* [PATCH 7.1 001/518] rust: str: use the "kernel vertical" imports style
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 002/518] rust: str: clean unused import for Rust >= 1.98 Greg Kroah-Hartman
` (520 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gary Guo, Miguel Ojeda, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
[ Upstream commit 724a93a9f6033800b02a3530dbcb464638448e7f ]
Convert the imports to use the "kernel vertical" imports style [1].
No functional changes intended.
Link: https://docs.kernel.org/rust/coding-guidelines.html#imports [1]
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260609104152.261145-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Stable-dep-of: 3fff4271809b ("rust: str: clean unused import for Rust >= 1.98")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
rust/kernel/str.rs | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
index 8311d91549e15e..a7fccd4c4f3b18 100644
--- a/rust/kernel/str.rs
+++ b/rust/kernel/str.rs
@@ -3,14 +3,28 @@
//! String representations.
use crate::{
- alloc::{flags::*, AllocError, KVec},
- error::{to_result, Result},
- fmt::{self, Write},
- prelude::*,
+ alloc::{
+ flags::*,
+ AllocError,
+ KVec, //
+ },
+ error::{
+ to_result,
+ Result, //
+ },
+ fmt::{
+ self,
+ Write, //
+ },
+ prelude::*, //
};
use core::{
marker::PhantomData,
- ops::{Deref, DerefMut, Index},
+ ops::{
+ Deref,
+ DerefMut,
+ Index, //
+ }, //
};
pub use crate::prelude::CStr;
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 002/518] rust: str: clean unused import for Rust >= 1.98
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 001/518] rust: str: use the "kernel vertical" imports style Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 003/518] userfaultfd: gate must_wait writability check on pte_present() Greg Kroah-Hartman
` (519 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gary Guo, Alice Ryhl, Miguel Ojeda,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
[ Upstream commit 3fff4271809b57182c4011811e96556bdd4cb2f9 ]
Starting with Rust 1.98.0 (expected 2026-08-20), the compiler has changed
how the resolution algorithm works [1] in upstream commit c4d84db5f184
("Resolver: Batched import resolution."), and it now spots:
error: unused import: `flags::*`
--> rust/kernel/str.rs:7:9
|
7 | flags::*,
| ^^^^^^^^
|
= note: `-D unused-imports` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(unused_imports)]`
It happens to not be needed because the `prelude::*` already provides
the flags.
Thus clean it up.
Cc: stable@vger.kernel.org # Needed in 6.18.y and later (prelude added to `str`).
Link: https://github.com/rust-lang/rust/pull/145108 [1]
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260609104152.261145-2-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
rust/kernel/str.rs | 1 -
1 file changed, 1 deletion(-)
diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
index a7fccd4c4f3b18..4517c1bc547afb 100644
--- a/rust/kernel/str.rs
+++ b/rust/kernel/str.rs
@@ -4,7 +4,6 @@
use crate::{
alloc::{
- flags::*,
AllocError,
KVec, //
},
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 003/518] userfaultfd: gate must_wait writability check on pte_present()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 001/518] rust: str: use the "kernel vertical" imports style Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 002/518] rust: str: clean unused import for Rust >= 1.98 Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 004/518] net/sched: dualpi2: fix GSO backlog accounting Greg Kroah-Hartman
` (518 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kiryl Shutsemau, Sashiko AI review,
Lorenzo Stoakes, David Hildenbrand, Michal Hocko, Mike Rapoport,
Peter Xu, Suren Baghdasaryan, Vlastimil Babka, Balbir Singh,
Andrew Morton, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kiryl Shutsemau <kas@kernel.org>
[ Upstream commit 8e80af52db652fbc41320eee45a4f73bc029faf2 ]
userfaultfd_must_wait() and userfaultfd_huge_must_wait() read the PTE
without taking the page table lock and then apply pte_write() /
huge_pte_write() to it. Those accessors decode bits from the present
encoding only; on a swap or migration entry they read the offset bits that
happen to share the same position and return an undefined result.
The intent of the check is "is this fault still WP-blocked?". A
non-marker swap entry means the page is in transit -- the userfault
context the original fault delivered against is no longer the same, and
the swap-in or migration completion path will re-deliver a fresh fault if
userspace still needs to handle it. Worst case under the current code the
garbage write bit says "wait", and the thread stays asleep until a
UFFDIO_WAKE that may never arrive.
Gate the writability check on pte_present() so the lockless re-check only
inspects present-PTE bits when the entry is actually present. The
non-present, non-marker case returns "don't wait" and lets the fault path
retry.
Link: https://lore.kernel.org/20260529172331.356655-6-kas@kernel.org
Fixes: 369cd2121be4 ("userfaultfd: hugetlbfs: userfaultfd_huge_must_wait for hugepmd ranges")
Fixes: 63b2d4174c4a ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Reported-by: Sashiko AI review <sashiko-bot@kernel.org>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ kas: apply to fs/userfaultfd.c; these checks moved to mm/userfaultfd.c
only after 7.1, the change is otherwise identical to upstream ]
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/userfaultfd.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 390e4b7d9cb9fa..dba1172436b745 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -253,6 +253,15 @@ static inline bool userfaultfd_huge_must_wait(struct userfaultfd_ctx *ctx,
/* UFFD PTE markers require userspace to resolve the fault. */
if (pte_is_uffd_marker(pte))
return true;
+ /*
+ * Concurrent migration may have replaced the present PTE with a
+ * non-marker swap entry between fault delivery and this lockless
+ * re-check. huge_pte_write() on a swap entry decodes random offset
+ * bits, so gate it on pte_present(). The migration completion path
+ * will re-deliver the fault if it still needs userspace.
+ */
+ if (!pte_present(pte))
+ return false;
/*
* If VMA has UFFD WP faults enabled and WP fault, wait for userspace to
* resolve the fault.
@@ -339,6 +348,17 @@ static inline bool userfaultfd_must_wait(struct userfaultfd_ctx *ctx,
/* UFFD PTE markers require userspace to resolve the fault. */
if (pte_is_uffd_marker(ptent))
goto out;
+ /*
+ * Concurrent swap-out / migration may have replaced the present PTE
+ * with a non-marker swap entry between fault delivery and this
+ * lockless re-check. pte_write() on a swap entry decodes random
+ * offset bits, so gate it on pte_present(). The page-in path will
+ * re-deliver the fault if it still needs userspace.
+ */
+ if (!pte_present(ptent)) {
+ ret = false;
+ goto out;
+ }
/*
* If VMA has UFFD WP faults enabled and WP fault, wait for userspace to
* resolve the fault.
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 004/518] net/sched: dualpi2: fix GSO backlog accounting
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 003/518] userfaultfd: gate must_wait writability check on pte_present() Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 005/518] mm/khugepaged: write all dirty file folios when collapsing Greg Kroah-Hartman
` (517 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingquan Liu, Jamal Hadi Salim,
Victor Nogueira, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingquan Liu <b1n@b1n.io>
commit 05ed733b65ab977dd931e7f7ac0f62fdb81205c2 upstream.
When DualPI2 splits a GSO skb into N segments, it propagates N
additional packets to its parent before returning NET_XMIT_SUCCESS.
The parent then accounts for the original skb once more, leaving its
qlen one larger than the number of packets actually queued.
With QFQ as the parent, after all real packets are dequeued, QFQ still
has a non-zero qlen while its in-service aggregate has no active
classes. qfq_choose_next_agg() returns NULL and qfq_dequeue() passes
the result to qfq_peek_skb(), causing a NULL pointer dereference.
Follow the same pattern used by tbf_segment() and taprio: count only
successfully queued segments, propagate the difference between the
original skb and those segments, and return NET_XMIT_SUCCESS whenever
at least one segment was queued.
Fixes: 8f9516daedd6 ("sched: Add enqueue/dequeue of dualpi2 qdisc")
Cc: stable@vger.kernel.org
Signed-off-by: Xingquan Liu <b1n@b1n.io>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260619151447.223640-1-b1n@b1n.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_dualpi2.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/net/sched/sch_dualpi2.c
+++ b/net/sched/sch_dualpi2.c
@@ -461,7 +461,7 @@ static int dualpi2_qdisc_enqueue(struct
if (IS_ERR_OR_NULL(nskb))
return qdisc_drop(skb, sch, to_free);
- cnt = 1;
+ cnt = 0;
byte_len = 0;
orig_len = qdisc_pkt_len(skb);
skb_list_walk_safe(nskb, nskb, next) {
@@ -488,16 +488,15 @@ static int dualpi2_qdisc_enqueue(struct
byte_len += nskb->len;
}
}
- if (cnt > 1) {
+ if (cnt > 0) {
/* The caller will add the original skb stats to its
* backlog, compensate this if any nskb is enqueued.
*/
- --cnt;
- byte_len -= orig_len;
+ qdisc_tree_reduce_backlog(sch, 1 - cnt,
+ orig_len - byte_len);
}
- qdisc_tree_reduce_backlog(sch, -cnt, -byte_len);
consume_skb(skb);
- return err;
+ return cnt > 0 ? NET_XMIT_SUCCESS : err;
}
return dualpi2_enqueue_skb(skb, sch, to_free);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 005/518] mm/khugepaged: write all dirty file folios when collapsing
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 004/518] net/sched: dualpi2: fix GSO backlog accounting Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 006/518] slab: recognize @GFP parameter as optional in kernel-doc Greg Kroah-Hartman
` (516 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Viro, Christian Brauner,
Jan Kara, Matthew Wilcox, Song Liu, Eric Hagberg, Zi Yan,
Gregg Leventhal, Lance Yang, Pedro Falcato,
David Hildenbrand (Arm), Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Falcato <pfalcato@suse.de>
[There is no upstream commit, as this code was removed by upstream
commit 044925f9b565 ("mm: fs: remove filemap_nr_thps*() functions and their users")]
As-is, khugepaged and writable-file opening exclude each other. A file
cannot be open writeable and have THPs (because the filesystem is not aware
of them). khugepaged will never collapse file pages for files that are
opened writeable. On an open(O_RDWR/O_WRONLY), the page cache for that
particular file is dropped. This is fine because nothing could've been
dirtied.
However, there is an edge-case: collapse_file() might not be able to
coexist with concurrent writers, but it can coexist with dirty folios
(from previous writers). Therefore, the following can happen:
open(file, O_RDWR)
write(file)
close(file)
madvise(file_mapping, MADV_COLLAPSE, some non-dirty range)
open(file, O_RDWR)
nr_thps > 0
truncate_inode_pages()
/* THPs are cleared out, but so are the dirty folios */
When this edge-case happens, there is data loss, as the dirty folios are
fully discarded.
Fix it by fully writing back the page cache (and waiting) when collapsing
file THPs. Doing so provides the guarantee that no dirty folio will be
observed while there are active THPs. To fully ensure this is safe, the
invalidate_lock needs to be held while doing the writeout, so that
do_dentry_open()'s page cache truncation excludes this write-and-wait.
As a side effect, move the nr_thps counter bumping outside the i_pages
lock. This is correct since the counter itself is an atomic_t and the
producer <-> consumer correctness is provided by a full memory barrier:
smp_mb() in collapse_file()/memory barrier implied by full ordering in
get_write_access() -> atomic_inc_unless_negative().
Cc: stable@vger.kernel.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Song Liu <song@kernel.org>
Cc: Eric Hagberg <ehagberg@janestreet.com>
Cc: Zi Yan <ziy@nvidia.com>
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Reported-by: Gregg Leventhal <gleventhal@janestreet.com>
Closes: https://lore.kernel.org/linux-mm/CAFN_u7H_0ECF3jixP=T=U7AH5=Q3wQNvJMo8an3VqUDMerQfUw@mail.gmail.com/
Tested-by: Zi Yan <ziy@nvidia.com>
Tested-by: Lance Yang <lance.yang@linux.dev>
Signed-off-by: Pedro Falcato <pfalcato@suse.de>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/khugepaged.c | 39 +++++++++++++++++++++++++--------------
1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index b8452dbdb043f8..d6e04041f5dc11 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -2094,32 +2094,43 @@ static enum scan_result collapse_file(struct mm_struct *mm, unsigned long addr,
goto xa_unlocked;
}
- if (!is_shmem) {
+xa_locked:
+ xas_unlock_irq(&xas);
+xa_unlocked:
+
+ /*
+ * If collapse is successful, flush must be done now before copying.
+ * If collapse is unsuccessful, does flush actually need to be done?
+ * Do it anyway, to clear the state.
+ */
+ try_to_unmap_flush();
+
+ if (result == SCAN_SUCCEED && !is_shmem && !mapping_large_folio_support(mapping)) {
+ /*
+ * invalidate_lock as shared excludes against concurrent opens
+ * in do_dentry_open() truncating the page cache. This is
+ * particularly important if there are dirty folios in transit.
+ */
+ filemap_invalidate_lock_shared(mapping);
filemap_nr_thps_inc(mapping);
/*
* Paired with the fence in do_dentry_open() -> get_write_access()
* to ensure i_writecount is up to date and the update to nr_thps
* is visible. Ensures the page cache will be truncated if the
- * file is opened writable.
+ * file is opened writable. If collapse looks to be successful,
+ * flush any dirty pages out the page cache. With the nr_thps
+ * incremented, there won't be any new writers (nor new dirties).
*/
smp_mb();
- if (inode_is_open_for_write(mapping->host)) {
+ if (inode_is_open_for_write(mapping->host) || filemap_write_and_wait(mapping)) {
result = SCAN_FAIL;
filemap_nr_thps_dec(mapping);
+ filemap_invalidate_unlock_shared(mapping);
+ goto rollback;
}
+ filemap_invalidate_unlock_shared(mapping);
}
-xa_locked:
- xas_unlock_irq(&xas);
-xa_unlocked:
-
- /*
- * If collapse is successful, flush must be done now before copying.
- * If collapse is unsuccessful, does flush actually need to be done?
- * Do it anyway, to clear the state.
- */
- try_to_unmap_flush();
-
if (result == SCAN_SUCCEED && nr_none &&
!shmem_charge(mapping->host, nr_none))
result = SCAN_FAIL;
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 006/518] slab: recognize @GFP parameter as optional in kernel-doc
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 005/518] mm/khugepaged: write all dirty file folios when collapsing Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 007/518] perf trace beauty fcntl: Fix build with older kernel headers Greg Kroah-Hartman
` (515 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Harry Yoo (Oracle),
Vlastimil Babka (SUSE), Eric Biggers
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
commit 7b5f5865fb11e60edd03c5e063e2d228b7062317 upstream.
Since the @GFP parameter in kmalloc_obj() etc. is now optional, change
the kernel-doc to indicate that it is optional. This avoids kernel-doc
warnings:
WARNING: include/linux/slab.h:1101 Excess function parameter 'GFP' description in 'kmalloc_obj'
WARNING: include/linux/slab.h:1113 Excess function parameter 'GFP' description in 'kmalloc_objs'
WARNING: include/linux/slab.h:1128 Excess function parameter 'GFP' description in 'kmalloc_flex'
Fixes: e19e1b480ac7 ("add default_gfp() helper macro and use it in the new *alloc_obj() helpers")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
Link: https://patch.msgid.link/20260617163125.2716279-1-rdunlap@infradead.org
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/slab.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -1000,7 +1000,7 @@ void *kmalloc_nolock_noprof(size_t size,
/**
* kmalloc_obj - Allocate a single instance of the given type
* @VAR_OR_TYPE: Variable or type to allocate.
- * @GFP: GFP flags for the allocation.
+ * @...: optional GFP flags for the allocation (GFP_KERNEL when not specified).
*
* Returns: newly allocated pointer to a @VAR_OR_TYPE on success, or NULL
* on failure.
@@ -1012,7 +1012,7 @@ void *kmalloc_nolock_noprof(size_t size,
* kmalloc_objs - Allocate an array of the given type
* @VAR_OR_TYPE: Variable or type to allocate an array of.
* @COUNT: How many elements in the array.
- * @GFP: GFP flags for the allocation.
+ * @...: optional GFP flags for the allocation (GFP_KERNEL when not specified).
*
* Returns: newly allocated pointer to array of @VAR_OR_TYPE on success,
* or NULL on failure.
@@ -1025,7 +1025,7 @@ void *kmalloc_nolock_noprof(size_t size,
* @VAR_OR_TYPE: Variable or type to allocate (with its flex array).
* @FAM: The name of the flexible array member of the structure.
* @COUNT: How many flexible array member elements are desired.
- * @GFP: GFP flags for the allocation.
+ * @...: optional GFP flags for the allocation (GFP_KERNEL when not specified).
*
* Returns: newly allocated pointer to @VAR_OR_TYPE on success, NULL on
* failure. If @FAM has been annotated with __counted_by(), the allocation
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 007/518] perf trace beauty fcntl: Fix build with older kernel headers
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 006/518] slab: recognize @GFP parameter as optional in kernel-doc Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 008/518] KVM: x86: Move update_cr8_intercept() to lapic.c Greg Kroah-Hartman
` (514 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Florian Fainelli,
Adrian Hunter, Alexander Shishkin, Ingo Molnar, James Clark,
Jiri Olsa, Mark Rutland, Markus Mayer, Namhyung Kim,
Peter Zijlstra, Arnaldo Carvalho de Melo
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <florian.fainelli@broadcom.com>
commit 7ee7f48413c42b90230de4a8e40898b757bc8e82 upstream.
Toolchains with older kernel headers that do not include upstream commit
c75b1d9421f80f41 ("fs: add fcntl() interface for setting/getting write
life time hints") will now fail to build perf due to missing definitions
for F_GET_RW_HINT/F_SET_RW_HINT/F_GET_FILE_RW_HINT/F_SET_FILE_RW_HINT.
Provide a fallback definition for these when they are not already
defined.
Fixes: 9c47f66748381ecb ("perf trace beauty fcntl: Basic 'arg' beautifier")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Markus Mayer <mmayer@broadcom.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/perf/trace/beauty/fcntl.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/tools/perf/trace/beauty/fcntl.c
+++ b/tools/perf/trace/beauty/fcntl.c
@@ -9,6 +9,22 @@
#include <linux/kernel.h>
#include <linux/fcntl.h>
+#ifndef F_GET_RW_HINT
+#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
+#endif
+
+#ifndef F_SET_RW_HINT
+#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
+#endif
+
+#ifndef F_GET_FILE_RW_HINT
+#define F_GET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 13)
+#endif
+
+#ifndef F_SET_FILE_RW_HINT
+#define F_SET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 14)
+#endif
+
static size_t fcntl__scnprintf_getfd(unsigned long val, char *bf, size_t size, bool show_prefix)
{
return val ? scnprintf(bf, size, "%s", "0") :
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 008/518] KVM: x86: Move update_cr8_intercept() to lapic.c
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 007/518] perf trace beauty fcntl: Fix build with older kernel headers Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 009/518] KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode Greg Kroah-Hartman
` (513 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai Huang, Yosry Ahmed,
Sean Christopherson, Carlos López
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream Commit c7722e5e1daeeabbd9f969554d52bb7158120b27 ]
Move update_cr8_intercept() to lapic.c so that it's globally visible
in anticipation of extracting most of the register-specific code out of
x86.c and into a new compilation unit. Opportunistically prefix the
helper kvm_lapic_ to make its role/scope more obvious.
No functional change intended.
Reviewed-by: Kai Huang <kai.huang@intel.com>
Reviewed-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260529222223.870923-14-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 26 ++++++++++++++++++++++++++
arch/x86/kvm/lapic.h | 1 +
arch/x86/kvm/x86.c | 34 +++-------------------------------
3 files changed, 30 insertions(+), 31 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2744,6 +2744,32 @@ u64 kvm_lapic_get_cr8(struct kvm_vcpu *v
return (tpr & 0xf0) >> 4;
}
+void kvm_lapic_update_cr8_intercept(struct kvm_vcpu *vcpu)
+{
+ int max_irr, tpr;
+
+ if (!kvm_x86_ops.update_cr8_intercept)
+ return;
+
+ if (!lapic_in_kernel(vcpu))
+ return;
+
+ if (vcpu->arch.apic->apicv_active)
+ return;
+
+ if (!vcpu->arch.apic->vapic_addr)
+ max_irr = kvm_lapic_find_highest_irr(vcpu);
+ else
+ max_irr = -1;
+
+ if (max_irr != -1)
+ max_irr >>= 4;
+
+ tpr = kvm_lapic_get_cr8(vcpu);
+
+ kvm_x86_call(update_cr8_intercept)(vcpu, tpr, max_irr);
+}
+
static void __kvm_apic_set_base(struct kvm_vcpu *vcpu, u64 value)
{
u64 old_value = vcpu->arch.apic_base;
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -100,6 +100,7 @@ int kvm_apic_accept_events(struct kvm_vc
void kvm_lapic_reset(struct kvm_vcpu *vcpu, bool init_event);
u64 kvm_lapic_get_cr8(struct kvm_vcpu *vcpu);
void kvm_lapic_set_tpr(struct kvm_vcpu *vcpu, unsigned long cr8);
+void kvm_lapic_update_cr8_intercept(struct kvm_vcpu *vcpu);
void kvm_lapic_set_eoi(struct kvm_vcpu *vcpu);
void kvm_apic_set_version(struct kvm_vcpu *vcpu);
void kvm_apic_after_set_mcg_cap(struct kvm_vcpu *vcpu);
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -128,7 +128,6 @@ static u64 __read_mostly efer_reserved_b
KVM_X2APIC_ENABLE_SUPPRESS_EOI_BROADCAST | \
KVM_X2APIC_DISABLE_SUPPRESS_EOI_BROADCAST)
-static void update_cr8_intercept(struct kvm_vcpu *vcpu);
static void process_nmi(struct kvm_vcpu *vcpu);
static void __kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags);
static void store_regs(struct kvm_vcpu *vcpu);
@@ -5340,7 +5339,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
r = kvm_apic_set_state(vcpu, s);
if (r)
return r;
- update_cr8_intercept(vcpu);
+ kvm_lapic_update_cr8_intercept(vcpu);
return 0;
}
@@ -10595,33 +10594,6 @@ static void post_kvm_run_save(struct kvm
kvm_run->flags |= KVM_RUN_X86_GUEST_MODE;
}
-static void update_cr8_intercept(struct kvm_vcpu *vcpu)
-{
- int max_irr, tpr;
-
- if (!kvm_x86_ops.update_cr8_intercept)
- return;
-
- if (!lapic_in_kernel(vcpu))
- return;
-
- if (vcpu->arch.apic->apicv_active)
- return;
-
- if (!vcpu->arch.apic->vapic_addr)
- max_irr = kvm_lapic_find_highest_irr(vcpu);
- else
- max_irr = -1;
-
- if (max_irr != -1)
- max_irr >>= 4;
-
- tpr = kvm_lapic_get_cr8(vcpu);
-
- kvm_x86_call(update_cr8_intercept)(vcpu, tpr, max_irr);
-}
-
-
int kvm_check_nested_events(struct kvm_vcpu *vcpu)
{
if (kvm_test_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {
@@ -11362,7 +11334,7 @@ static int vcpu_enter_guest(struct kvm_v
kvm_x86_call(enable_irq_window)(vcpu);
if (kvm_lapic_enabled(vcpu)) {
- update_cr8_intercept(vcpu);
+ kvm_lapic_update_cr8_intercept(vcpu);
kvm_lapic_sync_to_vapic(vcpu);
}
}
@@ -12511,7 +12483,7 @@ static int __set_sregs_common(struct kvm
kvm_set_segment(vcpu, &sregs->tr, VCPU_SREG_TR);
kvm_set_segment(vcpu, &sregs->ldt, VCPU_SREG_LDTR);
- update_cr8_intercept(vcpu);
+ kvm_lapic_update_cr8_intercept(vcpu);
/* Older userspace won't unhalt the vcpu on reset. */
if (kvm_vcpu_is_bsp(vcpu) && kvm_rip_read(vcpu) == 0xfff0 &&
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 009/518] KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 008/518] KVM: x86: Move update_cr8_intercept() to lapic.c Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 010/518] KVM: x86: Unconditionally recompute CR8 intercept on PPR update Greg Kroah-Hartman
` (512 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot ci, Sean Christopherson,
Paolo Bonzini, Carlos López
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 7ef78d71ca713d8c00f7c34ddcf276c808143f77 ]
When updating CR8 intercepts, get vmcs12 if and only if the vCPU is in
guest mode so that a future change can have update CR8 intercepts during
vCPU creation, without running afoul of get_vmcs12()'s lockdep assertion.
------------[ cut here ]------------
debug_locks && !(lock_is_held(&(&vcpu->mutex)->dep_map) || !refcount_read(&vcpu->kvm->users_count))
WARNING: arch/x86/kvm/vmx/nested.h:61 at get_vmcs12 arch/x86/kvm/vmx/nested.h:60 [inline], CPU#0: syz.2.19/5879
WARNING: arch/x86/kvm/vmx/nested.h:61 at vmx_update_cr8_intercept+0x3de/0x4e0 arch/x86/kvm/vmx/vmx.c:6879, CPU#0: syz.2.19/5879
Modules linked in:
CPU: 0 UID: 0 PID: 5879 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:get_vmcs12 arch/x86/kvm/vmx/nested.h:60 [inline]
RIP: 0010:vmx_update_cr8_intercept+0x3de/0x4e0 arch/x86/kvm/vmx/vmx.c:6879
Call Trace:
<TASK>
apic_update_ppr arch/x86/kvm/lapic.c:984 [inline]
kvm_lapic_reset+0x1c24/0x2980 arch/x86/kvm/lapic.c:3023
kvm_vcpu_reset+0x44c/0x1bf0 arch/x86/kvm/x86.c:12986
kvm_arch_vcpu_create+0x746/0x8b0 arch/x86/kvm/x86.c:12847
kvm_vm_ioctl_create_vcpu+0x428/0x930 virt/kvm/kvm_main.c:4201
kvm_vm_ioctl+0x893/0xd50 virt/kvm/kvm_main.c:5159
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
No functional change intended.
Reported-by: syzbot ci <syzbot+ci493c6d734b63e050@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/6a2adf3b.3b0a2d4e.8c8d1.0012.GAE@google.com
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260618174347.1981064-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/vmx.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6855,11 +6855,10 @@ int vmx_handle_exit(struct kvm_vcpu *vcp
void vmx_update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
{
- struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
int tpr_threshold;
if (is_guest_mode(vcpu) &&
- nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW))
+ nested_cpu_has(get_vmcs12(vcpu), CPU_BASED_TPR_SHADOW))
return;
guard(vmx_vmcs01)(vcpu);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 010/518] KVM: x86: Unconditionally recompute CR8 intercept on PPR update
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 009/518] KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 011/518] ACPI: CPPC: Suppress UBSAN warning caused by field misuse Greg Kroah-Hartman
` (511 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella,
Carlos López, Sean Christopherson, Paolo Bonzini
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 4243 bytes --]
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Carlos López" <clopez@suse.de>
[ Upstream commit bb365a506b1e6fb050c0fceaad354fe395385ef0 ]
The TPR_THRESHOLD field in the VMCS is used by VMX to induce VM exits
when the guest's virtual TPR falls under the specified threshold,
allowing KVM to inject previously masked interrupts.
KVM handles these VM exits in handle_tpr_below_threshold().
Commit eb90f3417a0c ("KVM: vmx: speed up TPR below threshold vmexits")
optimized this function by calling apic_update_ppr() instead of raising
KVM_REQ_EVENT. apic_update_ppr() then raises KVM_REQ_EVENT if there is
a pending, deliverable interrupt.
However, if there are no new interrupts pending, apic_update_ppr() does
not issue the request. Thus, kvm_lapic_update_cr8_intercept() and
vmx_update_cr8_intercept() are not called before VM entry, which results
in a high, stale TPR_THRESHOLD. This is problematic due to the following
sentence in 28.2.1.1 "VM-Execution Control Fields" in the SDM:
The following check is performed if the âuse TPR shadowâ VM-execution
control is 1 and the âvirtualize APIC accessesâ and âvirtual-interrupt
deliveryâ VM-execution controls are both 0: the value of bits 3:0 of
the TPR threshold VM-execution control field should not be greater
than the value of bits 7:4 of VTPR.
This error condition is typically not observed when KVM runs on a bare
metal system because modern processors support APICv, which enables
virtual-interrupt delivery, and which KVM uses when possible. This
causes the processor to no longer generate TPR-below-threshold exits
and to no longer check TPR_THRESHOLD on entry. However, when running
on older platforms, or under nested virtualization on a hypervisor that
does not support virtual-interrupt delivery and enforces this check
(like Hyper-V) this can cause a VM entry failure with hardware error
0x7, as seen in [1].
Call kvm_lapic_update_cr8_intercept() if apic_update_ppr() does not
find a deliverable interrupt (and thus does not raise KVM_REQ_EVENT).
Remove calls to kvm_lapic_update_cr8_intercept() on paths that end up in
apic_update_ppr(), as they now become redundant. This ensures that any
path that updates the guest's PPR also figures out if KVM needs to wait
for a TPR change (using TPR_THRESHOLD on VMX or CR8 intercepts on SVM).
Link: https://github.com/coconut-svsm/svsm/issues/1081 [1]
Tested-by: Stefano Garzarella <sgarzare@redhat.com>
Cc: stable@vger.kernel.org
Fixes: eb90f3417a0c ("KVM: vmx: speed up TPR below threshold vmexits")
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260618174347.1981064-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 ++
arch/x86/kvm/x86.c | 5 +----
2 files changed, 3 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -980,6 +980,8 @@ static void apic_update_ppr(struct kvm_l
if (__apic_update_ppr(apic, &ppr) &&
apic_has_interrupt_for_ppr(apic, ppr) != -1)
kvm_make_request(KVM_REQ_EVENT, apic->vcpu);
+ else
+ kvm_lapic_update_cr8_intercept(apic->vcpu);
}
void kvm_apic_update_ppr(struct kvm_vcpu *vcpu)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5339,7 +5339,6 @@ static int kvm_vcpu_ioctl_set_lapic(stru
r = kvm_apic_set_state(vcpu, s);
if (r)
return r;
- kvm_lapic_update_cr8_intercept(vcpu);
return 0;
}
@@ -12453,8 +12452,6 @@ static int __set_sregs_common(struct kvm
kvm_register_mark_dirty(vcpu, VCPU_EXREG_CR3);
kvm_x86_call(post_set_cr3)(vcpu, sregs->cr3);
- kvm_set_cr8(vcpu, sregs->cr8);
-
*mmu_reset_needed |= vcpu->arch.efer != sregs->efer;
kvm_x86_call(set_efer)(vcpu, sregs->efer);
@@ -12483,7 +12480,7 @@ static int __set_sregs_common(struct kvm
kvm_set_segment(vcpu, &sregs->tr, VCPU_SREG_TR);
kvm_set_segment(vcpu, &sregs->ldt, VCPU_SREG_LDTR);
- kvm_lapic_update_cr8_intercept(vcpu);
+ kvm_set_cr8(vcpu, sregs->cr8);
/* Older userspace won't unhalt the vcpu on reset. */
if (kvm_vcpu_is_bsp(vcpu) && kvm_rip_read(vcpu) == 0xfff0 &&
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 011/518] ACPI: CPPC: Suppress UBSAN warning caused by field misuse
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 010/518] KVM: x86: Unconditionally recompute CR8 intercept on PPR update Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 012/518] ACPI: NFIT: core: Fix possible NULL pointer dereference Greg Kroah-Hartman
` (510 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeremy Linton, Jarred White,
Easwar Hariharan, Rafael J. Wysocki
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Linton <jeremy.linton@arm.com>
commit 1b1acf2dada0cc3931bb2cb9ff8832edfbee46a1 upstream.
The definition of reg->access_width changes depending on the
reg->space_id type. Type ACPI_ADR_SPACE_PLATFORM_COMM uses
access_width to indicate the PCC region, which can result in a UBSAN
if the value is greater than 4.
For example:
UBSAN: shift-out-of-bounds in drivers/acpi/cppc_acpi.c:1090:9
shift exponent 32 is too large for 32-bit type 'int'
CPU: 61 UID: 0 PID: 1220 Comm: (udev-worker) Not tainted 7.0.10-201.fc44.aarch64 #1 PREEMPT(lazy)
Hardware name: To be filled by O.E.M.
Call trace:
...(trimming)
ubsan_epilogue+0x10/0x48
__ubsan_handle_shift_out_of_bounds+0xdc/0x1e0
cpc_write+0x4d0/0x670
cppc_set_perf+0x18c/0x490
cppc_cpufreq_cpu_init+0x1c8/0x380 [cppc_cpufreq]
... (trimming)
Lets fix this by validating the region type, as well as whether
access_width has a value. Then since we are returning bit_width
directly for ACPI_ADR_SPACE_PLATFORM_COMM, drop the code correcting
the size.
Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Tested-by: Jarred White <jarredwhite@linux.microsoft.com>
Reviewed-by: Jarred White <jarredwhite@linux.microsoft.com>
Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260601235808.1113137-1-jeremy.linton@arm.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/cppc_acpi.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -185,8 +185,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_
show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
-/* Check for valid access_width, otherwise, fallback to using bit_width */
-#define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
+/*
+ * PCC reuses the access_width field as the subspace id, so only decode access
+ * size for non-PCC registers. Otherwise, use the bit_width.
+ */
+#define GET_BIT_WIDTH(reg) (((reg)->access_width && \
+ (reg)->space_id != ACPI_ADR_SPACE_PLATFORM_COMM) ? \
+ (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
/* Shift and apply the mask for CPC reads/writes */
#define MASK_VAL_READ(reg, val) (((val) >> (reg)->bit_offset) & \
@@ -1045,7 +1050,6 @@ static int cpc_read(int cpu, struct cpc_
* by the bit width field; the access size is used to indicate
* the PCC subspace id.
*/
- size = reg->bit_width;
vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
}
else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
@@ -1118,7 +1122,6 @@ static int cpc_write(int cpu, struct cpc
* by the bit width field; the access size is used to indicate
* the PCC subspace id.
*/
- size = reg->bit_width;
vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
}
else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 012/518] ACPI: NFIT: core: Fix possible NULL pointer dereference
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 011/518] ACPI: CPPC: Suppress UBSAN warning caused by field misuse Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 013/518] ACPI: NFIT: core: Fix acpi_nfit_init() error cleanup Greg Kroah-Hartman
` (509 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Dave Jiang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 027e128abb82788189d6d45b68e3e8e7329b67be upstream.
After commit 9b311b7313d6 ("ACPI: NFIT: Install Notify() handler before
getting NFIT table"), acpi_nfit_probe() installs an ACPI notify handler
for the NFIT device before checking the presence of the NFIT table. If
that table is not there, 0 is returned without allocating the acpi_desc
object and setting the driver data pointer of the NFIT device. If the
platform firmware triggers an NFIT_NOTIFY_UC_MEMORY_ERROR notification
on the NFIT device at that point, acpi_nfit_uc_error_notify() will
dereference a NULL pointer.
Prevent that from occurring by adding an acpi_desc check against NULL
to acpi_nfit_uc_error_notify().
Fixes: 9b311b7313d6 ("ACPI: NFIT: Install Notify() handler before getting NFIT table")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: All applicable <stable@vger.kernel.org>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/2418508.ElGaqSPkdT@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/nfit/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -3460,6 +3460,9 @@ static void acpi_nfit_uc_error_notify(st
{
struct acpi_nfit_desc *acpi_desc = dev_get_drvdata(dev);
+ if (!acpi_desc)
+ return;
+
if (acpi_desc->scrub_mode == HW_ERROR_SCRUB_ON)
acpi_nfit_ars_rescan(acpi_desc, ARS_REQ_LONG);
else
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 013/518] ACPI: NFIT: core: Fix acpi_nfit_init() error cleanup
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 012/518] ACPI: NFIT: core: Fix possible NULL pointer dereference Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 014/518] platform/x86: intel-hid: Protect ACPI notify handler against recursion Greg Kroah-Hartman
` (508 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Dave Jiang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 38bf27511ef41bffebd157ec3eba41fc89ba59cd upstream.
If acpi_nfit_init() fails after adding the acpi_desc object to the
acpi_descs list, that object is never removed from that list because
the acpi_nfit_shutdown() devm action is not added for the NFIT device
in that case. Next, the acpi_nfit_init() failure causes
acpi_nfit_probe() to fail, the acpi_desc object is freed, and a
dangling pointer is left behind in the acpi_descs. Any subsequent
ACPI Machine Check Exception will trigger nfit_handle_mce() which
iterates over acpi_descs and so a use-after-free will occur.
Moreover, if acpi_nfit_probe() returns 0 after installing a notify
handler for the NFIT device and without allocating the acpi_desc
object and setting the NFIT device's driver data pointer, the
acpi_desc object will be allocated by acpi_nfit_update_notify()
and acpi_nfit_init() will be called to initialize it. Regardless
of whether or not acpi_nfit_init() fails in that case, the
acpi_nfit_shutdown() devm action is not added for the NFIT device
and acpi_desc is never removed from the acpi_descs list. If the
acpi_desc object is freed subsequently on driver removal, any
subsequent ACPI MCE will lead to a use-after-free like in the
previous case.
To address the first issue mentioned above, make acpi_nfit_probe()
call acpi_nfit_shutdown() directly on acpi_nfit_init() failures and
to address the other one, add a remove callback to the driver and
make it call acpi_nfit_shutdown(). Also, since it is now possible to
pass NULL to acpi_nfit_shutdown() or the acpi_desc object passed to it
may not have been initialized, add checks against NULL for acpi_desc and
its nvdimm_bus field to that function and make acpi_nfit_unregister()
clear the latter after unregistering the NVDIMM bus.
Fixes: a61fe6f7902e ("nfit, tools/testing/nvdimm: unify common init for acpi_nfit_desc")
Fixes: fbabd829fe76 ("acpi, nfit: fix module unload vs workqueue shutdown race")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: All applicable <stable@vger.kernel.org>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/1963615.tdWV9SEqCh@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/nfit/core.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -3069,6 +3069,8 @@ static void acpi_nfit_unregister(void *d
struct acpi_nfit_desc *acpi_desc = data;
nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
+ /* The nvdimm_bus object may have been freed, so clear the pointer. */
+ acpi_desc->nvdimm_bus = NULL;
}
int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *data, acpi_size sz)
@@ -3309,7 +3311,10 @@ static void acpi_nfit_remove_notify_hand
void acpi_nfit_shutdown(void *data)
{
struct acpi_nfit_desc *acpi_desc = data;
- struct device *bus_dev = to_nvdimm_bus_dev(acpi_desc->nvdimm_bus);
+ struct device *bus_dev;
+
+ if (!acpi_desc || !acpi_desc->nvdimm_bus)
+ return;
/*
* Destruct under acpi_desc_lock so that nfit_handle_mce does not
@@ -3324,6 +3329,7 @@ void acpi_nfit_shutdown(void *data)
mutex_unlock(&acpi_desc->init_mutex);
cancel_delayed_work_sync(&acpi_desc->dwork);
+ bus_dev = to_nvdimm_bus_dev(acpi_desc->nvdimm_bus);
/*
* Bounce the nvdimm bus lock to make sure any in-flight
* acpi_nfit_ars_rescan() submissions have had a chance to
@@ -3406,9 +3412,14 @@ static int acpi_nfit_probe(struct platfo
sz - sizeof(struct acpi_table_nfit));
if (rc)
- return rc;
+ acpi_nfit_shutdown(acpi_desc);
- return devm_add_action_or_reset(dev, acpi_nfit_shutdown, acpi_desc);
+ return rc;
+}
+
+static void acpi_nfit_remove(struct platform_device *pdev)
+{
+ acpi_nfit_shutdown(platform_get_drvdata(pdev));
}
static void acpi_nfit_update_notify(struct device *dev, acpi_handle handle)
@@ -3492,6 +3503,7 @@ MODULE_DEVICE_TABLE(acpi, acpi_nfit_ids)
static struct platform_driver acpi_nfit_driver = {
.probe = acpi_nfit_probe,
+ .remove = acpi_nfit_remove,
.driver = {
.name = "acpi-nfit",
.acpi_match_table = acpi_nfit_ids,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 014/518] platform/x86: intel-hid: Protect ACPI notify handler against recursion
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 013/518] ACPI: NFIT: core: Fix acpi_nfit_init() error cleanup Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 015/518] LoongArch: Add PIO for early access before ACPI PCI root register Greg Kroah-Hartman
` (507 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Ilpo Järvinen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyeongJun An <sammiee5311@gmail.com>
commit c085d82613d5618814b84406c8b2d64f1bc305e7 upstream.
Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on
all CPUs") ACPI notify handlers like the intel-hid notify_handler() may
run on multiple CPU cores racing with themselves.
On convertibles and detachables (matched by DMI chassis-type 31 and 32 in
dmi_auto_add_switch[]) the SW_TABLET_MODE input device is registered
lazily from notify_handler() on the first tablet-mode event, via
intel_hid_switches_setup(). When two such events race on different CPUs
both can pass the !priv->switches check and register the priv->switches
input device twice, resulting in a duplicate sysfs entry and a subsequent
NULL pointer dereference.
This is the same class of bug fixed by commit e075c3b13a0a ("platform/x86:
intel-vbtn: Protect ACPI notify handler against recursion") for the
sibling intel-vbtn driver.
Protect intel-hid notify_handler() from racing with itself with a mutex
to fix this.
Fixes: e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs")
Cc: stable@vger.kernel.org
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Link: https://patch.msgid.link/20260605174905.131095-1-sammiee5311@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/hid.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -7,11 +7,13 @@
*/
#include <linux/acpi.h>
+#include <linux/cleanup.h>
#include <linux/dmi.h>
#include <linux/input.h>
#include <linux/input/sparse-keymap.h>
#include <linux/kernel.h>
#include <linux/module.h>
+#include <linux/mutex.h>
#include <linux/platform_device.h>
#include <linux/string_choices.h>
#include <linux/suspend.h>
@@ -230,6 +232,7 @@ static const struct dmi_system_id dmi_au
};
struct intel_hid_priv {
+ struct mutex mutex; /* Avoid notify_handler() racing with itself */
struct input_dev *input_dev;
struct input_dev *array;
struct input_dev *switches;
@@ -565,6 +568,8 @@ static void notify_handler(acpi_handle h
struct key_entry *ke;
int err;
+ guard(mutex)(&priv->mutex);
+
/*
* Some convertible have unreliable VGBS return which could cause incorrect
* SW_TABLET_MODE report, in these cases we enable support when receiving
@@ -720,6 +725,10 @@ static int intel_hid_probe(struct platfo
return -ENOMEM;
dev_set_drvdata(&device->dev, priv);
+ err = devm_mutex_init(&device->dev, &priv->mutex);
+ if (err)
+ return err;
+
/* See dual_accel_detect.h for more info on the dual_accel check. */
if (enable_sw_tablet_mode == TABLET_SW_AUTO) {
if (dmi_check_system(dmi_vgbs_allow_list))
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 015/518] LoongArch: Add PIO for early access before ACPI PCI root register
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 014/518] platform/x86: intel-hid: Protect ACPI notify handler against recursion Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 016/518] rust: cpufreq: clean new `clippy::map_or_identity` lint for Rust 1.98.0 Greg Kroah-Hartman
` (506 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuanzhen Gan, Huacai Chen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 6061e65f95713b01f4313cda6637dfe3aa5412b4 upstream.
For ACPI system we suppose the ISA/LPC PIO range is registered together
with PCI root bridge. But the fact is there may be some early access to
the ISA/LPC PIO range before ACPI PCI root register (most of them are
due to abnormal BIOS). Unconditionally register the ISA/LPC PIO range
usually causes ACPI PCI root register fail because of the address range
confliction. So we add a pair of helpers: acpi_add_early_pio() to add
PIO for early access, and acpi_remove_early_pio() to remove PIO before
PCI root register. Since acpi_remove_early_pio() may be called multiple
times, we add an acpi_pio flag to ensure PIO be removed only once.
Cc: <stable@vger.kernel.org>
Tested-by: Yuanzhen Gan <elysia-best@simplelinux.cn.eu.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/acpi.h | 2 ++
arch/loongarch/kernel/acpi.c | 28 ++++++++++++++++++++++++++++
arch/loongarch/kernel/setup.c | 2 ++
arch/loongarch/pci/acpi.c | 2 ++
4 files changed, 34 insertions(+)
--- a/arch/loongarch/include/asm/acpi.h
+++ b/arch/loongarch/include/asm/acpi.h
@@ -38,6 +38,8 @@ static inline bool acpi_has_cpu_in_madt(
extern struct list_head acpi_wakeup_device_list;
extern struct acpi_madt_core_pic acpi_core_pic[MAX_CORE_PIC];
+extern void acpi_add_early_pio(void);
+extern void acpi_remove_early_pio(void);
extern int __init parse_acpi_topology(void);
#endif /* !CONFIG_ACPI */
--- a/arch/loongarch/kernel/acpi.c
+++ b/arch/loongarch/kernel/acpi.c
@@ -16,6 +16,7 @@
#include <linux/memblock.h>
#include <linux/of_fdt.h>
#include <linux/serial_core.h>
+#include <linux/vmalloc.h>
#include <asm/io.h>
#include <asm/numa.h>
#include <asm/loongson.h>
@@ -59,6 +60,33 @@ void __iomem *acpi_os_ioremap(acpi_physi
return ioremap_cache(phys, size);
}
+#define PIO_BASE (unsigned long)PCI_IOBASE
+#define PIO_SIZE ALIGN(ISA_IOSIZE, PAGE_SIZE)
+
+static bool acpi_pio;
+
+/* Add PIO for early access */
+void acpi_add_early_pio(void)
+{
+ if (!acpi_disabled) {
+ acpi_pio = true;
+ vmap_page_range(PIO_BASE, PIO_BASE + PIO_SIZE,
+ LOONGSON_LIO_BASE, pgprot_device(PAGE_KERNEL));
+ }
+}
+
+/* Remove PIO for PCI register */
+void acpi_remove_early_pio(void)
+{
+ if (!acpi_pio)
+ return;
+
+ if (!acpi_disabled) {
+ acpi_pio = false;
+ vunmap_range(PIO_BASE, PIO_BASE + PIO_SIZE);
+ }
+}
+
#ifdef CONFIG_SMP
static int set_processor_mask(u32 id, u32 pass)
{
--- a/arch/loongarch/kernel/setup.c
+++ b/arch/loongarch/kernel/setup.c
@@ -502,6 +502,8 @@ static __init int arch_reserve_pio_range
{
struct device_node *np;
+ acpi_add_early_pio();
+
for_each_node_by_name(np, "isa") {
struct of_range range;
struct of_range_parser parser;
--- a/arch/loongarch/pci/acpi.c
+++ b/arch/loongarch/pci/acpi.c
@@ -65,6 +65,8 @@ static int acpi_prepare_root_resources(s
struct resource_entry *entry, *tmp;
struct acpi_device *device = ci->bridge;
+ acpi_remove_early_pio();
+
status = acpi_pci_probe_root_resources(ci);
if (status > 0) {
acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 016/518] rust: cpufreq: clean new `clippy::map_or_identity` lint for Rust 1.98.0
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 015/518] LoongArch: Add PIO for early access before ACPI PCI root register Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 017/518] rust: kasan: KASAN+RUST requires clang Greg Kroah-Hartman
` (505 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhongqiu Han, Gary Guo,
Alexandre Courbot, Viresh Kumar, Miguel Ojeda
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
commit 3473e0a219fdb2cb013da0a5d917e66fef052325 upstream.
Starting with Rust 1.98.0 (expected 2026-08-20), Clippy is likely
introducing a new lint `clippy::map_or_identity` [1][2], which currently
triggers in a single case:
warning: expression can be simplified using `Result::unwrap_or()`
--> rust/kernel/cpufreq.rs:1326:60
|
1326 | PolicyCpu::from_cpu(cpu_id).map_or(0, |mut policy| T::get(&mut policy).map_or(0, |f| f))
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#map_or_identity
= note: `-W clippy::map-or-identity` implied by `-W clippy::all`
= help: to override `-W clippy::all` add `#[allow(clippy::map_or_identity)]`
help: consider using `unwrap_or`
|
1326 - PolicyCpu::from_cpu(cpu_id).map_or(0, |mut policy| T::get(&mut policy).map_or(0, |f| f))
1326 + PolicyCpu::from_cpu(cpu_id).map_or(0, |mut policy| T::get(&mut policy).unwrap_or(0))
|
The suggestion is valid, thus clean it up.
Cc: stable@vger.kernel.org # Needed in 6.18.y and later.
Link: https://github.com/rust-lang/rust-clippy/issues/15801 [1]
Link: https://github.com/rust-lang/rust-clippy/pull/16052 [2]
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/20260530095809.213611-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/kernel/cpufreq.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/rust/kernel/cpufreq.rs
+++ b/rust/kernel/cpufreq.rs
@@ -1323,7 +1323,7 @@ impl<T: Driver> Registration<T> {
// SAFETY: The C API guarantees that `cpu` refers to a valid CPU number.
let cpu_id = unsafe { CpuId::from_u32_unchecked(cpu) };
- PolicyCpu::from_cpu(cpu_id).map_or(0, |mut policy| T::get(&mut policy).map_or(0, |f| f))
+ PolicyCpu::from_cpu(cpu_id).map_or(0, |mut policy| T::get(&mut policy).unwrap_or(0))
}
/// Driver's `update_limit` callback.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 017/518] rust: kasan: KASAN+RUST requires clang
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 016/518] rust: cpufreq: clean new `clippy::map_or_identity` lint for Rust 1.98.0 Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 018/518] rust: pci: use static lifetime for PCI BAR resource names Greg Kroah-Hartman
` (504 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alice Ryhl, Gary Guo, Miguel Ojeda
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 5b271543d0f08e9733d4732721e960e285f6448f upstream.
Kernel KASAN involves passing various llvm/gcc specific arguments to
the C and Rust compiler. Since these arguments differ between llvm and
gcc, it's not safe to mix an llvm-based rustc with a gcc build when
kasan is enabled.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: stable@vger.kernel.org
Fixes: e3117404b411 ("kbuild: rust: Enable KASAN support")
Link: https://patch.msgid.link/20260408-kasan-rust-sw-tags-v3-1-e07964d14363@google.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
init/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2198,6 +2198,7 @@ config RUST
depends on !DEBUG_INFO_BTF || (PAHOLE_HAS_LANG_EXCLUDE && !LTO)
depends on !CFI || HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC
select CFI_ICALL_NORMALIZE_INTEGERS if CFI
+ depends on !KASAN || CC_IS_CLANG
depends on !KASAN_SW_TAGS
help
Enables Rust support in the kernel.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 018/518] rust: pci: use static lifetime for PCI BAR resource names
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 017/518] rust: kasan: KASAN+RUST requires clang Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 019/518] rust: block: fix GenDisk cleanup paths Greg Kroah-Hartman
` (503 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Alexandre Courbot,
Eliot Courtney, Gary Guo, Danilo Krummrich
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
commit e566a9e17f3774c962b6d2522750f227f027edc6 upstream.
pci_request_region() stores the name pointer directly in struct
resource; use &'static CStr to ensure the pointer remains valid even if
the Bar is leaked.
Cc: stable@vger.kernel.org
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/all/20260522004943.CDA7C1F000E9@smtp.kernel.org/
Fixes: 3c2e31d717ac ("rust: pci: move I/O infrastructure to separate file")
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Reviewed-by: Eliot Courtney <ecourtney@nvidia.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260525202921.124698-2-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/kernel/pci/io.rs | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index ae78676c927f..3ce21482b079 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -153,7 +153,7 @@ pub struct Bar<const SIZE: usize = 0> {
}
impl<const SIZE: usize> Bar<SIZE> {
- pub(super) fn new(pdev: &Device, num: u32, name: &CStr) -> Result<Self> {
+ pub(super) fn new(pdev: &Device, num: u32, name: &'static CStr) -> Result<Self> {
let len = pdev.resource_len(num)?;
if len == 0 {
return Err(ENOMEM);
@@ -252,7 +252,7 @@ impl Device<device::Bound> {
pub fn iomap_region_sized<'a, const SIZE: usize>(
&'a self,
bar: u32,
- name: &'a CStr,
+ name: &'static CStr,
) -> impl PinInit<Devres<Bar<SIZE>>, Error> + 'a {
Devres::new(self.as_ref(), Bar::<SIZE>::new(self, bar, name))
}
@@ -261,7 +261,7 @@ pub fn iomap_region_sized<'a, const SIZE: usize>(
pub fn iomap_region<'a>(
&'a self,
bar: u32,
- name: &'a CStr,
+ name: &'static CStr,
) -> impl PinInit<Devres<Bar>, Error> + 'a {
self.iomap_region_sized::<0>(bar, name)
}
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 019/518] rust: block: fix GenDisk cleanup paths
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 018/518] rust: pci: use static lifetime for PCI BAR resource names Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 020/518] rust: doctest: fix incorrect pattern in replacement Greg Kroah-Hartman
` (502 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
Andreas Hindborg, Haoze Xie, Ren Wei, Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoze Xie <royenheart@gmail.com>
commit 2957771379fa335103a4b539db57bb2271e12142 upstream.
GenDiskBuilder::build() still has fallible work after
__blk_mq_alloc_disk(), but its error path only recovers the
foreign queue data. That leaks the temporary gendisk and
request_queue until later teardown. If the caller moved the last
Arc<TagSet<T>> into build(), the leaked queue can retain blk-mq
state after the tag set is dropped.
Fix the pre-registration failure path by dropping the temporary
gendisk reference with put_disk() before recovering queue_data,
so disk_release() can tear down the owned queue.
Also pair GenDisk::drop() with put_disk() after del_gendisk().
Once a Rust GenDisk has been added with device_add_disk(),
del_gendisk() only unregisters it; the final gendisk reference
still has to be dropped to complete the release path.
Fixes: 3253aba3408a ("rust: block: introduce `kernel::block::mq` module")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Haoze Xie <royenheart@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/b70aff9a920cc42110fe5cf454c3099561863519.1780063368.git.royenheart@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/kernel/block/mq/gen_disk.rs | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
--- a/rust/kernel/block/mq/gen_disk.rs
+++ b/rust/kernel/block/mq/gen_disk.rs
@@ -150,6 +150,19 @@ impl GenDiskBuilder {
// SAFETY: `gendisk` is a valid pointer as we initialized it above
unsafe { (*gendisk).fops = &TABLE };
+ let cleanup_failure = ScopeGuard::new_with_data((gendisk, data), |(gendisk, data)| {
+ // SAFETY: `gendisk` came from `__blk_mq_alloc_disk()` above and
+ // has not been added to the VFS on this cleanup path.
+ unsafe { bindings::put_disk(gendisk) };
+ // SAFETY: `data` came from `into_foreign()` above and has not been
+ // converted back on this cleanup path.
+ drop(unsafe { T::QueueData::from_foreign(data) });
+ });
+
+ // The failure guard now owns both pieces of cleanup; the early guard
+ // must not run on this path anymore.
+ recover_data.dismiss();
+
let mut writer = NullTerminatedFormatter::new(
// SAFETY: `gendisk` points to a valid and initialized instance. We
// have exclusive access, since the disk is not added to the VFS
@@ -172,7 +185,7 @@ impl GenDiskBuilder {
},
)?;
- recover_data.dismiss();
+ cleanup_failure.dismiss();
// INVARIANT: `gendisk` was initialized above.
// INVARIANT: `gendisk` was added to the VFS via `device_add_disk` above.
@@ -215,6 +228,11 @@ impl<T: Operations> Drop for GenDisk<T>
// to the VFS.
unsafe { bindings::del_gendisk(self.gendisk) };
+ // SAFETY: By type invariant, `self.gendisk` was added to the VFS, so
+ // `put_disk()` must follow `del_gendisk()` to drop the final gendisk
+ // reference and trigger the remaining release path.
+ unsafe { bindings::put_disk(self.gendisk) };
+
// SAFETY: `queue.queuedata` was created by `GenDiskBuilder::build` with
// a call to `ForeignOwnable::into_foreign` to create `queuedata`.
// `ForeignOwnable::from_foreign` is only called here.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 020/518] rust: doctest: fix incorrect pattern in replacement
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 019/518] rust: block: fix GenDisk cleanup paths Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 021/518] rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTER Greg Kroah-Hartman
` (501 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gary Guo, Miguel Ojeda
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gary Guo <gary@garyguo.net>
commit ac4d1caa82d487e7ed46d0597da1adc9c1a51c70 upstream.
The `-> Result<(), impl core::fmt::Debug>` string is generated by rustdoc
and by adding "::" into the string it no longer finds anything, making
the line useless.
Remove the "::" in the pattern. Omit it in the replacement too, for
consistency with upstream rustdoc.
Fixes: de7cd3e4d638 ("rust: use absolute paths in macros referencing core and kernel")
Signed-off-by: Gary Guo <gary@garyguo.net>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260616132559.2245814-1-gary@kernel.org
[ Added link in code comment to `rustdoc`'s 1.87 PR that fully qualified
it for context. Improved comments for consistency. Reworded to drop
changelog and to fix typo. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/rustdoc_test_builder.rs | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/scripts/rustdoc_test_builder.rs
+++ b/scripts/rustdoc_test_builder.rs
@@ -28,7 +28,7 @@ fn main() {
//
// ```
// fn main() { #[allow(non_snake_case)] fn _doctest_main_rust_kernel_file_rs_28_0() {
- // fn main() { #[allow(non_snake_case)] fn _doctest_main_rust_kernel_file_rs_37_0() -> Result<(), impl ::core::fmt::Debug> {
+ // fn main() { #[allow(non_snake_case)] fn _doctest_main_rust_kernel_file_rs_37_0() -> Result<(), impl core::fmt::Debug> {
// ```
//
// It should be unlikely that doctest code matches such lines (when code is formatted properly).
@@ -47,12 +47,16 @@ fn main() {
})
.expect("No test function found in `rustdoc`'s output.");
- // Qualify `Result` to avoid the collision with our own `Result` coming from the prelude.
+ // Replicate `rustdoc` 1.87+ behaviour [1] by fully qualifying `Result` to avoid the collision
+ // with our own `Result` coming from the prelude.
+ //
+ // [1]: https://github.com/rust-lang/rust/pull/137807
+ //
+ // TODO: Remove this when MSRV is bumped above 1.87.
let body = body.replace(
- &format!("{rustdoc_function_name}() -> Result<(), impl ::core::fmt::Debug> {{"),
- &format!(
- "{rustdoc_function_name}() -> ::core::result::Result<(), impl ::core::fmt::Debug> {{"
- ),
+ &format!("{rustdoc_function_name}() -> Result<(), impl core::fmt::Debug> {{"),
+ // This intentionally does not use absolute paths to match `rustdoc` 1.87 behaviour.
+ &format!("{rustdoc_function_name}() -> core::result::Result<(), impl core::fmt::Debug> {{"),
);
// For tests that get generated with `Result`, like above, `rustdoc` generates an `unwrap()` on
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 021/518] rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTER
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 020/518] rust: doctest: fix incorrect pattern in replacement Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 15:58 ` Miguel Ojeda
2026-07-16 13:24 ` [PATCH 7.1 022/518] futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock"" Greg Kroah-Hartman
` (500 subsequent siblings)
521 siblings, 1 reply; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alice Ryhl, Miguel Ojeda
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 191f49f1e38b1c10eb44b0f967c6175c884ef7db upstream.
Due to a rustc bug, the -Cforce-frame-pointers=y flag only emits the
frame-pointer annotation for functions, but not for the module. This
means that functions generated by the LLVM backend such as
'asan.module_ctor' do not receive the frame-pointer annotation.
This is likely to lead to broken backtraces and may also cause issues
with ftrace if these features are used with functions generated by the
LLVM backend.
Thus, use -Zllvm_module_flag to work around this rustc bug if using a
rustc without the fix.
[ The fix [1] has landed for Rust 1.98.0 (expected release on
2026-08-20). - Miguel ]
Cc: stable@vger.kernel.org # 6.12.y and later (flag not available in pinned Rust in older LTSs).
Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
Link: https://github.com/rust-lang/rust/pull/156980 [1]
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260616-frame-ptr-fix-v1-1-dc6b29a631d9@google.com
[ - Adjusted Cc: stable@ as discussed.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
- Added comment with link to the PR, similar to what we did in commit
ac35b5580ace ("rust: arm64: set uwtable llvm module flag for
CONFIG_UNWIND_TABLES").
- Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
--- a/Makefile
+++ b/Makefile
@@ -959,6 +959,9 @@ KBUILD_CFLAGS += $(stackp-flags-y)
ifdef CONFIG_FRAME_POINTER
KBUILD_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls
KBUILD_RUSTFLAGS += -Cforce-frame-pointers=y
+# Work around rustc bug on compilers without
+# https://github.com/rust-lang/rust/pull/156980.
+KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=frame-pointer:u32:2:max)
else
# Some targets (ARM with Thumb2, for example), can't be built with frame
# pointers. For those, we don't have FUNCTION_TRACER automatically
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 022/518] futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock""
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 021/518] rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTER Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 023/518] perf/core: Detach event groups during remove_on_exec Greg Kroah-Hartman
` (499 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Sebastian Andrzej Siewior, Thomas Gleixner
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit 39def6d250d370298f86c116f4ac60093cefadaa upstream.
The commit cited below should not have been merged. It attemted to fix an
existing problem ansd thereby introduced new problems by keeping the
pi_state in state Q_REQUEUE_PI_IN_PROGRESS and leaking it.
Based on the commit description the intention was to handle the case
when task_blocks_on_rt_mutex() returns -EDEADLK and the following
remove_waiter() dereferences the NULL pointer in waiter->task.
That is already handled by Davidlohr in commit 40a25d59e85b3
("locking/rtmutex: Skip remove_waiter() when waiter is not enqueued") and
requires no further acting.
Revert the commit breaking the "waiter == owner" case again.
Fixes: 74e144274af39 ("futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock")
Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260701131150.0Ijhq4Dw@linutronix.de
Closes: https://lore.kernel.org/all/20260629020049.2082397-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex/requeue.c | 6 ------
1 file changed, 6 deletions(-)
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -643,12 +643,6 @@ retry_private:
continue;
}
- /* Self-deadlock: non-top waiter already owns the PI futex. */
- if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
- ret = -EDEADLK;
- break;
- }
-
ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
this->rt_waiter,
this->task);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 023/518] perf/core: Detach event groups during remove_on_exec
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 022/518] futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock"" Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 024/518] bpf: Support for hardening against JIT spraying Greg Kroah-Hartman
` (498 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taeyang Lee, Peter Zijlstra (Intel),
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taeyang Lee <0wn@theori.io>
[ Upstream commit 037a3c43edfb597665dd34457cd22b14692f2ba3 ]
perf_event_remove_on_exec() removes events by calling
perf_event_exit_event(). For top-level events, this removes the event from
the context with DETACH_EXIT only.
This can leave inconsistent group state when a removed event is a group
leader and the group contains siblings without remove_on_exec. If the group
was active, the surviving siblings can remain active and attached to the
removed leader's sibling list, but are no longer represented by a valid
group leader on the PMU context active lists.
A later close of the removed leader uses DETACH_GROUP and can promote the
still-active siblings from this stale group state. The next schedule-in can
then add an already-linked active_list entry again, corrupting the PMU
context active list.
With DEBUG_LIST enabled, this is caught as a list_add double-add in
merge_sched_in().
Fix this by detaching group relationships when remove_on_exec removes an
event. This preserves the existing task-exit and revoke behavior, while
ensuring surviving siblings are ungrouped before the removed event leaves
the context.
Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec")
Signed-off-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/ai65GgZcC0LAlWLG@Taeyangs-MacBook-Pro.local
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 7935d5663944ee..bab0f3bd4fa8d8 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4728,7 +4728,7 @@ static void perf_remove_from_owner(struct perf_event *event);
static void perf_event_exit_event(struct perf_event *event,
struct perf_event_context *ctx,
struct task_struct *task,
- bool revoke);
+ unsigned long detach_flags);
/*
* Removes all events from the current task that have been marked
@@ -4755,7 +4755,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx)
modified = true;
- perf_event_exit_event(event, ctx, ctx->task, false);
+ perf_event_exit_event(event, ctx, ctx->task, DETACH_GROUP);
}
raw_spin_lock_irqsave(&ctx->lock, flags);
@@ -12900,7 +12900,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event,
/*
* De-schedule the event and mark it REVOKED.
*/
- perf_event_exit_event(event, ctx, ctx->task, true);
+ perf_event_exit_event(event, ctx, ctx->task, DETACH_REVOKE);
/*
* All _free_event() bits that rely on event->pmu:
@@ -14488,12 +14488,13 @@ static void
perf_event_exit_event(struct perf_event *event,
struct perf_event_context *ctx,
struct task_struct *task,
- bool revoke)
+ unsigned long detach_flags)
{
struct perf_event *parent_event = event->parent;
- unsigned long detach_flags = DETACH_EXIT;
unsigned int attach_state;
+ detach_flags |= DETACH_EXIT;
+
if (parent_event) {
/*
* Do not destroy the 'original' grouping; because of the
@@ -14516,8 +14517,8 @@ perf_event_exit_event(struct perf_event *event,
sync_child_event(event, task);
}
- if (revoke)
- detach_flags |= DETACH_GROUP | DETACH_REVOKE;
+ if (detach_flags & DETACH_REVOKE)
+ detach_flags |= DETACH_GROUP;
perf_remove_from_context(event, detach_flags);
/*
@@ -14605,7 +14606,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit)
perf_event_task(task, ctx, 0);
list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry)
- perf_event_exit_event(child_event, ctx, exit ? task : NULL, false);
+ perf_event_exit_event(child_event, ctx, exit ? task : NULL, 0);
mutex_unlock(&ctx->mutex);
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 024/518] bpf: Support for hardening against JIT spraying
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 023/518] perf/core: Detach event groups during remove_on_exec Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 025/518] x86/bugs: Enable IBPB flush on BPF JIT allocation Greg Kroah-Hartman
` (497 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Daniel Borkmann,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit 96cce16e26dd02a8678f1e87f88a4b5cdb63b995 upstream.
The BPF JIT allocator packs many small programs into larger executable
allocations and reuses space within those allocations as programs are
loaded and freed. When fresh code is written into space that a previous
program occupied, an indirect jump into the new program can reuse a branch
prediction left behind by the old one.
Flush the indirect branch predictors before reusing JIT memory so that
indirect jumps into a newly written program don't reuse predictions from an
old program that occupied the same space.
Introduce bpf_arch_pred_flush_enabled static key and bpf_arch_pred_flush
static call for flushing the branch predictors on JIT memory reuse.
Architectures that need a flush, can update it to a predictor flush
function. By default, its a NOP and does not emit any CALL.
Allocations larger than a pack are not covered by this flush. That is safe
because cBPF programs (the unprivileged attack surface) are bounded well
below a pack size. Issue a warning if this assumption is ever violated
while the flush is active.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/filter.h | 10 ++++++++++
kernel/bpf/core.c | 19 +++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 88a241aac36a27..2a7e6cbbbe1d3f 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -21,6 +21,7 @@
#include <linux/if_vlan.h>
#include <linux/vmalloc.h>
#include <linux/sockptr.h>
+#include <linux/static_call.h>
#include <linux/u64_stats_sync.h>
#include <net/sch_generic.h>
@@ -1291,6 +1292,15 @@ extern long bpf_jit_limit_max;
typedef void (*bpf_jit_fill_hole_t)(void *area, unsigned int size);
+/*
+ * Flush the indirect branch predictors before reusing JIT memory, so that
+ * indirect jumps into a newly written program don't reuse predictions left
+ * behind by an old program that occupied the same space.
+ */
+void bpf_arch_pred_flush(void);
+DECLARE_STATIC_CALL(bpf_arch_pred_flush, bpf_arch_pred_flush);
+DECLARE_STATIC_KEY_FALSE(bpf_pred_flush_enabled);
+
void bpf_jit_fill_hole_with_zero(void *area, unsigned int size);
struct bpf_binary_header *
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 6aa2a8b2403065..f49b9b23f95e60 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -20,6 +20,7 @@
#include <uapi/linux/btf.h>
#include <linux/filter.h>
#include <linux/skbuff.h>
+#include <linux/static_call.h>
#include <linux/vmalloc.h>
#include <linux/prandom.h>
#include <linux/bpf.h>
@@ -883,6 +884,15 @@ void bpf_jit_fill_hole_with_zero(void *area, unsigned int size)
memset(area, 0, size);
}
+DEFINE_STATIC_CALL_NULL(bpf_arch_pred_flush, bpf_arch_pred_flush);
+
+/*
+ * Enabled once bpf_arch_pred_flush points at a real flush routine. Lets the
+ * pack allocator test "is a predictor flush wired up at all" with a cheap
+ * static branch instead of repeatedly querying the static call target.
+ */
+DEFINE_STATIC_KEY_FALSE(bpf_pred_flush_enabled);
+
#define BPF_PROG_SIZE_TO_NBITS(size) (round_up(size, BPF_PROG_CHUNK_SIZE) / BPF_PROG_CHUNK_SIZE)
static DEFINE_MUTEX(pack_mutex);
@@ -941,6 +951,14 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
mutex_lock(&pack_mutex);
if (size > BPF_PROG_PACK_SIZE) {
+ /*
+ * Allocations larger than a pack get their own pages, and
+ * predictors are not flushed for such allocation. This is only
+ * safe because cBPF programs (the unprivileged attack surface)
+ * are bounded well below a pack size.
+ */
+ if (static_branch_unlikely(&bpf_pred_flush_enabled))
+ pr_warn_once("BPF: Predictors not flushed for allocations greater than BPF_PROG_PACK_SIZE\n");
size = round_up(size, PAGE_SIZE);
ptr = bpf_jit_alloc_exec(size);
if (ptr) {
@@ -971,6 +989,7 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
pos = 0;
found_free_area:
+ static_call_cond(bpf_arch_pred_flush)();
bitmap_set(pack->bitmap, pos, nbits);
ptr = (void *)(pack->ptr) + (pos << BPF_PROG_CHUNK_SHIFT);
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 025/518] x86/bugs: Enable IBPB flush on BPF JIT allocation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 024/518] bpf: Support for hardening against JIT spraying Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 026/518] bpf: Restrict JIT predictor flush to cBPF Greg Kroah-Hartman
` (496 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Daniel Borkmann,
Dave Hansen, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit a3af84b0fa00ead01fcd0e28b5d773ff25990a0d upstream.
Enable hardening against JIT spraying when Spectre-v2 mitigations are in
use. Specifically, issue an IBPB flush on BPF JIT memory reuse. Skip
enabling the IBPB flush if the BPF dispatcher is already using a retpoline
sequence.
This hardening applies only when BPF-JIT is in use. Guard the enabling
under CONFIG_BPF_JIT so that bugs.c still builds with CONFIG_BPF_JIT=n.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/nospec-branch.h | 4 +++
arch/x86/kernel/cpu/bugs.c | 50 +++++++++++++++++++++++++---
2 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 4f4b5e8a157430..b68892e6d58c47 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -388,6 +388,10 @@ extern void srso_alias_return_thunk(void);
extern void entry_untrain_ret(void);
extern void write_ibpb(void);
+#ifdef CONFIG_BPF_JIT
+extern void bpf_arch_ibpb(void);
+#endif
+
#ifdef CONFIG_X86_64
extern void clear_bhb_loop(void);
#endif
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 83f51cab0b1e39..d9af230c051259 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -16,6 +16,7 @@
#include <linux/sched/smt.h>
#include <linux/pgtable.h>
#include <linux/bpf.h>
+#include <linux/filter.h>
#include <linux/kvm_types.h>
#include <asm/spec-ctrl.h>
@@ -1651,8 +1652,21 @@ static inline const char *spectre_v2_module_string(void)
{
return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
}
+
+/*
+ * The "retpoline sequence" is the "call;mov;ret" sequence that
+ * replaces normal indirect branch instructions. Differentiate
+ * *the* retpoline sequence from the LFENCE-prefixed indirect
+ * branches that simply use the retpoline infrastructure.
+ */
+static inline bool retpoline_seq_enabled(void)
+{
+ return boot_cpu_has(X86_FEATURE_RETPOLINE) && !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE);
+}
+
#else
static inline const char *spectre_v2_module_string(void) { return ""; }
+static inline bool retpoline_seq_enabled(void) { return false; }
#endif
#define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
@@ -2095,8 +2109,7 @@ static void __init bhi_apply_mitigation(void)
return;
/* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */
- if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
- !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) {
+ if (retpoline_seq_enabled()) {
spec_ctrl_disable_kernel_rrsba();
if (rrsba_disabled)
return;
@@ -2238,6 +2251,27 @@ static void __init spectre_v2_update_mitigation(void)
pr_info("%s\n", spectre_v2_strings[spectre_v2_enabled]);
}
+#ifdef CONFIG_BPF_JIT
+static void __bpf_arch_ibpb(void *unused)
+{
+ write_ibpb();
+}
+
+void bpf_arch_ibpb(void)
+{
+ on_each_cpu(__bpf_arch_ibpb, NULL, 1);
+}
+
+static bool __init cpu_wants_ibpb_bpf(void)
+{
+ /* A genuine retpoline already neutralizes ring0 indirect predictions */
+ if (retpoline_seq_enabled())
+ return false;
+
+ return boot_cpu_has(X86_FEATURE_IBPB);
+}
+#endif
+
static void __init spectre_v2_apply_mitigation(void)
{
if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
@@ -2314,6 +2348,14 @@ static void __init spectre_v2_apply_mitigation(void)
setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
pr_info("Enabling Restricted Speculation for firmware calls\n");
}
+
+#ifdef CONFIG_BPF_JIT
+ if (cpu_wants_ibpb_bpf()) {
+ static_call_update(bpf_arch_pred_flush, bpf_arch_ibpb);
+ static_branch_enable(&bpf_pred_flush_enabled);
+ pr_info("Enabling IBPB for BPF\n");
+ }
+#endif
}
static void update_stibp_msr(void * __unused)
@@ -3490,9 +3532,7 @@ static const char *spectre_bhi_state(void)
return "; BHI: BHI_DIS_S";
else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
return "; BHI: SW loop, KVM: SW loop";
- else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
- !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) &&
- rrsba_disabled)
+ else if (retpoline_seq_enabled() && rrsba_disabled)
return "; BHI: Retpoline";
else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_VMEXIT))
return "; BHI: Vulnerable, KVM: SW loop";
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 026/518] bpf: Restrict JIT predictor flush to cBPF
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 025/518] x86/bugs: Enable IBPB flush on BPF JIT allocation Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 027/518] bpf: Skip redundant IBPB in pack allocator Greg Kroah-Hartman
` (495 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Daniel Borkmann,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit 0bb99f2cfaae6822d734d69722de30af823efdf3 upstream.
Currently predictor flush on memory reuse is done for all BPF JIT
allocations, but only cBPF programs can be loaded by an unprivileged user.
eBPF is privileged by default, and flushing predictors for all CPUs on
every eBPF reuse penalizes the common case for no security benefit.
eBPF allocations can be frequent on busy systems, only flush predictors
for cBPF programs. Trampoline and dispatcher allocations also skip the
flush as they are eBPF-only.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 4 ++--
arch/loongarch/net/bpf_jit.c | 5 +++--
arch/powerpc/net/bpf_jit_comp.c | 4 ++--
arch/riscv/net/bpf_jit_comp64.c | 2 +-
arch/riscv/net/bpf_jit_core.c | 3 ++-
arch/x86/net/bpf_jit_comp.c | 5 +++--
include/linux/filter.h | 5 +++--
kernel/bpf/core.c | 13 ++++++++-----
kernel/bpf/dispatcher.c | 2 +-
9 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 0816c40fc7af95..9491c987e50c01 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -2094,7 +2094,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
image_size = extable_offset + extable_size;
ro_header = bpf_jit_binary_pack_alloc(image_size, &ro_image_ptr,
sizeof(u64), &header, &image_ptr,
- jit_fill_hole);
+ jit_fill_hole, was_classic);
if (!ro_header)
goto out_off;
@@ -2782,7 +2782,7 @@ int arch_bpf_trampoline_size(const struct btf_func_model *m, u32 flags,
void *arch_alloc_bpf_trampoline(unsigned int size)
{
- return bpf_prog_pack_alloc(size, jit_fill_hole);
+ return bpf_prog_pack_alloc(size, jit_fill_hole, false);
}
void arch_free_bpf_trampoline(void *image, unsigned int size)
diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
index 24913dc7f4e835..e14a8aa47fc8ea 100644
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -1762,7 +1762,7 @@ static int invoke_bpf(struct jit_ctx *ctx, struct bpf_tramp_links *tl,
void *arch_alloc_bpf_trampoline(unsigned int size)
{
- return bpf_prog_pack_alloc(size, jit_fill_hole);
+ return bpf_prog_pack_alloc(size, jit_fill_hole, false);
}
void arch_free_bpf_trampoline(void *image, unsigned int size)
@@ -2228,7 +2228,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
image_size = prog_size + extable_size;
/* Now we know the size of the structure to make */
ro_header = bpf_jit_binary_pack_alloc(image_size, &ro_image_ptr, sizeof(u32),
- &header, &image_ptr, jit_fill_hole);
+ &header, &image_ptr, jit_fill_hole,
+ bpf_prog_was_classic(prog));
if (!ro_header)
goto out_offset;
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 53ab97ad607453..73ff8a64bb7fad 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -295,7 +295,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
alloclen = proglen + FUNCTION_DESCR_SIZE + fixup_len + extable_len;
fhdr = bpf_jit_binary_pack_alloc(alloclen, &fimage, 4, &hdr, &image,
- bpf_jit_fill_ill_insns);
+ bpf_jit_fill_ill_insns, bpf_prog_was_classic(fp));
if (!fhdr)
goto out_err;
@@ -583,7 +583,7 @@ bool bpf_jit_inlines_helper_call(s32 imm)
void *arch_alloc_bpf_trampoline(unsigned int size)
{
- return bpf_prog_pack_alloc(size, bpf_jit_fill_ill_insns);
+ return bpf_prog_pack_alloc(size, bpf_jit_fill_ill_insns, false);
}
void arch_free_bpf_trampoline(void *image, unsigned int size)
diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
index 2f1109dbf105b7..404a98a0fc90e8 100644
--- a/arch/riscv/net/bpf_jit_comp64.c
+++ b/arch/riscv/net/bpf_jit_comp64.c
@@ -1321,7 +1321,7 @@ int arch_bpf_trampoline_size(const struct btf_func_model *m, u32 flags,
void *arch_alloc_bpf_trampoline(unsigned int size)
{
- return bpf_prog_pack_alloc(size, bpf_fill_ill_insns);
+ return bpf_prog_pack_alloc(size, bpf_fill_ill_insns, false);
}
void arch_free_bpf_trampoline(void *image, unsigned int size)
diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
index 4365d07aaf547c..ce3bd3762e08cc 100644
--- a/arch/riscv/net/bpf_jit_core.c
+++ b/arch/riscv/net/bpf_jit_core.c
@@ -109,7 +109,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
bpf_jit_binary_pack_alloc(prog_size + extable_size,
&jit_data->ro_image, sizeof(u32),
&jit_data->header, &jit_data->image,
- bpf_fill_ill_insns);
+ bpf_fill_ill_insns,
+ bpf_prog_was_classic(prog));
if (!jit_data->ro_header)
goto out_offset;
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index ea9e707e8abffb..ef8b112fd7b692 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -3520,7 +3520,7 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
void *arch_alloc_bpf_trampoline(unsigned int size)
{
- return bpf_prog_pack_alloc(size, jit_fill_hole);
+ return bpf_prog_pack_alloc(size, jit_fill_hole, false);
}
void arch_free_bpf_trampoline(void *image, unsigned int size)
@@ -3831,7 +3831,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
/* allocate module memory for x86 insns and extable */
header = bpf_jit_binary_pack_alloc(roundup(proglen, align) + extable_size,
&image, align, &rw_header, &rw_image,
- jit_fill_hole);
+ jit_fill_hole,
+ bpf_prog_was_classic(prog));
if (!header)
goto out_addrs;
prog->aux->extable = (void *) image + roundup(proglen, align);
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 2a7e6cbbbe1d3f..ea654453e43a34 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -1315,7 +1315,7 @@ void bpf_jit_free(struct bpf_prog *fp);
struct bpf_binary_header *
bpf_jit_binary_pack_hdr(const struct bpf_prog *fp);
-void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns);
+void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns, bool was_classic);
void bpf_prog_pack_free(void *ptr, u32 size);
static inline bool bpf_prog_kallsyms_verify_off(const struct bpf_prog *fp)
@@ -1329,7 +1329,8 @@ bpf_jit_binary_pack_alloc(unsigned int proglen, u8 **ro_image,
unsigned int alignment,
struct bpf_binary_header **rw_hdr,
u8 **rw_image,
- bpf_jit_fill_hole_t bpf_fill_ill_insns);
+ bpf_jit_fill_hole_t bpf_fill_ill_insns,
+ bool was_classic);
int bpf_jit_binary_pack_finalize(struct bpf_binary_header *ro_header,
struct bpf_binary_header *rw_header);
void bpf_jit_binary_pack_free(struct bpf_binary_header *ro_header,
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index f49b9b23f95e60..1b7e74e63bd4bc 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -942,7 +942,7 @@ static struct bpf_prog_pack *alloc_new_pack(bpf_jit_fill_hole_t bpf_fill_ill_ins
return NULL;
}
-void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
+void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns, bool was_classic)
{
unsigned int nbits = BPF_PROG_SIZE_TO_NBITS(size);
struct bpf_prog_pack *pack;
@@ -957,7 +957,7 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
* safe because cBPF programs (the unprivileged attack surface)
* are bounded well below a pack size.
*/
- if (static_branch_unlikely(&bpf_pred_flush_enabled))
+ if (was_classic && static_branch_unlikely(&bpf_pred_flush_enabled))
pr_warn_once("BPF: Predictors not flushed for allocations greater than BPF_PROG_PACK_SIZE\n");
size = round_up(size, PAGE_SIZE);
ptr = bpf_jit_alloc_exec(size);
@@ -989,7 +989,9 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
pos = 0;
found_free_area:
- static_call_cond(bpf_arch_pred_flush)();
+ /* Flush only for cBPF as it may contain a crafted gadget */
+ if (static_branch_unlikely(&bpf_pred_flush_enabled) && was_classic)
+ static_call_cond(bpf_arch_pred_flush)();
bitmap_set(pack->bitmap, pos, nbits);
ptr = (void *)(pack->ptr) + (pos << BPF_PROG_CHUNK_SHIFT);
@@ -1149,7 +1151,8 @@ bpf_jit_binary_pack_alloc(unsigned int proglen, u8 **image_ptr,
unsigned int alignment,
struct bpf_binary_header **rw_header,
u8 **rw_image,
- bpf_jit_fill_hole_t bpf_fill_ill_insns)
+ bpf_jit_fill_hole_t bpf_fill_ill_insns,
+ bool was_classic)
{
struct bpf_binary_header *ro_header;
u32 size, hole, start;
@@ -1162,7 +1165,7 @@ bpf_jit_binary_pack_alloc(unsigned int proglen, u8 **image_ptr,
if (bpf_jit_charge_modmem(size))
return NULL;
- ro_header = bpf_prog_pack_alloc(size, bpf_fill_ill_insns);
+ ro_header = bpf_prog_pack_alloc(size, bpf_fill_ill_insns, was_classic);
if (!ro_header) {
bpf_jit_uncharge_modmem(size);
return NULL;
diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
index b77db7413f8c70..ea2d60dc1feeb7 100644
--- a/kernel/bpf/dispatcher.c
+++ b/kernel/bpf/dispatcher.c
@@ -145,7 +145,7 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
mutex_lock(&d->mutex);
if (!d->image) {
- d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero);
+ d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero, false);
if (!d->image)
goto out;
d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE);
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 027/518] bpf: Skip redundant IBPB in pack allocator
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 026/518] bpf: Restrict JIT predictor flush to cBPF Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 028/518] bpf: Prefer packs that wont trigger an IBPB flush on allocation Greg Kroah-Hartman
` (494 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Daniel Borkmann,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit a23c1c5396a91680703360d1ee28a44657c503c4 upstream.
bpf_prog_pack_alloc() issues IBPB on all CPUs on every cBPF allocation,
even when reusing chunks from an existing pack where no new memory was
touched since the last IBPB.
Since IBPB on all CPUs is heavy, Dave Hansen suggested to track allocation
since last IBPB, and only issue IBPB at reuse for the chunks that have not
seen an IBPB since they were last freed.
Track per-pack whether an IBPB is needed via arch_flush_needed. Set it when
allocating a chunk, reset on IBPB flush. On reuse, conditionally issue the
flush. Since IBPB invalidates all BTB entries, clear the flag on all packs
after flushing.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 1b7e74e63bd4bc..1bf4b8dffe9158 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -876,6 +876,7 @@ int bpf_jit_add_poke_descriptor(struct bpf_prog *prog,
struct bpf_prog_pack {
struct list_head list;
void *ptr;
+ bool arch_flush_needed;
unsigned long bitmap[];
};
@@ -928,6 +929,8 @@ static struct bpf_prog_pack *alloc_new_pack(bpf_jit_fill_hole_t bpf_fill_ill_ins
bpf_fill_ill_insns(pack->ptr, BPF_PROG_PACK_SIZE);
bitmap_zero(pack->bitmap, BPF_PROG_PACK_SIZE / BPF_PROG_CHUNK_SIZE);
+ if (static_branch_unlikely(&bpf_pred_flush_enabled))
+ pack->arch_flush_needed = true;
set_vm_flush_reset_perms(pack->ptr);
err = set_memory_rox((unsigned long)pack->ptr,
BPF_PROG_PACK_SIZE / PAGE_SIZE);
@@ -990,8 +993,15 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns, bool
found_free_area:
/* Flush only for cBPF as it may contain a crafted gadget */
- if (static_branch_unlikely(&bpf_pred_flush_enabled) && was_classic)
+ if (static_branch_unlikely(&bpf_pred_flush_enabled) &&
+ pack->arch_flush_needed &&
+ was_classic) {
+ struct bpf_prog_pack *p;
+
static_call_cond(bpf_arch_pred_flush)();
+ list_for_each_entry(p, &pack_list, list)
+ p->arch_flush_needed = false;
+ }
bitmap_set(pack->bitmap, pos, nbits);
ptr = (void *)(pack->ptr) + (pos << BPF_PROG_CHUNK_SHIFT);
@@ -1029,6 +1039,9 @@ void bpf_prog_pack_free(void *ptr, u32 size)
"bpf_prog_pack bug: missing bpf_arch_text_invalidate?\n");
bitmap_clear(pack->bitmap, pos, nbits);
+
+ if (static_branch_unlikely(&bpf_pred_flush_enabled))
+ pack->arch_flush_needed = true;
if (bitmap_find_next_zero_area(pack->bitmap, BPF_PROG_CHUNK_COUNT, 0,
BPF_PROG_CHUNK_COUNT, 0) == 0) {
list_del(&pack->list);
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 028/518] bpf: Prefer packs that wont trigger an IBPB flush on allocation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 027/518] bpf: Skip redundant IBPB in pack allocator Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 029/518] bpf: Prefer dirty packs for eBPF allocations Greg Kroah-Hartman
` (493 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Daniel Borkmann,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit a9b1f19a6a673ba06820898d0f1ad02883ea1639 upstream.
Currently BPF pack allocator picks the chunks from the first available
pack. While this is okay, it naturally leads to more frequent flushes
when there are multiple packs in the system that weren't used since the
last flush.
As an optimization prefer allocating the new programs from packs that
are unused since last flush. When all packs are dirty, allocation forces
a flush and marks all packs clean.
Below are some future optimizations ideas:
1. Currently, the "dirty" tracking is only done at the pack-level.
Flush frequency can further be reduced with chunk-level tracking.
This requires a new bitmap per-pack to track the dirty state.
2. IBPB flush is done on all CPUs, even if only a single CPU ran the
BPF program. On a system with hundreds of CPUs this could be a
major bottleneck forcing hundreds of IPIs to deliver the flush.
The solution is to track the CPUs where a BPF program ran, and
issue IBPB only on those CPUs.
3. Avoid IBPB when flush is already done at other sources (e.g.
context switch).
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 1bf4b8dffe9158..bba4acd61d4126 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -948,8 +948,8 @@ static struct bpf_prog_pack *alloc_new_pack(bpf_jit_fill_hole_t bpf_fill_ill_ins
void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns, bool was_classic)
{
unsigned int nbits = BPF_PROG_SIZE_TO_NBITS(size);
- struct bpf_prog_pack *pack;
- unsigned long pos;
+ struct bpf_prog_pack *pack, *fallback_pack = NULL;
+ unsigned long pos, fallback_pos = 0;
void *ptr = NULL;
mutex_lock(&pack_mutex);
@@ -981,8 +981,29 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns, bool
list_for_each_entry(pack, &pack_list, list) {
pos = bitmap_find_next_zero_area(pack->bitmap, BPF_PROG_CHUNK_COUNT, 0,
nbits, 0);
- if (pos < BPF_PROG_CHUNK_COUNT)
+ if (pos >= BPF_PROG_CHUNK_COUNT)
+ continue;
+ /* Flush not enabled, use any pack */
+ if (!static_branch_unlikely(&bpf_pred_flush_enabled))
goto found_free_area;
+ /*
+ * cBPF reuse of a dirty pack triggers a flush, so prefer a
+ * clean pack for cBPF. eBPF never flushes, so pick the first
+ * free pack, dirty or clean.
+ */
+ if (!was_classic || !pack->arch_flush_needed)
+ goto found_free_area;
+ if (!fallback_pack) {
+ fallback_pack = pack;
+ fallback_pos = pos;
+ }
+ }
+
+ /* No preferred pack found */
+ if (fallback_pack) {
+ pack = fallback_pack;
+ pos = fallback_pos;
+ goto found_free_area;
}
pack = alloc_new_pack(bpf_fill_ill_insns);
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 029/518] bpf: Prefer dirty packs for eBPF allocations
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 028/518] bpf: Prefer packs that wont trigger an IBPB flush on allocation Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 030/518] wifi: rtw89: correct drop logic for malformed AMPDU frames Greg Kroah-Hartman
` (492 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawan Gupta, Daniel Borkmann,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit b72e29e0f7ee329d89f86db8700c8ea99b4a370a upstream.
The pack allocator only flushes predictors when reusing a dirty pack for
cBPF, eBPF allocations never trigger a flush. Currently, eBPF picks the
first free pack, which could be a clean pack. As an optimization, leaving
a clean pack for cBPF can avoid flushes.
Prefer dirty packs for eBPF and keep clean packs free for cBPF. This
mirrors the existing cBPF preference for clean packs: each program kind
prefers the pack that avoids an extra flush, and falls back to the other
kind only when no preferred pack has room. eBPF reuse of a dirty pack is
harmless since eBPF being privileged does not flush.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index bba4acd61d4126..de61e1894452ef 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -988,10 +988,10 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns, bool
goto found_free_area;
/*
* cBPF reuse of a dirty pack triggers a flush, so prefer a
- * clean pack for cBPF. eBPF never flushes, so pick the first
- * free pack, dirty or clean.
+ * clean pack for cBPF. eBPF never flushes, so steer it to a
+ * dirty pack and keep clean packs free for cBPF.
*/
- if (!was_classic || !pack->arch_flush_needed)
+ if (was_classic ^ pack->arch_flush_needed)
goto found_free_area;
if (!fallback_pack) {
fallback_pack = pack;
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 030/518] wifi: rtw89: correct drop logic for malformed AMPDU frames
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 029/518] bpf: Prefer dirty packs for eBPF allocations Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:24 ` [PATCH 7.1 031/518] usb: gadget: function: rndis: add length check to response query Greg Kroah-Hartman
` (491 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Po-Hao Huang, Ping-Ke Shih,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Po-Hao Huang <phhuang@realtek.com>
[ Upstream commit 63ccdfac8677387dfdbd9d4336089e9823280704 ]
The previous commit aims to fix issue caused by malformed AMPDU frames.
But the drop logic fails to deal with the first AMPDU packet paired with
certain range of sequence number, and leads to unexpected packet drop.
It is more likely to encounter this failure when there are busy traffic
during rekey process and could lead to disconnection from the AP.
Fix this by adding a initial state judgement and only reset status
during pairwise rekey.
Fixes: bda294ed0ed0 ("wifi: rtw89: Drop malformed AMPDU frames with abnormal PN")
Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260515014433.16168-10-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/core.c | 3 ++-
drivers/net/wireless/realtek/rtw89/mac80211.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index 70feab97dccb5a..486c1774fb9759 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -3363,7 +3363,8 @@ static bool rtw89_core_skb_pn_valid(struct rtw89_dev *rtwdev,
last_pn = tid_stats->last_pn;
if (pn > last_pn) {
- if (ieee80211_sn_less(mpdu_sn, tid_stats->last_sn)) {
+ if (last_pn != -1LL &&
+ ieee80211_sn_less(mpdu_sn, tid_stats->last_sn)) {
dev_kfree_skb_any(skb);
return false;
diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c
index 501c3af1da01a9..0672d13d13a647 100644
--- a/drivers/net/wireless/realtek/rtw89/mac80211.c
+++ b/drivers/net/wireless/realtek/rtw89/mac80211.c
@@ -964,7 +964,8 @@ static int rtw89_ops_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
rtw89_err(rtwdev, "failed to add key to sec cam\n");
return ret;
}
- rtw89_core_tid_rx_stats_reset(rtwdev);
+ if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)
+ rtw89_core_tid_rx_stats_reset(rtwdev);
break;
case DISABLE_KEY:
flush_work(&rtwdev->txq_work);
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 031/518] usb: gadget: function: rndis: add length check to response query
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 030/518] wifi: rtw89: correct drop logic for malformed AMPDU frames Greg Kroah-Hartman
@ 2026-07-16 13:24 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 032/518] usb: gadget: function: rndis: add length check for header Greg Kroah-Hartman
` (490 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Griffin Kroah-Hartman
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Griffin Kroah-Hartman <griffin@kroah.com>
commit 95f90eea070837f7c72207d5520f805bdefc3bc5 upstream.
Add variable representations for BufLength and BufOffset in
rndis_query_response(), and perform a length check on them.
This is identical to how rndis_set_response() handles these parameters.
Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
Link: https://patch.msgid.link/20260708-usb-gadget-rndis-v1-1-e77e026dcc6a@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/rndis.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -591,6 +591,7 @@ static int rndis_init_response(struct rn
static int rndis_query_response(struct rndis_params *params,
rndis_query_msg_type *buf)
{
+ u32 BufLength, BufOffset;
rndis_query_cmplt_type *resp;
rndis_resp_t *r;
@@ -598,6 +599,13 @@ static int rndis_query_response(struct r
if (!params->dev)
return -ENOTSUPP;
+ BufLength = le32_to_cpu(buf->InformationBufferLength);
+ BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+ if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
+ (BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
+ (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
+ return -EINVAL;
+
/*
* we need more memory:
* gen_ndis_query_resp expects enough space for
@@ -614,10 +622,8 @@ static int rndis_query_response(struct r
resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
if (gen_ndis_query_resp(params, le32_to_cpu(buf->OID),
- le32_to_cpu(buf->InformationBufferOffset)
- + 8 + (u8 *)buf,
- le32_to_cpu(buf->InformationBufferLength),
- r)) {
+ BufOffset + 8 + (u8 *)buf,
+ BufLength, r)) {
/* OID not supported */
resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
resp->MessageLength = cpu_to_le32(sizeof *resp);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 032/518] usb: gadget: function: rndis: add length check for header
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-07-16 13:24 ` [PATCH 7.1 031/518] usb: gadget: function: rndis: add length check to response query Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 033/518] iio: accel: bmc150: clamp the device-reported FIFO frame count Greg Kroah-Hartman
` (489 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Griffin Kroah-Hartman
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Griffin Kroah-Hartman <griffin@kroah.com>
commit 21b5bf155435008e0fb0736795289788e63d426f upstream.
Add a length check for the rndis header in rndis_rm_hdr, to ensure that
MessageType, MessageLength, DataOffset, and DataLength fields are
present before they are accessed.
Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
Link: https://patch.msgid.link/20260708-usb-gadget-rndis-v1-2-e77e026dcc6a@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/rndis.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -1080,6 +1080,12 @@ int rndis_rm_hdr(struct gether *port,
/* tmp points to a struct rndis_packet_msg_type */
__le32 *tmp = (void *)skb->data;
+ /* Need at least MessageType, MessageLength, DataOffset, DataLength */
+ if (skb->len < 16) {
+ dev_kfree_skb_any(skb);
+ return -EINVAL;
+ }
+
/* MessageType, MessageLength */
if (cpu_to_le32(RNDIS_MSG_PACKET)
!= get_unaligned(tmp++)) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 033/518] iio: accel: bmc150: clamp the device-reported FIFO frame count
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 032/518] usb: gadget: function: rndis: add length check for header Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 034/518] iio: accel: kxsd9: fix runtime PM imbalance on write_raw() error Greg Kroah-Hartman
` (488 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit ce0e1cae26096fe959a0da5563a6d6d5a801d5fb upstream.
__bmc150_accel_fifo_flush() copies the number of samples the device
reports in its hardware FIFO into an on-stack buffer
u16 buffer[BMC150_ACCEL_FIFO_LENGTH * 3];
which is sized for at most BMC150_ACCEL_FIFO_LENGTH (32) samples. The
frame count is read from the FIFO_STATUS register and only masked to its
7 valid bits:
count = val & 0x7F;
so it can be 0..127. The only other limit applied to it is the optional
caller-supplied sample budget:
if (samples && count > samples)
count = samples;
which does not constrain count on the flush-all path (samples == 0), and
leaves it well above 32 whenever samples is larger. count samples are
then transferred into buffer[]:
bmc150_accel_fifo_transfer(data, (u8 *)buffer, count);
bmc150_accel_fifo_transfer() reads count * 6 bytes through regmap, so a
malfunctioning, malicious or counterfeit accelerometer (or an attacker
tampering with the I2C/SPI bus) that reports up to 127 frames writes up
to 762 bytes into the 192-byte buffer: a stack out-of-bounds write of up
to 570 bytes that clobbers the stack canary, saved registers and the
return address.
Clamp count to BMC150_ACCEL_FIFO_LENGTH, the number of samples buffer[]
is sized for, before the transfer, mirroring the watermark clamp already
done in bmc150_accel_set_watermark(). A well-formed flush reports at most
BMC150_ACCEL_FIFO_LENGTH frames, so legitimate devices are unaffected.
Fixes: 3bbec9773389 ("iio: bmc150_accel: add support for hardware fifo")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/bmc150-accel-core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iio/accel/bmc150-accel-core.c
+++ b/drivers/iio/accel/bmc150-accel-core.c
@@ -991,6 +991,8 @@ static int __bmc150_accel_fifo_flush(str
if (samples && count > samples)
count = samples;
+ count = min_t(u8, count, BMC150_ACCEL_FIFO_LENGTH);
+
ret = bmc150_accel_fifo_transfer(data, (u8 *)buffer, count);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 034/518] iio: accel: kxsd9: fix runtime PM imbalance on write_raw() error
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 033/518] iio: accel: bmc150: clamp the device-reported FIFO frame count Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 035/518] iio: adc: ad4062: add GPIOLIB dependency Greg Kroah-Hartman
` (487 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biren Pandya, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biren Pandya <birenpandya@gmail.com>
commit 44a5fd874bb6873bdaec59f722c1d57832fbc9df upstream.
kxsd9_write_raw() takes a runtime PM reference with pm_runtime_get_sync()
but returns -EINVAL directly when a scale with a non-zero integer part is
requested, skipping the matching pm_runtime_put_autosuspend(). This leaks
a runtime PM usage-counter reference on every such write, after which the
device can no longer autosuspend.
Set the error code and fall through to the existing put instead of
returning early.
Fixes: 9a9a369d6178 ("iio: accel: kxsd9: Deploy system and runtime PM")
Signed-off-by: Biren Pandya <birenpandya@gmail.com>
Assisted-by: Claude:claude-opus-4-8 coccinelle
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/kxsd9.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -147,8 +147,9 @@ static int kxsd9_write_raw(struct iio_de
if (mask == IIO_CHAN_INFO_SCALE) {
/* Check no integer component */
if (val)
- return -EINVAL;
- ret = kxsd9_write_scale(indio_dev, val2);
+ ret = -EINVAL;
+ else
+ ret = kxsd9_write_scale(indio_dev, val2);
}
pm_runtime_put_autosuspend(st->dev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 035/518] iio: adc: ad4062: add GPIOLIB dependency
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 034/518] iio: accel: kxsd9: fix runtime PM imbalance on write_raw() error Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 036/518] iio: adc: ad7380: select REGMAP Greg Kroah-Hartman
` (486 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit a5b7991d5a737df71a5e4230554481255af64ed4 upstream.
The ad4062 driver gained support for the gpiochip and now fails
to build when GPIOLIB is disabled:
390-linux-ld: drivers/iio/adc/ad4062.o: in function `ad4062_gpio_get':
drivers/iio/adc/ad4062.c:1383:(.text+0x3dc): undefined reference to `gpiochip_get_data`
Add a Kconfig dependency for this.
Fixes: da1d3596b1e4 ("iio: adc: ad4062: Add GPIO Controller support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/adc/Kconfig
+++ b/drivers/iio/adc/Kconfig
@@ -78,6 +78,7 @@ config AD4030
config AD4062
tristate "Analog Devices AD4062 Driver"
depends on I3C
+ depends on GPIOLIB
select REGMAP_I3C
select IIO_BUFFER
select IIO_TRIGGERED_BUFFER
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 036/518] iio: adc: ad7380: select REGMAP
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 035/518] iio: adc: ad4062: add GPIOLIB dependency Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 037/518] iio: adc: ad7768-1: Select GPIOLIB Greg Kroah-Hartman
` (485 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Moelius, Andy Shevchenko,
Nuno Sá, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Moelius <samuel.moelius@trailofbits.com>
commit 6697091b386a4e2830bdd38512c87a4befff2b32 upstream.
The AD7380 driver uses generic regmap types and APIs. However, its
Kconfig entry does not select REGMAP.
As a result, AD7380 can be enabled from an allnoconfig-derived config
with SPI_MASTER=y while REGMAP remains unset, causing ad7380.o to fail
to build.
Fixes: b095217c104b ("iio: adc: ad7380: new driver for AD7380 ADCs")
Signed-off-by: Samuel Moelius <samuel.moelius@trailofbits.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/adc/Kconfig
+++ b/drivers/iio/adc/Kconfig
@@ -312,6 +312,7 @@ config AD7298
config AD7380
tristate "Analog Devices AD7380 ADC driver"
depends on SPI_MASTER
+ select REGMAP
select SPI_OFFLOAD
select IIO_BUFFER
select IIO_BUFFER_DMAENGINE
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 037/518] iio: adc: ad7768-1: Select GPIOLIB
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 036/518] iio: adc: ad7380: select REGMAP Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 038/518] iio: adc: ad7779: add missing select IIO_TRIGGERED_BUFFER to Kconfig Greg Kroah-Hartman
` (484 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Jonathan Cameron,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
commit 5a9c90350be4f6f175bdd193e8bd60a7aedfb4d2 upstream.
This driver provides a gpio chip a some related functions are not
stubbed if GPIOLIB is not built.
ad7768-1.c:420: undefined reference to `gpiochip_get_data'
ad7768-1.c:498: undefined reference to `devm_gpiochip_add_data_with_key'
Dual sign off reflects change of affiliation whilst this was under review.
Fixes: d569ae0f052e ("iio: adc: ad7768-1: Add GPIO controller support")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202512271235.WwAmAbOa-lkp@intel.com/
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/adc/Kconfig
+++ b/drivers/iio/adc/Kconfig
@@ -416,6 +416,7 @@ config AD7766
config AD7768_1
tristate "Analog Devices AD7768-1 ADC driver"
depends on SPI
+ select GPIOLIB
select REGULATOR
select REGMAP_SPI
select RATIONAL
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 038/518] iio: adc: ad7779: add missing select IIO_TRIGGERED_BUFFER to Kconfig
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 037/518] iio: adc: ad7768-1: Select GPIOLIB Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 039/518] iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices Greg Kroah-Hartman
` (483 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Crofts, Andy Shevchenko,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Crofts <joshua.crofts1@gmail.com>
commit fd354554af1d2b33232ca6c8a3d79ed82413d715 upstream.
The Kconfig entry for the AD7779 is missing a
'select IIO_TRIGGERED_BUFFER' parameter, causing build failures.
Fixes: c9a3f8c7bfcb ("drivers: iio: adc: add support for ad777x family")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Tested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/adc/Kconfig
+++ b/drivers/iio/adc/Kconfig
@@ -437,6 +437,7 @@ config AD7779
depends on SPI
select CRC8
select IIO_BUFFER
+ select IIO_TRIGGERED_BUFFER
select IIO_BACKEND
help
Say yes here to build support for Analog Devices AD777X family
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 039/518] iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 038/518] iio: adc: ad7779: add missing select IIO_TRIGGERED_BUFFER to Kconfig Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 040/518] iio: adc: ad_sigma_delta: fix CS held asserted and state leaks Greg Kroah-Hartman
` (482 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Radu Sabau, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radu Sabau <radu.sabau@analog.com>
commit 91bc6767a4f55dc470d8a56b55b9f2ea09094efe upstream.
ad_sigma_delta_clear_pending_event() falls through to the status register
read path for devices with has_registers = false and no rdy_gpiod. For
such devices, ad_sd_read_reg() skips the address byte entirely and clocks
raw MISO bytes with no address phase — making it byte-for-byte identical
to reading conversion data. If a pending conversion result is present,
this partially consumes it and corrupts the data stream for the subsequent
ad_sd_read_reg() call in ad_sigma_delta_single_conversion().
Furthermore, with num_resetclks = 0 on these devices, data_read_len
evaluates to 0. If the clocked byte has bit 7 clear, pending_event is set
and the code attempts memset(data + 2, 0xff, 0 - 1), overflowing to
SIZE_MAX and corrupting the heap.
Fix by returning 0 immediately when neither rdy_gpiod nor has_registers
is set. This is safe for all current registerless devices: ad7191 and
ad7780 (with powerdown GPIO) are reset between conversions by CS
deassertion, so there is no stale result to drain; ad7780 (without
powerdown GPIO) and max11205 are continuously-converting and cycle ~DRDY
at the output data rate regardless of whether the previous result was
read, so the next falling edge fires naturally.
A future registerless device that holds ~DRDY asserted until data is read
would be broken by this early return and would require either
num_resetclks set or a rdy-gpio.
The same heap corruption is reachable on any device with rdy_gpiod set
but num_resetclks = 0: if the GPIO indicates a pending event, the drain
path executes memset(data + 2, 0xff, 0 - 1) regardless of has_registers.
Add an explicit data_read_len == 0 guard after the pending event check;
the stale result is then consumed by the first ad_sd_read_reg() call in
ad_sigma_delta_single_conversion().
Fixes: 132d44dc6966 ("iio: adc: ad_sigma_delta: Check for previous ready signals")
Signed-off-by: Radu Sabau <radu.sabau@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad_sigma_delta.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -262,11 +262,25 @@ static int ad_sigma_delta_clear_pending_
/*
* Read R̅D̅Y̅ pin (if possible) or status register to check if there is an
- * old event.
+ * old event. For devices with neither an RDY GPIO nor registers,
+ * ad_sd_read_reg() transmits no address byte and clocks raw MISO bytes,
+ * which is indistinguishable from reading conversion data and would
+ * partially consume a pending result. Skip the check for such devices.
+ *
+ * This is safe for all current registerless devices: ad7191 and ad7780
+ * (with powerdown GPIO) are reset between conversions by CS deassertion,
+ * so there is no stale result to drain; ad7780 (without powerdown GPIO)
+ * and max11205 are continuously-converting and cycle ~DRDY at the output
+ * data rate regardless of whether the previous result was read, so the
+ * next falling edge fires naturally.
+ *
+ * A future registerless device that holds ~DRDY asserted until data is
+ * read would be broken by this early return and would need either
+ * num_resetclks set or a rdy-gpio.
*/
if (sigma_delta->rdy_gpiod) {
pending_event = gpiod_get_value(sigma_delta->rdy_gpiod);
- } else {
+ } else if (sigma_delta->info->has_registers) {
unsigned int status_reg;
ret = ad_sd_read_reg(sigma_delta, AD_SD_REG_STATUS, 1, &status_reg);
@@ -274,12 +288,25 @@ static int ad_sigma_delta_clear_pending_
return ret;
pending_event = !(status_reg & AD_SD_REG_STATUS_RDY);
+ } else {
+ return 0;
}
if (!pending_event)
return 0;
/*
+ * With num_resetclks = 0, data_read_len is 0 and the drain sequence
+ * below would compute memset(data + 2, 0xff, 0 - 1), underflowing to
+ * SIZE_MAX and corrupting the heap. There is no safe way to drain the
+ * stale result without knowing the data register size; it will be
+ * consumed by the first ad_sd_read_reg() call in
+ * ad_sigma_delta_single_conversion().
+ */
+ if (!data_read_len)
+ return 0;
+
+ /*
* In general the size of the data register is unknown. It varies from
* device to device, might be one byte longer if CONTROL.DATA_STATUS is
* set and even varies on some devices depending on which input is
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 040/518] iio: adc: ad_sigma_delta: fix CS held asserted and state leaks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 039/518] iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 041/518] iio: adc: lpc32xx: Initialize completion before requesting IRQ Greg Kroah-Hartman
` (481 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Radu Sabau, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radu Sabau <radu.sabau@analog.com>
commit c72da0688575e5ef39c36bb44fed53aa18f8ae65 upstream.
In ad_sigma_delta_single_conversion(), set_mode(AD_SD_MODE_IDLE) and
disable_one() were called from the out: block while keep_cs_asserted
was still true. This caused any SPI transfer issued by those callbacks
to carry cs_change=1, leaving CS permanently asserted after the
conversion. Fix by moving both calls into the out_unlock: block, after
keep_cs_asserted is cleared, matching the pattern already used in
ad_sd_calibrate().
In the error path of ad_sd_buffer_postenable(), if an operation fails
after set_mode(AD_SD_MODE_CONTINUOUS) has already succeeded (e.g.
spi_offload_trigger_enable()), the device is left in continuous
conversion mode with CS physically asserted. Additionally,
bus_locked remaining true after spi_bus_unlock() causes subsequent
SPI operations to call spi_sync_locked() without the bus lock actually
held, allowing concurrent SPI access.
Fix the error path by clearing keep_cs_asserted first, then calling
set_mode(AD_SD_MODE_IDLE) to revert the device mode and deassert CS,
then clearing bus_locked before releasing the bus.
For devices that implement neither set_mode nor disable_one (such as
MAX11205, which has no physical CS pin), no SPI transfer is issued
during cleanup and the cs_change flag has no effect on any physical
line.
Fixes: 132d44dc6966 ("iio: adc: ad_sigma_delta: Check for previous ready signals")
Signed-off-by: Radu Sabau <radu.sabau@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad_sigma_delta.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -468,11 +468,10 @@ int ad_sigma_delta_single_conversion(str
out:
ad_sd_disable_irq(sigma_delta);
- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
- ad_sigma_delta_disable_one(sigma_delta, chan->address);
-
out_unlock:
sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ ad_sigma_delta_disable_one(sigma_delta, chan->address);
sigma_delta->bus_locked = false;
spi_bus_unlock(sigma_delta->spi->controller);
out_release:
@@ -605,6 +604,9 @@ static int ad_sd_buffer_postenable(struc
return 0;
err_unlock:
+ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ sigma_delta->bus_locked = false;
spi_bus_unlock(sigma_delta->spi->controller);
spi_unoptimize_message(&sigma_delta->sample_msg);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 041/518] iio: adc: lpc32xx: Initialize completion before requesting IRQ
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 040/518] iio: adc: ad_sigma_delta: fix CS held asserted and state leaks Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 042/518] iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for() Greg Kroah-Hartman
` (480 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sangyun Kim, Kyungwook Boo,
Jaeyoung Chung, Maxwell Doose, Vladimir Zapolskiy, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxwell Doose <m32285159@gmail.com>
commit e561b35633f450ee607e87a6401d97f156a0cd54 upstream.
In the report from Jaeyoung Chung:
"lpc32xx_adc_probe() in drivers/iio/adc/lpc32xx_adc.c registers its
interrupt handler with devm_request_irq() before it initializes
st->completion with init_completion(). If an interrupt arrives after
devm_request_irq() and before init_completion(), the handler calls
complete() on an uninitialized completion, causing a kernel panic.
The probe path, in lpc32xx_adc_probe():
iodev = devm_iio_device_alloc(&pdev->dev, sizeof(*st)); /* st kzalloc-zeroed */
...
retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0,
LPC32XXAD_NAME, st); /* register handler */
...
init_completion(&st->completion); /* initialize completion */
lpc32xx_adc_isr() calls complete():
complete(&st->completion);
If the device raises an interrupt before init_completion() runs,
complete() acquires the uninitialized wait.lock and walks the zeroed
task_list in swake_up_locked(). The zeroed task_list makes list_empty()
return false, so swake_up_locked() dereferences a NULL list entry,
triggering a KASAN wild-memory-access."
Fix the chance of a spurious IRQ causing an uninitialized pointer
dereference by moving init_completion() above devm_request_irq().
Fixes: 7901b2a1453e ("staging:iio:adc:lpc32xx rename local state structure to _state")
Reported-by: Sangyun Kim <sangyun.kim@snu.ac.kr>
Reported-by: Kyungwook Boo <bookyungwook@gmail.com>
Reported-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Closes: https://lore.kernel.org/linux-iio/20260610115700.774689-1-jjy600901@snu.ac.kr/
Signed-off-by: Maxwell Doose <m32285159@gmail.com>
Reviewed-by: Vladimir Zapolskiy <vz@kernel.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/lpc32xx_adc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/lpc32xx_adc.c
+++ b/drivers/iio/adc/lpc32xx_adc.c
@@ -179,6 +179,8 @@ static int lpc32xx_adc_probe(struct plat
if (irq < 0)
return irq;
+ init_completion(&st->completion);
+
retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0,
LPC32XXAD_NAME, st);
if (retval < 0) {
@@ -197,8 +199,6 @@ static int lpc32xx_adc_probe(struct plat
platform_set_drvdata(pdev, iodev);
- init_completion(&st->completion);
-
iodev->name = LPC32XXAD_NAME;
iodev->info = &lpc32xx_adc_iio_info;
iodev->modes = INDIO_DIRECT_MODE;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 042/518] iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 041/518] iio: adc: lpc32xx: Initialize completion before requesting IRQ Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 043/518] iio: adc: spear: Initialize completion before requesting IRQ Greg Kroah-Hartman
` (479 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Andy Shevchenko,
Stepan Ionichev, Daniel Lezcano, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit a9f41809bf1bd8e5c1bc4b6a1052adac58eb7ab6 upstream.
The original code was using ndelay() twice. In one case the delay
is calculated as 1/3 of ADC clock and in the other as 80 ADC clocks.
But according to the comments in all cases it should be a multiplier
of the ADC clock, and not a fraction of it. Inadvertently
nxp_sar_adc_wait_for() takes the wrong case and spread it over
the code make it wrong in all places. Fix this by modifying a helper
to correctly use the multiplier.
Fixes: 7e5c0f97c66a ("iio: adc: nxp-sar-adc: Avoid division by zero")
Fixes: 4434072a893e ("iio: adc: Add the NXP SAR ADC support for the s32g2/3 platforms")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260416090122.758990-1-andriy.shevchenko%40linux.intel.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Stepan Ionichev <sozdayvek@gmail.com>
Acked-by: Daniel Lezcano <daniel.lezcano@oss.qualcomm.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/nxp-sar-adc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/nxp-sar-adc.c
+++ b/drivers/iio/adc/nxp-sar-adc.c
@@ -198,13 +198,13 @@ static void nxp_sar_adc_irq_cfg(struct n
writel(0, NXP_SAR_ADC_IMR(info->regs));
}
-static void nxp_sar_adc_wait_for(struct nxp_sar_adc *info, unsigned int cycles)
+static void nxp_sar_adc_wait_for(struct nxp_sar_adc *info, u64 cycles)
{
u64 rate;
rate = clk_get_rate(info->clk);
if (rate)
- ndelay(div64_u64(NSEC_PER_SEC, rate * cycles));
+ ndelay(div64_u64(NSEC_PER_SEC * cycles, rate));
}
static bool nxp_sar_adc_set_enabled(struct nxp_sar_adc *info, bool enable)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 043/518] iio: adc: spear: Initialize completion before requesting IRQ
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 042/518] iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for() Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 044/518] iio: adc: ti-ads1119: fix PM reference leak in buffer preenable Greg Kroah-Hartman
` (478 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sangyun Kim, Kyungwook Boo,
Jaeyoung Chung, Maxwell Doose, Vladimir Zapolskiy, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxwell Doose <m32285159@gmail.com>
commit 3ee2128b6f0eb0be7b6cb8f6e0f1f113a65201a0 upstream.
In the report from Jaeyoung Chung:
"spear_adc_probe() in drivers/iio/adc/spear_adc.c registers its
interrupt handler with devm_request_irq() before it initializes
st->completion with init_completion(). If an interrupt arrives after
devm_request_irq() and before init_completion(), the handler calls
complete() on an uninitialized completion, causing a kernel panic.
The probe path, in spear_adc_probe():
iodev = devm_iio_device_alloc(&pdev->dev, sizeof(*st)); /* st kzalloc-zeroed */
...
retval = devm_request_irq(&pdev->dev, irq, spear_adc_isr, 0,
LPC32XXAD_NAME, st); /* register handler */
...
init_completion(&st->completion); /* initialize completion */
spear_adc_isr() calls complete():
complete(&st->completion);
If the device raises an interrupt before init_completion() runs,
complete() acquires the uninitialized wait.lock and walks the zeroed
task_list in swake_up_locked(). The zeroed task_list makes list_empty()
return false, so swake_up_locked() dereferences a NULL list entry,
triggering a KASAN wild-memory-access."
Fix the chance of a spurious IRQ causing an uninitialized pointer
dereference by moving init_completion() above devm_request_irq().
