

Fix by copying only total_spaces entries (the actually-filled count from
the second pass) instead of alloc_size bytes, and switch to kzalloc so
any future copy size mismatch cannot leak heap data.

Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl")
CC: stable@vger.kernel.org # 3.0
Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ adapted upstream's `return -EFAULT;` to stable's `ret = -EFAULT;` fall-through to existing `out:` cleanup label ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/ioctl.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3977,7 +3977,7 @@ static long btrfs_ioctl_space_info(struc
 		return -ENOMEM;
 
 	space_args.total_spaces = 0;
-	dest = kmalloc(alloc_size, GFP_KERNEL);
+	dest = kzalloc(alloc_size, GFP_KERNEL);
 	if (!dest)
 		return -ENOMEM;
 	dest_orig = dest;
@@ -4033,7 +4033,8 @@ static long btrfs_ioctl_space_info(struc
 	user_dest = (struct btrfs_ioctl_space_info __user *)
 		(arg + sizeof(struct btrfs_ioctl_space_args));
 
-	if (copy_to_user(user_dest, dest_orig, alloc_size))
+	if (copy_to_user(user_dest, dest_orig,
+		 space_args.total_spaces * sizeof(*dest_orig)))
 		ret = -EFAULT;
 
 	kfree(dest_orig);
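
Review bot: the copy length space_args.total_spaces * sizeof(*dest_orig) stays within alloc_size only if the fill loop can never store more entries than the first pass counted, and that invariant is not stated anywhere near the copy_to_user(). A short comment, or clamping the length to alloc_size, would make the bound explicit. The continuation line is also not aligned with the first argument of copy_to_user().
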




* [PATCH 7.0 329/378] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (326 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 328/378] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 330/378] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Mukesh Ojha,
	Bjorn Andersson, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 07c564ea5fb859b7381429de935d5df4781947c6 upstream.

The work structs and work queue are controller resources, create and
destroy them in the controller context. Creating them as part of the
child device's probe path seems to be okay now that the controller's
probe has been updated, but if for some reason the child does not probe
successfully a SSR or PDR notification will schedule_work() on an
uninitialized "ngd_up_work".

Move the initialization of these controller resources to the controller
probe function to avoid any issues, and to clarify the ownership.

Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-7-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |   38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1582,25 +1582,8 @@ static int qcom_slim_ngd_probe(struct pl
 	pm_runtime_enable(dev);
 	pm_runtime_get_noresume(dev);
 	ret = qcom_slim_ngd_qmi_svc_event_init(ctrl);
-	if (ret) {
+	if (ret)
 		dev_err(&pdev->dev, "QMI service registration failed:%d", ret);
-		return ret;
-	}
-
-	INIT_WORK(&ctrl->m_work, qcom_slim_ngd_master_worker);
-	INIT_WORK(&ctrl->ngd_up_work, qcom_slim_ngd_up_worker);
-	ctrl->mwq = create_singlethread_workqueue("ngd_master");
-	if (!ctrl->mwq) {
-		dev_err(&pdev->dev, "Failed to start master worker\n");
-		ret = -ENOMEM;
-		goto wq_err;
-	}
-
-	return 0;
-wq_err:
-	qcom_slim_ngd_qmi_svc_event_deinit(&ctrl->qmi);
-	if (ctrl->mwq)
-		destroy_workqueue(ctrl->mwq);
 
 	return ret;
 }
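
Review bot: after this change a failure of qcom_slim_ngd_qmi_svc_event_init() returns straight out of qcom_slim_ngd_probe() with pm_runtime_enable(dev) and pm_runtime_get_noresume(dev) from the two lines above still in effect. The error branch should undo both before returning. The dev_err() format string "QMI service registration failed:%d" is also missing its trailing newline.
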
@@ -1653,9 +1636,18 @@ static int qcom_slim_ngd_ctrl_probe(stru
 	init_completion(&ctrl->qmi.qmi_comp);
 	init_completion(&ctrl->qmi_up);
 
+	INIT_WORK(&ctrl->m_work, qcom_slim_ngd_master_worker);
+	INIT_WORK(&ctrl->ngd_up_work, qcom_slim_ngd_up_worker);
+
+	ctrl->mwq = create_singlethread_workqueue("ngd_master");
+	if (!ctrl->mwq)
+		return dev_err_probe(dev, -ENOMEM, "Failed to start master worker\n");
+
 	ctrl->pdr = pdr_handle_alloc(slim_pd_status, ctrl);
-	if (IS_ERR(ctrl->pdr))
-		return dev_err_probe(dev, PTR_ERR(ctrl->pdr), "Failed to init PDR handle\n");
+	if (IS_ERR(ctrl->pdr)) {
+		ret = dev_err_probe(dev, PTR_ERR(ctrl->pdr), "Failed to init PDR handle\n");
+		goto err_destroy_mwq;
+	}
 
 	ret = of_qcom_slim_ngd_register(dev, ctrl);
 	if (ret)
@@ -1682,6 +1674,8 @@ err_unregister_ngd:
 	qcom_slim_ngd_unregister(ctrl);
 err_pdr_release:
 	pdr_handle_release(ctrl->pdr);
+err_destroy_mwq:
+	destroy_workqueue(ctrl->mwq);
 
 	return ret;
 }
@@ -1691,6 +1685,8 @@ static void qcom_slim_ngd_ctrl_remove(st
 	struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
 
 	qcom_slim_ngd_unregister(ctrl);
+
+	destroy_workqueue(ctrl->mwq);
 }
 
 static void qcom_slim_ngd_remove(struct platform_device *pdev)
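
Review bot: qcom_slim_ngd_ctrl_remove() now destroys ctrl->mwq, but according to the commit message ngd_up_work is queued with schedule_work(), so destroy_workqueue() does not wait for it. Nothing in this hunk cancels ngd_up_work or stops the SSR/PDR callbacks that queue it before the controller state goes away; a cancel_work_sync(&ctrl->ngd_up_work) once the callbacks are unregistered would cover that.
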
@@ -1703,8 +1699,6 @@ static void qcom_slim_ngd_remove(struct
 	qcom_slim_ngd_enable(ctrl, false);
 	qcom_slim_ngd_exit_dma(ctrl);
 	qcom_slim_ngd_qmi_svc_event_deinit(&ctrl->qmi);
-	if (ctrl->mwq)
-		destroy_workqueue(ctrl->mwq);
 
 	kfree(ctrl->ngd);
 	ctrl->ngd = NULL;




* [PATCH 6.1 413/522] tracing/probes: Limit size of event probe to 3K
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (411 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 412/522] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 414/522] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
	Masami Hiramatsu (Google), Steven Rostedt, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <rostedt@goodmis.org>

[ Upstream commit b2aa3b4d64e460ac606f386c24e7d8a873ce6f1a ]

There currently isn't a max limit an event probe can be. One could make an
event greater than PAGE_SIZE, which makes the event useless because if
it's bigger than the max event that can be recorded into the ring buffer,
then it will never be recorded.

An event probe should never need to be greater than 3K, so make that the
max size. As long as the max is less than the max that can be recorded
onto the ring buffer, it should be fine.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events")
Link: https://patch.msgid.link/20260428122302.706610ba@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[ changed `ctx->offset` to `offset` and `goto fail` to `goto out` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_probe.c |    6 ++++++
 kernel/trace/trace_probe.h |    4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -651,6 +651,12 @@ static int traceprobe_parse_probe_arg_bo
 	parg->offset = *size;
 	*size += parg->type->size * (parg->count ?: 1);
 
+	if (*size > MAX_PROBE_EVENT_SIZE) {
+		ret = -E2BIG;
+		trace_probe_log_err(offset, EVENT_TOO_BIG);
+		goto out;
+	}
+
 	ret = -ENOMEM;
 	if (parg->count) {
 		len = strlen(parg->type->fmttype) + 6;
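
Review bot: the MAX_PROBE_EVENT_SIZE check runs after *size has already been advanced, so on the -E2BIG path the caller is left with a *size above the limit and parg->offset already assigned. That is harmless only if every caller discards the probe on error; comparing the prospective total against the limit before updating *size would avoid depending on that.
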
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -33,6 +33,7 @@
 #define MAX_ARRAY_LEN		64
 #define MAX_ARG_NAME_LEN	32
 #define MAX_STRING_SIZE		PATH_MAX
+#define MAX_PROBE_EVENT_SIZE	3072
 
 /* Reserved field names */
 #define FIELD_STRING_IP		"__probe_ip"
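
Review bot: MAX_PROBE_EVENT_SIZE is a bare 3072 with no comment, while the commit message says the value only works as long as it stays below the largest event the ring buffer can record. A comment on the define, and ideally a compile-time check against the ring buffer limit, would keep that relationship from silently breaking.
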
@@ -458,7 +459,8 @@ extern int traceprobe_define_arg_fields(
 	C(NO_EVENT_INFO,	"This requires both group and event name to attach"),\
 	C(BAD_ATTACH_EVENT,	"Attached event does not exist"),\
 	C(BAD_ATTACH_ARG,	"Attached event does not have this field"),\
-	C(NO_EP_FILTER,		"No filter rule after 'if'"),
+	C(NO_EP_FILTER,		"No filter rule after 'if'"),		\
+	C(EVENT_TOO_BIG,	"Event too big (too many fields?)"),
 
 #undef C
 #define C(a, b)		TP_ERR_##a




* [PATCH 7.0 330/378] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (327 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 329/378] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 331/378] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Mukesh Ojha,
	Bjorn Andersson, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 960b53a3f76fa214c2fc493734ae7b3c5e713bbf upstream.

PDR and SSR callbacks are registered from the controller probe function,
but currently released from the child device's remove function.

The remove() function should only be unwinding what was done in the
same device's probe() function.

Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-5-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1684,6 +1684,9 @@ static void qcom_slim_ngd_ctrl_remove(st
 {
 	struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
 
+	pdr_handle_release(ctrl->pdr);
+	qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
+
 	qcom_slim_ngd_unregister(ctrl);
 
 	destroy_workqueue(ctrl->mwq);
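
Review bot: the teardown added here releases the PDR handle before unregistering the SSR notifier, which is not the reverse of the registration order in qcom_slim_ngd_ctrl_probe() as changed earlier in this series, where pdr_handle_alloc() comes first and qcom_register_ssr_notifier() last. Swapping the two calls so the notifier goes first keeps remove() an exact unwind of probe().
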
@@ -1694,8 +1697,6 @@ static void qcom_slim_ngd_remove(struct
 	struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
 
 	pm_runtime_disable(&pdev->dev);
-	pdr_handle_release(ctrl->pdr);
-	qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
 	qcom_slim_ngd_enable(ctrl, false);
 	qcom_slim_ngd_exit_dma(ctrl);
 	qcom_slim_ngd_qmi_svc_event_deinit(&ctrl->qmi);




* [PATCH 6.1 414/522] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (412 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 413/522] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 415/522] btrfs: fix double free in create_space_info_sub_group() error path Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Filipe Manana,
	David Sterba, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

[ Upstream commit 771af6ff72e0ed0eb8bf97e5ae4fa5094e0c5d1d ]

We don't need it since we can grab fs_info from the given space_info.
So remove the fs_info argument.

Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: a7449edf9614 ("btrfs: fix double free in create_space_info_sub_group() error path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/space-info.c |    4 ++--
 fs/btrfs/sysfs.c      |    5 ++---
 fs/btrfs/sysfs.h      |    3 +--
 3 files changed, 5 insertions(+), 7 deletions(-)

--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -259,7 +259,7 @@ static int create_space_info_sub_group(s
 	sub_group->parent = parent;
 	sub_group->subgroup_id = id;
 
-	ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
+	ret = btrfs_sysfs_add_space_info_type(sub_group);
 	if (ret) {
 		kfree(sub_group);
 		parent->sub_group[index] = NULL;
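
Review bot: the unchanged error branch here calls kfree(sub_group) after btrfs_sysfs_add_space_info_type() fails, while the sysfs.c hunk of this same patch shows that function already doing kobject_put(&space_info->kobj) on failure. This refactor keeps that double release in place, so it should only go in together with the follow-up fix it is a dependency of.
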
@@ -288,7 +288,7 @@ static int create_space_info(struct btrf
 			goto out_free;
 	}
 
-	ret = btrfs_sysfs_add_space_info_type(info, space_info);
+	ret = btrfs_sysfs_add_space_info_type(space_info);
 	if (ret)
 		return ret;
 
--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -1618,13 +1618,12 @@ static const char *alloc_name(struct btr
  * Create a sysfs entry for a space info type at path
  * /sys/fs/btrfs/UUID/allocation/TYPE
  */
-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
-				    struct btrfs_space_info *space_info)
+int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info)
 {
 	int ret;
 
 	ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
-				   fs_info->space_info_kobj, "%s",
+				   space_info->fs_info->space_info_kobj, "%s",
 				   alloc_name(space_info));
 	if (ret) {
 		kobject_put(&space_info->kobj);
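
Review bot: btrfs_sysfs_add_space_info_type() now dereferences space_info->fs_info instead of taking fs_info from the caller, so both call sites must have set that field before calling. The create_space_info_sub_group() context in this patch shows only parent and subgroup_id being assigned ahead of the call; please confirm fs_info is populated for the sub-group as well, otherwise the kobject_init_and_add() argument is a NULL dereference.
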
--- a/fs/btrfs/sysfs.h
+++ b/fs/btrfs/sysfs.h
@@ -28,8 +28,7 @@ void __cold btrfs_exit_sysfs(void);
 int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info);
 void btrfs_sysfs_remove_mounted(struct btrfs_fs_info *fs_info);
 void btrfs_sysfs_add_block_group_type(struct btrfs_block_group *cache);
-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
-				    struct btrfs_space_info *space_info);
+int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info);
 void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info);
 void btrfs_sysfs_update_devid(struct btrfs_device *device);
 




* [PATCH 7.0 331/378] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (328 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 330/378] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 332/378] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 6a003446b725c44b9e3ffa111b0effbaa2d43085 upstream.

The pm_runtime_enable() and pm_runtime_use_autosuspend() calls are
supposed to be balanced on exit, add these calls.

Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Cc: stable@vger.kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-8-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1582,8 +1582,11 @@ static int qcom_slim_ngd_probe(struct pl
 	pm_runtime_enable(dev);
 	pm_runtime_get_noresume(dev);
 	ret = qcom_slim_ngd_qmi_svc_event_init(ctrl);
-	if (ret)
+	if (ret) {
 		dev_err(&pdev->dev, "QMI service registration failed:%d", ret);
+		pm_runtime_dont_use_autosuspend(dev);
+		pm_runtime_disable(dev);
+	}
 
 	return ret;
 }
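
Review bot: the new error branch undoes pm_runtime_enable() and the autosuspend setting but not the pm_runtime_get_noresume(dev) two lines above it, so the usage count stays raised after a failed probe. Add pm_runtime_put_noidle(dev) to the branch, and terminate the dev_err() message with a newline while the block is being touched.
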
@@ -1696,6 +1699,7 @@ static void qcom_slim_ngd_remove(struct
 {
 	struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
 
+	pm_runtime_dont_use_autosuspend(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	qcom_slim_ngd_enable(ctrl, false);
 	qcom_slim_ngd_exit_dma(ctrl);




* [PATCH 6.1 415/522] btrfs: fix double free in create_space_info_sub_group() error path
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (413 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 414/522] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 416/522] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Guangshuo Li,
	David Sterba, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

[ Upstream commit a7449edf96143f192606ec8647e3167e1ecbd728 ]

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&sub_group->kobj)
-> space_info_release()
-> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error
-> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after
btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
kobject release callback handle the cleanup.

Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group")
CC: stable@vger.kernel.org # 6.18+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/space-info.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -260,10 +260,8 @@ static int create_space_info_sub_group(s
 	sub_group->subgroup_id = id;
 
 	ret = btrfs_sysfs_add_space_info_type(sub_group);
-	if (ret) {
-		kfree(sub_group);
+	if (ret)
 		parent->sub_group[index] = NULL;
-	}
 	return ret;
 }
 
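
Review bot: dropping kfree(sub_group) is correct only while btrfs_sysfs_add_space_info_type() keeps calling kobject_put() on every failure, and nothing at this call site records that. A one-line comment in the if (ret) branch saying the kobject release callback frees sub_group would stop the kfree from being added back. If parent->sub_group[index] was assigned before the call, the slot also points at freed memory until this branch clears it.
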




* [PATCH 7.0 332/378] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (329 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 331/378] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 333/378] drm/gem: Try to fix change_handle ioctl, attempt 4 Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Srinivas Kandagatla

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>

commit 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec upstream.

During the SSR/PDR down notification the tx_lock is taken with the
intent to provide synchronization with active DMA transfers.

But during this period qcom_slim_ngd_down() is invoked, which ends up in
slim_report_absent(), which takes the slim_controller lock. In multiple
other codepaths these two locks are taken in the opposite order (i.e.
slim_controller then tx_lock).

The result is a lockdep splat, and a possible deadlock:

  rprocctl/449 is trying to acquire lock:
  ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus

  but task is already holding lock:
  ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl

  which lock already depends on the new lock.

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&ctrl->tx_lock);
                                lock(&ctrl->lock);
                                lock(&ctrl->tx_lock);
   lock(&ctrl->lock);

The assumption is that the comment refers to the desire to not call
qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.
But any such transaction is initiated and completed within a single
qcom_slim_ngd_xfer_msg().

Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn
down, all child devices are notified that the slimbus is gone and the
child devices are removed.

Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the
deadlock.

Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
Cc: stable@vger.kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-9-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/slimbus/qcom-ngd-ctrl.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1471,15 +1471,12 @@ static int qcom_slim_ngd_ssr_pdr_notify(
 	switch (action) {
 	case QCOM_SSR_BEFORE_SHUTDOWN:
 	case SERVREG_SERVICE_STATE_DOWN:
-		/* Make sure the last dma xfer is finished */
-		mutex_lock(&ctrl->tx_lock);
 		if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) {
 			pm_runtime_get_noresume(ctrl->ctrl.dev);
 			ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN;
 			qcom_slim_ngd_down(ctrl);
 			qcom_slim_ngd_exit_dma(ctrl);
 		}
-		mutex_unlock(&ctrl->tx_lock);
 		break;
 	case QCOM_SSR_AFTER_POWERUP:
 	case SERVREG_SERVICE_STATE_UP:
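Review bot: Missing documentation at the `QCOM_SSR_BEFORE_SHUTDOWN` / `SERVREG_SERVICE_STATE_DOWN` case: the removed comment and lock were the only statement of how this path is ordered against transfers, and the test-and-set of `ctrl->state` now runs with no lock held. Replace the dropped comment with one that records the reasoning from the changelog (a DMA TX transaction starts and completes inside a single qcom_slim_ngd_xfer_msg(), and the controller is torn down before qcom_slim_ngd_exit_dma()), and say what, if anything, serializes `ctrl->state` when two notifications arrive together.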




* [PATCH 6.1 416/522] pmdomain: core: Fix detach procedure for virtual devices in genpd
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (414 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 415/522] btrfs: fix double free in create_space_info_sub_group() error path Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 417/522] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
	Geert Uytterhoeven, Ulf Hansson, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

[ Upstream commit 26735dfdd8930d9ef1fa92e590a9bf77726efdf6 ]

If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().

This means these virtual devices are typically detached from their genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.

To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Closes: https://lore.kernel.org/all/CAMuHMdWapT40hV3c+CSBqFOW05aWcV1a6v_NiJYgoYi0i9_PDQ@mail.gmail.com/
Fixes: 3c095f32a92b ("PM / Domains: Add support for multi PM domains per device to genpd")
Cc: stable@vger.kernel.org
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/power/domain.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2667,6 +2667,7 @@ static struct bus_type genpd_bus_type =
 static void genpd_dev_pm_detach(struct device *dev, bool power_off)
 {
 	struct generic_pm_domain *pd;
+	bool is_virt_dev;
 	unsigned int i;
 	int ret = 0;
 
@@ -2676,6 +2677,13 @@ static void genpd_dev_pm_detach(struct d
 
 	dev_dbg(dev, "removing from PM domain %s\n", pd->name);
 
+	/* Check if the device was created by genpd at attach. */
+	is_virt_dev = dev->bus == &genpd_bus_type;
+
+	/* Disable runtime PM if we enabled it at attach. */
+	if (is_virt_dev)
+		pm_runtime_disable(dev);
+
 	/* Drop the default performance state */
 	if (dev_gpd_data(dev)->default_pstate) {
 		dev_pm_genpd_set_performance_state(dev, 0);
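Review bot: The new `pm_runtime_disable(dev)` call sits ahead of the performance-state drop, but its comment only says that runtime PM is disabled, not why it has to happen at this point in genpd_dev_pm_detach(). The changelog cites a NULL pointer dereference in genpd_runtime_suspend(); if the intent is that no runtime PM callback may run once detach has started tearing the virtual device down, say so in the comment so the call is not moved later by a future cleanup. Minor style: `is_virt_dev = (dev->bus == &genpd_bus_type);` reads more easily with the parentheses.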
@@ -2701,7 +2709,7 @@ static void genpd_dev_pm_detach(struct d
 	genpd_queue_power_off_work(pd);
 
 	/* Unregister the device if it was created by genpd. */
-	if (dev->bus == &genpd_bus_type)
+	if (is_virt_dev)
 		device_unregister(dev);
 }
 




* [PATCH 7.0 333/378] drm/gem: Try to fix change_handle ioctl, attempt 4
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (330 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 332/378] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 334/378] drm/i915: Fix color blob reference handling in intel_plane_state Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, DARKNAVY (@DarkNavyOrg),
	Simona Vetter, syzbot+d7c9eed171647e421013, Edward Adam Davis,
	Dave Airlie, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann,
	David Francis, Puttimet Thammasaeng, Christian Koenig,
	Zhenghang Xiao

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Simona Vetter <simona.vetter@ffwll.ch>

commit 1a4f03d22fb655e5f192244fb2c87d8066fcfca2 upstream.

[airlied: just added some comments on how to reenable]
On-list because the cat is out of the bag and we're clearly not good
enough to figure this out in private. The story thus far:

5e28b7b94408 ("drm: Set old handle to NULL before prime swap in
change_handle") tried to fix a race condition between the gem_close and
gem_change_handle ioctls, but got a few things wrong:

- There's a confusion with the local variable handle, which is actually
  the new handle, and so the two-stage trick was actually applied to the
  wrong idr slot. 7164d78559b0 ("drm/gem: fix race between
  change_handle and handle_delete") tried to fix that by adding yet
  another code block, but forgot to add the error handling. Which meant
  we now have two paths, both kinda wrong.

- dc366607c41c ("drm: Replace old pointer to new idr") tried to apply
  another fix, but inconsistently, again because of the handle confusion
  - this would be the right fix (kinda, somewhat, it's a mess) if we'd
  do the two-stage approach for the new handle. Except that wasn't the
  intent of the original fix.

We also didn't have an igt merged for the original ioctl, which is a big
no-go. This was attempted to address off-list in the original bugfix,
and amd QA people claimed the bug was fixed now. Very clearly that's not
the case. Here's my attempt to sort this out:

- Rename the local variable to new_handle, the old aliasing with
  args->handle is just too dangerously confusing.

- Merge the gem obj lookup with the two-stage idr_replace so that we
  avoid getting ourselves confused there.

- This means we don't have a surplus temporary reference anymore, only
  an inherited one from the idr. A concurrent gem_close on the new_handle
  could steal that. Fix that with the same two-stage approach
  create_tail uses. This is a bit overkill as documented in the comment,
  but I also don't trust my ability to understand this all correctly, so
  go with the established pattern we have from other ioctls instead for
  maximum paranoia.

- Adjust error paths. I've tried to make the error and success paths
  common, because they are identical except for which handle is removed
  and on which we call idr_replace to (re)install the object again. But
  that made things messier to read, so I've left it at the more verbose
  version, which unfortunately hides the symmetry in the entire code
  flow a bit.

- While at it, also replace the 7 space indent with 1 tab.

And finally, because I flat out don't trust my abilities here at all
anymore:

- Disable the ioctl until we have the igt situation and everything else
  sorted out on-list and with full consensus.

v2:

Sashiko noticed that I didn't handle the error path for idr_replace
correctly, it must be checked with IS_ERR_OR_NULL like in
gem_handle_delete. So yeah, definitely should just the existing paths
1:1 because this is endless amounts of tricky.

Also add the Fixes: line for the original ioctl, I forgot that too.

Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
Fixes: dc366607c41c ("drm: Replace old pointer to new idr")
Cc: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Edward Adam Davis <eadavis@qq.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Cc: David Francis <David.Francis@amd.com>
Cc: Puttimet Thammasaeng <pwn8official@gmail.com>
Cc: Christian Koenig <Christian.Koenig@amd.com>
Fixes: 7164d78559b0 ("drm/gem: fix race between change_handle and handle_delete")
Cc: Zhenghang Xiao <kipreyyy@gmail.com>
Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Reviewed-by: David Francis <David.Francis@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260604194437.1725314-1-simona.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_gem.c   |   73 ++++++++++++++++++++------------------------
 drivers/gpu/drm/drm_ioctl.c |    3 +
 2 files changed, 36 insertions(+), 40 deletions(-)

--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -997,12 +997,25 @@ err:
 	return ret;
 }
 
+/*
+ * This ioctl is disabled for security reasons but also it failed
+ * to follow process in terms of adding testing in igt and verifying
+ * all the corner cases which made fixing security bugs in it even
+ * harder than necessary.
+ *
+ * To re-enable this ioctl
+ * 1. land working IGT tests in igt-gpu-tools that cover
+ *    all corner cases and race conditions.
+ * 2. handle idr_preload
+ * 3. handle == 0
+ * 4. handle == new_handle semantics definition.
+ */
 int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 				struct drm_file *file_priv)
 {
 	struct drm_gem_change_handle *args = data;
-	struct drm_gem_object *obj, *idrobj;
-	int handle, ret;
+	struct drm_gem_object *obj;
+	int new_handle, ret;
 
 	if (!drm_core_check_feature(dev, DRIVER_GEM))
 		return -EOPNOTSUPP;
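Review bot: Items 2 to 4 of the re-enable checklist in the new comment above drm_gem_change_handle_ioctl() (`handle idr_preload`, `handle == 0`, `handle == new_handle semantics definition`) are too terse to act on. Spell out for each one what the code does today and what the expected behaviour is, for example whether handle 0 must be rejected with an error and whether `handle == new_handle` on a nonexistent handle should succeed.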
@@ -1010,52 +1023,36 @@ int drm_gem_change_handle_ioctl(struct d
 	/* idr_alloc() limitation. */
 	if (args->new_handle > INT_MAX)
 		return -EINVAL;
-	handle = args->new_handle;
+	new_handle = args->new_handle;
 
-	obj = drm_gem_object_lookup(file_priv, args->handle);
-	if (!obj)
-		return -ENOENT;
-
-	if (args->handle == handle) {
-		ret = 0;
-		goto out;
-	}
+	if (args->handle == new_handle)
+		return 0;
 
 	mutex_lock(&file_priv->prime.lock);
-
 	spin_lock(&file_priv->table_lock);
-
-       /* When create_tail allocs an obj idr, it needs to first alloc as NULL,
-	* then later replace with the correct object. This is not necessary
-	* here, because the only operations that could race are drm_prime
-	* bookkeeping, and we hold the prime lock.
-	*/
-	ret = idr_alloc(&file_priv->object_idr, obj, handle, handle + 1,
+	ret = idr_alloc(&file_priv->object_idr, NULL, new_handle, new_handle + 1,
 			GFP_NOWAIT);
 
-       if (ret < 0) {
-	       spin_unlock(&file_priv->table_lock);
-	       goto out_unlock;
-       }
-
-       idrobj = idr_replace(&file_priv->object_idr, NULL, handle);
-       if (idrobj != obj) {
-	       idr_replace(&file_priv->object_idr, idrobj, handle);
-	       idr_remove(&file_priv->object_idr, args->new_handle);
-	       spin_unlock(&file_priv->table_lock);
-	       ret = -ENOENT;
-	       goto out_unlock;
-       }
+	if (ret < 0) {
+		spin_unlock(&file_priv->table_lock);
+		goto out_unlock;
+	}
 
-	idr_replace(&file_priv->object_idr, NULL, args->handle);
+	obj = idr_replace(&file_priv->object_idr, NULL, args->handle);
+	if (IS_ERR_OR_NULL(obj)) {
+		idr_remove(&file_priv->object_idr, new_handle);
+		spin_unlock(&file_priv->table_lock);
+		ret = -ENOENT;
+		goto out_unlock;
+	}
 	spin_unlock(&file_priv->table_lock);
 
 	if (obj->dma_buf) {
 		ret = drm_prime_add_buf_handle(&file_priv->prime, obj->dma_buf,
-					       handle);
+					       new_handle);
 		if (ret < 0) {
 			spin_lock(&file_priv->table_lock);
-			idr_remove(&file_priv->object_idr, handle);
+			idr_remove(&file_priv->object_idr, new_handle);
 			idr_replace(&file_priv->object_idr, obj, args->handle);
 			spin_unlock(&file_priv->table_lock);
 			goto out_unlock;
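Review bot: Behaviour change at `if (args->handle == new_handle) return 0;`: the removed code looked up `args->handle` first and returned -ENOENT for a handle that does not exist, while the new early return reports success without touching the idr. If that is intended, document it next to the check; otherwise validate the handle before returning. Also, in the drm_prime_add_buf_handle() failure path the result of `idr_replace(&file_priv->object_idr, obj, args->handle);` is ignored, although the same call is checked with IS_ERR_OR_NULL() a few lines earlier; a WARN_ON on an unexpected return there would make a failed restore visible.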
@@ -1068,14 +1065,12 @@ int drm_gem_change_handle_ioctl(struct d
 
 	spin_lock(&file_priv->table_lock);
 	idr_remove(&file_priv->object_idr, args->handle);
-	idrobj = idr_replace(&file_priv->object_idr, obj, handle);
+	obj = idr_replace(&file_priv->object_idr, obj, new_handle);
 	spin_unlock(&file_priv->table_lock);
-	WARN_ON(idrobj != NULL);
+	WARN_ON(obj != NULL);
 
 out_unlock:
 	mutex_unlock(&file_priv->prime.lock);
-out:
-	drm_gem_object_put(obj);
 
 	return ret;
 }
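Review bot: Reusing `obj` for the return value of the final `idr_replace()` overwrites the only local pointer to the object, and `WARN_ON(obj != NULL)` then reads as if the object itself were being tested. Keep a separate local for the previous slot content (the removed code used `idrobj`) so the check says what it means: the slot for `new_handle` must still hold the NULL placeholder. With `drm_gem_object_put(obj)` gone, a one-line comment that the function holds no reference of its own and relies on the one inherited from the idr would also help.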
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -660,7 +660,8 @@ static const struct drm_ioctl_desc drm_i
 	DRM_IOCTL_DEF(DRM_IOCTL_GEM_CLOSE, drm_gem_close_ioctl, DRM_RENDER_ALLOW),
 	DRM_IOCTL_DEF(DRM_IOCTL_GEM_FLINK, drm_gem_flink_ioctl, DRM_AUTH),
 	DRM_IOCTL_DEF(DRM_IOCTL_GEM_OPEN, drm_gem_open_ioctl, DRM_AUTH),
-	DRM_IOCTL_DEF(DRM_IOCTL_GEM_CHANGE_HANDLE, drm_gem_change_handle_ioctl, DRM_RENDER_ALLOW),
+	/* see drm_gem.c:drm_gem_change_handle_ioctl for why this is invalid */
+	DRM_IOCTL_DEF(DRM_IOCTL_GEM_CHANGE_HANDLE, drm_invalid_op, DRM_RENDER_ALLOW),
 
 	DRM_IOCTL_DEF(DRM_IOCTL_MODE_GETRESOURCES, drm_mode_getresources, 0),
 
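Review bot: The replacement table entry keeps `DRM_RENDER_ALLOW` even though the handler is now `drm_invalid_op`, and the added comment calls the ioctl "invalid" where the comment in drm_gem.c says it is disabled. Use the same word in both places, and either drop the flag or note that it is kept on purpose so that re-enabling is a one-line change back to drm_gem_change_handle_ioctl.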




* [PATCH 6.1 417/522] smb: client: validate dacloffset before building DACL pointers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (415 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 416/522] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 418/522] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit f98b48151cc502ada59d9778f0112d21f2586ca3 ]

parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.

On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ renamed smb_ntsd/smb_acl structs to cifs_ntsd/cifs_acl and kept existing inline ACL size check instead of using missing validate_dacl() helper ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |   35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1254,6 +1254,17 @@ static int parse_sid(struct cifs_sid *ps
 	return 0;
 }
 
+static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset)
+{
+	if (acl_len < sizeof(struct cifs_acl))
+		return false;
+
+	if (dacloffset < sizeof(struct cifs_ntsd))
+		return false;
+
+	return dacloffset <= acl_len - sizeof(struct cifs_acl);
+}
+
 
 /* Convert CIFS ACL to POSIX form */
 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
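Review bot: dacl_offset_valid() has no comment saying what it guarantees. State above it that it checks, on integers and before any pointer is formed, that a `struct cifs_acl` header starting at `dacloffset` lies after the `struct cifs_ntsd` header and fully inside `acl_len` bytes, so the later pointer-based checks cannot be bypassed by wraparound. Style: the added blank line after the closing brace lands next to an existing blank line and leaves two in a row before `/* Convert CIFS ACL to POSIX form */`.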
@@ -1274,7 +1285,6 @@ static int parse_sec_desc(struct cifs_sb
 	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
 				le32_to_cpu(pntsd->gsidoffset));
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
-	dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
 	cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
 		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
 		 le32_to_cpu(pntsd->gsidoffset),
@@ -1305,11 +1315,18 @@ static int parse_sec_desc(struct cifs_sb
 		return rc;
 	}
 
-	if (dacloffset)
+	if (dacloffset) {
+		if (!dacl_offset_valid(acl_len, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
+		dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
 		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
 			   group_sid_ptr, fattr, get_mode_from_special_sid);
-	else
+	} else {
 		cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
+	}
 
 	return rc;
 }
@@ -1332,6 +1349,11 @@ static int build_sec_desc(struct cifs_nt
 
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
 	if (dacloffset) {
+		if (!dacl_offset_valid(secdesclen, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
 		dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
 		rc = validate_dacl(dacl_ptr, end_of_acl);
 		if (rc)
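Review bot: The context line `rc = validate_dacl(dacl_ptr, end_of_acl);` shows validate_dacl() being called in build_sec_desc(), while the backport note in the changelog says the existing inline ACL size check was kept because the validate_dacl() helper is missing. One of the two is out of date; correct the note so it matches what this tree contains. Separately, the same cifs_dbg() message and -EINVAL are repeated at all three call sites, and the message could include the offending values, for example `dacloffset` and the descriptor length, to make a hostile or broken server easier to identify from the log.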
@@ -1698,6 +1720,12 @@ id_mode_to_cifs_acl(struct inode *inode,
 		nsecdesclen = sizeof(struct cifs_ntsd) + (sizeof(struct cifs_sid) * 2);
 		dacloffset = le32_to_cpu(pntsd->dacloffset);
 		if (dacloffset) {
+			if (!dacl_offset_valid(secdesclen, dacloffset)) {
+				cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+				rc = -EINVAL;
+				goto id_mode_to_cifs_acl_exit;
+			}
+
 			dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
 			rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
 			if (rc) {
@@ -1740,6 +1768,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 		rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
 		cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
 	}
+id_mode_to_cifs_acl_exit:
 	cifs_put_tlink(tlink);
 
 	kfree(pnntsd);
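Review bot: The new `id_mode_to_cifs_acl_exit` label is reached from the dacloffset check, which in the earlier hunk sits before any visible allocation of `pnntsd`, yet the label falls through to `kfree(pnntsd);`. Confirm that `pnntsd` is initialised to NULL at its declaration, and that the descriptor `pntsd` fetched from the server is released on this path as well, since neither is visible in these hunks.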




* [PATCH 7.0 334/378] drm/i915: Fix color blob reference handling in intel_plane_state
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (331 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 333/378] drm/gem: Try to fix change_handle ioctl, attempt 4 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 335/378] drm/amdkfd: fix NULL dereference in get_queue_ids() Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uma Shankar, Chaitanya Kumar Borah,
	Tvrtko Ursulin, Pranay Samala

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>

commit 26eb7c0a7ab09d83eec833db6a5a2bc60b9d4d9a upstream.

Take proper references for hw color blobs (degamma_lut, gamma_lut,
ctm, lut_3d) in intel_plane_duplicate_state() and drop them in
intel_plane_destroy_state().

v2:
- handle blobs in hw state clear

Cc: <stable@vger.kernel.org> #v6.19+
Fixes: 3b7476e786c2 ("drm/i915/color: Add framework to program PRE/POST CSC LUT")
Fixes: a78f1b6baf4d ("drm/i915/color: Add framework to program CSC")
Fixes: 65db7a1f9cf7 ("drm/i915/color: Add 3D LUT to color pipeline")
Reviewed-by: Pranay Samala <pranay.samala@intel.com> #v1
Reviewed-by: Uma Shankar <uma.shankar@intel.com>
Signed-off-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Signed-off-by: Uma Shankar <uma.shankar@intel.com>
Link: https://patch.msgid.link/20260601082953.128539-4-chaitanya.kumar.borah@intel.com
(cherry picked from commit c6eea1925154b6697fe22b217faab9bb30635e6b)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/display/intel_plane.c |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

--- a/drivers/gpu/drm/i915/display/intel_plane.c
+++ b/drivers/gpu/drm/i915/display/intel_plane.c
@@ -144,6 +144,15 @@ intel_plane_duplicate_state(struct drm_p
 	if (intel_state->hw.fb)
 		drm_framebuffer_get(intel_state->hw.fb);
 
+	if (intel_state->hw.degamma_lut)
+		drm_property_blob_get(intel_state->hw.degamma_lut);
+	if (intel_state->hw.gamma_lut)
+		drm_property_blob_get(intel_state->hw.gamma_lut);
+	if (intel_state->hw.ctm)
+		drm_property_blob_get(intel_state->hw.ctm);
+	if (intel_state->hw.lut_3d)
+		drm_property_blob_get(intel_state->hw.lut_3d);
+
 	return &intel_state->uapi;
 }
 
@@ -167,6 +176,16 @@ intel_plane_destroy_state(struct drm_pla
 	__drm_atomic_helper_plane_destroy_state(&plane_state->uapi);
 	if (plane_state->hw.fb)
 		drm_framebuffer_put(plane_state->hw.fb);
+
+	if (plane_state->hw.degamma_lut)
+		drm_property_blob_put(plane_state->hw.degamma_lut);
+	if (plane_state->hw.gamma_lut)
+		drm_property_blob_put(plane_state->hw.gamma_lut);
+	if (plane_state->hw.ctm)
+		drm_property_blob_put(plane_state->hw.ctm);
+	if (plane_state->hw.lut_3d)
+		drm_property_blob_put(plane_state->hw.lut_3d);
+
 	kfree(plane_state);
 }
 
@@ -317,6 +336,14 @@ static void intel_plane_clear_hw_state(s
 {
 	if (plane_state->hw.fb)
 		drm_framebuffer_put(plane_state->hw.fb);
+	if (plane_state->hw.degamma_lut)
+		drm_property_blob_put(plane_state->hw.degamma_lut);
+	if (plane_state->hw.gamma_lut)
+		drm_property_blob_put(plane_state->hw.gamma_lut);
+	if (plane_state->hw.ctm)
+		drm_property_blob_put(plane_state->hw.ctm);
+	if (plane_state->hw.lut_3d)
+		drm_property_blob_put(plane_state->hw.lut_3d);
 
 	memset(&plane_state->hw, 0, sizeof(plane_state->hw));
 }
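Review bot: The four `drm_property_blob_put()` calls added to intel_plane_clear_hw_state() are a copy of the four added to intel_plane_destroy_state(), and intel_plane_duplicate_state() carries the matching list of gets. Put the get and put sequences in two small helpers so a blob added to the hw state later is handled in one place; a missed entry in any of the three lists brings back the reference imbalance this patch fixes.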




* [PATCH 6.1 418/522] smb: client: Use FullSessionKey for AES-256 encryption key derivation
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (416 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 417/522] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 419/522] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bharath SM, Piyush Sachdeva,
	Piyush Sachdeva, Steve French, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Piyush Sachdeva <s.piyush1024@gmail.com>

[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ]

When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
using the full session key (Session.FullSessionKey) rather than just the
first 16 bytes (Session.SessionKey).

Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
must be set to the full cryptographic key from the GSS authentication
context. The encryption and decryption key derivation (SMBC2SCipherKey,
SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
signing key derivation continues to use Session.SessionKey (first 16
bytes) in all cases.

Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
HMAC-SHA256 key input length for all derivations. When Kerberos with
AES-256 provides a 32-byte session key, the KDF for encryption/decryption
was using only the first 16 bytes, producing keys that did not match the
server's, causing mount failures with sec=krb5 and require_gcm_256=1.

Add a full_key_size parameter to generate_key() and pass the appropriate
size from generate_smb3signingkey():
 - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)
 - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16

Also fix cifs_dump_full_key() to report the actual session key length for
AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools
like Wireshark receive the correct key for decryption.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Piyush Sachdeva <psachdeva@microsoft.com>
Signed-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ adapted upstream's void/hmac_sha256_init_usingrawkey-based generate_key() to 6.12's int-return crypto_shash_* form while threading full_key_size through all callers. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/ioctl.c         |    2 +-
 fs/smb/client/smb2transport.c |   32 +++++++++++++++++++++++++-------
 2 files changed, 26 insertions(+), 8 deletions(-)

--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -279,7 +279,7 @@ search_end:
 		break;
 	case SMB2_ENCRYPTION_AES256_CCM:
 	case SMB2_ENCRYPTION_AES256_GCM:
-		out.session_key_length = CIFS_SESS_KEY_SIZE;
+		out.session_key_length = ses->auth_key.len;
 		out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;
 		break;
 	default:
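Review bot: In the `SMB2_ENCRYPTION_AES256_CCM` / `SMB2_ENCRYPTION_AES256_GCM` case, `out.session_key_length` now comes from `ses->auth_key.len`, a runtime value, where it used to be the constant CIFS_SESS_KEY_SIZE. The hunk does not show the copy into the output structure, so check that the copy uses this same length and that the destination field is large enough for the longest key `auth_key.len` can hold; if it is not, clamp the length or return an error before copying.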
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -307,7 +307,8 @@ out:
 }
 
 static int generate_key(struct cifs_ses *ses, struct kvec label,
-			struct kvec context, __u8 *key, unsigned int key_size)
+			struct kvec context, __u8 *key, unsigned int key_size,
+			unsigned int full_key_size)
 {
 	unsigned char zero = 0x0;
 	__u8 i[4] = {0, 0, 0, 1};
@@ -328,7 +329,7 @@ static int generate_key(struct cifs_ses
 	}
 
 	rc = crypto_shash_setkey(server->secmech.hmacsha256->tfm,
-		ses->auth_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
+		ses->auth_key.response, full_key_size);
 	if (rc) {
 		cifs_server_dbg(VFS, "%s: Could not set with session key\n", __func__);
 		goto smb3signkey_ret;
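Review bot: `crypto_shash_setkey()` now reads `full_key_size` bytes from `ses->auth_key.response`, but generate_key() does not check that value against `ses->auth_key.len`. The signing callers pass the constant SMB2_NTLMV2_SESSKEY_SIZE, so a session key shorter than that would be over-read; add a bounds check that fails the derivation when `full_key_size > ses->auth_key.len`. The parameter name is also misleading, since signing passes 16 rather than the full length; a name such as `kdf_key_len` describes it better.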
@@ -403,6 +404,7 @@ generate_smb3signingkey(struct cifs_ses
 			struct TCP_Server_Info *server,
 			const struct derivation_triplet *ptriplet)
 {
+	unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE;
 	int rc;
 	bool is_binding = false;
 	int chan_index = 0;
@@ -431,17 +433,31 @@ generate_smb3signingkey(struct cifs_ses
 		rc = generate_key(ses, ptriplet->signing.label,
 				  ptriplet->signing.context,
 				  ses->chans[chan_index].signkey,
-				  SMB3_SIGN_KEY_SIZE);
+				  SMB3_SIGN_KEY_SIZE,
+				  SMB2_NTLMV2_SESSKEY_SIZE);
 		if (rc)
 			return rc;
 	} else {
 		rc = generate_key(ses, ptriplet->signing.label,
 				  ptriplet->signing.context,
 				  ses->smb3signingkey,
-				  SMB3_SIGN_KEY_SIZE);
+				  SMB3_SIGN_KEY_SIZE,
+				  SMB2_NTLMV2_SESSKEY_SIZE);
 		if (rc)
 			return rc;
 
+		/*
+		 * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey
+		 * (first 16 bytes). Encryption/decryption keys use
+		 * Session.FullSessionKey when dialect is 3.1.1 and cipher is
+		 * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.
+		 */
+
+		if (server->dialect == SMB311_PROT_ID &&
+		    (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+		     server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+			full_key_size = ses->auth_key.len;
+
 		/* safe to access primary channel, since it will never go away */
 		spin_lock(&ses->chan_lock);
 		memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey,
@@ -451,13 +467,15 @@ generate_smb3signingkey(struct cifs_ses
 		rc = generate_key(ses, ptriplet->encryption.label,
 				  ptriplet->encryption.context,
 				  ses->smb3encryptionkey,
-				  SMB3_ENC_DEC_KEY_SIZE);
+				  SMB3_ENC_DEC_KEY_SIZE,
+				  full_key_size);
 		if (rc)
 			return rc;
 		rc = generate_key(ses, ptriplet->decryption.label,
 				  ptriplet->decryption.context,
 				  ses->smb3decryptionkey,
-				  SMB3_ENC_DEC_KEY_SIZE);
+				  SMB3_ENC_DEC_KEY_SIZE,
+				  full_key_size);
 		if (rc)
 			return rc;
 	}
@@ -472,7 +490,7 @@ generate_smb3signingkey(struct cifs_ses
 			&ses->Suid);
 	cifs_dbg(VFS, "Cipher type   %d\n", server->cipher_type);
 	cifs_dbg(VFS, "Session Key   %*ph\n",
-		 SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
+		 (int)ses->auth_key.len, ses->auth_key.response);
 	cifs_dbg(VFS, "Signing Key   %*ph\n",
 		 SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
 	if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
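Review bot: The `Session Key` debug line now prints `ses->auth_key.len` bytes regardless of cipher, while the derivation above uses the full key only for dialect 3.1.1 with AES-256-CCM or AES-256-GCM and 16 bytes otherwise. Print the length that was actually fed to the KDF (`full_key_size`), or label the line as the full session key, so the dump matches what a decryption tool needs for the negotiated cipher.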




* [PATCH 7.0 335/378] drm/amdkfd: fix NULL dereference in get_queue_ids()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (332 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 334/378] drm/i915: Fix color blob reference handling in intel_plane_state Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 336/378] drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 2bd550b547deabef98bd3b017ff743b7c34d3a6d upstream.

When usr_queue_id_array is NULL and num_queues is non-zero,
get_queue_ids() returns NULL. The callers check only IS_ERR() on the
return value; since IS_ERR(NULL) == false the check passes, and
suspend_queues() calls q_array_invalidate() which immediately
dereferences NULL while iterating num_queues times.

Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying
num_queues > 0 with a zero queue_array_ptr, causing a kernel panic.

A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op
(q_array_invalidate never executes, and resume_queues already guards
all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL)
only when num_queues is non-zero and the pointer is absent; both callers
already propagate IS_ERR() returns correctly to userspace.

Fixes: a70a93fa568b ("drm/amdkfd: add debug suspend and resume process queues operation")
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -3297,7 +3297,7 @@ static void copy_context_work_handler(st
 static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t *usr_queue_id_array)
 {
 	if (!usr_queue_id_array)
-		return NULL;
+		return num_queues ? ERR_PTR(-EINVAL) : NULL;
 
 	if (num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS)
 		return ERR_PTR(-EINVAL);
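
Review bot: after this change get_queue_ids() has three distinct results (a valid array, NULL when num_queues is 0 and no array was passed, and ERR_PTR(-EINVAL)), but the function carries no comment stating that contract. The commit message relies on callers checking IS_ERR() and on resume_queues guarding NULL, so a short comment above the function saying that NULL means "no queues requested" and is never an error would keep a future caller from reintroducing the IS_ERR(NULL) gap.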



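The NULL-versus-ERR_PTR contract described in the get_queue_ids() patch above, as an added userspace model that is not part of the original patch or of the kernel source. The ERR_PTR/IS_ERR/PTR_ERR helpers are simplified stand-ins, and MODEL_MAX_QUEUES, copy_ids() and suspend_queues_model() are hypothetical names; the model reports a would-be NULL dereference instead of performing it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel's <linux/err.h> helpers (assumption). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static int IS_ERR(const void *ptr)
{
	/* Only the top MAX_ERRNO addresses encode an errno; NULL does not. */
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Constructed limit for this model; the kernel constant's value is not on the page. */
#define MODEL_MAX_QUEUES 1024u

enum outcome { OUT_OK = 0, OUT_NULL_DEREF = 1 };

typedef uint32_t *(*get_ids_fn)(uint32_t, const uint32_t *);

/* Hypothetical helper: copy the caller's array, as a kernel copy-in would. */
static uint32_t *copy_ids(uint32_t n, const uint32_t *usr)
{
	uint32_t *ids = malloc((n ? n : 1) * sizeof(*ids));

	if (!ids)
		return ERR_PTR(-ENOMEM);
	memcpy(ids, usr, n * sizeof(*ids));
	return ids;
}

/* Pre-fix behaviour: a missing array always yields NULL. */
static uint32_t *get_queue_ids_before(uint32_t num_queues, const uint32_t *usr)
{
	if (!usr)
		return NULL;
	if (num_queues > MODEL_MAX_QUEUES)
		return ERR_PTR(-EINVAL);
	return copy_ids(num_queues, usr);
}

/* Post-fix behaviour: NULL is returned only when no queues were requested. */
static uint32_t *get_queue_ids_after(uint32_t num_queues, const uint32_t *usr)
{
	if (!usr)
		return num_queues ? ERR_PTR(-EINVAL) : NULL;
	if (num_queues > MODEL_MAX_QUEUES)
		return ERR_PTR(-EINVAL);
	return copy_ids(num_queues, usr);
}

/*
 * Model of a caller that checks only IS_ERR(), as the commit message
 * describes. Returns a negative errno, OUT_OK, or OUT_NULL_DEREF when the
 * per-queue loop would have written through a NULL array.
 */
static long suspend_queues_model(get_ids_fn get, uint32_t num_queues,
				 const uint32_t *usr)
{
	uint32_t *ids = get(num_queues, usr);
	long ret = OUT_OK;

	if (IS_ERR(ids))
		return PTR_ERR(ids);	/* propagated to the ioctl caller */

	for (uint32_t i = 0; i < num_queues; i++) {
		if (!ids) {		/* the kernel would oops at this point */
			ret = OUT_NULL_DEREF;
			break;
		}
		ids[i] |= 0x80000000u;	/* constructed "invalid" marker bit */
	}
	free(ids);
	return ret;
}

int main(void)
{
	printf("before, num=4, array=NULL: %ld\n",
	       suspend_queues_model(get_queue_ids_before, 4, NULL));
	printf("after,  num=4, array=NULL: %ld\n",
	       suspend_queues_model(get_queue_ids_after, 4, NULL));
	printf("after,  num=0, array=NULL: %ld\n",
	       suspend_queues_model(get_queue_ids_after, 0, NULL));
	return 0;
}
```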

* [PATCH 6.1 419/522] btrfs: fix missing last_unlink_trans update when removing a directory
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (417 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 418/522] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 420/522] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Slava0135, Filipe Manana,
	David Sterba, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

[ Upstream commit 999757231c49376cd1a37308d2c8c4c9932571e1 ]

When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case someone fsyncs the
directory after it was removed because it's holding a file descriptor on
it.

Example scenario:

   mkdir /mnt/dir1
   mkdir /mnt/dir1/dir2
   mkdir /mnt/dir3

   sync -f /mnt

   # Do some change to the directory and fsync it.
   chmod 700 /mnt/dir1
   xfs_io -c fsync /mnt/dir1

   # Move dir2 out of dir1 so that dir1 becomes empty.
   mv /mnt/dir1/dir2 /mnt/dir3/

   open fd on /mnt/dir1
   call rmdir(2) on path "/mnt/dir1"
   fsync fd

   <trigger power failure>

When attempting to mount the filesystem, the log replay will fail with
an -EIO error and dmesg/syslog has the following:

   [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650
   [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm
   [445771.627912] BTRFS info (device dm-0): start tree-log replay
   [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5
   [445771.629453] memcg:ffff89f400351b00
   [445771.629892] aops:btree_aops [btrfs] ino:1
   [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
   [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8
   [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00
   [445771.635029] page dumped because: eb page dump
   [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir
   [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5
   [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087
   [445771.638094] 	item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
   [445771.638097] 		inode generation 3 transid 9 size 16 nbytes 16384
   [445771.638098] 		block group 0 mode 40755 links 1 uid 0 gid 0
   [445771.638100] 		rdev 0 sequence 2 flags 0x0
   [445771.638102] 		atime 1775744884.0
   [445771.660056] 		ctime 1775744885.645502983
   [445771.660058] 		mtime 1775744885.645502983
   [445771.660060] 		otime 1775744884.0
   [445771.660062] 	item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
   [445771.660064] 		index 0 name_len 2
   [445771.660066] 	item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34
   [445771.660068] 		location key (259 1 0) type 2
   [445771.660070] 		transid 9 data_len 0 name_len 4
   [445771.660075] 	item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34
   [445771.660076] 		location key (257 1 0) type 2
   [445771.660077] 		transid 9 data_len 0 name_len 4
   [445771.660078] 	item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
   [445771.660079] 		location key (257 1 0) type 2
   [445771.660080] 		transid 9 data_len 0 name_len 4
   [445771.660081] 	item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
   [445771.660082] 		location key (259 1 0) type 2
   [445771.660083] 		transid 9 data_len 0 name_len 4
   [445771.660084] 	item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
   [445771.660086] 		inode generation 9 transid 9 size 8 nbytes 0
   [445771.660087] 		block group 0 mode 40777 links 1 uid 0 gid 0
   [445771.660088] 		rdev 0 sequence 2 flags 0x0
   [445771.660089] 		atime 1775744885.641174097
   [445771.660090] 		ctime 1775744885.645502983
   [445771.660091] 		mtime 1775744885.645502983
   [445771.660105] 		otime 1775744885.641174097
   [445771.660106] 	item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
   [445771.660107] 		index 2 name_len 4
   [445771.660108] 	item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34
   [445771.660109] 		location key (258 1 0) type 2
   [445771.660110] 		transid 9 data_len 0 name_len 4
   [445771.660111] 	item 9 key (257 DIR_INDEX 2) itemoff 15733 itemsize 34
   [445771.660112] 		location key (258 1 0) type 2
   [445771.660113] 		transid 9 data_len 0 name_len 4
   [445771.660114] 	item 10 key (258 INODE_ITEM 0) itemoff 15573 itemsize 160
   [445771.660115] 		inode generation 9 transid 10 size 0 nbytes 0
   [445771.660116] 		block group 0 mode 40755 links 2 uid 0 gid 0
   [445771.660117] 		rdev 0 sequence 0 flags 0x0
   [445771.660118] 		atime 1775744885.645502983
   [445771.660119] 		ctime 1775744885.645502983
   [445771.660120] 		mtime 1775744885.645502983
   [445771.660121] 		otime 1775744885.645502983
   [445771.660122] 	item 11 key (258 INODE_REF 257) itemoff 15559 itemsize 14
   [445771.660123] 		index 2 name_len 4
   [445771.660124] 	item 12 key (258 INODE_REF 259) itemoff 15545 itemsize 14
   [445771.660125] 		index 2 name_len 4
   [445771.660126] 	item 13 key (259 INODE_ITEM 0) itemoff 15385 itemsize 160
   [445771.660127] 		inode generation 9 transid 10 size 8 nbytes 0
   [445771.660128] 		block group 0 mode 40755 links 1 uid 0 gid 0
   [445771.660129] 		rdev 0 sequence 1 flags 0x0
   [445771.660130] 		atime 1775744885.645502983
   [445771.660130] 		ctime 1775744885.645502983
   [445771.660131] 		mtime 1775744885.645502983
   [445771.660132] 		otime 1775744885.645502983
   [445771.660133] 	item 14 key (259 INODE_REF 256) itemoff 15371 itemsize 14
   [445771.660134] 		index 3 name_len 4
   [445771.660135] 	item 15 key (259 DIR_ITEM 2676584006) itemoff 15337 itemsize 34
   [445771.660136] 		location key (258 1 0) type 2
   [445771.660137] 		transid 10 data_len 0 name_len 4
   [445771.660138] 	item 16 key (259 DIR_INDEX 2) itemoff 15303 itemsize 34
   [445771.660139] 		location key (258 1 0) type 2
   [445771.660140] 		transid 10 data_len 0 name_len 4
   [445771.660144] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected
   [445771.661650] ------------[ cut here ]------------
   [445771.662358] WARNING: fs/btrfs/disk-io.c:326 at btree_csum_one_bio+0x217/0x230 [btrfs], CPU#8: mount/3581087
   [445771.663588] Modules linked in: btrfs f2fs xfs (...)
   [445771.671229] CPU: 8 UID: 0 PID: 3581087 Comm: mount Tainted: G        W           7.0.0-rc6-btrfs-next-230+ #2 PREEMPT(full)
   [445771.672575] Tainted: [W]=WARN
   [445771.672987] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
   [445771.674460] RIP: 0010:btree_csum_one_bio+0x217/0x230 [btrfs]
   [445771.675222] Code: 89 44 24 (...)
   [445771.677364] RSP: 0018:ffffd23882247660 EFLAGS: 00010246
   [445771.678029] RAX: 0000000000000000 RBX: ffff89f6c51d1a90 RCX: 0000000000000000
   [445771.678975] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff89f406020000
   [445771.679983] RBP: ffff89f821204000 R08: 0000000000000000 R09: 00000000ffefffff
   [445771.680905] R10: ffffd23882247448 R11: 0000000000000003 R12: ffffd23882247668
   [445771.681978] R13: ffff89f458e40fc0 R14: ffff89f737f4f500 R15: ffff89f737f4f500
   [445771.682912] FS:  00007f0447a98840(0000) GS:ffff89fb9771d000(0000) knlGS:0000000000000000
   [445771.684393] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   [445771.685230] CR2: 00007f0447bf1330 CR3: 000000017cb02002 CR4: 0000000000370ef0
   [445771.686273] Call Trace:
   [445771.686646]  <TASK>
   [445771.686969]  btrfs_submit_bbio+0x83f/0x860 [btrfs]
   [445771.687750]  ? write_one_eb+0x28f/0x340 [btrfs]
   [445771.688428]  btree_writepages+0x2e3/0x550 [btrfs]
   [445771.689180]  ? kmem_cache_alloc_noprof+0x12a/0x490
   [445771.689963]  ? alloc_extent_state+0x19/0x120 [btrfs]
   [445771.690801]  ? kmem_cache_free+0x135/0x380
   [445771.691328]  ? preempt_count_add+0x69/0xa0
   [445771.691831]  ? set_extent_bit+0x252/0x8e0 [btrfs]
   [445771.692468]  ? xas_load+0x9/0xc0
   [445771.692873]  ? xas_find+0x14d/0x1a0
   [445771.693304]  do_writepages+0xc6/0x160
   [445771.693756]  filemap_writeback+0xb8/0xe0
   [445771.694274]  btrfs_write_marked_extents+0x61/0x170 [btrfs]
   [445771.694999]  btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs]
   [445771.695818]  btrfs_commit_transaction+0x5c8/0xd10 [btrfs]
   [445771.696530]  ? kmem_cache_free+0x135/0x380
   [445771.697120]  ? release_extent_buffer+0x34/0x160 [btrfs]
   [445771.697786]  btrfs_recover_log_trees+0x7be/0x7e0 [btrfs]
   [445771.698525]  ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
   [445771.699206]  open_ctree+0x11e5/0x1810 [btrfs]
   [445771.699776]  btrfs_get_tree.cold+0xb/0x162 [btrfs]
   [445771.700463]  ? fscontext_read+0x165/0x180
   [445771.701146]  ? rw_verify_area+0x50/0x180
   [445771.701866]  vfs_get_tree+0x25/0xd0
   [445771.702491]  vfs_cmd_create+0x59/0xe0
   [445771.703125]  __do_sys_fsconfig+0x303/0x610
   [445771.703603]  do_syscall_64+0xe9/0xf20
   [445771.703974]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
   [445771.704700] RIP: 0033:0x7f0447cbd4aa
   [445771.705108] Code: 73 01 c3 (...)
   [445771.707263] RSP: 002b:00007ffc4e528318 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
   [445771.708107] RAX: ffffffffffffffda RBX: 00005561585d8c20 RCX: 00007f0447cbd4aa
   [445771.708931] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
   [445771.709744] RBP: 00005561585d9120 R08: 0000000000000000 R09: 0000000000000000
   [445771.710674] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
   [445771.711477] R13: 00007f0447e4f580 R14: 00007f0447e5126c R15: 00007f0447e36a23
   [445771.712277]  </TASK>
   [445771.712541] ---[ end trace 0000000000000000 ]---
   [445771.713382] BTRFS error (device dm-0): error while writing out transaction: -5
   [445771.714679] BTRFS warning (device dm-0): Skipping commit of aborted transaction.
   [445771.715562] BTRFS error (device dm-0 state A): Transaction aborted (error -5)
   [445771.716459] BTRFS: error (device dm-0 state A) in cleanup_transaction:2068: errno=-5 IO failure
   [445771.717936] BTRFS error (device dm-0 state EA): failed to recover log trees with error: -5
   [445771.719681] BTRFS error (device dm-0 state EA): open_ctree failed: -5

The problem is that such a fsync should have resulted in a fallback to a
transaction commit, but that did not happen because through the
btrfs_rmdir() we never update the directory's last_unlink_trans field.
Any inode that had a link removed must have its last_unlink_trans updated
to the ID of transaction used for the operation, otherwise fsync and log
replay will not work correctly.

btrfs_rmdir() calls btrfs_unlink_inode() and through that call chain we
never call btrfs_record_unlink_dir() in order to update last_unlink_trans.
However btrfs_unlink(), which is used for unlinking regular files, calls
btrfs_record_unlink_dir() and then calls btrfs_unlink_inode(). So fix
this by moving the call to btrfs_record_unlink_dir() from btrfs_unlink()
to btrfs_unlink_inode().

A test case for fstests will follow soon.

Reported-by: Slava0135 <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAAJYhww5ov62Hm+n+tmhcL-e_4cBobg+OWogKjOJxVUXivC=MQ@mail.gmail.com/
CC: stable@vger.kernel.org
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ wrapped dir and inode arguments with BTRFS_I() since 6.1 btrfs_rmdir() uses struct inode * instead of struct btrfs_inode * ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/inode.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4915,6 +4915,8 @@ static int btrfs_rmdir(struct inode *dir
 	if (err)
 		goto out;
 
+	btrfs_record_unlink_dir(trans, BTRFS_I(dir), BTRFS_I(inode), false);
+
 	/* now the directory is empty */
 	err = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
 				 &fname.disk_name);
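
Review bot: the commit message says the fix moves btrfs_record_unlink_dir() from btrfs_unlink() into btrfs_unlink_inode(), but this hunk adds a new call in btrfs_rmdir() and the diffstat shows two insertions with no deletion. The bracketed backport note mentions only the BTRFS_I() wrapping; it should also state that the 6.1 version places the call in btrfs_rmdir(). In addition, the added line passes BTRFS_I(inode) while the btrfs_unlink_inode() call right below passes BTRFS_I(d_inode(dentry)); using the same expression in both would make it obvious that they refer to the same inode.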




* [PATCH 7.0 336/378] drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (333 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 335/378] drm/amdkfd: fix NULL dereference in get_queue_ids() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 337/378] drm/xe/display: fix oops in suspend/shutdown without display Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Martin, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Martin <andrew.martin@amd.com>

commit 352ea59028ea48a6fff77f19ae28f98f71946a80 upstream.

The v11 MQD manager incorrectly assigned the CP-compute variants of
checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions
use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct
v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.

During CRIU checkpoint of an SDMA queue on Navi3x:
- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,
  leaking 1536 bytes of adjacent GTT memory to userspace

During CRIU restore:
- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,
  corrupting 1536 bytes of adjacent GTT memory (often the ring buffer
  or neighboring MQDs)

This is a copy-paste regression unique to v11. All other ASIC backends
(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.

Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly
handle the smaller v11_sdma_mqd structure, matching the pattern used in
other MQD managers.

Fixes: cc009e613de6 ("drm/amdkfd: Add KFD support for soc21 v3")
Assisted-by: Claude:Sonnet 4-5
Signed-off-by: Andrew Martin <andrew.martin@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c |   49 +++++++++++++++++++----
 1 file changed, 41 insertions(+), 8 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c
@@ -320,8 +320,7 @@ static void checkpoint_mqd(struct mqd_ma
 
 static void restore_mqd(struct mqd_manager *mm, void **mqd,
 			struct kfd_mem_obj *mqd_mem_obj, uint64_t *gart_addr,
-			struct queue_properties *qp,
-			const void *mqd_src,
+			struct queue_properties *qp, const void *mqd_src,
 			const void *ctl_stack_src, const u32 ctl_stack_size)
 {
 	uint64_t addr;
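
Review bot: this hunk only re-wraps the restore_mqd() parameter list and has no functional effect. In a fix tagged for stable, unrelated whitespace changes enlarge the diff and make conflicts on older trees more likely; consider dropping it or sending it separately.
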
@@ -337,14 +336,48 @@ static void restore_mqd(struct mqd_manag
 		*gart_addr = addr;
 
 	m->cp_hqd_pq_doorbell_control =
-		qp->doorbell_off <<
-			CP_HQD_PQ_DOORBELL_CONTROL__DOORBELL_OFFSET__SHIFT;
-	pr_debug("cp_hqd_pq_doorbell_control 0x%x\n",
-			m->cp_hqd_pq_doorbell_control);
+		qp->doorbell_off << CP_HQD_PQ_DOORBELL_CONTROL__DOORBELL_OFFSET__SHIFT;
+	pr_debug("cp_hqd_pq_doorbell_control 0x%x\n", m->cp_hqd_pq_doorbell_control);
 
 	qp->is_active = 0;
 }
 
+static void checkpoint_mqd_sdma(struct mqd_manager *mm,
+				void *mqd,
+				void *mqd_dst,
+				void *ctl_stack_dst)
+{
+	struct v11_sdma_mqd *m;
+
+	m = get_sdma_mqd(mqd);
+
+	memcpy(mqd_dst, m, sizeof(struct v11_sdma_mqd));
+}
+
+static void restore_mqd_sdma(struct mqd_manager *mm, void **mqd,
+			     struct kfd_mem_obj *mqd_mem_obj, uint64_t *gart_addr,
+			     struct queue_properties *qp,
+			     const void *mqd_src,
+			     const void *ctl_stack_src,
+			     const u32 ctl_stack_size)
+{
+	uint64_t addr;
+	struct v11_sdma_mqd *m;
+
+	m = (struct v11_sdma_mqd *) mqd_mem_obj->cpu_ptr;
+	addr = mqd_mem_obj->gpu_addr;
+
+	memcpy(m, mqd_src, sizeof(*m));
+
+	m->sdmax_rlcx_doorbell_offset =
+		qp->doorbell_off << SDMA0_QUEUE0_DOORBELL_OFFSET__OFFSET__SHIFT;
+
+	*mqd = m;
+	if (gart_addr)
+		*gart_addr = addr;
+
+	qp->is_active = 0;
+}
 
 static void init_mqd_hiq(struct mqd_manager *mm, void **mqd,
 			struct kfd_mem_obj *mqd_mem_obj, uint64_t *gart_addr,
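
Review bot: checkpoint_mqd_sdma() copies sizeof(struct v11_sdma_mqd) while restore_mqd_sdma() copies sizeof(*m). The two are equal today, but since the bug being fixed was a size taken from the wrong struct, using one form in both places, preferably sizeof(*m), would be safer. The doorbell and pr_debug re-wrapping at the top of this hunk is unrelated to the fix, and the unused mm and ctl_stack_dst parameters in checkpoint_mqd_sdma() deserve a one-line comment saying they exist for the callback signature.
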
@@ -529,8 +562,8 @@ struct mqd_manager *mqd_manager_init_v11
 		mqd->update_mqd = update_mqd_sdma;
 		mqd->destroy_mqd = kfd_destroy_mqd_sdma;
 		mqd->is_occupied = kfd_is_occupied_sdma;
-		mqd->checkpoint_mqd = checkpoint_mqd;
-		mqd->restore_mqd = restore_mqd;
+		mqd->checkpoint_mqd = checkpoint_mqd_sdma;
+		mqd->restore_mqd = restore_mqd_sdma;
 		mqd->mqd_size = sizeof(struct v11_sdma_mqd);
 		mqd->mqd_stride = kfd_mqd_stride;
 #if defined(CONFIG_DEBUG_FS)
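
Review bot: the SDMA branch now sets checkpoint_mqd, restore_mqd and mqd_size consistently, but nothing enforces that the callbacks copy exactly mqd->mqd_size bytes, which is how the 2048-byte versus 512-byte mismatch described in the commit message went unnoticed. Having the SDMA helpers copy mm->mqd_size, or adding a check that ties the copy length to that field, would catch this class of copy-paste error.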




* [PATCH 6.1 420/522] mptcp: fastclose msk when linger time is 0
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (418 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 419/522] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 421/522] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lance Tuller, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit f14d6e9c3678a067f304abba561e0c5446c7e845 ]

The SO_LINGER socket option has been supported for a while with MPTCP
sockets [1], but it didn't cause the equivalent of a TCP reset as
expected when enabled and its time was set to 0. This was causing some
behavioural differences with TCP where some connections were not
promptly stopped as expected.

To fix that, an extra condition is checked at close() time before
sending an MP_FASTCLOSE, the MPTCP equivalent of a TCP reset.

Note that backporting up to [1] will be difficult as more changes are
needed to be able to send MP_FASTCLOSE. It seems better to stop at [2],
which was supposed to already imitate TCP.

Validated with MPTCP packetdrill tests [3].

Fixes: 268b12387460 ("mptcp: setsockopt: support SO_LINGER") [1]
Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios") [2]
Cc: stable@vger.kernel.org
Reported-by: Lance Tuller <lance@lance0.com>
Closes: https://github.com/lance0/xfr/pull/67
Link: https://github.com/multipath-tcp/packetdrill/pull/196 [3]
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-3-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ kept `mptcp_check_readable()` name and explicit `inet_sk_state_store(sk, TCP_CLOSE)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3158,7 +3158,8 @@ bool __mptcp_close(struct sock *sk, long
 		goto cleanup;
 	}
 
-	if (mptcp_check_readable(msk)) {
+	if (mptcp_check_readable(msk) ||
+	    (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)) {
 		/* the msk has read data, do the MPTCP equivalent of TCP reset */
 		inet_sk_state_store(sk, TCP_CLOSE);
 		mptcp_do_fastclose(sk);
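
Review bot: the comment inside the branch still reads "the msk has read data", which no longer describes the second condition added to the if. Update it to mention the SO_LINGER with zero linger time case so the reason for the fastclose is clear from the code alone.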




* [PATCH 7.0 337/378] drm/xe/display: fix oops in suspend/shutdown without display
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (334 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 336/378] drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 338/378] drm/xe/multi_queue: skip submit when primary queue is suspended Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Suraj Kandpal, Jani Nikula,
	Matthew Brost

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jani Nikula <jani.nikula@intel.com>

commit 68938cc08e23a94fd881e845837ff918de005ce7 upstream.

The xe driver keeps track of whether to probe display, and whether
display hardware is there, using xe->info.probe_display. It gets set to
false if there's no display after intel_display_device_probe(). However,
the display may also be disabled via fuses, detected at a later time in
intel_display_device_info_runtime_init().

In this case, the xe driver does for_each_intel_crtc() on uninitialized
mode config in xe_display_flush_cleanup_work(), leading to a NULL
pointer dereference, and generally calls display code with display info
cleared.

Check for intel_display_device_present() after
intel_display_device_info_runtime_init(), and reset
xe->info.probe_display as necessary. Also do unset_display_features()
for completeness, although display runtime init has already done
that. This will need to be unified across all cases later.

Move intel_display_device_info_runtime_init() call slightly earlier,
similar to i915, to avoid a bunch of unnecessary setup for no display
cases.

Note #1: The xe driver has no business doing low level display plumbing
like for_each_intel_crtc() to begin with. It all needs to happen in
display code.

Note #2: The actual bug is present already in commit 44e694958b95
("drm/xe/display: Implement display support"), but the oops was likely
introduced later at commit ddf6492e0e50 ("drm/xe/display: Make display
suspend/resume work on discrete").

Fixes: 44e694958b95 ("drm/xe/display: Implement display support")
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/7904
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/6150
Cc: stable@vger.kernel.org # v6.8+
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515160920.1082842-1-jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 7c3eb9f47533220888a67266448185fd0775d4da)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/xe/display/xe_display.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/xe/display/xe_display.c
+++ b/drivers/gpu/drm/xe/display/xe_display.c
@@ -119,6 +119,15 @@ int xe_display_init_early(struct xe_devi
 
 	intel_display_driver_early_probe(display);
 
+	intel_display_device_info_runtime_init(display);
+
+	/* Display may have been disabled at runtime init */
+	if (!intel_display_device_present(display)) {
+		xe->info.probe_display = false;
+		unset_display_features(xe);
+		return 0;
+	}
+
 	/* Early display init.. */
 	intel_opregion_setup(display);
 
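
Review bot: the new early return 0 sits after intel_display_driver_early_probe(display) and clears xe->info.probe_display, so any later teardown that is gated on probe_display will be skipped for whatever early_probe set up. Confirm that early_probe needs no matching cleanup on this path, or add one before returning. The commit message also says unset_display_features() is redundant at this point; the code comment should say so too.
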
@@ -132,8 +141,6 @@ int xe_display_init_early(struct xe_devi
 
 	intel_bw_init_hw(display);
 
-	intel_display_device_info_runtime_init(display);
-
 	err = intel_display_driver_probe_noirq(display);
 	if (err)
 		goto err_opregion;




* [PATCH 6.1 421/522] mptcp: pm: prio: skip closed subflows
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (419 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 420/522] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 422/522] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 166b78344031bf7ac9f55cb5282776cfd85f220e ]

When sending an MP_PRIO, closed subflows need to be skipped.

This fixes the case where the initial subflow got closed, re-opened
later, then an MP_PRIO is needed for the same local address.

Note that explicit MP_PRIO cannot be sent during the 3WHS, so it is fine
to use __mptcp_subflow_active().

Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support")
Cc: stable@vger.kernel.org
Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-9-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to renamed function `mptcp_pm_nl_mp_prio_send_ack()` in `pm_netlink.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_netlink.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -924,6 +924,9 @@ int mptcp_pm_nl_mp_prio_send_ack(struct
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		struct mptcp_addr_info local, remote;
 
+		if (!__mptcp_subflow_active(subflow))
+			continue;
+
 		mptcp_local_address((struct sock_common *)ssk, &local);
 		if (!mptcp_addresses_equal(&local, addr, addr->port))
 			continue;
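
Review bot: the new __mptcp_subflow_active() check has no comment, and the reason it is safe (an explicit MP_PRIO cannot be sent during the 3WHS) appears only in the commit message. A one-line comment above the check would save the next reader from having to look it up.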




* [PATCH 7.0 338/378] drm/xe/multi_queue: skip submit when primary queue is suspended
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (335 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 337/378] drm/xe/display: fix oops in suspend/shutdown without display Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 339/378] drm/xe: Clear pending_disable before signaling suspend fence Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniele Ceraolo Spurio,
	Niranjana Vishwanathapura, Rodrigo Vivi

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>

commit ec4cbdd163f9bb2a2bd44eb93ecf4a2fa0e912a9 upstream.

Return early in submit path when the multi-queue primary exec
queue is suspended to avoid submitting while suspended.

v2: Remove idle_skip_suspend fix as that feature is being
reverted here https://patchwork.freedesktop.org/series/167262/

Fixes: bc5775c59258 ("drm/xe/multi_queue: Add GuC interface for multi queue support")
Cc: stable@vger.kernel.org # v7.0+
Assisted-by: GitHub-Copilot:claude-sonnet-4.6
Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Signed-off-by: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
Link: https://patch.msgid.link/20260603233946.863663-2-niranjana.vishwanathapura@intel.com
(cherry picked from commit b7fb55cc3364ca128cfff9d50649ffd4327cd01e)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/xe/xe_guc_submit.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -1104,9 +1104,12 @@ static void submit_exec_queue(struct xe_
 
 	/*
 	 * All queues in a multi-queue group will use the primary queue
-	 * of the group to interface with GuC.
+	 * of the group to interface with GuC. If primay is suspended,
+	 * just return. Jobs will get scheduled once primary is resumed.
 	 */
 	q = xe_exec_queue_multi_queue_primary(q);
+	if (exec_queue_suspended(q))
+		return;
 
 	if (!exec_queue_enabled(q) && !exec_queue_suspended(q)) {
 		action[len++] = XE_GUC_ACTION_SCHED_CONTEXT_MODE_SET;
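
Review bot: the added comment has a typo ("primay"). With the new early return on exec_queue_suspended(q), the "&& !exec_queue_suspended(q)" term in the condition right below is always true; drop it, or say in the comment why the early return is intentionally broader than that check.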




* [PATCH 6.1 422/522] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (420 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 421/522] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 423/522] mptcp: pm: ADD_ADDR rtx: allow " Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit b12014d2d36eaed4e4bec5f1ac7e91110eeb100d ]

When adding the ADD_ADDR to the list, the address including the IP, port
and ID are copied. On the other hand, when the endpoint corresponds to
the one from the initial subflow, the ID is set to 0, as specified by
the MPTCP protocol.

The issue is that the ID was reset after having copied the ID in the
ADD_ADDR entry. So the retransmission was done, but using a different ID
than the initial one.

Fixes: 8b8ed1b429f8 ("mptcp: pm: reuse ID 0 after delete and re-add")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-1-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_netlink.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -595,6 +595,8 @@ static void mptcp_pm_create_subflow_or_s
 
 	/* check first for announce */
 	if (msk->pm.add_addr_signaled < add_addr_signal_max) {
+		u8 endp_id;
+
 		/* due to racing events on both ends we can reach here while
 		 * previous add address is still running: if we invoke now
 		 * mptcp_pm_announce_addr(), that will fail and the
@@ -608,19 +610,20 @@ static void mptcp_pm_create_subflow_or_s
 		if (!select_signal_address(pernet, msk, &local))
 			goto subflow;
 
+		/* Special case for ID0: set the correct ID */
+		endp_id = local.addr.id;
+		if (endp_id == msk->mpc_endpoint_id)
+			local.addr.id = 0;
+
 		/* If the alloc fails, we are on memory pressure, not worth
 		 * continuing, and trying to create subflows.
 		 */
 		if (!mptcp_pm_alloc_anno_list(msk, &local.addr))
 			return;
 
-		__clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
+		__clear_bit(endp_id, msk->pm.id_avail_bitmap);
 		msk->pm.add_addr_signaled++;
 
-		/* Special case for ID0: set the correct ID */
-		if (local.addr.id == msk->mpc_endpoint_id)
-			local.addr.id = 0;
-
 		mptcp_pm_announce_addr(msk, &local.addr, false);
 		mptcp_pm_nl_addr_send_ack(msk);
 
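
Review bot: the position of the ID rewrite relative to `mptcp_pm_alloc_anno_list()` is now what makes the retransmission use ID 0, but the comment still only says "set the correct ID". Consider stating that the rewrite has to precede `mptcp_pm_alloc_anno_list(msk, &local.addr)` because the address, ID included, is copied into the ADD_ADDR entry there, and that `endp_id` keeps the endpoint's own ID for `__clear_bit()` on `id_avail_bitmap`. Without that, a later cleanup could move the block back down or fold the two IDs into one variable again.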




* [PATCH 7.0 339/378] drm/xe: Clear pending_disable before signaling suspend fence
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (336 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 338/378] drm/xe/multi_queue: skip submit when primary queue is suspended Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 340/378] drm/v3d: Wait for pending L2T flush before cleaning caches Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tangudu Tilak Tirumalesh,
	Thomas Hellstrom, Daniele Ceraolo Spurio, Rodrigo Vivi

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>

commit 54f2a0442a30fe7a0f6bc8345e81f8b2db8effbd upstream.

In the schedule-disable done path for suspend, we
signal the suspend fence before clearing pending_disable.

That wakeup can let suspend_wait complete and resume be queued
immediately. The resume path may then reach enable_scheduling()
while pending_disable is still set and hit the
!exec_queue_pending_disable(q) assertion.

Fix this by clearing pending_disable before signaling
the suspend fence, so any resumed transition observes a
consistent state.

Fixes: 87651f31ae4e ("drm/xe/guc_submit: fix race around suspend_pending")
Cc: stable@vger.kernel.org # v7.0+
Signed-off-by: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
Reviewed-by: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Link: https://patch.msgid.link/20260603065217.3131066-3-tilak.tirumalesh.tangudu@intel.com
(cherry picked from commit 4b1ae138b0e103d753773956a84eebc2edbf62c4)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/xe/xe_guc_submit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -2760,8 +2760,8 @@ static void handle_sched_done(struct xe_
 		xe_gt_assert(guc_to_gt(guc), exec_queue_pending_disable(q));
 
 		if (q->guc->suspend_pending) {
-			suspend_fence_signal(q);
 			clear_exec_queue_pending_disable(q);
+			suspend_fence_signal(q);
 		} else {
 			if (exec_queue_banned(q)) {
 				smp_wmb();
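
Review bot: the order of the two calls in the `if (q->guc->suspend_pending)` branch is now load-bearing, yet nothing at the call site says so. A one-line comment above `clear_exec_queue_pending_disable(q)` noting that it must precede `suspend_fence_signal(q)`, because the waiter woken by the signal can queue a resume that asserts `!exec_queue_pending_disable(q)`, would keep a later refactor from swapping them back.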




* [PATCH 6.1 423/522] mptcp: pm: ADD_ADDR rtx: allow ID 0
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (421 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 422/522] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 424/522] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 03f324f3f1f7619a47b9c91282cb12775ab0a2f1 ]

ADD_ADDR can be sent for the ID 0, which corresponds to the local
address and port linked to the initial subflow.

Indeed, this address could be removed, and re-added later on, e.g. what
is done in the "delete re-add signal" MPTCP Join selftests. So no reason
to ignore it.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ relocated the 3-line deletion from net/mptcp/pm.c to net/mptcp/pm_netlink.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_netlink.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -315,9 +315,6 @@ static void mptcp_pm_add_timer(struct ti
 	if (inet_sk_state_load(sk) == TCP_CLOSE)
 		return;
 
-	if (!entry->addr.id)
-		return;
-
 	if (mptcp_pm_should_add_signal_addr(msk)) {
 		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
 		goto out;




* [PATCH 7.0 340/378] drm/v3d: Wait for pending L2T flush before cleaning caches
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (337 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 339/378] drm/xe: Clear pending_disable before signaling suspend fence Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 341/378] drm/v3d: Fix global performance monitor reference counting Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maíra Canal, Iago Toral Quiroga

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maíra Canal <mcanal@igalia.com>

commit abf888b03a9805a3bc37948a0df443553b1c0910 upstream.

v3d_clean_caches() starts the cache-clean sequence by writing
V3D_L2TCACTL_TMUWCF to V3D_CTL_L2TCACTL and then polling for that bit to
clear. It does not, however, check for an L2T flush (L2TFLS) that may
still be in flight from a previous operation.

On pre-V3D 7.1 hardware, kicking off the TMU write-combiner flush while an
L2T flush is still pending can clobber bits in L2TCACTL and cause cache
inconsistencies.

Poll for L2TFLS to clear before writing L2TCACTL on V3D < 7.1, ensuring
any pending flush has completed before a new clean is issued.

Cc: stable@vger.kernel.org
Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
Link: https://patch.msgid.link/20260530-v3d-fix-rpi4-freezes-v1-1-c2c8307da6ce@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/v3d/v3d_gem.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/v3d/v3d_gem.c
+++ b/drivers/gpu/drm/v3d/v3d_gem.c
@@ -213,6 +213,14 @@ v3d_clean_caches(struct v3d_dev *v3d)
 
 	trace_v3d_cache_clean_begin(dev);
 
+	/* GFXH-1897: Ensure pending flushes complete before writing L2TCACTL */
+	if (v3d->ver < V3D_GEN_71) {
+		if (wait_for(!(V3D_CORE_READ(core, V3D_CTL_L2TCACTL) &
+			       V3D_L2TCACTL_L2TFLS), 100)) {
+			drm_err(dev, "Timeout waiting for L2T clean\n");
+		}
+	}
+
 	V3D_CORE_WRITE(core, V3D_CTL_L2TCACTL, V3D_L2TCACTL_TMUWCF);
 	if (wait_for(!(V3D_CORE_READ(core, V3D_CTL_L2TCACTL) &
 		       V3D_L2TCACTL_TMUWCF), 100)) {
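
Review bot: on timeout the new block only logs and then falls through to `V3D_CORE_WRITE(core, V3D_CTL_L2TCACTL, V3D_L2TCACTL_TMUWCF)`, which is the write-while-L2TFLS-pending case the check exists to prevent. If continuing is intentional, say so in the comment; otherwise leave the clean sequence at that point. The message "Timeout waiting for L2T clean" also describes a clean while the bit being polled is `V3D_L2TCACTL_L2TFLS`, a flush; wording it as an L2T flush timeout would tell the two waits apart in the log.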




* [PATCH 6.1 424/522] mptcp: pm: ADD_ADDR rtx: fix potential data-race
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (422 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 423/522] mptcp: pm: ADD_ADDR rtx: allow " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 425/522] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d ]

This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_netlink.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -315,6 +315,13 @@ static void mptcp_pm_add_timer(struct ti
 	if (inet_sk_state_load(sk) == TCP_CLOSE)
 		return;
 
+	bh_lock_sock(sk);
+	if (sock_owned_by_user(sk)) {
+		/* Try again later. */
+		sk_reset_timer(sk, timer, jiffies + HZ / 20);
+		goto out;
+	}
+
 	if (mptcp_pm_should_add_signal_addr(msk)) {
 		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
 		goto out;
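
Review bot: `HZ / 20` in the `sock_owned_by_user(sk)` branch is an unexplained constant. The commit message ties the retry to what the keepalive timer does; putting that in the `/* Try again later. */` comment, or using a named constant, would make the choice of 1/20 s traceable.
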
@@ -343,6 +350,7 @@ static void mptcp_pm_add_timer(struct ti
 		mptcp_pm_subflow_established(msk);
 
 out:
+	bh_unlock_sock(sk);
 	__sock_put(sk);
 }
 
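
Review bot: `out:` now unlocks unconditionally, so every `goto out` in mptcp_pm_add_timer() has to be reached with the socket lock held. The early `return` for `TCP_CLOSE` is fine because it leaves before `bh_lock_sock(sk)`; please confirm that no `goto out` in the part of the function outside these hunks sits above the `bh_lock_sock(sk)` call, otherwise `bh_unlock_sock(sk)` would run on a lock that was never taken.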




* [PATCH 7.0 341/378] drm/v3d: Fix global performance monitor reference counting
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (338 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 340/378] drm/v3d: Wait for pending L2T flush before cleaning caches Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 342/378] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Iago Toral Quiroga, Maíra Canal

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maíra Canal <mcanal@igalia.com>

commit 6bf7e2affc6e62da7add393d7f352d4040f5bc27 upstream.

In the SET_GLOBAL ioctl, v3d_perfmon_find() bumps the reference count on
the perfmon it returns, but v3d_perfmon_set_global_ioctl() and
v3d_perfmon_delete() fail to release that reference on several paths:

  1. v3d_perfmon_set_global_ioctl() leaks the reference on its error
     paths.

  2. CLEAR_GLOBAL leaks both the find reference and the reference
     previously stashed in v3d->global_perfmon by the SET_GLOBAL ioctl
     that configured it.

  3. Destroying a perfmon that is the current global perfmon leaks the
     reference stashed by the SET_GLOBAL ioctl.

Release each of these references explicitly.

Cc: stable@vger.kernel.org
Fixes: c6eabbab359c ("drm/v3d: Add DRM_IOCTL_V3D_PERFMON_SET_GLOBAL")
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260531-v3d-perfmon-lifetime-v2-1-60ed4485a203@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/v3d/v3d_perfmon.c |   24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/v3d/v3d_perfmon.c
+++ b/drivers/gpu/drm/v3d/v3d_perfmon.c
@@ -313,8 +313,11 @@ static int v3d_perfmon_idr_del(int id, v
 	if (perfmon == v3d->active_perfmon)
 		v3d_perfmon_stop(v3d, perfmon, false);
 
-	/* If the global perfmon is being destroyed, set it to NULL */
-	cmpxchg(&v3d->global_perfmon, perfmon, NULL);
+	/* If the global perfmon is being destroyed, clean it and release
+	 * the reference stashed in v3d_perfmon_set_global_ioctl().
+	 */
+	if (cmpxchg(&v3d->global_perfmon, perfmon, NULL) == perfmon)
+		v3d_perfmon_put(perfmon);
 
 	v3d_perfmon_put(perfmon);
 
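
Review bot: after this change `v3d_perfmon_put(perfmon)` can run twice in a row, and only the first call is explained by the new comment. A short comment on the second call saying which reference it drops would make it clear that the pair is intentional and not a double put.
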
@@ -480,16 +483,27 @@ int v3d_perfmon_set_global_ioctl(struct
 
 	/* If the request is to clear the global performance monitor */
 	if (req->flags & DRM_V3D_PERFMON_CLEAR_GLOBAL) {
-		if (!v3d->global_perfmon)
+		struct v3d_perfmon *old;
+
+		/* DRM_V3D_PERFMON_CLEAR_GLOBAL doesn't check if
+		 * v3d->global_perfmon == perfmon. Therefore, there
+		 * is no need to keep perfmon's reference.
+		 */
+		v3d_perfmon_put(perfmon);
+
+		old = xchg(&v3d->global_perfmon, NULL);
+		if (!old)
 			return -EINVAL;
 
-		xchg(&v3d->global_perfmon, NULL);
+		v3d_perfmon_put(old);
 
 		return 0;
 	}
 
-	if (cmpxchg(&v3d->global_perfmon, NULL, perfmon))
+	if (cmpxchg(&v3d->global_perfmon, NULL, perfmon)) {
+		v3d_perfmon_put(perfmon);
 		return -EBUSY;
+	}
 
 	return 0;
 }
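
Review bot: in the `DRM_V3D_PERFMON_CLEAR_GLOBAL` branch, `v3d_perfmon_put(perfmon)` is followed by an unconditional `xchg(&v3d->global_perfmon, NULL)`, and the new comment confirms that the looked-up perfmon is never compared with the global one. A request naming any perfmon that the lookup accepts therefore clears whichever perfmon is currently global. If that is the intended uAPI it deserves a sentence in the ioctl documentation; if not, `cmpxchg(&v3d->global_perfmon, perfmon, NULL)` would restrict the clear to the perfmon that was set. Separately, the put of the find reference is now repeated in the clear branch and in the `-EBUSY` path; a single exit label that drops it would keep the next added error path from reintroducing the leak.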




* [PATCH 6.1 425/522] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (423 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 424/522] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 426/522] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 3cf12492891c4b5ff54dda404a2de4ec54c9e1b5 ]

When an ADD_ADDR needs to be retransmitted and another one has already
been prepared -- e.g. multiple ADD_ADDRs have been sent in a row and
need to be retransmitted later -- this additional retransmission will
need to wait.

In this case, the timer was reset to TCP_RTO_MAX / 8, which is ~15
seconds. This delay is unnecessarily long: it should just be rescheduled
at the next opportunity, e.g. after the retransmission timeout.

Without this modification, some issues can be seen from time to time in
the selftests when multiple ADD_ADDRs are sent, and the host takes time
to process them, e.g. the "signal addresses, ADD_ADDR timeout" MPTCP
Join selftest, especially with a debug kernel config.

Note that on older kernels, 'timeout' is not available. It should be
enough to replace it by one second (HZ).

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-6-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `TCP_RTO_MAX / 8` with `HZ` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -323,7 +323,7 @@ static void mptcp_pm_add_timer(struct ti
 	}
 
 	if (mptcp_pm_should_add_signal_addr(msk)) {
-		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
+		sk_reset_timer(sk, timer, jiffies + HZ);
 		goto out;
 	}
 
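
Review bot: `HZ` in `sk_reset_timer(sk, timer, jiffies + HZ)` stands in for upstream's `timeout` value, which this tree does not have, but only the backport note in the commit message records that. A comment next to the call saying so would help whoever resolves the next conflict in this function.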




* [PATCH 7.0 342/378] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (339 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 341/378] drm/v3d: Fix global performance monitor reference counting Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 343/378] drm/v3d: Skip CSD when it " Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jose Maria Casanova Crespo,
	Iago Toral Quiroga, Maíra Canal

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maíra Canal <mcanal@igalia.com>

commit ae7676952790f421c40918e2586a2c9f12a682b6 upstream.

v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect
buffer and the workgroup buffer and is expected to release them before
returning. When any of the workgroup counts read from the buffer is zero,
the function bailed out early and skipped the cleanup, leaking the vaddr
mappings of both BOs.

Jump to the cleanup path instead of returning directly, so the mappings
are always dropped.

Cc: stable@vger.kernel.org
Fixes: 18b8413b25b7 ("drm/v3d: Create a CPU job extension for a indirect CSD job")
Suggested-by: Jose Maria Casanova Crespo <jmcasanova@igalia.com>
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260602-v3d-fix-indirect-csd-v4-1-654309e32bc0@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/v3d/v3d_sched.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -429,7 +429,7 @@ v3d_rewrite_csd_job_wg_counts_from_indir
 	wg_counts = (uint32_t *)(bo->vaddr + indirect_csd->offset);
 
 	if (wg_counts[0] == 0 || wg_counts[1] == 0 || wg_counts[2] == 0)
-		return;
+		goto unmap_bo;
 
 	args->cfg[0] = wg_counts[0] << V3D_CSD_CFG012_WG_COUNT_SHIFT;
 	args->cfg[1] = wg_counts[1] << V3D_CSD_CFG012_WG_COUNT_SHIFT;
@@ -454,6 +454,7 @@ v3d_rewrite_csd_job_wg_counts_from_indir
 		}
 	}
 
+unmap_bo:
 	v3d_put_bo_vaddr(indirect);
 	v3d_put_bo_vaddr(bo);
 }
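
Review bot: the label `unmap_bo` releases two mappings, `indirect` and `bo`, so its name undersells what it does. A name such as `unmap_bos` or `out` would match the two `v3d_put_bo_vaddr()` calls that follow it.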




* [PATCH 6.1 426/522] f2fs: fix incorrect file address mapping when inline inode is unwritten
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (424 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 425/522] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 427/522] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

[ Upstream commit 68a0178981a0f493295afa29f8880246e561494c ]

When `fileinfo->fi_flags` does not have the `FIEMAP_FLAG_SYNC` bit set
and inline data has not been persisted yet, the physical address of the
extent is calculated incorrectly for unwritten inline inodes.

root@vm:/mnt/f2fs# dd if=/dev/zero of=data.3k bs=3k count=1
root@vm:/mnt/f2fs# f2fs_io fiemap 0 100 data.3k
Fiemap: offset = 0 len = 100
	logical addr.    physical addr.   length           flags
0	0000000000000000 00000ffffffff16c 0000000000000c00 00000301

This patch fixes the issue by checking if the inode's address is valid.
If the inline inode is unwritten, set the physical address to 0 and
mark the extent with `FIEMAP_EXTENT_UNKNOWN | FIEMAP_EXTENT_DELALLOC`
flags.

Cc: stable@kernel.org
Fixes: 67f8cf3cee6f ("f2fs: support fiemap for inline_data")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ renamed `ifolio` to `ipage` in `inline_data_addr()` and `F2FS_INODE()` calls ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/inline.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -774,7 +774,7 @@ int f2fs_read_inline_dir(struct file *fi
 int f2fs_inline_data_fiemap(struct inode *inode,
 		struct fiemap_extent_info *fieinfo, __u64 start, __u64 len)
 {
-	__u64 byteaddr, ilen;
+	__u64 byteaddr = 0, ilen;
 	__u32 flags = FIEMAP_EXTENT_DATA_INLINE | FIEMAP_EXTENT_NOT_ALIGNED |
 		FIEMAP_EXTENT_LAST;
 	struct node_info ni;
@@ -807,9 +807,14 @@ int f2fs_inline_data_fiemap(struct inode
 	if (err)
 		goto out;
 
-	byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
-	byteaddr += (char *)inline_data_addr(inode, ipage) -
-					(char *)F2FS_INODE(ipage);
+	if (__is_valid_data_blkaddr(ni.blk_addr)) {
+		byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
+		byteaddr += (char *)inline_data_addr(inode, ipage) -
+						(char *)F2FS_INODE(ipage);
+	} else {
+		f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR);
+		flags |= FIEMAP_EXTENT_DELALLOC | FIEMAP_EXTENT_UNKNOWN;
+	}
 	err = fiemap_fill_next_extent(fieinfo, start, byteaddr, ilen, flags);
 	trace_f2fs_fiemap(inode, start, byteaddr, ilen, flags, err);
 out:
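
Review bot: `f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR)` in the `else` branch turns every invalid block address other than `NEW_ADDR` into an assertion, in a path that user space reaches through fiemap. If `ni.blk_addr` can ever hold another value, for example from a damaged image, setting `err` and taking `goto out` for that case would be more defensive, leaving the `FIEMAP_EXTENT_DELALLOC | FIEMAP_EXTENT_UNKNOWN` reporting for the `NEW_ADDR` case only.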




* [PATCH 7.0 343/378] drm/v3d: Skip CSD when it has zeroed workgroups
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (340 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 342/378] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 344/378] drm/amdgpu: fix waiting for all submissions for userptrs Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jose Maria Casanova Crespo,
	Iago Toral Quiroga, Maíra Canal

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maíra Canal <mcanal@igalia.com>

commit 7f93fad5ea0affc9e1505dd0f7596c0fdb496213 upstream.

A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2
registers. Kicking off a dispatch with a zero count in any of the three
dimensions is invalid. First, the hardware will process 0 as 65536,
while the user-space driver exposes a maximum of 65535. Over that, a
submission with a zeroed workgroup dimension should be a no-op.

These zeroed counts can reach the dispatch path through an indirect CSD
job, whose workgroup counts are only known once the indirect buffer is
read and may legitimately be zero, but such a scenario should only result in
a no-op.

Overwrite the indirect CSD job workgroup counts with the indirect BO
ones, even if they are zeroed, and don't submit the job to the hardware
when any of the workgroup counts is zero, so the job completes immediately
instead of running the shader.

Cc: stable@vger.kernel.org
Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
Suggested-by: Jose Maria Casanova Crespo <jmcasanova@igalia.com>
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260602-v3d-fix-indirect-csd-v4-2-654309e32bc0@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/v3d/v3d_sched.c |   16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -378,6 +378,16 @@ v3d_csd_job_run(struct drm_sched_job *sc
 		return NULL;
 	}
 
+	/* The HW interprets a workgroup size of 0 as 65536; however, the
+	 * user-space driver exposes a maximum of 65535. Therefore, a 0 in
+	 * any dimension means that we have no workgroups and the compute
+	 * shader should not be dispatched.
+	 */
+	if (!V3D_GET_FIELD(job->args.cfg[0], V3D_CSD_QUEUED_CFG0_NUM_WGS_X) ||
+	    !V3D_GET_FIELD(job->args.cfg[1], V3D_CSD_QUEUED_CFG1_NUM_WGS_Y) ||
+	    !V3D_GET_FIELD(job->args.cfg[2], V3D_CSD_QUEUED_CFG2_NUM_WGS_Z))
+		return NULL;
+
 	v3d->queue[V3D_CSD].active_job = &job->base;
 
 	v3d_invalidate_caches(v3d);
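
Review bot: the new comment speaks of "a workgroup size of 0" while the fields tested are `V3D_CSD_QUEUED_CFG0_NUM_WGS_X` and its Y and Z counterparts, that is workgroup counts; using "count" throughout would match the code. It would also help to note in the comment that the check is placed before `v3d->queue[V3D_CSD].active_job` is assigned on purpose, so the `return NULL` leaves no active job behind.
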
@@ -428,13 +438,13 @@ v3d_rewrite_csd_job_wg_counts_from_indir
 
 	wg_counts = (uint32_t *)(bo->vaddr + indirect_csd->offset);
 
-	if (wg_counts[0] == 0 || wg_counts[1] == 0 || wg_counts[2] == 0)
-		goto unmap_bo;
-
 	args->cfg[0] = wg_counts[0] << V3D_CSD_CFG012_WG_COUNT_SHIFT;
 	args->cfg[1] = wg_counts[1] << V3D_CSD_CFG012_WG_COUNT_SHIFT;
 	args->cfg[2] = wg_counts[2] << V3D_CSD_CFG012_WG_COUNT_SHIFT;
 
+	if (wg_counts[0] == 0 || wg_counts[1] == 0 || wg_counts[2] == 0)
+		goto unmap_bo;
+
 	num_batches = DIV_ROUND_UP(indirect_csd->wg_size, 16) *
 		      (wg_counts[0] * wg_counts[1] * wg_counts[2]);
 
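
Review bot: with the zero check moved below the three `args->cfg[]` assignments, zeroed counts are now deliberately written into the job, and correctness depends on the new `V3D_GET_FIELD()` test in v3d_csd_job_run() rejecting them before dispatch. A comment on the `goto unmap_bo` saying that the zeros are stored on purpose and filtered at run time would stop someone from moving the check back up as an apparent cleanup.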




* [PATCH 6.1 427/522] f2fs: fix false alarm of lockdep on cp_global_sem lock
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (425 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 426/522] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 428/522] spi: st-ssc4: switch to use modern name Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Shinichiro Kawasaki, Chao Yu,
	Jaegeuk Kim, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <chao@kernel.org>

[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ]

lockdep reported a potential deadlock:

a) TCMU device removal context:
 - call del_gendisk() to get q->q_usage_counter
 - call start_flush_work() to get work_completion of wb->dwork
b) f2fs writeback context:
 - in wb_workfn(), which holds work_completion of wb->dwork
 - call f2fs_balance_fs() to get sbi->gc_lock
c) f2fs vfs_write context:
 - call f2fs_gc() to get sbi->gc_lock
 - call f2fs_write_checkpoint() to get sbi->cp_global_sem
d) f2fs mount context:
 - call recover_fsync_data() to get sbi->cp_global_sem
 - call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones()
   that goes down to blk_mq_alloc_request and get q->q_usage_counter

Original callstack is in Closes tag.

However, I think this is a false alarm because, before mount returns
successfully (context d), we cannot access files therein via vfs_write
(context c).

Let's introduce per-sb cp_global_sem_key, and assign the key for
cp_global_sem, so that lockdep can recognize cp_global_sem from
different super block correctly.

A lot of the work was done by Shin'ichiro Kawasaki, thanks a lot for
the work.

Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones")
Cc: stable@kernel.org
Reported-and-tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ re-anchored lockdep_register_key after init_f2fs_rwsem and placed lockdep_unregister_key before kfree(sbi) in f2fs_put_super instead of kill_f2fs_super ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/f2fs.h  |    3 +++
 fs/f2fs/super.c |   11 +++++++++++
 2 files changed, 14 insertions(+)

--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1853,6 +1853,9 @@ struct f2fs_sb_info {
 	spinlock_t iostat_lat_lock;
 	struct iostat_lat_info *iostat_io_lat;
 #endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+	struct lock_class_key cp_global_sem_key;
+#endif
 };
 
 #ifdef CONFIG_F2FS_FAULT_INJECTION
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1687,6 +1687,9 @@ static void f2fs_put_super(struct super_
 #if IS_ENABLED(CONFIG_UNICODE)
 	utf8_unload(sb->s_encoding);
 #endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+	lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
 	kfree(sbi);
 }
 
@@ -4188,6 +4191,11 @@ try_onemore:
 	init_f2fs_rwsem(&sbi->gc_lock);
 	mutex_init(&sbi->writepages);
 	init_f2fs_rwsem(&sbi->cp_global_sem);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+	lockdep_register_key(&sbi->cp_global_sem_key);
+	lockdep_set_class(&sbi->cp_global_sem.internal_rwsem,
+					&sbi->cp_global_sem_key);
+#endif
 	init_f2fs_rwsem(&sbi->node_write);
 	init_f2fs_rwsem(&sbi->node_change);
 	spin_lock_init(&sbi->stat_lock);
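
Review bot: `lockdep_set_class()` is applied to `sbi->cp_global_sem.internal_rwsem`, reaching past the wrapper that `init_f2fs_rwsem()` otherwise hides. A small helper next to `init_f2fs_rwsem()` that takes the key would keep the wrapper's layout private and avoid repeating the `#ifdef CONFIG_DEBUG_LOCK_ALLOC` block at each user.
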
@@ -4651,6 +4659,9 @@ free_sb_buf:
 free_sbi:
 	if (sbi->s_chksum_driver)
 		crypto_free_shash(sbi->s_chksum_driver);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+	lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
 	kfree(sbi);
 
 	/* give only one another chance */
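Review bot: lockdep_unregister_key() at free_sbi runs on every jump to
this label, but the matching lockdep_register_key() is only reached
partway through the function, after init_f2fs_rwsem(&sbi->cp_global_sem)
in the try_onemore hunk. The existing guard `if (sbi->s_chksum_driver)`
suggests the label is reachable before setup is complete; if any
goto free_sbi precedes the register call, the key is unregistered
without ever having been registered. Either register the key right after
sbi is allocated or confirm no such early path exists in 6.1.y.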




* [PATCH 7.0 344/378] drm/amdgpu: fix waiting for all submissions for userptrs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (341 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 343/378] drm/v3d: Skip CSD when it " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 345/378] drm/amdgpu: restart the CS if some parts of the VM are still invalidated Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, Vitaly Prosyak,
	Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian König <christian.koenig@amd.com>

commit 58bafc666c484b21839a2d27e923ae1b2727a1df upstream.

Wait for all submissions when userptrs need to be invalidated by the MMU
notifier, not just the one the userptr was involved in.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Tested-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 91250893cbaa25c86872deca95a540d08de1f91e)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
@@ -67,6 +67,7 @@ static bool amdgpu_hmm_invalidate_gfx(st
 {
 	struct amdgpu_bo *bo = container_of(mni, struct amdgpu_bo, notifier);
 	struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev);
+	struct amdgpu_bo *vm_root = bo->vm_bo->vm->root.bo;
 	long r;
 
 	if (!mmu_notifier_range_blockable(range))
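Review bot: the new initializer `bo->vm_bo->vm->root.bo` dereferences
bo->vm_bo unconditionally, at declaration time and before
adev->notifier_lock is taken. If the notifier can fire for a userptr BO
that has no vm_bo attached (not yet mapped into a VM, or already removed
from it), this is a NULL dereference in the MMU notifier path. Please
either state why vm_bo is always valid here or move the lookup under the
lock with a check.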
@@ -77,8 +78,9 @@ static bool amdgpu_hmm_invalidate_gfx(st
 	mmu_interval_set_seq(mni, cur_seq);
 
 	amdgpu_vm_bo_invalidate(bo, false);
-	r = dma_resv_wait_timeout(bo->tbo.base.resv, DMA_RESV_USAGE_BOOKKEEP,
-				  false, MAX_SCHEDULE_TIMEOUT);
+	r = dma_resv_wait_timeout(vm_root->tbo.base.resv,
+				  DMA_RESV_USAGE_BOOKKEEP, false,
+				  MAX_SCHEDULE_TIMEOUT);
 	mutex_unlock(&adev->notifier_lock);
 	if (r <= 0)
 		DRM_ERROR("(%ld) failed to wait for user bo\n", r);
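Review bot: the wait now covers vm_root->tbo.base.resv, but the
DRM_ERROR() below it still says "failed to wait for user bo". Updating
the message to name the VM root reservation would keep a timeout here
from being misread as a problem with the userptr BO itself.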




* [PATCH 6.1 428/522] spi: st-ssc4: switch to use modern name
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (426 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 427/522] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 429/522] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit e6b7e64cb11966b26646a362677ca5a08481157e ]

Change legacy name master/slave to modern name host/target or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-4-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 19857374010d ("spi: st-ssc4: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-st-ssc4.c |   70 +++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

--- a/drivers/spi/spi-st-ssc4.c
+++ b/drivers/spi/spi-st-ssc4.c
@@ -6,7 +6,7 @@
  *          Patrice Chotard <patrice.chotard@st.com>
  *          Lee Jones <lee.jones@linaro.org>
  *
- *  SPI master mode controller driver, used in STMicroelectronics devices.
+ *  SPI host mode controller driver, used in STMicroelectronics devices.
  */
 
 #include <linux/clk.h>
@@ -115,10 +115,10 @@ static void ssc_read_rx_fifo(struct spi_
 	spi_st->words_remaining -= count;
 }
 
-static int spi_st_transfer_one(struct spi_master *master,
+static int spi_st_transfer_one(struct spi_controller *host,
 			       struct spi_device *spi, struct spi_transfer *t)
 {
-	struct spi_st *spi_st = spi_master_get_devdata(master);
+	struct spi_st *spi_st = spi_controller_get_devdata(host);
 	uint32_t ctl = 0;
 
 	/* Setup transfer */
@@ -165,7 +165,7 @@ static int spi_st_transfer_one(struct sp
 	if (ctl)
 		writel_relaxed(ctl, spi_st->base + SSC_CTL);
 
-	spi_finalize_current_transfer(spi->master);
+	spi_finalize_current_transfer(spi->controller);
 
 	return t->len;
 }
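Review bot: spi_st_transfer_one() now receives the controller as `host`,
yet this call still goes through spi->controller. Passing `host`
directly would be consistent with the spi_controller_get_devdata(host)
at the top of the function.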
@@ -174,7 +174,7 @@ static int spi_st_transfer_one(struct sp
 #define MODEBITS  (SPI_CPOL | SPI_CPHA | SPI_LSB_FIRST | SPI_LOOP | SPI_CS_HIGH)
 static int spi_st_setup(struct spi_device *spi)
 {
-	struct spi_st *spi_st = spi_master_get_devdata(spi->master);
+	struct spi_st *spi_st = spi_controller_get_devdata(spi->controller);
 	u32 spi_st_clk, sscbrg, var;
 	u32 hz = spi->max_speed_hz;
 
@@ -274,35 +274,35 @@ static irqreturn_t spi_st_irq(int irq, v
 static int spi_st_probe(struct platform_device *pdev)
 {
 	struct device_node *np = pdev->dev.of_node;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct spi_st *spi_st;
 	int irq, ret = 0;
 	u32 var;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*spi_st));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*spi_st));
+	if (!host)
 		return -ENOMEM;
 
-	master->dev.of_node		= np;
-	master->mode_bits		= MODEBITS;
-	master->setup			= spi_st_setup;
-	master->transfer_one		= spi_st_transfer_one;
-	master->bits_per_word_mask	= SPI_BPW_MASK(8) | SPI_BPW_MASK(16);
-	master->auto_runtime_pm		= true;
-	master->bus_num			= pdev->id;
-	master->use_gpio_descriptors	= true;
-	spi_st				= spi_master_get_devdata(master);
+	host->dev.of_node		= np;
+	host->mode_bits			= MODEBITS;
+	host->setup			= spi_st_setup;
+	host->transfer_one		= spi_st_transfer_one;
+	host->bits_per_word_mask	= SPI_BPW_MASK(8) | SPI_BPW_MASK(16);
+	host->auto_runtime_pm		= true;
+	host->bus_num			= pdev->id;
+	host->use_gpio_descriptors	= true;
+	spi_st				= spi_controller_get_devdata(host);
 
 	spi_st->clk = devm_clk_get(&pdev->dev, "ssc");
 	if (IS_ERR(spi_st->clk)) {
 		dev_err(&pdev->dev, "Unable to request clock\n");
 		ret = PTR_ERR(spi_st->clk);
-		goto put_master;
+		goto put_host;
 	}
 
 	ret = clk_prepare_enable(spi_st->clk);
 	if (ret)
-		goto put_master;
+		goto put_host;
 
 	init_completion(&spi_st->done);
 
@@ -324,7 +324,7 @@ static int spi_st_probe(struct platform_
 	var &= ~SSC_CTL_SR;
 	writel_relaxed(var, spi_st->base + SSC_CTL);
 
-	/* Set SSC into slave mode before reconfiguring PIO pins */
+	/* Set SSC into target mode before reconfiguring PIO pins */
 	var = readl_relaxed(spi_st->base + SSC_CTL);
 	var &= ~SSC_CTL_MS;
 	writel_relaxed(var, spi_st->base + SSC_CTL);
@@ -347,11 +347,11 @@ static int spi_st_probe(struct platform_
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	platform_set_drvdata(pdev, master);
+	platform_set_drvdata(pdev, host);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (ret) {
-		dev_err(&pdev->dev, "Failed to register master\n");
+		dev_err(&pdev->dev, "Failed to register host\n");
 		goto rpm_disable;
 	}
 
@@ -361,15 +361,15 @@ rpm_disable:
 	pm_runtime_disable(&pdev->dev);
 clk_disable:
 	clk_disable_unprepare(spi_st->clk);
-put_master:
-	spi_master_put(master);
+put_host:
+	spi_controller_put(host);
 	return ret;
 }
 
 static int spi_st_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = platform_get_drvdata(pdev);
-	struct spi_st *spi_st = spi_master_get_devdata(master);
+	struct spi_controller *host = platform_get_drvdata(pdev);
+	struct spi_st *spi_st = spi_controller_get_devdata(host);
 
 	pm_runtime_disable(&pdev->dev);
 
@@ -383,8 +383,8 @@ static int spi_st_remove(struct platform
 #ifdef CONFIG_PM
 static int spi_st_runtime_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct spi_st *spi_st = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct spi_st *spi_st = spi_controller_get_devdata(host);
 
 	writel_relaxed(0, spi_st->base + SSC_IEN);
 	pinctrl_pm_select_sleep_state(dev);
@@ -396,8 +396,8 @@ static int spi_st_runtime_suspend(struct
 
 static int spi_st_runtime_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct spi_st *spi_st = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct spi_st *spi_st = spi_controller_get_devdata(host);
 	int ret;
 
 	ret = clk_prepare_enable(spi_st->clk);
@@ -410,10 +410,10 @@ static int spi_st_runtime_resume(struct
 #ifdef CONFIG_PM_SLEEP
 static int spi_st_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
+	struct spi_controller *host = dev_get_drvdata(dev);
 	int ret;
 
-	ret = spi_master_suspend(master);
+	ret = spi_controller_suspend(host);
 	if (ret)
 		return ret;
 
@@ -422,10 +422,10 @@ static int spi_st_suspend(struct device
 
 static int spi_st_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
+	struct spi_controller *host = dev_get_drvdata(dev);
 	int ret;
 
-	ret = spi_master_resume(master);
+	ret = spi_controller_resume(host);
 	if (ret)
 		return ret;
 




* [PATCH 7.0 345/378] drm/amdgpu: restart the CS if some parts of the VM are still invalidated
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (342 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 344/378] drm/amdgpu: fix waiting for all submissions for userptrs Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 346/378] drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14) Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, Vitaly Prosyak,
	Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian König <christian.koenig@amd.com>

commit 40396ffdf6120e2380706c59e1a84d7e765a37b6 upstream.

Make sure that we only submit work with fully up-to-date VM page tables.

Backport to 7.1 and older.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Tested-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 59720bfd8c6dbebeb8d5a7ab64241b007efd9213)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -1285,6 +1285,7 @@ static int amdgpu_cs_submit(struct amdgp
 {
 	struct amdgpu_fpriv *fpriv = p->filp->driver_priv;
 	struct amdgpu_job *leader = p->gang_leader;
+	struct amdgpu_vm *vm = &fpriv->vm;
 	struct amdgpu_bo_list_entry *e;
 	struct drm_gem_object *gobj;
 	unsigned long index;
@@ -1330,7 +1331,8 @@ static int amdgpu_cs_submit(struct amdgp
 		amdgpu_hmm_range_free(e->range);
 		e->range = NULL;
 	}
-	if (r) {
+
+	if (r || !list_empty(&vm->invalidated)) {
 		r = -EAGAIN;
 		mutex_unlock(&p->adev->notifier_lock);
 		return r;
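Review bot: `!list_empty(&vm->invalidated)` is evaluated with
adev->notifier_lock held (the unlock is in the branch body), but nothing
in the hunk shows that this is the lock that serialises updates to
vm->invalidated. Please say in a comment which lock makes the check
stable. The submit also now returns -EAGAIN for as long as the list is
non-empty, so it is worth stating what guarantees the list drains before
userspace retries.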




* [PATCH 6.1 429/522] spi: st-ssc4: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (427 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 428/522] spi: st-ssc4: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 430/522] spi: lantiq-ssc: " Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, Johan Hovold, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 19857374010d06ca6a2f7c2c53464122eb804df0 ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 9e862375c542 ("spi: Add new driver for STMicroelectronics' SPI Controller")
Cc: stable@vger.kernel.org	# 4.0
Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-18-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-st-ssc4.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-st-ssc4.c
+++ b/drivers/spi/spi-st-ssc4.c
@@ -349,7 +349,7 @@ static int spi_st_probe(struct platform_
 
 	platform_set_drvdata(pdev, host);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(&pdev->dev, "Failed to register host\n");
 		goto rpm_disable;
@@ -371,10 +371,16 @@ static int spi_st_remove(struct platform
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct spi_st *spi_st = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(&pdev->dev);
 
 	clk_disable_unprepare(spi_st->clk);
 
+	spi_controller_put(host);
+
 	pinctrl_pm_select_sleep_state(&pdev->dev);
 
 	return 0;
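Review bot: the spi_controller_get()/spi_controller_put() pair around
spi_unregister_controller() has no comment explaining why the extra
reference is needed. spi_st comes from spi_controller_get_devdata(host)
and spi_st->clk is used after the unregister, so a short comment that
the reference keeps the driver data alive until clk_disable_unprepare()
has run would stop a later cleanup from dropping the pair as redundant.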




* [PATCH 7.0 346/378] drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14)
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (343 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 345/378] drm/amdgpu: restart the CS if some parts of the VM are still invalidated Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 347/378] drm/amdgpu: Fix incorrect VRAM GART mappings on non-4K page size systems Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian Koenig, Alex Deucher,
	Felix Kuehling, Vitaly Prosyak

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vitaly Prosyak <vitaly.prosyak@amd.com>

commit e47b0056a08dc70430ffc44bbf62197e7d1ff8ea upstream.

Problem:
While developing the amd_close_race IGT test (which intentionally triggers
execute permission faults by removing VM_PAGE_EXECUTABLE from GPU page table
entries), we discovered that on Navi10 (GFX 10.1.x) these faults produce
zero diagnostic output. The GPU simply hangs silently for ~10s until the
scheduler timeout fires. There is no way to distinguish an execute
permission fault from any other type of GPU hang.

Root cause:
GFX 10.1.x defaults to noretry=0, which sets
RETRY_PERMISSION_OR_INVALID_PAGE_FAULT=1 in the GFXHUB UTCL2 registers
(gfxhub_v2_0.c line 313). With this bit set, permission faults (valid PTE,
wrong R/W/X bits) are handled entirely within the UTCL1/UTCL2 hardware
loop: UTCL2 returns an XNACK to UTCL1, and UTCL1 re-requests the
translation indefinitely, expecting software to eventually fix the
permission bits (as happens in SVM/HMM recovery). No interrupt of any kind
reaches the IH ring.

This is different from invalid-page faults (V=0) which DO generate a retry
fault interrupt that the driver can escalate to a no-retry fault. Permission
faults with valid PTEs loop silently forever in hardware.

GFX 10.3+ already defaults to noretry=1, which makes permission faults
generate immediate L2 protection fault interrupts. GFX 10.1.x was
inadvertently left out of this default.

Fix:
Change the noretry=1 threshold from IP_VERSION(10, 3, 0) to
IP_VERSION(10, 1, 0) in amdgpu_gmc_noretry_set(). This is a one-line
change that aligns GFX 10.1.x behavior with GFX 10.3+ and all newer
generations.

With noretry=1, the existing non-retry fault handler
(gmc_v10_0_process_interrupt) already decodes and prints the full
GCVM_L2_PROTECTION_FAULT_STATUS register including PERMISSION_FAULTS,
faulting address, VMID, PASID, and process name. No additional logging
code is needed — the fix is purely routing permission faults to the
existing, fully-capable non-retry interrupt handler.

v2: Dropped GFX10-specific logging from gmc_v10_0.c and
kfd_int_process_v10.c (Felix Kuehling). v1 added logging in the retry
fault handler, but with noretry=1 permission faults take the non-retry
path — the v1 retry handler code was dead and would never execute.

Tested on Navi10 (GFX 10.1.10):
- Execute permission faults now produce immediate, clear output:
    [gfxhub] page fault (src_id:0 ring:64 vmid:4 pasid:592)
     Process amd_close_race pid 13380 thread amd_close_race pid 13384
      in page at address 0x40001000 from client 0x1b (UTCL2)
    GCVM_L2_PROTECTION_FAULT_STATUS:0x00700881
         PERMISSION_FAULTS: 0x8
- No regressions with properly-mapped GPU workloads

Cc: Christian Koenig <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eb21edd24c40d81066753f8ac6f23bce15745395)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -1002,7 +1002,7 @@ void amdgpu_gmc_noretry_set(struct amdgp
 				gc_ver == IP_VERSION(9, 4, 3) ||
 				gc_ver == IP_VERSION(9, 4, 4) ||
 				gc_ver == IP_VERSION(9, 5, 0) ||
-				gc_ver >= IP_VERSION(10, 3, 0));
+				gc_ver >= IP_VERSION(10, 1, 0));
 
 	if (!amdgpu_sriov_xnack_support(adev))
 		gmc->noretry = 1;
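Review bot: `gc_ver >= IP_VERSION(10, 1, 0)` turns on noretry for every
GC version from 10.1.0 upward, while the commit message reports testing
on Navi10 (GFX 10.1.10) only and the subject names Navi10/12/14. Please
confirm the other parts that now fall inside the range were covered, or
list them in a comment above the condition.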




* [PATCH 6.1 430/522] spi: lantiq-ssc: fix controller deregistration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (428 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 429/522] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 431/522] cgroup/cpuset: Reset DL migration state on can_attach() failure Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hauke Mehrtens, Johan Hovold,
	Mark Brown, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit b99206710d032c16b7f8b75e4bc18414d8e4b9f4 ]

Make sure to deregister the controller before releasing underlying
resources like clocks during driver unbind.

Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller")
Cc: stable@vger.kernel.org	# 4.11
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-17-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ adapted spi_controller/host naming to spi_master/master and preserved the int-returning remove() with trailing return 0 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-lantiq-ssc.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-lantiq-ssc.c
+++ b/drivers/spi/spi-lantiq-ssc.c
@@ -997,7 +997,7 @@ static int lantiq_ssc_probe(struct platf
 		"Lantiq SSC SPI controller (Rev %i, TXFS %u, RXFS %u, DMA %u)\n",
 		revision, spi->tx_fifo_size, spi->rx_fifo_size, supports_dma);
 
-	err = devm_spi_register_master(dev, master);
+	err = spi_register_master(master);
 	if (err) {
 		dev_err(dev, "failed to register spi_master\n");
 		goto err_wq_destroy;
@@ -1021,6 +1021,10 @@ static int lantiq_ssc_remove(struct plat
 {
 	struct lantiq_ssc_spi *spi = platform_get_drvdata(pdev);
 
+	spi_master_get(spi->master);
+
+	spi_unregister_master(spi->master);
+
 	lantiq_ssc_writel(spi, 0, LTQ_SPI_IRNEN);
 	lantiq_ssc_writel(spi, 0, LTQ_SPI_CLC);
 	rx_fifo_flush(spi);
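Review bot: spi_master_get() is taken here and only released in the next
hunk, after clk_put(), with nothing tying the two together. Here `spi`
comes from platform_get_drvdata(), so its relation to the master's
lifetime is not visible in remove(); since the register writes and
rx_fifo_flush(spi) still use it after spi_unregister_master(), please
add a comment saying the reference is what keeps `spi` valid.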
@@ -1031,6 +1035,8 @@ static int lantiq_ssc_remove(struct plat
 	clk_disable_unprepare(spi->spi_clk);
 	clk_put(spi->fpi_clk);
 
+	spi_master_put(spi->master);
+
 	return 0;
 }
 




* [PATCH 7.0 347/378] drm/amdgpu: Fix incorrect VRAM GART mappings on non-4K page size systems
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (344 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 346/378] drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14) Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 348/378] drm/amd/pm: apply SMU 13.0.10 workaround during MP1 unload Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
	Christian König, Donet Tom, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Donet Tom <donettom@linux.ibm.com>

commit ec4c462e2d8161b32038e21e7187f4a15fe1661d upstream.

When mapping VRAM pages into the GART page table,
amdgpu_gart_map_vram_range() assumes that the system page size is the
same as the GPU page size.

On systems with non-4K page sizes, multiple GPU pages can exist within
a single CPU page. As a result, the mappings are created incorrectly
because fewer page table entries are programmed than required.

Fix this by programming the mappings correctly for non-4K page size
systems.

Fixes: 237d623ae659 ("drm/amdgpu/gart: Add helper to bind VRAM pages (v2)")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a8f0bc22388f74e0cf4ed8b7d1846c580eaf44cc)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
@@ -394,7 +394,8 @@ void amdgpu_gart_map_vram_range(struct a
 				uint64_t start_page, uint64_t num_pages,
 				uint64_t flags, void *dst)
 {
-	u32 i, idx;
+	u32 i, j, t, idx;
+	u64 page_base;
 
 	/* The SYSTEM flag indicates the pages aren't in VRAM. */
 	WARN_ON_ONCE(flags & AMDGPU_PTE_SYSTEM);
@@ -402,9 +403,12 @@ void amdgpu_gart_map_vram_range(struct a
 	if (!drm_dev_enter(adev_to_drm(adev), &idx))
 		return;
 
-	for (i = 0; i < num_pages; ++i) {
-		amdgpu_gmc_set_pte_pde(adev, dst,
-			start_page + i, pa + AMDGPU_GPU_PAGE_SIZE * i, flags);
+	page_base = pa;
+	for (i = 0, t = 0; i < num_pages; i++) {
+		for (j = 0; j < AMDGPU_GPU_PAGES_IN_CPU_PAGE; j++, t++) {
+			amdgpu_gmc_set_pte_pde(adev, dst, start_page + t, page_base, flags);
+			page_base += AMDGPU_GPU_PAGE_SIZE;
+		}
 	}
 
 	drm_dev_exit(idx);
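Review bot: after this change num_pages counts CPU pages while
start_page + t and page_base advance in GPU pages, and nothing in the
function says so. Please document the units of start_page and num_pages
in the function comment. The counters i and t are u32 while num_pages is
uint64_t, and t now grows AMDGPU_GPU_PAGES_IN_CPU_PAGE times faster than
i, so a u64 for t would be safer.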




* [PATCH 6.1 431/522] cgroup/cpuset: Reset DL migration state on can_attach() failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (429 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 430/522] spi: lantiq-ssc: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 432/522] genetlink: Use internal flags for multicast groups Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Guopeng Zhang, Tejun Heo,
	Chen Ridong, Waiman Long, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guopeng Zhang <zhangguopeng@kylinos.cn>

[ Upstream commit 4a39eda5fdd867fc39f3c039714dd432cee00268 ]

cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
state in the destination cpuset while walking the taskset.

If a later task_can_attach() or security_task_setscheduler() check
fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
and does not call cpuset_cancel_attach() for it. The partially
accumulated state is then left behind and can be consumed by a later
attach, corrupting cpuset DL task accounting and pending DL bandwidth
accounting.

Reset the pending DL migration state from the common error exit when
ret is non-zero. Successful can_attach() keeps the state for
cpuset_attach() or cpuset_cancel_attach().

Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
Cc: stable@vger.kernel.org # v6.10+
Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
Reviewed-by: Waiman Long <longman@redhat.com>
[ omitted upstream context line `cs->dl_bw_cpu = cpu;` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/cgroup/cpuset.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -2579,16 +2579,13 @@ static int cpuset_can_attach(struct cgro
 		int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
 
 		if (unlikely(cpu >= nr_cpu_ids)) {
-			reset_migrate_dl_data(cs);
 			ret = -EINVAL;
 			goto out_unlock;
 		}
 
 		ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
-		if (ret) {
-			reset_migrate_dl_data(cs);
+		if (ret)
 			goto out_unlock;
-		}
 	}
 
 out_success:
@@ -3401,7 +3398,10 @@ static int cpuset_can_fork(struct task_s
 	 * changes which zero cpus/mems_allowed.
 	 */
 	cs->attach_in_progress++;
+
 out_unlock:
+	if (ret)
+		reset_migrate_dl_data(cs);
 	mutex_unlock(&cpuset_mutex);
 	return ret;
 }
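Review bot: this hunk lands in a different function from the first one,
going by the hunk headers. The first hunk removes both
reset_migrate_dl_data(cs) calls from cpuset_can_attach() near line 2579,
but this one adds `if (ret) reset_migrate_dl_data(cs);` under an
out_unlock label near line 3398, which the header attributes to
cpuset_can_fork(). The commit message describes a reset in the common
error exit of cpuset_can_attach(). If the context lines also match the
tail of cpuset_can_fork() in 6.1.y, cpuset_can_attach() is left with no
reset on its error paths; please check where the hunk applied and
re-anchor it.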




* [PATCH 7.0 348/378] drm/amd/pm: apply SMU 13.0.10 workaround during MP1 unload
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (345 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 347/378] drm/amdgpu: Fix incorrect VRAM GART mappings on non-4K page size systems Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 349/378] drm/amd/pm: fix smu13 power limit default/cap calculation Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Kenneth Feng,
	Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Wang <kevinyang.wang@amd.com>

commit 2493d87bb4c31ec9ca7f0ef7257e33b8b175f913 upstream.

On SMU v13.0.10, sending PrepareMp1ForUnload with the default
parameter may leave the device in an inaccessible state. This can
affect runtime power management and partial PnP flows,
e.g. kexec, driver unload, boco/d3cold.

Pass the required workaround parameter 0x55 when preparing MP1 for
unload on SMU v13.0.10; keep the existing behavior for other SMU
versions.

Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/5133
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4e8ee1afeedb8d24dd22cdd5ae9f98a6d76ebe4b)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
@@ -2801,11 +2801,19 @@ static void smu_v13_0_0_i2c_control_fini
 static int smu_v13_0_0_set_mp1_state(struct smu_context *smu,
 				     enum pp_mp1_state mp1_state)
 {
+	uint32_t param;
 	int ret;
 
 	switch (mp1_state) {
 	case PP_MP1_STATE_UNLOAD:
-		ret = smu_cmn_set_mp1_state(smu, mp1_state);
+		/*
+		 * NOTE: Param 0x55 comes from PMFW 80.31.0, ignored in older versions.
+		 * No PMFW version check required.
+		 */
+		param = amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 10) ?
+			0x55 : 0x00;
+		ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_PrepareMp1ForUnload,
+						      param, NULL);
 		break;
 	default:
 		/* Ignore others */
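Review bot: the PP_MP1_STATE_UNLOAD case no longer calls
smu_cmn_set_mp1_state() for any part handled by this file; every version
now goes through smu_cmn_send_smc_msg_with_param() directly, with 0x00
for everything other than 13.0.10. The commit message says other SMU
versions keep their existing behavior, so please confirm the helper did
nothing beyond sending this message with a zero parameter. The literal
0x55 would also read better as a named constant next to the NOTE
comment.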




* [PATCH 6.1 432/522] genetlink: Use internal flags for multicast groups
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (430 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 431/522] cgroup/cpuset: Reset DL migration state on can_attach() failure Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 433/522] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Mat Martineau,
	Andy Shevchenko, David S. Miller, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@nvidia.com>

[ Upstream commit cd4d7263d58ab98fd4dee876776e4da6c328faa3 ]

As explained in commit e03781879a0d ("drop_monitor: Require
'CAP_SYS_ADMIN' when joining "events" group"), the "flags" field in the
multicast group structure reuses uAPI flags despite the field not being
exposed to user space. This makes it impossible to extend its use
without adding new uAPI flags, which is inappropriate for internal
kernel checks.

Solve this by adding internal flags (i.e., "GENL_MCAST_*") and convert
the existing users to use them instead of the uAPI flags.

Tested using the reproducers in commit 44ec98ea5ea9 ("psample: Require
'CAP_NET_ADMIN' when joining "packets" group") and commit e03781879a0d
("drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group").

No functional changes intended.

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d1ebfce2c1d1 ("smb: client: require net admin for CIFS SWN netlink")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/genetlink.h |    9 ++++++---
 net/core/drop_monitor.c |    2 +-
 net/mptcp/pm_netlink.c  |    2 +-
 net/netlink/genetlink.c |    4 ++--
 net/psample/psample.c   |    2 +-
 5 files changed, 11 insertions(+), 8 deletions(-)

--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -8,16 +8,19 @@
 
 #define GENLMSG_DEFAULT_SIZE (NLMSG_DEFAULT_SIZE - GENL_HDRLEN)
 
+/* Binding to multicast group requires %CAP_NET_ADMIN */
+#define GENL_MCAST_CAP_NET_ADMIN	BIT(0)
+/* Binding to multicast group requires %CAP_SYS_ADMIN */
+#define GENL_MCAST_CAP_SYS_ADMIN	BIT(1)
+
 /**
  * struct genl_multicast_group - generic netlink multicast group
  * @name: name of the multicast group, names are per-family
- * @flags: GENL_* flags (%GENL_ADMIN_PERM or %GENL_UNS_ADMIN_PERM)
- * @cap_sys_admin: whether %CAP_SYS_ADMIN is required for binding
+ * @flags: GENL_MCAST_* flags
  */
 struct genl_multicast_group {
 	char			name[GENL_NAMSIZ];
 	u8			flags;
-	u8			cap_sys_admin:1;
 };
 
 struct genl_ops;
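
Review bot: flags stays a plain u8 in struct genl_multicast_group, so an initializer that still passes a uAPI GENL_* value (the kernel-doc removed here named %GENL_ADMIN_PERM and %GENL_UNS_ADMIN_PERM as the valid ones) keeps compiling without a warning while genl_bind() tests the new GENL_MCAST_* bits, and the capability requirement is silently lost if the bit positions differ. For a stable backport that matters for any multicast group user not converted in this patch. A check at family registration that rejects bits outside GENL_MCAST_CAP_NET_ADMIN | GENL_MCAST_CAP_SYS_ADMIN would turn that into a visible failure.
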
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -181,7 +181,7 @@ out:
 }
 
 static const struct genl_multicast_group dropmon_mcgrps[] = {
-	{ .name = "events", .cap_sys_admin = 1 },
+	{ .name = "events", .flags = GENL_MCAST_CAP_SYS_ADMIN, },
 };
 
 static void send_dm_alert(struct work_struct *work)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1313,7 +1313,7 @@ bool mptcp_pm_nl_is_backup(struct mptcp_
 static const struct genl_multicast_group mptcp_pm_mcgrps[] = {
 	[MPTCP_PM_CMD_GRP_OFFSET]	= { .name = MPTCP_PM_CMD_GRP_NAME, },
 	[MPTCP_PM_EV_GRP_OFFSET]        = { .name = MPTCP_PM_EV_GRP_NAME,
-					    .flags = GENL_UNS_ADMIN_PERM,
+					    .flags = GENL_MCAST_CAP_NET_ADMIN,
 					  },
 };
 
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1431,10 +1431,10 @@ static int genl_bind(struct net *net, in
 			continue;
 
 		grp = &family->mcgrps[i];
-		if ((grp->flags & GENL_UNS_ADMIN_PERM) &&
+		if ((grp->flags & GENL_MCAST_CAP_NET_ADMIN) &&
 		    !ns_capable(net->user_ns, CAP_NET_ADMIN))
 			ret = -EPERM;
-		if (grp->cap_sys_admin &&
+		if ((grp->flags & GENL_MCAST_CAP_SYS_ADMIN) &&
 		    !ns_capable(net->user_ns, CAP_SYS_ADMIN))
 			ret = -EPERM;
 
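
Review bot: Both checks here use ns_capable(net->user_ns, ...), so the capability is evaluated relative to the user namespace that owns the network namespace, but the comments added to include/net/genetlink.h in this patch only say "requires %CAP_NET_ADMIN" and "requires %CAP_SYS_ADMIN". Family authors will choose a flag from the header text, so the header comments should say the capability is namespaced. The two tests could also be folded into one helper now that both read grp->flags, which would keep a future GENL_MCAST_* bit from being added to the header without a matching check here.
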
--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -32,7 +32,7 @@ enum psample_nl_multicast_groups {
 static const struct genl_multicast_group psample_nl_mcgrps[] = {
 	[PSAMPLE_NL_MCGRP_CONFIG] = { .name = PSAMPLE_NL_MCGRP_CONFIG_NAME },
 	[PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME,
-				      .flags = GENL_UNS_ADMIN_PERM },
+				      .flags = GENL_MCAST_CAP_NET_ADMIN, },
 };
 
 static struct genl_family psample_nl_family __ro_after_init;




* [PATCH 7.0 349/378] drm/amd/pm: fix smu13 power limit default/cap calculation
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (346 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 348/378] drm/amd/pm: apply SMU 13.0.10 workaround during MP1 unload Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 350/378] drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Wang, Kenneth Feng, Lijo Lazar,
	Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Wang <kevinyang.wang@amd.com>

commit bb204f19e4a115f094a6a3c4d82fcf48862d0766 upstream.

smu_v13_0_0_get_power_limit() and smu_v13_0_7_get_power_limit() mix
runtime power_limit with PP table limits when reporting default/min/max.

When current power limit query succeeds, default_power_limit was set to the
runtime value instead of the PP table default, and min/max could be derived
from inconsistent bases (MsgLimits/runtime), leading to incorrect cap info.

Use SocketPowerLimitAc/Dc as the PP default base (pp_limit), keep
current_power_limit as runtime value, and derive min/max from pp_limit with
OD percentages.

Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/5227
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1eaf26db95901ca70737503a89b831dd763c8453)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c |   32 ++++++++++---------
 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c |   32 ++++++++++---------
 2 files changed, 35 insertions(+), 29 deletions(-)

--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
@@ -2390,28 +2390,30 @@ static int smu_v13_0_0_enable_mgpu_fan_b
 }
 
 static int smu_v13_0_0_get_power_limit(struct smu_context *smu,
-						uint32_t *current_power_limit,
-						uint32_t *default_power_limit,
-						uint32_t *max_power_limit,
-						uint32_t *min_power_limit)
+				       uint32_t *current_power_limit,
+				       uint32_t *default_power_limit,
+				       uint32_t *max_power_limit,
+				       uint32_t *min_power_limit)
 {
 	struct smu_table_context *table_context = &smu->smu_table;
 	struct smu_13_0_0_powerplay_table *powerplay_table =
 		(struct smu_13_0_0_powerplay_table *)table_context->power_play_table;
 	PPTable_t *pptable = table_context->driver_pptable;
 	SkuTable_t *skutable = &pptable->SkuTable;
-	uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
-	uint32_t msg_limit = skutable->MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
-
-	if (smu_v13_0_get_current_power_limit(smu, &power_limit))
-		power_limit = smu->adev->pm.ac_power ?
+	uint32_t pp_limit = smu->adev->pm.ac_power ?
 			      skutable->SocketPowerLimitAc[PPT_THROTTLER_PPT0] :
 			      skutable->SocketPowerLimitDc[PPT_THROTTLER_PPT0];
+	uint32_t power_limit = 0, od_percent_upper = 0, od_percent_lower = 0;
+	int ret;
+
+	if (current_power_limit) {
+		ret = smu_v13_0_get_current_power_limit(smu, &power_limit);
+		if (ret)
+			*current_power_limit = pp_limit;
+	}
 
-	if (current_power_limit)
-		*current_power_limit = power_limit;
 	if (default_power_limit)
-		*default_power_limit = power_limit;
+		*default_power_limit = pp_limit;
 
 	if (powerplay_table) {
 		if (smu->od_enabled &&
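
Review bot: In the new "if (current_power_limit)" block, *current_power_limit is written only when smu_v13_0_get_current_power_limit() fails. The old unconditional "*current_power_limit = power_limit;" is removed and nothing replaces it on the success path, so a successful query leaves the caller's value untouched and the runtime value read into power_limit is discarded. The smu_v13_0_7 version of the same change in this patch sets "power_limit = pp_limit;" on failure and then writes "*current_power_limit = power_limit;" in both cases, which is what the commit message describes; this function should match it.
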
@@ -2425,15 +2427,15 @@ static int smu_v13_0_0_get_power_limit(s
 	}
 
 	dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
-					od_percent_upper, od_percent_lower, power_limit);
+		od_percent_upper, od_percent_lower, pp_limit);
 
 	if (max_power_limit) {
-		*max_power_limit = msg_limit * (100 + od_percent_upper);
+		*max_power_limit = pp_limit * (100 + od_percent_upper);
 		*max_power_limit /= 100;
 	}
 
 	if (min_power_limit) {
-		*min_power_limit = power_limit * (100 - od_percent_lower);
+		*min_power_limit = pp_limit * (100 - od_percent_lower);
 		*min_power_limit /= 100;
 	}
 
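
Review bot: "pp_limit * (100 - od_percent_lower)" is computed in uint32_t, so if od_percent_lower exceeds 100 the subtraction wraps and *min_power_limit becomes a very large value instead of 0; nothing in the visible lines bounds the percentage. Clamping od_percent_lower to 100 before the multiply would keep the reported minimum sane against a bad PP table. Separately, the reindented dev_dbg() still prints three uint32_t values with %d; %u is the matching specifier.
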
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
@@ -2372,28 +2372,32 @@ static int smu_v13_0_7_enable_mgpu_fan_b
 }
 
 static int smu_v13_0_7_get_power_limit(struct smu_context *smu,
-						uint32_t *current_power_limit,
-						uint32_t *default_power_limit,
-						uint32_t *max_power_limit,
-						uint32_t *min_power_limit)
+				       uint32_t *current_power_limit,
+				       uint32_t *default_power_limit,
+				       uint32_t *max_power_limit,
+				       uint32_t *min_power_limit)
 {
 	struct smu_table_context *table_context = &smu->smu_table;
 	struct smu_13_0_7_powerplay_table *powerplay_table =
 		(struct smu_13_0_7_powerplay_table *)table_context->power_play_table;
 	PPTable_t *pptable = table_context->driver_pptable;
 	SkuTable_t *skutable = &pptable->SkuTable;
-	uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
-	uint32_t msg_limit = skutable->MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
-
-	if (smu_v13_0_get_current_power_limit(smu, &power_limit))
-		power_limit = smu->adev->pm.ac_power ?
+	uint32_t pp_limit = smu->adev->pm.ac_power ?
 			      skutable->SocketPowerLimitAc[PPT_THROTTLER_PPT0] :
 			      skutable->SocketPowerLimitDc[PPT_THROTTLER_PPT0];
+	uint32_t power_limit = 0, od_percent_upper = 0, od_percent_lower = 0;
+	int ret;
+
+	if (current_power_limit) {
+		ret = smu_v13_0_get_current_power_limit(smu, &power_limit);
+		if (ret)
+			power_limit = pp_limit;
 
-	if (current_power_limit)
 		*current_power_limit = power_limit;
+	}
+
 	if (default_power_limit)
-		*default_power_limit = power_limit;
+		*default_power_limit = pp_limit;
 
 	if (powerplay_table) {
 		if (smu->od_enabled &&
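
Review bot: ret exists only to be tested once inside the "if (current_power_limit)" block, and a failed query is replaced by pp_limit without any trace, so a caller cannot tell a real runtime limit from the PP table fallback. Consider testing the call directly and adding a dev_dbg() on the fallback path. The query is now skipped when current_power_limit is NULL, which is fine here because min and max no longer depend on power_limit.
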
@@ -2407,15 +2411,15 @@ static int smu_v13_0_7_get_power_limit(s
 	}
 
 	dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
-					od_percent_upper, od_percent_lower, power_limit);
+		od_percent_upper, od_percent_lower, pp_limit);
 
 	if (max_power_limit) {
-		*max_power_limit = msg_limit * (100 + od_percent_upper);
+		*max_power_limit = pp_limit * (100 + od_percent_upper);
 		*max_power_limit /= 100;
 	}
 
 	if (min_power_limit) {
-		*min_power_limit = power_limit * (100 - od_percent_lower);
+		*min_power_limit = pp_limit * (100 - od_percent_lower);
 		*min_power_limit /= 100;
 	}
 




* [PATCH 6.1 433/522] smb: client: require net admin for CIFS SWN netlink
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (431 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 432/522] genetlink: Use internal flags for multicast groups Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 434/522] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit d1ebfce2c1d161186a82e77590bf7da2ea1bce91 ]

CIFS_GENL_CMD_SWN_NOTIFY is the userspace witness-notify command.  The
intended sender is the cifs.witness helper, but the generic-netlink
operation currently has no capability flag, so any local process can send
RESOURCE_CHANGE or CLIENT_MOVE notifications to the in-kernel witness
handler.

The same family exposes CIFS_GENL_MCGRP_SWN without multicast-group
capability flags.  Register messages sent to that group include the witness
registration id and, for NTLM-authenticated mounts, the username, domain,
and password attributes copied from the CIFS session.  An unprivileged
local process should not be able to join that group and receive those
messages.

Require CAP_NET_ADMIN for incoming SWN_NOTIFY commands with
GENL_ADMIN_PERM, and require CAP_NET_ADMIN over the network namespace for
joining the SWN multicast group with GENL_MCAST_CAP_NET_ADMIN.  The
cifs.witness service runs with the privileges needed for both operations.

Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/netlink.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/smb/client/netlink.c
+++ b/fs/smb/client/netlink.c
@@ -33,13 +33,17 @@ static const struct nla_policy cifs_genl
 static const struct genl_ops cifs_genl_ops[] = {
 	{
 		.cmd = CIFS_GENL_CMD_SWN_NOTIFY,
+		.flags = GENL_ADMIN_PERM,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 		.doit = cifs_swn_notify,
 	},
 };
 
 static const struct genl_multicast_group cifs_genl_mcgrps[] = {
-	[CIFS_GENL_MCGRP_SWN] = { .name = CIFS_GENL_MCGRP_SWN_NAME },
+	[CIFS_GENL_MCGRP_SWN] = {
+		.name = CIFS_GENL_MCGRP_SWN_NAME,
+		.flags = GENL_MCAST_CAP_NET_ADMIN,
+	},
 };
 
 struct genl_family cifs_genl_family = {
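
Review bot: The two gates added here do not have the same scope: the op uses GENL_ADMIN_PERM, while the multicast group uses GENL_MCAST_CAP_NET_ADMIN, which genl_bind() checks with ns_capable(net->user_ns, CAP_NET_ADMIN), that is, relative to the user namespace owning the socket's network namespace. Since the commit message says messages to this group can carry the NTLM username, domain and password, please confirm that the family cannot be bound from a non-initial network namespace (the cifs_genl_family definition that follows is outside this hunk), because in that case the bind check would be satisfied by a namespaced capability rather than a host-level one. A one-line comment on the .flags line saying why the group is restricted would also keep the restriction from being dropped in a later cleanup.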




* [PATCH 7.0 350/378] drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (347 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 349/378] drm/amd/pm: fix smu13 power limit default/cap calculation Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 351/378] drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Asad Kamal, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Wang <kevinyang.wang@amd.com>

commit ee193c5bbd5e2b56bbeb54ef554414b43a6fc896 upstream.

EnergyAccumulator is unsupported on SMU 14.0.2, mark it invalid.

Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Asad Kamal <asad.kamal@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 646b05043eeed04b51c14aad22a400a8250af4b7)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
@@ -2150,7 +2150,6 @@ static ssize_t smu_v14_0_2_get_gpu_metri
 					       metrics->Vcn1ActivityPercentage);
 
 	gpu_metrics->average_socket_power = metrics->AverageSocketPower;
-	gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
 
 	if (metrics->AverageGfxActivity <= SMU_14_0_2_BUSY_THRESHOLD)
 		gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;




* [PATCH 6.1 434/522] Bluetooth: hci_qca: Convert timeout from jiffies to ms
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (432 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 433/522] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 435/522] mm/memory: fix spurious warning when unmapping device-private/exclusive pages Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Menzel, Bartosz Golaszewski,
	Shuai Zhang, Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

[ Upstream commit 375ba7484132662a4a8c7547d088fb6275c00282 ]

Since the timer uses jiffies as its unit rather than ms, the timeout value
must be converted from ms to jiffies when configuring the timer. Otherwise,
the intended 8s timeout is incorrectly set to approximately 33s.

To improve readability, embed msecs_to_jiffies() directly in the macro
definitions and drop the _MS suffix from macros that now yield jiffies
values: MEMDUMP_TIMEOUT, FW_DOWNLOAD_TIMEOUT, IBS_DISABLE_SSR_TIMEOUT,
CMD_TRANS_TIMEOUT, and IBS_BTSOC_TX_IDLE_TIMEOUT.

IBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are
intentionally left unchanged. Their values are stored in the struct fields
wake_retrans and tx_idle_delay, which hold ms values at runtime and can be
modified via debugfs. The msecs_to_jiffies() conversion happens at each
call site against the field value, so it cannot be embedded in the macro.

Wake timer depends on commit c347ca17d62a

Cc: stable@vger.kernel.org
Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ adapted to `vmalloc`-based memdump path and older `qca_serdev_shutdown(struct device *dev)` signature ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |   33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -46,13 +46,12 @@
 #define HCI_MAX_IBS_SIZE	10
 
 #define IBS_WAKE_RETRANS_TIMEOUT_MS	100
-#define IBS_BTSOC_TX_IDLE_TIMEOUT_MS	200
+#define IBS_BTSOC_TX_IDLE_TIMEOUT	msecs_to_jiffies(200)
 #define IBS_HOST_TX_IDLE_TIMEOUT_MS	2000
-#define CMD_TRANS_TIMEOUT_MS		100
-#define MEMDUMP_TIMEOUT_MS		8000
-#define IBS_DISABLE_SSR_TIMEOUT_MS \
-	(MEMDUMP_TIMEOUT_MS + FW_DOWNLOAD_TIMEOUT_MS)
-#define FW_DOWNLOAD_TIMEOUT_MS		3000
+#define CMD_TRANS_TIMEOUT		msecs_to_jiffies(100)
+#define MEMDUMP_TIMEOUT			msecs_to_jiffies(8000)
+#define FW_DOWNLOAD_TIMEOUT		msecs_to_jiffies(3000)
+#define IBS_DISABLE_SSR_TIMEOUT		(MEMDUMP_TIMEOUT + FW_DOWNLOAD_TIMEOUT)
 
 /* susclk rate */
 #define SUSCLK_RATE_32KHZ	32768
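
Review bot: After this hunk the define block mixes two units with only the _MS suffix to tell them apart: IBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are milliseconds, while the five renamed macros expand to msecs_to_jiffies() calls. Passing the wrong unit is the bug this patch fixes, so a comment above the block stating which macros are in jiffies, and that they are now function calls rather than integer constants, would help the next reader avoid repeating it.
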
@@ -1059,7 +1058,7 @@ static void qca_controller_memdump(struc
 				    dump_size);
 			queue_delayed_work(qca->workqueue,
 					   &qca->ctrl_memdump_timeout,
-					   msecs_to_jiffies(MEMDUMP_TIMEOUT_MS)
+					   MEMDUMP_TIMEOUT
 					  );
 
 			skb_pull(skb, sizeof(dump_size));
@@ -1327,7 +1326,7 @@ static int qca_set_baudrate(struct hci_d
 
 	if (hu->serdev)
 		serdev_device_wait_until_sent(hu->serdev,
-		      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+		      CMD_TRANS_TIMEOUT);
 
 	/* Give the controller time to process the request */
 	switch (qca_soc_type(hu)) {
@@ -1358,8 +1357,8 @@ static inline void host_set_baudrate(str
 
 static int qca_send_power_pulse(struct hci_uart *hu, bool on)
 {
+	int timeout = CMD_TRANS_TIMEOUT;
 	int ret;
-	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
 	u8 cmd = on ? QCA_WCN3990_POWERON_PULSE : QCA_WCN3990_POWEROFF_PULSE;
 
 	/* These power pulses are single byte command which are sent
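
Review bot: "int timeout = CMD_TRANS_TIMEOUT;" stores a jiffies count in a signed int, while the qca_suspend() hunk in this same patch widens wait_timeout from u32 to unsigned long. The value from msecs_to_jiffies(100) fits, but using unsigned long here and in qca_serdev_shutdown() would keep the types consistent with the other jiffies variables the patch touches.
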
@@ -1561,7 +1560,7 @@ static void qca_wait_for_dump_collection
 	struct qca_data *qca = hu->priv;
 
 	wait_on_bit_timeout(&qca->flags, QCA_MEMDUMP_COLLECTION,
-			    TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT_MS);
+			    TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT);
 
 	clear_bit(QCA_MEMDUMP_COLLECTION, &qca->flags);
 }
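
Review bot: The return value of wait_on_bit_timeout() is still discarded in qca_wait_for_dump_collection() and clear_bit(QCA_MEMDUMP_COLLECTION, &qca->flags) runs either way, so a dump that timed out is indistinguishable from one that completed. With the timeout now actually 8s instead of the roughly 33s the commit message mentions, timeouts become more likely to be hit; logging that case, as qca_suspend() does with bt_dev_err() for its own wait, would make it observable.
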
@@ -2390,7 +2389,7 @@ static void qca_serdev_remove(struct ser
 static void qca_serdev_shutdown(struct device *dev)
 {
 	int ret;
-	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
+	int timeout = CMD_TRANS_TIMEOUT;
 	struct serdev_device *serdev = to_serdev_device(dev);
 	struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
 	struct hci_uart *hu = &qcadev->serdev_hu;
@@ -2448,7 +2447,7 @@ static int __maybe_unused qca_suspend(st
 	bool tx_pending = false;
 	int ret = 0;
 	u8 cmd;
-	u32 wait_timeout = 0;
+	unsigned long wait_timeout = 0;
 
 	set_bit(QCA_SUSPENDING, &qca->flags);
 
@@ -2469,15 +2468,15 @@ static int __maybe_unused qca_suspend(st
 	if (test_bit(QCA_IBS_DISABLED, &qca->flags) ||
 	    test_bit(QCA_SSR_TRIGGERED, &qca->flags)) {
 		wait_timeout = test_bit(QCA_SSR_TRIGGERED, &qca->flags) ?
-					IBS_DISABLE_SSR_TIMEOUT_MS :
-					FW_DOWNLOAD_TIMEOUT_MS;
+					IBS_DISABLE_SSR_TIMEOUT :
+					FW_DOWNLOAD_TIMEOUT;
 
 		/* QCA_IBS_DISABLED flag is set to true, During FW download
 		 * and during memory dump collection. It is reset to false,
 		 * After FW download complete.
 		 */
 		wait_on_bit_timeout(&qca->flags, QCA_IBS_DISABLED,
-			    TASK_UNINTERRUPTIBLE, msecs_to_jiffies(wait_timeout));
+			    TASK_UNINTERRUPTIBLE, wait_timeout);
 
 		if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
 			bt_dev_err(hu->hdev, "SSR or FW download time out");
@@ -2529,7 +2528,7 @@ static int __maybe_unused qca_suspend(st
 
 	if (tx_pending) {
 		serdev_device_wait_until_sent(hu->serdev,
-					      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+					      CMD_TRANS_TIMEOUT);
 		serial_clock_vote(HCI_IBS_TX_VOTE_CLOCK_OFF, hu);
 	}
 
@@ -2538,7 +2537,7 @@ static int __maybe_unused qca_suspend(st
 	 */
 	ret = wait_event_interruptible_timeout(qca->suspend_wait_q,
 			qca->rx_ibs_state == HCI_IBS_RX_ASLEEP,
-			msecs_to_jiffies(IBS_BTSOC_TX_IDLE_TIMEOUT_MS));
+			IBS_BTSOC_TX_IDLE_TIMEOUT);
 	if (ret == 0) {
 		ret = -ETIMEDOUT;
 		goto error;




* [PATCH 7.0 351/378] drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (348 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 350/378] drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 352/378] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Priya Hosur, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Priya Hosur <Priya.Hosur@amd.com>

commit 03b70e0d8aa26bab89a0f1394c1c80a871925e42 upstream.

In smu_v14_0_0_set_soft_freq_limited_range(), the gfxclk floor is
programmed via SetHardMinGfxClk together with SetSoftMaxGfxClk. Under
power_dpm_force_performance_level=high this pins HardMin to peak gfxclk.

In PMFW arbitration HardMin has higher priority than SoftMax, so the
firmware thermal/PPT throttler cannot clamp gfxclk via SoftMax once
HardMin is set to peak. Replace SetHardMinGfxClk with SetSoftMinGfxclk
so the driver still requests peak performance but the firmware
throttler retains the ability to clamp gfxclk under thermal/PPT
pressure. SoftMax handling is unchanged and no other clock domains
are affected.

Signed-off-by: Priya Hosur <Priya.Hosur@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3ea273267fd29cbf6d83ee72329f59eb5042605b)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c
@@ -1228,7 +1228,8 @@ static int smu_v14_0_0_set_soft_freq_lim
 	switch (clk_type) {
 	case SMU_GFXCLK:
 	case SMU_SCLK:
-		msg_set_min = SMU_MSG_SetHardMinGfxClk;
+		/* SoftMin lets PMFW throttle gfxclk; HardMin would override SoftMax. */
+		msg_set_min = SMU_MSG_SetSoftMinGfxclk;
 		msg_set_max = SMU_MSG_SetSoftMaxGfxClk;
 		break;
 	case SMU_FCLK:
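
Review bot: The new message is spelled SMU_MSG_SetSoftMinGfxclk while the untouched line below it uses SMU_MSG_SetSoftMaxGfxClk (lower-case versus upper-case "c" in "Clk"), so please confirm that this exact identifier has an entry in the smu_v14_0_0 message mapping in the 7.0 tree. The mapping table is not part of this hunk, and an unmapped message would make the minimum request fail instead of being applied. The added comment explains the arbitration well; it could also say that it covers both SMU_GFXCLK and SMU_SCLK.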




* [PATCH 6.1 435/522] mm/memory: fix spurious warning when unmapping device-private/exclusive pages
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (433 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 434/522] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 436/522] Bluetooth: Init sk_peer_* on bt_sock_alloc Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alistair Popple,
	Arsen Arsenović, Balbir Singh, David Hildenbrand,
	Jason Gunthorpe, John Hubbard, Leon Romanovsky, Liam R. Howlett,
	Lorenzo Stoakes, Peter Xu, Matthew Brost, Michal Hocko,
	Mike Rapoport, Shuah Khan, Suren Baghdasaryan,
	Thomas Hellström, Vlastimil Babka, Andrew Morton,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alistair Popple <apopple@nvidia.com>

[ Upstream commit be3f38d05cc5a7c3f13e51994c5dd043ab604d28 ]

Device private and exclusive entries are only supported for anonymous
folios.  This condition is tested in __migrate_device_pages() and
make_device_exclusive() using folio_test_anon().  However the unmap path
tests this assumption using vma_is_anonymous().

This is wrong because whilst anonymous VMAs can only contain folios where
folio_test_anon() is true the opposite relation does not hold.  A folio
for which folio_test_anon() is true does not imply vma_is_anonymous() is
true.  Such a condition can occur if for example a folio is part of a
private filebacked mapping.

In this case vma_is_anonymous() is false as the mapping is filebacked, but
folio_test_anon() may be true, thus permitting devices to migrate the
folio to device private memory.  This can lead to the following spurious
warnings during process teardown:

[  772.737706] ------------[ cut here ]------------
[  772.739201] WARNING: mm/memory.c:1754 at unmap_page_range.cold+0x26/0x18a, CPU#17: hmm-tests/2041
[  772.742050] Modules linked in: test_hmm nvidia_uvm(O) nvidia(O)
[  772.743959] CPU: 17 UID: 0 PID: 2041 Comm: hmm-tests Tainted: G        W  O        7.0.0+ #387 PREEMPT(full)
[  772.747104] Tainted: [W]=WARN, [O]=OOT_MODULE
[  772.748509] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[  772.752117] RIP: 0010:unmap_page_range.cold+0x26/0x18a
[  772.753780] Code: 7e fe ff ff 48 89 4c 24 78 4c 89 44 24 38 e8 f2 ff b1 00 48 8b 4c 24 78 4c 8b 44 24 38 48 8b 44 24 18 48 83 78 48 00 74 04 90 <0f> 0b 90 48 89 ca b8 ff ff 37 00 48 c1 ea 03 48 c1 e0 2a 80 3c 02
[  772.759602] RSP: 0018:ffff888112607550 EFLAGS: 00010286
[  772.761310] RAX: ffff88811bbf4dc0 RBX: dffffc0000000000 RCX: ffffea03e9bfffd8
[  772.763583] RDX: 1ffff1102377e9c1 RSI: 0000000000000008 RDI: ffff88811bbf4e08
[  772.765914] RBP: 0000000000000006 R08: ffff8881059f7448 R09: ffffed10224c0e68
[  772.768184] R10: ffff888112607347 R11: 0000000000000001 R12: 0000000000000001
[  772.770461] R13: ffffea03e9bfffc0 R14: ffff888112607908 R15: ffffea03e9bfffc0
[  772.772782] FS:  00007f327caa2780(0000) GS:ffff888427b7d000(0000) knlGS:0000000000000000
[  772.775328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  772.777187] CR2: 00007f327ca89000 CR3: 00000001994d5000 CR4: 00000000000006f0
[  772.779135] Call Trace:
[  772.779792]  <TASK>
[  772.780317]  ? dmirror_interval_invalidate+0x1a3/0x290 [test_hmm]
[  772.781873]  ? vm_normal_page_pud+0x2b0/0x2b0
[  772.782992]  ? __rwlock_init+0x150/0x150
[  772.784006]  ? lock_release+0x216/0x2b0
[  772.785008]  ? __mmu_notifier_invalidate_range_start+0x505/0x6e0
[  772.786522]  ? lock_release+0x216/0x2b0
[  772.787498]  ? unmap_single_vma+0xb6/0x210
[  772.788573]  unmap_vmas+0x27d/0x520
[  772.789506]  ? unmap_single_vma+0x210/0x210
[  772.790607]  ? mas_update_gap.part.0+0x620/0x620
[  772.791834]  unmap_region+0x19e/0x350
[  772.792769]  ? remove_vma+0x130/0x130
[  772.793684]  ? mas_alloc_nodes+0x1f2/0x300
[  772.794730]  vms_complete_munmap_vmas+0x8c1/0xe20
[  772.795926]  ? unmap_region+0x350/0x350
[  772.796917]  do_vmi_align_munmap+0x36a/0x4e0
[  772.798018]  ? lock_release+0x216/0x2b0
[  772.799024]  ? vma_shrink+0x620/0x620
[  772.799983]  do_vmi_munmap+0x150/0x2c0
[  772.800939]  __vm_munmap+0x161/0x2c0
[  772.801872]  ? expand_downwards+0xd60/0xd60
[  772.802948]  ? clockevents_program_event+0x1ef/0x540
[  772.804217]  ? lock_release+0x216/0x2b0
[  772.805158]  __x64_sys_munmap+0x59/0x80
[  772.805776]  do_syscall_64+0xfc/0x670
[  772.806336]  ? irqentry_exit+0xda/0x580
[  772.806976]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  772.807772] RIP: 0033:0x7f327cbb2717
[  772.808323] Code: 73 01 c3 48 8b 0d f9 76 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c9 76 0d 00 f7 d8 64 89 01 48
[  772.811337] RSP: 002b:00007ffde7f57d38 EFLAGS: 00000202 ORIG_RAX: 000000000000000b
[  772.812564] RAX: ffffffffffffffda RBX: 00007f327cc9c000 RCX: 00007f327cbb2717
[  772.813733] RDX: 0000000000000000 RSI: 0000000000400000 RDI: 00007f327c289000
[  772.814867] RBP: 0000000000421360 R08: 000000000000001a R09: 0000000000000000
[  772.815991] R10: 0000000000000003 R11: 0000000000000202 R12: 00007ffde7f57d74
[  772.817121] R13: 00007f327c689010 R14: 0000000000100000 R15: 00007f327c289000
[  772.818272]  </TASK>
[  772.818614] irq event stamp: 0
[  772.819159] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
[  772.820174] hardirqs last disabled at (0): [<ffffffff82a57ab3>] copy_process+0x19f3/0x6440
[  772.821511] softirqs last  enabled at (0): [<ffffffff82a57b00>] copy_process+0x1a40/0x6440
[  772.822869] softirqs last disabled at (0): [<0000000000000000>] 0x0
[  772.823871] ---[ end trace 0000000000000000 ]---

Fix this by using the same check for folio_test_anon() in
zap_nonpresent_ptes(). Also add a hmm-test case for this.

Link: https://lore.kernel.org/20260501065116.2057242-1-apopple@nvidia.com
Fixes: 999dad824c39 ("mm/shmem: persist uffd-wp bit across zapping for file-backed")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Reported-by: Arsen Arsenović <aarsenovic@baylibre.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ adapted `folio_test_anon(folio)` to `PageAnon(page)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c                            |    2 -
 tools/testing/selftests/vm/hmm-tests.c |   50 +++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1471,7 +1471,7 @@ again:
 			 * consider uffd-wp bit when zap. For more information,
 			 * see zap_install_uffd_wp_if_needed().
 			 */
-			WARN_ON_ONCE(!vma_is_anonymous(vma));
+			WARN_ON_ONCE(!PageAnon(page));
 			rss[mm_counter(page)]--;
 			if (is_device_private_entry(entry))
 				page_remove_rmap(page, vma, false);
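
Review bot: the WARN_ON_ONCE(!PageAnon(page)) check is diagnostic only. The rss[mm_counter(page)]-- and page_remove_rmap() lines run whether or not it fires, so a non-anonymous page reaching this branch still gets no uffd-wp handling. The comment block above the check should be reworded to say the assumption is about the page being anonymous, not the VMA, since that is what the condition now tests and private file mappings are exactly the case the changelog describes.
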
--- a/tools/testing/selftests/vm/hmm-tests.c
+++ b/tools/testing/selftests/vm/hmm-tests.c
@@ -994,6 +994,56 @@ TEST_F(hmm, migrate)
 }
 
 /*
+ * Migrate private file memory to device private memory.
+ */
+TEST_F(hmm, migrate_file_private)
+{
+	struct hmm_buffer *buffer;
+	unsigned long npages;
+	unsigned long size;
+	unsigned long i;
+	int *ptr;
+	int ret;
+	int fd;
+
+	npages = ALIGN(HMM_BUFFER_SIZE, self->page_size) >> self->page_shift;
+	ASSERT_NE(npages, 0);
+	size = npages << self->page_shift;
+
+	fd = hmm_create_file(size);
+	ASSERT_GE(fd, 0);
+
+	buffer = malloc(sizeof(*buffer));
+	ASSERT_NE(buffer, NULL);
+
+	buffer->fd = fd;
+	buffer->size = size;
+	buffer->mirror = malloc(size);
+	ASSERT_NE(buffer->mirror, NULL);
+
+	buffer->ptr = mmap(NULL, size,
+			   PROT_READ | PROT_WRITE,
+			   MAP_PRIVATE,
+			   buffer->fd, 0);
+	ASSERT_NE(buffer->ptr, MAP_FAILED);
+
+	/* Initialize buffer in system memory. */
+	for (i = 0, ptr = buffer->ptr; i < size / sizeof(*ptr); ++i)
+		ptr[i] = i;
+
+	/* Migrate memory to device. */
+	ret = hmm_migrate_sys_to_dev(self->fd, buffer, npages);
+	ASSERT_EQ(ret, 0);
+	ASSERT_EQ(buffer->cpages, npages);
+
+	/* Check what the device read. */
+	for (i = 0, ptr = buffer->mirror; i < size / sizeof(*ptr); ++i)
+		ASSERT_EQ(ptr[i], i);
+
+	hmm_buffer_free(buffer);
+}
+
+/*
  * Migrate anonymous memory to device private memory and fault some of it back
  * to system memory, then try migrating the resulting mix of system and device
  * private memory to the device.
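
Review bot: migrate_file_private asserts only on ret, buffer->cpages and the mirror contents, so nothing in the test body shows which step is expected to reach the zap path that produced the warning. Add a short comment before hmm_buffer_free(buffer) naming that step, and say in the test header that a pass means no WARN in the kernel log, because the harness will report success even if the warning fires. The file descriptor from hmm_create_file() is also handed to buffer->fd only after the first malloc() assertion, so an early ASSERT_NE failure leaves it open.
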




* [PATCH 7.0 352/378] drm/amd/display: Bound VBIOS record-chain walk loops
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (349 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 351/378] drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 353/378] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit ff287df16a1a58aca78b08d1f3ee09fc44da0351 upstream.

[Why & How]
All record-chain walk loops in bios_parser.c and bios_parser2.c use
for(;;) and only terminate on a 0xFF record_type sentinel or zero
record_size. A malformed VBIOS image missing the terminator record
causes unbounded iteration at probe time, potentially hundreds of
thousands of iterations with record_size=1. In the final iterations
near the BIOS image boundary, struct casts beyond the 2-byte header
validated by GET_IMAGE can also read out of bounds.

Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)
iterations. The atombios.h defines up to 22 distinct record types
and atomfirmware.h has 13. Assuming an average of less than 10
records per type (which is reasonable since most are connector-
based) 256 is a generous upper bound.

Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Assisted-by: Copilot:claude-opus-4.6 Mythos
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser.c        |   15 +++++---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c       |   27 ++++++++++-----
 drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h |    5 ++
 3 files changed, 33 insertions(+), 14 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
@@ -222,6 +222,7 @@ static enum bp_result bios_parser_get_i2
 	ATOM_COMMON_RECORD_HEADER *header;
 	ATOM_I2C_RECORD *record;
 	struct bios_parser *bp = BP_FROM_DCB(dcb);
+	int i;
 
 	if (!info)
 		return BP_RESULT_BADINPUT;
@@ -234,7 +235,7 @@ static enum bp_result bios_parser_get_i2
 	offset = le16_to_cpu(object->usRecordOffset)
 			+ bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
 
 		if (!header)
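
Review bot: the loop headed by for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) can now end by exhausting the counter instead of by a break or return, and the hunk does not show what the function returns in that case. Check that the statement after the loop returns a not-found result rather than success, and consider a one-time warning there so a record chain that hits the cap shows up in the log instead of being silently truncated. The same question applies to every converted loop in this file.
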
@@ -293,11 +294,12 @@ static enum bp_result bios_parser_get_de
 {
 	ATOM_COMMON_RECORD_HEADER *header;
 	uint32_t offset;
+	int i;
 
 	offset = le16_to_cpu(object->usRecordOffset)
 			+ bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
 
 		if (!header)
@@ -948,6 +950,7 @@ static ATOM_HPD_INT_RECORD *get_hpd_reco
 {
 	ATOM_COMMON_RECORD_HEADER *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -957,7 +960,7 @@ static ATOM_HPD_INT_RECORD *get_hpd_reco
 	offset = le16_to_cpu(object->usRecordOffset)
 			+ bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
 
 		if (!header)
@@ -1652,6 +1655,7 @@ static ATOM_ENCODER_CAP_RECORD_V2 *get_e
 {
 	ATOM_COMMON_RECORD_HEADER *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -1661,7 +1665,7 @@ static ATOM_ENCODER_CAP_RECORD_V2 *get_e
 	offset = le16_to_cpu(object->usRecordOffset)
 					+ bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
 
 		if (!header)
@@ -2750,6 +2754,7 @@ static enum bp_result update_slot_layout
 					      unsigned int record_offset)
 {
 	unsigned int j;
+	unsigned int n;
 	struct bios_parser *bp;
 	ATOM_BRACKET_LAYOUT_RECORD *record;
 	ATOM_COMMON_RECORD_HEADER *record_header;
@@ -2759,7 +2764,7 @@ static enum bp_result update_slot_layout
 	record = NULL;
 	record_header = NULL;
 
-	for (;;) {
+	for (n = 0; n < BIOS_MAX_NUM_RECORD; n++) {
 
 		record_header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, record_offset);
 		if (record_header == NULL) {
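
Review bot: the counter added here is unsigned int n while the other capped loops in this file use int i. Use one type for all BIOS_MAX_NUM_RECORD counters; unsigned int matches the existing j in this function and avoids a signed comparison against the constant.
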
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -395,6 +395,7 @@ static enum bp_result bios_parser_get_i2
 	struct atom_i2c_record *record;
 	struct atom_i2c_record dummy_record = {0};
 	struct bios_parser *bp = BP_FROM_DCB(dcb);
+	int i;
 
 	if (!info)
 		return BP_RESULT_BADINPUT;
@@ -428,7 +429,7 @@ static enum bp_result bios_parser_get_i2
 		break;
 	}
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -533,6 +534,7 @@ static struct atom_hpd_int_record *get_h
 {
 	struct atom_common_record_header *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -541,7 +543,7 @@ static struct atom_hpd_int_record *get_h
 
 	offset = object->disp_recordoffset + bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -610,6 +612,7 @@ static struct atom_hpd_int_record *get_h
 {
 	struct atom_common_record_header *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -619,7 +622,7 @@ static struct atom_hpd_int_record *get_h
 	offset = le16_to_cpu(object->disp_recordoffset)
 			+ bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -2188,6 +2191,7 @@ static struct atom_encoder_caps_record *
 {
 	struct atom_common_record_header *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2196,7 +2200,7 @@ static struct atom_encoder_caps_record *
 
 	offset = object->encoder_recordoffset + bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -2225,6 +2229,7 @@ static struct atom_disp_connector_caps_r
 {
 	struct atom_common_record_header *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2233,7 +2238,7 @@ static struct atom_disp_connector_caps_r
 
 	offset = object->disp_recordoffset + bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -2261,6 +2266,7 @@ static struct atom_connector_caps_record
 {
 	struct atom_common_record_header *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2269,7 +2275,7 @@ static struct atom_connector_caps_record
 
 	offset = object->disp_recordoffset + bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -2347,6 +2353,7 @@ static struct atom_connector_speed_recor
 {
 	struct atom_common_record_header *header;
 	uint32_t offset;
+	int i;
 
 	if (!object) {
 		BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2355,7 +2362,7 @@ static struct atom_connector_speed_recor
 
 	offset = object->disp_recordoffset + bp->object_info_tbl_offset;
 
-	for (;;) {
+	for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
 		header = GET_IMAGE(struct atom_common_record_header, offset);
 
 		if (!header)
@@ -3240,6 +3247,7 @@ static enum bp_result update_slot_layout
 {
 	unsigned int record_offset;
 	unsigned int j;
+	unsigned int n;
 	struct atom_display_object_path_v2 *object;
 	struct atom_bracket_layout_record *record;
 	struct atom_common_record_header *record_header;
@@ -3261,7 +3269,7 @@ static enum bp_result update_slot_layout
 		(object->disp_recordoffset) +
 		(unsigned int)(bp->object_info_tbl_offset);
 
-	for (;;) {
+	for (n = 0; n < BIOS_MAX_NUM_RECORD; n++) {
 
 		record_header = (struct atom_common_record_header *)
 			GET_IMAGE(struct atom_common_record_header,
@@ -3355,6 +3363,7 @@ static enum bp_result update_slot_layout
 	struct slot_layout_info *slot_layout_info)
 {
 	unsigned int record_offset;
+	unsigned int n;
 	struct atom_display_object_path_v3 *object;
 	struct atom_bracket_layout_record_v2 *record;
 	struct atom_common_record_header *record_header;
@@ -3377,7 +3386,7 @@ static enum bp_result update_slot_layout
 		(object->disp_recordoffset) +
 		(unsigned int)(bp->object_info_tbl_offset);
 
-	for (;;) {
+	for (n = 0; n < BIOS_MAX_NUM_RECORD; n++) {
 
 		record_header = (struct atom_common_record_header *)
 			GET_IMAGE(struct atom_common_record_header,
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h
@@ -37,4 +37,9 @@ void bios_set_scratch_critical_state(str
 
 #define GET_IMAGE(type, offset) ((type *) bios_get_image(&bp->base, offset, sizeof(type)))
 
+/* Upper bound on the number of records in a VBIOS record chain. Prevents
+ * unbounded looping if the VBIOS image is malformed and lacks a terminator.
+ */
+#define BIOS_MAX_NUM_RECORD 256
+
 #endif
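
Review bot: the comment on BIOS_MAX_NUM_RECORD should state that the cap limits the iteration count only. GET_IMAGE(type, offset), defined just above, passes sizeof(type) to bios_get_image(), so a loop that fetches the common record header and then casts it to a larger record type still needs its own size check on the record body. The changelog names that out-of-bounds read, but none of the hunks adds a check for it, so either say it is handled in a separate patch or add the check here.
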




* [PATCH 6.1 436/522] Bluetooth: Init sk_peer_* on bt_sock_alloc
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (434 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 435/522] mm/memory: fix spurious warning when unmapping device-private/exclusive pages Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 437/522] Bluetooth: serialize accept_q access Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 464c702fb9374ff8f3f816f24fb7ac719dd20e1e ]

This makes sure peer information is always available via sock when using
bt_sock_alloc.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: e83f5e24da74 ("Bluetooth: serialize accept_q access")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/af_bluetooth.c |   24 ++++++++++++++++++++++++
 net/bluetooth/hidp/sock.c    |   10 +---------
 net/bluetooth/l2cap_sock.c   |   19 -------------------
 3 files changed, 25 insertions(+), 28 deletions(-)

--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -157,6 +157,14 @@ struct sock *bt_sock_alloc(struct net *n
 	sk->sk_protocol = proto;
 	sk->sk_state    = BT_OPEN;
 
+	/* Init peer information so it can be properly monitored */
+	if (!kern) {
+		spin_lock(&sk->sk_peer_lock);
+		sk->sk_peer_pid  = get_pid(task_tgid(current));
+		sk->sk_peer_cred = get_current_cred();
+		spin_unlock(&sk->sk_peer_lock);
+	}
+
 	return sk;
 }
 EXPORT_SYMBOL(bt_sock_alloc);
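
Review bot: the if (!kern) block takes references with get_pid(task_tgid(current)) and get_current_cred(), and no matching put_pid() or put_cred() appears in this hunk. Name the release path in the comment, or confirm in the changelog that the generic socket destructor drops both, so the reference lifetime can be checked without reading outside this file. Every user-created Bluetooth socket now pins a cred as well, where the removed L2CAP helper stored only a pid and only for one channel mode; that widening deserves a sentence in the changelog.
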
@@ -201,6 +209,9 @@ EXPORT_SYMBOL(bt_sock_linked);
 
 void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
 {
+	const struct cred *old_cred;
+	struct pid *old_pid;
+
 	BT_DBG("parent %p, sk %p", parent, sk);
 
 	sock_hold(sk);
@@ -213,6 +224,19 @@ void bt_accept_enqueue(struct sock *pare
 	list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 	bt_sk(sk)->parent = parent;
 
+	/* Copy credentials from parent since for incoming connections the
+	 * socket is allocated by the kernel.
+	 */
+	spin_lock(&sk->sk_peer_lock);
+	old_pid = sk->sk_peer_pid;
+	old_cred = sk->sk_peer_cred;
+	sk->sk_peer_pid = get_pid(parent->sk_peer_pid);
+	sk->sk_peer_cred = get_cred(parent->sk_peer_cred);
+	spin_unlock(&sk->sk_peer_lock);
+
+	put_pid(old_pid);
+	put_cred(old_cred);
+
 	if (bh)
 		bh_unlock_sock(sk);
 	else
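
Review bot: parent->sk_peer_pid and parent->sk_peer_cred are read while holding only sk->sk_peer_lock, not parent->sk_peer_lock. If the parent's peer fields can be replaced concurrently, get_pid() and get_cred() may take a reference on an object that is being released. Either read the parent's fields under the parent's lock or add a comment explaining why they are stable at this point. A parent allocated with kern set has both fields unset, so the comment should also say that the child then inherits no peer information.
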
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -256,21 +256,13 @@ static int hidp_sock_create(struct net *
 	if (sock->type != SOCK_RAW)
 		return -ESOCKTNOSUPPORT;
 
-	sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hidp_proto, kern);
+	sk = bt_sock_alloc(net, sock, &hidp_proto, protocol, GFP_ATOMIC, kern);
 	if (!sk)
 		return -ENOMEM;
 
-	sock_init_data(sock, sk);
-
 	sock->ops = &hidp_sock_ops;
-
 	sock->state = SS_UNCONNECTED;
 
-	sock_reset_flag(sk, SOCK_ZAPPED);
-
-	sk->sk_protocol = protocol;
-	sk->sk_state	= BT_OPEN;
-
 	bt_sock_link(&hidp_sk_list, sk);
 
 	return 0;
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -178,21 +178,6 @@ done:
 	return err;
 }
 
-static void l2cap_sock_init_pid(struct sock *sk)
-{
-	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
-
-	/* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
-	 * group the channels being requested.
-	 */
-	if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
-		return;
-
-	spin_lock(&sk->sk_peer_lock);
-	sk->sk_peer_pid = get_pid(task_tgid(current));
-	spin_unlock(&sk->sk_peer_lock);
-}
-
 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
 			      int alen, int flags)
 {
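
Review bot: removing l2cap_sock_init_pid() changes when the pid is sampled. The removed helper recorded task_tgid(current) at connect() and listen() time, while the replacement in bt_sock_alloc() records it at socket creation. For a socket created by one process and connected by another, the stored pid now names the creator. The removed comment says the pid is used to group L2CAP_MODE_EXT_FLOWCTL channel requests, so the changelog should state that grouping by creator is intended.
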
@@ -268,8 +253,6 @@ static int l2cap_sock_connect(struct soc
 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
 
-	l2cap_sock_init_pid(sk);
-
 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
 				 &la.l2_bdaddr, la.l2_bdaddr_type);
 	if (err)
@@ -325,8 +308,6 @@ static int l2cap_sock_listen(struct sock
 		goto done;
 	}
 
-	l2cap_sock_init_pid(sk);
-
 	sk->sk_max_ack_backlog = backlog;
 	sk->sk_ack_backlog = 0;
 




* [PATCH 7.0 353/378] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (350 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 352/378] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 354/378] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit f0f3981c43b32cadfe373d636d9e9ca522bb3702 upstream.

[Why & How]
During HDCP 2.x repeater authentication over HDMI, the driver reads the
sink's RxStatus register and extracts a 10-bit message size field (max
value 1023). This value is used as the read length for the ReceiverID
list without being clamped to the size of the destination buffer
rx_id_list[177]. A malicious HDMI repeater could advertise a message
size larger than the buffer, causing an out-of-bounds write during the
I2C read.

Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the
rx_id_list buffer, matching the approach already used in the DP branch.

Fixes: eff682f83c9c ("drm/amd/display: Add DDC handles for HDCP2.2")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
@@ -529,7 +529,8 @@ enum mod_hdcp_status mod_hdcp_read_rx_id
 	} else {
 		status = read(hdcp, MOD_HDCP_MESSAGE_ID_READ_REPEATER_AUTH_SEND_RECEIVERID_LIST,
 				hdcp->auth.msg.hdcp2.rx_id_list,
-				hdcp->auth.msg.hdcp2.rx_id_list_size);
+				MIN(hdcp->auth.msg.hdcp2.rx_id_list_size,
+				    sizeof(hdcp->auth.msg.hdcp2.rx_id_list)));
 	}
 	return status;
 }
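
Review bot: the MIN() clamp is applied only to the length argument of read(). hdcp->auth.msg.hdcp2.rx_id_list_size keeps the sink-supplied value, so any later code that uses rx_id_list_size to walk or hash rx_id_list would still run past the buffer. Clamp the stored field where it is derived from RxStatus, or return an error status when the advertised size exceeds sizeof(hdcp->auth.msg.hdcp2.rx_id_list), instead of silently truncating the read.
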




* [PATCH 6.1 437/522] Bluetooth: serialize accept_q access
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (435 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 436/522] Bluetooth: Init sk_peer_* on bt_sock_alloc Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 438/522] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Jiexun Wang, Ren Wei, Luiz Augusto von Dentz,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

[ Upstream commit e83f5e24da741fa9405aeeff00b08c5ee7c37b88 ]

bt_sock_poll() walks the accept queue without synchronization, while
child teardown can unlink the same socket and drop its last reference.
The unsynchronized accept queue walk has existed since the initial
Bluetooth import.

Protect accept_q with a dedicated lock for queue updates and polling.
Also rework bt_accept_dequeue() to take temporary child references under
the queue lock before dropping it and locking the child socket.

Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Jann Horn <jannh@google.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/bluetooth/bluetooth.h |    1 
 net/bluetooth/af_bluetooth.c      |   87 ++++++++++++++++++++++++++++----------
 2 files changed, 66 insertions(+), 22 deletions(-)

--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -361,6 +361,7 @@ void baswap(bdaddr_t *dst, const bdaddr_
 struct bt_sock {
 	struct sock sk;
 	struct list_head accept_q;
+	spinlock_t accept_q_lock; /* protects accept_q */
 	struct sock *parent;
 	unsigned long flags;
 	void (*skb_msg_name)(struct sk_buff *, void *, int *);
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -151,6 +151,7 @@ struct sock *bt_sock_alloc(struct net *n
 
 	sock_init_data(sock, sk);
 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
+	spin_lock_init(&bt_sk(sk)->accept_q_lock);
 
 	sock_reset_flag(sk, SOCK_ZAPPED);
 
@@ -211,6 +212,7 @@ void bt_accept_enqueue(struct sock *pare
 {
 	const struct cred *old_cred;
 	struct pid *old_pid;
+	struct bt_sock *par = bt_sk(parent);
 
 	BT_DBG("parent %p, sk %p", parent, sk);
 
@@ -221,9 +223,13 @@ void bt_accept_enqueue(struct sock *pare
 	else
 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
 
-	list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 	bt_sk(sk)->parent = parent;
 
+	spin_lock_bh(&par->accept_q_lock);
+	list_add_tail(&bt_sk(sk)->accept_q, &par->accept_q);
+	sk_acceptq_added(parent);
+	spin_unlock_bh(&par->accept_q_lock);
+
 	/* Copy credentials from parent since for incoming connections the
 	 * socket is allocated by the kernel.
 	 */
@@ -241,8 +247,6 @@ void bt_accept_enqueue(struct sock *pare
 		bh_unlock_sock(sk);
 	else
 		release_sock(sk);
-
-	sk_acceptq_added(parent);
 }
 EXPORT_SYMBOL(bt_accept_enqueue);
 
@@ -251,45 +255,72 @@ EXPORT_SYMBOL(bt_accept_enqueue);
  */
 void bt_accept_unlink(struct sock *sk)
 {
+	struct sock *parent = bt_sk(sk)->parent;
+
 	BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+	spin_lock_bh(&bt_sk(parent)->accept_q_lock);
 	list_del_init(&bt_sk(sk)->accept_q);
-	sk_acceptq_removed(bt_sk(sk)->parent);
+	sk_acceptq_removed(parent);
+	spin_unlock_bh(&bt_sk(parent)->accept_q_lock);
 	bt_sk(sk)->parent = NULL;
 	sock_put(sk);
 }
 EXPORT_SYMBOL(bt_accept_unlink);
 
+static struct sock *bt_accept_get(struct sock *parent, struct sock *sk)
+{
+	struct bt_sock *bt = bt_sk(parent);
+	struct sock *next = NULL;
+
+	/* accept_q is modified from child teardown paths too, so take a
+	 * temporary reference before dropping the queue lock.
+	 */
+	spin_lock_bh(&bt->accept_q_lock);
+
+	if (sk) {
+		if (bt_sk(sk)->parent != parent)
+			goto out;
+
+		if (!list_is_last(&bt_sk(sk)->accept_q, &bt->accept_q)) {
+			next = &list_next_entry(bt_sk(sk), accept_q)->sk;
+			sock_hold(next);
+		}
+	} else if (!list_empty(&bt->accept_q)) {
+		next = &list_first_entry(&bt->accept_q,
+					 struct bt_sock, accept_q)->sk;
+		sock_hold(next);
+	}
+
+out:
+	spin_unlock_bh(&bt->accept_q_lock);
+	return next;
+}
+
 struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
 {
-	struct bt_sock *s, *n;
-	struct sock *sk;
+	struct sock *sk, *next;
 
 	BT_DBG("parent %p", parent);
 
 restart:
-	list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
-		sk = (struct sock *)s;
-
+	for (sk = bt_accept_get(parent, NULL); sk; sk = next) {
 		/* Prevent early freeing of sk due to unlink and sock_kill */
-		sock_hold(sk);
 		lock_sock(sk);
 
 		/* Check sk has not already been unlinked via
 		 * bt_accept_unlink() due to serialisation caused by sk locking
 		 */
-		if (!bt_sk(sk)->parent) {
+		if (bt_sk(sk)->parent != parent) {
 			BT_DBG("sk %p, already unlinked", sk);
 			release_sock(sk);
 			sock_put(sk);
 
-			/* Restart the loop as sk is no longer in the list
-			 * and also avoid a potential infinite loop because
-			 * list_for_each_entry_safe() is not thread safe.
-			 */
 			goto restart;
 		}
 
+		next = bt_accept_get(parent, sk);
+
 		/* sk is safely in the parent list so reduce reference count */
 		sock_put(sk);
 
@@ -317,6 +348,8 @@ restart:
 			sock_hold(sk);
 
 			release_sock(sk);
+			if (next)
+				sock_put(next);
 			return sk;
 		}
 
@@ -519,18 +552,28 @@ EXPORT_SYMBOL(bt_sock_stream_recvmsg);
 
 static inline __poll_t bt_accept_poll(struct sock *parent)
 {
-	struct bt_sock *s, *n;
+	struct bt_sock *bt = bt_sk(parent);
+	struct bt_sock *s;
 	struct sock *sk;
+	__poll_t mask = 0;
+
+	spin_lock_bh(&bt->accept_q_lock);
+	list_for_each_entry(s, &bt->accept_q, accept_q) {
+		int state;
 
-	list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
 		sk = (struct sock *)s;
-		if (sk->sk_state == BT_CONNECTED ||
-		    (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags) &&
-		     sk->sk_state == BT_CONNECT2))
-			return EPOLLIN | EPOLLRDNORM;
+		state = READ_ONCE(sk->sk_state);
+
+		if (state == BT_CONNECTED ||
+		    (test_bit(BT_SK_DEFER_SETUP, &bt->flags) &&
+		     state == BT_CONNECT2)) {
+			mask = EPOLLIN | EPOLLRDNORM;
+			break;
+		}
 	}
+	spin_unlock_bh(&bt->accept_q_lock);
 
-	return 0;
+	return mask;
 }
 
 __poll_t bt_sock_poll(struct file *file, struct socket *sock,
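
Review bot: state = READ_ONCE(sk->sk_state) marks the read as racing with writers, but no hunk in this patch annotates any store to sk_state. Say in a comment that the lockless read is intentional and that a stale value only delays the poll wakeup, or pair it with WRITE_ONCE() on the writers in a follow-up. bt_accept_poll() now holds accept_q_lock with bottom halves disabled for the whole list walk, so the changelog should note that the cost scales with the accept backlog.
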




* [PATCH 7.0 354/378] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (351 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 353/378] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 355/378] drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit fb0707ce00eef4e2d60c3020e1c0432739703e4a upstream.

[Why & How]
The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and
Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C
register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9]
and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated
before use, so a malformed VBIOS can specify values up to 255, causing an
out-of-bounds heap write during driver probe.

Clamp each register count to the destination array size using min_t()
before the copy loops, in both get_integrated_info_v11() and
get_integrated_info_v2_1().

Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |   48 ++++++++++++++-------
 1 file changed, 32 insertions(+), 16 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -2602,14 +2602,16 @@ static enum bp_result get_integrated_inf
 	info_v11->extdispconninfo.checksum;
 
 	info->dp0_ext_hdmi_slv_addr = info_v11->dp0_retimer_set.HdmiSlvAddr;
-	info->dp0_ext_hdmi_reg_num = info_v11->dp0_retimer_set.HdmiRegNum;
+	info->dp0_ext_hdmi_reg_num = min_t(u8, info_v11->dp0_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp0_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_reg_num; i++) {
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp0_ext_hdmi_6g_reg_num = info_v11->dp0_retimer_set.Hdmi6GRegNum;
+	info->dp0_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp0_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp0_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_6g_reg_num; i++) {
 		info->dp0_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
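
Review bot: min_t(u8, ..., ARRAY_SIZE(...)) casts the array size to u8 before comparing, which is correct only while every destination array has fewer than 256 entries. Compare in a wider type and assign the result, or add a BUILD_BUG_ON on the array sizes, so that growing an array later cannot wrap the bound. The clamp is also silent: a VBIOS whose HdmiRegNum or Hdmi6GRegNum exceeds the array size is accepted with a truncated register list, and a one-time warning would make that visible. The same two-line clamp is repeated for each dpN block in both functions, so a small helper that takes the retimer set and the destination would keep the bound next to the copy loop.
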
@@ -2618,14 +2620,16 @@ static enum bp_result get_integrated_inf
 	}
 
 	info->dp1_ext_hdmi_slv_addr = info_v11->dp1_retimer_set.HdmiSlvAddr;
-	info->dp1_ext_hdmi_reg_num = info_v11->dp1_retimer_set.HdmiRegNum;
+	info->dp1_ext_hdmi_reg_num = min_t(u8, info_v11->dp1_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp1_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_reg_num; i++) {
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp1_ext_hdmi_6g_reg_num = info_v11->dp1_retimer_set.Hdmi6GRegNum;
+	info->dp1_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp1_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp1_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_6g_reg_num; i++) {
 		info->dp1_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2634,14 +2638,16 @@ static enum bp_result get_integrated_inf
 	}
 
 	info->dp2_ext_hdmi_slv_addr = info_v11->dp2_retimer_set.HdmiSlvAddr;
-	info->dp2_ext_hdmi_reg_num = info_v11->dp2_retimer_set.HdmiRegNum;
+	info->dp2_ext_hdmi_reg_num = min_t(u8, info_v11->dp2_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp2_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_reg_num; i++) {
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp2_ext_hdmi_6g_reg_num = info_v11->dp2_retimer_set.Hdmi6GRegNum;
+	info->dp2_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp2_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp2_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_6g_reg_num; i++) {
 		info->dp2_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2650,14 +2656,16 @@ static enum bp_result get_integrated_inf
 	}
 
 	info->dp3_ext_hdmi_slv_addr = info_v11->dp3_retimer_set.HdmiSlvAddr;
-	info->dp3_ext_hdmi_reg_num = info_v11->dp3_retimer_set.HdmiRegNum;
+	info->dp3_ext_hdmi_reg_num = min_t(u8, info_v11->dp3_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp3_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_reg_num; i++) {
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v11->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v11->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp3_ext_hdmi_6g_reg_num = info_v11->dp3_retimer_set.Hdmi6GRegNum;
+	info->dp3_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp3_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp3_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_6g_reg_num; i++) {
 		info->dp3_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v11->dp3_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2807,14 +2815,16 @@ static enum bp_result get_integrated_inf
 	info->ext_disp_conn_info.checksum =
 		info_v2_1->extdispconninfo.checksum;
 	info->dp0_ext_hdmi_slv_addr = info_v2_1->dp0_retimer_set.HdmiSlvAddr;
-	info->dp0_ext_hdmi_reg_num = info_v2_1->dp0_retimer_set.HdmiRegNum;
+	info->dp0_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp0_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp0_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_reg_num; i++) {
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp0_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp0_ext_hdmi_6g_reg_num = info_v2_1->dp0_retimer_set.Hdmi6GRegNum;
+	info->dp0_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp0_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp0_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp0_ext_hdmi_6g_reg_num; i++) {
 		info->dp0_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2822,14 +2832,16 @@ static enum bp_result get_integrated_inf
 				info_v2_1->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
 	}
 	info->dp1_ext_hdmi_slv_addr = info_v2_1->dp1_retimer_set.HdmiSlvAddr;
-	info->dp1_ext_hdmi_reg_num = info_v2_1->dp1_retimer_set.HdmiRegNum;
+	info->dp1_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp1_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp1_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_reg_num; i++) {
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp1_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp1_ext_hdmi_6g_reg_num = info_v2_1->dp1_retimer_set.Hdmi6GRegNum;
+	info->dp1_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp1_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp1_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp1_ext_hdmi_6g_reg_num; i++) {
 		info->dp1_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2837,14 +2849,16 @@ static enum bp_result get_integrated_inf
 				info_v2_1->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
 	}
 	info->dp2_ext_hdmi_slv_addr = info_v2_1->dp2_retimer_set.HdmiSlvAddr;
-	info->dp2_ext_hdmi_reg_num = info_v2_1->dp2_retimer_set.HdmiRegNum;
+	info->dp2_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp2_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp2_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_reg_num; i++) {
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp2_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp2_ext_hdmi_6g_reg_num = info_v2_1->dp2_retimer_set.Hdmi6GRegNum;
+	info->dp2_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp2_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp2_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp2_ext_hdmi_6g_reg_num; i++) {
 		info->dp2_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2852,14 +2866,16 @@ static enum bp_result get_integrated_inf
 				info_v2_1->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
 	}
 	info->dp3_ext_hdmi_slv_addr = info_v2_1->dp3_retimer_set.HdmiSlvAddr;
-	info->dp3_ext_hdmi_reg_num = info_v2_1->dp3_retimer_set.HdmiRegNum;
+	info->dp3_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp3_retimer_set.HdmiRegNum,
+					    ARRAY_SIZE(info->dp3_ext_hdmi_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_reg_num; i++) {
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
 		info->dp3_ext_hdmi_reg_settings[i].i2c_reg_val =
 				info_v2_1->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
 	}
-	info->dp3_ext_hdmi_6g_reg_num = info_v2_1->dp3_retimer_set.Hdmi6GRegNum;
+	info->dp3_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp3_retimer_set.Hdmi6GRegNum,
+					       ARRAY_SIZE(info->dp3_ext_hdmi_6g_reg_settings));
 	for (i = 0; i < info->dp3_ext_hdmi_6g_reg_num; i++) {
 		info->dp3_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
 				info_v2_1->dp3_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
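Review bot: The clamp in each of these assignments silently discards a
VBIOS count that exceeds the array, and the same two-line
min_t()/ARRAY_SIZE() pattern is repeated for every dpN retimer set in
both the info_v11 and info_v2_1 paths. A small helper taking the source
retimer set and the destination array would remove the copy-paste risk
(a mismatched dpN index between the two arguments would still compile),
and a one-time warning when the firmware value is out of range would
make a malformed table visible instead of quietly truncated.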




* [PATCH 6.1 438/522] net: hsr: defer node table free until after RCU readers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (436 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 437/522] Bluetooth: serialize accept_q access Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 439/522] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jakub Kicinski,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit aaec7096f9961eb223b5b149abe9495525c205d9 ]

HSR node-list and node-status generic-netlink operations run under
rcu_read_lock(). They walk hsr->node_db through hsr_get_next_node() and
hsr_get_node_data(), but RTM_DELLINK teardown removes the same node table
with plain list_del() and frees each node immediately.

That lets a generic-netlink reader hold a struct hsr_node pointer across
hsr_dellink(). In a KASAN build, widening the reader window after
hsr_get_next_node() obtains the node reproduces a slab-use-after-free
when the reader copies node->macaddress_A; the freeing stack is
hsr_del_nodes() from hsr_dellink().

Use list_del_rcu() and defer the free through the existing
hsr_free_node_rcu() callback. This matches the lifetime rule used by the
HSR prune paths, which already delete nodes with list_del_rcu() and
call_rcu().

Fixes: b9a1e627405d ("hsr: implement dellink to clean up resources")
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260513233838.3064715-2-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `list_del`+`call_rcu(hsr_free_node_rcu)` with `list_del_rcu`+`kfree_rcu(node, rcu_head)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/hsr/hsr_framereg.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -121,8 +121,10 @@ void hsr_del_nodes(struct list_head *nod
 	struct hsr_node *node;
 	struct hsr_node *tmp;
 
-	list_for_each_entry_safe(node, tmp, node_db, mac_list)
-		kfree(node);
+	list_for_each_entry_safe(node, tmp, node_db, mac_list) {
+		list_del_rcu(&node->mac_list);
+		kfree_rcu(node, rcu_head);
+	}
 }
 
 void prp_handle_san_frame(bool san, enum hsr_port_type port,
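Review bot: The removed lines in hsr_del_nodes() only call kfree(node),
with no list_del() at all, so the commit message's "plain list_del()"
and the backport note's "replaced list_del+call_rcu(hsr_free_node_rcu)"
describe the upstream context rather than this tree. Please state in
the backport note why kfree_rcu(node, rcu_head) is sufficient here,
i.e. that struct hsr_node in 6.1 owns nothing beyond the allocation
itself that a dedicated RCU callback would need to release.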




* [PATCH 7.0 355/378] drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (352 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 354/378] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 356/378] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Leorize, Alex Hung, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leorize <leorize+oss@disroot.org>

commit 6590fe323ce2807f5d9454e7fccf3fab875d4352 upstream.

DCE-based hardware does not have the CSC matrices for BT.2020, which
causes the driver to fall back to the GPU built-in matrices. This does
not appear to cause any issues for RGB sinks, but causes major color
artifacts for YCbCr ones (e.g. black becomes green).

This commit adds the missing CSC matrices (taken from DC common) to DCE
CSC tables, resolving the issue.

Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/3358
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/5333
Assisted-by: oh-my-pi:GPT-5.5
Signed-off-by: Leorize <leorize+oss@disroot.org>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 51e6668ab4baf55b082c376318d51ef965757196)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dce/dce_transform.c       |   10 +++++++++-
 drivers/gpu/drm/amd/display/dc/dce110/dce110_opp_csc_v.c |   10 +++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
@@ -110,7 +110,15 @@ static const struct out_csc_color_matrix
 { COLOR_SPACE_YCBCR601_LIMITED, { 0xE00, 0xF447, 0xFDB9, 0x1000, 0x991,
 	0x12C9, 0x3A6, 0x200, 0xFB47, 0xF6B9, 0xE00, 0x1000} },
 { COLOR_SPACE_YCBCR709_LIMITED, { 0xE00, 0xF349, 0xFEB7, 0x1000, 0x6CE, 0x16E3,
-	0x24F, 0x200, 0xFCCB, 0xF535, 0xE00, 0x1000} }
+	0x24F, 0x200, 0xFCCB, 0xF535, 0xE00, 0x1000} },
+{ COLOR_SPACE_2020_RGB_FULLRANGE,
+	{ 0x2000, 0, 0, 0, 0, 0x2000, 0, 0, 0, 0, 0x2000, 0} },
+{ COLOR_SPACE_2020_RGB_LIMITEDRANGE,
+	{ 0x1B67, 0, 0, 0x201, 0, 0x1B67, 0, 0x201, 0, 0, 0x1B67, 0x201} },
+{ COLOR_SPACE_2020_YCBCR_LIMITED, { 0x1000, 0xF149, 0xFEB7, 0x1004, 0x0868,
+	0x15B2, 0x01E6, 0x201, 0xFB88, 0xF478, 0x1000, 0x1004} },
+{ COLOR_SPACE_2020_YCBCR_FULL, { 0x1000, 0xF149, 0xFEB7, 0x1004, 0x0868, 0x15B2,
+	0x01E6, 0x201, 0xFB88, 0xF478, 0x1000, 0x1004} }
 };
 
 static bool setup_scaling_configuration(
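Review bot: The new COLOR_SPACE_2020_YCBCR_LIMITED and
COLOR_SPACE_2020_YCBCR_FULL entries carry identical coefficients
(0x1000, 0xF149, 0xFEB7, 0x1004, ...), whereas the RGB pair added just
above differs between full and limited range (0x2000 versus 0x1B67 with
a 0x201 offset). If that is intentional because the values mirror the
DC common table, a short comment above the two entries saying so would
stop the next reader from treating it as a copy-paste slip.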
--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_opp_csc_v.c
+++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_opp_csc_v.c
@@ -88,7 +88,15 @@ static const struct out_csc_color_matrix
 { COLOR_SPACE_YCBCR601_LIMITED, { 0xE00, 0xF447, 0xFDB9, 0x1000, 0x991,
 	0x12C9, 0x3A6, 0x200, 0xFB47, 0xF6B9, 0xE00, 0x1000} },
 { COLOR_SPACE_YCBCR709_LIMITED, { 0xE00, 0xF349, 0xFEB7, 0x1000, 0x6CE, 0x16E3,
-	0x24F, 0x200, 0xFCCB, 0xF535, 0xE00, 0x1000} }
+	0x24F, 0x200, 0xFCCB, 0xF535, 0xE00, 0x1000} },
+{ COLOR_SPACE_2020_RGB_FULLRANGE,
+	{ 0x2000, 0, 0, 0, 0, 0x2000, 0, 0, 0, 0, 0x2000, 0} },
+{ COLOR_SPACE_2020_RGB_LIMITEDRANGE,
+	{ 0x1B67, 0, 0, 0x201, 0, 0x1B67, 0, 0x201, 0, 0, 0x1B67, 0x201} },
+{ COLOR_SPACE_2020_YCBCR_LIMITED, { 0x1000, 0xF149, 0xFEB7, 0x1004, 0x0868,
+	0x15B2, 0x01E6, 0x201, 0xFB88, 0xF478, 0x1000, 0x1004} },
+{ COLOR_SPACE_2020_YCBCR_FULL, { 0x1000, 0xF149, 0xFEB7, 0x1004, 0x0868, 0x15B2,
+	0x01E6, 0x201, 0xFB88, 0xF478, 0x1000, 0x1004} }
 };
 
 enum csc_color_mode {
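Review bot: These four entries repeat, value for value, the ones added
to dce_transform.c earlier in the same patch, so any later correction
has to be made in two places. Consider a shared macro or a single table
that both files reference, or at least a comment in each file pointing
at the other copy.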




* [PATCH 6.1 439/522] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (437 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 438/522] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 440/522] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Iurman <justin.iurman@gmail.com>

[ Upstream commit d4ea0dfd75011b78cebf3808f98ac4c4f51a6fb9 ]

Reported by Sashiko:

The function ipv6_hop_ioam() accesses
__in6_dev_get(skb->dev)->cnf.ioam6_enabled without validating the returned
idev pointer. Because addrconf_ifdown() can concurrently clear dev->ip6_ptr
via RCU, __in6_dev_get() can return NULL during interface teardown, which
could cause a NULL pointer dereference when processing an IOAM Hop-by-Hop
option.

Let's add a check and use SKB_DROP_REASON_IPV6DISABLED accordingly.

Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260517183059.29140-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ dropped READ_ONCE() wrapper from idev->cnf.ioam6_enabled ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -952,16 +952,27 @@ static bool ipv6_hop_ra(struct sk_buff *
 
 static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff)
 {
+	enum skb_drop_reason drop_reason;
 	struct ioam6_trace_hdr *trace;
 	struct ioam6_namespace *ns;
+	struct inet6_dev *idev;
 	struct ioam6_hdr *hdr;
 
+	drop_reason = SKB_DROP_REASON_IP_INHDR;
+
 	/* Bad alignment (must be 4n-aligned) */
 	if (optoff & 3)
 		goto drop;
 
+	/* Does the device still have IPv6 configuration? */
+	idev = __in6_dev_get(skb->dev);
+	if (!idev) {
+		drop_reason = SKB_DROP_REASON_IPV6DISABLED;
+		goto drop;
+	}
+
 	/* Ignore if IOAM is not enabled on ingress */
-	if (!__in6_dev_get(skb->dev)->cnf.ioam6_enabled)
+	if (!idev->cnf.ioam6_enabled)
 		goto ignore;
 
 	/* Truncated Option header */
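Review bot: idev is checked for NULL once and then dereferenced for
cnf.ioam6_enabled, which is only safe if the caller holds the RCU read
lock for the whole of ipv6_hop_ioam(); nothing in the hunk shows or
documents that. Extend the new "Does the device still have IPv6
configuration?" comment to state the locking assumption. The bracketed
backport note also says the READ_ONCE() wrapper on
idev->cnf.ioam6_enabled was dropped but not why; a one-line reason
would help reviewers of the 6.1 tree.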
@@ -1011,7 +1022,7 @@ ignore:
 	return true;
 
 drop:
-	kfree_skb_reason(skb, SKB_DROP_REASON_IP_INHDR);
+	kfree_skb_reason(skb, drop_reason);
 	return false;
 }
 




* [PATCH 7.0 356/378] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (353 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 355/378] drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 357/378] drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval() Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit adf67034b1f61f7119295208085bfd43f85f56af upstream.

[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always
passes 36 bytes to copy_from_user(), reading past the user buffer when
size < 36.

Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))

Fixes: c7ba3653e977 ("drm/amd/display: Generic SDP message access in amdgpu")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -1344,8 +1344,13 @@ static ssize_t dp_sdp_message_debugfs_wr
 	if (size == 0)
 		return 0;
 
+	if (!connector->base.state || !connector->base.state->crtc)
+		return -ENODEV;
+
 	acrtc_state = to_dm_crtc_state(connector->base.state->crtc->state);
 
+	write_size = min_t(size_t, size, sizeof(data));
+
 	r = copy_from_user(data, buf, write_size);
 
 	write_size -= r;
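Review bot: With write_size now clamped to min(size, sizeof(data)), a
write shorter than sizeof(data) fills only part of data, and the hunk
does not show data being zeroed first; if it is an uninitialised stack
array, whatever consumes it afterwards sees stale bytes in the tail.
Please confirm data is zero-initialised or clear it before
copy_from_user(). The new NULL check also covers state and state->crtc
but not crtc->state, which to_dm_crtc_state() receives on the next
line.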




* [PATCH 6.1 440/522] ice: fix VF queue configuration with low MTU values
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (438 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 439/522] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 441/522] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jose Ignacio Tornos Martinez,
	Jacob Keller, Michal Swiatkowski, Paul Menzel, Rafal Romanowski,
	Tony Nguyen, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>

[ Upstream commit 3ba4dd024d26372733d1c02e13e076c6016e3320 ]

The ice driver's VF queue configuration validation rejects
databuffer_size values below 1024 bytes, which prevents VFs from
using MTU values below 871 bytes.

The iavf driver calculates databuffer_size based on the MTU using:
  databuffer_size = ALIGN(MTU + LIBETH_RX_LL_LEN, 128)

where LIBETH_RX_LL_LEN = 26 (ETH_HLEN + 2*VLAN_HLEN + ETH_FCS_LEN).

For MTU values below 871:
  MTU 870: 870 + 26 = 896, aligned to 128 = 896 (< 1024, rejected)
  MTU 871: 871 + 26 = 897, aligned to 128 = 1024 (>= 1024, accepted)

The 1024-byte minimum seems unnecessarily restrictive, because the hardware
supports databuffer_size as low as 128 bytes (the alignment boundary),
which should allow MTU values down to the standard minimum of 68 bytes.

I haven't found the reason why the limit was configured in the commit
9c7dd7566d18 ("ice: add validation in OP_CONFIG_VSI_QUEUES VF message"), so
with no more information and since it is working, change the minimum
databuffer_size validation from 1024 to 128 bytes to allow standard low
MTU values while still preventing invalid configurations.

Fixes: 9c7dd7566d18 ("ice: add validation in OP_CONFIG_VSI_QUEUES VF message")
cc: stable@vger.kernel.org
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-3-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied the change to ice_virtchnl.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/intel/ice/ice_virtchnl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
@@ -1648,7 +1648,7 @@ static int ice_vc_cfg_qs_msg(struct ice_
 
 			if (qpi->rxq.databuffer_size != 0 &&
 			    (qpi->rxq.databuffer_size > ((16 * 1024) - 128) ||
-			     qpi->rxq.databuffer_size < 1024))
+			     qpi->rxq.databuffer_size < 128))
 				goto error_param;
 			vsi->rx_buf_len = qpi->rxq.databuffer_size;
 			vsi->rx_rings[i]->rx_buf_len = vsi->rx_buf_len;
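Review bot: The condition now accepts any databuffer_size from 128 up
to (16 * 1024) - 128 but still does not check that the value is a
multiple of 128, even though the commit message describes 128 as the
alignment boundary. Since this value arrives in a VF message, consider
rejecting unaligned sizes here, and replace the bare 128 and
(16 * 1024) - 128 with named constants so the floor and ceiling are
documented where they are enforced.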




* [PATCH 7.0 357/378] drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (354 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 356/378] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 358/378] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit e8b4d37eba05141ee01794fc6b7f2da808cee83b upstream.

[Why & How]
The aux_rd_interval array in struct dc_lttpr_caps is declared with
MAX_REPEATER_CNT - 1 (7) elements, indexed 0..6. However, the offset
parameter passed to dp_get_eq_aux_rd_interval() can be as large as
MAX_REPEATER_CNT (8) when a sink reports 8 LTTPR repeaters via DPCD.
This leads to an out-of-bounds read of aux_rd_interval[7] when offset
is 8.

Fix this by growing aux_rd_interval to MAX_REPEATER_CNT elements to
accommodate the full range of valid repeater counts defined by the DP
spec.

Assisted-by: GitHub Copilot:Claude claude-4-opus
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a55a458a8df37a65ffda5cf721d554a8f74f6b04)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dc_dp_types.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
@@ -1217,7 +1217,7 @@ struct dc_lttpr_caps {
 	union dp_main_link_channel_coding_lttpr_cap main_link_channel_coding;
 	union dp_128b_132b_supported_lttpr_link_rates supported_128b_132b_rates;
 	union dp_alpm_lttpr_cap alpm;
-	uint8_t aux_rd_interval[MAX_REPEATER_CNT - 1];
+	uint8_t aux_rd_interval[MAX_REPEATER_CNT];
 	uint8_t lttpr_ieee_oui[3]; // Always read from closest LTTPR to host
 	uint8_t lttpr_device_id[6]; // Always read from closest LTTPR to host
 };
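Review bot: Growing aux_rd_interval[] to MAX_REPEATER_CNT fixes the
case described in the commit message, but the index still derives from
a repeater count reported by the sink over DPCD and this hunk adds no
bounds check at the point of use. A check in
dp_get_eq_aux_rd_interval() that the derived index is below
ARRAY_SIZE(aux_rd_interval) would keep the read in bounds independently
of how the array is sized.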




* [PATCH 6.1 441/522] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (439 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 440/522] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 442/522] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Xiasong, Matthieu Baerts (NGI0),
	Paolo Abeni, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Xiasong <lixiasong1@huawei.com>

[ Upstream commit 51e398a3b8961b26a8c0a4ba9a777c5339791707 ]

When TCP option space is insufficient (e.g., when sending ADD_ADDR with an
IPv6 address and port while tcp_timestamps is enabled), the original code
jumped to out_unlock without clearing the addr_signal flag. This caused
mptcp_pm_add_timer to keep rescheduling indefinitely, not sending ADD_ADDR,
preventing subsequent addresses in the endpoint list from being announced.

Handle this case by clearing the ADD_ADDR signal and skipping the matching
ADD_ADDR retransmission entry. The skip path cancels the matching timer
(with id check) and advances PM state progression, preserving forward
progress to subsequent PM work.

This cancellation is inherently best-effort. A concurrent add_timer
callback may already be running and may acquire pm.lock before the
cancel path updates entry state. In that case, one final ADD_ADDR
transmit attempt can still be executed.

Once the cancel path sets entry->retrans_times to ADD_ADDR_RETRANS_MAX,
the callback-side retrans_times check suppresses further ADD_ADDR
retransmissions.

Note that when an ADD_ADDR is being prepared, a pure-ACK is queued. On
the output side, it means that it is fine to skip non-pure-ACK packets,
when drop_other_suboptions is set: a pure-ACK will be processed soon
after.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-2-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c         |   34 +++++++++++++++++++++++++++-------
 net/mptcp/pm_netlink.c |   16 +++++++++++++---
 2 files changed, 40 insertions(+), 10 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -340,6 +340,7 @@ bool mptcp_pm_add_addr_signal(struct mpt
 			      struct mptcp_addr_info *addr, bool *echo,
 			      bool *drop_other_suboptions)
 {
+	bool skip_add_addr = false;
 	int ret = false;
 	u8 add_addr;
 	u8 family;
@@ -361,24 +362,43 @@ bool mptcp_pm_add_addr_signal(struct mpt
 	}
 
 	*echo = mptcp_pm_should_add_signal_echo(msk);
-	port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port);
-
-	family = *echo ? msk->pm.remote.family : msk->pm.local.family;
-	if (remaining < mptcp_add_addr_len(family, *echo, port))
-		goto out_unlock;
-
 	if (*echo) {
 		*addr = msk->pm.remote;
 		add_addr = msk->pm.addr_signal & ~BIT(MPTCP_ADD_ADDR_ECHO);
+		port = !!msk->pm.remote.port;
+		family = msk->pm.remote.family;
 	} else {
 		*addr = msk->pm.local;
 		add_addr = msk->pm.addr_signal & ~BIT(MPTCP_ADD_ADDR_SIGNAL);
+		port = !!msk->pm.local.port;
+		family = msk->pm.local.family;
 	}
-	WRITE_ONCE(msk->pm.addr_signal, add_addr);
+
+	if (remaining < mptcp_add_addr_len(family, *echo, port)) {
+		if (!*drop_other_suboptions)
+			goto out_unlock;
+
+		if (!*echo)
+			skip_add_addr = true;
+		goto drop_signal_mark;
+	}
+
 	ret = true;
 
+drop_signal_mark:
+	WRITE_ONCE(msk->pm.addr_signal, add_addr);
+
 out_unlock:
 	spin_unlock_bh(&msk->pm.lock);
+
+	/* On pure-ACK option-space exhaustion, stop retrying this ADD_ADDR:
+	 * clear the signal bit, cancel the matching retransmission timer, and
+	 * let the PM state machine progress.
+	 */
+	if (skip_add_addr) {
+		mptcp_pm_del_add_timer(msk, addr, true);
+		mptcp_pm_subflow_established(msk);
+	}
 	return ret;
 }
 
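Review bot: In the new option-space branch, when *drop_other_suboptions
is set and *echo is true, control reaches drop_signal_mark with
skip_add_addr still false, so the echo bit is cleared and the function
returns false with no timer or PM follow-up. The comment before the
skip_add_addr block only explains the non-echo case; please document
that dropping the echo is intended. mptcp_pm_del_add_timer() and
mptcp_pm_subflow_established() also run after spin_unlock_bh(), so a
short note that they act on a decision taken under pm.lock but applied
outside it would match the "best-effort" wording of the commit message.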
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -333,7 +333,13 @@ static void mptcp_pm_add_timer(struct ti
 
 	spin_lock_bh(&msk->pm.lock);
 
-	if (!mptcp_pm_should_add_signal_addr(msk)) {
+	/* The cancel path (mptcp_pm_del_add_timer()) can race with this
+	 * callback. Once cancel updates retrans_times to MAX, suppress further
+	 * retransmissions here. If this callback acquires pm.lock first, one
+	 * final transmit attempt is still possible.
+	 */
+	if (entry->retrans_times < ADD_ADDR_RETRANS_MAX &&
+	    !mptcp_pm_should_add_signal_addr(msk)) {
 		pr_debug("retransmit ADD_ADDR id=%d\n", entry->addr.id);
 		mptcp_pm_announce_addr(msk, &entry->addr, false);
 		mptcp_pm_add_addr_send_ack(msk);
@@ -377,8 +383,12 @@ mptcp_pm_del_add_timer(struct mptcp_sock
 	/* Note: entry might have been removed by another thread.
 	 * We hold rcu_read_lock() to ensure it is not freed under us.
 	 */
-	if (stop_timer)
-		sk_stop_timer_sync(sk, &entry->add_timer);
+	if (stop_timer) {
+		if (check_id)
+			sk_stop_timer(sk, &entry->add_timer);
+		else
+			sk_stop_timer_sync(sk, &entry->add_timer);
+	}
 
 	rcu_read_unlock();
 	return entry;
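Review bot: check_id now also selects sk_stop_timer() over
sk_stop_timer_sync(), which ties the choice of a non-synchronous cancel
to a parameter whose name says nothing about it. Add a comment at the
if (check_id) branch explaining why the sync variant cannot be used on
that path, or pass the choice explicitly, so a future caller that sets
check_id for another reason does not lose the synchronous stop without
noticing.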




* [PATCH 7.0 358/378] drm/amd/display: Use krealloc_array() in dal_vector_reserve()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (355 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 357/378] drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 359/378] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
	Daniel Wheeler, Alex Deucher

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Wentland <harry.wentland@amd.com>

commit da48bc4461b8a5ebfb9264c9b191a701d8e99009 upstream.

[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.

Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.

Fixes: 2004f45ef83f ("drm/amd/display: Use kernel alloc/free")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/basics/vector.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/basics/vector.c
+++ b/drivers/gpu/drm/amd/display/dc/basics/vector.c
@@ -288,8 +288,8 @@ bool dal_vector_reserve(struct vector *v
 	if (capacity <= vector->capacity)
 		return true;
 
-	new_container = krealloc(vector->container,
-				 capacity * vector->struct_size, GFP_KERNEL);
+	new_container = krealloc_array(vector->container,
+				       capacity, vector->struct_size, GFP_KERNEL);
 
 	if (new_container) {
 		vector->container = new_container;
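Review bot: the `if (new_container)` test at the end of this hunk is now also the only place an overflowing `capacity * vector->struct_size` is caught, and the failure side of that branch lies outside the visible context. krealloc_array() leaves the original allocation untouched when it returns NULL, so the failure path should return false without modifying vector->container or vector->capacity; please confirm that. A one-line comment above the call saying the helper rejects a wrapping product would keep someone from folding it back into krealloc() later.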




* [PATCH 6.1 442/522] selftests: mptcp: drop nanoseconds width specifier
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (440 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 441/522] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 443/522] octeontx2-af: replace deprecated strncpy with strscpy Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), Paolo Abeni,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 01ff78e4b3d98689184c52d97f9575dfbdc3b10f ]

Using the format specifier +%s%3N with GNU date is honoured, and only
prints 3 digits of the nanoseconds portion of the seconds since epoch,
which corresponds to the milliseconds.

The uutils implementation of date currently does not honour this, and
always prints all 9 digits. This is a known issue [1], but can be worked
around by adapting this test to use nanoseconds instead of microseconds,
and then divide it by 1e6.

This fix is similar to what has been done on systemd side [2], and it is
needed to run the selftests on Ubuntu 26.04, containing uutils 0.8.0.

Note that the Fixes tag is there even if this patch doesn't fix an issue
in the kernel selftests, but it is useful for those using uutils 0.8.0.

Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Cc: stable@vger.kernel.org
Link: https://github.com/uutils/coreutils/issues/11658 [1]
Link: https://github.com/systemd/systemd/pull/41627 [2]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-6-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
@@ -450,7 +450,7 @@ do_transfer()
 	wait_local_port_listen "${listener_ns}" "${port}"
 
 	local start
-	start=$(date +%s%3N)
+	start=$(date +%s%N)
 	timeout ${timeout_test} \
 		ip netns exec ${connector_ns} \
 			./mptcp_connect -t ${timeout_poll} -p $port -s ${cl_proto} \
@@ -463,7 +463,7 @@ do_transfer()
 	local rets=$?
 
 	local stop
-	stop=$(date +%s%3N)
+	stop=$(date +%s%N)
 
 	if $capture; then
 		sleep 1
@@ -479,7 +479,7 @@ do_transfer()
 	fi
 
 	local duration
-	duration=$((stop-start))
+	duration=$(((stop-start) / 1000000))
 	printf "(duration %05sms) " "${duration}"
 	if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then
 		echo "[ FAIL ] client exit code $retc, server $rets" 1>&2
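Review bot: in `duration=$(((stop-start) / 1000000))` the operands are now 19-digit nanosecond values, so the subtraction depends on the shell doing 64-bit arithmetic, and the unit conversion is not stated anywhere in the script. The changelog's "nanoseconds instead of microseconds" also does not match the removed `%3N`, which the same changelog describes as milliseconds. A short "ns to ms" comment next to the division would make the unit explicit for the `printf "(duration %05sms) "` that follows.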




* [PATCH 7.0 359/378] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (356 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 358/378] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 360/378] driver core: faux: fix root device registration Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeff Layton, Mingyu Wang,
	Christian Brauner (Amutable)

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingyu Wang <25181214217@stu.xidian.edu.cn>

commit 00633c4683828acd5256fa8d5163f440d74bbe71 upstream.

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
   fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
   read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.

Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
  &dev->event_lock --> &f_owner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                           local_irq_disable();
                           lock(&dev->event_lock);
                           lock(&f_owner->lock);
  <Interrupt>
    lock(&dev->event_lock);

*** DEADLOCK ***

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Link: https://patch.msgid.link/20260523135210.590928-1-w15303746062@163.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fcntl.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -929,11 +929,11 @@ void send_sigio(struct fown_struct *fown
 			send_sigio_to_task(p, fown, fd, band, type);
 		rcu_read_unlock();
 	} else {
-		read_lock(&tasklist_lock);
+		rcu_read_lock();
 		do_each_pid_task(pid, type, p) {
 			send_sigio_to_task(p, fown, fd, band, type);
 		} while_each_pid_task(pid, type, p);
-		read_unlock(&tasklist_lock);
+		rcu_read_unlock();
 	}
  out_unlock_fown:
 	read_unlock_irqrestore(&fown->lock, flags);
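Review bot: the `do_each_pid_task()` walk in the else branch of send_sigio() is now covered only by rcu_read_lock(), so it no longer excludes fork() and exit() the way read_lock(&tasklist_lock) did, and a task entering or leaving the process group during the walk can be missed. The changelog argues the traversal is RCU-safe, but nothing in the code says so. A comment above the new `rcu_read_lock();` stating that tasklist_lock must not be taken here because of the softirq callers would keep it from being reintroduced.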
@@ -975,11 +975,11 @@ int send_sigurg(struct file *file)
 			send_sigurg_to_task(p, fown, type);
 		rcu_read_unlock();
 	} else {
-		read_lock(&tasklist_lock);
+		rcu_read_lock();
 		do_each_pid_task(pid, type, p) {
 			send_sigurg_to_task(p, fown, type);
 		} while_each_pid_task(pid, type, p);
-		read_unlock(&tasklist_lock);
+		rcu_read_unlock();
 	}
  out_unlock_fown:
 	read_unlock_irqrestore(&fown->lock, flags);
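Review bot: after this change both arms of the if/else in send_sigurg() open and close their own RCU read-side section (`rcu_read_unlock();` ends the first arm, `rcu_read_lock();` starts the else arm), and the same pattern is left in send_sigio(). A single rcu_read_lock()/rcu_read_unlock() pair hoisted around the whole if/else would remove the duplication and stop the two paths drifting apart again. For a stable backport the minimal form is fine; this is a suggestion for a follow-up.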




* [PATCH 6.1 443/522] octeontx2-af: replace deprecated strncpy with strscpy
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (441 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 442/522] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 444/522] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Stitt, Kees Cook,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Stitt <justinstitt@google.com>

[ Upstream commit 473f8f2d1bfe1103f20140fdc80cad406b4d68c0 ]

`strncpy` is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.

We can see that linfo->lmac_type is expected to be NUL-terminated based
on the `... - 1`'s present in the current code. Presumably making room
for a NUL-byte at the end of the buffer.

Considering the above, a suitable replacement is `strscpy` [2] due to
the fact that it guarantees NUL-termination on the destination buffer
without unnecessarily NUL-padding.

Let's also prefer the more idiomatic strscpy usage of (dest, src,
sizeof(dest)) rather than (dest, src, SOME_LEN).

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20231010-strncpy-drivers-net-ethernet-marvell-octeontx2-af-cgx-c-v1-1-a443e18f9de8@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: c0bf0a4f3f1f ("octeontx2-af: CGX: add bounds check to cgx_speed_mbps index")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/cgx.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
@@ -1228,8 +1228,6 @@ static inline void link_status_user_form
 					   struct cgx_link_user_info *linfo,
 					   struct cgx *cgx, u8 lmac_id)
 {
-	const char *lmac_string;
-
 	linfo->link_up = FIELD_GET(RESP_LINKSTAT_UP, lstat);
 	linfo->full_duplex = FIELD_GET(RESP_LINKSTAT_FDUPLEX, lstat);
 	linfo->speed = cgx_speed_mbps[FIELD_GET(RESP_LINKSTAT_SPEED, lstat)];
@@ -1240,12 +1238,12 @@ static inline void link_status_user_form
 	if (linfo->lmac_type_id >= LMAC_MODE_MAX) {
 		dev_err(&cgx->pdev->dev, "Unknown lmac_type_id %d reported by firmware on cgx port%d:%d",
 			linfo->lmac_type_id, cgx->cgx_id, lmac_id);
-		strncpy(linfo->lmac_type, "Unknown", LMACTYPE_STR_LEN - 1);
+		strscpy(linfo->lmac_type, "Unknown", sizeof(linfo->lmac_type));
 		return;
 	}
 
-	lmac_string = cgx_lmactype_string[linfo->lmac_type_id];
-	strncpy(linfo->lmac_type, lmac_string, LMACTYPE_STR_LEN - 1);
+	strscpy(linfo->lmac_type, cgx_lmactype_string[linfo->lmac_type_id],
+		sizeof(linfo->lmac_type));
 }
 
 /* Hardware event handlers */
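Review bot: both strscpy() calls change the bound from `LMACTYPE_STR_LEN - 1` to `sizeof(linfo->lmac_type)`, which is only correct if lmac_type is a char array member and not a pointer, and the declaration of struct cgx_link_user_info is not part of this patch. Please confirm the field is an array sized by LMACTYPE_STR_LEN in the 6.1 tree. The strscpy() return value is ignored in both places, so a source string longer than the field would be truncated silently.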




* [PATCH 7.0 360/378] driver core: faux: fix root device registration
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (357 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 359/378] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 361/378] driver core: reject devices with unregistered buses Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Danilo Krummrich

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 580a795105dae2ef1622df72a27a8fb0605e2f6b upstream.

A recent change made the faux bus root device be allocated dynamically
but failed to provide a release function to free the memory when the
last reference is dropped (on theoretical failure to register the device
or bus).

Fix this by using root_device_register() instead of open coding.

Also add the missing sanity check when registering faux devices to avoid
use-after-free if the bus failed to register (which would previously
have triggered a bunch of use-after-free warnings).

Fixes: 61b76d07d2b4 ("driver core: faux: stop using static struct device")
Cc: stable@vger.kernel.org	# 7.0
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260424153127.2647405-2-johan@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/faux.c |   22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

--- a/drivers/base/faux.c
+++ b/drivers/base/faux.c
@@ -133,6 +133,9 @@ struct faux_device *faux_device_create_w
 	struct device *dev;
 	int ret;
 
+	if (!faux_bus_root)
+		return NULL;
+
 	faux_obj = kzalloc_obj(*faux_obj);
 	if (!faux_obj)
 		return NULL;
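Review bot: the new `if (!faux_bus_root) return NULL;` fails silently and returns the same NULL as the `kzalloc_obj()` failure directly below it, so a caller cannot tell "faux bus never registered" from out-of-memory. A pr_err() on this path, or at least a comment naming the bus-registration failure case from the changelog, would make the condition diagnosable.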
@@ -232,19 +235,12 @@ EXPORT_SYMBOL_GPL(faux_device_destroy);
 
 int __init faux_bus_init(void)
 {
+	struct device *root;
 	int ret;
 
-	faux_bus_root = kzalloc_obj(*faux_bus_root);
-	if (!faux_bus_root)
-		return -ENOMEM;
-
-	dev_set_name(faux_bus_root, "faux");
-
-	ret = device_register(faux_bus_root);
-	if (ret) {
-		put_device(faux_bus_root);
-		return ret;
-	}
+	root = root_device_register("faux");
+	if (IS_ERR(root))
+		return PTR_ERR(root);
 
 	ret = bus_register(&faux_bus_type);
 	if (ret)
@@ -254,12 +250,14 @@ int __init faux_bus_init(void)
 	if (ret)
 		goto error_driver;
 
+	faux_bus_root = root;
+
 	return ret;
 
 error_driver:
 	bus_unregister(&faux_bus_type);
 
 error_bus:
-	device_unregister(faux_bus_root);
+	root_device_unregister(root);
 	return ret;
 }
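Review bot: `faux_bus_root = root;` is assigned only on the success path, and the NULL check added in the first hunk relies on the global staying NULL when `error_bus:` runs `root_device_unregister(root)`. That coupling is not stated in the code; a comment at the assignment would make it explicit. The `return ret;` right after the assignment can only return 0 at that point, so `return 0;` would read more clearly.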




* [PATCH 6.1 444/522] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (442 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 443/522] octeontx2-af: replace deprecated strncpy with strscpy Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 445/522] mptcp: reset rcv wnd on disconnect Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sunil Goutham, Linu Cherian,
	Geetha sowjanya, hariprasad, Subbaraya Sundeep, Andrew Lunn,
	stable, Sam Daly, Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Daly <sam@samdaly.ie>

[ Upstream commit c0bf0a4f3f1f5f57aa83e1400ba4f56f0abfd542 ]

cgx_speed_mbps has 13 elements but RESP_LINKSTAT_SPEED can yield values
0-15. If it returns a value >= 13, this causes an out-of-bounds array
access. Add a bounds check and default to speed 0 if the index is out of
range.

Fixes: 61071a871ea6 ("octeontx2-af: Forward CGX link notifications to PFs")
Cc: Sunil Goutham <sgoutham@marvell.com>
Cc: Linu Cherian <lcherian@marvell.com>
Cc: Geetha sowjanya <gakula@marvell.com>
Cc: hariprasad <hkelam@marvell.com>
Cc: Subbaraya Sundeep <sbhatta@marvell.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: stable <stable@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051352-refined-demise-e88d@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/cgx.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
@@ -1228,13 +1228,18 @@ static inline void link_status_user_form
 					   struct cgx_link_user_info *linfo,
 					   struct cgx *cgx, u8 lmac_id)
 {
+	unsigned int speed;
+
 	linfo->link_up = FIELD_GET(RESP_LINKSTAT_UP, lstat);
 	linfo->full_duplex = FIELD_GET(RESP_LINKSTAT_FDUPLEX, lstat);
-	linfo->speed = cgx_speed_mbps[FIELD_GET(RESP_LINKSTAT_SPEED, lstat)];
 	linfo->an = FIELD_GET(RESP_LINKSTAT_AN, lstat);
 	linfo->fec = FIELD_GET(RESP_LINKSTAT_FEC, lstat);
 	linfo->lmac_type_id = cgx_get_lmac_type(cgx, lmac_id);
 
+	speed = FIELD_GET(RESP_LINKSTAT_SPEED, lstat);
+	linfo->speed = speed < ARRAY_SIZE(cgx_speed_mbps) ?
+		       cgx_speed_mbps[speed] : 0;
+
 	if (linfo->lmac_type_id >= LMAC_MODE_MAX) {
 		dev_err(&cgx->pdev->dev, "Unknown lmac_type_id %d reported by firmware on cgx port%d:%d",
 			linfo->lmac_type_id, cgx->cgx_id, lmac_id);
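Review bot: an out-of-range RESP_LINKSTAT_SPEED index is mapped to `linfo->speed = 0` with no message, while the out-of-range `lmac_type_id` case a few lines below logs a dev_err() that names the value reported by firmware. Consider logging the bad speed index the same way (rate-limited if link events can repeat), so a malformed firmware response is visible instead of being reported as a 0 Mbps link.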




* [PATCH 7.0 361/378] driver core: reject devices with unregistered buses
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (358 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 360/378] driver core: faux: fix root device registration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 362/378] RDMA: During rereg_mr ensure that REREG_ACCESS is compatible Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Danilo Krummrich

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 36f35b8df6972167102a1c3d4361e0afb6a84534 upstream.

Trying to register a device on a bus which has not yet been registered
used to trigger a NULL-pointer dereference, but since the const bus
structure rework registration instead succeeds without the device being
added to the bus.

This specifically means that the device will never bind to a driver and
that the bus sysfs attributes are not created (i.e. as if the device had
no bus).

Reject devices with unregistered buses to catch any callers that get
the ordering wrong and to handle bus registration failures more
gracefully.

Fixes: 5221b82d46f2 ("driver core: bus: bus_add/probe/remove_device() cleanups")
Cc: stable@vger.kernel.org	# 6.3
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260430091718.230228-1-johan@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/bus.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -544,10 +544,10 @@ static const struct attribute_group driv
  */
 int bus_add_device(struct device *dev)
 {
-	struct subsys_private *sp = bus_to_subsys(dev->bus);
+	struct subsys_private *sp;
 	int error;
 
-	if (!sp) {
+	if (!dev->bus) {
 		/*
 		 * This is a normal operation for many devices that do not
 		 * have a bus assigned to them, just say that all went
@@ -556,6 +556,13 @@ int bus_add_device(struct device *dev)
 		return 0;
 	}
 
+	sp = bus_to_subsys(dev->bus);
+	if (!sp) {
+		pr_err("%s: cannot add device '%s' to unregistered bus '%s'\n",
+		       __func__, dev_name(dev), dev->bus->name);
+		return -EINVAL;
+	}
+
 	/*
 	 * Reference in sp is now incremented and will be dropped when
 	 * the device is removed from the bus
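Review bot: bus_add_device() now returns -EINVAL for a device whose bus has no subsys_private, where the removed `if (!sp)` branch returned 0, but the comment block that ends just above the function is not touched by this patch. Please document the new error return there so callers know that a set but unregistered `dev->bus` is now a hard failure, distinct from the `!dev->bus` case that still returns 0.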




* [PATCH 6.1 445/522] mptcp: reset rcv wnd on disconnect
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (443 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 444/522] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 446/522] mptcp: do not drop partial packets Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0981f90e1a05773a4c29c6e720f5ea1e3c8f1876 ]

If the MPTCP socket falls back to TCP before the MP handshake completion,
the IASN remains 0, and the rcv_wnd_sent field is not explicitly
initialized, just incremented over time with the data transfer.

At disconnect time such value is not cleared. If the next connection falls
back to TCP before the MP handshake completion, the data transfer will
keep incrementing the receive window end sequence starting from the last
value used in the previous connection: the announced window will be
unrelated to the actual receiver buffer size and likely too big.

Address the issue by zeroing the field at disconnect time.

Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-4-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3298,6 +3298,7 @@ static int mptcp_disconnect(struct sock
 	mptcp_pm_data_reset(msk);
 	mptcp_ca_reset(sk);
 	msk->fastclosing = 0;
+	atomic64_set(&msk->rcv_wnd_sent, 0);
 
 	WRITE_ONCE(sk->sk_shutdown, 0);
 	sk_error_report(sk);
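Review bot: the added `atomic64_set(&msk->rcv_wnd_sent, 0);` carries no comment, and the reason for it is only in the changelog: a connection that falls back to TCP never initializes the field, so a stale value from the previous connection keeps being incremented. A one-line comment at this reset would keep it from looking redundant next to the other resets in mptcp_disconnect().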




* [PATCH 7.0 362/378] RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (359 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 361/378] driver core: reject devices with unregistered buses Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 363/378] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Philip Tsukerman, Jason Gunthorpe

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit badad6fad60def1b9805559dd81dbab3d97b82aa upstream.

If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be
re-evaluated to ensure it is properly pinned as RW. Since the umem is
hidden inside each driver's mr struct, add an ib_umem_check_rereg() function
that each driver has to call before processing IB_MR_REREG_ACCESS.

mlx4 has to retain its duplicate ib_access_writable check because it
implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items
in place sequentially while the MR is live, so it will continue to not
support this combination.

Cc: stable@vger.kernel.org
Fixes: b40656aa7d55 ("RDMA/umem: remove FOLL_FORCE usage")
Link: https://patch.msgid.link/r/0-v1-06fb1a2d6cf5+107-rereg_access_jgg@nvidia.com
Reported-by: Philip Tsukerman <philiptsukerman@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/umem.c          |   16 ++++++++++++++++
 drivers/infiniband/hw/hns/hns_roce_mr.c |    4 ++++
 drivers/infiniband/hw/irdma/verbs.c     |    4 ++++
 drivers/infiniband/hw/mlx4/mr.c         |    4 ++++
 drivers/infiniband/hw/mlx5/mr.c         |    4 ++++
 drivers/infiniband/sw/rxe/rxe_verbs.c   |    5 +++++
 include/rdma/ib_umem.h                  |    8 ++++++++
 7 files changed, 45 insertions(+)

--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -332,3 +332,19 @@ int ib_umem_copy_from(void *dst, struct
 		return 0;
 }
 EXPORT_SYMBOL(ib_umem_copy_from);
+
+/*
+ * Called during rereg mr if the driver is able to re-use a umem for
+ * IB_MR_REREG_ACCESS.
+ */
+int ib_umem_check_rereg(struct ib_umem *umem, int flags, int new_access_flags)
+{
+	if (!umem)
+		return 0;
+
+	if ((flags & IB_MR_REREG_ACCESS) && !(flags & IB_MR_REREG_TRANS))
+		if (ib_access_writable(new_access_flags) && !umem->writable)
+			return -EACCES;
+	return 0;
+}
+EXPORT_SYMBOL(ib_umem_check_rereg);
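Review bot: ib_umem_check_rereg() skips the writable check whenever IB_MR_REREG_TRANS is set, but the comment above it neither says so nor lists the return values. Since this is an exported helper that every driver is expected to call, the comment should state that -EACCES is returned when a reused, non-writable umem is asked for writable access, and why the TRANS case is exempt. The outer `if` also wraps a nested `if` without braces; adding braces on the outer one avoids a dangling-else trap in later edits.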
--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
+++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
@@ -300,6 +300,10 @@ struct ib_mr *hns_roce_rereg_user_mr(str
 		goto err_out;
 	}
 
+	ret = ib_umem_check_rereg(mr->pbl_mtr.umem, flags, mr_access_flags);
+	if (ret)
+		goto err_out;
+
 	mailbox = hns_roce_alloc_cmd_mailbox(hr_dev);
 	ret = PTR_ERR_OR_ZERO(mailbox);
 	if (ret)
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -3759,6 +3759,10 @@ static struct ib_mr *irdma_rereg_user_mr
 	if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
 		return ERR_PTR(-EOPNOTSUPP);
 
+	ret = ib_umem_check_rereg(iwmr->region, flags, new_access);
+	if (ret)
+		return ERR_PTR(ret);
+
 	ret = irdma_hwdereg_mr(ib_mr);
 	if (ret)
 		return ERR_PTR(ret);
--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -208,6 +208,10 @@ struct ib_mr *mlx4_ib_rereg_user_mr(stru
 	struct mlx4_mpt_entry **pmpt_entry = &mpt_entry;
 	int err;
 
+	err = ib_umem_check_rereg(mmr->umem, flags, mr_access_flags);
+	if (err)
+		return ERR_PTR(err);
+
 	/* Since we synchronize this call and mlx4_ib_dereg_mr via uverbs,
 	 * we assume that the calls can't run concurrently. Otherwise, a
 	 * race exists.
--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -1895,6 +1895,10 @@ struct ib_mr *mlx5_ib_rereg_user_mr(stru
 	if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
 		return ERR_PTR(-EOPNOTSUPP);
 
+	err = ib_umem_check_rereg(mr->umem, flags, new_access_flags);
+	if (err)
+		return ERR_PTR(err);
+
 	if (!(flags & IB_MR_REREG_ACCESS))
 		new_access_flags = mr->access_flags;
 	if (!(flags & IB_MR_REREG_PD))
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -1332,6 +1332,7 @@ static struct ib_mr *rxe_rereg_user_mr(s
 	struct rxe_mr *mr = to_rmr(ibmr);
 	struct rxe_pd *old_pd = to_rpd(ibmr->pd);
 	struct rxe_pd *pd = to_rpd(ibpd);
+	int err;
 
 	/* for now only support the two easy cases:
 	 * rereg_pd and rereg_access
@@ -1341,6 +1342,10 @@ static struct ib_mr *rxe_rereg_user_mr(s
 		return ERR_PTR(-EOPNOTSUPP);
 	}
 
+	err = ib_umem_check_rereg(mr->umem, flags, access);
+	if (err)
+		return ERR_PTR(err);
+
 	if (flags & IB_MR_REREG_PD) {
 		rxe_put(old_pd);
 		rxe_get(pd);
--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -179,6 +179,8 @@ void ib_umem_dmabuf_unmap_pages(struct i
 void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf);
 void ib_umem_dmabuf_revoke(struct ib_umem_dmabuf *umem_dmabuf);
 
+int ib_umem_check_rereg(struct ib_umem *umem, int flags, int new_access_flags);
+
 #else /* CONFIG_INFINIBAND_USER_MEM */
 
 #include <linux/err.h>
@@ -239,5 +241,11 @@ static inline void ib_umem_dmabuf_unmap_
 static inline void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf) { }
 static inline void ib_umem_dmabuf_revoke(struct ib_umem_dmabuf *umem_dmabuf) {}
 
+static inline int ib_umem_check_rereg(struct ib_umem *umem, int flags,
+				      int new_access_flags)
+{
+	return -EOPNOTSUPP;
+}
+
 #endif /* CONFIG_INFINIBAND_USER_MEM */
 #endif /* IB_UMEM_H */
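Review bot: the !CONFIG_INFINIBAND_USER_MEM stub returns -EOPNOTSUPP unconditionally, while the real ib_umem_check_rereg() returns 0 for a NULL umem and for flags without IB_MR_REREG_ACCESS. The driver call sites added in this patch call the helper before inspecting flags, so in that configuration every rereg would fail, including one that only changes the PD. If that is intended, say so in a comment on the stub; otherwise the stub should return 0 when umem is NULL, matching the real function.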




* [PATCH 6.1 446/522] mptcp: do not drop partial packets
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (444 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 445/522] mptcp: reset rcv wnd on disconnect Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 447/522] platform/x86/intel/vsec: Add private data for per-device data Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shardul Bankar, Paolo Abeni,
	Matthieu Baerts (NGI0), Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

[ Upstream commit 50c2d91c5dfa0e465826ec1f8dbad9cdc254bd85 ]

When a packet arrives with map_seq < ack_seq < end_seq, the beginning
of the packet has already been acknowledged but the end contains new
data. Currently the entire packet is dropped as "old data," forcing
the sender to retransmit.

Instead, skip the already-acked bytes by adjusting the skb offset and
enqueue only the new portion. Update bytes_received and ack_seq to
reflect the new data consumed.

A previous attempt at this fix has been sent by Paolo Abeni [1], but had
issues [2]: it also added a zero-window check and changed rcv_wnd_sent
initialization, which caused test regressions. This version addresses
only the partial packet handling without modifying receive window
accounting.

Fixes: ab174ad8ef76 ("mptcp: move ooo skbs into msk out of order queue.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/c9b426a4e163aa3c4fe8b80c79f1a610f47ae7d8.1763075056.git.pabeni@redhat.com [1]
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/600 [2]
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
[pabeni@redhat.com: update map]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-1-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ changed `skb_set_owner_r()` to `mptcp_set_owner_r()` and dropped the absent `msk->bytes_received` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |   21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -400,10 +400,25 @@ static bool __mptcp_move_skb(struct mptc
 		return false;
 	}
 
-	/* old data, keep it simple and drop the whole pkt, sender
-	 * will retransmit as needed, if needed.
+	/* Completely old data? */
+	if (!after64(MPTCP_SKB_CB(skb)->end_seq, msk->ack_seq)) {
+		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
+		mptcp_drop(sk, skb);
+		return false;
+	}
+
+	/* Partial packet: map_seq < ack_seq < end_seq.
+	 * Skip the already-acked bytes and enqueue the new data.
 	 */
-	MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
+	copy_len = MPTCP_SKB_CB(skb)->end_seq - msk->ack_seq;
+	MPTCP_SKB_CB(skb)->offset += msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq;
+	MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq -
+				      MPTCP_SKB_CB(skb)->map_seq;
+	WRITE_ONCE(msk->ack_seq, msk->ack_seq + copy_len);
+
+	mptcp_set_owner_r(skb, sk);
+	__skb_queue_tail(&sk->sk_receive_queue, skb);
+	return true;
 drop:
 	mptcp_drop(sk, skb);
 	return false;
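
Review bot: the partial-packet branch is order-dependent: `offset` is advanced by `msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq`, and only afterwards is `map_seq` rewritten using the same expression. Swapping the two statements would silently turn the offset adjustment into zero. Computing the delta once into a local and then assigning `map_seq = msk->ack_seq` would make that dependency explicit. This path also increments no MIB counter, so packets that overlap already-acked data are no longer visible in statistics; if that is intended, the comment should say so.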



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 363/378] netfilter: nft_fib: fix stale stack leak via the OIFNAME register
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (360 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 362/378] RDMA: During rereg_mr ensure that REREG_ACCESS is compatible Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 364/378] sched_ext: Dont warn on NULL cgrp_moving_from in scx_cgroup_move_task() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal, Davide Ornaghi,
	Pablo Neira Ayuso, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Ornaghi <d.ornaghi97@gmail.com>

[ Upstream commit ab185e0c4fb82dfba6fb86f8271e06f931d9c64c ]

For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.

The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.

Fix both:

 - replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
   which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
   used on the other early-return path), and

 - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
   destination as a single u8, so the marked span matches the one byte
   the eval writes.

Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Suggested-by: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ kept the tree's older `ip6_route_lookup()`/`rt6_info` IPv6 context and changed only `*dest = 0;` to `nft_fib_store_result(dest, priv, NULL);` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/netfilter/nft_fib_ipv4.c |    2 +-
 net/ipv6/netfilter/nft_fib_ipv6.c |    2 +-
 net/netfilter/nft_fib.c           |    6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -128,7 +128,7 @@ void nft_fib4_eval(const struct nft_expr
 		fl4.saddr = get_saddr(iph->daddr);
 	}
 
-	*dest = 0;
+	nft_fib_store_result(dest, priv, NULL);
 
 	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
 		return;
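
Review bot: the new call passes NULL as the device argument, so it is only correct if nft_fib_store_result() accepts a NULL device for every result type `priv` can carry, and the helper's body is not part of this diff. A one-line comment here stating that the call clears the whole declared destination span before the lookup would stop a later cleanup from turning it back into a single-register store.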
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -192,7 +192,7 @@ void nft_fib6_eval(const struct nft_expr
 
 	lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
 
-	*dest = 0;
+	nft_fib_store_result(dest, priv, NULL);
 	rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
 				      lookup_flags);
 	if (rt->dst.error)
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -107,6 +107,12 @@ int nft_fib_init(const struct nft_ctx *c
 		return -EINVAL;
 	}
 
+	if (priv->flags & NFTA_FIB_F_PRESENT) {
+		if (priv->result != NFT_FIB_RESULT_OIF)
+			return -EINVAL;
+		len = sizeof(u8);
+	}
+
 	err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
 				       NULL, NFT_DATA_VALUE, len);
 	if (err < 0)
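
Review bot: the new `return -EINVAL` for NFTA_FIB_F_PRESENT combined with any result other than NFT_FIB_RESULT_OIF rejects a combination that nft_fib_init() accepted before, and the hunk has no comment explaining why. A short comment above the block saying that the flag is only meaningful for OIF, and that `len` is narrowed to `sizeof(u8)` so the declared register span matches what eval writes, would document both the userspace-visible rejection and the reason `len` is overridden here.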



^ permalink raw reply	[flat|nested] 906+ messages in thread
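
The commit message above describes a declared register span that is wider than what the eval path writes. The following user-space model is an added example, not code from the patch or from the kernel: `toy_regs`, the poison byte and all function names are assumptions made for illustration. It counts how many bytes of the declared span a later load would copy out without the expression ever having written them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ  16   /* same value as the kernel constant */
#define POISON    0xA5 /* constructed stand-in for leftover stack bytes */
#define TOY_NREGS 20   /* size of the toy register file (assumption) */

/* Toy register file; a model, not the kernel's struct nft_regs. */
struct toy_regs {
	uint32_t data[TOY_NREGS];
};

/* A register file on a reused stack frame starts out holding old bytes. */
static void toy_regs_poison(struct toy_regs *regs)
{
	memset(regs->data, POISON, sizeof(regs->data));
}

/* Pre-fix shape: only the first 32-bit register of the span is written. */
static void store_bare_zero(uint32_t *dest)
{
	*dest = 0;
}

/* Post-fix shape: copy the name, if any, and zero-pad the whole span. */
static void store_name_padded(uint32_t *dest, const char *name)
{
	unsigned char *out = (unsigned char *)dest;
	size_t n = 0;

	if (name) {
		n = strlen(name);
		if (n > IFNAMSIZ - 1)
			n = IFNAMSIZ - 1;
		memcpy(out, name, n);
	}
	memset(out + n, 0, IFNAMSIZ - n);
}

/* Existence-check shape as the commit message describes it: one byte. */
static void store_present_byte(uint32_t *dest, uint8_t present)
{
	*(unsigned char *)dest = present;
}

/* Bytes a later load of the declared span would copy out unwritten. */
static size_t stale_bytes(const uint32_t *dest, size_t declared_len)
{
	const unsigned char *p = (const unsigned char *)dest;
	size_t i, stale = 0;

	for (i = 0; i < declared_len; i++)
		if (p[i] == POISON)
			stale++;
	return stale;
}

/* Span declared as IFNAMSIZ, eval writes one register. */
size_t stale_after_bare_zero(void)
{
	struct toy_regs regs;

	toy_regs_poison(&regs);
	store_bare_zero(&regs.data[4]);
	return stale_bytes(&regs.data[4], IFNAMSIZ);
}

/* Span declared as IFNAMSIZ, eval pads the whole span (name may be NULL). */
size_t stale_after_padded_store(const char *name)
{
	struct toy_regs regs;

	toy_regs_poison(&regs);
	store_name_padded(&regs.data[4], name);
	return stale_bytes(&regs.data[4], IFNAMSIZ);
}

/* One-byte existence result against a span declared as declared_len. */
size_t stale_after_present_store(size_t declared_len)
{
	struct toy_regs regs;

	toy_regs_poison(&regs);
	store_present_byte(&regs.data[4], 1);
	return stale_bytes(&regs.data[4], declared_len);
}

int main(void)
{
	printf("bare zero, span 16:     %zu stale\n", stale_after_bare_zero());
	printf("padded store, span 16:  %zu stale\n", stale_after_padded_store(NULL));
	printf("present byte, span 16:  %zu stale\n", stale_after_present_store(IFNAMSIZ));
	printf("present byte, span 1:   %zu stale\n", stale_after_present_store(1));
	return 0;
}
```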

* [PATCH 6.1 447/522] platform/x86/intel/vsec: Add private data for per-device data
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (445 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 446/522] mptcp: do not drop partial packets Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 448/522] platform/x86/intel/vsec: Create wrapper to walk PCI config space Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David E. Box, Ilpo Järvinen,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David E. Box" <david.e.box@linux.intel.com>

[ Upstream commit dc957ab6aa05c118c3da0542428a4d6602aa2d2d ]

Introduce a new private structure, struct vsec_priv, to hold a pointer to
the platform-specific information. Although the driver didn’t previously
require this per-device data, adding it now lays the groundwork for
upcoming patches that will manage such data. No functional changes.

Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Link: https://lore.kernel.org/r/20250703022832.1302928-3-david.e.box@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 348ccc754d89 ("platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -73,6 +73,10 @@ static enum intel_vsec_id intel_vsec_all
 	VSEC_ID_SDSI,
 };
 
+struct vsec_priv {
+	struct intel_vsec_platform_info *info;
+};
+
 static const char *intel_vsec_name(enum intel_vsec_id id)
 {
 	switch (id) {
@@ -375,6 +379,7 @@ static bool intel_vsec_walk_vsec(struct
 static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 {
 	struct intel_vsec_platform_info *info;
+	struct vsec_priv *priv;
 	bool have_devices = false;
 	int ret;
 
@@ -387,6 +392,13 @@ static int intel_vsec_pci_probe(struct p
 	if (!info)
 		return -EINVAL;
 
+	priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+	if (!priv)
+		return -ENOMEM;
+
+	priv->info = info;
+	pci_set_drvdata(pdev, priv);
+
 	if (intel_vsec_walk_dvsec(pdev, info))
 		have_devices = true;
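
Review bot: the devm_kzalloc() and pci_set_drvdata() added in this hunk run on every call to intel_vsec_pci_probe(), not only on the first bind. The commit message of 450/522 in this series states that the driver re-enters this function after PCIe error recovery and that this allocation is then leaked on each Uncorrectable Error, so this patch should only go in together with that follow-up.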
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 364/378] sched_ext: Dont warn on NULL cgrp_moving_from in scx_cgroup_move_task()
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (361 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 363/378] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 365/378] wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matt Fleming, Tejun Heo,
	Andrea Righi, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

[ Upstream commit 02e545c4297a26dbbc41df81b831e7f605bcd306 ]

A WARN fires when systemd's user manager writes "+cpu +memory +pids" to
its own subtree_control while a sched_ext scheduler is loaded:

  WARNING: at kernel/sched/ext.c:3227 scx_cgroup_move_task+0xa8/0xb0
   scx_cgroup_move_task+0xa8/0xb0
   sched_move_task+0x134/0x290
   cpu_cgroup_attach+0x39/0x70
   cgroup_migrate_execute+0x37d/0x450
   cgroup_update_dfl_csses+0x1e3/0x270
   cgroup_subtree_control_write+0x3e7/0x440

scx_cgroup_can_attach() arms cgrp_moving_from only when a task's cpu
cgroup changes. It can still be NULL when scx_cgroup_move_task() runs,
through this sequence:

  Step                               Result
  ---------------------------------  ----------------------------------
  1. cpu enabled on cgroup G         cpu css = A
  2. cpu toggled off then on for G   A killed, B created (same cgroup)
  3. an exiting task keeps A alive   migration skips it, A now stale
  4. +memory migrates G              stale A vs current B pulls cpu in
  5. cpu attach runs for all tasks   hits a live, cpu-unchanged task
  6. scx_cgroup_move_task() on it    cgrp_moving_from NULL -> WARN

The mismatch is that scx_cgroup_can_attach() keys on cgroup identity
while migration drives the move on css identity, so a NULL cgrp_moving_from
here is a legitimate css-only migration, not a missing prep.

The call is already gated on cgrp_moving_from, so just drop the warning.
ops.cgroup_prep_move() and ops.cgroup_move() stay paired.

Fixes: 819513666966 ("sched_ext: Add cgroup support")
Cc: stable@vger.kernel.org # v6.12+
Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/all/20260601124156.2205704-1-mfleming@cloudflare.com/
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/ext.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -3402,11 +3402,13 @@ void scx_cgroup_move_task(struct task_st
 		return;
 
 	/*
-	 * @p must have ops.cgroup_prep_move() called on it and thus
-	 * cgrp_moving_from set.
+	 * scx_cgroup_can_attach() sets cgrp_moving_from only when the task's
+	 * cgroup changes. Migration keys off css rather than cgroup identity,
+	 * so it can hand an unchanged-cgroup task here with cgrp_moving_from
+	 * NULL. Nothing to report to the BPF scheduler then, so skip it and
+	 * keep prep_move and move paired.
 	 */
-	if (SCX_HAS_OP(sch, cgroup_move) &&
-	    !WARN_ON_ONCE(!p->scx.cgrp_moving_from))
+	if (SCX_HAS_OP(sch, cgroup_move) && p->scx.cgrp_moving_from)
 		SCX_CALL_OP_TASK(sch, SCX_KF_REST, cgroup_move, task_rq(p),
 				 p, p->scx.cgrp_moving_from,
 				 tg_cgrp(task_group(p)));
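
Review bot: with WARN_ON_ONCE() removed, a NULL `p->scx.cgrp_moving_from` is now accepted silently in every case, so a genuinely missing ops.cgroup_prep_move() can no longer be told apart from the css-only migration the new comment describes. If there is a cheap way to recognise the css-only case, keeping a warning for the remaining case would preserve the diagnostic; otherwise the comment should state that the check is intentionally unconditional.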



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 448/522] platform/x86/intel/vsec: Create wrapper to walk PCI config space
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (446 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 447/522] platform/x86/intel/vsec: Add private data for per-device data Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 449/522] platform/x86/intel/vsec: Make driver_data info const Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David E. Box, Ilpo Järvinen,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David E. Box" <david.e.box@linux.intel.com>

[ Upstream commit b0631f8a5740c55b52d02174cc4c9c84cc7a16a1 ]

Combine three PCI config space walkers — intel_vsec_walk_dvsec(),
intel_vsec_walk_vsec(), and intel_vsec_walk_header() — into a new wrapper
function, intel_vsec_feature_walk().  This refactoring simplifies the probe
logic and lays the groundwork for future patches that will loop over these
calls. No functional changes.

Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Link: https://lore.kernel.org/r/20250703022832.1302928-4-david.e.box@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 348ccc754d89 ("platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   38 ++++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -376,11 +376,35 @@ static bool intel_vsec_walk_vsec(struct
 	return have_devices;
 }
 
+static bool intel_vsec_get_features(struct pci_dev *pdev,
+				    struct intel_vsec_platform_info *info)
+{
+	bool found = false;
+
+	/*
+	 * Both DVSEC and VSEC capabilities can exist on the same device,
+	 * so both intel_vsec_walk_dvsec() and intel_vsec_walk_vsec() must be
+	 * called independently. Additionally, intel_vsec_walk_header() is
+	 * needed for devices that do not have VSEC/DVSEC but provide the
+	 * information via device_data.
+	 */
+	if (intel_vsec_walk_dvsec(pdev, info))
+		found = true;
+
+	if (intel_vsec_walk_vsec(pdev, info))
+		found = true;
+
+	if (info && (info->quirks & VSEC_QUIRK_NO_DVSEC) &&
+	    intel_vsec_walk_header(pdev, info))
+		found = true;
+
+	return found;
+}
+
 static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 {
 	struct intel_vsec_platform_info *info;
 	struct vsec_priv *priv;
-	bool have_devices = false;
 	int ret;
 
 	ret = pcim_enable_device(pdev);
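
Review bot: the wrapper added in this hunk is named intel_vsec_get_features(), while the commit message says the three walkers are combined into intel_vsec_feature_walk(). One of the two should be corrected, or a bracketed note should explain the difference, so that someone searching the tree for the name in the changelog finds the function.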
@@ -399,17 +423,7 @@ static int intel_vsec_pci_probe(struct p
 	priv->info = info;
 	pci_set_drvdata(pdev, priv);
 
-	if (intel_vsec_walk_dvsec(pdev, info))
-		have_devices = true;
-
-	if (intel_vsec_walk_vsec(pdev, info))
-		have_devices = true;
-
-	if (info && (info->quirks & VSEC_QUIRK_NO_DVSEC) &&
-	    intel_vsec_walk_header(pdev, info))
-		have_devices = true;
-
-	if (!have_devices)
+	if (!intel_vsec_get_features(pdev, info))
 		return -ENODEV;
 
 	return 0;



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 365/378] wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (362 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 364/378] sched_ext: Dont warn on NULL cgrp_moving_from in scx_cgroup_move_task() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 366/378] wifi: mac80211: tests: mark HT check strict Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rio Liu, Johannes Berg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rio Liu <rio@r26.me>

commit 711a9c018ad252b2807f85d44e1267b595644f9b upstream.

Some Xfinity XB8 firmware advertises >1 spatial stream MCS indexes in
their basic HT-MCS set. On cards with lower spatial streams, the check
would fail, and we'd be stuck with no HT when it in fact works fine with its
own supported rate. This change makes it so the check is only performed
in strict mode.

Fixes: 574faa0e936d ("wifi: mac80211: add HT and VHT basic set verification")
Signed-off-by: Rio Liu <rio@r26.me>
Link: https://patch.msgid.link/99Mv9QEceyPrQhSP52MtAVmz0_kWJmzqotJjD9YW6LGLqk-AZloAueUyHCURilFkuqOh6Ecv8i2KKdSE1ujP3AnbU5QEouVisT1w_V3xdfc=@r26.me
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/mlme.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -420,6 +420,15 @@ ieee80211_verify_sta_ht_mcs_support(stru
 	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
 
 	/*
+	 * Some Xfinity XB8 firmware advertises >1 spatial stream MCS indexes in
+	 * their basic HT-MCS set. On cards with lower spatial streams, the check
+	 * would fail, and we'd be stuck with no HT when it in fact work fine with
+	 * its own supported rate. So check it only in strict mode.
+	 */
+	if (!ieee80211_hw_check(&sdata->local->hw, STRICT))
+		return true;
+
+	/*
 	 * P802.11REVme/D7.0 - 6.5.4.2.4
 	 * ...
 	 * If the MLME of an HT STA receives an MLME-JOIN.request primitive
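
Review bot: the early `return true` skips the basic HT-MCS verification for every AP whenever the STRICT hardware flag is unset, not only for APs whose basic set lists more spatial streams than the card supports, which is the one case the new comment describes. Either narrow the bypass to that case or extend the comment to say that non-strict mode now performs no basic-set check at all. The return also sits after ieee80211_apply_htcap_overrides(), whose result is unused on this path, so the test could move above that work.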



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 449/522] platform/x86/intel/vsec: Make driver_data info const
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (447 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 448/522] platform/x86/intel/vsec: Create wrapper to walk PCI config space Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 450/522] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David E. Box, Michael J. Ruhl,
	Ilpo Järvinen, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David E. Box" <david.e.box@linux.intel.com>

[ Upstream commit 9577c74c96f88d807d1ba005adbf5952e7127e55 ]

Treat PCI id->driver_data (intel_vsec_platform_info) as read-only by making
vsec_priv->info a const pointer and updating all function signatures to
accept const intel_vsec_platform_info *.

This improves const-correctness and clarifies that the platform info data
from the driver_data table is not meant to be modified at runtime.

No functional changes intended.

Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Link: https://patch.msgid.link/20260313015202.3660072-3-david.e.box@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 348ccc754d89 ("platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   16 ++++++++--------
 drivers/platform/x86/intel/vsec.h |    2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -74,7 +74,7 @@ static enum intel_vsec_id intel_vsec_all
 };
 
 struct vsec_priv {
-	struct intel_vsec_platform_info *info;
+	const struct intel_vsec_platform_info *info;
 };
 
 static const char *intel_vsec_name(enum intel_vsec_id id)
@@ -203,7 +203,7 @@ int intel_vsec_add_aux(struct pci_dev *p
 EXPORT_SYMBOL_NS_GPL(intel_vsec_add_aux, INTEL_VSEC);
 
 static int intel_vsec_add_dev(struct pci_dev *pdev, struct intel_vsec_header *header,
-			      struct intel_vsec_platform_info *info)
+			      const struct intel_vsec_platform_info *info)
 {
 	struct intel_vsec_device *intel_vsec_dev;
 	struct resource *res, *tmp;
@@ -263,7 +263,7 @@ static int intel_vsec_add_dev(struct pci
 }
 
 static bool intel_vsec_walk_header(struct pci_dev *pdev,
-				   struct intel_vsec_platform_info *info)
+				   const struct intel_vsec_platform_info *info)
 {
 	struct intel_vsec_header **header = info->capabilities;
 	bool have_devices = false;
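
Review bot: in intel_vsec_walk_header() the local `struct intel_vsec_header **header = info->capabilities;` remains a pointer to non-const data even though `info` is now const, so the qualifier added here protects only the top-level struct; the capability headers it points to stay writable through `header`. If the intent is read-only driver_data, as the commit message says, consider whether the member and this local can be const-qualified as well, or note in the changelog that the const is shallow.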
@@ -282,7 +282,7 @@ static bool intel_vsec_walk_header(struc
 }
 
 static bool intel_vsec_walk_dvsec(struct pci_dev *pdev,
-				  struct intel_vsec_platform_info *info)
+				  const struct intel_vsec_platform_info *info)
 {
 	bool have_devices = false;
 	int pos = 0;
@@ -332,7 +332,7 @@ static bool intel_vsec_walk_dvsec(struct
 }
 
 static bool intel_vsec_walk_vsec(struct pci_dev *pdev,
-				 struct intel_vsec_platform_info *info)
+				 const struct intel_vsec_platform_info *info)
 {
 	bool have_devices = false;
 	int pos = 0;
@@ -377,7 +377,7 @@ static bool intel_vsec_walk_vsec(struct
 }
 
 static bool intel_vsec_get_features(struct pci_dev *pdev,
-				    struct intel_vsec_platform_info *info)
+				    const struct intel_vsec_platform_info *info)
 {
 	bool found = false;
 
@@ -403,7 +403,7 @@ static bool intel_vsec_get_features(stru
 
 static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 {
-	struct intel_vsec_platform_info *info;
+	const struct intel_vsec_platform_info *info;
 	struct vsec_priv *priv;
 	int ret;
 
@@ -412,7 +412,7 @@ static int intel_vsec_pci_probe(struct p
 		return ret;
 
 	pci_save_state(pdev);
-	info = (struct intel_vsec_platform_info *)id->driver_data;
+	info = (const struct intel_vsec_platform_info *)id->driver_data;
 	if (!info)
 		return -EINVAL;
 
--- a/drivers/platform/x86/intel/vsec.h
+++ b/drivers/platform/x86/intel/vsec.h
@@ -36,7 +36,7 @@ struct intel_vsec_device {
 	struct pci_dev *pcidev;
 	struct resource *resource;
 	struct ida *ida;
-	struct intel_vsec_platform_info *info;
+	const struct intel_vsec_platform_info *info;
 	int num_resources;
 	int id; /* xa */
 	void *priv_data;



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 366/378] wifi: mac80211: tests: mark HT check strict
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (363 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 365/378] wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 367/378] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 0cfff13c94cb5fa818bb374945ff280e08dc1bb9 upstream.

The HT check now only applies in strict mode since APs
were found to be broken. Mark it as such.

Fixes: 711a9c018ad2 ("wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/tests/chan-mode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/mac80211/tests/chan-mode.c
+++ b/net/mac80211/tests/chan-mode.c
@@ -65,6 +65,7 @@ static const struct determine_chan_mode_
 		.ht_capa_mask = {
 			.mcs.rx_mask[0] = 0xf7,
 		},
+		.strict = true,
 	}, {
 		.desc = "Masking out a RX rate in VHT capabilities",
 		.conn_mode = IEEE80211_CONN_MODE_EHT,



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 450/522] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (448 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 449/522] platform/x86/intel/vsec: Make driver_data info const Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 451/522] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ilpo Järvinen,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

[ Upstream commit 348ccc754d8939e21ca5956ff45720b81d6e407f ]

After a PCIe Uncorrectable Error has been reported by a device with
Intel Vendor Specific Extended Capabilities and has been recovered
through a Secondary Bus Reset, its driver calls intel_vsec_pci_probe()
to rescan and reinitialize VSECs.

intel_vsec_pci_probe() invokes pcim_enable_device() and thereby adds
another devm action which calls pcim_disable_device() on driver unbind.

So once the driver unbinds, pcim_disable_device() will be called as many
times as an Uncorrectable Error occurred, plus one.  This will lead to
an enable_cnt imbalance on driver unbind.

Additionally, since commit dc957ab6aa05 ("platform/x86/intel/vsec: Add
private data for per-device data"), a devm_kzalloc() allocation is
leaked on every Uncorrectable Error.

Avoid by splitting the VSEC rescan out of intel_vsec_pci_probe() into a
separate helper and calling that on PCIe error recovery.

Fixes: 936874b77dd0 ("platform/x86/intel/vsec: Add PCI error recovery support to Intel PMT")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org  # v6.0+
Link: https://patch.msgid.link/bd594d09fa866dc51dddc9a447c3b23f9b1402cc.1778736835.git.lukas@wunner.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -401,6 +401,17 @@ static bool intel_vsec_get_features(stru
 	return found;
 }
 
+static int intel_vsec_pci_init(struct pci_dev *pdev)
+{
+	struct vsec_priv *priv = pci_get_drvdata(pdev);
+	const struct intel_vsec_platform_info *info = priv->info;
+
+	if (!intel_vsec_get_features(pdev, info))
+		return -ENODEV;
+
+	return 0;
+}
+
 static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 {
 	const struct intel_vsec_platform_info *info;
@@ -423,10 +434,7 @@ static int intel_vsec_pci_probe(struct p
 	priv->info = info;
 	pci_set_drvdata(pdev, priv);
 
-	if (!intel_vsec_get_features(pdev, info))
-		return -ENODEV;
-
-	return 0;
+	return intel_vsec_pci_init(pdev);
 }
 
 /* TGL info */
@@ -489,7 +497,6 @@ static pci_ers_result_t intel_vsec_pci_s
 {
 	struct intel_vsec_device *intel_vsec_dev;
 	pci_ers_result_t status = PCI_ERS_RESULT_DISCONNECT;
-	const struct pci_device_id *pci_dev_id;
 	unsigned long index;
 
 	dev_info(&pdev->dev, "Resetting PCI slot\n");
@@ -510,10 +517,8 @@ static pci_ers_result_t intel_vsec_pci_s
 		devm_release_action(&pdev->dev, intel_vsec_remove_aux,
 				    &intel_vsec_dev->auxdev);
 	}
-	pci_disable_device(pdev);
 	pci_restore_state(pdev);
-	pci_dev_id = pci_match_id(intel_vsec_pci_ids, pdev);
-	intel_vsec_pci_probe(pdev, pci_dev_id);
+	intel_vsec_pci_init(pdev);
 
 out:
 	return status;
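
Review bot: the return value of intel_vsec_pci_init(pdev) is discarded in the slot-reset handler, as it was for the intel_vsec_pci_probe() call it replaces, so a rescan that returns -ENODEV has no effect on `status` in this hunk. Either check the result before reporting recovery or add a comment saying why a failed rescan is acceptable here.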



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 7.0 367/378] RDMA/umem: fix kernel-doc warnings
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (364 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 366/378] wifi: mac80211: tests: mark HT check strict Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 7.0 368/378] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Leon Romanovsky,
	Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit ff46d1392750444fab5ae5a0194764ffdc4ac0d2 ]

Add or correct kernel-doc comments to eliminate warnings:

Warning: include/rdma/ib_umem.h:104 function parameter 'biter' not
 described in 'rdma_umem_for_each_dma_block'
Warning: include/rdma/ib_umem.h:140 function parameter 'pgsz_bitmap' not
 described in 'ib_umem_find_best_pgoff'
Warning: include/rdma/ib_umem.h:141 No description found for return
 value of 'ib_umem_find_best_pgoff'

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260224003120.3173892-1-rdunlap@infradead.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: 15fe76e23615 ("RDMA/umem: Fix truncation for block sizes >= 4G")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/rdma/ib_umem.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -95,6 +95,7 @@ static inline bool __rdma_umem_block_ite
 /**
  * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
  * @umem: umem to iterate over
+ * @biter: block iterator variable
  * @pgsz: Page size to split the list into
  *
  * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
@@ -122,7 +123,7 @@ unsigned long ib_umem_find_best_pgsz(str
  * ib_umem_find_best_pgoff - Find best HW page size
  *
  * @umem: umem struct
- * @pgsz_bitmap bitmap of HW supported page sizes
+ * @pgsz_bitmap: bitmap of HW supported page sizes
  * @pgoff_bitmask: Mask of bits that can be represented with an offset
  *
  * This is very similar to ib_umem_find_best_pgsz() except instead of accepting
@@ -135,6 +136,9 @@ unsigned long ib_umem_find_best_pgsz(str
  *
  * If the pgoff_bitmask requires either alignment in the low bit or an
  * unavailable page size for the high bits, this function returns 0.
+ *
+ * Returns: best HW page size for the parameters or 0 if none available
+ *   for the given parameters.
  */
 static inline unsigned long ib_umem_find_best_pgoff(struct ib_umem *umem,
 						    unsigned long pgsz_bitmap,
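
Review bot: the added "Returns:" text says "for the parameters" and then "for the given parameters" in the same sentence. "Returns: best HW page size, or 0 if none is available for the given parameters." says the same thing once.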



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 451/522] octeontx2-pf: avoid double free of pool->stack on AQ init failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (449 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 450/522] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 14:59 ` [PATCH 6.1 452/522] spi: qup: switch to use modern name Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Simon Horman,
	Jakub Kicinski, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dawei Feng <dawei.feng@seu.edu.cn>

[ Upstream commit 9b244c242bec48b37e82b89787afd6a4c43457e1 ]

otx2_pool_aq_init() frees pool->stack when mailbox sync or retry
allocation fails, but leaves the pointer unchanged. Later,
otx2_sq_aura_pool_init() unwinds the partial setup through
otx2_aura_pool_free(), which frees pool->stack again. The CN20K-specific
cn20k_pool_aq_init() implementation has the same bug in
its corresponding error path.

Set pool->stack to NULL immediately after the local free so the shared
cleanup path does not free the same stack again while cleaning up
partially initialized pool state.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc3.

Runtime validation was not performed because reproducing this path
requires OcteonTX2/CN20K hardware.

Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
Fixes: d322fbd17203 ("octeontx2-pf: Initialize cn20k specific aura and pool contexts")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260515151826.1005397-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
@@ -1374,11 +1374,13 @@ int otx2_pool_init(struct otx2_nic *pfvf
 		err = otx2_sync_mbox_msg(&pfvf->mbox);
 		if (err) {
 			qmem_free(pfvf->dev, pool->stack);
+			pool->stack = NULL;
 			return err;
 		}
 		aq = otx2_mbox_alloc_msg_npa_aq_enq(&pfvf->mbox);
 		if (!aq) {
 			qmem_free(pfvf->dev, pool->stack);
+			pool->stack = NULL;
 			return -ENOMEM;
 		}
 	}
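Review bot: the changelog does not match what this backport touches. It names otx2_pool_aq_init() and a second fix in cn20k_pool_aq_init(), with a Fixes: tag for d322fbd17203, but the diffstat is a single file and both added lines sit in otx2_pool_init(). A short backport note in the message saying that the error paths live in otx2_pool_init() in this tree, and whether the cn20k part is intentionally absent, would make that checkable. It is also worth confirming for 6.1 that the shared unwind path skips a NULL pool->stack, since `pool->stack = NULL;` only prevents the second free if the later cleanup treats NULL as nothing to do, and that is not visible in this hunk.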




* [PATCH 7.0 368/378] RDMA: Move DMA block iterator logic into dedicated files
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (365 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 367/378] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 369/378] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@nvidia.com>

[ Upstream commit 6094ea64c69520ed1e770e7c79c43412de202bfa ]

The DMA iterator logic was mixed into verbs and umem-specific code,
forcing all users to include rdma/ib_umem.h. Move the block iterator
logic into iter.c and rdma/iter.h so that rdma/ib_umem.h and
rdma/ib_verbs.h can be separated in a follow-up patch.

Link: https://patch.msgid.link/20260213-refactor-umem-v1-1-f3be85847922@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Stable-dep-of: 15fe76e23615 ("RDMA/umem: Fix truncation for block sizes >= 4G")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/Makefile             |    2 
 drivers/infiniband/core/iter.c               |   43 +++++++++++++
 drivers/infiniband/core/verbs.c              |   38 -----------
 drivers/infiniband/hw/bnxt_re/qplib_res.c    |    2 
 drivers/infiniband/hw/cxgb4/mem.c            |    2 
 drivers/infiniband/hw/efa/efa_verbs.c        |    2 
 drivers/infiniband/hw/erdma/erdma_verbs.c    |    2 
 drivers/infiniband/hw/hns/hns_roce_alloc.c   |    2 
 drivers/infiniband/hw/ionic/ionic_ibdev.h    |    2 
 drivers/infiniband/hw/irdma/main.h           |    2 
 drivers/infiniband/hw/mana/mana_ib.h         |    2 
 drivers/infiniband/hw/mlx4/mr.c              |    1 
 drivers/infiniband/hw/mlx5/mem.c             |    1 
 drivers/infiniband/hw/mlx5/umr.c             |    1 
 drivers/infiniband/hw/mthca/mthca_provider.c |    2 
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c  |    2 
 drivers/infiniband/hw/qedr/verbs.c           |    2 
 drivers/infiniband/hw/vmw_pvrdma/pvrdma.h    |    2 
 include/rdma/ib_umem.h                       |   32 ---------
 include/rdma/ib_verbs.h                      |   48 --------------
 include/rdma/iter.h                          |   88 +++++++++++++++++++++++++++
 21 files changed, 147 insertions(+), 131 deletions(-)
 create mode 100644 drivers/infiniband/core/iter.c
 create mode 100644 include/rdma/iter.h

--- a/drivers/infiniband/core/Makefile
+++ b/drivers/infiniband/core/Makefile
@@ -12,7 +12,7 @@ ib_core-y :=			packer.o ud_header.o verb
 				roce_gid_mgmt.o mr_pool.o addr.o sa_query.o \
 				multicast.o mad.o smi.o agent.o mad_rmpp.o \
 				nldev.o restrack.o counters.o ib_core_uverbs.o \
-				trace.o lag.o
+				trace.o lag.o iter.o
 
 ib_core-$(CONFIG_SECURITY_INFINIBAND) += security.o
 ib_core-$(CONFIG_CGROUP_RDMA) += cgroup.o
--- /dev/null
+++ b/drivers/infiniband/core/iter.c
@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
+/* Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. */
+
+#include <linux/export.h>
+#include <rdma/iter.h>
+
+void __rdma_block_iter_start(struct ib_block_iter *biter,
+			     struct scatterlist *sglist, unsigned int nents,
+			     unsigned long pgsz)
+{
+	memset(biter, 0, sizeof(struct ib_block_iter));
+	biter->__sg = sglist;
+	biter->__sg_nents = nents;
+
+	/* Driver provides best block size to use */
+	biter->__pg_bit = __fls(pgsz);
+}
+EXPORT_SYMBOL(__rdma_block_iter_start);
+
+bool __rdma_block_iter_next(struct ib_block_iter *biter)
+{
+	unsigned int block_offset;
+	unsigned int delta;
+
+	if (!biter->__sg_nents || !biter->__sg)
+		return false;
+
+	biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
+	block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
+	delta = BIT_ULL(biter->__pg_bit) - block_offset;
+
+	while (biter->__sg_nents && biter->__sg &&
+	       sg_dma_len(biter->__sg) - biter->__sg_advance <= delta) {
+		delta -= sg_dma_len(biter->__sg) - biter->__sg_advance;
+		biter->__sg_advance = 0;
+		biter->__sg = sg_next(biter->__sg);
+		biter->__sg_nents--;
+	}
+	biter->__sg_advance += delta;
+
+	return true;
+}
+EXPORT_SYMBOL(__rdma_block_iter_next);
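Review bot: in __rdma_block_iter_next(), `block_offset` and `delta` are `unsigned int` but are assigned from `BIT_ULL(biter->__pg_bit)` expressions, so the values truncate once __pg_bit reaches 32. The code is moved unchanged from verbs.c and the Stable-dep-of: tag names the truncation fix, so this patch should not be picked up without 369/378. Separately, iter.c uses memset(), __fls() and BIT_ULL() while including only <linux/export.h> and <rdma/iter.h>; explicit <linux/string.h>, <linux/bitops.h> and <linux/bits.h> includes would avoid depending on whatever iter.h happens to pull in.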
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -3154,44 +3154,6 @@ int rdma_init_netdev(struct ib_device *d
 }
 EXPORT_SYMBOL(rdma_init_netdev);
 
-void __rdma_block_iter_start(struct ib_block_iter *biter,
-			     struct scatterlist *sglist, unsigned int nents,
-			     unsigned long pgsz)
-{
-	memset(biter, 0, sizeof(struct ib_block_iter));
-	biter->__sg = sglist;
-	biter->__sg_nents = nents;
-
-	/* Driver provides best block size to use */
-	biter->__pg_bit = __fls(pgsz);
-}
-EXPORT_SYMBOL(__rdma_block_iter_start);
-
-bool __rdma_block_iter_next(struct ib_block_iter *biter)
-{
-	unsigned int block_offset;
-	unsigned int delta;
-
-	if (!biter->__sg_nents || !biter->__sg)
-		return false;
-
-	biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
-	block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
-	delta = BIT_ULL(biter->__pg_bit) - block_offset;
-
-	while (biter->__sg_nents && biter->__sg &&
-	       sg_dma_len(biter->__sg) - biter->__sg_advance <= delta) {
-		delta -= sg_dma_len(biter->__sg) - biter->__sg_advance;
-		biter->__sg_advance = 0;
-		biter->__sg = sg_next(biter->__sg);
-		biter->__sg_nents--;
-	}
-	biter->__sg_advance += delta;
-
-	return true;
-}
-EXPORT_SYMBOL(__rdma_block_iter_next);
-
 /**
  * rdma_alloc_hw_stats_struct - Helper function to allocate dynamic struct
  *   for the drivers.
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -46,7 +46,7 @@
 #include <linux/if_vlan.h>
 #include <linux/vmalloc.h>
 #include <rdma/ib_verbs.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 
 #include "roce_hsi.h"
 #include "qplib_res.h"
--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -32,9 +32,9 @@
 
 #include <linux/module.h>
 #include <linux/moduleparam.h>
-#include <rdma/ib_umem.h>
 #include <linux/atomic.h>
 #include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
 
 #include "iw_cxgb4.h"
 
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -9,9 +9,9 @@
 #include <linux/log2.h>
 
 #include <rdma/ib_addr.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_user_verbs.h>
 #include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 #define UVERBS_MODULE_NAME efa_ib
 #include <rdma/uverbs_named_ioctl.h>
--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
+++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
@@ -12,7 +12,7 @@
 #include <linux/vmalloc.h>
 #include <net/addrconf.h>
 #include <rdma/erdma-abi.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include "erdma.h"
--- a/drivers/infiniband/hw/hns/hns_roce_alloc.c
+++ b/drivers/infiniband/hw/hns/hns_roce_alloc.c
@@ -32,7 +32,7 @@
  */
 
 #include <linux/vmalloc.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 #include "hns_roce_device.h"
 
 void hns_roce_buf_free(struct hns_roce_dev *hr_dev, struct hns_roce_buf *buf)
--- a/drivers/infiniband/hw/ionic/ionic_ibdev.h
+++ b/drivers/infiniband/hw/ionic/ionic_ibdev.h
@@ -4,9 +4,9 @@
 #ifndef _IONIC_IBDEV_H_
 #define _IONIC_IBDEV_H_
 
-#include <rdma/ib_umem.h>
 #include <rdma/ib_verbs.h>
 #include <rdma/ib_pack.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include <rdma/ionic-abi.h>
--- a/drivers/infiniband/hw/irdma/main.h
+++ b/drivers/infiniband/hw/irdma/main.h
@@ -37,8 +37,8 @@
 #include <rdma/rdma_cm.h>
 #include <rdma/iw_cm.h>
 #include <rdma/ib_user_verbs.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_cache.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 #include "osdep.h"
 #include "defs.h"
--- a/drivers/infiniband/hw/mana/mana_ib.h
+++ b/drivers/infiniband/hw/mana/mana_ib.h
@@ -8,7 +8,7 @@
 
 #include <rdma/ib_verbs.h>
 #include <rdma/ib_mad.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 #include <rdma/mana-abi.h>
 #include <rdma/uverbs_ioctl.h>
 #include <linux/dmapool.h>
--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -33,6 +33,7 @@
 
 #include <linux/slab.h>
 #include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
 
 #include "mlx4_ib.h"
 
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -31,6 +31,7 @@
  */
 
 #include <rdma/ib_umem_odp.h>
+#include <rdma/iter.h>
 #include "mlx5_ib.h"
 
 /*
--- a/drivers/infiniband/hw/mlx5/umr.c
+++ b/drivers/infiniband/hw/mlx5/umr.c
@@ -2,6 +2,7 @@
 /* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. */
 
 #include <rdma/ib_umem_odp.h>
+#include <rdma/iter.h>
 #include "mlx5_ib.h"
 #include "umr.h"
 #include "wr.h"
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
@@ -35,8 +35,8 @@
  */
 
 #include <rdma/ib_smi.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include <linux/sched.h>
--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -45,9 +45,9 @@
 #include <rdma/ib_verbs.h>
 #include <rdma/ib_user_verbs.h>
 #include <rdma/iw_cm.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_addr.h>
 #include <rdma/ib_cache.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include "ocrdma.h"
--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -39,9 +39,9 @@
 #include <rdma/ib_verbs.h>
 #include <rdma/ib_user_verbs.h>
 #include <rdma/iw_cm.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_addr.h>
 #include <rdma/ib_cache.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include <linux/qed/common_hsi.h>
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
@@ -53,8 +53,8 @@
 #include <linux/pci.h>
 #include <linux/semaphore.h>
 #include <linux/workqueue.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
 #include <rdma/vmw_pvrdma-abi.h>
 
 #include "pvrdma_ring.h"
--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -76,38 +76,6 @@ static inline size_t ib_umem_num_pages(s
 {
 	return ib_umem_num_dma_blocks(umem, PAGE_SIZE);
 }
-
-static inline void __rdma_umem_block_iter_start(struct ib_block_iter *biter,
-						struct ib_umem *umem,
-						unsigned long pgsz)
-{
-	__rdma_block_iter_start(biter, umem->sgt_append.sgt.sgl,
-				umem->sgt_append.sgt.nents, pgsz);
-	biter->__sg_advance = ib_umem_offset(umem) & ~(pgsz - 1);
-	biter->__sg_numblocks = ib_umem_num_dma_blocks(umem, pgsz);
-}
-
-static inline bool __rdma_umem_block_iter_next(struct ib_block_iter *biter)
-{
-	return __rdma_block_iter_next(biter) && biter->__sg_numblocks--;
-}
-
-/**
- * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
- * @umem: umem to iterate over
- * @biter: block iterator variable
- * @pgsz: Page size to split the list into
- *
- * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
- * returned DMA blocks will be aligned to pgsz and span the range:
- * ALIGN_DOWN(umem->address, pgsz) to ALIGN(umem->address + umem->length, pgsz)
- *
- * Performs exactly ib_umem_num_dma_blocks() iterations.
- */
-#define rdma_umem_for_each_dma_block(umem, biter, pgsz)                        \
-	for (__rdma_umem_block_iter_start(biter, umem, pgsz);                  \
-	     __rdma_umem_block_iter_next(biter);)
-
 #ifdef CONFIG_INFINIBAND_USER_MEM
 
 struct ib_umem *ib_umem_get(struct ib_device *device, unsigned long addr,
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -2959,22 +2959,6 @@ struct ib_client {
 	u8 no_kverbs_req:1;
 };
 
-/*
- * IB block DMA iterator
- *
- * Iterates the DMA-mapped SGL in contiguous memory blocks aligned
- * to a HW supported page size.
- */
-struct ib_block_iter {
-	/* internal states */
-	struct scatterlist *__sg;	/* sg holding the current aligned block */
-	dma_addr_t __dma_addr;		/* unaligned DMA address of this block */
-	size_t __sg_numblocks;		/* ib_umem_num_dma_blocks() */
-	unsigned int __sg_nents;	/* number of SG entries */
-	unsigned int __sg_advance;	/* number of bytes to advance in sg in next step */
-	unsigned int __pg_bit;		/* alignment of current block */
-};
-
 struct ib_device *_ib_alloc_device(size_t size, struct net *net);
 #define ib_alloc_device(drv_struct, member)                                    \
 	container_of(_ib_alloc_device(sizeof(struct drv_struct) +              \
@@ -3003,38 +2987,6 @@ void ib_unregister_device_queued(struct
 int ib_register_client   (struct ib_client *client);
 void ib_unregister_client(struct ib_client *client);
 
-void __rdma_block_iter_start(struct ib_block_iter *biter,
-			     struct scatterlist *sglist,
-			     unsigned int nents,
-			     unsigned long pgsz);
-bool __rdma_block_iter_next(struct ib_block_iter *biter);
-
-/**
- * rdma_block_iter_dma_address - get the aligned dma address of the current
- * block held by the block iterator.
- * @biter: block iterator holding the memory block
- */
-static inline dma_addr_t
-rdma_block_iter_dma_address(struct ib_block_iter *biter)
-{
-	return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1);
-}
-
-/**
- * rdma_for_each_block - iterate over contiguous memory blocks of the sg list
- * @sglist: sglist to iterate over
- * @biter: block iterator holding the memory block
- * @nents: maximum number of sg entries to iterate over
- * @pgsz: best HW supported page size to use
- *
- * Callers may use rdma_block_iter_dma_address() to get each
- * blocks aligned DMA address.
- */
-#define rdma_for_each_block(sglist, biter, nents, pgsz)		\
-	for (__rdma_block_iter_start(biter, sglist, nents,	\
-				     pgsz);			\
-	     __rdma_block_iter_next(biter);)
-
 /**
  * ib_get_client_data - Get IB client context
  * @device:Device to get context for
--- /dev/null
+++ b/include/rdma/iter.h
@@ -0,0 +1,88 @@
+/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */
+/* Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. */
+
+#ifndef _RDMA_ITER_H_
+#define _RDMA_ITER_H_
+
+#include <linux/scatterlist.h>
+#include <rdma/ib_umem.h>
+
+/**
+ * IB block DMA iterator
+ *
+ * Iterates the DMA-mapped SGL in contiguous memory blocks aligned
+ * to a HW supported page size.
+ */
+struct ib_block_iter {
+	/* internal states */
+	struct scatterlist *__sg;	/* sg holding the current aligned block */
+	dma_addr_t __dma_addr;		/* unaligned DMA address of this block */
+	size_t __sg_numblocks;		/* ib_umem_num_dma_blocks() */
+	unsigned int __sg_nents;	/* number of SG entries */
+	unsigned int __sg_advance;	/* number of bytes to advance in sg in next step */
+	unsigned int __pg_bit;		/* alignment of current block */
+};
+
+void __rdma_block_iter_start(struct ib_block_iter *biter,
+			     struct scatterlist *sglist,
+			     unsigned int nents,
+			     unsigned long pgsz);
+bool __rdma_block_iter_next(struct ib_block_iter *biter);
+
+/**
+ * rdma_block_iter_dma_address - get the aligned dma address of the current
+ * block held by the block iterator.
+ * @biter: block iterator holding the memory block
+ */
+static inline dma_addr_t
+rdma_block_iter_dma_address(struct ib_block_iter *biter)
+{
+	return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1);
+}
+
+/**
+ * rdma_for_each_block - iterate over contiguous memory blocks of the sg list
+ * @sglist: sglist to iterate over
+ * @biter: block iterator holding the memory block
+ * @nents: maximum number of sg entries to iterate over
+ * @pgsz: best HW supported page size to use
+ *
+ * Callers may use rdma_block_iter_dma_address() to get each
+ * blocks aligned DMA address.
+ */
+#define rdma_for_each_block(sglist, biter, nents, pgsz)		\
+	for (__rdma_block_iter_start(biter, sglist, nents,	\
+				     pgsz);			\
+	     __rdma_block_iter_next(biter);)
+
+static inline void __rdma_umem_block_iter_start(struct ib_block_iter *biter,
+						struct ib_umem *umem,
+						unsigned long pgsz)
+{
+	__rdma_block_iter_start(biter, umem->sgt_append.sgt.sgl,
+				umem->sgt_append.sgt.nents, pgsz);
+	biter->__sg_advance = ib_umem_offset(umem) & ~(pgsz - 1);
+	biter->__sg_numblocks = ib_umem_num_dma_blocks(umem, pgsz);
+}
+
+static inline bool __rdma_umem_block_iter_next(struct ib_block_iter *biter)
+{
+	return __rdma_block_iter_next(biter) && biter->__sg_numblocks--;
+}
+
+/**
+ * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
+ * @umem: umem to iterate over
+ * @pgsz: Page size to split the list into
+ *
+ * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
+ * returned DMA blocks will be aligned to pgsz and span the range:
+ * ALIGN_DOWN(umem->address, pgsz) to ALIGN(umem->address + umem->length, pgsz)
+ *
+ * Performs exactly ib_umem_num_dma_blocks() iterations.
+ */
+#define rdma_umem_for_each_dma_block(umem, biter, pgsz)                        \
+	for (__rdma_umem_block_iter_start(biter, umem, pgsz);                  \
+	     __rdma_umem_block_iter_next(biter);)
+
+#endif /* _RDMA_ITER_H_ */
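Review bot: the kernel-doc for rdma_umem_for_each_dma_block() lost its `@biter: block iterator variable` line in the move (the copy removed from ib_umem.h had it), so the macro now documents two of its three parameters; please restore it. The comment above struct ib_block_iter also changed from `/*` to `/**` without being in kernel-doc form (no `struct ib_block_iter -` line, no member descriptions), so either keep the plain `/*` or convert it properly. Since iter.h itself includes <rdma/ib_umem.h>, every driver switched to <rdma/iter.h> still pulls in ib_umem.h until the follow-up split mentioned in the changelog lands.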




* [PATCH 6.1 452/522] spi: qup: switch to use modern name
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (450 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 451/522] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 453/522] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 597442ff4f6226206b7cc28b86eb2be0ae9c6418 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20230818093154.1183529-10-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: a7e8f3efd50a ("spi: qup: fix error pointer deref after DMA setup failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-qup.c |  168 +++++++++++++++++++++++++-------------------------
 1 file changed, 84 insertions(+), 84 deletions(-)

--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -386,20 +386,20 @@ static void spi_qup_write(struct spi_qup
 	} while (remainder);
 }
 
-static int spi_qup_prep_sg(struct spi_master *master, struct scatterlist *sgl,
+static int spi_qup_prep_sg(struct spi_controller *host, struct scatterlist *sgl,
 			   unsigned int nents, enum dma_transfer_direction dir,
 			   dma_async_tx_callback callback)
 {
-	struct spi_qup *qup = spi_master_get_devdata(master);
+	struct spi_qup *qup = spi_controller_get_devdata(host);
 	unsigned long flags = DMA_PREP_INTERRUPT | DMA_PREP_FENCE;
 	struct dma_async_tx_descriptor *desc;
 	struct dma_chan *chan;
 	dma_cookie_t cookie;
 
 	if (dir == DMA_MEM_TO_DEV)
-		chan = master->dma_tx;
+		chan = host->dma_tx;
 	else
-		chan = master->dma_rx;
+		chan = host->dma_rx;
 
 	desc = dmaengine_prep_slave_sg(chan, sgl, nents, dir, flags);
 	if (IS_ERR_OR_NULL(desc))
@@ -413,13 +413,13 @@ static int spi_qup_prep_sg(struct spi_ma
 	return dma_submit_error(cookie);
 }
 
-static void spi_qup_dma_terminate(struct spi_master *master,
+static void spi_qup_dma_terminate(struct spi_controller *host,
 				  struct spi_transfer *xfer)
 {
 	if (xfer->tx_buf)
-		dmaengine_terminate_all(master->dma_tx);
+		dmaengine_terminate_all(host->dma_tx);
 	if (xfer->rx_buf)
-		dmaengine_terminate_all(master->dma_rx);
+		dmaengine_terminate_all(host->dma_rx);
 }
 
 static u32 spi_qup_sgl_get_nents_len(struct scatterlist *sgl, u32 max,
@@ -446,8 +446,8 @@ static int spi_qup_do_dma(struct spi_dev
 			  unsigned long timeout)
 {
 	dma_async_tx_callback rx_done = NULL, tx_done = NULL;
-	struct spi_master *master = spi->master;
-	struct spi_qup *qup = spi_master_get_devdata(master);
+	struct spi_controller *host = spi->controller;
+	struct spi_qup *qup = spi_controller_get_devdata(host);
 	struct scatterlist *tx_sgl, *rx_sgl;
 	int ret;
 
@@ -482,20 +482,20 @@ static int spi_qup_do_dma(struct spi_dev
 			return ret;
 		}
 		if (rx_sgl) {
-			ret = spi_qup_prep_sg(master, rx_sgl, rx_nents,
+			ret = spi_qup_prep_sg(host, rx_sgl, rx_nents,
 					      DMA_DEV_TO_MEM, rx_done);
 			if (ret)
 				return ret;
-			dma_async_issue_pending(master->dma_rx);
+			dma_async_issue_pending(host->dma_rx);
 		}
 
 		if (tx_sgl) {
-			ret = spi_qup_prep_sg(master, tx_sgl, tx_nents,
+			ret = spi_qup_prep_sg(host, tx_sgl, tx_nents,
 					      DMA_MEM_TO_DEV, tx_done);
 			if (ret)
 				return ret;
 
-			dma_async_issue_pending(master->dma_tx);
+			dma_async_issue_pending(host->dma_tx);
 		}
 
 		if (!wait_for_completion_timeout(&qup->done, timeout))
@@ -514,8 +514,8 @@ static int spi_qup_do_dma(struct spi_dev
 static int spi_qup_do_pio(struct spi_device *spi, struct spi_transfer *xfer,
 			  unsigned long timeout)
 {
-	struct spi_master *master = spi->master;
-	struct spi_qup *qup = spi_master_get_devdata(master);
+	struct spi_controller *host = spi->controller;
+	struct spi_qup *qup = spi_controller_get_devdata(host);
 	int ret, n_words, iterations, offset = 0;
 
 	n_words = qup->n_words;
@@ -659,7 +659,7 @@ static irqreturn_t spi_qup_qup_irq(int i
 /* set clock freq ... bits per word, determine mode */
 static int spi_qup_io_prep(struct spi_device *spi, struct spi_transfer *xfer)
 {
-	struct spi_qup *controller = spi_master_get_devdata(spi->master);
+	struct spi_qup *controller = spi_controller_get_devdata(spi->controller);
 	int ret;
 
 	if (spi->mode & SPI_LOOP && xfer->len > controller->in_fifo_sz) {
@@ -680,9 +680,9 @@ static int spi_qup_io_prep(struct spi_de
 
 	if (controller->n_words <= (controller->in_fifo_sz / sizeof(u32)))
 		controller->mode = QUP_IO_M_MODE_FIFO;
-	else if (spi->master->can_dma &&
-		 spi->master->can_dma(spi->master, spi, xfer) &&
-		 spi->master->cur_msg_mapped)
+	else if (spi->controller->can_dma &&
+		 spi->controller->can_dma(spi->controller, spi, xfer) &&
+		 spi->controller->cur_msg_mapped)
 		controller->mode = QUP_IO_M_MODE_BAM;
 	else
 		controller->mode = QUP_IO_M_MODE_BLOCK;
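Review bot: after the rename, the local `struct spi_qup *controller` in spi_qup_io_prep() sits next to `spi->controller`, which is the struct spi_controller, so `controller->mode` and `spi->controller->can_dma` refer to different objects a few lines apart. Other functions in this patch name the driver data `qup`; renaming the local to match would make the distinction obvious. That belongs in a follow-up rather than in a stable dependency.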
@@ -693,7 +693,7 @@ static int spi_qup_io_prep(struct spi_de
 /* prep qup for another spi transaction of specific type */
 static int spi_qup_io_config(struct spi_device *spi, struct spi_transfer *xfer)
 {
-	struct spi_qup *controller = spi_master_get_devdata(spi->master);
+	struct spi_qup *controller = spi_controller_get_devdata(spi->controller);
 	u32 config, iomode, control;
 	unsigned long flags;
 
@@ -841,11 +841,11 @@ static int spi_qup_io_config(struct spi_
 	return 0;
 }
 
-static int spi_qup_transfer_one(struct spi_master *master,
+static int spi_qup_transfer_one(struct spi_controller *host,
 			      struct spi_device *spi,
 			      struct spi_transfer *xfer)
 {
-	struct spi_qup *controller = spi_master_get_devdata(master);
+	struct spi_qup *controller = spi_controller_get_devdata(host);
 	unsigned long timeout, flags;
 	int ret;
 
@@ -879,21 +879,21 @@ static int spi_qup_transfer_one(struct s
 	spin_unlock_irqrestore(&controller->lock, flags);
 
 	if (ret && spi_qup_is_dma_xfer(controller->mode))
-		spi_qup_dma_terminate(master, xfer);
+		spi_qup_dma_terminate(host, xfer);
 
 	return ret;
 }
 
-static bool spi_qup_can_dma(struct spi_master *master, struct spi_device *spi,
+static bool spi_qup_can_dma(struct spi_controller *host, struct spi_device *spi,
 			    struct spi_transfer *xfer)
 {
-	struct spi_qup *qup = spi_master_get_devdata(master);
+	struct spi_qup *qup = spi_controller_get_devdata(host);
 	size_t dma_align = dma_get_cache_alignment();
 	int n_words;
 
 	if (xfer->rx_buf) {
 		if (!IS_ALIGNED((size_t)xfer->rx_buf, dma_align) ||
-		    IS_ERR_OR_NULL(master->dma_rx))
+		    IS_ERR_OR_NULL(host->dma_rx))
 			return false;
 		if (qup->qup_v1 && (xfer->len % qup->in_blk_sz))
 			return false;
@@ -901,7 +901,7 @@ static bool spi_qup_can_dma(struct spi_m
 
 	if (xfer->tx_buf) {
 		if (!IS_ALIGNED((size_t)xfer->tx_buf, dma_align) ||
-		    IS_ERR_OR_NULL(master->dma_tx))
+		    IS_ERR_OR_NULL(host->dma_tx))
 			return false;
 		if (qup->qup_v1 && (xfer->len % qup->out_blk_sz))
 			return false;
@@ -914,30 +914,30 @@ static bool spi_qup_can_dma(struct spi_m
 	return true;
 }
 
-static void spi_qup_release_dma(struct spi_master *master)
+static void spi_qup_release_dma(struct spi_controller *host)
 {
-	if (!IS_ERR_OR_NULL(master->dma_rx))
-		dma_release_channel(master->dma_rx);
-	if (!IS_ERR_OR_NULL(master->dma_tx))
-		dma_release_channel(master->dma_tx);
+	if (!IS_ERR_OR_NULL(host->dma_rx))
+		dma_release_channel(host->dma_rx);
+	if (!IS_ERR_OR_NULL(host->dma_tx))
+		dma_release_channel(host->dma_tx);
 }
 
-static int spi_qup_init_dma(struct spi_master *master, resource_size_t base)
+static int spi_qup_init_dma(struct spi_controller *host, resource_size_t base)
 {
-	struct spi_qup *spi = spi_master_get_devdata(master);
+	struct spi_qup *spi = spi_controller_get_devdata(host);
 	struct dma_slave_config *rx_conf = &spi->rx_conf,
 				*tx_conf = &spi->tx_conf;
 	struct device *dev = spi->dev;
 	int ret;
 
 	/* allocate dma resources, if available */
-	master->dma_rx = dma_request_chan(dev, "rx");
-	if (IS_ERR(master->dma_rx))
-		return PTR_ERR(master->dma_rx);
-
-	master->dma_tx = dma_request_chan(dev, "tx");
-	if (IS_ERR(master->dma_tx)) {
-		ret = PTR_ERR(master->dma_tx);
+	host->dma_rx = dma_request_chan(dev, "rx");
+	if (IS_ERR(host->dma_rx))
+		return PTR_ERR(host->dma_rx);
+
+	host->dma_tx = dma_request_chan(dev, "tx");
+	if (IS_ERR(host->dma_tx)) {
+		ret = PTR_ERR(host->dma_tx);
 		goto err_tx;
 	}
 
@@ -952,13 +952,13 @@ static int spi_qup_init_dma(struct spi_m
 	tx_conf->dst_addr = base + QUP_OUTPUT_FIFO;
 	tx_conf->dst_maxburst = spi->out_blk_sz;
 
-	ret = dmaengine_slave_config(master->dma_rx, rx_conf);
+	ret = dmaengine_slave_config(host->dma_rx, rx_conf);
 	if (ret) {
 		dev_err(dev, "failed to configure RX channel\n");
 		goto err;
 	}
 
-	ret = dmaengine_slave_config(master->dma_tx, tx_conf);
+	ret = dmaengine_slave_config(host->dma_tx, tx_conf);
 	if (ret) {
 		dev_err(dev, "failed to configure TX channel\n");
 		goto err;
@@ -967,9 +967,9 @@ static int spi_qup_init_dma(struct spi_m
 	return 0;
 
 err:
-	dma_release_channel(master->dma_tx);
+	dma_release_channel(host->dma_tx);
 err_tx:
-	dma_release_channel(master->dma_rx);
+	dma_release_channel(host->dma_rx);
 	return ret;
 }
 
@@ -979,7 +979,7 @@ static void spi_qup_set_cs(struct spi_de
 	u32 spi_ioc;
 	u32 spi_ioc_orig;
 
-	controller = spi_master_get_devdata(spi->master);
+	controller = spi_controller_get_devdata(spi->controller);
 	spi_ioc = readl_relaxed(controller->base + SPI_IO_CONTROL);
 	spi_ioc_orig = spi_ioc;
 	if (!val)
@@ -993,7 +993,7 @@ static void spi_qup_set_cs(struct spi_de
 
 static int spi_qup_probe(struct platform_device *pdev)
 {
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct clk *iclk, *cclk;
 	struct spi_qup *controller;
 	struct resource *res;
@@ -1029,34 +1029,34 @@ static int spi_qup_probe(struct platform
 		return -ENXIO;
 	}
 
-	master = spi_alloc_master(dev, sizeof(struct spi_qup));
-	if (!master) {
-		dev_err(dev, "cannot allocate master\n");
+	host = spi_alloc_host(dev, sizeof(struct spi_qup));
+	if (!host) {
+		dev_err(dev, "cannot allocate host\n");
 		return -ENOMEM;
 	}
 
 	/* use num-cs unless not present or out of range */
 	if (of_property_read_u32(dev->of_node, "num-cs", &num_cs) ||
 	    num_cs > SPI_NUM_CHIPSELECTS)
-		master->num_chipselect = SPI_NUM_CHIPSELECTS;
+		host->num_chipselect = SPI_NUM_CHIPSELECTS;
 	else
-		master->num_chipselect = num_cs;
+		host->num_chipselect = num_cs;
 
-	master->use_gpio_descriptors = true;
-	master->max_native_cs = SPI_NUM_CHIPSELECTS;
-	master->bus_num = pdev->id;
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LOOP;
-	master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
-	master->max_speed_hz = max_freq;
-	master->transfer_one = spi_qup_transfer_one;
-	master->dev.of_node = pdev->dev.of_node;
-	master->auto_runtime_pm = true;
-	master->dma_alignment = dma_get_cache_alignment();
-	master->max_dma_len = SPI_MAX_XFER;
+	host->use_gpio_descriptors = true;
+	host->max_native_cs = SPI_NUM_CHIPSELECTS;
+	host->bus_num = pdev->id;
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LOOP;
+	host->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
+	host->max_speed_hz = max_freq;
+	host->transfer_one = spi_qup_transfer_one;
+	host->dev.of_node = pdev->dev.of_node;
+	host->auto_runtime_pm = true;
+	host->dma_alignment = dma_get_cache_alignment();
+	host->max_dma_len = SPI_MAX_XFER;
 
-	platform_set_drvdata(pdev, master);
+	platform_set_drvdata(pdev, host);
 
-	controller = spi_master_get_devdata(master);
+	controller = spi_controller_get_devdata(host);
 
 	controller->dev = dev;
 	controller->base = base;
@@ -1064,16 +1064,16 @@ static int spi_qup_probe(struct platform
 	controller->cclk = cclk;
 	controller->irq = irq;
 
-	ret = spi_qup_init_dma(master, res->start);
+	ret = spi_qup_init_dma(host, res->start);
 	if (ret == -EPROBE_DEFER)
 		goto error;
 	else if (!ret)
-		master->can_dma = spi_qup_can_dma;
+		host->can_dma = spi_qup_can_dma;
 
 	controller->qup_v1 = (uintptr_t)of_device_get_match_data(dev);
 
 	if (!controller->qup_v1)
-		master->set_cs = spi_qup_set_cs;
+		host->set_cs = spi_qup_set_cs;
 
 	spin_lock_init(&controller->lock);
 	init_completion(&controller->done);
@@ -1151,7 +1151,7 @@ static int spi_qup_probe(struct platform
 	pm_runtime_set_active(dev);
 	pm_runtime_enable(dev);
 
-	ret = devm_spi_register_master(dev, master);
+	ret = devm_spi_register_controller(dev, host);
 	if (ret)
 		goto disable_pm;
 
@@ -1163,17 +1163,17 @@ error_clk:
 	clk_disable_unprepare(cclk);
 	clk_disable_unprepare(iclk);
 error_dma:
-	spi_qup_release_dma(master);
+	spi_qup_release_dma(host);
 error:
-	spi_master_put(master);
+	spi_controller_put(host);
 	return ret;
 }
 
 #ifdef CONFIG_PM
 static int spi_qup_pm_suspend_runtime(struct device *device)
 {
-	struct spi_master *master = dev_get_drvdata(device);
-	struct spi_qup *controller = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(device);
+	struct spi_qup *controller = spi_controller_get_devdata(host);
 	u32 config;
 
 	/* Enable clocks auto gaiting */
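Review bot: in spi_qup_pm_suspend_runtime() the rename leaves `struct spi_controller *host` next to `struct spi_qup *controller`, so `controller = spi_controller_get_devdata(host)` now assigns the driver's private data to a variable named after the core type. The same pairing repeats in every function this patch touches; renaming the private pointer (for example to `qup`) in a follow-up would make the two objects harder to confuse.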
@@ -1189,8 +1189,8 @@ static int spi_qup_pm_suspend_runtime(st
 
 static int spi_qup_pm_resume_runtime(struct device *device)
 {
-	struct spi_master *master = dev_get_drvdata(device);
-	struct spi_qup *controller = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(device);
+	struct spi_qup *controller = spi_controller_get_devdata(host);
 	u32 config;
 	int ret;
 
@@ -1215,8 +1215,8 @@ static int spi_qup_pm_resume_runtime(str
 #ifdef CONFIG_PM_SLEEP
 static int spi_qup_suspend(struct device *device)
 {
-	struct spi_master *master = dev_get_drvdata(device);
-	struct spi_qup *controller = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(device);
+	struct spi_qup *controller = spi_controller_get_devdata(host);
 	int ret;
 
 	if (pm_runtime_suspended(device)) {
@@ -1224,7 +1224,7 @@ static int spi_qup_suspend(struct device
 		if (ret)
 			return ret;
 	}
-	ret = spi_master_suspend(master);
+	ret = spi_controller_suspend(host);
 	if (ret)
 		return ret;
 
@@ -1239,8 +1239,8 @@ static int spi_qup_suspend(struct device
 
 static int spi_qup_resume(struct device *device)
 {
-	struct spi_master *master = dev_get_drvdata(device);
-	struct spi_qup *controller = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(device);
+	struct spi_qup *controller = spi_controller_get_devdata(host);
 	int ret;
 
 	ret = clk_prepare_enable(controller->iclk);
@@ -1257,7 +1257,7 @@ static int spi_qup_resume(struct device
 	if (ret)
 		goto disable_clk;
 
-	ret = spi_master_resume(master);
+	ret = spi_controller_resume(host);
 	if (ret)
 		goto disable_clk;
 
@@ -1272,8 +1272,8 @@ disable_clk:
 
 static int spi_qup_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = dev_get_drvdata(&pdev->dev);
-	struct spi_qup *controller = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(&pdev->dev);
+	struct spi_qup *controller = spi_controller_get_devdata(host);
 	int ret;
 
 	ret = pm_runtime_get_sync(&pdev->dev);
@@ -1291,7 +1291,7 @@ static int spi_qup_remove(struct platfor
 			 ERR_PTR(ret));
 	}
 
-	spi_qup_release_dma(master);
+	spi_qup_release_dma(host);
 
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);




* [PATCH 7.0 369/378] RDMA/umem: Fix truncation for block sizes >= 4G
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (366 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 7.0 368/378] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 370/378] vsock/virtio: fix potential unbounded skb queue Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Sasha Levin

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

[ Upstream commit 15fe76e23615f502d051ef0768f86babaf08746c ]

When the iommu is used the linearization of the mapping can give a single
block that is very large split across multiple SG entries.

When __rdma_block_iter_next() reassembles the split SG entries it is
overflowing the 32 bit stack values and computing the wrong DMA addresses
for blocks after the truncation.

Use the right types to hold DMA addresses.

Link: https://patch.msgid.link/r/1-v1-88303e9e509f+f7-ib_umem_types_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/iter.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/iter.c
+++ b/drivers/infiniband/core/iter.c
@@ -19,8 +19,8 @@ EXPORT_SYMBOL(__rdma_block_iter_start);
 
 bool __rdma_block_iter_next(struct ib_block_iter *biter)
 {
-	unsigned int block_offset;
-	unsigned int delta;
+	dma_addr_t block_offset;
+	dma_addr_t delta;
 
 	if (!biter->__sg_nents || !biter->__sg)
 		return false;
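Review bot: only the two declarations at the top of __rdma_block_iter_next() change here, and the statements that compute `block_offset` and `delta` are outside the visible context. Widening the destination does not help if an operand is still evaluated as `unsigned int` before the assignment, so the expressions feeding these locals should be checked for a 32-bit intermediate. Note that `dma_addr_t` is itself 32 bits on configurations without CONFIG_ARCH_DMA_ADDR_T_64BIT, which is acceptable only because DMA addresses cannot exceed 4G there.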




* [PATCH 6.1 453/522] spi: qup: fix error pointer deref after DMA setup failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (451 preceding siblings ...)
  2026-06-16 14:59 ` [PATCH 6.1 452/522] spi: qup: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 454/522] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit a7e8f3efd50a165ba0189f6dc57f7e51a7d149db ]

The driver falls back to PIO mode if DMA setup fails during probe.

Make sure to clear the DMA channel pointers on setup failure to
avoid dereferencing an error pointer (or attempting to release a channel
a second time) on later probe errors or driver unbind.

This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.

Fixes: 612762e82ae6 ("spi: qup: Add DMA capabilities")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=4
Cc: stable@vger.kernel.org	# 4.1
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074334.914735-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-qup.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -968,8 +968,11 @@ static int spi_qup_init_dma(struct spi_c
 
 err:
 	dma_release_channel(host->dma_tx);
+	host->dma_tx = NULL;
 err_tx:
 	dma_release_channel(host->dma_rx);
+	host->dma_rx = NULL;
+
 	return ret;
 }
 
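Review bot: `host->dma_tx = NULL` is placed above the `err_tx:` label, so it only runs on the `err` path; a jump straight to `err_tx` leaves `host->dma_tx` as it was. The code that jumps to `err_tx` is outside the visible context, but if that path is taken because acquiring the tx channel failed, the field would still hold the error value this patch is meant to clear. Clearing both pointers after `err_tx:` (or resetting `dma_tx` at the failing request) would cover that case, and any exit from the function that does not pass through these labels needs the same check.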




* [PATCH 7.0 370/378] vsock/virtio: fix potential unbounded skb queue
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (367 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 369/378] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 371/378] vsock/virtio: fix skb overhead accounting to preserve full buf_alloc Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Arseniy Krasnov,
	Stefan Hajnoczi, Stefano Garzarella, Michael S. Tsirkin,
	Jason Wang, Xuan Zhuo, Eugenio Pérez, virtualization,
	Jakub Kicinski

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.

virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.

virtio_transport_recv_enqueue() skips coalescing for packets
with VIRTIO_VSOCK_SEQ_EOM.

If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
a very large number of packets can be queued
because vvs->rx_bytes stays at 0.

Fix this by estimating the skb metadata size:

	(Number of skbs in the queue) * SKB_TRUESIZE(0)

Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: "Eugenio Pérez" <eperezma@redhat.com>
Cc: virtualization@lists.linux.dev
Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/virtio_transport_common.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -425,7 +425,9 @@ static int virtio_transport_send_pkt_inf
 static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
 					u32 len)
 {
-	if (vvs->buf_used + len > vvs->buf_alloc)
+	u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
+
+	if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
 		return false;
 
 	vvs->rx_bytes += len;
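Review bot: the new `skb_overhead` term is charged against `vvs->buf_alloc`, the same limit the payload is checked against, so every queued skb shrinks the room left for data below the configured buffer size. The sender is not visible in this hunk, but nothing here reports the reduced space back to it, so a peer that stays within its credit can still be refused. Bounding the overhead with its own check, separate from `buf_used + len`, keeps the queue bounded without taking payload space; the follow-up 371/378 in this series changes the check that way.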




* [PATCH 6.1 454/522] arm64: tlb: Flush walk cache when unsharing PMD tables
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (452 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 453/522] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 455/522] phy: tegra: xusb: Disable trk clk when not in use Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Catalin Marinas,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zeng Heng <zengheng4@huawei.com>

[ Upstream commit c2ff4764e03e7a8d758352f4aceb8fe1be6ac971 ]

When huge_pmd_unshare() is called to unshare a PMD table, the
tlb_unshare_pmd_ptdesc() function sets tlb->unshared_tables=true
but the aarch64 tlb_flush() only checked tlb->freed_tables to
determine whether to use TLBF_NONE (vae1is, invalidates walk
cache) or TLBF_NOWALKCACHE (vale1is, leaf-only).

This caused the stale PMD page table entry to remain in the walk cache
after unshare, potentially leading to incorrect page table walks.

Fix by including unshared_tables in the check, so that when
unsharing tables, TLBF_NONE is used and the walk cache is properly
invalidated.

Here is the detailed distinction between vae1is and vale1is:

| Instruction Combination  | Actual Invalidation Scope                         |
| ------------------------ | --------------------------------------------------|
| `VAE1IS`  + TTL=`0`      | All entries at all levels (full invalidation)     |
| `VAE1IS`  + TTL=`2` (L2) | Non-leaf at Level 0/1 + leaf at Level 2           |
| `VALE1IS` + TTL=`0`      | Leaf entries at all levels (non-leaf not cleared) |
| `VALE1IS` + TTL=`2` (L2) | Leaf entry at Level 2 only                        |

Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Fixes: 8ce720d5bd91 ("mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather")
Cc: <stable@vger.kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/tlb.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/tlb.h
+++ b/arch/arm64/include/asm/tlb.h
@@ -53,7 +53,7 @@ static inline int tlb_get_level(struct m
 static inline void tlb_flush(struct mmu_gather *tlb)
 {
 	struct vm_area_struct vma = TLB_FLUSH_VMA(tlb->mm, 0);
-	bool last_level = !tlb->freed_tables;
+	bool last_level = !(tlb->freed_tables || tlb->unshared_tables);
 	unsigned long stride = tlb_get_unmap_size(tlb);
 	int tlb_level = tlb_get_level(tlb);
 
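Review bot: the changelog explains the fix in terms of TLBF_NONE and TLBF_NOWALKCACHE, but the function in this tree selects the flush type through `last_level`, and neither flag appears in the hunk. A short backport note mapping the flags to `last_level` would help readers of 6.1.y. The new test also depends on `tlb->unshared_tables` existing in this branch, which comes from the commit named in the Fixes: tag, so that prerequisite should be confirmed in the 6.1 queue.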




* [PATCH 7.0 371/378] vsock/virtio: fix skb overhead accounting to preserve full buf_alloc
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (368 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 370/378] vsock/virtio: fix potential unbounded skb queue Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 372/378] debugobjects: Do not fill_pool() if pi_blocked_on Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Paolo Abeni

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Garzarella <sgarzare@redhat.com>

commit c6087c5aaad6d1b8be1a1a641e0a422218ade911 upstream.

After commit 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb
queue"), virtio_transport_inc_rx_pkt() subtracts per-skb overhead from
buf_alloc when checking whether a new packet fits. This reduces the
effective receive buffer below what the user configured via
SO_VM_SOCKETS_BUFFER_SIZE, causing legitimate data packets to be
silently dropped and applications that rely on the full buffer size
to deadlock.

Also, the reduced space is not communicated to the remote peer, so
its credit calculation accounts more credit than the receiver will
actually accept, causing data loss (there is no retransmission).

With this approach we currently have failures in
tools/testing/vsock/vsock_test.c. Test 18 sometimes fails, while
test 22 always fails in this way:
    18 - SOCK_STREAM MSG_ZEROCOPY...hash mismatch

    22 - SOCK_STREAM virtio credit update + SO_RCVLOWAT...send failed:
    Resource temporarily unavailable

Fix by allowing at most `buf_alloc * 2` as the total budget for payload
plus skb overhead in virtio_transport_inc_rx_pkt(), similar to how
SO_RCVBUF is doubled to reserve space for sk_buff metadata.
This preserves the full buf_alloc for payload under normal operation,
while still bounding the skb queue growth.

With this patch, all tests in tools/testing/vsock/vsock_test.c are
now passing again.

Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue")
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260518090656.134588-3-sgarzare@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/virtio_transport_common.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -427,7 +427,14 @@ static bool virtio_transport_inc_rx_pkt(
 {
 	u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
 
-	if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
+	/* Allow at most buf_alloc * 2 total budget (payload + overhead),
+	 * similar to how SO_RCVBUF is doubled to reserve space for sk_buff
+	 * metadata. Check payload against buf_alloc to be sure the other
+	 * peer is respecting the credit, and sk_buff overhead to bound
+	 * queue growth.
+	 */
+	if ((u64)vvs->buf_used + len > vvs->buf_alloc ||
+	    skb_overhead > vvs->buf_alloc)
 		return false;
 
 	vvs->rx_bytes += len;
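Review bot: `skb_overhead` is computed with `skb_queue_len() + 1`, so it is at least one `SKB_TRUESIZE(0)` even when the queue is empty, and the new `skb_overhead > vvs->buf_alloc` test then rejects every packet, including the first, whenever `buf_alloc` is configured smaller than that. If buffer sizes that small are permitted, the overhead bound needs a floor, for example comparing against the larger of `buf_alloc` and one skb's overhead. The comment also says the total budget is `buf_alloc * 2`, which is the sum of the two separate limits rather than something the code computes; wording it as two independent bounds would match the condition.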




* [PATCH 6.1 455/522] phy: tegra: xusb: Disable trk clk when not in use
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (453 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 454/522] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 456/522] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wayne Chang, Jon Hunter, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wayne Chang <waynec@nvidia.com>

[ Upstream commit 71d9e899584e11bbd7eaf9934a619c69a15060d8 ]

Pad tracking is a one-time calibration for Tegra186 and Tegra194.
Clk should be disabled after calibration.

Disable clk after calibration.
While at it add 100us delay for HW recording the calibration value.

Signed-off-by: Wayne Chang <waynec@nvidia.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://lore.kernel.org/r/20230111110450.24617-5-jonathanh@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: da110228b54f ("phy: tegra: xusb: Fix per-pad high-speed termination calibration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/phy/tegra/xusb-tegra186.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -612,6 +612,10 @@ static void tegra186_utmi_bias_pad_power
 	value &= ~USB2_PD_TRK;
 	padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL1);
 
+	udelay(100);
+
+	clk_disable_unprepare(priv->usb2_trk_clk);
+
 	mutex_unlock(&padctl->lock);
 }
 
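Review bot: `udelay(100)` busy-waits while `padctl->lock` is held, and since that lock is a mutex this path is already allowed to sleep. `usleep_range(100, 200)` would give the hardware the same settling time without spinning. A one-line comment saying what the delay waits for (the changelog says the hardware recording the calibration value) would also keep the number from looking arbitrary.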
@@ -636,8 +640,6 @@ static void tegra186_utmi_bias_pad_power
 	value |= USB2_PD_TRK;
 	padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL1);
 
-	clk_disable_unprepare(priv->usb2_trk_clk);
-
 	mutex_unlock(&padctl->lock);
 }
 




* [PATCH 7.0 372/378] debugobjects: Do not fill_pool() if pi_blocked_on
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (369 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 371/378] vsock/virtio: fix skb overhead accounting to preserve full buf_alloc Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 373/378] debugobjects: Dont call fill_pool() in early boot hardirq context Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+b8ca586b9fc235f0c0df,
	Helen Koike, Thomas Gleixner

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Helen Koike <koike@igalia.com>

commit 5f41161059fd0f1bbf18c90f3180e38cc45a14eb upstream.

On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which
asserts if current::pi_blocked_on is set, because a task can obviously only
block on one lock as otherwise the priority inheritance chain gets
corrupted.

Prevent this by expanding the conditional to take current::pi_blocked_on
into account.

Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware")
Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com
Signed-off-by: Helen Koike <koike@igalia.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com
Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/debugobjects.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -711,6 +711,15 @@ static struct debug_obj *lookup_object_o
 	return NULL;
 }
 
+static inline bool debug_objects_is_pi_blocked_on(void)
+{
+#ifdef CONFIG_RT_MUTEXES
+	return current->pi_blocked_on != NULL;
+#else
+	return false;
+#endif
+}
+
 static void debug_objects_fill_pool(void)
 {
 	if (!static_branch_likely(&obj_cache_enabled))
@@ -727,11 +736,12 @@ static void debug_objects_fill_pool(void
 
 	/*
 	 * On RT enabled kernels the pool refill must happen in preemptible
-	 * context -- for !RT kernels we rely on the fact that spinlock_t and
-	 * raw_spinlock_t are basically the same type and this lock-type
-	 * inversion works just fine.
+	 * context and not enqueued on an rt_mutex -- for !RT kernels we rely
+	 * on the fact that spinlock_t and raw_spinlock_t are basically the
+	 * same type and this lock-type inversion works just fine.
 	 */
-	if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible() || system_state < SYSTEM_SCHEDULING) {
+	if (!IS_ENABLED(CONFIG_PREEMPT_RT) || system_state < SYSTEM_SCHEDULING ||
+	    (preemptible() && !debug_objects_is_pi_blocked_on())) {
 		/*
 		 * Annotate away the spinlock_t inside raw_spinlock_t warning
 		 * by temporarily raising the wait-type to LD_WAIT_CONFIG, matching
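Review bot: after the reordering, `system_state < SYSTEM_SCHEDULING` is still an unconditional pass on PREEMPT_RT, so the new `debug_objects_is_pi_blocked_on()` test and `preemptible()` are both skipped during early boot, whatever context the call comes from. The comment above the condition does not mention that exception. Either document why early boot is exempt or narrow it; 373/378 in this series narrows it by excluding hard interrupt context.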




* [PATCH 6.1 456/522] phy: tegra: xusb: Fix per-pad high-speed termination calibration
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (454 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 455/522] phy: tegra: xusb: Disable trk clk when not in use Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 457/522] iio: adc: fix the return value handle for platform_get_irq() Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wayne Chang, Wei-Cheng Chen,
	Jon Hunter, Vinod Koul, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wayne Chang <waynec@nvidia.com>

[ Upstream commit da110228b54f2e2143d97ea7151e0dc22e539d67 ]

The existing code reads a single hs_term_range_adj value from bit field
[10:7] of FUSE_SKU_CALIB_0 and applies it to all USB2 pads uniformly.
However, on SoCs that support per-pad termination, each pad has its own
hs_term_range_adj field: pad 0 in FUSE_SKU_CALIB_0[10:7], and pads 1-3
in FUSE_USB_CALIB_EXT_0 at bit offsets [8:5], [12:9], and [16:13]
respectively.

Fix the calibration by reading per-pad values from the appropriate fuse
registers. For SoCs that do not support per-pad termination, replicate
pad 0's value to all pads to maintain existing behavior.

Add a has_per_pad_term flag to the SoC data to indicate whether per-pad
termination values are available in FUSE_USB_CALIB_EXT_0.

Fixes: 1ef535c6ba8e ("phy: tegra: xusb: Add Tegra194 support")
Cc: stable@vger.kernel.org
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260504033305.2283145-1-weichengc@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/phy/tegra/xusb-tegra186.c |   32 +++++++++++++++++++++++++-------
 drivers/phy/tegra/xusb.h          |    1 +
 2 files changed, 26 insertions(+), 7 deletions(-)

--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -20,8 +20,8 @@
 /* FUSE USB_CALIB registers */
 #define HS_CURR_LEVEL_PADX_SHIFT(x)	((x) ? (11 + (x - 1) * 6) : 0)
 #define HS_CURR_LEVEL_PAD_MASK		0x3f
-#define HS_TERM_RANGE_ADJ_SHIFT		7
-#define HS_TERM_RANGE_ADJ_MASK		0xf
+#define HS_TERM_RANGE_ADJ_PADX_SHIFT(x)	((x) ? (5 + (x - 1) * 4) : 7)
+#define HS_TERM_RANGE_ADJ_PAD_MASK	0xf
 #define HS_SQUELCH_SHIFT		29
 #define HS_SQUELCH_MASK			0x7
 
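Review bot: in `HS_TERM_RANGE_ADJ_PADX_SHIFT(x)` the argument is unparenthesized in `(x - 1)`, so an expression argument would expand incorrectly; `((x) - 1)` is safer even though the neighbouring HS_CURR_LEVEL_PADX_SHIFT has the same form. The macro also mixes two registers: per the changelog the shift of 7 for pad 0 applies to FUSE_SKU_CALIB_0 while the `5 + ...` shifts apply to FUSE_USB_CALIB_EXT_0, and a comment saying so would prevent applying the pad 0 shift to the wrong fuse value.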
@@ -238,7 +238,7 @@
 struct tegra_xusb_fuse_calibration {
 	u32 *hs_curr_level;
 	u32 hs_squelch;
-	u32 hs_term_range_adj;
+	u32 *hs_term_range_adj;
 	u32 rpd_ctrl;
 };
 
@@ -868,7 +868,7 @@ static int tegra186_utmi_phy_power_on(st
 
 	value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index));
 	value &= ~TERM_RANGE_ADJ(~0);
-	value |= TERM_RANGE_ADJ(priv->calib.hs_term_range_adj);
+	value |= TERM_RANGE_ADJ(priv->calib.hs_term_range_adj[index]);
 	value &= ~RPD_CTRL(~0);
 	value |= RPD_CTRL(priv->calib.rpd_ctrl);
 	padctl_writel(padctl, value, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index));
@@ -1403,17 +1403,23 @@ static const char * const tegra186_usb3_
 static int
 tegra186_xusb_read_fuse_calibration(struct tegra186_xusb_padctl *padctl)
 {
+	const struct tegra_xusb_padctl_soc *soc = padctl->base.soc;
 	struct device *dev = padctl->base.dev;
 	unsigned int i, count;
 	u32 value, *level;
+	u32 *hs_term_range_adj;
 	int err;
 
-	count = padctl->base.soc->ports.usb2.count;
+	count = soc->ports.usb2.count;
 
 	level = devm_kcalloc(dev, count, sizeof(u32), GFP_KERNEL);
 	if (!level)
 		return -ENOMEM;
 
+	hs_term_range_adj = devm_kcalloc(dev, count, sizeof(u32), GFP_KERNEL);
+	if (!hs_term_range_adj)
+		return -ENOMEM;
+
 	err = tegra_fuse_readl(TEGRA_FUSE_SKU_CALIB_0, &value);
 	if (err)
 		return dev_err_probe(dev, err,
@@ -1429,8 +1435,8 @@ tegra186_xusb_read_fuse_calibration(stru
 
 	padctl->calib.hs_squelch = (value >> HS_SQUELCH_SHIFT) &
 					HS_SQUELCH_MASK;
-	padctl->calib.hs_term_range_adj = (value >> HS_TERM_RANGE_ADJ_SHIFT) &
-						HS_TERM_RANGE_ADJ_MASK;
+	hs_term_range_adj[0] = (value >> HS_TERM_RANGE_ADJ_PADX_SHIFT(0)) &
+				HS_TERM_RANGE_ADJ_PAD_MASK;
 
 	err = tegra_fuse_readl(TEGRA_FUSE_USB_CALIB_EXT_0, &value);
 	if (err) {
@@ -1442,6 +1448,17 @@ tegra186_xusb_read_fuse_calibration(stru
 
 	padctl->calib.rpd_ctrl = (value >> RPD_CTRL_SHIFT) & RPD_CTRL_MASK;
 
+	for (i = 1; i < count; i++) {
+		if (soc->has_per_pad_term)
+			hs_term_range_adj[i] =
+				(value >> HS_TERM_RANGE_ADJ_PADX_SHIFT(i)) &
+				HS_TERM_RANGE_ADJ_PAD_MASK;
+		else
+			hs_term_range_adj[i] = hs_term_range_adj[0];
+	}
+
+	padctl->calib.hs_term_range_adj = hs_term_range_adj;
+
 	return 0;
 }
 
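Review bot: the loop runs `i` up to `count`, but the changelog documents per-pad fields only for pads 1-3 (bits [8:5], [12:9] and [16:13]); with `has_per_pad_term` set and more than four USB2 ports, `HS_TERM_RANGE_ADJ_PADX_SHIFT(i)` would select bits the description does not cover. A bound check or a comment stating the supported pad count would make the assumption explicit.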
@@ -1645,6 +1662,7 @@ const struct tegra_xusb_padctl_soc tegra
 	.supply_names = tegra194_xusb_padctl_supply_names,
 	.num_supplies = ARRAY_SIZE(tegra194_xusb_padctl_supply_names),
 	.supports_gen2 = true,
+	.has_per_pad_term = true,
 };
 EXPORT_SYMBOL_GPL(tegra194_xusb_padctl_soc);
 #endif
--- a/drivers/phy/tegra/xusb.h
+++ b/drivers/phy/tegra/xusb.h
@@ -433,6 +433,7 @@ struct tegra_xusb_padctl_soc {
 	unsigned int num_supplies;
 	bool supports_gen2;
 	bool need_fake_usb3_port;
+	bool has_per_pad_term;
 };
 
 struct tegra_xusb_padctl {




* [PATCH 7.0 373/378] debugobjects: Dont call fill_pool() in early boot hardirq context
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (370 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 372/378] debugobjects: Do not fill_pool() if pi_blocked_on Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 374/378] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
	Thomas Gleixner, Waiman Long, Thomas Gleixner

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Waiman Long <longman@redhat.com>

commit 0d046ae106255cba5eb83b23f78ee93f3620247d upstream.

When booting a debug PREEMPT_RT kernel on an ARM64 system, an "inconsistent
{HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage" lockdep warning message was
reported to the console.

During early boot, interrupts are enabled before the scheduler is
enabled. In this window (before SYSTEM_SCHEDULING is set) interrupts can
fire and in the hard interrupt context handler attempt to fill the pool.

This can lead to a deadlock when the interrupt hits a region which holds
a lock that is required to be taken in the allocation path.

Add a new can_fill_pool() helper and reorder the exception rule and forbid
this scenario by excluding allocations from hard interrupt context.

Fixes: 06e0ae988f6e ("debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING")
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260605173038.495075-1-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/debugobjects.c |   46 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 9 deletions(-)

--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -720,6 +720,41 @@ static inline bool debug_objects_is_pi_b
 #endif
 }
 
+static inline bool can_fill_pool(void)
+{
+	/*
+	 * On !RT enabled kernels there are no restrictions and spinlock_t and
+	 * raw_spinlock_t are the same types.
+	 */
+	if (!IS_ENABLED(CONFIG_PREEMPT_RT))
+		return true;
+
+	/*
+	 * On RT enabled kernels, the task must not be blocked on a lock as
+	 * that could corrupt the PI state when blocking on a lock in the
+	 * allocation path.
+	 */
+	if (debug_objects_is_pi_blocked_on())
+		return false;
+
+	/*
+	 * On RT enabled kernels the pool refill should happen in preemptible
+	 * context.
+	 */
+	if (preemptible())
+		return true;
+
+	/*
+	 * Though during system boot before scheduling is set up, preemption is
+	 * disabled and the pool can get exhausted. Before scheduling is active
+	 * a task cannot be blocked on a sleeping lock, but it might hold a lock
+	 * and if interrupted then hard interrupt context might run into a lock
+	 * inversion. So exclude hard interrupt context from allocations before
+	 * scheduling is active.
+	 */
+	return system_state < SYSTEM_SCHEDULING && !in_hardirq();
+}
+
 static void debug_objects_fill_pool(void)
 {
 	if (!static_branch_likely(&obj_cache_enabled))
@@ -734,18 +769,11 @@ static void debug_objects_fill_pool(void
 	if (likely(!pool_should_refill(&pool_global)))
 		return;
 
-	/*
-	 * On RT enabled kernels the pool refill must happen in preemptible
-	 * context and not enqueued on an rt_mutex -- for !RT kernels we rely
-	 * on the fact that spinlock_t and raw_spinlock_t are basically the
-	 * same type and this lock-type inversion works just fine.
-	 */
-	if (!IS_ENABLED(CONFIG_PREEMPT_RT) || system_state < SYSTEM_SCHEDULING ||
-	    (preemptible() && !debug_objects_is_pi_blocked_on())) {
+	if (can_fill_pool()) {
 		/*
 		 * Annotate away the spinlock_t inside raw_spinlock_t warning
 		 * by temporarily raising the wait-type to LD_WAIT_CONFIG, matching
-		 * the preemptible() condition above.
+		 * the preemptible() condition in can_fill_pool().
 		 */
 		static DEFINE_WAIT_OVERRIDE_MAP(fill_pool_map, LD_WAIT_CONFIG);
 		lock_map_acquire_try(&fill_pool_map);
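
Review bot: the updated comment says the LD_WAIT_CONFIG override matches "the preemptible() condition in can_fill_pool()", but can_fill_pool() also returns true with preemption disabled: always on !RT, and on RT before SYSTEM_SCHEDULING outside hard interrupt context. The annotation is therefore taken on paths that are not preemptible. Reword the comment to say it matches the conditions checked in can_fill_pool(), not preemptible() alone.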




* [PATCH 6.1 457/522] iio: adc: fix the return value handle for platform_get_irq()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (455 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 456/522] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 458/522] iio: adc: npcm: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ruan Jinjie, Jonathan Cameron,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruan Jinjie <ruanjinjie@huawei.com>

[ Upstream commit c09ddcdd4dd32ee9768dc233ead4b3d726f26d38 ]

It is not possible for platform_get_irq() to return 0,
and the return value of platform_get_irq() is more sensible
to show the error reason.

Signed-off-by: Ruan Jinjie <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/20230727131607.2897937-1-ruanjinjie@huawei.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 0d42e2c0bd6c ("iio: adc: npcm: fix unbalanced clk_disable_unprepare()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/bcm_iproc_adc.c |    4 ++--
 drivers/iio/adc/lpc32xx_adc.c   |    4 ++--
 drivers/iio/adc/npcm_adc.c      |    4 ++--
 drivers/iio/adc/spear_adc.c     |    4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/iio/adc/bcm_iproc_adc.c
+++ b/drivers/iio/adc/bcm_iproc_adc.c
@@ -540,8 +540,8 @@ static int iproc_adc_probe(struct platfo
 	}
 
 	adc_priv->irqno = platform_get_irq(pdev, 0);
-	if (adc_priv->irqno <= 0)
-		return -ENODEV;
+	if (adc_priv->irqno < 0)
+		return adc_priv->irqno;
 
 	ret = regmap_update_bits(adc_priv->regmap, IPROC_REGCTL2,
 				IPROC_ADC_AUXIN_SCAN_ENA, 0);
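
Review bot: with the test narrowed from `<= 0` to `< 0`, the check at `adc_priv->irqno < 0` only works if `irqno` is a signed type, and its declaration is not part of this hunk. Please confirm the field is an int. If it is unsigned, the error branch can never be taken and a negative errno would be carried forward as an interrupt number.
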
--- a/drivers/iio/adc/lpc32xx_adc.c
+++ b/drivers/iio/adc/lpc32xx_adc.c
@@ -173,8 +173,8 @@ static int lpc32xx_adc_probe(struct plat
 	}
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq <= 0)
-		return -ENXIO;
+	if (irq < 0)
+		return irq;
 
 	retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0,
 				  LPC32XXAD_NAME, st);
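
Review bot: returning `irq` in place of the fixed -ENXIO changes the errno that probe reports, and the commit message covers this only as "more sensible to show the error reason". It should say explicitly that codes such as -EPROBE_DEFER from platform_get_irq() now reach the driver core, because that is a functional change and not a cosmetic one.
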
--- a/drivers/iio/adc/npcm_adc.c
+++ b/drivers/iio/adc/npcm_adc.c
@@ -244,8 +244,8 @@ static int npcm_adc_probe(struct platfor
 	info->adc_sample_hz = clk_get_rate(info->adc_clk) / ((div + 1) * 2);
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq <= 0) {
-		ret = -EINVAL;
+	if (irq < 0) {
+		ret = irq;
 		goto err_disable_clk;
 	}
 
--- a/drivers/iio/adc/spear_adc.c
+++ b/drivers/iio/adc/spear_adc.c
@@ -311,8 +311,8 @@ static int spear_adc_probe(struct platfo
 	}
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq <= 0) {
-		ret = -EINVAL;
+	if (irq < 0) {
+		ret = irq;
 		goto errout2;
 	}
 




* [PATCH 7.0 374/378] arm64: cputype: Add C1-Ultra definitions
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (371 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 373/378] debugobjects: Dont call fill_pool() in early boot hardirq context Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 375/378] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Will Deacon

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream.

Add cputype definitions for C1-Ultra. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Ultra TRM:

  https://developer.arm.com/documentation/108014/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.0.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -97,6 +97,7 @@
 #define ARM_CPU_PART_CORTEX_X925	0xD85
 #define ARM_CPU_PART_CORTEX_A725	0xD87
 #define ARM_CPU_PART_CORTEX_A720AE	0xD89
+#define ARM_CPU_PART_C1_ULTRA		0xD8C
 #define ARM_CPU_PART_NEOVERSE_N3	0xD8E
 
 #define APM_CPU_PART_XGENE		0x000
@@ -188,6 +189,7 @@
 #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
 #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
 #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE)
+#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
 #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
 #define MIDR_THUNDERX	MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
 #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)




* [PATCH 6.1 458/522] iio: adc: npcm: Convert to platform remove callback returning void
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (456 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 457/522] iio: adc: fix the return value handle for platform_get_irq() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 459/522] iio: adc: npcm: fix unbalanced clk_disable_unprepare() Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
	Jonathan Cameron, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 5253a5cc7709688b9a000f7928bfaa3366d0af98 ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new() which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230919174931.1417681-18-u.kleine-koenig@pengutronix.de
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 0d42e2c0bd6c ("iio: adc: npcm: fix unbalanced clk_disable_unprepare()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/npcm_adc.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/iio/adc/npcm_adc.c
+++ b/drivers/iio/adc/npcm_adc.c
@@ -320,7 +320,7 @@ err_disable_clk:
 	return ret;
 }
 
-static int npcm_adc_remove(struct platform_device *pdev)
+static void npcm_adc_remove(struct platform_device *pdev)
 {
 	struct iio_dev *indio_dev = platform_get_drvdata(pdev);
 	struct npcm_adc *info = iio_priv(indio_dev);
@@ -333,13 +333,11 @@ static int npcm_adc_remove(struct platfo
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
 	clk_disable_unprepare(info->adc_clk);
-
-	return 0;
 }
 
 static struct platform_driver npcm_adc_driver = {
 	.probe		= npcm_adc_probe,
-	.remove		= npcm_adc_remove,
+	.remove_new	= npcm_adc_remove,
 	.driver		= {
 		.name	= "npcm_adc",
 		.of_match_table = npcm_adc_match,




* [PATCH 7.0 375/378] arm64: cputype: Add C1-Premium definitions
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (372 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 374/378] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 376/378] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Will Deacon

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream.

Add cputype definitions for C1-Premium. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Premium TRM:

  https://developer.arm.com/documentation/109416/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.0.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -99,6 +99,7 @@
 #define ARM_CPU_PART_CORTEX_A720AE	0xD89
 #define ARM_CPU_PART_C1_ULTRA		0xD8C
 #define ARM_CPU_PART_NEOVERSE_N3	0xD8E
+#define ARM_CPU_PART_C1_PREMIUM		0xD90
 
 #define APM_CPU_PART_XGENE		0x000
 #define APM_CPU_VAR_POTENZA		0x00
@@ -191,6 +192,7 @@
 #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE)
 #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
 #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
+#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM)
 #define MIDR_THUNDERX	MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
 #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
 #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)




* [PATCH 6.1 459/522] iio: adc: npcm: fix unbalanced clk_disable_unprepare()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (457 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 458/522] iio: adc: npcm: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 460/522] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
	Stable, Jonathan Cameron, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

[ Upstream commit 0d42e2c0bd6ceb89e44c6e065f9bdf9b1df3ef0c ]

The driver acquired the ADC clock with devm_clk_get() and read its
rate, but never called clk_prepare_enable(). The probe error path and
npcm_adc_remove() both called clk_disable_unprepare() unconditionally,
causing the clk framework's enable/prepare counts to underflow on
probe failure or module unbind.

The issue went unnoticed because NPCM BMC firmware leaves the ADC
clock enabled at boot, so the driver happened to work in practice.

Switch to devm_clk_get_enabled() so the clock is properly enabled
during probe and automatically released by the device-managed
cleanup, and drop the now-redundant clk_disable_unprepare() from
both the probe error path and remove().

While at it, drop the duplicate error message on devm_request_irq()
failure since the IRQ core already logs it.

Fixes: 9bf85fbc9d8f ("iio: adc: add NPCM ADC driver")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/npcm_adc.c |   25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

--- a/drivers/iio/adc/npcm_adc.c
+++ b/drivers/iio/adc/npcm_adc.c
@@ -231,7 +231,7 @@ static int npcm_adc_probe(struct platfor
 	if (IS_ERR(info->reset))
 		return PTR_ERR(info->reset);
 
-	info->adc_clk = devm_clk_get(&pdev->dev, NULL);
+	info->adc_clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(info->adc_clk)) {
 		dev_warn(&pdev->dev, "ADC clock failed: can't read clk\n");
 		return PTR_ERR(info->adc_clk);
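
Review bot: the dev_warn() text under the new devm_clk_get_enabled() call still reads "ADC clock failed: can't read clk", but this call can now also fail while preparing or enabling the clock. Suggest a message that covers both cases, or dev_err_probe() so that a deferred probe is not logged as a warning.
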
@@ -244,17 +244,13 @@ static int npcm_adc_probe(struct platfor
 	info->adc_sample_hz = clk_get_rate(info->adc_clk) / ((div + 1) * 2);
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq < 0) {
-		ret = irq;
-		goto err_disable_clk;
-	}
+	if (irq < 0)
+		return irq;
 
 	ret = devm_request_irq(&pdev->dev, irq, npcm_adc_isr, 0,
 			       "NPCM_ADC", indio_dev);
-	if (ret < 0) {
-		dev_err(dev, "failed requesting interrupt\n");
-		goto err_disable_clk;
-	}
+	if (ret < 0)
+		return ret;
 
 	reg_con = ioread32(info->regs + NPCM_ADCCON);
 	info->vref = devm_regulator_get_optional(&pdev->dev, "vref");
@@ -262,7 +258,7 @@ static int npcm_adc_probe(struct platfor
 		ret = regulator_enable(info->vref);
 		if (ret) {
 			dev_err(&pdev->dev, "Can't enable ADC reference voltage\n");
-			goto err_disable_clk;
+			return ret;
 		}
 
 		iowrite32(reg_con & ~NPCM_ADCCON_REFSEL,
@@ -272,10 +268,8 @@ static int npcm_adc_probe(struct platfor
 		 * Any error which is not ENODEV indicates the regulator
 		 * has been specified and so is a failure case.
 		 */
-		if (PTR_ERR(info->vref) != -ENODEV) {
-			ret = PTR_ERR(info->vref);
-			goto err_disable_clk;
-		}
+		if (PTR_ERR(info->vref) != -ENODEV)
+			return PTR_ERR(info->vref);
 
 		/* Use internal reference */
 		iowrite32(reg_con | NPCM_ADCCON_REFSEL,
@@ -314,8 +308,6 @@ err_iio_register:
 	iowrite32(reg_con & ~NPCM_ADCCON_ADC_EN, info->regs + NPCM_ADCCON);
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
-err_disable_clk:
-	clk_disable_unprepare(info->adc_clk);
 
 	return ret;
 }
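
Review bot: the `err_iio_register` path still unwinds the vref regulator by hand with regulator_disable() while the clock is now device-managed, so probe mixes two cleanup styles and keeps a label only for the regulator. Not a blocker for a stable fix, but a follow-up could register the regulator disable with devm_add_action_or_reset() and drop the label. Until then, any new early return added after regulator_enable() has to remember the manual unwind.
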
@@ -332,7 +324,6 @@ static void npcm_adc_remove(struct platf
 	iowrite32(regtemp & ~NPCM_ADCCON_ADC_EN, info->regs + NPCM_ADCCON);
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
-	clk_disable_unprepare(info->adc_clk);
 }
 
 static struct platform_driver npcm_adc_driver = {




* [PATCH 7.0 376/378] arm64: errata: Mitigate TLBI errata on various Arm CPUs
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (373 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 375/378] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 377/378] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Will Deacon

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit cfd391e74134db664feb499d43af286380b10ba8 upstream.

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

This issue has been assigned CVE ID CVE-2025-10263.

To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.

Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.0.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arch/arm64/silicon-errata.rst |   44 ++++++++++++++++++++++++++++
 arch/arm64/Kconfig                          |   36 ++++++++++++++++++++++
 arch/arm64/kernel/cpu_errata.c              |   32 +++++++++++++++++++-
 3 files changed, 110 insertions(+), 2 deletions(-)

--- a/Documentation/arch/arm64/silicon-errata.rst
+++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -128,16 +128,28 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A76      | #3324349        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A76      | #4193800        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A76AE    | #4193801        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A77      | #1491015        | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A77      | #1508412        | ARM64_ERRATUM_1508412       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A77      | #3324348        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A77      | #4193798        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A78      | #3324344        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A78      | #4193791        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A78AE    | #4193793        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A78C     | #3324346,3324347| ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A78C     | #4193794        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A710     | #2119858        | ARM64_ERRATUM_2119858       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A710     | #2054223        | ARM64_ERRATUM_2054223       |
@@ -146,6 +158,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A710     | #3324338        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A710     | #4193788        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A715     | #2645198        | ARM64_ERRATUM_2645198       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A715     | #3456084        | ARM64_ERRATUM_3194386       |
@@ -158,20 +172,32 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X1       | #3324344        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X1       | #4193791        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X1C      | #3324346        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X1C      | #4193792        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X2       | #2119858        | ARM64_ERRATUM_2119858       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X2       | #2224489        | ARM64_ERRATUM_2224489       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X2       | #3324338        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X2       | #4193788        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X3       | #3324335        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X3       | #4193786        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X4       | #3194386        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X4       | #4118414        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X925     | #3324334        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X925     | #4193781        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N1     | #1188873,1418040| ARM64_ERRATUM_1418040       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N1     | #1349291        | N/A                         |
@@ -182,6 +208,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N1     | #3324349        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-N1     | #4193800        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N2     | #2139208        | ARM64_ERRATUM_2139208       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N2     | #2067961        | ARM64_ERRATUM_2067961       |
@@ -190,18 +218,34 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N2     | #3324339        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-N2     | #4193789        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N3     | #3456111        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V1     | #1619801        | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V1     | #3324341        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V1     | #4193790        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V2     | #3324336        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V2     | #4193787        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V3     | #3312417        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V3     | #4193784        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V3AE   | #3312417        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V3AE   | #4193784        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | C1-Premium      | #4193780        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | C1-Pro          | #4193714        | ARM64_ERRATUM_4193714       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | C1-Ultra        | #4193780        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | MMU-500         | #841119,826419  | ARM_SMMU_MMU_500_CPRE_ERRATA|
 |                |                 | #562869,1047329 |                             |
 +----------------+-----------------+-----------------+-----------------------------+
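
Review bot: the added C1-Pro row points at ARM64_ERRATUM_4193714, while the Kconfig hunk in this patch only introduces ARM64_ERRATUM_4118414, and neither the Kconfig help list nor the MIDR list in cpu_errata.c mentions C1-Pro. Please confirm that symbol already exists in the 7.0.y tree. If it does not, this row documents a workaround the backport does not provide and should be dropped from this patch.
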
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1176,6 +1176,42 @@ config ARM64_ERRATUM_4311569
 
 	  If unsure, say Y.
 
+config ARM64_ERRATUM_4118414
+	bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+	default y
+	select ARM64_WORKAROUND_REPEAT_TLBI
+	help
+	  This option adds a workaround for the following errata:
+
+	  * ARM C1-Premium erratum 4193780
+	  * ARM C1-Ultra erratum 4193780
+	  * ARM Cortex-A76 erratum 4193800
+	  * ARM Cortex-A76AE erratum 4193801
+	  * ARM Cortex-A77 erratum 4193798
+	  * ARM Cortex-A78 erratum 4193791
+	  * ARM Cortex-A78AE erratum 4193793
+	  * ARM Cortex-A78C erratum 4193794
+	  * ARM Cortex-A710 erratum 4193788
+	  * ARM Cortex-X1 erratum 4193791
+	  * ARM Cortex-X1C erratum 4193792
+	  * ARM Cortex-X2 erratum 4193788
+	  * ARM Cortex-X3 erratum 4193786
+	  * ARM Cortex-X4 erratum 4118414
+	  * ARM Cortex-X925 erratum 4193781
+	  * ARM Neoverse-N1 erratum 4193800
+	  * ARM Neoverse-N2 erratum 4193789
+	  * ARM Neoverse-V1 erratum 4193790
+	  * ARM Neoverse-V2 erratum 4193787
+	  * ARM Neoverse-V3 erratum 4193784
+	  * ARM Neoverse-V3AE erratum 4193784
+
+	  On affected cores, some memory accesses might not be completed by
+	  broadcast TLB invalidation.
+
+	  This issue is also known as CVE-2025-10263.
+
+	  If unsure, say Y.
+
 config CAVIUM_ERRATUM_22375
 	bool "Cavium erratum 22375, 24313"
 	default y
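
Review bot: the help text for ARM64_ERRATUM_4118414 says what goes wrong ("some memory accesses might not be completed by broadcast TLB invalidation") but not what enabling the option does. The commit message states the mitigation plainly: each affected TLBI;DSB sequence is followed by an additional TLBI;DSB. One sentence to that effect in the help text would let someone configuring a kernel judge the cost without reading cpu_errata.c.
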
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -339,7 +339,35 @@ static const struct arm64_cpu_capabiliti
 		ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1),
 	},
 #endif
-	{},
+#ifdef CONFIG_ARM64_ERRATUM_4118414
+	{
+		ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) {
+			MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM),
+			MIDR_ALL_VERSIONS(MIDR_C1_ULTRA),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+			{}
+		})),
+	},
+#endif
+	{}
 };
 #endif
 
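
Review bot: every entry in the new list uses MIDR_ALL_VERSIONS(), so the workaround is applied to all revisions of each part, including any later revision in which the erratum might be fixed. If the errata notices give a fixed-in revision for any of these cores, bound that entry with a revision range, as the `ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1)` entry just above does. Otherwise a short comment saying that no fixed revision exists would document the choice.
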
@@ -675,7 +703,7 @@ const struct arm64_cpu_capabilities arm6
 #endif
 #ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI
 	{
-		.desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009",
+		.desc = "Broken broadcast TLBI completion",
 		.capability = ARM64_WORKAROUND_REPEAT_TLBI,
 		.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
 		.matches = cpucap_multi_entry_cap_matches,
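
Review bot: the new `.desc` string "Broken broadcast TLBI completion" drops the erratum numbers the old string carried, so the capability description logged at detection no longer tells an operator which erratum family matched, and anything that matches on the old text will stop matching. The generic wording is reasonable now that the list is long, but the commit message should mention the change to the logged string, since it is visible outside the kernel.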




* [PATCH 6.1 460/522] iio: gyro: adis16260: fix division by zero in write_raw
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (458 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 459/522] iio: adc: npcm: fix unbalanced clk_disable_unprepare() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 461/522] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Nuno Sá,
	Stable, Jonathan Cameron, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoniu Miclaus <antoniu.miclaus@analog.com>

[ Upstream commit 761e8b489e6cf166c574034b70637f8a7eadd0ee ]

Add a validation check for the sampling frequency value before using it
as a divisor. A user writing zero to the sampling_frequency sysfs
attribute triggers a division by zero in the kernel.

Fixes: 089a41985c6c ("staging: iio: adis16260 digital gyro driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/adis16260.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/iio/gyro/adis16260.c
+++ b/drivers/iio/gyro/adis16260.c
@@ -288,6 +288,9 @@ static int adis16260_write_raw(struct ii
 		addr = adis16260_addresses[chan->scan_index][1];
 		return adis_write_reg_16(adis, addr, val);
 	case IIO_CHAN_INFO_SAMP_FREQ:
+		if (val <= 0)
+			return -EINVAL;
+
 		adis_dev_lock(adis);
 		if (spi_get_device_id(adis->spi)->driver_data)
 			t = 256 / val;
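Review bot: The added `if (val <= 0)` check covers the zero and negative cases, but any `val` above 256 still makes `t = 256 / val;` evaluate to 0, and how the rest of the case handles `t == 0` is outside the visible context. Please confirm the following lines clamp or reject that result, or add an upper bound alongside the new check. The commit message only mentions zero, so it is also worth stating there that negative values are now rejected.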




* [PATCH 7.0 377/378] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (374 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 376/378] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 7.0 378/378] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shanker Donthineni, Catalin Marinas,
	Will Deacon, Mark Rutland

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shanker Donthineni <sdonthineni@nvidia.com>

commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream.

NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
sequence and ensure affected memory write effects are globally observed.

Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
mitigation is enabled on affected Olympus systems. Also document the
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
the Kconfig help text.

Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.0.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arch/arm64/silicon-errata.rst |    2 ++
 arch/arm64/Kconfig                          |    3 ++-
 arch/arm64/kernel/cpu_errata.c              |    1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

--- a/Documentation/arch/arm64/silicon-errata.rst
+++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -289,6 +289,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | NVIDIA         | Carmel Core     | N/A             | NVIDIA_CARMEL_CNP_ERRATUM   |
 +----------------+-----------------+-----------------+-----------------------------+
+| NVIDIA         | Olympus core    | T410-OLY-1029   | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | NVIDIA         | T241 GICv3/4.x  | T241-FABRIC-4   | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 +----------------+-----------------+-----------------+-----------------------------+
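Review bot: The added row spells the component "Olympus core" while the neighbouring NVIDIA row uses "Carmel Core"; pick one capitalisation so the table stays consistent and greppable.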
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1177,7 +1177,7 @@ config ARM64_ERRATUM_4311569
 	  If unsure, say Y.
 
 config ARM64_ERRATUM_4118414
-	bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+	bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
 	default y
 	select ARM64_WORKAROUND_REPEAT_TLBI
 	help
@@ -1204,6 +1204,7 @@ config ARM64_ERRATUM_4118414
 	  * ARM Neoverse-V2 erratum 4193787
 	  * ARM Neoverse-V3 erratum 4193784
 	  * ARM Neoverse-V3AE erratum 4193784
+	  * NVIDIA Olympus erratum T410-OLY-1029
 
 	  On affected cores, some memory accesses might not be completed by
 	  broadcast TLB invalidation.
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -363,6 +363,7 @@ static const struct arm64_cpu_capabiliti
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+			MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
 			{}
 		})),
 	},
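Review bot: `MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS)` depends on a macro this patch does not define; the diffstat lists only silicon-errata.rst, Kconfig and cpu_errata.c. For the v7.0.y backport, confirm MIDR_NVIDIA_OLYMPUS is already present in the tree, otherwise the build breaks with CONFIG_ARM64_ERRATUM_4118414 enabled.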




* [PATCH 6.1 461/522] iio: chemical: scd30: Use guard(mutex) to allow early returns
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (459 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 460/522] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 462/522] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Lechner, Tomasz Duszynski,
	Jonathan Cameron, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

[ Upstream commit 5feb5532870fbced5d6f450b8061a33f461b88ca ]

Auto cleanup based release of the lock allows for simpler code flow in a
few functions with large multiplexing style switch statements and no
common operations following the switch.

Suggested-by: David Lechner <dlechner@baylibre.com>
Cc: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250209180624.701140-3-jic23@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 5aba4f94b225 ("iio: chemical: scd30: fix division by zero in write_raw")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/chemical/scd30_core.c |   63 ++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 35 deletions(-)

--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -5,6 +5,7 @@
  * Copyright (c) 2020 Tomasz Duszynski <tomasz.duszynski@octakon.com>
  */
 #include <linux/bits.h>
+#include <linux/cleanup.h>
 #include <linux/completion.h>
 #include <linux/delay.h>
 #include <linux/device.h>
@@ -198,112 +199,104 @@ static int scd30_read_raw(struct iio_dev
 			  int *val, int *val2, long mask)
 {
 	struct scd30_state *state = iio_priv(indio_dev);
-	int ret = -EINVAL;
+	int ret;
 	u16 tmp;
 
-	mutex_lock(&state->lock);
+	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
 	case IIO_CHAN_INFO_PROCESSED:
 		if (chan->output) {
 			*val = state->pressure_comp;
-			ret = IIO_VAL_INT;
-			break;
+			return IIO_VAL_INT;
 		}
 
 		ret = iio_device_claim_direct_mode(indio_dev);
 		if (ret)
-			break;
+			return ret;
 
 		ret = scd30_read(state);
 		if (ret) {
 			iio_device_release_direct_mode(indio_dev);
-			break;
+			return ret;
 		}
 
 		*val = state->meas[chan->address];
 		iio_device_release_direct_mode(indio_dev);
-		ret = IIO_VAL_INT;
-		break;
+		return IIO_VAL_INT;
 	case IIO_CHAN_INFO_SCALE:
 		*val = 0;
 		*val2 = 1;
-		ret = IIO_VAL_INT_PLUS_MICRO;
-		break;
+		return IIO_VAL_INT_PLUS_MICRO;
 	case IIO_CHAN_INFO_SAMP_FREQ:
 		ret = scd30_command_read(state, CMD_MEAS_INTERVAL, &tmp);
 		if (ret)
-			break;
+			return ret;
 
 		*val = 0;
 		*val2 = 1000000000 / tmp;
-		ret = IIO_VAL_INT_PLUS_NANO;
-		break;
+		return IIO_VAL_INT_PLUS_NANO;
 	case IIO_CHAN_INFO_CALIBBIAS:
 		ret = scd30_command_read(state, CMD_TEMP_OFFSET, &tmp);
 		if (ret)
-			break;
+			return ret;
 
 		*val = tmp;
-		ret = IIO_VAL_INT;
-		break;
+		return IIO_VAL_INT;
+	default:
+		return -EINVAL;
 	}
-	mutex_unlock(&state->lock);
-
-	return ret;
 }
 
 static int scd30_write_raw(struct iio_dev *indio_dev, struct iio_chan_spec const *chan,
 			   int val, int val2, long mask)
 {
 	struct scd30_state *state = iio_priv(indio_dev);
-	int ret = -EINVAL;
+	int ret;
 
-	mutex_lock(&state->lock);
+	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_SAMP_FREQ:
 		if (val)
-			break;
+			return -EINVAL;
 
 		val = 1000000000 / val2;
 		if (val < SCD30_MEAS_INTERVAL_MIN_S || val > SCD30_MEAS_INTERVAL_MAX_S)
-			break;
+			return -EINVAL;
 
 		ret = scd30_command_write(state, CMD_MEAS_INTERVAL, val);
 		if (ret)
-			break;
+			return ret;
 
 		state->meas_interval = val;
-		break;
+		return 0;
 	case IIO_CHAN_INFO_RAW:
 		switch (chan->type) {
 		case IIO_PRESSURE:
 			if (val < SCD30_PRESSURE_COMP_MIN_MBAR ||
 			    val > SCD30_PRESSURE_COMP_MAX_MBAR)
-				break;
+				return -EINVAL;
 
 			ret = scd30_command_write(state, CMD_START_MEAS, val);
 			if (ret)
-				break;
+				return ret;
 
 			state->pressure_comp = val;
-			break;
+			return 0;
 		default:
-			break;
+			return -EINVAL;
 		}
-		break;
 	case IIO_CHAN_INFO_CALIBBIAS:
 		if (val < 0 || val > SCD30_TEMP_OFFSET_MAX)
-			break;
+			return -EINVAL;
 		/*
 		 * Manufacturer does not explicitly specify min/max sensible
 		 * values hence check is omitted for simplicity.
 		 */
-		ret = scd30_command_write(state, CMD_TEMP_OFFSET / 10, val);
+		return scd30_command_write(state, CMD_TEMP_OFFSET / 10, val);
+	default:
+		return -EINVAL;
 	}
-	mutex_unlock(&state->lock);
-
-	return ret;
 }
 
 static int scd30_write_raw_get_fmt(struct iio_dev *indio_dev, struct iio_chan_spec const *chan,
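Review bot: Both sampling-frequency paths in this hunk still divide by an unchecked value: `*val2 = 1000000000 / tmp;` in scd30_read_raw() uses a value read back from the device, and `val = 1000000000 / val2;` in scd30_write_raw() uses a user-supplied one. The write side is addressed by the patch this one is a Stable-dep-of, so the two must land together; the read side has no zero check in the visible lines and deserves one (return an error if `tmp` is 0). Separately, `scd30_command_write(state, CMD_TEMP_OFFSET / 10, val)` divides the command rather than the value, and the comment above it says the range check is omitted although `val > SCD30_TEMP_OFFSET_MAX` is tested two lines earlier; both are carried over unchanged here but look worth a follow-up.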




* [PATCH 7.0 378/378] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (375 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 377/378] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:37 ` [PATCH 7.0 000/378] 7.0.13-rc1 review Ronald Warsow
  2026-06-16 16:55 ` Brett A C Sheffield
  378 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Will Deacon, Mark Rutland

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@kernel.org>

commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream.

Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
therefore suffers from all the same errata.".

So enable the workaround for the latest broadcast TLB invalidation bug
on these parts.

Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v7.0.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arch/arm64/silicon-errata.rst |    2 ++
 arch/arm64/Kconfig                          |    1 +
 arch/arm64/kernel/cpu_errata.c              |    1 +
 3 files changed, 4 insertions(+)

--- a/Documentation/arch/arm64/silicon-errata.rst
+++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -352,3 +352,5 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | Microsoft      | Azure Cobalt 100| #3324339        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| Microsoft      | Azure Cobalt 100| #4193789        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1204,6 +1204,7 @@ config ARM64_ERRATUM_4118414
 	  * ARM Neoverse-V2 erratum 4193787
 	  * ARM Neoverse-V3 erratum 4193784
 	  * ARM Neoverse-V3AE erratum 4193784
+	  * Microsoft Azure Cobalt 100 4193789
 	  * NVIDIA Olympus erratum T410-OLY-1029
 
 	  On affected cores, some memory accesses might not be completed by
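Review bot: The added help-text line "Microsoft Azure Cobalt 100 4193789" omits the word "erratum" that every neighbouring entry carries ("ARM Neoverse-V3AE erratum 4193784", "NVIDIA Olympus erratum T410-OLY-1029"). Suggest "Microsoft Azure Cobalt 100 erratum 4193789" so the list reads uniformly.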
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -364,6 +364,7 @@ static const struct arm64_cpu_capabiliti
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
 			MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
+			MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
 			{}
 		})),
 	},




* [PATCH 6.1 462/522] iio: chemical: scd30: fix division by zero in write_raw
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (460 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 461/522] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 463/522] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
	Jonathan Cameron, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoniu Miclaus <antoniu.miclaus@analog.com>

[ Upstream commit 5aba4f94b225617a55fed442a70329b2ee19c0a5 ]

Add a zero check for val2 before using it as a divisor when setting the
sampling frequency. A user writing a zero fractional part to the
sampling_frequency sysfs attribute triggers a division by zero in the
kernel.

Fixes: 64b3d8b1b0f5 ("iio: chemical: scd30: add core driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/chemical/scd30_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -257,7 +257,7 @@ static int scd30_write_raw(struct iio_de
 	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_SAMP_FREQ:
-		if (val)
+		if (val || !val2)
 			return -EINVAL;
 
 		val = 1000000000 / val2;
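Review bot: `if (val || !val2)` rejects only a zero `val2`; a negative `val2` still reaches `val = 1000000000 / val2;` and yields a negative interval. The range check that follows is outside this hunk's context, so please confirm it rejects the negative quotient, or tighten the test to `val2 <= 0` so the intent is explicit at the point of the division.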




* [PATCH 6.1 463/522] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (461 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 462/522] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 464/522] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@cixtech.com>

[ Upstream commit e6970cda63fd4b4546aeed9d0e2f53a7c95cd09c ]

Move usb2_phy initialization after usb3_phy acquisition.

Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-2-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-plat.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -120,14 +120,14 @@ static int cdns3_plat_probe(struct platf
 	if (IS_ERR(cdns->usb2_phy))
 		return PTR_ERR(cdns->usb2_phy);
 
-	ret = phy_init(cdns->usb2_phy);
-	if (ret)
-		return ret;
-
 	cdns->usb3_phy = devm_phy_optional_get(dev, "cdns3,usb3-phy");
 	if (IS_ERR(cdns->usb3_phy))
 		return PTR_ERR(cdns->usb3_phy);
 
+	ret = phy_init(cdns->usb2_phy);
+	if (ret)
+		return ret;
+
 	ret = phy_init(cdns->usb3_phy);
 	if (ret)
 		goto err_phy3_init;
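Review bot: The commit message says only "Move usb2_phy initialization after usb3_phy acquisition" and does not state what leaked. From the hunk, the old order let `return PTR_ERR(cdns->usb3_phy);` exit after `phy_init(cdns->usb2_phy)` had succeeded, with no matching teardown; that reasoning belongs in the changelog. After the move, the bare `return ret;` on usb2 `phy_init()` failure is correct because nothing has been initialised yet, but a one-line comment would stop a later reorder from reintroducing the leak.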




* [PATCH 6.1 464/522] iio: dac: ad5686: fix ref bit initialization for single-channel parts
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (462 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 463/522] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 465/522] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
	Stable, Jonathan Cameron, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

[ Upstream commit ecae2ae606d493cf11457946436335bd0e726663 ]

The reference bit position was ignored when writing the register at the
probe() function (!!val was used). When such bit is 1, internal voltage
reference is disabled so that an external one can be used. For
multi-channel devices, bit 0 of the Internal Reference Setup command
behaves the same way, so AD5686_REF_BIT_MSK is created. The issue exists
since support for single-channel devices was first introduced.

Fixes: be1b24d24541 ("iio:dac:ad5686: Add AD5691R/AD5692R/AD5693/AD5693R support")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[ adapted `has_external_vref` to the in-tree equivalent `voltage_uv` variable in the `val =` computation ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    6 +++---
 drivers/iio/dac/ad5686.h |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -521,7 +521,7 @@ int ad5686_probe(struct device *dev,
 		break;
 	case AD5686_REGMAP:
 		cmd = AD5686_CMD_INTERNAL_REFER_SETUP;
-		ref_bit_msk = 0;
+		ref_bit_msk = AD5686_REF_BIT_MSK;
 		break;
 	case AD5693_REGMAP:
 		cmd = AD5686_CMD_CONTROL_REG;
@@ -533,9 +533,9 @@ int ad5686_probe(struct device *dev,
 		goto error_disable_reg;
 	}
 
-	val = (voltage_uv | ref_bit_msk);
+	val = voltage_uv ? ref_bit_msk : 0;
 
-	ret = st->write(st, cmd, 0, !!val);
+	ret = st->write(st, cmd, 0, val);
 	if (ret)
 		goto error_disable_reg;
 
--- a/drivers/iio/dac/ad5686.h
+++ b/drivers/iio/dac/ad5686.h
@@ -46,6 +46,7 @@
 
 #define AD5310_REF_BIT_MSK			BIT(8)
 #define AD5683_REF_BIT_MSK			BIT(12)
+#define AD5686_REF_BIT_MSK			BIT(0)
 #define AD5693_REF_BIT_MSK			BIT(12)
 
 /**




* [PATCH 6.1 465/522] ALSA: firewire-motu: Protect register DSP event queue positions
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (463 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 464/522] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 466/522] serial: samsung_tty: Use port lock wrappers Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel,
	Takashi Sakamoto, Takashi Iwai, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 98fb1c1bb11e29eb609b7200a25e136e05aa4498 ]

The register DSP event queue is updated under parser->lock, but
snd_motu_register_dsp_message_parser_count_event() reads pull_pos and
push_pos without the lock.
snd_motu_register_dsp_message_parser_copy_event() also reads both queue
positions before taking the lock.

Protect these accesses with parser->lock as well. This keeps the hwdep
poll/read path consistent with the producer side and with the cached
meter/parameter accessors.

Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260521-alsa-firewire-motu-event-locking-v1-1-708e1c2b5e56@gmail.com
[ converted copy_event() from manual spin_lock_irqsave/spin_unlock_irqrestore to guard(spinlock_irqsave) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/firewire/motu/motu-register-dsp-message-parser.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/sound/firewire/motu/motu-register-dsp-message-parser.c
+++ b/sound/firewire/motu/motu-register-dsp-message-parser.c
@@ -390,6 +390,8 @@ unsigned int snd_motu_register_dsp_messa
 {
 	struct msg_parser *parser = motu->message_parser;
 
+	guard(spinlock_irqsave)(&parser->lock);
+
 	if (parser->pull_pos > parser->push_pos)
 		return EVENT_QUEUE_SIZE - parser->pull_pos + parser->push_pos;
 	else
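Review bot: `guard(spinlock_irqsave)(&parser->lock);` is introduced without any new include, and the backport note says the guard form was substituted for manual locking. For 6.1.y, confirm that the guard infrastructure and the spinlock_irqsave guard class are available to this file, otherwise this fails to compile. Also note for callers that the count returned here is a snapshot that can be stale as soon as the guard is released, so it should be treated as a hint rather than a guarantee for the later copy_event() call.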
@@ -399,14 +401,14 @@ unsigned int snd_motu_register_dsp_messa
 bool snd_motu_register_dsp_message_parser_copy_event(struct snd_motu *motu, u32 *event)
 {
 	struct msg_parser *parser = motu->message_parser;
-	unsigned int pos = parser->pull_pos;
-	unsigned long flags;
+	unsigned int pos;
 
-	if (pos == parser->push_pos)
-		return false;
+	guard(spinlock_irqsave)(&parser->lock);
 
-	spin_lock_irqsave(&parser->lock, flags);
+	if (parser->pull_pos == parser->push_pos)
+		return false;
 
+	pos = parser->pull_pos;
 	*event = parser->event_queue[pos];
 
 	++pos;
@@ -414,7 +416,5 @@ bool snd_motu_register_dsp_message_parse
 		pos = 0;
 	parser->pull_pos = pos;
 
-	spin_unlock_irqrestore(&parser->lock, flags);
-
 	return true;
 }




* [PATCH 6.1 466/522] serial: samsung_tty: Use port lock wrappers
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (464 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 465/522] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 467/522] tty: serial: samsung: use u32 for register interactions Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, John Ogness,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

[ Upstream commit 97d7a9aeba1d424c2359f1686d02c75d798ad184 ]

When a serial port is used for kernel console output, then all
modifications to the UART registers which are done from other contexts,
e.g. getty, termios, are interference points for the kernel console.

So far this has been ignored and the printk output is based on the
principle of hope. The rework of the console infrastructure which aims to
support threaded and atomic consoles, requires to mark sections which
modify the UART registers as unsafe. This allows the atomic write function
to make informed decisions and eventually to restore operational state. It
also allows to prevent the regular UART code from modifying UART registers
while printk output is in progress.

All modifications of UART registers are guarded by the UART port lock,
which provides an obvious synchronization point with the console
infrastructure.

To avoid adding this functionality to all UART drivers, wrap the
spin_[un]lock*() invocations for uart_port::lock into helper functions
which just contain the spin_[un]lock*() invocations for now. In a
subsequent step these helpers will gain the console synchronization
mechanisms.

Converted with coccinelle. No functional change.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Link: https://lore.kernel.org/r/20230914183831.587273-54-john.ogness@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: a3bb136bff5e ("tty: serial: samsung: Remove redundant port lock acquisition in rx helpers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/samsung_tty.c |   50 +++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -251,7 +251,7 @@ static void s3c24xx_serial_rx_enable(str
 	unsigned int ucon, ufcon;
 	int count = 10000;
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	while (--count && !s3c24xx_serial_txempty_nofifo(port))
 		udelay(100);
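Review bot: `uart_port_lock_irqsave(port, &flags);` and the other uart_port_*lock* helpers used throughout this patch are not defined by it; the diffstat touches only samsung_tty.c. Since this is pulled in as a Stable-dep-of, confirm the wrapper definitions are already in 6.1.y or are queued ahead of this patch in the series. Note also that the wrapper takes `&flags` where the macro took `flags`, which is the one place a mechanical conversion can go wrong; the visible call sites all pass the address correctly.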
@@ -265,7 +265,7 @@ static void s3c24xx_serial_rx_enable(str
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 1;
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_rx_disable(struct uart_port *port)
@@ -274,14 +274,14 @@ static void s3c24xx_serial_rx_disable(st
 	unsigned long flags;
 	unsigned int ucon;
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	ucon = rd_regl(port, S3C2410_UCON);
 	ucon &= ~S3C2410_UCON_RXIRQMODE;
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 0;
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_stop_tx(struct uart_port *port)
@@ -349,7 +349,7 @@ static void s3c24xx_serial_tx_dma_comple
 				dma->tx_transfer_addr, dma->tx_size,
 				DMA_TO_DEVICE);
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	xmit->tail = (xmit->tail + count) & (UART_XMIT_SIZE - 1);
 	port->icount.tx += count;
@@ -359,7 +359,7 @@ static void s3c24xx_serial_tx_dma_comple
 		uart_write_wakeup(port);
 
 	s3c24xx_serial_start_next_tx(ourport);
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void enable_tx_dma(struct s3c24xx_uart_port *ourport)
@@ -625,7 +625,7 @@ static void s3c24xx_serial_rx_dma_comple
 	received  = dma->rx_bytes_requested - state.residue;
 	async_tx_ack(dma->rx_desc);
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	if (received)
 		s3c24xx_uart_copy_rx_to_tty(ourport, t, received);
@@ -637,7 +637,7 @@ static void s3c24xx_serial_rx_dma_comple
 
 	s3c64xx_start_rx_dma(ourport);
 
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c64xx_start_rx_dma(struct s3c24xx_uart_port *ourport)
@@ -728,7 +728,7 @@ static irqreturn_t s3c24xx_serial_rx_cha
 	utrstat = rd_regl(port, S3C2410_UTRSTAT);
 	rd_regl(port, S3C2410_UFSTAT);
 
-	spin_lock(&port->lock);
+	uart_port_lock(port);
 
 	if (!(utrstat & S3C2410_UTRSTAT_TIMEOUT)) {
 		s3c64xx_start_rx_dma(ourport);
@@ -757,7 +757,7 @@ static irqreturn_t s3c24xx_serial_rx_cha
 	wr_regl(port, S3C2410_UTRSTAT, S3C2410_UTRSTAT_TIMEOUT);
 
 finish:
-	spin_unlock(&port->lock);
+	uart_port_unlock(port);
 
 	return IRQ_HANDLED;
 }
@@ -854,9 +854,9 @@ static irqreturn_t s3c24xx_serial_rx_cha
 	struct s3c24xx_uart_port *ourport = dev_id;
 	struct uart_port *port = &ourport->port;
 
-	spin_lock(&port->lock);
+	uart_port_lock(port);
 	s3c24xx_serial_rx_drain_fifo(ourport);
-	spin_unlock(&port->lock);
+	uart_port_unlock(port);
 
 	return IRQ_HANDLED;
 }
@@ -938,11 +938,11 @@ static irqreturn_t s3c24xx_serial_tx_irq
 	struct s3c24xx_uart_port *ourport = id;
 	struct uart_port *port = &ourport->port;
 
-	spin_lock(&port->lock);
+	uart_port_lock(port);
 
 	s3c24xx_serial_tx_chars(ourport);
 
-	spin_unlock(&port->lock);
+	uart_port_unlock(port);
 	return IRQ_HANDLED;
 }
 
@@ -1038,7 +1038,7 @@ static void s3c24xx_serial_break_ctl(str
 	unsigned long flags;
 	unsigned int ucon;
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	ucon = rd_regl(port, S3C2410_UCON);
 
@@ -1049,7 +1049,7 @@ static void s3c24xx_serial_break_ctl(str
 
 	wr_regl(port, S3C2410_UCON, ucon);
 
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 }
 
 static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p)
@@ -1308,7 +1308,7 @@ static int s3c64xx_serial_startup(struct
 	ourport->rx_enabled = 1;
 	ourport->tx_enabled = 0;
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	ufcon = rd_regl(port, S3C2410_UFCON);
 	ufcon |= S3C2410_UFCON_RESETRX | S5PV210_UFCON_RXTRIG8;
@@ -1318,7 +1318,7 @@ static int s3c64xx_serial_startup(struct
 
 	enable_rx_pio(ourport);
 
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 
 	/* Enable Rx Interrupt */
 	s3c24xx_clear_bit(port, S3C64XX_UINTM_RXD, S3C64XX_UINTM);
@@ -1346,7 +1346,7 @@ static int apple_s5l_serial_startup(stru
 	ourport->rx_enabled = 1;
 	ourport->tx_enabled = 0;
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	ufcon = rd_regl(port, S3C2410_UFCON);
 	ufcon |= S3C2410_UFCON_RESETRX | S5PV210_UFCON_RXTRIG8;
@@ -1356,7 +1356,7 @@ static int apple_s5l_serial_startup(stru
 
 	enable_rx_pio(ourport);
 
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 
 	/* Enable Rx Interrupt */
 	s3c24xx_set_bit(port, APPLE_S5L_UCON_RXTHRESH_ENA, S3C2410_UCON);
@@ -1633,7 +1633,7 @@ static void s3c24xx_serial_set_termios(s
 		ulcon |= S3C2410_LCON_PNONE;
 	}
 
-	spin_lock_irqsave(&port->lock, flags);
+	uart_port_lock_irqsave(port, &flags);
 
 	dev_dbg(port->dev,
 		"setting ulcon to %08x, brddiv to %d, udivslot %08x\n",
@@ -1691,7 +1691,7 @@ static void s3c24xx_serial_set_termios(s
 	if ((termios->c_cflag & CREAD) == 0)
 		port->ignore_status_mask |= RXSTAT_DUMMY_READ;
 
-	spin_unlock_irqrestore(&port->lock, flags);
+	uart_port_unlock_irqrestore(port, flags);
 }
 
 static const char *s3c24xx_serial_type(struct uart_port *port)
@@ -2476,14 +2476,14 @@ s3c24xx_serial_console_write(struct cons
 	if (cons_uart->sysrq)
 		locked = false;
 	else if (oops_in_progress)
-		locked = spin_trylock_irqsave(&cons_uart->lock, flags);
+		locked = uart_port_trylock_irqsave(cons_uart, &flags);
 	else
-		spin_lock_irqsave(&cons_uart->lock, flags);
+		uart_port_lock_irqsave(cons_uart, &flags);
 
 	uart_console_write(cons_uart, s, count, s3c24xx_serial_console_putchar);
 
 	if (locked)
-		spin_unlock_irqrestore(&cons_uart->lock, flags);
+		uart_port_unlock_irqrestore(cons_uart, flags);
 }
 
 /* Shouldn't be __init, as it can be instantiated from other module */
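
Review bot: in s3c24xx_serial_console_write() the lock and trylock wrappers take `&flags` while the unlock wrapper takes `flags` by value, unlike the spin_lock_irqsave() macro they replace, so every converted call site in this patch is worth checking for that asymmetry. The `cons_uart->sysrq` branch still writes with no lock held (`locked = false`); the conversion does not change that, but it deserves a comment.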




* [PATCH 6.1 467/522] tty: serial: samsung: use u32 for register interactions
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sam Protsenko, Tudor Ambarus,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

[ Upstream commit 032a725c16add79332d774348d7ad7d0d4b86479 ]

All registers of the IP have 32 bits. Use u32 variables when reading
or writing from/to the registers. The purpose of those variables becomes
clearer.

Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://lore.kernel.org/r/20240119104526.1221243-9-tudor.ambarus@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: a3bb136bff5e ("tty: serial: samsung: Remove redundant port lock acquisition in rx helpers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/samsung_tty.c |   80 +++++++++++++++++++--------------------
 1 file changed, 40 insertions(+), 40 deletions(-)

--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -202,7 +202,7 @@ static void wr_reg(const struct uart_por
 /* Byte-order aware bit setting/clearing functions. */
 
 static inline void s3c24xx_set_bit(const struct uart_port *port, int idx,
-				   unsigned int reg)
+				   u32 reg)
 {
 	unsigned long flags;
 	u32 val;
@@ -215,7 +215,7 @@ static inline void s3c24xx_set_bit(const
 }
 
 static inline void s3c24xx_clear_bit(const struct uart_port *port, int idx,
-				     unsigned int reg)
+				     u32 reg)
 {
 	unsigned long flags;
 	u32 val;
@@ -248,8 +248,8 @@ static void s3c24xx_serial_rx_enable(str
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
 	unsigned long flags;
-	unsigned int ucon, ufcon;
 	int count = 10000;
+	u32 ucon, ufcon;
 
 	uart_port_lock_irqsave(port, &flags);
 
@@ -272,7 +272,7 @@ static void s3c24xx_serial_rx_disable(st
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
 	unsigned long flags;
-	unsigned int ucon;
+	u32 ucon;
 
 	uart_port_lock_irqsave(port, &flags);
 
@@ -597,7 +597,7 @@ static inline const struct s3c2410_uartc
 }
 
 static int s3c24xx_serial_rx_fifocnt(const struct s3c24xx_uart_port *ourport,
-				     unsigned long ufstat)
+				     u32 ufstat)
 {
 	const struct s3c24xx_uart_info *info = ourport->info;
 
@@ -669,7 +669,7 @@ static void s3c64xx_start_rx_dma(struct
 static void enable_rx_dma(struct s3c24xx_uart_port *ourport)
 {
 	struct uart_port *port = &ourport->port;
-	unsigned int ucon;
+	u32 ucon;
 
 	/* set Rx mode to DMA mode */
 	ucon = rd_regl(port, S3C2410_UCON);
@@ -692,7 +692,7 @@ static void enable_rx_dma(struct s3c24xx
 static void enable_rx_pio(struct s3c24xx_uart_port *ourport)
 {
 	struct uart_port *port = &ourport->port;
-	unsigned int ucon;
+	u32 ucon;
 
 	/* set Rx mode to DMA mode */
 	ucon = rd_regl(port, S3C2410_UCON);
@@ -717,13 +717,14 @@ static void s3c24xx_serial_rx_drain_fifo
 
 static irqreturn_t s3c24xx_serial_rx_chars_dma(void *dev_id)
 {
-	unsigned int utrstat, received;
 	struct s3c24xx_uart_port *ourport = dev_id;
 	struct uart_port *port = &ourport->port;
 	struct s3c24xx_uart_dma *dma = ourport->dma;
 	struct tty_struct *tty = tty_port_tty_get(&ourport->port.state->port);
 	struct tty_port *t = &port->state->port;
 	struct dma_tx_state state;
+	unsigned int received;
+	u32 utrstat;
 
 	utrstat = rd_regl(port, S3C2410_UTRSTAT);
 	rd_regl(port, S3C2410_UFSTAT);
@@ -765,9 +766,10 @@ finish:
 static void s3c24xx_serial_rx_drain_fifo(struct s3c24xx_uart_port *ourport)
 {
 	struct uart_port *port = &ourport->port;
-	unsigned int ufcon, ch, flag, ufstat, uerstat;
 	unsigned int fifocnt = 0;
 	int max_count = port->fifosize;
+	u32 ufcon, ufstat, uerstat;
+	u8 ch, flag;
 
 	while (max_count-- > 0) {
 		/*
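
Review bot: `ch` and `flag` are narrowed from unsigned int to u8 in s3c24xx_serial_rx_drain_fifo(), which goes beyond the changelog's "use u32 for register interactions". Please mention the narrowing in the commit message and confirm that nothing assigned to `ch` later in the loop relies on bits above 7.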
@@ -951,7 +953,7 @@ static irqreturn_t s3c64xx_serial_handle
 {
 	const struct s3c24xx_uart_port *ourport = id;
 	const struct uart_port *port = &ourport->port;
-	unsigned int pend = rd_regl(port, S3C64XX_UINTP);
+	u32 pend = rd_regl(port, S3C64XX_UINTP);
 	irqreturn_t ret = IRQ_HANDLED;
 
 	if (pend & S3C64XX_UINTM_RXD_MSK) {
@@ -970,7 +972,7 @@ static irqreturn_t apple_serial_handle_i
 {
 	const struct s3c24xx_uart_port *ourport = id;
 	const struct uart_port *port = &ourport->port;
-	unsigned int pend = rd_regl(port, S3C2410_UTRSTAT);
+	u32 pend = rd_regl(port, S3C2410_UTRSTAT);
 	irqreturn_t ret = IRQ_NONE;
 
 	if (pend & (APPLE_S5L_UTRSTAT_RXTHRESH | APPLE_S5L_UTRSTAT_RXTO)) {
@@ -989,8 +991,8 @@ static irqreturn_t apple_serial_handle_i
 static unsigned int s3c24xx_serial_tx_empty(struct uart_port *port)
 {
 	const struct s3c24xx_uart_info *info = s3c24xx_port_to_info(port);
-	unsigned long ufstat = rd_regl(port, S3C2410_UFSTAT);
-	unsigned long ufcon = rd_regl(port, S3C2410_UFCON);
+	u32 ufstat = rd_regl(port, S3C2410_UFSTAT);
+	u32 ufcon = rd_regl(port, S3C2410_UFCON);
 
 	if (ufcon & S3C2410_UFCON_FIFOMODE) {
 		if ((ufstat & info->tx_fifomask) != 0 ||
@@ -1005,7 +1007,7 @@ static unsigned int s3c24xx_serial_tx_em
 /* no modem control lines */
 static unsigned int s3c24xx_serial_get_mctrl(struct uart_port *port)
 {
-	unsigned int umstat = rd_reg(port, S3C2410_UMSTAT);
+	u32 umstat = rd_reg(port, S3C2410_UMSTAT);
 
 	if (umstat & S3C2410_UMSTAT_CTS)
 		return TIOCM_CAR | TIOCM_DSR | TIOCM_CTS;
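
Review bot: `umstat` in s3c24xx_serial_get_mctrl() is now a u32 but is still read with `rd_reg()` rather than `rd_regl()`, the accessor used by the other register reads this patch touches. If all registers of the IP are 32 bits wide, as the changelog states, either switch this read to `rd_regl()` or note why the other accessor is intended here.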
@@ -1015,8 +1017,8 @@ static unsigned int s3c24xx_serial_get_m
 
 static void s3c24xx_serial_set_mctrl(struct uart_port *port, unsigned int mctrl)
 {
-	unsigned int umcon = rd_regl(port, S3C2410_UMCON);
-	unsigned int ucon = rd_regl(port, S3C2410_UCON);
+	u32 umcon = rd_regl(port, S3C2410_UMCON);
+	u32 ucon = rd_regl(port, S3C2410_UCON);
 
 	if (mctrl & TIOCM_RTS)
 		umcon |= S3C2410_UMCOM_RTS_LOW;
@@ -1036,7 +1038,7 @@ static void s3c24xx_serial_set_mctrl(str
 static void s3c24xx_serial_break_ctl(struct uart_port *port, int break_state)
 {
 	unsigned long flags;
-	unsigned int ucon;
+	u32 ucon;
 
 	uart_port_lock_irqsave(port, &flags);
 
@@ -1217,7 +1219,7 @@ static void apple_s5l_serial_shutdown(st
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
 
-	unsigned int ucon;
+	u32 ucon;
 
 	ucon = rd_regl(port, S3C2410_UCON);
 	ucon &= ~(APPLE_S5L_UCON_TXTHRESH_ENA_MSK |
@@ -1285,7 +1287,7 @@ static int s3c64xx_serial_startup(struct
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
 	unsigned long flags;
-	unsigned int ufcon;
+	u32 ufcon;
 	int ret;
 
 	wr_regl(port, S3C64XX_UINTM, 0xf);
@@ -1330,7 +1332,7 @@ static int apple_s5l_serial_startup(stru
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
 	unsigned long flags;
-	unsigned int ufcon;
+	u32 ufcon;
 	int ret;
 
 	wr_regl(port, S3C2410_UTRSTAT, APPLE_S5L_UTRSTAT_ALL_FLAGS);
@@ -1415,7 +1417,7 @@ static void s3c24xx_serial_pm(struct uar
 static inline int s3c24xx_serial_getsource(struct uart_port *port)
 {
 	const struct s3c24xx_uart_info *info = s3c24xx_port_to_info(port);
-	unsigned int ucon;
+	u32 ucon;
 
 	if (info->num_clks == 1)
 		return 0;
@@ -1429,7 +1431,7 @@ static void s3c24xx_serial_setsource(str
 			unsigned int clk_sel)
 {
 	const struct s3c24xx_uart_info *info = s3c24xx_port_to_info(port);
-	unsigned int ucon;
+	u32 ucon;
 
 	if (info->num_clks == 1)
 		return;
@@ -1548,9 +1550,8 @@ static void s3c24xx_serial_set_termios(s
 	struct clk *clk = ERR_PTR(-EINVAL);
 	unsigned long flags;
 	unsigned int baud, quot, clk_sel = 0;
-	unsigned int ulcon;
-	unsigned int umcon;
 	unsigned int udivslot = 0;
+	u32 ulcon, umcon;
 
 	/*
 	 * We don't support modem control lines.
@@ -1857,7 +1858,7 @@ static void s3c24xx_serial_resetport(str
 				     const struct s3c2410_uartcfg *cfg)
 {
 	const struct s3c24xx_uart_info *info = s3c24xx_port_to_info(port);
-	unsigned long ucon = rd_regl(port, S3C2410_UCON);
+	u32 ucon = rd_regl(port, S3C2410_UCON);
 
 	ucon &= (info->clksel_mask | info->ucon_mask);
 	wr_regl(port, S3C2410_UCON, ucon | cfg->ucon);
@@ -2100,7 +2101,7 @@ static int s3c24xx_serial_init_port(stru
 		wr_regl(port, S3C64XX_UINTSP, 0xf);
 		break;
 	case TYPE_APPLE_S5L: {
-		unsigned int ucon;
+		u32 ucon;
 
 		ucon = rd_regl(port, S3C2410_UCON);
 		ucon &= ~(APPLE_S5L_UCON_TXTHRESH_ENA_MSK |
@@ -2312,7 +2313,7 @@ static int s3c24xx_serial_resume_noirq(s
 		/* restore IRQ mask */
 		switch (ourport->info->type) {
 		case TYPE_S3C6400: {
-			unsigned int uintm = 0xf;
+			u32 uintm = 0xf;
 
 			if (ourport->tx_enabled)
 				uintm &= ~S3C64XX_UINTM_TXD_MSK;
@@ -2328,7 +2329,7 @@ static int s3c24xx_serial_resume_noirq(s
 			break;
 		}
 		case TYPE_APPLE_S5L: {
-			unsigned int ucon;
+			u32 ucon;
 			int ret;
 
 			ret = clk_prepare_enable(ourport->clk);
@@ -2391,10 +2392,10 @@ static const struct dev_pm_ops s3c24xx_s
 static struct uart_port *cons_uart;
 
 static int
-s3c24xx_serial_console_txrdy(struct uart_port *port, unsigned int ufcon)
+s3c24xx_serial_console_txrdy(struct uart_port *port, u32 ufcon)
 {
 	const struct s3c24xx_uart_info *info = s3c24xx_port_to_info(port);
-	unsigned long ufstat, utrstat;
+	u32 ufstat, utrstat;
 
 	if (ufcon & S3C2410_UFCON_FIFOMODE) {
 		/* fifo mode - check amount of data in fifo registers... */
@@ -2410,7 +2411,7 @@ s3c24xx_serial_console_txrdy(struct uart
 }
 
 static bool
-s3c24xx_port_configured(unsigned int ucon)
+s3c24xx_port_configured(u32 ucon)
 {
 	/* consider the serial port configured if the tx/rx mode set */
 	return (ucon & 0xf) != 0;
@@ -2425,7 +2426,7 @@ s3c24xx_port_configured(unsigned int uco
 static int s3c24xx_serial_get_poll_char(struct uart_port *port)
 {
 	const struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned int ufstat;
+	u32 ufstat;
 
 	ufstat = rd_regl(port, S3C2410_UFSTAT);
 	if (s3c24xx_serial_rx_fifocnt(ourport, ufstat) == 0)
@@ -2437,8 +2438,8 @@ static int s3c24xx_serial_get_poll_char(
 static void s3c24xx_serial_put_poll_char(struct uart_port *port,
 		unsigned char c)
 {
-	unsigned int ufcon = rd_regl(port, S3C2410_UFCON);
-	unsigned int ucon = rd_regl(port, S3C2410_UCON);
+	u32 ufcon = rd_regl(port, S3C2410_UFCON);
+	u32 ucon = rd_regl(port, S3C2410_UCON);
 
 	/* not possible to xmit on unconfigured port */
 	if (!s3c24xx_port_configured(ucon))
@@ -2454,7 +2455,7 @@ static void s3c24xx_serial_put_poll_char
 static void
 s3c24xx_serial_console_putchar(struct uart_port *port, unsigned char ch)
 {
-	unsigned int ufcon = rd_regl(port, S3C2410_UFCON);
+	u32 ufcon = rd_regl(port, S3C2410_UFCON);
 
 	while (!s3c24xx_serial_console_txrdy(port, ufcon))
 		cpu_relax();
@@ -2465,7 +2466,7 @@ static void
 s3c24xx_serial_console_write(struct console *co, const char *s,
 			     unsigned int count)
 {
-	unsigned int ucon = rd_regl(cons_uart, S3C2410_UCON);
+	u32 ucon = rd_regl(cons_uart, S3C2410_UCON);
 	unsigned long flags;
 	bool locked = true;
 
@@ -2492,11 +2493,9 @@ s3c24xx_serial_get_options(struct uart_p
 			   int *parity, int *bits)
 {
 	struct clk *clk;
-	unsigned int ulcon;
-	unsigned int ucon;
-	unsigned int ubrdiv;
 	unsigned long rate;
 	unsigned int clk_sel;
+	u32 ulcon, ucon, ubrdiv;
 	char clk_name[MAX_CLK_NAME_LENGTH];
 
 	ulcon  = rd_regl(port, S3C2410_ULCON);
@@ -3010,7 +3009,8 @@ static int samsung_early_read(struct con
 {
 	struct earlycon_device *dev = con->data;
 	const struct samsung_early_console_data *data = dev->port.private_data;
-	int ch, ufstat, num_read = 0;
+	int num_read = 0;
+	u32 ch, ufstat;
 
 	while (num_read < n) {
 		ufstat = rd_regl(&dev->port, S3C2410_UFSTAT);
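
Review bot: `ch` and `ufstat` change from int to u32 in samsung_early_read(), so the signedness changes as well as the width. Check that nothing later in this loop compares `ch` against a negative value or otherwise relies on it being signed.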




* [PATCH 6.1 468/522] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, John Ogness, Tudor Ambarus,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

[ Upstream commit a3bb136bff5e6a5e48cdd813246c9c4686feaaa9 ]

Sashiko identified a deadlock when the console flow is engaged [1].

When console flow control is enabled (UPF_CONS_FLOW),
s3c24xx_serial_stop_tx() calls s3c24xx_serial_rx_enable() and
s3c24xx_serial_start_tx() calls s3c24xx_serial_rx_disable().

The serial core framework invokes the .stop_tx() and .start_tx()
callbacks with the port->lock spinlock already held. Furthermore, all
internal driver paths that invoke stop_tx (such as the DMA TX
completion handler s3c24xx_serial_tx_dma_complete() or the PIO TX IRQ
handler s3c24xx_serial_tx_irq()) also acquire port->lock prior to
calling it. (Note that s3c24xx_serial_start_tx() is only invoked by the
serial core).

However, s3c24xx_serial_rx_enable() and s3c24xx_serial_rx_disable()
unconditionally attempt to acquire port->lock again using
uart_port_lock_irqsave(). Since spinlocks are not recursive, this
causes a deadlock on the same CPU when console flow control is engaged.

Remove the redundant lock acquisition from both rx helper functions.

Cc: stable <stable@kernel.org>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Reported-by: John Ogness <john.ogness@linutronix.de>
Closes: https://sashiko.dev/#/patchset/20260506121606.5805-1-john.ogness%40linutronix.de [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260515-samsung-tty-flow-control-deadlock-v1-1-93255edbc9bc@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/samsung_tty.c |    8 --------
 1 file changed, 8 deletions(-)

--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -247,12 +247,9 @@ static int s3c24xx_serial_txempty_nofifo
 static void s3c24xx_serial_rx_enable(struct uart_port *port)
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned long flags;
 	int count = 10000;
 	u32 ucon, ufcon;
 
-	uart_port_lock_irqsave(port, &flags);
-
 	while (--count && !s3c24xx_serial_txempty_nofifo(port))
 		udelay(100);
 
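
Review bot: with the lock dropped from s3c24xx_serial_rx_enable(), the `while (--count && ...) udelay(100);` loop with `count = 10000` runs entirely under the caller's port->lock, which is up to about one second of busy-waiting. The same wait happened under the lock before this change, but it is worth a comment or a follow-up to bound it.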
@@ -265,23 +262,18 @@ static void s3c24xx_serial_rx_enable(str
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 1;
-	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_rx_disable(struct uart_port *port)
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned long flags;
 	u32 ucon;
 
-	uart_port_lock_irqsave(port, &flags);
-
 	ucon = rd_regl(port, S3C2410_UCON);
 	ucon &= ~S3C2410_UCON_RXIRQMODE;
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 0;
-	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_stop_tx(struct uart_port *port)
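
Review bot: s3c24xx_serial_rx_enable() and s3c24xx_serial_rx_disable() now depend on every caller holding port->lock, but nothing in the code states or checks that. Add `lockdep_assert_held(&port->lock);` at the top of both helpers, or at least a comment, so that a future caller that does not hold the lock is caught.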




* [PATCH 6.1 469/522] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Radhey Shyam Pandey,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>

[ Upstream commit c1a0ecbf32c4b397353204e2ec94c5bb9f3300ed ]

Fix error handling and resource cleanup i.e remove invalid
phy_exit() after failed phy_init(), route failures through
proper cleanup paths and return 0 explicitly on success.

Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Link: https://patch.msgid.link/20260519115529.2980421-1-radhey.shyam.pandey@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-xilinx.c |   26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

--- a/drivers/usb/dwc3/dwc3-xilinx.c
+++ b/drivers/usb/dwc3/dwc3-xilinx.c
@@ -171,15 +171,13 @@ static int dwc3_xlnx_init_zynqmp(struct
 	}
 
 	ret = phy_init(priv_data->usb3_phy);
-	if (ret < 0) {
-		phy_exit(priv_data->usb3_phy);
+	if (ret < 0)
 		goto err;
-	}
 
 	ret = reset_control_deassert(apbrst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release APB reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	/* Set PIPE Power Present signal in FPD Power Present Register*/
@@ -191,27 +189,25 @@ static int dwc3_xlnx_init_zynqmp(struct
 	ret = reset_control_deassert(crst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release core reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	ret = reset_control_deassert(hibrst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release hibernation reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	ret = phy_power_on(priv_data->usb3_phy);
-	if (ret < 0) {
-		phy_exit(priv_data->usb3_phy);
-		goto err;
-	}
+	if (ret < 0)
+		goto err_phy_exit;
 
 skip_usb3_phy:
 	/* ulpi reset via gpio-modepin or gpio-framework driver */
 	reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH);
 	if (IS_ERR(reset_gpio)) {
-		return dev_err_probe(dev, PTR_ERR(reset_gpio),
-				     "Failed to request reset GPIO\n");
+		ret = PTR_ERR(reset_gpio);
+		goto err_phy_power_off;
 	}
 
 	if (reset_gpio) {
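
Review bot: the reset GPIO failure path replaces `return dev_err_probe(...)` with a bare `ret = PTR_ERR(reset_gpio);`, so the "Failed to request reset GPIO" message and the deferred-probe handling that dev_err_probe() provides are lost. Keep the helper and still unwind: `ret = dev_err_probe(dev, PTR_ERR(reset_gpio), "Failed to request reset GPIO\n");` followed by `goto err_phy_power_off;`.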
@@ -231,6 +227,12 @@ skip_usb3_phy:
 		writel(reg, priv_data->regs + XLNX_USB_TRAFFIC_ROUTE_CONFIG);
 	}
 
+	return 0;
+
+err_phy_power_off:
+	phy_power_off(priv_data->usb3_phy);
+err_phy_exit:
+	phy_exit(priv_data->usb3_phy);
 err:
 	return ret;
 }
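
Review bot: `err_phy_power_off` is reached from code after the `skip_usb3_phy:` label, so it can run on a path where phy_init() and phy_power_on() were skipped for `priv_data->usb3_phy`. Confirm that phy_power_off() and phy_exit() are safe in that case, or guard the unwind on whether the PHY was actually brought up.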




* [PATCH 6.1 470/522] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wentao Liang, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

[ Upstream commit e194ce048f5a6c549b3a23a8c568c6470f40f772 ]

In omap2430_probe(), of_node_put(np) is called prematurely before the
last access to np, leading to a use-after-free if the node's reference
count drops to zero. Move the of_node_put() calls after the last use of
np in both the success and error paths.

Fixes: ffbe2feac59b ("usb: musb: omap2430: Fix probe regression for missing resources")
Cc: stable <stable@kernel.org>
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409101104.480623-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/musb/omap2430.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -340,7 +340,6 @@ static int omap2430_probe(struct platfor
 	} else {
 		device_set_of_node_from_dev(&musb->dev, &pdev->dev);
 	}
-	of_node_put(np);
 
 	glue->dev			= &pdev->dev;
 	glue->musb			= musb;
@@ -458,6 +457,7 @@ static int omap2430_probe(struct platfor
 		dev_err(&pdev->dev, "failed to register musb device\n");
 		goto err3;
 	}
+	of_node_put(np);
 
 	return 0;
 
@@ -467,6 +467,7 @@ err_put_control_otghs:
 	if (!IS_ERR(glue->control_otghs))
 		put_device(glue->control_otghs);
 err2:
+	of_node_put(np);
 	platform_device_put(musb);
 
 err0:
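
Review bot: of_node_put(np) is added only under `err2:`, so any error path that jumps straight to `err0:` after np has been looked up still leaks the reference, and the `goto err3` path in the previous hunk only drops it if `err3` falls through to `err2`. Please confirm both, since neither label flow is visible in these hunks.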




* [PATCH 6.1 471/522] usb: gadget: f_hid: tidy error handling in hidg_alloc
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, Andrzej Pietrasiewicz,
	John Keeping, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Keeping <john@metanate.com>

[ Upstream commit 944fe915d00d3cb1bacb1e77cabfb6dc82e6f8b8 ]

Unify error handling at the end of the function, reducing the risk of
missing something on one of the error paths.

Moving the increment of opts->refcnt later means there is no need to
decrement it on the error path and is safe as this is guarded by
opts->lock which is held for this entire section.

Tested-by: Lee Jones <lee@kernel.org>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-4-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 4f88d65def6f ("usb: gadget: f_hid: fix device reference leak in hidg_alloc()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1265,7 +1265,6 @@ static struct usb_function *hidg_alloc(s
 	opts = container_of(fi, struct f_hid_opts, func_inst);
 
 	mutex_lock(&opts->lock);
-	++opts->refcnt;
 
 	spin_lock_init(&hidg->write_spinlock);
 	spin_lock_init(&hidg->read_spinlock);
@@ -1278,11 +1277,8 @@ static struct usb_function *hidg_alloc(s
 	hidg->dev.class = hidg_class;
 	hidg->dev.devt = MKDEV(major, opts->minor);
 	ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
-	if (ret) {
-		--opts->refcnt;
-		mutex_unlock(&opts->lock);
-		return ERR_PTR(ret);
-	}
+	if (ret)
+		goto err_unlock;
 
 	hidg->bInterfaceSubClass = opts->subclass;
 	hidg->bInterfaceProtocol = opts->protocol;
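
Review bot: the dev_set_name() failure now goes to `err_unlock`, which returns without put_device(&hidg->dev). That matches the code it replaces but leaves the path without a device put. The next patch in this series (472/522) reroutes it through `err_put_device`, so the two need to be applied together.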
@@ -1293,14 +1289,13 @@ static struct usb_function *hidg_alloc(s
 					    opts->report_desc_length,
 					    GFP_KERNEL);
 		if (!hidg->report_desc) {
-			put_device(&hidg->dev);
-			--opts->refcnt;
-			mutex_unlock(&opts->lock);
-			return ERR_PTR(-ENOMEM);
+			ret = -ENOMEM;
+			goto err_put_device;
 		}
 	}
 	hidg->use_out_ep = !opts->no_out_endpoint;
 
+	++opts->refcnt;
 	mutex_unlock(&opts->lock);
 
 	hidg->func.name    = "hid";
@@ -1315,6 +1310,12 @@ static struct usb_function *hidg_alloc(s
 	hidg->qlen	   = 4;
 
 	return &hidg->func;
+
+err_put_device:
+	put_device(&hidg->dev);
+err_unlock:
+	mutex_unlock(&opts->lock);
+	return ERR_PTR(ret);
 }
 
 DECLARE_USB_FUNCTION_INIT(hid, hidg_alloc_inst, hidg_alloc);




* [PATCH 6.1 472/522] usb: gadget: f_hid: fix device reference leak in hidg_alloc()
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Johan Hovold, Guangshuo Li,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

[ Upstream commit 4f88d65def6f3c90121601b4f62a4c967f3063a6 ]

hidg_alloc() initializes hidg->dev with device_initialize() before
calling dev_set_name(). If dev_set_name() fails, the function currently
jumps to err_unlock and returns without calling put_device().

This leaves the device reference unbalanced and prevents hidg_release()
from being called. Calling put_device() here is also safe, since
hidg_release() only frees resources owned by hidg.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Route the dev_set_name() failure path through err_put_device so the
device reference is dropped properly.

Fixes: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
Cc: stable <stable@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Johan Hovold johan@kernel.org
Link: https://patch.msgid.link/20260413142119.2977716-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1278,7 +1278,7 @@ static struct usb_function *hidg_alloc(s
 	hidg->dev.devt = MKDEV(major, opts->minor);
 	ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
 	if (ret)
-		goto err_unlock;
+		goto err_put_device;
 
 	hidg->bInterfaceSubClass = opts->subclass;
 	hidg->bInterfaceProtocol = opts->protocol;
@@ -1313,7 +1313,6 @@ static struct usb_function *hidg_alloc(s
 
 err_put_device:
 	put_device(&hidg->dev);
-err_unlock:
 	mutex_unlock(&opts->lock);
 	return ERR_PTR(ret);
 }
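
Review bot: with `err_unlock:` removed, put_device(&hidg->dev) runs on every error path while `opts->lock` is still held. That is only safe as long as the release callback never takes `opts->lock`; a one-line comment above `err_put_device:` stating this would keep it from regressing.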




* [PATCH 6.1 473/522] usb: typec: ucsi: Check if power role change actually happened before handling
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
	Heikki Krogerus, Sasha Levin, Sergey Senozhatsky

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>

[ Upstream commit b80e7d34c7ea6a564525119d6138fbb577a23dba ]

The CrOS EC may send a connector status change event with the power
direction changed flag set even if the power direction hasn't actually
changed after initiating a SET_PDR command internally [1]. In practice
this happens on every system suspend due to other changes performed by
the EC [2][3][4], causing suspend to fail.

Fix this by checking if the power role change actually happened before
handling it.

[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=1689;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[2]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=3923;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[3]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=5094;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[4]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=2229;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794

Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-1-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -783,7 +783,7 @@ static void ucsi_handle_connector_change
 	struct ucsi_connector *con = container_of(work, struct ucsi_connector,
 						  work);
 	struct ucsi *ucsi = con->ucsi;
-	enum typec_role role;
+	enum typec_role role, prev_role;
 	u64 command;
 	int ret;
 
@@ -791,6 +791,8 @@ static void ucsi_handle_connector_change
 
 	command = UCSI_GET_CONNECTOR_STATUS | UCSI_CONNECTOR_NUMBER(con->num);
 
+	prev_role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
+
 	ret = ucsi_send_command_common(ucsi, command, &con->status,
 				       sizeof(con->status), true);
 	if (ret < 0) {
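Review bot: prev_role is read from con->status.flags immediately before ucsi_send_command_common() writes a fresh status into the same struct, so the comparison is only as good as the cached copy. The hunk does not show whether con->status is guaranteed to hold the last successfully read state at this point (first event after registration, or a previous read that ended in the ret < 0 branch). A comment stating that assumption, or keeping the last known power role in its own field of struct ucsi_connector, would make the baseline explicit.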
@@ -804,7 +806,7 @@ static void ucsi_handle_connector_change
 
 	role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
 
-	if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+	if ((con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) && role != prev_role) {
 		typec_set_pwr_role(con->port, role);
 		ucsi_port_psy_changed(con);
 
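Review bot: the added "role != prev_role" term in the rewritten condition makes the driver ignore a firmware-reported UCSI_CONSTAT_POWER_DIR_CHANGE, and nothing at the call site says why. A short comment above the if, noting that some ECs set the change bit although the direction did not change, would keep a later cleanup from dropping the comparison as redundant.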




* [PATCH 6.1 474/522] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (472 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 473/522] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 475/522] tty: serial: qcom-geni-serial: remove unused symbols Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 928abe19fbf0127003abcb1ea69cabc1c897d0ab ]

A DIRECTORY entry's value field is used as the dir_offset for a
recursive call into __tb_property_parse_dir() with no depth counter.
A crafted peer that chains DIRECTORY entries into a back-reference
loop drives the parser until the kernel stack is exhausted and the
guard page fires.  Any untrusted XDomain peer (cable, dock, in-line
inspector, adjacent host) that reaches the PROPERTIES_REQUEST
control-plane exchange can trigger this without authentication.

Thread a depth counter through tb_property_parse() and
__tb_property_parse_dir(), and reject blocks that exceed
TB_PROPERTY_MAX_DEPTH = 8.  That is comfortably larger than any
observed legitimate XDomain layout.

Operators who do not need XDomain host-to-host discovery can disable
the path entirely with thunderbolt.xdomain=0 on the kernel command
line.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -35,10 +35,11 @@ struct tb_property_dir_entry {
 };
 
 #define TB_PROPERTY_ROOTDIR_MAGIC	0x55584401
+#define TB_PROPERTY_MAX_DEPTH		8
 
 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
 	size_t block_len, unsigned int dir_offset, size_t dir_len,
-	bool is_root);
+	bool is_root, unsigned int depth);
 
 static inline void parse_dwdata(void *dst, const void *src, size_t dwords)
 {
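Review bot: TB_PROPERTY_MAX_DEPTH is introduced without a comment, so the reason for the value 8 lives only in the changelog. Please add a line above the define saying that it bounds directory nesting in blocks received from an XDomain peer, that it was chosen to exceed observed legitimate layouts, and whether the root directory counts towards it.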
@@ -99,7 +100,8 @@ tb_property_alloc(const char *key, enum
 }
 
 static struct tb_property *tb_property_parse(const u32 *block, size_t block_len,
-					const struct tb_property_entry *entry)
+					const struct tb_property_entry *entry,
+					unsigned int depth)
 {
 	char key[TB_PROPERTY_KEY_SIZE + 1];
 	struct tb_property *property;
@@ -120,7 +122,7 @@ static struct tb_property *tb_property_p
 	switch (property->type) {
 	case TB_PROPERTY_TYPE_DIRECTORY:
 		dir = __tb_property_parse_dir(block, block_len, entry->value,
-					      entry->length, false);
+					      entry->length, false, depth + 1);
 		if (!dir) {
 			kfree(property);
 			return NULL;
@@ -165,13 +167,17 @@ static struct tb_property *tb_property_p
 }
 
 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
-	size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root)
+	size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root,
+	unsigned int depth)
 {
 	const struct tb_property_entry *entries;
 	size_t i, content_len, nentries;
 	unsigned int content_offset;
 	struct tb_property_dir *dir;
 
+	if (depth > TB_PROPERTY_MAX_DEPTH)
+		return NULL;
+
 	dir = kzalloc(sizeof(*dir), GFP_KERNEL);
 	if (!dir)
 		return NULL;
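Review bot: the new "if (depth > TB_PROPERTY_MAX_DEPTH)" test accepts depth 0 through 8, and the root is parsed at depth 0, so a block may nest nine directory levels rather than eight. If eight levels is the intended limit the comparison should be ">="; if the root is deliberately not counted, say so next to the check. The placement before kzalloc() is right since nothing needs freeing, but the caller sees the same NULL as for an allocation failure, so a rejected block cannot be told apart from -ENOMEM in the logs.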
@@ -206,7 +212,7 @@ static struct tb_property_dir *__tb_prop
 	for (i = 0; i < nentries; i++) {
 		struct tb_property *property;
 
-		property = tb_property_parse(block, block_len, &entries[i]);
+		property = tb_property_parse(block, block_len, &entries[i], depth);
 		if (!property) {
 			tb_property_free_dir(dir);
 			return NULL;
@@ -243,7 +249,7 @@ struct tb_property_dir *tb_property_pars
 		return NULL;
 
 	return __tb_property_parse_dir(block, block_len, 0, rootdir->length,
-				       true);
+				       true, 0);
 }
 
 /**




* [PATCH 6.1 475/522] tty: serial: qcom-geni-serial: remove unused symbols
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (473 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 474/522] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 476/522] tty: serial: qcom-geni-serial: align #define values Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Konrad Dybcio,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

[ Upstream commit 68c6bd92c86cbc4937834c79963b27c77ee3bf51 ]

Drop all unused symbols from the driver.

Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20221229155030.418800-4-brgl@bgdev.pl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ca2584d841b6 ("serial: qcom-geni: fix UART_RX_PAR_EN bit position")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |   15 ---------------
 1 file changed, 15 deletions(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -42,20 +42,11 @@
 #define UART_TX_PAR_EN		BIT(0)
 #define UART_CTS_MASK		BIT(1)
 
-/* SE_UART_TX_WORD_LEN */
-#define TX_WORD_LEN_MSK		GENMASK(9, 0)
-
 /* SE_UART_TX_STOP_BIT_LEN */
-#define TX_STOP_BIT_LEN_MSK	GENMASK(23, 0)
 #define TX_STOP_BIT_LEN_1	0
-#define TX_STOP_BIT_LEN_1_5	1
 #define TX_STOP_BIT_LEN_2	2
 
-/* SE_UART_TX_TRANS_LEN */
-#define TX_TRANS_LEN_MSK	GENMASK(23, 0)
-
 /* SE_UART_RX_TRANS_CFG */
-#define UART_RX_INS_STATUS_BIT	BIT(2)
 #define UART_RX_PAR_EN		BIT(3)
 
 /* SE_UART_RX_WORD_LEN */
@@ -66,12 +57,9 @@
 
 /* SE_UART_TX_PARITY_CFG/RX_PARITY_CFG */
 #define PAR_CALC_EN		BIT(0)
-#define PAR_MODE_MSK		GENMASK(2, 1)
-#define PAR_MODE_SHFT		1
 #define PAR_EVEN		0x00
 #define PAR_ODD			0x01
 #define PAR_SPACE		0x10
-#define PAR_MARK		0x11
 
 /* SE_UART_MANUAL_RFR register fields */
 #define UART_MANUAL_RFR_EN	BIT(31)
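Review bot: dropping PAR_MODE_MSK and PAR_MODE_SHFT in this hunk removes the only statement of how wide the parity mode field is, while PAR_SPACE stays defined as 0x10. With the removed mask GENMASK(2, 1) the field is two bits wide, and the sequence 0x00, 0x01, 0x10, 0x11 reads like binary values written with a hex prefix. Worth checking PAR_SPACE against the register description in a follow-up, and keeping a comment with the field width now that the mask is gone.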
@@ -80,11 +68,8 @@
 
 /* UART M_CMD OP codes */
 #define UART_START_TX		0x1
-#define UART_START_BREAK	0x4
-#define UART_STOP_BREAK		0x5
 /* UART S_CMD OP codes */
 #define UART_START_READ		0x1
-#define UART_PARAM		0x1
 
 #define UART_OVERSAMPLING	32
 #define STALE_TIMEOUT		16




* [PATCH 6.1 476/522] tty: serial: qcom-geni-serial: align #define values
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (474 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 475/522] tty: serial: qcom-geni-serial: remove unused symbols Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 477/522] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Konrad Dybcio,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

[ Upstream commit 6cde11dbf4b65170eeefba48df730c93d75e01a3 ]

Keep the #define symbols aligned for better readability.

Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20221229155030.418800-5-brgl@bgdev.pl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ca2584d841b6 ("serial: qcom-geni: fix UART_RX_PAR_EN bit position")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |   60 +++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 30 deletions(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -39,57 +39,57 @@
 #define SE_UART_MANUAL_RFR		0x2ac
 
 /* SE_UART_TRANS_CFG */
-#define UART_TX_PAR_EN		BIT(0)
-#define UART_CTS_MASK		BIT(1)
+#define UART_TX_PAR_EN			BIT(0)
+#define UART_CTS_MASK			BIT(1)
 
 /* SE_UART_TX_STOP_BIT_LEN */
-#define TX_STOP_BIT_LEN_1	0
-#define TX_STOP_BIT_LEN_2	2
+#define TX_STOP_BIT_LEN_1		0
+#define TX_STOP_BIT_LEN_2		2
 
 /* SE_UART_RX_TRANS_CFG */
-#define UART_RX_PAR_EN		BIT(3)
+#define UART_RX_PAR_EN			BIT(3)
 
 /* SE_UART_RX_WORD_LEN */
-#define RX_WORD_LEN_MASK	GENMASK(9, 0)
+#define RX_WORD_LEN_MASK		GENMASK(9, 0)
 
 /* SE_UART_RX_STALE_CNT */
-#define RX_STALE_CNT		GENMASK(23, 0)
+#define RX_STALE_CNT			GENMASK(23, 0)
 
 /* SE_UART_TX_PARITY_CFG/RX_PARITY_CFG */
-#define PAR_CALC_EN		BIT(0)
-#define PAR_EVEN		0x00
-#define PAR_ODD			0x01
-#define PAR_SPACE		0x10
+#define PAR_CALC_EN			BIT(0)
+#define PAR_EVEN			0x00
+#define PAR_ODD				0x01
+#define PAR_SPACE			0x10
 
 /* SE_UART_MANUAL_RFR register fields */
-#define UART_MANUAL_RFR_EN	BIT(31)
-#define UART_RFR_NOT_READY	BIT(1)
-#define UART_RFR_READY		BIT(0)
+#define UART_MANUAL_RFR_EN		BIT(31)
+#define UART_RFR_NOT_READY		BIT(1)
+#define UART_RFR_READY			BIT(0)
 
 /* UART M_CMD OP codes */
-#define UART_START_TX		0x1
+#define UART_START_TX			0x1
 /* UART S_CMD OP codes */
-#define UART_START_READ		0x1
+#define UART_START_READ			0x1
 
-#define UART_OVERSAMPLING	32
-#define STALE_TIMEOUT		16
-#define DEFAULT_BITS_PER_CHAR	10
-#define GENI_UART_CONS_PORTS	1
-#define GENI_UART_PORTS		3
-#define DEF_FIFO_DEPTH_WORDS	16
-#define DEF_TX_WM		2
-#define DEF_FIFO_WIDTH_BITS	32
-#define UART_RX_WM		2
+#define UART_OVERSAMPLING		32
+#define STALE_TIMEOUT			16
+#define DEFAULT_BITS_PER_CHAR		10
+#define GENI_UART_CONS_PORTS		1
+#define GENI_UART_PORTS			3
+#define DEF_FIFO_DEPTH_WORDS		16
+#define DEF_TX_WM			2
+#define DEF_FIFO_WIDTH_BITS		32
+#define UART_RX_WM			2
 
 /* SE_UART_LOOPBACK_CFG */
-#define RX_TX_SORTED	BIT(0)
-#define CTS_RTS_SORTED	BIT(1)
-#define RX_TX_CTS_RTS_SORTED	(RX_TX_SORTED | CTS_RTS_SORTED)
+#define RX_TX_SORTED			BIT(0)
+#define CTS_RTS_SORTED			BIT(1)
+#define RX_TX_CTS_RTS_SORTED		(RX_TX_SORTED | CTS_RTS_SORTED)
 
 /* UART pin swap value */
-#define DEFAULT_IO_MACRO_IO0_IO1_MASK		GENMASK(3, 0)
+#define DEFAULT_IO_MACRO_IO0_IO1_MASK	GENMASK(3, 0)
 #define IO_MACRO_IO0_SEL		0x3
-#define DEFAULT_IO_MACRO_IO2_IO3_MASK		GENMASK(15, 4)
+#define DEFAULT_IO_MACRO_IO2_IO3_MASK	GENMASK(15, 4)
 #define IO_MACRO_IO2_IO3_SWAP		0x4640
 
 /* We always configure 4 bytes per FIFO word */




* [PATCH 6.1 477/522] serial: qcom-geni: fix UART_RX_PAR_EN bit position
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (475 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 476/522] tty: serial: qcom-geni-serial: align #define values Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 478/522] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Prasanna S, Konrad Dybcio,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Prasanna S <prasanna.s@oss.qualcomm.com>

[ Upstream commit ca2584d841b69391ffc4144840563d2e1a0018df ]

UART_RX_PAR_EN is incorrectly defined as bit 3, which triggers false
framing errors (S_GP_IRQ_1_EN) and causes received data to be dropped
when parity is enabled and the parity bit is 0.

Define UART_RX_PAR_EN as bit 4 of the SE_UART_RX_TRANS_CFG register, as
specified in the reference manual.

Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP")
Cc: stable <stable@kernel.org>
Signed-off-by: Prasanna S <prasanna.s@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260428-serial-bit-correct-v1-1-9131ad5b97d8@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -47,7 +47,7 @@
 #define TX_STOP_BIT_LEN_2		2
 
 /* SE_UART_RX_TRANS_CFG */
-#define UART_RX_PAR_EN			BIT(3)
+#define UART_RX_PAR_EN			BIT(4)
 
 /* SE_UART_RX_WORD_LEN */
 #define RX_WORD_LEN_MASK		GENMASK(9, 0)
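Review bot: the corrected "UART_RX_PAR_EN BIT(4)" still stands alone under the SE_UART_RX_TRANS_CFG comment, so the bit position cannot be checked from the source any more than the old BIT(3) could. A comment giving the field layout of this register from the reference manual, at least for the bits adjacent to the parity enable, would let a reader verify the value and would have exposed the original mistake.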




* [PATCH 6.1 478/522] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (476 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 477/522] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 479/522] usb: typec: ucsi: Dont update power_supply on power role change if not connected Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
	Martin K. Petersen, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 778c2ab142c625a8a8afa570e0f9b7873f445d99 ]

Two latent bugs in the Text-phase handler, both present since the
original LIO integration in commit e48354ce078c ("iscsi-target: Add
iSCSI fabric support for target v4.1"):

1) DataDigest CRC buffer overread (4 bytes past text_in).

   text_in is kzalloc()'d at ALIGN(payload_length, 4).  rx_size is then
   incremented by ISCSI_CRC_LEN to make room for the received DataDigest
   in the iovec, but the same (now-bumped) rx_size is passed as the
   buffer length to iscsit_crc_buf():

       if (conn->conn_ops->DataDigest) {
               ...
               rx_size += ISCSI_CRC_LEN;
       }
       ...
       if (conn->conn_ops->DataDigest) {
               data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL);

   iscsit_crc_buf() walks rx_size bytes of text_in with crc32c(), so
   when DataDigest is negotiated it reads 4 bytes past the end of the
   text_in allocation.  KASAN reproduces this directly on the unpatched
   mainline tree as slab-out-of-bounds in crc32c() called from the Text
   PDU path.  The OOB bytes feed crc32c() and are then compared against
   the initiator-supplied checksum, so the value does not flow back to
   the attacker, but the kernel does read past the buffer on every Text
   PDU with DataDigest=CRC32C.

   Fix by passing the actual padded payload length
   (ALIGN(payload_length, 4)) that was used for the kzalloc().

2) Stale cmd->text_in_ptr re-free (double-free) on ERL>0 bad DataDigest
   drop.

   On DataDigest mismatch with ErrorRecoveryLevel > 0 the handler
   silently drops the PDU and lets the initiator plug the CmdSN gap:

               kfree(text_in);
               return 0;

   cmd->text_in_ptr still points at the freed buffer.  The next Text
   Request on the same ITT re-enters iscsit_setup_text_cmd(), which
   unconditionally does

       kfree(cmd->text_in_ptr);
       cmd->text_in_ptr = NULL;

   freeing the same pointer a second time.  Session teardown via
   iscsit_release_cmd() has the same shape and hits the same double-free
   if the connection is dropped before a second Text Request arrives.

   On an unmodified mainline tree the bug-1 CRC overread fires first on
   the initial valid Text Request and perturbs the subsequent state, so
   #4 was isolated by building a kernel with only the bug-1 hunk of this
   patch applied plus temporary printk() observability around the three
   relevant kfree() sites.  The observability prints are not part of
   this patch.  On that build, a three-PDU Text Request sequence after
   login produces two back-to-back splats:

       BUG: KASAN: double-free in iscsit_setup_text_cmd+0x??
       BUG: KASAN: double-free in iscsit_release_cmd+0x??

   showing the same pointer freed in the ERL>0 drop path and again in
   iscsit_setup_text_cmd() (next Text Request on the same ITT) and once
   more in iscsit_release_cmd() (session teardown).  On distro kernels
   with CONFIG_SLAB_FREELIST_HARDENED=y (default) the double-free
   becomes a remote kernel BUG(); on non-hardened kernels it corrupts
   the slab freelist.

   Fix by clearing cmd->text_in_ptr after the kfree() in the ERL>0 drop
   path.  With both hunks applied #4 is directly observable on the stock
   tree without observability printks; fixing bug-1 alone would mask #4
   less, not more, so the hunks are submitted together.

Both fixes are one-liners.  The Text PDU state machine is unchanged and
the wire protocol is unaffected.

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2336,8 +2336,9 @@ iscsit_handle_text_cmd(struct iscsit_con
 
 		if (conn->conn_ops->DataDigest) {
 			iscsit_do_crypto_hash_buf(conn->conn_rx_hash,
-						  text_in, rx_size, 0, NULL,
-						  &data_crc);
+						  text_in,
+						  ALIGN(payload_length, 4),
+						  0, NULL, &data_crc);
 
 			if (checksum != data_crc) {
 				pr_err("Text data CRC32C DataDigest"
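Review bot: the length passed to iscsit_do_crypto_hash_buf() is now a second, hand-written copy of ALIGN(payload_length, 4), which per the changelog is also the size used for the kzalloc() of text_in. Computing that value once into a local (for example a text_len variable set before the allocation) and using it for both the allocation and the digest would keep the two from drifting apart again, which is exactly how rx_size ended up being used here.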
@@ -2357,6 +2358,7 @@ iscsit_handle_text_cmd(struct iscsit_con
 					" Command CmdSN: 0x%08x due to"
 					" DataCRC error.\n", hdr->cmdsn);
 					kfree(text_in);
+					cmd->text_in_ptr = NULL;
 					return 0;
 				}
 			} else {
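Review bot: "cmd->text_in_ptr = NULL" is added after "kfree(text_in)", so the fix relies on text_in and cmd->text_in_ptr referring to the same allocation at this point, which the hunk does not show. Freeing through the field and clearing it in the same place, the form the changelog quotes from iscsit_setup_text_cmd(), keeps the free and the clear tied to one object. The other exits of this function that free text_in should be checked for the same stale pointer.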




* [PATCH 6.1 479/522] usb: typec: ucsi: Dont update power_supply on power role change if not connected
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (477 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 478/522] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 480/522] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
	Sasha Levin, Sergey Senozhatsky

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>

[ Upstream commit d98d413ca65d0790a8f3695d0a5845538958ab84 ]

We only need to update the power_supply on power role change if the port
is connected, because otherwise the online status should be the same for
both cases.

Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-2-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ changed `UCSI_CONSTAT(con, CONNECTED)` accessor macro to `con->status.flags & UCSI_CONSTAT_CONNECTED` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -808,7 +808,12 @@ static void ucsi_handle_connector_change
 
 	if ((con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) && role != prev_role) {
 		typec_set_pwr_role(con->port, role);
-		ucsi_port_psy_changed(con);
+
+		/* Some power_supply properties vary depending on the power direction when
+		 * connected
+		 */
+		if (con->status.flags & UCSI_CONSTAT_CONNECTED)
+			ucsi_port_psy_changed(con);
 
 		/* Complete pending power role swap */
 		if (!completion_done(&con->complete))
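Review bot: the block comment added above the UCSI_CONSTAT_CONNECTED test starts its text on the "/*" line, which is the networking comment style; outside net/ the preferred form for a multi-line comment has "/*" alone on the first line. The comment would also be more useful if it named which power_supply properties depend on the power direction, since typec_set_pwr_role() is still called unconditionally and only the psy notification is being skipped.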




* [PATCH 6.1 480/522] netfilter: nft_fib: fix stale stack leak via the OIFNAME register
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (478 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 479/522] usb: typec: ucsi: Dont update power_supply on power role change if not connected Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 481/522] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal, Davide Ornaghi,
	Pablo Neira Ayuso, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Ornaghi <d.ornaghi97@gmail.com>

[ Upstream commit ab185e0c4fb82dfba6fb86f8271e06f931d9c64c ]

For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.

The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.

Fix both:

 - replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
   which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
   used on the other early-return path), and

 - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
   destination as a single u8, so the marked span matches the one byte
   the eval writes.

Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Suggested-by: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ kept the tree's existing `ip6_route_lookup`/`rt6_info` machinery (missing `fib6_lookup` refactor) and changed only `*dest = 0;` to `nft_fib_store_result(dest, priv, NULL)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/netfilter/nft_fib_ipv4.c |    2 +-
 net/ipv6/netfilter/nft_fib_ipv6.c |    2 +-
 net/netfilter/nft_fib.c           |    6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -122,7 +122,7 @@ void nft_fib4_eval(const struct nft_expr
 		fl4.saddr = get_saddr(iph->daddr);
 	}
 
-	*dest = 0;
+	nft_fib_store_result(dest, priv, NULL);
 
 	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
 		return;
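Review bot: nft_fib_store_result(dest, priv, NULL) replaces "*dest = 0" for every result type handled by nft_fib4_eval(), not only for OIFNAME, and the hunk does not show what the helper stores for the other result types when the device argument is NULL. The changelog covers the OIFNAME case (strscpy_pad() over IFNAMSIZ); please also state that the default written on the early-return paths is unchanged for the remaining result types.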
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -193,7 +193,7 @@ void nft_fib6_eval(const struct nft_expr
 		}
 	}
 
-	*dest = 0;
+	nft_fib_store_result(dest, priv, NULL);
 	rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
 				      lookup_flags);
 	if (rt->dst.error)
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -107,6 +107,12 @@ int nft_fib_init(const struct nft_ctx *c
 		return -EINVAL;
 	}
 
+	if (priv->flags & NFTA_FIB_F_PRESENT) {
+		if (priv->result != NFT_FIB_RESULT_OIF)
+			return -EINVAL;
+		len = sizeof(u8);
+	}
+
 	err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
 				       NULL, NFT_DATA_VALUE, len);
 	if (err < 0)
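Review bot: the new NFTA_FIB_F_PRESENT block returns -EINVAL for any result other than NFT_FIB_RESULT_OIF, so rules that combined the flag with another result type and loaded before will now be rejected. That is a user-visible change for a stable release and deserves an explicit sentence in the changelog. A comment on "len = sizeof(u8)" saying that it matches the single byte stored via nft_reg_store8() in the eval path would also explain why the length chosen earlier in nft_fib_init() is overridden.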




* [PATCH 6.1 481/522] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (479 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 480/522] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 482/522] mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb() Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Anton Leontev, Paolo Abeni,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Leontev <leontyevantony@gmail.com>

[ Upstream commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af ]

netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
send buffer using phys_to_virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys_to_virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.

Map the pages with kmap_local_page() instead, handling two properties
of the page buffer entries:

 - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
   not a native PFN. Reconstruct the physical address first and derive
   the native page from it, so the mapping stays correct where
   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).

 - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
   grouping in the page buffer array"), an entry describes a full
   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
   while kmap_local_page() maps a single page. Copy page by page,
   splitting at native page boundaries.

The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp_partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
no mapping work is added.

Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path")
Cc: stable@vger.kernel.org
Signed-off-by: Anton Leontev <leontyevantony@gmail.com>
Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ adapted `phys_to_page(paddr)` to `pfn_to_page(PHYS_PFN(paddr))` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/hyperv/netvsc.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -12,6 +12,7 @@
 #include <linux/sched.h>
 #include <linux/wait.h>
 #include <linux/mm.h>
+#include <linux/highmem.h>
 #include <linux/delay.h>
 #include <linux/io.h>
 #include <linux/slab.h>
@@ -992,12 +993,22 @@ static void netvsc_copy_to_send_buf(stru
 	}
 
 	for (i = 0; i < page_count; i++) {
-		char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT);
-		u32 offset = pb[i].offset;
+		phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) +
+				    pb[i].offset;
 		u32 len = pb[i].len;
 
-		memcpy(dest, (src + offset), len);
-		dest += len;
+		while (len) {
+			struct page *page = pfn_to_page(PHYS_PFN(paddr));
+			u32 off = offset_in_page(paddr);
+			u32 chunk = min_t(u32, len, PAGE_SIZE - off);
+			char *src = kmap_local_page(page);
+
+			memcpy(dest, src + off, chunk);
+			kunmap_local(src);
+			dest += chunk;
+			paddr += chunk;
+			len -= chunk;
+		}
 	}
 
 	if (padding)
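Review bot: in the new paddr initialiser, "pb[i].pfn << HV_HYP_PAGE_SHIFT" is evaluated in the type of the pfn field and only afterwards converted to phys_addr_t. Since this path is being fixed for 32-bit HIGHMEM configurations, an explicit "(phys_addr_t)pb[i].pfn << HV_HYP_PAGE_SHIFT" would make the intended width visible at the point of use instead of depending on the field's declaration. The per-page loop itself pairs every kmap_local_page() with a kunmap_local() before the next iteration, which is the required nesting.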




* [PATCH 6.1 482/522] mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (480 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 481/522] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 483/522] mm/migrate: dont call folio_putback_active_hugetlb() on dst hugetlb folio Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
	Matthew Wilcox (Oracle), Baolin Wang, Muchun Song,
	Sidhartha Kumar, Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <david@redhat.com>

[ Upstream commit 4c640f128074e0d4459ecf072595a44df5c2ae18 ]

Let's make the function name match "folio_isolate_lru()", and add some
kernel doc.

Link: https://lkml.kernel.org/r/20250113131611.2554758-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 3c2d42b8ee34 ("mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/hugetlb.h |    4 ++--
 mm/gup.c                |    2 +-
 mm/hugetlb.c            |   23 ++++++++++++++++++++---
 mm/memory-failure.c     |    2 +-
 mm/memory_hotplug.c     |    2 +-
 mm/mempolicy.c          |    2 +-
 mm/migrate.c            |    4 ++--
 7 files changed, 28 insertions(+), 11 deletions(-)

--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -182,7 +182,7 @@ bool hugetlb_reserve_pages(struct inode
 						vm_flags_t vm_flags);
 long hugetlb_unreserve_pages(struct inode *inode, long start, long end,
 						long freed);
-int isolate_hugetlb(struct page *page, struct list_head *list);
+int folio_isolate_hugetlb(struct page *page, struct list_head *list);
 int get_hwpoison_huge_page(struct page *page, bool *hugetlb);
 int get_huge_page_for_hwpoison(unsigned long pfn, int flags);
 void putback_active_hugepage(struct page *page);
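
Review bot: The new name `folio_isolate_hugetlb()` reads as a folio API, but the prototype in this hunk still takes `struct page *page`, and so does the stub in the next hunk. If that is a deliberate 6.1 adaptation, a bracketed backport note in the changelog (as patch 481 in this series carries) would keep the next reader from assuming a folio argument.
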
@@ -428,7 +428,7 @@ static inline pte_t *huge_pte_offset(str
 	return NULL;
 }
 
-static inline int isolate_hugetlb(struct page *page, struct list_head *list)
+static inline int folio_isolate_hugetlb(struct page *page, struct list_head *list)
 {
 	return -EBUSY;
 }
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1986,7 +1986,7 @@ static unsigned long collect_longterm_un
 			continue;
 
 		if (folio_test_hugetlb(folio)) {
-			isolate_hugetlb(&folio->page, movable_page_list);
+			folio_isolate_hugetlb(&folio->page, movable_page_list);
 			continue;
 		}
 
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2994,7 +2994,7 @@ retry:
 		 * Fail with -EBUSY if not possible.
 		 */
 		spin_unlock_irq(&hugetlb_lock);
-		ret = isolate_hugetlb(old_page, list);
+		ret = folio_isolate_hugetlb(old_page, list);
 		spin_lock_irq(&hugetlb_lock);
 		goto free_new;
 	} else if (!HPageFreed(old_page)) {
@@ -3070,7 +3070,7 @@ int isolate_or_dissolve_huge_page(struct
 	if (hstate_is_gigantic(h))
 		return -ENOMEM;
 
-	if (page_count(head) && !isolate_hugetlb(head, list))
+	if (page_count(head) && !folio_isolate_hugetlb(head, list))
 		ret = 0;
 	else if (!page_count(head))
 		ret = alloc_and_dissolve_huge_page(h, head, list);
@@ -7445,7 +7445,24 @@ follow_huge_pgd(struct mm_struct *mm, un
 	return pte_page(*(pte_t *)pgd) + ((address & ~PGDIR_MASK) >> PAGE_SHIFT);
 }
 
-int isolate_hugetlb(struct page *page, struct list_head *list)
+/**
+ * folio_isolate_hugetlb - try to isolate an allocated hugetlb page
+ * @page: the page to isolate
+ * @list: the list to add the page to on success
+ *
+ * Isolate an allocated (refcount > 0) hugetlb page, marking it as
+ * isolated/non-migratable, and moving it from the active list to the
+ * given list.
+ *
+ * Isolation will fail if @page is not an allocated hugetlb page, or if
+ * it is already isolated/non-migratable.
+ *
+ * On success, an additional page reference is taken that must be dropped
+ * using putback_active_hugepage() to undo the isolation.
+ *
+ * Return: 0 if isolation worked, otherwise -EBUSY.
+ */
+int folio_isolate_hugetlb(struct page *page, struct list_head *list)
 {
 	int ret = 0;
 
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2444,7 +2444,7 @@ static bool isolate_page(struct page *pa
 	bool isolated = false;
 
 	if (PageHuge(page)) {
-		isolated = !isolate_hugetlb(page, pagelist);
+		isolated = !folio_isolate_hugetlb(page, pagelist);
 	} else {
 		bool lru = !__PageMovable(page);
 
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1641,7 +1641,7 @@ do_migrate_range(unsigned long start_pfn
 
 		if (PageHuge(page)) {
 			pfn = page_to_pfn(head) + compound_nr(head) - 1;
-			isolate_hugetlb(head, &source);
+			folio_isolate_hugetlb(head, &source);
 			continue;
 		} else if (PageTransHuge(page))
 			pfn = page_to_pfn(head) + thp_nr_pages(page) - 1;
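
Review bot: The result of `folio_isolate_hugetlb(head, &source)` is discarded at this call site, while the kernel-doc this patch adds in mm/hugetlb.c documents an -EBUSY failure. Since the patch is about documenting the contract, a one-line comment here saying why a failed isolation is acceptable before the `continue` would match it.
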
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -598,7 +598,7 @@ static int queue_pages_hugetlb(pte_t *pt
 	if (flags & (MPOL_MF_MOVE_ALL) ||
 	    (flags & MPOL_MF_MOVE && page_mapcount(page) == 1 &&
 	     !hugetlb_pmd_shared(pte))) {
-		if (isolate_hugetlb(page, qp->pagelist) &&
+		if (folio_isolate_hugetlb(page, qp->pagelist) &&
 			(flags & MPOL_MF_STRICT))
 			/*
 			 * Failed to isolate page but allow migrating pages
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -133,7 +133,7 @@ static void putback_movable_page(struct
  *
  * This function shall be used whenever the isolated pageset has been
  * built from lru, balloon, hugetlbfs page. See isolate_migratepages_range()
- * and isolate_hugetlb().
+ * and folio_isolate_hugetlb().
  */
 void putback_movable_pages(struct list_head *l)
 {
@@ -1995,7 +1995,7 @@ static int add_page_for_migration(struct
 
 	if (PageHuge(page)) {
 		if (PageHead(page)) {
-			err = isolate_hugetlb(page, pagelist);
+			err = folio_isolate_hugetlb(page, pagelist);
 			if (!err)
 				err = 1;
 		}



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 483/522] mm/migrate: dont call folio_putback_active_hugetlb() on dst hugetlb folio
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (481 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 482/522] mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 484/522] mm/hugetlb: rename folio_putback_active_hugetlb() to folio_putback_hugetlb() Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Baolin Wang,
	Matthew Wilcox (Oracle), Muchun Song, Sidhartha Kumar,
	Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <david@redhat.com>

[ Upstream commit ba23f58de896842028b4b33b95530f08288396fe ]

We replaced a simple put_page() by a putback_active_hugepage() call in
commit 3aaa76e125c1 ("mm: migrate: hugetlb: putback destination hugepage
to active list"), to set the "active" flag on the dst hugetlb folio.

Nowadays, we decoupled the "active" list from the flag, by calling the
flag "migratable".

Calling "putback" on something that wasn't allocated is weird and not
future proof, especially if we might reach that path when migration failed
and we just want to free the freshly allocated hugetlb folio.

Let's simply handle the migratable flag and the active list flag in
move_hugetlb_state(), where we know that allocation succeeded and already
handle the temporary flag; use a simple folio_put() to return our
reference.

Link: https://lkml.kernel.org/r/20250113131611.2554758-4-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 3c2d42b8ee34 ("mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |   10 ++++++++++
 mm/migrate.c |    8 ++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7555,6 +7555,16 @@ void move_hugetlb_state(struct page *old
 		}
 		spin_unlock_irq(&hugetlb_lock);
 	}
+
+	/*
+	 * Our old page is isolated and has "migratable" cleared until it
+	 * is putback. As migration succeeded, set the new page "migratable"
+	 * and add it to the active list.
+	 */
+	spin_lock_irq(&hugetlb_lock);
+	SetHPageMigratable(newpage);
+	list_move_tail(&newpage->lru, &(page_hstate(newpage))->hugepage_activelist);
+	spin_unlock_irq(&hugetlb_lock);
 }
 
 /*
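
Review bot: The added block takes `hugetlb_lock` again right after the context above it released the lock with `spin_unlock_irq(&hugetlb_lock)`, and it does so unconditionally on every call to move_hugetlb_state(). Please say in the function comment that callers must not hold hugetlb_lock and must be in a context where `spin_lock_irq()` is valid. The comment also states "As migration succeeded", which nothing in the visible lines checks, so it is a caller contract that deserves the same mention.
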
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1460,14 +1460,14 @@ out:
 		list_move_tail(&src->lru, ret);
 
 	/*
-	 * If migration was not successful and there's a freeing callback, use
-	 * it.  Otherwise, put_page() will drop the reference grabbed during
-	 * isolation.
+	 * If migration was not successful and there's a freeing callback,
+	 * return the folio to that special allocator. Otherwise, simply drop
+	 * our additional reference.
 	 */
 	if (put_new_page)
 		put_new_page(new_hpage, private);
 	else
-		putback_active_hugepage(new_hpage);
+		folio_put(dst);
 
 	return rc;
 }
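
Review bot: The two branches at the end of this hunk now name the destination differently: `put_new_page(new_hpage, private)` in one and `folio_put(dst)` in the other. Neither declaration is in the hunk, so please confirm that in the 6.1 tree `dst` is always the folio of `new_hpage` on every path that reaches `out:`, and consider using one name in both branches so the pairing is obvious.
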



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 484/522] mm/hugetlb: rename folio_putback_active_hugetlb() to folio_putback_hugetlb()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (482 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 483/522] mm/migrate: dont call folio_putback_active_hugetlb() on dst hugetlb folio Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 485/522] mm/memory-failure: fix missing ->mf_stats count in hugetlb poison Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Baolin Wang,
	Matthew Wilcox (Oracle), Muchun Song, Sidhartha Kumar,
	Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <david@redhat.com>

[ Upstream commit b235448e8cab7eea17d164efc7bf55505985ba65 ]

Now that folio_putback_hugetlb() is only called on folios that were
previously isolated through folio_isolate_hugetlb(), let's rename it to
match folio_putback_lru().

Add some kernel doc to clarify how this function is supposed to be used.

Link: https://lkml.kernel.org/r/20250113131611.2554758-5-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 3c2d42b8ee34 ("mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/hugetlb.h |    4 ++--
 mm/hugetlb.c            |   15 +++++++++++++--
 mm/migrate.c            |    6 +++---
 3 files changed, 18 insertions(+), 7 deletions(-)

--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -185,7 +185,7 @@ long hugetlb_unreserve_pages(struct inod
 int folio_isolate_hugetlb(struct page *page, struct list_head *list);
 int get_hwpoison_huge_page(struct page *page, bool *hugetlb);
 int get_huge_page_for_hwpoison(unsigned long pfn, int flags);
-void putback_active_hugepage(struct page *page);
+void folio_putback_hugetlb(struct page *page);
 void move_hugetlb_state(struct page *oldpage, struct page *newpage, int reason);
 void free_huge_page(struct page *page);
 void hugetlb_fix_reserve_counts(struct inode *inode);
@@ -443,7 +443,7 @@ static inline int get_huge_page_for_hwpo
 	return 0;
 }
 
-static inline void putback_active_hugepage(struct page *page)
+static inline void folio_putback_hugetlb(struct page *page)
 {
 }
 
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7458,7 +7458,7 @@ follow_huge_pgd(struct mm_struct *mm, un
  * it is already isolated/non-migratable.
  *
  * On success, an additional page reference is taken that must be dropped
- * using putback_active_hugepage() to undo the isolation.
+ * using folio_putback_hugetlb() to undo the isolation.
  *
  * Return: 0 if isolation worked, otherwise -EBUSY.
  */
@@ -7509,7 +7509,18 @@ int get_huge_page_for_hwpoison(unsigned
 	return ret;
 }
 
-void putback_active_hugepage(struct page *page)
+/**
+ * folio_putback_hugetlb - unisolate a hugetlb page
+ * @page: the isolated hugetlb page
+ *
+ * Putback/un-isolate the hugetlb page that was previous isolated using
+ * folio_isolate_hugetlb(): marking it non-isolated/migratable and putting it
+ * back onto the active list.
+ *
+ * Will drop the additional page reference obtained through
+ * folio_isolate_hugetlb().
+ */
+void folio_putback_hugetlb(struct page *page)
 {
 	spin_lock_irq(&hugetlb_lock);
 	SetHPageMigratable(page);
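
Review bot: The new kernel-doc has a typo in "that was previous isolated using", which should read "previously isolated". It would also help to state in the same comment that the function takes hugetlb_lock itself, as the `spin_lock_irq(&hugetlb_lock)` in the body shows, so callers know not to hold it.
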
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -142,7 +142,7 @@ void putback_movable_pages(struct list_h
 
 	list_for_each_entry_safe(page, page2, l, lru) {
 		if (unlikely(PageHuge(page))) {
-			putback_active_hugepage(page);
+			folio_putback_hugetlb(page);
 			continue;
 		}
 		list_del(&page->lru);
@@ -1371,7 +1371,7 @@ static int unmap_and_move_huge_page(new_
 
 	if (folio_ref_count(src) == 1) {
 		/* page was freed from under us. So we are done. */
-		putback_active_hugepage(hpage);
+		folio_putback_hugetlb(hpage);
 		return MIGRATEPAGE_SUCCESS;
 	}
 
@@ -1455,7 +1455,7 @@ out_unlock:
 	folio_unlock(src);
 out:
 	if (rc == MIGRATEPAGE_SUCCESS)
-		putback_active_hugepage(hpage);
+		folio_putback_hugetlb(hpage);
 	else if (rc != -EAGAIN)
 		list_move_tail(&src->lru, ret);
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 485/522] mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (483 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 484/522] mm/hugetlb: rename folio_putback_active_hugetlb() to folio_putback_hugetlb() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 486/522] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jane Chu, Miaohe Lin, Chris Mason,
	David Hildenbrand, David Rientjes, Jiaqi Yan, Liam R. Howlett,
	Lorenzo Stoakes, Matthew Wilcox (Oracle), Michal Hocko,
	Mike Rapoport, Muchun Song, Naoya Horiguchi, Oscar Salvador,
	Suren Baghdasaryan, William Roche, Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jane Chu <jane.chu@oracle.com>

[ Upstream commit a148a2040191b12b45b82cb29c281cb3036baf90 ]

When a newly poisoned subpage ends up in an already poisoned hugetlb
folio, 'num_poisoned_pages' is incremented, but the per node ->mf_stats is
not.  Fix the inconsistency by designating action_result() to update them
both.

While at it, define __get_huge_page_for_hwpoison() return values in terms
of symbol names for better readability.  Also rename
folio_set_hugetlb_hwpoison() to hugetlb_update_hwpoison() since the
function does more than the conventional bit setting and the fact three
possible return values are expected.

Link: https://lkml.kernel.org/r/20260120232234.3462258-1-jane.chu@oracle.com
Fixes: 18f41fa616ee ("mm: memory-failure: bump memory failure stats to pglist_data")
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Chris Mason <clm@meta.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Jiaqi Yan <jiaqiyan@google.com>
Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: William Roche <william.roche@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 3c2d42b8ee34 ("mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory-failure.c |   71 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 43 insertions(+), 28 deletions(-)

--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1730,12 +1730,22 @@ static unsigned long __free_raw_hwp_page
 	return count;
 }
 
-static int hugetlb_set_page_hwpoison(struct page *hpage, struct page *page)
+#define	MF_HUGETLB_FREED		0	/* freed hugepage */
+#define	MF_HUGETLB_IN_USED		1	/* in-use hugepage */
+#define	MF_HUGETLB_NON_HUGEPAGE		2	/* not a hugepage */
+#define	MF_HUGETLB_FOLIO_PRE_POISONED	3	/* folio already poisoned */
+#define	MF_HUGETLB_PAGE_PRE_POISONED	4	/* exact page already poisoned */
+#define	MF_HUGETLB_RETRY		5	/* hugepage is busy, retry */
+/*
+ * Set hugetlb page as hwpoisoned, update page private raw hwpoison list
+ * to keep track of the poisoned pages.
+ */
+static int hugetlb_update_hwpoison(struct page *hpage, struct page *page)
 {
 	struct llist_head *head;
 	struct raw_hwp_page *raw_hwp;
 	struct llist_node *t, *tnode;
-	int ret = TestSetPageHWPoison(hpage) ? -EHWPOISON : 0;
+	int ret = TestSetPageHWPoison(hpage) ? MF_HUGETLB_FOLIO_PRE_POISONED : 0;
 
 	/*
 	 * Once the hwpoison hugepage has lost reliable raw error info,
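
Review bot: The numeric order of the new MF_HUGETLB_* defines is load-bearing, because a later hunk in this patch tests `rc >= MF_HUGETLB_FOLIO_PRE_POISONED`, yet nothing at the definitions says so. Add a comment that the PRE_POISONED values must stay above the others, or compare against the two values explicitly. In the same hunk, the initializer `TestSetPageHWPoison(hpage) ? MF_HUGETLB_FOLIO_PRE_POISONED : 0` still uses a bare 0, which now collides with MF_HUGETLB_FREED; a named success value would avoid mixing the two meanings. MF_HUGETLB_IN_USED also looks like it wants to be IN_USE.
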
@@ -1743,13 +1753,13 @@ static int hugetlb_set_page_hwpoison(str
 	 * so skip to add additional raw error info.
 	 */
 	if (HPageRawHwpUnreliable(hpage))
-		return -EHWPOISON;
+		return MF_HUGETLB_FOLIO_PRE_POISONED;
 	head = raw_hwp_list_head(hpage);
 	llist_for_each_safe(tnode, t, head->first) {
 		struct raw_hwp_page *p = container_of(tnode, struct raw_hwp_page, node);
 
 		if (p->page == page)
-			return -EHWPOISON;
+			return MF_HUGETLB_PAGE_PRE_POISONED;
 	}
 
 	raw_hwp = kmalloc(sizeof(struct raw_hwp_page), GFP_ATOMIC);
@@ -1804,41 +1814,38 @@ void hugetlb_clear_page_hwpoison(struct
 
 /*
  * Called from hugetlb code with hugetlb_lock held.
- *
- * Return values:
- *   0             - free hugepage
- *   1             - in-use hugepage
- *   2             - not a hugepage
- *   -EBUSY        - the hugepage is busy (try to retry)
- *   -EHWPOISON    - the hugepage is already hwpoisoned
  */
 int __get_huge_page_for_hwpoison(unsigned long pfn, int flags)
 {
 	struct page *page = pfn_to_page(pfn);
 	struct page *head = compound_head(page);
-	int ret = 2;	/* fallback to normal page handling */
 	bool count_increased = false;
+	int ret, rc;
 
-	if (!PageHeadHuge(head))
+	if (!PageHeadHuge(head)) {
+		ret = MF_HUGETLB_NON_HUGEPAGE;
 		goto out;
-
-	if (flags & MF_COUNT_INCREASED) {
-		ret = 1;
+	} else if (flags & MF_COUNT_INCREASED) {
+		ret = MF_HUGETLB_IN_USED;
 		count_increased = true;
 	} else if (HPageFreed(head)) {
-		ret = 0;
+		ret = MF_HUGETLB_FREED;
 	} else if (HPageMigratable(head)) {
-		ret = get_page_unless_zero(head);
-		if (ret)
+		if (get_page_unless_zero(head)) {
+			ret = MF_HUGETLB_IN_USED;
 			count_increased = true;
+		} else {
+			ret = MF_HUGETLB_FREED;
+		}
 	} else {
-		ret = -EBUSY;
+		ret = MF_HUGETLB_RETRY;
 		if (!(flags & MF_NO_RETRY))
 			goto out;
 	}
 
-	if (hugetlb_set_page_hwpoison(head, page)) {
-		ret = -EHWPOISON;
+	rc = hugetlb_update_hwpoison(head, page);
+	if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) {
+		ret = rc;
 		goto out;
 	}
 
@@ -1854,6 +1861,12 @@ out:
  * with basic operations like hugepage allocation/free/demotion.
  * So some of prechecks for hwpoison (pinning, and testing/setting
  * PageHWPoison) should be done in single hugetlb_lock range.
+ * Returns:
+ *	0		- not hugetlb, or recovered
+ *	-EBUSY		- not recovered
+ *	-EOPNOTSUPP	- hwpoison_filter'ed
+ *	-EHWPOISON	- folio or exact page already poisoned
+ *	-EFAULT		- kill_accessing_process finds current->mm null
  */
 static int try_memory_failure_hugetlb(unsigned long pfn, int flags, int *hugetlb)
 {
@@ -1865,23 +1878,25 @@ static int try_memory_failure_hugetlb(un
 	*hugetlb = 1;
 retry:
 	res = get_huge_page_for_hwpoison(pfn, flags);
-	if (res == 2) { /* fallback to normal page handling */
+	if (res == MF_HUGETLB_NON_HUGEPAGE) { /* fallback to normal page handling */
 		*hugetlb = 0;
 		return 0;
-	} else if (res == -EHWPOISON) {
+	} else if (res == MF_HUGETLB_FOLIO_PRE_POISONED ||
+		   res == MF_HUGETLB_PAGE_PRE_POISONED) {
 		pr_err("%#lx: already hardware poisoned\n", pfn);
+		res = -EHWPOISON;
 		if (flags & MF_ACTION_REQUIRED) {
 			head = compound_head(p);
 			res = kill_accessing_process(current, page_to_pfn(head), flags);
 		}
 		return res;
-	} else if (res == -EBUSY) {
+	} else if (res == MF_HUGETLB_RETRY) {
 		if (!(flags & MF_NO_RETRY)) {
 			flags |= MF_NO_RETRY;
 			goto retry;
 		}
 		action_result(pfn, MF_MSG_UNKNOWN, MF_IGNORED);
-		return res;
+		return -EBUSY;
 	}
 
 	head = compound_head(p);
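
Review bot: The changelog says the fix is made "by designating action_result() to update them both", but the pre-poisoned branch in this hunk only maps the two new codes to -EHWPOISON and adds no action_result() call, and none of the other hunks adds one either. If the 6.1 version is carried only as a dependency for the later deadlock fix, a bracketed backport note saying that the accounting part was dropped would make this clear. Also note that `res = -EHWPOISON` is overwritten by `kill_accessing_process()` when MF_ACTION_REQUIRED is set, which matches the -EFAULT entry in the new Returns list but is easy to miss.
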
@@ -1890,7 +1905,7 @@ retry:
 	if (hwpoison_filter(p)) {
 		hugetlb_clear_page_hwpoison(head);
 		unlock_page(head);
-		if (res == 1)
+		if (res == MF_HUGETLB_IN_USED)
 			put_page(head);
 		return -EOPNOTSUPP;
 	}
@@ -1899,7 +1914,7 @@ retry:
 	 * Handling free hugepage.  The possible race with hugepage allocation
 	 * or demotion can be prevented by PageHWPoison flag.
 	 */
-	if (res == 0) {
+	if (res == MF_HUGETLB_FREED) {
 		unlock_page(head);
 		if (__page_handle_poison(p) > 0) {
 			page_ref_inc(p);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 486/522] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (484 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 485/522] mm/memory-failure: fix missing ->mf_stats count in hugetlb poison Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 487/522] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wupeng Ma, Oscar Salvador (SUSE),
	Muchun Song, Kefeng Wang, Miaohe Lin, David Hildenbrand,
	Liam Howlett, Lorenzo Stoakes, Michal Hocko, Mike Rapoport,
	Naoya Horiguchi, Suren Baghdasaryan, Vlastimil Babka,
	Andrew Morton, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wupeng Ma <mawupeng1@huawei.com>

[ Upstream commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e ]

Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
when racing with a concurrent unmap:

  thread#0                              thread#1
  --------                              --------
  madvise(folio, MADV_HWPOISON)
    -> poisons the folio successfully
  madvise(folio, MADV_HWPOISON)         unmap(folio)
    try_memory_failure_hugetlb
      get_huge_page_for_hwpoison
        spin_lock_irq(&hugetlb_lock)    <- held
        __get_huge_page_for_hwpoison
          hugetlb_update_hwpoison()
            -> MF_HUGETLB_FOLIO_PRE_POISONED
          goto out:
            folio_put()
              refcount: 1 -> 0
              free_huge_folio()
                spin_lock_irqsave(&hugetlb_lock)
                  -> AA DEADLOCK!

The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
the GUP reference while the hugetlb_lock is still held by the hugetlb.c
wrapper get_huge_page_for_hwpoison().  If concurrent unmap has released
the page table mapping reference, folio_put() drops the folio refcount to
zero, triggering free_huge_folio() which attempts to re-acquire the
non-recursive hugetlb_lock.

Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
into get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the
folio_put() at the out: label so the folio is always released outside the
lock.

[akpm@linux-foundation.org: fix race, rename label per Miaohe]
  Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com
  Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com
Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com
Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Acked-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/hugetlb.h |    6 ------
 include/linux/mm.h      |    5 -----
 mm/hugetlb.c            |   10 ----------
 mm/memory-failure.c     |   19 ++++++++++---------
 4 files changed, 10 insertions(+), 30 deletions(-)

--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -184,7 +184,6 @@ long hugetlb_unreserve_pages(struct inod
 						long freed);
 int folio_isolate_hugetlb(struct page *page, struct list_head *list);
 int get_hwpoison_huge_page(struct page *page, bool *hugetlb);
-int get_huge_page_for_hwpoison(unsigned long pfn, int flags);
 void folio_putback_hugetlb(struct page *page);
 void move_hugetlb_state(struct page *oldpage, struct page *newpage, int reason);
 void free_huge_page(struct page *page);
@@ -437,11 +436,6 @@ static inline int get_hwpoison_huge_page
 {
 	return 0;
 }
-
-static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags)
-{
-	return 0;
-}
 
 static inline void folio_putback_hugetlb(struct page *page)
 {
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3429,15 +3429,10 @@ extern atomic_long_t num_poisoned_pages
 extern int soft_offline_page(unsigned long pfn, int flags);
 #ifdef CONFIG_MEMORY_FAILURE
 extern void memory_failure_queue(unsigned long pfn, int flags);
-extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags);
 #else
 static inline void memory_failure_queue(unsigned long pfn, int flags)
 {
 }
-static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags)
-{
-	return 0;
-}
 #endif
 
 #ifndef arch_memory_failure
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7499,16 +7499,6 @@ int get_hwpoison_huge_page(struct page *
 	return ret;
 }
 
-int get_huge_page_for_hwpoison(unsigned long pfn, int flags)
-{
-	int ret;
-
-	spin_lock_irq(&hugetlb_lock);
-	ret = __get_huge_page_for_hwpoison(pfn, flags);
-	spin_unlock_irq(&hugetlb_lock);
-	return ret;
-}
-
 /**
  * folio_putback_hugetlb - unisolate a hugetlb page
  * @page: the isolated hugetlb page
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1812,19 +1812,18 @@ void hugetlb_clear_page_hwpoison(struct
 	free_raw_hwp_pages(hpage, true);
 }
 
-/*
- * Called from hugetlb code with hugetlb_lock held.
- */
-int __get_huge_page_for_hwpoison(unsigned long pfn, int flags)
+static int get_huge_page_for_hwpoison(unsigned long pfn, int flags)
 {
 	struct page *page = pfn_to_page(pfn);
-	struct page *head = compound_head(page);
+	struct page *head;
 	bool count_increased = false;
 	int ret, rc;
 
+	spin_lock_irq(&hugetlb_lock);
+	head = compound_head(page);
 	if (!PageHeadHuge(head)) {
 		ret = MF_HUGETLB_NON_HUGEPAGE;
-		goto out;
+		goto out_unlock;
 	} else if (flags & MF_COUNT_INCREASED) {
 		ret = MF_HUGETLB_IN_USED;
 		count_increased = true;
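
Review bot: This function now takes `spin_lock_irq(&hugetlb_lock)` directly from mm/memory-failure.c, and the same patch removes both static inline stubs of the old entry points from the headers. The diff adds no include or guard here, so please confirm with a build where hugetlb support is disabled that `hugetlb_lock` is declared and that the new static function and its caller are compiled out together.
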
@@ -1840,17 +1839,19 @@ int __get_huge_page_for_hwpoison(unsigne
 	} else {
 		ret = MF_HUGETLB_RETRY;
 		if (!(flags & MF_NO_RETRY))
-			goto out;
+			goto out_unlock;
 	}
 
 	rc = hugetlb_update_hwpoison(head, page);
 	if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) {
 		ret = rc;
-		goto out;
+		goto out_unlock;
 	}
 
+	spin_unlock_irq(&hugetlb_lock);
 	return ret;
-out:
+out_unlock:
+	spin_unlock_irq(&hugetlb_lock);
 	if (count_increased)
 		put_page(head);
 	return ret;
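
Review bot: The whole fix rests on `put_page(head)` staying after `spin_unlock_irq(&hugetlb_lock)` at `out_unlock:`, but the hunk removes the only comment about locking and adds none. A short comment at the label saying the reference must be dropped outside hugetlb_lock, because the final put can reach the free path that takes the same lock, would protect the ordering from a later cleanup. The changelog speaks of folio_put() while this backport uses `put_page(head)`; a bracketed note would explain the difference.
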



^ permalink raw reply	[flat|nested] 906+ messages in thread
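
The lock ordering described in the commit message above, as an added single-threaded user-space model (not code from the patch or from the kernel). All model_* names are hypothetical, and the model lock records a re-acquisition by its holder instead of spinning forever.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model. All model_* names are hypothetical. */
struct model_lock {
	bool held;
	int self_deadlocks;	/* times the holder tried to take it again */
};

struct model_folio {
	int refcount;
	bool freed;
};

static struct model_lock hugetlb_lock_model;

/* A real non-recursive spinlock would spin here; the model counts it. */
static bool model_lock_acquire(struct model_lock *l)
{
	if (l->held) {
		l->self_deadlocks++;
		return false;
	}
	l->held = true;
	return true;
}

static void model_lock_release(struct model_lock *l)
{
	l->held = false;
}

/* Stand-in for the free path, which needs the lock to update lists. */
static void model_free_folio(struct model_folio *f)
{
	if (!model_lock_acquire(&hugetlb_lock_model))
		return;		/* the real code never gets past this point */
	f->freed = true;
	model_lock_release(&hugetlb_lock_model);
}

/* Dropping the last reference runs the free path in the caller. */
static void model_folio_put(struct model_folio *f)
{
	if (--f->refcount == 0)
		model_free_folio(f);
}

/*
 * Replays the interleaving from the commit message: the caller holds a
 * GUP reference on an already poisoned folio, and a concurrent unmap
 * drops the mapping reference while the lock is held.
 * Returns how many times the lock holder tried to re-acquire the lock.
 */
static int run_scenario(bool put_after_unlock, struct model_folio *f)
{
	hugetlb_lock_model = (struct model_lock){ .held = false };
	*f = (struct model_folio){ .refcount = 2 };	/* mapping + GUP */

	model_lock_acquire(&hugetlb_lock_model);
	f->refcount--;		/* concurrent unmap: 2 -> 1 */

	if (put_after_unlock) {
		/* ordering after the fix: unlock, then drop the reference */
		model_lock_release(&hugetlb_lock_model);
		model_folio_put(f);
	} else {
		/* ordering before the fix: final put under the lock */
		model_folio_put(f);
		model_lock_release(&hugetlb_lock_model);
	}
	return hugetlb_lock_model.self_deadlocks;
}

int main(void)
{
	struct model_folio f;

	printf("put under lock:    self-deadlocks=%d freed=%d\n",
	       run_scenario(false, &f), f.freed);
	printf("put after unlock:  self-deadlocks=%d freed=%d\n",
	       run_scenario(true, &f), f.freed);
	return 0;
}
```
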

* [PATCH 6.1 487/522] RDMA/umem: fix kernel-doc warnings
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (485 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 486/522] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 488/522] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Leon Romanovsky,
	Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit ff46d1392750444fab5ae5a0194764ffdc4ac0d2 ]

Add or correct kernel-doc comments to eliminate warnings:

Warning: include/rdma/ib_umem.h:104 function parameter 'biter' not
 described in 'rdma_umem_for_each_dma_block'
Warning: include/rdma/ib_umem.h:140 function parameter 'pgsz_bitmap' not
 described in 'ib_umem_find_best_pgoff'
Warning: include/rdma/ib_umem.h:141 No description found for return
 value of 'ib_umem_find_best_pgoff'

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260224003120.3173892-1-rdunlap@infradead.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: 15fe76e23615 ("RDMA/umem: Fix truncation for block sizes >= 4G")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/rdma/ib_umem.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -90,6 +90,7 @@ static inline bool __rdma_umem_block_ite
 /**
  * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
  * @umem: umem to iterate over
+ * @biter: block iterator variable
  * @pgsz: Page size to split the list into
  *
  * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
@@ -117,7 +118,7 @@ unsigned long ib_umem_find_best_pgsz(str
  * ib_umem_find_best_pgoff - Find best HW page size
  *
  * @umem: umem struct
- * @pgsz_bitmap bitmap of HW supported page sizes
+ * @pgsz_bitmap: bitmap of HW supported page sizes
  * @pgoff_bitmask: Mask of bits that can be represented with an offset
  *
  * This is very similar to ib_umem_find_best_pgsz() except instead of accepting
@@ -130,6 +131,9 @@ unsigned long ib_umem_find_best_pgsz(str
  *
  * If the pgoff_bitmask requires either alignment in the low bit or an
  * unavailable page size for the high bits, this function returns 0.
+ *
+ * Returns: best HW page size for the parameters or 0 if none available
+ *   for the given parameters.
  */
 static inline unsigned long ib_umem_find_best_pgoff(struct ib_umem *umem,
 						    unsigned long pgsz_bitmap,
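Review bot: The added Returns: text says "for the parameters" and then "for the given parameters" in the same sentence; one mention is enough, for example "Returns: best HW page size, or 0 if none is available for the given parameters." The paragraph directly above already describes the 0 case, so the Returns: line could also simply refer to it.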



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 488/522] RDMA: Move DMA block iterator logic into dedicated files
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (486 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 487/522] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 489/522] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@nvidia.com>

[ Upstream commit 6094ea64c69520ed1e770e7c79c43412de202bfa ]

The DMA iterator logic was mixed into verbs and umem-specific code,
forcing all users to include rdma/ib_umem.h. Move the block iterator
logic into iter.c and rdma/iter.h so that rdma/ib_umem.h and
rdma/ib_verbs.h can be separated in a follow-up patch.

Link: https://patch.msgid.link/20260213-refactor-umem-v1-1-f3be85847922@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Stable-dep-of: 15fe76e23615 ("RDMA/umem: Fix truncation for block sizes >= 4G")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/Makefile             |    2 
 drivers/infiniband/core/iter.c               |   43 +++++++++++++
 drivers/infiniband/core/verbs.c              |   38 -----------
 drivers/infiniband/hw/bnxt_re/qplib_res.c    |    2 
 drivers/infiniband/hw/cxgb4/mem.c            |    2 
 drivers/infiniband/hw/efa/efa_verbs.c        |    2 
 drivers/infiniband/hw/erdma/erdma_verbs.c    |    2 
 drivers/infiniband/hw/hns/hns_roce_alloc.c   |    2 
 drivers/infiniband/hw/irdma/main.h           |    2 
 drivers/infiniband/hw/mlx4/mr.c              |    1 
 drivers/infiniband/hw/mlx5/mem.c             |    1 
 drivers/infiniband/hw/mlx5/umr.c             |    1 
 drivers/infiniband/hw/mthca/mthca_provider.c |    2 
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c  |    2 
 drivers/infiniband/hw/qedr/verbs.c           |    2 
 drivers/infiniband/hw/vmw_pvrdma/pvrdma.h    |    2 
 include/rdma/ib_umem.h                       |   32 ---------
 include/rdma/ib_verbs.h                      |   48 --------------
 include/rdma/iter.h                          |   88 +++++++++++++++++++++++++++
 19 files changed, 145 insertions(+), 129 deletions(-)
 create mode 100644 drivers/infiniband/core/iter.c
 create mode 100644 include/rdma/iter.h

--- a/drivers/infiniband/core/Makefile
+++ b/drivers/infiniband/core/Makefile
@@ -12,7 +12,7 @@ ib_core-y :=			packer.o ud_header.o verb
 				roce_gid_mgmt.o mr_pool.o addr.o sa_query.o \
 				multicast.o mad.o smi.o agent.o mad_rmpp.o \
 				nldev.o restrack.o counters.o ib_core_uverbs.o \
-				trace.o lag.o
+				trace.o lag.o iter.o
 
 ib_core-$(CONFIG_SECURITY_INFINIBAND) += security.o
 ib_core-$(CONFIG_CGROUP_RDMA) += cgroup.o
--- /dev/null
+++ b/drivers/infiniband/core/iter.c
@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
+/* Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. */
+
+#include <linux/export.h>
+#include <rdma/iter.h>
+
+void __rdma_block_iter_start(struct ib_block_iter *biter,
+			     struct scatterlist *sglist, unsigned int nents,
+			     unsigned long pgsz)
+{
+	memset(biter, 0, sizeof(struct ib_block_iter));
+	biter->__sg = sglist;
+	biter->__sg_nents = nents;
+
+	/* Driver provides best block size to use */
+	biter->__pg_bit = __fls(pgsz);
+}
+EXPORT_SYMBOL(__rdma_block_iter_start);
+
+bool __rdma_block_iter_next(struct ib_block_iter *biter)
+{
+	unsigned int block_offset;
+	unsigned int delta;
+
+	if (!biter->__sg_nents || !biter->__sg)
+		return false;
+
+	biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
+	block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
+	delta = BIT_ULL(biter->__pg_bit) - block_offset;
+
+	while (biter->__sg_nents && biter->__sg &&
+	       sg_dma_len(biter->__sg) - biter->__sg_advance <= delta) {
+		delta -= sg_dma_len(biter->__sg) - biter->__sg_advance;
+		biter->__sg_advance = 0;
+		biter->__sg = sg_next(biter->__sg);
+		biter->__sg_nents--;
+	}
+	biter->__sg_advance += delta;
+
+	return true;
+}
+EXPORT_SYMBOL(__rdma_block_iter_next);
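Review bot: In __rdma_block_iter_next(), block_offset and delta are declared unsigned int but are assigned from BIT_ULL(biter->__pg_bit) expressions, so any block size of 4G or more loses its upper bits on assignment. For a verbatim move out of verbs.c that is acceptable in this commit, but it should only be queued together with the change named in the Stable-dep-of tag. Separately, the new file calls memset(), __fls(), BIT_ULL() and the sg_dma_*() accessors while including only linux/export.h and rdma/iter.h; explicit includes for the string and bitops helpers would keep it from depending on whatever rdma/iter.h happens to pull in.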
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -2943,44 +2943,6 @@ int rdma_init_netdev(struct ib_device *d
 }
 EXPORT_SYMBOL(rdma_init_netdev);
 
-void __rdma_block_iter_start(struct ib_block_iter *biter,
-			     struct scatterlist *sglist, unsigned int nents,
-			     unsigned long pgsz)
-{
-	memset(biter, 0, sizeof(struct ib_block_iter));
-	biter->__sg = sglist;
-	biter->__sg_nents = nents;
-
-	/* Driver provides best block size to use */
-	biter->__pg_bit = __fls(pgsz);
-}
-EXPORT_SYMBOL(__rdma_block_iter_start);
-
-bool __rdma_block_iter_next(struct ib_block_iter *biter)
-{
-	unsigned int block_offset;
-	unsigned int delta;
-
-	if (!biter->__sg_nents || !biter->__sg)
-		return false;
-
-	biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
-	block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
-	delta = BIT_ULL(biter->__pg_bit) - block_offset;
-
-	while (biter->__sg_nents && biter->__sg &&
-	       sg_dma_len(biter->__sg) - biter->__sg_advance <= delta) {
-		delta -= sg_dma_len(biter->__sg) - biter->__sg_advance;
-		biter->__sg_advance = 0;
-		biter->__sg = sg_next(biter->__sg);
-		biter->__sg_nents--;
-	}
-	biter->__sg_advance += delta;
-
-	return true;
-}
-EXPORT_SYMBOL(__rdma_block_iter_next);
-
 /**
  * rdma_alloc_hw_stats_struct - Helper function to allocate dynamic struct
  *   for the drivers.
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -46,7 +46,7 @@
 #include <linux/if_vlan.h>
 #include <linux/vmalloc.h>
 #include <rdma/ib_verbs.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 
 #include "roce_hsi.h"
 #include "qplib_res.h"
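Review bot: Swapping <rdma/ib_umem.h> for <rdma/iter.h> keeps any direct use of struct ib_umem or the ib_umem_*() helpers in this file building only because the new rdma/iter.h itself includes rdma/ib_umem.h. If this file uses them directly, keep the explicit ib_umem.h include next to the new one so the follow-up header split mentioned in the commit message does not break it. The same applies to the other drivers converted the same way in this patch.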
--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -32,9 +32,9 @@
 
 #include <linux/module.h>
 #include <linux/moduleparam.h>
-#include <rdma/ib_umem.h>
 #include <linux/atomic.h>
 #include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
 
 #include "iw_cxgb4.h"
 
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -9,9 +9,9 @@
 #include <linux/log2.h>
 
 #include <rdma/ib_addr.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_user_verbs.h>
 #include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include "efa.h"
--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
+++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
@@ -12,7 +12,7 @@
 #include <linux/vmalloc.h>
 #include <net/addrconf.h>
 #include <rdma/erdma-abi.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include "erdma.h"
--- a/drivers/infiniband/hw/hns/hns_roce_alloc.c
+++ b/drivers/infiniband/hw/hns/hns_roce_alloc.c
@@ -32,7 +32,7 @@
  */
 
 #include <linux/vmalloc.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
 #include "hns_roce_device.h"
 
 void hns_roce_buf_free(struct hns_roce_dev *hr_dev, struct hns_roce_buf *buf)
--- a/drivers/infiniband/hw/irdma/main.h
+++ b/drivers/infiniband/hw/irdma/main.h
@@ -37,8 +37,8 @@
 #include <rdma/rdma_cm.h>
 #include <rdma/iw_cm.h>
 #include <rdma/ib_user_verbs.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_cache.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 #include "osdep.h"
 #include "defs.h"
--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -33,6 +33,7 @@
 
 #include <linux/slab.h>
 #include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
 
 #include "mlx4_ib.h"
 
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -32,6 +32,7 @@
 
 #include <linux/io.h>
 #include <rdma/ib_umem_odp.h>
+#include <rdma/iter.h>
 #include "mlx5_ib.h"
 #include <linux/jiffies.h>
 
--- a/drivers/infiniband/hw/mlx5/umr.c
+++ b/drivers/infiniband/hw/mlx5/umr.c
@@ -2,6 +2,7 @@
 /* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. */
 
 #include <rdma/ib_umem_odp.h>
+#include <rdma/iter.h>
 #include "mlx5_ib.h"
 #include "umr.h"
 #include "wr.h"
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
@@ -35,8 +35,8 @@
  */
 
 #include <rdma/ib_smi.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include <linux/sched.h>
--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -45,9 +45,9 @@
 #include <rdma/ib_verbs.h>
 #include <rdma/ib_user_verbs.h>
 #include <rdma/iw_cm.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_addr.h>
 #include <rdma/ib_cache.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include "ocrdma.h"
--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -39,9 +39,9 @@
 #include <rdma/ib_verbs.h>
 #include <rdma/ib_user_verbs.h>
 #include <rdma/iw_cm.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_addr.h>
 #include <rdma/ib_cache.h>
+#include <rdma/iter.h>
 #include <rdma/uverbs_ioctl.h>
 
 #include <linux/qed/common_hsi.h>
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
@@ -53,8 +53,8 @@
 #include <linux/pci.h>
 #include <linux/semaphore.h>
 #include <linux/workqueue.h>
-#include <rdma/ib_umem.h>
 #include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
 #include <rdma/vmw_pvrdma-abi.h>
 
 #include "pvrdma_ring.h"
--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -71,38 +71,6 @@ static inline size_t ib_umem_num_pages(s
 {
 	return ib_umem_num_dma_blocks(umem, PAGE_SIZE);
 }
-
-static inline void __rdma_umem_block_iter_start(struct ib_block_iter *biter,
-						struct ib_umem *umem,
-						unsigned long pgsz)
-{
-	__rdma_block_iter_start(biter, umem->sgt_append.sgt.sgl,
-				umem->sgt_append.sgt.nents, pgsz);
-	biter->__sg_advance = ib_umem_offset(umem) & ~(pgsz - 1);
-	biter->__sg_numblocks = ib_umem_num_dma_blocks(umem, pgsz);
-}
-
-static inline bool __rdma_umem_block_iter_next(struct ib_block_iter *biter)
-{
-	return __rdma_block_iter_next(biter) && biter->__sg_numblocks--;
-}
-
-/**
- * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
- * @umem: umem to iterate over
- * @biter: block iterator variable
- * @pgsz: Page size to split the list into
- *
- * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
- * returned DMA blocks will be aligned to pgsz and span the range:
- * ALIGN_DOWN(umem->address, pgsz) to ALIGN(umem->address + umem->length, pgsz)
- *
- * Performs exactly ib_umem_num_dma_blocks() iterations.
- */
-#define rdma_umem_for_each_dma_block(umem, biter, pgsz)                        \
-	for (__rdma_umem_block_iter_start(biter, umem, pgsz);                  \
-	     __rdma_umem_block_iter_next(biter);)
-
 #ifdef CONFIG_INFINIBAND_USER_MEM
 
 struct ib_umem *ib_umem_get(struct ib_device *device, unsigned long addr,
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -2826,22 +2826,6 @@ struct ib_client {
 	u8 no_kverbs_req:1;
 };
 
-/*
- * IB block DMA iterator
- *
- * Iterates the DMA-mapped SGL in contiguous memory blocks aligned
- * to a HW supported page size.
- */
-struct ib_block_iter {
-	/* internal states */
-	struct scatterlist *__sg;	/* sg holding the current aligned block */
-	dma_addr_t __dma_addr;		/* unaligned DMA address of this block */
-	size_t __sg_numblocks;		/* ib_umem_num_dma_blocks() */
-	unsigned int __sg_nents;	/* number of SG entries */
-	unsigned int __sg_advance;	/* number of bytes to advance in sg in next step */
-	unsigned int __pg_bit;		/* alignment of current block */
-};
-
 struct ib_device *_ib_alloc_device(size_t size);
 #define ib_alloc_device(drv_struct, member)                                    \
 	container_of(_ib_alloc_device(sizeof(struct drv_struct) +              \
@@ -2863,38 +2847,6 @@ void ib_unregister_device_queued(struct
 int ib_register_client   (struct ib_client *client);
 void ib_unregister_client(struct ib_client *client);
 
-void __rdma_block_iter_start(struct ib_block_iter *biter,
-			     struct scatterlist *sglist,
-			     unsigned int nents,
-			     unsigned long pgsz);
-bool __rdma_block_iter_next(struct ib_block_iter *biter);
-
-/**
- * rdma_block_iter_dma_address - get the aligned dma address of the current
- * block held by the block iterator.
- * @biter: block iterator holding the memory block
- */
-static inline dma_addr_t
-rdma_block_iter_dma_address(struct ib_block_iter *biter)
-{
-	return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1);
-}
-
-/**
- * rdma_for_each_block - iterate over contiguous memory blocks of the sg list
- * @sglist: sglist to iterate over
- * @biter: block iterator holding the memory block
- * @nents: maximum number of sg entries to iterate over
- * @pgsz: best HW supported page size to use
- *
- * Callers may use rdma_block_iter_dma_address() to get each
- * blocks aligned DMA address.
- */
-#define rdma_for_each_block(sglist, biter, nents, pgsz)		\
-	for (__rdma_block_iter_start(biter, sglist, nents,	\
-				     pgsz);			\
-	     __rdma_block_iter_next(biter);)
-
 /**
  * ib_get_client_data - Get IB client context
  * @device:Device to get context for
--- /dev/null
+++ b/include/rdma/iter.h
@@ -0,0 +1,88 @@
+/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */
+/* Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. */
+
+#ifndef _RDMA_ITER_H_
+#define _RDMA_ITER_H_
+
+#include <linux/scatterlist.h>
+#include <rdma/ib_umem.h>
+
+/**
+ * IB block DMA iterator
+ *
+ * Iterates the DMA-mapped SGL in contiguous memory blocks aligned
+ * to a HW supported page size.
+ */
+struct ib_block_iter {
+	/* internal states */
+	struct scatterlist *__sg;	/* sg holding the current aligned block */
+	dma_addr_t __dma_addr;		/* unaligned DMA address of this block */
+	size_t __sg_numblocks;		/* ib_umem_num_dma_blocks() */
+	unsigned int __sg_nents;	/* number of SG entries */
+	unsigned int __sg_advance;	/* number of bytes to advance in sg in next step */
+	unsigned int __pg_bit;		/* alignment of current block */
+};
+
+void __rdma_block_iter_start(struct ib_block_iter *biter,
+			     struct scatterlist *sglist,
+			     unsigned int nents,
+			     unsigned long pgsz);
+bool __rdma_block_iter_next(struct ib_block_iter *biter);
+
+/**
+ * rdma_block_iter_dma_address - get the aligned dma address of the current
+ * block held by the block iterator.
+ * @biter: block iterator holding the memory block
+ */
+static inline dma_addr_t
+rdma_block_iter_dma_address(struct ib_block_iter *biter)
+{
+	return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1);
+}
+
+/**
+ * rdma_for_each_block - iterate over contiguous memory blocks of the sg list
+ * @sglist: sglist to iterate over
+ * @biter: block iterator holding the memory block
+ * @nents: maximum number of sg entries to iterate over
+ * @pgsz: best HW supported page size to use
+ *
+ * Callers may use rdma_block_iter_dma_address() to get each
+ * blocks aligned DMA address.
+ */
+#define rdma_for_each_block(sglist, biter, nents, pgsz)		\
+	for (__rdma_block_iter_start(biter, sglist, nents,	\
+				     pgsz);			\
+	     __rdma_block_iter_next(biter);)
+
+static inline void __rdma_umem_block_iter_start(struct ib_block_iter *biter,
+						struct ib_umem *umem,
+						unsigned long pgsz)
+{
+	__rdma_block_iter_start(biter, umem->sgt_append.sgt.sgl,
+				umem->sgt_append.sgt.nents, pgsz);
+	biter->__sg_advance = ib_umem_offset(umem) & ~(pgsz - 1);
+	biter->__sg_numblocks = ib_umem_num_dma_blocks(umem, pgsz);
+}
+
+static inline bool __rdma_umem_block_iter_next(struct ib_block_iter *biter)
+{
+	return __rdma_block_iter_next(biter) && biter->__sg_numblocks--;
+}
+
+/**
+ * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
+ * @umem: umem to iterate over
+ * @pgsz: Page size to split the list into
+ *
+ * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
+ * returned DMA blocks will be aligned to pgsz and span the range:
+ * ALIGN_DOWN(umem->address, pgsz) to ALIGN(umem->address + umem->length, pgsz)
+ *
+ * Performs exactly ib_umem_num_dma_blocks() iterations.
+ */
+#define rdma_umem_for_each_dma_block(umem, biter, pgsz)                        \
+	for (__rdma_umem_block_iter_start(biter, umem, pgsz);                  \
+	     __rdma_umem_block_iter_next(biter);)
+
+#endif /* _RDMA_ITER_H_ */
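Review bot: The kernel-doc for rdma_umem_for_each_dma_block() in the new header lists @umem and @pgsz but no @biter, although the copy removed from ib_umem.h in this same patch carries "@biter: block iterator variable"; the move brings back the warning that the preceding kernel-doc patch removed, so that line should be carried over. The comment above struct ib_block_iter also changes its opener from "/*" to "/**" without being in kernel-doc form (no "struct ib_block_iter - ..." summary and no member descriptions), which kernel-doc will flag; keep the plain "/*" opener or convert the comment fully.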



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 489/522] RDMA/umem: Fix truncation for block sizes >= 4G
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (487 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 488/522] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 490/522] ipvs: skip ipv6 extension headers for csum checks Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Sasha Levin

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

[ Upstream commit 15fe76e23615f502d051ef0768f86babaf08746c ]

When the iommu is used the linearization of the mapping can give a single
block that is very large split across multiple SG entries.

When __rdma_block_iter_next() reassembles the split SG entries it is
overflowing the 32 bit stack values and computed the wrong DMA addresses
for blocks after the truncation.

Use the right types to hold DMA addresses.

Link: https://patch.msgid.link/r/1-v1-88303e9e509f+f7-ib_umem_types_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/iter.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/iter.c
+++ b/drivers/infiniband/core/iter.c
@@ -19,8 +19,8 @@ EXPORT_SYMBOL(__rdma_block_iter_start);
 
 bool __rdma_block_iter_next(struct ib_block_iter *biter)
 {
-	unsigned int block_offset;
-	unsigned int delta;
+	dma_addr_t block_offset;
+	dma_addr_t delta;
 
 	if (!biter->__sg_nents || !biter->__sg)
 		return false;
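Review bot: Widening block_offset and delta to dma_addr_t fixes the truncation at their assignment, but the function still ends with biter->__sg_advance += delta, and __sg_advance remains an unsigned int in struct ib_block_iter, so a narrowing conversion now happens implicitly at that statement. It looks safe because, while SG entries remain, the loop only exits once delta is smaller than what is left of the current entry, and sg_dma_len() is itself an unsigned int. A short comment at the += stating that bound would make the invariant reviewable.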



^ permalink raw reply	[flat|nested] 906+ messages in thread
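
Added example, not part of the original message or of the kernel source: a user-space C model of the iterator loop shown in the patch, run with 32-bit and with 64-bit block_offset/delta over a constructed 8 GiB IOVA range split into 1 GiB SG entries. The names sg_ent, block_iter, iter_next and collect_blocks are assumptions made for the model, and a 64-bit dma_addr_t is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GIB (1ULL << 30)
#define SAMPLE_NENTS 8

/* Constructed stand-in for one DMA-mapped scatterlist entry. */
struct sg_ent {
	uint64_t dma_addr;
	uint32_t dma_len;		/* sg_dma_len() is an unsigned int */
};

/* User-space model of struct ib_block_iter. */
struct block_iter {
	const struct sg_ent *sg;
	uint64_t dma_addr;
	uint32_t sg_nents;
	uint32_t sg_advance;
	uint32_t pg_bit;
};

/* Constructed input: 8 GiB of contiguous IOVA split into 1 GiB SG entries. */
static void build_sample(struct sg_ent *sgl)
{
	for (uint32_t i = 0; i < SAMPLE_NENTS; i++) {
		sgl[i].dma_addr = 0x100000000ULL + i * GIB;
		sgl[i].dma_len = (uint32_t)GIB;
	}
}

/*
 * Model of __rdma_block_iter_next(). narrow=true keeps block_offset and
 * delta in 32 bits (before the fix); narrow=false keeps them 64 bits wide
 * (after the fix, assuming a 64-bit dma_addr_t).
 */
static bool iter_next(struct block_iter *it, bool narrow)
{
	uint64_t block_size = 1ULL << it->pg_bit;
	uint64_t block_offset, delta;

	if (!it->sg_nents || !it->sg)
		return false;

	it->dma_addr = it->sg->dma_addr + it->sg_advance;
	block_offset = it->dma_addr & (block_size - 1);
	if (narrow)
		block_offset = (uint32_t)block_offset;
	delta = block_size - block_offset;
	if (narrow)
		delta = (uint32_t)delta;	/* a 4 GiB block becomes 0 here */

	while (it->sg_nents && it->sg &&
	       it->sg->dma_len - it->sg_advance <= delta) {
		delta -= it->sg->dma_len - it->sg_advance;
		it->sg_advance = 0;
		it->sg_nents--;
		it->sg = it->sg_nents ? it->sg + 1 : NULL;
	}
	it->sg_advance += (uint32_t)delta;
	return true;
}

/*
 * Walk the list and store each block's aligned address. max plays the role
 * of __sg_numblocks: it bounds the walk even when the iterator is stuck.
 */
static size_t collect_blocks(const struct sg_ent *sgl, uint32_t nents,
			     uint32_t pg_bit, bool narrow,
			     uint64_t *out, size_t max)
{
	struct block_iter it = { .sg = sgl, .sg_nents = nents, .pg_bit = pg_bit };
	size_t n = 0;

	while (n < max && iter_next(&it, narrow))
		out[n++] = it.dma_addr & ~((1ULL << pg_bit) - 1);
	return n;
}

int main(void)
{
	struct sg_ent sgl[SAMPLE_NENTS];
	uint64_t out[2];
	size_t n;

	build_sample(sgl);
	for (int narrow = 1; narrow >= 0; narrow--) {
		n = collect_blocks(sgl, SAMPLE_NENTS, 32, narrow, out, 2);
		printf("%s locals:", narrow ? "32-bit" : "64-bit");
		for (size_t i = 0; i < n; i++)
			printf(" 0x%llx", (unsigned long long)out[i]);
		printf("\n");
	}
	return 0;
}
```

With 32-bit locals delta truncates to 0, the iterator never advances and every block repeats the first address; with 64-bit locals the two 4 GiB blocks come out at 0x100000000 and 0x200000000.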

* [PATCH 6.1 490/522] ipvs: skip ipv6 extension headers for csum checks
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (488 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 489/522] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 491/522] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Julian Anastasov, Florian Westphal,
	Nazar Kalashnikov

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Anastasov <ja@ssi.bg>

commit 05cfe9863ef049d98141dc2969eefde72fb07625 upstream.

Protocol checksum validation fails for IPv6 if there are extension
headers before the protocol header. iph->len already contains its
offset, so use it to fix the problem.

Fixes: 2906f66a5682 ("ipvs: SCTP Trasport Loadbalancing Support")
Fixes: 0bbdd42b7efa ("IPVS: Extend protocol DNAT/SNAT and state handlers")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/ipvs/ip_vs_proto_sctp.c |   18 ++++++------------
 net/netfilter/ipvs/ip_vs_proto_tcp.c  |   21 +++++++--------------
 net/netfilter/ipvs/ip_vs_proto_udp.c  |   20 +++++++-------------
 3 files changed, 20 insertions(+), 39 deletions(-)

--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -10,7 +10,8 @@
 #include <net/ip_vs.h>
 
 static int
-sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
+sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+		unsigned int sctphoff);
 
 static int
 sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
@@ -108,7 +109,7 @@ sctp_snat_handler(struct sk_buff *skb, s
 		int ret;
 
 		/* Some checks before mangling */
-		if (!sctp_csum_check(cp->af, skb, pp))
+		if (!sctp_csum_check(cp->af, skb, pp, sctphoff))
 			return 0;
 
 		/* Call application helper if needed */
@@ -156,7 +157,7 @@ sctp_dnat_handler(struct sk_buff *skb, s
 		int ret;
 
 		/* Some checks before mangling */
-		if (!sctp_csum_check(cp->af, skb, pp))
+		if (!sctp_csum_check(cp->af, skb, pp, sctphoff))
 			return 0;
 
 		/* Call application helper if needed */
@@ -185,19 +186,12 @@ sctp_dnat_handler(struct sk_buff *skb, s
 }
 
 static int
-sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
+sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+		unsigned int sctphoff)
 {
-	unsigned int sctphoff;
 	struct sctphdr *sh;
 	__le32 cmp, val;
 
-#ifdef CONFIG_IP_VS_IPV6
-	if (af == AF_INET6)
-		sctphoff = sizeof(struct ipv6hdr);
-	else
-#endif
-		sctphoff = ip_hdrlen(skb);
-
 	sh = (struct sctphdr *)(skb->data + sctphoff);
 	cmp = sh->checksum;
 	val = sctp_compute_cksum(skb, sctphoff);
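Review bot: With sctphoff now supplied by the caller, sh = (struct sctphdr *)(skb->data + sctphoff) dereferences at an offset that grows with the extension headers, and nothing in sctp_csum_check() verifies that sctphoff + sizeof(*sh) lies within the linear data. The UDP variant in this patch reads its header through skb_header_pointer(); either do the same here or add a comment naming the caller-side check that guarantees the header is linear at this offset.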
--- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c
@@ -29,7 +29,8 @@
 #include <net/ip_vs.h>
 
 static int
-tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
+tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+	       unsigned int tcphoff);
 
 static int
 tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
@@ -166,7 +167,7 @@ tcp_snat_handler(struct sk_buff *skb, st
 		int ret;
 
 		/* Some checks before mangling */
-		if (!tcp_csum_check(cp->af, skb, pp))
+		if (!tcp_csum_check(cp->af, skb, pp, tcphoff))
 			return 0;
 
 		/* Call application helper if needed */
@@ -244,7 +245,7 @@ tcp_dnat_handler(struct sk_buff *skb, st
 		int ret;
 
 		/* Some checks before mangling */
-		if (!tcp_csum_check(cp->af, skb, pp))
+		if (!tcp_csum_check(cp->af, skb, pp, tcphoff))
 			return 0;
 
 		/*
@@ -301,17 +302,9 @@ tcp_dnat_handler(struct sk_buff *skb, st
 
 
 static int
-tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
+tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+	       unsigned int tcphoff)
 {
-	unsigned int tcphoff;
-
-#ifdef CONFIG_IP_VS_IPV6
-	if (af == AF_INET6)
-		tcphoff = sizeof(struct ipv6hdr);
-	else
-#endif
-		tcphoff = ip_hdrlen(skb);
-
 	switch (skb->ip_summed) {
 	case CHECKSUM_NONE:
 		skb->csum = skb_checksum(skb, tcphoff, skb->len - tcphoff, 0);
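Review bot: With the CONFIG_IP_VS_IPV6 block removed, tcp_csum_check() takes tcphoff entirely on trust and passes skb->len - tcphoff to skb_checksum() unchecked, yet the new parameter has no comment saying it must be the transport header offset already parsed by the caller (iph->len in the commit message). A one-line comment on the prototype would record that contract. The changelog also covers only the offset, while the next hunk swaps ipv6_hdr(skb)->nexthdr for IPPROTO_TCP in csum_ipv6_magic(); that second half of the fix deserves a sentence too, since nexthdr names the first extension header when one is present.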
@@ -322,7 +315,7 @@ tcp_csum_check(int af, struct sk_buff *s
 			if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
 					    &ipv6_hdr(skb)->daddr,
 					    skb->len - tcphoff,
-					    ipv6_hdr(skb)->nexthdr,
+					    IPPROTO_TCP,
 					    skb->csum)) {
 				IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
 						 "Failed checksum for");
--- a/net/netfilter/ipvs/ip_vs_proto_udp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_udp.c
@@ -25,7 +25,8 @@
 #include <net/ip6_checksum.h>
 
 static int
-udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
+udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+	       unsigned int udphoff);
 
 static int
 udp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
@@ -155,7 +156,7 @@ udp_snat_handler(struct sk_buff *skb, st
 		int ret;
 
 		/* Some checks before mangling */
-		if (!udp_csum_check(cp->af, skb, pp))
+		if (!udp_csum_check(cp->af, skb, pp, udphoff))
 			return 0;
 
 		/*
@@ -238,7 +239,7 @@ udp_dnat_handler(struct sk_buff *skb, st
 		int ret;
 
 		/* Some checks before mangling */
-		if (!udp_csum_check(cp->af, skb, pp))
+		if (!udp_csum_check(cp->af, skb, pp, udphoff))
 			return 0;
 
 		/*
@@ -297,17 +298,10 @@ udp_dnat_handler(struct sk_buff *skb, st
 
 
 static int
-udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
+udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+	       unsigned int udphoff)
 {
 	struct udphdr _udph, *uh;
-	unsigned int udphoff;
-
-#ifdef CONFIG_IP_VS_IPV6
-	if (af == AF_INET6)
-		udphoff = sizeof(struct ipv6hdr);
-	else
-#endif
-		udphoff = ip_hdrlen(skb);
 
 	uh = skb_header_pointer(skb, udphoff, sizeof(_udph), &_udph);
 	if (uh == NULL)
@@ -325,7 +319,7 @@ udp_csum_check(int af, struct sk_buff *s
 				if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
 						    &ipv6_hdr(skb)->daddr,
 						    skb->len - udphoff,
-						    ipv6_hdr(skb)->nexthdr,
+						    IPPROTO_UDP,
 						    skb->csum)) {
 					IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
 							 "Failed checksum for");



^ permalink raw reply	[flat|nested] 906+ messages in thread
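
Added example, not part of the original message or of the kernel source: a user-space C model of the UDP case, validating one constructed IPv6 packet with a hop-by-hop header first the pre-fix way (fixed 40-byte offset, protocol taken from the base header's next-header field) and then the post-fix way (real transport offset, constant protocol number). The helper ipv6_l4_offset() is hypothetical and stands in for the offset the commit message says iph->len already holds; it handles only hop-by-hop, routing and destination-option headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN	40
#define PROTO_UDP	17
#define SAMPLE_LEN	(IPV6_HDR_LEN + 8 + 8 + 4)

/* One's-complement accumulation of big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum)
{
	for (; len > 1; p += 2, len -= 2)
		sum += ((uint32_t)p[0] << 8) | p[1];
	if (len)
		sum += (uint32_t)p[0] << 8;
	return sum;
}

/* Checksum over the IPv6 pseudo-header and pkt[l4off..len); 0 means valid. */
static uint16_t l4_csum(const uint8_t *pkt, size_t len, size_t l4off, uint8_t proto)
{
	uint32_t l4len = (uint32_t)(len - l4off);
	uint32_t sum = sum16(pkt + 8, 32, 0);	/* source + destination */

	sum += (l4len >> 16) + (l4len & 0xffff) + proto;
	sum = sum16(pkt + l4off, len - l4off, sum);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Hypothetical helper (not a kernel API): skip hop-by-hop (0), routing (43)
 * and destination-option (60) headers; returns 0 if the packet is truncated. */
static size_t ipv6_l4_offset(const uint8_t *pkt, size_t len, uint8_t *proto)
{
	size_t off = IPV6_HDR_LEN, hlen = 0;
	uint8_t nh;

	if (len < IPV6_HDR_LEN)
		return 0;
	for (nh = pkt[6]; nh == 0 || nh == 43 || nh == 60; off += hlen) {
		if (off + 2 > len)
			return 0;
		hlen = ((size_t)pkt[off + 1] + 1) * 8;
		if (off + hlen > len)
			return 0;
		nh = pkt[off];
	}
	*proto = nh;
	return off;
}

/* Constructed packet: IPv6 + 8-byte hop-by-hop header + UDP + "ipvs". */
static size_t build_sample(uint8_t *pkt)
{
	size_t off = IPV6_HDR_LEN + 8;
	uint16_t csum;

	memset(pkt, 0, SAMPLE_LEN);		/* next header stays 0: hop-by-hop */
	pkt[0] = 0x60;				/* version 6 */
	pkt[5] = SAMPLE_LEN - IPV6_HDR_LEN;	/* payload length */
	pkt[7] = 64;				/* hop limit */
	memcpy(pkt + 8, "\x20\x01\x0d\xb8", 4);	/* 2001:db8::1 */
	pkt[23] = 1;
	memcpy(pkt + 24, "\x20\x01\x0d\xb8", 4);	/* 2001:db8::2 */
	pkt[39] = 2;
	memcpy(pkt + 40, "\x11\x00\x01\x04", 4);	/* next=UDP, len 0, PadN(4) */
	memcpy(pkt + off, "\x30\x39\x00\x50\x00\x0c", 6); /* 12345->80, len 12 */
	memcpy(pkt + off + 8, "ipvs", 4);
	csum = l4_csum(pkt, SAMPLE_LEN, off, PROTO_UDP);
	pkt[off + 6] = (uint8_t)(csum >> 8);
	pkt[off + 7] = (uint8_t)csum;
	return SAMPLE_LEN;
}

/* Pre-fix model: fixed offset, protocol taken from the base header. */
static int check_fixed(const uint8_t *pkt, size_t len)
{
	return l4_csum(pkt, len, IPV6_HDR_LEN, pkt[6]) == 0;
}

/* Post-fix model: real transport offset, constant protocol number. */
static int check_walked(const uint8_t *pkt, size_t len)
{
	uint8_t proto = 0;
	size_t off = ipv6_l4_offset(pkt, len, &proto);

	return off && proto == PROTO_UDP && !l4_csum(pkt, len, off, PROTO_UDP);
}

int main(void)
{
	uint8_t pkt[SAMPLE_LEN];
	size_t len = build_sample(pkt);

	printf("fixed: %d, walked: %d\n", check_fixed(pkt, len), check_walked(pkt, len));
	return 0;
}
```

The packet carries a correct UDP checksum, yet the fixed-offset check rejects it because it sums the extension header as payload and uses protocol 0 in the pseudo-header.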

* [PATCH 6.1 491/522] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (489 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 490/522] ipvs: skip ipv6 extension headers for csum checks Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 492/522] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tejun Heo, Breno Leitao, Jens Axboe,
	Robert Garcia

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit ec14a87ee1999b19d8b7ed0fa95fea80644624ae upstream.

blk-iocost sometimes causes the following crash:

  BUG: kernel NULL pointer dereference, address: 00000000000000e0
  ...
  RIP: 0010:_raw_spin_lock+0x17/0x30
  Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00
  RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001
  RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0
  RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003
  R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000
  R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600
  FS:  00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0
  Call Trace:
   <TASK>
   ioc_weight_write+0x13d/0x410
   cgroup_file_write+0x7a/0x130
   kernfs_fop_write_iter+0xf5/0x170
   vfs_write+0x298/0x370
   ksys_write+0x5f/0xb0
   __x64_sys_write+0x1b/0x20
   do_syscall_64+0x3d/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

This happens because iocg->ioc is NULL. The field is initialized by
ioc_pd_init() and never cleared. The NULL deref is caused by
blkcg_activate_policy() installing blkg_policy_data before initializing it.

blkcg_activate_policy() was doing the following:

1. Allocate pd's for all existing blkg's and install them in blkg->pd[].
2. Initialize all pd's.
3. Online all pd's.

blkcg_activate_policy() only grabs the queue_lock and may release and
re-acquire the lock as allocation may need to sleep. ioc_weight_write()
grabs blkcg->lock and iterates all its blkg's. The two can race and if
ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a
pd which is not initialized yet, leading to crash.

The crash can be reproduced with the following script:

  #!/bin/bash

  echo +io > /sys/fs/cgroup/cgroup.subtree_control
  systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct
  echo 100 > /sys/fs/cgroup/system.slice/io.weight
  bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" &
  sleep .2
  echo 100 > /sys/fs/cgroup/system.slice/io.weight

with the following patch applied:

> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
> index fc49be622e05..38d671d5e10c 100644
> --- a/block/blk-cgroup.c
> +++ b/block/blk-cgroup.c
> @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)
> 		pd->online = false;
> 	}
>
> +       if (system_state == SYSTEM_RUNNING) {
> +               spin_unlock_irq(&q->queue_lock);
> +               ssleep(1);
> +               spin_lock_irq(&q->queue_lock);
> +       }
> +
> 	/* all allocated, init in the same order */
> 	if (pol->pd_init_fn)
> 		list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)

I don't see a reason why all pd's should be allocated, initialized and
onlined together. The only ordering requirement is that parent blkgs to be
initialized and onlined before children, which is guaranteed from the
walking order. Let's fix the bug by allocating, initializing and onlining pd
for each blkg and holding blkcg->lock over initialization and onlining. This
ensures that an installed blkg is always fully initialized and onlined
removing the race window.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Breno Leitao <leitao@debian.org>
Fixes: 9d179b865449 ("blkcg: Fix multiple bugs in blkcg_activate_policy()")
Link: https://lore.kernel.org/r/ZN0p5_W-Q9mAHBVY@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-cgroup.c |   32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -1407,7 +1407,7 @@ int blkcg_activate_policy(struct request
 retry:
 	spin_lock_irq(&q->queue_lock);
 
-	/* blkg_list is pushed at the head, reverse walk to allocate parents first */
+	/* blkg_list is pushed at the head, reverse walk to initialize parents first */
 	list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) {
 		struct blkg_policy_data *pd;
 
@@ -1445,21 +1445,20 @@ retry:
 				goto enomem;
 		}
 
-		blkg->pd[pol->plid] = pd;
+		spin_lock(&blkg->blkcg->lock);
+
 		pd->blkg = blkg;
 		pd->plid = pol->plid;
-		pd->online = false;
-	}
+		blkg->pd[pol->plid] = pd;
 
-	/* all allocated, init in the same order */
-	if (pol->pd_init_fn)
-		list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
-			pol->pd_init_fn(blkg->pd[pol->plid]);
+		if (pol->pd_init_fn)
+			pol->pd_init_fn(pd);
 
-	list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) {
 		if (pol->pd_online_fn)
-			pol->pd_online_fn(blkg->pd[pol->plid]);
-		blkg->pd[pol->plid]->online = true;
+			pol->pd_online_fn(pd);
+		pd->online = true;
+
+		spin_unlock(&blkg->blkcg->lock);
 	}
 
 	__set_bit(pol->plid, q->blkcg_pols);
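
Review bot: pol->pd_init_fn(pd) and pol->pd_online_fn(pd) now run with blkg->blkcg->lock held, nested inside the q->queue_lock taken with spin_lock_irq() at retry:, and nothing in the hunk documents that. A short comment above spin_lock(&blkg->blkcg->lock) stating that the callbacks are called under both locks, and so must neither sleep nor take blkcg->lock themselves, would spare the next policy author from learning it through lockdep. With pd->online = false removed, the enomem path reads a flag that is only ever written as true here; say whether that relies on the pd being zeroed at allocation or on every installed pd having reached pd->online = true before the unlock.
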
@@ -1476,14 +1475,19 @@ out:
 	return ret;
 
 enomem:
-	/* alloc failed, nothing's initialized yet, free everything */
+	/* alloc failed, take down everything */
 	spin_lock_irq(&q->queue_lock);
 	list_for_each_entry(blkg, &q->blkg_list, q_node) {
 		struct blkcg *blkcg = blkg->blkcg;
+		struct blkg_policy_data *pd;
 
 		spin_lock(&blkcg->lock);
-		if (blkg->pd[pol->plid]) {
-			pol->pd_free_fn(blkg->pd[pol->plid]);
+		pd = blkg->pd[pol->plid];
+		if (pd) {
+			if (pd->online && pol->pd_offline_fn)
+				pol->pd_offline_fn(pd);
+			pd->online = false;
+			pol->pd_free_fn(pd);
 			blkg->pd[pol->plid] = NULL;
 		}
 		spin_unlock(&blkcg->lock);
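
Review bot: the enomem loop walks blkg_list forwards with list_for_each_entry() while the activation loop uses list_for_each_entry_reverse() to initialize parents first, so pd_offline_fn() now runs on children before their parents, and only the activation side has a comment about ordering. Extending "/* alloc failed, take down everything */" to say that the forward walk offlines children first would make the intent explicit. The pd->online = false store immediately before pol->pd_free_fn(pd) only matters if a pd_free_fn reads the flag; otherwise it can be dropped.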




* [PATCH 6.1 492/522] batman-adv: stop tp_meter sessions during mesh teardown
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (490 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 491/522] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 493/522] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Luxing Yin, Jiexun Wang, Ren Wei,
	Sven Eckelmann

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream.

TP meter sessions remain linked on bat_priv->tp_list after the netlink
request has already finished. When the mesh interface is removed,
batadv_mesh_free() currently tears down the mesh without first draining
these sessions.

A running sender thread or a late incoming tp_meter packet can then keep
processing against a mesh instance which is already shutting down.
Synchronize tp_meter with the mesh lifetime by stopping all active
sessions from batadv_mesh_free() and waiting for sender threads to exit
before teardown continues.

Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/main.c     |    1 
 net/batman-adv/tp_meter.c |   94 +++++++++++++++++++++++++++++++++++++---------
 net/batman-adv/tp_meter.h |    1 
 net/batman-adv/types.h    |    4 +
 4 files changed, 82 insertions(+), 18 deletions(-)

--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -262,6 +262,7 @@ void batadv_mesh_free(struct net_device
 	atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
 
 	batadv_purge_outstanding_packets(bat_priv, NULL);
+	batadv_tp_stop_all(bat_priv);
 
 	batadv_gw_node_free(bat_priv);
 
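
Review bot: batadv_tp_stop_all() is called after mesh_state is set to BATADV_MESH_DEACTIVATING, but nothing visible here says what keeps a tp_meter packet that arrives after it returns from creating a fresh receiver session on tp_list. If the receive path is already gated on mesh_state, a comment next to the call saying so is enough; if it is not, the late packet described in the commit message can undo the drain. The call also sleeps (wait_for_completion() and synchronize_net() in the new function), which is worth stating for anyone who later calls batadv_mesh_free() from a different context.
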
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -12,6 +12,7 @@
 #include <linux/byteorder/generic.h>
 #include <linux/cache.h>
 #include <linux/compiler.h>
+#include <linux/completion.h>
 #include <linux/container_of.h>
 #include <linux/err.h>
 #include <linux/etherdevice.h>
@@ -365,23 +366,38 @@ static void batadv_tp_vars_put(struct ba
 }
 
 /**
- * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
- * @bat_priv: the bat priv with all the soft interface information
- * @tp_vars: the private data of the current TP meter session to cleanup
+ * batadv_tp_list_detach() - remove tp session from mesh session list once
+ * @tp_vars: the private data of the current TP meter session
  */
-static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
-				     struct batadv_tp_vars *tp_vars)
+static void batadv_tp_list_detach(struct batadv_tp_vars *tp_vars)
 {
-	cancel_delayed_work(&tp_vars->finish_work);
+	bool detached = false;
 
 	spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
-	hlist_del_rcu(&tp_vars->list);
+	if (!hlist_unhashed(&tp_vars->list)) {
+		hlist_del_init_rcu(&tp_vars->list);
+		detached = true;
+	}
 	spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
 
+	if (!detached)
+		return;
+
+	atomic_dec(&tp_vars->bat_priv->tp_num);
+
 	/* drop list reference */
 	batadv_tp_vars_put(tp_vars);
+}
 
-	atomic_dec(&tp_vars->bat_priv->tp_num);
+/**
+ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
+ * @tp_vars: the private data of the current TP meter session to cleanup
+ */
+static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars)
+{
+	cancel_delayed_work_sync(&tp_vars->finish_work);
+
+	batadv_tp_list_detach(tp_vars);
 
 	/* kill the timer and remove its reference */
 	timer_shutdown_sync(&tp_vars->timer);
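
Review bot: the kernel-doc for batadv_tp_sender_cleanup() keeps the garbled summary "cleanup sender data and drop and timer" and does not mention that the function can now sleep, since cancel_delayed_work() became cancel_delayed_work_sync(). Fix the summary line while it is being touched and add a note that the function must be called from process context. In batadv_tp_list_detach(), the hlist_unhashed() test is what turns a second call (from batadv_tp_stop_all() or batadv_tp_receiver_shutdown()) into a no-op, so a comment on why hlist_del_init_rcu() replaces hlist_del_rcu() would help.
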
@@ -883,7 +899,8 @@ out:
 	batadv_orig_node_put(orig_node);
 
 	batadv_tp_sender_end(bat_priv, tp_vars);
-	batadv_tp_sender_cleanup(bat_priv, tp_vars);
+	batadv_tp_sender_cleanup(tp_vars);
+	complete(&tp_vars->finished);
 
 	batadv_tp_vars_put(tp_vars);
 
@@ -915,7 +932,8 @@ static void batadv_tp_start_kthread(stru
 		batadv_tp_vars_put(tp_vars);
 
 		/* cleanup of failed tp meter variables */
-		batadv_tp_sender_cleanup(bat_priv, tp_vars);
+		batadv_tp_sender_cleanup(tp_vars);
+		complete(&tp_vars->finished);
 		return;
 	}
 
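
Review bot: in this kthread-creation failure path, complete(&tp_vars->finished) dereferences tp_vars after batadv_tp_vars_put(tp_vars) and after batadv_tp_sender_cleanup() has dropped the list reference, so the object is only still alive if the caller holds a further reference. Add a comment naming that reference so the lifetime of tp_vars at the complete() call does not have to be inferred from code outside this function.
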
@@ -1021,6 +1039,7 @@ void batadv_tp_start(struct batadv_priv
 	tp_vars->start_time = jiffies;
 
 	init_waitqueue_head(&tp_vars->more_bytes);
+	init_completion(&tp_vars->finished);
 
 	spin_lock_init(&tp_vars->unacked_lock);
 	INIT_LIST_HEAD(&tp_vars->unacked_list);
@@ -1127,14 +1146,7 @@ static void batadv_tp_receiver_shutdown(
 		   "Shutting down for inactivity (more than %dms) from %pM\n",
 		   BATADV_TP_RECV_TIMEOUT, tp_vars->other_end);
 
-	spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
-	hlist_del_rcu(&tp_vars->list);
-	spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
-
-	/* drop list reference */
-	batadv_tp_vars_put(tp_vars);
-
-	atomic_dec(&bat_priv->tp_num);
+	batadv_tp_list_detach(tp_vars);
 
 	spin_lock_bh(&tp_vars->unacked_lock);
 	list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
@@ -1498,6 +1510,52 @@ out:
 }
 
 /**
+ * batadv_tp_stop_all() - stop all currently running tp meter sessions
+ * @bat_priv: the bat priv with all the mesh interface information
+ */
+void batadv_tp_stop_all(struct batadv_priv *bat_priv)
+{
+	struct batadv_tp_vars *tp_vars[BATADV_TP_MAX_NUM];
+	struct batadv_tp_vars *tp_var;
+	size_t count = 0;
+	size_t i;
+
+	spin_lock_bh(&bat_priv->tp_list_lock);
+	hlist_for_each_entry(tp_var, &bat_priv->tp_list, list) {
+		if (WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM))
+			break;
+
+		if (!kref_get_unless_zero(&tp_var->refcount))
+			continue;
+
+		tp_vars[count++] = tp_var;
+	}
+	spin_unlock_bh(&bat_priv->tp_list_lock);
+
+	for (i = 0; i < count; i++) {
+		tp_var = tp_vars[i];
+
+		switch (tp_var->role) {
+		case BATADV_TP_SENDER:
+			batadv_tp_sender_shutdown(tp_var,
+						  BATADV_TP_REASON_CANCEL);
+			wake_up(&tp_var->more_bytes);
+			wait_for_completion(&tp_var->finished);
+			break;
+		case BATADV_TP_RECEIVER:
+			batadv_tp_list_detach(tp_var);
+			if (timer_shutdown_sync(&tp_var->timer))
+				batadv_tp_vars_put(tp_var);
+			break;
+		}
+
+		batadv_tp_vars_put(tp_var);
+	}
+
+	synchronize_net();
+}
+
+/**
  * batadv_tp_meter_init() - initialize global tp_meter structures
  */
 void __init batadv_tp_meter_init(void)
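
Review bot: when WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM) fires, the loop breaks and every session still on tp_list is left running while teardown continues, which is the situation this function exists to prevent. Either repeat the collect-and-stop pass until tp_list is empty, or document why tp_num guarantees the list never holds more than BATADV_TP_MAX_NUM entries. Two smaller points: the switch on tp_var->role has no default case, and the conditional batadv_tp_vars_put() after timer_shutdown_sync() in the receiver branch needs a comment saying which reference it drops.
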
--- a/net/batman-adv/tp_meter.h
+++ b/net/batman-adv/tp_meter.h
@@ -17,6 +17,7 @@ void batadv_tp_start(struct batadv_priv
 		     u32 test_length, u32 *cookie);
 void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst,
 		    u8 return_value);
+void batadv_tp_stop_all(struct batadv_priv *bat_priv);
 void batadv_tp_meter_recv(struct batadv_priv *bat_priv, struct sk_buff *skb);
 
 #endif /* _NET_BATMAN_ADV_TP_METER_H_ */
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -14,6 +14,7 @@
 #include <linux/average.h>
 #include <linux/bitops.h>
 #include <linux/compiler.h>
+#include <linux/completion.h>
 #include <linux/if.h>
 #include <linux/if_ether.h>
 #include <linux/kref.h>
@@ -1405,6 +1406,9 @@ struct batadv_tp_vars {
 	/** @finish_work: work item for the finishing procedure */
 	struct delayed_work finish_work;
 
+	/** @finished: completion signaled when a sender thread exits */
+	struct completion finished;
+
 	/** @test_length: test length in milliseconds */
 	u32 test_length;
 
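
Review bot: the kernel-doc for @finished says it is signaled when a sender thread exits, but this patch also calls complete() in batadv_tp_start_kthread() when the thread could not be created, and init_completion() is only added to batadv_tp_start(), so receiver sessions carry an uninitialized completion. Reword the comment to say that the completion is signaled once sender cleanup is done and is only valid for BATADV_TP_SENDER sessions.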




* [PATCH 6.1 493/522] batman-adv: tp_meter: fix tp_num leak on kmalloc failure
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (491 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 492/522] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 494/522] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit ce425dd05d0fe7594930a0fb103634f35ac47bb6 upstream.

When batadv_tp_start() or batadv_tp_init_recv() fail to allocate a new
tp_vars object, the previously incremented bat_priv->tp_num counter is
never decremented. This causes tp_num to drift upward on each allocation
failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count
is never reduced for these failed allocations, it causes an exhaustion
of throughput meter sessions. In the worst case, no new throughput meter
session can be started until the mesh interface is removed.

The error handling must decrement tp_num releasing the lock and aborting
the creation of a throughput meter session.

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/tp_meter.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -991,6 +991,7 @@ void batadv_tp_start(struct batadv_priv
 
 	tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
 	if (!tp_vars) {
+		atomic_dec(&bat_priv->tp_num);
 		spin_unlock_bh(&bat_priv->tp_list_lock);
 		batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
 			   "Meter: %s cannot allocate list elements\n",
@@ -1367,8 +1368,10 @@ batadv_tp_init_recv(struct batadv_priv *
 	}
 
 	tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
-	if (!tp_vars)
+	if (!tp_vars) {
+		atomic_dec(&bat_priv->tp_num);
 		goto out_unlock;
+	}
 
 	ether_addr_copy(tp_vars->other_end, icmp->orig);
 	tp_vars->role = BATADV_TP_RECEIVER;
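
Review bot: the atomic_dec(&bat_priv->tp_num) added before goto out_unlock undoes an increment that is not visible anywhere near this branch, so the pairing is easy to break the next time an early exit is added between the increment and the kmalloc(). A one-line comment, for example that the session never reached tp_list and so nothing else will drop the count, would make the intent clear; the same applies to the matching branch in batadv_tp_start().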




* [PATCH 6.1 494/522] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (492 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 493/522] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 495/522] perf build: Conditionally define NDEBUG Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Aaron Erhardt, Werner Sembach,
	Takashi Iwai

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Erhardt <aer@tuxedocomputers.com>

commit d649c58bcad8fb9b749e3837136a201632fa109d upstream.

Depending on the timing during boot, the BIOS might report wrong pin
capabilities, which can lead to HDMI audio being disabled. Therefore,
force HDMI audio connection on TUXEDO InfinityBook S 14 Gen6.

Signed-off-by: Aaron Erhardt <aer@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260218213234.429686-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_hdmi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1999,6 +1999,7 @@ static const struct snd_pci_quirk force_
 	SND_PCI_QUIRK(0x1043, 0x86ae, "ASUS", 1),  /* Z170 PRO */
 	SND_PCI_QUIRK(0x1043, 0x86c7, "ASUS", 1),  /* Z170M PLUS */
 	SND_PCI_QUIRK(0x1462, 0xec94, "MS-7C94", 1),
+	SND_PCI_QUIRK(0x1558, 0x14a1, "TUXEDO InfinityBook S 14 Gen6", 1),
 	SND_PCI_QUIRK(0x8086, 0x2060, "Intel NUC5CPYB", 1),
 	SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", 1),
 	{}




* [PATCH 6.1 495/522] perf build: Conditionally define NDEBUG
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (493 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 494/522] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 496/522] perf parse-events: Make YYDEBUG dependent on doing a debug build Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
	Alexander Shishkin, Ingo Molnar, Jiri Olsa, Mark Rutland,
	Namhyung Kim, Paolo Bonzini, Peter Zijlstra, Sean Christopherson,
	Arnaldo Carvalho de Melo, Florian Fainelli

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Rogers <irogers@google.com>

commit 616b14b47a86d880ba21a363440f20f82152d8f2 upstream

When a build is done without DEBUG=1 then define NDEBUG. This will
compile out asserts and other debug code.

Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20230330183827.1412303-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/Makefile.config |    1 +
 1 file changed, 1 insertion(+)

--- a/tools/perf/Makefile.config
+++ b/tools/perf/Makefile.config
@@ -228,6 +228,7 @@ ifndef DEBUG
 endif
 
 ifeq ($(DEBUG),0)
+CORE_CFLAGS += -DNDEBUG=1
 ifeq ($(CC_NO_CLANG), 0)
   CORE_CFLAGS += -O3
 else
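
Review bot: -DNDEBUG=1 is added for every DEBUG=0 build, which removes all assert() calls from perf, including any whose expression has a side effect or that serve as the only bounds or NULL check on parsed input. The commit message should state that the existing assert() uses were checked for this, or the checks that matter in release builds should first be converted to explicit error handling.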




* [PATCH 6.1 496/522] perf parse-events: Make YYDEBUG dependent on doing a debug build
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (494 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 495/522] perf build: Conditionally define NDEBUG Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 497/522] perf build: Disable fewer bison warnings Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
	Adrian Hunter, Alexander Shishkin, Gaosheng Cui, Ingo Molnar,
	James Clark, Jiri Olsa, Kan Liang, Mark Rutland, Peter Zijlstra,
	Rob Herring, bpf, Arnaldo Carvalho de Melo, Florian Fainelli

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Rogers <irogers@google.com>

commit d4ce60190e08d84f88937019defa5e3d23409ac1 upstream

YYDEBUG enables line numbers and other error helpers in the generated
parse-events-bison.c. These shouldn't be generated when debugging
isn't enabled.

Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Gaosheng Cui <cuigaosheng1@huawei.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@arm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rob Herring <robh@kernel.org>
Cc: bpf@vger.kernel.org
Link: https://lore.kernel.org/r/20230911170559.4037734-2-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/parse-events.y |    2 ++
 1 file changed, 2 insertions(+)

--- a/tools/perf/util/parse-events.y
+++ b/tools/perf/util/parse-events.y
@@ -6,7 +6,9 @@
 
 %{
 
+#ifndef NDEBUG
 #define YYDEBUG 1
+#endif
 
 #include <fnmatch.h>
 #include <stdio.h>




* [PATCH 6.1 497/522] perf build: Disable fewer bison warnings
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (495 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 496/522] perf parse-events: Make YYDEBUG dependent on doing a debug build Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 498/522] tools build: Add 3-component logical version comparators Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
	Alexander Shishkin, Andrii Nakryiko, Eduard Zingerman,
	Gaosheng Cui, Ingo Molnar, Jiri Olsa, Kan Liang, Mark Rutland,
	Namhyung Kim, Nathan Chancellor, Nick Desaulniers, Peter Zijlstra,
	Rob Herring, Tom Rix, bpf, llvm, Arnaldo Carvalho de Melo,
	Florian Fainelli

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Rogers <irogers@google.com>

commit ddc8e4c966923ad1137790817157c8a5f0301aec upstream

If bison is version 3.8.2, reduce the number of bison C warnings
disabled. Earlier bison versions have all C warnings disabled. Avoid
implicit declarations of yylex by adding the declaration in the C
file. A header can't be included as a circular dependency would occur
due to the lexer using the bison defined tokens.

Committer notes:

Some recent versions of gcc and clang (noticed on Alpine Linux 3.17,
edge, clearlinux, fedora 37, etc.

Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: Gaosheng Cui <cuigaosheng1@huawei.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rob Herring <robh@kernel.org>
Cc: Tom Rix <trix@redhat.com>
Cc: bpf@vger.kernel.org
Cc: llvm@lists.linux.dev
Link: https://lore.kernel.org/r/20230728064917.767761-6-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[florian: Remove non-existent tools/perf/util/bpf-filter.y in 6.1.y]
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Change-Id: I62327ddbe816008197053a9234a92d9c253a2c5d
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/Build          |   12 ++++++++----
 tools/perf/util/expr.y         |    4 +++-
 tools/perf/util/parse-events.y |    1 +
 tools/perf/util/pmu.y          |    3 +++
 4 files changed, 15 insertions(+), 5 deletions(-)

--- a/tools/perf/util/Build
+++ b/tools/perf/util/Build
@@ -269,10 +269,14 @@ CFLAGS_parse-events-flex.o  += $(flex_fl
 CFLAGS_pmu-flex.o           += $(flex_flags)
 CFLAGS_expr-flex.o          += $(flex_flags)
 
-bison_flags := -DYYENABLE_NLS=0
-BISON_GE_35 := $(shell expr $(shell $(BISON) --version | grep bison | sed -e 's/.\+ \([0-9]\+\).\([0-9]\+\)/\1\2/g') \>\= 35)
-ifeq ($(BISON_GE_35),1)
-  bison_flags += -Wno-unused-parameter -Wno-nested-externs -Wno-implicit-function-declaration -Wno-switch-enum -Wno-unused-but-set-variable -Wno-unknown-warning-option
+# Some newer clang and gcc version complain about this
+# util/parse-events-bison.c:1317:9: error: variable 'parse_events_nerrs' set but not used [-Werror,-Wunused-but-set-variable]
+#  int yynerrs = 0;
+
+bison_flags := -DYYENABLE_NLS=0 -Wno-unused-but-set-variable
+BISON_GE_382 := $(shell expr $(shell $(BISON) --version | grep bison | sed -e 's/.\+ \([0-9]\+\).\([0-9]\+\).\([0-9]\+\)/\1\2\3/g') \>\= 382)
+ifeq ($(BISON_GE_382),1)
+  bison_flags += -Wno-switch-enum
 else
   bison_flags += -w
 endif
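
Review bot: BISON_GE_382 is built by gluing the three version components together with \1\2\3 and comparing the result with 382, which is not a version comparison: 2.7.12 becomes 2712 and passes, and a two-component version string does not match the pattern at all, leaving expr with non-numeric input. Compare the components separately (the version-ge3 helper added to tools/scripts/utilities.mak later in this series does that) so the -w fallback is chosen reliably. The new -Wno-unused-but-set-variable in bison_flags is also added without any compiler check, which patch 499 of this series then has to strip again for clang < 13.0.0.
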
--- a/tools/perf/util/expr.y
+++ b/tools/perf/util/expr.y
@@ -7,6 +7,8 @@
 #include "util/debug.h"
 #define IN_EXPR_Y 1
 #include "expr.h"
+#include "expr-bison.h"
+int expr_lex(YYSTYPE * yylval_param , void *yyscanner);
 %}
 
 %define api.pure full
@@ -56,7 +58,7 @@
 static void expr_error(double *final_val __maybe_unused,
 		       struct expr_parse_ctx *ctx __maybe_unused,
 		       bool compute_ids __maybe_unused,
-		       void *scanner,
+		       void *scanner __maybe_unused,
 		       const char *s)
 {
 	pr_debug("%s\n", s);
--- a/tools/perf/util/parse-events.y
+++ b/tools/perf/util/parse-events.y
@@ -20,6 +20,7 @@
 #include "parse-events.h"
 #include "parse-events-bison.h"
 
+int parse_events_lex(YYSTYPE * yylval_param, YYLTYPE * yylloc_param , void *yyscanner);
 void parse_events_error(YYLTYPE *loc, void *parse_state, void *scanner, char const *msg);
 
 #define ABORT_ON(val) \
--- a/tools/perf/util/pmu.y
+++ b/tools/perf/util/pmu.y
@@ -9,6 +9,9 @@
 #include <linux/bitmap.h>
 #include <string.h>
 #include "pmu.h"
+#include "pmu-bison.h"
+
+int perf_pmu_lex(void);
 
 #define ABORT_ON(val) \
 do { \




* [PATCH 6.1 498/522] tools build: Add 3-component logical version comparators
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (496 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 497/522] perf build: Disable fewer bison warnings Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 499/522] perf build: Remove -Wno-unused-but-set-variable from the flex flags when building with clang < 13.0.0 Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Ian Rogers, Jiri Olsa,
	Namhyung Kim, Arnaldo Carvalho de Melo, Florian Fainelli

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit a9b451509565d40a5ca3b41c39a2b758cdbc5355 upstream

The next cset needs to compare if a flex version is greater or
equal/less than another, but since there is no canonical, generally
available way to compare versions in the command line (sort -V, yeah,
but...), just use awk to canonicalize the versions like is also done in
scripts/rust_is_available.sh.

There was a problem spotted in linux-next where a bashism, here
documents, aka the '<<<' stdin redirector, for strings to be used as the
stdin for awk. Use $(shell echo | awk ...) instead.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/scripts/utilities.mak |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/tools/scripts/utilities.mak
+++ b/tools/scripts/utilities.mak
@@ -177,3 +177,23 @@ $(if $($(1)),$(call _ge_attempt,$($(1)),
 endef
 _ge_attempt = $(or $(get-executable),$(call _gea_err,$(2)))
 _gea_err  = $(if $(1),$(error Please set '$(1)' appropriately))
+
+# version-ge3
+#
+# Usage $(call version-ge3,2.6.4,$(FLEX_VERSION))
+#
+# To compare if a 3 component version is greater or equal to another, first use
+# was to check the flex version to see if we can use compiler warnings as
+# errors for one of the cases flex generates code C compilers complains about.
+
+version-ge3 = $(shell echo "$(1).$(2)" | awk -F'.' '{ printf("%d\n", (10000000 * $$1 + 10000 * $$2 + $$3) >= (10000000 * $$4 + 10000 * $$5 + $$6)) }')
+
+# version-lt3
+#
+# Usage $(call version-lt3,2.6.2,$(FLEX_VERSION))
+#
+# To compare if a 3 component version is less thjan another, first use was to
+# check the flex version to see if we can use compiler warnings as errors for
+# one of the cases flex generates code C compilers complains about.
+
+version-lt3 = $(shell echo "$(1).$(2)" | awk -F'.' '{ printf("%d\n", (10000000 * $$1 + 10000 * $$2 + $$3) < (10000000 * $$4 + 10000 * $$5 + $$6)) }')
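
Review bot: both helpers split "$(1).$(2)" on '.' and assume exactly six fields, so an empty or two-component version (for example when the probed tool is missing or prints "13.0") shifts the second version into the first one's fields and the comparison silently returns a wrong 0 or 1. Check the field count in awk (NF == 6) and fail loudly otherwise. The usage lines also read backwards: version-ge3 tests whether $(1) >= $(2), so "$(call version-ge3,2.6.4,$(FLEX_VERSION))" asks whether 2.6.4 is at least the flex version, while the caller in tools/perf/util/Build passes the probed version first. "thjan" in the version-lt3 comment is a typo.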




* [PATCH 6.1 499/522] perf build: Remove -Wno-unused-but-set-variable from the flex flags when building with clang < 13.0.0
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (497 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 498/522] tools build: Add 3-component logical version comparators Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 500/522] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Ian Rogers, Jiri Olsa,
	Namhyung Kim, Arnaldo Carvalho de Melo, Florian Fainelli

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

clang < 13.0.0 doesn't grok -Wno-unused-but-set-variable, so just remove
it to avoid:

  error: unknown warning option '-Wno-unused-but-set-variable'; did you mean '-Wno-unused-const-variable'? [-Werror,-Wunknown-warning-option]
  make[4]: *** [/git/perf-6.5.0-rc4/tools/build/Makefile.build:128: /tmp/build/perf/util/pmu-flex.o] Error 1
  make[4]: *** Waiting for unfinished jobs....

Fixes: ddc8e4c966923ad1 ("perf build: Disable fewer bison warnings")
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/lkml/ZNUSWr52jUnVaaa%2F@kernel.org/
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/Build |   20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/tools/perf/util/Build
+++ b/tools/perf/util/Build
@@ -1,3 +1,6 @@
+include $(srctree)/tools/scripts/Makefile.include
+include $(srctree)/tools/scripts/utilities.mak
+
 perf-y += arm64-frame-pointer-unwind-support.o
 perf-y += annotate.o
 perf-y += block-info.o
@@ -265,15 +268,22 @@ ifeq ($(FLEX_GE_26),1)
 else
   flex_flags := -w
 endif
-CFLAGS_parse-events-flex.o  += $(flex_flags)
-CFLAGS_pmu-flex.o           += $(flex_flags)
-CFLAGS_expr-flex.o          += $(flex_flags)
 
 # Some newer clang and gcc version complain about this
 # util/parse-events-bison.c:1317:9: error: variable 'parse_events_nerrs' set but not used [-Werror,-Wunused-but-set-variable]
 #  int yynerrs = 0;
 
 bison_flags := -DYYENABLE_NLS=0 -Wno-unused-but-set-variable
+
+# Old clangs don't grok -Wno-unused-but-set-variable, remove it
+ifeq ($(CC_NO_CLANG), 0)
+  CLANG_VERSION := $(shell $(CLANG) --version | head -1 | sed 's/.*clang version \([[:digit:]]\+.[[:digit:]]\+.[[:digit:]]\+\).*/\1/g')
+  ifeq ($(call version-lt3,$(CLANG_VERSION),13.0.0),1)
+    bison_flags := $(subst -Wno-unused-but-set-variable,,$(bison_flags))
+    flex_flags := $(subst -Wno-unused-but-set-variable,,$(flex_flags))
+  endif
+endif
+
 BISON_GE_382 := $(shell expr $(shell $(BISON) --version | grep bison | sed -e 's/.\+ \([0-9]\+\).\([0-9]\+\).\([0-9]\+\)/\1\2\3/g') \>\= 382)
 ifeq ($(BISON_GE_382),1)
   bison_flags += -Wno-switch-enum
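
Review bot: the new block is guarded by CC_NO_CLANG, which describes $(CC), but CLANG_VERSION is read from $(CLANG) --version, so the version being tested may belong to a different binary from the one that compiles the flex and bison output. Probe $(CC) --version here instead. If the sed pattern does not match, the whole first line of output is handed to version-lt3 unchanged, so checking that CLANG_VERSION is non-empty and numeric before the comparison would also be worthwhile.
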
@@ -286,6 +296,10 @@ ifeq ($(BISON_LT_381),1)
   bison_flags += -DYYNOMEM=YYABORT
 endif
 
+CFLAGS_parse-events-flex.o  += $(flex_flags)
+CFLAGS_pmu-flex.o           += $(flex_flags)
+CFLAGS_expr-flex.o          += $(flex_flags)
+
 CFLAGS_parse-events-bison.o += $(bison_flags)
 CFLAGS_pmu-bison.o          += -DYYLTYPE_IS_TRIVIAL=0 $(bison_flags)
 CFLAGS_expr-bison.o         += -DYYLTYPE_IS_TRIVIAL=0 $(bison_flags)




* [PATCH 6.1 500/522] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (498 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 499/522] perf build: Remove -Wno-unused-but-set-variable from the flex flags when building with clang < 13.0.0 Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 501/522] ipmi:ssif: Fix a shutdown race Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <maz@kernel.org>

commit 4ce98bf0865c349e7026ad9c14f48da264920953 upstream.

It appears that there is nothing in the wake-up path that
evaluates whether the in-kernel interrupts are pending unless
we have a vgic.

This means that the userspace irqchip support has been broken for
about four years, and nobody noticed. It was also broken before
as we wouldn't wake-up on a PMU interrupt, but hey, who cares...

It is probably time to remove the feature altogether, because it
was a terrible idea 10 years ago, and it still is.

Fixes: b57de4ffd7c6d ("KVM: arm64: Simplify kvm_cpu_has_pending_timer()")
Link: https://patch.msgid.link/20260423163607.486345-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/arm.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -540,6 +540,11 @@ int kvm_arch_vcpu_ioctl_set_mpstate(stru
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *v)
 {
 	bool irq_lines = *vcpu_hcr(v) & (HCR_VI | HCR_VF);
+
+	irq_lines |= (!irqchip_in_kernel(v->kvm) &&
+		      (kvm_timer_should_notify_user(v) ||
+		       kvm_pmu_should_notify_user(v)));
+
 	return ((irq_lines || kvm_vgic_vcpu_pending_irq(v))
 		&& !kvm_arm_vcpu_stopped(v) && !v->arch.pause);
 }
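Review bot: the new irq_lines term in kvm_arch_vcpu_runnable() carries
no comment saying why the timer and PMU notify helpers are consulted
only when !irqchip_in_kernel(v->kvm). The commit message explains that
nothing else in the wake-up path evaluates these interrupts without a
vgic; a one- or two-line comment above the "irq_lines |=" statement
saying so would keep the condition from being dropped in a later
cleanup of this function.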



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 501/522] ipmi:ssif: Fix a shutdown race
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (499 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 500/522] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 502/522] ipmi:ssif: Clean up kthread on errors Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 6bd0eb6d759b9a22c5509ea04e19c2e8407ba418 upstream.

It was possible for the SSIF thread to stop and quit before the
kthread_stop() call because ssif->stopping was set before the
stop.  So only exit the SSIF thread if kthread_should_stop()
returns true.

There is no need to wake the thread, as the wait will be interrupted
by kthread_stop().

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_ssif.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -490,8 +490,6 @@ static int ipmi_ssif_thread(void *data)
 		/* Wait for something to do */
 		result = wait_for_completion_interruptible(
 						&ssif_info->wake_thread);
-		if (ssif_info->stopping)
-			break;
 		if (result == -ERESTARTSYS)
 			continue;
 		init_completion(&ssif_info->wake_thread);
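Review bot: with the "stopping" test gone from the loop body, a wait
that returns 0 while shutdown_ssif() is in progress now falls through
to init_completion() and the handling below it instead of leaving the
loop. A short comment at the wait stating that only
kthread_should_stop() ends the thread, and that "stopping" is no
longer read here, would document that this is intended.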
@@ -1289,10 +1287,8 @@ static void shutdown_ssif(void *send_inf
 	ssif_info->stopping = true;
 	del_timer_sync(&ssif_info->watch_timer);
 	del_timer_sync(&ssif_info->retry_timer);
-	if (ssif_info->thread) {
-		complete(&ssif_info->wake_thread);
+	if (ssif_info->thread)
 		kthread_stop(ssif_info->thread);
-	}
 }
 
 static void ssif_remove(struct i2c_client *client)
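Review bot: dropping complete(&ssif_info->wake_thread) ahead of
kthread_stop() in shutdown_ssif() needs a second look, because the
thread sleeps in wait_for_completion_interruptible() and kthread_stop()
wakes the task without completing wake_thread or raising a signal. It
is worth confirming on a test system that the wait really returns and
the loop condition is re-evaluated on module unload; if it does not,
kthread_stop() blocks here. Keeping the complete() call while still
removing the "stopping" break in the thread would address the race
described in the commit message without depending on that.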



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 502/522] ipmi:ssif: Clean up kthread on errors
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (500 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 501/522] ipmi:ssif: Fix a shutdown race Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 503/522] mm/damon/core: use time_in_range_open() for damos quota window start Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiao, Corey Minyard

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 75c486cb1bcaa1a3ec3a6438498176a3a4998ae4 upstream.

If an error occurs after the ssif kthread is created, but before the
main IPMI code starts the ssif interface, the ssif kthread will not
be stopped.

So make sure the kthread is stopped on an error condition if it is
running.

Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
Reported-by: Li Xiao <252270051@hdu.edu.cn>
Cc: stable@vger.kernel.org
Reviewed-by: Li Xiao <252270051@hdu.edu.cn>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_ssif.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -1287,8 +1287,10 @@ static void shutdown_ssif(void *send_inf
 	ssif_info->stopping = true;
 	del_timer_sync(&ssif_info->watch_timer);
 	del_timer_sync(&ssif_info->retry_timer);
-	if (ssif_info->thread)
+	if (ssif_info->thread) {
 		kthread_stop(ssif_info->thread);
+		ssif_info->thread = NULL;
+	}
 }
 
 static void ssif_remove(struct i2c_client *client)
@@ -1916,6 +1918,15 @@ static int ssif_probe(struct i2c_client
 
  out:
 	if (rv) {
+		/*
+		 * If ipmi_register_smi() starts the interface, it will
+		 * call shutdown and that will free the thread and set
+		 * it to NULL.  Otherwise it must be freed here.
+		 */
+		if (ssif_info->thread) {
+			kthread_stop(ssif_info->thread);
+			ssif_info->thread = NULL;
+		}
 		if (addr_info)
 			addr_info->client = NULL;
 
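Review bot: the "if (ssif_info->thread)" test added to the ssif_probe()
error path only tells NULL from non-NULL, so it is correct only if the
field can never hold an error pointer when "out:" is reached. If the
field is assigned straight from kthread_run() and that call fails, the
value is an ERR_PTR and kthread_stop() would be called on it. Either
reset the field to NULL at the failure site or test with
IS_ERR_OR_NULL() here; patch 508/522 in this series takes the first
route, so the two should be applied together.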



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 503/522] mm/damon/core: use time_in_range_open() for damos quota window start
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (501 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 502/522] ipmi:ssif: Clean up kthread on errors Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 504/522] mm/damon/core: disallow time-quota setting zero esz Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 049a57421dd67a28c45ae7e92c36df758033e5fa upstream.

damos_adjust_quota() uses time_after_eq() to show if it is time to start a
new quota charge window, comparing the current jiffies and the scheduled
next charge window start time.  If it is, the next charge window start
time is updated and the new charge window starts.

The time check and next window start time update is skipped while the
scheme is deactivated by the watermarks.  Let's suppose the deactivation
is kept more than LONG_MAX jiffies (assuming CONFIG_HZ of 250, more than
99 days in 32 bit systems and more than one billion years in 64 bit
systems), resulting in having the jiffies larger than the next charge
window start time + LONG_MAX.  Then, the time_after_eq() call can return
false until another LONG_MAX jiffies are passed.

This means the scheme can continue working after being reactivated by the
watermarks.  But, soon, the quota will be exceeded and the scheme will
again effectively stop working until the next charge window starts.
Because the current charge window is extended to up to LONG_MAX jiffies,
however, it will look like it stopped unexpectedly and indefinitely, from
the user's perspective.

Fix this by using !time_in_range_open() instead.

The issue was discovered [1] by sashiko.

Link: https://lore.kernel.org/20260329152306.45796-1-sj@kernel.org
Link: https://lore.kernel.org/20260324040722.57944-1-sj@kernel.org [1]
Fixes: ee801b7dd782 ("mm/damon/schemes: activate schemes based on a watermarks mechanism")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -826,7 +826,8 @@ static void kdamond_apply_schemes(struct
 			continue;
 
 		/* New charge window starts */
-		if (time_after_eq(jiffies, quota->charged_from +
+		if (!time_in_range_open(jiffies, quota->charged_from,
+					quota->charged_from +
 					msecs_to_jiffies(
 						quota->reset_interval))) {
 			if (quota->esz && quota->charged_sz >= quota->esz)
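Review bot: the switch from time_after_eq() to !time_in_range_open()
has no comment in the code, and the reason (jiffies may have moved more
than LONG_MAX past the window end while the scheme was deactivated by
watermarks) is not something a reader can infer from the "New charge
window starts" line. A sentence there saying the half-open range is
deliberate would stop a later cleanup from turning it back into the
shorter time_after_eq() form.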



^ permalink raw reply	[flat|nested] 906+ messages in thread
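The wraparound described in the damos quota patch above (503/522), as an added example that is not part of the patch or the kernel tree. It is a userspace model with local copies of the jiffies comparison macros; the function names and the sample jiffies values are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Local userspace copies of the wrap-safe helpers from
 * include/linux/jiffies.h, without the kernel's typecheck() wrappers.
 * The (long) cast of a large unsigned value relies on two's-complement
 * conversion, as the kernel does.
 */
#define time_after(a, b)	((long)((b) - (a)) < 0)
#define time_before(a, b)	time_after(b, a)
#define time_after_eq(a, b)	((long)((a) - (b)) >= 0)
#define time_in_range_open(a, b, c) \
	(time_after_eq(a, b) && time_before(a, c))

/* Constructed sample window: starts at jiffy 1000, 250 jiffies long. */
#define WIN_FROM	1000UL
#define WIN_LEN		250UL
/* "now" after a stall of more than LONG_MAX jiffies past the window end. */
#define STALLED_NOW	(WIN_FROM + WIN_LEN + (unsigned long)LONG_MAX + 10UL)

/* Check before the patch: a new window starts once now >= window end. */
static bool new_window_old(unsigned long now, unsigned long charged_from,
			   unsigned long interval)
{
	return time_after_eq(now, charged_from + interval);
}

/*
 * Check after the patch: a new window starts whenever now is outside
 * the half-open range [charged_from, charged_from + interval).
 */
static bool new_window_new(unsigned long now, unsigned long charged_from,
			   unsigned long interval)
{
	return !time_in_range_open(now, charged_from,
				   charged_from + interval);
}

/* Jiffies that still have to pass before the old check fires (0 = now). */
static unsigned long old_check_delay(unsigned long now,
				     unsigned long charged_from,
				     unsigned long interval)
{
	unsigned long end = charged_from + interval;

	return new_window_old(now, charged_from, interval) ? 0 : end - now;
}

static void show(const char *what, unsigned long now)
{
	printf("%-22s old=%d new=%d old-check delay=%lu\n", what,
	       new_window_old(now, WIN_FROM, WIN_LEN),
	       new_window_new(now, WIN_FROM, WIN_LEN),
	       old_check_delay(now, WIN_FROM, WIN_LEN));
}

int main(void)
{
	show("inside window", WIN_FROM + 100UL);
	show("exactly at window end", WIN_FROM + WIN_LEN);
	show("after long stall", STALLED_NOW);
	return 0;
}
```

In the stalled case the old check stays false for almost another LONG_MAX jiffies, which is the indefinitely extended charge window the commit message describes; the patched check starts a new window at once.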

* [PATCH 6.1 504/522] mm/damon/core: disallow time-quota setting zero esz
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (502 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 503/522] mm/damon/core: use time_in_range_open() for damos quota window start Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 505/522] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 8bbde987c2b84f80da0853f739f0a920386f8b99 upstream.

When the throughput of a DAMOS scheme is very slow, DAMOS time quota can
make the effective size quota smaller than damon_ctx->min_region_sz.  In
the case, damos_apply_scheme() will skip applying the action, because the
action is tried at region level, which requires >=min_region_sz size.
That is, the quota is effectively exceeded for the quota charge window.

Because no action will be applied, the total_charged_sz and
total_charged_ns are also not updated.  damos_set_effective_quota() will
try to update the effective size quota before starting the next charge
window.  However, because the total_charged_sz and total_charged_ns have
not been updated, the throughput and effective size quota are also not changed.
Since effective size quota can only be decreased, other effective size
quota update factors including DAMOS quota goals and size quota cannot
make any change, either.

As a result, the scheme is unexpectedly deactivated until the user notices
and mitigates the situation.  The users can mitigate this situation by
changing the time quota online or re-installing the scheme.  While the
mitigation is somewhat straightforward, finding the situation would be
challenging, because DAMON is not providing good observabilities for that.
Even if such observability is provided, doing the additional monitoring
and the mitigation is somewhat cumbersome and not aligned to the intention
of the time quota.  The time quota was intended to help reduce the user's
administration overhead.

Fix the problem by setting time quota-modified effective size quota be at
least min_region_sz always.

The issue was discovered [1] by sashiko.

Link: https://lore.kernel.org/20260407003153.79589-1-sj@kernel.org
Link: https://lore.kernel.org/20260405192504.110014-1-sj@kernel.org [1]
Fixes: 1cd243030059 ("mm/damon/schemes: implement time quota")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -802,6 +802,7 @@ static void damos_set_effective_quota(st
 	else
 		throughput = PAGE_SIZE * 1024;
 	esz = throughput * quota->ms;
+	esz = max(DAMON_MIN_REGION, esz);
 
 	if (quota->sz && quota->sz < esz)
 		esz = quota->sz;
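Review bot: the clamp added in damos_set_effective_quota() uses the
DAMON_MIN_REGION constant while the commit message speaks of
damon_ctx->min_region_sz, and the message does not say that the
backport substitutes one for the other. A short backport note in the
changelog would make that deviation from upstream visible. Note also
that the clamp sits before "if (quota->sz && quota->sz < esz)", so a
user-set size quota below DAMON_MIN_REGION still brings esz under the
minimum; if that is intended (only the time-quota-derived value is
floored), a comment on the max() line should say so.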



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 505/522] usb: typec: tcpm: reset internal port states on soft reset AMS
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (503 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 504/522] mm/damon/core: disallow time-quota setting zero esz Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 506/522] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amit Sunil Dhamne, stable,
	Badhri Jagan Sridharan, Heikki Krogerus

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amit Sunil Dhamne <amitsd@google.com>

commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream.

Reset internal port states (such as vdm_sm_running and
explicit_contract) on soft reset AMS as the port needs to negotiate a
new contract. The consequence of leaving the states in as-is cond are as
follows:
  * port is in SRC power role and an explicit contract is negotiated
    with the port partner (in sink role)
  * port partner sends a Soft Reset AMS while VDM State Machine is
    running
  * port accepts the Soft Reset request and the port advertises src caps
  * port partner sends a Request message but since the explicit_contract
    and vdm_sm_running are true from previous negotiation, the port ends
    up sending Soft Reset instead of Accept msg.

Stub Log:
[  203.653942] AMS DISCOVER_IDENTITY start
[  203.653947] PD TX, header: 0x176f
[  203.655901] PD TX complete, status: 0
[  203.657470] PD RX, header: 0x124f [1]
[  203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
[  203.657482] AMS DISCOVER_IDENTITY finished
[  203.657484] cc:=4
[  204.155698] PD RX, header: 0x144f [1]
[  204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
[  204.155741] PD TX, header: 0x196f
[  204.157622] PD TX complete, status: 0
[  204.160060] PD RX, header: 0x4d [1]
[  204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
[  204.160076] PD TX, header: 0x163
[  204.162486] PD TX complete, status: 0
[  204.162832] AMS SOFT_RESET_AMS finished
[  204.162840] cc:=4
[  204.162891] AMS POWER_NEGOTIATION start
[  204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
[  204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
[  204.162913] PD TX, header: 0x1361
[  204.165529] PD TX complete, status: 0
[  204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
[  204.166996] PD RX, header: 0x1242 [1]
[  204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
[  204.167019] AMS POWER_NEGOTIATION finished
[  204.167020] cc:=4
[  204.167083] AMS SOFT_RESET_AMS start
[  204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
[  204.167092] PD TX, header: 0x16d
[  204.168824] PD TX complete, status: 0
[  204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
[  204.171876] PD RX, header: 0x43 [1]
[  204.171879] AMS SOFT_RESET_AMS finished

This causes COMMON.PROC.PD.11.2 check failure for
TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.

Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -4651,6 +4651,8 @@ static void run_state_machine(struct tcp
 		usb_power_delivery_unregister_capabilities(port->partner_source_caps);
 		port->partner_source_caps = NULL;
 		tcpm_pd_send_control(port, PD_CTRL_ACCEPT);
+		port->vdm_sm_running = false;
+		port->explicit_contract = false;
 		tcpm_ams_finish(port);
 		if (port->pwr_role == TYPEC_SOURCE) {
 			port->upcoming_state = SRC_SEND_CAPABILITIES;
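Review bot: vdm_sm_running and explicit_contract are cleared right
after tcpm_pd_send_control(port, PD_CTRL_ACCEPT) with no comment and
without looking at whether the Accept was sent. A one-line comment
that a Soft Reset invalidates the previous contract and any running
VDM exchange would tie the two assignments to the sequence in the
commit message, and it is worth stating whether clearing them is also
correct when the Accept transmission fails.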



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 506/522] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (504 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 505/522] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 507/522] ipmi:ssif: Remove unnecessary indention Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ignat Korchagin,
	Jarkko Sakkinen, Eric Biggers, Yiming Qian

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 upstream.

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes
than the "nbytes" parameter and the first "nbytes + 1" bytes of the
scatterlist must be zero.  Under these conditions, the while loop
iterating over the scatterlist will count more zeroes than "nbytes",
subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
introduced the bug, it couldn't be triggered because all callers of
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
"nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
interface without scatterlists"), the underflow can now actually be
triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
both the "src" and "dst" member of struct akcipher_request and thereby
fulfil the conditions to trigger the bug:

  sys_keyctl()
    keyctl_pkey_e_d_s()
      asymmetric_key_eds_op()
        software_key_eds_op()
          crypto_akcipher_sync_encrypt()
            crypto_akcipher_sync_prep()
              crypto_akcipher_encrypt()
                rsa_enc()
                  mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever,
causing soft lockup splats as a side effect.

Fix it.

Reported-by: Yiming Qian <yimingqian591@gmail.com> # off-list
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/r/59eca92ff4f87e2081777f1423a0efaaadcfdb39.1776003111.git.lukas@wunner.de
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/mpi/mpicoder.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -453,7 +453,7 @@ MPI mpi_read_raw_from_sgl(struct scatter
 	lzeros = 0;
 	len = 0;
 	while (nbytes > 0) {
-		while (len && !*buff) {
+		while (len && !*buff && lzeros < nbytes) {
 			lzeros++;
 			len--;
 			buff++;
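Review bot: the added "lzeros < nbytes" bound in the inner while loop
of mpi_read_raw_from_sgl() is the whole fix, yet nothing in the code
says why a zero count has to be capped. A comment above the loop that
the scatterlist may be longer than nbytes, so leading zeros must not
be counted past nbytes, would record the invariant (lzeros <= nbytes)
that the later subtraction depends on. A regression test with an
all-zero input longer than nbytes would be a useful companion.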



^ permalink raw reply	[flat|nested] 906+ messages in thread
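The underflow described in the mpi patch above (506/522), as an added example that is not part of the patch or the kernel tree. It is a userspace model of the leading-zero scan: struct seg and strip_leading_zeros() are hypothetical names, the steps outside the hunk's visible lines are assumptions modelled on the commit message, the inputs are constructed, and the model stops where the subtraction would wrap instead of spinning.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One contiguous piece of input; stands in for a scatterlist entry. */
struct seg {
	const unsigned char *buf;
	size_t len;
};

/* Constructed inputs. */
static const unsigned char zeros8[8] = { 0 };
static const unsigned char mixed[4] = { 0x00, 0x00, 0x12, 0x34 };
static const unsigned char split_a[2] = { 0x00, 0x00 };
static const unsigned char split_b[2] = { 0x00, 0x01 };
static const struct seg sgl_zero[] = { { zeros8, sizeof(zeros8) } };
static const struct seg sgl_mixed[] = { { mixed, sizeof(mixed) } };
static const struct seg sgl_split[] = {
	{ split_a, sizeof(split_a) }, { split_b, sizeof(split_b) },
};

/*
 * Count leading zero bytes across the segments and return how many of
 * the nbytes remain once they are stripped.  capped=false models the
 * inner loop before the patch, capped=true the loop with the added
 * "lzeros < nbytes" bound.  *wrapped reports that the unsigned
 * subtraction "nbytes - lzeros" went below zero.
 */
static unsigned int strip_leading_zeros(const struct seg *segs, size_t nsegs,
					unsigned int nbytes, bool capped,
					bool *wrapped)
{
	const unsigned char *buff = NULL;
	size_t len = 0, next = 0;
	unsigned int lzeros = 0;

	while (nbytes > 0) {
		while (len && !*buff && (!capped || lzeros < nbytes)) {
			lzeros++;
			len--;
			buff++;
		}
		/* Stop on the first non-zero byte, or where it would wrap. */
		if ((len && *buff) || lzeros > nbytes)
			break;
		nbytes -= lzeros;	/* assumed step, per commit message */
		lzeros = 0;
		if (next == nsegs)
			break;		/* input exhausted */
		buff = segs[next].buf;
		len = segs[next].len;
		next++;
	}
	*wrapped = lzeros > nbytes;
	return nbytes - lzeros;		/* wraps when lzeros > nbytes */
}

int main(void)
{
	bool w;
	unsigned int left;

	/* 8 zero bytes of input but nbytes = 4: the trigger condition. */
	left = strip_leading_zeros(sgl_zero, 1, 4, false, &w);
	printf("unpatched: left=%u wrapped=%d\n", left, w);
	left = strip_leading_zeros(sgl_zero, 1, 4, true, &w);
	printf("patched:   left=%u wrapped=%d\n", left, w);
	/* Input length equal to nbytes: the pre-existing callers' case. */
	left = strip_leading_zeros(sgl_zero, 1, 8, false, &w);
	printf("equal len: left=%u wrapped=%d\n", left, w);
	return 0;
}
```

The third call shows why the bug stayed dormant while every caller passed an input exactly nbytes long, as the commit message notes.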

* [PATCH 6.1 507/522] ipmi:ssif: Remove unnecessary indention
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (505 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 506/522] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 508/522] ipmi:ssif: NULL thread on error Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 91eb7ec7261254b6875909df767185838598e21e upstream.

A section was in {} that didn't need to be, move the variable
definition to the top and set the indentation properly.

Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_ssif.c |   28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -1670,6 +1670,7 @@ static int ssif_probe(struct i2c_client
 	int               len = 0;
 	int               i;
 	u8		  slave_addr = 0;
+	unsigned int      thread_num;
 	struct ssif_addr_info *addr_info = NULL;
 
 	mutex_lock(&ssif_infos_mutex);
@@ -1878,22 +1879,17 @@ static int ssif_probe(struct i2c_client
 	ssif_info->handlers.request_events = request_events;
 	ssif_info->handlers.set_need_watch = ssif_set_need_watch;
 
-	{
-		unsigned int thread_num;
-
-		thread_num = ((i2c_adapter_id(ssif_info->client->adapter)
-			       << 8) |
-			      ssif_info->client->addr);
-		init_completion(&ssif_info->wake_thread);
-		ssif_info->thread = kthread_run(ipmi_ssif_thread, ssif_info,
-					       "kssif%4.4x", thread_num);
-		if (IS_ERR(ssif_info->thread)) {
-			rv = PTR_ERR(ssif_info->thread);
-			dev_notice(&ssif_info->client->dev,
-				   "Could not start kernel thread: error %d\n",
-				   rv);
-			goto out;
-		}
+	thread_num = ((i2c_adapter_id(ssif_info->client->adapter) << 8) |
+		      ssif_info->client->addr);
+	init_completion(&ssif_info->wake_thread);
+	ssif_info->thread = kthread_run(ipmi_ssif_thread, ssif_info,
+					"kssif%4.4x", thread_num);
+	if (IS_ERR(ssif_info->thread)) {
+		rv = PTR_ERR(ssif_info->thread);
+		dev_notice(&ssif_info->client->dev,
+			   "Could not start kernel thread: error %d\n",
+			   rv);
+		goto out;
 	}
 
 	dev_set_drvdata(&ssif_info->client->dev, ssif_info);



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 508/522] ipmi:ssif: NULL thread on error
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (506 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 507/522] ipmi:ssif: Remove unnecessary indention Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 509/522] mm/damon/core: implement damon_kdamond_pid() Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit a8aebe93a4938c0ca1941eeaae821738f869be3d upstream.

Cleanup code was checking the thread for NULL, but it was possibly
a PTR_ERR() in one spot.

Spotted with static analysis.

Link: https://sourceforge.net/p/openipmi/mailman/message/59324676/
Fixes: 75c486cb1bca ("ipmi:ssif: Clean up kthread on errors")
Cc: <stable@vger.kernel.org> # 91eb7ec72612: ipmi:ssif: Remove unnecessary indention
Cc: stable@vger.kernel.org
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_ssif.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -1886,6 +1886,7 @@ static int ssif_probe(struct i2c_client
 					"kssif%4.4x", thread_num);
 	if (IS_ERR(ssif_info->thread)) {
 		rv = PTR_ERR(ssif_info->thread);
+		ssif_info->thread = NULL;
 		dev_notice(&ssif_info->client->dev,
 			   "Could not start kernel thread: error %d\n",
 			   rv);
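Review bot: resetting ssif_info->thread to NULL inside the IS_ERR()
branch works, but it leaves a window in which the field holds an error
pointer and makes every cleanup path depend on this one assignment.
Taking the kthread_run() result in a local variable and storing it in
ssif_info->thread only on success would keep the field either NULL or
valid at all times, so the "if (ssif_info->thread)" tests elsewhere
stay correct by construction.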



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 509/522] mm/damon/core: implement damon_kdamond_pid()
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (507 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 508/522] ipmi:ssif: NULL thread on error Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 510/522] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 4262c53236977de3ceaa3bf2aefdf772c9b874dd upstream.

Patch series "mm/damon: hide kdamond and kdamond_lock from API callers".

'kdamond' and 'kdamond_lock' fields were initially exposed to DAMON API callers
for flexible synchronization and use cases.  As DAMON API became somewhat
complicated compared to the early days, keeping those exposed could only
encourage the API callers to invent more creative but complicated and
difficult-to-debug use cases.

Fortunately DAMON API callers didn't invent that many creative use cases.
There exist only two use cases of 'kdamond' and 'kdamond_lock'.  Finding
whether the kdamond is actively running, and getting the pid of the
kdamond.  For the first use case, a dedicated API function, namely
'damon_is_running()' is provided, and all DAMON API callers are using the
function for the use case.  Hence only the second use case is where the
fields are directly being used by DAMON API callers.

To prevent future invention of complicated and erroneous use cases of the
fields, hide the fields from the API callers.  For that, provide new
dedicated DAMON API functions for the remaining use case, namely
damon_kdamond_pid(), migrate DAMON API callers to use the new function,
and mark the fields as private fields.


This patch (of 5):

'kdamond' and 'kdamond_lock' are directly being used by DAMON API callers
for getting the pid of the corresponding kdamond.  To discourage invention
of creative but complicated and erroneous new usages of the fields that
require careful synchronization, implement a new API function that can
simply be used without the manual synchronizations.

Link: https://lkml.kernel.org/r/20260115152047.68415-1-sj@kernel.org
Link: https://lkml.kernel.org/r/20260115152047.68415-2-sj@kernel.org
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/damon.h |    1 +
 mm/damon/core.c       |   17 +++++++++++++++++
 2 files changed, 18 insertions(+)

--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -572,6 +572,7 @@ static inline unsigned int damon_max_nr_
 
 int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive);
 int damon_stop(struct damon_ctx **ctxs, int nr_ctxs);
+int damon_kdamond_pid(struct damon_ctx *ctx);
 
 int damon_set_region_biggest_system_ram_default(struct damon_target *t,
 				unsigned long *start, unsigned long *end);
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -643,6 +643,23 @@ static bool damon_check_reset_time_inter
 	return true;
 }
 
+/**
+ * damon_kdamond_pid() - Return pid of a given DAMON context's worker thread.
+ * @ctx:	The DAMON context of the question.
+ *
+ * Return: pid if @ctx is running, negative error code otherwise.
+ */
+int damon_kdamond_pid(struct damon_ctx *ctx)
+{
+	int pid = -EINVAL;
+
+	mutex_lock(&ctx->kdamond_lock);
+	if (ctx->kdamond)
+		pid = ctx->kdamond->pid;
+	mutex_unlock(&ctx->kdamond_lock);
+	return pid;
+}
+
 /*
  * Check whether it is time to flush the aggregated information
  */
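Review bot: the kernel-doc for damon_kdamond_pid() promises a
"negative error code" although the only value returned for a context
that is not running is -EINVAL, and it does not say that the pid is a
snapshot which can be stale as soon as kdamond_lock is dropped. Naming
-EINVAL in the "Return:" line and adding a sentence that the caller
must not assume the thread is still alive would make the contract
explicit for the callers this series migrates.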



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 510/522] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (508 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 509/522] mm/damon/core: implement damon_kdamond_pid() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 511/522] mm/damon/reclaim: " Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liew Rui Yan, SeongJae Park,
	Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit b98b7ff6025ae82570d4915e083f0cbd8d48b3cf upstream.

DAMON_LRU_SORT updates 'enabled' and 'kdamond_pid' parameter values, which
represent the running status of its kdamond, when the user explicitly
requests start/stop of the kdamond.  The kdamond can, however, be stopped
in events other than the explicit user request in the following three
events.

1. ctx->regions_score_histogram allocation failure at beginning of the
   execution,
2. damon_commit_ctx() failure due to invalid user input, and
3. damon_commit_ctx() failure due to its internal allocation failures.

Hence, if the kdamond is stopped by the above three events, the values of
the status parameters can be stale.  Users could show the stale values and
be confused.  This is already bad, but the real consequence is worse.
DAMON_LRU_SORT avoids unnecessary damon_start() and damon_stop() calls
based on the 'enabled' parameter value.  And the update of 'enabled'
parameter value depends on the damon_start() and damon_stop() call
results.  Hence, once the kdamond has stopped by the unintentional events,
the user cannot restart the kdamond before the system reboot.  For
example, the issue can be reproduced via below steps.

    # cd /sys/module/damon_lru_sort/parameters
    #
    # # start DAMON_LRU_SORT
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         806       2  0 17:53 ?        00:00:00 [kdamond.0]
    root         808     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # commit wrong input to stop kdamond without explicit stop request
    # echo 3 > addr_unit
    # echo Y > commit_inputs
    bash: echo: write error: Invalid argument
    #
    # # confirm kdamond is stopped
    # ps -ef | grep kdamond
    root         811     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # users can now show stable status
    # cat enabled
    Y
    # cat kdamond_pid
    806
    #
    # # even after fixing the wrong parameter,
    # # kdamond cannot be restarted.
    # echo 1 > addr_unit
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         815     803  0 17:54 pts/4    00:00:00 grep kdamond

The problem will only rarely happen in real and common setups for the
following reasons.  The allocation failures are unlikely in such setups
since those allocations are arguably too small to fail.  Also sane users
on real production environments may not commit wrong input parameters.
But once it happens, the consequence is quite bad.  And the bug is a bug.

The issue stems from the fact that there are multiple events that can
change the status, and following all the events is challenging.
Dynamically detect and use the fresh status for the parameters when those
are requested.

Link: https://lore.kernel.org/20260419161003.79176-3-sj@kernel.org
Fixes: 40e983cca927 ("mm/damon: introduce DAMON-based LRU-lists Sorting")
Co-developed-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.0.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/damon.h |    1 
 mm/damon/core.c       |   16 +++++++++
 mm/damon/lru_sort.c   |   84 +++++++++++++++++++++++++++++++++-----------------
 3 files changed, 73 insertions(+), 28 deletions(-)

--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -572,6 +572,7 @@ static inline unsigned int damon_max_nr_
 
 int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive);
 int damon_stop(struct damon_ctx **ctxs, int nr_ctxs);
+bool damon_is_running(struct damon_ctx *ctx);
 int damon_kdamond_pid(struct damon_ctx *ctx);
 
 int damon_set_region_biggest_system_ram_default(struct damon_target *t,
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -644,6 +644,22 @@ static bool damon_check_reset_time_inter
 }
 
 /**
+ * damon_is_running() - Returns if a given DAMON context is running.
+ * @ctx:	The DAMON context to see if running.
+ *
+ * Return: true if @ctx is running, false otherwise.
+ */
+bool damon_is_running(struct damon_ctx *ctx)
+{
+	bool running;
+
+	mutex_lock(&ctx->kdamond_lock);
+	running = ctx->kdamond != NULL;
+	mutex_unlock(&ctx->kdamond_lock);
+	return running;
+}
+
+/**
  * damon_kdamond_pid() - Return pid of a given DAMON context's worker thread.
  * @ctx:	The DAMON context of the question.
  *
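Review bot: the kerneldoc for damon_is_running() should say that the result is only a snapshot. kdamond_lock is released before the function returns, so ctx->kdamond can change right after the caller reads the value, and the callers added in mm/damon/lru_sort.c use that value to decide whether to call damon_start() or damon_stop(). A sentence under "Return:" stating that the answer may already be out of date when it is used would make the contract explicit.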
--- a/mm/damon/lru_sort.c
+++ b/mm/damon/lru_sort.c
@@ -113,15 +113,6 @@ module_param(monitor_region_start, ulong
 static unsigned long monitor_region_end __read_mostly;
 module_param(monitor_region_end, ulong, 0600);
 
-/*
- * PID of the DAMON thread
- *
- * If DAMON_LRU_SORT is enabled, this becomes the PID of the worker thread.
- * Else, -1.
- */
-static int kdamond_pid __read_mostly = -1;
-module_param(kdamond_pid, int, 0400);
-
 static struct damos_stat damon_lru_sort_hot_stat;
 DEFINE_DAMON_MODULES_DAMOS_STATS_PARAMS(damon_lru_sort_hot_stat,
 		lru_sort_tried_hot_regions, lru_sorted_hot_regions,
@@ -249,37 +240,32 @@ static int damon_lru_sort_turn(bool on)
 {
 	int err;
 
-	if (!on) {
-		err = damon_stop(&ctx, 1);
-		if (!err)
-			kdamond_pid = -1;
-		return err;
-	}
+	if (!on)
+		return damon_stop(&ctx, 1);
 
 	err = damon_lru_sort_apply_parameters();
 	if (err)
 		return err;
 
-	err = damon_start(&ctx, 1, true);
-	if (err)
-		return err;
-	kdamond_pid = ctx->kdamond->pid;
-	return 0;
+	return damon_start(&ctx, 1, true);
+}
+
+static bool damon_lru_sort_enabled(void)
+{
+	if (!ctx)
+		return false;
+	return damon_is_running(ctx);
 }
 
 static struct delayed_work damon_lru_sort_timer;
 static void damon_lru_sort_timer_fn(struct work_struct *work)
 {
-	static bool last_enabled;
 	bool now_enabled;
 
 	now_enabled = enabled;
-	if (last_enabled != now_enabled) {
-		if (!damon_lru_sort_turn(now_enabled))
-			last_enabled = now_enabled;
-		else
-			enabled = last_enabled;
-	}
+	if (damon_lru_sort_enabled() == now_enabled)
+		return;
+	damon_lru_sort_turn(now_enabled);
 }
 static DECLARE_DELAYED_WORK(damon_lru_sort_timer, damon_lru_sort_timer_fn);
 
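Review bot: damon_lru_sort_timer_fn() now drops the return value of damon_lru_sort_turn(now_enabled), so a failure in damon_lru_sort_apply_parameters() or damon_start() leaves no trace. The removed code at least reacted to the error by restoring `enabled`. With the getter reporting live state the rollback is no longer needed, but the error code should still be reported, for example with a pr_warn() carrying the value, so that a start request that silently did nothing can be diagnosed.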
@@ -301,15 +287,57 @@ static int damon_lru_sort_enabled_store(
 	return 0;
 }
 
+static int damon_lru_sort_enabled_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	return sprintf(buffer, "%c\n", damon_lru_sort_enabled() ? 'Y' : 'N');
+}
+
 static const struct kernel_param_ops enabled_param_ops = {
 	.set = damon_lru_sort_enabled_store,
-	.get = param_get_bool,
+	.get = damon_lru_sort_enabled_load,
 };
 
 module_param_cb(enabled, &enabled_param_ops, &enabled, 0600);
 MODULE_PARM_DESC(enabled,
 	"Enable or disable DAMON_LRU_SORT (default: disabled)");
 
+static int damon_lru_sort_kdamond_pid_store(const char *val,
+		const struct kernel_param *kp)
+{
+	/*
+	 * kdamond_pid is read-only, but kernel command line could write it.
+	 * Do nothing here.
+	 */
+	return 0;
+}
+
+static int damon_lru_sort_kdamond_pid_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	int kdamond_pid = -1;
+
+	if (ctx) {
+		kdamond_pid = damon_kdamond_pid(ctx);
+		if (kdamond_pid < 0)
+			kdamond_pid = -1;
+	}
+	return sprintf(buffer, "%d\n", kdamond_pid);
+}
+
+static const struct kernel_param_ops kdamond_pid_param_ops = {
+	.set = damon_lru_sort_kdamond_pid_store,
+	.get = damon_lru_sort_kdamond_pid_load,
+};
+
+/*
+ * PID of the DAMON thread
+ *
+ * If DAMON_LRU_SORT is enabled, this becomes the PID of the worker thread.
+ * Else, -1.
+ */
+module_param_cb(kdamond_pid, &kdamond_pid_param_ops, NULL, 0400);
+
 static int damon_lru_sort_handle_commit_inputs(void)
 {
 	int err;
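Review bot: damon_lru_sort_enabled_load() needs a comment on what a read now means. The getter reports whether the kdamond is running, while `enabled` remains the requested value that damon_lru_sort_timer_fn() acts on later from delayed work, so a read issued right after a write can return a different letter than the one just written. A short comment above the getter, or a line in MODULE_PARM_DESC(enabled, ...), saying that reads reflect the running state rather than the last written value would keep users and scripts from treating that as a failed write.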



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 511/522] mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (509 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 510/522] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:00 ` [PATCH 6.1 512/522] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liew Rui Yan, SeongJae Park,
	Andrew Morton

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 64a140afa5ed1c6f5ba6d451512cbdbbab1ba339 upstream.

Patch series "mm/damon/modules: detect and use fresh status", v3.

DAMON modules including DAMON_RECLAIM, DAMON_LRU_SORT and DAMON_STAT
commonly expose the kdamond running status via their parameters.  Under
certain scenarios including wrong user inputs and memory allocation
failures, those parameter values can be stale.  It can confuse users.  For
DAMON_RECLAIM and DAMON_LRU_SORT, it even makes the kdamond unable to be
restarted before the system reboot.

The problem comes from the fact that there are multiple events for the
status changes and it is difficult to follow up all the scenarios.  Fix
the issue by detecting and using the status on demand, instead of using a
cached status that is difficult to be updated.

Patches 1-3 fix the bugs in DAMON_RECLAIM, DAMON_LRU_SORT and DAMON_STAT
in the order.


This patch (of 3):

DAMON_RECLAIM updates 'enabled' and 'kdamond_pid' parameter values, which
represent the running status of its kdamond, when the user explicitly
requests start/stop of the kdamond.  The kdamond can, however, be stopped
in events other than the explicit user request in the following three
events.

1. ctx->regions_score_histogram allocation failure at beginning of the
   execution,
2. damon_commit_ctx() failure due to invalid user input, and
3. damon_commit_ctx() failure due to its internal allocation failures.

Hence, if the kdamond is stopped by the above three events, the values of
the status parameters can be stale.  Users could show the stale values and
be confused.  This is already bad, but the real consequence is worse.
DAMON_RECLAIM avoids unnecessary damon_start() and damon_stop() calls
based on the 'enabled' parameter value.  And the update of 'enabled'
parameter value depends on the damon_start() and damon_stop() call
results.  Hence, once the kdamond has stopped by the unintentional events,
the user cannot restart the kdamond before the system reboot.  For
example, the issue can be reproduced via below steps.

    # cd /sys/module/damon_reclaim/parameters
    #
    # # start DAMON_RECLAIM
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         806       2  0 17:53 ?        00:00:00 [kdamond.0]
    root         808     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # commit wrong input to stop kdamond without explicit stop request
    # echo 3 > addr_unit
    # echo Y > commit_inputs
    bash: echo: write error: Invalid argument
    #
    # # confirm kdamond is stopped
    # ps -ef | grep kdamond
    root         811     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # users can now show stable status
    # cat enabled
    Y
    # cat kdamond_pid
    806
    #
    # # even after fixing the wrong parameter,
    # # kdamond cannot be restarted.
    # echo 1 > addr_unit
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         815     803  0 17:54 pts/4    00:00:00 grep kdamond

The problem will only rarely happen in real and common setups for the
following reasons.  The allocation failures are unlikely in such setups
since those allocations are arguably too small to fail.  Also sane users
on real production environments may not commit wrong input parameters.
But once it happens, the consequence is quite bad.  And the bug is a bug.

The issue stems from the fact that there are multiple events that can
change the status, and following all the events is challenging.
Dynamically detect and use the fresh status for the parameters when those
are requested.

Link: https://lore.kernel.org/20260419161003.79176-1-sj@kernel.org
Link: https://lore.kernel.org/20260419161003.79176-2-sj@kernel.org
Fixes: e035c280f6df ("mm/damon/reclaim: support online inputs update")
Co-developed-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.19.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/reclaim.c |   84 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 56 insertions(+), 28 deletions(-)

--- a/mm/damon/reclaim.c
+++ b/mm/damon/reclaim.c
@@ -100,15 +100,6 @@ module_param(monitor_region_start, ulong
 static unsigned long monitor_region_end __read_mostly;
 module_param(monitor_region_end, ulong, 0600);
 
-/*
- * PID of the DAMON thread
- *
- * If DAMON_RECLAIM is enabled, this becomes the PID of the worker thread.
- * Else, -1.
- */
-static int kdamond_pid __read_mostly = -1;
-module_param(kdamond_pid, int, 0400);
-
 static struct damos_stat damon_reclaim_stat;
 DEFINE_DAMON_MODULES_DAMOS_STATS_PARAMS(damon_reclaim_stat,
 		reclaim_tried_regions, reclaimed_regions, quota_exceeds);
@@ -184,37 +175,32 @@ static int damon_reclaim_turn(bool on)
 {
 	int err;
 
-	if (!on) {
-		err = damon_stop(&ctx, 1);
-		if (!err)
-			kdamond_pid = -1;
-		return err;
-	}
+	if (!on)
+		return damon_stop(&ctx, 1);
 
 	err = damon_reclaim_apply_parameters();
 	if (err)
 		return err;
 
-	err = damon_start(&ctx, 1, true);
-	if (err)
-		return err;
-	kdamond_pid = ctx->kdamond->pid;
-	return 0;
+	return damon_start(&ctx, 1, true);
+}
+
+static bool damon_reclaim_enabled(void)
+{
+	if (!ctx)
+		return false;
+	return damon_is_running(ctx);
 }
 
 static struct delayed_work damon_reclaim_timer;
 static void damon_reclaim_timer_fn(struct work_struct *work)
 {
-	static bool last_enabled;
 	bool now_enabled;
 
 	now_enabled = enabled;
-	if (last_enabled != now_enabled) {
-		if (!damon_reclaim_turn(now_enabled))
-			last_enabled = now_enabled;
-		else
-			enabled = last_enabled;
-	}
+	if (damon_reclaim_enabled() != now_enabled)
+		return;
+	damon_reclaim_turn(now_enabled);
 }
 static DECLARE_DELAYED_WORK(damon_reclaim_timer, damon_reclaim_timer_fn);
 
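Review bot: the new test in damon_reclaim_timer_fn() looks inverted. `if (damon_reclaim_enabled() != now_enabled) return;` returns exactly when the running state differs from the requested one, and calls damon_reclaim_turn(now_enabled) only when the kdamond is already in the requested state. The matching hunk for mm/damon/lru_sort.c in 510/522 uses `==` at this point, which is also the sense of the removed `last_enabled != now_enabled` check. As posted, writing Y to `enabled` while the kdamond is stopped would never reach damon_start(); the comparison should be `==`.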
@@ -236,15 +222,57 @@ static int damon_reclaim_enabled_store(c
 	return 0;
 }
 
+static int damon_reclaim_enabled_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	return sprintf(buffer, "%c\n", damon_reclaim_enabled() ? 'Y' : 'N');
+}
+
 static const struct kernel_param_ops enabled_param_ops = {
 	.set = damon_reclaim_enabled_store,
-	.get = param_get_bool,
+	.get = damon_reclaim_enabled_load,
 };
 
 module_param_cb(enabled, &enabled_param_ops, &enabled, 0600);
 MODULE_PARM_DESC(enabled,
 	"Enable or disable DAMON_RECLAIM (default: disabled)");
 
+static int damon_reclaim_kdamond_pid_store(const char *val,
+		const struct kernel_param *kp)
+{
+	/*
+	 * kdamond_pid is read-only, but kernel command line could write it.
+	 * Do nothing here.
+	 */
+	return 0;
+}
+
+static int damon_reclaim_kdamond_pid_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	int kdamond_pid = -1;
+
+	if (ctx) {
+		kdamond_pid = damon_kdamond_pid(ctx);
+		if (kdamond_pid < 0)
+			kdamond_pid = -1;
+	}
+	return sprintf(buffer, "%d\n", kdamond_pid);
+}
+
+static const struct kernel_param_ops kdamond_pid_param_ops = {
+	.set = damon_reclaim_kdamond_pid_store,
+	.get = damon_reclaim_kdamond_pid_load,
+};
+
+/*
+ * PID of the DAMON thread
+ *
+ * If DAMON_RECLAIM is enabled, this becomes the PID of the worker thread.
+ * Else, -1.
+ */
+module_param_cb(kdamond_pid, &kdamond_pid_param_ops, NULL, 0400);
+
 static int damon_reclaim_handle_commit_inputs(void)
 {
 	int err;



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 512/522] drm/v3d: Reject empty multisync extension to prevent infinite loop
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (510 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 511/522] mm/damon/reclaim: " Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 513/522] arm64: cputype: Add NVIDIA Olympus definitions Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ashutosh Desai, Maíra Canal

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ashutosh Desai <ashutoshdesai993@gmail.com>

commit fb44d589bf3148e13452185a6e772a7efbf2d684 upstream.

v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user
can craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing duplicate-
extension guard:

    if (se->in_sync_count || se->out_sync_count)
            return -EINVAL;

The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking
the calling thread and pegging a CPU core indefinitely.

Fix this by rejecting a multisync extension where both in_sync_count
and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
empty multisync carries no synchronization information and serves no
useful purpose, so returning -EINVAL for such an extension is the
correct defense against this attack vector.

Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/v3d/v3d_gem.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/v3d/v3d_gem.c
+++ b/drivers/gpu/drm/v3d/v3d_gem.c
@@ -649,6 +649,11 @@ v3d_get_multisync_submit_deps(struct drm
 	if (multisync.pad)
 		return -EINVAL;
 
+	if (!multisync.in_sync_count && !multisync.out_sync_count) {
+		DRM_DEBUG("Empty multisync extension\n");
+		return -EINVAL;
+	}
+
 	ret = v3d_get_multisync_post_deps(file_priv, data, multisync.out_sync_count,
 					  multisync.out_syncs);
 	if (ret)
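Review bot: the new check in v3d_get_multisync_submit_deps() should carry a comment saying why an empty multisync is refused. Per the commit message, the duplicate-extension guard on se->in_sync_count and se->out_sync_count is what stops a repeated extension, and it cannot fire while both counts stay zero; without a comment the test reads as ordinary input validation and is easy to relax later. The commit message also says v3d_get_extensions() walks the chain without any bound on its length, and this hunk does not change that, so a cap on the number of extensions processed would be worth a follow-up.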



^ permalink raw reply	[flat|nested] 906+ messages in thread
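The termination argument in the commit message above, as a user-space C model added here; it is not code from the patch or from the v3d driver. `struct ext`, `struct submit_ext`, `walk_extensions()`, `run_case()` and `WALK_BUDGET` are hypothetical names, and the budget exists only so that the model itself halts where the unpatched walk would not.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of one user-supplied extension record (hypothetical layout, not the v3d UAPI). */
struct ext {
	const struct ext *next;		/* user-controlled link to the next record */
	uint32_t in_sync_count;
	uint32_t out_sync_count;
};

/* Model of the per-submit state the parser fills in. */
struct submit_ext {
	uint32_t in_sync_count;
	uint32_t out_sync_count;
};

/* Cap used only so this model halts; the walk described in the commit message has no bound. */
#define WALK_BUDGET 100000u

static int parse_multisync(const struct ext *e, struct submit_ext *se, int reject_empty)
{
	/* Duplicate-extension guard quoted in the commit message. */
	if (se->in_sync_count || se->out_sync_count)
		return -EINVAL;

	/* The check the patch adds: an empty multisync is refused. */
	if (reject_empty && !e->in_sync_count && !e->out_sync_count)
		return -EINVAL;

	/*
	 * With both counts zero this leaves *se unchanged, so the guard
	 * above can never trip on a later visit to the same record.
	 */
	se->in_sync_count = e->in_sync_count;
	se->out_sync_count = e->out_sync_count;
	return 0;
}

/*
 * Walk the chain. Returns 0 when the chain ends, -EINVAL when a record is
 * rejected, and -ELOOP when WALK_BUDGET records were parsed without reaching
 * the end (the model's stand-in for a walk that never returns).
 * *visited receives the number of records parsed.
 */
static int walk_extensions(const struct ext *head, int reject_empty, unsigned int *visited)
{
	struct submit_ext se = { 0, 0 };
	const struct ext *e = head;
	unsigned int n = 0;
	int ret = 0;

	while (e) {
		if (n == WALK_BUDGET) {
			ret = -ELOOP;
			break;
		}
		n++;
		ret = parse_multisync(e, &se, reject_empty);
		if (ret)
			break;
		e = e->next;
	}
	*visited = n;
	return ret;
}

/* Build one constructed record, optionally pointing at itself, and walk it. */
static int run_case(int self_ref, uint32_t in_cnt, uint32_t out_cnt,
		    int reject_empty, unsigned int *visited)
{
	struct ext e = { NULL, in_cnt, out_cnt };

	if (self_ref)
		e.next = &e;
	return walk_extensions(&e, reject_empty, visited);
}

int main(void)
{
	unsigned int n;
	int ret;

	ret = run_case(1, 0, 0, 0, &n);
	printf("empty, self-referential, no check:   ret=%d after %u records\n", ret, n);
	ret = run_case(1, 0, 0, 1, &n);
	printf("empty, self-referential, with check: ret=%d after %u records\n", ret, n);
	ret = run_case(1, 2, 0, 0, &n);
	printf("non-empty, self-referential:         ret=%d after %u records\n", ret, n);
	return 0;
}
```
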

* [PATCH 6.1 513/522] arm64: cputype: Add NVIDIA Olympus definitions
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (511 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 6.1 512/522] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 514/522] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shanker Donthineni, Will Deacon,
	Mark Rutland

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shanker Donthineni <sdonthineni@nvidia.com>

commit e185c8a0d84236d14af61faff8147c953a878a77 upstream.

Add cpu part and model macro definitions for NVIDIA Olympus core.

Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -129,6 +129,7 @@
 
 #define NVIDIA_CPU_PART_DENVER		0x003
 #define NVIDIA_CPU_PART_CARMEL		0x004
+#define NVIDIA_CPU_PART_OLYMPUS		0x010
 
 #define FUJITSU_CPU_PART_A64FX		0x001
 
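Review bot: NVIDIA_CPU_PART_OLYMPUS is set to 0x010 with no reference for the value, either next to the define or in the commit message. The C1-Ultra and C1-Premium cputype patches in this series name the TRM and the section describing MIDR_EL1 for their part numbers. Please name the document the Olympus part number comes from so the value can be checked against it.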
@@ -202,6 +203,7 @@
 #define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER)
 #define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER)
 #define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL)
+#define MIDR_NVIDIA_OLYMPUS MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_OLYMPUS)
 #define MIDR_FUJITSU_A64FX MIDR_CPU_MODEL(ARM_CPU_IMP_FUJITSU, FUJITSU_CPU_PART_A64FX)
 #define MIDR_HISI_TSV110 MIDR_CPU_MODEL(ARM_CPU_IMP_HISI, HISI_CPU_PART_TSV110)
 #define MIDR_HISI_HIP09 MIDR_CPU_MODEL(ARM_CPU_IMP_HISI, HISI_CPU_PART_HIP09)



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 514/522] arm64: cputype: Add C1-Ultra definitions
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (512 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 513/522] arm64: cputype: Add NVIDIA Olympus definitions Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 515/522] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Will Deacon

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream.

Add cputype definitions for C1-Ultra. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Ultra TRM:

  https://developer.arm.com/documentation/108014/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -97,6 +97,7 @@
 #define ARM_CPU_PART_NEOVERSE_V3	0xD84
 #define ARM_CPU_PART_CORTEX_X925	0xD85
 #define ARM_CPU_PART_CORTEX_A725	0xD87
+#define ARM_CPU_PART_C1_ULTRA		0xD8C
 #define ARM_CPU_PART_NEOVERSE_N3	0xD8E
 
 #define APM_CPU_PART_XGENE		0x000
@@ -179,6 +180,7 @@
 #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
 #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
 #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
+#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
 #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
 #define MIDR_THUNDERX	MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
 #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 515/522] arm64: cputype: Add C1-Premium definitions
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (513 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 514/522] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 516/522] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Will Deacon

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream.

Add cputype definitions for C1-Premium. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Premium TRM:

  https://developer.arm.com/documentation/109416/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -99,6 +99,7 @@
 #define ARM_CPU_PART_CORTEX_A725	0xD87
 #define ARM_CPU_PART_C1_ULTRA		0xD8C
 #define ARM_CPU_PART_NEOVERSE_N3	0xD8E
+#define ARM_CPU_PART_C1_PREMIUM		0xD90
 
 #define APM_CPU_PART_XGENE		0x000
 #define APM_CPU_VAR_POTENZA		0x00
@@ -182,6 +183,7 @@
 #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
 #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
 #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
+#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM)
 #define MIDR_THUNDERX	MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
 #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
 #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 516/522] arm64: errata: Mitigate TLBI errata on various Arm CPUs
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (514 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 515/522] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 517/522] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
	Will Deacon

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit cfd391e74134db664feb499d43af286380b10ba8 upstream.

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

This issue has been assigned CVE ID CVE-2025-10263.

To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.

Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arm64/silicon-errata.rst |   42 ++++++++++++++++++++++++++++
 arch/arm64/Kconfig                     |   48 +++++++++++++++++++++++++++++++++
 arch/arm64/kernel/cpu_errata.c         |   32 ++++++++++++++++++++--
 3 files changed, 120 insertions(+), 2 deletions(-)

--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -111,14 +111,26 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A76      | #3324349        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A76      | #4193800        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A76AE    | #4193801        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A77      | #1508412        | ARM64_ERRATUM_1508412       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A77      | #3324348        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A77      | #4193798        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A78      | #3324344        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A78      | #4193791        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A78AE    | #4193793        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A78C     | #3324346,3324347| ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A78C     | #4193794        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A510     | #2051678        | ARM64_ERRATUM_2051678       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A510     | #2077057        | ARM64_ERRATUM_2077057       |
@@ -135,6 +147,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A710     | #3324338        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-A710     | #4193788        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A715     | #3456084        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-A720     | #3456091        | ARM64_ERRATUM_3194386       |
@@ -143,20 +157,32 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X1       | #3324344        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X1       | #4193791        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X1C      | #3324346        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X1C      | #4193792        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X2       | #2119858        | ARM64_ERRATUM_2119858       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X2       | #2224489        | ARM64_ERRATUM_2224489       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X2       | #3324338        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X2       | #4193788        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X3       | #3324335        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X3       | #4193786        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X4       | #3194386        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X4       | #4118414        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Cortex-X925     | #3324334        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Cortex-X925     | #4193781        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N1     | #1188873,1418040| ARM64_ERRATUM_1418040       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N1     | #1349291        | N/A                         |
@@ -165,6 +191,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N1     | #3324349        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-N1     | #4193800        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N2     | #2139208        | ARM64_ERRATUM_2139208       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N2     | #2067961        | ARM64_ERRATUM_2067961       |
@@ -173,16 +201,30 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N2     | #3324339        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-N2     | #4193789        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-N3     | #3456111        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V1     | #3324341        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V1     | #4193790        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V2     | #3324336        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V2     | #4193787        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V3     | #3312417        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V3     | #4193784        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V3AE   | #3312417        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V3AE   | #4193784        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | C1-Premium      | #4193780        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM            | C1-Ultra        | #4193780        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | MMU-500         | #841119,826419  | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | MMU-600         | #1076982,1209401| N/A                         |
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1041,6 +1041,54 @@ config ARM64_ERRATUM_3194386
 
 	  If unsure, say Y.
 
+config ARM64_ERRATUM_4193714
+	bool "C1-Pro: 4193714: SME DVMSync early acknowledgement"
+	depends on ARM64_SME
+	default y
+	help
+	  Enable workaround for C1-Pro acknowledging the DVMSync before
+	  the SME memory accesses are complete. This will cause TLB
+	  maintenance for processes using SME to also issue an IPI to
+	  the affected CPUs.
+
+	  If unsure, say Y.
+
+config ARM64_ERRATUM_4118414
+	bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+	default y
+	select ARM64_WORKAROUND_REPEAT_TLBI
+	help
+	  This option adds a workaround for the following errata:
+
+	  * ARM C1-Premium erratum 4193780
+	  * ARM C1-Ultra erratum 4193780
+	  * ARM Cortex-A76 erratum 4193800
+	  * ARM Cortex-A76AE erratum 4193801
+	  * ARM Cortex-A77 erratum 4193798
+	  * ARM Cortex-A78 erratum 4193791
+	  * ARM Cortex-A78AE erratum 4193793
+	  * ARM Cortex-A78C erratum 4193794
+	  * ARM Cortex-A710 erratum 4193788
+	  * ARM Cortex-X1 erratum 4193791
+	  * ARM Cortex-X1C erratum 4193792
+	  * ARM Cortex-X2 erratum 4193788
+	  * ARM Cortex-X3 erratum 4193786
+	  * ARM Cortex-X4 erratum 4118414
+	  * ARM Cortex-X925 erratum 4193781
+	  * ARM Neoverse-N1 erratum 4193800
+	  * ARM Neoverse-N2 erratum 4193789
+	  * ARM Neoverse-V1 erratum 4193790
+	  * ARM Neoverse-V2 erratum 4193787
+	  * ARM Neoverse-V3 erratum 4193784
+	  * ARM Neoverse-V3AE erratum 4193784
+
+	  On affected cores, some memory accesses might not be completed by
+	  broadcast TLB invalidation.
+
+	  This issue is also known as CVE-2025-10263.
+
+	  If unsure, say Y.
+
 config CAVIUM_ERRATUM_22375
 	bool "Cavium erratum 22375, 24313"
 	default y
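
Review bot: The first new entry in this hunk, `config ARM64_ERRATUM_4193714` (C1-Pro SME DVMSync, `depends on ARM64_SME`), has no counterpart in the visible cpu_errata.c hunks, which only add a `#ifdef CONFIG_ARM64_ERRATUM_4118414` block. If nothing else in 6.1.y consumes CONFIG_ARM64_ERRATUM_4193714, this backport ships a `default y` option whose help text promises an IPI-based workaround that is not wired up, and users auditing their .config would wrongly conclude that the mitigation is active. Either drop that entry from the backport or name the patch in the queue that provides the code behind it. The 4118414 help list itself matches the 21 MIDR entries added in cpu_errata.c.
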
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -241,7 +241,35 @@ static const struct arm64_cpu_capabiliti
 		ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1),
 	},
 #endif
-	{},
+#ifdef CONFIG_ARM64_ERRATUM_4118414
+	{
+		ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) {
+			MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM),
+			MIDR_ALL_VERSIONS(MIDR_C1_ULTRA),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+			MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+			{}
+		})),
+	},
+#endif
+	{}
 };
 #endif
 
@@ -547,7 +575,7 @@ const struct arm64_cpu_capabilities arm6
 #endif
 #ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI
 	{
-		.desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009",
+		.desc = "Broken broadcast TLBI completion",
 		.capability = ARM64_WORKAROUND_REPEAT_TLBI,
 		.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
 		.matches = cpucap_multi_entry_cap_matches,
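
Review bot: The replacement `.desc` string, "Broken broadcast TLBI completion", no longer names any vendor or erratum number, so anything that matched on the old text "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009" (boot-log checks, fleet inventory scripts) stops matching once this lands in a stable update. A line in the changelog calling out the renamed description, with a pointer to ARM64_WORKAROUND_REPEAT_TLBI and the errata it now covers, would let operators keep verifying that the mitigation is enabled.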



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 517/522] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (515 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 516/522] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 518/522] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shanker Donthineni, Catalin Marinas,
	Will Deacon, Mark Rutland

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shanker Donthineni <sdonthineni@nvidia.com>

commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream.

NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
sequence and ensure affected memory write effects are globally observed.

Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
mitigation is enabled on affected Olympus systems. Also document the
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
the Kconfig help text.

Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v6.1.y]
Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arm64/silicon-errata.rst |    2 ++
 arch/arm64/Kconfig                     |    3 ++-
 arch/arm64/kernel/cpu_errata.c         |    1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -263,6 +263,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | NVIDIA         | Carmel Core     | N/A             | NVIDIA_CARMEL_CNP_ERRATUM   |
 +----------------+-----------------+-----------------+-----------------------------+
+| NVIDIA         | Olympus core    | T410-OLY-1029   | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
 | NVIDIA         | T241 GICv3/4.x  | T241-FABRIC-4   | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 +----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1054,7 +1054,7 @@ config ARM64_ERRATUM_4193714
 	  If unsure, say Y.
 
 config ARM64_ERRATUM_4118414
-	bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+	bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
 	default y
 	select ARM64_WORKAROUND_REPEAT_TLBI
 	help
@@ -1081,6 +1081,7 @@ config ARM64_ERRATUM_4118414
 	  * ARM Neoverse-V2 erratum 4193787
 	  * ARM Neoverse-V3 erratum 4193784
 	  * ARM Neoverse-V3AE erratum 4193784
+	  * NVIDIA Olympus erratum T410-OLY-1029
 
 	  On affected cores, some memory accesses might not be completed by
 	  broadcast TLB invalidation.
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -265,6 +265,7 @@ static const struct arm64_cpu_capabiliti
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+			MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
 			{}
 		})),
 	},
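
Review bot: `MIDR_NVIDIA_OLYMPUS` is used in the added line but not defined by this patch: the diffstat lists only silicon-errata.rst, Kconfig and cpu_errata.c. The backport therefore depends on an earlier 6.1.y change supplying that macro, and because ARM64_ERRATUM_4118414 is `default y`, a missing definition breaks every arm64 build with default options. Please name the prerequisite commit in the backport note so the dependency is checkable.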



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 518/522] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (516 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 517/522] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 519/522] Revert "selftest/ptp: update ptp selftest to exercise the gettimex options" Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Will Deacon, Mark Rutland

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@kernel.org>

commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream.

Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
therefore suffers from all the same errata.".

So enable the workaround for the latest broadcast TLB invalidation bug
on these parts.

Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v6.1.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arm64/silicon-errata.rst |    2 ++
 arch/arm64/Kconfig                     |    1 +
 arch/arm64/kernel/cpu_errata.c         |    1 +
 3 files changed, 4 insertions(+)

--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -314,3 +314,5 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | Microsoft      | Azure Cobalt 100| #2253138        | ARM64_ERRATUM_2253138       |
 +----------------+-----------------+-----------------+-----------------------------+
+| Microsoft      | Azure Cobalt 100| #4193789        | ARM64_ERRATUM_4118414       |
++----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1081,6 +1081,7 @@ config ARM64_ERRATUM_4118414
 	  * ARM Neoverse-V2 erratum 4193787
 	  * ARM Neoverse-V3 erratum 4193784
 	  * ARM Neoverse-V3AE erratum 4193784
+	  * Microsoft Azure Cobalt 100 4193789
 	  * NVIDIA Olympus erratum T410-OLY-1029
 
 	  On affected cores, some memory accesses might not be completed by
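
Review bot: The added help line `* Microsoft Azure Cobalt 100 4193789` omits the word "erratum" that every neighbouring entry carries ("ARM Neoverse-V3AE erratum 4193784", "NVIDIA Olympus erratum T410-OLY-1029"). Suggest `* Microsoft Azure Cobalt 100 erratum 4193789` so the list stays uniform and greppable by erratum number. The number is the Neoverse-N2 one, consistent with the commit message's statement that the part inherits the N2 errata.
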
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -266,6 +266,7 @@ static const struct arm64_cpu_capabiliti
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
 			MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
+			MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
 			{}
 		})),
 	},



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 519/522] Revert "selftest/ptp: update ptp selftest to exercise the gettimex options"
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (517 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 518/522] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 520/522] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable, Sasha Levin; +Cc: Greg Kroah-Hartman, patches, Yong Wang, Petr Machata

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Petr Machata <petrm@nvidia.com>

This reverts commit 06954f715deb0ed053f8bf85547370db6870225d, which is
commit 3d07b691ee707c00afaf365440975e81bb96cd9b upstream.

The cited commit allows testptp to set a configurable clock_id. That is
done via a PTP_SYS_OFFSET_EXTENDED ioctl call, whose argument is struct
ptp_sys_offset_extended, where the clock_id is set. However, this Linux
version does not support the ptp_sys_offset_extended.clockid field, and
the test case cannot be built against this tree's own UAPI headers.

The reverted commit was introduced to resolve a missing dependency of
commit c6dc458227a3 ("testptp: Add option to open PHC in readonly mode"),
which is 76868642e427 upstream. My suspicion is that the only conflict
between the two is the getopt string, and there is otherwise no direct
dependency between the two.

This patch therefore reverts the cited commit, with hand-resolving the
getopt string to include 'r' (as introduced by c6dc458227a3), but not
'y' (introduced by 06954f715deb).

Reported-by: Yong Wang <yongwang@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/ptp/testptp.c |   62 ++--------------------------------
 1 file changed, 5 insertions(+), 57 deletions(-)

--- a/tools/testing/selftests/ptp/testptp.c
+++ b/tools/testing/selftests/ptp/testptp.c
@@ -147,7 +147,6 @@ static void usage(char *progname)
 		" -T val     set the ptp clock time to 'val' seconds\n"
 		" -x val     get an extended ptp clock time with the desired number of samples (up to %d)\n"
 		" -X         get a ptp clock cross timestamp\n"
-		" -y val     pre/post tstamp timebase to use {realtime|monotonic|monotonic-raw}\n"
 		" -z         test combinations of rising/falling external time stamp flags\n",
 		progname, PTP_MAX_SAMPLES);
 }
@@ -192,7 +191,6 @@ int main(int argc, char *argv[])
 	int readonly = 0;
 	int settime = 0;
 	int channel = -1;
-	clockid_t ext_clockid = CLOCK_REALTIME;
 
 	int64_t t1, t2, tp;
 	int64_t interval, offset;
@@ -202,7 +200,7 @@ int main(int argc, char *argv[])
 
 	progname = strrchr(argv[0], '/');
 	progname = progname ? 1+progname : argv[0];
-	while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:rsSt:T:w:x:Xy:z"))) {
+	while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:rsSt:T:w:x:Xz"))) {
 		switch (c) {
 		case 'c':
 			capabilities = 1;
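
Review bot: The option string on the `getopt()` line is the one place where this revert is hand-resolved rather than mechanical, so it is the line to check against the rest of the file: 'r' is kept and 'y:' is dropped, which agrees with the removal of `case 'y'` and of the `-y val` help text in the other hunks. `case 'r'` itself lies outside the visible context; please confirm it is still present in the switch, because an option accepted by `getopt()` with no matching case would be silently ignored.
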
@@ -285,21 +283,6 @@ int main(int argc, char *argv[])
 		case 'X':
 			getcross = 1;
 			break;
-		case 'y':
-			if (!strcasecmp(optarg, "realtime"))
-				ext_clockid = CLOCK_REALTIME;
-			else if (!strcasecmp(optarg, "monotonic"))
-				ext_clockid = CLOCK_MONOTONIC;
-			else if (!strcasecmp(optarg, "monotonic-raw"))
-				ext_clockid = CLOCK_MONOTONIC_RAW;
-			else {
-				fprintf(stderr,
-					"type needs to be realtime, monotonic or monotonic-raw; was given %s\n",
-					optarg);
-				return -1;
-			}
-			break;
-
 		case 'z':
 			flagtest = 1;
 			break;
@@ -590,7 +573,6 @@ int main(int argc, char *argv[])
 		}
 
 		soe->n_samples = getextended;
-		soe->clockid = ext_clockid;
 
 		if (ioctl(fd, PTP_SYS_OFFSET_EXTENDED, soe)) {
 			perror("PTP_SYS_OFFSET_EXTENDED");
@@ -599,46 +581,12 @@ int main(int argc, char *argv[])
 			       getextended);
 
 			for (i = 0; i < getextended; i++) {
-				switch (ext_clockid) {
-				case CLOCK_REALTIME:
-					printf("sample #%2d: real time before: %lld.%09u\n",
-					       i, soe->ts[i][0].sec,
-					       soe->ts[i][0].nsec);
-					break;
-				case CLOCK_MONOTONIC:
-					printf("sample #%2d: monotonic time before: %lld.%09u\n",
-					       i, soe->ts[i][0].sec,
-					       soe->ts[i][0].nsec);
-					break;
-				case CLOCK_MONOTONIC_RAW:
-					printf("sample #%2d: monotonic-raw time before: %lld.%09u\n",
-					       i, soe->ts[i][0].sec,
-					       soe->ts[i][0].nsec);
-					break;
-				default:
-					break;
-				}
+				printf("sample #%2d: system time before: %lld.%09u\n",
+				       i, soe->ts[i][0].sec, soe->ts[i][0].nsec);
 				printf("            phc time: %lld.%09u\n",
 				       soe->ts[i][1].sec, soe->ts[i][1].nsec);
-				switch (ext_clockid) {
-				case CLOCK_REALTIME:
-					printf("            real time after: %lld.%09u\n",
-					       soe->ts[i][2].sec,
-					       soe->ts[i][2].nsec);
-					break;
-				case CLOCK_MONOTONIC:
-					printf("            monotonic time after: %lld.%09u\n",
-					       soe->ts[i][2].sec,
-					       soe->ts[i][2].nsec);
-					break;
-				case CLOCK_MONOTONIC_RAW:
-					printf("            monotonic-raw time after: %lld.%09u\n",
-					       soe->ts[i][2].sec,
-					       soe->ts[i][2].nsec);
-					break;
-				default:
-					break;
-				}
+				printf("            system time after: %lld.%09u\n",
+				       soe->ts[i][2].sec, soe->ts[i][2].nsec);
 			}
 		}
 



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 520/522] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (518 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 519/522] Revert "selftest/ptp: update ptp selftest to exercise the gettimex options" Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 521/522] apparmor: validate default DFA states are in bounds Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Hutchings

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <benh@debian.org>

Before commit 63a11adaceb8 "fbdev/vt8500lcdfb: Initialize fb_ops with
fbdev macros", the virtual address of the screen buffer was stored in
the fb_info::screen_base field and not fb_info::screen_buffer.  The
backport of commit 88b3b9924337 ("fbdev: vt8500lcdfb: fix missing
dma_free_coherent()") did not take that into account.

Change the cpu_addr parameter to dma_free_coherent() accordingly.

Fixes: 778f31be5b8c ("fbdev: vt8500lcdfb: fix missing dma_free_coherent()")
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/vt8500lcdfb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/video/fbdev/vt8500lcdfb.c
+++ b/drivers/video/fbdev/vt8500lcdfb.c
@@ -434,7 +434,7 @@ failed_free_palette:
 			  fbi->palette_cpu, fbi->palette_phys);
 failed_free_mem_virt:
 	dma_free_coherent(&pdev->dev, fbi->fb.fix.smem_len,
-			  fbi->fb.screen_buffer, fbi->fb.fix.smem_start);
+			  fbi->fb.screen_base, fbi->fb.fix.smem_start);
 failed_free_io:
 	iounmap(fbi->regbase);
 failed_free_res:
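
Review bot: Only the `failed_free_mem_virt` error path is changed to pass `fbi->fb.screen_base`, so the fix is complete only if every other user of the buffer address in this file, in particular the assignment after dma_alloc_coherent() and the free in the remove path, also uses `screen_base` in 6.1.y. Stating that in the changelog would show that allocation and both frees now name the same field. The changelog also cites the backported commit under two different ids (88b3b9924337 in the text, 778f31be5b8c in Fixes:); saying which is the upstream id and which the 6.1.y one would avoid confusion.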



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 521/522] apparmor: validate default DFA states are in bounds
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (519 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 520/522] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 15:01 ` [PATCH 6.1 522/522] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function Greg Kroah-Hartman
  2026-06-16 16:55 ` [PATCH 6.1 000/522] 6.1.176-rc1 review Brett A C Sheffield
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Hutchings

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <benh@debian.org>

Some backports of commit 9063d7e2615f ("apparmor: validate DFA start
states are in bounds in unpack_pdb") limited the bounds checks on DFA
start states to the case where the start state was explicit in the
policy.  However, the default DFA start state (DFA_START = 1) could
also be out-of-bounds.

Move these checks out of the else-branches so that they are applied
regardless of how the start state was initialised.

Fixes: 5443c027ec16 ("apparmor: validate DFA start states are in bounds in unpack_pdb")
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/apparmor/policy_unpack.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -829,6 +829,8 @@ static struct aa_profile *unpack_profile
 	}
 
 	if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
+		size_t state_count;
+
 		/* generic policy dfa - optional and may be NULL */
 		info = "failed to unpack policydb";
 		profile->policy.dfa = unpack_dfa(e);
@@ -843,13 +845,12 @@ static struct aa_profile *unpack_profile
 		if (!aa_unpack_u32(e, &profile->policy.start[0], "start")) {
 			/* default start state */
 			profile->policy.start[0] = DFA_START;
-		} else {
-			size_t state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
+		}
 
-			if (profile->policy.start[0] >= state_count) {
-				info = "invalid dfa start state";
-				goto fail;
-			}
+		state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
+		if (profile->policy.start[0] >= state_count) {
+			info = "invalid dfa start state";
+			goto fail;
 		}
 
 		/* setup class index */
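
Review bot: With the check moved out of the else-branch, `profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen` is now dereferenced on the default-start path as well, while the comment in the previous hunk still describes the policy DFA as "optional and may be NULL". The lines between `unpack_dfa(e)` and the `aa_unpack_u32()` call are not shown here; please confirm that they reject a NULL or error-pointer `policy.dfa` before this point in 6.1.y, otherwise the new unconditional check trades an out-of-bounds start state for a NULL dereference during policy load. If that guard exists, the stale comment is worth updating in the same patch.
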
@@ -872,16 +873,18 @@ static struct aa_profile *unpack_profile
 		info = "failed to unpack profile file rules";
 		goto fail;
 	} else if (profile->file.dfa) {
+		size_t state_count;
+
 		if (!aa_unpack_u32(e, &profile->file.start, "dfa_start")) {
 			/* default start state */
 			profile->file.start = DFA_START;
-		} else {
-			size_t state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
+		}
+
+		state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
 
-			if (profile->file.start >= state_count) {
-				info = "invalid dfa start state";
-				goto fail;
-			}
+		if (profile->file.start >= state_count) {
+			info = "invalid dfa start state";
+			goto fail;
 		}
 	} else if (profile->policy.dfa &&
 		   profile->policy.start[AA_CLASS_FILE]) {
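
Review bot: Style only for the file-rules hunk: it leaves a blank line between the `state_count` assignment and the `if (profile->file.start >= state_count)` test, whereas the policydb hunk puts the two on adjacent lines. The two checks are otherwise identical apart from the DFA and start field, so a small helper taking the DFA and the start value would keep future backports from diverging again. Here the dereference is safe because the branch is entered only when `profile->file.dfa` is non-NULL.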



^ permalink raw reply	[flat|nested] 906+ messages in thread

* [PATCH 6.1 522/522] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (520 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 521/522] apparmor: validate default DFA states are in bounds Greg Kroah-Hartman
@ 2026-06-16 15:01 ` Greg Kroah-Hartman
  2026-06-16 16:55 ` [PATCH 6.1 000/522] 6.1.176-rc1 review Brett A C Sheffield
  522 siblings, 0 replies; 906+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Borislav Petkov (AMD),
	Nikolay Borisov, Ben Hutchings

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov (AMD) <bp@alien8.de>

commit affc66cb96f865b3763a8e18add52e133d864f04 upstream.

No functional changes.

Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Link: http://lore.kernel.org/r/20231120104152.13740-4-bp@alien8.de
Stable-dep-of: 7c81ad8e8bc2 ("x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()")
[bwh: Adjusted to apply after backports of the above commit which actually
 depended on this]
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/amd.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -1087,14 +1087,6 @@ static void init_amd_zen1(struct cpuinfo
 		/* Erratum 1076: CPB feature bit not being set in CPUID. */
 		if (!cpu_has(c, X86_FEATURE_CPB))
 			set_cpu_cap(c, X86_FEATURE_CPB);
-
-		/*
-		 * Zen3 (Fam19 model < 0x10) parts are not susceptible to
-		 * Branch Type Confusion, but predate the allocation of the
-		 * BTC_NO bit.
-		 */
-		if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO))
-			set_cpu_cap(c, X86_FEATURE_BTC_NO);
 	}
 
 	pr_notice_once("AMD Zen1 FPDSS bug detected, enabling mitigation.\n");
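
Review bot: The removed block tests `c->x86 == 0x19` inside what the hunk header and the following "AMD Zen1 FPDSS bug detected" message identify as init_amd_zen1(). If that function runs only on Zen1 parts in this tree, the condition could never be true there, which means BTC_NO was not being set on Zen3 before this patch and the move does change behaviour in 6.1.y, contrary to the upstream "No functional changes". The bracketed backport note hints at this; stating it explicitly would help anyone assessing whether Zen3 systems on earlier 6.1.y releases were applying a Branch Type Confusion mitigation they do not need.
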
@@ -1154,6 +1146,16 @@ static void init_amd_zen2(struct cpuinfo
 static void init_amd_zen3(struct cpuinfo_x86 *c)
 {
 	init_amd_zen_common();
+
+	if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+		/*
+		 * Zen3 (Fam19 model < 0x10) parts are not susceptible to
+		 * Branch Type Confusion, but predate the allocation of the
+		 * BTC_NO bit.
+		 */
+		if (!cpu_has(c, X86_FEATURE_BTC_NO))
+			set_cpu_cap(c, X86_FEATURE_BTC_NO);
+	}
 }
 
 static void init_amd_zen4(struct cpuinfo_x86 *c)
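
Review bot: The added block in init_amd_zen3() drops the `c->x86 == 0x19` test that the removed code carried, while the comment still scopes the quirk to "Fam19 model < 0x10". Correctness therefore rests entirely on the caller dispatching only those models to init_amd_zen3(); that dispatch is not visible in this patch, so please confirm that the 6.1.y model ranges for the Zen3 feature match the comment. The `!cpu_has(c, X86_FEATURE_HYPERVISOR)` guard is preserved, so guests keep whatever the hypervisor exposes.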



^ permalink raw reply	[flat|nested] 906+ messages in thread

* Re: [PATCH 7.0 000/378] 7.0.13-rc1 review
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (376 preceding siblings ...)
  2026-06-16 15:00 ` [PATCH 7.0 378/378] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
@ 2026-06-16 15:37 ` Ronald Warsow
  2026-06-16 16:55 ` Brett A C Sheffield
  378 siblings, 0 replies; 906+ messages in thread
From: Ronald Warsow @ 2026-06-16 15:37 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	conor, hargar, broonie, achill, sr

Hi

kernel build / boot test on x86_64.

No regressions here.

Thanks

Tested-by: Ronald Warsow <rwarsow@gmx.de>

^ permalink raw reply	[flat|nested] 906+ messages in thread

* Re: [PATCH 6.1 000/522] 6.1.176-rc1 review
  2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
                   ` (521 preceding siblings ...)
  2026-06-16 15:01 ` [PATCH 6.1 522/522] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function Greg Kroah-Hartman
@ 2026-06-16 16:55 ` Brett A C Sheffield
  522 siblings, 0 replies; 906+ messages in thread
From: Brett A C Sheffield @ 2026-06-16 16:55 UTC (permalink / raw)
  To: gregkh
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
	Brett A C Sheffield

# Librecast Test Results

020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast

CPU/kernel: Linux auntie 6.1.176-rc1-01488-g6db5a9e163ae #1 SMP PREEMPT_DYNAMIC Tue Jun 16 15:53:20 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux

Tested-by: Brett A C Sheffield <bacs@librecast.net>

^ permalink raw reply	[flat|nested] 906+ messages in thread

* Re: [PATCH 7.0 000/378] 7.0.13-rc1 review
  2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
                   ` (377 preceding siblings ...)
  2026-06-16 15:37 ` [PATCH 7.0 000/378] 7.0.13-rc1 review Ronald Warsow
@ 2026-06-16 16:55 ` Brett A C Sheffield
  378 siblings, 0 replies; 906+ messages in thread
From: Brett A C Sheffield @ 2026-06-16 16:55 UTC (permalink / raw)
  To: gregkh
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
	Brett A C Sheffield

# Librecast Test Results

020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast

CPU/kernel: Linux auntie 7.0.13-rc1-g21d90861e421 #1 SMP PREEMPT_DYNAMIC Tue Jun 16 16:09:06 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux

Tested-by: Brett A C Sheffield <bacs@librecast.net>

^ permalink raw reply	[flat|nested] 906+ messages in thread

* Re: [PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations
  2026-06-16 14:52 ` [PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations Greg Kroah-Hartman
@ 2026-06-16 21:06   ` Ben Hutchings
  0 siblings, 0 replies; 906+ messages in thread
From: Ben Hutchings @ 2026-06-16 21:06 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, Masami Hiramatsu (Google), Sasha Levin


On Tue, 2026-06-16 at 20:22 +0530, Greg Kroah-Hartman wrote:
> 6.1-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> 
> [ Upstream commit 26dda57695090e05c1a99c3e8f802f862d1ac474 ]
> 
> There are many same pattern of 8 + BOOTCONFIG_MAGIC_LEN for calculating
> the size of bootconfig footer. Use BOOTCONFIG_FOOTER_SIZE macro to
> clean up those magic numbers.
[...]

This causes a regression in some configurations, fixed by commit
729dc340a4ed "bootconfig: Fix negative seeks on 32-bit with LFS
enabled".

Ben.

-- 
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.


Thread overview: 906+ messages
2026-06-16 14:52 [PATCH 6.1 000/522] 6.1.176-rc1 review Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 001/522] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 002/522] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 003/522] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 004/522] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 005/522] drm: Remove plane hsub/vsub alignment requirement for core helpers Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 006/522] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 007/522] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 008/522] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 009/522] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 010/522] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations Greg Kroah-Hartman
2026-06-16 21:06   ` Ben Hutchings
2026-06-16 14:52 ` [PATCH 6.1 012/522] tools/bootconfig: Fix buf leaks in apply_xbc Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 013/522] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 014/522] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 015/522] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 016/522] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
2026-06-16 14:52   ` Greg Kroah-Hartman
2026-06-16 14:58     ` [PATCH 7.0 306/378] mm/mincore: handle non-swap entries before !CONFIG_SWAP guard Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 017/522] tun: free page on build_skb failure in tun_xdp_one() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 018/522] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 019/522] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 020/522] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 021/522] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 022/522] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 023/522] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 024/522] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 025/522] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 026/522] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 027/522] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 028/522] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 029/522] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 030/522] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 031/522] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
2026-06-16 14:52 ` [PATCH 6.1 032/522] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 033/522] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 034/522] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 035/522] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 036/522] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 037/522] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 038/522] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 039/522] ipv6: fix possible infinite loop in rt6_fill_node() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 040/522] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 041/522] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 042/522] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 043/522] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 044/522] batman-adv: tt: reject oversized local TVLV buffers Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 045/522] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 046/522] batman-adv: tvlv: reject oversized TVLV packets Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 047/522] batman-adv: iv: recover OGM scheduling after forward packet error Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 048/522] selftests: forwarding: lib: Add helpers for checksum handling Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 049/522] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 050/522] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 051/522] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 052/522] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 053/522] mm/page_alloc: clear page->private in free_pages_prepare() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 054/522] selftests/bpf: add generic BPF program tester-loader Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 055/522] selftests/bpf: Convert test_global_funcs test to test_loader framework Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 056/522] Revert "selftests/bpf: Workaround strict bpf_lsm return value check." Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 057/522] Revert "selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id()" Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 058/522] selftests/bpf: Add read_build_id function Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 059/522] bpf: Fix a few selftest failures due to llvm18 change Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 060/522] selftests/bpf: Update bpf_clone_redirect expected return code Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 061/522] selftests/bpf: enhance align selftests expected log matching Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 062/522] Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test" Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 063/522] selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 064/522] selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 065/522] net/packet: convert po->tp_tx_has_off to an atomic flag Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 066/522] net/packet: convert po->tp_loss " Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 067/522] net/packet: convert po->has_vnet_hdr " Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 068/522] net/packet: convert po->running " Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 069/522] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 070/522] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 071/522] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 072/522] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 073/522] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 074/522] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init" Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 075/522] RDMA/rxe: Fix double free in rxe_srq_from_init Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 076/522] net: gro: dont merge zcopy skbs Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 077/522] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 078/522] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 079/522] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 080/522] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read " Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 081/522] hwmon: (pmbus/adm1266) serialize NVMEM blackbox " Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 082/522] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 083/522] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 084/522] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 085/522] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 086/522] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 087/522] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 088/522] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 089/522] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 090/522] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 091/522] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 6.1 092/522] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 093/522] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 094/522] auxdisplay: line-display: fix OOB read on zero-length message_store() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 095/522] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 096/522] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 097/522] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 098/522] Bluetooth: ISO: fix UAF in iso_recv_frame Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 099/522] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 100/522] parport: Fix race between port and client registration Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 101/522] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 102/522] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 103/522] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 104/522] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 105/522] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 106/522] iio: dac: ad5686: acquire lock when doing powerdown control Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 107/522] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 108/522] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 109/522] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 110/522] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 111/522] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 112/522] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 113/522] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 114/522] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 115/522] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 116/522] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 117/522] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 118/522] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 119/522] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 120/522] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 121/522] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 122/522] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 123/522] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 124/522] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 125/522] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 126/522] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 127/522] ip6: vti: Use ip6_tnl.net in vti6_changelink() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 128/522] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 129/522] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 130/522] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 131/522] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 132/522] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 133/522] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 134/522] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 135/522] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 136/522] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 137/522] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 138/522] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 139/522] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 140/522] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 141/522] counter: Fix refcount leak in counter_alloc() error path Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 142/522] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 143/522] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 144/522] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 145/522] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 146/522] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 147/522] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 148/522] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 149/522] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 150/522] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 151/522] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 6.1 152/522] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 153/522] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 154/522] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 155/522] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 156/522] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 157/522] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 158/522] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 159/522] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 160/522] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 161/522] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 162/522] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 163/522] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 164/522] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 165/522] scsi: target: iscsi: Validate CHAP_R length before base64 decode Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 166/522] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 167/522] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 168/522] drm/i915: Fix potential UAF in TTM object purge Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 169/522] drm/amd/pm/si: Disregard vblank time when no displays are connected Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 170/522] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 171/522] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 172/522] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 173/522] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 174/522] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 175/522] drm/amdkfd: Check for pdd drm file first in CRIU restore path Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 176/522] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 177/522] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 178/522] serial: zs: Switch to using channel reset Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 179/522] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 180/522] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 181/522] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 182/522] RDMA/rxe: Complete the rxe_cleanup_task backport Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 183/522] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 184/522] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 185/522] netfilter: nf_tables: restore set elements when delete set fails Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 186/522] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 187/522] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 188/522] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 189/522] usb: core: Fix SuperSpeed root hub wMaxPacketSize Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 190/522] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 191/522] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 192/522] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 193/522] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 194/522] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 195/522] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 196/522] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 197/522] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 198/522] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 199/522] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 200/522] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 201/522] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 202/522] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 203/522] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 204/522] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 205/522] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 206/522] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 207/522] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 208/522] net: Annotate sk->sk_write_space() for UDP SOCKMAP Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 209/522] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 210/522] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 211/522] net: fec: fix pinctrl default state restore order on resume Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 6.1 212/522] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 213/522] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 214/522] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 215/522] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 216/522] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 217/522] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 218/522] Bluetooth: MGMT: Fix backward compatibility with userspace Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 219/522] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 220/522] ptp: vclock: Switch from RCU to SRCU Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 221/522] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 222/522] vxlan: vnifilter: send notification on VNI add Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 223/522] vxlan: vnifilter: fix spurious notification on VNI update Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 224/522] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 225/522] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 226/522] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 227/522] ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 228/522] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 229/522] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 230/522] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 231/522] fs/ntfs3: Return error for inconsistent extended attributes Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 232/522] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 233/522] usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 234/522] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 235/522] tap: free page on error paths in tap_get_user_xdp() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 236/522] KVM: arm64: Remove VPIPT I-cache handling Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 237/522] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 238/522] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 239/522] iomap: dont revert iov_iter on partially completed buffered writes Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 240/522] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 241/522] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 242/522] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 243/522] tcp: restrict SO_ATTACH_FILTER to priv users Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 244/522] net/mlx4: avoid GCC 10 __bad_copy_from() false positive Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 245/522] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 246/522] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 247/522] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 248/522] r8152: reduce the control transfer of rtl8152_get_version() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 249/522] r8152: Block future register access if register access fails Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 250/522] r8152: handle the return value of usb_reset_device() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 251/522] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 252/522] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 253/522] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 254/522] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 255/522] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 256/522] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 257/522] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 258/522] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 259/522] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 260/522] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 261/522] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 262/522] net: mvpp2: Add metadata support for xdp mode Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 263/522] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 264/522] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 265/522] netfilter: ctnetlink: ensure safe access to master conntrack Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 266/522] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 267/522] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 268/522] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 269/522] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 270/522] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 271/522] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 6.1 272/522] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 273/522] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 274/522] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 275/522] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 276/522] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 277/522] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 278/522] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 279/522] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 280/522] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 281/522] udp: clear skb->dev before running a sockmap verdict Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 282/522] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 283/522] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 284/522] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 285/522] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 286/522] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 287/522] mptcp: allow subflow rcv wnd to shrink Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 288/522] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 289/522] wifi: nl80211: reject oversized EMA RNR lists Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 290/522] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 291/522] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 292/522] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 293/522] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 294/522] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 295/522] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 296/522] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 297/522] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 298/522] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 299/522] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 300/522] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 301/522] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 302/522] misc: fastrpc: fix use-after-free race in fastrpc_map_create Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 303/522] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 304/522] net/mlx5: Reorder completion before putting command entry in cmd_work_handler Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 305/522] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 306/522] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 307/522] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 308/522] octeontx2-af: fix memory leak in rvu_setup_hw_resources() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 309/522] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 310/522] mmc: litex_mmc: Set mandatory idle clocks before CMD0 Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 311/522] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 312/522] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 313/522] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 314/522] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 315/522] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 316/522] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 317/522] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 318/522] thunderbolt: Validate XDomain request packet size before type cast Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 319/522] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 320/522] slimbus: qcom-ngd-ctrl: fix OF node refcount Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 321/522] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 322/522] drm/amdgpu: restart the CS if some parts of the VM are still invalidated Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 323/522] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 324/522] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 325/522] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 326/522] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 327/522] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 328/522] mm/hugetlb: avoid false positive lockdep assertion Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 329/522] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 330/522] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 331/522] f2fs: use kfree() instead of kvfree() to free some memory Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 6.1 332/522] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 333/522] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 334/522] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 335/522] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 336/522] LoongArch: Add spectre boundry for syscall dispatch table Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 337/522] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 338/522] lib: test_hmm: evict device pages on file close to avoid use-after-free Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 339/522] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 340/522] spi: imx: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 341/522] spi: imx: fix use-after-free on unbind Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 342/522] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 343/522] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 344/522] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 345/522] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 346/522] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 347/522] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 348/522] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 349/522] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 350/522] net: qrtr: ns: Change servers radix tree to xarray Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 351/522] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 352/522] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 353/522] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 354/522] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 355/522] spi: fix resource leaks on device setup failure Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 356/522] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 357/522] xfs: fix a resource leak in xfs_alloc_buftarg() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 358/522] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 359/522] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 360/522] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 361/522] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 362/522] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 363/522] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 364/522] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 365/522] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 366/522] printk: add print_hex_dump_devel() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 367/522] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 368/522] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 369/522] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 370/522] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 371/522] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 372/522] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 373/522] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 374/522] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 375/522] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 376/522] net: ipv6: " Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 377/522] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 378/522] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 379/522] spi: synquacer: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 380/522] spi: synquacer: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 381/522] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 382/522] spi: sun4i: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 383/522] spi: sun4i: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 384/522] spi: sun4i: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 385/522] spi: Convert to SPI_CONTROLLER_HALF_DUPLEX Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 386/522] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 387/522] spi: spi-ti-qspi: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 388/522] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 389/522] spi: zynq-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 390/522] spi: spi-zynq: Do not check for 0 return after calling platform_get_irq() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 391/522] spi: zynq-qspi: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 6.1 392/522] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 393/522] spi: zynq-qspi: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 394/522] spi: sun6i: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 395/522] spi: s3c64xx: Use devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 396/522] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 397/522] mtd: spi-nor: core: fix implicit declaration warning Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 398/522] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 399/522] spi: tegra114: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 400/522] spi: tegra20-sflash: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 401/522] spi: uniphier: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 402/522] spi: uniphier: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 403/522] spi: uniphier: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 404/522] spi: uniphier: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 405/522] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 406/522] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 407/522] spi: microchip-core-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 408/522] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 409/522] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 410/522] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 411/522] spi: topcliff-pch: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 412/522] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 413/522] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 414/522] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 415/522] btrfs: fix double free in create_space_info_sub_group() error path Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 416/522] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 417/522] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 418/522] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 419/522] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 420/522] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 421/522] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 422/522] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 423/522] mptcp: pm: ADD_ADDR rtx: allow " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 424/522] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 425/522] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 426/522] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 427/522] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 428/522] spi: st-ssc4: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 429/522] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 430/522] spi: lantiq-ssc: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 431/522] cgroup/cpuset: Reset DL migration state on can_attach() failure Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 432/522] genetlink: Use internal flags for multicast groups Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 433/522] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 434/522] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 435/522] mm/memory: fix spurious warning when unmapping device-private/exclusive pages Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 436/522] Bluetooth: Init sk_peer_* on bt_sock_alloc Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 437/522] Bluetooth: serialize accept_q access Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 438/522] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 439/522] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 440/522] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 441/522] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 442/522] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 443/522] octeontx2-af: replace deprecated strncpy with strscpy Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 444/522] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 445/522] mptcp: reset rcv wnd on disconnect Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 446/522] mptcp: do not drop partial packets Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 447/522] platform/x86/intel/vsec: Add private data for per-device data Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 448/522] platform/x86/intel/vsec: Create wrapper to walk PCI config space Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 449/522] platform/x86/intel/vsec: Make driver_data info const Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 450/522] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 451/522] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 6.1 452/522] spi: qup: switch to use modern name Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 453/522] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 454/522] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 455/522] phy: tegra: xusb: Disable trk clk when not in use Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 456/522] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 457/522] iio: adc: fix the return value handle for platform_get_irq() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 458/522] iio: adc: npcm: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 459/522] iio: adc: npcm: fix unbalanced clk_disable_unprepare() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 460/522] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 461/522] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 462/522] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 463/522] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 464/522] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 465/522] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 466/522] serial: samsung_tty: Use port lock wrappers Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 467/522] tty: serial: samsung: use u32 for register interactions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 468/522] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 469/522] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 470/522] usb: musb: omap2430: Fix use-after-free in omap2430_probe() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 471/522] usb: gadget: f_hid: tidy error handling in hidg_alloc Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 472/522] usb: gadget: f_hid: fix device reference leak in hidg_alloc() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 473/522] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 474/522] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 475/522] tty: serial: qcom-geni-serial: remove unused symbols Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 476/522] tty: serial: qcom-geni-serial: align #define values Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 477/522] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 478/522] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 479/522] usb: typec: ucsi: Dont update power_supply on power role change if not connected Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 480/522] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 481/522] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 482/522] mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 483/522] mm/migrate: dont call folio_putback_active_hugetlb() on dst hugetlb folio Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 484/522] mm/hugetlb: rename folio_putback_active_hugetlb() to folio_putback_hugetlb() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 485/522] mm/memory-failure: fix missing ->mf_stats count in hugetlb poison Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 486/522] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 487/522] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 488/522] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 489/522] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 490/522] ipvs: skip ipv6 extension headers for csum checks Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 491/522] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 492/522] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 493/522] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 494/522] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 495/522] perf build: Conditionally define NDEBUG Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 496/522] perf parse-events: Make YYDEBUG dependent on doing a debug build Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 497/522] perf build: Disable fewer bison warnings Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 498/522] tools build: Add 3-component logical version comparators Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 499/522] perf build: Remove -Wno-unused-but-set-variable from the flex flags when building with clang < 13.0.0 Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 500/522] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 501/522] ipmi:ssif: Fix a shutdown race Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 502/522] ipmi:ssif: Clean up kthread on errors Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 503/522] mm/damon/core: use time_in_range_open() for damos quota window start Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 504/522] mm/damon/core: disallow time-quota setting zero esz Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 505/522] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 506/522] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 507/522] ipmi:ssif: Remove unnecessary indention Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 508/522] ipmi:ssif: NULL thread on error Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 509/522] mm/damon/core: implement damon_kdamond_pid() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 510/522] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 511/522] mm/damon/reclaim: " Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 6.1 512/522] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 513/522] arm64: cputype: Add NVIDIA Olympus definitions Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 514/522] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 515/522] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 516/522] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 517/522] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 518/522] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 519/522] Revert "selftest/ptp: update ptp selftest to exercise the gettimex options" Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 520/522] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 521/522] apparmor: validate default DFA states are in bounds Greg Kroah-Hartman
2026-06-16 15:01 ` [PATCH 6.1 522/522] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function Greg Kroah-Hartman
2026-06-16 16:55 ` [PATCH 6.1 000/522] 6.1.176-rc1 review Brett A C Sheffield
  -- strict thread matches above, loose matches on Subject: below --
2026-06-16 14:53 [PATCH 7.0 000/378] 7.0.13-rc1 review Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 001/378] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 002/378] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 003/378] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 004/378] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 005/378] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 006/378] net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 007/378] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 7.0 008/378] soc: qcom: ice: Allow explicit votes on iface clock for ICE Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 009/378] arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 010/378] ARM: dts: microchip: sam9x7: fix GMAC clock configuration Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 011/378] soc: qcom: ice: Return -ENODEV if the ICE platform device is not found Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 012/378] tee: fix tee_ioctl_object_invoke_arg padding Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 013/378] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 014/378] s390/bug: Always emit format word in __BUG_ENTRY Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 015/378] ARM: dts: gemini: Fix partition offsets Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 016/378] erofs: fix use-after-free on sbi->sync_decompress Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 017/378] wifi: iwlwifi: mvm: don't support the reset handshake for old firmwares Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 018/378] ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 019/378] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 020/378] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 021/378] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 022/378] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 023/378] netfilter: nft_ct: bail out on template ct in get eval Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 024/378] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 025/378] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 026/378] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 027/378] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 028/378] l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 029/378] devlink: Release nested relation on devlink free Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 030/378] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 031/378] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 032/378] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 033/378] net: Annotate sk->sk_write_space() for UDP SOCKMAP Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 034/378] tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 035/378] hsr: Remove WARN_ONCE() in hsr_addr_is_self() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 036/378] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 037/378] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 038/378] net: fec: fix pinctrl default state restore order on resume Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 039/378] ipv6: anycast: insert aca into global hash under idev->lock Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 040/378] wifi: fix leak if split 6 GHz scanning fails Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 041/378] wifi: cfg80211: add support to handle incumbent signal detected event from mac80211/driver Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 042/378] wifi: nl80211: split out UHR operation information Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 043/378] wifi: cfg80211: enforce HE/EHT cap/oper consistency Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 044/378] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 045/378] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 046/378] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 047/378] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 048/378] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 049/378] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 050/378] Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 051/378] Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 052/378] Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 053/378] Bluetooth: MGMT: Fix backward compatibility with userspace Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 054/378] xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 055/378] octeontx2-pf: Fix NDC sync operation errors Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 056/378] octeontx2-af: Fix initialization of mcams entry2target_pffunc field Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 057/378] af_unix: Fix inq_len update problem in partial read Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 058/378] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 059/378] ptp: vclock: Switch from RCU to SRCU Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 060/378] net: airoha: Fix use-after-free in metadata dst teardown Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 061/378] net: ethernet: mtk_eth_soc: " Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 062/378] geneve: fix length used in GRO hint UDP checksum adjustment Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 063/378] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 064/378] sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 065/378] octeontx2-af: npc: Fix CPT channel mask in npc_install_flow Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 066/378] vxlan: vnifilter: send notification on VNI add Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 067/378] vxlan: vnifilter: fix spurious notification on VNI update Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 7.0 068/378] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 069/378] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 070/378] bonding: annotate data-races arcound churn variables Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 071/378] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 072/378] fwctl/bnxt_en: Move common definitions to include/linux/bnxt/ Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 073/378] fwctl/bnxt_en: Refactor aux bus functions to be more generic Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 074/378] Reapply "bnxt_en: bring back rtnl_lock() in the bnxt_open() path" Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 075/378] Drivers: hv: vmbus: Provide option to skip VMBus unload on panic Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 076/378] drm/hyperv: During panic do VMBus unload after frame buffer is flushed Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 077/378] selftests: harness: fix pidfd leak in __wait_for_test Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 078/378] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 079/378] regulator: mt6363: select CONFIG_IRQ_DOMAIN Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 080/378] hyperv: Clean up and fix the guest ID comment in hvgdk.h Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 081/378] VFS: fix possible failure to unlock in nfsd4_create_file() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 082/378] crypto: s390 - add select CRYPTO_AEAD for aes Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 083/378] rseq: Fix using an uninitialized stack variable in rseq_exit_user_update() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 084/378] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 085/378] ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 086/378] ALSA: seq: dummy: fix UMP event stack overread Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 087/378] x86/resctrl: Only check Intel systems for SNC Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 088/378] cpufreq/amd-pstate: drop stale @epp_cached kdoc Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 089/378] rtla: Fix parsing of multi-character short options Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 090/378] tools/rv: Ensure monitor name and desc are NUL-terminated Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 091/378] tools/rv: Fix substring match bug in monitor name search Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 092/378] tools/rv: Fix substring match when listing container monitors Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 093/378] tools/rv: Fix cleanup after failed trace setup Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 094/378] verification/rvgen: Fix options shared among commands Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 095/378] verification/rvgen: Fix ltl2k writing True as a literal Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 096/378] riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 097/378] riscv: cfi: reject unknown flags in PR_SET_CFI Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 098/378] xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 099/378] dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 100/378] dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 101/378] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 102/378] ice: fix missing priority callbacks for U.FL DPLL pins Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 103/378] idpf: fix mailbox capability for set device clock time Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 104/378] net: ena: PHC: Add missing barrier Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 105/378] bnge: fix context mem iteration Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 106/378] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 107/378] gpio: mvebu: fix NULL pointer dereference in suspend/resume Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 108/378] ASoC: wm_adsp: Fix NULL dereference when removing firmware controls Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 109/378] tcp: restrict SO_ATTACH_FILTER to priv users Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 110/378] net: add pskb_may_pull() to skb_gro_receive_list() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 111/378] net/mlx4: avoid GCC 10 __bad_copy_from() false positive Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 112/378] net: ibm: emac: Fix use-after-free during device removal Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 113/378] netdev: fix double-free in netdev_nl_bind_rx_doit() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 114/378] net: phy: clean the sfp upstream if phy probing fails Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 115/378] net: phy: remove phy ports upon probe failure Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 116/378] net: phy: Clean the phy_ports after unregistering the downstream SFP bus Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 117/378] net: phy: don't try to setup PHY-driven SFP cages when using genphy Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 118/378] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 119/378] net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 120/378] net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 121/378] net/mlx5: Use effective affinity mask for IRQ selection Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 122/378] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 123/378] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 124/378] r8152: handle the return value of usb_reset_device() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 125/378] gpio: zynq: fix runtime PM leak on remove Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 126/378] gpio: rockchip: fix generic IRQ chip " Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 127/378] net: mctp: usb: fix race between urb completion and rx_retry cancellation Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 7.0 128/378] net: mctp: usb: don't fail mctp_usb_rx_queue on a deferred submission Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 129/378] esp: fix page frag reference leak on skb_to_sgvec failure Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 130/378] ASoC: SOF: amd: fix for ipc flags check Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 131/378] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 132/378] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 133/378] sctp: validate embedded INIT chunk and address list lengths in cookie Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 134/378] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 135/378] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 136/378] tun: zero the whole vnet header in tun_put_user() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 137/378] ptp: ocp: fix resource freeing order Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 138/378] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 139/378] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 140/378] spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 141/378] netfilter: revalidate bridge ports Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 142/378] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 143/378] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 144/378] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 145/378] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 146/378] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 147/378] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 148/378] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 149/378] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 150/378] net: txgbe: initialize module info buffer Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 151/378] net: txgbe: distinguish module types by checking identifier Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 152/378] net: txgbe: initialize PHY interface to 0 Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 153/378] ipv6: Fix a potential NPD in cleanup_prefix_route() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 154/378] ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 155/378] clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 156/378] clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 157/378] clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 158/378] drm/i915/edp: Check supported link rates DPCD read Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 159/378] drm/virtio: Fix driver removal with disabled KMS Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 160/378] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 161/378] drm/colorop: Remove read-only comments from interpolation fields Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 162/378] drm/colorop: make lut(1/3)d_interpolation props correctly behave as mutable Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 163/378] drm/atomic: track individual colorop updates Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 164/378] drm/amd/display: use plane color_mgmt_changed to track colorop changes Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 165/378] drm/xe: fix refcount leak in xe_range_fence_insert() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 166/378] drm/xe: fix job timeout recovery for unstarted jobs and kernel queues Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 167/378] accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 168/378] namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 169/378] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 170/378] netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 171/378] tee: shm: fix shm leak in register_shm_helper() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 172/378] Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 173/378] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 174/378] soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 175/378] mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 176/378] Revert "drm/xe/nvls: Define GuC firmware for NVL-S" Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 177/378] accel/ivpu: Add bounds check for firmware runtime memory Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 178/378] accel/ivpu: Add bounds checks for firmware log indices Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 179/378] firmware: stratix10-svc: Don't fail probe when async ops unsupported Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 180/378] firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 181/378] firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 182/378] accel/ivpu: Add buffer overflow check in MS get_info_ioctl Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 183/378] accel/ivpu: Fix signed integer truncation in IPC receive Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 184/378] tracing: Fix CFI violation in probestub being called by tprobes Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 185/378] tracing/probes: Point the error offset correctly for eprobe argument error Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 186/378] cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 187/378] Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend" Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 7.0 188/378] rust: x86: support Rust >= 1.98.0 target spec Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 189/378] ARM: Do not select HAVE_RUST when KASAN is enabled Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 190/378] rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 191/378] rust: kasan/kbuild: fix rustc-option when cross-compiling Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 192/378] mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 193/378] cfi: Include uaccess.h for get_kernel_nofault() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 194/378] mshv: add a missing padding field Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 195/378] KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 196/378] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 197/378] KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 198/378] KVM: arm64: Correctly identify executable PTEs at stage-2 Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 199/378] KVM: arm64: Restore POR_EL0 access to host EL0 Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 200/378] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 201/378] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 202/378] pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 203/378] ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 204/378] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 205/378] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 206/378] xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 207/378] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 208/378] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 209/378] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 210/378] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 211/378] ALSA: timer: Forcibly close timer instances at closing Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 212/378] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 213/378] io_uring/wait: fix min_timeout behavior Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 214/378] io_uring/kbuf: don't truncate end buffer for bundles Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 215/378] io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 216/378] drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 217/378] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 218/378] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 219/378] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 220/378] mm/huge_memory: update file PUD counter before folio_put() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 221/378] RDMA/core: Validate the passed in fops for ib_get_ucaps() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 222/378] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 223/378] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 224/378] zram: fix use-after-free in zram_bvec_write_partial() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 225/378] udp: clear skb->dev before running a sockmap verdict Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 226/378] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 227/378] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 228/378] ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 229/378] arm64: mm: call pagetable dtor when freeing hot-removed page tables Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 230/378] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 231/378] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 232/378] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 233/378] mptcp: allow subflow rcv wnd to shrink Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 234/378] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 235/378] mptcp: check desc->count in read_sock Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 236/378] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 237/378] mptcp: sockopt: set sockopt on all subflows Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 238/378] selftests: mptcp: add test for extra_subflows underflow on userspace PM Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 239/378] mptcp: add-addr: always drop other suboptions Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 240/378] xfs: fix error returns in CoW fork repair Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 241/378] xfs: fix rtgroup cleanup " Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 242/378] wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 243/378] wifi: nl80211: reject oversized EMA RNR lists Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 244/378] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 245/378] timers/migration: Fix livelock in tmigr_handle_remote_up() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 246/378] spi: qcom-geni: Fix cs_change handling on the last transfer Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 247/378] staging: rtl8723bs: fix buffer over-read in rtw_update_protection Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 7.0 248/378] staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 249/378] ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 250/378] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 251/378] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 252/378] fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 253/378] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 254/378] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 255/378] inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 256/378] ovl: keep err zero after successful ovl_cache_get() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 257/378] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 258/378] s390: Remove GENERIC_LOCKBREAK Kconfig option Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 259/378] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 260/378] accel/ethosu: fix IFM region index out-of-bounds in command stream parser Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 261/378] accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85 Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 262/378] accel/ethosu: fix arithmetic issues in dma_length() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 263/378] accel/ethosu: reject DMA commands with uninitialized length Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 264/378] accel/ethosu: reject NPU_OP_RESIZE commands from userspace Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 265/378] fs/qnx6: fix pointer arithmetic in directory iteration Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 266/378] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 267/378] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 268/378] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 269/378] i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 270/378] i2c: imx: fix clock and pinctrl state inconsistency in runtime PM Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 271/378] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 272/378] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 273/378] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 274/378] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 275/378] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 276/378] iomap: avoid potential null folio->mapping deref during error reporting Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 277/378] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 278/378] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 279/378] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 280/378] memcg: use round-robin victim selection in refill_stock Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 281/378] memory: atmel-ebi: Allow deferred probing Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 282/378] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 283/378] misc: fastrpc: fix use-after-free race in fastrpc_map_create Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 284/378] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 285/378] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 286/378] firmware: samsung: acpm: Fix mailbox channel leak on probe error Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 287/378] net/mlx5: Reorder completion before putting command entry in cmd_work_handler Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 288/378] net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 289/378] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 290/378] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 291/378] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 292/378] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 293/378] net: sfp: initialize i2c_block_size at adapter configure time Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 294/378] nvmem: core: fix use-after-free bugs in error paths Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 295/378] nvmem: layouts: onie-tlv: fix hang on unknown types Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 296/378] octeontx2-af: fix memory leak in rvu_setup_hw_resources() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 297/378] pinctrl: mcp23s08: Read spi-present-mask as u8 not u32 Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 298/378] mm/cma: fix reserved page leak on activation failure Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 299/378] mm/cma_debug: fix invalid accesses for inactive CMA areas Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 300/378] mm/damon/lru_sort: handle ctx allocation failure Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 301/378] mm/damon/reclaim: " Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 302/378] mm/huge_memory: use correct flags for device private PMD entry Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 303/378] mm/hugetlb: avoid false positive lockdep assertion Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 304/378] mm/hugetlb: restore reservation on error in hugetlb folio copy paths Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 305/378] mm/list_lru: drain before clearing xarray entry on reparent Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 307/378] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 7.0 308/378] mmc: dw_mmc-rockchip: Add missing private data for very old controllers Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 309/378] mmc: litex_mmc: Set mandatory idle clocks before CMD0 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 310/378] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 311/378] mmc: sdhci-of-dwcmshc: Fix reset, clk, and SDIO support for Eswin EIC7700 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 312/378] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 313/378] pmdomain: imx: fix OF node refcount Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 314/378] pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 315/378] rtase: Avoid sleeping in get_stats64() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 316/378] rtase: Reset TX subqueue when clearing TX ring Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 317/378] rxrpc: Fix the ACK parser to extract the SACK table for parsing Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 318/378] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 319/378] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 320/378] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 321/378] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 322/378] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 323/378] thunderbolt: Validate XDomain request packet size before type cast Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 324/378] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 325/378] slimbus: qcom-ngd-ctrl: fix OF node refcount Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 326/378] slimbus: qcom-ngd-ctrl: Fix up platform_driver registration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 327/378] slimbus: qcom-ngd-ctrl: Fix probe error path ordering Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 328/378] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 329/378] slimbus: qcom-ngd-ctrl: Initialize controller resources in controller Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 330/378] slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 331/378] slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 332/378] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 333/378] drm/gem: Try to fix change_handle ioctl, attempt 4 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 334/378] drm/i915: Fix color blob reference handling in intel_plane_state Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 335/378] drm/amdkfd: fix NULL dereference in get_queue_ids() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 336/378] drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 337/378] drm/xe/display: fix oops in suspend/shutdown without display Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 338/378] drm/xe/multi_queue: skip submit when primary queue is suspended Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 339/378] drm/xe: Clear pending_disable before signaling suspend fence Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 340/378] drm/v3d: Wait for pending L2T flush before cleaning caches Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 341/378] drm/v3d: Fix global performance monitor reference counting Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 342/378] drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 343/378] drm/v3d: Skip CSD when it " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 344/378] drm/amdgpu: fix waiting for all submissions for userptrs Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 345/378] drm/amdgpu: restart the CS if some parts of the VM are still invalidated Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 346/378] drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14) Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 347/378] drm/amdgpu: Fix incorrect VRAM GART mappings on non-4K page size systems Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 348/378] drm/amd/pm: apply SMU 13.0.10 workaround during MP1 unload Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 349/378] drm/amd/pm: fix smu13 power limit default/cap calculation Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 350/378] drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 351/378] drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 352/378] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 353/378] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 354/378] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 355/378] drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 356/378] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 357/378] drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 358/378] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 359/378] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 360/378] driver core: faux: fix root device registration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 361/378] driver core: reject devices with unregistered buses Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 362/378] RDMA: During rereg_mr ensure that REREG_ACCESS is compatible Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 363/378] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 364/378] sched_ext: Dont warn on NULL cgrp_moving_from in scx_cgroup_move_task() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 365/378] wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 366/378] wifi: mac80211: tests: mark HT check strict Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 367/378] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 7.0 368/378] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 369/378] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 370/378] vsock/virtio: fix potential unbounded skb queue Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 371/378] vsock/virtio: fix skb overhead accounting to preserve full buf_alloc Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 372/378] debugobjects: Do not fill_pool() if pi_blocked_on Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 373/378] debugobjects: Dont call fill_pool() in early boot hardirq context Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 374/378] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 375/378] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 376/378] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 377/378] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 7.0 378/378] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
2026-06-16 15:37 ` [PATCH 7.0 000/378] 7.0.13-rc1 review Ronald Warsow
2026-06-16 16:55 ` Brett A C Sheffield