Fixes: b586e5d9eee0 ("staging:iio:adc:spear rename device specific state structure to _state")
Reported-by: Sangyun Kim <sangyun.kim@snu.ac.kr>
Reported-by: Kyungwook Boo <bookyungwook@gmail.com>
Reported-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Closes: https://lore.kernel.org/linux-iio/20260610115700.774689-1-jjy600901@snu.ac.kr/
Signed-off-by: Maxwell Doose <m32285159@gmail.com>
Reviewed-by: Vladimir Zapolskiy <vz@kernel.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/spear_adc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/adc/spear_adc.c
+++ b/drivers/iio/adc/spear_adc.c
@@ -280,6 +280,7 @@ static int spear_adc_probe(struct platfo
st = iio_priv(indio_dev);
st->dev = dev;
+ init_completion(&st->completion);
mutex_init(&st->lock);
/*
@@ -326,8 +327,6 @@ static int spear_adc_probe(struct platfo
spear_adc_configure(st);
- init_completion(&st->completion);
-
indio_dev->name = SPEAR_ADC_MOD_NAME;
indio_dev->info = &spear_adc_info;
indio_dev->modes = INDIO_DIRECT_MODE;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 044/518] iio: adc: ti-ads1119: fix PM reference leak in buffer preenable
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 043/518] iio: adc: spear: Initialize completion before requesting IRQ Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 045/518] iio: adc: ti-ads124s08: Return reset GPIO lookup errors Greg Kroah-Hartman
` (477 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit adf4bc07f814da8329278d32600147f5a150938c upstream.
ads1119_triggered_buffer_preenable() resumes the device with
pm_runtime_resume_and_get() before starting a conversion.
If i2c_smbus_write_byte() fails, the function returns the error directly
and leaves the runtime PM usage counter elevated. The matching
postdisable callback is not called when preenable fails, so the reference
is leaked and the device may remain runtime-active indefinitely.
Store the I2C transfer result in ret and drop the runtime PM reference on
failure before returning the error.
Fixes: a9306887eba41 ("iio: adc: ti-ads1119: Add driver")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ti-ads1119.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/iio/adc/ti-ads1119.c
+++ b/drivers/iio/adc/ti-ads1119.c
@@ -459,7 +459,11 @@ static int ads1119_triggered_buffer_pree
if (ret)
return ret;
- return i2c_smbus_write_byte(st->client, ADS1119_CMD_START_SYNC);
+ ret = i2c_smbus_write_byte(st->client, ADS1119_CMD_START_SYNC);
+ if (ret)
+ pm_runtime_put_autosuspend(dev);
+
+ return ret;
}
static int ads1119_triggered_buffer_postdisable(struct iio_dev *indio_dev)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 045/518] iio: adc: ti-ads124s08: Return reset GPIO lookup errors
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 044/518] iio: adc: ti-ads1119: fix PM reference leak in buffer preenable Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 046/518] iio: backend: fix uninitialized data in debugfs Greg Kroah-Hartman
` (476 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Crofts, Pengpeng Hou,
Andy Shevchenko, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
commit 7dc4de2aa6316f1d044cde21f5acfec5f3ec6b47 upstream.
devm_gpiod_get_optional() returns NULL when the optional GPIO is absent,
but returns an ERR_PTR when the GPIO provider lookup fails, including
probe deferral.
Probe currently logs the ERR_PTR case as if the reset GPIO were simply
absent and keeps the error pointer in reset_gpio. Later ads124s_reset()
treats any non-NULL reset_gpio as a valid descriptor and passes it to
gpiod_set_value_cansleep().
Return the lookup error instead of retaining the ERR_PTR.
Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
Cc: stable@vger.kernel.org
Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ti-ads124s08.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/iio/adc/ti-ads124s08.c
+++ b/drivers/iio/adc/ti-ads124s08.c
@@ -321,7 +321,8 @@ static int ads124s_probe(struct spi_devi
ads124s_priv->reset_gpio = devm_gpiod_get_optional(&spi->dev,
"reset", GPIOD_OUT_LOW);
if (IS_ERR(ads124s_priv->reset_gpio))
- dev_info(&spi->dev, "Reset GPIO not defined\n");
+ return dev_err_probe(&spi->dev, PTR_ERR(ads124s_priv->reset_gpio),
+ "Failed to get reset GPIO\n");
ads124s_priv->chip_info = &ads124s_chip_info_tbl[spi_id->driver_data];
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 046/518] iio: backend: fix uninitialized data in debugfs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 045/518] iio: adc: ti-ads124s08: Return reset GPIO lookup errors Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 047/518] iio: buffer: hw-consumer: free scan_mask on buffer release Greg Kroah-Hartman
` (475 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
commit a6e8b14a4897d0b6df9744f33d0a30e6b92368eb upstream.
If the *ppos value is non-zero then simple_write_to_buffer() will not
initialize the start of the buf[] buffer. Non-zero ppos values aren't
going to work at all. Check for that at the start of the function and
return -ENOSPC.
Fixes: cdf01e0809a4 ("iio: backend: add debugFs interface")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-backend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/industrialio-backend.c
+++ b/drivers/iio/industrialio-backend.c
@@ -156,7 +156,7 @@ static ssize_t iio_backend_debugfs_write
ssize_t rc;
int ret;
- if (count >= sizeof(buf))
+ if (*ppos != 0 || count >= sizeof(buf))
return -ENOSPC;
rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 047/518] iio: buffer: hw-consumer: free scan_mask on buffer release
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 046/518] iio: backend: fix uninitialized data in debugfs Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 048/518] iio: chemical: scd30: Cleanup initializations and fix sign-extension bug Greg Kroah-Hartman
` (474 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Nuno Sá,
Andy Shevchenko, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit 6325d6e2204327965b849c0a16efb6ac9202e5a8 upstream.
The scan_mask lifetime changed in commit 9a2e1233d38c ("iio: buffer:
hw-consumer: remove redundant scan_mask flexible array").
Before that change, the scan mask storage was embedded in struct
hw_consumer_buffer, so iio_hw_buf_release() could free the whole
allocation with a single kfree(hw_buf).
That commit moved the scan mask to a separate bitmap_zalloc() allocation
stored in buffer.scan_mask, but left iio_hw_buf_release() unchanged.
Free the scan mask in iio_hw_buf_release() before freeing the buffer
wrapper.
Fixes: 9a2e1233d38c ("iio: buffer: hw-consumer: remove redundant scan_mask flexible array")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/buffer/industrialio-hw-consumer.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/iio/buffer/industrialio-hw-consumer.c b/drivers/iio/buffer/industrialio-hw-consumer.c
index 700528c9a0a4..10e912bbf0c5 100644
--- a/drivers/iio/buffer/industrialio-hw-consumer.c
+++ b/drivers/iio/buffer/industrialio-hw-consumer.c
@@ -40,6 +40,8 @@ static void iio_hw_buf_release(struct iio_buffer *buffer)
{
struct hw_consumer_buffer *hw_buf =
iio_buffer_to_hw_consumer_buffer(buffer);
+
+ bitmap_free(buffer->scan_mask);
kfree(hw_buf);
}
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 048/518] iio: chemical: scd30: Cleanup initializations and fix sign-extension bug
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 047/518] iio: buffer: hw-consumer: free scan_mask on buffer release Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 049/518] iio: common: st_sensors: honour channel endianness in read_axis_data Greg Kroah-Hartman
` (473 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sashiko, Maxwell Doose, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxwell Doose <m32285159@gmail.com>
commit 60d877910a43c305b5165131b258a17b1d772d57 upstream.
Include linux/bitfield.h for FIELD_GET().
Create new macros for bit manipulation in combination with manual bit
manipulation being replaced with FIELD_GET().
The current variable declaration and initializations are barely readable
and use comma separations across multiple lines. Refactor the
initializations so that mantissa and exp have separate declarations and
sign gets initialized later.
In addition (and due to the nature of the cleanup), fix a sign-extension
bug where, float32 would get bitwise anded with ~BIT(31)
(which is 0xFFFFFFFF7FFFFFFF) which corrupted the exponent.
Fixes: 64b3d8b1b0f5c ("iio: chemical: scd30: add core driver")
Reported-by: sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260524020309.18618-1-m32285159%40gmail.com
Signed-off-by: Maxwell Doose <m32285159@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/scd30_core.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -4,6 +4,8 @@
*
* Copyright (c) 2020 Tomasz Duszynski <tomasz.duszynski@octakon.com>
*/
+
+#include <linux/bitfield.h>
#include <linux/bits.h>
#include <linux/cleanup.h>
#include <linux/completion.h>
@@ -43,6 +45,11 @@
#define SCD30_TEMP_OFFSET_MAX 655360
#define SCD30_EXTRA_TIMEOUT_PER_S 250
+/* Floating point arithmetic macros */
+#define SCD30_FLOAT_MANTISSA_MSK GENMASK(22, 0)
+#define SCD30_FLOAT_EXP_MSK GENMASK(30, 23)
+#define SCD30_FLOAT_SIGN_MSK BIT(31)
+
enum {
SCD30_CONC,
SCD30_TEMP,
@@ -89,10 +96,14 @@ static int scd30_reset(struct scd30_stat
/* simplified float to fixed point conversion with a scaling factor of 0.01 */
static int scd30_float_to_fp(int float32)
{
- int fraction, shift,
- mantissa = float32 & GENMASK(22, 0),
- sign = (float32 & BIT(31)) ? -1 : 1,
- exp = (float32 & ~BIT(31)) >> 23;
+ int fraction, shift, sign;
+ int mantissa = FIELD_GET(SCD30_FLOAT_MANTISSA_MSK, float32);
+ int exp = FIELD_GET(SCD30_FLOAT_EXP_MSK, float32);
+
+ if (float32 & SCD30_FLOAT_SIGN_MSK)
+ sign = -1;
+ else
+ sign = 1;
/* special case 0 */
if (!exp && !mantissa)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 049/518] iio: common: st_sensors: honour channel endianness in read_axis_data
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 048/518] iio: chemical: scd30: Cleanup initializations and fix sign-extension bug Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 050/518] iio: core: fix uninitialized data in debugfs Greg Kroah-Hartman
` (472 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herman van Hazendonk,
Andy Shevchenko, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herman van Hazendonk <github.com@herrie.org>
commit 55052184ac9011db2ea983e54d6c21f0b1079a12 upstream.
st_sensors_read_axis_data() unconditionally decoded multi-byte
results with get_unaligned_le16() / get_unaligned_le24() regardless
of the channel's declared scan_type.endianness.
For every ST sensor that has used this helper since it was introduced
this happened to be fine because the ST IMU/accel/gyro/pressure
families publish their data registers as little-endian and the
channel specs in those drivers declare IIO_LE accordingly.
The LSM303DLH magnetometer however publishes its X/Y/Z output as a
pair of big-endian bytes (the H register sits at the lower address,
0x03/0x05/0x07, and the L register immediately after), and its
channel specs in st_magn_core.c correctly declare IIO_BE -- but
read_axis_data() ignored that and decoded as little-endian, swapping
the high and low bytes of every magnetometer sample. The LSM303DLHC
and LSM303DLM share the same st_magn_16bit_channels (IIO_BE) and
were therefore byte-swapped by the same bug; users of those parts
will see different in_magn_*_raw values after this fix lands.
The bug is most visible on a stationary chip: in earth's field the
true X reading is small and the high byte sits at 0x00, so swapping
the bytes pins sysfs X at exactly the low byte's pattern (e.g. 0x00F0
= 240). Y and Z still appear "to vary" because their magnitudes are
larger and the noise in the low byte produces big swings in the
swapped high byte:
before (LSM303DLH flat, sysfs in_magn_*_raw):
X=240 (stuck), Y= 12032..23296, Z=-16128..-9728
after (direct i2c-dev big-endian decode, same chip same orientation):
X≈-4096, Y≈210, Z≈80 (sensible values reflecting earth's
ambient field at low gauss range)
Fix read_axis_data() to dispatch on ch->scan_type.endianness and
call get_unaligned_be16() / get_unaligned_be24() when the channel
declares IIO_BE. Existing IIO_LE consumers (st_accel, st_gyro,
st_pressure, st_lsm6dsx and others) are unaffected because their
channel specs already declare IIO_LE and the LE path is unchanged.
While restructuring the branches, replace the previously implicit
silent-success-with-uninitialised-*data fall-through for
byte_for_channel outside 1..3 with an explicit return -EINVAL. No
in-tree ST sensor publishes such a channel, but the new behaviour
is strictly safer than handing userspace garbage.
Fixes: 23491b513bcd ("iio:common: Add STMicroelectronics common library")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7 sparse smatch clang-analyzer coccinelle checkpatch
Assisted-by: Sashiko:claude-opus-4-7
Signed-off-by: Herman van Hazendonk <github.com@herrie.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/common/st_sensors/st_sensors_core.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
--- a/drivers/iio/common/st_sensors/st_sensors_core.c
+++ b/drivers/iio/common/st_sensors/st_sensors_core.c
@@ -498,6 +498,7 @@ static int st_sensors_read_axis_data(str
u8 *outdata;
struct st_sensor_data *sdata = iio_priv(indio_dev);
unsigned int byte_for_channel;
+ u32 tmp;
byte_for_channel = DIV_ROUND_UP(ch->scan_type.realbits +
ch->scan_type.shift, 8);
@@ -508,12 +509,22 @@ static int st_sensors_read_axis_data(str
if (err < 0)
return err;
- if (byte_for_channel == 1)
- *data = (s8)*outdata;
- else if (byte_for_channel == 2)
- *data = (s16)get_unaligned_le16(outdata);
- else if (byte_for_channel == 3)
- *data = (s32)sign_extend32(get_unaligned_le24(outdata), 23);
+ if (byte_for_channel == 1) {
+ tmp = *outdata;
+ } else if (byte_for_channel == 2) {
+ if (ch->scan_type.endianness == IIO_BE)
+ tmp = get_unaligned_be16(outdata);
+ else
+ tmp = get_unaligned_le16(outdata);
+ } else if (byte_for_channel == 3) {
+ if (ch->scan_type.endianness == IIO_BE)
+ tmp = get_unaligned_be24(outdata);
+ else
+ tmp = get_unaligned_le24(outdata);
+ } else {
+ return -EINVAL;
+ }
+ *data = sign_extend32(tmp, BYTES_TO_BITS(byte_for_channel) - 1);
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 050/518] iio: core: fix uninitialized data in debugfs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 049/518] iio: common: st_sensors: honour channel endianness in read_axis_data Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 051/518] iio: dac: ad3552r-hs: fix uninitialized data ni ad3552r_hs_write_data_source() Greg Kroah-Hartman
` (471 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Maxwell Doose, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
commit ab92ed206d41fd171ebd37bc46360d9f2140d043 upstream.
If *ppos is non-zero then simple_write_to_buffer() will not initialize
the start of buf[]. Non zero values for *ppos aren't going to work
anyway. Test for them at the start of the function and return -EINVAL.
Fixes: 6d5dd486c715 ("iio: core: make use of simple_write_to_buffer()")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -418,7 +418,7 @@ static ssize_t iio_debugfs_write_reg(str
char buf[80];
int ret;
- if (count >= sizeof(buf))
+ if (*ppos != 0 || count >= sizeof(buf))
return -EINVAL;
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 051/518] iio: dac: ad3552r-hs: fix uninitialized data ni ad3552r_hs_write_data_source()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 050/518] iio: core: fix uninitialized data in debugfs Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 052/518] iio: event: Fix event FIFO reset race Greg Kroah-Hartman
` (470 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Angelo Dureghello,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
commit eaaa7eef181892ef7ba56c6295b81f0ae4492c13 upstream.
If the *ppos value is non-zero then the simple_write_to_buffer() function
won't initialized the start of the buf[] buffer. Non-zero values for
*ppos won't work here generally, so just test for them and return -ENOSPC
at the start of the function.
Fixes: b1c5d68ea66e ("iio: dac: ad3552r-hs: add support for internal ramp")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Angelo Dureghello <adureghello@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad3552r-hs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ad3552r-hs.c
+++ b/drivers/iio/dac/ad3552r-hs.c
@@ -549,7 +549,7 @@ static ssize_t ad3552r_hs_write_data_sou
guard(mutex)(&st->lock);
- if (count >= sizeof(buf))
+ if (*ppos != 0 || count >= sizeof(buf))
return -ENOSPC;
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 052/518] iio: event: Fix event FIFO reset race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 051/518] iio: dac: ad3552r-hs: fix uninitialized data ni ad3552r_hs_write_data_source() Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 053/518] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Greg Kroah-Hartman
` (469 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lars-Peter Clausen, Nuno Sá,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit af791d295737ea6b6ff2c8d8488462a49c14af01 upstream.
`iio_event_getfd()` creates the event file descriptor with
`anon_inode_getfd()`, which allocates a new fd, creates the anonymous
file and installs it in the process fd table before returning to the
caller.
The IIO code resets the event FIFO after `anon_inode_getfd()` has returned,
but before `IIO_GET_EVENT_FD_IOCTL` has copied the fd number to userspace.
But since fd tables are shared between threads, another thread can guess
the newly allocated fd number and issue a `read()` on it as soon as the fd
has been installed.
This means the `kfifo_to_user()` in `iio_event_chrdev_read()` can run in
parallel with the `kfifo_reset_out()` in `iio_event_getfd()`.
The kfifo documentation says that `kfifo_reset_out()` is only safe when it
is called from the reader thread and there is only one concurrent reader.
Otherwise it is dangerous and must be handled in the same way as
`kfifo_reset()`.
If that happens, `kfifo_to_user()` can advance the FIFO `out` index based
on state from before the reset, after the reset has already moved the `out`
index to the current `in` index. That can leave the FIFO with an `out`
index past the `in` index. A later `read()` can then see an underflowed
FIFO length and copy more data than the event FIFO buffer contains. This
can result in an out-of-bounds read and leak adjacent kernel memory to
userspace.
Move the FIFO reset before `anon_inode_getfd()`. At that point the event fd is
marked busy, but the new fd has not been installed yet, so userspace cannot
access it while the FIFO is reset.
Fixes: b91accafbb10 ("iio:event: Fix and cleanup locking")
Reported-by: Codex:gpt-5.5
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-event.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iio/industrialio-event.c
+++ b/drivers/iio/industrialio-event.c
@@ -207,6 +207,8 @@ static int iio_event_getfd(struct iio_de
goto unlock;
}
+ kfifo_reset_out(&ev_int->det_events);
+
iio_device_get(indio_dev);
fd = anon_inode_getfd("iio:event", &iio_event_chrdev_fileops,
@@ -214,10 +216,7 @@ static int iio_event_getfd(struct iio_de
if (fd < 0) {
clear_bit(IIO_BUSY_BIT_POS, &ev_int->flags);
iio_device_put(indio_dev);
- } else {
- kfifo_reset_out(&ev_int->det_events);
}
-
unlock:
mutex_unlock(&iio_dev_opaque->mlock);
return fd;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 053/518] iio: gyro: bmg160: bail out when bandwidth/filter is not in table
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 052/518] iio: event: Fix event FIFO reset race Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 054/518] iio: gyro: bmg160: wait full startup time after mode change at probe Greg Kroah-Hartman
` (468 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Andy Shevchenko,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
commit 8320c77e67382d5d55d77043a5f60a867d408a2b upstream.
bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the entry
matching the bw_bits value read from the chip:
for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
break;
}
*val = bmg160_samp_freq_table[i].filter;
If no entry matches, i ends up equal to the array size and the next line
reads one slot past the end. bmg160_set_filter() has the same shape, driven
by 'val' instead of bw_bits.
smatch flags both:
drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
buffer overflow 'bmg160_samp_freq_table' 7 <= 7
drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
buffer overflow 'bmg160_samp_freq_table' 7 <= 7
Return -EINVAL when no entry matches.
The set_filter() path is reachable from userspace via the sysfs
in_anglvel_filter_low_pass_3db_frequency interface, so userspace can
trivially trigger the out-of-bounds read with a value that is not in
bmg160_samp_freq_table[].filter.
Fixes: 22b46c45fb9b ("iio:gyro:bmg160 Gyro Sensor driver")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/bmg160_core.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/iio/gyro/bmg160_core.c
+++ b/drivers/iio/gyro/bmg160_core.c
@@ -201,6 +201,9 @@ static int bmg160_get_filter(struct bmg1
break;
}
+ if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+ return -EINVAL;
+
*val = bmg160_samp_freq_table[i].filter;
return ret ? ret : IIO_VAL_INT;
@@ -218,6 +221,9 @@ static int bmg160_set_filter(struct bmg1
break;
}
+ if (i == ARRAY_SIZE(bmg160_samp_freq_table))
+ return -EINVAL;
+
ret = regmap_write(data->regmap, BMG160_REG_PMU_BW,
bmg160_samp_freq_table[i].bw_bits);
if (ret < 0) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 054/518] iio: gyro: bmg160: wait full startup time after mode change at probe
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 053/518] iio: gyro: bmg160: bail out when bandwidth/filter is not in table Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 055/518] iio: imu: adis: add IRQF_NO_THREAD to non-FIFO trigger IRQ Greg Kroah-Hartman
` (467 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
commit 088fcb9b567f8723074ad9eb1bf5cb46f8a0096b upstream.
bmg160_chip_init() calls bmg160_set_mode(BMG160_MODE_NORMAL) and
then waits only 500-1000 us. Per the BMG160 datasheet
(BST-BMG160-DS000-07 Rev. 1.0, May 2013), the start-up and wake-up
times (tsu, twusm) are 30 ms.
The same file already waits BMG160_MAX_STARTUP_TIME_MS (80 ms)
in bmg160_runtime_resume() after the same set_mode(NORMAL)
operation. The 500 us value at probe was likely a unit mix-up;
the old comment said "500 ms" while the code used microseconds.
Reuse the same constant via msleep() and add a code comment
explaining the datasheet basis for the wait. Without this,
register writes that follow the mode change can hit the chip
before it is ready.
Fixes: 22b46c45fb9b ("iio:gyro:bmg160 Gyro Sensor driver")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/bmg160_core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/iio/gyro/bmg160_core.c
+++ b/drivers/iio/gyro/bmg160_core.c
@@ -264,8 +264,14 @@ static int bmg160_chip_init(struct bmg16
if (ret < 0)
return ret;
- /* Wait upto 500 ms to be ready after changing mode */
- usleep_range(500, 1000);
+ /*
+ * Wait for the chip to be ready after switching to normal mode.
+ * The BMG160 datasheet (BST-BMG160-DS000-07 Rev. 1.0, May 2013)
+ * specifies a start-up / wake-up time (tsu, twusm) of 30 ms; use
+ * BMG160_MAX_STARTUP_TIME_MS (80 ms) as a safety margin, matching
+ * what bmg160_runtime_resume() already does.
+ */
+ msleep(BMG160_MAX_STARTUP_TIME_MS);
/* Set Bandwidth */
ret = bmg160_set_bw(data, BMG160_DEF_BW);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 055/518] iio: imu: adis: add IRQF_NO_THREAD to non-FIFO trigger IRQ
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 054/518] iio: gyro: bmg160: wait full startup time after mode change at probe Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 056/518] iio: imu: bmi160: add IRQF_NO_THREAD to data-ready " Greg Kroah-Hartman
` (466 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Runyu Xiao, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit 6e1b9bff1202da55c464e36bd34a2b6863d7fe30 upstream.
devm_adis_probe_trigger() registers iio_trigger_generic_data_rdy_poll()
through devm_request_irq() on the non-FIFO path, but it does not add
IRQF_NO_THREAD to the IRQ flags.
When the kernel is booted with forced IRQ threading, the parent IRQ can
otherwise be threaded by the IRQ core and the subsequent IIO trigger
child IRQ is then dispatched from irq/... thread context instead of
hardirq context. Because iio_trigger_generic_data_rdy_poll()
immediately drives iio_trigger_poll(), this violates the hardirq-only
IIO trigger helper contract and can push downstream trigger consumers
through the wrong execution context.
Add IRQF_NO_THREAD on top of the existing adis->irq_flag value for the
non-FIFO request_irq() path, while preserving the current trigger
polarity and IRQF_NO_AUTOEN behavior.
Fixes: fec86c6b8369 ("iio: imu: adis: Add Managed device functions")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/adis_trigger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -94,7 +94,7 @@ int devm_adis_probe_trigger(struct adis
else
ret = devm_request_irq(&adis->spi->dev, adis->spi->irq,
&iio_trigger_generic_data_rdy_poll,
- adis->irq_flag,
+ adis->irq_flag | IRQF_NO_THREAD,
indio_dev->name,
adis->trig);
if (ret)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 056/518] iio: imu: bmi160: add IRQF_NO_THREAD to data-ready trigger IRQ
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 055/518] iio: imu: adis: add IRQF_NO_THREAD to non-FIFO trigger IRQ Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 057/518] iio: imu: inv_icm42600: fix timestamp clock period by using lower value Greg Kroah-Hartman
` (465 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Runyu Xiao, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit cd5a6a5096b246e10600da3ac47a1274ce9573c8 upstream.
bmi160_probe_trigger() registers iio_trigger_generic_data_rdy_poll()
through devm_request_irq(), but it passes only irq_type and does not add
IRQF_NO_THREAD.
When the kernel is booted with forced IRQ threading, the parent IRQ can
otherwise be threaded by the IRQ core and the subsequent IIO trigger
child IRQ is dispatched from irq/... thread context instead of hardirq
context. Because the handler immediately pushes the event into
iio_trigger_poll(), this violates the hardirq-only IIO trigger helper
contract and can drive downstream trigger consumers through the wrong
execution context.
Add IRQF_NO_THREAD on top of irq_type when registering the BMI160 data-
ready trigger handler.
Fixes: 895bf81e6bbf ("iio:bmi160: add drdy interrupt support")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/bmi160/bmi160_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/iio/imu/bmi160/bmi160_core.c
+++ b/drivers/iio/imu/bmi160/bmi160_core.c
@@ -788,7 +788,8 @@ int bmi160_probe_trigger(struct iio_dev
ret = devm_request_irq(&indio_dev->dev, irq,
&iio_trigger_generic_data_rdy_poll,
- irq_type, "bmi160", data->trig);
+ irq_type | IRQF_NO_THREAD,
+ "bmi160", data->trig);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 057/518] iio: imu: inv_icm42600: fix timestamp clock period by using lower value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 056/518] iio: imu: bmi160: add IRQF_NO_THREAD to data-ready " Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 058/518] iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading Greg Kroah-Hartman
` (464 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit 8b0b864c11a2e2ada470f9d5010e1c2bf1eceef2 upstream.
Clock period value is used for computing periods of sampling. There is
no need for it to be higher than the maximum odr, otherwise we are
losing precision in the computation for nothing.
Switch clock period value to maximum odr period (8kHz).
Fixes: 0ecc363ccea7 ("iio: make invensense timestamp module generic")
Cc: stable@vger.kernel.org
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 ++--
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
@@ -1170,10 +1170,10 @@ struct iio_dev *inv_icm42600_accel_init(
accel_st->filter = INV_ICM42600_FILTER_AVG_16X;
/*
- * clock period is 32kHz (31250ns)
+ * clock period is 8kHz (125000ns)
* jitter is +/- 2% (20 per mille)
*/
- ts_chip.clock_period = 31250;
+ ts_chip.clock_period = 125000;
ts_chip.jitter = 20;
ts_chip.init_period = inv_icm42600_odr_to_period(st->conf.accel.odr);
inv_sensors_timestamp_init(&accel_st->ts, &ts_chip);
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
@@ -755,10 +755,10 @@ struct iio_dev *inv_icm42600_gyro_init(s
}
/*
- * clock period is 32kHz (31250ns)
+ * clock period is 8kHz (125000ns)
* jitter is +/- 2% (20 per mille)
*/
- ts_chip.clock_period = 31250;
+ ts_chip.clock_period = 125000;
ts_chip.jitter = 20;
ts_chip.init_period = inv_icm42600_odr_to_period(st->conf.accel.odr);
inv_sensors_timestamp_init(&gyro_st->ts, &ts_chip);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 058/518] iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 057/518] iio: imu: inv_icm42600: fix timestamp clock period by using lower value Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 059/518] iio: imu: st_lsm6dsx: deselect shub page before reading whoami Greg Kroah-Hartman
` (463 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit affe3f077d7a4eeb25937f5323ff059a54b4712c upstream.
Timestamps are made by measuring the chip clock using the watermark
interrupts. If we read more than watermark samples as done today, we
are reducing the period between interrupts and distort the time
measurement. Fix that by reading only watermark samples in the
interrupt case.
Fixes: 7f85e42a6c54 ("iio: imu: inv_icm42600: add buffer support in iio devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 9 +++++----
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.h | 1 +
2 files changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
@@ -248,6 +248,7 @@ int inv_icm42600_buffer_update_watermark
/* compute watermark value in bytes */
wm_size = watermark * packet_size;
+ st->fifo.watermark.value = watermark;
/* changing FIFO watermark requires to turn off watermark interrupt */
ret = regmap_update_bits_check(st->map, INV_ICM42600_REG_INT_SOURCE0,
@@ -454,11 +455,10 @@ int inv_icm42600_buffer_fifo_read(struct
st->fifo.nb.accel = 0;
st->fifo.nb.total = 0;
- /* compute maximum FIFO read size */
+ /* compute maximum FIFO read size (watermark for max = 0 interrupt case) */
if (max == 0)
- max_count = sizeof(st->fifo.data);
- else
- max_count = max * inv_icm42600_get_packet_size(st->fifo.en);
+ max = st->fifo.watermark.value;
+ max_count = max * inv_icm42600_get_packet_size(st->fifo.en);
/* read FIFO count value */
raw_fifo_count = (__be16 *)st->buffer;
@@ -574,6 +574,7 @@ int inv_icm42600_buffer_init(struct inv_
st->fifo.watermark.eff_gyro = 1;
st->fifo.watermark.eff_accel = 1;
+ st->fifo.watermark.value = 1;
/*
* Default FIFO configuration (bits 7 to 5)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.h
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.h
@@ -34,6 +34,7 @@ struct inv_icm42600_fifo {
unsigned int accel;
unsigned int eff_gyro;
unsigned int eff_accel;
+ unsigned int value;
} watermark;
size_t count;
struct {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 059/518] iio: imu: st_lsm6dsx: deselect shub page before reading whoami
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 058/518] iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 060/518] iio: light: al3000a: add missing REGMAP_I2C to Kconfig Greg Kroah-Hartman
` (462 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Kempe, Lorenzo Bianconi,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Kempe <andreas.kempe@actia.se>
commit aede83625ff5d9539508582036df30c809d51058 upstream.
As part of driver initialization, e.g. st_lsm6dsx_init_shub() selects
the shub register page using st_lsm6dsx_set_page(). Selecting the shub
register page shadows the regular register space so whoami, among other
registers, is no longer accessible.
In applications where the IMU is permanently powered separately from the
processor, there is a window where a reset of the CPU leaves the IMU in
the shub register page. Once this occurs, any subsequent probe attempt
fails because of the register shadowing.
Using the ism330dlc, the error typically looks like
st_lsm6dsx_i2c 3-006a: unsupported whoami [10]
with the unknown whoami read from a reserved register in the shub page.
The reset register is also shadowed by the page select, preventing a
reset from recovering the chip.
Unconditionally clear the shub page before the whoami readout to ensure
normal register access and allow the initialization to proceed.
Place the fix in st_lsm6dsx_check_whoami() before the whoami check
because hw->settings, which st_lsm6dsx_set_page() relies on, is first
assigned in that function.
Placing the fix in a more logical place than the whoami check would
require a bigger restructuring of the code.
Fixes: c91c1c844ebd ("iio: imu: st_lsm6dsx: add i2c embedded controller support")
Signed-off-by: Andreas Kempe <andreas.kempe@actia.se>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -1660,6 +1660,26 @@ static int st_lsm6dsx_check_whoami(struc
return -ENODEV;
}
+ hw->settings = &st_lsm6dsx_sensor_settings[i];
+
+ if (hw->settings->shub_settings.page_mux.addr) {
+ /*
+ * If the IMU has the shub page selected on init, for example
+ * after a CPU watchdog reset while the page is selected, the
+ * regular register space is shadowed. While the regular
+ * register space is shadowed, the registers needed for
+ * initializing the IMU are not available.
+ *
+ * Unconditionally clear the shub page selection to ensure
+ * normal register access.
+ */
+ err = st_lsm6dsx_set_page(hw, false);
+ if (err < 0) {
+ dev_err(hw->dev, "failed to clear shub page\n");
+ return err;
+ }
+ }
+
err = regmap_read(hw->regmap, ST_LSM6DSX_REG_WHOAMI_ADDR, &data);
if (err < 0) {
dev_err(hw->dev, "failed to read whoami register\n");
@@ -1672,7 +1692,6 @@ static int st_lsm6dsx_check_whoami(struc
}
*name = st_lsm6dsx_sensor_settings[i].id[j].name;
- hw->settings = &st_lsm6dsx_sensor_settings[i];
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 060/518] iio: light: al3000a: add missing REGMAP_I2C to Kconfig
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 059/518] iio: imu: st_lsm6dsx: deselect shub page before reading whoami Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 061/518] iio: light: al3010: " Greg Kroah-Hartman
` (461 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Crofts, Andy Shevchenko,
David Heidelberg, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Crofts <joshua.crofts1@gmail.com>
commit a2d30022b7c316ad845d1b696e724058b88e5a4e upstream.
The KConfig entry for the al3000a is missing a `select REGMAP_I2C`,
causing build failures.
Fixes: d531b9f78949 ("iio: light: Add support for AL3000a illuminance sensor")
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: David Heidelberg <david@ixit.cz>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/light/Kconfig
+++ b/drivers/iio/light/Kconfig
@@ -45,6 +45,7 @@ config ADUX1020
config AL3000A
tristate "AL3000a ambient light sensor"
+ select REGMAP_I2C
depends on I2C
help
Say Y here if you want to build a driver for the Dyna Image AL3000a
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 061/518] iio: light: al3010: add missing REGMAP_I2C to Kconfig
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 060/518] iio: light: al3000a: add missing REGMAP_I2C to Kconfig Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 062/518] iio: light: al3010: fix incorrect scale for the highest gain range Greg Kroah-Hartman
` (460 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Crofts, Andy Shevchenko,
David Heidelberg, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Crofts <joshua.crofts1@gmail.com>
commit 84486e3bbda18a2df1ed74ca78e1e14bde9a941b upstream.
The KConfig entry for the AL3010 is missing a `select REGMAP_I2C`,
causing build failures.
Fixes: 0e5e21e23dd6 ("iio: light: al3010: Implement regmap support")
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: David Heidelberg <david@ixit.cz>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/light/Kconfig
+++ b/drivers/iio/light/Kconfig
@@ -56,6 +56,7 @@ config AL3000A
config AL3010
tristate "AL3010 ambient light sensor"
+ select REGMAP_I2C
depends on I2C
help
Say Y here if you want to build a driver for the Dyna Image AL3010
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 062/518] iio: light: al3010: fix incorrect scale for the highest gain range
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 061/518] iio: light: al3010: " Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 063/518] iio: light: al3010: read both ALS ADC registers again Greg Kroah-Hartman
` (459 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidhu Sarwal, Andy Shevchenko,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidhu Sarwal <vidhu.linux@gmail.com>
commit aa411adc6ce40ad1a55ebc965f255a4cfc0005f8 upstream.
al3010_scales[] encodes the highest gain range as {0, 1187200}.
For IIO_VAL_INT_PLUS_MICRO, the fractional part must be less than
1000000, so the scale 1.1872 should instead be represented as
{ 1, 187200 }.
Since write_raw() compares the value from userspace against this
table, writing the advertised 1.1872 scale never matches the malformed
entry and returns -EINVAL. As a result, the highest gain range cannot
be selected. Reading the scale in that state also reports the malformed
value.
Fixes: c36b5195ab70 ("iio: light: add Dyna-Image AL3010 driver")
Signed-off-by: Vidhu Sarwal <vidhu.linux@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/al3010.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/light/al3010.c
+++ b/drivers/iio/light/al3010.c
@@ -42,7 +42,7 @@ enum al3xxxx_range {
};
static const int al3010_scales[][2] = {
- {0, 1187200}, {0, 296800}, {0, 74200}, {0, 18600}
+ { 1, 187200 }, { 0, 296800 }, { 0, 74200 }, { 0, 18600 },
};
static const struct regmap_config al3010_regmap_config = {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 063/518] iio: light: al3010: read both ALS ADC registers again
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 062/518] iio: light: al3010: fix incorrect scale for the highest gain range Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 064/518] iio: light: al3320a: add missing REGMAP_I2C to Kconfig Greg Kroah-Hartman
` (458 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander A. Klimov, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander A. Klimov <grandmaster@al2klimov.de>
commit ee78fae068f52a5582aaf448d9414f826855c106 upstream.
al3010_read_raw() used to read two adjacent registers
until the driver was modernized using the regmap framework.
That cleanup accidentally replaced the 16-bit word read
with a single byte read. I'm reverting latter.
Fixes: 0e5e21e23dd6 ("iio: light: al3010: Implement regmap support")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/al3010.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/iio/light/al3010.c
+++ b/drivers/iio/light/al3010.c
@@ -111,7 +111,8 @@ static int al3010_read_raw(struct iio_de
int *val2, long mask)
{
struct al3010_data *data = iio_priv(indio_dev);
- int ret, gain, raw;
+ int ret, gain;
+ __le16 raw;
switch (mask) {
case IIO_CHAN_INFO_RAW:
@@ -120,11 +121,12 @@ static int al3010_read_raw(struct iio_de
* - low byte of output is stored at AL3010_REG_DATA_LOW
* - high byte of output is stored at AL3010_REG_DATA_LOW + 1
*/
- ret = regmap_read(data->regmap, AL3010_REG_DATA_LOW, &raw);
+ ret = regmap_bulk_read(data->regmap, AL3010_REG_DATA_LOW,
+ &raw, sizeof(raw));
if (ret)
return ret;
- *val = raw;
+ *val = le16_to_cpu(raw);
return IIO_VAL_INT;
case IIO_CHAN_INFO_SCALE:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 064/518] iio: light: al3320a: add missing REGMAP_I2C to Kconfig
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 063/518] iio: light: al3010: read both ALS ADC registers again Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 065/518] iio: light: al3320a: read both ALS ADC registers again Greg Kroah-Hartman
` (457 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Crofts, Andy Shevchenko,
David Heidelberg, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Crofts <joshua.crofts1@gmail.com>
commit 9efcc9ba9b2e940cc01e63d132ae741e4c5d09c7 upstream.
The Kconfig entry for the al3320a is missing a `select REGMAP_I2C`,
causing build failures.
Fixes: 1850e6ae7f91 ("iio: light: al3320a: Implement regmap support")
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: David Heidelberg <david@ixit.cz>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/light/Kconfig
+++ b/drivers/iio/light/Kconfig
@@ -67,6 +67,7 @@ config AL3010
config AL3320A
tristate "AL3320A ambient light sensor"
+ select REGMAP_I2C
depends on I2C
help
Say Y here if you want to build a driver for the Dyna Image AL3320A
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 065/518] iio: light: al3320a: read both ALS ADC registers again
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 064/518] iio: light: al3320a: add missing REGMAP_I2C to Kconfig Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 066/518] iio: light: gp2ap002: fix runtime PM leak on read error Greg Kroah-Hartman
` (456 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander A. Klimov, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander A. Klimov <grandmaster@al2klimov.de>
commit 744bccc2647c6b2206290e8e40890a23812116b3 upstream.
al3320a_read_raw() used to read two adjacent registers
until the driver was modernized using the regmap framework.
That cleanup accidentally replaced the 16-bit word read
with a single byte read. I'm reverting latter.
Fixes: 1850e6ae7f91 ("iio: light: al3320a: Implement regmap support")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/al3320a.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/iio/light/al3320a.c
+++ b/drivers/iio/light/al3320a.c
@@ -135,7 +135,8 @@ static int al3320a_read_raw(struct iio_d
int *val2, long mask)
{
struct al3320a_data *data = iio_priv(indio_dev);
- int ret, gain, raw;
+ int ret, gain;
+ __le16 raw;
switch (mask) {
case IIO_CHAN_INFO_RAW:
@@ -144,11 +145,12 @@ static int al3320a_read_raw(struct iio_d
* - low byte of output is stored at AL3320A_REG_DATA_LOW
* - high byte of output is stored at AL3320A_REG_DATA_LOW + 1
*/
- ret = regmap_read(data->regmap, AL3320A_REG_DATA_LOW, &raw);
+ ret = regmap_bulk_read(data->regmap, AL3320A_REG_DATA_LOW,
+ &raw, sizeof(raw));
if (ret)
return ret;
- *val = raw;
+ *val = le16_to_cpu(raw);
return IIO_VAL_INT;
case IIO_CHAN_INFO_SCALE:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 066/518] iio: light: gp2ap002: fix runtime PM leak on read error
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 065/518] iio: light: al3320a: read both ALS ADC registers again Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 067/518] iio: light: opt3001: fix missing state reset on timeout Greg Kroah-Hartman
` (455 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biren Pandya, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biren Pandya <birenpandya@gmail.com>
commit 38b72267b7e22768a1f26d9935de4e1752a1dc85 upstream.
gp2ap002_read_raw() calls pm_runtime_get_sync() before reading the
lux value, but if gp2ap002_get_lux() fails, it returns directly. This
skips the pm_runtime_put_autosuspend() call at the "out" label,
permanently leaking a runtime PM reference and preventing the device
from autosuspending.
Replace the direct return with a "goto out" to ensure the reference
is properly dropped on the error path.
Fixes: f6dbf83c17cb ("iio: light: gp2ap002: Take runtime PM reference on light read")
Signed-off-by: Biren Pandya <birenpandya@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/gp2ap002.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/light/gp2ap002.c
+++ b/drivers/iio/light/gp2ap002.c
@@ -258,7 +258,7 @@ static int gp2ap002_read_raw(struct iio_
case IIO_LIGHT:
ret = gp2ap002_get_lux(gp2ap002);
if (ret < 0)
- return ret;
+ goto out;
*val = ret;
ret = IIO_VAL_INT;
goto out;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 067/518] iio: light: opt3001: fix missing state reset on timeout
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 066/518] iio: light: gp2ap002: fix runtime PM leak on read error Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 068/518] iio: light: tsl2591: return actual error from probe IRQ failure Greg Kroah-Hartman
` (454 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Joshua Crofts,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Crofts <joshua.crofts1@gmail.com>
commit c123ca6ee26ad98f70a866ff428b08145c5a24fe upstream.
Currently in the function opt3001_get_processed(), there is a check
that directly returns -ETIMEDOUT if the conversion IRQ times out,
completely bypassing the err label, leaving ok_to_ignore_lock
permanently true, potentially breaking the device's falling threshold
interrupt detection.
Assign -ETIMEDOUT to the return variable and jump to the error label
to ensure ok_to_ignore_lock is properly reset.
Fixes: 26d90b559057 ("iio: light: opt3001: Fixed timeout error when 0 lux")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260525-opt3001-cleanup-v4-0-65b36a174f78%40gmail.com?part=1
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/opt3001.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/iio/light/opt3001.c
+++ b/drivers/iio/light/opt3001.c
@@ -366,8 +366,10 @@ static int opt3001_get_processed(struct
ret = wait_event_timeout(opt->result_ready_queue,
opt->result_ready,
msecs_to_jiffies(OPT3001_RESULT_READY_LONG));
- if (ret == 0)
- return -ETIMEDOUT;
+ if (ret == 0) {
+ ret = -ETIMEDOUT;
+ goto err;
+ }
} else {
/* Sleep for result ready time */
timeout = (opt->int_time == OPT3001_INT_TIME_SHORT) ?
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 068/518] iio: light: tsl2591: return actual error from probe IRQ failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 067/518] iio: light: opt3001: fix missing state reset on timeout Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 069/518] iio: light: veml6030: fix channel type when pushing events Greg Kroah-Hartman
` (453 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
commit a00ffd15674bfaf8b906503c1600e3d8709af56c upstream.
When devm_request_threaded_irq() fails, probe logs the error and
then returns -EINVAL, dropping the real error code and breaking the
deferred-probe flow for -EPROBE_DEFER.
Return ret directly; the IRQ subsystem already prints on failure.
Fixes: 2335f0d7c790 ("iio: light: Added AMS tsl2591 driver implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/tsl2591.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/iio/light/tsl2591.c
+++ b/drivers/iio/light/tsl2591.c
@@ -1137,10 +1137,8 @@ static int tsl2591_probe(struct i2c_clie
NULL, tsl2591_event_handler,
IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
"tsl2591_irq", indio_dev);
- if (ret) {
- dev_err_probe(&client->dev, ret, "IRQ request error\n");
- return -EINVAL;
- }
+ if (ret)
+ return ret;
indio_dev->info = &tsl2591_info;
} else {
indio_dev->info = &tsl2591_info_no_irq;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 069/518] iio: light: veml6030: fix channel type when pushing events
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 068/518] iio: light: tsl2591: return actual error from probe IRQ failure Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 070/518] iio: magnetometer: ak8975: Add missed pm_runtime_put_autosuspend() call Greg Kroah-Hartman
` (452 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Javier Carrasco, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
commit c52bb33b641ebaae3e209f97714cb1758206f7d9 upstream.
The events are registered for IIO_LIGHT and not for IIO_INTENSITY.
Use the correct channel type.
When at it, fix minor checkpatch code style warning (alignment).
Cc: stable@vger.kernel.org
Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/veml6030.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/iio/light/veml6030.c
+++ b/drivers/iio/light/veml6030.c
@@ -875,9 +875,11 @@ static irqreturn_t veml6030_event_handle
else
evtdir = IIO_EV_DIR_FALLING;
- iio_push_event(indio_dev, IIO_UNMOD_EVENT_CODE(IIO_INTENSITY,
- 0, IIO_EV_TYPE_THRESH, evtdir),
- iio_get_time_ns(indio_dev));
+ iio_push_event(indio_dev, IIO_UNMOD_EVENT_CODE(IIO_LIGHT,
+ 0,
+ IIO_EV_TYPE_THRESH,
+ evtdir),
+ iio_get_time_ns(indio_dev));
return IRQ_HANDLED;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 070/518] iio: magnetometer: ak8975: Add missed pm_runtime_put_autosuspend() call
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 069/518] iio: light: veml6030: fix channel type when pushing events Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 071/518] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer Greg Kroah-Hartman
` (451 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Andy Shevchenko,
Joshua Crofts, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit e94944d7364d3ddb273539492f9bd9c9a622549a upstream.
On the failure in the ak8975_read_axis() the PM runtime gets unbalanced.
Balance it by calling pm_runtime_put_autosuspend() on error path as well.
Fixes: cde4cb5dd422 ("iio: magn: ak8975: deploy runtime and system PM")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260505-magnetometer-fixes-v5-0-831b9b5550fc%40gmail.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/magnetometer/ak8975.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/magnetometer/ak8975.c
+++ b/drivers/iio/magnetometer/ak8975.c
@@ -784,6 +784,7 @@ static int ak8975_read_axis(struct iio_d
exit:
mutex_unlock(&data->lock);
+ pm_runtime_put_autosuspend(&data->client->dev);
dev_err(&client->dev, "Error in reading axis\n");
return ret;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 071/518] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 070/518] iio: magnetometer: ak8975: Add missed pm_runtime_put_autosuspend() call Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 072/518] iio: pressure: mpl115: fix runtime PM leak on read error Greg Kroah-Hartman
` (450 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
commit 1172160f2a2de7bade3bec64b8c5ecf945cde5ed upstream.
bmp580_trigger_handler() builds an on-stack scan buffer containing
two __le32 fields and an aligned_s64 timestamp, and pushes it to
userspace via iio_push_to_buffers_with_ts(). However, only the low
3 bytes of each __le32 field are populated by the device data:
memcpy(&buffer.comp_press, &data->buf[3], 3);
memcpy(&buffer.comp_temp, &data->buf[0], 3);
The high byte of each field is left uninitialised on the stack.
The bmp580 channels declare storagebits = 32, so the IIO core
transports all four bytes per sample to userspace as part of the
scan element, leaking two bytes of kernel stack per scan.
Zero-initialise the buffer before populating it, mirroring the fix
applied to bme280_trigger_handler() in commit 018f50909e66 ("iio:
bmp280: zero-init buffer").
Fixes: 872c8014e05e ("iio: pressure: bmp280: drop sensor_data array")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/bmp280-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -1910,7 +1910,7 @@ static irqreturn_t bmp380_trigger_handle
u32 comp_press;
s32 comp_temp;
aligned_s64 timestamp;
- } buffer;
+ } buffer = { };
int ret;
guard(mutex)(&data->lock);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 072/518] iio: pressure: mpl115: fix runtime PM leak on read error
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 071/518] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 073/518] iio: proximity: vl53l0x: notify trigger and clear IRQ on error paths Greg Kroah-Hartman
` (449 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biren Pandya, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biren Pandya <birenpandya@gmail.com>
commit fbe67ff37a6fd855a6c097f84f3738bd13d0a898 upstream.
mpl115_read_raw() takes a runtime PM reference with pm_runtime_get_sync()
before reading the processed pressure or raw temperature, but on the read
error path it returns without calling pm_runtime_put_autosuspend(). Each
failed read therefore leaks a runtime PM reference and prevents the device
from autosuspending.
Drop the reference before checking the return value so both the success
and error paths are balanced.
Fixes: 0c3a333524a3 ("iio: pressure: mpl115: Implementing low power mode by shutdown gpio")
Signed-off-by: Biren Pandya <birenpandya@gmail.com>
Assisted-by: Claude:claude-opus-4-8 coccinelle
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/mpl115.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/pressure/mpl115.c
+++ b/drivers/iio/pressure/mpl115.c
@@ -106,18 +106,18 @@ static int mpl115_read_raw(struct iio_de
case IIO_CHAN_INFO_PROCESSED:
pm_runtime_get_sync(data->dev);
ret = mpl115_comp_pressure(data, val, val2);
+ pm_runtime_put_autosuspend(data->dev);
if (ret < 0)
return ret;
- pm_runtime_put_autosuspend(data->dev);
return IIO_VAL_INT_PLUS_MICRO;
case IIO_CHAN_INFO_RAW:
pm_runtime_get_sync(data->dev);
/* temperature -5.35 C / LSB, 472 LSB is 25 C */
ret = mpl115_read_temp(data);
+ pm_runtime_put_autosuspend(data->dev);
if (ret < 0)
return ret;
- pm_runtime_put_autosuspend(data->dev);
*val = ret >> 6;
return IIO_VAL_INT;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 073/518] iio: proximity: vl53l0x: notify trigger and clear IRQ on error paths
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 072/518] iio: pressure: mpl115: fix runtime PM leak on read error Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 074/518] iio: resolver: ad2s1210: notify trigger and clear state on fault read error Greg Kroah-Hartman
` (448 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Stable,
Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
commit be843b0579f872ec7590d825e2c9a656d4790c4b upstream.
vl53l0x_trigger_handler() returns directly on the I2C read failure
paths without calling iio_trigger_notify_done() or vl53l0x_clear_irq().
A single transient i2c_smbus_read_i2c_block_data() failure (negative
errno or a short read) therefore leaves two pieces of state behind:
- iio_trigger_notify_done() never decrements the trigger's use_count,
so iio_trigger_poll_nested() silently drops further dispatches
(see industrialio-trigger.c, the !atomic_read(&trig->use_count)
guard);
- vl53l0x_clear_irq() never writes SYSTEM_INTERRUPT_CLEAR, so the
chip keeps the DRDY interrupt asserted.
The sensor's buffer mode stays wedged from then on, recoverable only
by re-binding the driver. The sibling driver vl53l1x-i2c.c handles
exactly the same case correctly by jumping to a "notify_and_clear_irq"
label that always calls both helpers; mirror that here.
The bogus negative-int return value cast to irqreturn_t also goes
away as a side effect.
Fixes: 762186c6e7b1 ("iio: proximity: vl53l0x-i2c: Added continuous mode support")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/proximity/vl53l0x-i2c.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/iio/proximity/vl53l0x-i2c.c
+++ b/drivers/iio/proximity/vl53l0x-i2c.c
@@ -87,15 +87,14 @@ static irqreturn_t vl53l0x_trigger_handl
ret = i2c_smbus_read_i2c_block_data(data->client,
VL_REG_RESULT_RANGE_STATUS,
sizeof(buffer), buffer);
- if (ret < 0)
- return ret;
- else if (ret != 12)
- return -EREMOTEIO;
+ if (ret != 12)
+ goto done;
scan.chan = get_unaligned_be16(&buffer[10]);
iio_push_to_buffers_with_ts(indio_dev, &scan, sizeof(scan),
iio_get_time_ns(indio_dev));
+done:
iio_trigger_notify_done(indio_dev->trig);
vl53l0x_clear_irq(data);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 074/518] iio: resolver: ad2s1210: notify trigger and clear state on fault read error
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 073/518] iio: proximity: vl53l0x: notify trigger and clear IRQ on error paths Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 075/518] iio: temperature: Build mlx90635 with CONFIG_MLX90635 Greg Kroah-Hartman
` (447 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, David Lechner,
Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
commit 70247658d0e783c93b48fcbc3b81d99e992ff478 upstream.
ad2s1210_trigger_handler() walks several scan-mask branches and uses
"goto error_ret" to land on the iio_trigger_notify_done() teardown at
the bottom of the function for every I/O error -- except the
MOD_CONFIG fault-register read, which uses a bare "return ret":
if (st->fixed_mode == MOD_CONFIG) {
unsigned int reg_val;
ret = regmap_read(st->regmap, AD2S1210_REG_FAULT, ®_val);
if (ret < 0)
return ret;
...
}
Two problems on that path:
- the handler returns a negative errno where the prototype expects
an irqreturn_t (IRQ_HANDLED / IRQ_NONE), so the caller in the
IIO core sees a value outside the enum;
- iio_trigger_notify_done() is skipped, leaving the trigger
busy-flag set. A single transient SPI/regmap error on the fault
read then wedges the trigger so subsequent samples are dropped
until the consumer is detached.
Convert the error path to "goto error_ret" so the failure path goes
through the same notify_done() teardown as every other error in the
handler.
Fixes: f9b9ff95be8c ("iio: resolver: ad2s1210: add support for adi,fixed-mode")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/resolver/ad2s1210.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/resolver/ad2s1210.c
+++ b/drivers/iio/resolver/ad2s1210.c
@@ -1334,7 +1334,7 @@ static irqreturn_t ad2s1210_trigger_hand
ret = regmap_read(st->regmap, AD2S1210_REG_FAULT, ®_val);
if (ret < 0)
- return ret;
+ goto error_ret;
st->sample.fault = reg_val;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 075/518] iio: temperature: Build mlx90635 with CONFIG_MLX90635
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 074/518] iio: resolver: ad2s1210: notify trigger and clear state on fault read error Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 076/518] iio: temperature: ltc2983: Fix n_wires default bypassing rotation check Greg Kroah-Hartman
` (446 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Andy Shevchenko,
Crt Mori, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
commit 63a76e3a587c4143e8e24e8a6b0c232fa0676034 upstream.
drivers/iio/temperature/Kconfig has a dedicated MLX90635 option, but
the Makefile currently builds mlx90635.o under CONFIG_MLX90632.
This means enabling CONFIG_MLX90635 alone does not carry its provider
object into the build, while enabling CONFIG_MLX90632 unexpectedly also
builds mlx90635.o.
Gate mlx90635.o on the matching generated Kconfig symbol.
Fixes: a1d1ba5e1c28 ("iio: temperature: mlx90635 MLX90635 IR Temperature sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Acked-by: Crt Mori <cmo@melexis.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/temperature/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/temperature/Makefile
+++ b/drivers/iio/temperature/Makefile
@@ -13,7 +13,7 @@ obj-$(CONFIG_MAX31865) += max31865.o
obj-$(CONFIG_MCP9600) += mcp9600.o
obj-$(CONFIG_MLX90614) += mlx90614.o
obj-$(CONFIG_MLX90632) += mlx90632.o
-obj-$(CONFIG_MLX90632) += mlx90635.o
+obj-$(CONFIG_MLX90635) += mlx90635.o
obj-$(CONFIG_TMP006) += tmp006.o
obj-$(CONFIG_TMP007) += tmp007.o
obj-$(CONFIG_TMP117) += tmp117.o
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 076/518] iio: temperature: ltc2983: Fix n_wires default bypassing rotation check
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 075/518] iio: temperature: Build mlx90635 with CONFIG_MLX90635 Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 077/518] iio: temperature: ltc2983: Fix reinit_completion() called after conversion start Greg Kroah-Hartman
` (445 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liviu Stan, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liviu Stan <liviu.stan@analog.com>
commit 434c150752675f44dc52c384a7fa22e5176bc35a upstream.
When adi,number-of-wires is absent, n_wires is left at 0. The binding
documents a default of 2 wires, matching the hardware default. However
the current-rotate validation checks n_wires == 2 || n_wires == 3, so
with n_wires = 0 the guard is bypassed and adi,current-rotate is accepted
for a 2-wire RTD.
Initialize n_wires = 2 to match the binding default and ensure the
rotation check fires correctly when the property is absent.
Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983")
Signed-off-by: Liviu Stan <liviu.stan@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/temperature/ltc2983.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/temperature/ltc2983.c
+++ b/drivers/iio/temperature/ltc2983.c
@@ -741,7 +741,7 @@ ltc2983_rtd_new(const struct fwnode_hand
struct ltc2983_rtd *rtd;
int ret = 0;
struct device *dev = &st->spi->dev;
- u32 excitation_current = 0, n_wires = 0;
+ u32 excitation_current = 0, n_wires = 2;
rtd = devm_kzalloc(dev, sizeof(*rtd), GFP_KERNEL);
if (!rtd)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 077/518] iio: temperature: ltc2983: Fix reinit_completion() called after conversion start
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 076/518] iio: temperature: ltc2983: Fix n_wires default bypassing rotation check Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 078/518] iio: temperature: tmp006: use devm_iio_trigger_register Greg Kroah-Hartman
` (444 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liviu Stan, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liviu Stan <liviu.stan@analog.com>
commit 5cb9fdb446bfc3ae0524496f53fb68e67051701b upstream.
reinit_completion() was called after regmap_write() initiated the hardware
conversion, creating a race window where the interrupt could fire and call
complete() before reinit_completion() reset the completion.
Move reinit_completion() before the regmap_write() to close the race.
ltc2983_eeprom_cmd() already does it in the correct order.
Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983")
Signed-off-by: Liviu Stan <liviu.stan@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/temperature/ltc2983.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/temperature/ltc2983.c
+++ b/drivers/iio/temperature/ltc2983.c
@@ -1177,12 +1177,11 @@ static int ltc2983_chan_read(struct ltc2
start_conversion |= LTC2983_STATUS_CHAN_SEL(sensor->chan);
dev_dbg(&st->spi->dev, "Start conversion on chan:%d, status:%02X\n",
sensor->chan, start_conversion);
+ reinit_completion(&st->completion);
/* start conversion */
ret = regmap_write(st->regmap, LTC2983_STATUS_REG, start_conversion);
if (ret)
return ret;
-
- reinit_completion(&st->completion);
/*
* wait for conversion to complete.
* 300 ms should be more than enough to complete the conversion.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 078/518] iio: temperature: tmp006: use devm_iio_trigger_register
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 077/518] iio: temperature: ltc2983: Fix reinit_completion() called after conversion start Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 079/518] ALSA: usx2y: us144mkii: fix work UAF on disconnect Greg Kroah-Hartman
` (443 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
commit 3c5eed894efd93d68d7f6a359a81ddef0e928774 upstream.
tmp006_probe() allocates the DRDY trigger with devm_iio_trigger_alloc()
but registers it with plain iio_trigger_register(). The driver has no
.remove() callback, so on module unload the trigger stays in the global
trigger list while its memory is freed by devm, leaving a dangling
entry.
Switch to devm_iio_trigger_register() so the registration is undone in
the same devm scope as the allocation.
Fixes: 91f75ccf9f03 ("iio: temperature: tmp006: add triggered buffer support")
Cc: stable@vger.kernel.org
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/temperature/tmp006.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/temperature/tmp006.c
+++ b/drivers/iio/temperature/tmp006.c
@@ -350,7 +350,7 @@ static int tmp006_probe(struct i2c_clien
data->drdy_trig->ops = &tmp006_trigger_ops;
iio_trigger_set_drvdata(data->drdy_trig, indio_dev);
- ret = iio_trigger_register(data->drdy_trig);
+ ret = devm_iio_trigger_register(&client->dev, data->drdy_trig);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 079/518] ALSA: usx2y: us144mkii: fix work UAF on disconnect
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 078/518] iio: temperature: tmp006: use devm_iio_trigger_register Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 080/518] ALSA: virtio: Add missing 384 kHz PCM rate mapping Greg Kroah-Hartman
` (442 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyeongJun An <sammiee5311@gmail.com>
commit 147996e7e7c9e8339c0e04f6fa7ccb3e4d448ff7 upstream.
tascam_disconnect() cancels capture_work and midi_in_work before
usb_kill_anchored_urbs() kills the capture/MIDI-in URBs. Those URBs
self-resubmit, and their completion handlers reschedule the work.
A URB that completes in the small window between cancel_work_sync() and
usb_kill_anchored_urbs() therefore re-arms the work after its only
cancel. Nothing cancels it again before snd_card_free() frees the
card-private tascam structure, so the work handler then runs on freed
memory.
Kill the anchored URBs before cancelling the work; once the work is
cancelled no remaining URB can complete to re-arm it.
Fixes: c1bb0c13e430 ("ALSA: usb-audio: us144mkii: Implement audio capture and decoding")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Link: https://patch.msgid.link/20260701095231.1020811-1-sammiee5311@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/usx2y/us144mkii.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/sound/usb/usx2y/us144mkii.c
+++ b/sound/usb/usx2y/us144mkii.c
@@ -585,19 +585,24 @@ static void tascam_disconnect(struct usb
return;
if (intf->cur_altsetting->desc.bInterfaceNumber == 0) {
- /* Ensure all deferred work is complete before freeing resources */
snd_card_disconnect(tascam->card);
- cancel_work_sync(&tascam->stop_work);
- cancel_work_sync(&tascam->capture_work);
- cancel_work_sync(&tascam->midi_in_work);
- cancel_work_sync(&tascam->midi_out_work);
- cancel_work_sync(&tascam->stop_pcm_work);
+ /*
+ * Kill the URBs before cancelling the work, so a late URB
+ * completion cannot re-arm a work that then runs after
+ * snd_card_free().
+ */
usb_kill_anchored_urbs(&tascam->playback_anchor);
usb_kill_anchored_urbs(&tascam->capture_anchor);
usb_kill_anchored_urbs(&tascam->feedback_anchor);
usb_kill_anchored_urbs(&tascam->midi_in_anchor);
usb_kill_anchored_urbs(&tascam->midi_out_anchor);
+
+ cancel_work_sync(&tascam->stop_work);
+ cancel_work_sync(&tascam->capture_work);
+ cancel_work_sync(&tascam->midi_in_work);
+ cancel_work_sync(&tascam->midi_out_work);
+ cancel_work_sync(&tascam->stop_pcm_work);
timer_delete_sync(&tascam->error_timer);
tascam_free_urbs(tascam);
snd_card_free(tascam->card);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 080/518] ALSA: virtio: Add missing 384 kHz PCM rate mapping
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 079/518] ALSA: usx2y: us144mkii: fix work UAF on disconnect Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 081/518] ALSA: virtio: Validate control metadata from the device Greg Kroah-Hartman
` (441 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 83fbbcb7935ec6d2c8ba3bc133e8a0ead2ab0b2d upstream.
The VirtIO sound UAPI defines VIRTIO_SND_PCM_RATE_384000, and ALSA
has SNDRV_PCM_RATE_384000. However, virtio-snd's rate conversion
tables stop at 192 kHz.
A device advertising only 384 kHz is rejected as having no supported
PCM frame rates. A device advertising 384 kHz together with lower rates
does not expose 384 kHz through the ALSA hardware constraints. The
selected ALSA rate also needs a reverse mapping for SET_PARAMS.
Add the missing 384 kHz entries to both conversion tables.
Fixes: 29b96bf50ba9 ("ALSA: virtio: build PCM devices and substream hardware descriptors")
Fixes: da76e9f3e43a ("ALSA: virtio: PCM substream operators")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260515-alsa-virtio-384k-rate-v1-1-35ecb5df835c@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/virtio/virtio_pcm.c | 3 ++-
sound/virtio/virtio_pcm_ops.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/sound/virtio/virtio_pcm.c
+++ b/sound/virtio/virtio_pcm.c
@@ -77,7 +77,8 @@ static const struct virtsnd_v2a_rate g_v
[VIRTIO_SND_PCM_RATE_88200] = { SNDRV_PCM_RATE_88200, 88200 },
[VIRTIO_SND_PCM_RATE_96000] = { SNDRV_PCM_RATE_96000, 96000 },
[VIRTIO_SND_PCM_RATE_176400] = { SNDRV_PCM_RATE_176400, 176400 },
- [VIRTIO_SND_PCM_RATE_192000] = { SNDRV_PCM_RATE_192000, 192000 }
+ [VIRTIO_SND_PCM_RATE_192000] = { SNDRV_PCM_RATE_192000, 192000 },
+ [VIRTIO_SND_PCM_RATE_384000] = { SNDRV_PCM_RATE_384000, 384000 }
};
/**
--- a/sound/virtio/virtio_pcm_ops.c
+++ b/sound/virtio/virtio_pcm_ops.c
@@ -90,7 +90,8 @@ static const struct virtsnd_a2v_rate g_a
{ 88200, VIRTIO_SND_PCM_RATE_88200 },
{ 96000, VIRTIO_SND_PCM_RATE_96000 },
{ 176400, VIRTIO_SND_PCM_RATE_176400 },
- { 192000, VIRTIO_SND_PCM_RATE_192000 }
+ { 192000, VIRTIO_SND_PCM_RATE_192000 },
+ { 384000, VIRTIO_SND_PCM_RATE_384000 }
};
static int virtsnd_pcm_sync_stop(struct snd_pcm_substream *substream);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 081/518] ALSA: virtio: Validate control metadata from the device
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 080/518] ALSA: virtio: Add missing 384 kHz PCM rate mapping Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 082/518] ALSA: ymfpci: check snd_ctl_new1() return value Greg Kroah-Hartman
` (440 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit c77a6cbb36ff8cbc1f084d94f8dcda5250935271 upstream.
virtio-snd control handling trusts the device-provided control type and
value count returned by the device.
That metadata is then used directly to index g_v2a_type_map[] in
virtsnd_kctl_info(), and to size loops and memcpy() operations in
virtsnd_kctl_get() and virtsnd_kctl_put() against fixed-size
virtio_snd_ctl_value and snd_ctl_elem_value arrays.
A buggy or malicious device can therefore trigger out-of-bounds access by
advertising an invalid control type or an oversized value count.
Validate control type and count once in virtsnd_kctl_parse_cfg(), before
querying enumerated items or exposing the control to ALSA.
Fixes: d6568e3de42d ("ALSA: virtio: add support for audio controls")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-alsa-virtio-validate-kctl-info-v1-1-7404fb12ec37@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/virtio/virtio_kctl.c | 50 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
--- a/sound/virtio/virtio_kctl.c
+++ b/sound/virtio/virtio_kctl.c
@@ -18,6 +18,21 @@ static const snd_ctl_elem_type_t g_v2a_t
[VIRTIO_SND_CTL_TYPE_IEC958] = SNDRV_CTL_ELEM_TYPE_IEC958
};
+/* Map for converting VirtIO types to maximum value counts. */
+static const unsigned int g_v2a_count_map[] = {
+ [VIRTIO_SND_CTL_TYPE_BOOLEAN] =
+ ARRAY_SIZE(((struct virtio_snd_ctl_value *)0)->value.integer),
+ [VIRTIO_SND_CTL_TYPE_INTEGER] =
+ ARRAY_SIZE(((struct virtio_snd_ctl_value *)0)->value.integer),
+ [VIRTIO_SND_CTL_TYPE_INTEGER64] =
+ ARRAY_SIZE(((struct virtio_snd_ctl_value *)0)->value.integer64),
+ [VIRTIO_SND_CTL_TYPE_ENUMERATED] =
+ ARRAY_SIZE(((struct virtio_snd_ctl_value *)0)->value.enumerated),
+ [VIRTIO_SND_CTL_TYPE_BYTES] =
+ ARRAY_SIZE(((struct virtio_snd_ctl_value *)0)->value.bytes),
+ [VIRTIO_SND_CTL_TYPE_IEC958] = 1
+};
+
/* Map for converting VirtIO access rights to ALSA access rights. */
static const unsigned int g_v2a_access_map[] = {
[VIRTIO_SND_CTL_ACCESS_READ] = SNDRV_CTL_ELEM_ACCESS_READ,
@@ -36,6 +51,37 @@ static const unsigned int g_v2a_mask_map
[VIRTIO_SND_CTL_EVT_MASK_TLV] = SNDRV_CTL_EVENT_MASK_TLV
};
+static int virtsnd_kctl_validate_info(struct virtio_snd *snd, u32 cid,
+ struct virtio_snd_ctl_info *kinfo)
+{
+ struct virtio_device *vdev = snd->vdev;
+ unsigned int type = le32_to_cpu(kinfo->type);
+ unsigned int count = le32_to_cpu(kinfo->count);
+
+ if (type >= ARRAY_SIZE(g_v2a_type_map)) {
+ dev_err(&vdev->dev, "control #%u: unknown type %u\n",
+ cid, type);
+ return -EINVAL;
+ }
+
+ if (count > g_v2a_count_map[type] ||
+ (type == VIRTIO_SND_CTL_TYPE_IEC958 && count != 1)) {
+ dev_err(&vdev->dev, "control #%u: invalid count %u for type %u\n",
+ cid, count, type);
+ return -EINVAL;
+ }
+
+ if (type == VIRTIO_SND_CTL_TYPE_ENUMERATED &&
+ !le32_to_cpu(kinfo->value.enumerated.items)) {
+ dev_err(&vdev->dev,
+ "control #%u: no items for enumerated control\n",
+ cid);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
/**
* virtsnd_kctl_info() - Returns information about the control.
* @kcontrol: ALSA control element.
@@ -385,6 +431,10 @@ int virtsnd_kctl_parse_cfg(struct virtio
struct virtio_snd_ctl_info *kinfo = &snd->kctl_infos[i];
unsigned int type = le32_to_cpu(kinfo->type);
+ rc = virtsnd_kctl_validate_info(snd, i, kinfo);
+ if (rc)
+ return rc;
+
if (type == VIRTIO_SND_CTL_TYPE_ENUMERATED) {
rc = virtsnd_kctl_get_enum_items(snd, i);
if (rc)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 082/518] ALSA: ymfpci: check snd_ctl_new1() return value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 081/518] ALSA: virtio: Validate control metadata from the device Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 083/518] ALSA: aoa: " Greg Kroah-Hartman
` (439 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Dongdong, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
commit e64d170346d00b580c0043de3e5ccb3e331c47d4 upstream.
snd_ctl_new1() can return NULL when memory allocation fails.
snd_ymfpci_create_spdif_controls() does not check the return value
before dereferencing kctl->id.device, which can lead to a NULL pointer
dereference.
Add NULL checks after snd_ctl_new1() calls and return -ENOMEM if any
fails.
Assisted-by: Opencode:DeepSeek-V4-Flash
Cc: stable@vger.kernel.org
Fixes: c9b83ae4a160 ("ALSA: ymfpci: Fix kctl->id initialization")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Link: https://patch.msgid.link/tencent_4745C5DC2333325C0EDAB1EFC88A136E6809@qq.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/ymfpci/ymfpci_main.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/sound/pci/ymfpci/ymfpci_main.c
+++ b/sound/pci/ymfpci/ymfpci_main.c
@@ -1781,16 +1781,22 @@ int snd_ymfpci_mixer(struct snd_ymfpci *
if (snd_BUG_ON(!chip->pcm_spdif))
return -ENXIO;
kctl = snd_ctl_new1(&snd_ymfpci_spdif_default, chip);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = chip->pcm_spdif->device;
err = snd_ctl_add(chip->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_ymfpci_spdif_mask, chip);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = chip->pcm_spdif->device;
err = snd_ctl_add(chip->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_ymfpci_spdif_stream, chip);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = chip->pcm_spdif->device;
err = snd_ctl_add(chip->card, kctl);
if (err < 0)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 083/518] ALSA: aoa: check snd_ctl_new1() return value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 082/518] ALSA: ymfpci: check snd_ctl_new1() return value Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 084/518] ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser Greg Kroah-Hartman
` (438 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Dongdong, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
commit 8df560fefe6fed6a20b7e06720eeaeccec349ac0 upstream.
snd_ctl_new1() can return NULL when memory allocation fails. In
layout.c, the function does not check the return value before
dereferencing ctl->id.name or passing to aoa_snd_ctl_add(), which can
lead to a NULL pointer dereference.
Add NULL checks after snd_ctl_new1() calls and return early if any
fails.
Assisted-by: Opencode:DeepSeek-V4-Flash
Cc: stable@vger.kernel.org
Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Link: https://patch.msgid.link/tencent_35F3A25FEEBF190A2E15ED787754C57E3708@qq.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/aoa/fabrics/layout.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/sound/aoa/fabrics/layout.c
+++ b/sound/aoa/fabrics/layout.c
@@ -948,6 +948,8 @@ static void layout_attached_codec(struct
if (lineout == 1)
ldev->gpio.methods->set_lineout(codec->gpio, 1);
ctl = snd_ctl_new1(&lineout_ctl, codec->gpio);
+ if (!ctl)
+ return;
if (cc->connected & CC_LINEOUT_LABELLED_HEADPHONE)
strscpy(ctl->id.name, "Headphone Switch");
ldev->lineout_ctrl = ctl;
@@ -961,12 +963,16 @@ static void layout_attached_codec(struct
if (ldev->have_lineout_detect) {
ctl = snd_ctl_new1(&lineout_detect_choice,
ldev);
+ if (!ctl)
+ return;
if (cc->connected & CC_LINEOUT_LABELLED_HEADPHONE)
strscpy(ctl->id.name,
"Headphone Detect Autoswitch");
aoa_snd_ctl_add(ctl);
ctl = snd_ctl_new1(&lineout_detected,
ldev);
+ if (!ctl)
+ return;
if (cc->connected & CC_LINEOUT_LABELLED_HEADPHONE)
strscpy(ctl->id.name,
"Headphone Detected");
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 084/518] ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 083/518] ALSA: aoa: " Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 085/518] ALSA: cmipci: check snd_ctl_new1() return value Greg Kroah-Hartman
` (437 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit f7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd upstream.
snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input
stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every
iteration it advances buf and subtracts the block size while looping on
"while (len)".
len is urb->actual_length. That value is supplied by the device and is
not guaranteed to be a multiple of 16. When a final short block leaves
len between 1 and 15, the loop runs once more, reads up to buf[15], and
then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows
to a huge value. The loop then keeps iterating and walking buf far past
the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus
block id happens to be hit.
Iterate only while a full message block is available. This stops the
unsigned underflow and silently drops any trailing partial block, which
carries no complete control value anyway.
The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1
and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor
urb->actual_length before dispatching.
Fixes: 15c5ab607045 ("ALSA: snd-usb-caiaq: Add support for Traktor Kontrol S4")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/178176259547.3343534.2724779296835237429@maoyixie.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/caiaq/input.c
+++ b/sound/usb/caiaq/input.c
@@ -330,7 +330,7 @@ static void snd_usb_caiaq_tks4_dispatch(
{
struct device *dev = caiaqdev_to_dev(cdev);
- while (len) {
+ while (len >= TKS4_MSGBLOCK_SIZE) {
unsigned int i, block_id = (buf[0] << 8) | buf[1];
switch (block_id) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 085/518] ALSA: cmipci: check snd_ctl_new1() return value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 084/518] ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 086/518] ALSA: compress: Fix task creation error unwind Greg Kroah-Hartman
` (436 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Dongdong, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
commit c205bd1b28fb7e5f1061a4e78813fad7d315cb3e upstream.
snd_ctl_new1() can return NULL when memory allocation fails.
snd_cmipci_spdif_controls() does not check the return value before
dereferencing kctl->id.device, which can lead to a NULL pointer
dereference.
Add NULL checks after snd_ctl_new1() calls and return -ENOMEM if any
fails.
Assisted-by: Opencode:DeepSeek-V4-Flash
Cc: stable@vger.kernel.org
Fixes: f2f312ad88c6 ("ALSA: cmipci: Fix kctl->id initialization")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Link: https://patch.msgid.link/tencent_964433DCD132125D5EDA79EE068A2D6EFA09@qq.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/cmipci.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/sound/pci/cmipci.c
+++ b/sound/pci/cmipci.c
@@ -2637,16 +2637,22 @@ static int snd_cmipci_mixer_new(struct c
}
if (cm->can_ac3_hw) {
kctl = snd_ctl_new1(&snd_cmipci_spdif_default, cm);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = pcm_spdif_device;
err = snd_ctl_add(card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_cmipci_spdif_mask, cm);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = pcm_spdif_device;
err = snd_ctl_add(card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_cmipci_spdif_stream, cm);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = pcm_spdif_device;
err = snd_ctl_add(card, kctl);
if (err < 0)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 086/518] ALSA: compress: Fix task creation error unwind
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 085/518] ALSA: cmipci: check snd_ctl_new1() return value Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 087/518] ALSA: es1938: check snd_ctl_new1() return value Greg Kroah-Hartman
` (435 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 4a60127debb9e370d6c0e22a307326b624a141f3 upstream.
snd_compr_task_new() allocates the driver task before validating the
returned DMA buffers and reserving file descriptors. When either of
those later steps fails, the core frees its task wrapper and DMA-buffer
references without calling the driver's task_free() callback. Any
driver resources allocated by task_create() are therefore leaked.
The dual-fd allocation path also jumps to cleanup without storing the
negative get_unused_fd_flags() result in retval. Since retval still
contains the successful task_create() return value, TASK_CREATE can
incorrectly report success although the task was discarded.
Preserve the fd allocation errors and call task_free() when failure
occurs after a successful task_create() callback.
Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode")
Fixes: 3d3f43fab4cf ("ALSA: compress_offload: improve file descriptors installation for dma-buf")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260615-alsa-compress-task-unwind-v1-1-39e8ad3ddb27@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/compress_offload.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -1083,15 +1083,18 @@ static int snd_compr_task_new(struct snd
file descriptors are allocated before fd_install() */
if (!task->input || !task->input->file || !task->output || !task->output->file) {
retval = -EINVAL;
- goto cleanup;
+ goto free_driver_task;
}
fd_i = get_unused_fd_flags(O_WRONLY|O_CLOEXEC);
- if (fd_i < 0)
- goto cleanup;
+ if (fd_i < 0) {
+ retval = fd_i;
+ goto free_driver_task;
+ }
fd_o = get_unused_fd_flags(O_RDONLY|O_CLOEXEC);
if (fd_o < 0) {
+ retval = fd_o;
put_unused_fd(fd_i);
- goto cleanup;
+ goto free_driver_task;
}
/* keep dmabuf reference until freed with task free ioctl */
get_dma_buf(task->input);
@@ -1103,6 +1106,8 @@ static int snd_compr_task_new(struct snd
list_add_tail(&task->list, &stream->runtime->tasks);
stream->runtime->total_tasks++;
return 0;
+free_driver_task:
+ stream->ops->task_free(stream, task);
cleanup:
snd_compr_task_free(task);
return retval;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 087/518] ALSA: es1938: check snd_ctl_new1() return value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 086/518] ALSA: compress: Fix task creation error unwind Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 088/518] ALSA: FCP: Add Focusrite ISA C8X support Greg Kroah-Hartman
` (434 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Dongdong, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
commit 1edd1f02dddd20aeb6066ded41017615766ea42f upstream.
snd_ctl_new1() can return NULL when memory allocation fails.
snd_es1938_mixer() does not check the return value before dereferencing
the pointer, which can lead to a NULL pointer dereference.
Add a NULL check after snd_ctl_new1() and return -ENOMEM if it fails.
Assisted-by: Opencode:DeepSeek-V4-Flash
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Link: https://patch.msgid.link/tencent_E0DC65165FDF2C8982BAFB6794B854B53B0A@qq.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/es1938.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/es1938.c
+++ b/sound/pci/es1938.c
@@ -1655,6 +1655,8 @@ static int snd_es1938_mixer(struct es193
for (idx = 0; idx < ARRAY_SIZE(snd_es1938_controls); idx++) {
struct snd_kcontrol *kctl;
kctl = snd_ctl_new1(&snd_es1938_controls[idx], chip);
+ if (!kctl)
+ return -ENOMEM;
switch (idx) {
case 0:
chip->master_volume = kctl;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 088/518] ALSA: FCP: Add Focusrite ISA C8X support
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 087/518] ALSA: es1938: check snd_ctl_new1() return value Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 089/518] ALSA: firewire: isight: bound the sample count to the packet payload Greg Kroah-Hartman
` (433 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
commit e0ecb324246be9cf3a0689346a658e48a38546b2 upstream.
Add USB PID 0x821e to the list of devices handled by the Focusrite
Control Protocol (FCP) driver.
Cc: stable@vger.kernel.org
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/ajlw4HK+2RSW3nUl@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -4451,6 +4451,7 @@ int snd_usb_mixer_apply_create_quirk(str
case USB_ID(0x1235, 0x821b): /* Focusrite Scarlett 16i16 4th Gen */
case USB_ID(0x1235, 0x821c): /* Focusrite Scarlett 18i16 4th Gen */
case USB_ID(0x1235, 0x821d): /* Focusrite Scarlett 18i20 4th Gen */
+ case USB_ID(0x1235, 0x821e): /* Focusrite ISA C8X */
err = snd_fcp_init(mixer);
break;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 089/518] ALSA: firewire: isight: bound the sample count to the packet payload
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 088/518] ALSA: FCP: Add Focusrite ISA C8X support Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 090/518] ALSA: gus: check snd_ctl_new1() return value Greg Kroah-Hartman
` (432 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Sakamoto, Maoyi Xie,
Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 29b9667982e4df2ed7744f86b1144f8bb58eb698 upstream.
isight_packet() takes the frame count from the device iso packet and
checks it only against the device claimed iso length.
count = be32_to_cpu(payload->sample_count);
if (likely(count <= (length - 16) / 4))
isight_samples(isight, payload->samples, count);
length is the iso header data_length. It can be up to 0xffff. So the
gate allows a count up to about 16379. isight_samples() then copies
count frames out of payload->samples into the PCM DMA buffer.
payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The
device multiplexes two samples per frame. A count past
MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer
size writes past runtime->dma_area. The smallest PCM buffer is larger
than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET
keeps both the read and the write in range.
A malicious or faulty Apple iSight on the FireWire bus reaches this
during a normal capture.
Add the MAX_FRAMES_PER_PACKET bound to the gate.
Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver")
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/178205454729.1900991.7807310178296762772@maoyixie.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/isight.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/firewire/isight.c
+++ b/sound/firewire/isight.c
@@ -179,7 +179,8 @@ static void isight_packet(struct fw_iso_
if (likely(length >= 16 &&
payload->signature == cpu_to_be32(0x73676874/*"sght"*/))) {
count = be32_to_cpu(payload->sample_count);
- if (likely(count <= (length - 16) / 4)) {
+ if (likely(count <= (length - 16) / 4 &&
+ count <= MAX_FRAMES_PER_PACKET)) {
total = be32_to_cpu(payload->sample_total);
if (unlikely(total != isight->total_samples)) {
if (!isight->first_packet)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 090/518] ALSA: gus: check snd_ctl_new1() return value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 089/518] ALSA: firewire: isight: bound the sample count to the packet payload Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:25 ` [PATCH 7.1 091/518] ALSA: hda/cs35l41: Fix firmware load work teardown Greg Kroah-Hartman
` (431 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Dongdong, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
commit c7fa99d30c7a166a5e5db5a585ce7501ff68326b upstream.
snd_ctl_new1() can return NULL when memory allocation fails.
snd_gf1_pcm_volume_control() does not check the return value before
dereferencing kctl->id.index, which can lead to a NULL pointer
dereference.
Add a NULL check after snd_ctl_new1() and return -ENOMEM if it fails.
Assisted-by: Opencode:DeepSeek-V4-Flash
Cc: stable@vger.kernel.org
Fixes: c5ae57b1bb99 ("ALSA: gus: Fix kctl->id initialization")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Link: https://patch.msgid.link/tencent_F644A3DCAD32945D62DB2FEEBE8A996F6809@qq.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/gus/gus_pcm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/isa/gus/gus_pcm.c
+++ b/sound/isa/gus/gus_pcm.c
@@ -851,6 +851,8 @@ int snd_gf1_pcm_new(struct snd_gus_card
kctl = snd_ctl_new1(&snd_gf1_pcm_volume_control1, gus);
else
kctl = snd_ctl_new1(&snd_gf1_pcm_volume_control, gus);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.index = control_index;
err = snd_ctl_add(card, kctl);
if (err < 0)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 091/518] ALSA: hda/cs35l41: Fix firmware load work teardown
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 090/518] ALSA: gus: check snd_ctl_new1() return value Greg Kroah-Hartman
@ 2026-07-16 13:25 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 092/518] ALSA: hda/hdmi: Add force-connect quirk for HP EliteDesk 800 G5 Mini Greg Kroah-Hartman
` (430 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Stefan Binding,
Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit b65020d5398f499c09498c9786dba6d67ae57664 upstream.
cs35l41_hda creates ALSA controls whose private data points at the
cs35l41_hda object. The firmware load control can also queue
fw_load_work.
Those controls are not removed on component unbind, and device remove
only cancels fw_load_work through cs35l41_remove_dsp(). That helper is
skipped when halo_initialized is false. With firmware_autostart
disabled, a firmware load can be requested before the DSP has been
initialized. If the component or device is removed before the queued
work runs, the worker can run after teardown and dereference driver
state that is no longer valid.
Track the created controls and remove them on unbind so no new control
callback can reach the driver data or queue more work. Then cancel
fw_load_work to drain any request that was already queued. Also cancel
the work unconditionally during device remove before runtime PM teardown.
Fixes: 47ceabd99a28 ("ALSA: hda: cs35l41: Support Firmware switching and reloading")
Fixes: 4c870513fbb0 ("ALSA: hda: cs35l41: Add read-only ALSA control for forced mute")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Stefan Binding <sbinding@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260511-alsa-hda-cs35l41-fw-work-teardown-v1-1-1184e9bc4f25@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/side-codecs/cs35l41_hda.c | 77 ++++++++++++++++++++---------
sound/hda/codecs/side-codecs/cs35l41_hda.h | 5 +
2 files changed, 60 insertions(+), 22 deletions(-)
--- a/sound/hda/codecs/side-codecs/cs35l41_hda.c
+++ b/sound/hda/codecs/side-codecs/cs35l41_hda.c
@@ -1325,6 +1325,43 @@ static int cs35l41_fw_type_ctl_info(stru
return snd_ctl_enum_info(uinfo, 1, ARRAY_SIZE(cs35l41_hda_fw_ids), cs35l41_hda_fw_ids);
}
+static void cs35l41_remove_controls(struct cs35l41_hda *cs35l41)
+{
+ if (!cs35l41->codec)
+ return;
+
+ snd_ctl_remove(cs35l41->codec->card, cs35l41->mute_override_ctl);
+ cs35l41->mute_override_ctl = NULL;
+
+ snd_ctl_remove(cs35l41->codec->card, cs35l41->fw_load_ctl);
+ cs35l41->fw_load_ctl = NULL;
+
+ snd_ctl_remove(cs35l41->codec->card, cs35l41->fw_type_ctl);
+ cs35l41->fw_type_ctl = NULL;
+}
+
+static int cs35l41_add_control(struct cs35l41_hda *cs35l41,
+ struct snd_kcontrol_new *ctl,
+ struct snd_kcontrol **kctl)
+{
+ int ret;
+
+ *kctl = snd_ctl_new1(ctl, cs35l41);
+ if (!*kctl)
+ return -ENOMEM;
+
+ ret = snd_ctl_add(cs35l41->codec->card, *kctl);
+ if (ret) {
+ dev_err(cs35l41->dev, "Failed to add KControl %s = %d\n", ctl->name, ret);
+ *kctl = NULL;
+ return ret;
+ }
+
+ dev_dbg(cs35l41->dev, "Added Control %s\n", ctl->name);
+
+ return 0;
+}
+
static int cs35l41_create_controls(struct cs35l41_hda *cs35l41)
{
char fw_type_ctl_name[SNDRV_CTL_ELEM_ID_NAME_MAXLEN];
@@ -1360,32 +1397,23 @@ static int cs35l41_create_controls(struc
scnprintf(mute_override_ctl_name, SNDRV_CTL_ELEM_ID_NAME_MAXLEN, "%s Forced Mute Status",
cs35l41->amp_name);
- ret = snd_ctl_add(cs35l41->codec->card, snd_ctl_new1(&fw_type_ctl, cs35l41));
- if (ret) {
- dev_err(cs35l41->dev, "Failed to add KControl %s = %d\n", fw_type_ctl.name, ret);
- return ret;
- }
-
- dev_dbg(cs35l41->dev, "Added Control %s\n", fw_type_ctl.name);
-
- ret = snd_ctl_add(cs35l41->codec->card, snd_ctl_new1(&fw_load_ctl, cs35l41));
- if (ret) {
- dev_err(cs35l41->dev, "Failed to add KControl %s = %d\n", fw_load_ctl.name, ret);
- return ret;
- }
-
- dev_dbg(cs35l41->dev, "Added Control %s\n", fw_load_ctl.name);
+ ret = cs35l41_add_control(cs35l41, &fw_type_ctl, &cs35l41->fw_type_ctl);
+ if (ret)
+ goto err;
- ret = snd_ctl_add(cs35l41->codec->card, snd_ctl_new1(&mute_override_ctl, cs35l41));
- if (ret) {
- dev_err(cs35l41->dev, "Failed to add KControl %s = %d\n", mute_override_ctl.name,
- ret);
- return ret;
- }
+ ret = cs35l41_add_control(cs35l41, &fw_load_ctl, &cs35l41->fw_load_ctl);
+ if (ret)
+ goto err;
- dev_dbg(cs35l41->dev, "Added Control %s\n", mute_override_ctl.name);
+ ret = cs35l41_add_control(cs35l41, &mute_override_ctl, &cs35l41->mute_override_ctl);
+ if (ret)
+ goto err;
return 0;
+
+err:
+ cs35l41_remove_controls(cs35l41);
+ return ret;
}
static bool cs35l41_dsm_supported(acpi_handle handle, unsigned int commands)
@@ -1522,6 +1550,10 @@ static void cs35l41_hda_unbind(struct de
device_link_remove(&cs35l41->codec->core.dev, cs35l41->dev);
unlock_system_sleep(sleep_flags);
memset(comp, 0, sizeof(*comp));
+
+ cs35l41_remove_controls(cs35l41);
+ cancel_work_sync(&cs35l41->fw_load_work);
+ cs35l41->codec = NULL;
}
}
@@ -2060,6 +2092,7 @@ void cs35l41_hda_remove(struct device *d
struct cs35l41_hda *cs35l41 = dev_get_drvdata(dev);
component_del(cs35l41->dev, &cs35l41_hda_comp_ops);
+ cancel_work_sync(&cs35l41->fw_load_work);
pm_runtime_get_sync(cs35l41->dev);
pm_runtime_dont_use_autosuspend(cs35l41->dev);
--- a/sound/hda/codecs/side-codecs/cs35l41_hda.h
+++ b/sound/hda/codecs/side-codecs/cs35l41_hda.h
@@ -57,6 +57,8 @@ enum control_bus {
SPI
};
+struct snd_kcontrol;
+
struct cs35l41_hda {
struct device *dev;
struct regmap *regmap;
@@ -75,6 +77,9 @@ struct cs35l41_hda {
int speaker_id;
struct mutex fw_mutex;
struct work_struct fw_load_work;
+ struct snd_kcontrol *fw_type_ctl;
+ struct snd_kcontrol *fw_load_ctl;
+ struct snd_kcontrol *mute_override_ctl;
struct regmap_irq_chip_data *irq_data;
bool firmware_running;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 092/518] ALSA: hda/hdmi: Add force-connect quirk for HP EliteDesk 800 G5 Mini
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-07-16 13:25 ` [PATCH 7.1 091/518] ALSA: hda/cs35l41: Fix firmware load work teardown Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 093/518] ALSA: hda/hdmi: Use AC_PINSENSE_ELDV to detect pinsense for Loongson Greg Kroah-Hartman
` (429 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cameron Graham, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cameron Graham <cam.graham@gmail.com>
commit 0ec17ee704615125c0b6e100c38129393a346bcc upstream.
The HP EliteDesk 800 G5 Mini (PCI subsystem 103c:8595) uses
Cannon Lake PCH cAVS HDA with DisplayPort audio pins 0x05 and
0x06 set to AC_JACK_PORT_NONE (N/A) in BIOS defaults, causing
hdmi_add_pin() to skip them and the DP audio device to not
appear in ALSA.
Add the board to the existing force_connect_list alongside the
similar HP EliteDesk 800 G4 entries.
Signed-off-by: Cameron Graham <cam.graham@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260612094601.1209845-1-cam.graham@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/hdmi/hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/hdmi/hdmi.c
+++ b/sound/hda/codecs/hdmi/hdmi.c
@@ -1549,6 +1549,7 @@ static const struct snd_pci_quirk force_
SND_PCI_QUIRK(0x103c, 0x83e2, "HP EliteDesk 800 G4", 1),
SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1),
SND_PCI_QUIRK(0x103c, 0x845a, "HP EliteDesk 800 G4 DM 65W", 1),
+ SND_PCI_QUIRK(0x103c, 0x8595, "HP EliteDesk 800 G5 Mini", 1),
SND_PCI_QUIRK(0x103c, 0x83f3, "HP ProDesk 400", 1),
SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1),
SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1),
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 093/518] ALSA: hda/hdmi: Use AC_PINSENSE_ELDV to detect pinsense for Loongson
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 092/518] ALSA: hda/hdmi: Add force-connect quirk for HP EliteDesk 800 G5 Mini Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 094/518] ALSA: hda/realtek: Fix noisy mic for Clevo V6xxAW Greg Kroah-Hartman
` (428 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baoqi Zhang, Haowei Zheng,
Huacai Chen, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 958e4450e961d75bd9d8f5bfe245fb15bc78e02a upstream.
Due to a hardware defect, for Loongson PCI HDMI devices with a reversion
ID of 2, the pin sense status must be determined via the ELD.
Add a codec flag, eld_jack_detect, to indicate this case, and do special
handlings in read_pin_sense().
Cc: stable@vger.kernel.org
Signed-off-by: Baoqi Zhang <zhangbaoqi@loongson.cn>
Signed-off-by: Haowei Zheng <zhenghaowei@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Link: https://patch.msgid.link/20260527140841.3407183-1-chenhuacai@loongson.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/sound/hda_codec.h | 1 +
sound/hda/codecs/hdmi/hdmi.c | 8 +++++++-
sound/hda/common/jack.c | 6 ++++++
3 files changed, 14 insertions(+), 1 deletion(-)
--- a/include/sound/hda_codec.h
+++ b/include/sound/hda_codec.h
@@ -259,6 +259,7 @@ struct hda_codec {
unsigned int forced_resume:1; /* forced resume for jack */
unsigned int no_stream_clean_at_suspend:1; /* do not clean streams at suspend */
unsigned int ctl_dev_id:1; /* old control element id build behaviour */
+ unsigned int eld_jack_detect:1; /* Machine jack-detection by ELD */
unsigned long power_on_acct;
unsigned long power_off_acct;
--- a/sound/hda/codecs/hdmi/hdmi.c
+++ b/sound/hda/codecs/hdmi/hdmi.c
@@ -2286,6 +2286,7 @@ EXPORT_SYMBOL_NS_GPL(snd_hda_hdmi_acomp_
enum {
MODEL_GENERIC,
MODEL_GF,
+ MODEL_LOONGSON,
};
static int generichdmi_probe(struct hda_codec *codec,
@@ -2303,6 +2304,11 @@ static int generichdmi_probe(struct hda_
if (id->driver_data == MODEL_GF)
codec->no_sticky_stream = 1;
+ if (id->driver_data == MODEL_LOONGSON) {
+ if (codec->bus && codec->bus->pci->revision == 0x2)
+ codec->eld_jack_detect = 1; /* Jack-detection by ELD */
+ }
+
return 0;
}
@@ -2320,7 +2326,7 @@ static const struct hda_codec_ops generi
/*
*/
static const struct hda_device_id snd_hda_id_generichdmi[] = {
- HDA_CODEC_ID_MODEL(0x00147a47, "Loongson HDMI", MODEL_GENERIC),
+ HDA_CODEC_ID_MODEL(0x00147a47, "Loongson HDMI", MODEL_LOONGSON),
HDA_CODEC_ID_MODEL(0x10951390, "SiI1390 HDMI", MODEL_GENERIC),
HDA_CODEC_ID_MODEL(0x10951392, "SiI1392 HDMI", MODEL_GENERIC),
HDA_CODEC_ID_MODEL(0x11069f84, "VX11 HDMI/DP", MODEL_GENERIC),
--- a/sound/hda/common/jack.c
+++ b/sound/hda/common/jack.c
@@ -58,6 +58,12 @@ static u32 read_pin_sense(struct hda_cod
AC_VERB_GET_PIN_SENSE, dev_id);
if (codec->inv_jack_detect)
val ^= AC_PINSENSE_PRESENCE;
+ if (codec->eld_jack_detect) {
+ if (val & AC_PINSENSE_ELDV)
+ val |= AC_PINSENSE_PRESENCE;
+ else
+ val &= ~AC_PINSENSE_PRESENCE;
+ }
return val;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 094/518] ALSA: hda/realtek: Fix noisy mic for Clevo V6xxAW
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 093/518] ALSA: hda/hdmi: Use AC_PINSENSE_ELDV to detect pinsense for Loongson Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 095/518] ALSA: ice1712: check snd_ctl_new1() return value Greg Kroah-Hartman
` (427 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Erhardt, Werner Sembach,
Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Erhardt <aer@tuxedocomputers.com>
commit 493765b8e922a506e09e22e80b6cc9ff05e8295b upstream.
Add a PCI quirk to reduce the volume of the internal microphone to prevent
extremely noisy signal.
Signed-off-by: Aaron Erhardt <aer@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260519155047.106096-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7567,6 +7567,7 @@ static const struct hda_quirk alc269_fix
SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x5700, "Clevo X560WN[RST]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x6480, "Clevo V6xxAW", ALC245_FIXUP_CLEVO_NOISY_MIC),
SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1558, 0x70f2, "Clevo NH79EPY", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 095/518] ALSA: ice1712: check snd_ctl_new1() return value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 094/518] ALSA: hda/realtek: Fix noisy mic for Clevo V6xxAW Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 096/518] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup() Greg Kroah-Hartman
` (426 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Dongdong, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
commit 2b929b91b0f3bc6de8a844370049cd99ee8e31ff upstream.
snd_ctl_new1() can return NULL when memory allocation fails. The
ice1712 driver calls snd_ctl_new1() without checking the return value
before dereferencing the pointer in multiple places (ice1712.c,
ice1724.c, aureon.c), which can lead to NULL pointer dereferences.
Add NULL checks after snd_ctl_new1() calls and return -ENOMEM if any
fails.
Assisted-by: Opencode:DeepSeek-V4-Flash
Cc: stable@vger.kernel.org
Fixes: b9a4efd61b6b ("ALSA: ice1712,ice1724: fix the kcontrol->id initialization")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Link: https://patch.msgid.link/tencent_42E5E2AB1B6A5101F7EE8C2117F1F687BB07@qq.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/ice1712/aureon.c | 2 ++
sound/pci/ice1712/ice1712.c | 8 ++++++++
sound/pci/ice1712/ice1724.c | 6 ++++++
3 files changed, 16 insertions(+)
--- a/sound/pci/ice1712/aureon.c
+++ b/sound/pci/ice1712/aureon.c
@@ -1891,6 +1891,8 @@ static int aureon_add_controls(struct sn
for (i = 0; i < ARRAY_SIZE(cs8415_controls); i++) {
struct snd_kcontrol *kctl;
kctl = snd_ctl_new1(&cs8415_controls[i], ice);
+ if (!kctl)
+ return -ENOMEM;
if (i > 1)
kctl->id.device = ice->pcm->device;
err = snd_ctl_add(ice->card, kctl);
--- a/sound/pci/ice1712/ice1712.c
+++ b/sound/pci/ice1712/ice1712.c
@@ -2346,21 +2346,29 @@ int snd_ice1712_spdif_build_controls(str
if (snd_BUG_ON(!ice->pcm_pro))
return -EIO;
kctl = snd_ctl_new1(&snd_ice1712_spdif_default, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm_pro->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_ice1712_spdif_maskc, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm_pro->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_ice1712_spdif_maskp, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm_pro->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_ice1712_spdif_stream, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm_pro->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
--- a/sound/pci/ice1712/ice1724.c
+++ b/sound/pci/ice1712/ice1724.c
@@ -2379,16 +2379,22 @@ static int snd_vt1724_spdif_build_contro
return err;
kctl = snd_ctl_new1(&snd_vt1724_spdif_default, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_vt1724_spdif_maskc, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
return err;
kctl = snd_ctl_new1(&snd_vt1724_spdif_maskp, ice);
+ if (!kctl)
+ return -ENOMEM;
kctl->id.device = ice->pcm->device;
err = snd_ctl_add(ice->card, kctl);
if (err < 0)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 096/518] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 095/518] ALSA: ice1712: check snd_ctl_new1() return value Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 097/518] ALSA: us144mkii: capture_urb_complete: redundant usb_anchor_urb corrupts anchor list on each resubmission Greg Kroah-Hartman
` (425 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyeongJun An <sammiee5311@gmail.com>
commit 435990e25bf1f4af3e6df12a6fbfd1f7ba4a97d4 upstream.
snd_seq_event_dup() copies an incoming event into a pool cell and, in
the UMP-enabled build, clears the trailing cell->ump.raw.extra word that
the memcpy() did not cover. The guard deciding whether to clear it
compares the copied size against sizeof(cell->event):
memcpy(&cell->ump, event, size);
if (size < sizeof(cell->event))
cell->ump.raw.extra = 0;
For a legacy (non-UMP) event, size == sizeof(struct snd_seq_event) ==
sizeof(cell->event), so the condition is false and the extra word keeps
stale data. The cell pool is allocated with kvmalloc() (not zeroed) and
cells are reused via a free list, so that word holds uninitialised heap
or leftover event data.
When such a cell is delivered to a UMP client (client->midi_version > 0)
that set SNDRV_SEQ_FILTER_NO_CONVERT -- so the legacy event reaches it
unconverted -- snd_seq_read() reads it out as the larger struct
snd_seq_ump_event and copies the stale word to user space, a 4-byte
kernel heap infoleak to an unprivileged /dev/snd/seq client.
Compare against sizeof(cell->ump) instead, so the trailing word is zeroed
for every event shorter than the UMP cell.
Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Link: https://patch.msgid.link/20260623233841.853326-1-sammiee5311@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/seq/seq_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -364,7 +364,7 @@ int snd_seq_event_dup(struct snd_seq_poo
size = snd_seq_event_packet_size(event);
memcpy(&cell->ump, event, size);
#if IS_ENABLED(CONFIG_SND_SEQ_UMP)
- if (size < sizeof(cell->event))
+ if (size < sizeof(cell->ump))
cell->ump.raw.extra = 0;
#endif
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 097/518] ALSA: us144mkii: capture_urb_complete: redundant usb_anchor_urb corrupts anchor list on each resubmission
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 096/518] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 098/518] ALSA: usb-audio: add IFB_SILENCE_ON_EMPTY quirk for Behringer Flow 8 Greg Kroah-Hartman
` (424 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, WenTao Liang, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WenTao Liang <vulab@iscas.ac.cn>
commit 5cff1529a2f9b3461a7f5a6e36a86682fc290534 upstream.
In capture_urb_complete(), usb_anchor_urb() is called on every
completion callback, but the URB is already anchored from the
initial submission in tascam_trigger_start(). Each redundant call
corrupts the anchor's doubly-linked list and inflates the URB
refcount. When usb_kill_anchored_urbs() traverses the list during
stream stop / suspend / disconnect, the corrupted list leads to
use-after-free.
Remove the redundant usb_anchor_urb() from the resubmit path.
Cc: stable@vger.kernel.org
Fixes: c1bb0c13e430 ("ALSA: usb-audio: us144mkii: Implement audio capture and decoding")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260627042949.61767-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/usx2y/us144mkii_capture.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/usx2y/us144mkii_capture.c
+++ b/sound/usb/usx2y/us144mkii_capture.c
@@ -302,7 +302,6 @@ void capture_urb_complete(struct urb *ur
}
usb_get_urb(urb);
- usb_anchor_urb(urb, &tascam->capture_anchor);
ret = usb_submit_urb(urb, GFP_ATOMIC);
if (ret < 0) {
dev_err_ratelimited(tascam->card->dev,
@@ -312,6 +311,7 @@ void capture_urb_complete(struct urb *ur
usb_put_urb(urb);
atomic_dec(
&tascam->active_urbs); /* Decrement on failed resubmission */
+ return;
}
out:
usb_put_urb(urb);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 098/518] ALSA: usb-audio: add IFB_SILENCE_ON_EMPTY quirk for Behringer Flow 8
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 097/518] ALSA: us144mkii: capture_urb_complete: redundant usb_anchor_urb corrupts anchor list on each resubmission Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 099/518] ALSA: usb-audio: avoid kobject path lookup in DualSense match Greg Kroah-Hartman
` (423 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gordon Chen, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gordon Chen <chengordon326@gmail.com>
commit a23812004228d4b041a858b927db787a7ff80f50 upstream.
The Behringer Flow 8 (1397:050c) is an 8-channel USB mixer that
declares OUT EP 0x01 with implicit feedback from capture EP 0x81 via
its UAC2 endpoint companion descriptor. After 5-35 minutes of
continuous playback, the device occasionally returns a capture URB in
which every iso_frame_desc has a non-zero status (-EXDEV bursts,
visible as rate-limited "frame N active: -18" lines in dmesg from
pcm.c).
In that case snd_usb_handle_sync_urb() at endpoint.c counts bytes==0
and falls into the early "skip empty packets" return originally added
for M-Audio Fast Track Ultra. As a result the playback EP loses its
sole IFB-driven feeder and the OUT ring starves permanently: hw_ptr
stops advancing while substream state remains RUNNING. Only USB
re-enumeration recovers.
Three independent ftrace captures (taken at the moment of stall via a
userspace watchdog) consistently show:
- 60-70 capture URB completions in the 70ms window before the marker
- 0 retire_playback_urb / queue_pending_output_urbs /
snd_usb_endpoint_implicit_feedback_sink calls
- every usb_submit_urb in the window comes from
snd_complete_urb+0x64e (capture self-resubmit), none from the
queue_pending_output_urbs path
Add a new opt-in quirk QUIRK_FLAG_IFB_SILENCE_ON_EMPTY: when set, the
early return is skipped and we fall through to enqueue a packet_info
whose packet_size[i] are all 0 (the existing loop already maps
status!=0 packets to size 0). prepare_outbound_urb then emits a
silence packet, the OUT ring keeps moving, and the device rides
through the glitch.
The default behaviour (early return) is preserved for all existing
devices including M-Audio Fast Track Ultra. Only Flow 8 opts in here.
Cc: stable@vger.kernel.org
Signed-off-by: Gordon Chen <chengordon326@gmail.com>
Link: https://patch.msgid.link/20260526072906.90106-1-chengordon326@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/endpoint.c | 10 +++++++++-
sound/usb/quirks.c | 3 +++
sound/usb/usbaudio.h | 8 ++++++++
3 files changed, 20 insertions(+), 1 deletion(-)
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1780,8 +1780,16 @@ static void snd_usb_handle_sync_urb(stru
/*
* skip empty packets. At least M-Audio's Fast Track Ultra stops
* streaming once it received a 0-byte OUT URB
+ *
+ * However, on devices where bytes==0 means every sync-source
+ * packet errored (e.g. Behringer Flow 8 returning -EXDEV bursts
+ * for entire capture URBs), an unconditional return starves the
+ * IFB-fed OUT ring permanently. Such devices set
+ * QUIRK_FLAG_IFB_SILENCE_ON_EMPTY to fall through and enqueue a
+ * packet_info with size 0 packets, so playback emits silence
+ * and the OUT ring keeps moving.
*/
- if (bytes == 0)
+ if (bytes == 0 && !(ep->chip->quirk_flags & QUIRK_FLAG_IFB_SILENCE_ON_EMPTY))
return;
spin_lock_irqsave(&ep->lock, flags);
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2365,6 +2365,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
DEVICE_FLG(0x1397, 0x0509, /* Behringer UMC404HD */
QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x1397, 0x050c, /* Behringer Flow 8 */
+ QUIRK_FLAG_IFB_SILENCE_ON_EMPTY),
DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
QUIRK_FLAG_IGNORE_CTL_ERROR),
DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
@@ -2606,6 +2608,7 @@ static const char *const snd_usb_audio_q
QUIRK_STRING_ENTRY(SKIP_IFACE_SETUP),
QUIRK_STRING_ENTRY(MIXER_PLAYBACK_LINEAR_VOL),
QUIRK_STRING_ENTRY(MIXER_CAPTURE_LINEAR_VOL),
+ QUIRK_STRING_ENTRY(IFB_SILENCE_ON_EMPTY),
NULL
};
--- a/sound/usb/usbaudio.h
+++ b/sound/usb/usbaudio.h
@@ -236,6 +236,12 @@ extern bool snd_usb_skip_validation;
* QUIRK_FLAG_MIXER_CAPTURE_LINEAR_VOL
* Similar to QUIRK_FLAG_MIXER_PLAYBACK_LINEAR_VOL, but for capture streams.
* Overrides QUIRK_FLAG_MIXER_CAPTURE_MIN_MUTE
+ * QUIRK_FLAG_IFB_SILENCE_ON_EMPTY
+ * In implicit feedback mode, when an entire capture URB returns with
+ * all iso_frame_desc[i].status != 0 (bytes==0), do not silently return
+ * from snd_usb_handle_sync_urb. Instead fall through and enqueue a
+ * packet_info containing only size-0 packets, so the OUT ring keeps
+ * moving (emits silence). Needed by Behringer Flow 8 (1397:050c).
*/
enum {
@@ -268,6 +274,7 @@ enum {
QUIRK_TYPE_SKIP_IFACE_SETUP = 26,
QUIRK_TYPE_MIXER_PLAYBACK_LINEAR_VOL = 27,
QUIRK_TYPE_MIXER_CAPTURE_LINEAR_VOL = 28,
+ QUIRK_TYPE_IFB_SILENCE_ON_EMPTY = 29,
/* Please also edit snd_usb_audio_quirk_flag_names */
};
@@ -302,5 +309,6 @@ enum {
#define QUIRK_FLAG_SKIP_IFACE_SETUP QUIRK_FLAG(SKIP_IFACE_SETUP)
#define QUIRK_FLAG_MIXER_PLAYBACK_LINEAR_VOL QUIRK_FLAG(MIXER_PLAYBACK_LINEAR_VOL)
#define QUIRK_FLAG_MIXER_CAPTURE_LINEAR_VOL QUIRK_FLAG(MIXER_CAPTURE_LINEAR_VOL)
+#define QUIRK_FLAG_IFB_SILENCE_ON_EMPTY QUIRK_FLAG(IFB_SILENCE_ON_EMPTY)
#endif /* __USBAUDIO_H */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 099/518] ALSA: usb-audio: avoid kobject path lookup in DualSense match
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 098/518] ALSA: usb-audio: add IFB_SILENCE_ON_EMPTY quirk for Behringer Flow 8 Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 100/518] ALSA: usb-audio: Propagate errors in scarlett_ctl_enum_put() Greg Kroah-Hartman
` (422 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Darvell Long, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darvell Long <contact@darvell.me>
commit 7693c0cc415f3a16a7a3355f245474a5e661be4e upstream.
The DualSense jack-detection input handler verifies that a matching input
device belongs to the same physical controller by building kobject path
strings for both the input device and the USB audio device, then comparing
the path prefix.
This was observed when a weak physical connection caused the controller
to rapidly disconnect and reconnect. During that repeated hotplug,
snd_dualsense_ih_match() can run while the controller's USB device is
being disconnected. kobject_get_path() walks ancestor kobjects and
dereferences their names; if the USB device kobject name is no longer
valid, this can fault in strlen():
RIP: 0010:strlen+0x10/0x30
Call Trace:
kobject_get_path+0x34/0x150
snd_dualsense_ih_match+0x49/0xd0 [snd_usb_audio]
input_register_device+0x566/0x6a0
ps_probe+0xb89/0x1590 [hid_playstation]
The same ownership check can be done without building kobject path
strings. The input device is parented below the HID device, USB interface
and USB device, so walking the input device parent chain and comparing
against the mixer USB device preserves the check without dereferencing
kobject names during disconnect.
Fixes: 79d561c4ec04 ("ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5")
Cc: <stable@vger.kernel.org>
Assisted-by: Cute:gpt-5.5
Signed-off-by: Darvell Long <contact@darvell.me>
Link: https://patch.msgid.link/20260624143723.2986353-1-contact@darvell.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 40 ++++++++++++----------------------------
1 file changed, 12 insertions(+), 28 deletions(-)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -567,46 +567,30 @@ static bool snd_dualsense_ih_match(struc
{
struct dualsense_mixer_elem_info *mei;
struct usb_device *snd_dev;
- char *input_dev_path, *usb_dev_path;
- size_t usb_dev_path_len;
- bool match = false;
+ struct device *parent;
mei = container_of(handler, struct dualsense_mixer_elem_info, ih);
snd_dev = mei->info.head.mixer->chip->dev;
- input_dev_path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
- if (!input_dev_path) {
- dev_warn(&snd_dev->dev, "Failed to get input dev path\n");
- return false;
- }
-
- usb_dev_path = kobject_get_path(&snd_dev->dev.kobj, GFP_KERNEL);
- if (!usb_dev_path) {
- dev_warn(&snd_dev->dev, "Failed to get USB dev path\n");
- goto free_paths;
- }
-
/*
* Ensure the VID:PID matched input device supposedly owned by the
* hid-playstation driver belongs to the actual hardware handled by
- * the current USB audio device, which implies input_dev_path being
- * a subpath of usb_dev_path.
+ * the current USB audio device.
*
* This verification is necessary when there is more than one identical
* controller attached to the host system.
+ *
+ * The input device is registered below the HID device, USB interface and
+ * USB device, so compare the parent chain directly instead of building
+ * kobject path strings. This avoids dereferencing kobject names while the
+ * USB device hierarchy is being torn down during disconnect.
*/
- usb_dev_path_len = strlen(usb_dev_path);
- if (usb_dev_path_len >= strlen(input_dev_path))
- goto free_paths;
-
- usb_dev_path[usb_dev_path_len] = '/';
- match = !memcmp(input_dev_path, usb_dev_path, usb_dev_path_len + 1);
-
-free_paths:
- kfree(input_dev_path);
- kfree(usb_dev_path);
+ for (parent = dev->dev.parent; parent; parent = parent->parent) {
+ if (parent == &snd_dev->dev)
+ return true;
+ }
- return match;
+ return false;
}
static int snd_dualsense_ih_connect(struct input_handler *handler,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 100/518] ALSA: usb-audio: Propagate errors in scarlett_ctl_enum_put()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 099/518] ALSA: usb-audio: avoid kobject path lookup in DualSense match Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 101/518] ALSA: usb-audio: Propagate US-16x08 write errors in route/mix EQ-switch put callbacks Greg Kroah-Hartman
` (421 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 0f25cf1f02e3dba626791d949c759a48c0a44996 upstream.
scarlett_ctl_enum_put() ignores the return value from
snd_usb_set_cur_mix_value() and reports success whenever the
requested enum value differs from the current one.
If the SET_CUR request fails, the callback still returns success even
though neither the hardware state nor the cached mixer value changed.
Fixes: 76b188c4b370 ("ALSA: usb-audio: Scarlett mixer interface for 6i6, 18i6, 18i8 and 18i20")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260419-usb-write-error-propagation-v1-2-5a3bd4a673ae@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/sound/usb/mixer_scarlett.c
+++ b/sound/usb/mixer_scarlett.c
@@ -680,7 +680,9 @@ static int scarlett_ctl_enum_put(struct
val = ucontrol->value.integer.value[0];
val = val + opt->start;
if (val != oval) {
- snd_usb_set_cur_mix_value(elem, 0, 0, val);
+ err = snd_usb_set_cur_mix_value(elem, 0, 0, val);
+ if (err < 0)
+ return err;
return 1;
}
return 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 101/518] ALSA: usb-audio: Propagate US-16x08 write errors in route/mix EQ-switch put callbacks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 100/518] ALSA: usb-audio: Propagate errors in scarlett_ctl_enum_put() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 102/518] ALSA: usb-audio: Roll back quirk control caches on write errors Greg Kroah-Hartman
` (420 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 3c06aec8abda6ba068b58a8b7119cdb2a48456b1 upstream.
Several US-16x08 mixer put callbacks log failed control URBs but
still return success to userspace. That hides device write failures
even though the requested value was not applied.
Return the negative write error instead in the route, master, bus,
channel, and EQ switch put callbacks.
Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260419-usb-write-error-propagation-v1-3-5a3bd4a673ae@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_us16x08.c | 49 ++++++++++++++++++++++------------------------
1 file changed, 24 insertions(+), 25 deletions(-)
--- a/sound/usb/mixer_us16x08.c
+++ b/sound/usb/mixer_us16x08.c
@@ -224,14 +224,14 @@ static int snd_us16x08_route_put(struct
err = snd_us16x08_send_urb(chip, buf, sizeof(route_msg));
- if (err > 0) {
- elem->cached |= 1 << index;
- elem->cache_val[index] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set routing, err:%d\n", err);
+ return err;
}
- return err > 0 ? 1 : 0;
+ elem->cached |= 1 << index;
+ elem->cache_val[index] = val;
+ return 1;
}
static int snd_us16x08_master_info(struct snd_kcontrol *kcontrol,
@@ -283,14 +283,14 @@ static int snd_us16x08_master_put(struct
buf[5] = index + 1;
err = snd_us16x08_send_urb(chip, buf, sizeof(mix_msg_out));
- if (err > 0) {
- elem->cached |= 1 << index;
- elem->cache_val[index] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set master, err:%d\n", err);
+ return err;
}
- return err > 0 ? 1 : 0;
+ elem->cached |= 1 << index;
+ elem->cache_val[index] = val;
+ return 1;
}
static int snd_us16x08_bus_put(struct snd_kcontrol *kcontrol,
@@ -324,14 +324,14 @@ static int snd_us16x08_bus_put(struct sn
break;
}
- if (err > 0) {
- elem->cached |= 1;
- elem->cache_val[0] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set bus parameter, err:%d\n", err);
+ return err;
}
- return err > 0 ? 1 : 0;
+ elem->cached |= 1;
+ elem->cache_val[0] = val;
+ return 1;
}
static int snd_us16x08_bus_get(struct snd_kcontrol *kcontrol,
@@ -392,14 +392,14 @@ static int snd_us16x08_channel_put(struc
err = snd_us16x08_send_urb(chip, buf, sizeof(mix_msg_in));
- if (err > 0) {
- elem->cached |= 1 << index;
- elem->cache_val[index] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set channel, err:%d\n", err);
+ return err;
}
- return err > 0 ? 1 : 0;
+ elem->cached |= 1 << index;
+ elem->cache_val[index] = val;
+ return 1;
}
static int snd_us16x08_mix_info(struct snd_kcontrol *kcontrol,
@@ -529,13 +529,13 @@ static int snd_us16x08_eqswitch_put(stru
msleep(15);
}
- if (err > 0) {
- elem->cached |= 1 << index;
- elem->cache_val[index] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set eq switch, err:%d\n", err);
+ return err;
}
+ elem->cached |= 1 << index;
+ elem->cache_val[index] = val;
return 1;
}
@@ -1418,4 +1418,3 @@ int snd_us16x08_controls_create(struct u
return 0;
}
-
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 102/518] ALSA: usb-audio: Roll back quirk control caches on write errors
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 101/518] ALSA: usb-audio: Propagate US-16x08 write errors in route/mix EQ-switch put callbacks Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 103/518] ALSA: usb-audio: Update Babyface Pro control caches only after successful writes Greg Kroah-Hartman
` (419 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 6380957fa24251856a532e48a46a4dc3d1ae26b6 upstream.
Several mixer quirk callbacks cache the requested
control value in kcontrol->private_value before
issuing a single vendor or class write.
Their paired get and resume paths consume that cache
directly, so a failed write currently leaves software
state changed even though the update did not succeed.
That can make later reads report a value the device
never accepted and can replay the stale cache on resume.
Restore the previous cached value on failure in
the Audigy2NX LED, Emu0204 channel switch,
Xonar U1 output switch, Native Instruments controls,
FTU effect program switch, and Sound Blaster E1 input source switch.
Fixes: 9cf3689bfe07 ("ALSA: usb-audio: Add audigy2nx resume support")
Fixes: 5f503ee9e270 ("ALSA: usb-audio: Add Emu0204 channel switch resume support")
Fixes: 2bfb14c3b8fb ("ALSA: usb-audio: Add Xonar U1 resume support")
Fixes: da6d276957ea ("ALSA: usb-audio: Add resume support for Native Instruments controls")
Fixes: 0b4e9cfcef05 ("ALSA: usb-audio: Add resume support for FTU controls")
Fixes: 388fdb8f882a ("ALSA: usb-audio: Support changing input on Sound Blaster E1")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260429-alsa-usb-quirks-cache-rollback-v1-1-01b35c688b80@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 45 +++++++++++++++++++++++++++++++++++++--------
1 file changed, 37 insertions(+), 8 deletions(-)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -333,6 +333,7 @@ static int snd_audigy2nx_led_put(struct
int index = kcontrol->private_value & 0xff;
unsigned int value = ucontrol->value.integer.value[0];
int old_value = kcontrol->private_value >> 8;
+ unsigned long old_pval = kcontrol->private_value;
int err;
if (value > 1)
@@ -341,7 +342,11 @@ static int snd_audigy2nx_led_put(struct
return 0;
kcontrol->private_value = (value << 8) | index;
err = snd_audigy2nx_led_update(mixer, value, index);
- return err < 0 ? err : 1;
+ if (err < 0) {
+ kcontrol->private_value = old_pval;
+ return err;
+ }
+ return 1;
}
static int snd_audigy2nx_led_resume(struct usb_mixer_elem_list *list)
@@ -487,6 +492,7 @@ static int snd_emu0204_ch_switch_put(str
struct usb_mixer_elem_list *list = snd_kcontrol_chip(kcontrol);
struct usb_mixer_interface *mixer = list->mixer;
unsigned int value = ucontrol->value.enumerated.item[0];
+ unsigned long old_pval = kcontrol->private_value;
int err;
if (value > 1)
@@ -497,7 +503,11 @@ static int snd_emu0204_ch_switch_put(str
kcontrol->private_value = value;
err = snd_emu0204_ch_switch_update(mixer, value);
- return err < 0 ? err : 1;
+ if (err < 0) {
+ kcontrol->private_value = old_pval;
+ return err;
+ }
+ return 1;
}
static int snd_emu0204_ch_switch_resume(struct usb_mixer_elem_list *list)
@@ -805,7 +815,11 @@ static int snd_xonar_u1_switch_put(struc
kcontrol->private_value = new_status;
err = snd_xonar_u1_switch_update(list->mixer, new_status);
- return err < 0 ? err : 1;
+ if (err < 0) {
+ kcontrol->private_value = old_status;
+ return err;
+ }
+ return 1;
}
static int snd_xonar_u1_switch_resume(struct usb_mixer_elem_list *list)
@@ -1143,7 +1157,8 @@ static int snd_nativeinstruments_control
struct snd_ctl_elem_value *ucontrol)
{
struct usb_mixer_elem_list *list = snd_kcontrol_chip(kcontrol);
- u8 oldval = (kcontrol->private_value >> 24) & 0xff;
+ unsigned long old_pval = kcontrol->private_value;
+ u8 oldval = (old_pval >> 24) & 0xff;
u8 newval = ucontrol->value.integer.value[0];
int err;
@@ -1153,7 +1168,11 @@ static int snd_nativeinstruments_control
kcontrol->private_value &= ~(0xff << 24);
kcontrol->private_value |= (unsigned int)newval << 24;
err = snd_ni_update_cur_val(list);
- return err < 0 ? err : 1;
+ if (err < 0) {
+ kcontrol->private_value = old_pval;
+ return err;
+ }
+ return 1;
}
static const struct snd_kcontrol_new snd_nativeinstruments_ta6_mixers[] = {
@@ -1308,7 +1327,8 @@ static int snd_ftu_eff_switch_put(struct
struct snd_ctl_elem_value *ucontrol)
{
struct usb_mixer_elem_list *list = snd_kcontrol_chip(kctl);
- unsigned int pval = list->kctl->private_value;
+ unsigned long old_pval = list->kctl->private_value;
+ unsigned int pval = old_pval;
int cur_val, err, new_val;
cur_val = pval >> 24;
@@ -1319,7 +1339,11 @@ static int snd_ftu_eff_switch_put(struct
kctl->private_value &= ~(0xff << 24);
kctl->private_value |= new_val << 24;
err = snd_ftu_eff_switch_update(list);
- return err < 0 ? err : 1;
+ if (err < 0) {
+ kctl->private_value = old_pval;
+ return err;
+ }
+ return 1;
}
static int snd_ftu_create_effect_switch(struct usb_mixer_interface *mixer,
@@ -2098,13 +2122,18 @@ static int snd_soundblaster_e1_switch_pu
{
struct usb_mixer_elem_list *list = snd_kcontrol_chip(kcontrol);
unsigned char value = !!ucontrol->value.integer.value[0];
+ unsigned long old_pval = kcontrol->private_value;
int err;
if (kcontrol->private_value == value)
return 0;
kcontrol->private_value = value;
err = snd_soundblaster_e1_switch_update(list->mixer, value);
- return err < 0 ? err : 1;
+ if (err < 0) {
+ kcontrol->private_value = old_pval;
+ return err;
+ }
+ return 1;
}
static int snd_soundblaster_e1_switch_resume(struct usb_mixer_elem_list *list)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 103/518] ALSA: usb-audio: Update Babyface Pro control caches only after successful writes
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 102/518] ALSA: usb-audio: Roll back quirk control caches on write errors Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 104/518] ALSA: usb-audio: Update US-16x08 EQ/comp shadow state " Greg Kroah-Hartman
` (418 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit d8f802ccf1fdbeb89d62748d6a0d0fbd442c8127 upstream.
snd_bbfpro_ctl_put() and snd_bbfpro_vol_put()
cache the requested packed control state in
kcontrol->private_value before issuing the USB write.
Their get and resume paths use that cached value directly,
so a failed write can leave the driver reporting and later
replaying a setting the hardware never accepted.
Update the cached state only after a successful USB write.
Fixes: 3e8f3bd04716 ("ALSA: usb-audio: RME Babyface Pro mixer patch")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260429-alsa-usb-quirks-cache-rollback-v1-2-01b35c688b80@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -3011,12 +3011,14 @@ static int snd_bbfpro_ctl_put(struct snd
if (val == old_value)
return 0;
+ err = snd_bbfpro_ctl_update(mixer, reg, idx, val);
+ if (err < 0)
+ return err;
+
kcontrol->private_value = reg
| ((idx & SND_BBFPRO_CTL_IDX_MASK) << SND_BBFPRO_CTL_IDX_SHIFT)
| ((val & SND_BBFPRO_CTL_VAL_MASK) << SND_BBFPRO_CTL_VAL_SHIFT);
-
- err = snd_bbfpro_ctl_update(mixer, reg, idx, val);
- return err < 0 ? err : 1;
+ return 1;
}
static int snd_bbfpro_ctl_resume(struct usb_mixer_elem_list *list)
@@ -3201,11 +3203,13 @@ static int snd_bbfpro_vol_put(struct snd
new_val = uvalue & SND_BBFPRO_MIXER_VAL_MASK;
+ err = snd_bbfpro_vol_update(mixer, idx, new_val);
+ if (err < 0)
+ return err;
+
kcontrol->private_value = idx
| (new_val << SND_BBFPRO_MIXER_VAL_SHIFT);
-
- err = snd_bbfpro_vol_update(mixer, idx, new_val);
- return err < 0 ? err : 1;
+ return 1;
}
static int snd_bbfpro_vol_resume(struct usb_mixer_elem_list *list)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 104/518] ALSA: usb-audio: Update US-16x08 EQ/comp shadow state after successful writes
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 103/518] ALSA: usb-audio: Update Babyface Pro control caches only after successful writes Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 105/518] x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled Greg Kroah-Hartman
` (417 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit a440c17869ecd71da0f295b62868fc742d09a8ba upstream.
snd_us16x08_comp_put() and snd_us16x08_eq_put() update their
software stores before sending the USB write. If the transfer
fails, later get callbacks report a value the hardware never
accepted.
Build the outgoing message from the current store plus the
pending value, then commit the store only after a successful
write.
Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260419-usb-write-error-propagation-v1-4-5a3bd4a673ae@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_us16x08.c | 78 ++++++++++++++++++++++++++++++----------------
1 file changed, 52 insertions(+), 26 deletions(-)
--- a/sound/usb/mixer_us16x08.c
+++ b/sound/usb/mixer_us16x08.c
@@ -435,6 +435,7 @@ static int snd_us16x08_comp_put(struct s
int index = ucontrol->id.index;
char buf[sizeof(comp_msg)];
int val_idx, val;
+ int threshold, ratio, attack, release, gain, switch_on;
int err;
val = ucontrol->value.integer.value[0];
@@ -447,36 +448,61 @@ static int snd_us16x08_comp_put(struct s
/* new control value incl. bias*/
val_idx = elem->head.id - SND_US16X08_ID_COMP_BASE;
- store->val[val_idx][index] = ucontrol->value.integer.value[0];
+ threshold = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_THRESHOLD)]
+ [index];
+ ratio = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_RATIO)][index];
+ attack = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_ATTACK)][index];
+ release = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_RELEASE)]
+ [index];
+ gain = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_GAIN)][index];
+ switch_on = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_SWITCH)]
+ [index];
+
+ switch (val_idx) {
+ case COMP_STORE_IDX(SND_US16X08_ID_COMP_THRESHOLD):
+ threshold = val;
+ break;
+ case COMP_STORE_IDX(SND_US16X08_ID_COMP_RATIO):
+ ratio = val;
+ break;
+ case COMP_STORE_IDX(SND_US16X08_ID_COMP_ATTACK):
+ attack = val;
+ break;
+ case COMP_STORE_IDX(SND_US16X08_ID_COMP_RELEASE):
+ release = val;
+ break;
+ case COMP_STORE_IDX(SND_US16X08_ID_COMP_GAIN):
+ gain = val;
+ break;
+ case COMP_STORE_IDX(SND_US16X08_ID_COMP_SWITCH):
+ switch_on = val;
+ break;
+ }
/* prepare compressor URB message from template */
memcpy(buf, comp_msg, sizeof(comp_msg));
/* place comp values in message buffer watch bias! */
- buf[8] = store->val[
- COMP_STORE_IDX(SND_US16X08_ID_COMP_THRESHOLD)][index]
- - SND_US16X08_COMP_THRESHOLD_BIAS;
- buf[11] = ratio_map[store->val[
- COMP_STORE_IDX(SND_US16X08_ID_COMP_RATIO)][index]];
- buf[14] = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_ATTACK)][index]
- + SND_US16X08_COMP_ATTACK_BIAS;
- buf[17] = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_RELEASE)][index]
- + SND_US16X08_COMP_RELEASE_BIAS;
- buf[20] = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_GAIN)][index];
- buf[26] = store->val[COMP_STORE_IDX(SND_US16X08_ID_COMP_SWITCH)][index];
+ buf[8] = threshold - SND_US16X08_COMP_THRESHOLD_BIAS;
+ buf[11] = ratio_map[ratio];
+ buf[14] = attack + SND_US16X08_COMP_ATTACK_BIAS;
+ buf[17] = release + SND_US16X08_COMP_RELEASE_BIAS;
+ buf[20] = gain;
+ buf[26] = switch_on;
/* place channel selector in message buffer */
buf[5] = index + 1;
err = snd_us16x08_send_urb(chip, buf, sizeof(comp_msg));
- if (err > 0) {
- elem->cached |= 1 << index;
- elem->cache_val[index] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set compressor, err:%d\n", err);
+ return err;
}
+ store->val[val_idx][index] = val;
+ elem->cached |= 1 << index;
+ elem->cache_val[index] = val;
return 1;
}
@@ -578,11 +604,10 @@ static int snd_us16x08_eq_put(struct snd
/* copy URB buffer from EQ template */
memcpy(buf, eqs_msq, sizeof(eqs_msq));
- store->val[b_idx][p_idx][index] = val;
- buf[20] = store->val[b_idx][3][index];
- buf[17] = store->val[b_idx][2][index];
- buf[14] = store->val[b_idx][1][index];
- buf[11] = store->val[b_idx][0][index];
+ buf[20] = p_idx == 3 ? val : store->val[b_idx][3][index];
+ buf[17] = p_idx == 2 ? val : store->val[b_idx][2][index];
+ buf[14] = p_idx == 1 ? val : store->val[b_idx][1][index];
+ buf[11] = p_idx == 0 ? val : store->val[b_idx][0][index];
/* place channel index in URB buffer */
buf[5] = index + 1;
@@ -592,14 +617,15 @@ static int snd_us16x08_eq_put(struct snd
err = snd_us16x08_send_urb(chip, buf, sizeof(eqs_msq));
- if (err > 0) {
- /* store new value in EQ band cache */
- elem->cached |= 1 << index;
- elem->cache_val[index] = val;
- } else {
+ if (err < 0) {
usb_audio_dbg(chip, "Failed to set eq param, err:%d\n", err);
+ return err;
}
+ store->val[b_idx][p_idx][index] = val;
+ /* store new value in EQ band cache */
+ elem->cached |= 1 << index;
+ elem->cache_val[index] = val;
return 1;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 105/518] x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 104/518] ALSA: usb-audio: Update US-16x08 EQ/comp shadow state " Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 106/518] vfio/pci: Use a private flag to prevent power state change with VFs Greg Kroah-Hartman
` (416 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Reinette Chatre,
Borislav Petkov (AMD), stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Reinette Chatre <reinette.chatre@intel.com>
commit fc16126cc11d9f507130bf84ab137ee0938c900e upstream.
The architecture updates the cpu_mask in a domain's header to track which
online CPUs are associated with the domain. When this mask becomes empty
the architecture initiates offline of the domain that includes calling
on resctrl fs to offline the domain. If it is a monitoring domain in
which LLC occupancy is tracked resctrl fs forces the limbo handler to
clear all busy RMID state associated with the domain.
The limbo handler always reads the current event value associated with a
busy RMID irrespective of it being checked as part of regular "is it still
busy" check or whether it will be forced released anyway. When reading an
RMID on a system with SNC enabled the "logical RMID" is converted to the
"physical RMID" and this conversion requires the NUMA node ID of the
resctrl monitoring domain that is in turn determined by querying the NUMA
node ID of any CPU belonging to the monitoring domain.
When the monitoring domain is going offline its cpu_mask is empty causing
the NUMA node ID query via cpu_to_node() to be done with "nr_cpu_ids" as
argument resulting in an out-of-bounds access.
Refactor the limbo handler to skip reading the RMID when the RMID will
just be forced to no longer be dirty in the domain anyway. Add a safety
check to the architecture's RMID reader to protect against this scenario.
Fixes: e13db55b5a0d ("x86/resctrl: Introduce snc_nodes_per_l3_cache")
Closes: https://sashiko.dev/#/patchset/cover.1780456704.git.reinette.chatre%40intel.com?part=9
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: <stable@kernel.org>
Link: https://patch.msgid.link/16137433df42f85013b2f7a53626795cbd6637b9.1781029125.git.reinette.chatre@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/resctrl/monitor.c | 5 ++++
fs/resctrl/monitor.c | 37 +++++++++++++++++++---------------
2 files changed, 26 insertions(+), 16 deletions(-)
--- a/arch/x86/kernel/cpu/resctrl/monitor.c
+++ b/arch/x86/kernel/cpu/resctrl/monitor.c
@@ -258,6 +258,11 @@ int resctrl_arch_rmid_read(struct rdt_re
if (!domain_header_is_valid(hdr, RESCTRL_MON_DOMAIN, RDT_RESOURCE_L3))
return -EINVAL;
+ if (cpumask_empty(&hdr->cpu_mask)) {
+ pr_warn_once("Domain %d has no CPUs\n", hdr->id);
+ return -EINVAL;
+ }
+
d = container_of(hdr, struct rdt_l3_mon_domain, hdr);
hw_dom = resctrl_to_arch_mon_dom(d);
cpu = cpumask_any(&hdr->cpu_mask);
--- a/fs/resctrl/monitor.c
+++ b/fs/resctrl/monitor.c
@@ -135,10 +135,10 @@ void __check_limbo(struct rdt_l3_mon_dom
struct rdt_resource *r = resctrl_arch_get_resource(RDT_RESOURCE_L3);
u32 idx_limit = resctrl_arch_system_num_rmid_idx();
struct rmid_entry *entry;
+ bool rmid_dirty = true;
u32 idx, cur_idx = 1;
void *arch_mon_ctx;
void *arch_priv;
- bool rmid_dirty;
u64 val = 0;
arch_priv = mon_event_all[QOS_L3_OCCUP_EVENT_ID].arch_priv;
@@ -161,22 +161,27 @@ void __check_limbo(struct rdt_l3_mon_dom
break;
entry = __rmid_entry(idx);
- if (resctrl_arch_rmid_read(r, &d->hdr, entry->closid, entry->rmid,
- QOS_L3_OCCUP_EVENT_ID, arch_priv, &val,
- arch_mon_ctx)) {
- rmid_dirty = true;
- } else {
- rmid_dirty = (val >= resctrl_rmid_realloc_threshold);
+ if (!force_free) {
+ if (resctrl_arch_rmid_read(r, &d->hdr, entry->closid,
+ entry->rmid, QOS_L3_OCCUP_EVENT_ID,
+ arch_priv, &val, arch_mon_ctx)) {
+ rmid_dirty = true;
+ } else {
+ rmid_dirty = (val >= resctrl_rmid_realloc_threshold);
- /*
- * x86's CLOSID and RMID are independent numbers, so the entry's
- * CLOSID is an empty CLOSID (X86_RESCTRL_EMPTY_CLOSID). On Arm the
- * RMID (PMG) extends the CLOSID (PARTID) space with bits that aren't
- * used to select the configuration. It is thus necessary to track both
- * CLOSID and RMID because there may be dependencies between them
- * on some architectures.
- */
- trace_mon_llc_occupancy_limbo(entry->closid, entry->rmid, d->hdr.id, val);
+ /*
+ * x86's CLOSID and RMID are independent numbers,
+ * so the entry's CLOSID is an empty CLOSID
+ * (X86_RESCTRL_EMPTY_CLOSID). On Arm the RMID
+ * (PMG) extends the CLOSID (PARTID) space with
+ * bits that aren't used to select the configuration.
+ * It is thus necessary to track both CLOSID and
+ * RMID because there may be dependencies between
+ * them on some architectures.
+ */
+ trace_mon_llc_occupancy_limbo(entry->closid, entry->rmid,
+ d->hdr.id, val);
+ }
}
if (force_free || !rmid_dirty) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 106/518] vfio/pci: Use a private flag to prevent power state change with VFs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 105/518] x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 107/518] vfio/pci: Latch disable_idle_d3 per device Greg Kroah-Hartman
` (415 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Alex Williamson,
Raghavendra Rao Ananta
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raghavendra Rao Ananta <rananta@google.com>
commit 40ef3edf151e184d021917a5c4c771cc0870844a upstream.
The current implementation uses pci_num_vf() while holding the
memory_lock to prevent changing the power state of a PF when
VFs are enabled. This creates a lockdep circular dependency
warning because memory_lock is held during device probing.
[ 286.997167] ======================================================
[ 287.003363] WARNING: possible circular locking dependency detected
[ 287.009562] 7.0.0-dbg-DEV #3 Tainted: G S
[ 287.015074] ------------------------------------------------------
[ 287.021270] vfio_pci_sriov_/18636 is trying to acquire lock:
[ 287.026942] ff45bea2294d4968 (&vdev->memory_lock){+.+.}-{4:4}, at:
vfio_pci_core_runtime_resume+0x1f/0xa0
[ 287.036530]
[ 287.036530] but task is already holding lock:
[ 287.042383] ff45bea3a96b8230 (&new_dev_set->lock){+.+.}-{4:4}, at:
vfio_group_fops_unl_ioctl+0x44d/0x7b0
[ 287.051879]
[ 287.051879] which lock already depends on the new lock.
[ 287.051879]
[ 287.060070]
[ 287.060070] the existing dependency chain (in reverse order) is:
[ 287.067568]
[ 287.067568] -> #2 (&new_dev_set->lock){+.+.}-{4:4}:
[ 287.073941] __mutex_lock+0x92/0xb80
[ 287.078058] vfio_assign_device_set+0x66/0x1b0
[ 287.083042] vfio_pci_core_register_device+0xd1/0x2a0
[ 287.088638] vfio_pci_probe+0xd2/0x100
[ 287.092933] local_pci_probe_callback+0x4d/0xa0
[ 287.098001] process_scheduled_works+0x2ca/0x680
[ 287.103158] worker_thread+0x1e8/0x2f0
[ 287.107452] kthread+0x10c/0x140
[ 287.111230] ret_from_fork+0x18e/0x360
[ 287.115519] ret_from_fork_asm+0x1a/0x30
[ 287.119983]
[ 287.119983] -> #1 ((work_completion)(&arg.work)){+.+.}-{0:0}:
[ 287.127219] __flush_work+0x345/0x490
[ 287.131429] pci_device_probe+0x2e3/0x490
[ 287.135979] really_probe+0x1f9/0x4e0
[ 287.140180] __driver_probe_device+0x77/0x100
[ 287.145079] driver_probe_device+0x1e/0x110
[ 287.149803] __device_attach_driver+0xe3/0x170
[ 287.154789] bus_for_each_drv+0x125/0x150
[ 287.159346] __device_attach+0xca/0x1a0
[ 287.163720] device_initial_probe+0x34/0x50
[ 287.168445] pci_bus_add_device+0x6e/0x90
[ 287.172995] pci_iov_add_virtfn+0x3c9/0x3e0
[ 287.177719] sriov_add_vfs+0x2c/0x60
[ 287.181838] sriov_enable+0x306/0x4a0
[ 287.186038] vfio_pci_core_sriov_configure+0x184/0x220
[ 287.191715] sriov_numvfs_store+0xd9/0x1c0
[ 287.196351] kernfs_fop_write_iter+0x13f/0x1d0
[ 287.201338] vfs_write+0x2be/0x3b0
[ 287.205286] ksys_write+0x73/0x100
[ 287.209233] do_syscall_64+0x14d/0x750
[ 287.213529] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 287.219120]
[ 287.219120] -> #0 (&vdev->memory_lock){+.+.}-{4:4}:
[ 287.225491] __lock_acquire+0x14c6/0x2800
[ 287.230048] lock_acquire+0xd3/0x2f0
[ 287.234168] down_write+0x3a/0xc0
[ 287.238019] vfio_pci_core_runtime_resume+0x1f/0xa0
[ 287.243436] __rpm_callback+0x8c/0x310
[ 287.247730] rpm_resume+0x529/0x6f0
[ 287.251765] __pm_runtime_resume+0x68/0x90
[ 287.256402] vfio_pci_core_enable+0x44/0x310
[ 287.261216] vfio_pci_open_device+0x1c/0x80
[ 287.265947] vfio_df_open+0x10f/0x150
[ 287.270148] vfio_group_fops_unl_ioctl+0x4a4/0x7b0
[ 287.275476] __se_sys_ioctl+0x71/0xc0
[ 287.279679] do_syscall_64+0x14d/0x750
[ 287.283975] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 287.289559]
[ 287.289559] other info that might help us debug this:
[ 287.289559]
[ 287.297582] Chain exists of:
[ 287.297582] &vdev->memory_lock --> (work_completion)(&arg.work)
--> &new_dev_set->lock
[ 287.297582]
[ 287.310023] Possible unsafe locking scenario:
[ 287.310023]
[ 287.315961] CPU0 CPU1
[ 287.320510] ---- ----
[ 287.325059] lock(&new_dev_set->lock);
[ 287.328917]
lock((work_completion)(&arg.work));
[ 287.336153] lock(&new_dev_set->lock);
[ 287.342523] lock(&vdev->memory_lock);
[ 287.346382]
[ 287.346382] *** DEADLOCK ***
[ 287.346382]
[ 287.352315] 2 locks held by vfio_pci_sriov_/18636:
[ 287.357125] #0: ff45bea208ed3e18 (&group->group_lock){+.+.}-{4:4},
at: vfio_group_fops_unl_ioctl+0x3e3/0x7b0
[ 287.367048] #1: ff45bea3a96b8230 (&new_dev_set->lock){+.+.}-{4:4},
at: vfio_group_fops_unl_ioctl+0x44d/0x7b0
[ 287.376976]
[ 287.376976] stack backtrace:
[ 287.381353] CPU: 191 UID: 0 PID: 18636 Comm: vfio_pci_sriov_
Tainted: G S 7.0.0-dbg-DEV #3 PREEMPTLAZY
[ 287.381355] Tainted: [S]=CPU_OUT_OF_SPEC
[ 287.381356] Call Trace:
[ 287.381357] <TASK>
[ 287.381358] dump_stack_lvl+0x54/0x70
[ 287.381361] print_circular_bug+0x2e1/0x300
[ 287.381363] check_noncircular+0xf9/0x120
[ 287.381364] ? __lock_acquire+0x5b4/0x2800
[ 287.381366] __lock_acquire+0x14c6/0x2800
[ 287.381368] ? pci_mmcfg_read+0x4f/0x220
[ 287.381370] ? pci_mmcfg_write+0x57/0x220
[ 287.381371] ? lock_acquire+0xd3/0x2f0
[ 287.381373] ? pci_mmcfg_write+0x57/0x220
[ 287.381374] ? lock_release+0xef/0x360
[ 287.381376] ? vfio_pci_core_runtime_resume+0x1f/0xa0
[ 287.381377] lock_acquire+0xd3/0x2f0
[ 287.381378] ? vfio_pci_core_runtime_resume+0x1f/0xa0
[ 287.381379] ? lock_is_held_type+0x76/0x100
[ 287.381382] down_write+0x3a/0xc0
[ 287.381382] ? vfio_pci_core_runtime_resume+0x1f/0xa0
[ 287.381383] vfio_pci_core_runtime_resume+0x1f/0xa0
[ 287.381384] ? __pfx_pci_pm_runtime_resume+0x10/0x10
[ 287.381385] __rpm_callback+0x8c/0x310
[ 287.381386] ? ktime_get_mono_fast_ns+0x3d/0xb0
[ 287.381389] ? __pfx_pci_pm_runtime_resume+0x10/0x10
[ 287.381390] rpm_resume+0x529/0x6f0
[ 287.381392] ? lock_is_held_type+0x76/0x100
[ 287.381394] __pm_runtime_resume+0x68/0x90
[ 287.381396] vfio_pci_core_enable+0x44/0x310
[ 287.381398] vfio_pci_open_device+0x1c/0x80
[ 287.381399] vfio_df_open+0x10f/0x150
[ 287.381401] vfio_group_fops_unl_ioctl+0x4a4/0x7b0
[ 287.381402] __se_sys_ioctl+0x71/0xc0
[ 287.381404] do_syscall_64+0x14d/0x750
[ 287.381405] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 287.381406] ? trace_irq_disable+0x25/0xd0
[ 287.381409] entry_SYSCALL_64_after_hwframe+0x77/0x7f
Introduce a private flag 'sriov_active' in the vfio_pci_core_device
struct. This allows the driver to track the SR-IOV power state requirement
without relying on pci_num_vf() while holding the memory_lock. The lock is
now only held to set the flag and ensure the device is in D0, after which
pci_enable_sriov() can be called without the lock.
Fixes: f4162eb1e2fc ("vfio/pci: Change the PF power state to D0 before enabling VFs")
Cc: stable@vger.kernel.org
Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
Suggested-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
Link: https://lore.kernel.org/r/20260514173449.3282188-1-rananta@google.com
[promote bitfield to plain bool to avoid storage-unit races]
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/vfio_pci_core.c | 17 ++++++++++++++---
include/linux/vfio_pci_core.h | 1 +
2 files changed, 15 insertions(+), 3 deletions(-)
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -271,8 +271,11 @@ int vfio_pci_set_power_state(struct vfio
int ret;
/* Prevent changing power state for PFs with VFs enabled */
- if (pci_num_vf(pdev) && state > PCI_D0)
- return -EBUSY;
+ if (state > PCI_D0) {
+ lockdep_assert_held_write(&vdev->memory_lock);
+ if (vdev->sriov_active)
+ return -EBUSY;
+ }
if (vdev->needs_pm_restore) {
if (pdev->current_state < PCI_D3hot && state >= PCI_D3hot) {
@@ -2327,8 +2330,9 @@ int vfio_pci_core_sriov_configure(struct
down_write(&vdev->memory_lock);
vfio_pci_set_power_state(vdev, PCI_D0);
- ret = pci_enable_sriov(pdev, nr_virtfn);
+ vdev->sriov_active = true;
up_write(&vdev->memory_lock);
+ ret = pci_enable_sriov(pdev, nr_virtfn);
if (ret) {
pm_runtime_put(&pdev->dev);
goto out_del;
@@ -2342,6 +2346,13 @@ int vfio_pci_core_sriov_configure(struct
}
out_del:
+ /*
+ * Avoid taking the memory_lock intentionally. A race with a power
+ * state transition would at most result in an -EBUSY, leaving the
+ * device in PCI_D0.
+ */
+ vdev->sriov_active = false;
+
mutex_lock(&vfio_pci_sriov_pfs_mutex);
list_del_init(&vdev->sriov_pfs_item);
out_unlock:
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -127,6 +127,7 @@ struct vfio_pci_core_device {
bool needs_pm_restore:1;
bool pm_intx_masked:1;
bool pm_runtime_engaged:1;
+ bool sriov_active;
struct pci_saved_state *pci_saved_state;
struct pci_saved_state *pm_save;
int ioeventfds_nr;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 107/518] vfio/pci: Latch disable_idle_d3 per device
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 106/518] vfio/pci: Use a private flag to prevent power state change with VFs Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 108/518] vfio/pci: Release the VGA arbiter client on register_device() failure Greg Kroah-Hartman
` (414 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Williamson, Kevin Tian,
Alex Williamson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@nvidia.com>
commit 4575e9aac5336d1365138c0284773bf8da4b1fa3 upstream.
When disable_idle_d3 was introduced in vfio-pci, it directly manipulated
the device power state with pci_set_power_state(). There were no
refcounts to maintain or balanced operations, we could unconditionally
bring the device to D0 and conditionally move it to D3hot. Therefore
the module parameter was made writable.
Later, in commit c61302aa48f7 ("vfio/pci: Move module parameters to
vfio_pci.c"), as part of the vfio-pci-core split, the writable aspect
of the module parameter was nullified. The parameter value could still
be changed through sysfs, but the vfio-pci driver latched the values
into vfio-pci-core globals at module init. Loading the vfio-pci module,
or unloading and reloading, with non-default or different values could
change the globals relative to existing devices bound to vfio-pci
variant drivers.
Runtime PM was introduced in commit 7ab5e10eda02 ("vfio/pci: Move the
unused device into low power state with runtime PM"), which marks the
point where power states became refcounted. PM get and put operations
need to be balanced, but the same module operations noted above can
change the global variables relative to those devices already bound to
vfio-pci variant drivers. This introduces a window where PM operations
can now become unbalanced.
To resolve this with a narrow footprint for stable backports, the
disable_idle_d3 flag is latched into the vfio_pci_core_device at the
time of initialization, such that the device always operates with a
consistent value.
NB. vfio_pci_dev_set_try_reset() now unconditionally raises the
runtime PM usage count around bus reset to account for disable_idle_d3
becoming a per-device rather than global flag. When this flag is set,
the additional get/put pair is harmless and allows continued use of the
shared vfio_pci_dev_set_pm_runtime_get() helper.
Fixes: 7ab5e10eda02 ("vfio/pci: Move the unused device into low power state with runtime PM")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260615191241.688297-2-alex.williamson@nvidia.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/vfio_pci_core.c | 19 ++++++++++---------
include/linux/vfio_pci_core.h | 1 +
2 files changed, 11 insertions(+), 9 deletions(-)
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -538,7 +538,7 @@ int vfio_pci_core_enable(struct vfio_pci
u16 cmd;
u8 msix_pos;
- if (!disable_idle_d3) {
+ if (!vdev->disable_idle_d3) {
ret = pm_runtime_resume_and_get(&pdev->dev);
if (ret < 0)
return ret;
@@ -617,7 +617,7 @@ out_free_state:
out_disable_device:
pci_disable_device(pdev);
out_power:
- if (!disable_idle_d3)
+ if (!vdev->disable_idle_d3)
pm_runtime_put(&pdev->dev);
return ret;
}
@@ -753,7 +753,7 @@ out:
vfio_pci_dev_set_try_reset(vdev->vdev.dev_set);
/* Put the pm-runtime usage counter acquired during enable */
- if (!disable_idle_d3)
+ if (!vdev->disable_idle_d3)
pm_runtime_put(&pdev->dev);
}
EXPORT_SYMBOL_GPL(vfio_pci_core_disable);
@@ -2145,6 +2145,8 @@ int vfio_pci_core_init_dev(struct vfio_d
init_rwsem(&vdev->memory_lock);
xa_init(&vdev->ctx);
+ vdev->disable_idle_d3 = disable_idle_d3;
+
return 0;
}
EXPORT_SYMBOL_GPL(vfio_pci_core_init_dev);
@@ -2240,7 +2242,7 @@ int vfio_pci_core_register_device(struct
dev->driver->pm = &vfio_pci_core_pm_ops;
pm_runtime_allow(dev);
- if (!disable_idle_d3)
+ if (!vdev->disable_idle_d3)
pm_runtime_put(dev);
ret = vfio_register_group_dev(&vdev->vdev);
@@ -2249,7 +2251,7 @@ int vfio_pci_core_register_device(struct
return 0;
out_power:
- if (!disable_idle_d3)
+ if (!vdev->disable_idle_d3)
pm_runtime_get_noresume(dev);
pm_runtime_forbid(dev);
@@ -2268,7 +2270,7 @@ void vfio_pci_core_unregister_device(str
vfio_pci_vf_uninit(vdev);
vfio_pci_vga_uninit(vdev);
- if (!disable_idle_d3)
+ if (!vdev->disable_idle_d3)
pm_runtime_get_noresume(&vdev->pdev->dev);
pm_runtime_forbid(&vdev->pdev->dev);
@@ -2600,7 +2602,7 @@ static void vfio_pci_dev_set_try_reset(s
* state. Increment the usage count for all the devices in the dev_set
* before reset and decrement the same after reset.
*/
- if (!disable_idle_d3 && vfio_pci_dev_set_pm_runtime_get(dev_set))
+ if (vfio_pci_dev_set_pm_runtime_get(dev_set))
return;
if (!pci_reset_bus(pdev))
@@ -2610,8 +2612,7 @@ static void vfio_pci_dev_set_try_reset(s
if (reset_done)
cur->needs_reset = false;
- if (!disable_idle_d3)
- pm_runtime_put(&cur->pdev->dev);
+ pm_runtime_put(&cur->pdev->dev);
}
}
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -127,6 +127,7 @@ struct vfio_pci_core_device {
bool needs_pm_restore:1;
bool pm_intx_masked:1;
bool pm_runtime_engaged:1;
+ bool disable_idle_d3:1;
bool sriov_active;
struct pci_saved_state *pci_saved_state;
struct pci_saved_state *pm_save;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 108/518] vfio/pci: Release the VGA arbiter client on register_device() failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 107/518] vfio/pci: Latch disable_idle_d3 per device Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 109/518] vfio/pci: Fix racy bitfields and tighten struct layout Greg Kroah-Hartman
` (413 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Williamson, Kevin Tian,
Alex Williamson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@nvidia.com>
commit daedde7f024ecf88bc8e832ed40cf2c795f0796a upstream.
The re-order in the Fixes commit below displaced vfio_pci_vga_init() as
the last failure point of what is now vfio_pci_core_register_device()
without introducing an unwind for the VGA arbiter registration.
In current kernels this is mostly benign because vfio_pci_set_decode()
only uses pci_dev state, but the original failure path could leave a
callback with a freed vdev cookie. The stale registration also becomes
unsafe again once the callback follows drvdata to the vfio device.
Add the required VGA unwind callout.
Fixes: 4aeec3984ddc ("vfio/pci: Re-order vfio_pci_probe()")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260615191241.688297-3-alex.williamson@nvidia.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/vfio_pci_core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -2255,6 +2255,7 @@ out_power:
pm_runtime_get_noresume(dev);
pm_runtime_forbid(dev);
+ vfio_pci_vga_uninit(vdev);
out_vf:
vfio_pci_vf_uninit(vdev);
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 109/518] vfio/pci: Fix racy bitfields and tighten struct layout
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 108/518] vfio/pci: Release the VGA arbiter client on register_device() failure Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 110/518] vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc Greg Kroah-Hartman
` (412 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Williamson, Kevin Tian,
Alex Williamson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@nvidia.com>
commit e73638e55f861758d49f14d7bb5dba3035981cd7 upstream.
Bitfield operations are not atomic, they use a read-modify-write
pattern, therefore we should be careful not to pack bitfields that
can be concurrently updated into the same storage unit.
This split takes a binary approach: flags that are only modified
pre/post open/close remain bitfields, flags modified from user
action, including actions that reach across to another device (ex.
reset) use dedicated storage units.
Note that the virq_disabled and bardirty flags are relocated to fill
an existing hole in the structure.
Bitfield justifications:
has_dyn_msix: written only in vfio_pci_core_enable()
pci_2_3: written only in vfio_pci_core_enable()
reset_works: written only in vfio_pci_core_enable()
extended_caps: written only in vfio_cap_len() under vfio_config_init()
has_vga: written only in vfio_pci_core_enable()
nointx: written only in vfio_pci_core_enable()
needs_pm_restore: written only in vfio_pci_probe_power_state()
disable_idle_d3: written only at .init in vfio_pci_core_init_dev()
Dedicated storage units:
virq_disabled: written by guest INTx command writes in
vfio_basic_config_write() while the device is open
bardirty: written by guest BAR writes in vfio_basic_config_write()
while the device is open
pm_intx_masked: written in the runtime-PM suspend path.
pm_runtime_engaged: written by low-power feature entry/exit paths
needs_reset: set in vfio_pci_core_disable() and cleared for devices in
the set by vfio_pci_dev_set_try_reset()
sriov_active: written by vfio_pci_core_sriov_configure() via sysfs
sriov_numvfs while bound.
Fixes: 9cd0f6d5cbb6 ("vfio/pci: Use bitfield for struct vfio_pci_core_device flags")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260615191241.688297-4-alex.williamson@nvidia.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/vfio_pci_core.h | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -101,6 +101,9 @@ struct vfio_pci_core_device {
const struct vfio_pci_device_ops *pci_ops;
void __iomem *barmap[PCI_STD_NUM_BARS];
bool bar_mmap_supported[PCI_STD_NUM_BARS];
+ /* Flags modified at runtime - dedicated storage unit */
+ bool virq_disabled;
+ bool bardirty;
u8 *pci_config_map;
u8 *vconfig;
struct perm_bits *msi_perm;
@@ -115,19 +118,19 @@ struct vfio_pci_core_device {
u16 msix_size;
u32 msix_offset;
u32 rbar[7];
+ /* Flags only modified on setup/release - bitfield ok */
bool has_dyn_msix:1;
bool pci_2_3:1;
- bool virq_disabled:1;
bool reset_works:1;
bool extended_caps:1;
- bool bardirty:1;
bool has_vga:1;
- bool needs_reset:1;
bool nointx:1;
bool needs_pm_restore:1;
- bool pm_intx_masked:1;
- bool pm_runtime_engaged:1;
bool disable_idle_d3:1;
+ /* Flags modified at runtime - dedicated storage unit */
+ bool needs_reset;
+ bool pm_intx_masked;
+ bool pm_runtime_engaged;
bool sriov_active;
struct pci_saved_state *pci_saved_state;
struct pci_saved_state *pm_save;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 110/518] vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 109/518] vfio/pci: Fix racy bitfields and tighten struct layout Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 111/518] vfio: Remove device debugfs before releasing devres Greg Kroah-Hartman
` (411 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Kevin Tian,
Jason Gunthorpe, Alex Williamson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit a26b499b757cfc8bbff1088bb1b844639e250893 upstream.
vfio_mig_get_next_state() walks vfio_from_fsm_table[] one step at a time,
looping to skip optional states the device does not support until
*next_fsm is supported. A blocked transition is encoded as
VFIO_DEVICE_STATE_ERROR, which the trailing return reports as -EINVAL.
The skip loop does not account for the ERROR sentinel.
state_flags_table[ERROR] is ~0U and vfio_from_fsm_table[ERROR][*] is
ERROR, so once *next_fsm becomes ERROR the loop condition stays true and
*next_fsm never changes. The blocked arcs STOP_COPY -> PRE_COPY and
STOP_COPY -> PRE_COPY_P2P map to ERROR yet pass the support check on a
precopy-capable device, causing the loop to spin forever while holding
the driver state mutex. This can result in a soft lockup, and a panic
with softlockup_panic set.
Terminate the skip loop on the ERROR sentinel so a blocked transition
falls through to the existing return and reports -EINVAL.
Fixes: 4db52602a607 ("vfio: Extend the device migration protocol with PRE_COPY")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/SYBPR01MB7881290BBDE79B61AE6A017FAF122@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/vfio_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/vfio/vfio_main.c
+++ b/drivers/vfio/vfio_main.c
@@ -858,7 +858,8 @@ int vfio_mig_get_next_state(struct vfio_
* logical state, as per the above comment.
*/
*next_fsm = vfio_from_fsm_table[cur_fsm][new_fsm];
- while ((state_flags_table[*next_fsm] & device->migration_flags) !=
+ while (*next_fsm != VFIO_DEVICE_STATE_ERROR &&
+ (state_flags_table[*next_fsm] & device->migration_flags) !=
state_flags_table[*next_fsm])
*next_fsm = vfio_from_fsm_table[*next_fsm][new_fsm];
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 111/518] vfio: Remove device debugfs before releasing devres
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 110/518] vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 112/518] vfio/mlx5: Fix racy bitfields and tighten struct layout Greg Kroah-Hartman
` (410 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko AI Review, Longfang Liu,
Alex Williamson, Kevin Tian, Alex Williamson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@nvidia.com>
commit dc7fe87de492ea7f33a72b78d26650b75bf37f4f upstream.
VFIO device debugfs files created with debugfs_create_devm_seqfile()
store a devres allocated debugfs_devm_entry as inode private data.
vfio_unregister_group_dev() currently calls vfio_device_del() before
vfio_device_debugfs_exit(), but device_del() releases devres. This can
leave debugfs entries visible with stale inode private data while
unregister waits for userspace references to drain.
Remove the per-device debugfs tree before vfio_device_del(). The debugfs
view is diagnostic only, so losing it at the start of unregister is
preferable to preserving entries whose backing storage may already have
been released.
Complete the teardown by clearing the per-device debugfs root after
removal. This matches the global debugfs root cleanup and prevents
future users from mistaking a removed dentry for a live debugfs tree
during the remainder of unregister.
Fixes: 2202844e4468 ("vfio/migration: Add debugfs to live migration driver")
Reported-by: Sashiko AI Review <sashiko-bot@kernel.org>
Link: https://lore.kernel.org/r/20260615192725.6A2221F000E9@smtp.kernel.org
Cc: stable@vger.kernel.org
Cc: Longfang Liu <liulongfang@huawei.com>
Assisted-by: OpenAI Codex:gpt-5
Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260615204717.735302-1-alex.williamson@nvidia.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/debugfs.c | 1 +
drivers/vfio/vfio_main.c | 8 +++++++-
2 files changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/vfio/debugfs.c
+++ b/drivers/vfio/debugfs.c
@@ -97,6 +97,7 @@ void vfio_device_debugfs_init(struct vfi
void vfio_device_debugfs_exit(struct vfio_device *vdev)
{
debugfs_remove_recursive(vdev->debug_root);
+ vdev->debug_root = NULL;
}
void vfio_debugfs_create_root(void)
--- a/drivers/vfio/vfio_main.c
+++ b/drivers/vfio/vfio_main.c
@@ -407,6 +407,13 @@ void vfio_unregister_group_dev(struct vf
vfio_device_group_unregister(device);
/*
+ * Remove debugfs before device_del(), which releases devres. Some
+ * debugfs entries are created with debugfs_create_devm_seqfile() and
+ * therefore rely on devres-managed inode private data.
+ */
+ vfio_device_debugfs_exit(device);
+
+ /*
* Balances vfio_device_add() in register path, also prevents
* new device opened by userspace in the cdev path.
*/
@@ -435,7 +442,6 @@ void vfio_unregister_group_dev(struct vf
}
}
- vfio_device_debugfs_exit(device);
/* Balances vfio_device_set_group in register path */
vfio_device_remove_group(device);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 112/518] vfio/mlx5: Fix racy bitfields and tighten struct layout
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 111/518] vfio: Remove device debugfs before releasing devres Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 113/518] Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB Greg Kroah-Hartman
` (409 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yishai Hadas, Alex Williamson,
Kevin Tian, Alex Williamson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@nvidia.com>
commit f2365a63b02ddea32e7db78b742c2503ec7b81f1 upstream.
Bitfield operations are not atomic, they use a read-modify-write
pattern, therefore we should be careful not to pack bitfields that
can be concurrently updated into the same storage unit.
This split takes a binary approach: flags that are only modified
pre/post open/close remain bitfields, flags modified from user
action, including actions that reach across to another device (ex.
reset) use dedicated storage units.
Note mlx5_vhca_page_tracker.status is relocated to fill the alignment
hole this split exposes.
Bitfield justifications:
migrate_cap: written only in mlx5vf_cmd_set_migratable() at probe
chunk_mode: written only in mlx5vf_cmd_set_migratable() at probe
mig_state_cap: written only in mlx5vf_cmd_set_migratable() at probe
Dedicated storage units:
mdev_detach: written in the VF attach/detach event notifier
mlx5fv_vf_event() at runtime
log_active: written in mlx5vf_start_page_tracker()/
mlx5vf_stop_page_tracker() during runtime dirty tracking
deferred_reset: written in mlx5vf_state_mutex_unlock()/
mlx5vf_pci_aer_reset_done() during runtime reset handling
is_err: set by tracker error handling and dirty-log polling at runtime
object_changed: set by tracker event handling and cleared by dirty-log
polling at runtime
Fixes: 61a2f1460fd0 ("vfio/mlx5: Manage the VF attach/detach callback from the PF")
Fixes: 79c3cf279926 ("vfio/mlx5: Init QP based resources for dirty tracking")
Fixes: f886473071d6 ("vfio/mlx5: Add support for tracker object change event")
Cc: Yishai Hadas <yishaih@nvidia.com>
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260615191241.688297-5-alex.williamson@nvidia.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/mlx5/cmd.h | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/vfio/pci/mlx5/cmd.h
+++ b/drivers/vfio/pci/mlx5/cmd.h
@@ -158,26 +158,29 @@ struct mlx5_vhca_qp {
struct mlx5_vhca_page_tracker {
u32 id;
u32 pdn;
- u8 is_err:1;
- u8 object_changed:1;
+ /* Flags modified at runtime - dedicated storage unit */
+ u8 is_err;
+ u8 object_changed;
+ int status;
struct mlx5_uars_page *uar;
struct mlx5_vhca_cq cq;
struct mlx5_vhca_qp *host_qp;
struct mlx5_vhca_qp *fw_qp;
struct mlx5_nb nb;
- int status;
};
struct mlx5vf_pci_core_device {
struct vfio_pci_core_device core_device;
int vf_id;
u16 vhca_id;
+ /* Flags only modified on setup/release - bitfield ok */
u8 migrate_cap:1;
- u8 deferred_reset:1;
- u8 mdev_detach:1;
- u8 log_active:1;
u8 chunk_mode:1;
u8 mig_state_cap:1;
+ /* Flags modified at runtime - dedicated storage unit */
+ u8 mdev_detach;
+ u8 log_active;
+ u8 deferred_reset;
struct completion tracker_comp;
/* protect migration state */
struct mutex state_mutex;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 113/518] Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 112/518] vfio/mlx5: Fix racy bitfields and tighten struct layout Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 114/518] Bluetooth: btusb: fix use-after-free on registration failure Greg Kroah-Hartman
` (408 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zenm Chen, Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
commit 88b4d528eda4ac71c2952b3458f2abbc80a91cd2 upstream.
Add USB ID 2c4e:0128 for Mercusys MA60XNB, an RTL8851BU-based
Wi-Fi + Bluetooth adapter.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below:
T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=2c4e ProdID=0128 Rev= 0.00
S: Manufacturer=Realtek
S: Product=802.11ax WLAN Adapter
S: SerialNumber=00e04c000001
C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtw89_8851bu
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org # 6.6.x
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -531,6 +531,8 @@ static const struct usb_device_id quirks
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x7392, 0xe611), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2c4e, 0x0128), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8852AE Bluetooth devices */
{ USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK |
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 114/518] Bluetooth: btusb: fix use-after-free on registration failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 113/518] Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 115/518] Bluetooth: btusb: fix use-after-free on marvell probe failure Greg Kroah-Hartman
` (407 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Johan Hovold,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit eedc6867ebad73edbfaf9a0a65fbef7115cc4753 upstream.
Make sure to release the sibling interfaces in case controller
registration fails to avoid use-after-free and double-free when they are
eventually disconnected.
This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe errors paths.
Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
Cc: stable@vger.kernel.org # 2.6.27
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4409,7 +4409,7 @@ static int btusb_probe(struct usb_interf
err = hci_register_dev(hdev);
if (err < 0)
- goto out_free_dev;
+ goto err_release_siblings;
usb_set_intfdata(intf, data);
@@ -4418,6 +4418,15 @@ static int btusb_probe(struct usb_interf
return 0;
+err_release_siblings:
+ if (data->diag) {
+ usb_set_intfdata(data->diag, NULL);
+ usb_driver_release_interface(&btusb_driver, data->diag);
+ }
+ if (data->isoc) {
+ usb_set_intfdata(data->isoc, NULL);
+ usb_driver_release_interface(&btusb_driver, data->isoc);
+ }
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 115/518] Bluetooth: btusb: fix use-after-free on marvell probe failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 114/518] Bluetooth: btusb: fix use-after-free on registration failure Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 116/518] Bluetooth: btusb: fix wakeup source leak on " Greg Kroah-Hartman
` (406 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rajat Jain, Johan Hovold,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c5b600a3c05b1a7a110d558df935a8fc8a471c79 upstream.
Make sure to stop any TX URBs submitted during Marvell OOB wakeup
configuration on later probe failures to avoid use-after-free in the
completion callback.
This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe errors paths.
Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: a4ccc9e33d2f ("Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup")
Cc: stable@vger.kernel.org # 4.11
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4220,7 +4220,7 @@ static int btusb_probe(struct usb_interf
if (id->driver_info & BTUSB_INTEL_COMBINED) {
err = btintel_configure_setup(hdev, btusb_driver.name);
if (err)
- goto out_free_dev;
+ goto err_kill_tx_urbs;
/* Transport specific configuration */
hdev->send = btusb_send_frame_intel;
@@ -4383,7 +4383,7 @@ static int btusb_probe(struct usb_interf
err = usb_set_interface(data->udev, 0, 0);
if (err < 0) {
BT_ERR("failed to set interface 0, alt 0 %d", err);
- goto out_free_dev;
+ goto err_kill_tx_urbs;
}
}
@@ -4391,7 +4391,7 @@ static int btusb_probe(struct usb_interf
err = usb_driver_claim_interface(&btusb_driver,
data->isoc, data);
if (err < 0)
- goto out_free_dev;
+ goto err_kill_tx_urbs;
}
if (IS_ENABLED(CONFIG_BT_HCIBTUSB_BCM) && data->diag) {
@@ -4427,6 +4427,8 @@ err_release_siblings:
usb_set_intfdata(data->isoc, NULL);
usb_driver_release_interface(&btusb_driver, data->isoc);
}
+err_kill_tx_urbs:
+ usb_kill_anchored_urbs(&data->tx_anchor);
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 116/518] Bluetooth: btusb: fix wakeup source leak on probe failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 115/518] Bluetooth: btusb: fix use-after-free on marvell probe failure Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 117/518] binder: fix UAF in binder_thread_release() Greg Kroah-Hartman
` (405 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rajat Jain, Johan Hovold,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3d93e1bb0fb881fe3ef961d1120556658e9cac4d upstream.
Make sure to disable wakeup on probe failure to avoid leaking the wakeup
source.
Fixes: fd913ef7ce61 ("Bluetooth: btusb: Add out-of-band wakeup support")
Cc: stable@vger.kernel.org # 4.11
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2996,6 +2996,11 @@ static int marvell_config_oob_wake(struc
return 0;
}
+#else
+static inline int marvell_config_oob_wake(struct hci_dev *hdev)
+{
+ return 0;
+}
#endif
static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
@@ -3838,6 +3843,11 @@ static int btusb_config_oob_wake(struct
bt_dev_info(hdev, "OOB Wake-on-BT configured at IRQ %u", irq);
return 0;
}
+#else
+static inline int btusb_config_oob_wake(struct hci_dev *hdev)
+{
+ return 0;
+}
#endif
static void btusb_check_needs_reset_resume(struct usb_interface *intf)
@@ -4174,7 +4184,6 @@ static int btusb_probe(struct usb_interf
hdev->wakeup = btusb_wakeup;
hdev->hci_drv = &btusb_hci_drv;
-#ifdef CONFIG_PM
err = btusb_config_oob_wake(hdev);
if (err)
goto out_free_dev;
@@ -4183,9 +4192,9 @@ static int btusb_probe(struct usb_interf
if (id->driver_info & BTUSB_MARVELL && data->oob_wake_irq) {
err = marvell_config_oob_wake(hdev);
if (err)
- goto out_free_dev;
+ goto err_disable_wakeup;
}
-#endif
+
if (id->driver_info & BTUSB_CW6622)
hci_set_quirk(hdev, HCI_QUIRK_BROKEN_STORED_LINK_KEY);
@@ -4429,6 +4438,9 @@ err_release_siblings:
}
err_kill_tx_urbs:
usb_kill_anchored_urbs(&data->tx_anchor);
+err_disable_wakeup:
+ if (data->oob_wake_irq)
+ device_init_wakeup(&data->udev->dev, false);
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 117/518] binder: fix UAF in binder_thread_release()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 116/518] Bluetooth: btusb: fix wakeup source leak on " Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 118/518] binder: fix UAF in binder_free_transaction() Greg Kroah-Hartman
` (404 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl, Carlos Llamas
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit 114a116aaa5f0295376cdf12da743c5bce3b20ce upstream.
When a thread exits, binder_thread_release() walks its transaction stack
to clear the t->from and t->to_proc that correspond with the exiting
thread. However, a process dying in parallel might attempt to kfree some
of these transactions. And if one of them has no associated t->to_proc,
the t->to_proc->inner_lock will not be acquired.
This means that transaction accesses in binder_thread_release() after
t->to_proc has been cleared might race with binder_free_transaction()
and cause a use-after-free error as reported by KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in binder_thread_release+0x5d0/0x798
Write of size 8 at addr ffff000016627500 by task X/715
CPU: 17 UID: 0 PID: 715 Comm: X Not tainted 7.1.0-rc5-00149-g8fde5d1d47f6 #30 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
binder_thread_release+0x5d0/0x798
binder_ioctl+0x12c0/0x299c
[...]
Allocated by task 717 on cpu 18 at 67.267803s:
__kasan_kmalloc+0xa0/0xbc
__kmalloc_cache_noprof+0x174/0x444
binder_transaction+0x554/0x8150
binder_thread_write+0xa30/0x4354
binder_ioctl+0x20f0/0x299c
[...]
Freed by task 202 on cpu 18 at 90.416221s:
__kasan_slab_free+0x58/0x80
kfree+0x1a0/0x4a4
binder_free_transaction+0x150/0x294
binder_send_failed_reply+0x398/0x6d8
binder_release_work+0x3e4/0x4ec
binder_deferred_func+0xbd8/0x104c
[...]
==================================================================
In order to avoid this, make sure that binder_free_transaction() reads
the t->to_proc under the transaction lock. This will serialize the
transaction release with the accesses in binder_thread_release(). Plus,
it matches the documented locking rules for @to_proc.
Cc: stable <stable@kernel.org>
Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260619185233.2194678-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1658,7 +1658,11 @@ static void binder_txn_latency_free(stru
static void binder_free_transaction(struct binder_transaction *t)
{
- struct binder_proc *target_proc = t->to_proc;
+ struct binder_proc *target_proc;
+
+ spin_lock(&t->lock);
+ target_proc = t->to_proc;
+ spin_unlock(&t->lock);
if (target_proc) {
binder_inner_proc_lock(target_proc);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 118/518] binder: fix UAF in binder_free_transaction()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 117/518] binder: fix UAF in binder_thread_release() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 119/518] rust_binder: use a u64 stride when cleaning up the offsets array Greg Kroah-Hartman
` (403 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl, Carlos Llamas
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit f223d27a546c1e1f48d38fd67760e78f068fe8c4 upstream.
In binder_free_transaction(), the t->to_proc is read under the t->lock.
However, once the t->lock is dropped, the to_proc can die in parallel.
This leads to a use-after-free error when we attempt to acquire its
inner lock right afterwards:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x1a0
Write of size 4 at addr ffff00001125da70 by task B/672
CPU: 20 UID: 0 PID: 672 Comm: B Not tainted 7.1.0-rc6-00284-g8e65320d91cd #4 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x1a0
binder_free_transaction+0x8c/0x320
binder_send_failed_reply+0x21c/0x2f8
binder_thread_release+0x488/0x7e0
binder_ioctl+0x12c0/0x29a0
[...]
Allocated by task 675:
__kmalloc_cache_noprof+0x174/0x444
binder_open+0x118/0xb70
do_dentry_open+0x374/0x1040
vfs_open+0x58/0x3bc
[...]
Freed by task 212:
__kasan_slab_free+0x58/0x80
kfree+0x1a0/0x4a4
binder_proc_dec_tmpref+0x32c/0x5e0
binder_deferred_func+0xc48/0x104c
process_one_work+0x53c/0xbc0
[...]
==================================================================
To prevent this, pin the target thread (t->to_thread) to guarantee the
target process remains alive. Undelivered transactions without a target
thread are already safe, as the target process can only be the current
context in those paths.
Cc: stable <stable@kernel.org>
Reported-by: Alice Ryhl <aliceryhl@google.com>
Closes: https://lore.kernel.org/all/aikJKVuny_eOivwN@google.com/
Fixes: a370003cc301 ("binder: fix possible UAF when freeing buffer")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260619185233.2194678-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1658,10 +1658,19 @@ static void binder_txn_latency_free(stru
static void binder_free_transaction(struct binder_transaction *t)
{
+ struct binder_thread *target_thread;
struct binder_proc *target_proc;
spin_lock(&t->lock);
target_proc = t->to_proc;
+ target_thread = t->to_thread;
+ /*
+ * Pin target_thread to keep target_proc alive. Undelivered
+ * transactions with !target_thread are safe, as target_proc
+ * can only be the current context there.
+ */
+ if (target_thread)
+ atomic_inc(&target_thread->tmp_ref);
spin_unlock(&t->lock);
if (target_proc) {
@@ -1676,6 +1685,10 @@ static void binder_free_transaction(stru
t->buffer->transaction = NULL;
binder_inner_proc_unlock(target_proc);
}
+
+ if (target_thread)
+ binder_thread_dec_tmpref(target_thread);
+
if (trace_binder_txn_latency_free_enabled())
binder_txn_latency_free(t);
/*
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 119/518] rust_binder: use a u64 stride when cleaning up the offsets array
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 118/518] binder: fix UAF in binder_free_transaction() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 120/518] rust_binder: fix BINDER_GET_EXTENDED_ERROR Greg Kroah-Hartman
` (402 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Hyunwoo Kim, Carlos Llamas,
Alice Ryhl
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
commit 803c8a9502e9b97cd6ae937618ef4a8fd6274343 upstream.
Allocation's Drop walks the offsets array (binder_size_t = u64 entries),
cleaning up the objects, but it used usize instead of u64 for both the
stride and the per-entry read.
On 64-bit kernels (usize == u64) this is harmless, but on 32-bit kernels
it walks the 8-byte entries in 4-byte steps, iterating an N-entry array
2N times, and reads the always-zero high word as offset 0, cleaning up
the object at offset 0 N extra times. As a result the referenced node or
handle ends up with a lower reference count than it actually has (a
refcount over-decrement), and binder's reference accounting is corrupted;
for example, the owner can be notified of a strong reference release
(BR_RELEASE) even though references still remain.
Change the stride to u64, and read each entry as a u64, narrowing it to
usize with try_into().
On 32-bit ARM, when this over-decrement would drive a count below zero,
the driver's existing refcount guard refuses it and fires:
rust_binder: Failure: refcount underflow!
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/ahw3tFhLz9bMMJAO@v4bel
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/allocation.rs | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/android/binder/allocation.rs
+++ b/drivers/android/binder/allocation.rs
@@ -259,7 +259,7 @@ impl Drop for Allocation {
if let Some(offsets) = info.offsets.clone() {
let view = AllocationView::new(self, offsets.start);
- for i in offsets.step_by(size_of::<usize>()) {
+ for i in offsets.step_by(size_of::<u64>()) {
if view.cleanup_object(i).is_err() {
pr_warn!("Error cleaning up object at offset {}\n", i)
}
@@ -420,7 +420,8 @@ impl<'a> AllocationView<'a> {
}
fn cleanup_object(&self, index_offset: usize) -> Result {
- let offset = self.alloc.read(index_offset)?;
+ let offset = self.alloc.read::<u64>(index_offset)?;
+ let offset: usize = offset.try_into().map_err(|_| EINVAL)?;
let header = self.read::<BinderObjectHeader>(offset)?;
match header.type_ {
BINDER_TYPE_WEAK_BINDER | BINDER_TYPE_BINDER => {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 120/518] rust_binder: fix BINDER_GET_EXTENDED_ERROR
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 119/518] rust_binder: use a u64 stride when cleaning up the offsets array Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 121/518] rust_binder: reject context manager self-transaction Greg Kroah-Hartman
` (401 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl, Carlos Llamas
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 77bfebf110773f5a0d6b5ff8110896adb2c9c335 upstream.
This code currently copies the ExtendedError struct to the stack,
modifies the copy, and then doesn't modify the original. Thus, fix it.
Furthermore, errors when replying must be delivered directly to the
remote thread, so update deliver_reply() to take an extended error
argument.
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260605-set-extended-error-v3-1-d60b69a75f97@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/error.rs | 13 ++----
drivers/android/binder/thread.rs | 65 ++++++++++++++++++++++++----------
drivers/android/binder/transaction.rs | 15 +++----
3 files changed, 58 insertions(+), 35 deletions(-)
--- a/drivers/android/binder/error.rs
+++ b/drivers/android/binder/error.rs
@@ -73,20 +73,17 @@ impl fmt::Debug for BinderError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self.reply {
BR_FAILED_REPLY => match self.source.as_ref() {
- Some(source) => f
- .debug_struct("BR_FAILED_REPLY")
- .field("source", source)
- .finish(),
+ Some(source) => source.fmt(f),
None => f.pad("BR_FAILED_REPLY"),
},
BR_DEAD_REPLY => f.pad("BR_DEAD_REPLY"),
BR_FROZEN_REPLY => f.pad("BR_FROZEN_REPLY"),
BR_TRANSACTION_PENDING_FROZEN => f.pad("BR_TRANSACTION_PENDING_FROZEN"),
BR_TRANSACTION_COMPLETE => f.pad("BR_TRANSACTION_COMPLETE"),
- _ => f
- .debug_struct("BinderError")
- .field("reply", &self.reply)
- .finish(),
+ _ => match self.source.as_ref() {
+ Some(source) => source.fmt(f),
+ None => self.reply.fmt(f),
+ },
}
}
}
--- a/drivers/android/binder/thread.rs
+++ b/drivers/android/binder/thread.rs
@@ -495,9 +495,16 @@ impl Thread {
Ok(())
}
+ pub(crate) fn clear_extended_error(&self, debug_id: usize) {
+ self.inner.lock().extended_error = ExtendedError::new(debug_id as u32, BR_OK, 0);
+ }
+
pub(crate) fn get_extended_error(&self, data: UserSlice) -> Result {
let mut writer = data.writer();
- let ee = self.inner.lock().extended_error;
+ let mut inner = self.inner.lock();
+ let ee = inner.extended_error;
+ inner.extended_error = ExtendedError::new(0, BR_OK, 0);
+ drop(inner);
writer.write(&ee)?;
Ok(())
}
@@ -1109,7 +1116,10 @@ impl Thread {
inner.pop_transaction_to_reply(thread.as_ref())
} {
let reply = Err(BR_DEAD_REPLY);
- if !transaction.from.deliver_single_reply(reply, &transaction) {
+ if !transaction
+ .from
+ .deliver_single_reply(reply, &transaction, None)
+ {
break;
}
@@ -1121,8 +1131,9 @@ impl Thread {
&self,
reply: Result<DLArc<Transaction>, u32>,
transaction: &DArc<Transaction>,
+ extended_error: Option<ExtendedError>,
) {
- if self.deliver_single_reply(reply, transaction) {
+ if self.deliver_single_reply(reply, transaction, extended_error) {
transaction.from.unwind_transaction_stack();
}
}
@@ -1136,6 +1147,7 @@ impl Thread {
&self,
reply: Result<DLArc<Transaction>, u32>,
transaction: &DArc<Transaction>,
+ extended_error: Option<ExtendedError>,
) -> bool {
if let Ok(transaction) = &reply {
crate::trace::trace_transaction(true, transaction, Some(&self.task));
@@ -1152,6 +1164,12 @@ impl Thread {
return true;
}
+ if let Some(ee) = extended_error {
+ if inner.extended_error.command == BR_OK {
+ inner.extended_error = ee;
+ }
+ }
+
match reply {
Ok(work) => {
inner.push_work(work);
@@ -1222,6 +1240,9 @@ impl Thread {
info.buffers_size = td.buffers_size as usize;
// SAFETY: Above `read` call initializes all bytes, so this union read is ok.
info.target_handle = unsafe { td.transaction_data.target.handle };
+
+ info.debug_id = super::next_debug_id();
+
Ok(())
}
@@ -1230,6 +1251,8 @@ impl Thread {
let mut info = TransactionInfo::zeroed();
self.read_transaction_info(cmd, reader, &mut info)?;
+ self.clear_extended_error(info.debug_id);
+
let ret = if info.is_reply {
self.reply_inner(&mut info)
} else if info.is_oneway() {
@@ -1239,23 +1262,21 @@ impl Thread {
};
if let Err(err) = ret {
- if err.reply != BR_TRANSACTION_COMPLETE {
- info.reply = err.reply;
- }
-
self.push_return_work(err.reply);
- if let Some(source) = &err.source {
- info.errno = source.to_errno();
+ if err.reply != BR_TRANSACTION_COMPLETE {
info.reply = err.reply;
+ if let Some(source) = &err.source {
+ info.errno = source.to_errno();
- {
- let mut ee = self.inner.lock().extended_error;
- ee.command = err.reply;
- ee.param = source.to_errno();
+ {
+ let mut inner = self.inner.lock();
+ inner.extended_error =
+ ExtendedError::new(info.debug_id as u32, err.reply, source.to_errno());
+ }
}
pr_warn!(
- "{}:{} transaction to {} failed: {source:?}",
+ "{}:{} transaction to {} failed: {err:?}",
info.from_pid,
info.from_tid,
info.to_pid
@@ -1320,18 +1341,24 @@ impl Thread {
let allow_fds = orig.flags & TF_ACCEPT_FDS != 0;
let reply = Transaction::new_reply(self, process, info, allow_fds)?;
self.inner.lock().push_work(completion);
- orig.from.deliver_reply(Ok(reply), &orig);
+ orig.from.deliver_reply(Ok(reply), &orig, None);
Ok(())
})()
.map_err(|mut err| {
// At this point we only return `BR_TRANSACTION_COMPLETE` to the caller, and we must let
// the sender know that the transaction has completed (with an error in this case).
+
pr_warn!(
- "Failure {:?} during reply - delivering BR_FAILED_REPLY to sender.",
- err
+ "{}:{} reply to {} failed: {err:?}",
+ info.from_pid,
+ info.from_tid,
+ info.to_pid
);
- let reply = Err(BR_FAILED_REPLY);
- orig.from.deliver_reply(reply, &orig);
+
+ let param = err.source.as_ref().map_or(0, |e| e.to_errno());
+ let ee = ExtendedError::new(info.debug_id as u32, err.reply, param);
+ orig.from
+ .deliver_reply(Err(BR_FAILED_REPLY), &orig, Some(ee));
err.reply = BR_TRANSACTION_COMPLETE;
err
});
--- a/drivers/android/binder/transaction.rs
+++ b/drivers/android/binder/transaction.rs
@@ -42,6 +42,7 @@ pub(crate) struct TransactionInfo {
pub(crate) reply: u32,
pub(crate) oneway_spam_suspect: bool,
pub(crate) is_reply: bool,
+ pub(crate) debug_id: usize,
}
impl TransactionInfo {
@@ -93,7 +94,6 @@ impl Transaction {
from: &Arc<Thread>,
info: &mut TransactionInfo,
) -> BinderResult<DLArc<Self>> {
- let debug_id = super::next_debug_id();
let allow_fds = node_ref.node.flags & FLAT_BINDER_FLAG_ACCEPTS_FDS != 0;
let txn_security_ctx = node_ref.node.flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX != 0;
let mut txn_security_ctx_off = if txn_security_ctx { Some(0) } else { None };
@@ -101,7 +101,7 @@ impl Transaction {
let mut alloc = match from.copy_transaction_data(
to.clone(),
info,
- debug_id,
+ info.debug_id,
allow_fds,
txn_security_ctx_off.as_mut(),
) {
@@ -128,7 +128,7 @@ impl Transaction {
let data_address = alloc.ptr;
Ok(DTRWrap::arc_pin_init(pin_init!(Transaction {
- debug_id,
+ debug_id: info.debug_id,
target_node: Some(target_node),
from_parent,
sender_euid: Kuid::current_euid(),
@@ -152,9 +152,8 @@ impl Transaction {
info: &mut TransactionInfo,
allow_fds: bool,
) -> BinderResult<DLArc<Self>> {
- let debug_id = super::next_debug_id();
let mut alloc =
- match from.copy_transaction_data(to.clone(), info, debug_id, allow_fds, None) {
+ match from.copy_transaction_data(to.clone(), info, info.debug_id, allow_fds, None) {
Ok(alloc) => alloc,
Err(err) => {
pr_warn!("Failure in copy_transaction_data: {:?}", err);
@@ -165,7 +164,7 @@ impl Transaction {
alloc.set_info_clear_on_drop();
}
Ok(DTRWrap::arc_pin_init(pin_init!(Transaction {
- debug_id,
+ debug_id: info.debug_id,
target_node: None,
from_parent: None,
sender_euid: Kuid::current_euid(),
@@ -394,7 +393,7 @@ impl DeliverToRead for Transaction {
let send_failed_reply = ScopeGuard::new(|| {
if self.target_node.is_some() && self.flags & TF_ONE_WAY == 0 {
let reply = Err(BR_FAILED_REPLY);
- self.from.deliver_reply(reply, &self);
+ self.from.deliver_reply(reply, &self, None);
}
self.drop_outstanding_txn();
});
@@ -478,7 +477,7 @@ impl DeliverToRead for Transaction {
// If this is not a reply or oneway transaction, then send a dead reply.
if self.target_node.is_some() && self.flags & TF_ONE_WAY == 0 {
let reply = Err(BR_DEAD_REPLY);
- self.from.deliver_reply(reply, &self);
+ self.from.deliver_reply(reply, &self, None);
}
self.drop_outstanding_txn();
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 121/518] rust_binder: reject context manager self-transaction
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 120/518] rust_binder: fix BINDER_GET_EXTENDED_ERROR Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 122/518] rust_binder: synchronize Rust Binder stats with freeze commands Greg Kroah-Hartman
` (400 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Keshav Verma, Alice Ryhl
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keshav Verma <iganschel@gmail.com>
commit 6849cabfd30fb5727cfd31e8241e15801e17ebf9 upstream.
Rust binder resolved handle 0 to the context manager node, but it does not
reject the case where the caller owns the same node.
The C binder driver rejects transactions from the context-manager process
to handle 0 after resolving the target node. Match that behavior in Rust
Binder by rejecting handle 0 transactions when the resolved context-manager
node is owned by the calling process.
This applies to both synchronous and oneway transactions because both paths
resolve the target through Process::get_transaction_node().
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Keshav Verma <iganschel@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260625103957.730-1-iganschel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/process.rs | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -900,7 +900,11 @@ impl Process {
pub(crate) fn get_transaction_node(&self, handle: u32) -> BinderResult<NodeRef> {
// When handle is zero, try to get the context manager.
if handle == 0 {
- Ok(self.ctx.get_manager_node(true)?)
+ let node_ref = self.ctx.get_manager_node(true)?;
+ if core::ptr::eq(self, &*node_ref.node.owner) {
+ return Err(EINVAL.into());
+ }
+ Ok(node_ref)
} else {
Ok(self.get_node_from_handle(handle, true)?)
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 122/518] rust_binder: synchronize Rust Binder stats with freeze commands
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 121/518] rust_binder: reject context manager self-transaction Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 123/518] rust_binder: clear freeze listener on node removal Greg Kroah-Hartman
` (399 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Carlos Llamas, Alice Ryhl,
Keshav Verma
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keshav Verma <iganschel@gmail.com>
commit eb1645bf10190e71f6f0316e37ff70755d719b53 upstream.
Rust Binder stats use BC_COUNT and BR_COUNT to size the command and
return counters, and use event string tables when printing debug
statistics.
The Binder protocol includes freeze-related commands and return codes,
but the Rust Binder statistics code was not updated to cover them. As a
result, those commands and return codes are not accounted for or printed
by the stats debug output.
Update the counts and event string tables so these commands and return
codes are included in the debug statistics output.
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Cc: stable <stable@kernel.org>
Acked-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Keshav Verma <iganschel@gmail.com>
Link: https://patch.msgid.link/20260615211743.734-1-iganschel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/rust_binder_events.c | 7 ++++++-
drivers/android/binder/stats.rs | 4 ++--
2 files changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/android/binder/rust_binder_events.c
+++ b/drivers/android/binder/rust_binder_events.c
@@ -28,6 +28,9 @@ const char * const binder_command_string
"BC_DEAD_BINDER_DONE",
"BC_TRANSACTION_SG",
"BC_REPLY_SG",
+ "BC_REQUEST_FREEZE_NOTIFICATION",
+ "BC_CLEAR_FREEZE_NOTIFICATION",
+ "BC_FREEZE_NOTIFICATION_DONE",
};
const char * const binder_return_strings[] = {
@@ -51,7 +54,9 @@ const char * const binder_return_strings
"BR_FAILED_REPLY",
"BR_FROZEN_REPLY",
"BR_ONEWAY_SPAM_SUSPECT",
- "BR_TRANSACTION_PENDING_FROZEN"
+ "BR_TRANSACTION_PENDING_FROZEN",
+ "BR_FROZEN_BINDER",
+ "BR_CLEAR_FREEZE_NOTIFICATION_DONE",
};
#define CREATE_TRACE_POINTS
--- a/drivers/android/binder/stats.rs
+++ b/drivers/android/binder/stats.rs
@@ -8,8 +8,8 @@ use crate::defs::*;
use kernel::sync::atomic::{ordering::Relaxed, Atomic};
use kernel::{ioctl::_IOC_NR, seq_file::SeqFile, seq_print};
-const BC_COUNT: usize = _IOC_NR(BC_REPLY_SG) as usize + 1;
-const BR_COUNT: usize = _IOC_NR(BR_TRANSACTION_PENDING_FROZEN) as usize + 1;
+const BC_COUNT: usize = _IOC_NR(BC_FREEZE_NOTIFICATION_DONE) as usize + 1;
+const BR_COUNT: usize = _IOC_NR(BR_CLEAR_FREEZE_NOTIFICATION_DONE) as usize + 1;
pub(crate) static GLOBAL_STATS: BinderStats = BinderStats::new();
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 123/518] rust_binder: clear freeze listener on node removal
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 122/518] rust_binder: synchronize Rust Binder stats with freeze commands Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 124/518] usb: xhci: Fix sleep in atomic context in xhci_free_streams() Greg Kroah-Hartman
` (398 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit bc4a9828897871ff3e5a1f8a1d346decbf4ee95e upstream.
Generally userspace is supposed to explicitly clear freeze listeners
before they drop the refcount on the node ref to zero, but there's
nothing forcing that. Currently, in this scenario the freeze listener
remains in the freeze_listeners rbtree and in the remote node's freeze
listener list, even though the ref for which the listener is registered
is gone. This could potentially lead to a memory leak due to a refcount
cycle. Thus, remove the freeze listener in this scenario.
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260703-remove-freeze-on-remove-node-v3-1-6e0c4547af46@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/freeze.rs | 11 +++++++++--
drivers/android/binder/node.rs | 10 ++++++----
drivers/android/binder/process.rs | 12 +++++++++++-
3 files changed, 26 insertions(+), 7 deletions(-)
--- a/drivers/android/binder/freeze.rs
+++ b/drivers/android/binder/freeze.rs
@@ -154,10 +154,17 @@ impl DeliverToRead for FreezeMessage {
}
impl FreezeListener {
- pub(crate) fn on_process_exit(&self, proc: &Arc<Process>) {
+ /// Called when this freeze listener is cleared abnormally.
+ ///
+ /// This occurs either because the process exited or because the process dropped its last
+ /// refcount on the node ref without explicitly removing the freeze listener first.
+ ///
+ /// The returned `KVVec` is just a value that should be dropped outside of the lock.
+ pub(crate) fn on_process_cleanup(&self, proc: &Process) -> KVVec<Arc<Process>> {
if !self.is_clearing {
- self.node.remove_freeze_listener(proc);
+ return self.node.remove_freeze_listener(proc);
}
+ KVVec::new()
}
}
--- a/drivers/android/binder/node.rs
+++ b/drivers/android/binder/node.rs
@@ -682,12 +682,13 @@ impl Node {
}
}
- pub(crate) fn remove_freeze_listener(&self, p: &Arc<Process>) {
- let _unused_capacity;
+ pub(crate) fn remove_freeze_listener(&self, p: &Process) -> KVVec<Arc<Process>> {
let mut guard = self.owner.inner.lock();
let inner = self.inner.access_mut(&mut guard);
let len = inner.freeze_list.len();
- inner.freeze_list.retain(|proc| !Arc::ptr_eq(proc, p));
+ inner
+ .freeze_list
+ .retain(|proc| !core::ptr::eq::<Process>(&**proc, p));
if len == inner.freeze_list.len() {
pr_warn!(
"Could not remove freeze listener for {}\n",
@@ -695,8 +696,9 @@ impl Node {
);
}
if inner.freeze_list.is_empty() {
- _unused_capacity = mem::take(&mut inner.freeze_list);
+ return mem::take(&mut inner.freeze_list);
}
+ KVVec::new()
}
pub(crate) fn freeze_list<'a>(&'a self, guard: &'a ProcessInner) -> &'a [Arc<Process>] {
--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -946,6 +946,8 @@ impl Process {
// To preserve original binder behaviour, we only fail requests where the manager tries to
// increment references on itself.
+ let _to_free_freeze_listener;
+ let _to_free_freeze_listener_cleanup;
let mut refs = self.node_refs.lock();
if let Some(info) = refs.by_handle.get_mut(&handle) {
if info.node_ref().update(inc, strong) {
@@ -961,6 +963,14 @@ impl Process {
unsafe { info.node_ref2().node.remove_node_info(info) };
let id = info.node_ref().node.global_id();
+
+ if let Some(freeze) = *info.freeze() {
+ if let Some(fl) = refs.freeze_listeners.remove(&freeze) {
+ _to_free_freeze_listener_cleanup = fl.on_process_cleanup(&self);
+ _to_free_freeze_listener = fl;
+ }
+ }
+
refs.by_handle.remove(&handle);
refs.by_node.remove(&id);
refs.handle_is_present.release_id(handle as usize);
@@ -1384,7 +1394,7 @@ impl Process {
// Clean up freeze listeners.
let freeze_listeners = take(&mut self.node_refs.lock().freeze_listeners);
for listener in freeze_listeners.values() {
- listener.on_process_exit(&self);
+ listener.on_process_cleanup(&self);
}
drop(freeze_listeners);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 124/518] usb: xhci: Fix sleep in atomic context in xhci_free_streams()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 123/518] rust_binder: clear freeze listener on node removal Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 125/518] xhci: sideband: fix ring sg table pages leak Greg Kroah-Hartman
` (397 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Lianqin Hu, Mathias Nyman
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: 胡连勤 <hulianqin@vivo.com>
commit 42c37c4b75d38b51d84f31a8e29427f5e06a7c2a upstream.
When a USB device with active stream endpoints is disconnected,
xhci_free_streams() is called from the hub_event workqueue to
free the stream resources. It calls xhci_free_stream_info()
while holding xhci->lock with irqs disabled.
xhci_free_stream_info() invokes xhci_free_stream_ctx(), which
calls dma_free_coherent() for large stream context arrays.
dma_free_coherent() can sleep (e.g. via vunmap), triggering
a BUG when called from atomic context.
Call trace:
dma_free_attrs+0x174/0x220
xhci_free_stream_info+0xd0/0x11c
xhci_free_streams+0x278/0x37c
usb_free_streams+0x98/0xc0
usb_unbind_interface+0x1b8/0x2f8
device_release_driver_internal+0x1d4/0x2cc
device_release_driver+0x18/0x28
bus_remove_device+0x160/0x1a4
device_del+0x1ec/0x350
usb_disable_device+0x98/0x214
usb_disconnect+0xf0/0x35c
hub_event+0xab4/0x19ec
process_one_work+0x278/0x63c
Fix this by saving the stream_info pointers and clearing the
ep references under the lock, then calling xhci_free_stream_info()
outside the lock where sleeping is allowed.
Fixes: 8df75f42f8e6 ("USB: xhci: Add memory allocation for USB3 bulk streams.")
Cc: stable <stable@kernel.org>
Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260703144033.483286-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3788,6 +3788,7 @@ static int xhci_free_streams(struct usb_
struct xhci_virt_device *vdev;
struct xhci_command *command;
struct xhci_input_control_ctx *ctrl_ctx;
+ struct xhci_stream_info *stream_info[EP_CTX_PER_DEV];
unsigned int ep_index;
unsigned long flags;
u32 changed_ep_bitmask;
@@ -3848,10 +3849,15 @@ static int xhci_free_streams(struct usb_
if (ret < 0)
return ret;
+ /*
+ * dma_free_coherent() called by xhci_free_stream_info() may sleep,
+ * so save stream_info pointers and clear references under lock,
+ * then free the memory outside lock.
+ */
spin_lock_irqsave(&xhci->lock, flags);
for (i = 0; i < num_eps; i++) {
ep_index = xhci_get_endpoint_index(&eps[i]->desc);
- xhci_free_stream_info(xhci, vdev->eps[ep_index].stream_info);
+ stream_info[i] = vdev->eps[ep_index].stream_info;
vdev->eps[ep_index].stream_info = NULL;
/* FIXME Unset maxPstreams in endpoint context and
* update deq ptr to point to normal string ring.
@@ -3861,6 +3867,9 @@ static int xhci_free_streams(struct usb_
}
spin_unlock_irqrestore(&xhci->lock, flags);
+ for (i = 0; i < num_eps; i++)
+ xhci_free_stream_info(xhci, stream_info[i]);
+
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 125/518] xhci: sideband: fix ring sg table pages leak
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 124/518] usb: xhci: Fix sleep in atomic context in xhci_free_streams() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 126/518] usb: typec: tcpci_rt1711h: unregister TCPCI port with devres Greg Kroah-Hartman
` (396 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xu Rao, Mathias Nyman
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Rao <raoxu@uniontech.com>
commit 49f6e3c3ef19f04f6657ed8dce550e36c763abb8 upstream.
xhci_ring_to_sgtable() allocates a temporary pages array and
uses it to build the returned sg_table with
sg_alloc_table_from_pages().
The error paths free the pages array, but the success path
returns the sg_table without freeing it. This leaks the temporary
array every time a sideband client gets an endpoint or event ring
buffer.
Free the pages array after sg_alloc_table_from_pages() succeeds.
The returned sg_table has its own scatterlist entries and does not
depend on the temporary array after construction.
Fixes: de66754e9f80 ("xhci: sideband: add initial api to register a secondary interrupter entity")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260703144033.483286-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-sideband.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/host/xhci-sideband.c
+++ b/drivers/usb/host/xhci-sideband.c
@@ -58,6 +58,8 @@ xhci_ring_to_sgtable(struct xhci_sideban
if (sg_alloc_table_from_pages(sgt, pages, n_pages, 0, sz, GFP_KERNEL))
goto err;
+ kvfree(pages);
+
/*
* Save first segment dma address to sg dma_address field for the sideband
* client to have access to the IOVA of the ring.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 126/518] usb: typec: tcpci_rt1711h: unregister TCPCI port with devres
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 125/518] xhci: sideband: fix ring sg table pages leak Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 127/518] riscv: dts: sophgo: Add dma-coherent to SG2042 PCIe controllers Greg Kroah-Hartman
` (395 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit e8da46d99d3710106e7c44db14566bf9b57386b5 upstream.
rt1711h_probe() registers the TCPCI port before requesting the interrupt
and enabling alert interrupts. If either of those later steps fails, the
probe function returns without unregistering the TCPCI port. The explicit
unregister currently only happens from the remove callback.
Register a devres action immediately after tcpci_register_port() succeeds,
so tcpci_unregister_port() runs on later probe failures and on driver
detach. Drop the remove callback to avoid unregistering the same port
twice.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: 302c570bf36e ("usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260706145312.37260-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpci_rt1711h.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/usb/typec/tcpm/tcpci_rt1711h.c
+++ b/drivers/usb/typec/tcpm/tcpci_rt1711h.c
@@ -295,6 +295,8 @@ static int rt1711h_sw_reset(struct rt171
return 0;
}
+static void rt1711h_unregister_tcpci_port(void *tcpci);
+
static int rt1711h_probe(struct i2c_client *client)
{
int ret;
@@ -340,6 +342,10 @@ static int rt1711h_probe(struct i2c_clie
if (IS_ERR_OR_NULL(chip->tcpci))
return PTR_ERR(chip->tcpci);
+ ret = devm_add_action_or_reset(chip->dev, rt1711h_unregister_tcpci_port, chip->tcpci);
+ if (ret)
+ return ret;
+
ret = devm_request_threaded_irq(chip->dev, client->irq, NULL,
rt1711h_irq,
IRQF_ONESHOT | IRQF_TRIGGER_LOW,
@@ -357,11 +363,9 @@ static int rt1711h_probe(struct i2c_clie
return 0;
}
-static void rt1711h_remove(struct i2c_client *client)
+static void rt1711h_unregister_tcpci_port(void *tcpci)
{
- struct rt1711h_chip *chip = i2c_get_clientdata(client);
-
- tcpci_unregister_port(chip->tcpci);
+ tcpci_unregister_port(tcpci);
}
static const struct rt1711h_chip_info rt1711h = {
@@ -394,7 +398,6 @@ static struct i2c_driver rt1711h_i2c_dri
.of_match_table = rt1711h_of_match,
},
.probe = rt1711h_probe,
- .remove = rt1711h_remove,
.id_table = rt1711h_id,
};
module_i2c_driver(rt1711h_i2c_driver);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 127/518] riscv: dts: sophgo: Add dma-coherent to SG2042 PCIe controllers
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 126/518] usb: typec: tcpci_rt1711h: unregister TCPCI port with devres Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 128/518] PCI: loongson: Override PCIe bridge supported speeds for Loongson-3C6000 series Greg Kroah-Hartman
` (394 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Han Gao, Inochi Amaoto, Chen Wang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Han Gao <gaohan@iscas.ac.cn>
commit 2647eabde8de748ee2c9a2816615d4af3bd4bf9d upstream.
SG2042's PCIe root complexes are cache-coherent with the CPU. Mark all
four PCIe controller nodes (pcie_rc0 through pcie_rc3) as dma-coherent
so the kernel uses coherent DMA mappings instead of non-coherent bounce
buffering.
Cc: stable@vger.kernel.org
Signed-off-by: Han Gao <gaohan@iscas.ac.cn>
Link: https://patch.msgid.link/20260331171248.973014-3-gaohan@iscas.ac.cn
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Signed-off-by: Chen Wang <unicorn_wang@outlook.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/boot/dts/sophgo/sg2042.dtsi | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/riscv/boot/dts/sophgo/sg2042.dtsi
+++ b/arch/riscv/boot/dts/sophgo/sg2042.dtsi
@@ -417,6 +417,7 @@
vendor-id = <0x1f1c>;
device-id = <0x2042>;
cdns,no-bar-match-nbits = <48>;
+ dma-coherent;
msi-parent = <&msi>;
status = "disabled";
};
@@ -439,6 +440,7 @@
vendor-id = <0x1f1c>;
device-id = <0x2042>;
cdns,no-bar-match-nbits = <48>;
+ dma-coherent;
msi-parent = <&msi>;
status = "disabled";
};
@@ -461,6 +463,7 @@
vendor-id = <0x1f1c>;
device-id = <0x2042>;
cdns,no-bar-match-nbits = <48>;
+ dma-coherent;
msi-parent = <&msi>;
status = "disabled";
};
@@ -483,6 +486,7 @@
vendor-id = <0x1f1c>;
device-id = <0x2042>;
cdns,no-bar-match-nbits = <48>;
+ dma-coherent;
msi-parent = <&msi>;
status = "disabled";
};
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 128/518] PCI: loongson: Override PCIe bridge supported speeds for Loongson-3C6000 series
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 127/518] riscv: dts: sophgo: Add dma-coherent to SG2042 PCIe controllers Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 129/518] PCI: altera: Do not dispose parent IRQ mapping Greg Kroah-Hartman
` (393 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ayden Meng, Mingcong Bai, Ziyao Li,
Xi Ruoyao, Manivannan Sadhasivam, Bjorn Helgaas,
Lain Fearyncess Yang, Huacai Chen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyao Li <liziyao@uniontech.com>
commit e373c789bac0ad73b472d8b44714df3bd18a4edf upstream.
Older steppings of the Loongson-3C6000 series incorrectly report the
supported link speeds on their PCIe bridges (device IDs 0x3c19, 0x3c29)
as only 2.5 GT/s, despite the upstream bus supporting speeds from
2.5 GT/s up to 16 GT/s.
As a result, since commit 774c71c52aa4 ("PCI/bwctrl: Enable only if more
than one speed is supported"), bwctrl will be disabled if there's only
one 2.5 GT/s value in vector 'supported_speeds'.
Manually override the 'supported_speeds' field for affected PCIe bridges
with those found on the upstream bus to correctly reflect the supported
link speeds. Updating the speeds to reflect what the hardware actually
supports avoids quirks in drivers consuming the speed information.
This commit was originally found from AOSC OS[1].
Fixes: cd89edda4002 ("PCI: loongson: Add ACPI init support")
Signed-off-by: Ayden Meng <aydenmeng@yeah.net>
Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
[Ziyao Li: move from drivers/pci/quirks.c to drivers/pci/controller/pci-loongson.c]
Signed-off-by: Ziyao Li <liziyao@uniontech.com>
[Xi Ruoyao: Fixed falling through logic, added debug log, Fixes tag and rebased to 7.0-rc7]
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: commit log, https://lore.kernel.org/all/9d815df3b33a63223112b97440c01247935363c1.camel@xry111.site]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Lain Fearyncess Yang <fsf@live.com>
Tested-by: Ayden Meng <aydenmeng@yeah.net>
Tested-by: Mingcong Bai <jeffbai@aosc.io>
Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
Cc: stable@vger.kernel.org
Link: https://github.com/AOSC-Tracking/linux/commit/4392f441363abdf6fa0a0433d73175a17f493454
Link: https://github.com/AOSC-Tracking/linux/pull/2 #1
Link: https://patch.msgid.link/20260412101731.107059-1-xry111@xry111.site
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-loongson.c | 36 ++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- a/drivers/pci/controller/pci-loongson.c
+++ b/drivers/pci/controller/pci-loongson.c
@@ -176,6 +176,42 @@ static void loongson_pci_msi_quirk(struc
}
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, DEV_LS7A_PCIE_PORT5, loongson_pci_msi_quirk);
+/*
+ * Older steppings of the Loongson-3C6000 series incorrectly report the
+ * supported link speeds on their PCIe bridges (device IDs 0x3c19,
+ * 0x3c29) as only 2.5 GT/s, despite the upstream bus supporting speeds
+ * from 2.5 GT/s up to 16 GT/s.
+ */
+static void loongson_pci_bridge_speed_quirk(struct pci_dev *pdev)
+{
+ u8 old_supported_speeds = pdev->supported_speeds;
+
+ switch (pdev->bus->max_bus_speed) {
+ case PCIE_SPEED_16_0GT:
+ pdev->supported_speeds |= PCI_EXP_LNKCAP2_SLS_16_0GB;
+ fallthrough;
+ case PCIE_SPEED_8_0GT:
+ pdev->supported_speeds |= PCI_EXP_LNKCAP2_SLS_8_0GB;
+ fallthrough;
+ case PCIE_SPEED_5_0GT:
+ pdev->supported_speeds |= PCI_EXP_LNKCAP2_SLS_5_0GB;
+ fallthrough;
+ case PCIE_SPEED_2_5GT:
+ pdev->supported_speeds |= PCI_EXP_LNKCAP2_SLS_2_5GB;
+ break;
+ default:
+ pci_warn(pdev, "unexpected max bus speed");
+
+ return;
+ }
+
+ if (pdev->supported_speeds != old_supported_speeds)
+ pci_info(pdev, "fixed up supported link speeds: 0x%x => 0x%x",
+ old_supported_speeds, pdev->supported_speeds);
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_LOONGSON, 0x3c19, loongson_pci_bridge_speed_quirk);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_LOONGSON, 0x3c29, loongson_pci_bridge_speed_quirk);
+
static struct loongson_pci *pci_bus_to_loongson_pci(struct pci_bus *bus)
{
struct pci_config_window *cfg;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 129/518] PCI: altera: Do not dispose parent IRQ mapping
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 128/518] PCI: loongson: Override PCIe bridge supported speeds for Loongson-3C6000 series Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 130/518] PCI: altera: Fix resource leaks on probe failure Greg Kroah-Hartman
` (392 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Vaidya, Manivannan Sadhasivam,
Subhransu S. Prusty
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahesh Vaidya <mahesh.vaidya@altera.com>
commit 5ef4bac02189bee0b7c170e352d7a38e13fe9678 upstream.
altera_pcie_irq_teardown() calls irq_dispose_mapping() on pcie->irq.
However, pcie->irq is the parent IRQ returned by platform_get_irq(), not
the mapping created by Altera INTx irq_domain.
The Altera driver only sets the chained handler on the parent IRQ. It
should detach that handler during teardown, but it should not dispose the
parent IRQ mapping, which belongs to the parent interrupt controller's
irq_domain.
Drop irq_dispose_mapping(pcie->irq) from the teardown path.
Note that during irqchip remove(), the child IRQs should've disposed. But
since the chained handler itself is removed, there is no way the stale
child IRQs (if exists) could fire. So it is safe here.
Fixes: ec15c4d0d5d2 ("PCI: altera: Allow building as module")
Signed-off-by: Mahesh Vaidya <mahesh.vaidya@altera.com>
[mani: added a note about IRQ disposal]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Subhransu S. Prusty <subhransu.sekhar.prusty@altera.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260430204330.3121003-2-mahesh.vaidya@altera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-altera.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/pci/controller/pcie-altera.c
+++ b/drivers/pci/controller/pcie-altera.c
@@ -868,7 +868,6 @@ static void altera_pcie_irq_teardown(str
{
irq_set_chained_handler_and_data(pcie->irq, NULL, NULL);
irq_domain_remove(pcie->irq_domain);
- irq_dispose_mapping(pcie->irq);
}
static int altera_pcie_parse_dt(struct altera_pcie *pcie)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 130/518] PCI: altera: Fix resource leaks on probe failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 129/518] PCI: altera: Do not dispose parent IRQ mapping Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 131/518] PCI: Always lift 2.5GT/s restriction in PCIe failed link retraining Greg Kroah-Hartman
` (391 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Vaidya, Manivannan Sadhasivam,
Subhransu S. Prusty
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahesh Vaidya <mahesh.vaidya@altera.com>
commit 7a94138caeb27f3c49c1dbd93bf422098925bb28 upstream.
The chained IRQ handler is set during probe, but is only removed during the
driver remove(). If pci_host_probe() fails, the handler and INTx IRQ
domain remain set even though the devm-managed host bridge storage
containing struct altera_pcie will be released, leaving the handler with
a stale data pointer.
Interrupts are also enabled before pci_host_probe() is called. If probe
fails after that point, the controller interrupt source should be disabled
before the chained handler and INTx domain are removed.
So set the chained handler only after the INTx domain has been created.
Disable controller interrupts during IRQ teardown, and tear the IRQ setup
down if pci_host_probe() fails.
Fixes: c63aed7334c2 ("PCI: altera: Use pci_host_probe() to register host")
Signed-off-by: Mahesh Vaidya <mahesh.vaidya@altera.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Subhransu S. Prusty <subhransu.sekhar.prusty@altera.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260430204330.3121003-3-mahesh.vaidya@altera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-altera.c | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
--- a/drivers/pci/controller/pcie-altera.c
+++ b/drivers/pci/controller/pcie-altera.c
@@ -864,8 +864,23 @@ static int altera_pcie_init_irq_domain(s
return 0;
}
+static void altera_pcie_disable_irq(struct altera_pcie *pcie)
+{
+ if (pcie->pcie_data->version == ALTERA_PCIE_V1 ||
+ pcie->pcie_data->version == ALTERA_PCIE_V2) {
+ /* Disable all P2A interrupts */
+ cra_writel(pcie, 0, P2A_INT_ENABLE);
+ } else if (pcie->pcie_data->version == ALTERA_PCIE_V3) {
+ /* Disable port-level interrupts (CFG_AER, etc.) */
+ writel(0, pcie->hip_base +
+ pcie->pcie_data->port_conf_offset +
+ pcie->pcie_data->port_irq_enable_offset);
+ }
+}
+
static void altera_pcie_irq_teardown(struct altera_pcie *pcie)
{
+ altera_pcie_disable_irq(pcie);
irq_set_chained_handler_and_data(pcie->irq, NULL, NULL);
irq_domain_remove(pcie->irq_domain);
}
@@ -890,7 +905,6 @@ static int altera_pcie_parse_dt(struct a
if (pcie->irq < 0)
return pcie->irq;
- irq_set_chained_handler_and_data(pcie->irq, pcie->pcie_data->ops->rp_isr, pcie);
return 0;
}
@@ -1019,6 +1033,14 @@ static int altera_pcie_probe(struct plat
return ret;
}
+ /*
+ * The chained handler uses pcie->irq_domain, so set it only after the
+ * INTx domain has been created.
+ */
+ irq_set_chained_handler_and_data(pcie->irq,
+ pcie->pcie_data->ops->rp_isr,
+ pcie);
+
if (pcie->pcie_data->version == ALTERA_PCIE_V1 ||
pcie->pcie_data->version == ALTERA_PCIE_V2) {
/* clear all interrupts */
@@ -1036,7 +1058,16 @@ static int altera_pcie_probe(struct plat
bridge->busnr = pcie->root_bus_nr;
bridge->ops = &altera_pcie_ops;
- return pci_host_probe(bridge);
+ ret = pci_host_probe(bridge);
+ if (ret)
+ goto err_teardown_irq;
+
+ return 0;
+
+err_teardown_irq:
+ altera_pcie_irq_teardown(pcie);
+
+ return ret;
}
static void altera_pcie_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 131/518] PCI: Always lift 2.5GT/s restriction in PCIe failed link retraining
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 130/518] PCI: altera: Fix resource leaks on probe failure Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 132/518] PCI: host-common: Request bus reassignment when not probe-only Greg Kroah-Hartman
` (390 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Bjorn Helgaas,
Alok Tiwari
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 72780f7964684939d7d2f69c348876213b184484 upstream.
Discard Vendor:Device ID matching in the PCIe failed link retraining quirk
and ignore the link status for the removal of the 2.5GT/s speed clamp,
whether applied by the quirk itself or the firmware earlier on. Revert to
the original target link speed if this final link retraining has failed.
This is so that link training noise in hot-plug scenarios does not make a
link remain clamped to the 2.5GT/s speed where an event race has led the
quirk to apply the speed clamp for one device, only to leave it in place
for a subsequent device to be plugged in.
Refer to the Link Capabilities register directly for the maximum link speed
determination so as to streamline backporting.
Fixes: a89c82249c37 ("PCI: Work around PCIe link training failures")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Cc: stable@vger.kernel.org # v6.5+
Link: https://patch.msgid.link/alpine.DEB.2.21.2512080331530.49654@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/quirks.c | 51 ++++++++++++++++++---------------------------------
1 file changed, 18 insertions(+), 33 deletions(-)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -80,11 +80,10 @@ static bool pcie_lbms_seen(struct pci_de
* Restrict the speed to 2.5GT/s then with the Target Link Speed field,
* request a retrain and check the result.
*
- * If this turns out successful and we know by the Vendor:Device ID it is
- * safe to do so, then lift the restriction, letting the devices negotiate
- * a higher speed. Also check for a similar 2.5GT/s speed restriction the
- * firmware may have already arranged and lift it with ports that already
- * report their data link being up.
+ * If this turns out successful, or where a 2.5GT/s speed restriction has
+ * been previously arranged by the firmware and the port reports its link
+ * already being up, lift the restriction, in a hope it is safe to do so,
+ * letting the devices negotiate a higher speed.
*
* Otherwise revert the speed to the original setting and request a retrain
* again to remove any residual state, ignoring the result as it's supposed
@@ -95,52 +94,38 @@ static bool pcie_lbms_seen(struct pci_de
*/
int pcie_failed_link_retrain(struct pci_dev *dev)
{
- static const struct pci_device_id ids[] = {
- { PCI_VDEVICE(ASMEDIA, 0x2824) }, /* ASMedia ASM2824 */
- {}
- };
- u16 lnksta, lnkctl2;
+ u16 lnksta, lnkctl2, oldlnkctl2;
int ret = -ENOTTY;
+ u32 lnkcap;
if (!pci_is_pcie(dev) || !pcie_downstream_port(dev) ||
!pcie_cap_has_lnkctl2(dev) || !dev->link_active_reporting)
return ret;
pcie_capability_read_word(dev, PCI_EXP_LNKSTA, &lnksta);
+ pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &oldlnkctl2);
if (!(lnksta & PCI_EXP_LNKSTA_DLLLA) && pcie_lbms_seen(dev, lnksta)) {
- u16 oldlnkctl2;
-
pci_info(dev, "broken device, retraining non-functional downstream link at 2.5GT/s\n");
-
- pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &oldlnkctl2);
ret = pcie_set_target_speed(dev, PCIE_SPEED_2_5GT, false);
- if (ret) {
- pci_info(dev, "retraining failed\n");
- pcie_set_target_speed(dev, PCIE_LNKCTL2_TLS2SPEED(oldlnkctl2),
- true);
- return ret;
- }
-
- pcie_capability_read_word(dev, PCI_EXP_LNKSTA, &lnksta);
+ if (ret)
+ goto err;
}
pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &lnkctl2);
-
- if ((lnksta & PCI_EXP_LNKSTA_DLLLA) &&
- (lnkctl2 & PCI_EXP_LNKCTL2_TLS) == PCI_EXP_LNKCTL2_TLS_2_5GT &&
- pci_match_id(ids, dev)) {
- u32 lnkcap;
-
+ pcie_capability_read_dword(dev, PCI_EXP_LNKCAP, &lnkcap);
+ if ((lnkctl2 & PCI_EXP_LNKCTL2_TLS) == PCI_EXP_LNKCTL2_TLS_2_5GT &&
+ (lnkcap & PCI_EXP_LNKCAP_SLS) != PCI_EXP_LNKCAP_SLS_2_5GB) {
pci_info(dev, "removing 2.5GT/s downstream link speed restriction\n");
- pcie_capability_read_dword(dev, PCI_EXP_LNKCAP, &lnkcap);
ret = pcie_set_target_speed(dev, PCIE_LNKCAP_SLS2SPEED(lnkcap), false);
- if (ret) {
- pci_info(dev, "retraining failed\n");
- return ret;
- }
+ if (ret)
+ goto err;
}
return ret;
+err:
+ pci_info(dev, "retraining failed\n");
+ pcie_set_target_speed(dev, PCIE_LNKCTL2_TLS2SPEED(oldlnkctl2), true);
+ return ret;
}
static ktime_t fixup_debug_start(struct pci_dev *dev,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 132/518] PCI: host-common: Request bus reassignment when not probe-only
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 131/518] PCI: Always lift 2.5GT/s restriction in PCIe failed link retraining Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 133/518] PCI: imx6: Configure REF_USE_PAD before PHY reset for i.MX95 Greg Kroah-Hartman
` (389 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ratheesh Kannoth,
Manivannan Sadhasivam, Bjorn Helgaas, Vidya Sagar
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ratheesh Kannoth <rkannoth@marvell.com>
commit fda8749ba73638f5bbca3ffb39bc6861eb3b23fa upstream.
pci_host_common_init() is used by several generic ECAM host drivers.
After PCI core changes around pci_flags and preserve_config, these hosts
no longer opted into full bus number reassignment the way they did
before, which broke enumeration of devices on a Marvell CN106XX board.
When PCI_PROBE_ONLY is not set, add PCI_REASSIGN_ALL_BUS so
pci_scan_bridge_extend() takes the reassignment path: bus numbers can be
assigned from firmware EA data (e.g. pci_ea_fixed_busnrs()). Skip the
flag in probe-only mode so existing assignments are not overridden.
Fixes: 7246a4520b4b ("PCI: Use preserve_config in place of pci_flags")
Closes: https://lore.kernel.org/all/abkqm_LCd9zAM8cW@rkannoth-OptiPlex-7090/
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
[mani: added stable tag]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: add problem report link]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Cc: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260414081730.3864372-1-rkannoth@marvell.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pci-host-common.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/pci/controller/pci-host-common.c
+++ b/drivers/pci/controller/pci-host-common.c
@@ -68,6 +68,10 @@ int pci_host_common_init(struct platform
if (IS_ERR(cfg))
return PTR_ERR(cfg);
+ /* Do not reassign bus numbers if probe only */
+ if (!pci_has_flag(PCI_PROBE_ONLY))
+ pci_add_flags(PCI_REASSIGN_ALL_BUS);
+
bridge->sysdata = cfg;
bridge->ops = (struct pci_ops *)&ops->pci_ops;
bridge->enable_device = ops->enable_device;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 133/518] PCI: imx6: Configure REF_USE_PAD before PHY reset for i.MX95
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 132/518] PCI: host-common: Request bus reassignment when not probe-only Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 134/518] PCI: imx6: Fix IMX6SX_GPR12_PCIE_TEST_POWERDOWN handling Greg Kroah-Hartman
` (388 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Richard Zhu, Manivannan Sadhasivam
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Zhu <hongxing.zhu@nxp.com>
commit 0c26b1c34d12d4debfb5363cc0be6cdf68e87ba2 upstream.
According to the i.MX95 PCIe PHY Databook, the ref_use_pad signal in the
Common Block Signals section selects the reference clock source connected
to the PHY pads. Per the specification, any change to this input must be
followed by a PHY reset assertion to take effect.
Move the REF_USE_PAD configuration before the PHY reset toggle to comply
with the required initialization sequence.
Fixes: 47f54a902dcd ("PCI: imx6: Toggle the core reset for i.MX95 PCIe")
Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
[mani: renamed the callback and helper to match the usecase]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260518072715.3166514-2-hongxing.zhu@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pci-imx6.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
--- a/drivers/pci/controller/dwc/pci-imx6.c
+++ b/drivers/pci/controller/dwc/pci-imx6.c
@@ -137,6 +137,7 @@ struct imx_pcie_drvdata {
const u32 mode_off[IMX_PCIE_MAX_INSTANCES];
const u32 mode_mask[IMX_PCIE_MAX_INSTANCES];
const struct pci_epc_features *epc_features;
+ int (*select_ref_clk_src)(struct imx_pcie *pcie);
int (*init_phy)(struct imx_pcie *pcie);
int (*enable_ref_clk)(struct imx_pcie *pcie, bool enable);
int (*core_reset)(struct imx_pcie *pcie, bool assert);
@@ -247,6 +248,24 @@ static unsigned int imx_pcie_grp_offset(
return imx_pcie->controller_id == 1 ? IOMUXC_GPR16 : IOMUXC_GPR14;
}
+static int imx95_pcie_select_ref_clk_src(struct imx_pcie *imx_pcie)
+{
+ bool ext = imx_pcie->enable_ext_refclk;
+
+ /*
+ * Regarding the Signal Descriptions of i.MX95 PCIe PHY, ref_use_pad is
+ * used to select reference clock connected to a pair of pads.
+ *
+ * Any change in this input must be followed by phy_reset assertion.
+ */
+
+ regmap_update_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_PHY_GEN_CTRL,
+ IMX95_PCIE_REF_USE_PAD,
+ ext ? IMX95_PCIE_REF_USE_PAD : 0);
+
+ return 0;
+}
+
static int imx95_pcie_init_phy(struct imx_pcie *imx_pcie)
{
bool ext = imx_pcie->enable_ext_refclk;
@@ -269,9 +288,6 @@ static int imx95_pcie_init_phy(struct im
IMX95_PCIE_PHY_CR_PARA_SEL,
IMX95_PCIE_PHY_CR_PARA_SEL);
- regmap_update_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_PHY_GEN_CTRL,
- IMX95_PCIE_REF_USE_PAD,
- ext ? IMX95_PCIE_REF_USE_PAD : 0);
regmap_update_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_SS_RW_REG_0,
IMX95_PCIE_REF_CLKEN,
ext ? 0 : IMX95_PCIE_REF_CLKEN);
@@ -1256,6 +1272,9 @@ static int imx_pcie_host_init(struct dw_
pp->bridge->disable_device = imx_pcie_disable_device;
}
+ if (imx_pcie->drvdata->select_ref_clk_src)
+ imx_pcie->drvdata->select_ref_clk_src(imx_pcie);
+
imx_pcie_assert_core_reset(imx_pcie);
imx_pcie_assert_perst(imx_pcie, true);
@@ -1967,6 +1986,7 @@ static const struct imx_pcie_drvdata drv
.mode_mask[0] = IMX95_PCIE_DEVICE_TYPE,
.core_reset = imx95_pcie_core_reset,
.init_phy = imx95_pcie_init_phy,
+ .select_ref_clk_src = imx95_pcie_select_ref_clk_src,
.wait_pll_lock = imx95_pcie_wait_for_phy_pll_lock,
.enable_ref_clk = imx95_pcie_enable_ref_clk,
.clr_clkreq_override = imx95_pcie_clr_clkreq_override,
@@ -2022,6 +2042,7 @@ static const struct imx_pcie_drvdata drv
.ltssm_mask = IMX95_PCIE_LTSSM_EN,
.mode_off[0] = IMX95_PE0_GEN_CTRL_1,
.mode_mask[0] = IMX95_PCIE_DEVICE_TYPE,
+ .select_ref_clk_src = imx95_pcie_select_ref_clk_src,
.init_phy = imx95_pcie_init_phy,
.core_reset = imx95_pcie_core_reset,
.wait_pll_lock = imx95_pcie_wait_for_phy_pll_lock,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 134/518] PCI: imx6: Fix IMX6SX_GPR12_PCIE_TEST_POWERDOWN handling
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 133/518] PCI: imx6: Configure REF_USE_PAD before PHY reset for i.MX95 Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 135/518] PCI: imx6: Assert ref_clk_en after reference clock stabilizes on i.MX95 Greg Kroah-Hartman
` (387 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Zhu, Manivannan Sadhasivam,
Bjorn Helgaas, Frank Li
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Zhu <hongxing.zhu@nxp.com>
commit aad953fb4eed0df5486cd54ccad80ac197678e01 upstream.
The IMX6SX_GPR12_PCIE_TEST_POWERDOWN bit does not control the PCIe
reference clock on i.MX6SX. Instead, it is part of i.MX6SX PCIe core
reset sequence.
Move the IMX6SX_GPR12_PCIE_TEST_POWERDOWN assertion/deassertion into
the core reset functions to properly reflect its purpose. Remove the
.enable_ref_clk() callback for i.MX6SX since it was incorrectly
manipulating this bit.
Fixes: e3c06cd063d6 ("PCI: imx6: Add initial imx6sx support")
Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260319090844.444987-1-hongxing.zhu@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pci-imx6.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
--- a/drivers/pci/controller/dwc/pci-imx6.c
+++ b/drivers/pci/controller/dwc/pci-imx6.c
@@ -681,14 +681,6 @@ static int imx_pcie_attach_pd(struct dev
return 0;
}
-static int imx6sx_pcie_enable_ref_clk(struct imx_pcie *imx_pcie, bool enable)
-{
- regmap_update_bits(imx_pcie->iomuxc_gpr, IOMUXC_GPR12,
- IMX6SX_GPR12_PCIE_TEST_POWERDOWN,
- enable ? 0 : IMX6SX_GPR12_PCIE_TEST_POWERDOWN);
- return 0;
-}
-
static int imx6q_pcie_enable_ref_clk(struct imx_pcie *imx_pcie, bool enable)
{
if (enable) {
@@ -802,6 +794,9 @@ static int imx6sx_pcie_core_reset(struct
if (assert)
regmap_set_bits(imx_pcie->iomuxc_gpr, IOMUXC_GPR12,
IMX6SX_GPR12_PCIE_TEST_POWERDOWN);
+ else
+ regmap_clear_bits(imx_pcie->iomuxc_gpr, IOMUXC_GPR12,
+ IMX6SX_GPR12_PCIE_TEST_POWERDOWN);
/* Force PCIe PHY reset */
regmap_update_bits(imx_pcie->iomuxc_gpr, IOMUXC_GPR5, IMX6SX_GPR5_PCIE_BTNRST_RESET,
@@ -1896,7 +1891,6 @@ static const struct imx_pcie_drvdata drv
.mode_off[0] = IOMUXC_GPR12,
.mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE,
.init_phy = imx6sx_pcie_init_phy,
- .enable_ref_clk = imx6sx_pcie_enable_ref_clk,
.core_reset = imx6sx_pcie_core_reset,
.ops = &imx_pcie_host_ops,
},
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 135/518] PCI: imx6: Assert ref_clk_en after reference clock stabilizes on i.MX95
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 134/518] PCI: imx6: Fix IMX6SX_GPR12_PCIE_TEST_POWERDOWN handling Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 136/518] PCI: mediatek: Fix IRQ domain leak when port fails to enable Greg Kroah-Hartman
` (386 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Zhu, Manivannan Sadhasivam,
Frank Li
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Zhu <hongxing.zhu@nxp.com>
commit 9dda3f83ba677b9cc2613cecd9120123000ae50f upstream.
According to the PHY Databook Common Block Signals section, the
ref_clk_en signal must remain de-asserted until the reference clock is
running at the appropriate frequency. Once the clock is stable,
ref_clk_en can be asserted. For lower power states where the reference
clock to the PHY is disabled, ref_clk_en should also be de-asserted.
Move the ref_clk_en bit manipulation into imx95_pcie_enable_ref_clk()
to ensure the reference clock stabilizes before ref_clk_en is asserted
and before the PHY reset is de-asserted. This aligns with the timing
requirements specified in the PHY documentation.
Fixes: d8574ce57d76 ("PCI: imx6: Add external reference clock input mode support")
Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260518072715.3166514-3-hongxing.zhu@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pci-imx6.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
--- a/drivers/pci/controller/dwc/pci-imx6.c
+++ b/drivers/pci/controller/dwc/pci-imx6.c
@@ -268,8 +268,6 @@ static int imx95_pcie_select_ref_clk_src
static int imx95_pcie_init_phy(struct imx_pcie *imx_pcie)
{
- bool ext = imx_pcie->enable_ext_refclk;
-
/*
* ERR051624: The Controller Without Vaux Cannot Exit L23 Ready
* Through Beacon or PERST# De-assertion
@@ -288,10 +286,6 @@ static int imx95_pcie_init_phy(struct im
IMX95_PCIE_PHY_CR_PARA_SEL,
IMX95_PCIE_PHY_CR_PARA_SEL);
- regmap_update_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_SS_RW_REG_0,
- IMX95_PCIE_REF_CLKEN,
- ext ? 0 : IMX95_PCIE_REF_CLKEN);
-
return 0;
}
@@ -740,7 +734,29 @@ static void imx95_pcie_clkreq_override(s
static int imx95_pcie_enable_ref_clk(struct imx_pcie *imx_pcie, bool enable)
{
+ bool ext = imx_pcie->enable_ext_refclk;
+
imx95_pcie_clkreq_override(imx_pcie, enable);
+ /*
+ * The ref_clk_en signal must remain de-asserted until the
+ * reference clock is running at appropriate frequency, at which
+ * point this bit can be asserted. For lower power states where
+ * the reference clock to the PHY is disabled, it may also be
+ * de-asserted.
+ * +------------------- -+--------+----------------+
+ * | External clock mode | Enable | PCIE_REF_CLKEN |
+ * +---------------------+--------+----------------+
+ * | TRUE | X | 1b'0 |
+ * +---------------------+--------+----------------+
+ * | FALSE | TRUE | 1b'1 |
+ * +---------------------+--------+----------------+
+ * | FALSE | FALSE | 1b'0 |
+ * +---------------------+--------+----------------+
+ */
+ regmap_update_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_SS_RW_REG_0,
+ IMX95_PCIE_REF_CLKEN,
+ ext || !enable ? 0 : IMX95_PCIE_REF_CLKEN);
+
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 136/518] PCI: mediatek: Fix IRQ domain leak when port fails to enable
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 135/518] PCI: imx6: Assert ref_clk_en after reference clock stabilizes on i.MX95 Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 137/518] PCI: qcom: Initialize DWC MSI lock for firmware-managed ECAM hosts Greg Kroah-Hartman
` (385 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Manivannan Sadhasivam, Caleb James DeLisle
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
commit f865a57896bd92d7662eb2818d8f48872e2cbbc7 upstream.
When mtk_pcie_enable_port() fails, mtk_pcie_port_free() removes the port
from pcie->ports and frees the port structure. However, the IRQ domains set
up earlier by mtk_pcie_init_irq_domain() are never freed.
Fix this by refactoring mtk_pcie_irq_teardown() into a per-port helper,
mtk_pcie_irq_teardown_port(), and calling it from mtk_pcie_setup() when
mtk_pcie_enable_port() fails. Since the IRQ teardown must only happen in
the probe error path (during resume, child devices may have active MSI
mappings and the NOIRQ context prohibits sleeping locks),
mtk_pcie_enable_port() is changed to return an error code so callers can
distinguish the two paths and act accordingly.
This issue was reported by Sashiko while reviewing the EcoNet EN7528 SoC
support series.
Fixes: b099631df160 ("PCI: mediatek: Add controller support for MT2712 and MT7622")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org # 5.10
Cc: Caleb James DeLisle <cjd@cjdns.fr>
Link: https://patch.msgid.link/20260521174617.17692-1-mani@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-mediatek.c | 63 ++++++++++++++++++++-------------
1 file changed, 40 insertions(+), 23 deletions(-)
--- a/drivers/pci/controller/pcie-mediatek.c
+++ b/drivers/pci/controller/pcie-mediatek.c
@@ -529,23 +529,27 @@ static void mtk_pcie_enable_msi(struct m
writel(val, port->base + PCIE_INT_MASK);
}
-static void mtk_pcie_irq_teardown(struct mtk_pcie *pcie)
+static void mtk_pcie_irq_teardown_port(struct mtk_pcie_port *port)
{
- struct mtk_pcie_port *port, *tmp;
+ irq_set_chained_handler_and_data(port->irq, NULL, NULL);
- list_for_each_entry_safe(port, tmp, &pcie->ports, list) {
- irq_set_chained_handler_and_data(port->irq, NULL, NULL);
+ if (port->irq_domain)
+ irq_domain_remove(port->irq_domain);
- if (port->irq_domain)
- irq_domain_remove(port->irq_domain);
+ if (IS_ENABLED(CONFIG_PCI_MSI)) {
+ if (port->inner_domain)
+ irq_domain_remove(port->inner_domain);
+ }
- if (IS_ENABLED(CONFIG_PCI_MSI)) {
- if (port->inner_domain)
- irq_domain_remove(port->inner_domain);
- }
+ irq_dispose_mapping(port->irq);
+}
- irq_dispose_mapping(port->irq);
- }
+static void mtk_pcie_irq_teardown(struct mtk_pcie *pcie)
+{
+ struct mtk_pcie_port *port, *tmp;
+
+ list_for_each_entry_safe(port, tmp, &pcie->ports, list)
+ mtk_pcie_irq_teardown_port(port);
}
static int mtk_pcie_intx_map(struct irq_domain *domain, unsigned int irq,
@@ -865,7 +869,7 @@ static int mtk_pcie_startup_port_an7583(
return mtk_pcie_startup_port_v2(port);
}
-static void mtk_pcie_enable_port(struct mtk_pcie_port *port)
+static int mtk_pcie_enable_port(struct mtk_pcie_port *port)
{
struct mtk_pcie *pcie = port->pcie;
struct device *dev = pcie->dev;
@@ -874,7 +878,7 @@ static void mtk_pcie_enable_port(struct
err = clk_prepare_enable(port->sys_ck);
if (err) {
dev_err(dev, "failed to enable sys_ck%d clock\n", port->slot);
- goto err_sys_clk;
+ return err;
}
err = clk_prepare_enable(port->ahb_ck);
@@ -922,11 +926,15 @@ static void mtk_pcie_enable_port(struct
goto err_phy_on;
}
- if (!pcie->soc->startup(port))
- return;
+ err = pcie->soc->startup(port);
+ if (err) {
+ dev_info(dev, "Port%d link down\n", port->slot);
+ goto err_soc_startup;
+ }
- dev_info(dev, "Port%d link down\n", port->slot);
+ return 0;
+err_soc_startup:
phy_power_off(port->phy);
err_phy_on:
phy_exit(port->phy);
@@ -942,8 +950,8 @@ err_aux_clk:
clk_disable_unprepare(port->ahb_ck);
err_ahb_clk:
clk_disable_unprepare(port->sys_ck);
-err_sys_clk:
- mtk_pcie_port_free(port);
+
+ return err;
}
static int mtk_pcie_parse_port(struct mtk_pcie *pcie,
@@ -1109,8 +1117,13 @@ static int mtk_pcie_setup(struct mtk_pci
return err;
/* enable each port, and then check link status */
- list_for_each_entry_safe(port, tmp, &pcie->ports, list)
- mtk_pcie_enable_port(port);
+ list_for_each_entry_safe(port, tmp, &pcie->ports, list) {
+ err = mtk_pcie_enable_port(port);
+ if (err) {
+ mtk_pcie_irq_teardown_port(port);
+ mtk_pcie_port_free(port);
+ }
+ }
/* power down PCIe subsys if slots are all empty (link down) */
if (list_empty(&pcie->ports))
@@ -1209,14 +1222,18 @@ static int mtk_pcie_resume_noirq(struct
{
struct mtk_pcie *pcie = dev_get_drvdata(dev);
struct mtk_pcie_port *port, *tmp;
+ int err;
if (list_empty(&pcie->ports))
return 0;
clk_prepare_enable(pcie->free_ck);
- list_for_each_entry_safe(port, tmp, &pcie->ports, list)
- mtk_pcie_enable_port(port);
+ list_for_each_entry_safe(port, tmp, &pcie->ports, list) {
+ err = mtk_pcie_enable_port(port);
+ if (err)
+ mtk_pcie_port_free(port);
+ }
/* In case of EP was removed while system suspend. */
if (list_empty(&pcie->ports))
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 137/518] PCI: qcom: Initialize DWC MSI lock for firmware-managed ECAM hosts
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 136/518] PCI: mediatek: Fix IRQ domain leak when port fails to enable Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 138/518] PCI: Skip Resizable BAR restore on read error Greg Kroah-Hartman
` (384 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yadu M G, Manivannan Sadhasivam,
stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yadu M G <yadu.mg@oss.qualcomm.com>
commit e0779713a1e2f891aeec53e629dbbd33f423c629 upstream.
A lockdep warning is observed during boot on a Qcom firmware-managed
platform:
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
...
Call trace:
register_lock_class+0x128/0x4d8
__lock_acquire+0x110/0x1db0
lock_acquire+0x278/0x3d8
_raw_spin_lock_irq+0x6c/0xc0
dw_pcie_irq_domain_alloc+0x48/0x190
irq_domain_alloc_irqs_parent+0x2c/0x48
msi_domain_alloc+0x90/0x160
...
dw_pcie_irq_domain_alloc() takes pp->lock while allocating MSI
interrupts. pp->lock is normally initialized by dw_pcie_host_init(), but
Qcom firmware-managed hosts use the ECAM init path instead:
pci_host_common_ecam_create()
pci_ecam_create()
qcom_pcie_ecam_host_init()
dw_pcie_msi_host_init()
dw_pcie_allocate_domains()
That path constructs a fresh struct dw_pcie_rp and calls
dw_pcie_msi_host_init() directly, without going through
dw_pcie_host_init(). As a result, pp->lock was not initialized, which
triggers the warning.
Initialize pp->lock in qcom_pcie_ecam_host_init() before registering the
MSI domains so the firmware-managed ECAM path matches the normal DWC host
initialization sequence.
Fixes: 7d944c0f1469 ("PCI: qcom: Add support for Qualcomm SA8255p based PCIe Root Complex")
Signed-off-by: Yadu M G <yadu.mg@oss.qualcomm.com>
[mani: added fixes tag and CCed stable]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20260604122418.727274-1-yadu.mg@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pcie-qcom.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
@@ -1674,6 +1674,12 @@ static int qcom_pcie_ecam_host_init(stru
pci->dbi_base = cfg->win;
pp->num_vectors = MSI_DEF_NUM_VECTORS;
+ /*
+ * dw_pcie_msi_host_init() is called directly here, bypassing
+ * dw_pcie_host_init() where pp->lock is normally initialized.
+ */
+ raw_spin_lock_init(&pp->lock);
+
ret = dw_pcie_msi_host_init(pp);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 138/518] PCI: Skip Resizable BAR restore on read error
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 137/518] PCI: qcom: Initialize DWC MSI lock for firmware-managed ECAM hosts Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 139/518] PCI/IOV: Skip VF " Greg Kroah-Hartman
` (383 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marco Nenciarini, Bjorn Helgaas
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Nenciarini <mnencia@kcore.it>
commit ee7471fe968d210939be9046089a924cd23c8c3b upstream.
pci_restore_rebar_state() uses the Resizable BAR Control register to decide
how many BARs to restore (nbars) and which BAR each iteration addresses
(bar_idx).
When a device does not respond, config reads typically return
PCI_ERROR_RESPONSE (~0). Both fields are 3 bits wide, so nbars and bar_idx
both evaluate to 7, past the spec's valid ranges for both fields.
pci_resource_n() then returns an unrelated resource slot, whose size is
used to derive a nonsensical value written back to the Resizable BAR
Control register.
Bail out if any Resizable BAR Control read returns PCI_ERROR_RESPONSE. No
further BARs are touched, which is safe because a config read that returns
PCI_ERROR_RESPONSE indicates the device is unreachable and restoration is
pointless.
Fixes: d3252ace0bc6 ("PCI: Restore resized BAR state on resume")
Signed-off-by: Marco Nenciarini <mnencia@kcore.it>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/666cac19b5daa0ab0e0ab64454e76b4d24465dbd.1776429882.git.mnencia@kcore.it
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/rebar.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/pci/rebar.c
+++ b/drivers/pci/rebar.c
@@ -231,6 +231,9 @@ void pci_restore_rebar_state(struct pci_
return;
pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
+ if (PCI_POSSIBLE_ERROR(ctrl))
+ return;
+
nbars = FIELD_GET(PCI_REBAR_CTRL_NBAR_MASK, ctrl);
for (i = 0; i < nbars; i++, pos += 8) {
@@ -238,6 +241,9 @@ void pci_restore_rebar_state(struct pci_
int bar_idx, size;
pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
+ if (PCI_POSSIBLE_ERROR(ctrl))
+ return;
+
bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX;
res = pci_resource_n(pdev, bar_idx);
size = pci_rebar_bytes_to_size(resource_size(res));
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 139/518] PCI/IOV: Skip VF Resizable BAR restore on read error
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 138/518] PCI: Skip Resizable BAR restore on read error Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 140/518] tcp: restore RCU grace period in tcp_ao_destroy_sock Greg Kroah-Hartman
` (382 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marco Nenciarini, Bjorn Helgaas
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Nenciarini <mnencia@kcore.it>
commit f34f1712229d71ce4286440fef12526fd4590b37 upstream.
sriov_restore_vf_rebar_state() uses the VF Resizable BAR Control register
to decide how many VF BARs to restore (nbars) and which VF BAR each
iteration addresses (bar_idx). bar_idx indexes into dev->sriov->barsz[],
which has only PCI_SRIOV_NUM_BARS (6) entries.
When a device does not respond, config reads typically return
PCI_ERROR_RESPONSE (~0). Both fields are 3 bits wide, so nbars and bar_idx
both evaluate to 7. The barsz[] access then goes out of bounds. UBSAN
reports this as:
UBSAN: array-index-out-of-bounds in drivers/pci/iov.c:948:51 index 7 is out of range for type 'resource_size_t [6]'
Observed on an NVIDIA RTX PRO 1000 GPU (GB207GLM) that stopped responding
during a failed GC6 power state exit. The subsequent pci_restore_state()
invoked sriov_restore_vf_rebar_state() while config reads returned
0xffffffff, triggering the splat.
Bail out if any VF Resizable BAR Control read returns PCI_ERROR_RESPONSE.
No further VF BARs are touched, which is safe because a config read that
returns PCI_ERROR_RESPONSE indicates the device is unreachable and
restoration is pointless. This mirrors the guard in
pci_restore_rebar_state().
Fixes: 5a8f77e24a30 ("PCI/IOV: Restore VF resizable BAR state after reset")
Signed-off-by: Marco Nenciarini <mnencia@kcore.it>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/44a4ae53ec2825816b816c85cd378430d9a95cc6.1776429882.git.mnencia@kcore.it
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/iov.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -938,12 +938,18 @@ static void sriov_restore_vf_rebar_state
return;
pci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl);
+ if (PCI_POSSIBLE_ERROR(ctrl))
+ return;
+
nbars = FIELD_GET(PCI_VF_REBAR_CTRL_NBAR_MASK, ctrl);
for (i = 0; i < nbars; i++, pos += 8) {
int bar_idx, size;
pci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl);
+ if (PCI_POSSIBLE_ERROR(ctrl))
+ return;
+
bar_idx = FIELD_GET(PCI_VF_REBAR_CTRL_BAR_IDX, ctrl);
size = pci_rebar_bytes_to_size(dev->sriov->barsz[bar_idx]);
ctrl &= ~PCI_VF_REBAR_CTRL_BAR_SIZE;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 140/518] tcp: restore RCU grace period in tcp_ao_destroy_sock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 139/518] PCI/IOV: Skip VF " Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 141/518] mm/damon/ops-common: handle extreme intervals in damon_hot_score() Greg Kroah-Hartman
` (381 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Safonov, Michael Bommarito,
Eric Dumazet, Dmitry Safonov, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 8bc4d43bccbd60efe85d0a44d5bf41762f2f0c30 upstream.
Commit 51e547e8c89c ("tcp: Free TCP-AO/TCP-MD5 info/keys without RCU")
removed the call_rcu() callback from tcp_ao_destroy_sock(), arguing that
"the destruction of info/keys is delayed until the socket destructor"
and therefore "no one can discover it anymore".
That argument does not hold for the call site in tcp_connect()
(net/ipv4/tcp_output.c:4327-4332). At that point the socket is in
TCP_SYN_SENT, has already been inserted into the inet ehash by
inet_hash_connect() in tcp_v4_connect(), and is therefore very much
discoverable: any softirq running tcp_v4_rcv() on another CPU can take
the socket out of the ehash, walk into tcp_inbound_hash(), and load
tp->ao_info via implicit RCU before bh_lock_sock_nested() is taken on
the destroying CPU.
The reader path then enters __tcp_ao_do_lookup() (net/ipv4/tcp_ao.c:208)
which re-loads tp->ao_info via rcu_dereference_check(); the re-load can
still observe the (about-to-be-freed) pointer because there is no
synchronize_rcu() between rcu_assign_pointer(tp->ao_info, NULL) and
tcp_ao_info_free() in tcp_ao_destroy_sock(). The captured pointer is
then walked at line 223:
hlist_for_each_entry_rcu(key, &ao->head, node, ...)
The writer's synchronous kfree() is free to complete between the line
218 re-fetch and the line 223 hlist iteration. The slab is reused
(or simply LIST_POISON1-stamped if not yet reused) and the iteration
walks attacker-controlled or poison memory in softirq context.
Reproducer (no debug shim, stock x86_64 v7.1-rc2 SMP+KASAN, QEMU+KVM):
an unprivileged uid=1000 process inside CLONE_NEWUSER|CLONE_NEWNET
installs TCP_MD5SIG + TCP_AO_ADD_KEY on a TCP socket, sprays forged
TCP-AO segments toward its eventual 4-tuple via raw sockets, then
calls connect(). The md5-wins reconciliation in tcp_connect() fires
tcp_ao_destroy_sock(); the softirq backlog reader on the loopback
NAPI path crashes on the freed ao->head.first walk:
Oops: general protection fault, probably for non-canonical
address 0xfbd59c000000002f
KASAN: maybe wild-memory-access in range
[0xdead000000000178-0xdead00000000017f]
CPU: 0 UID: 1000 PID: 100 Comm: repro_userns
RIP: 0010:__tcp_ao_do_lookup+0x107/0x1c0
Call Trace: <IRQ>
__tcp_ao_do_lookup+0x107/0x1c0
tcp_ao_inbound_lookup.constprop.0+0x12a/0x200
tcp_inbound_ao_hash+0x5ea/0x1520
tcp_inbound_hash+0x7ce/0x1240
tcp_v4_rcv+0x1e7a/0x3e10
...
Restore the RCU grace period: re-add struct rcu_head to tcp_ao_info
and replace the synchronous tcp_ao_info_free() with a call_rcu()
callback. Readers that captured tp->ao_info before rcu_assign_pointer
NULLed it now see the object remain valid until rcu_read_unlock().
With the patch applied the reproducer runs cleanly for 2000 iterations
on the same kernel build.
Fixes: 51e547e8c89c ("tcp: Free TCP-AO/TCP-MD5 info/keys without RCU")
Cc: stable@vger.kernel.org # v6.18+
Reviewed-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Dmitry Safonov <0x7f454c46@gmail.com>
Link: https://patch.msgid.link/20260625-tcp-md5-connect-v3-1-1fd313d6c1e0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/tcp_ao.h | 1 +
net/ipv4/tcp_ao.c | 5 +++--
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -130,6 +130,7 @@ struct tcp_ao_info {
u32 snd_sne;
u32 rcv_sne;
refcount_t refcnt; /* Protects twsk destruction */
+ struct rcu_head rcu;
};
#ifdef CONFIG_TCP_MD5SIG
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -270,8 +270,9 @@ static void tcp_ao_key_free_rcu(struct r
kfree_sensitive(key);
}
-static void tcp_ao_info_free(struct tcp_ao_info *ao)
+static void tcp_ao_info_free_rcu(struct rcu_head *head)
{
+ struct tcp_ao_info *ao = container_of(head, struct tcp_ao_info, rcu);
struct tcp_ao_key *key;
struct hlist_node *n;
@@ -311,7 +312,7 @@ void tcp_ao_destroy_sock(struct sock *sk
if (!twsk)
tcp_ao_sk_omem_free(sk, ao);
- tcp_ao_info_free(ao);
+ call_rcu(&ao->rcu, tcp_ao_info_free_rcu);
}
void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 141/518] mm/damon/ops-common: handle extreme intervals in damon_hot_score()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 140/518] tcp: restore RCU grace period in tcp_ao_destroy_sock Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 142/518] netfilter: ipset: fix race between dump and ip_set_list resize Greg Kroah-Hartman
` (380 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 35d4a3cf70a855b50e53189ac2f8463e20a02046 upstream.
Fix three issues in damon_hot_score() that comes from wrong handling of
extreme (zero or too high) monitoring intervals user setup.
When the user sets sampling interval zero, damon_max_nr_accesses(), which
is called from damon_hot_score(), causes a divide-by-zero. Needless to
say, it is a problem.
When the user sets the aggregation interval zero, the function returns
zero. It is wrong, since the real maximum nr_acceses in the setup should
be one. Worse yet, it can cause another divide-by-zero from its caller,
damon_hot_score(), since it uses damon_max_nr_accesses() return value as a
denominator.
When the user sets the aggregation interval very high, damon_hot_score()
could return a value out of [0, DAMOS_MAX_SCORE] range. Since the return
value is used as an index to the regions_score_histogram array, which is
DAMOS_MAX_SCORE+1 size, it causes out of bounds array access.
The issues can be relatively easily reproduced like below. The sysfs
write permission is required, though.
# ./damo start --damos_action lru_prio --damos_quota_space 100M \
--damos_quota_interval 1s
# cd /sys/kernel/mm/damon/admin/kdamonds/0
# echo 0 > contexts/0/monitoring_attrs/intervals/sample_us
# echo 0 > contexts/0/monitoring_attrs/intervals/aggr_us
# echo commit > state
# dmesg
[...]
[ 131.329762] Oops: divide error: 0000 [#1] SMP NOPTI
[...]
[ 131.336089] RIP: 0010:damon_hot_score+0x27/0xd0
[...]
Fix the divide-by-zero intervals problems by explicitly handling the zero
intervals in damon_max_nr_accesses(). Fix the out-of-bound array access
by applying [0, DAMOS_MAX_SCORE] bounds before returning from
damon_hot_score().
The issue was discovered [1] by Sashiko.
Link: https://lore.kernel.org/20260623135834.67189-1-sj@kernel.org
Link: https://lore.kernel.org/20260619202459.145010-1-sj@kernel.org [1]
Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/damon.h | 8 ++++++--
mm/damon/ops-common.c | 1 +
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -979,9 +979,13 @@ static inline bool damon_target_has_pid(
static inline unsigned int damon_max_nr_accesses(const struct damon_attrs *attrs)
{
- /* {aggr,sample}_interval are unsigned long, hence could overflow */
- return min(attrs->aggr_interval / attrs->sample_interval,
+ unsigned long sample_interval;
+ unsigned long max_nr_accesses;
+
+ sample_interval = attrs->sample_interval ? : 1;
+ max_nr_accesses = min(attrs->aggr_interval / sample_interval,
(unsigned long)UINT_MAX);
+ return max_nr_accesses ? : 1;
}
--- a/mm/damon/ops-common.c
+++ b/mm/damon/ops-common.c
@@ -140,6 +140,7 @@ int damon_hot_score(struct damon_ctx *c,
* Transform it to fit in [0, DAMOS_MAX_SCORE]
*/
hotness = hotness * DAMOS_MAX_SCORE / DAMON_MAX_SUBSCORE;
+ hotness = max(min(hotness, DAMOS_MAX_SCORE), 0);
return hotness;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 142/518] netfilter: ipset: fix race between dump and ip_set_list resize
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 141/518] mm/damon/ops-common: handle extreme intervals in damon_hot_score() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 143/518] virtio_pci: fix vq info pointer lookup via wrong index Greg Kroah-Hartman
` (379 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
Jozsef Kadlecsik, Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
commit 7cd9103283b26b917360ec99d7d2f2d761bcf1ab upstream.
The release path of ip_set_dump_do() and ip_set_dump_done() read
inst->ip_set_list via ip_set_ref_netlink(), a plain rcu_dereference_raw()
of the array pointer. These run from netlink_recvmsg() without the nfnl
mutex and without an RCU read-side critical section.
A concurrent ip_set_create() can grow the array: it publishes the new
array, calls synchronize_net() and then kvfree()s the old one. Since the
dump paths read the array outside any RCU reader, synchronize_net() does
not wait for them and the old array can be freed while they still index
into it, causing a use-after-free.
The dumped set itself stays pinned via set->ref_netlink, so only the
array load needs protecting. Take rcu_read_lock() around it, matching
ip_set_get_byname() and __ip_set_put_byindex().
BUG: KASAN: slab-use-after-free in ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1697)
Read of size 8 at addr ffff88800b5c4018 by task exploit/150
Call Trace:
...
kasan_report (mm/kasan/report.c:595)
ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1697)
netlink_dump (net/netlink/af_netlink.c:2325)
netlink_recvmsg (net/netlink/af_netlink.c:1976)
sock_recvmsg (net/socket.c:1159)
__sys_recvfrom (net/socket.c:2315)
...
Oops: general protection fault, probably for non-canonical address ... KASAN NOPTI
KASAN: maybe wild-memory-access in range [0x02d6...d0-0x02d6...d7]
RIP: 0010:ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1698)
Kernel panic - not syncing: Fatal exception
Fixes: 8a02bdd50b2e ("netfilter: ipset: Fix calling ip_set() macro at dumping")
Cc: stable@vger.kernel.org
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipset/ip_set_core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1480,7 +1480,11 @@ ip_set_dump_done(struct netlink_callback
struct ip_set_net *inst =
(struct ip_set_net *)cb->args[IPSET_CB_NET];
ip_set_id_t index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
- struct ip_set *set = ip_set_ref_netlink(inst, index);
+ struct ip_set *set;
+
+ rcu_read_lock();
+ set = ip_set_ref_netlink(inst, index);
+ rcu_read_unlock();
if (set->variant->uref)
set->variant->uref(set, cb, false);
@@ -1686,7 +1690,9 @@ next_set:
release_refcount:
/* If there was an error or set is done, release set */
if (ret || !cb->args[IPSET_CB_ARG0]) {
+ rcu_read_lock();
set = ip_set_ref_netlink(inst, index);
+ rcu_read_unlock();
if (set->variant->uref)
set->variant->uref(set, cb, false);
pr_debug("release set %s\n", set->name);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 143/518] virtio_pci: fix vq info pointer lookup via wrong index
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 142/518] netfilter: ipset: fix race between dump and ip_set_list resize Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 144/518] virtio-mmio: fix device release warning on module unload Greg Kroah-Hartman
` (378 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yichun Zhang, Jiri Pirko, Yuka,
Ammar Faizi, Michael S. Tsirkin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ammar Faizi <ammarfaizi2@openresty.com>
commit f7d380fb525c13bdd114369a1979c80c346e6abc upstream.
Unbinding a virtio balloon device:
echo virtio0 > /sys/bus/virtio/drivers/virtio_balloon/unbind
triggers a NULL pointer dereference. The dmesg says:
BUG: kernel NULL pointer dereference, address: 0000000000000008
[...]
RIP: 0010:__list_del_entry_valid_or_report+0x5/0xf0
Call Trace:
<TASK>
vp_del_vqs+0x121/0x230
remove_common+0x135/0x150
virtballoon_remove+0xee/0x100
virtio_dev_remove+0x3b/0x80
device_release_driver_internal+0x187/0x2c0
unbind_store+0xb9/0xe0
kernfs_fop_write_iter.llvm.11660790530567441834+0xf6/0x180
vfs_write+0x2a9/0x3b0
ksys_write+0x5c/0xd0
do_syscall_64+0x54/0x230
entry_SYSCALL_64_after_hwframe+0x29/0x31
[...]
</TASK>
The virtio_balloon device registers 5 queues (inflate, deflate, stats,
free_page, reporting) but only the first two are unconditional. The
stats, free_page and reporting queues are each conditional on their
respective feature bits. When any of these features are absent, the
corresponding vqs_info entry has name == NULL, creating holes in the
array.
The root cause is an indexing mismatch introduced when vq info storage
was changed to be passed as an argument. vp_find_vqs_msix() and
vp_find_vqs_intx() store the info pointer at vp_dev->vqs[i], where 'i'
is the caller's sparse array index. However, the virtqueue itself gets
vq->index assigned from queue_idx, a dense index that skips NULL
entries. When holes exist, 'i' and queue_idx diverge. Later,
vp_del_vqs() looks up info via vp_dev->vqs[vq->index] using the dense
index into the sparsely-populated array, and hits NULL.
Fix this by storing info at vp_dev->vqs[queue_idx] instead of
vp_dev->vqs[i], so the store index matches the lookup index
(vq->index). Apply the fix to both the MSIX and INTX paths.
Cc: Yichun Zhang <yichun@openresty.com>
Cc: Jiri Pirko <jiri@nvidia.com>
Cc: stable@vger.kernel.org # v6.11+
Tested-by: Yuka <yuka@umeyashiki.org>
Fixes: 89a1c435aec2 ("virtio_pci: pass vq info as an argument to vp_setup_vq()")
Signed-off-by: Ammar Faizi <ammarfaizi2@openresty.com>
Message-Id: <20260315141808.547081-1-ammarfaizi2@openresty.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virtio/virtio_pci_common.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/virtio/virtio_pci_common.c
+++ b/drivers/virtio/virtio_pci_common.c
@@ -423,10 +423,11 @@ static int vp_find_vqs_msix(struct virti
vqs[i] = NULL;
continue;
}
- vqs[i] = vp_find_one_vq_msix(vdev, queue_idx++, vqi->callback,
+ vqs[i] = vp_find_one_vq_msix(vdev, queue_idx, vqi->callback,
vqi->name, vqi->ctx, false,
&allocated_vectors, vector_policy,
- &vp_dev->vqs[i]);
+ &vp_dev->vqs[queue_idx]);
+ queue_idx++;
if (IS_ERR(vqs[i])) {
err = PTR_ERR(vqs[i]);
goto error_find;
@@ -485,9 +486,10 @@ static int vp_find_vqs_intx(struct virti
vqs[i] = NULL;
continue;
}
- vqs[i] = vp_setup_vq(vdev, queue_idx++, vqi->callback,
+ vqs[i] = vp_setup_vq(vdev, queue_idx, vqi->callback,
vqi->name, vqi->ctx,
- VIRTIO_MSI_NO_VECTOR, &vp_dev->vqs[i]);
+ VIRTIO_MSI_NO_VECTOR, &vp_dev->vqs[queue_idx]);
+ queue_idx++;
if (IS_ERR(vqs[i])) {
err = PTR_ERR(vqs[i]);
goto out_del_vqs;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 144/518] virtio-mmio: fix device release warning on module unload
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 143/518] virtio_pci: fix vq info pointer lookup via wrong index Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 145/518] hwrng: virtio: clamp device-reported used.len at copy_data() Greg Kroah-Hartman
` (377 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pawel Moll, Johan Hovold,
Michael S. Tsirkin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c687bc35694698ec4c7f92bf929c3d659f0cecb8 upstream.
Driver core expects devices to be allocated dynamically and complains
loudly when a device that lacks a release function is freed.
Use __root_device_register() to allocate and register the root device
instead of open coding using a static device.
Note that root_device_register(), which also creates a link to the
module, cannot be used as the device is registered when parsing the
module parameters which happens before the module kobject has been set
up.
Fixes: 81a054ce0b46 ("virtio-mmio: Devices parameter parsing")
Cc: stable@vger.kernel.org # 3.5
Cc: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260427143710.14702-1-johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virtio/virtio_mmio.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
--- a/drivers/virtio/virtio_mmio.c
+++ b/drivers/virtio/virtio_mmio.c
@@ -662,9 +662,7 @@ static void virtio_mmio_remove(struct pl
#if defined(CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES)
-static struct device vm_cmdline_parent = {
- .init_name = "virtio-mmio-cmdline",
-};
+static struct device *vm_cmdline_parent;
static int vm_cmdline_parent_registered;
static int vm_cmdline_id;
@@ -672,7 +670,6 @@ static int vm_cmdline_id;
static int vm_cmdline_set(const char *device,
const struct kernel_param *kp)
{
- int err;
struct resource resources[2] = {};
char *str;
long long base, size;
@@ -704,11 +701,10 @@ static int vm_cmdline_set(const char *de
resources[1].start = resources[1].end = irq;
if (!vm_cmdline_parent_registered) {
- err = device_register(&vm_cmdline_parent);
- if (err) {
- put_device(&vm_cmdline_parent);
+ vm_cmdline_parent = __root_device_register("virtio-mmio-cmdline", NULL);
+ if (IS_ERR(vm_cmdline_parent)) {
pr_err("Failed to register parent device!\n");
- return err;
+ return PTR_ERR(vm_cmdline_parent);
}
vm_cmdline_parent_registered = 1;
}
@@ -719,7 +715,7 @@ static int vm_cmdline_set(const char *de
(unsigned long long)resources[0].end,
(int)resources[1].start);
- pdev = platform_device_register_resndata(&vm_cmdline_parent,
+ pdev = platform_device_register_resndata(vm_cmdline_parent,
"virtio-mmio", vm_cmdline_id++,
resources, ARRAY_SIZE(resources), NULL, 0);
@@ -743,8 +739,12 @@ static int vm_cmdline_get_device(struct
static int vm_cmdline_get(char *buffer, const struct kernel_param *kp)
{
buffer[0] = '\0';
- device_for_each_child(&vm_cmdline_parent, buffer,
- vm_cmdline_get_device);
+
+ if (vm_cmdline_parent_registered) {
+ device_for_each_child(vm_cmdline_parent, buffer,
+ vm_cmdline_get_device);
+ }
+
return strlen(buffer) + 1;
}
@@ -766,9 +766,9 @@ static int vm_unregister_cmdline_device(
static void vm_unregister_cmdline_devices(void)
{
if (vm_cmdline_parent_registered) {
- device_for_each_child(&vm_cmdline_parent, NULL,
+ device_for_each_child(vm_cmdline_parent, NULL,
vm_unregister_cmdline_device);
- device_unregister(&vm_cmdline_parent);
+ root_device_unregister(vm_cmdline_parent);
vm_cmdline_parent_registered = 0;
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 145/518] hwrng: virtio: clamp device-reported used.len at copy_data()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 144/518] virtio-mmio: fix device release warning on module unload Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 146/518] USB: chaoskey: Fix slab-use-after-free in chaoskey_release() Greg Kroah-Hartman
` (376 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael S. Tsirkin,
Michael Bommarito
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit e3046eeada299f917a8ad883af4434bfb86556b1 upstream.
random_recv_done() stores the device-reported used.len directly into
vi->data_avail. copy_data() then indexes vi->data[] using
vi->data_idx (advanced by previous copy_data() calls) and issues a
memcpy() without re-validating either value against the posted
buffer size sizeof(vi->data) (SMP_CACHE_BYTES bytes, typically 32
or 64).
A malicious or buggy virtio-rng backend can set used.len beyond
sizeof(vi->data), steering the memcpy() past the end of the inline
array into adjacent kmalloc-1k slab bytes. hwrng_fillfn() mixes
those bytes into the guest RNG, and guest root can also observe
them directly via /dev/hwrng.
Concrete impact is inside the guest:
- Memory-safety / hardening: any virtio-rng backend that
over-reports used.len causes the driver to read past vi->data
into unrelated slab contents. hwrng_fillfn() is a kernel thread
that runs as soon as the device is probed; no guest userspace
interaction is required to first-trigger the OOB.
- Cross-boundary leak (confidential-compute threat model): a
malicious hypervisor cooperating with a malicious or compromised
guest root userspace can use /dev/hwrng as a leak channel for
guest-kernel heap data. The host sets a large used.len, guest
root reads /dev/hwrng, and the returned bytes contain guest
kernel slab contents that were adjacent to vi->data. In
practice, confidential-compute guests (SEV-SNP, TDX) usually
disable virtio-rng entirely, so this path is narrow, but the
fix is still worth carrying because the underlying
memory-safety bug contaminates the guest RNG on any host.
KASAN confirms the OOB on a 7.1-rc4 guest whose virtio-rng backend
has been patched to report used.len = 0x10000:
BUG: KASAN: slab-out-of-bounds in virtio_read+0x394/0x5d0
Read of size 64 at addr ffff88800ae0ba20 by task hwrng/52
Call Trace:
__asan_memcpy+0x23/0x60
virtio_read+0x394/0x5d0
hwrng_fillfn+0xb2/0x470
kthread+0x2cc/0x3a0
Allocated by task 1:
probe_common+0xa5/0x660
virtio_dev_probe+0x549/0xbc0
The buggy address belongs to the object at ffff88800ae0b800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes to the right of
allocated 544-byte region [ffff88800ae0b800, ffff88800ae0ba20)
Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened
usb9pfs_rx_complete() against unchecked device-reported length in
the USB 9p transport.
With the clamp at point of use and array_index_nospec() in place,
the same harness boots cleanly: copy_data() returns zero for the
bogus report, the device-supplied bytes after data_idx are
discarded, and the driver issues a fresh request.
Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
Cc: stable@vger.kernel.org
Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260531142251.2792061-1-michael.bommarito@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/hw_random/virtio-rng.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
--- a/drivers/char/hw_random/virtio-rng.c
+++ b/drivers/char/hw_random/virtio-rng.c
@@ -7,6 +7,7 @@
#include <asm/barrier.h>
#include <linux/err.h>
#include <linux/hw_random.h>
+#include <linux/nospec.h>
#include <linux/scatterlist.h>
#include <linux/spinlock.h>
#include <linux/virtio.h>
@@ -69,8 +70,26 @@ static void request_entropy(struct virtr
static unsigned int copy_data(struct virtrng_info *vi, void *buf,
unsigned int size)
{
- size = min_t(unsigned int, size, vi->data_avail);
- memcpy(buf, vi->data + vi->data_idx, size);
+ unsigned int idx, avail;
+
+ /*
+ * vi->data_avail was set from the device-reported used.len and
+ * vi->data_idx was advanced by previous copy_data() calls. A
+ * malicious or buggy virtio-rng backend can drive either past
+ * sizeof(vi->data). Clamp at point of use and harden the index
+ * with array_index_nospec() so the memcpy() below cannot be
+ * steered into adjacent slab memory, including under
+ * speculation.
+ */
+ avail = min_t(unsigned int, vi->data_avail, sizeof(vi->data));
+ if (vi->data_idx >= avail) {
+ vi->data_avail = 0;
+ request_entropy(vi);
+ return 0;
+ }
+ size = min_t(unsigned int, size, avail - vi->data_idx);
+ idx = array_index_nospec(vi->data_idx, sizeof(vi->data));
+ memcpy(buf, vi->data + idx, size);
vi->data_idx += size;
vi->data_avail -= size;
if (vi->data_avail == 0)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 146/518] USB: chaoskey: Fix slab-use-after-free in chaoskey_release()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 145/518] hwrng: virtio: clamp device-reported used.len at copy_data() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 147/518] usb: dwc3: run gadget disconnect from sleepable suspend context Greg Kroah-Hartman
` (375 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuangpeng Bai, Alan Stern, stable,
Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit abf76d3239dee97b66e7241ad04811f1ce562e28 upstream.
The chaoskey driver has a use-after-free bug in its release routine.
If the user closes the device file after the USB device has been
unplugged, a debugging log statement will try to access the
usb_interface structure after it has been deallocated:
BUG: KASAN: slab-use-after-free in dev_driver_string (drivers/base/core.c:2406)
Read of size 8 at addr ffff888168e8a0b8 by task chaoskey_raw_re/10106
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:595)
dev_driver_string (drivers/base/core.c:2406)
__dynamic_dev_dbg (lib/dynamic_debug.c:906)
chaoskey_release (drivers/usb/misc/chaoskey.c:323)
__fput (fs/file_table.c:510)
fput_close_sync (fs/file_table.c:615)
__x64_sys_close (fs/open.c:1507 fs/open.c:1492 fs/open.c:1492)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
The driver's last reference to the interface structure is dropped in
the chaoskey_free() routine, so the code must not use the interface --
even in a debugging statement -- after that routine returns.
(Exception: If we know that another reference is held by someone else,
such as the device core while the disconnect routine runs, there's no
problem. Thanks to Johan Hovold for pointing this out.)
Since the bad access is part of an unimportant debugging statement,
we can fix the problem simply by removing the whole statement.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Closes: https://lore.kernel.org/linux-usb/20EC9664-054E-438B-B411-2145D347F97B@gmail.com/
Tested-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
Cc: stable <stable@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/bb5b1dc6-eb59-43e1-8d26-51e658e88bbe@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/chaoskey.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/usb/misc/chaoskey.c
+++ b/drivers/usb/misc/chaoskey.c
@@ -320,7 +320,6 @@ bail:
mutex_unlock(&dev->lock);
destruction:
mutex_unlock(&chaoskey_list_lock);
- usb_dbg(interface, "release success");
return rv;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 147/518] usb: dwc3: run gadget disconnect from sleepable suspend context
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 146/518] USB: chaoskey: Fix slab-use-after-free in chaoskey_release() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 148/518] usb: misc: usbio: fix disconnect UAF in client teardown Greg Kroah-Hartman
` (374 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Runyu Xiao, Thinh Nguyen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit 010382937fb69892b3469ac4d30af072262f59e8 upstream.
dwc3_gadget_suspend() takes dwc->lock with IRQs disabled and then calls
dwc3_disconnect_gadget(). For async callbacks that helper only uses
plain spin_unlock()/spin_lock(), so the gadget ->disconnect() callback
still runs with IRQs disabled and any sleepable callback trips Lockdep.
This issue was found by our static analysis tool and then manually
reviewed against the current tree.
The grounded PoC kept the dwc3_gadget_suspend() ->
dwc3_disconnect_gadget() -> gadget_driver->disconnect() chain, and
Lockdep reported:
BUG: sleeping function called from invalid context
gadget_disconnect+0x21/0x39 [vuln_msv]
dwc3_gadget_suspend.constprop.0+0x2b/0x42 [vuln_msv]
Keep the disconnect callback selection in one common helper, but add a
sleepable suspend-side wrapper which snapshots the callback under
dwc->lock and then runs it after spin_unlock_irqrestore(). The regular
event path still uses the existing spin_unlock()/spin_lock() window.
Fixes: c8540870af4c ("usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()")
Cc: stable <stable@kernel.org>
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260612052005.3849659-1-runyu.xiao@seu.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 43 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 7 deletions(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3934,15 +3934,48 @@ static void dwc3_endpoint_interrupt(stru
}
}
+static bool dwc3_prepare_disconnect_gadget(struct dwc3 *dwc,
+ struct usb_gadget_driver **driver,
+ struct usb_gadget **gadget)
+{
+ if (!dwc->async_callbacks || !dwc->gadget_driver ||
+ !dwc->gadget_driver->disconnect)
+ return false;
+
+ *driver = dwc->gadget_driver;
+ *gadget = dwc->gadget;
+
+ return true;
+}
+
static void dwc3_disconnect_gadget(struct dwc3 *dwc)
{
- if (dwc->async_callbacks && dwc->gadget_driver->disconnect) {
+ struct usb_gadget_driver *driver;
+ struct usb_gadget *gadget;
+
+ if (dwc3_prepare_disconnect_gadget(dwc, &driver, &gadget)) {
spin_unlock(&dwc->lock);
- dwc->gadget_driver->disconnect(dwc->gadget);
+ driver->disconnect(gadget);
spin_lock(&dwc->lock);
}
}
+static void dwc3_disconnect_gadget_sleepable(struct dwc3 *dwc)
+{
+ struct usb_gadget_driver *driver;
+ struct usb_gadget *gadget;
+ unsigned long flags;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ if (!dwc3_prepare_disconnect_gadget(dwc, &driver, &gadget)) {
+ spin_unlock_irqrestore(&dwc->lock, flags);
+ return;
+ }
+
+ spin_unlock_irqrestore(&dwc->lock, flags);
+ driver->disconnect(gadget);
+}
+
static void dwc3_suspend_gadget(struct dwc3 *dwc)
{
if (dwc->async_callbacks && dwc->gadget_driver->suspend) {
@@ -4838,7 +4871,6 @@ EXPORT_SYMBOL_GPL(dwc3_gadget_exit);
int dwc3_gadget_suspend(struct dwc3 *dwc)
{
- unsigned long flags;
int ret;
ret = dwc3_gadget_soft_disconnect(dwc);
@@ -4852,10 +4884,7 @@ int dwc3_gadget_suspend(struct dwc3 *dwc
return -EAGAIN;
}
- spin_lock_irqsave(&dwc->lock, flags);
- if (dwc->gadget_driver)
- dwc3_disconnect_gadget(dwc);
- spin_unlock_irqrestore(&dwc->lock, flags);
+ dwc3_disconnect_gadget_sleepable(dwc);
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 148/518] usb: misc: usbio: fix disconnect UAF in client teardown
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 147/518] usb: dwc3: run gadget disconnect from sleepable suspend context Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 149/518] 6lowpan: fix NHC entry use-after-free on error path Greg Kroah-Hartman
` (373 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Cen Zhang, Hans de Goede,
Sakari Ailus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cen Zhang <zzzccc427@gmail.com>
commit 0bfeec21984fedd32987f4e4c0cde34b445af404 upstream.
usbio_disconnect() walks usbio->cli_list in reverse and uninitializes each
auxiliary device. auxiliary_device_uninit() drops the device reference, and
for an unbound child that can run usbio_auxdev_release() and free the
containing struct usbio_client.
list_for_each_entry_reverse() advances after the loop body by reading
client->link.prev. If the current client is freed by
auxiliary_device_uninit(), the iterator dereferences freed memory.
Use list_for_each_entry_safe_reverse() so the previous client is
cached before the body can drop the final reference. This preserves
reverse teardown order while keeping the next iterator cursor independent
of the current client's lifetime.
Validation reproduced this kernel report:
BUG: KASAN: slab-use-after-free in usbio_disconnect+0x12e/0x150
Call Trace:
<TASK>
dump_stack_lvl+0x66/0xa0
print_report+0xce/0x630
? usbio_disconnect+0x12e/0x150
? srso_alias_return_thunk+0x5/0xfbef5
? __virt_addr_valid+0x188/0x320
? usbio_disconnect+0x12e/0x150
kasan_report+0xe0/0x110
? usbio_disconnect+0x12e/0x150
usbio_disconnect+0x12e/0x150
usb_unbind_interface+0xf3/0x400
really_probe+0x316/0x660
__driver_probe_device+0x106/0x240
driver_probe_device+0x4a/0x110
__device_attach_driver+0xf1/0x1a0
? __pfx___device_attach_driver+0x10/0x10
bus_for_each_drv+0xf9/0x160
? __pfx_bus_for_each_drv+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? trace_hardirqs_on+0x18/0x130
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__device_attach+0x133/0x2a0
? __pfx___device_attach+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? do_raw_spin_unlock+0x9a/0x100
? srso_alias_return_thunk+0x5/0xfbef5
device_initial_probe+0x55/0x70
bus_probe_device+0x4a/0xd0
device_add+0x9b9/0xc10
? __pfx_device_add+0x10/0x10
? _raw_spin_unlock_irqrestore+0x44/0x60
? srso_alias_return_thunk+0x5/0xfbef5
? lockdep_hardirqs_on_prepare+0xea/0x1a0
? srso_alias_return_thunk+0x5/0xfbef5
? usb_enable_lpm+0x3c/0x260
usb_set_configuration+0xb64/0xf20
usb_generic_driver_probe+0x5f/0x90
usb_probe_device+0x71/0x1b0
really_probe+0x46b/0x660
__driver_probe_device+0x106/0x240
driver_probe_device+0x4a/0x110
__device_attach_driver+0xf1/0x1a0
? __pfx___device_attach_driver+0x10/0x10
bus_for_each_drv+0xf9/0x160
? __pfx_bus_for_each_drv+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? trace_hardirqs_on+0x18/0x130
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__device_attach+0x133/0x2a0
? __pfx___device_attach+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? do_raw_spin_unlock+0x9a/0x100
? srso_alias_return_thunk+0x5/0xfbef5
device_initial_probe+0x55/0x70
bus_probe_device+0x4a/0xd0
device_add+0x9b9/0xc10
? __pfx_device_add+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? add_device_randomness+0xb7/0xf0
usb_new_device+0x492/0x870
hub_event+0x1b10/0x29c0
? __pfx_hub_event+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? lock_acquire+0x187/0x300
? process_one_work+0x475/0xb90
? srso_alias_return_thunk+0x5/0xfbef5
? lock_release+0xc8/0x290
? srso_alias_return_thunk+0x5/0xfbef5
process_one_work+0x4d7/0xb90
? __pfx_process_one_work+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __list_add_valid_or_report+0x37/0xf0
? __pfx_hub_event+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
worker_thread+0x2d8/0x570
? __pfx_worker_thread+0x10/0x10
kthread+0x1ad/0x1f0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3c9/0x540
? __pfx_ret_from_fork+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? __switch_to+0x2e9/0x730
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Fixes: 121a0f839dbb ("usb: misc: Add Intel USBIO bridge driver")
Cc: stable <stable@kernel.org>
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260618124029.3704089-1-zzzccc427@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/usbio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/misc/usbio.c
+++ b/drivers/usb/misc/usbio.c
@@ -518,7 +518,7 @@ static int usbio_resume(struct usb_inter
static void usbio_disconnect(struct usb_interface *intf)
{
struct usbio_device *usbio = usb_get_intfdata(intf);
- struct usbio_client *client;
+ struct usbio_client *client, *next;
/* Wakeup any clients waiting for a reply */
usbio->rxdat_len = 0;
@@ -535,7 +535,7 @@ static void usbio_disconnect(struct usb_
usb_kill_urb(usbio->urb);
usb_free_urb(usbio->urb);
- list_for_each_entry_reverse(client, &usbio->cli_list, link) {
+ list_for_each_entry_safe_reverse(client, next, &usbio->cli_list, link) {
auxiliary_device_delete(&client->auxdev);
auxiliary_device_uninit(&client->auxdev);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 149/518] 6lowpan: fix NHC entry use-after-free on error path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 148/518] usb: misc: usbio: fix disconnect UAF in client teardown Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 150/518] tracing: Fix NULL pointer dereference in func_set_flag() Greg Kroah-Hartman
` (372 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
Xuewei Feng, Qi Li, Ke Xu, Alexander Aring, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit 1720db928e5a58ca7d75ac1d514c3b73fd7061a7 upstream.
lowpan_nhc_do_uncompression() looks up an NHC descriptor while holding
lowpan_nhc_lock. If the descriptor has no uncompress callback, the error
path drops the lock before printing nhc->name.
lowpan_nhc_del() removes descriptors under the same lock and then relies
on synchronize_net() before the owning module can be unloaded. That only
waits for net RX RCU readers. lowpan_header_decompress() is also exported
and can be reached from callers that are not necessarily covered by the net
core RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive
path.
This leaves a race where one task drops lowpan_nhc_lock in the error path,
another task unregisters and frees the matching descriptor after
synchronize_net() returns, and the first task then dereferences nhc->name
for the warning.
With the post-unlock window widened, KASAN reports:
BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220
Read of size 8
lowpan_nhc_do_uncompression
lowpan_header_decompress
Fix this by printing the warning before dropping lowpan_nhc_lock, so the
descriptor name is read while unregister is still excluded. The malformed
packet is still rejected with -ENOTSUPP.
Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
Cc: stable@vger.kernel.org
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://patch.msgid.link/20260609080054.4541-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/6lowpan/nhc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/6lowpan/nhc.c
+++ b/net/6lowpan/nhc.c
@@ -117,9 +117,9 @@ int lowpan_nhc_do_uncompression(struct s
return ret;
}
} else {
- spin_unlock_bh(&lowpan_nhc_lock);
netdev_warn(dev, "received nhc id for %s which is not implemented.\n",
nhc->name);
+ spin_unlock_bh(&lowpan_nhc_lock);
return -ENOTSUPP;
}
} else {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 150/518] tracing: Fix NULL pointer dereference in func_set_flag()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 149/518] 6lowpan: fix NHC entry use-after-free on error path Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:26 ` [PATCH 7.1 151/518] tipc: fix out-of-bounds read in broadcast Gap ACK blocks Greg Kroah-Hartman
` (371 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuanhe Shu, Steven Rostedt
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanhe Shu <xiangzao@linux.alibaba.com>
commit c3e94604675e3db186111b8942650d86577df9b0 upstream.
func_set_flag() dereferences tr->current_trace_flags before verifying
that the current tracer is actually the function tracer. When the active
tracer has been switched away from "function" (e.g., to "wakeup_rt"),
tr->current_trace_flags can be NULL, leading to a NULL pointer
dereference and kernel crash.
The call chain that triggers this is:
trace_options_write()
-> __set_tracer_option()
-> trace->set_flag() /* func_set_flag */
In func_set_flag(), the first operation is:
if (!!set == !!(tr->current_trace_flags->val & bit))
This dereferences tr->current_trace_flags unconditionally. The safety
check that guards against a non-function tracer:
if (tr->current_trace != &function_trace)
return 0;
is placed *after* the dereference, which is too late.
This was observed with the following crash dump:
BUG: unable to handle page fault at 0000000000000000
RIP: func_set_flag+0xd
Call Trace:
__set_tracer_option+0x27
trace_options_write+0x75
vfs_write+0x12a
ksys_write+0x66
do_syscall_64+0x5b
RIP: ffffffff914c973d RSP: ff67ec88b01dfdf0 RFLAGS: 00010202
RAX: 0000000000000000 RBX: ff3a826e80354580 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff93918080
The disassembly confirms the fault:
func_set_flag+0: mov 0x1f08(%rdi), %rax ; RAX = tr->current_trace_flags = NULL
func_set_flag+13: mov (%rax), %eax ; page fault: dereference NULL
At the time of the crash:
tr->current_trace_flags = 0x0 (NULL)
tr->current_trace = wakeup_rt_tracer (not function_trace)
The scenario is that a process opens a function tracer option file (such
as "func_stack_trace"), then the current tracer is switched to another
tracer (e.g., "wakeup_rt"), which sets current_trace_flags to NULL. When
the process subsequently writes to the option file, func_set_flag() is
invoked and crashes on the NULL dereference.
Fix this by moving the current_trace check before the
current_trace_flags dereference, so that func_set_flag() returns early
when the function tracer is not active.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260624061715.1445655-1-xiangzao@linux.alibaba.com
Fixes: 76680d0d2825 ("tracing: Have function tracer define options per instance")
Signed-off-by: Yuanhe Shu <xiangzao@linux.alibaba.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_functions.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/kernel/trace/trace_functions.c
+++ b/kernel/trace/trace_functions.c
@@ -458,12 +458,12 @@ func_set_flag(struct trace_array *tr, u3
ftrace_func_t func;
u32 new_flags;
- /* Do nothing if already set. */
- if (!!set == !!(tr->current_trace_flags->val & bit))
+ /* We can change this flag only when current tracer is function. */
+ if (tr->current_trace != &function_trace)
return 0;
- /* We can change this flag only when not running. */
- if (tr->current_trace != &function_trace)
+ /* Do nothing if already set. */
+ if (!!set == !!(tr->current_trace_flags->val & bit))
return 0;
new_flags = (tr->current_trace_flags->val & ~bit) | (set ? bit : 0);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 151/518] tipc: fix out-of-bounds read in broadcast Gap ACK blocks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 150/518] tracing: Fix NULL pointer dereference in func_set_flag() Greg Kroah-Hartman
@ 2026-07-16 13:26 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 152/518] staging: vme_user: bound slave read/write to the kern_buf size Greg Kroah-Hartman
` (370 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Page, Tung Nguyen,
Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Page <sam@bynar.io>
commit 2b66974a1b6134a4bbc3bfed181f7418f688eb54 upstream.
A broadcast PROTOCOL/STATE_MSG can carry a Gap ACK blocks record in its
data area. tipc_get_gap_ack_blks() only verifies that the record's len
field is self-consistent with its ugack_cnt/bgack_cnt counts
(sz == struct_size(p, gacks, ugack_cnt + bgack_cnt)); it does not check
that the record actually fits in the message data area, msg_data_sz().
The unicast caller tipc_link_proto_rcv() bounds it ("if (glen > dlen)
break;"), but the broadcast caller tipc_bcast_sync_rcv() discards the
returned size, so tipc_link_advance_transmq() copies the record off the
receive skb with an attacker-controlled count:
this_ga = kmemdup(ga, struct_size(ga, gacks, ga->bgack_cnt),
GFP_ATOMIC);
A TIPC neighbour that negotiated TIPC_GAP_ACK_BLOCK triggers it with one
ordinary broadcast STATE_MSG (msg_bc_ack_invalid() clear), sized so its
data area is short, carrying a Gap ACK record with len = 0x400,
bgack_cnt = 0xff and ugack_cnt = 0. len then equals
struct_size(p, gacks, 255), so the consistency check passes and ga is
non-NULL; kmemdup() reads struct_size(ga, gacks, 255) = 1024 bytes out
of the much smaller skb:
BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x48/0x60
Read of size 1024 at addr ffff0000c7030d38 by task poc864/69
Call trace:
kmemdup_noprof+0x48/0x60
tipc_link_advance_transmq+0x86c/0xb80
tipc_link_bc_ack_rcv+0x19c/0x1e0
tipc_bcast_sync_rcv+0x1c4/0x2c4
tipc_rcv+0x85c/0x1340
tipc_l2_rcv_msg+0xac/0x104
The buggy address belongs to the object at ffff0000c7030d00
which belongs to the cache skbuff_small_head of size 704
The buggy address is located 56 bytes inside of
allocated 704-byte region [ffff0000c7030d00, ffff0000c7030fc0)
The copied-out bytes are subsequently consumed as gap/ack values, but
the read is already out of bounds at the kmemdup() regardless of how
they are used.
The unicast STATE path drops such a message: "if (glen > dlen) break;"
skips the rest of STATE_MSG handling and the skb is freed. Make the
broadcast path drop it too. tipc_bcast_sync_rcv() now bounds the record
against msg_data_sz() and, when it does not fit, reports it back through
tipc_node_bc_sync_rcv() to tipc_rcv() so the skb is discarded rather than
processed. ga is not cleared on this path: ga == NULL already means
"legacy peer without Selective ACK", a distinct legitimate state.
Fixes: d7626b5acff9 ("tipc: introduce Gap ACK blocks for broadcast link")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Page <sam@bynar.io>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20260625143815.1525412-1-sam@bynar.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/bcast.c | 22 ++++++++++++++--------
net/tipc/bcast.h | 2 +-
net/tipc/node.c | 15 ++++++++++++---
3 files changed, 27 insertions(+), 12 deletions(-)
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -497,12 +497,13 @@ void tipc_bcast_ack_rcv(struct net *net,
*/
int tipc_bcast_sync_rcv(struct net *net, struct tipc_link *l,
struct tipc_msg *hdr,
- struct sk_buff_head *retrq)
+ struct sk_buff_head *retrq, bool *valid)
{
struct sk_buff_head *inputq = &tipc_bc_base(net)->inputq;
struct tipc_gap_ack_blks *ga;
struct sk_buff_head xmitq;
int rc = 0;
+ u16 glen;
__skb_queue_head_init(&xmitq);
@@ -510,13 +511,18 @@ int tipc_bcast_sync_rcv(struct net *net,
if (msg_type(hdr) != STATE_MSG) {
tipc_link_bc_init_rcv(l, hdr);
} else if (!msg_bc_ack_invalid(hdr)) {
- tipc_get_gap_ack_blks(&ga, l, hdr, false);
- if (!sysctl_tipc_bc_retruni)
- retrq = &xmitq;
- rc = tipc_link_bc_ack_rcv(l, msg_bcast_ack(hdr),
- msg_bc_gap(hdr), ga, &xmitq,
- retrq);
- rc |= tipc_link_bc_sync_rcv(l, hdr, &xmitq);
+ glen = tipc_get_gap_ack_blks(&ga, l, hdr, false);
+ if (glen > msg_data_sz(hdr)) {
+ /* Malformed Gap ACK blocks; caller drops the msg */
+ *valid = false;
+ } else {
+ if (!sysctl_tipc_bc_retruni)
+ retrq = &xmitq;
+ rc = tipc_link_bc_ack_rcv(l, msg_bcast_ack(hdr),
+ msg_bc_gap(hdr), ga, &xmitq,
+ retrq);
+ rc |= tipc_link_bc_sync_rcv(l, hdr, &xmitq);
+ }
}
tipc_bcast_unlock(net);
--- a/net/tipc/bcast.h
+++ b/net/tipc/bcast.h
@@ -97,7 +97,7 @@ void tipc_bcast_ack_rcv(struct net *net,
struct tipc_msg *hdr);
int tipc_bcast_sync_rcv(struct net *net, struct tipc_link *l,
struct tipc_msg *hdr,
- struct sk_buff_head *retrq);
+ struct sk_buff_head *retrq, bool *valid);
int tipc_nl_add_bc_link(struct net *net, struct tipc_nl_msg *msg,
struct tipc_link *bcl);
int tipc_nl_bc_link_set(struct net *net, struct nlattr *attrs[]);
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1831,12 +1831,15 @@ static void tipc_node_mcast_rcv(struct t
}
static void tipc_node_bc_sync_rcv(struct tipc_node *n, struct tipc_msg *hdr,
- int bearer_id, struct sk_buff_head *xmitq)
+ int bearer_id, struct sk_buff_head *xmitq,
+ bool *valid)
{
struct tipc_link *ucl;
int rc;
- rc = tipc_bcast_sync_rcv(n->net, n->bc_entry.link, hdr, xmitq);
+ rc = tipc_bcast_sync_rcv(n->net, n->bc_entry.link, hdr, xmitq, valid);
+ if (!*valid)
+ return;
if (rc & TIPC_LINK_DOWN_EVT) {
tipc_node_reset_links(n);
@@ -2140,12 +2143,18 @@ rcv:
/* Ensure broadcast reception is in synch with peer's send state */
if (unlikely(usr == LINK_PROTOCOL)) {
+ bool valid = true;
+
if (unlikely(skb_linearize(skb))) {
tipc_node_put(n);
goto discard;
}
hdr = buf_msg(skb);
- tipc_node_bc_sync_rcv(n, hdr, bearer_id, &xmitq);
+ tipc_node_bc_sync_rcv(n, hdr, bearer_id, &xmitq, &valid);
+ if (!valid) {
+ tipc_node_put(n);
+ goto discard;
+ }
} else if (unlikely(tipc_link_acked(n->bc_entry.link) != bc_ack)) {
tipc_bcast_ack_rcv(net, n->bc_entry.link, hdr);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 152/518] staging: vme_user: bound slave read/write to the kern_buf size
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-07-16 13:26 ` [PATCH 7.1 151/518] tipc: fix out-of-bounds read in broadcast Gap ACK blocks Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 153/518] smb: client: restrict implied bcc[0] exemption to responses without data area Greg Kroah-Hartman
` (369 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Tautschnig
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Tautschnig <tautschn@amazon.com>
commit 9f32f38265014fac7f5dc9490fb01a638ce6e121 upstream.
The SLAVE-path helpers buffer_to_user() and buffer_from_user() copy
'count' bytes into/out of the fixed-size kern_buf (size_buf ==
PCI_BUF_SIZE == 0x20000, 128 KiB) using *ppos as the offset, without
bounding *ppos + count against size_buf.
vme_user_write()/vme_user_read() only clamp count to the VME window size
(image_size = vme_get_size(resource)), which VME_SET_SLAVE sets from the
user-supplied slave.size -- validated against the VME address space (up
to VME_A32_MAX = 4 GiB), not against PCI_BUF_SIZE. When the window
exceeds 128 KiB, a write()/read() copies past the kern_buf allocation.
Clamp count against size_buf in both helpers, with an early return when
*ppos is already at/after the buffer end. *ppos is >= 0 here (the caller
rejects negative offsets), so size_buf - *ppos cannot wrap. This mirrors
the existing clamp in the MASTER-path helpers resource_to_user() /
resource_from_user(), and matches the read()/write() convention of a
short transfer at end-of-buffer.
Found by static analysis (CodeQL taint tracking + CBMC bounded model
checking) and confirmed dynamically under KASAN with the vme_fake bridge:
BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x2d/0x80
Write of size 262144 at addr ffff888004100000 by task trigger/68
_copy_from_user+0x2d/0x80
vme_user_write+0x13e/0x240 [vme_user]
vfs_write+0x1b8/0x7a0
ksys_write+0xb8/0x150
Fixes: f00a86d98a1e ("Staging: vme: add VME userspace driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Michael Tautschnig <tautschn@amazon.com>
Link: https://patch.msgid.link/20260618114709.72499-1-tautschn@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/vme_user/vme_user.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/drivers/staging/vme_user/vme_user.c
+++ b/drivers/staging/vme_user/vme_user.c
@@ -156,6 +156,17 @@ static ssize_t buffer_to_user(unsigned i
{
void *image_ptr;
+ /*
+ * The slave window (image_size) can exceed the fixed kern_buf
+ * (size_buf == PCI_BUF_SIZE), so bound the copy to kern_buf.
+ * *ppos is >= 0 here (checked by the caller), so the
+ * subtraction below cannot wrap.
+ */
+ if (*ppos >= image[minor].size_buf)
+ return 0;
+ if (count > image[minor].size_buf - *ppos)
+ count = image[minor].size_buf - *ppos;
+
image_ptr = image[minor].kern_buf + *ppos;
if (copy_to_user(buf, image_ptr, (unsigned long)count))
return -EFAULT;
@@ -168,6 +179,17 @@ static ssize_t buffer_from_user(unsigned
{
void *image_ptr;
+ /*
+ * The slave window (image_size) can exceed the fixed kern_buf
+ * (size_buf == PCI_BUF_SIZE), so bound the copy to kern_buf.
+ * *ppos is >= 0 here (checked by the caller), so the
+ * subtraction below cannot wrap.
+ */
+ if (*ppos >= image[minor].size_buf)
+ return 0;
+ if (count > image[minor].size_buf - *ppos)
+ count = image[minor].size_buf - *ppos;
+
image_ptr = image[minor].kern_buf + *ppos;
if (copy_from_user(image_ptr, buf, (unsigned long)count))
return -EFAULT;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 153/518] smb: client: restrict implied bcc[0] exemption to responses without data area
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 152/518] staging: vme_user: bound slave read/write to the kern_buf size Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 154/518] staging: vme_user: fix location monitor leak in fake bridge Greg Kroah-Hartman
` (368 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shoichiro Miyamoto, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shoichiro Miyamoto <shoichiro.miyamoto@gmail.com>
commit 53b7c271f06be4dd5cfc8c6ef552a8355c891a7f upstream.
smb2_check_message() has a long-standing quirk that accepts a response
whose calculated length is one byte larger than the bytes actually
received ("server can return one byte more due to implied bcc[0]").
This was introduced to accommodate servers that omit the trailing bcc[0]
overlap byte when no data area is present.
However, the exemption is applied unconditionally, regardless of whether
the command actually carries a data area (has_smb2_data_area[]). When a
response with a data area is subject to the +1 exemption, the reported
data can extend one byte beyond the bytes actually received, yet
smb2_check_message() still accepts it. The subsequent decoder then reads
past the end of the receive buffer. This is reachable during NEGOTIATE
and SESSION_SETUP, before the session is established.
The resulting out-of-bounds reads are visible under KASAN when mounting
against a non-conforming server; both the SPNEGO/negTokenInit and the
NTLMSSP challenge decoders are affected:
BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x16a7/0x1b00
Read of size 1 at addr ffff8880084d67c0 by task mount.cifs/81
CPU: 1 UID: 0 PID: 81 Comm: mount.cifs Not tainted 7.1.0-rc6 #1
Call Trace:
<TASK>
dump_stack_lvl+0x4e/0x70
print_report+0x157/0x4c9
kasan_report+0xce/0x100
asn1_ber_decoder+0x16a7/0x1b00
decode_negTokenInit+0x19/0x30
SMB2_negotiate+0x31d9/0x4c90
cifs_negotiate_protocol+0x1f2/0x3f0
cifs_get_smb_ses+0x93f/0x17e0
cifs_mount_get_session+0x7f/0x3a0
cifs_mount+0xb4/0xcf0
cifs_smb3_do_mount+0x23a/0x1500
smb3_get_tree+0x3b0/0x630
vfs_get_tree+0x82/0x2d0
fc_mount+0x10/0x1b0
path_mount+0x50d/0x1de0
__x64_sys_mount+0x20b/0x270
do_syscall_64+0xee/0x590
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 85:
kmem_cache_alloc_noprof+0x106/0x380
mempool_alloc_noprof+0x116/0x1e0
cifs_small_buf_get+0x31/0x80
allocate_buffers+0x10d/0x2b0
cifs_demultiplex_thread+0x1d5/0x1d50
kthread+0x2c6/0x390
ret_from_fork+0x36e/0x5a0
ret_from_fork_asm+0x1a/0x30
The buggy address is located 0 bytes to the right of
allocated 448-byte region [ffff8880084d6600, ffff8880084d67c0)
which belongs to the cache cifs_small_rq of size 448
BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x36/0x50
Read of size 329 at addr ffff88800726c678 by task mount.cifs/89
CPU: 0 UID: 0 PID: 89 Comm: mount.cifs Tainted: G B 7.1.0-rc6 #1
Call Trace:
<TASK>
dump_stack_lvl+0x4e/0x70
print_report+0x157/0x4c9
kasan_report+0xce/0x100
kasan_check_range+0x10f/0x1e0
__asan_memcpy+0x23/0x60
kmemdup_noprof+0x36/0x50
decode_ntlmssp_challenge+0x457/0x680
SMB2_sess_auth_rawntlmssp_negotiate+0x6f0/0xcb0
SMB2_sess_setup+0x219/0x4f0
cifs_setup_session+0x248/0xaf0
cifs_get_smb_ses+0xf79/0x17e0
cifs_mount_get_session+0x7f/0x3a0
cifs_mount+0xb4/0xcf0
cifs_smb3_do_mount+0x23a/0x1500
smb3_get_tree+0x3b0/0x630
vfs_get_tree+0x82/0x2d0
fc_mount+0x10/0x1b0
path_mount+0x50d/0x1de0
__x64_sys_mount+0x20b/0x270
do_syscall_64+0xee/0x590
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 93:
kmem_cache_alloc_noprof+0x106/0x380
mempool_alloc_noprof+0x116/0x1e0
cifs_small_buf_get+0x31/0x80
allocate_buffers+0x10d/0x2b0
cifs_demultiplex_thread+0x1d5/0x1d50
kthread+0x2c6/0x390
ret_from_fork+0x36e/0x5a0
ret_from_fork_asm+0x1a/0x30
The buggy address is located 120 bytes inside of
allocated 448-byte region [ffff88800726c600, ffff88800726c7c0)
which belongs to the cache cifs_small_rq of size 448
Restrict the +1 exemption to responses that have no data area, so that
it still covers the bcc[0] omission it was meant for. When a data area
is present, the +1 discrepancy instead means the reported data length
overruns the received buffer, so the response must be rejected.
Fixes: 093b2bdad322 ("CIFS: Make demultiplex_thread work with SMB2 code")
Cc: stable@vger.kernel.org
Signed-off-by: Shoichiro Miyamoto <shoichiro.miyamoto@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2misc.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
--- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -19,6 +19,8 @@
#include "nterr.h"
#include "cached_dir.h"
+static unsigned int __smb2_calc_size(void *buf, bool *have_data);
+
static int
check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid)
{
@@ -145,6 +147,7 @@ smb2_check_message(char *buf, unsigned i
int command;
__u32 calc_len; /* calculated length */
__u64 mid;
+ bool have_data;
/* If server is a channel, select the primary channel */
pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
@@ -228,7 +231,8 @@ smb2_check_message(char *buf, unsigned i
}
}
- calc_len = smb2_calc_size(buf);
+ have_data = false;
+ calc_len = __smb2_calc_size(buf, &have_data);
/* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might
* be 0, and not a real miscalculation */
@@ -247,8 +251,13 @@ smb2_check_message(char *buf, unsigned i
/* Windows 7 server returns 24 bytes more */
if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
return 0;
- /* server can return one byte more due to implied bcc[0] */
- if (calc_len == len + 1)
+ /*
+ * Server can return one byte more due to implied bcc[0].
+ * Allow it only when there is no data area; if data_length > 0
+ * the +1 gap indicates an overreported data length rather than
+ * the bcc[0] omission.
+ */
+ if (calc_len == len + 1 && !have_data)
return 0;
/*
@@ -409,14 +418,17 @@ smb2_get_data_area_len(int *off, int *le
/*
* Calculate the size of the SMB message based on the fixed header
* portion, the number of word parameters and the data portion of the message.
+ * If have_data is non-NULL, it is set to true when a non-empty data area was
+ * found (data_length > 0), allowing callers to distinguish the implied bcc[0]
+ * case (no data area) from an overreported data length.
*/
-unsigned int
-smb2_calc_size(void *buf)
+static unsigned int
+__smb2_calc_size(void *buf, bool *have_data)
{
struct smb2_pdu *pdu = buf;
struct smb2_hdr *shdr = &pdu->hdr;
int offset; /* the offset from the beginning of SMB to data area */
- int data_length; /* the length of the variable length data area */
+ int data_length = 0; /* the length of the variable length data area */
/* Structure Size has already been checked to make sure it is 64 */
int len = le16_to_cpu(shdr->StructureSize);
@@ -449,9 +461,17 @@ smb2_calc_size(void *buf)
}
calc_size_exit:
cifs_dbg(FYI, "SMB2 len %d\n", len);
+ if (have_data)
+ *have_data = (data_length > 0);
return len;
}
+unsigned int
+smb2_calc_size(void *buf)
+{
+ return __smb2_calc_size(buf, NULL);
+}
+
/* Note: caller must free return buffer */
__le16 *
cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 154/518] staging: vme_user: fix location monitor leak in fake bridge
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 153/518] smb: client: restrict implied bcc[0] exemption to responses without data area Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 155/518] staging: vme_user: fix location monitor leak in tsi148 bridge Greg Kroah-Hartman
` (367 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Martyn Welch, Hao-Qun Huang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao-Qun Huang <alvinhuang0603@gmail.com>
commit e8422d89e8af41d87f0e9db564be8e2634f4c602 upstream.
fake_init() allocates a location monitor resource and links it into
fake_bridge->lm_resources. The init error path frees this list, but
fake_exit() only frees the slave and master resource lists. Loading
and unloading the module therefore triggers a kmemleak warning:
unreferenced object 0xffff8b8b82aebe40 (size 64):
comm "init", pid 1, jiffies 4294894572
backtrace (crc c1e013ef):
kmemleak_alloc+0x4e/0x90
__kmalloc_cache_noprof+0x338/0x430
0xffffffffc0602246
do_one_initcall+0x4f/0x320
do_init_module+0x68/0x270
load_module+0x2a3b/0x2d90
Free the lm_resources list in fake_exit() as well, before fake_bridge
is freed.
Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Cc: stable <stable@kernel.org>
Cc: Martyn Welch <martyn@welchs.me.uk>
Assisted-by: Claude:claude-fable-5
Signed-off-by: Hao-Qun Huang <alvinhuang0603@gmail.com>
Link: https://patch.msgid.link/20260704065817.403111-1-alvinhuang0603@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/vme_user/vme_fake.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/staging/vme_user/vme_fake.c
+++ b/drivers/staging/vme_user/vme_fake.c
@@ -1239,6 +1239,7 @@ static void __exit fake_exit(void)
{
struct list_head *pos = NULL;
struct list_head *tmplist;
+ struct vme_lm_resource *lm;
struct vme_master_resource *master_image;
struct vme_slave_resource *slave_image;
int i;
@@ -1269,6 +1270,13 @@ static void __exit fake_exit(void)
fake_crcsr_exit(fake_bridge);
/* resources are stored in link list */
+ list_for_each_safe(pos, tmplist, &fake_bridge->lm_resources) {
+ lm = list_entry(pos, struct vme_lm_resource, list);
+ list_del(pos);
+ kfree(lm);
+ }
+
+ /* resources are stored in link list */
list_for_each_safe(pos, tmplist, &fake_bridge->slave_resources) {
slave_image = list_entry(pos, struct vme_slave_resource, list);
list_del(pos);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 155/518] staging: vme_user: fix location monitor leak in tsi148 bridge
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 154/518] staging: vme_user: fix location monitor leak in fake bridge Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 156/518] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Greg Kroah-Hartman
` (366 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Martyn Welch, Hao-Qun Huang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao-Qun Huang <alvinhuang0603@gmail.com>
commit 151edde741f8bc7f2931c5f44ab376d32b0c8beb upstream.
tsi148_probe() allocates a location monitor resource and links it into
tsi148_bridge->lm_resources. The probe error path frees this list, but
tsi148_remove() only frees the dma, slave and master resource lists, so
the location monitor resource is leaked on device unbind or module
unload.
Free the lm_resources list in tsi148_remove() as well, before
tsi148_bridge is freed.
Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
Cc: stable <stable@kernel.org>
Cc: Martyn Welch <martyn@welchs.me.uk>
Assisted-by: Claude:claude-fable-5
Signed-off-by: Hao-Qun Huang <alvinhuang0603@gmail.com>
Link: https://patch.msgid.link/20260704065817.403111-2-alvinhuang0603@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/vme_user/vme_tsi148.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/staging/vme_user/vme_tsi148.c
+++ b/drivers/staging/vme_user/vme_tsi148.c
@@ -2534,6 +2534,7 @@ static void tsi148_remove(struct pci_dev
{
struct list_head *pos = NULL;
struct list_head *tmplist;
+ struct vme_lm_resource *lm;
struct vme_master_resource *master_image;
struct vme_slave_resource *slave_image;
struct vme_dma_resource *dma_ctrlr;
@@ -2591,6 +2592,13 @@ static void tsi148_remove(struct pci_dev
tsi148_crcsr_exit(tsi148_bridge, pdev);
/* resources are stored in link list */
+ list_for_each_safe(pos, tmplist, &tsi148_bridge->lm_resources) {
+ lm = list_entry(pos, struct vme_lm_resource, list);
+ list_del(pos);
+ kfree(lm);
+ }
+
+ /* resources are stored in link list */
list_for_each_safe(pos, tmplist, &tsi148_bridge->dma_resources) {
dma_ctrlr = list_entry(pos, struct vme_dma_resource, list);
list_del(pos);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 156/518] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 155/518] staging: vme_user: fix location monitor leak in tsi148 bridge Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 157/518] staging: media: atomisp: reduce load_primary_binaries() stack usage Greg Kroah-Hartman
` (365 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Hans Verkuil
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit c32fe4c4918c9aa49f61359e3b42619c4d8686de upstream.
If the driver's stripe information is invalid it can result in an integer
underflow. Add a range check to avoid this kind of error.
This patch fixes the following smatch error:
drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe() warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit into 65535 'acc->stripe.bds_out_stripes[1]->offset'
Cc: stable@vger.kernel.org
Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/ipu3/ipu3-css-params.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/staging/media/ipu3/ipu3-css-params.c
+++ b/drivers/staging/media/ipu3/ipu3-css-params.c
@@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struc
acc->stripe.bds_out_stripes[0].width =
ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f);
} else {
+ u32 offset;
+
/* Image processing is divided into two stripes */
acc->stripe.bds_out_stripes[0].width =
acc->stripe.bds_out_stripes[1].width =
@@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struc
acc->stripe.bds_out_stripes[1].width += f;
}
/* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */
- acc->stripe.bds_out_stripes[1].offset =
- acc->stripe.bds_out_stripes[0].width - 2 * f;
+ offset = acc->stripe.bds_out_stripes[0].width - 2 * f;
+ if (offset > 65535)
+ return -EINVAL;
+ acc->stripe.bds_out_stripes[1].offset = offset;
}
acc->stripe.effective_stripes[0].height =
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 157/518] staging: media: atomisp: reduce load_primary_binaries() stack usage
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 156/518] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 158/518] staging: media: ipu7: fix double-free and use-after-free in error paths Greg Kroah-Hartman
` (364 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Andy Shevchenko,
Sakari Ailus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit f4d51e55dd47ef467fbe37d8575e20eee41b092d upstream.
The load_primary_binaries() function is overly complex and has som large
variables on the stack, which can cause warnings depending on CONFIG_FRAME_WARN
setting:
drivers/staging/media/atomisp/pci/sh_css.c: In function 'load_primary_binaries':
drivers/staging/media/atomisp/pci/sh_css.c:5260:1: error: the frame size of 1560 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
Half of the stack usage is for the prim_descr[] array, but only one
member of the array is used at any given time.
Reduce the stack usage by turning the array into a single structure.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/atomisp/pci/sh_css.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/staging/media/atomisp/pci/sh_css.c
+++ b/drivers/staging/media/atomisp/pci/sh_css.c
@@ -5020,7 +5020,6 @@ static int load_primary_binaries(
struct ia_css_capture_settings *mycs;
unsigned int i;
bool need_extra_yuv_scaler = false;
- struct ia_css_binary_descr prim_descr[MAX_NUM_PRIMARY_STAGES];
IA_CSS_ENTER_PRIVATE("");
assert(pipe);
@@ -5189,15 +5188,16 @@ static int load_primary_binaries(
/* Primary */
for (i = 0; i < mycs->num_primary_stage; i++) {
+ struct ia_css_binary_descr prim_descr;
struct ia_css_frame_info *local_vf_info = NULL;
if (pipe->enable_viewfinder[IA_CSS_PIPE_OUTPUT_STAGE_0] &&
(i == mycs->num_primary_stage - 1))
local_vf_info = &vf_info;
- ia_css_pipe_get_primary_binarydesc(pipe, &prim_descr[i],
+ ia_css_pipe_get_primary_binarydesc(pipe, &prim_descr,
&prim_in_info, &prim_out_info,
local_vf_info, i);
- err = ia_css_binary_find(&prim_descr[i], &mycs->primary_binary[i]);
+ err = ia_css_binary_find(&prim_descr, &mycs->primary_binary[i]);
if (err) {
IA_CSS_LEAVE_ERR_PRIVATE(err);
return err;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 158/518] staging: media: ipu7: fix double-free and use-after-free in error paths
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 157/518] staging: media: atomisp: reduce load_primary_binaries() stack usage Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 159/518] staging: rtl8723bs: dont drop short TX frames in _rtw_pktfile_read() Greg Kroah-Hartman
` (363 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Alexandru Hossu,
Sakari Ailus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit d3a9a8cf2d7fd61a2f63df61f6cbc0a9bb007cc0 upstream.
In both ipu7_isys_init() and ipu7_psys_init(), pdata is allocated and
then passed to ipu7_bus_initialize_device(), which stores it in
adev->pdata. The ipu7_bus_release() function frees adev->pdata when the
device's reference count drops to zero.
Two error paths incorrectly call kfree(pdata) after the device teardown
has already freed it:
1. When ipu7_mmu_init() fails: put_device() is called, which drops the
reference count to zero and triggers ipu7_bus_release() ->
kfree(pdata). The subsequent kfree(pdata) is a double-free.
2. When ipu7_bus_add_device() fails: it calls auxiliary_device_uninit()
internally, which calls put_device() -> ipu7_bus_release() ->
kfree(pdata). The subsequent kfree(pdata) is again a double-free.
Note that the kfree(pdata) when ipu7_bus_initialize_device() itself
fails is correct, because in that case auxiliary_device_init() failed
and the release function was never set up, so pdata must be freed
manually.
Additionally, the error code was not saved before calling put_device(),
causing ERR_CAST() to dereference the already-freed adev pointer when
constructing the return value. Fix this by saving the error from
dev_err_probe() before put_device() and returning ERR_PTR() instead.
Remove the redundant kfree(pdata) calls and fix the use-after-free in
the return values of the two affected error paths.
Fixes: b7fe4c0019b1 ("media: staging/ipu7: add Intel IPU7 PCI device driver")
Cc: stable@vger.kernel.org
Reviewed-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/ipu7/ipu7.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
--- a/drivers/staging/media/ipu7/ipu7.c
+++ b/drivers/staging/media/ipu7/ipu7.c
@@ -2169,21 +2169,18 @@ ipu7_isys_init(struct pci_dev *pdev, str
isys_adev->mmu = ipu7_mmu_init(dev, base, ISYS_MMID,
&ipdata->hw_variant);
if (IS_ERR(isys_adev->mmu)) {
- dev_err_probe(dev, PTR_ERR(isys_adev->mmu),
- "ipu7_mmu_init(isys_adev->mmu) failed\n");
+ ret = dev_err_probe(dev, PTR_ERR(isys_adev->mmu),
+ "ipu7_mmu_init(isys_adev->mmu) failed\n");
put_device(&isys_adev->auxdev.dev);
- kfree(pdata);
- return ERR_CAST(isys_adev->mmu);
+ return ERR_PTR(ret);
}
isys_adev->mmu->dev = &isys_adev->auxdev.dev;
isys_adev->subsys = IPU_IS;
ret = ipu7_bus_add_device(isys_adev);
- if (ret) {
- kfree(pdata);
+ if (ret)
return ERR_PTR(ret);
- }
return isys_adev;
}
@@ -2216,21 +2213,18 @@ ipu7_psys_init(struct pci_dev *pdev, str
psys_adev->mmu = ipu7_mmu_init(&pdev->dev, base, PSYS_MMID,
&ipdata->hw_variant);
if (IS_ERR(psys_adev->mmu)) {
- dev_err_probe(&pdev->dev, PTR_ERR(psys_adev->mmu),
- "ipu7_mmu_init(psys_adev->mmu) failed\n");
+ ret = dev_err_probe(&pdev->dev, PTR_ERR(psys_adev->mmu),
+ "ipu7_mmu_init(psys_adev->mmu) failed\n");
put_device(&psys_adev->auxdev.dev);
- kfree(pdata);
- return ERR_CAST(psys_adev->mmu);
+ return ERR_PTR(ret);
}
psys_adev->mmu->dev = &psys_adev->auxdev.dev;
psys_adev->subsys = IPU_PS;
ret = ipu7_bus_add_device(psys_adev);
- if (ret) {
- kfree(pdata);
+ if (ret)
return ERR_PTR(ret);
- }
return psys_adev;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 159/518] staging: rtl8723bs: dont drop short TX frames in _rtw_pktfile_read()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 158/518] staging: media: ipu7: fix double-free and use-after-free in error paths Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 160/518] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Greg Kroah-Hartman
` (362 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Christopher Mackle
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christopher Mackle <christophermackle01@gmail.com>
commit 252f8c681adc8614b70f844ba3de3a138c33a783 upstream.
Commit bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to
return error codes") changed _rtw_pktfile_read() to fail when the caller
asks for more bytes than remain in the packet:
if (rtw_remainder_len(pfile) < rlen)
return -EINVAL;
That breaks the assumption made by the data TX path. In
rtw_xmitframe_coalesce() (core/rtw_xmit.c) the per-fragment copy is
issued with the full fragment length, mpdu_len, which is derived from
pxmitpriv->frag_len (~2300 bytes), and the code relies on the historical
behaviour of copying only what is left and returning the number of bytes
actually copied:
mem_sz = _rtw_pktfile_read(&pktfile, pframe, mpdu_len);
if (mem_sz < 0)
return mem_sz;
So for every outbound packet smaller than the fragmentation threshold -
i.e. essentially all normal traffic, including the EAPOL frames of the
WPA 4-way handshake and DHCP - rlen is larger than the bytes remaining,
_rtw_pktfile_read() returns -EINVAL, rtw_xmitframe_coalesce() aborts, and
the frame is dropped before it is queued to the hardware. The driver
floods the log with:
rtl8723bs ...: xmit_xmitframes: coalesce failed with error -22
Management frames (authentication/association) use a different path and
still go out, so the interface scans and associates, but no data frame is
ever transmitted. The 4-way handshake therefore never completes and
wpa_supplicant misreports it as:
WPA: 4-Way Handshake failed - pre-shared key may be incorrect
AP mode is unaffected. The net effect is that the chip is unusable in
station mode on any kernel carrying the offending commit.
This was confirmed with a wpa_supplicant -dd trace on an RTL8723BS SDIO
adapter (Bay Trail): message 1/4 is received and the PTK is derived, but
each "Sending EAPOL-Key 2/4" coincides 1:1 with a "coalesce failed with
error -22", so message 2/4 never reaches the AP, which keeps retrying
message 1/4 until the handshake times out.
Restore the original semantics: clamp the requested length to the bytes
remaining in the packet and return that length. The skb_copy_bits()
error path is kept, so genuine copy failures are still propagated.
Fixes: bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to return error codes")
Cc: stable <stable@kernel.org>
Tested-by: Christopher Mackle <christophermackle01@gmail.com>
Signed-off-by: Christopher Mackle <christophermackle01@gmail.com>
Link: https://patch.msgid.link/20260620013916.7148-1-christophermackle01@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/os_dep/xmit_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/xmit_linux.c b/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
index d5bb1c7932fc..4260ed5f4e97 100644
--- a/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
@@ -24,9 +24,11 @@ void _rtw_open_pktfile(struct sk_buff *pktptr, struct pkt_file *pfile)
int _rtw_pktfile_read(struct pkt_file *pfile, u8 *rmem, unsigned int rlen)
{
int ret;
+ unsigned int remain = rtw_remainder_len(pfile);
- if (rtw_remainder_len(pfile) < rlen)
- return -EINVAL;
+ /* clamp to bytes remaining; the coalesce loop relies on short reads */
+ if (rlen > remain)
+ rlen = remain;
if (rmem) {
ret = skb_copy_bits(pfile->pkt, pfile->buf_len - pfile->pkt_len, rmem, rlen);
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 160/518] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 159/518] staging: rtl8723bs: dont drop short TX frames in _rtw_pktfile_read() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 161/518] staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth() Greg Kroah-Hartman
` (361 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Alexandru Hossu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit 5a752a616e756844388a1a45404db9fc29fec655 upstream.
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:
memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.
rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.
Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -1445,6 +1445,10 @@ static int rtw_cfg80211_set_wpa_ie(struc
pwpa = rtw_get_wpa_ie(buf, &wpa_ielen, ielen);
if (pwpa && wpa_ielen > 0) {
+ if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+ ret = -EINVAL;
+ goto exit;
+ }
if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPAPSK;
@@ -1454,6 +1458,10 @@ static int rtw_cfg80211_set_wpa_ie(struc
pwpa2 = rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen);
if (pwpa2 && wpa2_ielen > 0) {
+ if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+ ret = -EINVAL;
+ goto exit;
+ }
if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPA2PSK;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 161/518] staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 160/518] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 162/518] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Greg Kroah-Hartman
` (360 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alexandru Hossu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit a1fc19d61f661d47204f095b593de507884849f7 upstream.
OnAuth() has two bugs in the shared-key authentication path.
When the Privacy bit is set, rtw_wep_decrypt() is called without
verifying that the frame is long enough to contain a valid WEP IV and
ICV. Inside rtw_wep_decrypt(), length is computed as:
length = len - WLAN_HDR_A3_LEN - iv_len
and then passed as (length - 4) to crc32_le(). If len is less than
WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative
and, after the implicit cast to size_t, causes crc32_le() to read far
beyond the frame buffer. Add a minimum length check before accessing
the IV field and calling the decryption path.
When processing a seq=3 response, rtw_get_ie() stores the Challenge
Text IE length in ie_len, but the subsequent memcmp() always reads 128
bytes regardless of ie_len. IEEE 802.11 mandates a challenge text of
exactly 128 bytes; reject any IE whose length field differs, matching
the check already applied to OnAuthClient().
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -687,6 +687,9 @@ unsigned int OnAuth(struct adapter *pada
if ((pmlmeinfo->state&0x03) != WIFI_FW_AP_STATE)
return _FAIL;
+ if (len < WLAN_HDR_A3_LEN)
+ return _FAIL;
+
sa = GetAddr2Ptr(pframe);
auth_mode = psecuritypriv->dot11AuthAlgrthm;
@@ -698,6 +701,9 @@ unsigned int OnAuth(struct adapter *pada
prxattrib->hdrlen = WLAN_HDR_A3_LEN;
prxattrib->encrypt = _WEP40_;
+ if (len < WLAN_HDR_A3_LEN + 8)
+ return _FAIL;
+
iv = pframe+prxattrib->hdrlen;
prxattrib->key_index = ((iv[3]>>6)&0x3);
@@ -802,7 +808,7 @@ unsigned int OnAuth(struct adapter *pada
p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + 4 + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&ie_len,
len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4);
- if (!p || ie_len <= 0) {
+ if (!p || ie_len != 128) {
status = WLAN_STATUS_CHALLENGE_FAIL;
goto auth_fail;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 162/518] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 161/518] staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 163/518] staging: rtl8723bs: fix OOB read in update_beacon_info() " Greg Kroah-Hartman
` (359 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alexandru Hossu, Luka Gejak
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit f9654207e92283e0acac5d64fe5f8835383b5a23 upstream.
The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
iteration but only guards on i < pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame
(the element_id byte lands at pkt_len-1), the loop reads pIE->length
from pframe[pkt_len], which is one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond pkt_len, silently passing a
truncated IE to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past pkt_len.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Link: https://patch.msgid.link/20260522004531.1038924-6-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1406,7 +1406,11 @@ unsigned int OnAssocRsp(struct adapter *
/* to handle HT, WMM, rate adaptive, update MAC reg */
/* for not to handle the synchronous IO in the tasklet */
for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
+ if (i + sizeof(*pIE) > pkt_len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + i);
+ if (i + sizeof(*pIE) + pIE->length > pkt_len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 163/518] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 162/518] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 164/518] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Greg Kroah-Hartman
` (358 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Alexandru Hossu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit ed51de4a86e173c3b0ef78e039c2e49e08b11f16 upstream.
The IE parsing loop in update_beacon_info() advances by
(pIE->length + 2) each iteration but only guards on i < len.
When a malicious AP sends a Beacon whose last IE has only one byte
remaining in the frame (the element_id byte lands at len-1), the loop
reads pIE->length from one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond len, passing a truncated IE
to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.
Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards added above.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *
len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
for (i = 0; i < len;) {
+ if (i + sizeof(*pIE) > len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i);
+ if (i + sizeof(*pIE) + pIE->length > len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *
break;
}
- i += (pIE->length + 2);
+ i += sizeof(*pIE) + pIE->length;
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 164/518] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 163/518] staging: rtl8723bs: fix OOB read in update_beacon_info() " Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 165/518] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop Greg Kroah-Hartman
` (357 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Alexandru Hossu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit ef61d628dfad38fead1fd2e08979ae9126d011d5 upstream.
Two IE parsing loops are missing the header bounds checks before they
dereference pIE->length:
- issue_assocreq() walks pmlmeinfo->network.ies to build the
association request. If the stored IE data ends with only an
element_id byte and no length byte, pIE->length is read one byte
past the end of the buffer.
- join_cmd_hdl() walks pnetwork->ies during station join and has
the same problem under the same conditions.
Both buffers are filled from AP beacon and probe-response frames, so a
malicious AP that sends a truncated final IE can trigger the issue.
Apply the two-guard pattern established in update_beacon_info():
1. Break if fewer than sizeof(*pIE) bytes remain.
2. Break if the IE's declared data extends past the buffer end.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-3-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2935,7 +2935,11 @@ void issue_assocreq(struct adapter *pada
/* vendor specific IE, such as WPA, WMM, WPS */
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
+ if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
+ break;
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
@@ -5328,7 +5332,11 @@ u8 join_cmd_hdl(struct adapter *padapter
/* sizeof(struct ndis_802_11_fix_ie) */
for (i = _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) {
+ if (i + sizeof(*pIE) > pnetwork->ie_length)
+ break;
pIE = (struct ndis_80211_var_ie *)(pnetwork->ies + i);
+ if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 165/518] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 164/518] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 166/518] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Greg Kroah-Hartman
` (356 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alexandru Hossu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit 3bf39f711ff27c64be8680a8938bcc5001982e81 upstream.
The loop in is_ap_in_tkip() iterates over IEs without verifying that
enough bytes remain before dereferencing the IE header or its payload:
- pIE->element_id and pIE->length are read without checking that
i + sizeof(*pIE) <= ie_length, so a truncated IE at the end of the
buffer causes an OOB read.
- For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12,
which requires pIE->length >= 16. For WLAN_EID_RSN it compares
pIE->data + 8, requiring pIE->length >= 12. Neither requirement
is checked.
Add the missing IE header and payload bounds checks and guard each
data access with an explicit pIE->length minimum, matching the
pattern established in update_beacon_info().
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-7-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1334,15 +1334,23 @@ unsigned int is_ap_in_tkip(struct adapte
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
+ break;
+ if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
+ break;
+
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
- if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) && (!memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4)))
+ if (pIE->length >= 16 &&
+ !memcmp(pIE->data, RTW_WPA_OUI, 4) &&
+ !memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4))
return true;
break;
case WLAN_EID_RSN:
- if (!memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
+ if (pIE->length >= 12 &&
+ !memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
return true;
break;
@@ -1350,7 +1358,7 @@ unsigned int is_ap_in_tkip(struct adapte
break;
}
- i += (pIE->length + 2);
+ i += sizeof(*pIE) + pIE->length;
}
return false;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 166/518] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 165/518] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 167/518] staging: rtl8723bs: fix OOB write in HT_caps_handler() Greg Kroah-Hartman
` (355 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alexandru Hossu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit 1463ca3ec6601cbb097d8d87dbf5dcf1cb86a344 upstream.
Three IE/attribute parsing functions have missing bounds checks.
rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer
without verifying that the header bytes (tag + length) are within the
remaining buffer before reading them. Additionally, rtw_get_sec_ie()
compares the 4-byte WPA OUI at cnt+2 without checking that at least
6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at
cnt+6 without checking that at least 10 bytes remain.
rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at
entry, before verifying that wps_ielen is large enough to contain
the 6-byte WPS IE header (element_id + length + 4-byte OUI). Inside
the attribute loop, get_unaligned_be16() is called on attr_ptr and
attr_ptr+2 without checking that 4 bytes remain in the buffer.
Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie()
and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum
IE length requirement, add a wps_ielen < 6 early return in
rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-8-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -583,9 +583,14 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_l
cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_);
while (cnt < in_len) {
+ if (cnt + 2 > in_len)
+ break;
+ if (cnt + 2 + in_ie[cnt + 1] > in_len)
+ break;
authmode = in_ie[cnt];
if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY &&
+ in_ie[cnt + 1] >= 8 &&
(!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) ||
!memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) {
if (wapi_ie)
@@ -616,9 +621,14 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_l
cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_);
while (cnt < in_len) {
+ if (cnt + 2 > in_len)
+ break;
+ if (cnt + 2 + in_ie[cnt + 1] > in_len)
+ break;
authmode = in_ie[cnt];
if ((authmode == WLAN_EID_VENDOR_SPECIFIC) &&
+ in_ie[cnt + 1] >= 4 &&
(!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) {
if (wpa_ie)
memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2);
@@ -699,6 +709,9 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wp
if (len_attr)
*len_attr = 0;
+ if (wps_ielen < 6)
+ return attr_ptr;
+
if ((wps_ie[0] != WLAN_EID_VENDOR_SPECIFIC) ||
(memcmp(wps_ie + 2, wps_oui, 4))) {
return attr_ptr;
@@ -709,6 +722,8 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wp
while (attr_ptr - wps_ie < wps_ielen) {
/* 4 = 2(Attribute ID) + 2(Length) */
+ if (attr_ptr + 4 > wps_ie + wps_ielen)
+ break;
u16 attr_id = get_unaligned_be16(attr_ptr);
u16 attr_data_len = get_unaligned_be16(attr_ptr + 2);
u16 attr_len = attr_data_len + 4;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 167/518] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 166/518] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 168/518] crypto: amlogic - avoid double cleanup in meson_crypto_probe() Greg Kroah-Hartman
` (354 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alexandru Hossu, Luka Gejak
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Hossu <hossu.alexandru@gmail.com>
commit f8001e1a516ba3b495728c65b61f799cbfad6bd0 upstream.
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can
set it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
Truncate the iteration count to the size of HT_caps.u.HT_cap using
umin() so that data from a longer-than-expected IE is silently ignored
rather than written out of bounds, preserving interoperability with APs
that pad the element. An early return on oversized IEs was considered
but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1
assignment that precedes the loop, silently disabling HT mode for APs
that append extra bytes to the HT Capabilities IE.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Link: https://patch.msgid.link/20260522004531.1038924-5-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -936,7 +936,8 @@ void HT_caps_handler(struct adapter *pad
pmlmeinfo->HT_caps_enable = 1;
- for (i = 0; i < (pIE->length); i++) {
+ for (i = 0; i < umin(pIE->length,
+ sizeof(pmlmeinfo->HT_caps.u.HT_cap)); i++) {
if (i != 2) {
/* Commented by Albert 2010/07/12 */
/* Got the endian issue here. */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 168/518] crypto: amlogic - avoid double cleanup in meson_crypto_probe()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 167/518] staging: rtl8723bs: fix OOB write in HT_caps_handler() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 169/518] crypto: krb5 - filter out async aead implementations at alloc Greg Kroah-Hartman
` (353 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 6d827ade51a24e18d81afb9f32756d339520a14c upstream.
When meson_allocate_chanlist() fails after a partial allocation, it already
unwinds the allocated chanlist state through its local error path.
meson_crypto_probe() then jump to error_flow and calls
meson_free_chanlist() again, causing the same per-flow resources to be torn
down twice. In the reproduced failure path, the second teardown
re-entered crypto_engine_exit() on an already destroyed worker and KASAN
reported a slab-use-after-free in kthread_destroy_worker().
Prevent double-free by handling partial allocation failures locally within
meson_allocate_chanlist() and skipping the outer cleanup path.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available.
The bug was reproduced in a QEMU x86_64 guest booted with KASAN on v7.1,
using the reproducer under tools/testing/meson_crypto_probe. The reproducer
forces the second dma_alloc_attrs() call in the gxl-crypto probe path to
return NULL, making meson_allocate_chanlist() fail after partial
initialization. On the unpatched kernel this reliably triggered a
slab-use-after-free. With this fix applied, the same reproducer no longer
emits any KASAN report and the probe fails cleanly with -ENOMEM.
==================================================================
BUG: KASAN: slab-use-after-free in kthread_destroy_worker+0xb2/0xd0
Read of size 8 at addr ff1100010c057a68 by task insmod/265
CPU: 1 UID: 0 PID: 265 Comm: insmod Tainted: G O 7.1.0-rc2-00376-g810af9adc907-dirty #10 PREEMPT(lazy)
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xa0
print_report+0xcb/0x5e0
? __virt_addr_valid+0x21d/0x3f0
? kthread_destroy_worker+0xb2/0xd0
? kthread_destroy_worker+0xb2/0xd0
kasan_report+0xca/0x100
? kthread_destroy_worker+0xb2/0xd0
kthread_destroy_worker+0xb2/0xd0
meson_crypto_probe+0x4d0/0xc10 [amlogic_gxl_crypto]
platform_probe+0x99/0x140
really_probe+0x1c6/0x6a0
? __pfx___device_attach_driver+0x10/0x10
__driver_probe_device+0x248/0x310
? acpi_driver_match_device+0xb0/0x100
driver_probe_device+0x48/0x210
? __pfx___device_attach_driver+0x10/0x10
__device_attach_driver+0x160/0x320
bus_for_each_drv+0x104/0x190
? __pfx_bus_for_each_drv+0x10/0x10
? _raw_spin_unlock_irqrestore+0x2c/0x50
__device_attach+0x19d/0x3b0
? __pfx___device_attach+0x10/0x10
? do_raw_spin_unlock+0x53/0x220
device_initial_probe+0x78/0xa0
bus_probe_device+0x5b/0x130
device_add+0xcfd/0x1430
? __pfx_device_add+0x10/0x10
? insert_resource+0x34/0x50
? lock_release+0xc9/0x290
platform_device_add+0x24e/0x590
? __pfx_meson_crypto_probe_repro_init+0x10/0x10 [meson_crypto_probe_repro]
meson_crypto_probe_repro_init+0x330/0xff0 [meson_crypto_probe_repro]
do_one_initcall+0xc0/0x450
? __pfx_do_one_initcall+0x10/0x10
? _raw_spin_unlock_irqrestore+0x2c/0x50
? __create_object+0x59/0x80
? kasan_unpoison+0x27/0x60
do_init_module+0x27b/0x7d0
? __pfx_do_init_module+0x10/0x10
? kasan_quarantine_put+0x84/0x1d0
? kfree+0x32c/0x510
? load_module+0x561e/0x5ff0
load_module+0x54fe/0x5ff0
? __pfx_load_module+0x10/0x10
? security_file_permission+0x20/0x40
? kernel_read_file+0x23d/0x6e0
? mmap_region+0x235/0x4a0
? __pfx_kernel_read_file+0x10/0x10
? __file_has_perm+0x2c0/0x3e0
init_module_from_file+0x158/0x180
? __pfx_init_module_from_file+0x10/0x10
? __lock_acquire+0x45a/0x1ba0
? idempotent_init_module+0x315/0x610
? lock_release+0xc9/0x290
? lockdep_init_map_type+0x4b/0x220
? do_raw_spin_unlock+0x53/0x220
idempotent_init_module+0x330/0x610
? __pfx_idempotent_init_module+0x10/0x10
? __pfx_cred_has_capability.isra.0+0x10/0x10
? ksys_mmap_pgoff+0x385/0x520
__x64_sys_finit_module+0xbe/0x120
do_syscall_64+0x115/0x690
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7d6d31690d
Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 b4 0f 00 f7 d8 >
RSP: 002b:00007fffc027ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055f7b81967c0 RCX: 00007f7d6d31690d
RDX: 0000000000000000 RSI: 000055f79a0d6cd2 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 000055f79a0d6cd2
R13: 000055f7b8196790 R14: 000055f79a0d5888 R15: 000055f7b81968e0
</TASK>
Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/amlogic/amlogic-gxl-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/amlogic/amlogic-gxl-core.c
+++ b/drivers/crypto/amlogic/amlogic-gxl-core.c
@@ -291,8 +291,8 @@ static int meson_crypto_probe(struct pla
return 0;
error_alg:
meson_unregister_algs(mc);
-error_flow:
meson_free_chanlist(mc, MAXFLOW - 1);
+error_flow:
clk_disable_unprepare(mc->busclk);
return err;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 169/518] crypto: krb5 - filter out async aead implementations at alloc
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 168/518] crypto: amlogic - avoid double cleanup in meson_crypto_probe() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 170/518] crypto: qat - fix VF2PF work teardown race in adf_disable_sriov() Greg Kroah-Hartman
` (352 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Michael Bommarito
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 6c9dddeb582fde005360f4fe02c760d45ca05fb5 upstream.
krb5_aead_encrypt(), krb5_aead_decrypt() in rfc3961_simplified.c and
rfc8009_encrypt(), rfc8009_decrypt() in rfc8009_aes2.c set a NULL
completion callback and treat any negative return from
crypto_aead_{encrypt,decrypt}() as terminal, falling through to
kfree_sensitive(buffer). When the encrypt_name resolves to an
async AEAD instance the request returns -EINPROGRESS, the buffer
is freed while the backend's worker still holds a pointer, and the
worker dereferences the freed slab on completion.
KASAN report under UML+SLUB with a synthetic async aead backend
bound to krb5->encrypt_name:
BUG: KASAN: slab-use-after-free in t5_stub_complete+0x7d/0xc7
The helpers were written synchronously, so filter the async
instances out at allocation time instead of plumbing
crypto_wait_req() through every call site.
Reachable via net/rxrpc/rxgk.c, fs/afs/cm_security.c and
net/ceph/crypto.c on systems with an async AEAD provider bound to
the krb5 enctype name.
Fixes: 00244da40f78 ("crypto/krb5: Implement the Kerberos5 rfc3961 encrypt and decrypt functions")
Fixes: 6c3c0e86c2ac ("crypto/krb5: Implement the AES enctypes from rfc8009")
Cc: stable@vger.kernel.org
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/krb5/krb5_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/crypto/krb5/krb5_api.c
+++ b/crypto/krb5/krb5_api.c
@@ -207,7 +207,7 @@ struct crypto_aead *krb5_prepare_encrypt
struct crypto_aead *ci = NULL;
int ret = -ENOMEM;
- ci = crypto_alloc_aead(krb5->encrypt_name, 0, 0);
+ ci = crypto_alloc_aead(krb5->encrypt_name, 0, CRYPTO_ALG_ASYNC);
if (IS_ERR(ci)) {
ret = PTR_ERR(ci);
if (ret == -ENOENT)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 170/518] crypto: qat - fix VF2PF work teardown race in adf_disable_sriov()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 169/518] crypto: krb5 - filter out async aead implementations at alloc Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 171/518] ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL Greg Kroah-Hartman
` (351 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu, Ahsan Atta,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
commit 277281c10c63791067d24d421f7c43a15faa9096 upstream.
The VF2PF interrupt handler queues PF-side response work that stores a
raw pointer to per-VF state (struct adf_accel_vf_info). Currently,
adf_disable_sriov() destroys per-VF mutexes and frees vf_info without
stopping new VF2PF work or waiting for in-flight workers to complete. A
concurrently scheduled or already queued worker can then dereference
freed memory.
This manifests as a use-after-free when KASAN is enabled:
BUG: KASAN: null-ptr-deref in mutex_lock+0x76/0xe0
Write of size 8 at addr 0000000000000260 by task kworker/24:2/...
Workqueue: qat_pf2vf_resp_wq adf_iov_send_resp [intel_qat]
Call Trace:
kasan_report+0x119/0x140
mutex_lock+0x76/0xe0
adf_gen4_pfvf_send+0xd4/0x1f0 [intel_qat]
adf_recv_and_handle_vf2pf_msg+0x290/0x360 [intel_qat]
adf_iov_send_resp+0x8c/0xe0 [intel_qat]
process_one_work+0x6ac/0xfd0
worker_thread+0x4dd/0xd30
kthread+0x326/0x410
ret_from_fork+0x33b/0x670
Add a PF-local flag, vf2pf_disabled, that gates work queueing, worker
processing, and interrupt re-enabling during teardown. Set this flag
atomically with the hardware interrupt mask inside
adf_disable_all_vf2pf_interrupts(). After masking, synchronize the AE
cluster MSI-X interrupt and flush the PF response workqueue before
tearing down per-VF locks and state so all in-flight work completes
before vf_info is destroyed.
Introduce adf_enable_all_vf2pf_interrupts() to clear the flag and
unmask all VF2PF interrupts under the same lock when SR-IOV is
re-enabled. This ensures the software flag and hardware state transition
atomically on both the enable and disable paths.
Cc: stable@vger.kernel.org
Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_accel_devices.h | 2
drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 2
drivers/crypto/intel/qat/qat_common/adf_isr.c | 39 ++++++++++++++++
drivers/crypto/intel/qat/qat_common/adf_sriov.c | 20 +++++++-
4 files changed, 61 insertions(+), 2 deletions(-)
--- a/drivers/crypto/intel/qat/qat_common/adf_accel_devices.h
+++ b/drivers/crypto/intel/qat/qat_common/adf_accel_devices.h
@@ -475,6 +475,8 @@ struct adf_accel_dev {
struct {
/* protects VF2PF interrupts access */
spinlock_t vf2pf_ints_lock;
+ /* prevents VF2PF handling from racing with VF state teardown */
+ bool vf2pf_disabled;
/* vf_info is non-zero when SR-IOV is init'ed */
struct adf_accel_vf_info *vf_info;
} pf;
--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
+++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
@@ -118,6 +118,7 @@ void qat_comp_alg_callback(void *resp);
int adf_isr_resource_alloc(struct adf_accel_dev *accel_dev);
void adf_isr_resource_free(struct adf_accel_dev *accel_dev);
+void adf_isr_sync_ae_cluster(struct adf_accel_dev *accel_dev);
int adf_vf_isr_resource_alloc(struct adf_accel_dev *accel_dev);
void adf_vf_isr_resource_free(struct adf_accel_dev *accel_dev);
@@ -191,6 +192,7 @@ int adf_sriov_configure(struct pci_dev *
void adf_disable_sriov(struct adf_accel_dev *accel_dev);
void adf_reenable_sriov(struct adf_accel_dev *accel_dev);
void adf_enable_vf2pf_interrupts(struct adf_accel_dev *accel_dev, u32 vf_mask);
+void adf_enable_all_vf2pf_interrupts(struct adf_accel_dev *accel_dev, u32 num_vfs);
void adf_disable_all_vf2pf_interrupts(struct adf_accel_dev *accel_dev);
bool adf_recv_and_handle_pf2vf_msg(struct adf_accel_dev *accel_dev);
bool adf_recv_and_handle_vf2pf_msg(struct adf_accel_dev *accel_dev, u32 vf_nr);
--- a/drivers/crypto/intel/qat/qat_common/adf_isr.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_isr.c
@@ -62,6 +62,23 @@ void adf_enable_vf2pf_interrupts(struct
unsigned long flags;
spin_lock_irqsave(&accel_dev->pf.vf2pf_ints_lock, flags);
+ if (!READ_ONCE(accel_dev->pf.vf2pf_disabled))
+ GET_PFVF_OPS(accel_dev)->enable_vf2pf_interrupts(pmisc_addr, vf_mask);
+ spin_unlock_irqrestore(&accel_dev->pf.vf2pf_ints_lock, flags);
+}
+
+void adf_enable_all_vf2pf_interrupts(struct adf_accel_dev *accel_dev, u32 num_vfs)
+{
+ void __iomem *pmisc_addr = adf_get_pmisc_base(accel_dev);
+ unsigned long flags;
+ u32 vf_mask;
+
+ vf_mask = BIT_ULL(num_vfs) - 1;
+ if (!vf_mask)
+ return;
+
+ spin_lock_irqsave(&accel_dev->pf.vf2pf_ints_lock, flags);
+ WRITE_ONCE(accel_dev->pf.vf2pf_disabled, false);
GET_PFVF_OPS(accel_dev)->enable_vf2pf_interrupts(pmisc_addr, vf_mask);
spin_unlock_irqrestore(&accel_dev->pf.vf2pf_ints_lock, flags);
}
@@ -72,6 +89,7 @@ void adf_disable_all_vf2pf_interrupts(st
unsigned long flags;
spin_lock_irqsave(&accel_dev->pf.vf2pf_ints_lock, flags);
+ WRITE_ONCE(accel_dev->pf.vf2pf_disabled, true);
GET_PFVF_OPS(accel_dev)->disable_all_vf2pf_interrupts(pmisc_addr);
spin_unlock_irqrestore(&accel_dev->pf.vf2pf_ints_lock, flags);
}
@@ -174,6 +192,27 @@ static irqreturn_t adf_msix_isr_ae(int i
return IRQ_NONE;
}
+void adf_isr_sync_ae_cluster(struct adf_accel_dev *accel_dev)
+{
+ struct adf_accel_pci *pci_dev_info = &accel_dev->accel_pci_dev;
+ struct adf_hw_device_data *hw_data = GET_HW_DATA(accel_dev);
+ u32 num_entries = pci_dev_info->msix_entries.num_entries;
+ struct adf_irq *irqs = pci_dev_info->msix_entries.irqs;
+ u32 irq_idx;
+ int irq;
+
+ if (!test_bit(ADF_STATUS_IRQ_ALLOCATED, &accel_dev->status) || !irqs)
+ return;
+
+ irq_idx = num_entries > 1 ? hw_data->num_banks : 0;
+ if (irq_idx >= num_entries || !irqs[irq_idx].enabled)
+ return;
+
+ irq = pci_irq_vector(pci_dev_info->pci_dev, hw_data->num_banks);
+ if (irq > 0)
+ synchronize_irq(irq);
+}
+
static void adf_free_irqs(struct adf_accel_dev *accel_dev)
{
struct adf_accel_pci *pci_dev_info = &accel_dev->accel_pci_dev;
--- a/drivers/crypto/intel/qat/qat_common/adf_sriov.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_sriov.c
@@ -26,6 +26,9 @@ static void adf_iov_send_resp(struct wor
u32 vf_nr = vf_info->vf_nr;
bool ret;
+ if (READ_ONCE(accel_dev->pf.vf2pf_disabled))
+ goto out;
+
mutex_lock(&vf_info->pfvf_mig_lock);
ret = adf_recv_and_handle_vf2pf_msg(accel_dev, vf_nr);
if (ret)
@@ -33,13 +36,18 @@ static void adf_iov_send_resp(struct wor
adf_enable_vf2pf_interrupts(accel_dev, 1 << vf_nr);
mutex_unlock(&vf_info->pfvf_mig_lock);
+out:
kfree(pf2vf_resp);
}
void adf_schedule_vf2pf_handler(struct adf_accel_vf_info *vf_info)
{
+ struct adf_accel_dev *accel_dev = vf_info->accel_dev;
struct adf_pf2vf_resp *pf2vf_resp;
+ if (READ_ONCE(accel_dev->pf.vf2pf_disabled))
+ return;
+
pf2vf_resp = kzalloc_obj(*pf2vf_resp, GFP_ATOMIC);
if (!pf2vf_resp)
return;
@@ -49,6 +57,12 @@ void adf_schedule_vf2pf_handler(struct a
queue_work(pf2vf_resp_wq, &pf2vf_resp->pf2vf_resp_work);
}
+static void adf_flush_pf2vf_resp_wq(void)
+{
+ if (pf2vf_resp_wq)
+ flush_workqueue(pf2vf_resp_wq);
+}
+
static int adf_enable_sriov(struct adf_accel_dev *accel_dev)
{
struct pci_dev *pdev = accel_to_pci_dev(accel_dev);
@@ -75,7 +89,7 @@ static int adf_enable_sriov(struct adf_a
hw_data->configure_iov_threads(accel_dev, true);
/* Enable VF to PF interrupts for all VFs */
- adf_enable_vf2pf_interrupts(accel_dev, BIT_ULL(totalvfs) - 1);
+ adf_enable_all_vf2pf_interrupts(accel_dev, totalvfs);
/*
* Due to the hardware design, when SR-IOV and the ring arbiter
@@ -248,8 +262,10 @@ void adf_disable_sriov(struct adf_accel_
adf_pf2vf_wait_for_restarting_complete(accel_dev);
pci_disable_sriov(accel_to_pci_dev(accel_dev));
- /* Disable VF to PF interrupts */
+ /* Block VF2PF work and disable VF to PF interrupts */
adf_disable_all_vf2pf_interrupts(accel_dev);
+ adf_isr_sync_ae_cluster(accel_dev);
+ adf_flush_pf2vf_resp_wq();
/* Clear Valid bits in AE Thread to PCIe Function Mapping */
if (hw_data->configure_iov_threads)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 171/518] ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 170/518] crypto: qat - fix VF2PF work teardown race in adf_disable_sriov() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 172/518] net: af_key: initialize alg_key_len for IPComp states Greg Kroah-Hartman
` (350 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 10f293a07f9e10e988b0ae44e2e99c631f5a68e0 upstream.
Commit f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on
double SMB2_CANCEL") made smb2_cancel() skip a work whose state is
KSMBD_WORK_CANCELLED, so its cancel_fn cannot be fired a second time. But
KSMBD_WORK has three states (ACTIVE, CANCELLED, CLOSED), and the same
freeing producer path is reached for CLOSED too:
SMB2_CLOSE on the locking handle -> set_close_state_blocked_works() sets
the deferred work's state to KSMBD_WORK_CLOSED and wakes the smb2_lock()
worker. The worker takes the non-ACTIVE early-exit, locks_free_lock()s
the file_lock and, because the state is not KSMBD_WORK_CANCELLED, takes
the STATUS_RANGE_NOT_LOCKED branch with "goto out2" -- which, like the
cancelled branch, skips release_async_work(). The work stays on
conn->async_requests with a live cancel_fn = smb2_remove_blocked_lock
pointing at the freed file_lock.
A subsequent SMB2_CANCEL for the same AsyncId then passes the
KSMBD_WORK_CANCELLED-only guard (its state is KSMBD_WORK_CLOSED), so
smb2_cancel() fires cancel_fn again over the freed file_lock -- the same
use-after-free fixed, via SMB2_CLOSE instead of a first SMB2_CANCEL:
BUG: KASAN: slab-use-after-free in __locks_delete_block
__locks_delete_block
locks_delete_block
ksmbd_vfs_posix_lock_unblock
smb2_remove_blocked_lock
smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn
handle_ksmbd_work
Allocated by ...: locks_alloc_lock <- smb2_lock
Freed by ...: locks_free_lock <- smb2_lock (non-ACTIVE early-exit)
... cache file_lock_cache of size 192
Reproduced on mainline 7.1-rc7 (which already contains f580d27e8928) with
KASAN by an authenticated SMB client; the double-SMB2_CANCEL control is
silent on that kernel, so the splat is attributable to the CLOSE trigger.
Only an ACTIVE deferred work may have its cancel_fn fired: both terminal
states (CANCELLED and CLOSED) reach the smb2_lock() early-exit that frees
the file_lock and skips release_async_work(). Guard on KSMBD_WORK_ACTIVE
so any non-active work is skipped.
Fixes: f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7328,14 +7328,14 @@ int smb2_cancel(struct ksmbd_work *work)
continue;
/*
- * A cancelled deferred byte-range lock frees its
- * file_lock and takes the smb2_lock() early-exit that
- * skips release_async_work(), so the work stays on
- * conn->async_requests with a live cancel_fn pointing
- * at the freed file_lock. Re-firing it on a second
- * SMB2_CANCEL is a use-after-free.
+ * Only an ACTIVE deferred work may have its cancel_fn
+ * fired. A CANCELLED or CLOSED work already took the
+ * smb2_lock() non-ACTIVE early-exit that frees the
+ * file_lock and skips release_async_work(), so it is
+ * still on conn->async_requests with a live cancel_fn
+ * pointing at the freed file_lock.
*/
- if (iter->state == KSMBD_WORK_CANCELLED)
+ if (iter->state != KSMBD_WORK_ACTIVE)
break;
ksmbd_debug(SMB,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 172/518] net: af_key: initialize alg_key_len for IPComp states
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 171/518] ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 173/518] audit: Fix data races of skb_queue_len() readers on audit_queue Greg Kroah-Hartman
` (349 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijing Yin, Sabrina Dubroca,
Steffen Klassert
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijing Yin <yzjaurora@gmail.com>
commit d129c3177d7b1138fd5066fcc63a698b3ba415b0 upstream.
pfkey_msg2xfrm_state() handles the IPComp (SADB_X_SATYPE_IPCOMP) case by
allocating x->calg and copying only the algorithm name:
x->calg = kmalloc_obj(*x->calg);
if (!x->calg) {
err = -ENOMEM;
goto out;
}
strcpy(x->calg->alg_name, a->name);
x->props.calgo = sa->sadb_sa_encrypt;
Unlike the authentication (x->aalg) and encryption (x->ealg) branches of
the same function, the compression branch never initializes
calg->alg_key_len. IPComp carries no key and the allocation only
reserves sizeof(struct xfrm_algo) (i.e. no room for a key), so the field
is left containing uninitialized slab data.
calg->alg_key_len is later used as a length by xfrm_algo_clone() when an
IPComp state is cloned during XFRM_MSG_MIGRATE:
xfrm_state_migrate()
xfrm_state_clone_and_setup()
x->calg = xfrm_algo_clone(orig->calg);
kmemdup(orig, xfrm_alg_len(orig));
where xfrm_alg_len() returns sizeof(*alg) + (alg_key_len + 7) / 8. With
a non-zero garbage alg_key_len, kmemdup() reads past the end of the
68-byte calg object. Adding an IPComp SA via PF_KEY and then migrating
it triggers (net-next, KASAN, init_on_alloc=0):
BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x44/0x60
Read of size 4164 at addr ff11000025a74980 by task diag2/9287
CPU: 3 UID: 0 PID: 9287 Comm: diag2 7.1.0-rc6-g903db046d557 #1
Call Trace:
<TASK>
dump_stack_lvl+0x10e/0x1f0
print_report+0xf7/0x600
kasan_report+0xe4/0x120
kasan_check_range+0x105/0x1b0
__asan_memcpy+0x23/0x60
kmemdup_noprof+0x44/0x60
xfrm_state_migrate+0x70a/0x1da0
xfrm_migrate+0x753/0x18a0
xfrm_do_migrate+0xb47/0xf10
xfrm_user_rcv_msg+0x411/0xb50
netlink_rcv_skb+0x158/0x420
xfrm_netlink_rcv+0x71/0x90
netlink_unicast+0x584/0x850
netlink_sendmsg+0x8b0/0xdc0
____sys_sendmsg+0x9f7/0xb90
___sys_sendmsg+0x134/0x1d0
__sys_sendmsg+0x16d/0x220
do_syscall_64+0x116/0x7d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 9287:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
pfkey_add+0x2652/0x2ea0
pfkey_process+0x6d0/0x830
pfkey_sendmsg+0x42c/0x850
__sys_sendto+0x461/0x4b0
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x116/0x7d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ff11000025a74980
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
allocated 68-byte region [ff11000025a74980, ff11000025a749c4)
Depending on the uninitialized value the same field can instead request
an oversized kmemdup() allocation and make the migration clone fail.
The XFRM netlink path is not affected: verify_one_alg() rejects an
XFRMA_ALG_COMP attribute shorter than xfrm_alg_len(), so a calg added via
XFRM_MSG_NEWSA is always self-consistent.
Initialize calg->alg_key_len to 0, matching the aalg/ealg branches.
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/key/af_key.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1218,6 +1218,7 @@ static struct xfrm_state * pfkey_msg2xfr
goto out;
}
strcpy(x->calg->alg_name, a->name);
+ x->calg->alg_key_len = 0;
x->props.calgo = sa->sadb_sa_encrypt;
} else {
int keysize = 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 173/518] audit: Fix data races of skb_queue_len() readers on audit_queue
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 172/518] net: af_key: initialize alg_key_len for IPComp states Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 174/518] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref Greg Kroah-Hartman
` (348 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chi Wang, Ricardo Robaina,
Paul Moore
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chi Wang <wangchi@kylinos.cn>
commit c9a71daaecb2fb1d8c704545cc0b1c920b9bf5d7 upstream.
Multiple readers access audit_queue.qlen via skb_queue_len() without
holding the queue lock or using READ_ONCE(), while kauditd writes to
this field via the skb_dequeue() → __skb_unlink() path with WRITE_ONCE()
protected by a spinlock. This constitutes data races.
All affected skb_queue_len(&audit_queue) call sites:
- kauditd_thread() wait_event_freezable() condition
- audit_receive_msg() AUDIT_GET handler (s.backlog assignment)
- audit_receive() backlog check
- audit_log_start() backlog check and pr_warn()
KCSAN reports the following conflicting access pattern (one example):
==================================================================
BUG: KCSAN: data-race in audit_log_start / skb_dequeue
write (marked) to 0xffffffff8512ee20 of 4 bytes by task 661 on cpu 57:
skb_dequeue+0x70/0xf0
kauditd_send_queue+0x71/0x220
kauditd_thread+0x1cb/0x430
kthread+0x1c2/0x210
ret_from_fork+0x162/0x1a0
ret_from_fork_asm+0x1a/0x30
read to 0xffffffff8512ee20 of 4 bytes by task 36586 on cpu 1:
audit_log_start+0x2a0/0x6b0
audit_core_dumps+0x64/0xa0
do_coredump+0x14b/0x1260
get_signal+0xeb2/0xf70
arch_do_signal_or_restart+0x41/0x170
exit_to_user_mode_loop+0xa2/0x1c0
do_syscall_64+0x1a3/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0xe0
value changed: 0x00000001 -> 0x00000000
==================================================================
Resolve the race by switching to lockless helper skb_queue_len_lockless(),
which internally uses READ_ONCE() and properly pairs with the WRITE_ONCE()
write accesses already present on the writer side.
Cc: stable@vger.kernel.org
Fixes: 3197542482df ("audit: rework audit_log_start()")
Signed-off-by: Chi Wang <wangchi@kylinos.cn>
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
[PM: line length tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -950,7 +950,7 @@ main_queue:
* do the multicast send and rotate records from the
* main queue to the retry/hold queues */
wait_event_freezable(kauditd_wait,
- (skb_queue_len(&audit_queue) ? 1 : 0));
+ (skb_queue_len_lockless(&audit_queue) ? 1 : 0));
}
return 0;
@@ -1283,7 +1283,7 @@ static int audit_receive_msg(struct sk_b
s.rate_limit = audit_rate_limit;
s.backlog_limit = audit_backlog_limit;
s.lost = atomic_read(&audit_lost);
- s.backlog = skb_queue_len(&audit_queue);
+ s.backlog = skb_queue_len_lockless(&audit_queue);
s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
s.backlog_wait_time = audit_backlog_wait_time;
s.backlog_wait_time_actual = atomic_read(&audit_backlog_wait_time_actual);
@@ -1627,7 +1627,7 @@ static void audit_receive(struct sk_buff
/* can't block with the ctrl lock, so penalize the sender now */
if (audit_backlog_limit &&
- (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
+ (skb_queue_len_lockless(&audit_queue) > audit_backlog_limit)) {
DECLARE_WAITQUEUE(wait, current);
/* wake kauditd to try and flush the queue */
@@ -1933,7 +1933,7 @@ struct audit_buffer *audit_log_start(str
long stime = audit_backlog_wait_time;
while (audit_backlog_limit &&
- (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
+ (skb_queue_len_lockless(&audit_queue) > audit_backlog_limit)) {
/* wake kauditd to try and flush the queue */
wake_up_interruptible(&kauditd_wait);
@@ -1953,7 +1953,7 @@ struct audit_buffer *audit_log_start(str
} else {
if (audit_rate_check() && printk_ratelimit())
pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
- skb_queue_len(&audit_queue),
+ skb_queue_len_lockless(&audit_queue),
audit_backlog_limit);
audit_log_lost("backlog limit exceeded");
return NULL;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 174/518] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 173/518] audit: Fix data races of skb_queue_len() readers on audit_queue Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 175/518] Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete Greg Kroah-Hartman
` (347 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz,
Marco Elver
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Elver <elver@google.com>
commit b66774b48dd98f07254951f74ea6f513efe7ff8b upstream.
l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
the connection is torn down while the timer is running or pending,
chan->conn can be freed, leading to a use-after-free when the timer
worker attempts to lock conn->lock:
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
|
| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
| Workqueue: events l2cap_chan_timeout
| Call Trace:
| <TASK>
| instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
| </TASK>
|
| Allocated by task 320:
| l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
| l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
| hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
| hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
| hci_event_func net/bluetooth/hci_event.c:7796 [inline]
| hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
| hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| Freed by task 322:
| hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
| hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
| hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
| hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
| hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
| vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
| __fput+0x369/0x890 fs/file_table.c:510
| task_work_run+0x160/0x1d0 kernel/task_work.c:233
| get_signal+0xf5b/0x1120 kernel/signal.c:2810
| arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
| __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
| exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
| do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
| entry_SYSCALL_64_after_hwframe+0x77/0x7f
|
| The buggy address belongs to the object at ffff8881298d9400
| which belongs to the cache kmalloc-512 of size 512
| The buggy address is located 336 bytes inside of
| freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
Fix it by having chan->conn hold a reference to l2cap_conn (via
l2cap_conn_get) when the channel is added to the connection, and
releasing it in the channel destructor. This ensures the l2cap_conn
remains alive as long as the channel exists.
A new FLAG_DEL channel flag is introduced to indicate that the channel
has been deleted from its connection. l2cap_chan_del() atomically sets
this flag using test_and_set_bit() instead of setting chan->conn to
NULL. All asynchronous workers (l2cap_chan_timeout, l2cap_ack_timeout,
l2cap_monitor_timeout, l2cap_retrans_timeout) and l2cap_chan_send()
check FLAG_DEL to determine whether the channel has been torn down,
rather than testing chan->conn for NULL.
Fixes: 8c8e620467a7 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
Cc: <stable@vger.kernel.org>
Cc: Siwei Zhang <oss@fourdim.xyz>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Assisted-by: Gemini:gemini-3.1-pro-preview
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 34 ++++++++++++++++++++--------------
2 files changed, 21 insertions(+), 14 deletions(-)
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -748,6 +748,7 @@ enum {
FLAG_ECRED_CONN_REQ_SENT,
FLAG_PENDING_SECURITY,
FLAG_HOLD_HCI_CONN,
+ FLAG_DEL,
};
/* Lock nesting levels for L2CAP channels. We need these because lockdep
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -411,7 +411,7 @@ static void l2cap_chan_timeout(struct wo
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
- if (!conn) {
+ if (test_bit(FLAG_DEL, &chan->flags)) {
l2cap_chan_put(chan);
return;
}
@@ -422,6 +422,9 @@ static void l2cap_chan_timeout(struct wo
*/
l2cap_chan_lock(chan);
+ if (test_bit(FLAG_DEL, &chan->flags))
+ goto unlock;
+
if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
reason = ECONNREFUSED;
else if (chan->state == BT_CONNECT &&
@@ -434,10 +437,10 @@ static void l2cap_chan_timeout(struct wo
chan->ops->close(chan);
+unlock:
l2cap_chan_unlock(chan);
- l2cap_chan_put(chan);
-
mutex_unlock(&conn->lock);
+ l2cap_chan_put(chan);
}
struct l2cap_chan *l2cap_chan_create(void)
@@ -490,6 +493,9 @@ static void l2cap_chan_destroy(struct kr
list_del(&chan->global_l);
write_unlock(&chan_list_lock);
+ if (chan->conn)
+ l2cap_conn_put(chan->conn);
+
kfree(chan);
}
@@ -593,7 +599,7 @@ void __l2cap_chan_add(struct l2cap_conn
conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
- chan->conn = conn;
+ chan->conn = l2cap_conn_get(conn);
switch (chan->chan_type) {
case L2CAP_CHAN_CONN_ORIENTED:
@@ -648,30 +654,26 @@ void l2cap_chan_add(struct l2cap_conn *c
void l2cap_chan_del(struct l2cap_chan *chan, int err)
{
- struct l2cap_conn *conn = chan->conn;
-
__clear_chan_timer(chan);
- BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
+ BT_DBG("chan %p, err %d, state %s", chan, err,
state_to_string(chan->state));
chan->ops->teardown(chan, err);
- if (conn) {
+ if (!test_and_set_bit(FLAG_DEL, &chan->flags)) {
/* Delete from channel list */
list_del(&chan->list);
l2cap_chan_put(chan);
- chan->conn = NULL;
-
/* Reference was only held for non-fixed channels or
* fixed channels that explicitly requested it using the
* FLAG_HOLD_HCI_CONN flag.
*/
if (chan->chan_type != L2CAP_CHAN_FIXED ||
test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
- hci_conn_drop(conn->hcon);
+ hci_conn_drop(chan->conn->hcon);
}
if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
@@ -1903,7 +1905,7 @@ static void l2cap_monitor_timeout(struct
l2cap_chan_lock(chan);
- if (!chan->conn) {
+ if (test_bit(FLAG_DEL, &chan->flags)) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
@@ -1924,7 +1926,7 @@ static void l2cap_retrans_timeout(struct
l2cap_chan_lock(chan);
- if (!chan->conn) {
+ if (test_bit(FLAG_DEL, &chan->flags)) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
@@ -2565,7 +2567,7 @@ int l2cap_chan_send(struct l2cap_chan *c
int err;
struct sk_buff_head seg_queue;
- if (!chan->conn)
+ if (test_bit(FLAG_DEL, &chan->flags))
return -ENOTCONN;
/* Connectionless channel */
@@ -3160,12 +3162,16 @@ static void l2cap_ack_timeout(struct wor
l2cap_chan_lock(chan);
+ if (test_bit(FLAG_DEL, &chan->flags))
+ goto unlock;
+
frames_to_ack = __seq_offset(chan, chan->buffer_seq,
chan->last_acked_seq);
if (frames_to_ack)
l2cap_send_rr_or_rnr(chan, 0);
+unlock:
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 175/518] Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 174/518] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 176/518] coresight: etb10: restore atomic_t for shared reading state Greg Kroah-Hartman
` (346 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Samuel Page, Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Page <sam@bynar.io>
commit fa85d985f614bc3feb343000f14a1072e99b0df1 upstream.
add_device_complete() runs from the hci_cmd_sync_work kworker, which
holds only hci_req_sync_lock and *not* hci_dev_lock. It calls
hci_conn_params_lookup() and then dereferences the returned object
(params->flags) without taking hci_dev_lock:
params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
le_addr_type(cp->addr.type));
...
device_flags_changed(NULL, hdev, &cp->addr.bdaddr,
cp->addr.type, hdev->conn_flags,
params ? params->flags : 0);
hci_conn_params_lookup() walks hdev->le_conn_params and is documented to
require hdev->lock. A concurrent MGMT_OP_REMOVE_DEVICE
(remove_device()), which does run under hci_dev_lock, can call
hci_conn_params_free() to list_del() and kfree() the very object the
lookup returned, so the subsequent params->flags read touches freed
memory [0].
Hold hci_dev_lock() across the hci_conn_params_lookup() and the read of
params->flags (and the matching event emission) so the lookup result
cannot be freed by a concurrent remove_device() before it is used,
honouring the locking contract of hci_conn_params_lookup().
[0]: (trailing page/memory-state dump trimmed)
BUG: KASAN: slab-use-after-free in add_device_complete+0x358/0x3d8 net/bluetooth/mgmt.c:7671
Read of size 1 at addr ffff000017ab26c1 by task kworker/u9:8/388
CPU: 1 UID: 0 PID: 388 Comm: kworker/u9:8 Not tainted 7.0.11 #20 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: hci0 hci_cmd_sync_work
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xb4/0xd4 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x118/0x5d8 mm/kasan/report.c:482
kasan_report+0xb0/0xf4 mm/kasan/report.c:595
__asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
add_device_complete+0x358/0x3d8 net/bluetooth/mgmt.c:7671
hci_cmd_sync_work+0x14c/0x240 net/bluetooth/hci_sync.c:334
process_one_work+0x628/0xd38 kernel/workqueue.c:3289
process_scheduled_works kernel/workqueue.c:3372 [inline]
worker_thread+0x7a8/0xac0 kernel/workqueue.c:3453
kthread+0x39c/0x444 kernel/kthread.c:436
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Allocated by task 3401:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57
kasan_save_track+0x20/0x3c mm/kasan/common.c:78
kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xd4/0xd8 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x1b0/0x458 mm/slub.c:5385
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
hci_conn_params_add+0x10c/0x4b0 net/bluetooth/hci_core.c:2279
hci_conn_params_set net/bluetooth/mgmt.c:5162 [inline]
add_device+0x5b4/0xa54 net/bluetooth/mgmt.c:7755
hci_mgmt_cmd net/bluetooth/hci_sock.c:1721 [inline]
hci_sock_sendmsg+0x10b4/0x1dd0 net/bluetooth/hci_sock.c:1841
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xe0/0x128 net/socket.c:742
sock_write_iter+0x250/0x390 net/socket.c:1195
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x66c/0xab0 fs/read_write.c:688
ksys_write+0x1fc/0x24c fs/read_write.c:740
__do_sys_write fs/read_write.c:751 [inline]
__se_sys_write fs/read_write.c:748 [inline]
__arm64_sys_write+0x70/0xa4 fs/read_write.c:748
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x84/0x2a8 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0xe4/0x294 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x44/0x5c arch/arm64/kernel/syscall.c:151
el0_svc+0x38/0xac arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Freed by task 3740:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57
kasan_save_track+0x20/0x3c mm/kasan/common.c:78
kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x88/0xb8 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2685 [inline]
slab_free mm/slub.c:6170 [inline]
kfree+0x14c/0x458 mm/slub.c:6488
hci_conn_params_free+0x288/0x484 net/bluetooth/hci_core.c:2312
remove_device+0x4b0/0x968 net/bluetooth/mgmt.c:7919
hci_mgmt_cmd net/bluetooth/hci_sock.c:1721 [inline]
hci_sock_sendmsg+0x10b4/0x1dd0 net/bluetooth/hci_sock.c:1841
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xe0/0x128 net/socket.c:742
sock_write_iter+0x250/0x390 net/socket.c:1195
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x66c/0xab0 fs/read_write.c:688
ksys_write+0x1fc/0x24c fs/read_write.c:740
__do_sys_write fs/read_write.c:751 [inline]
__se_sys_write fs/read_write.c:748 [inline]
__arm64_sys_write+0x70/0xa4 fs/read_write.c:748
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x84/0x2a8 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0xe4/0x294 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x44/0x5c arch/arm64/kernel/syscall.c:151
el0_svc+0x38/0xac arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Fixes: 1e2e3044c1bc ("Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags")
Cc: stable@vger.kernel.org
Assisted-by: Bynario AI
Signed-off-by: Samuel Page <sam@bynar.io>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/mgmt.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -7661,6 +7661,8 @@ static void add_device_complete(struct h
if (!err) {
struct hci_conn_params *params;
+ hci_dev_lock(hdev);
+
params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
le_addr_type(cp->addr.type));
@@ -7669,6 +7671,7 @@ static void add_device_complete(struct h
device_flags_changed(NULL, hdev, &cp->addr.bdaddr,
cp->addr.type, hdev->conn_flags,
params ? params->flags : 0);
+ hci_dev_unlock(hdev);
}
mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_ADD_DEVICE,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 176/518] coresight: etb10: restore atomic_t for shared reading state
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 175/518] Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 177/518] debugobjects: Plug race against a concurrent OOM disable Greg Kroah-Hartman
` (345 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Runyu Xiao, James Clark,
Suzuki K Poulose
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit fa09f08ede3db3050ae16ae1ed92c902d0cada23 upstream.
The etb10 miscdevice uses drvdata->reading as a shared exclusivity gate
for userspace buffer access. etb_open() claims that gate with
local_cmpxchg(), and etb_release() clears it with local_set().
That gate is shared per-device state rather than CPU-local state. A
running system can reach it whenever /dev/<etb> is opened, closed, and
reopened by different tasks while the device remains registered, so the
same drvdata->reading variable may be claimed on one CPU and later
cleared on another.
This code used to use atomic_t for the same gate, but commit
27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
changed it to local_t even though the access pattern remained cross-task
and cross-CPU. Restore atomic_t together with atomic_cmpxchg() and
atomic_set() so the exclusivity gate again uses a primitive intended
for shared state.
The issue was found on Linux v6.18.21 by our static analysis tool while
scanning surviving local_t-on-shared-state sites, and then manually
reviewed against the live etb10 file-op path.
It was runtime-validated with a reproducible QEMU no-device KCSAN PoC
that kept the same report-local contract:
1. use one shared struct etb_drvdata carrier and its
drvdata->reading gate;
2. call etb_open() and etb_release() sequentially on that gate to
confirm the original claim/clear path;
3. bind the open side to CPU0 and the release side to CPU1 for the
same gate to show cross-CPU ownership;
4. run bound workers that repeatedly race etb_open() and
etb_release() on the same gate until KCSAN reports a target hit.
The harness recorded:
L1 passed open=1 release=1
reading_after_open=1 reading_after_release=0
L2 passed open_cpu=0 release_cpu=1
cross_cpu_release=1 reading_after=0 open_ret=0
Representative KCSAN excerpt from the no-device validation run:
BUG: KCSAN: data-race in etb_open.constprop.0.isra.0 [vuln_msv]
write to 0xffffffffc0003810 of 4 bytes by task 216 on cpu 1:
etb_open.constprop.0.isra.0+0x38/0x80 [vuln_msv]
l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
kthread+0x17e/0x1c0
ret_from_fork+0x22/0x30
read to 0xffffffffc0003810 of 4 bytes by task 215 on cpu 0:
etb_open.constprop.0.isra.0+0x18/0x80 [vuln_msv]
l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
kthread+0x17e/0x1c0
ret_from_fork+0x22/0x30
value changed: 0x00000000 -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 215 Comm: etb10_l3_a Tainted: G O 6.1.66 #2
This no-device harness is not a real ETB10 hardware end-to-end run, but
it preserves the same shared drvdata->reading gate and the same
etb_open()/etb_release() claim/clear contract. No real ETB10 hardware
was available for runtime testing.
Build-tested with:
make olddefconfig
make -j"$(nproc)" drivers/hwtracing/coresight/coresight-etb10.o
Fixes: 27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20260528165201.319452-1-runyu.xiao@seu.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/coresight-etb10.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -83,7 +83,7 @@ struct etb_drvdata {
struct coresight_device *csdev;
struct miscdevice miscdev;
raw_spinlock_t spinlock;
- local_t reading;
+ atomic_t reading;
pid_t pid;
u8 *buf;
u32 buffer_depth;
@@ -601,7 +601,7 @@ static int etb_open(struct inode *inode,
struct etb_drvdata *drvdata = container_of(file->private_data,
struct etb_drvdata, miscdev);
- if (local_cmpxchg(&drvdata->reading, 0, 1))
+ if (atomic_cmpxchg(&drvdata->reading, 0, 1))
return -EBUSY;
dev_dbg(&drvdata->csdev->dev, "%s: successfully opened\n", __func__);
@@ -639,7 +639,7 @@ static int etb_release(struct inode *ino
{
struct etb_drvdata *drvdata = container_of(file->private_data,
struct etb_drvdata, miscdev);
- local_set(&drvdata->reading, 0);
+ atomic_set(&drvdata->reading, 0);
dev_dbg(&drvdata->csdev->dev, "%s: released\n", __func__);
return 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 177/518] debugobjects: Plug race against a concurrent OOM disable
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 176/518] coresight: etb10: restore atomic_t for shared reading state Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 178/518] fs/ntfs3: validate Dirty Page Table capacity in log_replay copy_lcns Greg Kroah-Hartman
` (344 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5e8dda76ca21dae314b6,
Thomas Gleixner
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
commit b81dde13cc163450dcb402dcc915ef13ba241e01 upstream.
syzbot reported a puzzling splat:
WARNING: kernel/time/hrtimer.c:443 at stub_timer+0xa/0x20
stub_timer() is installed as timer callback function in
hrtimer_fixup_assert_init(), which is invoked when
debug_object_assert_init() can't find a shadow object. In that case debug
objects emits a warning about it before invoking the fixup.
Though the provided console log lacks this warning and instead has the
following a few seconds before the splat:
ODEBUG: Out of memory. ODEBUG disabled
So the object was looked up in debug_object_assert_init() and the lookup
failed due a concurrent out of memory situation which disabled debug
objects and freed the shadow objects:
debug_object_assert_init()
if (!debug_objects_enabled)
return; obj = alloc();
if (!obj) {
// Out of memory
debug_objects_enabled = false;
free_objects();
obj = lookup_or_alloc();
// The lookup failed because the other side
// removed the objects, so this returns
// an error code as the object in question
// is not statically initialized
if (!IS_ERR_OR_NULL(obj))
return;
if (!obj) {
debug_oom();
return;
}
print(...)
if (!debug_objects_enabled)
return;
fixup(...)
The debug object splat is skipped because debug_objects_enabled is false,
but the fixup callback is invoked unconditionally, which makes the timer
disfunctional.
This is only a problem in debug_object_assert_init() and
debug_object_activate() as both have to handle statically initialized
objects and therefore must handle the error pointer return case
gracefully. All other places only handle the found/not found case and the
NULL pointer return is a signal for OOM. Otherwise they get a valid shadow
object.
Plug the hole by checking whether debug objects are still enabled before
invoking the print and fixup function in those two places.
Fixes: b84d435cc228 ("debugobjects: Extend to assert that an object is initialized")
Reported-by: syzbot+5e8dda76ca21dae314b6@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/874iiwlzlb.ffs@fw13
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/debugobjects.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -894,6 +894,14 @@ int debug_object_activate(void *addr, co
}
raw_spin_unlock_irqrestore(&db->lock, flags);
+
+ /*
+ * lookup_object_or_alloc() might have raced with a concurrent
+ * allocation failure which disabled debug objects.
+ */
+ if (!debug_objects_enabled)
+ return 0;
+
debug_print_object(&o, "activate");
switch (o.state) {
@@ -1071,6 +1079,15 @@ void debug_object_assert_init(void *addr
return;
}
+ /*
+ * lookup_object_or_alloc() might have raced with a concurrent
+ * allocation failure which disabled debug objects. Don't run the fixup
+ * as it might turn a valid object useless. See for example
+ * hrtimer_fixup_assert_init().
+ */
+ if (!debug_objects_enabled)
+ return;
+
/* Object is neither tracked nor static. It's not initialized. */
debug_print_object(&o, "assert_init");
debug_object_fixup(descr->fixup_assert_init, addr, ODEBUG_STATE_NOTAVAILABLE);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 178/518] fs/ntfs3: validate Dirty Page Table capacity in log_replay copy_lcns
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 177/518] debugobjects: Plug race against a concurrent OOM disable Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 179/518] ntfs: avoid calling post_write_mst_fixup() for invalid index_block Greg Kroah-Hartman
` (343 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunpeng Tian, Mingda Zhang,
Gongming Wang, Peiyuan Xu, Qinrun Dai, Konstantin Komarov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunpeng Tian <shionthanatos@gmail.com>
commit 57382ec6ac63b63dce2789e835fded28b698ae79 upstream.
In the analysis pass of $LogFile journal replay, log_replay() copies
LCNs from each action log record into an existing Dirty Page Table
(DPT) entry without bounding the destination index. A crafted NTFS
image with DPT entry lcns_follow=1 and an action log record with
lcns_follow=2 produces a kernel slab out-of-bounds write at mount
time:
BUG: KASAN: slab-out-of-bounds in log_replay+0x654c/0xdb60
Write of size 8 at addr ffff8880095e1040 by task mount
Two attacker-controlled fields can drive j+i past the allocated
page_lcns[] array:
1. dp->lcns_follow (capacity) can be smaller than lrh->lcns_follow.
2. lrh->target_vcn may be smaller than dp->vcn, making the u64
subtraction wrap to a huge size_t.
Validate target VCN delta and per-record LCN count against the
DPT entry capacity, bail via the existing out: cleanup label with
-EINVAL.
This mirrors the bounds-check pattern added in commit b2bc7c44ed17
("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot")
and commit 0ca0485e4b2e ("fs/ntfs3: validate rec->used in
journal-replay file record check").
Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Reported-by: Yunpeng Tian <shionthanatos@gmail.com>
Reported-by: Mingda Zhang <npczmd@qq.com>
Reported-by: Gongming Wang <gmwgg05@gmail.com>
Reported-by: Peiyuan Xu <paulbucket12@gmail.com>
Reported-by: Qinrun Dai <jupmouse@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Yunpeng Tian <shionthanatos@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/fslog.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -4547,11 +4547,21 @@ copy_lcns:
* whole routine a loop, case Lcns do not fit below.
*/
t16 = le16_to_cpu(lrh->lcns_follow);
- for (i = 0; i < t16; i++) {
- size_t j = (size_t)(le64_to_cpu(lrh->target_vcn) -
- le64_to_cpu(dp->vcn));
- dp->page_lcns[j + i] = lrh->page_lcns[i];
- }
+ t32 = le32_to_cpu(dp->lcns_follow);
+ if (le64_to_cpu(lrh->target_vcn) < le64_to_cpu(dp->vcn)) {
+ err = -EINVAL;
+ goto out;
+ }
+
+ for (i = 0; i < t16; i++) {
+ size_t j = (size_t)(le64_to_cpu(lrh->target_vcn) -
+ le64_to_cpu(dp->vcn));
+ if (j >= t32 || i >= t32 - j) {
+ err = -EINVAL;
+ goto out;
+ }
+ dp->page_lcns[j + i] = lrh->page_lcns[i];
+ }
goto next_log_record_analyze;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 179/518] ntfs: avoid calling post_write_mst_fixup() for invalid index_block
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 178/518] fs/ntfs3: validate Dirty Page Table capacity in log_replay copy_lcns Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 180/518] NTB: epf: Avoid calling pci_irq_vector() from hardirq context Greg Kroah-Hartman
` (342 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Valeriy Yashnikov, Hyunchul Lee,
Namjae Jeon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Valeriy Yashnikov <yashnikov.valeriy@gmail.com>
commit 5b6eedd7cc2936f9238e852b553a1b326105bde8 upstream.
ntfs_icx_ib_sync_write() calls post_write_mst_fixup() when ntfs_ib_write()
returns an error, intending to restore the buffer after a failed write.
However, ntfs_ib_write() returns an error immediately if
pre_write_mst_fixup() validation fails. The caller,
ntfs_icx_ib_sync_write(), interprets any error as a write failure
requiring rollback. It does not differentiate between I/O errors and
validation failures, and calls post_write_mst_fixup() anyway.
Since post_write_mst_fixup() assumes that the index_block contents is
correct, it doesn't perform the boundary checks, which results in
out-of-bounds memory access.
An attacker can craft a malicious NTFS image with:
- large index_block.usa_ofs offset, pointing outside the ntfs_record
- index_block.usa_count = 0, causing integer underflow
- or index_block.usa_count larger than actual number of sectors in the
ntfs_record, causing out-of-bounds access
KASAN reports describing the memory corruption:
==================================================================
BUG: KASAN: slab-out-of-bounds in post_write_mst_fixup+0x19c/0x1d0
Read of size 2 at addr ffff8881586c9018 by task p/9428
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
print_report+0x139/0x4ad
? post_write_mst_fixup+0x19c/0x1d0
? __virt_addr_valid+0x262/0x500
? post_write_mst_fixup+0x19c/0x1d0
kasan_report+0xe4/0x1d0
? post_write_mst_fixup+0x19c/0x1d0
post_write_mst_fixup+0x19c/0x1d0
ntfs_icx_ib_sync_write+0x179/0x220
ntfs_inode_sync_filename+0x83d/0x1080
__ntfs_write_inode+0x1049/0x1480
ntfs_file_fsync+0x131/0x9b0
==================================================================
BUG: KASAN: slab-out-of-bounds in post_write_mst_fixup+0x1aa/0x1d0
Write of size 2 at addr ffff8881586c91fe by task p/9428
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
print_report+0x139/0x4ad
? post_write_mst_fixup+0x1aa/0x1d0
? __virt_addr_valid+0x262/0x500
? post_write_mst_fixup+0x1aa/0x1d0
kasan_report+0xe4/0x1d0
? post_write_mst_fixup+0x1aa/0x1d0
post_write_mst_fixup+0x1aa/0x1d0
ntfs_icx_ib_sync_write+0x179/0x220
ntfs_inode_sync_filename+0x83d/0x1080
__ntfs_write_inode+0x1049/0x1480
ntfs_file_fsync+0x131/0x9b0
==================================================================
Let's move the post_write_mst_fixup() call to ntfs_ib_write().
The ntfs_ib_write() function calls pre_write_mst_fixup() at the beginning.
If the index_block contents is invalid, pre_write_mst_fixup() fails and
ntfs_ib_write() returns early without calling post_write_mst_fixup() on
bad index_block.
Fixes: 0a8ac0c1fa0b ("ntfs: update directory operations")
Cc: stable@vger.kernel.org
Signed-off-by: Valeriy Yashnikov <yashnikov.valeriy@gmail.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs/index.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/ntfs/index.c
+++ b/fs/ntfs/index.c
@@ -141,6 +141,10 @@ static int ntfs_ib_write(struct ntfs_ind
ret = ntfs_inode_attr_pwrite(VFS_I(icx->ia_ni),
ntfs_ib_vcn_to_pos(icx, vcn), icx->block_size,
(u8 *)ib, icx->sync_write);
+
+ /* Perform data restoration before returning */
+ post_write_mst_fixup((struct ntfs_record *)ib);
+
if (ret != icx->block_size) {
ntfs_debug("Failed to write index block %lld, inode %llu",
vcn, (unsigned long long)icx->idx_ni->mft_no);
@@ -178,7 +182,6 @@ int ntfs_icx_ib_sync_write(struct ntfs_i
icx->ib = NULL;
icx->ib_dirty = false;
} else {
- post_write_mst_fixup((struct ntfs_record *)icx->ib);
icx->sync_write = false;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 180/518] NTB: epf: Avoid calling pci_irq_vector() from hardirq context
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 179/518] ntfs: avoid calling post_write_mst_fixup() for invalid index_block Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 181/518] gpio: eic-sprd: use raw_spinlock_t in the irq startup path Greg Kroah-Hartman
` (341 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Bjorn Helgaas, Dave Jiang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
commit 4dcddc1c794d1c65eda68f1f8dd04a0fecc0870f upstream.
ntb_epf_vec_isr() calls pci_irq_vector() in hardirq context to derive
the vector number. pci_irq_vector() calls msi_get_virq() that takes a
mutex and can therefore trigger "scheduling while atomic" splats:
BUG: scheduling while atomic: kworker/u33:0/55/0x00010001
...
Call trace:
...
schedule+0x38/0x110
schedule_preempt_disabled+0x28/0x50
__mutex_lock.constprop.0+0x848/0x908
__mutex_lock_slowpath+0x18/0x30
mutex_lock+0x4c/0x60
msi_domain_get_virq+0xe8/0x138
pci_irq_vector+0x2c/0x60
ntb_epf_vec_isr+0x28/0x120 [ntb_hw_epf]
__handle_irq_event_percpu+0x70/0x3a8
handle_irq_event+0x48/0x100
handle_edge_irq+0x100/0x1c8
...
Cache the Linux IRQ number for vector 0 when vectors are allocated and
use it as a base in the ISR. Running the ISR in a threaded IRQ handler
would also avoid the problem, but that would be unnecessary here.
Fixes: 812ce2f8d14e ("NTB: Add support for EPF PCI Non-Transparent Bridge")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Cc: stable@vger.kernel.org # v5.12+
Link: https://patch.msgid.link/20260304083028.1391068-3-den@valinux.co.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/hw/epf/ntb_hw_epf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
+++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
@@ -92,6 +92,7 @@ struct ntb_epf_dev {
int db_val;
u64 db_valid_mask;
+ int irq_base;
};
#define ntb_ndev(__ntb) container_of(__ntb, struct ntb_epf_dev, ntb)
@@ -318,7 +319,7 @@ static irqreturn_t ntb_epf_vec_isr(int i
struct ntb_epf_dev *ndev = dev;
int irq_no;
- irq_no = irq - pci_irq_vector(ndev->ntb.pdev, 0);
+ irq_no = irq - ndev->irq_base;
ndev->db_val = irq_no + 1;
if (irq_no == 0)
@@ -350,6 +351,7 @@ static int ntb_epf_init_isr(struct ntb_e
argument &= ~MSIX_ENABLE;
}
+ ndev->irq_base = pci_irq_vector(pdev, 0);
for (i = 0; i < irq; i++) {
ret = request_irq(pci_irq_vector(pdev, i), ntb_epf_vec_isr,
0, "ntb_epf", ndev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 181/518] gpio: eic-sprd: use raw_spinlock_t in the irq startup path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 180/518] NTB: epf: Avoid calling pci_irq_vector() from hardirq context Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 182/518] gpio: sch: " Greg Kroah-Hartman
` (340 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Runyu Xiao,
Sebastian Andrzej Siewior, Bartosz Golaszewski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit 90f0109019e6817eb40a486671b7722d1544ae29 upstream.
sprd_eic_irq_unmask() enables the GPIO IRQ and then updates controller
state through sprd_eic_update(), which takes sprd_eic->lock with
spin_lock_irqsave(). The callback can be reached from irq_startup()
while setting up a requested IRQ. That path is not sleepable, but on
PREEMPT_RT a regular spinlock_t becomes a sleeping lock.
This issue was found by our static analysis tool and then manually
reviewed against the current tree.
The grounded PoC kept the request_threaded_irq() -> __setup_irq() ->
irq_startup() -> sprd_eic_irq_unmask() -> sprd_eic_update() carrier and
used the original spin_lock_irqsave(&sprd_eic->lock) edge. Lockdep
reported:
BUG: sleeping function called from invalid context
hardirqs last disabled at ... __setup_irq.constprop.0 ... [vuln_msv]
sprd_rt_spin_lock_irqsave+0x1c/0x30 [vuln_msv]
sprd_eic_update.constprop.0+0x48/0x90 [vuln_msv]
sprd_eic_irq_unmask.constprop.0+0x35/0x50 [vuln_msv]
__setup_irq.constprop.0+0xd/0x30 [vuln_msv]
Convert the Spreadtrum EIC controller lock to raw_spinlock_t. The
locked section only serializes MMIO register updates and does not contain
sleepable operations, so keeping it non-sleeping is appropriate for the
irqchip callbacks.
Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20260617154035.1199948-3-runyu.xiao@seu.edu.cn
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-eic-sprd.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpio/gpio-eic-sprd.c
+++ b/drivers/gpio/gpio-eic-sprd.c
@@ -95,7 +95,7 @@ struct sprd_eic {
struct notifier_block irq_nb;
void __iomem *base[SPRD_EIC_MAX_BANK];
enum sprd_eic_type type;
- spinlock_t lock;
+ raw_spinlock_t lock;
int irq;
};
@@ -149,7 +149,7 @@ static void sprd_eic_update(struct gpio_
unsigned long flags;
u32 tmp;
- spin_lock_irqsave(&sprd_eic->lock, flags);
+ raw_spin_lock_irqsave(&sprd_eic->lock, flags);
tmp = readl_relaxed(base + reg);
if (val)
@@ -158,7 +158,7 @@ static void sprd_eic_update(struct gpio_
tmp &= ~BIT(SPRD_EIC_BIT(offset));
writel_relaxed(tmp, base + reg);
- spin_unlock_irqrestore(&sprd_eic->lock, flags);
+ raw_spin_unlock_irqrestore(&sprd_eic->lock, flags);
}
static int sprd_eic_read(struct gpio_chip *chip, unsigned int offset, u16 reg)
@@ -628,7 +628,7 @@ static int sprd_eic_probe(struct platfor
if (!sprd_eic)
return -ENOMEM;
- spin_lock_init(&sprd_eic->lock);
+ raw_spin_lock_init(&sprd_eic->lock);
sprd_eic->type = pdata->type;
sprd_eic->irq = platform_get_irq(pdev, 0);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 182/518] gpio: sch: use raw_spinlock_t in the irq startup path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 181/518] gpio: eic-sprd: use raw_spinlock_t in the irq startup path Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 183/518] HID: logitech-dj: Fix maxfield check in DJ short report validation Greg Kroah-Hartman
` (339 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Runyu Xiao,
Sebastian Andrzej Siewior, Andy Shevchenko, Bartosz Golaszewski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit 286533cb14a3c8a8bd39ff64ea2fc8e1aa0f638b upstream.
sch_irq_unmask() enables the GPIO IRQ and then updates the controller
state through sch_irq_mask_unmask(), which takes sch->lock with
spin_lock_irqsave(). The callback can be reached from irq_startup()
while setting up a requested IRQ. That path is not sleepable, but on
PREEMPT_RT a regular spinlock_t becomes a sleeping lock.
This issue was found by our static analysis tool and then manually
reviewed against the current tree.
The grounded PoC kept the request_threaded_irq() -> __setup_irq() ->
irq_startup() -> sch_irq_unmask() -> sch_irq_mask_unmask() carrier and
used the original spin_lock_irqsave(&sch->lock) edge. Lockdep reported:
BUG: sleeping function called from invalid context
hardirqs last disabled at ... __setup_irq.constprop.0 ... [vuln_msv]
sch_rt_spin_lock_irqsave+0x1c/0x30 [vuln_msv]
sch_irq_mask_unmask.constprop.0+0x31/0x70 [vuln_msv]
__setup_irq.constprop.0+0xd/0x30 [vuln_msv]
Convert the SCH controller lock to raw_spinlock_t. The same lock is
also used by the GPIO direction and value callbacks, but those critical
sections only update MMIO-backed GPIO registers and do not contain
sleepable operations. Keeping this register lock non-sleeping is
therefore appropriate for the irqchip callbacks and does not change the
GPIO-side locking contract.
Fixes: 7a81638485c1 ("gpio: sch: Add edge event support")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Link: https://patch.msgid.link/20260617154035.1199948-2-runyu.xiao@seu.edu.cn
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-sch.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
--- a/drivers/gpio/gpio-sch.c
+++ b/drivers/gpio/gpio-sch.c
@@ -39,7 +39,7 @@
struct sch_gpio {
struct gpio_chip chip;
void __iomem *regs;
- spinlock_t lock;
+ raw_spinlock_t lock;
unsigned short resume_base;
/* GPE handling */
@@ -104,9 +104,9 @@ static int sch_gpio_direction_in(struct
struct sch_gpio *sch = gpiochip_get_data(gc);
unsigned long flags;
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
sch_gpio_reg_set(sch, gpio_num, GIO, 1);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
return 0;
}
@@ -122,9 +122,9 @@ static int sch_gpio_set(struct gpio_chip
struct sch_gpio *sch = gpiochip_get_data(gc);
unsigned long flags;
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
sch_gpio_reg_set(sch, gpio_num, GLV, val);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
return 0;
}
@@ -135,9 +135,9 @@ static int sch_gpio_direction_out(struct
struct sch_gpio *sch = gpiochip_get_data(gc);
unsigned long flags;
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
sch_gpio_reg_set(sch, gpio_num, GIO, 0);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
/*
* according to the datasheet, writing to the level register has no
@@ -196,14 +196,14 @@ static int sch_irq_type(struct irq_data
return -EINVAL;
}
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
sch_gpio_reg_set(sch, gpio_num, GTPE, rising);
sch_gpio_reg_set(sch, gpio_num, GTNE, falling);
irq_set_handler_locked(d, handle_edge_irq);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
return 0;
}
@@ -215,9 +215,9 @@ static void sch_irq_ack(struct irq_data
irq_hw_number_t gpio_num = irqd_to_hwirq(d);
unsigned long flags;
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
sch_gpio_reg_set(sch, gpio_num, GTS, 1);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
}
static void sch_irq_mask_unmask(struct gpio_chip *gc, irq_hw_number_t gpio_num, int val)
@@ -225,9 +225,9 @@ static void sch_irq_mask_unmask(struct g
struct sch_gpio *sch = gpiochip_get_data(gc);
unsigned long flags;
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
sch_gpio_reg_set(sch, gpio_num, GGPE, val);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
}
static void sch_irq_mask(struct irq_data *d)
@@ -268,12 +268,12 @@ static u32 sch_gpio_gpe_handler(acpi_han
int offset;
u32 ret;
- spin_lock_irqsave(&sch->lock, flags);
+ raw_spin_lock_irqsave(&sch->lock, flags);
core_status = ioread32(sch->regs + CORE_BANK_OFFSET + GTS);
resume_status = ioread32(sch->regs + RESUME_BANK_OFFSET + GTS);
- spin_unlock_irqrestore(&sch->lock, flags);
+ raw_spin_unlock_irqrestore(&sch->lock, flags);
pending = (resume_status << sch->resume_base) | core_status;
for_each_set_bit(offset, &pending, sch->chip.ngpio)
@@ -343,7 +343,7 @@ static int sch_gpio_probe(struct platfor
sch->regs = regs;
- spin_lock_init(&sch->lock);
+ raw_spin_lock_init(&sch->lock);
sch->chip = sch_gpio_chip;
sch->chip.label = dev_name(dev);
sch->chip.parent = dev;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 183/518] HID: logitech-dj: Fix maxfield check in DJ short report validation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 182/518] gpio: sch: " Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 184/518] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE Greg Kroah-Hartman
` (338 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyeongJun An <sammiee5311@gmail.com>
commit 590cc4d782487632a52f37c2171bee1eeea29627 upstream.
Commit b6a57912854e ("HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT
related user initiated OOB write") added validation for the DJ short
output report, but the error path dereferences rep->field[0] even when
rep->maxfield is zero.
Commit 8b9a097eb2fc ("HID: logitech-dj: fix wrong detection of bad
DJ_SHORT output report") made the check conditional on rep being present,
but a crafted descriptor can still create report ID 0x20 with only padding
output items. hid-core registers the report, ignores the padding field,
and leaves rep->maxfield as zero.
In that case the validation enters the rep->maxfield < 1 branch and then
dereferences rep->field[0]->report_count while printing the error message,
causing a NULL pointer dereference during probe. This is reproducible with
uhid by emulating a Logitech receiver with a padding-only DJ short output
report:
BUG: KASAN: null-ptr-deref in logi_dj_probe+0xb1/0x754 [hid_logitech_dj]
Read of size 4 at addr 0000000000000028 by task kworker/4:1/129
...
Call Trace:
logi_dj_probe+0xb1/0x754 [hid_logitech_dj]
hid_device_probe+0x329/0x3f0 [hid]
really_probe+0x162/0x570
__device_attach+0x137/0x2c0
bus_probe_device+0x38/0xc0
device_add+0xa56/0xce0
hid_add_device+0x19c/0x280 [hid]
uhid_device_add_worker+0x2c/0xb0 [uhid]
Reject the zero-field report before printing the field report_count.
Fixes: b6a57912854e ("HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-logitech-dj.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index 381e4dc5aba7..9c574ab8b60b 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -1907,8 +1907,13 @@ static int logi_dj_probe(struct hid_device *hdev,
output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
rep = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
- if (rep && (rep->maxfield < 1 ||
- rep->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1)) {
+ if (rep && rep->maxfield < 1) {
+ hid_err(hdev, "Expected size of DJ short report is %d, but got 0",
+ DJREPORT_SHORT_LENGTH - 1);
+ return -EINVAL;
+ }
+
+ if (rep && rep->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1) {
hid_err(hdev, "Expected size of DJ short report is %d, but got %d",
DJREPORT_SHORT_LENGTH - 1, rep->field[0]->report_count);
return -EINVAL;
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 184/518] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 183/518] HID: logitech-dj: Fix maxfield check in DJ short report validation Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 185/518] io_uring/io-wq: re-check IO_WQ_BIT_EXIT for each linked work item Greg Kroah-Hartman
` (337 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2cd473471e77bda12b0e,
Vasileios Almpanis, Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Almpanis <vasilisalmpanis@gmail.com>
commit 2564ca2e31bd8ee8348362941af2ee4671e487ca upstream.
NOP file-acquisition support choses between a fixed (registered) file and
a normal fget()'d file based on its own IORING_NOP_FIXED_FILE flag in
sqe->nop_flags. However, a request's REQ_F_FIXED_FILE is set
independently from the generic IOSQE_FIXED_FILE sqe flag during request
init, before the issue handler runs.
If a NOP is submitted with IOSQE_FIXED_FILE set (so REQ_F_FIXED_FILE is
set) but without IORING_NOP_FIXED_FILE, io_nop() takes the normal path
and grabs a real reference via io_file_get_normal(). On completion,
io_put_file() only drops the reference when REQ_F_FIXED_FILE is clear,
so the fget()'d file is never released and leaks:
BUG: memory leak
unreferenced object 0xffff88800f42c240 (size 176):
kmem_cache_alloc_noprof+0x358/0x440
alloc_empty_file+0x57/0x180
path_openat+0x44/0x1e50
do_file_open+0x121/0x200
do_sys_openat2+0xa7/0x150
__x64_sys_openat+0x82/0xf0
Decide between fixed and normal file acquisition from REQ_F_FIXED_FILE,
the same way io_assign_file() does for every other opcode, and fold
IORING_NOP_FIXED_FILE into REQ_F_FIXED_FILE at prep time.
Cc: stable@vger.kernel.org
Fixes: a85f31052bce ("io_uring/nop: add support for testing registered files and buffers")
Reported-by: syzbot+2cd473471e77bda12b0e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=879092631b98f73a28ea405adacfa5bb34a14a25
Signed-off-by: Vasileios Almpanis <vasilisalmpanis@gmail.com>
Link: https://patch.msgid.link/20260615144619.482749-1-vasilisalmpanis@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/nop.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/io_uring/nop.c
+++ b/io_uring/nop.c
@@ -41,6 +41,8 @@ int io_nop_prep(struct io_kiocb *req, co
nop->fd = READ_ONCE(sqe->fd);
else
nop->fd = -1;
+ if (nop->flags & IORING_NOP_FIXED_FILE)
+ req->flags |= REQ_F_FIXED_FILE;
if (nop->flags & IORING_NOP_FIXED_BUFFER)
req->buf_index = READ_ONCE(sqe->buf_index);
if (nop->flags & IORING_NOP_CQE32) {
@@ -60,12 +62,10 @@ int io_nop(struct io_kiocb *req, unsigne
int ret = nop->result;
if (nop->flags & IORING_NOP_FILE) {
- if (nop->flags & IORING_NOP_FIXED_FILE) {
+ if (req->flags & REQ_F_FIXED_FILE)
req->file = io_file_get_fixed(req, nop->fd, issue_flags);
- req->flags |= REQ_F_FIXED_FILE;
- } else {
+ else
req->file = io_file_get_normal(req, nop->fd);
- }
if (!req->file) {
ret = -EBADF;
goto done;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 185/518] io_uring/io-wq: re-check IO_WQ_BIT_EXIT for each linked work item
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 184/518] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 186/518] io_uring/rw: preserve partial result for iopoll Greg Kroah-Hartman
` (336 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Runyu Xiao, Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit 29bef9934b2521f787bb15dd1985d4c0d12ae02a upstream.
commit 10dc95939817 ("io_uring/io-wq: check IO_WQ_BIT_EXIT inside work
run loop") fixed the obvious case where io_worker_handle_work() took one
exit-bit snapshot before draining pending work, but the fix stops one
level too early.
io_worker_handle_work() now re-checks IO_WQ_BIT_EXIT in its outer work
run loop, yet it still snapshots that bit once before processing a whole
dependent linked-work chain. If io_wq_exit_start() sets IO_WQ_BIT_EXIT
after the first linked item has started, the remaining linked items can
still reuse stale do_kill = false, skip IO_WQ_WORK_CANCEL, and continue
running after exit has begun.
Move the check further inside, so it covers linked items too. Note: this
is a syzbot special as it loves setting up tons of slow linked work on
weird devices like msr that take forever to read, and immediately close
the ring. Exit then takes a long time.
Fixes: 10dc95939817 ("io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Link: https://patch.msgid.link/20260527172203.2043962-1-runyu.xiao@seu.edu.cn
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -602,7 +602,6 @@ static void io_worker_handle_work(struct
struct io_wq *wq = worker->wq;
do {
- bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
struct io_wq_work *work;
/*
@@ -638,6 +637,7 @@ static void io_worker_handle_work(struct
/* handle a whole dependent link */
do {
+ bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
struct io_wq_work *next_hashed, *linked;
unsigned int work_flags = atomic_read(&work->flags);
unsigned int hash = __io_wq_is_hashed(work_flags)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 186/518] io_uring/rw: preserve partial result for iopoll
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 185/518] io_uring/io-wq: re-check IO_WQ_BIT_EXIT for each linked work item Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 187/518] netpoll: fix a use-after-free on shutdown path Greg Kroah-Hartman
` (335 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Wigham, Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Wigham <michael@wigham.net>
commit c554246ff4c68abf71b61a89c6e39d3cf94f523e upstream.
A partial read will store the completed byte count in io->bytes_done.
The regular completion path applies io_fixup_rw_res() so that, when the
following operation reaches EOF, the number of bytes already read is
returned.
The iopoll completion path does not apply this fixup to the return value
and can return zero instead.
Use the fixup result when updating the CQE, and the raw result for the
reissue check.
Cc: stable@vger.kernel.org
Fixes: 4d9cb92ca41d ("io_uring/rw: fix short rw error handling")
Signed-off-by: Michael Wigham <michael@wigham.net>
Link: https://patch.msgid.link/20260613225240.34032-1-michael@wigham.net
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/rw.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -601,15 +601,15 @@ static void io_complete_rw_iopoll(struct
{
struct io_rw *rw = container_of(kiocb, struct io_rw, kiocb);
struct io_kiocb *req = cmd_to_io_kiocb(rw);
+ int final_res = io_fixup_rw_res(req, res);
if (kiocb->ki_flags & IOCB_WRITE)
io_req_end_write(req);
- if (unlikely(res != req->cqe.res)) {
- if (res == -EAGAIN && io_rw_should_reissue(req))
- req->flags |= REQ_F_REISSUE | REQ_F_BL_NO_RECYCLE;
- else
- req->cqe.res = res;
- }
+
+ if (res == -EAGAIN && io_rw_should_reissue(req))
+ req->flags |= REQ_F_REISSUE | REQ_F_BL_NO_RECYCLE;
+ else if (unlikely(final_res != req->cqe.res))
+ req->cqe.res = final_res;
/* order with io_iopoll_complete() checking ->iopoll_completed */
smp_store_release(&req->iopoll_completed, 1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 187/518] netpoll: fix a use-after-free on shutdown path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 186/518] io_uring/rw: preserve partial result for iopoll Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 188/518] ipv4: igmp: remove multicast group from hash table on device destruction Greg Kroah-Hartman
` (334 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavan Chebbi, Breno Leitao,
Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 45f1458a85017a023f138b22ac5c76abd477db42 upstream.
There is a use-after-free error on netpoll, which is clearly detected by
KASAN.
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3b/0x80
Read of size 1 at addr ... by task kworker/9:1
Workqueue: events queue_process
Call Trace:
skb_dequeue+0x1e/0xb0
queue_process+0x2c/0x600
process_scheduled_works+0x4b6/0x850
worker_thread+0x414/0x5a0
Allocated by task 242:
__netpoll_setup+0x201/0x4a0
netpoll_setup+0x249/0x550
enabled_store+0x32f/0x380
Freed by task 0:
kfree+0x1b7/0x540
rcu_core+0x3f8/0x7a0
The problem happens when there is a pending TX worker running in
parallel with the cleanup path.
This is what happens on netpoll shutdown path:
1) __netpoll_cleanup() is called
2) set dev->npinfo to NULL
3) call_rcu() with rcu_cleanup_netpoll_info()
3.1) rcu_cleanup_netpoll_info() tries to cancel all workers with
cancel_delayed_work(), but doesn't wait for the worker to finish
4) and kfree(npinfo);
Because 3.1) doesn't really cancel the work, as the comment says "we
can't call cancel_delayed_work_sync here, as we are in softirq", the TX
worker can run after 4).
Tl;DR: queue_process() is not an RCU reader, it reaches npinfo through
the work item via container_of().
Use disable_delayed_work_sync() to ensure the worker is completely
stopped and prevent any future re-arming attempts. Once npinfo is set
to NULL, senders will bail out and not queue new work. The disable flag
ensures any in-flight re-arming attempts also fail silently.
In the future, we can do the cleanup inline here without needing the
npinfo->rcu rcu_head, but that is net-next material.
Cc: stable@vger.kernel.org
Fixes: 38e6bc185d95 ("netpoll: make __netpoll_cleanup non-block")
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260625-netpoll_rcu_fix-v2-1-0748ffac1e98@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/netpoll.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -814,14 +814,6 @@ static void rcu_cleanup_netpoll_info(str
container_of(rcu_head, struct netpoll_info, rcu);
skb_queue_purge(&npinfo->txq);
-
- /* we can't call cancel_delayed_work_sync here, as we are in softirq */
- cancel_delayed_work(&npinfo->tx_work);
-
- /* clean after last, unfinished work */
- __skb_queue_purge(&npinfo->txq);
- /* now cancel it again */
- cancel_delayed_work(&npinfo->tx_work);
kfree(npinfo);
}
@@ -845,6 +837,7 @@ static void __netpoll_cleanup(struct net
ops->ndo_netpoll_cleanup(np->dev);
RCU_INIT_POINTER(np->dev->npinfo, NULL);
+ disable_delayed_work_sync(&npinfo->tx_work);
call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 188/518] ipv4: igmp: remove multicast group from hash table on device destruction
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 187/518] netpoll: fix a use-after-free on shutdown path Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 189/518] net: ipv4: bound TCP reordering sysctl writes and MTU probe sizes Greg Kroah-Hartman
` (333 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuyang Huang, Kuniyuki Iwashima,
Ido Schimmel, Paolo Abeni
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuyang Huang <yuyanghuang@google.com>
commit 7993211bde166471dffac074dc965489f86531f8 upstream.
When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
the multicast list and calls ip_ma_put() on each membership, scheduling
them for RCU reclamation. However, they are not unlinked from the device's
multicast hash table (mc_hash).
Since the device remains published in dev->ip_ptr until after
ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
can still locate and access the multicast group after its refcount is
decremented. If the RCU callback runs and frees the group while a reader is
accessing it, a use-after-free occurs.
Fix this by unlinking the multicast group from mc_hash using
ip_mc_hash_remove() before scheduling it for reclamation.
BUG: KASAN: slab-use-after-free in ip_check_mc_rcu+0x149/0x3f0
Read of size 4 at addr ffff888009bf1408 by task mausezahn/2276
Call Trace:
<IRQ>
dump_stack_lvl+0x67/0x90
print_report+0x175/0x7c0
kasan_report+0x147/0x180
ip_check_mc_rcu+0x149/0x3f0
udp_v4_early_demux+0x36d/0x12d0
ip_rcv_finish_core+0xb8b/0x1390
ip_rcv_finish+0x54/0x120
NF_HOOK+0x213/0x2b0
__netif_receive_skb+0x126/0x340
process_backlog+0x4f2/0xf00
__napi_poll+0x92/0x2c0
net_rx_action+0x583/0xc60
handle_softirqs+0x236/0x7f0
do_softirq+0x57/0x80
</IRQ>
Allocated by task 2239:
kasan_save_track+0x3e/0x80
__kasan_kmalloc+0x72/0x90
____ip_mc_inc_group+0x31a/0xa40
__ip_mc_join_group+0x334/0x3f0
do_ip_setsockopt+0x16fa/0x2010
ip_setsockopt+0x3f/0x90
do_sock_setsockopt+0x1ad/0x300
Freed by task 0:
kasan_save_track+0x3e/0x80
kasan_save_free_info+0x40/0x50
__kasan_slab_free+0x3a/0x60
__rcu_free_sheaf_prepare+0xd4/0x220
rcu_free_sheaf+0x36/0x190
rcu_core+0x8d9/0x12f0
handle_softirqs+0x236/0x7f0
Fixes: e9897071350b ("igmp: hash a hash table to speedup ip_check_mc_rcu()")
Cc: stable@vger.kernel.org
Signed-off-by: Yuyang Huang <yuyanghuang@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260701235014.73505-1-yuyanghuang@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/igmp.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1918,6 +1918,7 @@ void ip_mc_destroy_dev(struct in_device
#endif
while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
+ ip_mc_hash_remove(in_dev, i);
in_dev->mc_list = i->next_rcu;
in_dev->mc_count--;
ip_mc_clear_src(i);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 189/518] net: ipv4: bound TCP reordering sysctl writes and MTU probe sizes
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 188/518] ipv4: igmp: remove multicast group from hash table on device destruction Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 190/518] media: nxp: imx8-isi: Fix use-after-free on remove Greg Kroah-Hartman
` (332 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Zhengchuan Liang, Xin Liu,
Eric Dumazet, Wyatt Feng, Ren Wei, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wyatt Feng <bronzed_45_vested@icloud.com>
commit efb8763d7bbb40cff4cc55a6b62c3095a038149c upstream.
Reject invalid `net.ipv4.tcp_reordering` values before they reach TCP
socket state. The sysctl is stored as an `int` but copied into the
`u32` `tp->reordering` field for new sockets, so negative writes wrap
to large values.
With `tcp_mtu_probing=2`, the wrapped value can overflow the
`tcp_mtu_probe()` size calculation and drive the MTU probing path into
an out-of-bounds read. Route `tcp_reordering` writes through
`proc_dointvec_minmax()` and require it to be at least 1. Also require
`tcp_max_reordering` to be at least 1 so the configured maximum cannot
become negative either.
When registering the table for a non-init network namespace, relocate
`extra2` pointers that refer into `init_net.ipv4` so the
`tcp_reordering` upper bound follows that namespace's
`tcp_max_reordering`.
Harden `tcp_mtu_probe()` itself by computing `size_needed` as `u64`.
This keeps the send queue and window checks from being bypassed through
signed integer overflow.
Fixes: 91cc17c0e5e5 ("[TCP]: MTUprobe: receiver window & data available checks fixed")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/1a5b7e1ef4d70fbad8c8ee0b82d8405f3c964a3d.1781395200.git.bronzed_45_vested@icloud.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/sysctl_net_ipv4.c | 10 ++++++++--
net/ipv4/tcp_output.c | 4 ++--
2 files changed, 10 insertions(+), 4 deletions(-)
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1058,7 +1058,9 @@ static struct ctl_table ipv4_net_table[]
.data = &init_net.ipv4.sysctl_tcp_reordering,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ONE,
+ .extra2 = &init_net.ipv4.sysctl_tcp_max_reordering,
},
{
.procname = "tcp_retries1",
@@ -1293,7 +1295,8 @@ static struct ctl_table ipv4_net_table[]
.data = &init_net.ipv4.sysctl_tcp_max_reordering,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ONE,
},
{
.procname = "tcp_dsack",
@@ -1676,6 +1679,9 @@ static __net_init int ipv4_sysctl_init_n
*/
table[i].mode &= ~0222;
}
+ if (table[i].extra2 >= (void *)&init_net.ipv4 &&
+ table[i].extra2 < (void *)(&init_net.ipv4 + 1))
+ table[i].extra2 += (void *)net - (void *)&init_net;
}
}
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2687,7 +2687,7 @@ static int tcp_mtu_probe(struct sock *sk
struct sk_buff *skb, *nskb, *next;
struct net *net = sock_net(sk);
int probe_size;
- int size_needed;
+ u64 size_needed;
int copy, len;
int mss_now;
int interval;
@@ -2711,7 +2711,7 @@ static int tcp_mtu_probe(struct sock *sk
mss_now = tcp_current_mss(sk);
probe_size = tcp_mtu_to_mss(sk, (icsk->icsk_mtup.search_high +
icsk->icsk_mtup.search_low) >> 1);
- size_needed = probe_size + (tp->reordering + 1) * tp->mss_cache;
+ size_needed = probe_size + (tp->reordering + 1) * (u64)tp->mss_cache;
interval = icsk->icsk_mtup.search_high - icsk->icsk_mtup.search_low;
/* When misfortune happens, we are reprobing actively,
* and then reprobe timer has expired. We stick with current
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 190/518] media: nxp: imx8-isi: Fix use-after-free on remove
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 189/518] net: ipv4: bound TCP reordering sysctl writes and MTU probe sizes Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 191/518] mfd: cros_ec: Delay dev_set_drvdata() until probe success Greg Kroah-Hartman
` (331 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaolei Wang, Frank Li,
Laurent Pinchart, Hans Verkuil
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit b670bf89824ede5d07d20bb9bfbafb754846081d upstream.
KASAN reports a slab-use-after-free in __media_entity_remove_link()
during rmmod of imx8_isi:
BUG: KASAN: slab-use-after-free in __media_entity_remove_link+0x608/0x650
Read of size 2 at addr ffff0000d47cb02a by task rmmod/724
Call trace:
__media_entity_remove_link+0x608/0x650
__media_entity_remove_links+0x78/0x144
__media_device_unregister_entity+0x150/0x280
media_device_unregister_entity+0x48/0x68
v4l2_device_unregister_subdev+0x158/0x300
v4l2_async_unbind_subdev_one+0x22c/0x358
v4l2_async_nf_unbind_all_subdevs+0xfc/0x1c0
v4l2_async_nf_unregister+0x5c/0x14c
mxc_isi_remove+0x124/0x2a0 [imx8_isi]
Allocated by task 249:
__kmalloc_noprof+0x27c/0x690
mxc_isi_crossbar_init+0x22c/0x560 [imx8_isi]
Freed by task 724:
kfree+0x1e4/0x5b0
mxc_isi_crossbar_cleanup+0x34/0x80 [imx8_isi]
mxc_isi_remove+0x11c/0x2a0 [imx8_isi]
The problem is that mxc_isi_remove() calls mxc_isi_crossbar_cleanup()
before mxc_isi_v4l2_cleanup(). The crossbar cleanup frees the media
entity pads, but the subsequent v4l2 cleanup still tries to remove
media links that reference those pads.
Fix this by calling mxc_isi_v4l2_cleanup() before
mxc_isi_crossbar_cleanup() to ensure all media entities are properly
unregistered while the pads are still valid.
Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://patch.msgid.link/20260507041318.491594-2-xiaolei.wang@windriver.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c
+++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c
@@ -556,8 +556,8 @@ static void mxc_isi_remove(struct platfo
mxc_isi_pipe_cleanup(pipe);
}
- mxc_isi_crossbar_cleanup(&isi->crossbar);
mxc_isi_v4l2_cleanup(isi);
+ mxc_isi_crossbar_cleanup(&isi->crossbar);
}
static const struct of_device_id mxc_isi_of_match[] = {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 191/518] mfd: cros_ec: Delay dev_set_drvdata() until probe success
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 190/518] media: nxp: imx8-isi: Fix use-after-free on remove Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 192/518] mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show() Greg Kroah-Hartman
` (330 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky, Andrei Kuchynski,
Benson Leung, Lee Jones
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrei Kuchynski <akuchynski@chromium.org>
commit 8b2c1d41bc36c100b38ce5ee6def246c527eaf8a upstream.
If ec_device_probe() fails, cros_ec_class_release releases memory for the
cros_ec_dev structure. However, because the drvdata was already set,
sub-drivers like cros_ec_typec can still retrieve the stale pointer via the
platform device. This leads to a use-after-free when cros_ec_typec attempts
to access &typec->ec->ec->dev on a device that has already been released.
Move dev_set_drvdata() to ensure that the pointer is only made available
once all initialization steps have succeeded.
sysfs: cannot create duplicate filename '/class/chromeos/cros_ec'
Call trace:
sysfs_do_create_link_sd+0x94/0xdc
sysfs_create_link+0x30/0x44
device_add_class_symlinks+0x90/0x13c
device_add+0xf0/0x50c
ec_device_probe+0x150/0x4f0
platform_probe+0xa0/0xe0
...
BUG: KASAN: invalid-access in __memcpy+0x44/0x230
Write at addr f5ffff809e2d33ac by task kworker/u32:5/125
Pointer tag: [f5], memory tag: [fe]
Tainted : [W]=WARN, [O]=OOT_MODULE
Hardware name: Google Navi unprovisioned 0x7FFFFFFF/sku0 board/sku3
Workqueue: events_unbound deferred_probe_work_func
Call trace:
__memcpy+0x44/0x230
cros_ec_check_features+0x60/0xcc [cros_ec_proto]
cros_typec_probe+0xe8/0x6e0 [cros_ec_typec]
platform_probe+0xa0/0xe0
Cc: stable@vger.kernel.org
Fixes: 1c1d152cc5ac ("platform/chrome: cros_ec_dev - utilize new cdev_device_add helper function")
Co-developed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org>
Reviewed-by: Benson Leung <bleung@chromium.org>
Link: https://patch.msgid.link/20260427131721.1165078-1-akuchynski@chromium.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/cros_ec_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/mfd/cros_ec_dev.c
+++ b/drivers/mfd/cros_ec_dev.c
@@ -195,7 +195,6 @@ static int ec_device_probe(struct platfo
if (!ec)
return retval;
- dev_set_drvdata(dev, ec);
ec->ec_dev = dev_get_drvdata(dev->parent);
ec->dev = dev;
ec->cmd_offset = ec_platform->cmd_offset;
@@ -237,6 +236,8 @@ static int ec_device_probe(struct platfo
if (retval)
goto failed;
+ dev_set_drvdata(dev, ec);
+
/* check whether this EC is a sensor hub. */
if (cros_ec_get_sensor_count(ec) > 0) {
retval = mfd_add_hotplug_devices(ec->dev,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 192/518] mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 191/518] mfd: cros_ec: Delay dev_set_drvdata() until probe success Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 193/518] mm: shrinker: fix shrinker_info teardown race with expansion Greg Kroah-Hartman
` (329 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shakeel Butt, Zenghui Yu, Nhat Pham,
SeongJae Park, Qi Zheng, Muchun Song, Roman Gushchin,
Dave Chinner, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shakeel Butt <shakeel.butt@linux.dev>
commit b902890c62d200b3509cb5e09cf1e0a66553c128 upstream.
Reading the debugfs "count" file of a memcg-aware shrinker can sleep
inside an RCU read-side critical section:
BUG: sleeping function called from invalid context at kernel/cgroup/rstat.c:421
RCU nest depth: 1, expected: 0
css_rstat_flush
mem_cgroup_flush_stats
zswap_shrinker_count
shrinker_debugfs_count_show
shrinker_debugfs_count_show() invokes the ->count_objects() callback under
rcu_read_lock(). The zswap callback flushes memcg stats via
css_rstat_flush(), which may sleep, so it must not run under RCU.
The RCU lock is not needed here. mem_cgroup_iter() takes RCU internally
and returns a memcg holding a css reference (dropped on the next iteration
or by mem_cgroup_iter_break()), so the memcg stays alive without it. The
shrinker is kept alive by the open debugfs file: shrinker_free() removes
the debugfs entries via debugfs_remove_recursive(), which waits for
in-flight readers to drain, before call_rcu(..., shrinker_free_rcu_cb).
The sibling "scan" handler already invokes the sleeping ->scan_objects()
callback with no RCU section.
Drop the rcu_read_lock()/rcu_read_unlock().
Link: https://lore.kernel.org/20260610232048.62930-1-shakeel.butt@linux.dev
Fixes: 5035ebc644ae ("mm: shrinkers: introduce debugfs interface for memory shrinkers")
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Reported-by: Zenghui Yu <zenghui.yu@linux.dev>
Closes: https://lore.kernel.org/all/c052a064-cddb-494f-a0d8-f8a10b4b1c4d@linux.dev/
Suggested-by: Nhat Pham <nphamcs@gmail.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Qi Zheng <qi.zheng@linux.dev>
Tested-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
Reviewed-by: Nhat Pham <nphamcs@gmail.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Dave Chinner <david@fromorbit.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/shrinker_debug.c | 4 ----
1 file changed, 4 deletions(-)
--- a/mm/shrinker_debug.c
+++ b/mm/shrinker_debug.c
@@ -57,8 +57,6 @@ static int shrinker_debugfs_count_show(s
if (!count_per_node)
return -ENOMEM;
- rcu_read_lock();
-
memcg_aware = shrinker->flags & SHRINKER_MEMCG_AWARE;
memcg = mem_cgroup_iter(NULL, NULL, NULL);
@@ -88,8 +86,6 @@ static int shrinker_debugfs_count_show(s
}
} while ((memcg = mem_cgroup_iter(NULL, memcg, NULL)) != NULL);
- rcu_read_unlock();
-
kfree(count_per_node);
return ret;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 193/518] mm: shrinker: fix shrinker_info teardown race with expansion
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 192/518] mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 194/518] mm: shrinker: fix NULL pointer dereference in debugfs Greg Kroah-Hartman
` (328 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qi Zheng, Muchun Song, Dave Chinner,
Roman Gushchin, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qi Zheng <zhengqi.arch@bytedance.com>
commit 65476d31d8056e859c48580f82295ce159196ffe upstream.
expand_shrinker_info() iterates all visible memcgs under shrinker_mutex,
including memcgs that have not finished ->css_online() yet.
Once pn->shrinker_info has been published, teardown must stay serialized
with expand_shrinker_info() until that memcg is either fully online or no
longer visible to iteration. Today alloc_shrinker_info() breaks that rule
by dropping shrinker_mutex before freeing a partially initialized
shrinker_info array, which may cause the following race:
CPU0 CPU1
==== ====
css_create
--> list_add_tail_rcu(&css->sibling, &parent_css->children);
online_css
--> mem_cgroup_css_online
--> alloc_shrinker_info
--> alloc node0 info
rcu_assign_pointer(C->node0->shrinker_info, old0)
alloc node1 info -> FAIL -> goto err
mutex_unlock(shrinker_mutex)
shrinker_alloc()
--> shrinker_memcg_alloc
--> mutex_lock(shrinker_mutex)
expand_shrinker_info
--> mem_cgroup_iter see the memcg
expand_one_shrinker_info
--> old0 = C->node0->shrinker_info
memcpy(new->unit, old0->unit, ...);
free_shrinker_info
--> kvfree(old0);
/* double free !! */
kvfree_rcu(old0, rcu);
The same problem exists later in mem_cgroup_css_online(). If
alloc_shrinker_info() succeeds but a subsequent objcg allocation fails,
the free_objcg -> free_shrinker_info() unwind path tears down the already
published pn->shrinker_info arrays without shrinker_mutex. The
expand_one_shrinker_info() can race with that teardown in the same way,
leading to use-after-free or double-free of the old shrinker_info.
Fix this by serializing shrinker_info teardown with shrinker_mutex, and by
keeping alloc_shrinker_info() error cleanup inside the locked section.
Link: https://lore.kernel.org/20260617085658.27096-1-qi.zheng@linux.dev
Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/shrinker.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/mm/shrinker.c
+++ b/mm/shrinker.c
@@ -59,12 +59,14 @@ static inline int shrinker_unit_alloc(st
return 0;
}
-void free_shrinker_info(struct mem_cgroup *memcg)
+static void __free_shrinker_info(struct mem_cgroup *memcg)
{
struct mem_cgroup_per_node *pn;
struct shrinker_info *info;
int nid;
+ lockdep_assert_held(&shrinker_mutex);
+
for_each_node(nid) {
pn = memcg->nodeinfo[nid];
info = rcu_dereference_protected(pn->shrinker_info, true);
@@ -74,6 +76,13 @@ void free_shrinker_info(struct mem_cgrou
}
}
+void free_shrinker_info(struct mem_cgroup *memcg)
+{
+ mutex_lock(&shrinker_mutex);
+ __free_shrinker_info(memcg);
+ mutex_unlock(&shrinker_mutex);
+}
+
int alloc_shrinker_info(struct mem_cgroup *memcg)
{
int nid, ret = 0;
@@ -98,8 +107,8 @@ int alloc_shrinker_info(struct mem_cgrou
return ret;
err:
+ __free_shrinker_info(memcg);
mutex_unlock(&shrinker_mutex);
- free_shrinker_info(memcg);
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 194/518] mm: shrinker: fix NULL pointer dereference in debugfs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 193/518] mm: shrinker: fix shrinker_info teardown race with expansion Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 195/518] mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host Greg Kroah-Hartman
` (327 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qi Zheng, Muchun Song, Dave Chinner,
Roman Gushchin, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qi Zheng <zhengqi.arch@bytedance.com>
commit e30453c61e185e914fde83c650e268067b140218 upstream.
shrinker_debugfs_add() creates both "count" and "scan" debugfs files
unconditionally.
That assumes every shrinker implements both count_objects() and
scan_objects(), which is not guaranteed. For example, the xen-backend
shrinker sets count_objects() but leaves scan_objects() NULL, so writing
to its scan file calls through a NULL function pointer and panics the
kernel:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
Call Trace:
<TASK>
shrinker_debugfs_scan_write+0x12e/0x270
full_proxy_write+0x5f/0x90
vfs_write+0xde/0x420
? filp_flush+0x75/0x90
? filp_close+0x1d/0x30
? do_dup2+0xb8/0x120
ksys_write+0x68/0xf0
? filp_flush+0x75/0x90
do_syscall_64+0xb3/0x5b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The count path has the same issue in principle if a shrinker omits
count_objects().
To fix it, only create "count" and "scan" debugfs files when the
corresponding callbacks are present.
Link: https://lore.kernel.org/20260617090052.27325-1-qi.zheng@linux.dev
Fixes: bbf535fd6f06 ("mm: shrinkers: add scan interface for shrinker debugfs")
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/shrinker_debug.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/mm/shrinker_debug.c
+++ b/mm/shrinker_debug.c
@@ -183,10 +183,12 @@ int shrinker_debugfs_add(struct shrinker
}
shrinker->debugfs_entry = entry;
- debugfs_create_file("count", 0440, entry, shrinker,
- &shrinker_debugfs_count_fops);
- debugfs_create_file("scan", 0220, entry, shrinker,
- &shrinker_debugfs_scan_fops);
+ if (shrinker->count_objects)
+ debugfs_create_file("count", 0440, entry, shrinker,
+ &shrinker_debugfs_count_fops);
+ if (shrinker->scan_objects)
+ debugfs_create_file("scan", 0220, entry, shrinker,
+ &shrinker_debugfs_scan_fops);
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 195/518] mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 194/518] mm: shrinker: fix NULL pointer dereference in debugfs Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 196/518] mm/swap: add cond_resched() in swap_reclaim_full_clusters to prevent softlockup Greg Kroah-Hartman
` (326 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Fernandez (Anthropic),
syzbot+e12bd9ca48157add237a, Barry Song, David Hildenbrand,
Hugh Dickins, Johannes Weiner, Kairui Song, Michal Hocko,
Muchun Song, Roman Gushchin, Shakeel Butt, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Fernandez (Anthropic) <jose.fernandez@linux.dev>
commit 63b02a9409cb5180398491b093e48bcb5315f5fb upstream.
lookup_swap_cgroup_id() passes swap_cgroup_ctrl[type].map to
__swap_cgroup_id_lookup() without checking that the type was ever
registered via swap_cgroup_swapon(). On a swapless host every ctrl->map
is NULL, so __swap_cgroup_id_lookup() dereferences NULL + a scaled
swp_offset().
Since commit bea67dcc5eea ("mm: attempt to batch free swap entries for
zap_pte_range()"), zap_pte_range() -> swap_pte_batch() calls
lookup_swap_cgroup_id() on any non-present, non-none PTE that decodes as a
real swap entry, without first validating it against swap_info[]. A
single PTE corrupted into a type-0 swap entry takes the host down at
process exit.
We hit this in production on a swapless 6.12.58 host: ~1s of
"get_swap_device: Bad swap file entry 3f800204222bb" (do_swap_page() being
correctly defensive about the same entry) followed by
BUG: unable to handle page fault for address: 000003f800204220
RIP: 0010:lookup_swap_cgroup_id+0x2b/0x60
Call Trace:
swap_pte_batch+0xbf/0x230
zap_pte_range+0x4c8/0x780
unmap_page_range+0x190/0x3e0
exit_mmap+0xd9/0x3c0
do_exit+0x20c/0x4b0
syzbot has reported the identical stack.
The source of the PTE corruption is a separate bug; this change makes the
teardown path as robust as the fault path already is. Every other caller
of lookup_swap_cgroup_id() is downstream of a get_swap_device() that has
already validated the entry, so the new branch is cold.
Link: https://lore.kernel.org/20260504-swap-cgroup-fix-7-0-v1-1-f53ff41ee553@linux.dev
Fixes: bea67dcc5eea ("mm: attempt to batch free swap entries for zap_pte_range()")
Signed-off-by: Jose Fernandez (Anthropic) <jose.fernandez@linux.dev>
Reported-by: syzbot+e12bd9ca48157add237a@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/69859728.050a0220.3b3015.0033.GAE@google.com
Assisted-by: Claude:unspecified
Cc: Barry Song <baohua@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/swap_cgroup.c | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/swap_cgroup.c
+++ b/mm/swap_cgroup.c
@@ -124,6 +124,8 @@ unsigned short lookup_swap_cgroup_id(swp
return 0;
ctrl = &swap_cgroup_ctrl[swp_type(ent)];
+ if (unlikely(!ctrl->map))
+ return 0;
return __swap_cgroup_id_lookup(ctrl->map, swp_offset(ent));
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 196/518] mm/swap: add cond_resched() in swap_reclaim_full_clusters to prevent softlockup
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 195/518] mm: swap_cgroup: fix NULL deref in lookup_swap_cgroup_id on swapless host Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 197/518] netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump Greg Kroah-Hartman
` (325 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijiang Huang, Kairui Song, Hao Peng,
albinwyang, Baoquan He, Chris Li, Barry Song, Kemeng Shi,
Nhat Pham, Youngjun Park, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijiang Huang <huangzjsmile@gmail.com>
commit 66366d291f666ddeda5f8c84f253e308de3e6b55 upstream.
We hit a real softlockup in an internal stress test environment. The
workload was LTP memory/swap stress on a large arm64 machine, with 320
CPUs, about 1TB memory and an 8.6GB swap device. The system was under
heavy load and the swap device had a large number of full clusters. The
softlockup was triggered during a stress test after about 3 days.
So, add periodic cond_resched() calls during large full_clusters
reclaim operations to prevent softlockup issues.
Detailed call trace as follow:
PID: 3817773 TASK: ffff0883bb28b780 CPU: 48 COMMAND: "kworker/48:7"
#0 [ffff800080183d10] __crash_kexec at ffffa4c1361e5de4
#1 [ffff800080183d90] panic at ffffa4c1360d5e9c
#2 [ffff800080183e20] watchdog_timer_fn at ffffa4c136231fa8
...
#16 [ffff8000c4ad3cb0] swap_cache_del_folio at ffffa4c1363e1614
#17 [ffff8000c4ad3ce0] __try_to_reclaim_swap at ffffa4c1363e4bfc
#18 [ffff8000c4ad3d40] swap_reclaim_full_clusters at ffffa4c1363e5474
#19 [ffff8000c4ad3da0] swap_reclaim_work at ffffa4c1363e550c
#20 [ffff8000c4ad3dc0] process_one_work at ffffa4c136102edc
#21 [ffff8000c4ad3e10] worker_thread at ffffa4c136103398
#22 [ffff8000c4ad3e70] kthread at ffffa4c13610d95c
Link: https://lore.kernel.org/20260506130919.2298807-1-kerayhuang@tencent.com
Fixes: 5168a68eb78f ("mm, swap: avoid over reclaim of full clusters")
Signed-off-by: Zijiang Huang <kerayhuang@tencent.com>
Reviewed-by: Kairui Song <kasong@tencent.com>
Reviewed-by: Hao Peng <flyingpeng@tencent.com>
Reviewed-by: albinwyang <albinwyang@tencent.com>
Reviewed-by: Baoquan He <baoquan.he@linux.dev>
Acked-by: Chris Li <chrisl@kernel.org>
Cc: Barry Song <baohua@kernel.org>
Cc: Kairui Song <kasong@tencent.com>
Cc: Kemeng Shi <shikemeng@huaweicloud.com>
Cc: Nhat Pham <nphamcs@gmail.com>
Cc: Youngjun Park <youngjun.park@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/swapfile.c | 1 +
1 file changed, 1 insertion(+)
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1054,6 +1054,7 @@ static void swap_reclaim_full_clusters(s
swap_cluster_unlock(ci);
if (to_scan <= 0)
break;
+ cond_resched();
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 197/518] netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 196/518] mm/swap: add cond_resched() in swap_reclaim_full_clusters to prevent softlockup Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 198/518] netfilter: handle unreadable frags Greg Kroah-Hartman
` (324 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pratham Gupta, Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratham Gupta <pratham36gupta@gmail.com>
commit a7f57320bbbc67e347bf5fff4b4a9bab980d5956 upstream.
Commit 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
introduced exp->net so RCU-only expectation paths no longer need to
dereference exp->master for netns lookups.
Commit 3db5647984de ("netfilter: nf_conntrack_expect: skip expectations in other netns via proc")
updated the proc path accordingly, but ctnetlink_exp_dump_table() still
compares against nf_ct_net(exp->master).
Use nf_ct_exp_net(exp) here as well so the netlink dump path matches
the rest of the March 2026 expectation netns/RCU cleanup.
Fixes: 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
Cc: stable@vger.kernel.org
Signed-off-by: Pratham Gupta <pratham36gupta@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_conntrack_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3173,7 +3173,7 @@ restart:
if (l3proto && exp->tuple.src.l3num != l3proto)
continue;
- if (!net_eq(nf_ct_net(exp->master), net))
+ if (!net_eq(nf_ct_exp_net(exp), net))
continue;
if (cb->args[1]) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 198/518] netfilter: handle unreadable frags
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 197/518] netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 199/518] netfilter: ebtables: zero chainstack array Greg Kroah-Hartman
` (323 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mina Almasry, Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit da5b58478a9c1b85608c9e40a3b8432d071b409e upstream.
sashiko reports:
When an skb with unreadable fragments (such as from devmem TCP, where
skb_frags_readable(skb) returns false) is processed by the u32 module,
skb_copy_bits() will safely return a negative error code [..]
xt_u32: bail out with hotdrop in this case.
gather_frags: return -1, just as if we had no fragment header.
nfnetlink_queue: restrict to the linear part.
nfnetlink_log: restrict to the linear part.
v2:
- skb_zerocopy helpers don't copy readable flag, i.e. nfnetlink_queue
is broken too
xt_u32 shouldn't return true if hotdrop was set.
Fixes: 65249feb6b3d ("net: add support for skbs with unreadable frags")
Cc: stable@vger.kernel.org
Acked-by: Mina Almasry <almasrymina@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
net/netfilter/nfnetlink_log.c | 26 +++++++++++++++++---------
net/netfilter/nfnetlink_queue.c | 16 ++++++++++++----
net/netfilter/xt_u32.c | 16 +++++++++++-----
4 files changed, 41 insertions(+), 19 deletions(-)
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -418,7 +418,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *
return -1;
}
if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
- BUG();
+ return -1;
if (nexthdr == NEXTHDR_AUTH)
hdrlen = ipv6_authlen(&hdr);
else
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -676,7 +676,7 @@ __build_packet_message(struct nfnl_log_n
goto nla_put_failure;
if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
- BUG();
+ goto nla_put_failure;
}
nlh->nlmsg_len = inst->skb->tail - old_tail;
@@ -698,6 +698,21 @@ static const struct nf_loginfo default_l
},
};
+static unsigned int nfulnl_get_copy_len(const struct nf_loginfo *li,
+ const struct sk_buff *skb,
+ unsigned int copy_len)
+{
+ unsigned int len = skb->len;
+
+ if ((li->u.ulog.flags & NF_LOG_F_COPY_LEN) &&
+ li->u.ulog.copy_len < copy_len)
+ copy_len = li->u.ulog.copy_len;
+ if (!skb_frags_readable(skb))
+ len = skb_headlen(skb);
+
+ return min(len, copy_len);
+}
+
/* log handler for internal netfilter logging api */
static void
nfulnl_log_packet(struct net *net,
@@ -790,14 +805,7 @@ nfulnl_log_packet(struct net *net,
break;
case NFULNL_COPY_PACKET:
- data_len = inst->copy_range;
- if ((li->u.ulog.flags & NF_LOG_F_COPY_LEN) &&
- (li->u.ulog.copy_len < data_len))
- data_len = li->u.ulog.copy_len;
-
- if (data_len > skb->len)
- data_len = skb->len;
-
+ data_len = nfulnl_get_copy_len(li, skb, inst->copy_range);
size += nla_total_size(data_len);
break;
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -690,6 +690,17 @@ static int nfqnl_put_master_ifindex(stru
}
#endif
+static unsigned int nfqnl_get_data_len(const struct sk_buff *entskb,
+ unsigned int copy_range)
+{
+ unsigned int data_len = entskb->len;
+
+ if (!skb_frags_readable(entskb))
+ data_len = skb_headlen(entskb);
+
+ return min(data_len, copy_range);
+}
+
static struct sk_buff *
nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
struct nf_queue_entry *entry,
@@ -755,10 +766,7 @@ nfqnl_build_packet_message(struct net *n
nf_queue_checksum_help(entskb))
return NULL;
- data_len = READ_ONCE(queue->copy_range);
- if (data_len > entskb->len)
- data_len = entskb->len;
-
+ data_len = nfqnl_get_data_len(entskb, READ_ONCE(queue->copy_range));
hlen = skb_zerocopy_headlen(entskb);
hlen = min_t(unsigned int, hlen, data_len);
size += sizeof(struct nlattr) + hlen;
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -14,8 +14,8 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_u32.h>
-static bool u32_match_it(const struct xt_u32 *data,
- const struct sk_buff *skb)
+static int u32_match_it(const struct xt_u32 *data,
+ const struct sk_buff *skb)
{
const struct xt_u32_test *ct;
unsigned int testind;
@@ -40,7 +40,8 @@ static bool u32_match_it(const struct xt
return false;
if (skb_copy_bits(skb, pos, &n, sizeof(n)) < 0)
- BUG();
+ return -1;
+
val = ntohl(n);
nnums = ct->nnums;
@@ -68,7 +69,7 @@ static bool u32_match_it(const struct xt
if (skb_copy_bits(skb, at + pos, &n,
sizeof(n)) < 0)
- BUG();
+ return -1;
val = ntohl(n);
break;
}
@@ -90,9 +91,14 @@ static bool u32_match_it(const struct xt
static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_u32 *data = par->matchinfo;
- bool ret;
+ int ret;
ret = u32_match_it(data, skb);
+ if (ret < 0) {
+ par->hotdrop = true;
+ return false;
+ }
+
return ret ^ data->invert;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 199/518] netfilter: ebtables: zero chainstack array
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 198/518] netfilter: handle unreadable frags Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 200/518] netfilter: ebtables: module names must be null-terminated Greg Kroah-Hartman
` (322 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit cbfe53599eebffd188938ab6774cc41794f6f9d5 upstream.
sashiko reports:
looking at ebtables table
translation, could a sparse cpu_possible_mask lead to an uninitialized pointer
free?
If cpu_possible_mask is sparse (for example, CPU 0 and CPU 2 are possible,
but CPU 1 is not), the allocation loop skips CPU 1. If vmalloc_node() fails at
CPU 2, the cleanup loop will blindly decrement and call vfree() on
newinfo->chainstack[1].
Not a real-world bug, such allocation isn't expected to fail
in the first place.
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/netfilter/ebtables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -921,8 +921,7 @@ static int translate_table(struct net *n
* if an error occurs
*/
newinfo->chainstack =
- vmalloc_array(nr_cpu_ids,
- sizeof(*(newinfo->chainstack)));
+ vcalloc(nr_cpu_ids, sizeof(*(newinfo->chainstack)));
if (!newinfo->chainstack)
return -ENOMEM;
for_each_possible_cpu(i) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 200/518] netfilter: ebtables: module names must be null-terminated
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 199/518] netfilter: ebtables: zero chainstack array Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 201/518] netfilter: ebtables: terminate table name before find_table_lock() Greg Kroah-Hartman
` (321 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit 084d23f818321390509e9738a0b08bbf46df6425 upstream.
We need to explicitly check the length, else we may pass non-null
terminated string to request_module().
Cc: stable@vger.kernel.org
Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/netfilter/ebtables.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -403,6 +403,9 @@ ebt_check_match(struct ebt_entry_match *
left - sizeof(struct ebt_entry_match) < m->match_size)
return -EINVAL;
+ if (strnlen(m->u.name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+ return -EINVAL;
+
match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
if (!IS_ERR(match))
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 201/518] netfilter: ebtables: terminate table name before find_table_lock()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 200/518] netfilter: ebtables: module names must be null-terminated Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 202/518] netfilter: flowtable: fix offloaded ct timeout never being extended Greg Kroah-Hartman
` (320 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
commit a622d2e9608c9dff47fc2e5759ac7aa3a836b45d upstream.
update_counters() and compat_update_counters() forward a user-supplied
32-byte table name to find_table_lock() without NUL-terminating it. On a
lookup miss, find_inlist_lock() calls try_then_request_module(..., "%s%s",
"ebtable_", name), and vsnprintf() reads past the name field and the
stack object until it hits a zero byte.
BUG: KASAN: stack-out-of-bounds in string (lib/vsprintf.c:648 lib/vsprintf.c:730)
Read of size 1 at addr ffff8880119dfb20 by task exploit/147
Call Trace:
...
string (lib/vsprintf.c:648 lib/vsprintf.c:730)
vsnprintf (lib/vsprintf.c:2945)
__request_module (kernel/module/kmod.c:150)
do_update_counters.isra.0 (net/bridge/netfilter/ebtables.c:371 net/bridge/netfilter/ebtables.c:380)
update_counters (net/bridge/netfilter/ebtables.c:1440)
do_ebt_set_ctl (net/bridge/netfilter/ebtables.c:2573)
nf_setsockopt (net/netfilter/nf_sockopt.c:101)
ip_setsockopt (net/ipv4/ip_sockglue.c:1424)
raw_setsockopt (net/ipv4/raw.c:847)
__sys_setsockopt (net/socket.c:2393)
...
compat_do_replace() shares the same unterminated name via
compat_copy_ebt_replace_from_user(); terminate it there too so all
find_table_lock() callers behave alike. The other callers already
terminate the name after the copy.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Cc: stable@vger.kernel.org
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/netfilter/ebtables.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1436,6 +1436,8 @@ static int update_counters(struct net *n
if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
return -EFAULT;
+ hlp.name[sizeof(hlp.name) - 1] = '\0';
+
if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
return -EINVAL;
@@ -2275,6 +2277,8 @@ static int compat_copy_ebt_replace_from_
memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
+ repl->name[sizeof(repl->name) - 1] = '\0';
+
/* starting with hook_entry, 32 vs. 64 bit structures are different */
for (i = 0; i < NF_BR_NUMHOOKS; i++)
repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
@@ -2397,6 +2401,8 @@ static int compat_update_counters(struct
if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
return -EFAULT;
+ hlp.name[sizeof(hlp.name) - 1] = '\0';
+
/* try real handler in case userland supplied needed padding */
if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
return update_counters(net, arg, len);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 202/518] netfilter: flowtable: fix offloaded ct timeout never being extended
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 201/518] netfilter: ebtables: terminate table name before find_table_lock() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 203/518] netfilter: flowtable: IPIP tunnel hardware offload is not yet support Greg Kroah-Hartman
` (319 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Adrian Bente,
Pablo Neira Ayuso
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Bente <adibente@gmail.com>
commit 53b3e60edb674b442b2b3bbdba484667b0f47a5d upstream.
OpenWrt has recently migrated many platforms to kernel 6.18. On the
MediaTek platform, which supports hardware network offloading, WiFi
connections accelerated via the WED path were observed to drop after
roughly 300 seconds.
After several debugging sessions, assisted by the Claude LLM, the
problem was narrowed down as follows:
nf_flow_table_extend_ct_timeout() extends ct->timeout for offloaded
flows using:
cmpxchg(&ct->timeout, expires, new_timeout);
'expires' comes from nf_ct_expires(ct) and is a relative value, while
ct->timeout holds an absolute timestamp. The two are never equal, so
the cmpxchg always fails and the timeout is never extended.
This goes unnoticed for most flows, but a long-lived hardware (WED)
offloaded flow on MediaTek MT7986 eventually has ct->timeout decay to
zero, the conntrack entry is reaped and the connection breaks.
Open-code the relative value from a single READ_ONCE(ct->timeout)
snapshot and compare against that same absolute snapshot in the
cmpxchg, so the timeout extension actually takes effect while the
datapath remains authoritative if it updates ct->timeout concurrently.
Fixes: 03428ca5cee9 ("netfilter: conntrack: rework offload nf_conn timeout extension logic")
Cc: stable@vger.kernel.org
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Adrian Bente <adibente@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_flow_table_core.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -505,8 +505,13 @@ static u32 nf_flow_table_tcp_timeout(con
*/
static void nf_flow_table_extend_ct_timeout(struct nf_conn *ct)
{
- static const u32 min_timeout = 5 * 60 * HZ;
- u32 expires = nf_ct_expires(ct);
+ static const s32 min_timeout = 5 * 60 * HZ;
+ u32 ct_timeout = READ_ONCE(ct->timeout);
+ s32 expires;
+
+ expires = ct_timeout - nfct_time_stamp;
+ if (expires <= 0) /* already expired */
+ return;
/* normal case: large enough timeout, nothing to do. */
if (likely(expires >= min_timeout))
@@ -524,7 +529,7 @@ static void nf_flow_table_extend_ct_time
if (nf_ct_is_confirmed(ct) &&
test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
u8 l4proto = nf_ct_protonum(ct);
- u32 new_timeout = true;
+ u32 new_timeout = 1;
switch (l4proto) {
case IPPROTO_UDP:
@@ -549,7 +554,7 @@ static void nf_flow_table_extend_ct_time
*/
if (new_timeout) {
new_timeout += nfct_time_stamp;
- cmpxchg(&ct->timeout, expires, new_timeout);
+ cmpxchg(&ct->timeout, ct_timeout, new_timeout);
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 203/518] netfilter: flowtable: IPIP tunnel hardware offload is not yet support
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 202/518] netfilter: flowtable: fix offloaded ct timeout never being extended Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 204/518] Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work() Greg Kroah-Hartman
` (318 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Xin Liu, Zhengyang Chen,
Pablo Neira Ayuso, Lorenzo Bianconi, Florian Westphal
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 6c5dcab95f4cd42a1648739ec9300fbb4b1a021f upstream.
No driver supports for IPIP tunnels yet, give up early on setting up the
hardware offload for this scenario.
This patch adds a stub that can be enhanced to add more configuration
that are currently not supported. As of now, the offload work is
enqueued to the worker, then ignored if the hardware offload
configuration is not supported.
Check the NF_FLOW_HW flag to know if this entry was already tried once
to be offloaded so this is not retried on refresh when unsupported. Move
NF_FLOW_HW flag check to nf_flow_offload_add(). If this NF_FLOW_HW flag
is unset the _del and _stats variants are never called.
This can be updated later on to skip hardware offload work to be queued
in case hardware offload does not support it.
Fixes: d98103575dcd ("netfilter: flowtable: Add IP6IP6 rx sw acceleration")
Fixes: ab427db17885 ("netfilter: flowtable: Add IPIP rx sw acceleration")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: Zhengyang Chen <chzhengyang2023@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netfilter/nf_flow_table.h | 2 ++
net/netfilter/nf_flow_table_core.c | 7 +++----
net/netfilter/nf_flow_table_offload.c | 22 ++++++++++++++++++++--
3 files changed, 25 insertions(+), 6 deletions(-)
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -357,6 +357,8 @@ static inline int nf_flow_register_bpf(v
void nf_flow_offload_add(struct nf_flowtable *flowtable,
struct flow_offload *flow);
+void nf_flow_offload_refresh(struct nf_flowtable *flowtable,
+ struct flow_offload *flow);
void nf_flow_offload_del(struct nf_flowtable *flowtable,
struct flow_offload *flow);
void nf_flow_offload_stats(struct nf_flowtable *flowtable,
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -345,10 +345,8 @@ int flow_offload_add(struct nf_flowtable
nf_ct_refresh(flow->ct, NF_CT_DAY);
- if (nf_flowtable_hw_offload(flow_table)) {
- __set_bit(NF_FLOW_HW, &flow->flags);
+ if (nf_flowtable_hw_offload(flow_table))
nf_flow_offload_add(flow_table, flow);
- }
return 0;
}
@@ -369,7 +367,8 @@ void flow_offload_refresh(struct nf_flow
test_bit(NF_FLOW_CLOSING, &flow->flags))
return;
- nf_flow_offload_add(flow_table, flow);
+ if (test_bit(NF_FLOW_HW, &flow->flags))
+ nf_flow_offload_refresh(flow_table, flow);
}
EXPORT_SYMBOL_GPL(flow_offload_refresh);
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -1101,9 +1101,17 @@ nf_flow_offload_work_alloc(struct nf_flo
return offload;
}
+static bool nf_flow_offload_unsupported(struct flow_offload *flow)
+{
+ if (flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.tun_num ||
+ flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.tun_num)
+ return true;
-void nf_flow_offload_add(struct nf_flowtable *flowtable,
- struct flow_offload *flow)
+ return false;
+}
+
+void nf_flow_offload_refresh(struct nf_flowtable *flowtable,
+ struct flow_offload *flow)
{
struct flow_offload_work *offload;
@@ -1114,6 +1122,16 @@ void nf_flow_offload_add(struct nf_flowt
flow_offload_queue_work(offload);
}
+void nf_flow_offload_add(struct nf_flowtable *flowtable,
+ struct flow_offload *flow)
+{
+ if (nf_flow_offload_unsupported(flow))
+ return;
+
+ set_bit(NF_FLOW_HW, &flow->flags);
+ nf_flow_offload_refresh(flowtable, flow);
+}
+
void nf_flow_offload_del(struct nf_flowtable *flowtable,
struct flow_offload *flow)
{
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 204/518] Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 203/518] netfilter: flowtable: IPIP tunnel hardware offload is not yet support Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 205/518] Bluetooth: bnep: pin L2CAP connection during netdev registration Greg Kroah-Hartman
` (317 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky, Sean Wang,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Senozhatsky <senozhatsky@chromium.org>
commit a257407e2bbbb099ed427719a50563f67fa366d8 upstream.
Every once in a while we see a hung btmtksdio_flush() task:
INFO: task kworker/u17:0:189 blocked for more than 122 seconds.
__cancel_work_timer+0x3f4/0x460
cancel_work_sync+0x1c/0x2c
btmtksdio_flush+0x2c/0x40
hci_dev_open_sync+0x10c4/0x2190
[..]
It all boils down to incorrect time_is_before_jiffies() usage in
btmtksdio_txrx_work(). The btmtksdio_txrx_work() loop is expected
to be terminated if running for longer than 5*HZ. However the
timeout check is twisted: time_is_before_jiffies(old_jiffies + 5*HZ)
evaluates to true when old_jiffies + 5*HZ is in the past i.e. when a
timeout has occurred. Using OR with time_is_before_jiffies(txrx_timeout)
means that:
- before the 5-second timeout: the condition is `int_status || false`,
so it loops as long as there are pending interrupts.
- after the 5-second timeout: the condition becomes `int_status || true`,
which is always true.
When the loop becomes infinite btmtksdio_txrx_work() loop never
terminates and never releases the SDIO host.
Fix loop termination condition to actually enforce a 5*HZ timeout.
Fixes: 26270bc189ea4 ("Bluetooth: btmtksdio: move interrupt service to work")
Cc: stable@vger.kernel.org
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btmtksdio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/bluetooth/btmtksdio.c
+++ b/drivers/bluetooth/btmtksdio.c
@@ -620,7 +620,7 @@ static void btmtksdio_txrx_work(struct w
if (btmtksdio_rx_packet(bdev, rx_size) < 0)
bdev->hdev->stat.err_rx++;
}
- } while (int_status || time_is_before_jiffies(txrx_timeout));
+ } while (int_status && time_is_after_jiffies(txrx_timeout));
/* Enable interrupt */
if (bdev->func->irq_handler)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 205/518] Bluetooth: bnep: pin L2CAP connection during netdev registration
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 204/518] Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 206/518] Bluetooth: btnxpuart: Fix out-of-bounds firmware read in nxp_recv_fw_req_v3() Greg Kroah-Hartman
` (316 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fed5dce4553262f3b35c,
Yousef Alhouseen, Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yousef Alhouseen <alhouseenyousef@gmail.com>
commit bb067a99a0356196c0b89a95721985485ebce5a5 upstream.
bnep_add_connection() reads the L2CAP connection without holding the
channel lock, then passes its HCI device to register_netdev(). Controller
teardown can clear and release that connection concurrently, leaving the
network device registration path to dereference a freed parent device.
Take a reference to the L2CAP connection while holding the channel lock.
Retain it until register_netdev() has taken the parent device reference.
Fixes: 65f53e9802db ("Bluetooth: Access BNEP session addresses through L2CAP channel")
Reported-by: syzbot+fed5dce4553262f3b35c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fed5dce4553262f3b35c
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/bnep/core.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -562,14 +562,18 @@ static int bnep_session(void *arg)
return 0;
}
-static struct device *bnep_get_device(struct bnep_session *session)
+static struct l2cap_conn *bnep_get_conn(struct bnep_session *session)
{
- struct l2cap_conn *conn = l2cap_pi(session->sock->sk)->chan->conn;
+ struct l2cap_chan *chan = l2cap_pi(session->sock->sk)->chan;
+ struct l2cap_conn *conn;
- if (!conn || !conn->hcon)
- return NULL;
+ l2cap_chan_lock(chan);
+ conn = chan->conn;
+ if (conn)
+ l2cap_conn_get(conn);
+ l2cap_chan_unlock(chan);
- return &conn->hcon->dev;
+ return conn;
}
static const struct device_type bnep_type = {
@@ -581,6 +585,7 @@ int bnep_add_connection(struct bnep_conn
u32 valid_flags = BIT(BNEP_SETUP_RESPONSE);
struct net_device *dev;
struct bnep_session *s, *ss;
+ struct l2cap_conn *conn = NULL;
u8 dst[ETH_ALEN], src[ETH_ALEN];
int err;
@@ -640,10 +645,18 @@ int bnep_add_connection(struct bnep_conn
bnep_set_default_proto_filter(s);
#endif
- SET_NETDEV_DEV(dev, bnep_get_device(s));
+ conn = bnep_get_conn(s);
+ if (!conn) {
+ err = -ENOTCONN;
+ goto failed;
+ }
+
+ SET_NETDEV_DEV(dev, &conn->hcon->dev);
SET_NETDEV_DEVTYPE(dev, &bnep_type);
err = register_netdev(dev);
+ l2cap_conn_put(conn);
+ conn = NULL;
if (err)
goto failed;
@@ -665,6 +678,8 @@ int bnep_add_connection(struct bnep_conn
return 0;
failed:
+ if (conn)
+ l2cap_conn_put(conn);
up_write(&bnep_session_sem);
free_netdev(dev);
return err;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 206/518] Bluetooth: btnxpuart: Fix out-of-bounds firmware read in nxp_recv_fw_req_v3()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 205/518] Bluetooth: bnep: pin L2CAP connection during netdev registration Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 207/518] Bluetooth: fix UAF in bt_accept_dequeue() Greg Kroah-Hartman
` (315 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neeraj Sanjay Kale, Maoyi Xie,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit badff6c3bed8923a1257a853f137d447976eec30 upstream.
During the v3 firmware download the controller sends a v3_data_req with a
32 bit offset and a 16 bit len. nxp_recv_fw_req_v3() checks only the lower
bound of the offset and then sends firmware from that offset.
nxpdev->fw_dnld_v3_offset = offset - nxpdev->fw_v3_offset_correction;
serdev_device_write_buf(nxpdev->serdev, nxpdev->fw->data +
nxpdev->fw_dnld_v3_offset, len);
Nothing checks that fw_dnld_v3_offset + len stays within nxpdev->fw->size,
so a controller that asks for an offset or length past the firmware image
makes the driver read past the end of nxpdev->fw->data and send that
memory back over UART.
nxp_recv_fw_req_v1() already bounds the same write. Add the equivalent
check to the v3 path, reject the request when it falls outside the firmware
image, and zero len on the error path so the fw_v3_prev_sent bookkeeping at
free_skb stays consistent.
Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets")
Suggested-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Reviewed-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btnxpuart.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1267,6 +1267,12 @@ static int nxp_recv_fw_req_v3(struct hci
}
nxpdev->fw_dnld_v3_offset = offset - nxpdev->fw_v3_offset_correction;
+ if (nxpdev->fw_dnld_v3_offset >= nxpdev->fw->size ||
+ len > nxpdev->fw->size - nxpdev->fw_dnld_v3_offset) {
+ bt_dev_err(hdev, "FW download out of bounds, ignoring request");
+ len = 0;
+ goto free_skb;
+ }
serdev_device_write_buf(nxpdev->serdev, nxpdev->fw->data +
nxpdev->fw_dnld_v3_offset, len);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 207/518] Bluetooth: fix UAF in bt_accept_dequeue()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 206/518] Bluetooth: btnxpuart: Fix out-of-bounds firmware read in nxp_recv_fw_req_v3() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 208/518] Bluetooth: hci_conn: Fix null ptr deref in hci_abort_conn() Greg Kroah-Hartman
` (314 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+674ff7e4d7fdfd572afc,
Yousef Alhouseen, Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yousef Alhouseen <alhouseenyousef@gmail.com>
commit 4bd0b274054f2679f28b70222b607bb0afc3ab9a upstream.
bt_accept_get() takes a temporary reference before dropping the accept
queue lock. bt_accept_dequeue() currently drops that reference before
bt_accept_unlink(), leaving only the queue reference.
bt_accept_unlink() drops the queue reference. The subsequent
sock_hold() therefore accesses freed memory if it was the final
reference, as observed by KASAN during listening L2CAP socket cleanup.
Retain the temporary queue-walk reference through unlink and hand it to
the caller on success. Drop it explicitly on the closed and
not-yet-connected paths.
Fixes: ab1513597c6c ("Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()")
Reported-by: syzbot+674ff7e4d7fdfd572afc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=674ff7e4d7fdfd572afc
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/af_bluetooth.c | 17 +++--------------
net/bluetooth/l2cap_sock.c | 4 ++--
2 files changed, 5 insertions(+), 16 deletions(-)
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -308,7 +308,7 @@ struct sock *bt_accept_dequeue(struct so
restart:
for (sk = bt_accept_get(parent, NULL); sk; sk = next) {
- /* Prevent early freeing of sk due to unlink and sock_kill */
+ /* The reference from bt_accept_get() keeps sk alive. */
lock_sock(sk);
/* Check sk has not already been unlinked via
@@ -324,13 +324,11 @@ restart:
next = bt_accept_get(parent, sk);
- /* sk is safely in the parent list so reduce reference count */
- sock_put(sk);
-
/* FIXME: Is this check still needed */
if (sk->sk_state == BT_CLOSED) {
bt_accept_unlink(sk);
release_sock(sk);
+ sock_put(sk);
continue;
}
@@ -340,16 +338,6 @@ restart:
if (newsock)
sock_graft(sk, newsock);
- /* Hand the caller a reference taken while sk is
- * still locked. bt_accept_unlink() just dropped
- * the accept-queue reference; without this hold a
- * concurrent teardown (e.g. l2cap_conn_del() ->
- * l2cap_sock_kill()) could free sk between
- * release_sock() and the caller using it. Every
- * caller drops this with sock_put() when done.
- */
- sock_hold(sk);
-
release_sock(sk);
if (next)
sock_put(next);
@@ -357,6 +345,7 @@ restart:
}
release_sock(sk);
+ sock_put(sk);
}
return NULL;
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1482,8 +1482,8 @@ static void l2cap_sock_cleanup_listen(st
/* Close not yet accepted channels.
*
- * bt_accept_dequeue() now returns sk with an extra reference held
- * (taken while sk was still locked) so a concurrent l2cap_conn_del()
+ * bt_accept_dequeue() returns sk with its temporary queue-walk
+ * reference held, so a concurrent l2cap_conn_del()
* -> l2cap_sock_kill() cannot free sk under us.
*
* cleanup_listen() runs under the parent sk lock, so unlike
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 208/518] Bluetooth: hci_conn: Fix null ptr deref in hci_abort_conn()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 207/518] Bluetooth: fix UAF in bt_accept_dequeue() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 209/518] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled Greg Kroah-Hartman
` (313 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, XIAO WU, Siwei Zhang,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siwei Zhang <oss@fourdim.xyz>
commit 12917f591cea1af36087dba5b9ec888652f0b42a upstream.
hci_abort_conn() read hci_skb_event(hdev->sent_cmd) when a connection
was pending, but hdev->sent_cmd can be NULL while req_status is still
HCI_REQ_PEND, leading to a NULL pointer dereference and a general
protection fault from the hci_rx_work() receive path.
Instead of inspecting hdev->sent_cmd, track the in-flight create
connection command with a new per-connection HCI_CONN_CREATE flag and
route all cancellation through hci_cancel_connect_sync(), which
dispatches to a dedicated per-type cancel function. The create command
is in exactly one of two states: still queued, or in flight. The cancel
function holds cmd_sync_work_lock across the whole decision: the worker
takes this lock to dequeue every entry, so while it is held a queued
command cannot start running and an in-flight command cannot complete
and let the next command become pending. This keeps the flag test and
hci_cmd_sync_cancel() atomic with respect to the worker, so a queued
command is simply dequeued, and an in-flight command owned by this
connection is cancelled without the risk of cancelling an unrelated
command that became pending in the meantime. CIS uses the same flag
mechanism via HCI_CONN_CREATE_CIS but cannot be dequeued per-connection.
hci_acl_create_conn_sync() and hci_le_create_conn_sync() clear
HCI_CONN_CREATE after the create command completes, but the command
status handler can free conn via hci_conn_del() (for example when the
controller rejects the connection) while the worker is still blocked on
the connection complete event. Hold a reference on conn across the
create command so the flag can be cleared without a use-after-free.
Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections")
Cc: stable@vger.kernel.org
Suggested-by: XIAO WU <xiaowu.417@qq.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/hci_core.h | 1
net/bluetooth/hci_conn.c | 21 ------
net/bluetooth/hci_sync.c | 133 ++++++++++++++++++++++++++++++++++-----
3 files changed, 123 insertions(+), 32 deletions(-)
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -988,6 +988,7 @@ enum {
HCI_CONN_AUTH_FAILURE,
HCI_CONN_PER_ADV,
HCI_CONN_BIG_CREATED,
+ HCI_CONN_CREATE,
HCI_CONN_CREATE_CIS,
HCI_CONN_CREATE_BIG_SYNC,
HCI_CONN_BIG_SYNC,
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -3181,26 +3181,11 @@ int hci_abort_conn(struct hci_conn *conn
conn->abort_reason = reason;
- /* If the connection is pending check the command opcode since that
- * might be blocking on hci_cmd_sync_work while waiting its respective
- * event so we need to hci_cmd_sync_cancel to cancel it.
- *
- * hci_connect_le serializes the connection attempts so only one
- * connection can be in BT_CONNECT at time.
+ /* Cancel the connect attempt. A return of 0 means the create command
+ * was still queued and got dequeued, so there is nothing to disconnect.
*/
- if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
- switch (hci_skb_event(hdev->sent_cmd)) {
- case HCI_EV_CONN_COMPLETE:
- case HCI_EV_LE_CONN_COMPLETE:
- case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
- case HCI_EVT_LE_CIS_ESTABLISHED:
- hci_cmd_sync_cancel(hdev, ECANCELED);
- break;
- }
- /* Cancel connect attempt if still queued/pending */
- } else if (!hci_cancel_connect_sync(hdev, conn)) {
+ if (!hci_cancel_connect_sync(hdev, conn))
return 0;
- }
/* Run immediately if on cmd_sync_work since this may be called
* as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6611,6 +6611,11 @@ static int hci_le_create_conn_sync(struc
bt_dev_dbg(hdev, "conn %p", conn);
+ /* Hold a reference so conn stays valid for the HCI_CONN_CREATE
+ * clear_bit() at done.
+ */
+ hci_conn_get(conn);
+
clear_bit(HCI_CONN_SCANNING, &conn->flags);
conn->state = BT_CONNECT;
@@ -6623,6 +6628,7 @@ static int hci_le_create_conn_sync(struc
hdev->le_scan_type == LE_SCAN_ACTIVE &&
!hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES)) {
hci_conn_del(conn);
+ hci_conn_put(conn);
return -EBUSY;
}
@@ -6668,6 +6674,12 @@ static int hci_le_create_conn_sync(struc
&own_addr_type);
if (err)
goto done;
+
+ /* Mark create connection in flight so hci_cancel_connect_sync() can
+ * cancel it while blocking on the connection complete event.
+ */
+ set_bit(HCI_CONN_CREATE, &conn->flags);
+
/* Send command LE Extended Create Connection if supported */
if (use_ext_conn(hdev)) {
err = hci_le_ext_create_conn_sync(hdev, conn, own_addr_type);
@@ -6703,11 +6715,14 @@ static int hci_le_create_conn_sync(struc
conn->conn_timeout, NULL);
done:
+ clear_bit(HCI_CONN_CREATE, &conn->flags);
+
if (err == -ETIMEDOUT)
hci_le_connect_cancel_sync(hdev, conn, 0x00);
/* Re-enable advertising after the connection attempt is finished. */
hci_resume_advertising_sync(hdev);
+ hci_conn_put(conn);
return err;
}
@@ -6982,10 +6997,25 @@ static int hci_acl_create_conn_sync(stru
else
cp.role_switch = 0x00;
- return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
- sizeof(cp), &cp,
- HCI_EV_CONN_COMPLETE,
- conn->conn_timeout, NULL);
+ /* Hold a reference so conn stays valid for the HCI_CONN_CREATE
+ * clear_bit() below.
+ */
+ hci_conn_get(conn);
+
+ /* Mark create connection in flight so hci_cancel_connect_sync() can
+ * cancel it while blocking on the connection complete event.
+ */
+ set_bit(HCI_CONN_CREATE, &conn->flags);
+
+ err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
+ sizeof(cp), &cp,
+ HCI_EV_CONN_COMPLETE,
+ conn->conn_timeout, NULL);
+
+ clear_bit(HCI_CONN_CREATE, &conn->flags);
+ hci_conn_put(conn);
+
+ return err;
}
int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
@@ -7037,22 +7067,97 @@ int hci_connect_le_sync(struct hci_dev *
return (err == -EEXIST) ? 0 : err;
}
-int hci_cancel_connect_sync(struct hci_dev *hdev, struct hci_conn *conn)
+static int hci_acl_cancel_create_conn_sync(struct hci_dev *hdev,
+ struct hci_conn *conn)
+{
+ struct hci_cmd_sync_work_entry *entry;
+ int err = -EBUSY;
+
+ /* cmd_sync_work_lock makes the HCI_CONN_CREATE test and the cancel
+ * atomic against the worker, which takes this lock to dequeue every
+ * entry: while it is held no other command can become pending, so
+ * hci_cmd_sync_cancel() cannot cancel an unrelated command.
+ */
+ mutex_lock(&hdev->cmd_sync_work_lock);
+
+ /* In flight: this connection owns the pending request, cancel it. */
+ if (test_bit(HCI_CONN_CREATE, &conn->flags)) {
+ hci_cmd_sync_cancel(hdev, ECANCELED);
+ goto unlock;
+ }
+
+ /* Still queued: a successful dequeue means it never started, so there
+ * is nothing to disconnect.
+ */
+ entry = _hci_cmd_sync_lookup_entry(hdev, hci_acl_create_conn_sync, conn,
+ NULL);
+ if (entry) {
+ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+ err = 0;
+ }
+
+unlock:
+ mutex_unlock(&hdev->cmd_sync_work_lock);
+ return err;
+}
+
+static int hci_le_cancel_create_conn_sync(struct hci_dev *hdev,
+ struct hci_conn *conn)
{
- if (conn->state != BT_OPEN)
- return -EINVAL;
+ struct hci_cmd_sync_work_entry *entry;
+ int err = -EBUSY;
+
+ /* cmd_sync_work_lock keeps the HCI_CONN_CREATE test and the cancel
+ * atomic against the cmd_sync worker.
+ */
+ mutex_lock(&hdev->cmd_sync_work_lock);
+
+ if (test_bit(HCI_CONN_CREATE, &conn->flags)) {
+ hci_cmd_sync_cancel(hdev, ECANCELED);
+ goto unlock;
+ }
+ entry = _hci_cmd_sync_lookup_entry(hdev, hci_le_create_conn_sync, conn,
+ create_le_conn_complete);
+ if (entry) {
+ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+ err = 0;
+ }
+
+unlock:
+ mutex_unlock(&hdev->cmd_sync_work_lock);
+ return err;
+}
+
+static int hci_cis_cancel_create_conn_sync(struct hci_dev *hdev,
+ struct hci_conn *conn)
+{
+ /* LE Create CIS is shared by the whole CIG and cannot be dequeued
+ * per-connection, so only an in-flight command can be cancelled.
+ * cmd_sync_work_lock keeps the test and the cancel atomic against the
+ * cmd_sync worker.
+ */
+ mutex_lock(&hdev->cmd_sync_work_lock);
+
+ if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
+ hci_cmd_sync_cancel(hdev, ECANCELED);
+
+ mutex_unlock(&hdev->cmd_sync_work_lock);
+ return -EBUSY;
+}
+
+int hci_cancel_connect_sync(struct hci_dev *hdev, struct hci_conn *conn)
+{
switch (conn->type) {
case ACL_LINK:
- return !hci_cmd_sync_dequeue_once(hdev,
- hci_acl_create_conn_sync,
- conn, NULL);
+ return hci_acl_cancel_create_conn_sync(hdev, conn);
case LE_LINK:
- return !hci_cmd_sync_dequeue_once(hdev, hci_le_create_conn_sync,
- conn, create_le_conn_complete);
+ return hci_le_cancel_create_conn_sync(hdev, conn);
+ case CIS_LINK:
+ return hci_cis_cancel_create_conn_sync(hdev, conn);
+ default:
+ return -ENOENT;
}
-
- return -ENOENT;
}
int hci_le_conn_update_sync(struct hci_dev *hdev, struct hci_conn *conn,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 209/518] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 208/518] Bluetooth: hci_conn: Fix null ptr deref in hci_abort_conn() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 210/518] Bluetooth: ISO: avoid NULL deref of conn in iso_conn_big_sync() Greg Kroah-Hartman
` (312 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
commit 1b0d946d6f08bd39211385bc703a440911b41e46 upstream.
HCI_UART_SENDING bit in tx_state means write_work is pending and blocks
queueing it again. Currently this bit is not cleared when canceling the
work in hci_uart_close(), which blocks future writes when device is
reopened later if write_work was pending.
Fix by clearing HCI_UART_SENDING when canceling the work.
Also make clearing of tx_skb safe by using disable_work_sync +
enable_work instead of just cancel_work_sync. hci_uart_flush() purges
the proto tx queue so we can cancel the pending write_work there,
instead of doing it just in hci_uart_close(). Re-enable and possibly
requeue the work after queue flush.
Fixes: c1bb9336ae6b ("Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths")
Link: https://lore.kernel.org/linux-bluetooth/07e0a28650773abec711ee492fdb1bf5d21a6c98.camel@iki.fi/
Cc: stable@vger.kernel.org
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_ldisc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -239,6 +239,8 @@ static int hci_uart_flush(struct hci_dev
BT_DBG("hdev %p tty %p", hdev, tty);
+ disable_work_sync(&hu->write_work);
+
if (hu->tx_skb) {
kfree_skb(hu->tx_skb); hu->tx_skb = NULL;
}
@@ -254,6 +256,14 @@ static int hci_uart_flush(struct hci_dev
percpu_up_read(&hu->proto_lock);
+ /* Resume TX. Also reschedule in case work was queued concurrently;
+ * this may schedule write_work although there's nothing to do.
+ */
+ enable_work(&hu->write_work);
+ clear_bit(HCI_UART_SENDING, &hu->tx_state);
+ if (test_bit(HCI_UART_TX_WAKEUP, &hu->tx_state))
+ hci_uart_tx_wakeup(hu);
+
return 0;
}
@@ -271,12 +281,8 @@ static int hci_uart_open(struct hci_dev
/* Close device */
static int hci_uart_close(struct hci_dev *hdev)
{
- struct hci_uart *hu = hci_get_drvdata(hdev);
-
BT_DBG("hdev %p", hdev);
- cancel_work_sync(&hu->write_work);
-
hci_uart_flush(hdev);
hdev->flush = NULL;
return 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 210/518] Bluetooth: ISO: avoid NULL deref of conn in iso_conn_big_sync()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 209/518] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:27 ` [PATCH 7.1 211/518] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock Greg Kroah-Hartman
` (311 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Bilal <meatuni001@gmail.com>
commit d5541eb148da72d5e0a1bca8ecd171f9fc8b366f upstream.
iso_conn_big_sync() drops the socket lock to call hci_get_route() and
then re-acquires it, but dereferences iso_pi(sk)->conn->hcon afterwards
without re-checking that conn is still valid.
While the lock is dropped, the connection can be torn down under the
same socket lock: iso_disconn_cfm() -> iso_conn_del() -> iso_chan_del()
sets iso_pi(sk)->conn to NULL (and the broadcast teardown path can also
clear conn->hcon on its own). When iso_conn_big_sync() re-acquires the
lock and reads conn->hcon, conn may be NULL, causing a NULL pointer
dereference (hcon is the first member of struct iso_conn).
This path is reached from iso_sock_recvmsg() for a PA-sync broadcast
sink socket (BT_SK_DEFER_SETUP | BT_SK_PA_SYNC), so the dropped-lock
window can race with connection teardown driven by controller events.
Re-validate iso_pi(sk)->conn and its hcon after re-acquiring the socket
lock and bail out if the connection went away, as already done in the
sibling iso_sock_rebind_bc().
Fixes: 7a17308c17880d ("Bluetooth: iso: Fix circular lock in iso_conn_big_sync")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/iso.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1589,6 +1589,7 @@ static void iso_conn_big_sync(struct soc
{
int err;
struct hci_dev *hdev;
+ struct iso_conn *conn;
bdaddr_t src, dst;
u8 src_type;
@@ -1611,8 +1612,17 @@ static void iso_conn_big_sync(struct soc
hci_dev_lock(hdev);
lock_sock(sk);
+ /* The socket lock was dropped for hci_get_route(), so the connection
+ * may have been torn down meanwhile: iso_chan_del() clears conn and
+ * the broadcast teardown path can clear conn->hcon on its own. Check
+ * both before dereferencing conn->hcon.
+ */
+ conn = iso_pi(sk)->conn;
+ if (!conn || !conn->hcon)
+ goto unlock;
+
if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
- err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
+ err = hci_conn_big_create_sync(hdev, conn->hcon,
&iso_pi(sk)->qos,
iso_pi(sk)->sync_handle,
iso_pi(sk)->bc_num_bis,
@@ -1621,6 +1631,7 @@ static void iso_conn_big_sync(struct soc
bt_dev_err(hdev, "hci_big_create_sync: %d", err);
}
+unlock:
release_sock(sk);
hci_dev_unlock(hdev);
hci_dev_put(hdev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 211/518] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 210/518] Bluetooth: ISO: avoid NULL deref of conn in iso_conn_big_sync() Greg Kroah-Hartman
@ 2026-07-16 13:27 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 212/518] Bluetooth: L2CAP: validate option length before reading conf opt value Greg Kroah-Hartman
` (310 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Runyu Xiao, Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Runyu Xiao <runyu.xiao@seu.edu.cn>
commit 2641a9e0a1dd4af2e21995470a21d55dd35e5203 upstream.
l2cap_conn_del() takes conn->lock and then calls cancel_work_sync() for
pending_rx_work. process_pending_rx() takes the same mutex, so teardown
can deadlock against the worker it is flushing.
This issue was found by our static analysis tool and then manually
reviewed against the current tree.
The grounded PoC kept the l2cap_conn_ready() -> queue_work(...,
&conn->pending_rx_work) submit path, the l2cap_conn_del() ->
cancel_work_sync(&conn->pending_rx_work) teardown path, and the
process_pending_rx() -> mutex_lock(&conn->lock) worker edge. Lockdep
reported:
WARNING: possible circular locking dependency detected
process_pending_rx+0x21/0x2a [vuln_msv]
l2cap_conn_del.constprop.0+0x3f/0x4e [vuln_msv]
*** DEADLOCK ***
Cancel pending_rx_work before taking conn->lock, matching the existing
lock-before-drain ordering used for the two delayed works in the same
teardown path. The pending_rx queue is still purged after the work has
been cancelled and conn->lock has been acquired.
Fixes: 7ab56c3a6ecc ("Bluetooth: Fix deadlock in l2cap_conn_del()")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1778,19 +1778,13 @@ static void l2cap_conn_del(struct hci_co
disable_delayed_work_sync(&conn->info_timer);
disable_delayed_work_sync(&conn->id_addr_timer);
+ cancel_work_sync(&conn->pending_rx_work);
+
mutex_lock(&conn->lock);
kfree_skb(conn->rx_skb);
skb_queue_purge(&conn->pending_rx);
-
- /* We can not call flush_work(&conn->pending_rx_work) here since we
- * might block if we are running on a worker from the same workqueue
- * pending_rx_work is waiting on.
- */
- if (work_pending(&conn->pending_rx_work))
- cancel_work_sync(&conn->pending_rx_work);
-
ida_destroy(&conn->tx_ida);
l2cap_unregister_all_users(conn);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 212/518] Bluetooth: L2CAP: validate option length before reading conf opt value
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-07-16 13:27 ` [PATCH 7.1 211/518] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 213/518] coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer() Greg Kroah-Hartman
` (309 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Bilal <meatuni001@gmail.com>
commit 687617555cedfb74c9e3cb85d759b908dcb17856 upstream.
l2cap_get_conf_opt() derives the option length from the
attacker-controlled opt->len field and immediately dereferences
opt->val (as u8, get_unaligned_le16() or get_unaligned_le32(), or a
raw pointer for the default case) before any caller has confirmed
that opt->len bytes are present in the buffer. The callers
(l2cap_parse_conf_req(), l2cap_parse_conf_rsp() and
l2cap_conf_rfc_get()) only detect a malformed option afterwards, once
the running length has gone negative, by which point the
out-of-bounds read has already executed.
An existing post-hoc length check keeps the garbage value from being
consumed, so this is not a data leak in the current control flow. It
is still a validate-after-use ordering bug: up to 4 bytes are read
past the end of the buffer before it is known to contain them, and it
is fragile to future changes in the callers.
Fix it at the source. Pass the end of the buffer into
l2cap_get_conf_opt() and refuse to touch opt->val unless the full
option (header + value) fits. Each caller computes an end pointer
once before the loop and checks the return value directly instead of
inferring the error from a negative length.
Fixes: 7c9cbd0b5e38 ("Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3048,13 +3048,24 @@ fail:
return NULL;
}
-static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
- unsigned long *val)
+static inline int l2cap_get_conf_opt(void **ptr, void *end, int *type,
+ int *olen, unsigned long *val)
{
struct l2cap_conf_opt *opt = *ptr;
int len;
+ /* opt->len is attacker-controlled. Validate that the full option
+ * (header + value) actually fits in the buffer before touching
+ * opt->val, otherwise the switch below reads past the end of the
+ * caller's buffer.
+ */
+ if (end - *ptr < L2CAP_CONF_OPT_SIZE)
+ return -EINVAL;
+
len = L2CAP_CONF_OPT_SIZE + opt->len;
+ if (end - *ptr < len)
+ return -EINVAL;
+
*ptr += len;
*type = opt->type;
@@ -3426,6 +3437,7 @@ static int l2cap_parse_conf_req(struct l
void *ptr = rsp->data;
void *endptr = data + data_size;
void *req = chan->conf_req;
+ void *req_end = req + chan->conf_len;
int len = chan->conf_len;
int type, hint, olen;
unsigned long val;
@@ -3439,9 +3451,11 @@ static int l2cap_parse_conf_req(struct l
BT_DBG("chan %p", chan);
while (len >= L2CAP_CONF_OPT_SIZE) {
- len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
- if (len < 0)
+ int ret = l2cap_get_conf_opt(&req, req_end, &type, &olen, &val);
+
+ if (ret < 0)
break;
+ len -= ret;
hint = type & L2CAP_CONF_HINT;
type &= L2CAP_CONF_MASK;
@@ -3669,6 +3683,7 @@ static int l2cap_parse_conf_rsp(struct l
struct l2cap_conf_req *req = data;
void *ptr = req->data;
void *endptr = data + size;
+ void *rsp_end = rsp + len;
int type, olen;
unsigned long val;
struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
@@ -3677,9 +3692,11 @@ static int l2cap_parse_conf_rsp(struct l
BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
while (len >= L2CAP_CONF_OPT_SIZE) {
- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
- if (len < 0)
+ int ret = l2cap_get_conf_opt(&rsp, rsp_end, &type, &olen, &val);
+
+ if (ret < 0)
break;
+ len -= ret;
switch (type) {
case L2CAP_CONF_MTU:
@@ -3930,6 +3947,7 @@ static void l2cap_conf_rfc_get(struct l2
{
int type, olen;
unsigned long val;
+ void *rsp_end = rsp + len;
/* Use sane default values in case a misbehaving remote device
* did not send an RFC or extended window size option.
*/
@@ -3948,9 +3966,11 @@ static void l2cap_conf_rfc_get(struct l2
return;
while (len >= L2CAP_CONF_OPT_SIZE) {
- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
- if (len < 0)
+ int ret = l2cap_get_conf_opt(&rsp, rsp_end, &type, &olen, &val);
+
+ if (ret < 0)
break;
+ len -= ret;
switch (type) {
case L2CAP_CONF_RFC:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 213/518] coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 212/518] Bluetooth: L2CAP: validate option length before reading conf opt value Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 214/518] smb: client: resolve SWN tcon from live registrations Greg Kroah-Hartman
` (308 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Suzuki K Poulose
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 98495b5a4d77dd22e106f462b76e1093a55b29a7 upstream.
When the SMB sink is used as a perf AUX sink, smb_update_buffer() calls
smb_sync_perf_buffer() to copy hardware trace data into the perf AUX ring
buffer pages. It derives pg_idx = head >> PAGE_SHIFT from @head, which is
handle->head, and indexes dst_pages[pg_idx]. The pg_idx %= nr_pages
normalization is only applied after the first loop iteration.
This leaves the initial page index underived from the buffer size, which
can result in an out-of-bounds write past dst_pages[] when head exceeds
the AUX buffer size.
Normalize head modulo the AUX buffer size before deriving the page index
and offset, mirroring tmc_etr_sync_perf_buffer().
Fixes: 06f5c2926aaa ("drivers/coresight: Add UltraSoc System Memory Buffer driver")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/SYBPR01MB788156B3380A36835DB22290AF102@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/ultrasoc-smb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/hwtracing/coresight/ultrasoc-smb.c
+++ b/drivers/hwtracing/coresight/ultrasoc-smb.c
@@ -337,6 +337,7 @@ static void smb_sync_perf_buffer(struct
unsigned long to_copy;
long pg_idx, pg_offset;
+ head %= (unsigned long)buf->nr_pages << PAGE_SHIFT;
pg_idx = head >> PAGE_SHIFT;
pg_offset = head & (PAGE_SIZE - 1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 214/518] smb: client: resolve SWN tcon from live registrations
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 213/518] coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 215/518] smb/client: Fix error code in smb2_aead_req_alloc() Greg Kroah-Hartman
` (307 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit ec457f9afe5ae9538bdcd58fd4cb442b9787e183 upstream.
cifs_swn_notify() looks up a witness registration by id under
cifs_swnreg_idr_mutex, drops the mutex, and then uses the registration's
cached tcon pointer. That pointer is not a lifetime reference, and it is
not a stable representative once cifs_get_swn_reg() lets multiple tcons
for the same net/share name share one registration id.
A same-share second mount can keep the cifs_swn_reg alive after the first
tcon unregisters and is freed. The registration then still points at the
freed first tcon, so taking tc_lock or incrementing tc_count through
swnreg->tcon only moves the use-after-free earlier. Taking tc_lock while
holding cifs_swnreg_idr_mutex also violates the documented CIFS lock
order.
Fix this by making the registration store only the stable witness
identity: id, net name, share name, and notify flags. When a notify
arrives, copy that identity under cifs_swnreg_idr_mutex, drop the mutex,
then find and pin a live witness tcon that currently matches the net/share
pair under the normal cifs_tcp_ses_lock -> tc_lock order. The notification
path uses that pinned tcon directly and drops the reference when done.
Registration and unregister messages now use the live tcon passed by the
caller instead of a cached tcon in the registration. The final unregister
send is folded into cifs_swn_unregister() while the registration is still
protected by cifs_swnreg_idr_mutex. This removes the previous
find/drop/reacquire raw-pointer window. The release path only removes the
idr entry and frees the stable identity strings.
This preserves the intended one-registration/many-tcon behavior: a
registration id represents a net/share pair, and notify handling acts on a
live representative selected at use time. It also preserves CLIENT_MOVE
ordering for the representative tcon because the old-IP unregister is sent
before cifs_swn_register() sends the new-IP register.
Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifs_swn.c | 314 ++++++++++++++++++++++++++++++++++++++---------
fs/smb/client/trace.h | 2
2 files changed, 262 insertions(+), 54 deletions(-)
--- a/fs/smb/client/cifs_swn.c
+++ b/fs/smb/client/cifs_swn.c
@@ -28,10 +28,54 @@ struct cifs_swn_reg {
bool net_name_notify;
bool share_name_notify;
bool ip_notify;
+};
- struct cifs_tcon *tcon;
+struct cifs_swn_reg_info {
+ int id;
+ unsigned int ref_count;
+ const char *net_name;
+ const char *share_name;
+ bool net_name_notify;
+ bool share_name_notify;
+ bool ip_notify;
};
+static void cifs_swn_snapshot_reg(struct cifs_swn_reg *swnreg,
+ struct cifs_swn_reg_info *info)
+{
+ info->id = swnreg->id;
+ info->ref_count = kref_read(&swnreg->ref_count);
+ info->net_name = swnreg->net_name;
+ info->share_name = swnreg->share_name;
+ info->net_name_notify = swnreg->net_name_notify;
+ info->share_name_notify = swnreg->share_name_notify;
+ info->ip_notify = swnreg->ip_notify;
+}
+
+static int cifs_swn_dup_reg(struct cifs_swn_reg *swnreg,
+ struct cifs_swn_reg_info *info)
+{
+ cifs_swn_snapshot_reg(swnreg, info);
+
+ info->net_name = kstrdup(swnreg->net_name, GFP_KERNEL);
+ if (!info->net_name)
+ return -ENOMEM;
+
+ info->share_name = kstrdup(swnreg->share_name, GFP_KERNEL);
+ if (!info->share_name) {
+ kfree(info->net_name);
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
+static void cifs_swn_free_reg_info(struct cifs_swn_reg_info *info)
+{
+ kfree(info->net_name);
+ kfree(info->share_name);
+}
+
static int cifs_swn_auth_info_krb(struct cifs_tcon *tcon, struct sk_buff *skb)
{
int ret;
@@ -73,7 +117,8 @@ static int cifs_swn_auth_info_ntlm(struc
* The authentication information to connect to the witness service is bundled
* into the message.
*/
-static int cifs_swn_send_register_message(struct cifs_swn_reg *swnreg)
+static int cifs_swn_send_register_message(struct cifs_swn_reg_info *swnreg,
+ struct cifs_tcon *tcon)
{
struct sk_buff *skb;
struct genlmsghdr *hdr;
@@ -109,10 +154,10 @@ static int cifs_swn_send_register_messag
* told to switch to it (client move message). In these cases we unregister from the
* server address and register to the new address when we receive the notification.
*/
- if (swnreg->tcon->ses->server->use_swn_dstaddr)
- addr = &swnreg->tcon->ses->server->swn_dstaddr;
+ if (tcon->ses->server->use_swn_dstaddr)
+ addr = &tcon->ses->server->swn_dstaddr;
else
- addr = &swnreg->tcon->ses->server->dstaddr;
+ addr = &tcon->ses->server->dstaddr;
ret = nla_put(skb, CIFS_GENL_ATTR_SWN_IP, sizeof(struct sockaddr_storage), addr);
if (ret < 0)
@@ -136,10 +181,10 @@ static int cifs_swn_send_register_messag
goto nlmsg_fail;
}
- authtype = cifs_select_sectype(swnreg->tcon->ses->server, swnreg->tcon->ses->sectype);
+ authtype = cifs_select_sectype(tcon->ses->server, tcon->ses->sectype);
switch (authtype) {
case Kerberos:
- ret = cifs_swn_auth_info_krb(swnreg->tcon, skb);
+ ret = cifs_swn_auth_info_krb(tcon, skb);
if (ret < 0) {
cifs_dbg(VFS, "%s: Failed to get kerberos auth info: %d\n", __func__, ret);
goto nlmsg_fail;
@@ -147,7 +192,7 @@ static int cifs_swn_send_register_messag
break;
case NTLMv2:
case RawNTLMSSP:
- ret = cifs_swn_auth_info_ntlm(swnreg->tcon, skb);
+ ret = cifs_swn_auth_info_ntlm(tcon, skb);
if (ret < 0) {
cifs_dbg(VFS, "%s: Failed to get NTLM auth info: %d\n", __func__, ret);
goto nlmsg_fail;
@@ -176,7 +221,8 @@ nlmsg_fail:
/*
* Sends an uregister message to the userspace daemon based on the registration
*/
-static int cifs_swn_send_unregister_message(struct cifs_swn_reg *swnreg)
+static int cifs_swn_send_unregister_message(struct cifs_swn_reg_info *swnreg,
+ struct cifs_tcon *tcon)
{
struct sk_buff *skb;
struct genlmsghdr *hdr;
@@ -205,7 +251,7 @@ static int cifs_swn_send_unregister_mess
goto nlmsg_fail;
ret = nla_put(skb, CIFS_GENL_ATTR_SWN_IP, sizeof(struct sockaddr_storage),
- &swnreg->tcon->ses->server->dstaddr);
+ &tcon->ses->server->dstaddr);
if (ret < 0)
goto nlmsg_fail;
@@ -242,6 +288,88 @@ nlmsg_fail:
}
/*
+ * Allocation-free mirror of extract_hostname() + extract_sharename() from
+ * fs/smb/client/unc.c. Those helpers kmalloc(GFP_KERNEL); this runs under
+ * cifs_tcp_ses_lock and tcon->tc_lock, both spinlocks, so we mirror their
+ * parsing in place against the caller's stable net_name/share_name strings.
+ * Keep in sync with unc.c.
+ */
+static bool cifs_swn_tcon_matches(struct cifs_tcon *tcon,
+ const char *net_name,
+ const char *share_name)
+{
+ const char *unc = tcon->tree_name;
+ const char *host, *share, *delim;
+ size_t host_len, share_len;
+
+ if (!tcon->use_witness)
+ return false;
+
+ /* extract_hostname: require strlen(unc) >= 3 */
+ if (strnlen(unc, 3) < 3)
+ return false;
+ /* extract_hostname: skip all leading '\' characters */
+ for (host = unc; *host == '\\'; host++)
+ ;
+ if (!*host)
+ return false;
+ delim = strchr(host, '\\');
+ if (!delim)
+ return false;
+ host_len = delim - host;
+ if (strlen(net_name) != host_len ||
+ strncasecmp(host, net_name, host_len))
+ return false;
+
+ /* extract_sharename: start at unc + 2, then first '\' onward */
+ share = unc + 2;
+ delim = strchr(share, '\\');
+ if (!delim)
+ return false;
+ share = delim + 1;
+ share_len = strlen(share);
+
+ return strlen(share_name) == share_len &&
+ !strncasecmp(share, share_name, share_len);
+}
+
+/*
+ * One SWN registration id represents one net/share name pair. Multiple
+ * mounted tcons can therefore share the id. Pick a live representative at
+ * use time instead of caching the first tcon pointer in the registration.
+ */
+static struct cifs_tcon *cifs_swn_get_tcon(struct cifs_swn_reg_info *swnreg)
+{
+ struct TCP_Server_Info *server;
+ struct cifs_ses *ses;
+ struct cifs_tcon *tcon;
+
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
+ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+ list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
+ spin_lock(&tcon->tc_lock);
+ if (tcon->status == TID_EXITING ||
+ !cifs_swn_tcon_matches(tcon, swnreg->net_name,
+ swnreg->share_name)) {
+ spin_unlock(&tcon->tc_lock);
+ continue;
+ }
+ ++tcon->tc_count;
+ trace_smb3_tcon_ref(tcon->debug_id,
+ tcon->tc_count,
+ netfs_trace_tcon_ref_get_swn_notify);
+ spin_unlock(&tcon->tc_lock);
+ spin_unlock(&cifs_tcp_ses_lock);
+ return tcon;
+ }
+ }
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
+ return NULL;
+}
+
+/*
* Try to find a matching registration for the tcon's server name and share name.
* Calls to this function must be protected by cifs_swnreg_idr_mutex.
* TODO Try to avoid memory allocations
@@ -347,8 +475,6 @@ static struct cifs_swn_reg *cifs_get_swn
reg->net_name_notify = true;
reg->share_name_notify = true;
reg->ip_notify = (tcon->capabilities & SMB2_SHARE_CAP_SCALEOUT);
-
- reg->tcon = tcon;
unlock:
mutex_unlock(&cifs_swnreg_idr_mutex);
@@ -368,11 +494,6 @@ fail_unlock:
static void cifs_swn_reg_release(struct kref *ref)
{
struct cifs_swn_reg *swnreg = container_of(ref, struct cifs_swn_reg, ref_count);
- int ret;
-
- ret = cifs_swn_send_unregister_message(swnreg);
- if (ret < 0)
- cifs_dbg(VFS, "%s: Failed to send unregister message: %d\n", __func__, ret);
idr_remove(&cifs_swnreg_idr, swnreg->id);
kfree(swnreg->net_name);
@@ -380,23 +501,33 @@ static void cifs_swn_reg_release(struct
kfree(swnreg);
}
-static void cifs_put_swn_reg(struct cifs_swn_reg *swnreg)
+static void cifs_put_swn_reg_locked(struct cifs_swn_reg *swnreg,
+ struct cifs_tcon *tcon)
{
- mutex_lock(&cifs_swnreg_idr_mutex);
+ if (kref_read(&swnreg->ref_count) == 1) {
+ struct cifs_swn_reg_info swnreg_info;
+ int ret;
+
+ cifs_swn_snapshot_reg(swnreg, &swnreg_info);
+ ret = cifs_swn_send_unregister_message(&swnreg_info, tcon);
+ if (ret < 0)
+ cifs_dbg(VFS, "%s: Failed to send unregister message: %d\n",
+ __func__, ret);
+ }
+
kref_put(&swnreg->ref_count, cifs_swn_reg_release);
- mutex_unlock(&cifs_swnreg_idr_mutex);
}
-static int cifs_swn_resource_state_changed(struct cifs_swn_reg *swnreg, const char *name, int state)
+static int cifs_swn_resource_state_changed(struct cifs_tcon *tcon, const char *name, int state)
{
switch (state) {
case CIFS_SWN_RESOURCE_STATE_UNAVAILABLE:
cifs_dbg(FYI, "%s: resource name '%s' become unavailable\n", __func__, name);
- cifs_signal_cifsd_for_reconnect(swnreg->tcon->ses->server, true);
+ cifs_signal_cifsd_for_reconnect(tcon->ses->server, true);
break;
case CIFS_SWN_RESOURCE_STATE_AVAILABLE:
cifs_dbg(FYI, "%s: resource name '%s' become available\n", __func__, name);
- cifs_signal_cifsd_for_reconnect(swnreg->tcon->ses->server, true);
+ cifs_signal_cifsd_for_reconnect(tcon->ses->server, true);
break;
case CIFS_SWN_RESOURCE_STATE_UNKNOWN:
cifs_dbg(FYI, "%s: resource name '%s' changed to unknown state\n", __func__, name);
@@ -502,7 +633,7 @@ unlock:
return ret;
}
-static int cifs_swn_client_move(struct cifs_swn_reg *swnreg, struct sockaddr_storage *addr)
+static int cifs_swn_client_move(struct cifs_tcon *tcon, struct sockaddr_storage *addr)
{
struct sockaddr_in *ipv4 = (struct sockaddr_in *)addr;
struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)addr;
@@ -512,14 +643,17 @@ static int cifs_swn_client_move(struct c
else if (addr->ss_family == AF_INET6)
cifs_dbg(FYI, "%s: move to %pI6\n", __func__, &ipv6->sin6_addr);
- return cifs_swn_reconnect(swnreg->tcon, addr);
+ return cifs_swn_reconnect(tcon, addr);
}
int cifs_swn_notify(struct sk_buff *skb, struct genl_info *info)
{
struct cifs_swn_reg *swnreg;
+ struct cifs_swn_reg_info swnreg_info;
+ struct cifs_tcon *tcon;
char name[256];
int type;
+ int ret = 0;
if (info->attrs[CIFS_GENL_ATTR_SWN_REGISTRATION_ID]) {
int swnreg_id;
@@ -527,21 +661,34 @@ int cifs_swn_notify(struct sk_buff *skb,
swnreg_id = nla_get_u32(info->attrs[CIFS_GENL_ATTR_SWN_REGISTRATION_ID]);
mutex_lock(&cifs_swnreg_idr_mutex);
swnreg = idr_find(&cifs_swnreg_idr, swnreg_id);
- mutex_unlock(&cifs_swnreg_idr_mutex);
if (swnreg == NULL) {
+ mutex_unlock(&cifs_swnreg_idr_mutex);
cifs_dbg(FYI, "%s: registration id %d not found\n", __func__, swnreg_id);
return -EINVAL;
}
+ ret = cifs_swn_dup_reg(swnreg, &swnreg_info);
+ mutex_unlock(&cifs_swnreg_idr_mutex);
+ if (ret)
+ return ret;
} else {
cifs_dbg(FYI, "%s: missing registration id attribute\n", __func__);
return -EINVAL;
}
+ tcon = cifs_swn_get_tcon(&swnreg_info);
+ if (!tcon) {
+ cifs_dbg(FYI, "%s: registration id %d has no live tcon\n",
+ __func__, swnreg_info.id);
+ ret = -ENODEV;
+ goto free_info;
+ }
+
if (info->attrs[CIFS_GENL_ATTR_SWN_NOTIFICATION_TYPE]) {
type = nla_get_u32(info->attrs[CIFS_GENL_ATTR_SWN_NOTIFICATION_TYPE]);
} else {
cifs_dbg(FYI, "%s: missing notification type attribute\n", __func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
switch (type) {
@@ -553,15 +700,18 @@ int cifs_swn_notify(struct sk_buff *skb,
sizeof(name));
} else {
cifs_dbg(FYI, "%s: missing resource name attribute\n", __func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
if (info->attrs[CIFS_GENL_ATTR_SWN_RESOURCE_STATE]) {
state = nla_get_u32(info->attrs[CIFS_GENL_ATTR_SWN_RESOURCE_STATE]);
} else {
cifs_dbg(FYI, "%s: missing resource state attribute\n", __func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
- return cifs_swn_resource_state_changed(swnreg, name, state);
+ ret = cifs_swn_resource_state_changed(tcon, name, state);
+ break;
}
case CIFS_SWN_NOTIFICATION_CLIENT_MOVE: {
struct sockaddr_storage addr;
@@ -570,28 +720,36 @@ int cifs_swn_notify(struct sk_buff *skb,
nla_memcpy(&addr, info->attrs[CIFS_GENL_ATTR_SWN_IP], sizeof(addr));
} else {
cifs_dbg(FYI, "%s: missing IP address attribute\n", __func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
- return cifs_swn_client_move(swnreg, &addr);
+ ret = cifs_swn_client_move(tcon, &addr);
+ break;
}
default:
cifs_dbg(FYI, "%s: unknown notification type %d\n", __func__, type);
break;
}
- return 0;
+out:
+ cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_swn_notify);
+free_info:
+ cifs_swn_free_reg_info(&swnreg_info);
+ return ret;
}
int cifs_swn_register(struct cifs_tcon *tcon)
{
struct cifs_swn_reg *swnreg;
+ struct cifs_swn_reg_info swnreg_info;
int ret;
swnreg = cifs_get_swn_reg(tcon);
if (IS_ERR(swnreg))
return PTR_ERR(swnreg);
- ret = cifs_swn_send_register_message(swnreg);
+ cifs_swn_snapshot_reg(swnreg, &swnreg_info);
+ ret = cifs_swn_send_register_message(&swnreg_info, tcon);
if (ret < 0) {
cifs_dbg(VFS, "%s: Failed to send swn register message: %d\n", __func__, ret);
/* Do not put the swnreg or return error, the echo task will retry */
@@ -612,35 +770,68 @@ int cifs_swn_unregister(struct cifs_tcon
return PTR_ERR(swnreg);
}
+ cifs_put_swn_reg_locked(swnreg, tcon);
mutex_unlock(&cifs_swnreg_idr_mutex);
- cifs_put_swn_reg(swnreg);
-
return 0;
}
-void cifs_swn_dump(struct seq_file *m)
+/*
+ * Snapshot one registration under cifs_swnreg_idr_mutex and return. Callers
+ * intentionally do the per-registration network/genlmsg work without the
+ * mutex held, both to keep the critical section short and to avoid nesting
+ * cifs_swnreg_idr_mutex inside the higher tc_lock when a live tcon is then
+ * pinned for the send.
+ */
+static int cifs_swn_get_next_reg_info(int *id, struct cifs_swn_reg_info *info)
{
struct cifs_swn_reg *swnreg;
+ int ret = 0;
+
+ mutex_lock(&cifs_swnreg_idr_mutex);
+ swnreg = idr_get_next(&cifs_swnreg_idr, id);
+ if (swnreg) {
+ ret = cifs_swn_dup_reg(swnreg, info);
+ if (!ret) {
+ *id = swnreg->id + 1;
+ ret = 1;
+ }
+ }
+ mutex_unlock(&cifs_swnreg_idr_mutex);
+
+ return ret;
+}
+
+void cifs_swn_dump(struct seq_file *m)
+{
+ struct cifs_swn_reg_info swnreg_info;
+ struct cifs_tcon *tcon;
struct sockaddr_in *sa;
struct sockaddr_in6 *sa6;
- int id;
+ int id = 0;
+ int ret;
seq_puts(m, "Witness registrations:");
- mutex_lock(&cifs_swnreg_idr_mutex);
- idr_for_each_entry(&cifs_swnreg_idr, swnreg, id) {
+ while ((ret = cifs_swn_get_next_reg_info(&id, &swnreg_info)) > 0) {
seq_printf(m, "\nId: %u Refs: %u Network name: '%s'%s Share name: '%s'%s Ip address: ",
- id, kref_read(&swnreg->ref_count),
- swnreg->net_name, swnreg->net_name_notify ? "(y)" : "(n)",
- swnreg->share_name, swnreg->share_name_notify ? "(y)" : "(n)");
- switch (swnreg->tcon->ses->server->dstaddr.ss_family) {
+ swnreg_info.id, swnreg_info.ref_count,
+ swnreg_info.net_name, swnreg_info.net_name_notify ? "(y)" : "(n)",
+ swnreg_info.share_name, swnreg_info.share_name_notify ? "(y)" : "(n)");
+
+ tcon = cifs_swn_get_tcon(&swnreg_info);
+ if (!tcon) {
+ seq_puts(m, "(no live tcon)");
+ goto next;
+ }
+
+ switch (tcon->ses->server->dstaddr.ss_family) {
case AF_INET:
- sa = (struct sockaddr_in *) &swnreg->tcon->ses->server->dstaddr;
+ sa = (struct sockaddr_in *)&tcon->ses->server->dstaddr;
seq_printf(m, "%pI4", &sa->sin_addr.s_addr);
break;
case AF_INET6:
- sa6 = (struct sockaddr_in6 *) &swnreg->tcon->ses->server->dstaddr;
+ sa6 = (struct sockaddr_in6 *)&tcon->ses->server->dstaddr;
seq_printf(m, "%pI6", &sa6->sin6_addr.s6_addr);
if (sa6->sin6_scope_id)
seq_printf(m, "%%%u", sa6->sin6_scope_id);
@@ -648,23 +839,38 @@ void cifs_swn_dump(struct seq_file *m)
default:
seq_puts(m, "(unknown)");
}
- seq_printf(m, "%s", swnreg->ip_notify ? "(y)" : "(n)");
+ cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_swn_notify);
+next:
+ seq_printf(m, "%s", swnreg_info.ip_notify ? "(y)" : "(n)");
+ cifs_swn_free_reg_info(&swnreg_info);
}
- mutex_unlock(&cifs_swnreg_idr_mutex);
+ if (ret < 0)
+ seq_printf(m, "\nFailed to snapshot witness registration: %d", ret);
seq_puts(m, "\n");
}
void cifs_swn_check(void)
{
- struct cifs_swn_reg *swnreg;
- int id;
+ struct cifs_swn_reg_info swnreg_info;
+ struct cifs_tcon *tcon;
+ int id = 0;
int ret;
- mutex_lock(&cifs_swnreg_idr_mutex);
- idr_for_each_entry(&cifs_swnreg_idr, swnreg, id) {
- ret = cifs_swn_send_register_message(swnreg);
+ while ((ret = cifs_swn_get_next_reg_info(&id, &swnreg_info)) > 0) {
+ tcon = cifs_swn_get_tcon(&swnreg_info);
+ if (!tcon) {
+ cifs_dbg(FYI, "%s: registration id %d has no live tcon\n",
+ __func__, swnreg_info.id);
+ goto free_info;
+ }
+
+ ret = cifs_swn_send_register_message(&swnreg_info, tcon);
if (ret < 0)
cifs_dbg(FYI, "%s: Failed to send register message: %d\n", __func__, ret);
+ cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_swn_notify);
+free_info:
+ cifs_swn_free_reg_info(&swnreg_info);
}
- mutex_unlock(&cifs_swnreg_idr_mutex);
+ if (ret < 0)
+ cifs_dbg(FYI, "%s: Failed to snapshot registration: %d\n", __func__, ret);
}
--- a/fs/smb/client/trace.h
+++ b/fs/smb/client/trace.h
@@ -181,6 +181,7 @@
EM(netfs_trace_tcon_ref_get_find, "GET Find ") \
EM(netfs_trace_tcon_ref_get_find_sess_tcon, "GET FndSes") \
EM(netfs_trace_tcon_ref_get_reconnect_server, "GET Reconn") \
+ EM(netfs_trace_tcon_ref_get_swn_notify, "GET SwnNot") \
EM(netfs_trace_tcon_ref_new, "NEW ") \
EM(netfs_trace_tcon_ref_new_ipc, "NEW Ipc ") \
EM(netfs_trace_tcon_ref_new_reconnect_server, "NEW Reconn") \
@@ -192,6 +193,7 @@
EM(netfs_trace_tcon_ref_put_mnt_ctx, "PUT MntCtx") \
EM(netfs_trace_tcon_ref_put_dfs_refer, "PUT DfsRfr") \
EM(netfs_trace_tcon_ref_put_reconnect_server, "PUT Reconn") \
+ EM(netfs_trace_tcon_ref_put_swn_notify, "PUT SwnNot") \
EM(netfs_trace_tcon_ref_put_tlink, "PUT Tlink ") \
EM(netfs_trace_tcon_ref_see_cancelled_close, "SEE Cn-Cls") \
EM(netfs_trace_tcon_ref_see_fscache_collision, "SEE FV-CO!") \
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 215/518] smb/client: Fix error code in smb2_aead_req_alloc()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 214/518] smb: client: resolve SWN tcon from live registrations Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 216/518] ksmbd: prevent path traversal bypass by restricting caseless retry Greg Kroah-Hartman
` (306 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
commit 61f28012e5650c619223decdb7970e0d3162e949 upstream.
The "*num_sgs" variable is a u32 so "ERR_PTR(*num_sgs)" doesn't work.
We would have to do something similar to the previous line where it's
cast to int and then long. However, it's simpler to store the return in
an int ret variable.
This bug would eventually result in a crash when dereference the invalid
error pointer.
Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
Cc: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4359,11 +4359,13 @@ static void *smb2_aead_req_alloc(struct
unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm);
unsigned int iv_size = crypto_aead_ivsize(tfm);
unsigned int len;
+ int ret;
u8 *p;
- *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig);
- if (IS_ERR_VALUE((long)(int)*num_sgs))
- return ERR_PTR(*num_sgs);
+ ret = cifs_get_num_sgs(rqst, num_rqst, sig);
+ if (ret < 0)
+ return ERR_PTR(ret);
+ *num_sgs = ret;
len = iv_size;
len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 216/518] ksmbd: prevent path traversal bypass by restricting caseless retry
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 215/518] smb/client: Fix error code in smb2_aead_req_alloc() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 217/518] ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE Greg Kroah-Hartman
` (305 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Y s65, Namjae Jeon, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 54bab9ba5a9f156ffa9324fcbe5a356fd0242f95 upstream.
ksmbd_vfs_path_lookup() enforces LOOKUP_BENEATH to restrict path
resolution within the share root. When a crafted path attempts to
escape the share boundary using parent-directory components ('..'),
vfs_path_parent_lookup() detects this and immediately fails,
returning -EXDEV.
However, a bug exists in __ksmbd_vfs_kern_path() under caseless mode.
The function fails to intercept the -EXDEV error and erroneously
falls through to the caseless retry logic, which is intended only
for genuinely missing files. During this retry process, the path
is reconstructed, leading to an unintended LOOKUP_BENEATH bypass
that allows write-capable users to create zero-length files or
directories outside the exported share.
Fix this by ensuring that the execution only proceeds to the caseless
lookup retry when the error is specifically -ENOENT. Any other errors,
such as -EXDEV from a path traversal attempt, must be returned immediately.
Cc: stable@vger.kernel.org
Reported-by: Y s65 <yu4ys@outlook.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1149,7 +1149,7 @@ int __ksmbd_vfs_kern_path(struct ksmbd_w
retry:
err = ksmbd_vfs_path_lookup(share_conf, filepath, flags, path, for_remove);
- if (!err || !caseless)
+ if (!err || err != -ENOENT || !caseless)
return err;
path_len = strlen(filepath);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 217/518] ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 216/518] ksmbd: prevent path traversal bypass by restricting caseless retry Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 218/518] ksmbd: add a permission check for FSCTL_SET_ZERO_DATA Greg Kroah-Hartman
` (304 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 upstream.
The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() overwrites the
destination file's data via vfs_clone_file_range() with neither the
share-level KSMBD_TREE_CONN_FLAG_WRITABLE check nor a per-handle
fp->daccess check that the other write-bearing arms carry. A client can
overwrite destination data on a read-only share, or from a handle opened
with only FILE_WRITE_ATTRIBUTES (which still yields an FMODE_WRITE filp).
FILE_WRITE_ATTRIBUTES-only destination handle overwrote the file's data via
the clone. Add both checks, matching the FSCTL_SET_SPARSE permission fix;
require FILE_WRITE_DATA since this writes data.
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8562,6 +8562,17 @@ int smb2_ioctl(struct ksmbd_work *work)
goto dup_ext_out;
}
+ if (!test_tree_conn_flag(work->tcon,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ret = -EACCES;
+ goto dup_ext_out;
+ }
+
+ if (!(fp_out->daccess & FILE_WRITE_DATA_LE)) {
+ ret = -EACCES;
+ goto dup_ext_out;
+ }
+
src_off = le64_to_cpu(dup_ext->SourceFileOffset);
dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
length = le64_to_cpu(dup_ext->ByteCount);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 218/518] ksmbd: add a permission check for FSCTL_SET_ZERO_DATA
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 217/518] ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 219/518] ksmbd: serialize QUERY_DIRECTORY requests per file Greg Kroah-Hartman
` (303 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 3320ba068198adc144c89d6661b805acce01735b upstream.
FSCTL_SET_ZERO_DATA in smb2_ioctl() destroys file data via
ksmbd_vfs_zero_data() -> vfs_fallocate(PUNCH_HOLE/ZERO_RANGE) after
checking only the share-level KSMBD_TREE_CONN_FLAG_WRITABLE, with no
per-handle access check. A handle opened with only FILE_WRITE_ATTRIBUTES
still yields an FMODE_WRITE filp (FILE_WRITE_ATTRIBUTES is part of
FILE_WRITE_DESIRE_ACCESS_LE, so smb2_create_open_flags() opens it
O_WRONLY), so the vfs_fallocate FMODE_WRITE check does not stop it; only
the missing fp->daccess gate would. Reproduced on mainline 7.1-rc7 with
KASAN by an authenticated SMB client: a FILE_WRITE_ATTRIBUTES-only handle
zeroed 4096 bytes of file data it had no FILE_WRITE_DATA right to
(6/6; a FILE_READ_DATA-only handle was correctly denied).
This is the unfixed sibling of commit cc57232cae23 ("ksmbd: fix FSCTL
permission bypass by adding a permission check for FSCTL_SET_SPARSE").
Because SET_ZERO_DATA writes data (not an attribute), require
FILE_WRITE_DATA.
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8487,6 +8487,12 @@ int smb2_ioctl(struct ksmbd_work *work)
goto out;
}
+ if (!(fp->daccess & FILE_WRITE_DATA_LE)) {
+ ksmbd_fd_put(work, fp);
+ ret = -EACCES;
+ goto out;
+ }
+
ret = ksmbd_vfs_zero_data(work, fp, off, len);
ksmbd_fd_put(work, fp);
if (ret < 0)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 219/518] ksmbd: serialize QUERY_DIRECTORY requests per file
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 218/518] ksmbd: add a permission check for FSCTL_SET_ZERO_DATA Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 220/518] ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation Greg Kroah-Hartman
` (302 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
zdi-disclosures
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit be6d26bf27499977c746abc163659915082348d8 upstream.
smb2_query_dir() stores a pointer to its stack-allocated private data in
the ksmbd_file readdir_data. Concurrent QUERY_DIRECTORY requests using the
same file handle can overwrite this pointer while an iterate_dir() callback
is still using it, resulting in a stack use-after-free.
Add a per-file mutex and hold it while accessing the shared directory
enumeration state. The lock covers scan restart, dot entry state,
readdir_data setup and iteration, and response construction. This prevents
another request from replacing readdir_data.private before the current
request has finished using it and also serializes the shared file position.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-30527
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++++
fs/smb/server/vfs_cache.c | 1 +
fs/smb/server/vfs_cache.h | 2 ++
3 files changed, 7 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4470,6 +4470,8 @@ int smb2_query_dir(struct ksmbd_work *wo
ksmbd_debug(SMB, "Search pattern is %s\n", srch_ptr);
}
+ mutex_lock(&dir_fp->readdir_lock);
+
if (srch_flag & SMB2_REOPEN || srch_flag & SMB2_RESTART_SCANS) {
ksmbd_debug(SMB, "Restart directory scan\n");
generic_file_llseek(dir_fp->filp, 0, SEEK_SET);
@@ -4574,6 +4576,7 @@ no_buf_len:
goto err_out;
}
+ mutex_unlock(&dir_fp->readdir_lock);
kfree(srch_ptr);
ksmbd_fd_put(work, dir_fp);
ksmbd_revert_fsids(work);
@@ -4581,6 +4584,7 @@ no_buf_len:
err_out:
pr_err("error while processing smb2 query dir rc = %d\n", rc);
+ mutex_unlock(&dir_fp->readdir_lock);
kfree(srch_ptr);
err_out2:
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -790,6 +790,7 @@ struct ksmbd_file *ksmbd_open_fd(struct
INIT_LIST_HEAD(&fp->node);
INIT_LIST_HEAD(&fp->lock_list);
spin_lock_init(&fp->f_lock);
+ mutex_init(&fp->readdir_lock);
atomic_set(&fp->refcount, 1);
fp->filp = filp;
--- a/fs/smb/server/vfs_cache.h
+++ b/fs/smb/server/vfs_cache.h
@@ -8,6 +8,7 @@
#include <linux/file.h>
#include <linux/fs.h>
+#include <linux/mutex.h>
#include <linux/rwsem.h>
#include <linux/spinlock.h>
#include <linux/idr.h>
@@ -113,6 +114,7 @@ struct ksmbd_file {
/* if ls is happening on directory, below is valid*/
struct ksmbd_readdir_data readdir_data;
+ struct mutex readdir_lock;
int dot_dotdot[2];
unsigned int f_state;
bool reserve_lease_break;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 220/518] ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 219/518] ksmbd: serialize QUERY_DIRECTORY requests per file Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 221/518] ksmbd: require source read access for duplicate extents Greg Kroah-Hartman
` (301 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davide Ornaghi, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Ornaghi <d.ornaghi97@gmail.com>
commit d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e upstream.
When a blocking byte-range lock request is deferred in the
FILE_LOCK_DEFERRED path, ksmbd registers the asynchronous work into
the connection's async_requests list via setup_async_work(). The cancel
callback smb2_remove_blocked_lock() holds a reference to the flock.
If the lock waiter is subsequently woken up but the work state is no
longer KSMBD_WORK_ACTIVE (e.g., due to a concurrent cancellation), the
cleanup path calls locks_free_lock(flock) without dequeuing the work from
the async_requests list. Concurrently, smb2_cancel() walks the list
under conn->request_lock and invokes the cancel callback, which then
dereferences the already freed 'flock'. This leads to a slab-use-after-free
inside __wake_up_common.
Fix this by restructuring the cleanup logic after the worker returns
from ksmbd_vfs_posix_lock_wait(). Move list_del(&smb_lock->llist) and
release_async_work(work) to the top of the cleanup block. This guarantees
that the async work is completely dequeued and serialized under
conn->request_lock before locks_free_lock(flock) is called, rendering
the flock unreachable for any concurrent smb2_cancel().
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 34 ++++++++++++++++------------------
1 file changed, 16 insertions(+), 18 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7746,29 +7746,27 @@ skip:
list_del(&work->fp_entry);
spin_unlock(&fp->f_lock);
- if (work->state != KSMBD_WORK_ACTIVE) {
- list_del(&smb_lock->llist);
- locks_free_lock(flock);
+ list_del(&smb_lock->llist);
+ release_async_work(work);
+
+ if (work->state == KSMBD_WORK_ACTIVE)
+ goto retry;
- if (work->state == KSMBD_WORK_CANCELLED) {
- rsp->hdr.Status =
- STATUS_CANCELLED;
- kfree(smb_lock);
- smb2_send_interim_resp(work,
- STATUS_CANCELLED);
- work->send_no_response = 1;
- goto out;
- }
+ locks_free_lock(flock);
- rsp->hdr.Status =
- STATUS_RANGE_NOT_LOCKED;
+ if (work->state == KSMBD_WORK_CANCELLED) {
+ rsp->hdr.Status = STATUS_CANCELLED;
kfree(smb_lock);
- goto out2;
+ smb2_send_interim_resp(work,
+ STATUS_CANCELLED);
+ work->send_no_response = 1;
+ goto out;
}
- list_del(&smb_lock->llist);
- release_async_work(work);
- goto retry;
+ rsp->hdr.Status =
+ STATUS_RANGE_NOT_LOCKED;
+ kfree(smb_lock);
+ goto out2;
} else if (!rc) {
list_add(&smb_lock->llist, &rollback_list);
spin_lock(&work->conn->llist_lock);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 221/518] ksmbd: require source read access for duplicate extents
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 220/518] ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 222/518] ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY Greg Kroah-Hartman
` (300 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Musaab Khan, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit cedff600f1642aa982178503552f0d007bc829c8 upstream.
FSCTL_DUPLICATE_EXTENTS_TO_FILE passes the source file directly to
vfs_clone_file_range() or vfs_copy_file_range() without checking the SMB
access mask granted to the source handle. A handle opened with attribute
access can consequently be used to copy file contents into an
attacker-readable destination.
Require FILE_READ_DATA on the source handle before either VFS operation,
matching other ksmbd data-copy paths.
Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8580,6 +8580,10 @@ int smb2_ioctl(struct ksmbd_work *work)
ret = -EACCES;
goto dup_ext_out;
}
+ if (!(fp_in->daccess & FILE_READ_DATA_LE)) {
+ ret = -EACCES;
+ goto dup_ext_out;
+ }
src_off = le64_to_cpu(dup_ext->SourceFileOffset);
dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 222/518] ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 221/518] ksmbd: require source read access for duplicate extents Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 223/518] ksmbd: run set info with opener credentials Greg Kroah-Hartman
` (299 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 44df157a1183a7f746caa970c169255da5ac61f8 upstream.
commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a
permission check for FSCTL_SET_SPARSE") added a fp->daccess gate to
fsctl_set_sparse and noted that "similar handle-level checks exist in other
functions but are missing here." The SMB2 SET_INFO SECURITY arm is one of
the missing ones, and the most security-relevant: smb2_set_info_sec() calls
set_info_sec() with no per-handle access check.
set_info_sec() (fs/smb/server/smbacl.c) re-permissions the file: it
rewrites owner/group/mode via notify_change(), rewrites the POSIX ACL via
set_posix_acl(), and on KSMBD_SHARE_FLAG_ACL_XATTR shares removes and
rewrites the Windows security descriptor via ksmbd_vfs_set_sd_xattr().
Every other persistent-mutation arm of the sibling handler
smb2_set_info_file() checks fp->daccess first (FILE_WRITE_DATA /
FILE_DELETE / FILE_WRITE_EA / FILE_WRITE_ATTRIBUTES); the SECURITY arm —
which mutates the access control itself — is the only one with no gate.
A client can therefore open a handle with FILE_WRITE_ATTRIBUTES only (no
FILE_WRITE_DAC / FILE_WRITE_OWNER) and use SMB2_SET_INFO with InfoType
SMB2_O_INFO_SECURITY to rewrite the file's DACL and owner, granting itself
access the handle's daccess never carried. Unlike the FSCTL data arms this
is a metadata/xattr operation, so there is no FMODE_WRITE VFS backstop —
the missing fp->daccess check is the entire gate.
Setting a security descriptor is the WRITE_DAC / WRITE_OWNER operation, so
require at least one of those on the handle before re-permissioning the
file. -EACCES is mapped to STATUS_ACCESS_DENIED by smb2_set_info().
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6615,6 +6615,9 @@ static int smb2_set_info_sec(struct ksmb
fp->saccess |= FILE_SHARE_DELETE_LE;
+ if (!(fp->daccess & (FILE_WRITE_DAC_LE | FILE_WRITE_OWNER_LE)))
+ return -EACCES;
+
return set_info_sec(fp->conn, fp->tcon, &fp->filp->f_path, pntsd,
buf_len, false, true);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 223/518] ksmbd: run set info with opener credentials
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 222/518] ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 224/518] ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION Greg Kroah-Hartman
` (298 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Musaab Khan, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit b383bcad3d2fe634b26efbce53e22bbb5753a520 upstream.
SMB2 SET_INFO handlers call path-based VFS helpers after checking the
access mask granted to the SMB handle. Those helpers perform their owner,
inode permission and LSM checks using the current ksmbd worker credentials.
Run the complete SET_INFO dispatch with the credentials captured when the
handle was opened. This also removes the separate security information
credential setup and keeps all SET_INFO classes under one credential scope.
Direct override_creds() is used because it can nest with the request
credential overrides already used by rename and link helpers.
Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6630,6 +6630,7 @@ static int smb2_set_info_sec(struct ksmb
*/
int smb2_set_info(struct ksmbd_work *work)
{
+ const struct cred *saved_cred;
struct smb2_set_info_req *req;
struct smb2_set_info_rsp *rsp;
struct ksmbd_file *fp = NULL;
@@ -6671,6 +6672,7 @@ int smb2_set_info(struct ksmbd_work *wor
goto err_out;
}
+ saved_cred = override_creds(fp->filp->f_cred);
switch (req->InfoType) {
case SMB2_O_INFO_FILE:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
@@ -6678,19 +6680,15 @@ int smb2_set_info(struct ksmbd_work *wor
break;
case SMB2_O_INFO_SECURITY:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
- if (ksmbd_override_fsids(work)) {
- rc = -ENOMEM;
- goto err_out;
- }
rc = smb2_set_info_sec(fp,
le32_to_cpu(req->AdditionalInformation),
(char *)req + le16_to_cpu(req->BufferOffset),
le32_to_cpu(req->BufferLength));
- ksmbd_revert_fsids(work);
break;
default:
rc = -EOPNOTSUPP;
}
+ revert_creds(saved_cred);
if (rc < 0)
goto err_out;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 224/518] ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 223/518] ksmbd: run set info with opener credentials Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 225/518] ksmbd: add per-handle permission check to FILE_LINK_INFORMATION Greg Kroah-Hartman
` (297 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 20c8442dc1003f9f7bb522d3dcd81d09ea59a79e upstream.
find_file_posix_info() in smb2_query_info() returns file metadata (owner
uid, group gid, mode, inode, size, allocation size, hard-link count and all
four timestamps) but performs no per-handle access check. Every sibling
query handler gates on the handle's granted access first --
get_file_basic_info(), get_file_all_info(), get_file_network_open_info()
and get_file_attribute_tag_info() all reject a handle lacking
FILE_READ_ATTRIBUTES_LE with -EACCES. The POSIX handler is gated only by
the connection-scoped tcon->posix_extensions flag, which is not a
per-handle authorization, so a handle opened with only FILE_WRITE_DATA is
correctly denied FileBasicInformation yet is allowed the strict-superset
POSIX info. Mirror the FILE_READ_ATTRIBUTES_LE gate the sibling info
handlers already use.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -5337,6 +5337,12 @@ static int find_file_posix_info(struct s
int out_buf_len = sizeof(struct smb311_posix_qinfo) + 32;
int ret;
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ pr_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
AT_STATX_SYNC_AS_STAT);
if (ret)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 225/518] ksmbd: add per-handle permission check to FILE_LINK_INFORMATION
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 224/518] ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 226/518] ksmbd: use opener credentials for delete-on-close Greg Kroah-Hartman
` (296 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 13f3942f2bf45856bb751faed2f0c4618f41ca20 upstream.
The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls
smb2_create_link() with no per-handle fp->daccess check. On the
ReplaceIfExists path smb2_create_link() unlinks an existing file at the
target name (ksmbd_vfs_remove_file) and creates a hardlink
(ksmbd_vfs_link); neither helper checks daccess. A handle opened with
FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore
delete an arbitrary file in the share and plant a hardlink over its name.
The sibling delete/move arms in the same switch already gate:
FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require
FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE. Gate
the link arm the same way as its closest analogue (rename), since it
mutates the namespace and, on replace, deletes an existing entry.
This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission
bypass by adding a permission check for FSCTL_SET_SPARSE").
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6564,6 +6564,11 @@ static int smb2_set_info_file(struct ksm
}
case FILE_LINK_INFORMATION:
{
+ if (!(fp->daccess & FILE_DELETE_LE)) {
+ pr_err("no right to delete : 0x%x\n", fp->daccess);
+ return -EACCES;
+ }
+
if (buf_len < sizeof(struct smb2_file_link_info))
return -EMSGSIZE;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 226/518] ksmbd: use opener credentials for delete-on-close
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 225/518] ksmbd: add per-handle permission check to FILE_LINK_INFORMATION Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 227/518] ksmbd: use opener credentials for ADS I/O Greg Kroah-Hartman
` (295 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Musaab Khan, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 52e2f21911158ec961cd5aae19c56460db382af0 upstream.
Delete-on-close can be completed by deferred or durable handle teardown,
where no request work is available. Both the base-file unlink and the ADS
xattr removal consequently run with the ksmbd worker credentials and can
bypass filesystem permission checks.
Run both operations with the credentials captured in struct file when the
handle was opened. This preserves the authenticated user's fsuid, fsgid,
supplementary groups and capability restrictions at final close.
Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs.c | 7 +++++--
fs/smb/server/vfs_cache.c | 4 ++++
2 files changed, 9 insertions(+), 2 deletions(-)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1009,13 +1009,15 @@ int ksmbd_vfs_remove_xattr(struct mnt_id
int ksmbd_vfs_unlink(struct file *filp)
{
+ const struct cred *saved_cred;
int err = 0;
struct dentry *dir, *dentry = filp->f_path.dentry;
struct mnt_idmap *idmap = file_mnt_idmap(filp);
+ saved_cred = override_creds(filp->f_cred);
err = mnt_want_write(filp->f_path.mnt);
if (err)
- return err;
+ goto out_revert;
dir = dget_parent(dentry);
dentry = start_removing_dentry(dir, dentry);
@@ -1034,7 +1036,8 @@ int ksmbd_vfs_unlink(struct file *filp)
out:
dput(dir);
mnt_drop_write(filp->f_path.mnt);
-
+out_revert:
+ revert_creds(saved_cred);
return err;
}
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -385,10 +385,14 @@ static void __ksmbd_inode_close(struct k
up_write(&ci->m_lock);
if (remove_stream_xattr) {
+ const struct cred *saved_cred;
+
+ saved_cred = override_creds(filp->f_cred);
err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
&filp->f_path,
fp->stream.name,
true);
+ revert_creds(saved_cred);
if (err)
pr_err("remove xattr failed : %s\n",
fp->stream.name);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 227/518] ksmbd: use opener credentials for ADS I/O
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 226/518] ksmbd: use opener credentials for delete-on-close Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 228/518] ksmbd: track the connection owning a byte-range lock Greg Kroah-Hartman
` (294 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Musaab Khan, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit baa5e094886fffa7e6272edcb5e08be5ce28262c upstream.
Alternate data streams are stored as xattrs. Unlike regular file I/O,
their read and write paths therefore call VFS xattr helpers which recheck
inode permissions and LSM policy using the current task credentials.
Run ADS I/O with the credentials captured when the SMB handle was opened.
Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -254,17 +254,20 @@ out:
static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
size_t count)
{
+ const struct cred *saved_cred;
ssize_t v_len;
char *stream_buf = NULL;
ksmbd_debug(VFS, "read stream data pos : %llu, count : %zd\n",
*pos, count);
+ saved_cred = override_creds(fp->filp->f_cred);
v_len = ksmbd_vfs_getcasexattr(file_mnt_idmap(fp->filp),
fp->filp->f_path.dentry,
fp->stream.name,
fp->stream.size,
&stream_buf);
+ revert_creds(saved_cred);
if ((int)v_len <= 0)
return (int)v_len;
@@ -388,6 +391,7 @@ int ksmbd_vfs_read(struct ksmbd_work *wo
static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
size_t count)
{
+ const struct cred *saved_cred;
char *stream_buf = NULL, *wbuf;
struct mnt_idmap *idmap = file_mnt_idmap(fp->filp);
size_t size;
@@ -408,6 +412,7 @@ static int ksmbd_vfs_stream_write(struct
count = XATTR_SIZE_MAX - *pos;
}
+ saved_cred = override_creds(fp->filp->f_cred);
v_len = ksmbd_vfs_getcasexattr(idmap,
fp->filp->f_path.dentry,
fp->stream.name,
@@ -416,14 +421,14 @@ static int ksmbd_vfs_stream_write(struct
if (v_len < 0) {
pr_err("not found stream in xattr : %zd\n", v_len);
err = v_len;
- goto out;
+ goto out_revert;
}
if (v_len < size) {
wbuf = kvzalloc(size, KSMBD_DEFAULT_GFP);
if (!wbuf) {
err = -ENOMEM;
- goto out;
+ goto out_revert;
}
if (v_len > 0)
@@ -441,6 +446,8 @@ static int ksmbd_vfs_stream_write(struct
size,
0,
true);
+out_revert:
+ revert_creds(saved_cred);
if (err < 0)
goto out;
else
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 228/518] ksmbd: track the connection owning a byte-range lock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 227/518] ksmbd: use opener credentials for ADS I/O Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 229/518] ksmbd: validate NTLMv2 response before updating session key Greg Kroah-Hartman
` (293 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Musaab Khan, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit c1016dd1d8b2bcd1158bbaabe94a31bb7e7431fb upstream.
SMB2_LOCK adds each granted byte-range lock to both the file lock list
and the lock list of the connection which handled the request. The
final close and durable handle paths, however, remove the connection
list entry while holding fp->conn->llist_lock.
With SMB3 multichannel, the connection handling the LOCK request can be
different from the connection which opened the file. The entry can
therefore be removed under a different spinlock from the one protecting
the list it belongs to. A concurrent traversal can then access freed
struct ksmbd_lock and struct file_lock objects.
Record the connection owning each lock's clist entry and hold a
reference to it while the entry is linked. Use that connection and its
llist_lock for unlock, rollback, close, and durable preserve. Durable
reconnect assigns the new connection as the owner when publishing the
locks again.
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 10 ++++++++--
fs/smb/server/vfs_cache.c | 23 +++++++++++++++++------
fs/smb/server/vfs_cache.h | 1 +
3 files changed, 26 insertions(+), 8 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7644,9 +7644,11 @@ int smb2_lock(struct ksmbd_work *work)
nolock = 0;
list_del(&cmp_lock->flist);
list_del(&cmp_lock->clist);
+ cmp_lock->conn = NULL;
spin_unlock(&conn->llist_lock);
up_read(&conn_list_lock);
+ ksmbd_conn_put(conn);
locks_free_lock(cmp_lock->fl);
kfree(cmp_lock);
goto out_check_cl;
@@ -7781,6 +7783,7 @@ skip:
goto out2;
} else if (!rc) {
list_add(&smb_lock->llist, &rollback_list);
+ smb_lock->conn = ksmbd_conn_get(work->conn);
spin_lock(&work->conn->llist_lock);
list_add_tail(&smb_lock->clist,
&work->conn->lock_list);
@@ -7835,11 +7838,14 @@ out:
}
list_del(&smb_lock->llist);
- spin_lock(&work->conn->llist_lock);
+ conn = smb_lock->conn;
+ spin_lock(&conn->llist_lock);
if (!list_empty(&smb_lock->flist))
list_del(&smb_lock->flist);
list_del(&smb_lock->clist);
- spin_unlock(&work->conn->llist_lock);
+ smb_lock->conn = NULL;
+ spin_unlock(&conn->llist_lock);
+ ksmbd_conn_put(conn);
locks_free_lock(smb_lock->fl);
if (rlock)
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -484,10 +484,14 @@ static void __ksmbd_close_fd(struct ksmb
* there are not accesses to fp->lock_list.
*/
list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
- if (!list_empty(&smb_lock->clist) && fp->conn) {
- spin_lock(&fp->conn->llist_lock);
- list_del(&smb_lock->clist);
- spin_unlock(&fp->conn->llist_lock);
+ struct ksmbd_conn *conn = smb_lock->conn;
+
+ if (conn) {
+ spin_lock(&conn->llist_lock);
+ list_del_init(&smb_lock->clist);
+ smb_lock->conn = NULL;
+ spin_unlock(&conn->llist_lock);
+ ksmbd_conn_put(conn);
}
list_del(&smb_lock->flist);
@@ -1303,9 +1307,15 @@ static bool session_fd_check(struct ksmb
up_write(&ci->m_lock);
list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
- spin_lock(&conn->llist_lock);
+ struct ksmbd_conn *lock_conn = smb_lock->conn;
+
+ if (!lock_conn)
+ continue;
+ spin_lock(&lock_conn->llist_lock);
list_del_init(&smb_lock->clist);
- spin_unlock(&conn->llist_lock);
+ smb_lock->conn = NULL;
+ spin_unlock(&lock_conn->llist_lock);
+ ksmbd_conn_put(lock_conn);
}
fp->conn = NULL;
@@ -1435,6 +1445,7 @@ int ksmbd_reopen_durable_fd(struct ksmbd
}
list_for_each_entry(smb_lock, &fp->lock_list, flist) {
+ smb_lock->conn = ksmbd_conn_get(conn);
spin_lock(&conn->llist_lock);
list_add_tail(&smb_lock->clist, &conn->lock_list);
spin_unlock(&conn->llist_lock);
--- a/fs/smb/server/vfs_cache.h
+++ b/fs/smb/server/vfs_cache.h
@@ -32,6 +32,7 @@ struct ksmbd_session;
struct ksmbd_lock {
struct file_lock *fl;
+ struct ksmbd_conn *conn;
struct list_head clist;
struct list_head flist;
struct list_head llist;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 229/518] ksmbd: validate NTLMv2 response before updating session key
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 228/518] ksmbd: track the connection owning a byte-range lock Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 230/518] smb/client: fix chown/chgrp with SMB3 POSIX Extensions Greg Kroah-Hartman
` (292 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haofeng Li, ChenXiaoSong,
Namjae Jeon, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haofeng Li <lihaofeng@kylinos.cn>
commit 954d196bebb2b50151cb96454c72dc113b2af1ac upstream.
ksmbd_auth_ntlmv2() derives the NTLMv2 session key into
sess->sess_key before it verifies the NTLMv2 response.
ksmbd_decode_ntlmssp_auth_blob() then continues into KEY_XCH even
when ksmbd_auth_ntlmv2() failed.
With SMB3 multichannel binding, the failed authentication operates on
an existing session and the session setup error path does not expire
binding sessions. A client can send a binding session setup with a
bad NT proof and KEY_XCH and still modify sess->sess_key before
STATUS_LOGON_FAILURE is returned.
Relevant path:
smb2_sess_setup()
-> conn->binding = true
-> ntlm_authenticate()
-> session_user()
-> ksmbd_decode_ntlmssp_auth_blob()
-> ksmbd_auth_ntlmv2()
-> calc_ntlmv2_hash()
-> hmac_md5_usingrawkey(..., sess->sess_key)
-> crypto_memneq() returns mismatch
-> KEY_XCH arc4_crypt(..., sess->sess_key, ...)
-> out_err without expiring the binding session
Derive the base session key into a local buffer and copy it to
sess->sess_key only after the proof matches. Return immediately on
authentication failure so KEY_XCH is only processed after successful
authentication.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Fixes: f9929ef6a2a5 ("ksmbd: add support for key exchange")
Cc: stable@vger.kernel.org
Signed-off-by: Haofeng Li <lihaofeng@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/auth.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -142,6 +142,7 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
{
char ntlmv2_hash[CIFS_ENCPWD_SIZE];
char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
+ char sess_key[SMB2_NTLMV2_SESSKEY_SIZE];
struct hmac_md5_ctx ctx;
int rc;
@@ -164,12 +165,21 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
/* Generate the session key */
hmac_md5_usingrawkey(ntlmv2_hash, CIFS_HMAC_MD5_HASH_SIZE,
ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE,
- sess->sess_key);
+ sess_key);
if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp,
- CIFS_HMAC_MD5_HASH_SIZE))
- return -EINVAL;
- return 0;
+ CIFS_HMAC_MD5_HASH_SIZE)) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ memcpy(sess->sess_key, sess_key, sizeof(sess_key));
+ rc = 0;
+out:
+ memzero_explicit(ntlmv2_hash, sizeof(ntlmv2_hash));
+ memzero_explicit(ntlmv2_rsp, sizeof(ntlmv2_rsp));
+ memzero_explicit(sess_key, sizeof(sess_key));
+ return rc;
}
/**
@@ -226,6 +236,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struc
nt_len - CIFS_ENCPWD_SIZE,
domain_name, conn->ntlmssp.cryptkey);
kfree(domain_name);
+ if (ret)
+ return ret;
/* The recovered secondary session key */
if (conn->ntlmssp.client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 230/518] smb/client: fix chown/chgrp with SMB3 POSIX Extensions
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 229/518] ksmbd: validate NTLMv2 response before updating session key Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 231/518] smb: client: fix query directory replay double-free Greg Kroah-Hartman
` (291 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ralph Boehme, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ralph Boehme <slow@samba.org>
commit 760ef2c579c2609cf17fb1cd5392f64d42d43d33 upstream.
Ownership (chown) and group (chgrp) modifications were being ignored when
mounting with SMB3 POSIX Extensions unless CIFS_MOUNT_CIFS_ACL or
CIFS_MOUNT_MODE_FROM_SID were also explicitly set.
Fix this by checking for posix_extensions in cifs_setattr_nounix() when
updating UID and GID, ensuring that id_mode_to_cifs_acl() is called to map
and set the ownership/group information on the server.
Cc: stable@vger.kernel.org
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/smb/client/inode.c
+++ b/fs/smb/client/inode.c
@@ -3348,7 +3348,8 @@ cifs_setattr_nounix(struct dentry *diren
if (attrs->ia_valid & ATTR_GID)
gid = attrs->ia_gid;
- if (sbflags & (CIFS_MOUNT_CIFS_ACL | CIFS_MOUNT_MODE_FROM_SID)) {
+ if ((sbflags & (CIFS_MOUNT_CIFS_ACL | CIFS_MOUNT_MODE_FROM_SID)) ||
+ cifs_sb_master_tcon(cifs_sb)->posix_extensions) {
if (uid_valid(uid) || gid_valid(gid)) {
mode = NO_CHANGE_64;
rc = id_mode_to_cifs_acl(inode, full_path, &mode,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 231/518] smb: client: fix query directory replay double-free
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 230/518] smb/client: fix chown/chgrp with SMB3 POSIX Extensions Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 232/518] smb: client: fix query_info() " Greg Kroah-Hartman
` (290 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit 9647492b5e41954be59d5157eddbcd4cdc1656f7 upstream.
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_query_directory_init() fails before the next send,
cleanup retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5683,6 +5683,8 @@ SMB2_query_directory(const unsigned int
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 232/518] smb: client: fix query_info() replay double-free
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 231/518] smb: client: fix query directory replay double-free Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 233/518] smb: client: fix double-free in SMB2_ioctl() replay Greg Kroah-Hartman
` (289 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit 2a88561d66eb855813cf004a0abe648bbb17de5e upstream.
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_query_info_init() fails before the next send,
cleanup retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3911,6 +3911,8 @@ query_info(const unsigned int xid, struc
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
allocated = false;
server = cifs_pick_channel(ses);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 233/518] smb: client: fix double-free in SMB2_ioctl() replay
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 232/518] smb: client: fix query_info() " Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 234/518] smb: client: fix change notify replay double-free Greg Kroah-Hartman
` (288 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9 upstream.
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_ioctl_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3505,6 +3505,8 @@ SMB2_ioctl(const unsigned int xid, struc
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 234/518] smb: client: fix change notify replay double-free
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 233/518] smb: client: fix double-free in SMB2_ioctl() replay Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 235/518] smb: client: fix double-free in SMB2_flush() replay Greg Kroah-Hartman
` (287 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit 145f820dcbb2cced374f2532f8a61a44dce4a615 upstream.
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_notify_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4087,6 +4087,8 @@ SMB2_change_notify(const unsigned int xi
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 235/518] smb: client: fix double-free in SMB2_flush() replay
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 234/518] smb: client: fix change notify replay double-free Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 236/518] smb: client: fix double-free in SMB2_open() replay Greg Kroah-Hartman
` (286 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Zhengchuan Liang, Xin Liu,
Henrique Carvalho, Zhao Zhang, Ren Wei, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Zhang <zzhan461@ucr.edu>
commit 4be31c943a3a27a5a0251dbb8f5cb89059ec3d5a upstream.
SMB2_flush() keeps its response buffer bookkeeping across replay
attempts. If a replayable flush response is received and the retry then
fails before cifs_send_recv() stores a replacement response, flush_exit
will free the stale response pointer a second time.
Reinitialize resp_buftype and rsp_iov at the top of the replay loop so
cleanup only acts on response state produced by the current attempt.
This fixes a double-free without changing replay handling for successful
requests.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4431,6 +4431,8 @@ SMB2_flush(const unsigned int xid, struc
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 236/518] smb: client: fix double-free in SMB2_open() replay
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 235/518] smb: client: fix double-free in SMB2_flush() replay Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 237/518] smb: client: fix double-free in SMB2_close() replay Greg Kroah-Hartman
` (285 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit b55e182f2324bc6a604c21a47aa6c448f719a532 upstream.
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_open_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3280,6 +3280,8 @@ SMB2_open(const unsigned int xid, struct
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
oparms->replay = !!(retries);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 237/518] smb: client: fix double-free in SMB2_close() replay
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 236/518] smb: client: fix double-free in SMB2_open() replay Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 238/518] smb: client: Fix next buffer leak in receive_encrypted_standard() Greg Kroah-Hartman
` (284 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit f96e1cdcb63ed3321142ff2fcdf784e32cda8fee upstream.
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_close_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3703,6 +3703,8 @@ __SMB2_close(const unsigned int xid, str
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
query_attrs = false;
server = cifs_pick_channel(ses);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 238/518] smb: client: Fix next buffer leak in receive_encrypted_standard()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 237/518] smb: client: fix double-free in SMB2_close() replay Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 239/518] smb: client: use unaligned reads in parse_posix_ctxt() Greg Kroah-Hartman
` (283 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 1c6267a1d5cf4c73b656f8181b310cbbb3e4767b upstream.
receive_encrypted_standard() allocates next_buffer before checking
whether the number of compound PDUs already reached MAX_COMPOUND. If
the limit check fails, the function returns immediately and the newly
allocated next_buffer is not assigned to server->smallbuf/server->bigbuf,
making it leaked.
Move the MAX_COMPOUND check before allocating next_buffer.
Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -5111,6 +5111,12 @@ receive_encrypted_standard(struct TCP_Se
one_more:
shdr = (struct smb2_hdr *)buf;
next_cmd = le32_to_cpu(shdr->NextCommand);
+
+ if (*num_mids >= MAX_COMPOUND) {
+ cifs_server_dbg(VFS, "too many PDUs in compound\n");
+ return -1;
+ }
+
if (next_cmd) {
if (WARN_ON_ONCE(next_cmd > pdu_length))
return -1;
@@ -5134,10 +5140,6 @@ one_more:
mid_entry->resp_buf_size = server->pdu_size;
}
- if (*num_mids >= MAX_COMPOUND) {
- cifs_server_dbg(VFS, "too many PDUs in compound\n");
- return -1;
- }
bufs[*num_mids] = buf;
mids[(*num_mids)++] = mid_entry;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 239/518] smb: client: use unaligned reads in parse_posix_ctxt()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 238/518] smb: client: Fix next buffer leak in receive_encrypted_standard() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 240/518] smb: client: harden POSIX SID length parsing Greg Kroah-Hartman
` (282 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zihan Xi, Ren Wei, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zihan Xi <xizh2024@lzu.edu.cn>
commit b86467cd2691192ad4809a5a6e922fc24b8e9839 upstream.
The server controls create-context DataOffset, so the POSIX context data
pointer may be misaligned on strict-alignment architectures. Use
get_unaligned_le32() when reading nlink, reparse_tag, and mode.
Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data")
Cc: stable@vger.kernel.org
Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -2371,9 +2371,9 @@ parse_posix_ctxt(struct create_context *
memset(posix, 0, sizeof(*posix));
- posix->nlink = le32_to_cpu(*(__le32 *)(beg + 0));
- posix->reparse_tag = le32_to_cpu(*(__le32 *)(beg + 4));
- posix->mode = le32_to_cpu(*(__le32 *)(beg + 8));
+ posix->nlink = get_unaligned_le32(beg);
+ posix->reparse_tag = get_unaligned_le32(beg + 4);
+ posix->mode = get_unaligned_le32(beg + 8);
sid = beg + 12;
sid_len = posix_info_sid_size(sid, end);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 240/518] smb: client: harden POSIX SID length parsing
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 239/518] smb: client: use unaligned reads in parse_posix_ctxt() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 241/518] smb: client: fix atime clamp check in read completion Greg Kroah-Hartman
` (281 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Zihan Xi, Ren Wei, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zihan Xi <xizh2024@lzu.edu.cn>
commit 7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 upstream.
posix_info_sid_size() reads sid[1] to obtain the subauthority count,
but its existing boundary check still accepts buffers with only one
remaining byte. Require two bytes before reading sid[1] so all client
paths that reuse the helper reject truncated POSIX SIDs safely.
Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5380,7 +5380,7 @@ int posix_info_sid_size(const void *beg,
size_t subauth;
int total;
- if (beg + 1 > end)
+ if (beg + 2 > end)
return -1;
subauth = *(u8 *)(beg+1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 241/518] smb: client: fix atime clamp check in read completion
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 240/518] smb: client: harden POSIX SID length parsing Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 242/518] smb: client: mask server-provided mode to 07777 in modefromsid Greg Kroah-Hartman
` (280 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Rao, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Rao <raoxu@uniontech.com>
commit 0b043279e73880bee21d3b1f221bafda5af1b27e upstream.
cifs_rreq_done() updates the inode atime to current_time(inode) after a
netfs read. It then preserves the CIFS rule that atime should not be
older than mtime, because some applications break if atime is less than
mtime. That rule only requires clamping when atime < mtime.
The current check uses the raw non-zero result of timespec64_compare().
It therefore takes the clamp path for both atime < mtime and
atime > mtime. The latter is the normal case when reading an older file:
the newly recorded atime is newer than the file mtime. The completion
handler then immediately moves atime back to mtime, losing the access
time that was just recorded. Userspace tools that rely on atime, such as
stat, find -atime, backup tools or cold-data classifiers, can therefore
see a recently read CIFS file as not recently accessed.
This is easy to miss because the bug is silent: read I/O still succeeds,
no error is reported, and many systems either do not check atime after
reads or mount with policies such as relatime/noatime. It becomes
visible when a CIFS file has an mtime older than the current time, the
file is read, and the local inode atime is inspected before a later
revalidation replaces the cached timestamps.
Clamp only when atime is actually older than mtime. This matches the
same atime/mtime rule used when applying CIFS inode attributes.
Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -301,7 +301,7 @@ static void cifs_rreq_done(struct netfs_
/* we do not want atime to be less than mtime, it broke some apps */
atime = inode_set_atime_to_ts(inode, current_time(inode));
mtime = inode_get_mtime(inode);
- if (timespec64_compare(&atime, &mtime))
+ if (timespec64_compare(&atime, &mtime) < 0)
inode_set_atime_to_ts(inode, inode_get_mtime(inode));
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 242/518] smb: client: mask server-provided mode to 07777 in modefromsid
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 241/518] smb: client: fix atime clamp check in read completion Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 243/518] smb/server: do not require delete access for non-replacing links Greg Kroah-Hartman
` (279 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Norbert Manthey, Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Norbert Manthey <nmanthey@amazon.de>
commit e3d9c7160d483fc8f9e225aafad8ecbbc43f3151 upstream.
When modefromsid is active, parse_dacl() applies the server-provided
sub_auth[2] value from the NFS mode SID to cf_mode without masking to
07777. Apply the correct masking, same as in the read path.
Fixes: e2f8fbfb8d09c ("cifs: get mode bits from special sid on stat")
Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
Assisted-by: Kiro:claude-opus-4.6
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsacl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -889,7 +889,7 @@ static void parse_dacl(struct smb_acl *p
*/
fattr->cf_mode &= ~07777;
fattr->cf_mode |=
- le32_to_cpu(ppace[i]->sid.sub_auth[2]);
+ le32_to_cpu(ppace[i]->sid.sub_auth[2]) & 07777;
break;
} else {
if (compare_sids(&(ppace[i]->sid), pownersid) == 0) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 243/518] smb/server: do not require delete access for non-replacing links
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 242/518] smb: client: mask server-provided mode to 07777 in modefromsid Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 244/518] writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs() Greg Kroah-Hartman
` (278 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steve French, ChenXiaoSong,
Namjae Jeon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
commit 851ed9e09639e0daf79a506ce26097b296ed5518 upstream.
Reproducer:
1. server: systemctl start ksmbd
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: touch /mnt/file; ln /mnt/file /mnt/hardlink
4. client err log: ln: failed to create hard link 'hardlink' =>
'file': Permission denied
5. server err log: ksmbd: no right to delete : 0x80
Fixes: 13f3942f2bf4 ("ksmbd: add per-handle permission check to FILE_LINK_INFORMATION")
Cc: stable@vger.kernel.org
Reported-by: Steve French <stfrench@microsoft.com>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6564,16 +6564,18 @@ static int smb2_set_info_file(struct ksm
}
case FILE_LINK_INFORMATION:
{
- if (!(fp->daccess & FILE_DELETE_LE)) {
- pr_err("no right to delete : 0x%x\n", fp->daccess);
- return -EACCES;
- }
+ struct smb2_file_link_info *file_info;
if (buf_len < sizeof(struct smb2_file_link_info))
return -EMSGSIZE;
- return smb2_create_link(work, work->tcon->share_conf,
- (struct smb2_file_link_info *)buffer,
+ file_info = (struct smb2_file_link_info *)buffer;
+ if (file_info->ReplaceIfExists && !(fp->daccess & FILE_DELETE_LE)) {
+ pr_err("no right to delete : 0x%x\n", fp->daccess);
+ return -EACCES;
+ }
+
+ return smb2_create_link(work, work->tcon->share_conf, file_info,
buf_len, fp->filp,
work->conn->local_nls);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 244/518] writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 243/518] smb/server: do not require delete access for non-replacing links Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 245/518] OPP: of: Fix potential memory leak in opp_parse_supplies() Greg Kroah-Hartman
` (277 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Baokun Li, Tejun Heo,
Christian Brauner (Amutable)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun@linux.alibaba.com>
commit cba38ec4cbd3a7b8b942a8d52531a05be8a9ff0d upstream.
When a container exits, the following BUG_ON() is occasionally triggered:
==================================================================
VFS: Busy inodes after unmount of sdb (ext4)
------------[ cut here ]------------
kernel BUG at fs/super.c:695!
CPU: 3 PID: 6 Comm: containerd-shim Tainted: G OE K 6.6 #1
pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : generic_shutdown_super+0xf0/0x100
lr : generic_shutdown_super+0xf0/0x100
Call trace:
generic_shutdown_super+0xf0/0x100
kill_block_super+0x20/0x48
ext4_kill_sb+0x28/0x60
deactivate_locked_super+0x54/0x130
deactivate_super+0x84/0xa0
cleanup_mnt+0xa4/0x140
__cleanup_mnt+0x18/0x28
task_work_run+0x78/0xe0
do_notify_resume+0x204/0x240
==================================================================
The root cause is a race between cgroup_writeback_umount() and
inode_switch_wbs()/cleanup_offline_cgwb(). There is a window between
inode_prepare_wbs_switch() returning true and the subsequent
wb_queue_isw() call. Following is the process that triggers the issue:
CPU A (umount) | CPU B (writeback)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
inode_switch_wbs/cleanup_offline_cgwb
atomic_inc(&isw_nr_in_flight)
inode_prepare_wbs_switch
-> passes SB_ACTIVE check
__iget(inode)
generic_shutdown_super
sb->s_flags &= ~SB_ACTIVE
cgroup_writeback_umount(sb)
smp_mb()
atomic_read(&isw_nr_in_flight)
rcu_barrier()
-> no pending RCU callbacks
flush_workqueue(isw_wq)
-> nothing queued, returns
evict_inodes(sb)
-> Inode skipped as isw still holds a ref.
sop->put_super(sb)
/* destroys percpu counters */
-> VFS: Busy inodes after unmount!
wb_queue_isw()
queue_work(isw_wq, ...)
/* later in work function */
inode_switch_wbs_work_fn
process_inode_switch_wbs
iput() -> evict
percpu_counter_dec() // UAF!
Fix this by extending the RCU read-side critical section in
inode_switch_wbs() and cleanup_offline_cgwb() to cover from
inode_prepare_wbs_switch() through wb_queue_isw(). Since there is
no sleep in this window, rcu_read_lock() can be used. Then add a
synchronize_rcu() in cgroup_writeback_umount() before the existing
rcu_barrier(), so that all in-flight switchers that have passed the
SB_ACTIVE check have completed queue_work() before flush_workqueue()
is called.
The existing rcu_barrier() is intentionally retained so this fix can
be backported unchanged to stable kernels (5.10.y, 6.6.y, ...) that
still queue switches via queue_rcu_work(). It is a no-op on current
mainline (since commit e1b849cfa6b6 ("writeback: Avoid contention on
wb->list_lock when switching inodes")) and is removed in a follow-up
patch.
Fixes: a1a0e23e4903 ("writeback: flush inode cgroup wb switches instead of pinning super_block")
Cc: stable@vger.kernel.org
Suggested-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/all/mxnjq2l6guusfchvauxr3v7c4bwjasybxlleqbbh4efloeqspz@iqylk76ohufz
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Baokun Li <libaokun@linux.alibaba.com>
Link: https://patch.msgid.link/20260521095016.2791354-2-libaokun@linux.alibaba.com
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fs-writeback.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -660,12 +660,19 @@ static void inode_switch_wbs(struct inod
atomic_inc(&isw_nr_in_flight);
- /* find and pin the new wb */
+ /*
+ * Paired with synchronize_rcu() in cgroup_writeback_umount():
+ * holding rcu_read_lock across inode_prepare_wbs_switch()
+ * (covering the SB_ACTIVE check and the inode grab) and
+ * wb_queue_isw() ensures synchronize_rcu() cannot return until
+ * the work is queued, so the subsequent flush_workqueue() will
+ * wait for the switch.
+ */
rcu_read_lock();
+ /* find and pin the new wb */
memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
if (memcg_css && !css_tryget(memcg_css))
memcg_css = NULL;
- rcu_read_unlock();
if (!memcg_css)
goto out_free;
@@ -681,9 +688,11 @@ static void inode_switch_wbs(struct inod
trace_inode_switch_wbs_queue(inode->i_wb, new_wb, 1);
wb_queue_isw(new_wb, isw);
+ rcu_read_unlock();
return;
out_free:
+ rcu_read_unlock();
atomic_dec(&isw_nr_in_flight);
if (new_wb)
wb_put(new_wb);
@@ -741,6 +750,14 @@ bool cleanup_offline_cgwb(struct bdi_wri
new_wb = &wb->bdi->wb; /* wb_get() is noop for bdi's wb */
nr = 0;
+ /*
+ * Paired with synchronize_rcu() in cgroup_writeback_umount().
+ * Holding rcu_read_lock across the SB_ACTIVE check, the inode grab
+ * and wb_queue_isw() ensures synchronize_rcu() cannot return until
+ * the work is queued, so the subsequent flush_workqueue() will wait
+ * for the switch.
+ */
+ rcu_read_lock();
spin_lock(&wb->list_lock);
/*
* In addition to the inodes that have completed writeback, also switch
@@ -758,6 +775,7 @@ bool cleanup_offline_cgwb(struct bdi_wri
/* no attached inodes? bail out */
if (nr == 0) {
+ rcu_read_unlock();
atomic_dec(&isw_nr_in_flight);
wb_put(new_wb);
kfree(isw);
@@ -766,6 +784,7 @@ bool cleanup_offline_cgwb(struct bdi_wri
trace_inode_switch_wbs_queue(wb, new_wb, nr);
wb_queue_isw(new_wb, isw);
+ rcu_read_unlock();
return restart;
}
@@ -1222,6 +1241,14 @@ void cgroup_writeback_umount(struct supe
if (atomic_read(&isw_nr_in_flight)) {
/*
+ * Paired with rcu_read_lock() in inode_switch_wbs() and
+ * cleanup_offline_cgwb(). synchronize_rcu() waits for any
+ * in-flight switcher that already passed the SB_ACTIVE check
+ * to finish queueing its work, so flush_workqueue() below
+ * will then drain it.
+ */
+ synchronize_rcu();
+ /*
* Use rcu_barrier() to wait for all pending callbacks to
* ensure that all in-flight wb switches are in the workqueue.
*/
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 245/518] OPP: of: Fix potential memory leak in opp_parse_supplies()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 244/518] writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 246/518] cpufreq: qcom-cpufreq-hw: Fix possible double free Greg Kroah-Hartman
` (276 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Viresh Kumar
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
commit 69f888381d2ecbe18ed9f112c096f8fd3623db98 upstream.
The memory allocated for microvolt, microamp and microwatt is not freed
in one of the paths in opp_parse_supplies() which returns directly.
Fix that by adding a goto to the error unwind ladder.
Fixes: 2eedf62e66c2 ("OPP: decouple dt properties in opp_parse_supplies()")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/opp/of.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/opp/of.c
+++ b/drivers/opp/of.c
@@ -673,7 +673,7 @@ static int opp_parse_supplies(struct dev
*/
if (unlikely(opp_table->regulator_count == -1)) {
opp_table->regulator_count = 0;
- return 0;
+ goto free_microwatt;
}
for (i = 0, j = 0; i < opp_table->regulator_count; i++) {
@@ -696,6 +696,7 @@ static int opp_parse_supplies(struct dev
opp->supplies[i].u_watt = microwatt[i];
}
+free_microwatt:
kfree(microwatt);
free_microamp:
kfree(microamp);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 246/518] cpufreq: qcom-cpufreq-hw: Fix possible double free
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 245/518] OPP: of: Fix potential memory leak in opp_parse_supplies() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 247/518] firmware_loader: fix device reference leak in firmware_upload_register() Greg Kroah-Hartman
` (275 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Zhongqiu Han,
Viresh Kumar
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit bcb8889c4981fdde42d4fd2c29a77d510fe21da2 upstream.
qcom_cpufreq.data is allocated with devm_kzalloc() in probe() as an
array of per-domain data. qcom_cpufreq_hw_cpu_init() stores a pointer to
one element of this array in policy->driver_data.
qcom_cpufreq_hw_cpu_exit() currently calls kfree() on policy->driver_data.
This is not valid because the memory is devm-managed. For the first
domain, this can free the devm-managed allocation while the devres entry
is still active, leading to a possible double free when the platform
device is later detached. For other domains, the pointer may refer to an
element inside the array rather than the allocation base.
Remove the kfree(data) call and let devres release qcom_cpufreq.data.
This issue was found by a static analysis tool I am developing.
Fixes: 054a3ef683a1 ("cpufreq: qcom-hw: Allocate qcom_cpufreq_data during probe")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/qcom-cpufreq-hw.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/cpufreq/qcom-cpufreq-hw.c
+++ b/drivers/cpufreq/qcom-cpufreq-hw.c
@@ -578,7 +578,6 @@ static void qcom_cpufreq_hw_cpu_exit(str
dev_pm_opp_of_cpumask_remove_table(policy->related_cpus);
qcom_cpufreq_hw_lmh_exit(data);
kfree(policy->freq_table);
- kfree(data);
}
static void qcom_cpufreq_ready(struct cpufreq_policy *policy)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 247/518] firmware_loader: fix device reference leak in firmware_upload_register()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 246/518] cpufreq: qcom-cpufreq-hw: Fix possible double free Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 248/518] libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo() Greg Kroah-Hartman
` (274 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Danilo Krummrich
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 896df22ee57648b0c505bd76ddbc6b2341834696 upstream.
firmware_upload_register()
-> fw_create_instance()
-> device_initialize()
After fw_create_instance() succeeds, the lifetime of the embedded struct
device is expected to be managed through the device core reference
counting, since fw_create_instance() has already called
device_initialize().
In firmware_upload_register(), if alloc_lookup_fw_priv() fails after
fw_create_instance() succeeds, the code reaches free_fw_sysfs and frees
fw_sysfs directly instead of releasing the device reference with
put_device(). This may leave the reference count of the embedded struct
device unbalanced, resulting in a refcount leak.
The issue was identified by a static analysis tool I developed and
confirmed by manual review. Fix this by using put_device(fw_dev) in the
failure path and letting fw_dev_release() handle the final cleanup,
instead of freeing the instance directly from the error path.
Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260505091231.607089-1-lgs201920130244@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/firmware_loader/sysfs_upload.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/drivers/base/firmware_loader/sysfs_upload.c
+++ b/drivers/base/firmware_loader/sysfs_upload.c
@@ -343,7 +343,6 @@ firmware_upload_register(struct module *
goto free_fw_upload_priv;
}
fw_upload->priv = fw_sysfs;
- fw_sysfs->fw_upload_priv = fw_upload_priv;
fw_dev = &fw_sysfs->dev;
ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, NULL, 0, 0,
@@ -351,10 +350,12 @@ firmware_upload_register(struct module *
if (ret != 0) {
if (ret > 0)
ret = -EINVAL;
- goto free_fw_sysfs;
+ put_device(fw_dev);
+ goto free_fw_upload_priv;
}
fw_priv->is_paged_buf = true;
fw_sysfs->fw_priv = fw_priv;
+ fw_sysfs->fw_upload_priv = fw_upload_priv;
ret = device_add(fw_dev);
if (ret) {
@@ -365,9 +366,6 @@ firmware_upload_register(struct module *
return fw_upload;
-free_fw_sysfs:
- kfree(fw_sysfs);
-
free_fw_upload_priv:
kfree(fw_upload_priv);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 248/518] libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 247/518] firmware_loader: fix device reference leak in firmware_upload_register() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 249/518] proc: protect ptrace_may_access() with exec_update_lock (FD links) Greg Kroah-Hartman
` (273 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, John Hubbard,
Christian Brauner (Amutable)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Hubbard <jhubbard@nvidia.com>
commit 6de2aeffabaafaeda819e60ec8d04f199711e11a upstream.
Since commit 1e7ab6f67824 ("anon_inode: rework assertions"),
path_noexec() warns when an anonymous-inode file is mmap'd from a
superblock that has not set SB_I_NOEXEC. dma-buf backs its files this
way and never set the flag, so mmap of any exported buffer trips the
warning on a CONFIG_DEBUG_VFS=y kernel:
WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50
do_mmap+0x2b5/0x680
vm_mmap_pgoff+0x129/0x210
ksys_mmap_pgoff+0x177/0x240
__x64_sys_mmap+0x33/0x70
init_pseudo() sets up internal SB_NOUSER mounts that are never
path-reachable. Set both flags here so every pseudo filesystem gets
them by default instead of each caller setting them.
SB_I_NODEV is inert for unreachable mounts. SB_I_NOEXEC has one
visible effect: an executable mapping of a pseudo-fs fd, such as a
dma-buf, now fails with -EPERM, which is the invariant the assertion
enforces. No in-tree caller maps these executable.
Reproduce on CONFIG_DEBUG_VFS=y:
make -C tools/testing/selftests/dmabuf-heaps
sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system
Fixes: 1e7ab6f67824 ("anon_inode: rework assertions")
Suggested-by: Christoph Hellwig <hch@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Link: https://patch.msgid.link/20260604025315.245910-2-jhubbard@nvidia.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/libfs.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -736,6 +736,7 @@ struct pseudo_fs_context *init_pseudo(st
fc->fs_private = ctx;
fc->ops = &pseudo_fs_context_ops;
fc->sb_flags |= SB_NOUSER;
+ fc->s_iflags |= SB_I_NOEXEC | SB_I_NODEV;
fc->global = true;
}
return ctx;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 249/518] proc: protect ptrace_may_access() with exec_update_lock (FD links)
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 248/518] libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 250/518] perf/x86/intel/uncore: Defer ADL global PMON enable to enable_box() Greg Kroah-Hartman
` (272 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn,
Christian Brauner (Amutable)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 6255da28d4bb5349fe18e84cb043ccd394eba75d upstream.
proc_pid_get_link() and proc_pid_readlink() currently look up the task from
the pid once, then do the ptrace access check on that task, then look up
the task from the pid a second time to do the actual access.
That's racy in several ways.
To fix it, pass the task to the ->proc_get_link() handler, and instead of
proc_fd_access_allowed(), introduce a new helper call_proc_get_link() that
looks up and locks the task, does the access check, and calls
->proc_get_link().
Fixes: 778c1144771f ("[PATCH] proc: Use sane permission checks on the /proc/<pid>/fd/ symlinks")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260518-procfs-lockfix-part1-v1-2-5c3d20e0ac33@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/base.c | 119 ++++++++++++++++++++---------------------------------
fs/proc/fd.c | 25 ++++-------
fs/proc/internal.h | 2
3 files changed, 58 insertions(+), 88 deletions(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -218,33 +218,24 @@ static int get_task_root(struct task_str
return result;
}
-static int proc_cwd_link(struct dentry *dentry, struct path *path)
+static int proc_cwd_link(struct dentry *dentry, struct path *path,
+ struct task_struct *task)
{
- struct task_struct *task = get_proc_task(d_inode(dentry));
int result = -ENOENT;
- if (task) {
- task_lock(task);
- if (task->fs) {
- get_fs_pwd(task->fs, path);
- result = 0;
- }
- task_unlock(task);
- put_task_struct(task);
+ task_lock(task);
+ if (task->fs) {
+ get_fs_pwd(task->fs, path);
+ result = 0;
}
+ task_unlock(task);
return result;
}
-static int proc_root_link(struct dentry *dentry, struct path *path)
+static int proc_root_link(struct dentry *dentry, struct path *path,
+ struct task_struct *task)
{
- struct task_struct *task = get_proc_task(d_inode(dentry));
- int result = -ENOENT;
-
- if (task) {
- result = get_task_root(task, path);
- put_task_struct(task);
- }
- return result;
+ return get_task_root(task, path);
}
/*
@@ -704,23 +695,6 @@ static int proc_pid_syscall(struct seq_f
/* Here the fs part begins */
/************************************************************************/
-/* permission checks */
-static bool proc_fd_access_allowed(struct inode *inode)
-{
- struct task_struct *task;
- bool allowed = false;
- /* Allow access to a task's file descriptors if it is us or we
- * may use ptrace attach to the process and find out that
- * information.
- */
- task = get_proc_task(inode);
- if (task) {
- allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
- put_task_struct(task);
- }
- return allowed;
-}
-
int proc_nochmod_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
struct iattr *attr)
{
@@ -1777,16 +1751,12 @@ static const struct file_operations proc
.release = single_release,
};
-static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
+static int proc_exe_link(struct dentry *dentry, struct path *exe_path,
+ struct task_struct *task)
{
- struct task_struct *task;
struct file *exe_file;
- task = get_proc_task(d_inode(dentry));
- if (!task)
- return -ENOENT;
exe_file = get_task_exe_file(task);
- put_task_struct(task);
if (exe_file) {
*exe_path = exe_file->f_path;
path_get(&exe_file->f_path);
@@ -1796,26 +1766,42 @@ static int proc_exe_link(struct dentry *
return -ENOENT;
}
+static int call_proc_get_link(struct dentry *dentry, struct inode *inode, struct path *path_out)
+{
+ struct task_struct *task;
+ int ret;
+
+ task = get_proc_task(inode);
+ if (!task)
+ return -ENOENT;
+ ret = down_read_killable(&task->signal->exec_update_lock);
+ if (ret)
+ goto out_put_task;
+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
+ ret = -EACCES;
+ goto out;
+ }
+ ret = PROC_I(inode)->op.proc_get_link(dentry, path_out, task);
+
+out:
+ up_read(&task->signal->exec_update_lock);
+out_put_task:
+ put_task_struct(task);
+ return ret;
+}
+
static const char *proc_pid_get_link(struct dentry *dentry,
struct inode *inode,
struct delayed_call *done)
{
struct path path;
- int error = -EACCES;
+ int error;
if (!dentry)
return ERR_PTR(-ECHILD);
-
- /* Are we allowed to snoop on the tasks file descriptors? */
- if (!proc_fd_access_allowed(inode))
- goto out;
-
- error = PROC_I(inode)->op.proc_get_link(dentry, &path);
- if (error)
- goto out;
-
- error = nd_jump_link(&path);
-out:
+ error = call_proc_get_link(dentry, inode, &path);
+ if (!error)
+ error = nd_jump_link(&path);
return ERR_PTR(error);
}
@@ -1849,17 +1835,11 @@ static int proc_pid_readlink(struct dent
struct inode *inode = d_inode(dentry);
struct path path;
- /* Are we allowed to snoop on the tasks file descriptors? */
- if (!proc_fd_access_allowed(inode))
- goto out;
-
- error = PROC_I(inode)->op.proc_get_link(dentry, &path);
- if (error)
- goto out;
-
- error = do_proc_readlink(&path, buffer, buflen);
- path_put(&path);
-out:
+ error = call_proc_get_link(dentry, inode, &path);
+ if (!error) {
+ error = do_proc_readlink(&path, buffer, buflen);
+ path_put(&path);
+ }
return error;
}
@@ -2250,21 +2230,16 @@ static const struct dentry_operations ti
.d_delete = pid_delete_dentry,
};
-static int map_files_get_link(struct dentry *dentry, struct path *path)
+static int map_files_get_link(struct dentry *dentry, struct path *path,
+ struct task_struct *task)
{
unsigned long vm_start, vm_end;
struct vm_area_struct *vma;
- struct task_struct *task;
struct mm_struct *mm;
int rc;
rc = -ENOENT;
- task = get_proc_task(d_inode(dentry));
- if (!task)
- goto out;
-
mm = get_task_mm(task);
- put_task_struct(task);
if (!mm)
goto out;
--- a/fs/proc/fd.c
+++ b/fs/proc/fd.c
@@ -171,24 +171,19 @@ static const struct dentry_operations ti
.d_delete = pid_delete_dentry,
};
-static int proc_fd_link(struct dentry *dentry, struct path *path)
+static int proc_fd_link(struct dentry *dentry, struct path *path,
+ struct task_struct *task)
{
- struct task_struct *task;
int ret = -ENOENT;
+ unsigned int fd = proc_fd(d_inode(dentry));
+ struct file *fd_file;
- task = get_proc_task(d_inode(dentry));
- if (task) {
- unsigned int fd = proc_fd(d_inode(dentry));
- struct file *fd_file;
-
- fd_file = fget_task(task, fd);
- if (fd_file) {
- *path = fd_file->f_path;
- path_get(&fd_file->f_path);
- ret = 0;
- fput(fd_file);
- }
- put_task_struct(task);
+ fd_file = fget_task(task, fd);
+ if (fd_file) {
+ *path = fd_file->f_path;
+ path_get(&fd_file->f_path);
+ ret = 0;
+ fput(fd_file);
}
return ret;
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -107,7 +107,7 @@ extern struct kmem_cache *proc_dir_entry
void pde_free(struct proc_dir_entry *pde);
union proc_op {
- int (*proc_get_link)(struct dentry *, struct path *);
+ int (*proc_get_link)(struct dentry *, struct path *, struct task_struct *);
int (*proc_show)(struct seq_file *m,
struct pid_namespace *ns, struct pid *pid,
struct task_struct *task);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 250/518] perf/x86/intel/uncore: Defer ADL global PMON enable to enable_box()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 249/518] proc: protect ptrace_may_access() with exec_update_lock (FD links) Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 251/518] cpufreq: intel_pstate: Sync policy->cur during CPU offline Greg Kroah-Hartman
` (271 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zide Chen, Peter Zijlstra (Intel),
Dapeng Mi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zide Chen <zide.chen@intel.com>
commit 9a0bb848a37150aeccc10088e141339917d995dc upstream.
On some Raptor Cove CPUs, enabling uncore PMON globally at driver init
may increase power consumption even when no perf events are in use.
Drop adl_uncore_msr_init_box() and defer programming the global control
register to enable_box(), so it is only set when a box is actually used.
IMC and IMC freerunning counters use a separate control path and are
unaffected.
Fixes: 772ed05f3c5c ("perf/x86/intel/uncore: Add Alder Lake support")
Signed-off-by: Zide Chen <zide.chen@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260602144908.263680-5-zide.chen@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snb.c | 7 -------
1 file changed, 7 deletions(-)
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -563,12 +563,6 @@ void tgl_uncore_cpu_init(void)
skl_uncore_msr_ops.init_box = rkl_uncore_msr_init_box;
}
-static void adl_uncore_msr_init_box(struct intel_uncore_box *box)
-{
- if (box->pmu->pmu_idx == 0)
- wrmsrq(ADL_UNC_PERF_GLOBAL_CTL, SNB_UNC_GLOBAL_CTL_EN);
-}
-
static void adl_uncore_msr_enable_box(struct intel_uncore_box *box)
{
wrmsrq(ADL_UNC_PERF_GLOBAL_CTL, SNB_UNC_GLOBAL_CTL_EN);
@@ -587,7 +581,6 @@ static void adl_uncore_msr_exit_box(stru
}
static struct intel_uncore_ops adl_uncore_msr_ops = {
- .init_box = adl_uncore_msr_init_box,
.enable_box = adl_uncore_msr_enable_box,
.disable_box = adl_uncore_msr_disable_box,
.exit_box = adl_uncore_msr_exit_box,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 251/518] cpufreq: intel_pstate: Sync policy->cur during CPU offline
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 250/518] perf/x86/intel/uncore: Defer ADL global PMON enable to enable_box() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 252/518] sched/rt: Have RT_PUSH_IPI be default off for non PREEMPT_RT Greg Kroah-Hartman
` (270 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada, Fushuai Wang,
Rafael J. Wysocki
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fushuai Wang <wangfushuai@baidu.com>
commit bcbdaa1086c25a8a5d48e04e1b82fdfb0682b681 upstream.
When a CPU goes offline with HWP disabled, intel_pstate_set_min_pstate()
sets the MSR_IA32_PERF_CTL to minimum frequency to prevent SMT siblings
from being restricted. However, the policy->cur value was not updated,
leaving it at the previous value.
When the CPU comes back online, governor->limits() checks if target_freq
equals policy->cur and skips the frequency adjustment if they match. Since
policy->cur still holds the previous value, the governor does not call
cpufreq_driver->target to update MSR_IA32_PERF_CTL.
Fix this by synchronizing policy->cur with the hardware state when setting
minimum pstate during CPU offline.
Fixes: bb18008f8086 ("intel_pstate: Set core to min P state during core offline")
Cc: stable@vger.kernel.org # 3.15+
Suggested-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
[ rjw: Subject refinement ]
Link: https://patch.msgid.link/20260520032119.30615-1-fushuai.wang@linux.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/intel_pstate.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -2984,10 +2984,12 @@ static int intel_cpufreq_cpu_offline(str
* from getting to lower performance levels, so force the minimum
* performance on CPU offline to prevent that from happening.
*/
- if (hwp_active)
+ if (hwp_active) {
intel_pstate_hwp_offline(cpu);
- else
+ } else {
intel_pstate_set_min_pstate(cpu);
+ policy->cur = cpu->pstate.min_freq;
+ }
intel_pstate_exit_perf_limits(policy);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 252/518] sched/rt: Have RT_PUSH_IPI be default off for non PREEMPT_RT
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 251/518] cpufreq: intel_pstate: Sync policy->cur during CPU offline Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 253/518] cpufreq: Fix hotplug-suspend race during reboot Greg Kroah-Hartman
` (269 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tejun Heo, Steven Rostedt,
Peter Zijlstra (Intel)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit dd29c017aed628076e915fe4cdfb5392fd4c5cab upstream.
RT migration is done aggressively. When a CPU schedules out a high
priority RT task for a lower priority task, it will look to see if there's
any RT tasks that are waiting to run on another CPU that is of higher
priority than the task this CPU is about to run. If it finds one, it will
pull that task over to the CPU and allow it to run there instead.
Normally, this pulling is done by looking at the RT overloaded mask (rto)
which contains all the CPUs in the scheduler domain with RT tasks that are
waiting to run due to a higher priority RT task currently running on their
CPU. The CPU that is about to schedule a lower priority task will grab the
rq lock of the overloaded CPU and move the RT task from that CPU's runqueue
to the local one and schedule the higher priority RT task.
This caused issues when a lot of CPUs would schedule a lower priority task
at the same time. They would all try to grab the same runqueue lock of
the CPU with the overloaded RT tasks. Only the first CPU that got in will
get that task. All the others would wait until they got the runqueue lock
and see there's nothing to pull and do nothing. On systems with lots of
CPUs, this caused a large latency (up to 500us) which is beyond what
PREEMPT_RT is to allow.
The solution to that was to create an RT_PUSH_IPI logic. When any CPU
wanted to pull a task, instead of grabbing the runqueue lock of the
overloaded CPU, it would start by sending an IPI to the overloaded CPU,
and that IPI handler would have the CPU with the waiting RT task do a push
instead. Then that handler would send an IPI to the next CPU with
overloaded RT tasks, and so on. Note, after the first CPU starts this
process, if another CPU wanted to do a pull, it would see that the process
has already begun and would only increment a counter to have the IPIs
continue again.
The RT_PUSH_IPI solved the latency problem with PREEMPT_RT but could cause
a new issue with non PREEMPT_RT. Namely, softirqs run in a threaded
context on PREEMPT_RT but they can run in an interrupt context in non-RT.
If an IPI lands on a CPU that has just woken up multiple RT tasks and the
current CPU is running a non RT or a low priority RT task, instead of
doing a push, it would simply do a schedule on that CPU. But if a softirq
was also executing on this CPU, the schedule would need to wait until the
softirq finished. Until then, the CPU would still be considered overloaded
as there are RT tasks still waiting to run on it.
A live lock occurred on a workload that was doing heavy networking traffic
on a large machine where the softirqs would run 500us out of 750us. And it
would also be waking up RT tasks, causing the RT pull logic to be
constantly executed.
When a softirq triggered on a CPU with RT tasks queued but not running
yet, and the other CPUs would see this CPU as being overloaded, they would
send an IPI over to it. The CPU would notice that the waiting RT tasks are
of higher priority than the currently running task and simply schedule
that CPU instead. But because the softirq was executing, before it could
schedule, it would receive another IPI to do the same. The amount of IPIs
would slow down the currently running softirq so much that before it could
return back to task context, it would execute another softirq never
allowing the CPU to schedule. This live locked that CPU.
As RT_PUSH_IPI was created to help PREEMPT_RT, make it default off if
PREEMPT_RT is not enabled.
Fixes: b6366f048e0c ("sched/rt: Use IPI to trigger RT task push migration instead of pulling")
Closes: https://lore.kernel.org/all/20260506235716.2530720-1-tj@kernel.org/
Reported-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260515103740.25ccbed8@gandalf.local.home
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/features.h | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/kernel/sched/features.h
+++ b/kernel/sched/features.h
@@ -110,8 +110,16 @@ SCHED_FEAT(WARN_DOUBLE_CLOCK, false)
* rq lock and possibly create a large contention, sending an
* IPI to that CPU and let that CPU push the RT task to where
* it should go may be a better scenario.
+ *
+ * This is best for PREEMPT_RT, but for non-RT it can cause issues
+ * when preemption is disabled for long periods of time. Have
+ * it only default enabled for PREEMPT_RT.
*/
+# ifdef CONFIG_PREEMPT_RT
SCHED_FEAT(RT_PUSH_IPI, true)
+# else
+SCHED_FEAT(RT_PUSH_IPI, false)
+# endif
#endif
SCHED_FEAT(RT_RUNTIME_SHARE, false)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 253/518] cpufreq: Fix hotplug-suspend race during reboot
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 252/518] sched/rt: Have RT_PUSH_IPI be default off for non PREEMPT_RT Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 254/518] cpufreq: pcc: fix use-after-free and double free in _OSC evaluation Greg Kroah-Hartman
` (268 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianxiang Chen, Zhongqiu Han,
Rafael J. Wysocki
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianxiang Chen <nanmu@xiaomi.com>
commit a9029dd55696c651ee46912afa2a166fa456bb3e upstream.
During system reboot, cpufreq_suspend() is called via the
kernel_restart() -> device_shutdown() path. Unlike the normal system
suspend path, the reboot path does not call freeze_processes(), so
userspace processes and kernel threads remain active.
This allows CPU hotplug operations to run concurrently with
cpufreq_suspend(). The original code has no synchronization with CPU
hotplug, leading to a race condition where governor_data can be freed
by the hotplug path while cpufreq_suspend() is still accessing it,
resulting in a null pointer dereference:
Unable to handle kernel NULL pointer dereference
Call Trace:
do_kernel_fault+0x28/0x3c
cpufreq_suspend+0xdc/0x160
device_shutdown+0x18/0x200
kernel_restart+0x40/0x80
arm64_sys_reboot+0x1b0/0x200
Fix this by adding cpus_read_lock()/cpus_read_unlock() to
cpufreq_suspend() to block CPU hotplug operations while suspend is in
progress.
Fixes: 65650b35133f ("cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown")
Signed-off-by: Tianxiang Chen <nanmu@xiaomi.com>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Cc: All applicable <stable@vger.kernel.org>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20260408141914.35281-1-nanmu@xiaomi.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1972,6 +1972,7 @@ void cpufreq_suspend(void)
if (!cpufreq_driver)
return;
+ cpus_read_lock();
if (!has_target() && !cpufreq_driver->suspend)
goto suspend;
@@ -1991,6 +1992,7 @@ void cpufreq_suspend(void)
suspend:
cpufreq_suspended = true;
+ cpus_read_unlock();
}
/**
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 254/518] cpufreq: pcc: fix use-after-free and double free in _OSC evaluation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 253/518] cpufreq: Fix hotplug-suspend race during reboot Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 255/518] proc: protect ptrace_may_access() with exec_update_lock (part 1) Greg Kroah-Hartman
` (267 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuho Choi, Zhongqiu Han,
Rafael J. Wysocki
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
commit 266d3dd8b757b48a576e90f018b51f7b7563cc32 upstream.
pcc_cpufreq_do_osc() calls acpi_evaluate_object() twice for the
two-phase _OSC negotiation. Between the two calls it freed
output.pointer but left output.length unchanged. Since
acpi_evaluate_object() treats a non-zero length with a non-NULL
pointer as an existing buffer to write into, the second call wrote
into freed memory (use-after-free). The subsequent kfree(output.pointer)
at out_free then freed the same pointer a second time (double free).
Reset output.pointer to NULL and output.length to ACPI_ALLOCATE_BUFFER
after freeing the first result, so ACPICA allocates a fresh buffer for
each phase independently.
Fixes: 0f1d683fb35d ("[CPUFREQ] Processor Clocking Control interface driver")
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260416144621.93964-1-dbgh9129@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/pcc-cpufreq.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/cpufreq/pcc-cpufreq.c
+++ b/drivers/cpufreq/pcc-cpufreq.c
@@ -352,6 +352,8 @@ static int __init pcc_cpufreq_do_osc(acp
}
kfree(output.pointer);
+ output.pointer = NULL;
+ output.length = ACPI_ALLOCATE_BUFFER;
capabilities[0] = 0x0;
capabilities[1] = 0x1;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 255/518] proc: protect ptrace_may_access() with exec_update_lock (part 1)
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 254/518] cpufreq: pcc: fix use-after-free and double free in _OSC evaluation Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 256/518] posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path Greg Kroah-Hartman
` (266 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn,
Christian Brauner (Amutable)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 6650527444dadc63d84aa939d14ecba4fadb2f69 upstream.
Fix the easy cases where procfs currently calls ptrace_may_access() without
exec_update_lock protection, where the fix is to simply add the extra lock
or use mm_access():
- do_task_stat(): grab exec_update_lock
- proc_pid_wchan(): grab exec_update_lock
- proc_map_files_lookup(): use mm_access() instead of get_task_mm()
- proc_map_files_readdir(): use mm_access() instead of get_task_mm()
- proc_ns_get_link(): grab exec_update_lock
- proc_ns_readlink(): grab exec_update_lock
Fixes: f83ce3e6b02d ("proc: avoid information leaks to non-privileged processes")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260518-procfs-lockfix-part1-v1-1-5c3d20e0ac33@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/array.c | 6 ++++++
fs/proc/base.c | 41 ++++++++++++++++++++++-------------------
fs/proc/namespaces.c | 12 ++++++++++++
3 files changed, 40 insertions(+), 19 deletions(-)
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -482,6 +482,11 @@ static int do_task_stat(struct seq_file
unsigned long flags;
int exit_code = task->exit_code;
struct signal_struct *sig = task->signal;
+ int ret;
+
+ ret = down_read_killable(&task->signal->exec_update_lock);
+ if (ret)
+ return ret;
state = *get_task_state(task);
vsize = eip = esp = 0;
@@ -657,6 +662,7 @@ static int do_task_stat(struct seq_file
seq_puts(m, " 0");
seq_putc(m, '\n');
+ up_read(&task->signal->exec_update_lock);
if (mm)
mmput(mm);
return 0;
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -414,18 +414,24 @@ static int proc_pid_wchan(struct seq_fil
{
unsigned long wchan;
char symname[KSYM_NAME_LEN];
+ int err;
+ err = down_read_killable(&task->signal->exec_update_lock);
+ if (err)
+ return err;
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
goto print0;
wchan = get_wchan(task);
if (wchan && !lookup_symbol_name(wchan, symname)) {
seq_puts(m, symname);
+ up_read(&task->signal->exec_update_lock);
return 0;
}
print0:
seq_putc(m, '0');
+ up_read(&task->signal->exec_update_lock);
return 0;
}
#endif /* CONFIG_KALLSYMS */
@@ -2335,17 +2341,15 @@ static struct dentry *proc_map_files_loo
if (!task)
goto out;
- result = ERR_PTR(-EACCES);
- if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
- goto out_put_task;
-
result = ERR_PTR(-ENOENT);
if (dname_to_vma_addr(dentry, &vm_start, &vm_end))
goto out_put_task;
- mm = get_task_mm(task);
- if (!mm)
+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
+ if (IS_ERR(mm)) {
+ result = ERR_CAST(mm);
goto out_put_task;
+ }
result = ERR_PTR(-EINTR);
if (mmap_read_lock_killable(mm))
@@ -2395,23 +2399,22 @@ proc_map_files_readdir(struct file *file
if (!task)
goto out;
- ret = -EACCES;
- if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
- goto out_put_task;
-
ret = 0;
if (!dir_emit_dots(file, ctx))
goto out_put_task;
- mm = get_task_mm(task);
- if (!mm)
+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
+ if (IS_ERR(mm)) {
+ ret = PTR_ERR(mm);
+ /* if the task has no mm, the directory should just be empty */
+ if (ret == -ESRCH)
+ ret = 0;
goto out_put_task;
+ }
ret = mmap_read_lock_killable(mm);
- if (ret) {
- mmput(mm);
- goto out_put_task;
- }
+ if (ret)
+ goto out_put_mm;
nr_files = 0;
@@ -2437,8 +2440,7 @@ proc_map_files_readdir(struct file *file
if (!p) {
ret = -ENOMEM;
mmap_read_unlock(mm);
- mmput(mm);
- goto out_put_task;
+ goto out_put_mm;
}
p->start = vma->vm_start;
@@ -2446,7 +2448,6 @@ proc_map_files_readdir(struct file *file
p->mode = vma->vm_file->f_mode;
}
mmap_read_unlock(mm);
- mmput(mm);
for (i = 0; i < nr_files; i++) {
char buf[4 * sizeof(long) + 2]; /* max: %lx-%lx\0 */
@@ -2463,6 +2464,8 @@ proc_map_files_readdir(struct file *file
ctx->pos++;
}
+out_put_mm:
+ mmput(mm);
out_put_task:
put_task_struct(task);
out:
--- a/fs/proc/namespaces.c
+++ b/fs/proc/namespaces.c
@@ -55,6 +55,10 @@ static const char *proc_ns_get_link(stru
if (!task)
return ERR_PTR(-EACCES);
+ error = down_read_killable(&task->signal->exec_update_lock);
+ if (error)
+ goto out_put_task;
+
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
goto out;
@@ -64,6 +68,8 @@ static const char *proc_ns_get_link(stru
error = nd_jump_link(&ns_path);
out:
+ up_read(&task->signal->exec_update_lock);
+out_put_task:
put_task_struct(task);
return ERR_PTR(error);
}
@@ -80,11 +86,17 @@ static int proc_ns_readlink(struct dentr
if (!task)
return res;
+ res = down_read_killable(&task->signal->exec_update_lock);
+ if (res)
+ goto out_put_task;
+
if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
res = ns_get_name(name, sizeof(name), task, ns_ops);
if (res >= 0)
res = readlink_copy(buffer, buflen, name, strlen(name));
}
+ up_read(&task->signal->exec_update_lock);
+out_put_task:
put_task_struct(task);
return res;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 256/518] posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 255/518] proc: protect ptrace_may_access() with exec_update_lock (part 1) Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 257/518] time/jiffies: Register jiffies clocksource before usage Greg Kroah-Hartman
` (265 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WenTao Liang, Thomas Gleixner,
Frederic Weisbecker
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WenTao Liang <vulab@iscas.ac.cn>
commit 87bd2ad568e15b90d5f7d4bcd70342d05dad649c upstream.
In do_cpu_nanosleep(), posix_cpu_timer_create() takes a pid reference
via get_pid() and stores it in timer.it.cpu.pid. If the subsequent
posix_cpu_timer_set() call fails, the function returns immediately
without calling posix_cpu_timer_del() to release the pid reference,
causing a leak.
Fix it by calling posix_cpu_timer_del() before the unlock-and-return
on the error path, consistent with the other exit paths in the same
function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260611161738.97043-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/posix-cpu-timers.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -1504,6 +1504,7 @@ static int do_cpu_nanosleep(const clocki
spin_lock_irq(&timer.it_lock);
error = posix_cpu_timer_set(&timer, flags, &it, NULL);
if (error) {
+ posix_cpu_timer_del(&timer);
spin_unlock_irq(&timer.it_lock);
return error;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 257/518] time/jiffies: Register jiffies clocksource before usage
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 256/518] posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 258/518] clocksource/drivers/timer-tegra186: Fix support for multiple watchdog instances Greg Kroah-Hartman
` (264 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Teddy Astie, Thomas Gleixner
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
commit f24df84cbe05e4471c04ac4b921fc0340bbc7752 upstream.
Teddy reported that a XEN HVM has a long boot delay, which was bisected to
the recent enhancements to the negative motion detection. It turned out
that the jiffies clocksource is used in early boot before it is registered,
which leaves the max_delta_raw field at zero. That causes the read out to
be clamped to the max delta of 0, which means time is not making progress.
Cure it by ensuring that it is initialized before its first usage in
timekeeping_init().
Fixes: 76031d9536a0 ("clocksource: Make negative motion detection more robust")
Reported-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Tested-by: Teddy Astie <teddy.astie@vates.tech>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/87y0gn3fve.ffs@fw13
Closes: https://lore.kernel.org/all/1780914594.8631fc262581453bbf619ec5b2062170.19ea6c8227b000701b@vates.tech
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/jiffies.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/kernel/time/jiffies.c
+++ b/kernel/time/jiffies.c
@@ -60,15 +60,14 @@ EXPORT_SYMBOL(get_jiffies_64);
EXPORT_SYMBOL(jiffies);
-static int __init init_jiffies_clocksource(void)
-{
- return __clocksource_register(&clocksource_jiffies);
-}
-
-core_initcall(init_jiffies_clocksource);
+static bool cs_jiffies_registered __initdata;
struct clocksource * __init __weak clocksource_default_clock(void)
{
+ if (!cs_jiffies_registered) {
+ __clocksource_register(&clocksource_jiffies);
+ cs_jiffies_registered = true;
+ }
return &clocksource_jiffies;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 258/518] clocksource/drivers/timer-tegra186: Fix support for multiple watchdog instances
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 257/518] time/jiffies: Register jiffies clocksource before usage Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 259/518] s390: Revert support for DCACHE_WORD_ACCESS Greg Kroah-Hartman
` (263 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kartik Rajput, Daniel Lezcano,
Jon Hunter
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kartik Rajput <kkartik@nvidia.com>
commit ca57bf46e7a94f8c53d05c376df9fcfdcb482100 upstream.
Tegra SoCs support multiple watchdogs; currently only one (WDT0) is
used. When multiple watchdogs are registered, tegra186_wdt_enable()
overwrites the TKEIE(x) register, discarding any existing watchdog
interrupt enable bits. As a result, enabling one watchdog inadvertently
disables interrupts for the others.
Fix this by preserving the existing TKEIE(x) value and updating it
using a read-modify-write sequence.
Fixes: 42cee19a9f83 ("clocksource: Add Tegra186 timers support")
Cc: stable@vger.kernel.org
Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260507154557.2082697-2-kkartik@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clocksource/timer-tegra186.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/clocksource/timer-tegra186.c
+++ b/drivers/clocksource/timer-tegra186.c
@@ -149,7 +149,8 @@ static void tegra186_wdt_enable(struct t
u32 value;
/* unmask hardware IRQ, this may have been lost across powergate */
- value = TKEIE_WDT_MASK(wdt->index, 1);
+ value = readl(tegra->regs + TKEIE(wdt->tmr->hwirq));
+ value |= TKEIE_WDT_MASK(wdt->index, 1);
writel(value, tegra->regs + TKEIE(wdt->tmr->hwirq));
/* clear interrupt */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 259/518] s390: Revert support for DCACHE_WORD_ACCESS
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 258/518] clocksource/drivers/timer-tegra186: Fix support for multiple watchdog instances Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 260/518] perf/arm-cmn: Fix DVM node events Greg Kroah-Hartman
` (262 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Borntraeger,
Heiko Carstens, Alexander Gordeev
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit 37540b8c287fc817bdbd0c62bb75ad6eab0e5d03 upstream.
load_unaligned_zeropad() reads eight bytes from unaligned addresses and may
cross page boundaries. It handles exceptions which may happen if reading
from the second page results in an exception.
For pages which are donated to the Ultravisor for secure execution purposes
the do_secure_storage_access() exception handler however does not handle
such exceptions correctly. Such an exception may result in an endless
exception loop which will never be resolved.
An attempt to fix this [1] turned out to be not sufficient. For now revert
load_unaligned_zeropad() until this problem has been resolved in a proper
way.
Note that the implementation of load_unaligned_zeropad() itself is
correct. The revert is just a temporary workaround until there is complete
fix for secure storage access exceptions.
[1] commit b00be77302d7 ("s390/mm: Add missing secure storage access fixups for donated memory")
Fixes: 802ba53eefc5 ("s390: add support for DCACHE_WORD_ACCESS")
Cc: stable@vger.kernel.org
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/Kconfig | 1 -
arch/s390/include/asm/asm-extable.h | 4 ----
arch/s390/include/asm/word-at-a-time.h | 22 ----------------------
arch/s390/mm/extable.c | 18 ------------------
4 files changed, 45 deletions(-)
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -163,7 +163,6 @@ config S390
select ARCH_WANTS_THP_SWAP
select BUILDTIME_TABLE_SORT
select CLONE_BACKWARDS2
- select DCACHE_WORD_ACCESS if !KMSAN
select DYNAMIC_FTRACE if FUNCTION_TRACER
select FUNCTION_ALIGNMENT_8B if CC_IS_GCC
select FUNCTION_ALIGNMENT_16B if !CC_IS_GCC
--- a/arch/s390/include/asm/asm-extable.h
+++ b/arch/s390/include/asm/asm-extable.h
@@ -12,7 +12,6 @@
#define EX_TYPE_UA_FAULT 3
#define EX_TYPE_UA_LOAD_REG 5
#define EX_TYPE_UA_LOAD_REGPAIR 6
-#define EX_TYPE_ZEROPAD 7
#define EX_TYPE_FPC 8
#define EX_TYPE_UA_MVCOS_TO 9
#define EX_TYPE_UA_MVCOS_FROM 10
@@ -80,9 +79,6 @@
#define EX_TABLE_UA_LOAD_REGPAIR(_fault, _target, _regerr, _regzero) \
__EX_TABLE(__ex_table, _fault, _target, EX_TYPE_UA_LOAD_REGPAIR, _regerr, _regzero, 0)
-#define EX_TABLE_ZEROPAD(_fault, _target, _regdata, _regaddr) \
- __EX_TABLE(__ex_table, _fault, _target, EX_TYPE_ZEROPAD, _regdata, _regaddr, 0)
-
#define EX_TABLE_FPC(_fault, _target) \
__EX_TABLE(__ex_table, _fault, _target, EX_TYPE_FPC, __stringify(%%r0), __stringify(%%r0), 0)
--- a/arch/s390/include/asm/word-at-a-time.h
+++ b/arch/s390/include/asm/word-at-a-time.h
@@ -4,7 +4,6 @@
#include <linux/bitops.h>
#include <linux/wordpart.h>
-#include <asm/asm-extable.h>
#include <asm/bitsperlong.h>
struct word_at_a_time {
@@ -41,25 +40,4 @@ static inline unsigned long zero_bytemas
return ~1UL << data;
}
-/*
- * Load an unaligned word from kernel space.
- *
- * In the (very unlikely) case of the word being a page-crosser
- * and the next page not being mapped, take the exception and
- * return zeroes in the non-existing part.
- */
-static inline unsigned long load_unaligned_zeropad(const void *addr)
-{
- unsigned long data;
-
- asm_inline volatile(
- "0: lg %[data],0(%[addr])\n"
- "1: nopr %%r7\n"
- EX_TABLE_ZEROPAD(0b, 1b, %[data], %[addr])
- EX_TABLE_ZEROPAD(1b, 1b, %[data], %[addr])
- : [data] "=d" (data)
- : [addr] "a" (addr), "m" (*(unsigned long *)addr));
- return data;
-}
-
#endif /* _ASM_WORD_AT_A_TIME_H */
--- a/arch/s390/mm/extable.c
+++ b/arch/s390/mm/extable.c
@@ -50,22 +50,6 @@ static bool ex_handler_ua_load_reg(const
return true;
}
-static bool ex_handler_zeropad(const struct exception_table_entry *ex, struct pt_regs *regs)
-{
- unsigned int reg_addr = FIELD_GET(EX_DATA_REG_ADDR, ex->data);
- unsigned int reg_data = FIELD_GET(EX_DATA_REG_ERR, ex->data);
- unsigned long data, addr, offset;
-
- addr = regs->gprs[reg_addr];
- offset = addr & (sizeof(unsigned long) - 1);
- addr &= ~(sizeof(unsigned long) - 1);
- data = *(unsigned long *)addr;
- data <<= BITS_PER_BYTE * offset;
- regs->gprs[reg_data] = data;
- regs->psw.addr = extable_fixup(ex);
- return true;
-}
-
static bool ex_handler_fpc(const struct exception_table_entry *ex, struct pt_regs *regs)
{
fpu_sfpc(0);
@@ -134,8 +118,6 @@ bool fixup_exception(struct pt_regs *reg
return ex_handler_ua_load_reg(ex, false, regs);
case EX_TYPE_UA_LOAD_REGPAIR:
return ex_handler_ua_load_reg(ex, true, regs);
- case EX_TYPE_ZEROPAD:
- return ex_handler_zeropad(ex, regs);
case EX_TYPE_FPC:
return ex_handler_fpc(ex, regs);
case EX_TYPE_UA_MVCOS_TO:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 260/518] perf/arm-cmn: Fix DVM node events
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 259/518] s390: Revert support for DCACHE_WORD_ACCESS Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 261/518] X.509: Fix validation of ASN.1 certificate header Greg Kroah-Hartman
` (261 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Robin Murphy, Will Deacon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robin Murphy <robin.murphy@arm.com>
commit 5936245125f78d896fdb1bbc2ae79213e28a6579 upstream.
The new DVM node events added in CMN-700 also apply to CMN S3; fix
the model encoding so that we can expose the aliases and handle
occupancy filtering on newer CMNs too.
Cc: stable@vger.kernel.org
Fixes: 0dc2f4963f7e ("perf/arm-cmn: Support CMN S3")
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/perf/arm-cmn.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
--- a/drivers/perf/arm-cmn.c
+++ b/drivers/perf/arm-cmn.c
@@ -197,13 +197,14 @@
enum cmn_model {
CMN600 = 1,
CMN650 = 2,
- CMN700 = 4,
- CI700 = 8,
+ CI700 = 4,
+ CMN700 = 8,
CMNS3 = 16,
/* ...and then we can use bitmap tricks for commonality */
CMN_ANY = -1,
NOT_CMN600 = -2,
- CMN_650ON = CMN650 | CMN700 | CMNS3,
+ CMN_700ON = ~(CMN700 - 1),
+ CMN_650ON = CMN_700ON | CMN650,
};
/* Actual part numbers and revision IDs defined by the hardware */
@@ -919,14 +920,14 @@ static struct attribute *arm_cmn_event_a
CMN_EVENT_DVM(NOT_CMN600, txsnp_stall, 0x0a),
CMN_EVENT_DVM(NOT_CMN600, trkfull, 0x0b),
CMN_EVENT_DVM_OCC(NOT_CMN600, trk_occupancy, 0x0c),
- CMN_EVENT_DVM_OCC(CMN700, trk_occupancy_cxha, 0x0d),
- CMN_EVENT_DVM_OCC(CMN700, trk_occupancy_pdn, 0x0e),
- CMN_EVENT_DVM(CMN700, trk_alloc, 0x0f),
- CMN_EVENT_DVM(CMN700, trk_cxha_alloc, 0x10),
- CMN_EVENT_DVM(CMN700, trk_pdn_alloc, 0x11),
- CMN_EVENT_DVM(CMN700, txsnp_stall_limit, 0x12),
- CMN_EVENT_DVM(CMN700, rxsnp_stall_starv, 0x13),
- CMN_EVENT_DVM(CMN700, txsnp_sync_stall_op, 0x14),
+ CMN_EVENT_DVM_OCC(CMN_700ON, trk_occupancy_cxha, 0x0d),
+ CMN_EVENT_DVM_OCC(CMN_700ON, trk_occupancy_pdn, 0x0e),
+ CMN_EVENT_DVM(CMN_700ON, trk_alloc, 0x0f),
+ CMN_EVENT_DVM(CMN_700ON, trk_cxha_alloc, 0x10),
+ CMN_EVENT_DVM(CMN_700ON, trk_pdn_alloc, 0x11),
+ CMN_EVENT_DVM(CMN_700ON, txsnp_stall_limit, 0x12),
+ CMN_EVENT_DVM(CMN_700ON, rxsnp_stall_starv, 0x13),
+ CMN_EVENT_DVM(CMN_700ON, txsnp_sync_stall_op, 0x14),
CMN_EVENT_HNF(CMN_ANY, cache_miss, 0x01),
CMN_EVENT_HNF(CMN_ANY, slc_sf_cache_access, 0x02),
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 261/518] X.509: Fix validation of ASN.1 certificate header
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 260/518] perf/arm-cmn: Fix DVM node events Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 262/518] mm/slab: do not limit zeroing to orig_size when only red zoning is enabled Greg Kroah-Hartman
` (260 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Lukas Wunner,
Ignat Korchagin, Alistair Francis, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 3b626ba431c4501512ad07549310685e07fe4706 upstream.
x509_load_certificate_list() seeks to enforce that a certificate starts
with 0x30 0x82 (ASN.1 SEQUENCE tag followed by a length of more than 256
and less than 65535 bytes).
But it only enforces that *either* of those two byte values are present,
instead of checking for the *conjunction* of the two values. Fix it.
Fixes: 631cc66eb9ea ("MODSIGN: Provide module signing public keys to the kernel")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/r/20260508033917.B5873C2BCB0@smtp.kernel.org/
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v3.7+
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/asymmetric_keys/x509_loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/crypto/asymmetric_keys/x509_loader.c
+++ b/crypto/asymmetric_keys/x509_loader.c
@@ -20,7 +20,7 @@ int x509_load_certificate_list(const u8
*/
if (end - p < 4)
goto dodgy_cert;
- if (p[0] != 0x30 &&
+ if (p[0] != 0x30 ||
p[1] != 0x82)
goto dodgy_cert;
plen = (p[2] << 8) | p[3];
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 262/518] mm/slab: do not limit zeroing to orig_size when only red zoning is enabled
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 261/518] X.509: Fix validation of ASN.1 certificate header Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 263/518] tools/mm/slabinfo: Fix trace disable logic inversion Greg Kroah-Hartman
` (259 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Yoo (Oracle), Hao Li,
Vlastimil Babka (SUSE)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlastimil Babka (SUSE) <vbabka@kernel.org>
commit 648927ceb84021a25a0fbd5673740956f318d534 upstream.
When init (zeroing) on allocation is requested, for kmalloc() we
generally have to zero the full object size even if a smaller size is
requested, in order to provide krealloc()'s __GFP_ZERO guarantees.
But if we track the requested size, krealloc() uses that information to
do the right thing, so we can zero only the requested size. With red
zoning also enabled, any extra size became part of the red zone, so it
must not be zeroed and thus we must zero only the requested size.
However the current check is imprecise, and will trigger also when only
SLAB_RED_ZONE is enabled without SLAB_STORE_USER (which enables tracking
the requested size). This means enabling red zoning alone can compromise
krealloc()'s __GFP_ZERO contract.
Fix this by using slub_debug_orig_size() instead, which is the exact
check for whether the requested size is tracked. We don't need to care
if red zoning is also enabled or not. Also update and expand the
comment accordingly.
Fixes: 9ce67395f5a0 ("mm/slub: only zero requested size of buffer for kzalloc when debug enabled")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260610-slab_alloc_flags-v2-1-7190909db118@kernel.org
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
Reviewed-by: Hao Li <hao.li@linux.dev>
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slub.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -4537,15 +4537,17 @@ bool slab_post_alloc_hook(struct kmem_ca
gfp_t init_flags = flags & gfp_allowed_mask;
/*
- * For kmalloc object, the allocated memory size(object_size) is likely
- * larger than the requested size(orig_size). If redzone check is
- * enabled for the extra space, don't zero it, as it will be redzoned
- * soon. The redzone operation for this extra space could be seen as a
- * replacement of current poisoning under certain debug option, and
- * won't break other sanity checks.
+ * For kmalloc object, the allocated size (object_size) can be larger
+ * than the requested size (orig_size). We however need to zero the
+ * whole object_size to handle possible later krealloc() with
+ *__GFP_ZERO properly.
+ *
+ * But if we keep track of the requested size, krealloc() uses that
+ * information. Additionally if red zoning is enabled, the extra space
+ * is also red zone, so we should not overwrite it. So limit zeroing to
+ * orig_size if we track it.
*/
- if (kmem_cache_debug_flags(s, SLAB_STORE_USER | SLAB_RED_ZONE) &&
- (s->flags & SLAB_KMALLOC))
+ if (slub_debug_orig_size(s))
zero_size = orig_size;
/*
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 263/518] tools/mm/slabinfo: Fix trace disable logic inversion
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 262/518] mm/slab: do not limit zeroing to orig_size when only red zoning is enabled Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 264/518] tools/mm/slabinfo: fix total_objects attribute name Greg Kroah-Hartman
` (258 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Xuewen Wang,
Vlastimil Babka (SUSE)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuewen Wang <wangxuewen@kylinos.cn>
commit 235ab68d67eadbef1fdbfb771f21f5bacc77a2ae upstream.
The disable trace path in slab_debug() had a logic error where it would
set trace=1 instead of trace=0. This made trace functionality permanently
enabled once turned on for any slab cache.
Fixes: a87615b8f9e2 ("SLUB: slabinfo upgrade")
Cc: stable@vger.kernel.org
Reviewed-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Xuewen Wang <wangxuewen@kylinos.cn>
WARNING: From:/Signed-off-by: email address mismatch: 'From: wangxuewen <18810879172@163.com>' != 'Signed-off-by: wangxuewen <wangxuewen@kylinos.cn>'
Link: https://patch.msgid.link/20260518062159.80664-2-wangxuewen@kylinos.cn
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/mm/slabinfo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/mm/slabinfo.c
+++ b/tools/mm/slabinfo.c
@@ -798,7 +798,7 @@ static void slab_debug(struct slabinfo *
fprintf(stderr, "%s can only enable trace for one slab at a time\n", s->name);
}
if (!tracing && s->trace)
- set_obj(s, "trace", 1);
+ set_obj(s, "trace", 0);
}
static void totals(void)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 264/518] tools/mm/slabinfo: fix total_objects attribute name
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 263/518] tools/mm/slabinfo: Fix trace disable logic inversion Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 265/518] HID: hid-goodix-spi: validate report size to prevent stack buffer overflow Greg Kroah-Hartman
` (257 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yichong Chen, SeongJae Park,
Vlastimil Babka (SUSE)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yichong Chen <chenyichong@uniontech.com>
commit 892a7864730775c3dbee2a39e9ead4fa8d4256e7 upstream.
SLUB exports the total_objects sysfs attribute, but slabinfo tries to read
objects_total. As a result, the lookup fails and the field remains zero.
Use the correct attribute name and rename the corresponding structure
member to match.
Fixes: 205ab99dd103 ("slub: Update statistics handling for variable order slabs")
Signed-off-by: Yichong Chen <chenyichong@uniontech.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Link: https://patch.msgid.link/96556748872BB47E+20260612071359.649946-1-chenyichong@uniontech.com
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/mm/slabinfo.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/mm/slabinfo.c
+++ b/tools/mm/slabinfo.c
@@ -33,7 +33,7 @@ struct slabinfo {
unsigned int hwcache_align, object_size, objs_per_slab;
unsigned int sanity_checks, slab_size, store_user, trace;
int order, poison, reclaim_account, red_zone;
- unsigned long partial, objects, slabs, objects_partial, objects_total;
+ unsigned long partial, objects, slabs, objects_partial, total_objects;
unsigned long alloc_fastpath, alloc_slowpath;
unsigned long free_fastpath, free_slowpath;
unsigned long free_frozen, free_add_partial, free_remove_partial;
@@ -1263,7 +1263,7 @@ static void read_slab_dir(void)
slab->object_size = get_obj("object_size");
slab->objects = get_obj("objects");
slab->objects_partial = get_obj("objects_partial");
- slab->objects_total = get_obj("objects_total");
+ slab->total_objects = get_obj("total_objects");
slab->objs_per_slab = get_obj("objs_per_slab");
slab->order = get_obj("order");
slab->partial = get_obj("partial");
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 265/518] HID: hid-goodix-spi: validate report size to prevent stack buffer overflow
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 264/518] tools/mm/slabinfo: fix total_objects attribute name Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 266/518] HID: uhid: convert to hid_safe_input_report() Greg Kroah-Hartman
` (256 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianchu Chen, Dmitry Torokhov,
Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen <flynnnchen@tencent.com>
commit db0a0768d09273aadadeb76730cd658d720333a4 upstream.
goodix_hid_set_raw_report() builds a protocol frame in a 128-byte stack
buffer (tmp_buf), writing an 11-12 byte header followed by the
caller-supplied report data. The HID core caps report size at
HID_MAX_BUFFER_SIZE (16384) by default, while the driver does not set
hid_ll_driver.max_buffer_size and performs no bounds checking before
copying the payload:
memcpy(tmp_buf + tx_len, buf, len);
A hidraw SET_REPORT ioctl with a report larger than ~116 bytes
overflows the stack buffer.
Add a size check after constructing the header, rejecting reports that
would exceed the buffer capacity.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
Fixes: 75e16c8ce283 ("HID: hid-goodix: Add Goodix HID-over-SPI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-goodix-spi.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hid/hid-goodix-spi.c
+++ b/drivers/hid/hid-goodix-spi.c
@@ -520,6 +520,9 @@ static int goodix_hid_set_raw_report(str
memcpy(tmp_buf + tx_len, args, args_len);
tx_len += args_len;
+ if (tx_len + len > sizeof(tmp_buf))
+ return -EINVAL;
+
memcpy(tmp_buf + tx_len, buf, len);
tx_len += len;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 266/518] HID: uhid: convert to hid_safe_input_report()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 265/518] HID: hid-goodix-spi: validate report size to prevent stack buffer overflow Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 267/518] HID: wacom: stop hardware after post-start probe failures Greg Kroah-Hartman
` (255 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Carlos Llamas, Lee Jones,
Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit 63a694c51bf120a37550890b8e7736b4888985e9 upstream.
Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
bogus memset()"), added a check in hid_report_raw_event() to reject
reports if the received data size is smaller than expected. This was
intended to prevent OOB errors by no longer allowing zeroing-out of
shorter reports due to the lack of buffer size information.
However, this leads to regressions in hid_report_raw_event(), where
shorter than expected reports are rejected, even though their buffers
are sufficiently large to be zero-padded.
To solve this issue, Benjamin introduced a safer alternative in commit
206342541fc8 ("HID: core: introduce hid_safe_input_report()"), which
forwards the buffer size and allows hid_report_raw_event() to safely
zero-pad the data.
Convert uhid to use hid_safe_input_report() and pass UHID_DATA_MAX as
the buffer size. This prevents the reported regressions [1], allowing
hid core to zero-pad the shorter reports safely as expected.
Cc: stable@vger.kernel.org
Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Closes: https://lore.kernel.org/all/ahsh0UtTX6e0ZeHa@google.com/ [1]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Closes: https://lore.kernel.org/all/ahsh0UtTX6e0ZeHa@google.com/
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/uhid.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -595,8 +595,8 @@ static int uhid_dev_input(struct uhid_de
if (!READ_ONCE(uhid->running))
return -EINVAL;
- hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
- min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
+ hid_safe_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data, UHID_DATA_MAX,
+ min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
return 0;
}
@@ -606,8 +606,8 @@ static int uhid_dev_input2(struct uhid_d
if (!READ_ONCE(uhid->running))
return -EINVAL;
- hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
- min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
+ hid_safe_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data, UHID_DATA_MAX,
+ min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 267/518] HID: wacom: stop hardware after post-start probe failures
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 266/518] HID: uhid: convert to hid_safe_input_report() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 268/518] HID: pidff: Use correct effect type in effect update Greg Kroah-Hartman
` (254 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ijae Kim, Myeonghun Pak,
Dmitry Torokhov, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit ec2612b8ad9e642596db011dd8b6568ef1edeaa1 upstream.
wacom_parse_and_register() starts HID hardware before registering inputs
and initializing pad LEDs/remotes. Those later steps can fail, but their
error paths currently release Wacom resources without stopping the HID
hardware.
Route post-hid_hw_start() failures through hid_hw_stop() before
releasing driver resources.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: c1d6708bf0d3 ("HID: wacom: Do not register input devices until after hid_hw_start")
Cc: stable@vger.kernel.org
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_sys.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2462,16 +2462,16 @@ static int wacom_parse_and_register(stru
error = wacom_register_inputs(wacom);
if (error)
- goto fail;
+ goto fail_hw_stop;
if (wacom->wacom_wac.features.device_type & WACOM_DEVICETYPE_PAD) {
error = wacom_initialize_leds(wacom);
if (error)
- goto fail;
+ goto fail_hw_stop;
error = wacom_initialize_remotes(wacom);
if (error)
- goto fail;
+ goto fail_hw_stop;
}
if (!wireless) {
@@ -2485,14 +2485,14 @@ static int wacom_parse_and_register(stru
cancel_delayed_work_sync(&wacom->init_work);
_wacom_query_tablet_data(wacom);
error = -ENODEV;
- goto fail_quirks;
+ goto fail_hw_stop;
}
if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) {
error = hid_hw_open(hdev);
if (error) {
hid_err(hdev, "hw open failed\n");
- goto fail_quirks;
+ goto fail_hw_stop;
}
}
@@ -2501,7 +2501,7 @@ static int wacom_parse_and_register(stru
return 0;
-fail_quirks:
+fail_hw_stop:
hid_hw_stop(hdev);
fail:
wacom_release_resources(wacom);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 268/518] HID: pidff: Use correct effect type in effect update
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 267/518] HID: wacom: stop hardware after post-start probe failures Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 269/518] HID: hid-lenovo-go: cancel cfg_setup work in hid_go_cfg_remove() Greg Kroah-Hartman
` (253 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Roundtree, Ryno Kotzé,
Oleg Makarenko, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Makarenko <oleg@makarenk.ooo>
commit b251598b8bf37300510868f739a79e07800d41ce upstream.
When updating an existing effect, the effect type from the last created
effect was sent to the device instead of the updated one.
This caused incorrect reports when a game creates multiple different
effects and updates only one that is not the last created.
Fixes FFB in multiple games that create multiple simultaneous effects
(Forza Horizon 5/6).
Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices")
Cc: stable@vger.kernel.org
Tested-by: Oliver Roundtree <oroundtree1@gmail.com>
Co-developed-by: Ryno Kotzé <lemon.xah@gmail.com>
Signed-off-by: Ryno Kotzé <lemon.xah@gmail.com>
Signed-off-by: Oleg Makarenko <oleg@makarenk.ooo>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-pidff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -522,7 +522,7 @@ static void pidff_set_effect_report(stru
pidff->set_effect[PID_EFFECT_BLOCK_INDEX].value[0] =
pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
pidff->set_effect_type->value[0] =
- pidff->create_new_effect_type->value[0];
+ pidff_get_effect_type_id(pidff, effect);
pidff_set_duration(&pidff->set_effect[PID_DURATION],
effect->replay.length);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 269/518] HID: hid-lenovo-go: cancel cfg_setup work in hid_go_cfg_remove()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 268/518] HID: pidff: Use correct effect type in effect update Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 270/518] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert Greg Kroah-Hartman
` (252 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Manish Khadka, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Khadka <maskmemanish@gmail.com>
commit 73fde0cbff7d9d618591774a12c23434232752c1 upstream.
hid_go_cfg_probe() initialises drvdata.go_cfg_setup and schedules it
to run 2 ms later:
INIT_DELAYED_WORK(&drvdata.go_cfg_setup, &cfg_setup);
schedule_delayed_work(&drvdata.go_cfg_setup, msecs_to_jiffies(2));
cfg_setup() dereferences drvdata.hdev to issue MCU command requests.
hid_go_cfg_remove() tears down sysfs and stops the HID device, but
never drains the delayed work. If the device is unbound within the
2 ms scheduling delay (a probe failure rolling back via remove, or a
fast rmmod after probe), the work fires after hid_destroy_device()
has dropped its reference and released the underlying hdev struct,
leaving cfg_setup() with a stale drvdata.hdev pointer.
Mirror the sibling driver hid-lenovo-go-s.c, whose hid_gos_cfg_remove()
already calls cancel_delayed_work_sync() on its analogous work, and
drain go_cfg_setup at the top of hid_go_cfg_remove(). The cancel
must come before guard(mutex)(&drvdata.cfg_mutex) because cfg_setup()
acquires that mutex; reversing the order would deadlock.
Fixes: d69ccfcbc955 ("HID: hid-lenovo-go: Add Lenovo Legion Go Series HID Driver")
Cc: stable@vger.kernel.org
Signed-off-by: Manish Khadka <maskmemanish@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-lenovo-go.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/hid/hid-lenovo-go.c
+++ b/drivers/hid/hid-lenovo-go.c
@@ -2405,6 +2405,15 @@ static int hid_go_cfg_probe(struct hid_d
static void hid_go_cfg_remove(struct hid_device *hdev)
{
+ /*
+ * cfg_setup is scheduled from hid_go_cfg_probe() with a 2 ms delay
+ * and dereferences drvdata.hdev. Drain it here before tearing
+ * down so the workqueue cannot run after hid_destroy_device()'s
+ * put_device() has released the underlying hdev and dereference
+ * a stale drvdata.hdev pointer.
+ */
+ cancel_delayed_work_sync(&drvdata.go_cfg_setup);
+
guard(mutex)(&drvdata.cfg_mutex);
sysfs_remove_groups(&hdev->dev.kobj, top_level_attr_groups);
hid_hw_close(hdev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 270/518] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 269/518] HID: hid-lenovo-go: cancel cfg_setup work in hid_go_cfg_remove() Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:28 ` [PATCH 7.1 271/518] HID: wacom: use GFP_ATOMIC in wacom_wac_queue_flush() Greg Kroah-Hartman
` (251 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, Jinmo Yang,
Benjamin Tissoires
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinmo Yang <jinmo44.yang@gmail.com>
commit 6b3014ec0e9a390ca563030b2d7689921f0daef5 upstream.
wacom_wac_queue_insert() calls kfifo_skip() in a loop when the kfifo
doesn't have enough space for the incoming report. If the kfifo is
empty, kfifo_skip() reads stale data left in the kmalloc'd buffer
via __kfifo_peek_n() and interprets it as a record length, advancing
fifo->out by that garbage value. This corrupts the internal kfifo
state, causing kfifo_unused() to return a value much larger than the
actual buffer size, which bypasses __kfifo_in_r()'s guard:
if (len + recsize > kfifo_unused(fifo))
return 0;
kfifo_copy_in() then performs an out-of-bounds memcpy, writing up to
3842 bytes past the 256-byte buffer.
Add a !kfifo_is_empty() condition to the while loop so kfifo_skip()
is never called on an empty fifo, and check the return value of
kfifo_in() to reject reports that are too large for the fifo.
Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit")
Cc: stable@vger.kernel.org
Signed-off-by: Jinmo Yang <jinmo44.yang@gmail.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_sys.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -54,7 +54,7 @@ static void wacom_wac_queue_insert(struc
{
bool warned = false;
- while (kfifo_avail(fifo) < size) {
+ while (kfifo_avail(fifo) < size && !kfifo_is_empty(fifo)) {
if (!warned)
hid_warn(hdev, "%s: kfifo has filled, starting to drop events\n", __func__);
warned = true;
@@ -62,7 +62,9 @@ static void wacom_wac_queue_insert(struc
kfifo_skip(fifo);
}
- kfifo_in(fifo, raw_data, size);
+ if (!kfifo_in(fifo, raw_data, size))
+ hid_warn_ratelimited(hdev, "%s: report is too large (%d)\n",
+ __func__, size);
}
static void wacom_wac_queue_flush(struct hid_device *hdev,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 271/518] HID: wacom: use GFP_ATOMIC in wacom_wac_queue_flush()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 270/518] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert Greg Kroah-Hartman
@ 2026-07-16 13:28 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 272/518] HID: letsketch: fix UAF on inrange_timer at driver unbind Greg Kroah-Hartman
` (250 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko-bot, Dmitry Torokhov,
Jinmo Yang, Benjamin Tissoires
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinmo Yang <jinmo44.yang@gmail.com>
commit 55f1ad573e34abf9a0443c34bc5a63d74edba7d7 upstream.
wacom_wac_queue_flush() is called via the .raw_event callback
(wacom_raw_event → wacom_wac_pen_serial_enforce → wacom_wac_queue_flush).
For USB HID devices, this callback is invoked from hid_irq_in(), which
is a URB completion handler running in atomic context. Using GFP_KERNEL
in this path can sleep, leading to a "scheduling while atomic" bug.
Use GFP_ATOMIC instead. The existing code already handles allocation
failure by skipping the fifo entry and continuing.
Reported-by: Sashiko-bot <sashiko-bot@kernel.org>
Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jinmo Yang <jinmo44.yang@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -76,7 +76,7 @@ static void wacom_wac_queue_flush(struct
unsigned int count;
int err;
- buf = kzalloc(size, GFP_KERNEL);
+ buf = kzalloc(size, GFP_ATOMIC);
if (!buf) {
kfifo_skip(fifo);
continue;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 272/518] HID: letsketch: fix UAF on inrange_timer at driver unbind
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-07-16 13:28 ` [PATCH 7.1 271/518] HID: wacom: use GFP_ATOMIC in wacom_wac_queue_flush() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 273/518] HID: multitouch: fix out-of-bounds bit access on mt_io_flags Greg Kroah-Hartman
` (249 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Manish Khadka, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Khadka <maskmemanish@gmail.com>
commit 46c8beeccd8ab2c863827254a85ea877654a3534 upstream.
letsketch_driver does not provide a .remove callback, but
letsketch_probe() arms a per-device timer:
timer_setup(&data->inrange_timer, letsketch_inrange_timeout, 0);
The timer is re-armed from letsketch_raw_event() with a 100 ms
timeout on every pen-in-range report, and its callback dereferences
data->input_tablet to deliver a synthetic BTN_TOOL_PEN release.
letsketch_data is allocated with devm_kzalloc(), and its input_dev
fields are devm-allocated via letsketch_setup_input_tablet(). On
device unbind (USB unplug or rmmod), the HID core runs its default
teardown and devm cleanup frees both letsketch_data and the input
devices. Because no .remove callback exists, nothing drains the
timer first: if raw_event armed it within ~100 ms of the unbind,
the pending timer fires on freed memory. This is a UAF read of
data and of data->input_tablet, followed by input_report_key() /
input_sync() into the freed input_dev.
The same problem can occur on the probe error path: if
hid_hw_start() enabled I/O on an always-poll-quirk device and then
failed, raw_event may have armed the timer before devm releases
data.
Fix by adding a .remove callback that calls hid_hw_stop() first.
hid_hw_stop() synchronously kills the URBs that deliver raw_event(),
so once it returns no path can re-arm the timer. timer_shutdown_sync()
then drains any in-flight callback and permanently disables further
mod_timer() calls. Apply the same timer_shutdown_sync() in the probe
error path so the timer is guaranteed not to outlive data.
Fixes: 33a5c2793451 ("HID: Add new Letsketch tablet driver")
Cc: stable@vger.kernel.org
Signed-off-by: Manish Khadka <maskmemanish@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-letsketch.c | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
--- a/drivers/hid/hid-letsketch.c
+++ b/drivers/hid/hid-letsketch.c
@@ -296,13 +296,42 @@ static int letsketch_probe(struct hid_de
ret = letsketch_setup_input_tablet(data);
if (ret)
- return ret;
+ goto err_shutdown_timer;
ret = letsketch_setup_input_tablet_pad(data);
if (ret)
- return ret;
+ goto err_shutdown_timer;
- return hid_hw_start(hdev, HID_CONNECT_HIDRAW);
+ ret = hid_hw_start(hdev, HID_CONNECT_HIDRAW);
+ if (ret)
+ goto err_shutdown_timer;
+
+ return 0;
+
+err_shutdown_timer:
+ /*
+ * Drain any pending callback and permanently disable the timer
+ * before devm releases data: if hid_hw_start() enabled I/O on an
+ * always-poll-quirk device and then failed, raw_event may have
+ * armed the timer already.
+ */
+ timer_shutdown_sync(&data->inrange_timer);
+ return ret;
+}
+
+static void letsketch_remove(struct hid_device *hdev)
+{
+ struct letsketch_data *data = hid_get_drvdata(hdev);
+
+ /*
+ * hid_hw_stop() synchronously kills the URBs that deliver
+ * raw_event(), so once it returns no path can re-arm
+ * inrange_timer. timer_shutdown_sync() then drains any
+ * in-flight callback and permanently disables further
+ * mod_timer() calls before devm releases data.
+ */
+ hid_hw_stop(hdev);
+ timer_shutdown_sync(&data->inrange_timer);
}
static const struct hid_device_id letsketch_devices[] = {
@@ -315,6 +344,7 @@ static struct hid_driver letsketch_drive
.name = "letsketch",
.id_table = letsketch_devices,
.probe = letsketch_probe,
+ .remove = letsketch_remove,
.raw_event = letsketch_raw_event,
};
module_hid_driver(letsketch_driver);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 273/518] HID: multitouch: fix out-of-bounds bit access on mt_io_flags
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 272/518] HID: letsketch: fix UAF on inrange_timer at driver unbind Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 274/518] HID: appleir: fix UAF on pending key_up_timer in remove() Greg Kroah-Hartman
` (248 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trung Nguyen, Benjamin Tissoires
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trung Nguyen <trungnh@cystack.net>
commit 8813b0612275cc61fe9e6603d0ee019247ade6be upstream.
mt_io_flags is a single unsigned long, but mt_process_slot(),
mt_release_pending_palms() and mt_release_contacts() use it as a
per-slot bitmap indexed by the slot number. That slot number is only
bounded by td->maxcontacts, which is taken from the device's
ContactCountMaximum feature report and can be up to 255, not by
BITS_PER_LONG.
As a result, a multitouch device that advertises a large contact count
makes set_bit()/clear_bit() operate past the mt_io_flags word and
corrupt the adjacent members of struct mt_device. The sticky-fingers
release timer is the easiest way to reach this. mt_release_contacts()
runs
for (i = 0; i < mt->num_slots; i++)
clear_bit(i, &td->mt_io_flags);
with num_slots == maxcontacts. For maxcontacts around 250 the loop
clears the bits that overlap td->applications.next, zeroing that list
head, and the list_for_each_entry() that immediately follows then
dereferences NULL. The kernel panics from timer (softirq) context. On a
KASAN build this shows up as a general protection fault in
mt_release_contacts() with a null-ptr-deref at offset 0x58, which is
offsetof(struct mt_application, num_received).
The state is reachable from an untrusted USB or Bluetooth HID
multitouch device; no local privileges are required.
Store the per-slot active state in a separately allocated bitmap sized
for maxcontacts, the same pattern already used for pending_palm_slots,
and keep only MT_IO_FLAGS_RUNNING in mt_io_flags. The two
"mt_io_flags & MT_IO_SLOTS_MASK" arming checks become
bitmap_empty(td->active_slots, td->maxcontacts).
Move MT_IO_FLAGS_RUNNING back to bit 0. It was bumped to bit 32 by the
same commit to leave the low byte for the slot bits; with the slot bits
gone it fits in bit 0 again, which also keeps it within the unsigned
long on 32-bit.
Fixes: 46f781e0d151 ("HID: multitouch: fix sticky fingers")
Cc: stable@vger.kernel.org
Signed-off-by: Trung Nguyen <trungnh@cystack.net>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-multitouch.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -31,6 +31,7 @@
* [1] https://gitlab.freedesktop.org/libevdev/hid-tools
*/
+#include <linux/bitmap.h>
#include <linux/bits.h>
#include <linux/device.h>
#include <linux/hid.h>
@@ -97,8 +98,7 @@ enum report_mode {
TOUCHPAD_REPORT_ALL = TOUCHPAD_REPORT_BUTTONS | TOUCHPAD_REPORT_CONTACTS,
};
-#define MT_IO_SLOTS_MASK GENMASK(7, 0) /* reserve first 8 bits for slot tracking */
-#define MT_IO_FLAGS_RUNNING 32
+#define MT_IO_FLAGS_RUNNING 0
static const bool mtrue = true; /* default for true */
static const bool mfalse; /* default for false */
@@ -174,10 +174,9 @@ struct mt_device {
struct timer_list release_timer; /* to release sticky fingers */
struct hid_haptic_device *haptic; /* haptic related configuration */
struct hid_device *hdev; /* hid_device we're attached to */
- unsigned long mt_io_flags; /* mt flags (MT_IO_FLAGS_RUNNING)
- * first 8 bits are reserved for keeping the slot
- * states, this is fine because we only support up
- * to 250 slots (MT_MAX_MAXCONTACT)
+ unsigned long mt_io_flags; /* mt flags (MT_IO_FLAGS_RUNNING) */
+ unsigned long *active_slots; /* bitmap of slots with an active
+ * contact, sized for maxcontacts
*/
__u8 inputmode_value; /* InputMode HID feature value */
__u8 maxcontacts;
@@ -1033,7 +1032,7 @@ static void mt_release_pending_palms(str
for_each_set_bit(slotnum, app->pending_palm_slots, td->maxcontacts) {
clear_bit(slotnum, app->pending_palm_slots);
- clear_bit(slotnum, &td->mt_io_flags);
+ clear_bit(slotnum, td->active_slots);
input_mt_slot(input, slotnum);
input_mt_report_slot_inactive(input);
@@ -1244,9 +1243,9 @@ static int mt_process_slot(struct mt_dev
input_event(input, EV_ABS, ABS_MT_TOUCH_MAJOR, major);
input_event(input, EV_ABS, ABS_MT_TOUCH_MINOR, minor);
- set_bit(slotnum, &td->mt_io_flags);
+ set_bit(slotnum, td->active_slots);
} else {
- clear_bit(slotnum, &td->mt_io_flags);
+ clear_bit(slotnum, td->active_slots);
}
return 0;
@@ -1381,7 +1380,7 @@ static void mt_touch_report(struct hid_d
* defect.
*/
if (app->quirks & MT_QUIRK_STICKY_FINGERS) {
- if (td->mt_io_flags & MT_IO_SLOTS_MASK)
+ if (!bitmap_empty(td->active_slots, td->maxcontacts))
mod_timer(&td->release_timer,
jiffies + msecs_to_jiffies(100));
else
@@ -1440,6 +1439,15 @@ static int mt_touch_input_configured(str
if (td->is_pressurepad)
__set_bit(INPUT_PROP_PRESSUREPAD, input->propbit);
+ if (!td->active_slots) {
+ td->active_slots = devm_kcalloc(&td->hdev->dev,
+ BITS_TO_LONGS(td->maxcontacts),
+ sizeof(long),
+ GFP_KERNEL);
+ if (!td->active_slots)
+ return -ENOMEM;
+ }
+
app->pending_palm_slots = devm_kcalloc(&hi->input->dev,
BITS_TO_LONGS(td->maxcontacts),
sizeof(long),
@@ -1917,7 +1925,7 @@ static void mt_release_contacts(struct h
for (i = 0; i < mt->num_slots; i++) {
input_mt_slot(input_dev, i);
input_mt_report_slot_inactive(input_dev);
- clear_bit(i, &td->mt_io_flags);
+ clear_bit(i, td->active_slots);
}
input_mt_sync_frame(input_dev);
input_sync(input_dev);
@@ -1940,7 +1948,7 @@ static void mt_expired_timeout(struct ti
*/
if (test_and_set_bit_lock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))
return;
- if (td->mt_io_flags & MT_IO_SLOTS_MASK)
+ if (!bitmap_empty(td->active_slots, td->maxcontacts))
mt_release_contacts(hdev);
clear_bit_unlock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 274/518] HID: appleir: fix UAF on pending key_up_timer in remove()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 273/518] HID: multitouch: fix out-of-bounds bit access on mt_io_flags Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 275/518] HID: lg-g15: cancel pending work on remove to fix a use-after-free Greg Kroah-Hartman
` (247 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Manish Khadka, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Khadka <maskmemanish@gmail.com>
commit 75fe87e19d8aff81eb2c64d15d244ab8da4de945 upstream.
appleir_remove() runs hid_hw_stop() before timer_delete_sync().
hid_hw_stop() synchronously unregisters the HID input device via
hid_disconnect() -> hidinput_disconnect() -> input_unregister_device(),
which drops the last reference and frees the underlying input_dev when
no userspace handle holds it open.
key_up_tick() reads appleir->input_dev and calls input_report_key() /
input_sync() on it. The timer is armed from appleir_raw_event() with
a HZ/8 (~125 ms) timeout on every keydown and key-repeat report. If a
key was pressed shortly before the device is disconnected, the timer
can fire after hid_hw_stop() has freed input_dev but before the
teardown drains it.
A simple reorder is not sufficient. Putting the timer drain first
still leaves a window where a USB URB completion (raw_event) running
during hid_hw_stop() can call mod_timer() and re-arm the timer, which
then fires after hidinput_disconnect() has freed input_dev. The same
URB-completion window also lets raw_event() reach key_up(), key_down()
and battery_flat() directly, all of which dereference
appleir->input_dev.
Introduce a 'removing' flag on struct appleir, gated by the existing
spinlock. appleir_remove() sets the flag under the lock and then
shuts down the timer with timer_shutdown_sync(), which both drains any
in-flight callback and permanently disables further mod_timer() calls.
appleir_raw_event() and key_up_tick() bail out early if the flag is
set, so no path can arm or run the timer, or dereference
appleir->input_dev, after remove() has started tearing down.
The keyrepeat and flatbattery branches of appleir_raw_event()
previously called into the input layer without holding the spinlock;
take it now so the flag check is well-defined. This incidentally
closes a pre-existing read-side race on appleir->current_key in the
keyrepeat branch.
This bug is structurally a sibling of commit 4db2af929279 ("HID:
appletb-kbd: fix UAF in inactivity-timer cleanup path") and has been
present since the driver was introduced.
Fixes: 9a4a5574ce42 ("HID: appleir: add support for Apple ir devices")
Cc: stable@vger.kernel.org
Signed-off-by: Manish Khadka <maskmemanish@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-appleir.c | 45 +++++++++++++++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 10 deletions(-)
--- a/drivers/hid/hid-appleir.c
+++ b/drivers/hid/hid-appleir.c
@@ -109,9 +109,10 @@ struct appleir {
struct hid_device *hid;
unsigned short keymap[ARRAY_SIZE(appleir_key_table)];
struct timer_list key_up_timer; /* timer for key up */
- spinlock_t lock; /* protects .current_key */
+ spinlock_t lock; /* protects .current_key, .removing */
int current_key; /* the currently pressed key */
int prev_key_idx; /* key index in a 2 packets message */
+ bool removing; /* set during teardown; gates input_dev access */
};
static int get_key(int data)
@@ -172,7 +173,7 @@ static void key_up_tick(struct timer_lis
unsigned long flags;
spin_lock_irqsave(&appleir->lock, flags);
- if (appleir->current_key) {
+ if (!appleir->removing && appleir->current_key) {
key_up(hid, appleir, appleir->current_key);
appleir->current_key = 0;
}
@@ -195,6 +196,10 @@ static int appleir_raw_event(struct hid_
int index;
spin_lock_irqsave(&appleir->lock, flags);
+ if (appleir->removing) {
+ spin_unlock_irqrestore(&appleir->lock, flags);
+ goto out;
+ }
/*
* If we already have a key down, take it up before marking
* this one down
@@ -229,17 +234,25 @@ static int appleir_raw_event(struct hid_
appleir->prev_key_idx = 0;
if (!memcmp(data, keyrepeat, sizeof(keyrepeat))) {
- key_down(hid, appleir, appleir->current_key);
- /*
- * Remote doesn't do key up, either pull them up, in the test
- * above, or here set a timer which pulls them up after 1/8 s
- */
- mod_timer(&appleir->key_up_timer, jiffies + HZ / 8);
+ spin_lock_irqsave(&appleir->lock, flags);
+ if (!appleir->removing) {
+ key_down(hid, appleir, appleir->current_key);
+ /*
+ * Remote doesn't do key up, either pull them up, in
+ * the test above, or here set a timer which pulls them
+ * up after 1/8 s
+ */
+ mod_timer(&appleir->key_up_timer, jiffies + HZ / 8);
+ }
+ spin_unlock_irqrestore(&appleir->lock, flags);
goto out;
}
if (!memcmp(data, flatbattery, sizeof(flatbattery))) {
- battery_flat(appleir);
+ spin_lock_irqsave(&appleir->lock, flags);
+ if (!appleir->removing)
+ battery_flat(appleir);
+ spin_unlock_irqrestore(&appleir->lock, flags);
/* Fall through */
}
@@ -318,8 +331,20 @@ fail:
static void appleir_remove(struct hid_device *hid)
{
struct appleir *appleir = hid_get_drvdata(hid);
+ unsigned long flags;
+
+ /*
+ * Mark the driver as tearing down so that any concurrent raw_event
+ * (e.g. from a USB URB completion that hid_hw_stop() has not yet
+ * killed) and the key_up_timer softirq stop touching input_dev
+ * before hid_hw_stop() frees it via hidinput_disconnect().
+ */
+ spin_lock_irqsave(&appleir->lock, flags);
+ appleir->removing = true;
+ spin_unlock_irqrestore(&appleir->lock, flags);
+
+ timer_shutdown_sync(&appleir->key_up_timer);
hid_hw_stop(hid);
- timer_delete_sync(&appleir->key_up_timer);
}
static const struct hid_device_id appleir_devices[] = {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 275/518] HID: lg-g15: cancel pending work on remove to fix a use-after-free
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 274/518] HID: appleir: fix UAF on pending key_up_timer in remove() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 276/518] HID: sensor-hub: Add sensor_hub_input_attr_read_values() for multi-byte reads Greg Kroah-Hartman
` (246 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Maoyi Xie,
Hans de Goede, Jiri Kosina
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 7705b4140d188ce22656f6e541ae7ef834c7e11a upstream.
lg_g15_data is allocated with devm and holds a work item. The report
handlers schedule that work straight from device input.
lg_g15_event() and lg_g15_v2_event() do it on the backlight cycle key,
and lg_g510_leds_event() does it too. The worker dereferences the
lg_g15_data back through container_of.
The driver had no remove callback and never cancelled the work. So if a
report scheduled the work and the keyboard was then unplugged, devres
freed lg_g15_data while the work was still pending or running, and the
worker touched freed memory. This is a use-after-free. It is reachable
as a race on device unplug.
Add a remove callback that cancels the work before devres frees the
state. g15->work is only initialized for the models that schedule it
(G15, G15 v2, G510). The G13 and Z-10 leave it zeroed, so guard the
cancel on g15->work.func to avoid cancelling a work that was never set
up. The g15 NULL test mirrors the one already in lg_g15_raw_event().
Fixes: 97b741aba918 ("HID: lg-g15: Add keyboard and LCD backlight control")
Cc: stable@vger.kernel.org
Suggested-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-lg-g15.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/hid/hid-lg-g15.c
+++ b/drivers/hid/hid-lg-g15.c
@@ -1374,11 +1374,27 @@ static const struct hid_device_id lg_g15
};
MODULE_DEVICE_TABLE(hid, lg_g15_devices);
+static void lg_g15_remove(struct hid_device *hdev)
+{
+ struct lg_g15_data *g15 = hid_get_drvdata(hdev);
+
+ /*
+ * g15->work is only initialized for the models that schedule it
+ * (G15, G15 v2, G510). The G13 and Z-10 leave it zeroed, so only
+ * cancel it when it was set up.
+ */
+ if (g15 && g15->work.func)
+ cancel_work_sync(&g15->work);
+
+ hid_hw_stop(hdev);
+}
+
static struct hid_driver lg_g15_driver = {
.name = "lg-g15",
.id_table = lg_g15_devices,
.raw_event = lg_g15_raw_event,
.probe = lg_g15_probe,
+ .remove = lg_g15_remove,
};
module_hid_driver(lg_g15_driver);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 276/518] HID: sensor-hub: Add sensor_hub_input_attr_read_values() for multi-byte reads
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 275/518] HID: lg-g15: cancel pending work on remove to fix a use-after-free Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 277/518] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length Greg Kroah-Hartman
` (245 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada, Zhang Lixu,
Jiri Kosina, Andy Shevchenko, Stable, Jonathan Cameron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit f784fcea450617055d2d12eec5b2f6e0e38bf878 upstream.
sensor_hub_input_attr_get_raw_value() is limited to returning a single
32-bit value, which is insufficient for sensors that report data larger
than 32 bits, such as a quaternion with four s16 elements.
Add sensor_hub_input_attr_read_values() that accepts a caller-provided
buffer and accumulates incoming data until the buffer is full. The two
paths are distinguished in sensor_hub_raw_event() by pending.max_raw_size
being non-zero, preserving backward compatibility.
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Co-developed-by: Zhang Lixu <lixu.zhang@intel.com>
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Jiri Kosina <jkosina@suse.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-sensor-hub.c | 77 +++++++++++++++++++++++++++++++++++++----
include/linux/hid-sensor-hub.h | 25 +++++++++++++
2 files changed, 96 insertions(+), 6 deletions(-)
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -286,6 +286,54 @@ done_proc:
}
EXPORT_SYMBOL_GPL(sensor_hub_get_feature);
+int sensor_hub_input_attr_read_values(struct hid_sensor_hub_device *hsdev,
+ u32 usage_id, u32 attr_usage_id,
+ u32 report_id,
+ enum sensor_hub_read_flags flag,
+ u32 buffer_size, u8 *buffer)
+{
+ struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev);
+ struct hid_report *report;
+ unsigned long flags;
+ long cycles;
+ int ret;
+
+ report = sensor_hub_report(report_id, hsdev->hdev, HID_INPUT_REPORT);
+ if (!report)
+ return -EINVAL;
+
+ mutex_lock(hsdev->mutex_ptr);
+ if (flag == SENSOR_HUB_SYNC) {
+ memset(&hsdev->pending, 0, sizeof(hsdev->pending));
+ init_completion(&hsdev->pending.ready);
+ hsdev->pending.usage_id = usage_id;
+ hsdev->pending.attr_usage_id = attr_usage_id;
+ hsdev->pending.max_raw_size = buffer_size;
+ hsdev->pending.raw_data = buffer;
+
+ spin_lock_irqsave(&data->lock, flags);
+ hsdev->pending.status = true;
+ spin_unlock_irqrestore(&data->lock, flags);
+ }
+ mutex_lock(&data->mutex);
+ hid_hw_request(hsdev->hdev, report, HID_REQ_GET_REPORT);
+ mutex_unlock(&data->mutex);
+ ret = 0;
+ if (flag == SENSOR_HUB_SYNC) {
+ cycles = wait_for_completion_interruptible_timeout(&hsdev->pending.ready,
+ HZ * 5);
+ if (cycles == 0)
+ ret = -ETIMEDOUT;
+ else if (cycles < 0)
+ ret = cycles;
+
+ hsdev->pending.status = false;
+ }
+ mutex_unlock(hsdev->mutex_ptr);
+
+ return ret;
+}
+EXPORT_SYMBOL_GPL(sensor_hub_input_attr_read_values);
int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
u32 usage_id,
@@ -478,6 +526,8 @@ static int sensor_hub_raw_event(struct h
struct hid_collection *collection = NULL;
void *priv = NULL;
struct hid_sensor_hub_device *hsdev = NULL;
+ u32 copy_size;
+ u32 avail;
hid_dbg(hdev, "sensor_hub_raw_event report id:0x%x size:%d type:%d\n",
report->id, size, report->type);
@@ -518,12 +568,27 @@ static int sensor_hub_raw_event(struct h
hsdev->pending.attr_usage_id ==
report->field[i]->logical)) {
hid_dbg(hdev, "data was pending ...\n");
- hsdev->pending.raw_data = kmemdup(ptr, sz, GFP_ATOMIC);
- if (hsdev->pending.raw_data)
- hsdev->pending.raw_size = sz;
- else
- hsdev->pending.raw_size = 0;
- complete(&hsdev->pending.ready);
+ if (hsdev->pending.max_raw_size) {
+ if (hsdev->pending.index < hsdev->pending.max_raw_size) {
+ avail = hsdev->pending.max_raw_size - hsdev->pending.index;
+ copy_size = clamp(sz, 0U, avail);
+
+ memcpy(hsdev->pending.raw_data + hsdev->pending.index,
+ ptr, copy_size);
+ hsdev->pending.index += copy_size;
+ if (hsdev->pending.index >= hsdev->pending.max_raw_size) {
+ hsdev->pending.raw_size = hsdev->pending.index;
+ complete(&hsdev->pending.ready);
+ }
+ }
+ } else {
+ hsdev->pending.raw_data = kmemdup(ptr, sz, GFP_ATOMIC);
+ if (hsdev->pending.raw_data)
+ hsdev->pending.raw_size = sz;
+ else
+ hsdev->pending.raw_size = 0;
+ complete(&hsdev->pending.ready);
+ }
}
if (callback->capture_sample) {
if (report->field[i]->logical)
--- a/include/linux/hid-sensor-hub.h
+++ b/include/linux/hid-sensor-hub.h
@@ -43,6 +43,8 @@ struct hid_sensor_hub_attribute_info {
* @attr_usage_id: Usage Id of a field, e.g. X-axis for a gyro.
* @raw_size: Response size for a read request.
* @raw_data: Place holder for received response.
+ * @index: Current write index into raw_data for multi-byte reads.
+ * @max_raw_size: Total buffer size for multi-byte reads; 0 for single-value reads.
*/
struct sensor_hub_pending {
bool status;
@@ -51,6 +53,8 @@ struct sensor_hub_pending {
u32 attr_usage_id;
int raw_size;
u8 *raw_data;
+ u32 index;
+ u32 max_raw_size;
};
/**
@@ -184,6 +188,27 @@ int sensor_hub_input_attr_get_raw_value(
);
/**
+ * sensor_hub_input_attr_read_values() - Synchronous multi-byte read request
+ * @hsdev: Hub device instance.
+ * @usage_id: Attribute usage id of parent physical device as per spec
+ * @attr_usage_id: Attribute usage id as per spec
+ * @report_id: Report id to look for
+ * @flag: Synchronous or asynchronous read
+ * @buffer_size: Size of the buffer in bytes
+ * @buffer: Buffer to store the read data
+ *
+ * Issues a synchronous or asynchronous read request for an input attribute,
+ * accumulating data into the provided buffer until it is full.
+ * Return: 0 on success, -ETIMEDOUT if the device did not respond, or a
+ * negative error code.
+ */
+int sensor_hub_input_attr_read_values(struct hid_sensor_hub_device *hsdev,
+ u32 usage_id, u32 attr_usage_id,
+ u32 report_id,
+ enum sensor_hub_read_flags flag,
+ u32 buffer_size, u8 *buffer);
+
+/**
* sensor_hub_set_feature() - Feature set request
* @hsdev: Hub device instance.
* @report_id: Report id to look for
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 277/518] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 276/518] HID: sensor-hub: Add sensor_hub_input_attr_read_values() for multi-byte reads Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 278/518] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read Greg Kroah-Hartman
` (244 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6df204b70bf3261691c5,
syzbot+e76bf3d19b85350571ac, Tristan Madani, Viacheslav Dubeyko
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit 966cb76fb2857a4242cab6ea2ea17acf818a3da7 upstream.
check_and_correct_requested_length() compares (off + len) against
node_size using u32 arithmetic. When the caller passes a large len
value (e.g. from an underflowed subtraction in hfs_brec_remove()),
off + len can wrap past 2^32 and produce a small result, causing the
bounds check to pass when it should fail.
For example, with off=14 and len=0xFFFFFFF2 (underflowed from
data_off - keyoffset - size in hfs_brec_remove), off + len wraps to 6,
which is less than a typical node_size of 512, so the check passes and
the subsequent memmove reads ~4GB past the node buffer.
Fix this by widening the addition to u64 before comparing against
node_size. This prevents the u32 wrap while keeping the logic
straightforward.
Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
Tested-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
Reported-by: syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e76bf3d19b85350571ac
Tested-by: syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260505111300.3592757-2-tristmd@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfs/bnode.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -41,7 +41,7 @@ u32 check_and_correct_requested_length(s
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if ((u64)off + len > node_size) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -600,7 +600,7 @@ u32 check_and_correct_requested_length(s
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if ((u64)off + len > node_size) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 278/518] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 277/518] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 279/518] nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers Greg Kroah-Hartman
` (243 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+217eb327242d08197efb,
Tristan Madani, Viacheslav Dubeyko
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit d67aadee19ffdf3cc8520c5a4f4d5b2916d30baf upstream.
hfs_bnode_read() can return early without writing to the output buffer
when is_bnode_offset_valid() fails or when check_and_correct_requested_
length() corrects the length to zero. Callers such as hfs_bnode_read_
u16() and hfs_bnode_read_u8() pass stack-allocated buffers and use the
result unconditionally, leading to KMSAN uninit-value reports.
Rather than initializing at each individual call site, zero the buffer
at the start of hfs_bnode_read() before any validation checks. This
ensures all callers in both hfs and hfsplus get a deterministic zero
value regardless of which early-return path is taken.
Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Tested-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260505111300.3592757-3-tristmd@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfs/bnode.c | 2 ++
fs/hfsplus/bnode.c | 2 ++
2 files changed, 4 insertions(+)
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -64,6 +64,8 @@ void hfs_bnode_read(struct hfs_bnode *no
u32 bytes_read;
u32 bytes_to_read;
+ memset(buf, 0, len);
+
if (!is_bnode_offset_valid(node, off))
return;
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -25,6 +25,8 @@ void hfs_bnode_read(struct hfs_bnode *no
struct page **pagep;
u32 l;
+ memset(buf, 0, len);
+
if (!is_bnode_offset_valid(node, off))
return;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 279/518] nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 278/518] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 280/518] media: mtk-jpeg: cancel workqueue on release for supported platforms only Greg Kroah-Hartman
` (242 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+62f0f99d2f2bb8e3bbd7,
Deepanshu Kartikey, Ryusuke Konishi, Viacheslav Dubeyko
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 0e7a690fe435f8d5ea3feb7c1d8d73ba7e8b8aa9 upstream.
Syzbot reported a hung task in nilfs_transaction_begin() where multiple
tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
waiting to acquire ns_segctor_sem for read:
INFO: task syz.0.17:5918 blocked for more than 143 seconds.
Call Trace:
schedule+0x164/0x360
rwsem_down_read_slowpath+0x6d9/0x940
down_read+0x99/0x2e0
nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
notify_change+0xc1a/0xf40
chmod_common+0x273/0x4a0
do_fchmodat+0x12d/0x230
The writer holding ns_segctor_sem was a concurrent
NILFS_IOCTL_CLEAN_SEGMENTS caller, stuck inside printk while emitting
per-element warnings from nilfs_sufile_updatev():
__nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
nilfs_segctor_do_construct+0x1f55/0x76c0
nilfs_clean_segments+0x3bd/0xa50
nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
nilfs_ioctl+0x261f/0x2780
The root cause is that user-supplied segment numbers are not validated
before nilfs_clean_segments() begins doing work; the range check on
each segnum is performed deep inside the call chain by
nilfs_sufile_updatev(), which emits a nilfs_warn() per invalid entry
while still holding the segctor lock and the sufile mi_sem. Under load
(repeated invocations across multiple mounts saturating the global
printk path), the cumulative printk latency keeps ns_segctor_sem held
long enough to trip the hung_task watchdog, blocking concurrent
operations such as chmod() that need ns_segctor_sem for read.
Fix by validating the contents of kbufs[4] in nilfs_clean_segments()
immediately after acquiring ns_segctor_sem via nilfs_transaction_lock().
Holding ns_segctor_sem serializes the check against
nilfs_ioctl_resize(), which can modify ns_nsegments, so the validation
uses a consistent value. Out-of-range segment numbers are rejected
with -EINVAL before any segment-cleaning work begins, so the bad
entries never reach the per-element diagnostic path inside
nilfs_sufile_updatev().
Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
Tested-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Fixes: 071cb4b81987 ("nilfs2: eliminate removal list of segments")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/segment.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2512,12 +2512,33 @@ int nilfs_clean_segments(struct super_bl
struct nilfs_sc_info *sci = nilfs->ns_writer;
struct nilfs_transaction_info ti;
int err;
+ size_t i, nfreesegs = argv[4].v_nmembs;
+ __u64 *segnumv = kbufs[4];
if (unlikely(!sci))
return -EROFS;
nilfs_transaction_lock(sb, &ti, 1);
+ /*
+ * Validate segment numbers under ns_segctor_sem (held for write
+ * by nilfs_transaction_lock above) so the check is serialized
+ * against nilfs_ioctl_resize(), which can modify ns_nsegments.
+ * Rejecting bad input here, before any segment-cleaning work
+ * begins, avoids the per-element diagnostic path inside
+ * nilfs_sufile_updatev() that would otherwise run under this
+ * same lock and stall concurrent readers.
+ */
+ for (i = 0; i < nfreesegs; i++) {
+ if (segnumv[i] >= nilfs->ns_nsegments) {
+ nilfs_err(sb,
+ "Segment number %llu to be freed is out of range",
+ (unsigned long long)segnumv[i]);
+ err = -EINVAL;
+ goto bail_unlock;
+ }
+ }
+
err = nilfs_mdt_save_to_shadow_map(nilfs->ns_dat);
if (unlikely(err))
goto out_unlock;
@@ -2558,6 +2579,7 @@ int nilfs_clean_segments(struct super_bl
sci->sc_freesegs = NULL;
sci->sc_nfreesegs = 0;
nilfs_mdt_clear_shadow_map(nilfs->ns_dat);
+ bail_unlock:
nilfs_transaction_unlock(sb);
return err;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 280/518] media: mtk-jpeg: cancel workqueue on release for supported platforms only
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 279/518] nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 281/518] serial: 8250_mid: Disable DMA for selected platforms Greg Kroah-Hartman
` (241 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Louis-Alexis Eyraud,
Nicolas Dufresne, Hans Verkuil
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
commit b1845a227fda37b2fe5327df3ca0015d7e290235 upstream.
Since a recent fix the mtk_jpeg_release function cancels any pending
or running work present in the driver workqueue using
cancel_work_sync function.
Currently, only the multicore based variants use this workqueue and they
have the jpeg_worker platform data field initialized with a workqueue
callback function. For the others, this field value remain NULL by
default.
The cancel_work_sync function is unconditionally called in
mtk_jpeg_release function, even for the variants that do not use the
workqueue. This call generates a WARN_ON print in __flush_work because
the workqueue callback function presence check fails in __flush_work
function (used by cancel_work_sync).
So, to avoid these warnings, call cancel_work_sync only if a workqueue
callback is defined in platform data.
Fixes: 34c519feef3e ("media: mtk-jpeg: fix use-after-free in release path due to uncancelled work")
Cc: stable@vger.kernel.org
Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
@@ -1202,7 +1202,8 @@ static int mtk_jpeg_release(struct file
struct mtk_jpeg_dev *jpeg = video_drvdata(file);
struct mtk_jpeg_ctx *ctx = mtk_jpeg_file_to_ctx(file);
- cancel_work_sync(&ctx->jpeg_work);
+ if (jpeg->variant->jpeg_worker)
+ cancel_work_sync(&ctx->jpeg_work);
mutex_lock(&jpeg->lock);
v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 281/518] serial: 8250_mid: Disable DMA for selected platforms
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 280/518] media: mtk-jpeg: cancel workqueue on release for supported platforms only Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 282/518] xfs: use null daddr for unset first bad log block Greg Kroah-Hartman
` (240 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, micas-opensource, stable,
Andy Shevchenko
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit b1b4efea05a56c0995e4702a86d6624b4fdff32f upstream.
In accordance with Errata (specification updates)
HSUART May Stop Functioning when DMA is Active.
- Denverton document #572409, rev 3.4, DNV60
- Ice Lake Xeon D document #714070, ICXD65
- Snowridge document #731931, SNR44
For a quick fix just disable the respective callbacks during the device probe.
Depending on the future development we might remove them completely.
Reported-by: micas-opensource <zjianan156@gmail.com>
Closes: https://lore.kernel.org/linux-serial/20250625031409.2404219-1-opensource@ruijie.com.cn/
Fixes: 6ede6dcd87aa ("serial: 8250_mid: add support for DMA engine handling from UART MMIO")
Cc: stable <stable@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260626094937.561776-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_mid.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/8250/8250_mid.c
+++ b/drivers/tty/serial/8250/8250_mid.c
@@ -10,6 +10,7 @@
#include <linux/module.h>
#include <linux/pci.h>
#include <linux/rational.h>
+#include <linux/util_macros.h>
#include <linux/dma/hsu.h>
@@ -368,8 +369,16 @@ static const struct mid8250_board dnv_bo
.freq = 133333333,
.base_baud = 115200,
.bar = 1,
- .setup = dnv_setup,
- .exit = dnv_exit,
+ /*
+ * Errata:
+ * HSUART May Stop Functioning when DMA is Active.
+ *
+ * - Denverton document #572409, rev 3.4, DNV60
+ * - Ice Lake Xeon D document #714070, ICXD65
+ * - Snowridge document #731931, SNR44
+ */
+ .setup = PTR_IF(false, dnv_setup),
+ .exit = PTR_IF(false, dnv_exit),
};
static const struct pci_device_id pci_ids[] = {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 282/518] xfs: use null daddr for unset first bad log block
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 281/518] serial: 8250_mid: Disable DMA for selected platforms Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 283/518] xfs: release dquot buffer after dqflush failure Greg Kroah-Hartman
` (239 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong,
syzbot+b7dfbed0c6c2b5e9fd34, Yousef Alhouseen, Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yousef Alhouseen <alhouseenyousef@gmail.com>
commit cc9af5e461ea5f6e37738f3f1e41c45a9b7f45d6 upstream.
xlog_do_recovery_pass() may return before setting first_bad. The caller
must distinguish that case from an error at a valid log block, including
block zero after the log wraps.
Initialize first_bad to XFS_BUF_DADDR_NULL and test it explicitly before
treating the error as a torn write.
Fixes: 7088c4136fa1 ("xfs: detect and trim torn writes during log recovery")
Suggested-by: Darrick J. Wong <djwong@kernel.org>
Reported-by: syzbot+b7dfbed0c6c2b5e9fd34@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b7dfbed0c6c2b5e9fd34
Cc: stable@vger.kernel.org # v4.5
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_log_recover.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -1028,7 +1028,7 @@ xlog_verify_head(
{
struct xlog_rec_header *tmp_rhead;
char *tmp_buffer;
- xfs_daddr_t first_bad;
+ xfs_daddr_t first_bad = XFS_BUF_DADDR_NULL;
xfs_daddr_t tmp_rhead_blk;
int found;
int error;
@@ -1057,7 +1057,8 @@ xlog_verify_head(
*/
error = xlog_do_recovery_pass(log, *head_blk, tmp_rhead_blk,
XLOG_RECOVER_CRCPASS, &first_bad);
- if ((error == -EFSBADCRC || error == -EFSCORRUPTED) && first_bad) {
+ if ((error == -EFSBADCRC || error == -EFSCORRUPTED) &&
+ first_bad != XFS_BUF_DADDR_NULL) {
/*
* We've hit a potential torn write. Reset the error and warn
* about it.
@@ -3575,4 +3576,3 @@ xlog_recover_cancel(
if (xlog_recovery_needed(log))
xlog_recover_cancel_intents(log);
}
-
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 283/518] xfs: release dquot buffer after dqflush failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 282/518] xfs: use null daddr for unset first bad log block Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 284/518] xfs: pass back updated nb from xfs_growfs_compute_deltas Greg Kroah-Hartman
` (238 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yingjie Gao, Darrick J. Wong,
Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yingjie Gao <gaoyingjie@uniontech.com>
commit 0c1b3a823a22af623d55f225fe2ac7e8b9052821 upstream.
xfs_qm_dqpurge() gets a locked buffer from xfs_dquot_use_attached_buf().
If xfs_qm_dqflush() fails, the error path skips xfs_buf_relse() and then
calls xfs_dquot_detach_buf(), which tries to lock the same buffer again.
Release the buffer after xfs_qm_dqflush() returns so the error path drops
the caller hold and unlocks the buffer before the dquot is detached,
matching the other dqflush callers.
Fixes: a40fe30868ba ("xfs: separate dquot buffer reads from xfs_dqflush")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Yingjie Gao <gaoyingjie@uniontech.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_qm.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/xfs/xfs_qm.c
+++ b/fs/xfs/xfs_qm.c
@@ -166,10 +166,9 @@ xfs_qm_dqpurge(
* does it on success.
*/
error = xfs_qm_dqflush(dqp, bp);
- if (!error) {
+ if (!error)
error = xfs_bwrite(bp);
- xfs_buf_relse(bp);
- }
+ xfs_buf_relse(bp);
xfs_dqflock(dqp);
}
xfs_dquot_detach_buf(dqp);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 284/518] xfs: pass back updated nb from xfs_growfs_compute_deltas
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 283/518] xfs: release dquot buffer after dqflush failure Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 285/518] xfs: only log freed extents for the current RTG in zoned growfs Greg Kroah-Hartman
` (237 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Carlos Maiolino, Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit 4cb6e89a3d901d4da515977e55f9a9a779238660 upstream.
xfs_growfs_compute_deltas can update nb for corner cases like a number
of blocks that would create a less the minimal sized AG, or running
past the max AG limit. Pass back the calculated value to the caller,
as it relies on to calculate the new number of perag structures.
Note that the grown file system size is not affected by this
miscalculation as it uses the passed back delta value.
Fixes: a49b7ff63f98 ("xfs: Refactoring the nagcount and delta calculation")
Cc: stable@vger.kernel.org # v7.0
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_ag.c | 10 +++++-----
fs/xfs/libxfs/xfs_ag.h | 2 +-
fs/xfs/xfs_fsops.c | 2 +-
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_ag.c b/fs/xfs/libxfs/xfs_ag.c
index dcd2f93b6a6c..0c5f0548021f 100644
--- a/fs/xfs/libxfs/xfs_ag.c
+++ b/fs/xfs/libxfs/xfs_ag.c
@@ -866,7 +866,7 @@ xfs_ag_shrink_space(
void
xfs_growfs_compute_deltas(
struct xfs_mount *mp,
- xfs_rfsblock_t nb,
+ xfs_rfsblock_t *nb,
int64_t *deltap,
xfs_agnumber_t *nagcountp)
{
@@ -874,19 +874,19 @@ xfs_growfs_compute_deltas(
int64_t delta;
xfs_agnumber_t nagcount;
- nb_div = nb;
+ nb_div = *nb;
nb_mod = do_div(nb_div, mp->m_sb.sb_agblocks);
if (nb_mod && nb_mod >= XFS_MIN_AG_BLOCKS)
nb_div++;
else if (nb_mod)
- nb = nb_div * mp->m_sb.sb_agblocks;
+ *nb = nb_div * mp->m_sb.sb_agblocks;
if (nb_div > XFS_MAX_AGNUMBER + 1) {
nb_div = XFS_MAX_AGNUMBER + 1;
- nb = nb_div * mp->m_sb.sb_agblocks;
+ *nb = nb_div * mp->m_sb.sb_agblocks;
}
nagcount = nb_div;
- delta = nb - mp->m_sb.sb_dblocks;
+ delta = *nb - mp->m_sb.sb_dblocks;
*deltap = delta;
*nagcountp = nagcount;
}
diff --git a/fs/xfs/libxfs/xfs_ag.h b/fs/xfs/libxfs/xfs_ag.h
index 16a9b43a3c27..8aa4266c5571 100644
--- a/fs/xfs/libxfs/xfs_ag.h
+++ b/fs/xfs/libxfs/xfs_ag.h
@@ -330,7 +330,7 @@ int xfs_ag_init_headers(struct xfs_mount *mp, struct aghdr_init_data *id);
int xfs_ag_shrink_space(struct xfs_perag *pag, struct xfs_trans **tpp,
xfs_extlen_t delta);
void
-xfs_growfs_compute_deltas(struct xfs_mount *mp, xfs_rfsblock_t nb,
+xfs_growfs_compute_deltas(struct xfs_mount *mp, xfs_rfsblock_t *nb,
int64_t *deltap, xfs_agnumber_t *nagcountp);
int xfs_ag_extend_space(struct xfs_perag *pag, struct xfs_trans *tp,
xfs_extlen_t len);
diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
index 8d64d904d73c..436857356a0a 100644
--- a/fs/xfs/xfs_fsops.c
+++ b/fs/xfs/xfs_fsops.c
@@ -124,7 +124,7 @@ xfs_growfs_data_private(
mp->m_sb.sb_rextsize);
if (error)
return error;
- xfs_growfs_compute_deltas(mp, nb, &delta, &nagcount);
+ xfs_growfs_compute_deltas(mp, &nb, &delta, &nagcount);
/*
* Reject filesystems with a single AG because they are not
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 285/518] xfs: only log freed extents for the current RTG in zoned growfs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 284/518] xfs: pass back updated nb from xfs_growfs_compute_deltas Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 286/518] xfs: initialize iomap->flags earlier in xfs_bmbt_to_iomap Greg Kroah-Hartman
` (236 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Damien Le Moal, Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit 44cccefe65749821d9a13523c8b763bf1262ef73 upstream.
Otherwise a power fail or crash during growfs could lead to an
elevated sb_rblocks counter.
Note that the step function is much simpler compared to the classic RT
allocator as zoned RT sections must be aligned to real time group
boundaries.
Fixes: 01b71e64bb87 ("xfs: support growfs on zoned file systems")
Cc: <stable@vger.kernel.org> # v6.15
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_rtalloc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/xfs/xfs_rtalloc.c
+++ b/fs/xfs/xfs_rtalloc.c
@@ -890,8 +890,7 @@ xfs_growfs_rt_sb_fields(
static int
xfs_growfs_rt_zoned(
- struct xfs_rtgroup *rtg,
- xfs_rfsblock_t nrblocks)
+ struct xfs_rtgroup *rtg)
{
struct xfs_mount *mp = rtg_mount(rtg);
struct xfs_mount *nmp;
@@ -903,7 +902,8 @@ xfs_growfs_rt_zoned(
* Calculate new sb and mount fields for this round. Also ensure the
* rtg_extents value is uptodate as the rtbitmap code relies on it.
*/
- nmp = xfs_growfs_rt_alloc_fake_mount(mp, nrblocks,
+ nmp = xfs_growfs_rt_alloc_fake_mount(mp,
+ xfs_rtgs_to_rfsbs(mp, rtg_rgno(rtg) + 1),
mp->m_sb.sb_rextsize);
if (!nmp)
return -ENOMEM;
@@ -1218,7 +1218,7 @@ xfs_growfs_rtg(
}
if (xfs_has_zoned(mp)) {
- error = xfs_growfs_rt_zoned(rtg, nrblocks);
+ error = xfs_growfs_rt_zoned(rtg);
goto out_rele;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 286/518] xfs: initialize iomap->flags earlier in xfs_bmbt_to_iomap
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 285/518] xfs: only log freed extents for the current RTG in zoned growfs Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 287/518] xfs: fix unreachable BIGTIME check in dquot flush validation Greg Kroah-Hartman
` (235 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit 327e58826eb72f8bae9419cf1a4e722b57c85694 upstream.
Otherwise we lose the IOMAP_IOEND_BOUNDARY assingment for writes to the
first block in a realtime group, and could cause incorrect merges for
such writes.
Fixes: b91afef72471 ("xfs: don't merge ioends across RTGs")
Cc: <stable@vger.kernel.org> # v6.13
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_iomap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/xfs_iomap.c
+++ b/fs/xfs/xfs_iomap.c
@@ -113,6 +113,7 @@ xfs_bmbt_to_iomap(
return xfs_alert_fsblock_zero(ip, imap);
}
+ iomap->flags = iomap_flags;
if (imap->br_startblock == HOLESTARTBLOCK) {
iomap->addr = IOMAP_NULL_ADDR;
iomap->type = IOMAP_HOLE;
@@ -143,7 +144,6 @@ xfs_bmbt_to_iomap(
}
iomap->offset = XFS_FSB_TO_B(mp, imap->br_startoff);
iomap->length = XFS_FSB_TO_B(mp, imap->br_blockcount);
- iomap->flags = iomap_flags;
if (mapping_flags & IOMAP_DAX) {
iomap->dax_dev = target->bt_daxdev;
} else {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 287/518] xfs: fix unreachable BIGTIME check in dquot flush validation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 286/518] xfs: initialize iomap->flags earlier in xfs_bmbt_to_iomap Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 288/518] xfs: fix pointer arithmetic error on 32-bit systems Greg Kroah-Hartman
` (234 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Nepomnyashih, Darrick J. Wong,
Allison Henderson, Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Nepomnyashih <sdl@nppct.ru>
commit 03866d130ed33ab68cc7faaf4bf2c4abef96d42e upstream.
The dqp->q_id == 0 check inside the XFS_DQTYPE_BIGTIME block is
unreachable because root dquots return successfully earlier. Reject root
dquots with XFS_DQTYPE_BIGTIME before that early return, preserving the
intended validation and removing the unreachable condition.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 4ea1ff3b4968 ("xfs: widen ondisk quota expiration timestamps to handle y2038+")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Allison Henderson <achender@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_dquot.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/fs/xfs/xfs_dquot.c
+++ b/fs/xfs/xfs_dquot.c
@@ -1216,6 +1216,14 @@ xfs_qm_dqflush_check(
type != XFS_DQTYPE_PROJ)
return __this_address;
+ /* bigtime flag should never be set on root dquots */
+ if (dqp->q_type & XFS_DQTYPE_BIGTIME) {
+ if (!xfs_has_bigtime(dqp->q_mount))
+ return __this_address;
+ if (dqp->q_id == 0)
+ return __this_address;
+ }
+
if (dqp->q_id == 0)
return NULL;
@@ -1231,14 +1239,6 @@ xfs_qm_dqflush_check(
!dqp->q_rtb.timer)
return __this_address;
- /* bigtime flag should never be set on root dquots */
- if (dqp->q_type & XFS_DQTYPE_BIGTIME) {
- if (!xfs_has_bigtime(dqp->q_mount))
- return __this_address;
- if (dqp->q_id == 0)
- return __this_address;
- }
-
return NULL;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 288/518] xfs: fix pointer arithmetic error on 32-bit systems
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 287/518] xfs: fix unreachable BIGTIME check in dquot flush validation Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 289/518] xfs: fix exchmaps reservation limit check Greg Kroah-Hartman
` (233 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 84eec3f7fc73144d1a230c9e8ad92721e37dcaab upstream.
The translation of the old XFS_BMBT_KEY_ADDR macro into a static
function is not correct on 32-bit systems because the sizeof() argument
went from being a xfs_bmbt_key_t (i.e. a struct) to a (struct
xfs_bmbt_key *) (i.e. a pointer to the same struct). On 64-bit systems
this turns out ok because they are the same size, but on 32-bit systems
this is catastrophic because they are not the same size. So far there
have been no complaints, most likely because the xfs developers urge
against running it on 32-bit systems. But this needs fixing asap.
Cc: stable@vger.kernel.org # v6.12
Fixes: 79124b37400635 ("xfs: replace shouty XFS_BM{BT,DR} macros")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_bmap_btree.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/libxfs/xfs_bmap_btree.h
+++ b/fs/xfs/libxfs/xfs_bmap_btree.h
@@ -89,7 +89,7 @@ xfs_bmbt_key_addr(
{
return (struct xfs_bmbt_key *)
((char *)block + xfs_bmbt_block_len(mp) +
- (index - 1) * sizeof(struct xfs_bmbt_key *));
+ (index - 1) * sizeof(struct xfs_bmbt_key));
}
static inline xfs_bmbt_ptr_t *
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 289/518] xfs: fix exchmaps reservation limit check
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 288/518] xfs: fix pointer arithmetic error on 32-bit systems Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 290/518] xfs: fix memory leak in xfs_dqinode_metadir_create() Greg Kroah-Hartman
` (232 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yingjie Gao, Darrick J. Wong,
Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yingjie Gao <gaoyingjie@uniontech.com>
commit 0a5213bbff62b51c7d4999ac8c7e11ea57d00d45 upstream.
xfs_exchmaps_estimate_overhead() adds the bmbt and rmapbt
overhead to a local resblks variable, but the final UINT_MAX
check still tests req->resblks. That is the reservation value
from before the overhead was added.
The computed value is stored back in req->resblks and later passed
to xfs_trans_alloc(), whose block reservation argument is unsigned
int. Check the computed reservation so the existing limit applies
to the value that will be used.
Fixes: 966ceafc7a43 ("xfs: create deferred log items for file mapping exchanges")
Cc: stable@vger.kernel.org # v6.10
Signed-off-by: Yingjie Gao <gaoyingjie@uniontech.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_exchmaps.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/libxfs/xfs_exchmaps.c
+++ b/fs/xfs/libxfs/xfs_exchmaps.c
@@ -711,7 +711,7 @@ xfs_exchmaps_estimate_overhead(
return -ENOSPC;
/* Can't actually reserve more than UINT_MAX blocks. */
- if (req->resblks > UINT_MAX)
+ if (resblks > UINT_MAX)
return -ENOSPC;
req->resblks = resblks;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 290/518] xfs: fix memory leak in xfs_dqinode_metadir_create()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 289/518] xfs: fix exchmaps reservation limit check Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 291/518] bpf: Reject fragmented frames in devmap Greg Kroah-Hartman
` (231 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawei Feng, Darrick J. Wong,
Carlos Maiolino
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 45de375b25060edf46e20abb36521ba530336ceb upstream.
If xfs_metadir_create() fails in xfs_dqinode_metadir_create(), the current
code returns directly, leaking the allocated update and transaction state.
If the subsequent commit fails, the caller-owned inode reference is left
behind.
Fix this memory leak by routing the create failure path through
xfs_metadir_cancel(). For both create and commit failures, finish and
release any inode returned to the caller, mirroring the unwind pattern in
xfs_metadir_mkdir().
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1.1.
An x86_64 allyesconfig build showed no new warnings. Runtime validation
used kprobe fault injection during `mount -o uquota` on a metadir XFS
image. Injecting xfs_metadir_create() reproduced the old active-update path
that left mount stuck later in mount setup; after this change, the same
injection reported cancel_hits=1 and irele_hits=1. Injecting
xfs_metadir_commit() exercised the old inode-reference leak path; after
this change, it reported irele_hits=1.
Fixes: e80fbe1ad8ef ("xfs: use metadir for quota inodes")
Cc: stable@vger.kernel.org # v6.13
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_dquot_buf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/xfs/libxfs/xfs_dquot_buf.c
+++ b/fs/xfs/libxfs/xfs_dquot_buf.c
@@ -436,17 +436,27 @@ xfs_dqinode_metadir_create(
error = xfs_metadir_create(&upd, S_IFREG);
if (error)
- return error;
+ goto out_cancel;
xfs_trans_log_inode(upd.tp, upd.ip, XFS_ILOG_CORE);
error = xfs_metadir_commit(&upd);
if (error)
- return error;
+ goto out_irele;
xfs_finish_inode_setup(upd.ip);
*ipp = upd.ip;
return 0;
+
+out_cancel:
+ xfs_metadir_cancel(&upd, error);
+out_irele:
+ /* Have to finish setting up the inode to ensure it's deleted. */
+ if (upd.ip) {
+ xfs_finish_inode_setup(upd.ip);
+ xfs_irele(upd.ip);
+ }
+ return error;
}
#ifndef __KERNEL__
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 291/518] bpf: Reject fragmented frames in devmap
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 290/518] xfs: fix memory leak in xfs_dqinode_metadir_create() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 292/518] bpf: Restore sysctl new-value from 1 to 0 Greg Kroah-Hartman
` (230 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
Xin Liu, Zhao Zhang, Ren Wei, Emil Tsalapatis,
Toke Høiland-Jørgensen, Alexei Starovoitov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Zhang <zzhan461@ucr.edu>
commit aa496720618f1a6054f1c870bf10b4f6c99bf656 upstream.
Devmap broadcast redirects clone the packet for all but the last
destination.
For native XDP, that clone path copies only the linear xdp_frame data,
while fragmented frames keep skb_shared_info in tailroom outside the
linear area. Cloning such a frame leaves XDP_FLAGS_HAS_FRAGS set but
without valid frag metadata, and the later free path can interpret
uninitialized tail data as skb_shared_info, leading to an out-of-bounds
access during frame return.
Reject fragmented native XDP frames in dev_map_enqueue_clone().
Add the same restriction to the generic XDP clone path in
dev_map_redirect_clone(). Generic XDP represents fragmented packets as
nonlinear skbs, and rejecting them here keeps clone-based broadcast
support aligned between native and generic XDP.
Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/21c2d153dd25603d359069a02bf06779b51f6423.1780385378.git.zzhan461@ucr.edu
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/devmap.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -581,6 +581,10 @@ static int dev_map_enqueue_clone(struct
{
struct xdp_frame *nxdpf;
+ /* Frags live outside the linear frame and cannot be cloned safely. */
+ if (unlikely(xdp_frame_has_frags(xdpf)))
+ return -EOPNOTSUPP;
+
nxdpf = xdpf_clone(xdpf);
if (!nxdpf)
return -ENOMEM;
@@ -726,6 +730,9 @@ static int dev_map_redirect_clone(struct
struct sk_buff *nskb;
int err;
+ if (unlikely(skb_is_nonlinear(skb)))
+ return -EOPNOTSUPP;
+
nskb = skb_clone(skb, GFP_ATOMIC);
if (!nskb)
return -ENOMEM;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 292/518] bpf: Restore sysctl new-value from 1 to 0
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 291/518] bpf: Reject fragmented frames in devmap Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 293/518] bpf: Validate BTF repeated field counts before expansion Greg Kroah-Hartman
` (229 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Zilin Guan,
Dawei Feng, Jiayuan Chen, Xu Kuohai, Alexei Starovoitov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 2566c3b24219c5b30e35205cba029ff34ff7c78b upstream.
Commit 4e63acdff864 ("bpf: Introduce bpf_sysctl_{get,set}_new_value
helpers") changed the success return value to 0, but failed to update the
corresponding check in __cgroup_bpf_run_filter_sysctl(). Since
bpf_prog_run_array_cg() now returns 0 on success, the legacy ret == 1
condition is never satisfied. As a result, the modified value is ignored,
and bpf_sysctl_set_new_value() fails to replace the write buffer.
Fix this by checking for a return value of 0 instead, so cgroup/sysctl
programs can correctly replace the pending sysctl buffer.
This bug was discovered during a manual code review. Tested via a
cgroup/sysctl BPF reproducer overriding writes to a target sysctl.
Pre-fix, bpf_sysctl_set_new_value("foo") was silently ignored: the write
returned 8192 and the value remained "600". Post-fix, the BPF replacement
buffer properly propagates: the write returns 3 and the value updates to
"foo".
Fixes: f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean")
Cc: stable@vger.kernel.org
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20260603105317.944304-4-dawei.feng@seu.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1935,7 +1935,7 @@ int __cgroup_bpf_run_filter_sysctl(struc
kfree(ctx.cur_val);
- if (ret == 1 && ctx.new_updated) {
+ if (!ret && ctx.new_updated) {
kvfree(*buf);
*buf = ctx.new_val;
*pcount = ctx.new_len;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 293/518] bpf: Validate BTF repeated field counts before expansion
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 292/518] bpf: Restore sysctl new-value from 1 to 0 Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 294/518] bpf: Keep dynamic inner array lookups nullable Greg Kroah-Hartman
` (228 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moses, Eduard Zingerman,
Kumar Kartikeya Dwivedi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
commit b9452b594fd3aecbfd4aa0a6a1f741330a37dab7 upstream.
btf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD,
and btf_repeat_fields() expands repeatable fields from array elements
into the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields().
The remaining-capacity check performs the expanded field count calculation
in u32. A malformed BTF can wrap that calculation, causing the check to
pass even when the expanded field count exceeds the scratch array
capacity. The following memcpy() can then write past the end of the
array.
Use checked addition and multiplication before copying repeated fields
and reject impossible counts.
Fixes: 797d73ee232d ("bpf: Check the remaining info_cnt before repeating btf fields")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20260605234301.1109063-1-p@1g4.org
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/btf.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3668,7 +3668,7 @@ end:
static int btf_repeat_fields(struct btf_field_info *info, int info_cnt,
u32 field_cnt, u32 repeat_cnt, u32 elem_size)
{
- u32 i, j;
+ u32 i, j, total_cnt, total_repeats;
u32 cur;
/* Ensure not repeating fields that should not be repeated. */
@@ -3686,10 +3686,9 @@ static int btf_repeat_fields(struct btf_
}
}
- /* The type of struct size or variable size is u32,
- * so the multiplication will not overflow.
- */
- if (field_cnt * (repeat_cnt + 1) > info_cnt)
+ if (check_add_overflow(repeat_cnt, 1, &total_repeats) ||
+ check_mul_overflow(field_cnt, total_repeats, &total_cnt) ||
+ total_cnt > (u32)info_cnt)
return -E2BIG;
cur = field_cnt;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 294/518] bpf: Keep dynamic inner array lookups nullable
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 293/518] bpf: Validate BTF repeated field counts before expansion Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 295/518] bpf: Allow LPM map access from sleepable BPF programs Greg Kroah-Hartman
` (227 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuoqi Gui, Eduard Zingerman,
Jiri Olsa, Kumar Kartikeya Dwivedi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
commit 53040a81ae57cdca8af8ac36fe4e661730cf7c6b upstream.
An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its
inner map template. A concrete inner array with a different max_entries
value can then replace the template.
After a successful outer map lookup, the verifier represents the
resulting map pointer using the inner map template. Const-key lookup
nullness elision consequently uses the template max_entries even though
the runtime helper uses the concrete inner map max_entries.
Do not elide lookup result nullness for maps marked with BPF_F_INNER_MAP,
because the template max_entries does not prove that the key is in bounds
for the concrete runtime map.
Fixes: d2102f2f5d75 ("bpf: verifier: Support eliding map lookup nullness")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20260607-f01-v2-v2-1-da48453146e8@mails.tsinghua.edu.cn
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8471,7 +8471,7 @@ static int get_constant_map_key(struct b
return 0;
}
-static bool can_elide_value_nullness(enum bpf_map_type type);
+static bool can_elide_value_nullness(const struct bpf_map *map);
static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
struct bpf_call_arg_meta *meta,
@@ -8621,7 +8621,7 @@ skip_type_check:
err = check_helper_mem_access(env, regno, key_size, BPF_READ, false, NULL);
if (err)
return err;
- if (can_elide_value_nullness(meta->map.ptr->map_type)) {
+ if (can_elide_value_nullness(meta->map.ptr)) {
err = get_constant_map_key(env, reg, key_size, &meta->const_map_key);
if (err < 0) {
meta->const_map_key = -1;
@@ -10221,13 +10221,16 @@ static void update_loop_inline_state(str
state->callback_subprogno == subprogno);
}
-/* Returns whether or not the given map type can potentially elide
+/* Returns whether or not the given map can potentially elide
* lookup return value nullness check. This is possible if the key
* is statically known.
*/
-static bool can_elide_value_nullness(enum bpf_map_type type)
+static bool can_elide_value_nullness(const struct bpf_map *map)
{
- switch (type) {
+ if (map->map_flags & BPF_F_INNER_MAP)
+ return false;
+
+ switch (map->map_type) {
case BPF_MAP_TYPE_ARRAY:
case BPF_MAP_TYPE_PERCPU_ARRAY:
return true;
@@ -10589,7 +10592,7 @@ static int check_helper_call(struct bpf_
}
if (func_id == BPF_FUNC_map_lookup_elem &&
- can_elide_value_nullness(meta.map.ptr->map_type) &&
+ can_elide_value_nullness(meta.map.ptr) &&
meta.const_map_key >= 0 &&
meta.const_map_key < meta.map.ptr->max_entries)
ret_flag &= ~PTR_MAYBE_NULL;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 295/518] bpf: Allow LPM map access from sleepable BPF programs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 294/518] bpf: Keep dynamic inner array lookups nullable Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 296/518] net: usb: kalmia: bound RX frame length in kalmia_rx_fixup() Greg Kroah-Hartman
` (226 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vlad Poenaru, Emil Tsalapatis,
Alexei Starovoitov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Poenaru <vlad.wing@gmail.com>
commit 2f884d371fafea137afea504d49ee4a7c8d7985b upstream.
trie_lookup_elem() annotates its rcu_dereference_check() walks with
only rcu_read_lock_bh_held(). Because rcu_dereference_check(p, c)
resolves to "c || rcu_read_lock_held()", this passes for XDP/NAPI and
classic RCU readers but fails for sleepable BPF programs, which enter
via __bpf_prog_enter_sleepable() and hold only rcu_read_lock_trace().
trie_update_elem() and trie_delete_elem() have the same problem in a
different form: they walk the trie with plain rcu_dereference(), which
asserts rcu_read_lock_held() unconditionally. Both are reachable from
sleepable BPF programs via the bpf_map_update_elem / bpf_map_delete_elem
helpers, and from the syscall path under classic rcu_read_lock(). In
the writer paths the trie is actually protected by trie->lock (an
rqspinlock taken across the walk); we never relied on the RCU read-side
lock to keep nodes alive there.
A sleepable LSM hook that ends up touching an LPM trie therefore
triggers lockdep on debug kernels:
=============================
WARNING: suspicious RCU usage
7.1.0-... Tainted: G E
-----------------------------
kernel/bpf/lpm_trie.c:249 suspicious rcu_dereference_check() usage!
1 lock held by net_tests/540:
#0: (rcu_tasks_trace_srcu_struct){....}-{0:0},
at: __bpf_prog_enter_sleepable+0x26/0x280
Call Trace:
dump_stack_lvl
lockdep_rcu_suspicious
trie_lookup_elem
bpf_prog_..._enforce_security_socket_connect
bpf_trampoline_...
security_socket_connect
__sys_connect
do_syscall_64
This is lockdep-only -- no UAF, since Tasks Trace RCU does serialize
against the trie's reclaim path -- but it spams the console once per
distinct callsite on every debug kernel running a sleepable BPF LSM
that touches an LPM trie, which is increasingly common.
For the lookup path, switch the rcu_dereference_check() annotation
from rcu_read_lock_bh_held() to bpf_rcu_lock_held(), which accepts all
three contexts (classic, BH, Tasks Trace). Other map types already
follow this convention.
For trie_update_elem() and trie_delete_elem(), annotate the walks as
rcu_dereference_protected(*p, 1) -- matching trie_free() in the same
file -- since trie->lock is held across the walk. rqspinlock has no
lockdep_map, so the predicate degenerates to '1' rather than
lockdep_is_held(&trie->lock); the protection is real but not
machine-verifiable. trie_get_next_key() also uses bare
rcu_dereference() but is reachable only from the BPF syscall, which
holds classic rcu_read_lock() before dispatching, so it is left
untouched.
Fixes: 694cea395fde ("bpf: Allow RCU-protected lookups to happen from bh context")
Cc: stable@vger.kernel.org
Signed-off-by: Vlad Poenaru <vlad.wing@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260609135558.193287-2-vlad.wing@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/lpm_trie.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/kernel/bpf/lpm_trie.c
+++ b/kernel/bpf/lpm_trie.c
@@ -246,7 +246,7 @@ static void *trie_lookup_elem(struct bpf
/* Start walking the trie from the root node ... */
- for (node = rcu_dereference_check(trie->root, rcu_read_lock_bh_held());
+ for (node = rcu_dereference_check(trie->root, bpf_rcu_lock_held());
node;) {
unsigned int next_bit;
size_t matchlen;
@@ -280,7 +280,7 @@ static void *trie_lookup_elem(struct bpf
*/
next_bit = extract_bit(key->data, node->prefixlen);
node = rcu_dereference_check(node->child[next_bit],
- rcu_read_lock_bh_held());
+ bpf_rcu_lock_held());
}
if (!found)
@@ -359,7 +359,7 @@ static long trie_update_elem(struct bpf_
*/
slot = &trie->root;
- while ((node = rcu_dereference(*slot))) {
+ while ((node = rcu_dereference_protected(*slot, 1))) {
matchlen = longest_prefix_match(trie, node, key);
if (node->prefixlen != matchlen ||
@@ -482,7 +482,7 @@ static long trie_delete_elem(struct bpf_
trim = &trie->root;
trim2 = trim;
parent = NULL;
- while ((node = rcu_dereference(*trim))) {
+ while ((node = rcu_dereference_protected(*trim, 1))) {
matchlen = longest_prefix_match(trie, node, key);
if (node->prefixlen != matchlen ||
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 296/518] net: usb: kalmia: bound RX frame length in kalmia_rx_fixup()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 295/518] bpf: Allow LPM map access from sleepable BPF programs Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 297/518] Revert "usb: typec: mux: avoid duplicated mux switches" Greg Kroah-Hartman
` (225 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Andrew Lunn,
Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 47b6bcef6e679593d2e86e04ee72c46a4e2f7139 upstream.
kalmia_rx_fixup() computes usb_packet_length = skb->len - (2 *
KALMIA_HEADER_LENGTH) as a u16, guarded only by a pre-loop check that
skb->len is at least KALMIA_HEADER_LENGTH, which is 6. A device can
deliver a short bulk-IN frame with skb->len in the 6 to 11 range, or
leave a short trailing remainder on a later loop iteration. Either case
underflows usb_packet_length to about 65530.
That bypasses the usb_packet_length < ether_packet_length truncation path.
The device-supplied ether_packet_length, a le16 up to 65535 read from
header_start[2], then drives a memcmp() and the following skb_trim() and
skb_pull() past the end of the rx buffer. The rx buffer is hard_mtu * 10,
which is 14000 bytes. That is an out of bounds read.
Require both the start and end framing headers to be present before
subtracting them, on every loop iteration.
Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/178211531778.2216480.12637613349790980750@maoyixie.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/kalmia.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/net/usb/kalmia.c
+++ b/drivers/net/usb/kalmia.c
@@ -276,6 +276,14 @@ kalmia_rx_fixup(struct usbnet *dev, stru
"Received header: %6phC. Package length: %i\n",
header_start, skb->len - KALMIA_HEADER_LENGTH);
+ /* both framing headers must be present before we subtract
+ * them, otherwise usb_packet_length underflows and the
+ * device-supplied ether_packet_length drives an out of bounds
+ * access below
+ */
+ if (skb->len < 2 * KALMIA_HEADER_LENGTH)
+ return 0;
+
/* subtract start header and end header */
usb_packet_length = skb->len - (2 * KALMIA_HEADER_LENGTH);
ether_packet_length = get_unaligned_le16(&header_start[2]);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 297/518] Revert "usb: typec: mux: avoid duplicated mux switches"
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 296/518] net: usb: kalmia: bound RX frame length in kalmia_rx_fixup() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 298/518] usb: cdc_acm: Add quirk for Uniden BC125AT scanner Greg Kroah-Hartman
` (224 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jens Glathe, Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
commit f576c75f95a52c71b30167d7efb6d47148f9c279 upstream.
This reverts commit b145c3f29d62f71cc9d2d714e2d4ae4c8d3f863d.
The deduplication logic appears to cause issues with separate
SBU muxes. The mode-switch call on these (like gpio-sbu-mux)
never appeared, so no successful mode-switch happened. The more
high-end Parade PS883X redrivers are not affected due to being
retimer-switch. The revert fixes dp altmode mode-switch for both.
Tested on:
Lenovo Thinkbook 16 G7 QOY
Lenovo Ideapad 5 2in1 14Q8X9
Microsoft Windows Dev Kit 2023 (Blackrock)
Lenovo Thinkpad T14s G6
Fixes: b145c3f29d62 ("usb: typec: mux: avoid duplicated mux switches")
Cc: stable <stable@kernel.org>
Signed-off-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260530-typc-mux-modeset-v1-1-64b0281e2cd6@oldschoolsolutions.biz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/mux.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/drivers/usb/typec/mux.c b/drivers/usb/typec/mux.c
index db5e4a4c0a99..9b908c46bd7d 100644
--- a/drivers/usb/typec/mux.c
+++ b/drivers/usb/typec/mux.c
@@ -275,9 +275,7 @@ static int mux_fwnode_match(struct device *dev, const void *fwnode)
static void *typec_mux_match(const struct fwnode_handle *fwnode,
const char *id, void *data)
{
- struct typec_mux_dev **mux_devs = data;
struct device *dev;
- int i;
/*
* Device graph (OF graph) does not give any means to identify the
@@ -293,14 +291,6 @@ static void *typec_mux_match(const struct fwnode_handle *fwnode,
dev = class_find_device(&typec_mux_class, NULL, fwnode,
mux_fwnode_match);
- /* Skip duplicates */
- for (i = 0; i < TYPEC_MUX_MAX_DEVS; i++)
- if (to_typec_mux_dev(dev) == mux_devs[i]) {
- put_device(dev);
- return NULL;
- }
-
-
return dev ? to_typec_mux_dev(dev) : ERR_PTR(-EPROBE_DEFER);
}
@@ -326,8 +316,7 @@ struct typec_mux *fwnode_typec_mux_get(struct fwnode_handle *fwnode)
return ERR_PTR(-ENOMEM);
count = fwnode_connection_find_matches(fwnode, "mode-switch",
- (void **)mux_devs,
- typec_mux_match,
+ NULL, typec_mux_match,
(void **)mux_devs,
ARRAY_SIZE(mux_devs));
if (count <= 0) {
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 298/518] usb: cdc_acm: Add quirk for Uniden BC125AT scanner
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 297/518] Revert "usb: typec: mux: avoid duplicated mux switches" Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 299/518] usb: cdnsp: fix stream context array leak in cdnsp_alloc_stream_info() Greg Kroah-Hartman
` (223 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jared Baldridge, stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jared Baldridge <jrb@expunge.us>
commit 6eba58568f6cc3ff8515a00b05e258d8cfb72b72 upstream.
Uniden BC125AT radio scanner has a USB interface which fails to work
with the cdc_acm driver:
usb 1-1: new full-speed USB device number 2 using uhci_hcd
cdc_acm 1-1:1.0: Zero length descriptor references
cdc_acm 1-1:1.0: probe with driver cdc_acm failed with error -22
usbcore: registered new interface driver cdc_acm
Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
usb 1-1: new full-speed USB device number 2 using uhci_hcd
cdc_acm 1-1:1.0: ttyACM0: USB ACM device
usbcore: registered new interface driver cdc_acm
`lsusb -v` of the device:
Bus 001 Device 002: ID 1965:0017 Uniden Corporation BC125AT
Negotiated speed: Full Speed (12Mbps)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 2 Communications
bDeviceSubClass 0 [unknown]
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x1965 Uniden Corporation
idProduct 0x0017 BC125AT
bcdDevice 0.01
iManufacturer 1 Uniden America Corp.
iProduct 2 BC125AT
iSerial 3 0001
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0030
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 [unknown]
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Device Status: 0x0000
(Bus Powered)
Signed-off-by: Jared Baldridge <jrb@expunge.us>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260530221959.612526-1-jrb@expunge.us
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1810,6 +1810,9 @@ static const struct usb_device_id acm_id
{ USB_DEVICE(0x1901, 0x0006), /* GE Healthcare Patient Monitor UI Controller */
.driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
},
+ { USB_DEVICE(0x1965, 0x0017), /* Uniden BC125AT */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
{ USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
},
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 299/518] usb: cdnsp: fix stream context array leak in cdnsp_alloc_stream_info()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 298/518] usb: cdc_acm: Add quirk for Uniden BC125AT scanner Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 300/518] USB: core: add USB_QUIRK_NO_LPM for VIA Labs USB 2.0 hub Greg Kroah-Hartman
` (222 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li, Peter Chen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 3348f444a4ce43dd5c2d1aa41634cb6eff33aa64 upstream.
cdnsp_alloc_stream_info() allocates stream_info->stream_ctx_array with
cdnsp_alloc_stream_ctx(). If a later stream ring allocation or stream
mapping update fails, the error path frees the allocated stream rings
and stream_rings array, but leaves stream_ctx_array allocated.
Free the stream context array before falling through to the stream_rings
cleanup path.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260622052627.696373-1-haoxiang_li2024@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-mem.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/cdns3/cdnsp-mem.c
+++ b/drivers/usb/cdns3/cdnsp-mem.c
@@ -631,6 +631,8 @@ cleanup_rings:
}
}
+ cdnsp_free_stream_ctx(pdev, pep);
+
cleanup_stream_rings:
kfree(pep->stream_info.stream_rings);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 300/518] USB: core: add USB_QUIRK_NO_LPM for VIA Labs USB 2.0 hub
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 299/518] usb: cdnsp: fix stream context array leak in cdnsp_alloc_stream_info() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 301/518] usb: dwc3: fix dwc3_readl() and dwc3_writel() calls in dwc3_ulpi_setup() Greg Kroah-Hartman
` (221 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Rodrigo Lugathe da Conceição Alves, stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Lugathe da Conceição Alves <lugathe2@gmail.com>
commit bd728c3d9b1cc0bb0fda6a7055c5c8b55d7477b2 upstream.
The VIA Labs, Inc. USB 2.0 hub controller (2109:2817),
found in a KVM switch, fails to enumerate high-power devices during
cold boot and system restart.
Applying the kernel parameter
usbcore.quirks=2109:2817:k
resolves the issue.
Enumeration failure log:
usb 1-1.2.3: device descriptor read/64, error -32
usb 1-1.2.3: Device not responding to setup address.
usb 1-1.2.3: device not accepting address 11, error -71
usb 1-1.2-port3: unable to enumerate USB device
Add USB_QUIRK_NO_LPM for this device.
Signed-off-by: Rodrigo Lugathe da Conceição Alves <lugathe2@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260603113626.395612-1-lugathe2@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -576,6 +576,9 @@ static const struct usb_device_id usb_qu
/* VLI disk */
{ USB_DEVICE(0x2109, 0x0711), .driver_info = USB_QUIRK_NO_LPM },
+ /* VIA Labs, Inc. USB2.0 Hub */
+ { USB_DEVICE(0x2109, 0x2817), .driver_info = USB_QUIRK_NO_LPM },
+
/* Raydium Touchscreen */
{ USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 301/518] usb: dwc3: fix dwc3_readl() and dwc3_writel() calls in dwc3_ulpi_setup()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 300/518] USB: core: add USB_QUIRK_NO_LPM for VIA Labs USB 2.0 hub Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 302/518] usb: dwc3: meson-g12a: fix refcount leak in dwc3_meson_g12a_resume() Greg Kroah-Hartman
` (220 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Ben Dooks
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
commit e0f844d9d74200d311c6438a0f04270834ba5365 upstream.
The dwc3_ulpi_setup() calls the register read and write calls with
dwc3->regs when both these calls take the dwc3 structure directly.
Chnage these two calls to fix the following sparse warning, and
possibly a nasty bug in the dwc3_ulpi_setup() code:
drivers/usb/dwc3/core.c:796:45: warning: incorrect type in argument 1 (different address spaces)
drivers/usb/dwc3/core.c:796:45: expected struct dwc3 *dwc
drivers/usb/dwc3/core.c:796:45: got void [noderef] __iomem *regs
drivers/usb/dwc3/core.c:798:40: warning: incorrect type in argument 1 (different address spaces)
drivers/usb/dwc3/core.c:798:40: expected struct dwc3 *dwc
drivers/usb/dwc3/core.c:798:40: got void [noderef] __iomem *regs
Cc: stable <stable@kernel.org>
Fixes: 9accc68b1cf0 ("usb: dwc3: Add dwc pointer to dwc3_readl/writel")
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Link: https://patch.msgid.link/20260703162033.2847599-1-ben.dooks@codethink.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -793,9 +793,9 @@ static void dwc3_ulpi_setup(struct dwc3
if (dwc->enable_usb2_transceiver_delay) {
for (index = 0; index < dwc->num_usb2_ports; index++) {
- reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(index));
+ reg = dwc3_readl(dwc, DWC3_GUSB2PHYCFG(index));
reg |= DWC3_GUSB2PHYCFG_XCVRDLY;
- dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(index), reg);
+ dwc3_writel(dwc, DWC3_GUSB2PHYCFG(index), reg);
}
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 302/518] usb: dwc3: meson-g12a: fix refcount leak in dwc3_meson_g12a_resume()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 301/518] usb: dwc3: fix dwc3_readl() and dwc3_writel() calls in dwc3_ulpi_setup() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 303/518] usb: free iso schedules on failed submit Greg Kroah-Hartman
` (219 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, WenTao Liang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: WenTao Liang <vulab@iscas.ac.cn>
commit 692c354bef03b77b30e57e61934da502c8a12d45 upstream.
If dwc3_meson_g12a_resume() succeeds in calling
reset_control_reset(), an internal triggered_count reference is
acquired. If any later step fails (usb_init, phy_init,
phy_power_on, regulator_enable, or usb_post_init), the function
returns the error without rearming the reset control. This leaks
the reference and leaves the reset control in a triggered state,
causing future reset_control_reset() calls to incorrectly return
early as if already reset.
Add an error path that calls reset_control_rearm() to balance
the reference before returning the error.
Cc: stable <stable@kernel.org>
Fixes: 5b0ba0caaf3a ("usb: dwc3: meson-g12a: refactor usb init")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260611131121.81784-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-meson-g12a.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
+++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
@@ -907,35 +907,39 @@ static int __maybe_unused dwc3_meson_g12
ret = priv->drvdata->usb_init(priv);
if (ret)
- return ret;
+ goto err_rearm;
/* Init PHYs */
for (i = 0 ; i < PHY_COUNT ; ++i) {
ret = phy_init(priv->phys[i]);
if (ret)
- return ret;
+ goto err_rearm;
}
/* Set PHY Power */
for (i = 0 ; i < PHY_COUNT ; ++i) {
ret = phy_power_on(priv->phys[i]);
if (ret)
- return ret;
+ goto err_rearm;
}
if (priv->vbus && priv->otg_phy_mode == PHY_MODE_USB_HOST) {
ret = regulator_enable(priv->vbus);
if (ret)
- return ret;
+ goto err_rearm;
}
if (priv->drvdata->usb_post_init) {
ret = priv->drvdata->usb_post_init(priv);
if (ret)
- return ret;
+ goto err_rearm;
}
return 0;
+
+err_rearm:
+ reset_control_rearm(priv->reset);
+ return ret;
}
static const struct dev_pm_ops dwc3_meson_g12a_dev_pm_ops = {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 303/518] usb: free iso schedules on failed submit
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 302/518] usb: dwc3: meson-g12a: fix refcount leak in dwc3_meson_g12a_resume() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 304/518] usb: gadget: composite: fix dead empty check in the USB_DT_OTG handler Greg Kroah-Hartman
` (218 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dawei Feng, Alan Stern
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit b9399d25fbb34a05bbe76eeedd730f62ff2670e9 upstream.
EHCI and FOTG210 isochronous submits build an ehci_iso_sched before
linking the URB to the endpoint queue, and keep the staged schedule in
urb->hcpriv until iso_stream_schedule() and the link helpers consume it.
If the controller is no longer accessible, or usb_hcd_link_urb_to_ep()
fails, submit jumps to done_not_linked before that handoff happens and
leaks the staged schedule still attached to urb->hcpriv.
Free the staged schedule from done_not_linked when submit fails before
the URB is linked and clear urb->hcpriv after the free.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1.1.
An x86_64 allyesconfig build showed no new warnings. As we do not have an
EHCI host controller with a USB isochronous device to test with, no
runtime testing was able to be performed.
Fixes: 8de98402652c ("[PATCH] USB: Fix USB suspend/resume crasher (#2)")
Fixes: e9df41c5c589 ("USB: make HCDs responsible for managing endpoint queues")
Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260630071419.349161-1-dawei.feng@seu.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/fotg210/fotg210-hcd.c | 6 ++++--
drivers/usb/host/ehci-sched.c | 11 +++++++++--
2 files changed, 13 insertions(+), 4 deletions(-)
--- a/drivers/usb/fotg210/fotg210-hcd.c
+++ b/drivers/usb/fotg210/fotg210-hcd.c
@@ -4267,8 +4267,6 @@ static int iso_stream_schedule(struct fo
return 0;
fail:
- iso_sched_free(stream, sched);
- urb->hcpriv = NULL;
return status;
}
@@ -4562,6 +4560,10 @@ static int itd_submit(struct fotg210_hcd
else
usb_hcd_unlink_urb_from_ep(fotg210_to_hcd(fotg210), urb);
done_not_linked:
+ if (status < 0) {
+ iso_sched_free(stream, urb->hcpriv);
+ urb->hcpriv = NULL;
+ }
spin_unlock_irqrestore(&fotg210->lock, flags);
done:
return status;
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -1623,6 +1623,7 @@ iso_stream_schedule(
status = 1; /* and give it back immediately */
iso_sched_free(stream, sched);
sched = NULL;
+ urb->hcpriv = NULL;
}
}
urb->error_count = skip / period;
@@ -1653,8 +1654,6 @@ iso_stream_schedule(
return status;
fail:
- iso_sched_free(stream, sched);
- urb->hcpriv = NULL;
return status;
}
@@ -1966,6 +1965,10 @@ static int itd_submit(struct ehci_hcd *e
usb_hcd_unlink_urb_from_ep(ehci_to_hcd(ehci), urb);
}
done_not_linked:
+ if (status < 0) {
+ iso_sched_free(stream, urb->hcpriv);
+ urb->hcpriv = NULL;
+ }
spin_unlock_irqrestore(&ehci->lock, flags);
done:
return status;
@@ -2343,6 +2346,10 @@ static int sitd_submit(struct ehci_hcd *
usb_hcd_unlink_urb_from_ep(ehci_to_hcd(ehci), urb);
}
done_not_linked:
+ if (status < 0) {
+ iso_sched_free(stream, urb->hcpriv);
+ urb->hcpriv = NULL;
+ }
spin_unlock_irqrestore(&ehci->lock, flags);
done:
return status;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 304/518] usb: gadget: composite: fix dead empty check in the USB_DT_OTG handler
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 303/518] usb: free iso schedules on failed submit Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 305/518] usb: gadget: udc: Fix use-after-free in gadget_match_driver Greg Kroah-Hartman
` (217 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Maoyi Xie
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit f8f680609c2b3ab795ffcd6f21585b6dfc46d395 upstream.
The OTG branch of composite_setup() falls back to the first
configuration when none is selected:
if (cdev->config)
config = cdev->config;
else
config = list_first_entry(&cdev->configs,
struct usb_configuration, list);
if (!config)
goto done;
...
memcpy(req->buf, config->descriptors[0], value);
list_first_entry() never returns NULL. On an empty list it returns
container_of() of the list head. So the "if (!config)" check is dead.
When cdev->configs is empty, config points at the head inside struct
usb_composite_dev. config->descriptors[0] reads whatever sits at that
offset. The memcpy copies up to w_length bytes of it into the response
buffer.
cdev->configs can be empty in two cases. One is a teardown race on
gadget unbind with a control transfer in flight. The other is a driver
that sets is_otg before it adds a config. A reproducer that holds
cdev->configs empty triggers a KASAN fault in this branch.
Use list_first_entry_or_null() so the existing check does its job.
Fixes: 53e6242db8d6 ("usb: gadget: composite: add USB_DT_OTG request handling")
Cc: stable <stable@kernel.org>
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260527150832.2943293-1-maoyixie.tju@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/composite.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1863,9 +1863,10 @@ composite_setup(struct usb_gadget *gadge
if (cdev->config)
config = cdev->config;
else
- config = list_first_entry(
+ config = list_first_entry_or_null(
&cdev->configs,
- struct usb_configuration, list);
+ struct usb_configuration,
+ list);
if (!config)
goto done;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 305/518] usb: gadget: udc: Fix use-after-free in gadget_match_driver
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 304/518] usb: gadget: composite: fix dead empty check in the USB_DT_OTG handler Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 306/518] usb: gadget: f_printer: take kref only for successful open Greg Kroah-Hartman
` (216 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, stable, Jimmy Hu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Hu <hhhuuu@google.com>
commit 67e511d2989eb1c8c588b599ce2fcc6bb8e6f7ea upstream.
The udc structure acts as the management structure for the gadget,
but their lifecycles are decoupled. A race condition exists where
usb_del_gadget() frees the udc memory (e.g., via mode-switch work)
while gadget_match_driver() concurrently accesses the freed udc memory
(e.g., via configfs), causing a Use-After-Free (UAF) that triggers a
NULL pointer dereference when the freed memory is zeroed:
[39430.908615][ T1171] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[39430.911397][ T1171] pc : __pi_strcmp+0x20/0x140
[39430.911441][ T1171] lr : gadget_match_driver+0x34/0x60
...
[39430.911890][ T1171] usb_gadget_register_driver_owner+0x50/0xf8
[39430.911910][ T1171] gadget_dev_desc_UDC_store+0xf4/0x140
[39430.931308][ T1171] configfs_write_iter+0xec/0x134
[39430.957058][ T1171] Workqueue: events_freezable __dwc3_set_mode
[39430.957287][ T1171] dwc3_gadget_exit+0x34/0x8c
[39430.957304][ T1171] __dwc3_set_mode+0xc0/0x664
Fix this by ensuring the udc structure remains allocated until the
gadget is released. To achieve this, introduce a new
usb_gadget_release() routine to the core. When the gadget is added,
usb_add_gadget() stores the gadget's release routine in the udc
structure and takes a reference to the udc. When the gadget is
released, usb_gadget_release() drops the reference to the udc and
then calls the gadget's release routine.
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260625073705.803880-1-hhhuuu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/core.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -31,8 +31,9 @@ static const struct bus_type gadget_bus_
/**
* struct usb_udc - describes one usb device controller
* @driver: the gadget driver pointer. For use by the class code
- * @dev: the child device to the actual controller
* @gadget: the gadget. For use by the class code
+ * @gadget_release: the gadget's release routine
+ * @dev: the child device to the actual controller
* @list: for use by the udc class driver
* @vbus: for udcs who care about vbus status, this value is real vbus status;
* for udcs who do not care about vbus status, this value is always true
@@ -53,6 +54,7 @@ static const struct bus_type gadget_bus_
struct usb_udc {
struct usb_gadget_driver *driver;
struct usb_gadget *gadget;
+ void (*gadget_release)(struct device *dev);
struct device dev;
struct list_head list;
bool vbus;
@@ -1357,6 +1359,17 @@ static void usb_udc_nop_release(struct d
dev_vdbg(dev, "%s\n", __func__);
}
+static void usb_gadget_release(struct device *dev)
+{
+ struct usb_gadget *gadget = dev_to_usb_gadget(dev);
+ struct usb_udc *udc = gadget->udc;
+ /* Cache the gadget's release routine to prevent UAF */
+ void (*release)(struct device *dev) = udc->gadget_release;
+
+ put_device(&udc->dev);
+ release(dev);
+}
+
/**
* usb_initialize_gadget - initialize a gadget and its embedded struct device
* @parent: the parent device to this udc. Usually the controller driver's
@@ -1413,6 +1426,14 @@ int usb_add_gadget(struct usb_gadget *ga
mutex_init(&udc->connect_lock);
udc->started = false;
+ /*
+ * Align decoupled lifecycles: take a UDC reference to ensure it
+ * remains allocated until the gadget is released, requiring an
+ * override of the gadget's release routine to drop it.
+ */
+ udc->gadget_release = gadget->dev.release;
+ gadget->dev.release = usb_gadget_release;
+ get_device(&udc->dev);
mutex_lock(&udc_lock);
list_add_tail(&udc->list, &udc_list);
@@ -1457,6 +1478,12 @@ int usb_add_gadget(struct usb_gadget *ga
mutex_lock(&udc_lock);
list_del(&udc->list);
mutex_unlock(&udc_lock);
+ /*
+ * Revert the override and drop the UDC reference to prevent
+ * leaking the UDC if the gadget was statically allocated.
+ */
+ gadget->dev.release = udc->gadget_release;
+ put_device(&udc->dev);
err_put_udc:
put_device(&udc->dev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 306/518] usb: gadget: f_printer: take kref only for successful open
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 305/518] usb: gadget: udc: Fix use-after-free in gadget_match_driver Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 307/518] USB: idmouse: fix use-after-free on disconnect race Greg Kroah-Hartman
` (215 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xu Rao
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Rao <raoxu@uniontech.com>
commit 30adce93d5c4a5a1ec29d9249e3fdfcc391d406b upstream.
printer_open() returns -EBUSY when the character device is already
open, but it increments dev->kref regardless of the return value. VFS
does not call ->release() for a failed open, so every rejected second
open permanently leaks one reference.
Move kref_get() into the successful-open branch.
Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Link: https://patch.msgid.link/80295742B820DA9B+20260626064617.4090626-1-raoxu@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_printer.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -363,12 +363,11 @@ printer_open(struct inode *inode, struct
ret = 0;
/* Change the printer status to show that it's on-line. */
dev->printer_status |= PRINTER_SELECTED;
+ kref_get(&dev->kref);
}
spin_unlock_irqrestore(&dev->lock, flags);
- kref_get(&dev->kref);
-
return ret;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 307/518] USB: idmouse: fix use-after-free on disconnect race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 306/518] usb: gadget: f_printer: take kref only for successful open Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 308/518] USB: ldusb: " Greg Kroah-Hartman
` (214 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ff002c153f9722caece3983cc23dc4d9d4652cb4 upstream.
mutex_unlock() may access the mutex structure after releasing the lock
and therefore cannot be used to manage lifetime of objects directly
(unlike spinlocks and refcounts). [1][2]
Use a kref to release the driver data to avoid use-after-free in
mutex_unlock() when release() races with disconnect().
[1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is
non-atomic")
[2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
other sleeping locks, can still use the lock object
after it's unlocked")
Fixes: 54d2bc068fd2 ("USB: fix locking in idmouse")
Cc: stable@vger.kernel.org # 2.6.24
Cc: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260622152612.116422-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/idmouse.c | 45 ++++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 23 deletions(-)
--- a/drivers/usb/misc/idmouse.c
+++ b/drivers/usb/misc/idmouse.c
@@ -63,6 +63,7 @@ MODULE_DEVICE_TABLE(usb, idmouse_table);
/* structure to hold all of our device specific stuff */
struct usb_idmouse {
+ struct kref kref;
struct usb_device *udev; /* save off the usb device pointer */
struct usb_interface *interface; /* the interface for this device */
@@ -209,8 +210,10 @@ static int idmouse_resume(struct usb_int
return 0;
}
-static inline void idmouse_delete(struct usb_idmouse *dev)
+static inline void idmouse_delete(struct kref *kref)
{
+ struct usb_idmouse *dev = container_of(kref, struct usb_idmouse, kref);
+
kfree(dev->bulk_in_buffer);
kfree(dev);
}
@@ -254,6 +257,8 @@ static int idmouse_open(struct inode *in
/* increment our usage count for the driver */
++dev->open;
+ kref_get(&dev->kref);
+
/* save our object in the file's private structure */
file->private_data = dev;
@@ -277,16 +282,11 @@ static int idmouse_release(struct inode
/* lock our device */
mutex_lock(&dev->lock);
-
--dev->open;
+ mutex_unlock(&dev->lock);
+
+ kref_put(&dev->kref, idmouse_delete);
- if (!dev->present) {
- /* the device was unplugged before the file was released */
- mutex_unlock(&dev->lock);
- idmouse_delete(dev);
- } else {
- mutex_unlock(&dev->lock);
- }
return 0;
}
@@ -334,6 +334,7 @@ static int idmouse_probe(struct usb_inte
if (dev == NULL)
return -ENOMEM;
+ kref_init(&dev->kref);
mutex_init(&dev->lock);
dev->udev = udev;
dev->interface = interface;
@@ -342,8 +343,7 @@ static int idmouse_probe(struct usb_inte
result = usb_find_bulk_in_endpoint(iface_desc, &endpoint);
if (result) {
dev_err(&interface->dev, "Unable to find bulk-in endpoint.\n");
- idmouse_delete(dev);
- return result;
+ goto err_put_kref;
}
dev->orig_bi_size = usb_endpoint_maxp(endpoint);
@@ -351,8 +351,8 @@ static int idmouse_probe(struct usb_inte
dev->bulk_in_endpointAddr = endpoint->bEndpointAddress;
dev->bulk_in_buffer = kmalloc(IMGSIZE + dev->bulk_in_size, GFP_KERNEL);
if (!dev->bulk_in_buffer) {
- idmouse_delete(dev);
- return -ENOMEM;
+ result = -ENOMEM;
+ goto err_put_kref;
}
/* allow device read, write and ioctl */
@@ -364,14 +364,18 @@ static int idmouse_probe(struct usb_inte
if (result) {
/* something prevented us from registering this device */
dev_err(&interface->dev, "Unable to allocate minor number.\n");
- idmouse_delete(dev);
- return result;
+ goto err_put_kref;
}
/* be noisy */
dev_info(&interface->dev,"%s now attached\n",DRIVER_DESC);
return 0;
+
+err_put_kref:
+ kref_put(&dev->kref, idmouse_delete);
+
+ return result;
}
static void idmouse_disconnect(struct usb_interface *interface)
@@ -387,14 +391,9 @@ static void idmouse_disconnect(struct us
/* prevent device read, write and ioctl */
dev->present = 0;
- /* if the device is opened, idmouse_release will clean this up */
- if (!dev->open) {
- mutex_unlock(&dev->lock);
- idmouse_delete(dev);
- } else {
- /* unlock */
- mutex_unlock(&dev->lock);
- }
+ mutex_unlock(&dev->lock);
+
+ kref_put(&dev->kref, idmouse_delete);
dev_info(&interface->dev, "disconnected\n");
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 308/518] USB: ldusb: fix use-after-free on disconnect race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 307/518] USB: idmouse: fix use-after-free on disconnect race Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 309/518] USB: iowarrior: fix use-after-free on disconnect Greg Kroah-Hartman
` (213 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Daniel Walker, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 19bdfc7b3c179331eafa423d87e1336f43bbfeb8 upstream.
mutex_unlock() may access the mutex structure after releasing the lock
and therefore cannot be used to manage lifetime of objects directly
(unlike spinlocks and refcounts). [1][2]
Use a kref to release the driver data to avoid use-after-free in
mutex_unlock() when release() races with disconnect().
[1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is
non-atomic")
[2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
other sleeping locks, can still use the lock object
after it's unlocked")
Fixes: ce0d7d3f575f ("usb: ldusb: ld_usb semaphore to mutex")
Cc: stable <stable@kernel.org>
Cc: Daniel Walker <dwalker@mvista.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260622152612.116422-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/ldusb.c | 38 ++++++++++++++++++--------------------
1 file changed, 18 insertions(+), 20 deletions(-)
--- a/drivers/usb/misc/ldusb.c
+++ b/drivers/usb/misc/ldusb.c
@@ -150,6 +150,7 @@ MODULE_PARM_DESC(min_interrupt_out_inter
/* Structure to hold all of our device specific stuff */
struct ld_usb {
+ struct kref kref;
struct mutex mutex; /* locks this structure */
struct usb_interface *intf; /* save off the usb interface pointer */
unsigned long disconnected:1;
@@ -201,8 +202,10 @@ static void ld_usb_abort_transfers(struc
/*
* ld_usb_delete
*/
-static void ld_usb_delete(struct ld_usb *dev)
+static void ld_usb_delete(struct kref *kref)
{
+ struct ld_usb *dev = container_of(kref, struct ld_usb, kref);
+
/* free data structures */
usb_free_urb(dev->interrupt_in_urb);
usb_free_urb(dev->interrupt_out_urb);
@@ -355,6 +358,8 @@ static int ld_usb_open(struct inode *ino
goto unlock_exit;
}
+ kref_get(&dev->kref);
+
/* save device in the file's private structure */
file->private_data = dev;
@@ -381,17 +386,8 @@ static int ld_usb_release(struct inode *
mutex_lock(&dev->mutex);
- if (dev->open_count != 1) {
- retval = -ENODEV;
+ if (dev->disconnected)
goto unlock_exit;
- }
- if (dev->disconnected) {
- /* the device was unplugged before the file was released */
- mutex_unlock(&dev->mutex);
- /* unlock here as ld_usb_delete frees dev */
- ld_usb_delete(dev);
- goto exit;
- }
/* wait until write transfer is finished */
if (dev->interrupt_out_busy)
@@ -401,7 +397,7 @@ static int ld_usb_release(struct inode *
unlock_exit:
mutex_unlock(&dev->mutex);
-
+ kref_put(&dev->kref, ld_usb_delete);
exit:
return retval;
}
@@ -659,6 +655,8 @@ static int ld_usb_probe(struct usb_inter
dev = kzalloc_obj(*dev);
if (!dev)
goto exit;
+
+ kref_init(&dev->kref);
mutex_init(&dev->mutex);
spin_lock_init(&dev->rbsl);
dev->intf = intf;
@@ -740,7 +738,7 @@ exit:
return retval;
error:
- ld_usb_delete(dev);
+ kref_put(&dev->kref, ld_usb_delete);
return retval;
}
@@ -768,18 +766,18 @@ static void ld_usb_disconnect(struct usb
mutex_lock(&dev->mutex);
- /* if the device is not opened, then we clean up right now */
- if (!dev->open_count) {
- mutex_unlock(&dev->mutex);
- ld_usb_delete(dev);
- } else {
- dev->disconnected = 1;
+ dev->disconnected = 1;
+
+ if (dev->open_count) {
/* wake up pollers */
wake_up_interruptible_all(&dev->read_wait);
wake_up_interruptible_all(&dev->write_wait);
- mutex_unlock(&dev->mutex);
}
+ mutex_unlock(&dev->mutex);
+
+ kref_put(&dev->kref, ld_usb_delete);
+
dev_info(&intf->dev, "LD USB Device #%d now disconnected\n",
(minor - USB_LD_MINOR_BASE));
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 309/518] USB: iowarrior: fix use-after-free on disconnect
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 308/518] USB: ldusb: " Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 310/518] USB: iowarrior: fix use-after-free on disconnect race Greg Kroah-Hartman
` (212 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ad2aac2febc3bedf0962, stable,
Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit bc0e4f16c44e50daa0b1ea729934baa3b4815dee upstream.
Submitted write URBs are not stopped on close() and therefore need to be
stopped unconditionally on disconnect() to avoid use-after-free in the
completion handler.
Fixes: b5f8d46867ca ("USB: iowarrior: fix use-after-free after driver unbind")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Reported-by: syzbot+ad2aac2febc3bedf0962@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/6a0ce39b.170a0220.39a13.0007.GAE@google.com/
Cc: stable <stable@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260523170523.1074563-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/iowarrior.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -905,13 +905,15 @@ static void iowarrior_disconnect(struct
/* prevent device read, write and ioctl */
dev->present = 0;
+ /* write urbs are not stopped on close() so kill unconditionally */
+ usb_kill_anchored_urbs(&dev->submitted);
+
if (dev->opened) {
/* There is a process that holds a filedescriptor to the device ,
so we only shutdown read-/write-ops going on.
Deleting the device is postponed until close() was called.
*/
usb_kill_urb(dev->int_in_urb);
- usb_kill_anchored_urbs(&dev->submitted);
wake_up_interruptible(&dev->read_wait);
wake_up_interruptible(&dev->write_wait);
mutex_unlock(&dev->mutex);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 310/518] USB: iowarrior: fix use-after-free on disconnect race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 309/518] USB: iowarrior: fix use-after-free on disconnect Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 311/518] USB: quirks: add NO_LPM for the Samsung T5 EVO Portable SSD Greg Kroah-Hartman
` (211 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Yue Sun, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c602254ba4c10f60a73cd99d147874f86a3f485c upstream.
mutex_unlock() may access the mutex structure after releasing the lock
and therefore cannot be used to manage lifetime of objects directly
(unlike spinlocks and refcounts). [1][2]
Use a kref to release the driver data to avoid use-after-free in
mutex_unlock() when release() races with disconnect().
[1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is non-atomic")
[2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
other sleeping locks, can still use the lock object
after it's unlocked")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Cc: stable <stable@kernel.org>
Reported-by: Yue Sun <samsun1006219@gmail.com>
Link: https://lore.kernel.org/r/20260618080204.38322-1-samsun1006219@gmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260622152612.116422-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/iowarrior.c | 57 ++++++++++++++++++-------------------------
1 file changed, 24 insertions(+), 33 deletions(-)
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -72,6 +72,7 @@ static struct usb_driver iowarrior_drive
/* Structure to hold all of our device specific stuff */
struct iowarrior {
+ struct kref kref;
struct mutex mutex; /* locks this structure */
struct usb_device *udev; /* save off the usb device pointer */
struct usb_interface *interface; /* the interface for this device */
@@ -240,8 +241,10 @@ static void iowarrior_write_callback(str
/*
* iowarrior_delete
*/
-static inline void iowarrior_delete(struct iowarrior *dev)
+static inline void iowarrior_delete(struct kref *kref)
{
+ struct iowarrior *dev = container_of(kref, struct iowarrior, kref);
+
kfree(dev->int_in_buffer);
usb_free_urb(dev->int_in_urb);
kfree(dev->read_queue);
@@ -637,6 +640,9 @@ static int iowarrior_open(struct inode *
}
/* increment our usage count for the driver */
++dev->opened;
+
+ kref_get(&dev->kref);
+
/* save our object in the file's private structure */
file->private_data = dev;
retval = 0;
@@ -652,7 +658,6 @@ out:
static int iowarrior_release(struct inode *inode, struct file *file)
{
struct iowarrior *dev;
- int retval = 0;
dev = file->private_data;
if (!dev)
@@ -660,29 +665,18 @@ static int iowarrior_release(struct inod
/* lock our device */
mutex_lock(&dev->mutex);
+ dev->opened = 0; /* we're closing now */
- if (dev->opened <= 0) {
- retval = -ENODEV; /* close called more than once */
- mutex_unlock(&dev->mutex);
- } else {
- dev->opened = 0; /* we're closing now */
- retval = 0;
- if (dev->present) {
- /*
- The device is still connected so we only shutdown
- pending read-/write-ops.
- */
- usb_kill_urb(dev->int_in_urb);
- wake_up_interruptible(&dev->read_wait);
- wake_up_interruptible(&dev->write_wait);
- mutex_unlock(&dev->mutex);
- } else {
- /* The device was unplugged, cleanup resources */
- mutex_unlock(&dev->mutex);
- iowarrior_delete(dev);
- }
+ if (dev->present) {
+ usb_kill_urb(dev->int_in_urb);
+ wake_up_interruptible(&dev->read_wait);
+ wake_up_interruptible(&dev->write_wait);
}
- return retval;
+ mutex_unlock(&dev->mutex);
+
+ kref_put(&dev->kref, iowarrior_delete);
+
+ return 0;
}
static __poll_t iowarrior_poll(struct file *file, poll_table * wait)
@@ -767,6 +761,7 @@ static int iowarrior_probe(struct usb_in
if (!dev)
return retval;
+ kref_init(&dev->kref);
mutex_init(&dev->mutex);
atomic_set(&dev->intr_idx, 0);
@@ -885,7 +880,8 @@ static int iowarrior_probe(struct usb_in
return retval;
error:
- iowarrior_delete(dev);
+ kref_put(&dev->kref, iowarrior_delete);
+
return retval;
}
@@ -909,19 +905,14 @@ static void iowarrior_disconnect(struct
usb_kill_anchored_urbs(&dev->submitted);
if (dev->opened) {
- /* There is a process that holds a filedescriptor to the device ,
- so we only shutdown read-/write-ops going on.
- Deleting the device is postponed until close() was called.
- */
usb_kill_urb(dev->int_in_urb);
wake_up_interruptible(&dev->read_wait);
wake_up_interruptible(&dev->write_wait);
- mutex_unlock(&dev->mutex);
- } else {
- /* no process is using the device, cleanup now */
- mutex_unlock(&dev->mutex);
- iowarrior_delete(dev);
}
+
+ mutex_unlock(&dev->mutex);
+
+ kref_put(&dev->kref, iowarrior_delete);
}
/* usb specific object needed to register this driver with the usb subsystem */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 311/518] USB: quirks: add NO_LPM for the Samsung T5 EVO Portable SSD
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 310/518] USB: iowarrior: fix use-after-free on disconnect race Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 312/518] USB: legousbtower: fix use-after-free on disconnect race Greg Kroah-Hartman
` (210 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Erich E. Hoover, stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erich E. Hoover <erich.e.hoover@gmail.com>
commit fc591787785b9709a0bb65a7df3ba2537d611c47 upstream.
The Samsung T5 EVO Portable SSD (04e8:6200) exhibit two forms of
link instability when USB Link Power Management is enabled:
1. The units fail to initialize properly on first detection,
resulting in a lockup in the drive where it must be power cycled
or the kernel will not recognize the presence of the device.
2. If used for sustained operations (small amounts of continuous
data are transferred to the unit) then the unit will "hiccup"
after roughly 8 hours of use and will disconnect and reconnect.
This has a certain probability of triggering the first issue,
but also causes mount points to become invalid since the device
gets issued a new letter.
Signed-off-by: Erich E. Hoover <erich.e.hoover@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260602204508.48856-1-erich.e.hoover@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -296,6 +296,9 @@ static const struct usb_device_id usb_qu
/* CarrolTouch 4500U */
{ USB_DEVICE(0x04e7, 0x0030), .driver_info = USB_QUIRK_RESET_RESUME },
+ /* Samsung T5 EVO Portable SSD */
+ { USB_DEVICE(0x04e8, 0x6200), .driver_info = USB_QUIRK_NO_LPM },
+
/* Samsung Android phone modem - ID conflict with SPH-I500 */
{ USB_DEVICE(0x04e8, 0x6601), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 312/518] USB: legousbtower: fix use-after-free on disconnect race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 311/518] USB: quirks: add NO_LPM for the Samsung T5 EVO Portable SSD Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 313/518] usb: sl811-hcd: disable controller wakeup on remove Greg Kroah-Hartman
` (209 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Daniel Walker, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 62fc8eb1b1481051f7bab4aa93d79809053dd09f upstream.
mutex_unlock() may access the mutex structure after releasing the lock
and therefore cannot be used to manage lifetime of objects directly
(unlike spinlocks and refcounts). [1][2]
Use a kref to release the driver data to avoid use-after-free in
mutex_unlock() when release() races with disconnect().
[1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is
non-atomic")
[2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
other sleeping locks, can still use the lock object
after it's unlocked")
Fixes: 18bcbcfe9ca2 ("USB: misc: legousbtower: semaphore to mutex")
Cc: stable <stable@kernel.org>
Cc: Daniel Walker <dwalker@mvista.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260622152612.116422-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/legousbtower.c | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
--- a/drivers/usb/misc/legousbtower.c
+++ b/drivers/usb/misc/legousbtower.c
@@ -185,6 +185,7 @@ MODULE_DEVICE_TABLE(usb, tower_table);
/* Structure to hold all of our device specific stuff */
struct lego_usb_tower {
+ struct kref kref;
struct mutex lock; /* locks this structure */
struct usb_device *udev; /* save off the usb device pointer */
unsigned char minor; /* the starting minor number for this device */
@@ -220,7 +221,6 @@ struct lego_usb_tower {
/* local function prototypes */
static ssize_t tower_read(struct file *file, char __user *buffer, size_t count, loff_t *ppos);
static ssize_t tower_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos);
-static inline void tower_delete(struct lego_usb_tower *dev);
static int tower_open(struct inode *inode, struct file *file);
static int tower_release(struct inode *inode, struct file *file);
static __poll_t tower_poll(struct file *file, poll_table *wait);
@@ -286,8 +286,10 @@ static inline void lego_usb_tower_debug_
/*
* tower_delete
*/
-static inline void tower_delete(struct lego_usb_tower *dev)
+static inline void tower_delete(struct kref *kref)
{
+ struct lego_usb_tower *dev = container_of(kref, struct lego_usb_tower, kref);
+
/* free data structures */
usb_free_urb(dev->interrupt_in_urb);
usb_free_urb(dev->interrupt_out_urb);
@@ -381,6 +383,8 @@ static int tower_open(struct inode *inod
dev->open_count = 1;
+ kref_get(&dev->kref);
+
unlock_exit:
mutex_unlock(&dev->lock);
@@ -404,14 +408,8 @@ static int tower_release(struct inode *i
mutex_lock(&dev->lock);
- if (dev->disconnected) {
- /* the device was unplugged before the file was released */
-
- /* unlock here as tower_delete frees dev */
- mutex_unlock(&dev->lock);
- tower_delete(dev);
- goto exit;
- }
+ if (dev->disconnected)
+ goto out_unlock;
/* wait until write transfer is finished */
if (dev->interrupt_out_busy) {
@@ -425,7 +423,9 @@ static int tower_release(struct inode *i
dev->open_count = 0;
+out_unlock:
mutex_unlock(&dev->lock);
+ kref_put(&dev->kref, tower_delete);
exit:
return retval;
}
@@ -752,6 +752,7 @@ static int tower_probe(struct usb_interf
if (!dev)
goto exit;
+ kref_init(&dev->kref);
mutex_init(&dev->lock);
dev->udev = usb_get_dev(udev);
spin_lock_init(&dev->read_buffer_lock);
@@ -828,7 +829,7 @@ exit:
return retval;
error:
- tower_delete(dev);
+ kref_put(&dev->kref, tower_delete);
return retval;
}
@@ -856,18 +857,18 @@ static void tower_disconnect(struct usb_
mutex_lock(&dev->lock);
- /* if the device is not opened, then we clean up right now */
- if (!dev->open_count) {
- mutex_unlock(&dev->lock);
- tower_delete(dev);
- } else {
- dev->disconnected = 1;
+ dev->disconnected = 1;
+
+ if (dev->open_count) {
/* wake up pollers */
wake_up_interruptible_all(&dev->read_wait);
wake_up_interruptible_all(&dev->write_wait);
- mutex_unlock(&dev->lock);
}
+ mutex_unlock(&dev->lock);
+
+ kref_put(&dev->kref, tower_delete);
+
dev_info(&interface->dev, "LEGO USB Tower #%d now disconnected\n",
(minor - LEGO_USB_TOWER_MINOR_BASE));
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 313/518] usb: sl811-hcd: disable controller wakeup on remove
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 312/518] USB: legousbtower: fix use-after-free on disconnect race Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 314/518] USB: storage: include US_FL_NO_SAME in quirks mask Greg Kroah-Hartman
` (208 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit 4e8ba83ac4d311992e6a4c21de5dd705010df06e upstream.
sl811h_probe() enables the HCD controller device as a wakeup source after
usb_add_hcd() succeeds, but sl811h_remove() removes the HCD and releases
the driver resources without disabling that wakeup source.
Disable controller wakeup after usb_remove_hcd() and before usb_put_hcd()
so the wakeup source object is detached while the controller device pointer
is still available.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: 3c9740a117d4 ("usb: hcd: move controller wakeup setting initialization to individual driver")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260701121625.96815-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/sl811-hcd.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/host/sl811-hcd.c
+++ b/drivers/usb/host/sl811-hcd.c
@@ -1591,6 +1591,7 @@ sl811h_remove(struct platform_device *de
remove_debug_file(sl811);
usb_remove_hcd(hcd);
+ device_wakeup_disable(hcd->self.controller);
/* some platforms may use IORESOURCE_IO */
res = platform_get_resource(dev, IORESOURCE_MEM, 1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 314/518] USB: storage: include US_FL_NO_SAME in quirks mask
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 313/518] usb: sl811-hcd: disable controller wakeup on remove Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 315/518] usb: misc: usbio: bound bulk IN response length to the received transfer Greg Kroah-Hartman
` (207 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xu Rao, Alan Stern
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Rao <raoxu@uniontech.com>
commit 2c00e09e3f9f06f8434f5ea2ee6179ce46692ee6 upstream.
usb_stor_adjust_quirks() parses the usb-storage.quirks module
parameter into a new flag set and then applies it with the quirk
mask to override built-in flags.
The mask is meant to cover the flags that can be overridden by
the module parameter. The 'k' quirk character sets US_FL_NO_SAME,
but US_FL_NO_SAME is not included in the mask.
As a result, the module parameter can set US_FL_NO_SAME, but it
cannot clear a built-in US_FL_NO_SAME flag by providing an override
entry that omits 'k'.
Add US_FL_NO_SAME to the mask so that the module parameter can
override it in the same way as the other supported flags.
Fixes: 8010622c86ca ("USB: UAS: introduce a quirk to set no_write_same")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/3BCE5880F9A45C2E+20260602053842.2920137-1-raoxu@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/usb.c
+++ b/drivers/usb/storage/usb.c
@@ -570,7 +570,7 @@ void usb_stor_adjust_quirks(struct usb_d
US_FL_INITIAL_READ10 | US_FL_WRITE_CACHE |
US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES |
US_FL_MAX_SECTORS_240 | US_FL_NO_REPORT_LUNS |
- US_FL_ALWAYS_SYNC);
+ US_FL_ALWAYS_SYNC | US_FL_NO_SAME);
p = quirks;
while (*p) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 315/518] usb: misc: usbio: bound bulk IN response length to the received transfer
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 314/518] USB: storage: include US_FL_NO_SAME in quirks mask Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 316/518] USB: misc: uss720: unregister parport on probe failure Greg Kroah-Hartman
` (206 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, HE WEI
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HE WEI (ギカク) <skyexpoc@gmail.com>
commit 8c6314489550fa81d41723a0ff33f655b5b6c7b6 upstream.
usbio_bulk_msg() copies bpkt_len = le16_to_cpu(bpkt->len) bytes out of
the bulk IN buffer (usbio->rxbuf, allocated with size usbio->rxbuf_len)
into the caller's buffer. bpkt_len is fully controlled by the device
and is only checked against ibuf_len; ibuf_len in turn is checked
against usbio->txbuf_len, not against rxbuf_len:
if ((obuf_len > (usbio->txbuf_len - sizeof(*bpkt))) ||
(ibuf_len > (usbio->txbuf_len - sizeof(*bpkt))))
return -EMSGSIZE;
txbuf_len and rxbuf_len are taken independently from the bulk OUT and
bulk IN endpoint wMaxPacketSize in usbio_probe(). A malicious or
malfunctioning device that advertises a large bulk OUT endpoint and a
small bulk IN endpoint (e.g. by claiming one of the quirk-free IDs such
as the Lattice NX33U, 0x2ac1:0x20cb) therefore makes ibuf_len, and
hence the device-supplied bpkt_len, exceed rxbuf_len. memcpy() then
reads up to txbuf_len - rxbuf_len bytes past the end of the rxbuf slab
object. The over-read bytes are handed back to the i2c layer and on to
user space through i2c-dev, disclosing adjacent slab memory; with KASAN
this is reported as a slab-out-of-bounds read.
The number of bytes actually received is already known: act equals the
URB actual_length and is bounded by rxbuf_len. Reject any response
that claims more payload than was received, mirroring the existing
"act < sizeof(*bpkt)" check just above.
The control path (usbio_ctrl_msg()) is not affected: it uses a single
buffer (ctrlbuf) for both directions, so its analogous copy can never
leave the allocation.
Found by code review. The out-of-bounds read was confirmed under
AddressSanitizer with a faithful userspace model of usbio_bulk_msg()'s
receive path (an rxbuf_len-sized buffer, the same act/ibuf_len/bpkt_len
checks and the memcpy). A USB raw-gadget + dummy_hcd reproducer is
also available.
Fixes: 121a0f839dbb ("usb: misc: Add Intel USBIO bridge driver")
Cc: stable <stable@kernel.org>
Signed-off-by: HE WEI (ギカク) <skyexpoc@gmail.com>
Link: https://patch.msgid.link/20260624090952.86439-1-skyexpoc@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/usbio.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/misc/usbio.c
+++ b/drivers/usb/misc/usbio.c
@@ -344,6 +344,10 @@ read:
if (ibuf_len < bpkt_len)
return -ENOSPC;
+ /* The device must not claim more payload than it actually sent. */
+ if (bpkt_len > act - sizeof(*bpkt))
+ return -EPROTO;
+
memcpy(ibuf, bpkt->data, bpkt_len);
return bpkt_len;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 316/518] USB: misc: uss720: unregister parport on probe failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 315/518] usb: misc: usbio: bound bulk IN response length to the received transfer Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 317/518] usb: mtu3: unmap request DMA on queue failure Greg Kroah-Hartman
` (205 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak,
Alex Henrie
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit b4ecbdc4f8830f5586c4a5cfc384c00f20f8f8b3 upstream.
uss720_probe() registers a parport before reading the 1284 register used
to detect unsupported Belkin F5U002 adapters. If get_1284_register()
fails, the error path drops the driver private data and the USB device
reference, but leaves the parport device registered.
Leaving the port registered is more than a private allocation leak:
parport_register_port() has already reserved a parport number and
registered the parport bus device, while pp->private_data still points at
the private data that the common error path is about to release.
Undo the pre-announce registration in the get_1284_register() failure
branch before jumping to the common private-data cleanup path. Clear
priv->pp first, matching the disconnect path and avoiding a stale pointer
in the private data.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: 3295f1b866bf ("usb: misc: uss720: check for incompatible versions of the Belkin F5U002")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Reviewed-by: Alex Henrie <alexhenrie24@gmail.com>
Link: https://patch.msgid.link/20260706151049.63470-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/uss720.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -732,8 +732,11 @@ static int uss720_probe(struct usb_inter
* here. */
ret = get_1284_register(pp, 0, ®, GFP_KERNEL);
dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg);
- if (ret < 0)
+ if (ret < 0) {
+ priv->pp = NULL;
+ parport_del_port(pp);
goto probe_abort;
+ }
ret = usb_find_last_int_in_endpoint(interface, &epd);
if (!ret) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 317/518] usb: mtu3: unmap request DMA on queue failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 316/518] USB: misc: uss720: unregister parport on probe failure Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 318/518] USB: serial: keyspan_pda: fix information leak Greg Kroah-Hartman
` (204 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 0bddda5a11665c210339de76d27ebbd1a2e0b43c upstream.
mtu3_gadget_queue() maps the request before checking whether
the QMU GPD ring can accept another transfer. the request is
returned with -EAGAIN before it is linked on the endpoint
request list if mtu3_prepare_transfer() fails.
Normal completion and dequeue paths unmap requests from
mtu3_req_complete(), but this error path never reaches that
helper, so the DMA mapping is left active. Unmap the request
before returning from the failed queue path.
Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20260623093325.2105323-1-haoxiang_li2024@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/mtu3/mtu3_gadget.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -305,6 +305,7 @@ static int mtu3_gadget_queue(struct usb_
if (mtu3_prepare_transfer(mep)) {
ret = -EAGAIN;
+ usb_gadget_unmap_request(&mtu->g, req, mep->is_in);
goto error;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 318/518] USB: serial: keyspan_pda: fix information leak
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 317/518] usb: mtu3: unmap request DMA on queue failure Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 319/518] USB: serial: option: add Telit Cinterion FE990D50 compositions Greg Kroah-Hartman
` (203 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 6bfc8d01ac4068eced509f8fc74d0cd205e4dcec upstream.
The write() callback is supposed to return the number of characters
accepted or a negative errno. Since the addition of write fifo support
the keyspan_pda implementation will however return the number characters
submitted to the device if the write urb is not already in use. If this
number is larger than the number of characters passed to write(), the
line discipline continues writing data from beyond the tty write buffer.
Fix the information leak by making sure that keyspan_pda_write_start()
returns zero on success as intended.
Fixes: 034e38e8f687 ("USB: serial: keyspan_pda: add write-fifo support")
Cc: stable@vger.kernel.org # 5.11
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/keyspan_pda.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -518,7 +518,7 @@ static int keyspan_pda_write_start(struc
if (count == room)
schedule_work(&priv->unthrottle_work);
- return count;
+ return 0;
}
static void keyspan_pda_write_bulk_callback(struct urb *urb)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 319/518] USB: serial: option: add Telit Cinterion FE990D50 compositions
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 318/518] USB: serial: keyspan_pda: fix information leak Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 320/518] USB: serial: digi_acceleport: fix broken rx after throttle Greg Kroah-Hartman
` (202 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit b33ab1dd80f5c1742f49eb6ec7b337c5ffcf3d32 upstream.
Add support for Telit Cinterion FE990D50 compositions:
0x990: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + ADPL + adb
T: Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=0990 Rev=06.06
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=90b6a3ed
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x991: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + ADPL + adb
T: Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=0991 Rev=06.06
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=90b6a3ed
C: #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=(none)
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x992: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + ADPL + adb
T: Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 12 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=0992 Rev=06.06
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=90b6a3ed
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x993: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
tty (diag) + ADPL + adb
T: Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 15 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=0993 Rev=06.06
S: Manufacturer=Telit Cinterion
S: Product=FE990
S: SerialNumber=90b6a3ed
C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1326,6 +1326,22 @@ static const struct usb_device_id option
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0990, 0xff, 0xff, 0x30), /* Telit FE990D50 (RNDIS) */
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0990, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0990, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0991, 0xff, 0xff, 0x30), /* Telit FE990D50 (rmnet) */
+ .driver_info = NCTRL(5) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0991, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0991, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0992, 0xff, 0xff, 0x30), /* Telit FE990D50 (MBIM) */
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0992, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0992, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0993, 0xff, 0xff, 0x30), /* Telit FE990D50 (ECM) */
+ .driver_info = NCTRL(6) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0993, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x0993, 0xff, 0xff, 0x60) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1031, 0xff), /* Telit LE910C1-EUX */
.driver_info = NCTRL(0) | RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1033, 0xff), /* Telit LE910C1-EUX (ECM) */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 320/518] USB: serial: digi_acceleport: fix broken rx after throttle
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 319/518] USB: serial: option: add Telit Cinterion FE990D50 compositions Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 321/518] USB: serial: digi_acceleport: fix hard lockup on disconnect Greg Kroah-Hartman
` (201 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 83a3dfc018943b05b6daf3a6f891833e1aabfa1f upstream.
If the port is closed while throttled, the read urb is never resubmitted
and the port will not receive any further data until the device is
reconnected (or the driver is rebound).
Clear the throttle flags and submit the urb if needed when opening the
port.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/digi_acceleport.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1071,6 +1071,7 @@ static int digi_open(struct tty_struct *
unsigned char buf[32];
struct digi_port *priv = usb_get_serial_port_data(port);
struct ktermios not_termios;
+ int throttled;
/* be sure the device is started up */
if (digi_startup_device(port->serial) != 0)
@@ -1098,6 +1099,21 @@ static int digi_open(struct tty_struct *
not_termios.c_iflag = ~tty->termios.c_iflag;
digi_set_termios(tty, port, ¬_termios);
}
+
+ spin_lock_irq(&priv->dp_port_lock);
+ throttled = priv->dp_throttle_restart;
+ priv->dp_throttled = 0;
+ priv->dp_throttle_restart = 0;
+ spin_unlock_irq(&priv->dp_port_lock);
+
+ if (throttled) {
+ ret = usb_submit_urb(port->read_urb, GFP_KERNEL);
+ if (ret) {
+ dev_err(&port->dev, "failed to submit read urb: %d\n", ret);
+ return ret;
+ }
+ }
+
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 321/518] USB: serial: digi_acceleport: fix hard lockup on disconnect
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 320/518] USB: serial: digi_acceleport: fix broken rx after throttle Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 322/518] USB: serial: digi_acceleport: fix write buffer corruption Greg Kroah-Hartman
` (200 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 5c1ea24b53bf3bfb859f0a05573997487975da23 upstream.
If submitting the OOB write urb fails persistently (e.g if the device is
being disconnected) the driver would loop indefinitely with interrupts
disabled.
Check for urb submission errors when sending OOB commands to avoid
hanging if, for example, open(), set_termios() or close() races with a
physical disconnect.
This is issue was flagged by Sashiko when reviewing an unrelated change
to the driver.
Link: https://sashiko.dev/#/patchset/20260610132232.356139-1-johan%40kernel.org?part=1
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/digi_acceleport.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -394,12 +394,14 @@ static int digi_write_oob_command(struct
len &= ~3;
memcpy(oob_port->write_urb->transfer_buffer, buf, len);
oob_port->write_urb->transfer_buffer_length = len;
+
ret = usb_submit_urb(oob_port->write_urb, GFP_ATOMIC);
- if (ret == 0) {
- oob_priv->dp_write_urb_in_use = 1;
- count -= len;
- buf += len;
- }
+ if (ret)
+ break;
+
+ oob_priv->dp_write_urb_in_use = 1;
+ count -= len;
+ buf += len;
}
spin_unlock_irqrestore(&oob_priv->dp_port_lock, flags);
if (ret)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 322/518] USB: serial: digi_acceleport: fix write buffer corruption
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 321/518] USB: serial: digi_acceleport: fix hard lockup on disconnect Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 323/518] USB: ulpi: fix memory leak on registration failure Greg Kroah-Hartman
` (199 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 24ca1fea8f2753bf33e1d458ec1ae5d9b7796a65 upstream.
The digi_write_inb_command() is supposed to wait for the write urb to
become available or return an error, but instead it updates the transfer
buffer and tries to resubmit the urb on timeout.
To make things worse, for commands like break control where no timeout
is used, the driver would corrupt the urb immediately due to a broken
jiffies comparison (on 32-bit machines this takes five minutes of uptime
to trigger due to INITIAL_JIFFIES).
Fix this by adding the missing return on timeout and waiting
indefinitely when no timeout has been specified as intended.
This issue was (sort of) flagged by Sashiko when reviewing an unrelated
change to the driver.
Link: https://sashiko.dev/#/patchset/20260610132232.356139-1-johan%40kernel.org?part=11
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/digi_acceleport.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -431,20 +431,22 @@ static int digi_write_inb_command(struct
int len;
struct digi_port *priv = usb_get_serial_port_data(port);
unsigned char *data = port->write_urb->transfer_buffer;
+ unsigned long expire;
unsigned long flags;
dev_dbg(&port->dev, "digi_write_inb_command: TOP: port=%d, count=%d\n",
priv->dp_port_num, count);
if (timeout)
- timeout += jiffies;
- else
- timeout = ULONG_MAX;
+ expire = jiffies + timeout;
spin_lock_irqsave(&priv->dp_port_lock, flags);
while (count > 0 && ret == 0) {
- while (priv->dp_write_urb_in_use &&
- time_before(jiffies, timeout)) {
+ while (priv->dp_write_urb_in_use) {
+ if (timeout && time_after(jiffies, expire)) {
+ ret = -ETIMEDOUT;
+ break;
+ }
cond_wait_interruptible_timeout_irqrestore(
&priv->write_wait, DIGI_RETRY_TIMEOUT,
&priv->dp_port_lock, flags);
@@ -453,6 +455,9 @@ static int digi_write_inb_command(struct
spin_lock_irqsave(&priv->dp_port_lock, flags);
}
+ if (ret)
+ break;
+
/* len must be a multiple of 4 and small enough to */
/* guarantee the write will send buffered data first, */
/* so commands are in order with data and not split */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 323/518] USB: ulpi: fix memory leak on registration failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 322/518] USB: serial: digi_acceleport: fix write buffer corruption Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 324/518] USB: usb-storage: ene_ub6250: restore media-ready check Greg Kroah-Hartman
` (198 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus,
Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8af6812795869a66e9b26044f455b13deecdb69c upstream.
The allocated device name is never freed on early ULPI device
registration failures.
Fix this by initialising the device structure earlier and releasing the
initial reference whenever registration fails.
Fixes: 289fcff4bcdb ("usb: add bus type for USB ULPI")
Cc: stable <stable@kernel.org>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260608145803.69360-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/common/ulpi.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
--- a/drivers/usb/common/ulpi.c
+++ b/drivers/usb/common/ulpi.c
@@ -281,28 +281,24 @@ static int ulpi_register(struct device *
ulpi->dev.parent = dev; /* needed early for ops */
ulpi->dev.bus = &ulpi_bus;
ulpi->dev.type = &ulpi_dev_type;
+
+ device_initialize(&ulpi->dev);
+
dev_set_name(&ulpi->dev, "%s.ulpi", dev_name(dev));
ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
ret = ulpi_of_register(ulpi);
- if (ret) {
- kfree(ulpi);
+ if (ret)
return ret;
- }
ret = ulpi_read_id(ulpi);
- if (ret) {
- of_node_put(ulpi->dev.of_node);
- kfree(ulpi);
+ if (ret)
return ret;
- }
- ret = device_register(&ulpi->dev);
- if (ret) {
- put_device(&ulpi->dev);
+ ret = device_add(&ulpi->dev);
+ if (ret)
return ret;
- }
root = debugfs_create_dir(dev_name(&ulpi->dev), ulpi_root);
debugfs_create_file("regs", 0444, root, ulpi, &ulpi_regs_fops);
@@ -334,9 +330,10 @@ struct ulpi *ulpi_register_interface(str
ulpi->ops = ops;
ret = ulpi_register(dev, ulpi);
- if (ret)
+ if (ret) {
+ put_device(&ulpi->dev);
return ERR_PTR(ret);
-
+ }
return ulpi;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 324/518] USB: usb-storage: ene_ub6250: restore media-ready check
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 323/518] USB: ulpi: fix memory leak on registration failure Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 325/518] usbip: tools: support SuperSpeedPlus devices Greg Kroah-Hartman
` (197 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xu Rao, Alan Stern
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Rao <raoxu@uniontech.com>
commit 5fc3f333c001f1e308bbcdeecdec0d054d24338b upstream.
Commit 1892bf90677a ("USB: usb-storage: Fix use of bitfields for
hardware data in ene_ub6250.c") converted the media status fields from
bitfields to bit masks.
The original ene_transport() test called ene_init() only when neither
media type was ready:
!(sd_ready || ms_ready)
The converted test became:
!sd_ready || ms_ready
This is not equivalent. Restore the original semantics by testing that
both ready bits are clear before calling ene_init().
Fixes: 1892bf90677a ("USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/F42641386E32404F+20260626070607.4119527-1-raoxu@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/ene_ub6250.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/storage/ene_ub6250.c
+++ b/drivers/usb/storage/ene_ub6250.c
@@ -2305,7 +2305,8 @@ static int ene_transport(struct scsi_cmn
/*US_DEBUG(usb_stor_show_command(us, srb)); */
scsi_set_resid(srb, 0);
- if (unlikely(!(info->SD_Status & SD_Ready) || (info->MS_Status & MS_Ready)))
+ if (unlikely(!(info->SD_Status & SD_Ready) &&
+ !(info->MS_Status & MS_Ready)))
result = ene_init(us);
if (result == USB_STOR_XFER_GOOD) {
result = USB_STOR_TRANSPORT_ERROR;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 325/518] usbip: tools: support SuperSpeedPlus devices
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 324/518] USB: usb-storage: ene_ub6250: restore media-ready check Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 326/518] usbip: vudc: fix NULL deref in vep_dequeue() Greg Kroah-Hartman
` (196 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Yichong Chen, Shuah Khan
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yichong Chen <chenyichong@uniontech.com>
commit 195e667c8719480c320cd48ac0fbf1cb81d6ffe0 upstream.
USB devices running at SuperSpeedPlus report "10000" or "20000" in
their sysfs speed attribute. usbip currently maps only "5000" to
USB_SPEED_SUPER, so a SuperSpeedPlus device is imported as
USB_SPEED_UNKNOWN.
The attach request is then rejected by vhci_hcd:
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
Map the SuperSpeedPlus sysfs speed values to USB_SPEED_SUPER_PLUS, use
the SuperSpeed VHCI hub for SuperSpeedPlus devices, and recognize the
gadget current_speed string used by the kernel.
Fixes: b2316645ca5e ("usb: show speed "10000" in sysfs for USB 3.1 SuperSpeedPlus devices")
Cc: stable <stable@kernel.org>
Signed-off-by: Yichong Chen <chenyichong@uniontech.com>
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/00C828F338E43447+20260617020613.199086-1-chenyichong@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/usb/usbip/libsrc/usbip_common.c | 2 ++
tools/usb/usbip/libsrc/usbip_device_driver.c | 4 ++++
tools/usb/usbip/libsrc/vhci_driver.c | 1 +
3 files changed, 7 insertions(+)
--- a/tools/usb/usbip/libsrc/usbip_common.c
+++ b/tools/usb/usbip/libsrc/usbip_common.c
@@ -29,6 +29,8 @@ static const struct speed_string speed_s
{ USB_SPEED_HIGH, "480", "High Speed(480Mbps)" },
{ USB_SPEED_WIRELESS, "53.3-480", "Wireless"},
{ USB_SPEED_SUPER, "5000", "Super Speed(5000Mbps)" },
+ { USB_SPEED_SUPER_PLUS, "10000", "Super Speed Plus(10000Mbps)" },
+ { USB_SPEED_SUPER_PLUS, "20000", "Super Speed Plus(20000Mbps)" },
{ 0, NULL, NULL }
};
--- a/tools/usb/usbip/libsrc/usbip_device_driver.c
+++ b/tools/usb/usbip/libsrc/usbip_device_driver.c
@@ -57,6 +57,10 @@ static struct {
.speed = USB_SPEED_SUPER,
.name = "super-speed",
},
+ {
+ .speed = USB_SPEED_SUPER_PLUS,
+ .name = "super-speed-plus",
+ },
};
static
--- a/tools/usb/usbip/libsrc/vhci_driver.c
+++ b/tools/usb/usbip/libsrc/vhci_driver.c
@@ -338,6 +338,7 @@ int usbip_vhci_get_free_port(uint32_t sp
switch (speed) {
case USB_SPEED_SUPER:
+ case USB_SPEED_SUPER_PLUS:
if (vhci_driver->idev[i].hub != HUB_SPEED_SUPER)
continue;
break;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 326/518] usbip: vudc: fix NULL deref in vep_dequeue()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 325/518] usbip: tools: support SuperSpeedPlus devices Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 327/518] usb: typec: anx7411: use devm_pm_runtime_enable() Greg Kroah-Hartman
` (195 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Igor Kotrasinski, Sam Day
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Day <me@samcday.com>
commit c5371e0b91b24159a3ebaa61e70b0980bcf03c0a upstream.
vep_alloc_request() wasn't initializing vrequest->udc, so cancellations
on the FunctionFS AIO path were arriving in vep_dequeue without a valid
UDC reference.
Since vrequest->udc is never actually properly used anywhere, we opt to
remove it, and update vep_dequeue to obtain a reference to the udc with
ep_to_vudc(), consistent with the other vep_ ops.
AFAICT this bug has existed for ~10 years. Seems that nobody has really
stressed the FunctionFS AIO path on usbip's vudc.
I tested this fix in a QEMU aarch64 guest driving FunctionFS endpoints
via AIO. Before the fix, running `usbip attach` from the host would
cause the guest to oops with the following backtrace:
Call trace:
vep_dequeue+0x1c/0xe4 (P)
usb_ep_dequeue+0x14/0x20
ffs_aio_cancel+0x24/0x34
__arm64_sys_io_cancel+0xb0/0x124
do_el0_svc+0x68/0x100
el0_svc+0x18/0x5c
el0t_64_sync_handler+0x98/0xdc
el0t_64_sync+0x154/0x158
Assisted-by: opencode:openai/gpt-5.5
Cc: stable <stable@kernel.org>
Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Reviewed-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Sam Day <me@samcday.com>
Link: https://patch.msgid.link/20260626-usbip-vudc-deque-fix-v3-1-98c2dc4d6a48@samcday.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/usbip/vudc.h | 1 -
drivers/usb/usbip/vudc_dev.c | 4 +---
2 files changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/usb/usbip/vudc.h
+++ b/drivers/usb/usbip/vudc.h
@@ -38,7 +38,6 @@ struct vep {
struct vrequest {
struct usb_request req;
- struct vudc *udc;
struct list_head req_entry; /* Request queue */
};
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -333,7 +333,6 @@ static int vep_queue(struct usb_ep *_ep,
static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
{
struct vep *ep;
- struct vrequest *req;
struct vudc *udc;
struct vrequest *lst;
unsigned long flags;
@@ -343,8 +342,7 @@ static int vep_dequeue(struct usb_ep *_e
return ret;
ep = to_vep(_ep);
- req = to_vrequest(_req);
- udc = req->udc;
+ udc = ep_to_vudc(ep);
if (!udc->driver)
return -ESHUTDOWN;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 327/518] usb: typec: anx7411: use devm_pm_runtime_enable()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 326/518] usbip: vudc: fix NULL deref in vep_dequeue() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 328/518] usb: typec: class: drop PD lookup reference Greg Kroah-Hartman
` (194 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak,
Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit 0ef7cc27da8b9e315a4a5a665c68c44206f5e559 upstream.
anx7411_i2c_probe() enables runtime PM before returning successfully, but
anx7411_i2c_remove() tears down the Type-C partner state, workqueue, dummy
I2C device, mux, switch and port without disabling runtime PM.
Use devm_pm_runtime_enable() so runtime PM is disabled automatically on
driver detach. Since devres action registration can fail, route that
failure through the existing probe unwind path.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260701114006.75738-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/anx7411.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/typec/anx7411.c
+++ b/drivers/usb/typec/anx7411.c
@@ -1537,7 +1537,9 @@ static int anx7411_i2c_probe(struct i2c_
if (anx7411_typec_check_connection(plat))
dev_err(dev, "check status\n");
- pm_runtime_enable(dev);
+ ret = devm_pm_runtime_enable(dev);
+ if (ret)
+ goto free_wq;
return 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 328/518] usb: typec: class: drop PD lookup reference
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 327/518] usb: typec: anx7411: use devm_pm_runtime_enable() Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 329/518] usb: typec: ps883x: Fix DP+USB3 configuration Greg Kroah-Hartman
` (193 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Shuangpeng Bai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
commit 43ae2f90b70cda374c487c1639a01d0f14e5d583 upstream.
usb_power_delivery_find() wraps class_find_device_by_name(). That helper
returns a device reference that must be released by the caller.
select_usb_power_delivery_store() only needs this reference while calling
the pd_set callback. Drop it once the callback returns. Otherwise the sysfs
write can pin the selected USB Power Delivery object and prevent it from
being released on unregister.
Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
Cc: stable <stable@kernel.org>
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Link: https://patch.msgid.link/20260702191329.2648043-1-shuangpeng.kernel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/class.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/typec/class.c
+++ b/drivers/usb/typec/class.c
@@ -1619,6 +1619,7 @@ static ssize_t select_usb_power_delivery
return -EINVAL;
ret = port->ops->pd_set(port, pd);
+ put_device(&pd->dev);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 329/518] usb: typec: ps883x: Fix DP+USB3 configuration
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 328/518] usb: typec: class: drop PD lookup reference Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 330/518] usb: typec: tcpm: Fix VDM type for Enter Mode commands Greg Kroah-Hartman
` (192 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Stephan Gerhold,
Heikki Krogerus, Jens Glathe, Konrad Dybcio
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit b229b22b0a945d52dee887c856991ad08744d08e upstream.
Commit 6bebd9b77726 ("usb: typec: ps883x: Rework ps883x_set()") introduced
two regressions:
1. The CONN_STATUS_0_USB_3_1_CONNECTED bit is mistakenly written to the
wrong configuration register (cfg1 instead of cfg0). This breaks USB3
when using USB3+DP adapters.
2. The switch-case fallthrough block is inverted: Currently,
TYPEC_DP_STATE_C (DP-only) inherits the USB3 configuration, while
TYPEC_DP_STATE_D (DP+USB3) is missing the necessary DP sink flags.
Fix these by writing the USB3 bit to the correct register and swapping the
case statement order so both states get their correct bits assigned.
Cc: stable <stable@kernel.org>
Fixes: 6bebd9b77726 ("usb: typec: ps883x: Rework ps883x_set()")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Tested-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260601-ps883x-usb3dp-fixes-v1-1-d19bec3a6d26@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/mux/ps883x.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/typec/mux/ps883x.c
+++ b/drivers/usb/typec/mux/ps883x.c
@@ -118,12 +118,12 @@ static int ps883x_set(struct ps883x_reti
CONN_STATUS_1_DP_HPD_LEVEL;
switch (state->mode) {
+ case TYPEC_DP_STATE_D:
+ cfg0 |= CONN_STATUS_0_USB_3_1_CONNECTED;
+ fallthrough;
case TYPEC_DP_STATE_C:
cfg1 |= CONN_STATUS_1_DP_SINK_REQUESTED |
CONN_STATUS_1_DP_PIN_ASSIGNMENT_C_D;
- fallthrough;
- case TYPEC_DP_STATE_D:
- cfg1 |= CONN_STATUS_0_USB_3_1_CONNECTED;
break;
default: /* MODE_E */
break;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 330/518] usb: typec: tcpm: Fix VDM type for Enter Mode commands
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 329/518] usb: typec: ps883x: Fix DP+USB3 configuration Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:29 ` [PATCH 7.1 331/518] usb: typec: tcpm: Validate SVID index in svdm_consume_modes() Greg Kroah-Hartman
` (191 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Andy Yan, Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Yan <andyshrk@163.com>
commit 9cff680e47632b7723cb19f9c5e63669063c3417 upstream.
VDO() second parameter is VDM type (bit 15): 1 for SVDM, 0 for UVDM.
Using 'vdo ? 2 : 1' corrupts SVID low bit when vdo is non-NULL
(2 << 15 = BIT(16)). Enter Mode is always SVDM, hardcode to 1.
Fixes: 8face9aa57c8 ("usb: typec: Add parameter for the VDO to typec_altmode_enter()")
Cc: stable <stable@kernel.org>
Signed-off-by: Andy Yan <andyshrk@163.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260604105059.18750-1-andyshrk@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -3088,7 +3088,7 @@ static int tcpm_altmode_enter(struct typ
if (svdm_version < 0)
return svdm_version;
- header = VDO(altmode->svid, vdo ? 2 : 1, svdm_version, CMD_ENTER_MODE);
+ header = VDO(altmode->svid, 1, svdm_version, CMD_ENTER_MODE);
header |= VDO_OPOS(altmode->mode);
return tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP);
@@ -3136,7 +3136,7 @@ static int tcpm_cable_altmode_enter(stru
if (svdm_version < 0)
return svdm_version;
- header = VDO(altmode->svid, vdo ? 2 : 1, svdm_version, CMD_ENTER_MODE);
+ header = VDO(altmode->svid, 1, svdm_version, CMD_ENTER_MODE);
header |= VDO_OPOS(altmode->mode);
return tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP_PRIME);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 331/518] usb: typec: tcpm: Validate SVID index in svdm_consume_modes()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 330/518] usb: typec: tcpm: Fix VDM type for Enter Mode commands Greg Kroah-Hartman
@ 2026-07-16 13:29 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 332/518] usb: typec: ucsi: Invert DisplayPort role assignment Greg Kroah-Hartman
` (190 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Badhri Jagan Sridharan,
RD Babiera, Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Badhri Jagan Sridharan <badhri@google.com>
commit 7b681dd5fbf60b24a13c14661e5b7735759fb491 upstream.
In svdm_consume_modes(), the SVID value is read from pmdata->svids using
pmdata->svid_index as an array index without bounds validation:
paltmode->svid = pmdata->svids[pmdata->svid_index];
If pmdata->svid_index is driven beyond SVID_DISCOVERY_MAX (16), it results
in an out-of-bounds read of the pmdata->svids array. Because pd_mode_data
is embedded inside struct tcpm_port, indexing past svids reads into
adjacent fields. In particular:
- At index 16, it reads the altmodes count.
- At index 18 and beyond, it reads into altmode_desc[], which contains
partner-supplied SVDM Discovery Modes VDOs.
By injecting a chosen SVID into altmode_desc[0].vdo and driving svid_index
to 20, the partner can force paltmode->svid to be loaded with an arbitrary,
partner- chosen SVID, which is then registered via
typec_partner_register_altmode().
Fix this by validating that pmdata->svid_index is non-negative and strictly
less than pmdata->nsvids before accessing the pmdata->svids array inside
svdm_consume_modes().
Assisted-by: Antigravity:gemini-3.5-flash
Fixes: 4ab8c18d4d67 ("usb: typec: Register a device for every mode")
Cc: stable <stable@kernel.org>
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: RD Babiera <rdbabiera@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260622220803.305750-1-badhri@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2000,6 +2000,11 @@ static void svdm_consume_modes(struct tc
return;
}
+ if (pmdata->svid_index < 0 || pmdata->svid_index >= pmdata->nsvids) {
+ tcpm_log(port, "Invalid SVID index %d", pmdata->svid_index);
+ return;
+ }
+
for (i = 1; i < cnt; i++) {
if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
/* Already logged in svdm_consume_svids() */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 332/518] usb: typec: ucsi: Invert DisplayPort role assignment
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-07-16 13:29 ` [PATCH 7.1 331/518] usb: typec: tcpm: Validate SVID index in svdm_consume_modes() Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 333/518] usb: typec: ucsi: Pass full DP config payload in SET_NEW_CAM for DP alt mode Greg Kroah-Hartman
` (189 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Andrei Kuchynski,
Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrei Kuchynski <akuchynski@chromium.org>
commit d092d7edf8faefa3e27b9fc7f0e7904b06c833a2 upstream.
The existing implementation assigned these flags backwards, configuring
the partner's DisplayPort role to match the port's role instead of
complementing it.
This prevents proper configuration during DP altmode activation, often
causing `pin_assignment` to remain 0 in `dp_altmode_configure()` and
resulting in VDM negotiation failures:
[ 583.328246] typec port1.1: VDM 0xff01a150 failed
Additionally, the fix ensures that the `pin_assignment` sysfs attribute
displays the correct values.
Cc: stable <stable@kernel.org>
Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode")
Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260601142837.3240207-1-akuchynski@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/displayport.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -166,12 +166,12 @@ static int ucsi_displayport_status_updat
* that Multi-function is preferred.
*/
if (DP_CAP_CAPABILITY(cap) & DP_CAP_UFP_D) {
- dp->data.status |= DP_STATUS_CON_UFP_D;
+ dp->data.status |= DP_STATUS_CON_DFP_D;
if (DP_CAP_UFP_D_PIN_ASSIGN(cap) & BIT(DP_PIN_ASSIGN_D))
dp->data.status |= DP_STATUS_PREFER_MULTI_FUNC;
} else {
- dp->data.status |= DP_STATUS_CON_DFP_D;
+ dp->data.status |= DP_STATUS_CON_UFP_D;
if (DP_CAP_DFP_D_PIN_ASSIGN(cap) & BIT(DP_PIN_ASSIGN_D))
dp->data.status |= DP_STATUS_PREFER_MULTI_FUNC;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 333/518] usb: typec: ucsi: Pass full DP config payload in SET_NEW_CAM for DP alt mode
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 332/518] usb: typec: ucsi: Invert DisplayPort role assignment Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 334/518] usb: typec: ucsi: ccg: Fix use-after-free of ucsi on remove Greg Kroah-Hartman
` (188 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Madhu M, Jameson Thies,
Andrei Kuchynski, Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Madhu M <madhu.m@intel.com>
commit 735a461d060d4eeb2f9732aba1295bc32a3982e2 upstream.
In the UCSI Specification Revision 3.1 RC1, bits 32-63 of the SET_NEW_CAM
command hold the 32-bit Alternate Mode Specific (AMSpecific) field.
For DisplayPort Alternate Mode, this field must contain the full
32-bit DisplayPort configuration VDO payload that the OPM wants the
connector to operate in, rather than just the pin assignment value.
This AMSpecific value follows the DisplayPort Configurations defined
in the DisplayPort Alt Mode on USB Type-C Specification v2.1a,
Table 5-13: SOP DisplayPort Configurations.
Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode")
Cc: stable <stable@kernel.org>
Signed-off-by: Madhu M <madhu.m@intel.com>
Reviewed-by: Jameson Thies <jthies@google.com>
Reviewed-by: Andrei Kuchynski <akuchynski@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260619153311.3526083-1-madhu.m@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/displayport.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -185,13 +185,12 @@ static int ucsi_displayport_status_updat
static int ucsi_displayport_configure(struct ucsi_dp *dp)
{
- u32 pins = DP_CONF_GET_PIN_ASSIGN(dp->data.conf);
u64 command;
if (!dp->override)
return 0;
- command = UCSI_CMD_SET_NEW_CAM(dp->con->num, 1, dp->offset, pins);
+ command = UCSI_CMD_SET_NEW_CAM(dp->con->num, 1, dp->offset, dp->data.conf);
return ucsi_send_command(dp->con->ucsi, command, NULL, 0);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 334/518] usb: typec: ucsi: ccg: Fix use-after-free of ucsi on remove
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 333/518] usb: typec: ucsi: Pass full DP config payload in SET_NEW_CAM for DP alt mode Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 335/518] usb: typec: ucsi: cancel pending work on system suspend Greg Kroah-Hartman
` (187 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Fan Wu, Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 1f0bdc2884b67de337215079bba166df0cdf4ac5 upstream.
The threaded IRQ handler ccg_irq_handler() calls ucsi_notify_common(),
which on a connector-change event calls ucsi_connector_change() and
schedules connector work. In ucsi_ccg_remove(), ucsi_destroy() frees
uc->ucsi (kfree) before free_irq() is called, so a handler invocation
already in flight may access the freed object after ucsi_destroy().
CPU 0 (remove) | CPU 1 (threaded IRQ)
ucsi_destroy(uc->ucsi) | ccg_irq_handler()
kfree(ucsi) // FREE | ucsi_notify_common(uc->ucsi) // USE
Move free_irq() before ucsi_destroy() in the remove path. It is kept
after ucsi_unregister(): ucsi_unregister() cancels connector work whose
handler issues GET_CONNECTOR_STATUS through ucsi_send_command_common(),
which waits for a completion that is signalled from the IRQ handler, so
the IRQ must stay active until that work has been cancelled.
The probe error path already orders free_irq() before ucsi_destroy().
This bug was found by static analysis.
Fixes: e32fd989ac1c ("usb: typec: ucsi: ccg: Move to the new API")
Cc: stable <stable@kernel.org>
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260616132011.103279-1-fanwu01@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi_ccg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
+++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
@@ -1519,8 +1519,8 @@ static void ucsi_ccg_remove(struct i2c_c
cancel_work_sync(&uc->work);
pm_runtime_disable(uc->dev);
ucsi_unregister(uc->ucsi);
- ucsi_destroy(uc->ucsi);
free_irq(uc->irq, uc);
+ ucsi_destroy(uc->ucsi);
}
static const struct of_device_id ucsi_ccg_of_match_table[] = {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 335/518] usb: typec: ucsi: cancel pending work on system suspend
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 334/518] usb: typec: ucsi: ccg: Fix use-after-free of ucsi on remove Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 336/518] usb: gadget: f_fs: initialize reset_work at allocation time Greg Kroah-Hartman
` (186 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Paul Menzel, Heikki Krogerus
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Menzel <pmenzel@molgen.mpg.de>
commit 7c4a234bd31a64a8dbd0140dc812da592c5e0787 upstream.
On a Dell XPS 13 9360 (BIOS 2.21.0), entering system suspend (deep/S3)
races a pending UCSI connector-change worker against the ACPI EC teardown.
The worker evaluates the UCSI _DSM (GET_CONNECTOR_STATUS), whose AML
accesses the Embedded Controller. By that point the ACPI EC has already
been stopped for suspend, so the EC address space handler rejects the
access with AE_BAD_PARAMETER, aborting the AML and failing the connector
query:
[22314.689495] ACPI: EC: interrupt blocked
[22314.711981] ACPI: PM: Preparing to enter system sleep state S3
[22314.743260] ACPI: EC: event blocked
[22314.743265] ACPI: EC: EC stopped
[22314.743267] ACPI: PM: Saving platform NVS memory
[22314.744241] ACPI Error: AE_BAD_PARAMETER, Returned by Handler for [EmbeddedControl] (20260408/evregion-303)
[22314.744432] ACPI Error: Aborting method \_SB.PCI0.LPCB.ECDV.ECW1 due to previous error (AE_BAD_PARAMETER) (20260408/psparse-543)
[22314.744673] ACPI Error: Aborting method \ECWB due to previous error (AE_BAD_PARAMETER) (20260408/psparse-543)
[22314.745201] ACPI Error: Aborting method \_SB.UBTC._DSM due to previous error (AE_BAD_PARAMETER) (20260408/psparse-543)
[22314.745394] ACPI: \_SB_.UBTC: failed to evaluate _DSM c298836f-a47c-e411-ad36-631042b5008f rev:1 func:1 (0x1001)
[22314.745414] ucsi_acpi USBC000:00: ucsi_acpi_dsm: failed to evaluate _DSM 1
[22314.745424] ucsi_acpi USBC000:00: ucsi_handle_connector_change: GET_CONNECTOR_STATUS failed (-5)
ucsi_acpi implements a resume callback but no suspend callback, so nothing
cancels the connector-change work before the firmware/EC is torn down.
Add a `ucsi_suspend()` core helper that cancels the pending init and
connector-change work, and wire it into ucsi_acpi's PM ops. The connector
state is re-read on resume by `ucsi_resume()`, so cancelling the work loses
nothing.
Fixes: 4e3a50293c2b ("usb: typec: ucsi: acpi: Implement resume callback")
Cc: stable <stable@kernel.org>
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Assisted-by: Claude Opus 4.8
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260703110738.8457-2-pmenzel@molgen.mpg.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi.c | 20 ++++++++++++++++++++
drivers/usb/typec/ucsi/ucsi.h | 1 +
drivers/usb/typec/ucsi/ucsi_acpi.c | 10 +++++++++-
3 files changed, 30 insertions(+), 1 deletion(-)
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1978,6 +1978,26 @@ static void ucsi_resume_work(struct work
}
}
+int ucsi_suspend(struct ucsi *ucsi)
+{
+ int i;
+
+ /*
+ * Cancel pending work so it cannot access the firmware after the ACPI
+ * EC is stopped for suspend; state is re-read on resume.
+ */
+ cancel_delayed_work_sync(&ucsi->work);
+
+ if (!ucsi->connector)
+ return 0;
+
+ for (i = 0; i < ucsi->cap.num_connectors; i++)
+ cancel_work_sync(&ucsi->connector[i].work);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(ucsi_suspend);
+
int ucsi_resume(struct ucsi *ucsi)
{
if (ucsi->connector)
--- a/drivers/usb/typec/ucsi/ucsi.h
+++ b/drivers/usb/typec/ucsi/ucsi.h
@@ -566,6 +566,7 @@ int ucsi_send_command(struct ucsi *ucsi,
void *retval, size_t size);
void ucsi_altmode_update_active(struct ucsi_connector *con);
+int ucsi_suspend(struct ucsi *ucsi);
int ucsi_resume(struct ucsi *ucsi);
void ucsi_notify_common(struct ucsi *ucsi, u32 cci);
--- a/drivers/usb/typec/ucsi/ucsi_acpi.c
+++ b/drivers/usb/typec/ucsi/ucsi_acpi.c
@@ -245,6 +245,13 @@ static void ucsi_acpi_remove(struct plat
ucsi_acpi_notify);
}
+static int ucsi_acpi_suspend(struct device *dev)
+{
+ struct ucsi_acpi *ua = dev_get_drvdata(dev);
+
+ return ucsi_suspend(ua->ucsi);
+}
+
static int ucsi_acpi_resume(struct device *dev)
{
struct ucsi_acpi *ua = dev_get_drvdata(dev);
@@ -252,7 +259,8 @@ static int ucsi_acpi_resume(struct devic
return ucsi_resume(ua->ucsi);
}
-static DEFINE_SIMPLE_DEV_PM_OPS(ucsi_acpi_pm_ops, NULL, ucsi_acpi_resume);
+static DEFINE_SIMPLE_DEV_PM_OPS(ucsi_acpi_pm_ops, ucsi_acpi_suspend,
+ ucsi_acpi_resume);
static const struct acpi_device_id ucsi_acpi_match[] = {
{ "PNP0CA0", 0 },
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 336/518] usb: gadget: f_fs: initialize reset_work at allocation time
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 335/518] usb: typec: ucsi: cancel pending work on system suspend Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 337/518] usb: gadget: f_fs: Fix DMA fence leak Greg Kroah-Hartman
` (185 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Tyler Baker, Loic Poulain,
Dmitry Baryshkov, Srinivas Kandagatla, Peter Chen,
Michał Nazarewicz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Baker <tyler.baker@oss.qualcomm.com>
commit 3137b243c93982fe3460335e12f9247739766e10 upstream.
ffs_fs_kill_sb() unconditionally calls cancel_work_sync() on
ffs->reset_work when a functionfs instance is unmounted:
ffs_data_reset(ffs);
cancel_work_sync(&ffs->reset_work);
However ffs->reset_work is only ever initialized via INIT_WORK() in
ffs_func_set_alt() and ffs_func_disable(), and only on the
FFS_DEACTIVATED path. That state is reached solely by ffs_data_closed()
when the instance is mounted with the "no_disconnect" option, so for the
common case (no "no_disconnect", or mounted and unmounted without ever
being deactivated) reset_work is never initialized.
ffs_data_new() allocates the ffs_data with kzalloc_obj() and does not
initialize reset_work, and ffs_data_reset()/ffs_data_clear() do not touch
it either, so reset_work.func is left NULL. cancel_work_sync() on such a
work then trips the WARN_ON(!work->func) guard in __flush_work():
WARNING: kernel/workqueue.c:4301 at __flush_work+0x330/0x360, CPU#3: umount
Call trace:
__flush_work
cancel_work_sync
ffs_fs_kill_sb [usb_f_fs]
deactivate_locked_super
deactivate_super
cleanup_mnt
__cleanup_mnt
task_work_run
exit_to_user_mode_loop
el0_svc
On older kernels cancel_work_sync() on a zero-initialized work struct was
a silent no-op, which hid the missing initialization.
Initialize reset_work once in ffs_data_new() so it is always valid for
the lifetime of the ffs_data, and drop the now-redundant INIT_WORK()
calls from the two deactivation paths.
Fixes: 18d6b32fca38 ("usb: gadget: f_fs: add "no_disconnect" mode")
Cc: stable <stable@kernel.org>
Signed-off-by: Tyler Baker <tyler.baker@oss.qualcomm.com>
Cc: Loic Poulain <loic.poulain@oss.qualcomm.com>
Cc: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Cc: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Acked-by: Michał Nazarewicz <mina86@mina86.com>
Link: https://patch.msgid.link/20260609193635.2284430-1-tyler.baker@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -288,6 +288,7 @@ static int ffs_acquire_dev(const char *d
static void ffs_release_dev(struct ffs_dev *ffs_dev);
static int ffs_ready(struct ffs_data *ffs);
static void ffs_closed(struct ffs_data *ffs);
+static void ffs_reset_work(struct work_struct *work);
/* Misc helper functions ****************************************************/
@@ -2221,6 +2222,7 @@ static struct ffs_data *ffs_data_new(con
init_waitqueue_head(&ffs->ev.waitq);
init_waitqueue_head(&ffs->wait);
init_completion(&ffs->ep0req_completion);
+ INIT_WORK(&ffs->reset_work, ffs_reset_work);
/* XXX REVISIT need to update it in some places, or do we? */
ffs->ev.can_stall = 1;
@@ -3775,7 +3777,6 @@ static int ffs_func_set_alt(struct usb_f
if (ffs->state == FFS_DEACTIVATED) {
ffs->state = FFS_CLOSING;
spin_unlock_irqrestore(&ffs->eps_lock, flags);
- INIT_WORK(&ffs->reset_work, ffs_reset_work);
schedule_work(&ffs->reset_work);
return -ENODEV;
}
@@ -3806,7 +3807,6 @@ static void ffs_func_disable(struct usb_
if (ffs->state == FFS_DEACTIVATED) {
ffs->state = FFS_CLOSING;
spin_unlock_irqrestore(&ffs->eps_lock, flags);
- INIT_WORK(&ffs->reset_work, ffs_reset_work);
schedule_work(&ffs->reset_work);
return;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 337/518] usb: gadget: f_fs: Fix DMA fence leak
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 336/518] usb: gadget: f_fs: initialize reset_work at allocation time Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 338/518] usb: gadget: f_fs: Initialize epfile->in early to fix endpoint direction checks Greg Kroah-Hartman
` (184 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Paul Cercueil, Nuno Sá
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Cercueil <paul@crapouillou.net>
commit baa6b6068a3f2bf2ed525a1cb37975905dadc658 upstream.
In ffs_dmabuf_transfer(), a ffs_dma_fence object is kmalloc'd, with the
underlying dma_fence later initialized by dma_fence_init(), which sets
its kref counter to 1. Then, dma_resv_add_fence() gets a second
reference, and a pointer to the ffs_dma_fence is passed as the
usb_request's "context" field.
The dma-resv mechanism will manage the second reference, but the first
reference is never properly released; the ffs_dmabuf_cleanup() function
decreases the reference count, but only to balance with the reference
grab in ffs_dmabuf_signal_done().
The code will then slowly leak memory as more ffs_dma_fence objects are
created without being ever freed.
Address this issue by transferring ownership of the fence to the DMA
reservation object, by calling dma_fence_put() right after
dma_resv_add_fence(). The ffs_dma_fence then gets properly discarded
after being signalled.
Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Cc: stable <stable@kernel.org>
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Tested-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20260609152905.729328-1-paul@crapouillou.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1705,6 +1705,7 @@ static int ffs_dmabuf_transfer(struct fi
resv_dir = epfile->in ? DMA_RESV_USAGE_READ : DMA_RESV_USAGE_WRITE;
dma_resv_add_fence(dmabuf->resv, &fence->base, resv_dir);
+ dma_fence_put(&fence->base);
dma_resv_unlock(dmabuf->resv);
/* Now that the dma_fence is in place, queue the transfer. */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 338/518] usb: gadget: f_fs: Initialize epfile->in early to fix endpoint direction checks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 337/518] usb: gadget: f_fs: Fix DMA fence leak Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 339/518] usb: gadget: f_fs: Tie read_buffer lifetime to ffs_epfile Greg Kroah-Hartman
` (183 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Neill Kapron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neill Kapron <nkapron@google.com>
commit 82cfd4739011bdc7e87b5d585703427e89ddfaa5 upstream.
When parsing endpoint descriptors, ffs_data_got_descs() generates the
eps_addrmap which contains the endpoint direction. However, epfile->in
was previously only populated in ffs_func_eps_enable() which executes
upon USB host connection. As a result, early userspace ioctls like
FUNCTIONFS_DMABUF_ATTACH that run before the host connects would see
epfile->in as 0, leading to incorrect DMA directions.
By moving the initialization to ffs_epfiles_create(), epfile->in is
accurate before userspace opens the endpoint files.
Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Cc: stable <stable@kernel.org>
Assisted-by: Antigravity:gemini-3.1-pro
Signed-off-by: Neill Kapron <nkapron@google.com>
Link: https://patch.msgid.link/20260619040609.4010746-2-nkapron@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2367,6 +2367,7 @@ static int ffs_epfiles_create(struct ffs
sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
else
sprintf(epfile->name, "ep%u", i);
+ epfile->in = (ffs->eps_addrmap[i] & USB_ENDPOINT_DIR_MASK) ? 1 : 0;
err = ffs_sb_create_file(ffs->sb, epfile->name,
epfile, &ffs_epfile_operations);
if (err) {
@@ -2456,7 +2457,6 @@ static int ffs_func_eps_enable(struct ff
ret = usb_ep_enable(ep->ep);
if (!ret) {
epfile->ep = ep;
- epfile->in = usb_endpoint_dir_in(ep->ep->desc);
epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc);
} else {
break;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 339/518] usb: gadget: f_fs: Tie read_buffer lifetime to ffs_epfile
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 338/518] usb: gadget: f_fs: Initialize epfile->in early to fix endpoint direction checks Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 340/518] block: skip sync_blockdev() on surprise removal in bdev_mark_dead() Greg Kroah-Hartman
` (182 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Neill Kapron
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neill Kapron <nkapron@google.com>
commit 8bdcf96eb135aebacac319667f87db034fb38406 upstream.
Currently, ffs_epfile_release unconditionally frees the endpoint's
read_buffer when a file descriptor is closed. If userspace explicitly
opens the endpoint multiple times and closes one, the read_buffer is
destroyed. This can lead to silent data loss if other file descriptors
are still actively reading from the endpoint.
By tying the lifetime of the read_buffer to the ffs_epfile structure itself
(which is destroyed when the functionfs instance is torn down in
ffs_epfiles_destroy), we eliminate the brittle dependency on open/release
calls while correctly matching the conceptual lifetime of unread data on
the hardware endpoint.
Fixes: 9353afbbfa7b ("usb: gadget: f_fs: buffer data from ‘oversized’ OUT requests")
Cc: stable <stable@kernel.org>
Assisted-by: Antigravity:gemini-3.1-pro
Signed-off-by: Neill Kapron <nkapron@google.com>
Link: https://patch.msgid.link/20260619040609.4010746-3-nkapron@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1375,7 +1375,6 @@ ffs_epfile_release(struct inode *inode,
mutex_unlock(&epfile->dmabufs_mutex);
- __ffs_epfile_read_buffer_free(epfile);
ffs_data_closed(epfile->ffs);
return 0;
@@ -2393,6 +2392,7 @@ static void ffs_epfiles_destroy(struct s
for (; count; --count, ++epfile) {
BUG_ON(mutex_is_locked(&epfile->mutex));
+ __ffs_epfile_read_buffer_free(epfile);
simple_remove_by_name(root, epfile->name, clear_one);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 340/518] block: skip sync_blockdev() on surprise removal in bdev_mark_dead()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 339/518] usb: gadget: f_fs: Tie read_buffer lifetime to ffs_epfile Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 341/518] wifi: mt76: mt7921/mt7925: fix NULL dereference in CSA beacon Greg Kroah-Hartman
` (181 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sungwoo Kim, Dave Tian, Weidong Zhu,
Chao Shi, Christoph Hellwig, Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Shi <coshi036@gmail.com>
commit 49f06cff50a4ccf3b7a1a662ceb892b3b21a527a upstream.
bdev_mark_dead()'s @surprise == true means the device is already gone.
The filesystem callback fs_bdev_mark_dead() honours this and skips
sync_filesystem(), but the bare block device path (no ->mark_dead op)
lost its !surprise guard when the holder ->mark_dead callback was wired
up (see Fixes), and now calls sync_blockdev() unconditionally, which can
hang forever waiting on writeback that can no longer complete.
syzkaller hit this via nvme_reset_work()'s "I/O queues lost" path:
nvme_mark_namespaces_dead() -> blk_mark_disk_dead() ->
bdev_mark_dead(bdev, true) -> sync_blockdev() blocks in
folio_wait_writeback(), wedging the reset worker and every task waiting
on it.
Skip the sync on surprise removal, matching fs_bdev_mark_dead();
invalidate_bdev() still runs. Orderly removal (surprise == false) is
unchanged.
Found by FuzzNvme(Syzkaller with FEMU fuzzing framework).
Fixes: d8530de5a6e8 ("block: call into the file system for bdev_mark_dead")
Acked-by: Sungwoo Kim <iam@sung-woo.kim>
Acked-by: Dave Tian <daveti@purdue.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Signed-off-by: Chao Shi <coshi036@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260522220025.1770388-1-coshi036@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/bdev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -1245,7 +1245,13 @@ void bdev_mark_dead(struct block_device
bdev->bd_holder_ops->mark_dead(bdev, surprise);
else {
mutex_unlock(&bdev->bd_holder_lock);
- sync_blockdev(bdev);
+ /*
+ * On surprise removal the device is already gone; syncing is
+ * futile and can hang forever waiting on I/O that will never
+ * complete. Match fs_bdev_mark_dead(), which also skips it.
+ */
+ if (!surprise)
+ sync_blockdev(bdev);
}
invalidate_bdev(bdev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 341/518] wifi: mt76: mt7921/mt7925: fix NULL dereference in CSA beacon
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 340/518] block: skip sync_blockdev() on surprise removal in bdev_mark_dead() Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 342/518] udf: validate free block extents against the partition length Greg Kroah-Hartman
` (180 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bongani Hlope, Arjan van de Ven,
linux-wireless, linux-mediatek, Felix Fietkau, Lorenzo Bianconi,
Ryder Lee, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arjan van de Ven <arjan@linux.intel.com>
[ Upstream commit 351dd7d2c80d23e56dcce6faa4e62bea5b0877c7 ]
This patch is based on a BUG as reported by Bongani Hlope at
https://lore.kernel.org/all/20260502125824.425d7159@bongani-mini.home.org.za/
When a channel-switch announcement (CSA) beacon is received,
cfg80211 queues a wiphy work item that eventually calls
mt7921_channel_switch_rx_beacon(). If the station disconnects
(or the channel context is otherwise torn down) between the
time the work is queued and the time it runs, the driver's
dev->new_ctx pointer can already have been cleared to NULL.
mt7921_channel_switch_rx_beacon() then dereferences new_ctx
unconditionally, triggering a NULL pointer dereference at
address 0x0:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:mt7921_channel_switch_rx_beacon+0x1f/0x100 [mt7921_common]
The same missing guard exists in mt7925_channel_switch_rx_beacon(),
which shares the same code pattern introduced by the same commit.
Add an early-return NULL check for dev->new_ctx in both
mt7921_channel_switch_rx_beacon() and
mt7925_channel_switch_rx_beacon(). When new_ctx is NULL there is
no pending channel switch to process, so returning immediately is
the correct and safe action.
Fixes: 8aa2f59260eb ("wifi: mt76: mt7921: introduce CSA support")
Reported-by: Bongani Hlope <developer@hlope.org.za>
Oops-Analysis: http://oops.fenrus.org/reports/lkml/20260502125824.425d7159@bongani-mini.home.org.za/report.html
Link: https://lore.kernel.org/all/20260502125824.425d7159@bongani-mini.home.org.za/
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: linux-wireless@vger.kernel.org
Cc: linux-mediatek@lists.infradead.org
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: Ryder Lee <ryder.lee@mediatek.com>
Link: https://patch.msgid.link/20260504145107.1329197-1-arjan@linux.intel.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 +++
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 3d74fabe74085e..a326f4c95c7c86 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -1508,6 +1508,9 @@ static void mt7921_channel_switch_rx_beacon(struct ieee80211_hw *hw,
struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
u16 beacon_interval = vif->bss_conf.beacon_int;
+ if (!dev->new_ctx)
+ return;
+
if (cfg80211_chandef_identical(&chsw->chandef,
&dev->new_ctx->def) &&
chsw->count) {
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index 79cc30a3b29efc..9dc5ee51eb9f96 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -2403,6 +2403,9 @@ static void mt7925_channel_switch_rx_beacon(struct ieee80211_hw *hw,
if (ieee80211_vif_is_mld(vif))
return;
+ if (!dev->new_ctx)
+ return;
+
beacon_interval = vif->bss_conf.beacon_int;
if (cfg80211_chandef_identical(&chsw->chandef,
--
2.53.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 342/518] udf: validate free block extents against the partition length
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 341/518] wifi: mt76: mt7921/mt7925: fix NULL dereference in CSA beacon Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 343/518] udf: validate VAT header length against the VAT inode size Greg Kroah-Hartman
` (179 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 5f0419457f89dce1a3f1c8e62a3adf2f39ab8168 upstream.
udf_free_blocks() checks the logical block number and count against the
partition length, but drops the extent offset from that final bound. A
crafted extent can pass the guard while logicalBlockNum + offset + count
points past the partition, which later indexes past the space bitmap
array.
A single ftruncate(2) on a file backed by such an extent reliably
panics the kernel. This is a local availability issue. On desktop
systems where UDisks/polkit allows the active user to mount removable
UDF media without CAP_SYS_ADMIN, an unprivileged local user can supply
the crafted filesystem and trigger the panic by truncating a writable
file on it. Systems that require root or CAP_SYS_ADMIN to mount the
image have a higher prerequisite.
No confidentiality or integrity impact is claimed: the reproduced
primitive is an out-of-bounds read of a bitmap pointer slot followed by
a kernel panic.
Use the already computed logicalBlockNum + offset + count value for the
partition length check. Also make load_block_bitmap() reject an
out-of-range block group before indexing s_block_bitmap[], so corrupted
callers cannot walk past the flexible array.
Fixes: 56e69e59751d ("udf: prevent integer overflow in udf_bitmap_free_blocks()")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260515142327.1120767-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/udf/balloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -82,8 +82,9 @@ static int load_block_bitmap(struct supe
int nr_groups = bitmap->s_nr_groups;
if (block_group >= nr_groups) {
- udf_debug("block_group (%u) > nr_groups (%d)\n",
+ udf_debug("block_group (%u) >= nr_groups (%d)\n",
block_group, nr_groups);
+ return -EFSCORRUPTED;
}
if (bitmap->s_block_bitmap[block_group]) {
@@ -662,7 +663,7 @@ void udf_free_blocks(struct super_block
if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) ||
check_add_overflow(blk, count, &blk) ||
- bloc->logicalBlockNum + count > map->s_partition_len) {
+ blk > map->s_partition_len) {
udf_debug("Invalid request to free blocks: (%d, %u), off %u, "
"len %u, partition len %u\n",
partition, bloc->logicalBlockNum, offset, count,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 343/518] udf: validate VAT header length against the VAT inode size
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 342/518] udf: validate free block extents against the partition length Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 344/518] udf: validate sparing table length as an entry count, not a byte count Greg Kroah-Hartman
` (178 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Jan Kara
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit d8202786b3d75125c84ebc4de6d946f92fde0ee8 upstream.
udf_load_vat() takes the virtual partition's start offset straight from
the on-disk VAT 2.0 header without checking it against the VAT inode
size:
map->s_type_specific.s_virtual.s_start_offset =
le16_to_cpu(vat20->lengthHeader);
map->s_type_specific.s_virtual.s_num_entries =
(sbi->s_vat_inode->i_size -
map->s_type_specific.s_virtual.s_start_offset) >> 2;
lengthHeader is a fully attacker-controlled 16-bit value. If it exceeds
the VAT inode size, the s_num_entries subtraction underflows to a huge
count, which defeats the "block > s_num_entries" bound in
udf_get_pblock_virt15(); and on the ICB-inline path that function reads
((__le32 *)(iinfo->i_data + s_start_offset))[block]
so a large s_start_offset indexes past the inode's in-ICB data. Mounting
a crafted UDF image with a virtual (VAT) partition then triggers an
out-of-bounds read.
Reject a VAT whose header length does not leave room for at least one
entry within the VAT inode.
Fixes: fa5e08156335 ("udf: Handle VAT packed inside inode properly")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260612-b4-disp-9a2317ee-v1-1-fefef5736154@proton.me
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/udf/super.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1263,6 +1263,14 @@ static int udf_load_vat(struct super_blo
map->s_type_specific.s_virtual.s_start_offset =
le16_to_cpu(vat20->lengthHeader);
+ if (map->s_type_specific.s_virtual.s_start_offset
+ > sbi->s_vat_inode->i_size) {
+ udf_err(sb, "Corrupted VAT header length %u (VAT inode size %lld)\n",
+ map->s_type_specific.s_virtual.s_start_offset,
+ sbi->s_vat_inode->i_size);
+ brelse(bh);
+ return -EFSCORRUPTED;
+ }
map->s_type_specific.s_virtual.s_num_entries =
(sbi->s_vat_inode->i_size -
map->s_type_specific.s_virtual.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 344/518] udf: validate sparing table length as an entry count, not a byte count
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 343/518] udf: validate VAT header length against the VAT inode size Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 345/518] hwrng: jh7110 - fix refcount leak in starfive_trng_read() Greg Kroah-Hartman
` (177 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Jan Kara
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 3ec997bd5508e9b25210b5bbec89031629cdb093 upstream.
udf_load_sparable_map() accepts a sparing table when
sizeof(*st) + le16_to_cpu(st->reallocationTableLen) > sb->s_blocksize
is false, i.e. it treats reallocationTableLen as a number of BYTES that
must fit in the block. But the table is walked as an array of 8-byte
sparingEntry elements:
for (i = 0; i < le16_to_cpu(st->reallocationTableLen); i++) {
struct sparingEntry *entry = &st->mapEntry[i];
... entry->origLocation ...
}
in udf_get_pblock_spar15() and udf_relocate_blocks(). A
reallocationTableLen of N therefore passes the check whenever
sizeof(*st) + N <= blocksize, yet the consumers index
sizeof(*st) + N * sizeof(struct sparingEntry) bytes -- up to ~8x the
block. On a crafted UDF image this is an out-of-bounds read in
udf_get_pblock_spar15(); udf_relocate_blocks() additionally feeds the
same length to udf_update_tag(), whose crc_itu_t() reads far past the
block, and its memmove() through st->mapEntry[] is an out-of-bounds
write.
Validate reallocationTableLen as the entry count it is, with
struct_size().
Fixes: 1df2ae31c724 ("udf: Fortify loading of sparing table")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260612-b4-disp-91780c4e-v1-1-f15112ff6882@proton.me
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/udf/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1426,7 +1426,8 @@ static int udf_load_sparable_map(struct
if (ident != 0 ||
strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
strlen(UDF_ID_SPARING)) ||
- sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
+ struct_size(st, mapEntry,
+ le16_to_cpu(st->reallocationTableLen)) >
sb->s_blocksize) {
brelse(bh);
continue;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 345/518] hwrng: jh7110 - fix refcount leak in starfive_trng_read()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 344/518] udf: validate sparing table length as an entry count, not a byte count Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 346/518] crypto: atmel-sha204a - drop hwrng quality reduction for ATSHA204A Greg Kroah-Hartman
` (176 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 8d13f7a8450206e3f820cdb26e33e91d181071b4 upstream.
The starfive_trng_read() function acquires a runtime PM reference
via pm_runtime_get_sync() but fails to release it on two error
paths. If starfive_trng_wait_idle() or starfive_trng_cmd() returns
an error, the function exits without calling
pm_runtime_put_sync_autosuspend(), leaving the runtime PM usage
counter permanently elevated and preventing the device from entering
runtime suspend.
Refactor the function to use a unified error path that calls
pm_runtime_put_sync_autosuspend() before returning.
Cc: stable@vger.kernel.org
Fixes: c388f458bc34 ("hwrng: starfive - Add TRNG driver for StarFive SoC")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/hw_random/jh7110-trng.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/char/hw_random/jh7110-trng.c
+++ b/drivers/char/hw_random/jh7110-trng.c
@@ -256,19 +256,22 @@ static int starfive_trng_read(struct hwr
if (wait) {
ret = starfive_trng_wait_idle(trng);
- if (ret)
- return -ETIMEDOUT;
+ if (ret) {
+ ret = -ETIMEDOUT;
+ goto out_put;
+ }
}
ret = starfive_trng_cmd(trng, STARFIVE_CTRL_GENE_RANDNUM, wait);
if (ret)
- return ret;
+ goto out_put;
memcpy_fromio(buf, trng->base + STARFIVE_RAND0, max);
+ ret = max;
+out_put:
pm_runtime_put_sync_autosuspend(trng->dev);
-
- return max;
+ return ret;
}
static int starfive_trng_probe(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 346/518] crypto: atmel-sha204a - drop hwrng quality reduction for ATSHA204A
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 345/518] hwrng: jh7110 - fix refcount leak in starfive_trng_read() Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 347/518] crypto: atmel-sha204a - fail on hwrng registration error in probe path Greg Kroah-Hartman
` (175 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Ard Biesheuvel,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit ea5e57cc97185329dcc5ebdcaae7e1500bf0ad0b upstream.
Commit 8006aff15516 ("crypto: atmel-sha204a - Set hwrng quality to
lowest possible") reduced the hwrng quality to 1 based on a review by
Bill Cox [1]. However, despite its title, the review only tested the
ATSHA204, not the ATSHA204A.
In the same thread, Atmel engineer Landon Cox wrote "this behavior has
been eliminated entirely"[2] in the ATSHA204A and "this problem does not
affect the ATECC108 or the ATECC108A (or the ATSHA204A)"[3].
According to the official ATSHA204A datasheet [4], the device contains a
high-quality hardware RNG that combines its output with an internal seed
value stored in EEPROM or SRAM to generate random numbers. The device
also implements all security functions using SHA-256, and the driver
uses the chip's Random command in seed-update mode.
Keep 'quality = 1' for ATSHA204, but drop the explicit hwrng quality
reduction for ATSHA204A and fall back to the hwrng core default.
[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
[2] https://www.metzdowd.com/pipermail/cryptography/2014-December/023852.html
[3] https://www.metzdowd.com/pipermail/cryptography/2014-December/023886.html
[4] https://ww1.microchip.com/downloads/en/DeviceDoc/ATSHA204A-Data-Sheet-40002025A.pdf
Fixes: 8006aff15516 ("crypto: atmel-sha204a - Set hwrng quality to lowest possible")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-sha204a.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -19,6 +19,12 @@
#include <linux/workqueue.h>
#include "atmel-i2c.h"
+/*
+ * According to review by Bill Cox [1], the ATSHA204 has very low entropy.
+ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+ */
+static const unsigned short atsha204_quality = 1;
+
static void atmel_sha204a_rng_done(struct atmel_i2c_work_data *work_data,
void *areq, int status)
{
@@ -158,6 +164,7 @@ static const struct attribute_group atme
static int atmel_sha204a_probe(struct i2c_client *client)
{
struct atmel_i2c_client_priv *i2c_priv;
+ const unsigned short *quality;
int ret;
ret = atmel_i2c_probe(client);
@@ -171,11 +178,9 @@ static int atmel_sha204a_probe(struct i2
i2c_priv->hwrng.name = dev_name(&client->dev);
i2c_priv->hwrng.read = atmel_sha204a_rng_read;
- /*
- * According to review by Bill Cox [1], this HWRNG has very low entropy.
- * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
- */
- i2c_priv->hwrng.quality = 1;
+ quality = i2c_get_match_data(client);
+ if (quality)
+ i2c_priv->hwrng.quality = *quality;
ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
if (ret)
@@ -203,14 +208,14 @@ static void atmel_sha204a_remove(struct
}
static const struct of_device_id atmel_sha204a_dt_ids[] __maybe_unused = {
- { .compatible = "atmel,atsha204", },
+ { .compatible = "atmel,atsha204", .data = &atsha204_quality },
{ .compatible = "atmel,atsha204a", },
{ /* sentinel */ }
};
MODULE_DEVICE_TABLE(of, atmel_sha204a_dt_ids);
static const struct i2c_device_id atmel_sha204a_id[] = {
- { "atsha204" },
+ { "atsha204", (kernel_ulong_t)&atsha204_quality },
{ "atsha204a" },
{ /* sentinel */ }
};
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 347/518] crypto: atmel-sha204a - fail on hwrng registration error in probe path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 346/518] crypto: atmel-sha204a - drop hwrng quality reduction for ATSHA204A Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 348/518] nvme: target: rdma: fix ndev refcount leak on queue connect Greg Kroah-Hartman
` (174 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 49e05bb00f2e8168695f7af4d694c39e1423e8a2 upstream.
Commit 13909a0c8897 ("crypto: atmel-sha204a - provide the otp content")
overwrote the hwrng registration return value when creating the sysfs
group, which allowed atmel_sha204a_probe() to succeed even if
devm_hwrng_register() failed.
Return immediately when devm_hwrng_register() fails, and report both
hwrng and sysfs registration errors with dev_err(). Adjust the sysfs
error log message for consistency.
Fixes: 13909a0c8897 ("crypto: atmel-sha204a - provide the otp content")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-sha204a.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -183,12 +183,14 @@ static int atmel_sha204a_probe(struct i2
i2c_priv->hwrng.quality = *quality;
ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
- if (ret)
- dev_warn(&client->dev, "failed to register RNG (%d)\n", ret);
+ if (ret) {
+ dev_err(&client->dev, "failed to register RNG (%d)\n", ret);
+ return ret;
+ }
ret = sysfs_create_group(&client->dev.kobj, &atmel_sha204a_groups);
if (ret) {
- dev_err(&client->dev, "failed to register sysfs entry\n");
+ dev_err(&client->dev, "failed to create sysfs group (%d)\n", ret);
return ret;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 348/518] nvme: target: rdma: fix ndev refcount leak on queue connect
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 347/518] crypto: atmel-sha204a - fail on hwrng registration error in probe path Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 349/518] block: partitions: fix of_node refcount leak in of_partition() Greg Kroah-Hartman
` (173 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Wentao Liang,
Keith Busch
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit badc53620fe813b3a9f727ef9526f98567c2c898 upstream.
nvmet_rdma_queue_connect() calls nvmet_rdma_find_get_device() which
acquires a reference on the returned ndev via kref_get(). On the path
where the host queue backlog is exceeded and the function returns
NVME_SC_CONNECT_CTRL_BUSY, reference of ndev is not released, leaking
the kref.
Fix this by adding a goto to the existing put_device label before the
early return.
Fixes: 31deaeb11ba7 ("nvmet-rdma: avoid circular locking dependency on install_queue()")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/rdma.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -1598,8 +1598,10 @@ static int nvmet_rdma_queue_connect(stru
pending++;
}
mutex_unlock(&nvmet_rdma_queue_mutex);
- if (pending > NVMET_RDMA_BACKLOG)
- return NVME_SC_CONNECT_CTRL_BUSY;
+ if (pending > NVMET_RDMA_BACKLOG) {
+ ret = NVME_SC_CONNECT_CTRL_BUSY;
+ goto put_device;
+ }
}
ret = nvmet_rdma_cm_accept(cm_id, queue, &event->param.conn);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 349/518] block: partitions: fix of_node refcount leak in of_partition()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 348/518] nvme: target: rdma: fix ndev refcount leak on queue connect Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 350/518] dm-ioctl: report an error if a device has no table Greg Kroah-Hartman
` (172 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Md Haris Iqbal,
Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 148cd4873115feb266c002d4d4618ea7f14342d9 upstream.
of_partition() calls of_node_get() on the parent device node at the
beginning of the function, storing the reference in 'partitions_np'.
This reference is leaked in two paths:
1. The compatibility check at the top of the function returns 0
without releasing partitions_np when the node exists but is not
"fixed-partitions" compatible.
2. The function returns 1 at the end after successfully processing
all partitions without releasing partitions_np.
Fix both leaks by adding of_node_put(partitions_np) on each path.
Fixes: 2e3a191e89f9 ("block: add support for partition table defined in OF")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
Link: https://patch.msgid.link/20260526102124.2283846-1-vulab@iscas.ac.cn
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/partitions/of.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/block/partitions/of.c
+++ b/block/partitions/of.c
@@ -74,8 +74,10 @@ int of_partition(struct parsed_partition
struct device_node *partitions_np = of_node_get(ddev->of_node);
if (!partitions_np ||
- !of_device_is_compatible(partitions_np, "fixed-partitions"))
+ !of_device_is_compatible(partitions_np, "fixed-partitions")) {
+ of_node_put(partitions_np);
return 0;
+ }
slot = 1;
/* Validate parition offset and size */
@@ -104,5 +106,6 @@ int of_partition(struct parsed_partition
seq_buf_puts(&state->pp_buf, "\n");
+ of_node_put(partitions_np);
return 1;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 350/518] dm-ioctl: report an error if a device has no table
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 349/518] block: partitions: fix of_node refcount leak in of_partition() Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 351/518] nvme-multipath: set BIO_REMAPPED on bios remapped to per-path namespace disks Greg Kroah-Hartman
` (171 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Benjamin Marzinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 457e32348d606a77f9b20e25e989734189834c07 upstream.
When we send a message to a device that has no table, the return code was
not set. The code would return "2", which is not considered a valid return value.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ioctl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1816,8 +1816,11 @@ static int target_message(struct file *f
goto out_argv;
table = dm_get_live_table(md, &srcu_idx);
- if (!table)
+ if (!table) {
+ DMERR("The device has no table.");
+ r = -EINVAL;
goto out_table;
+ }
if (dm_deleting_md(md)) {
r = -ENXIO;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 351/518] nvme-multipath: set BIO_REMAPPED on bios remapped to per-path namespace disks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 350/518] dm-ioctl: report an error if a device has no table Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 352/518] nvmet: fix pre-auth out-of-bounds heap read in Discovery Get Log Page Greg Kroah-Hartman
` (170 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Igor Achkinazi,
Keith Busch
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Achkinazi, Igor <Igor.Achkinazi@dell.com>
commit 88bac2c1a72b8f4f71e9845699aa872df04e5850 upstream.
When nvme_ns_head_submit_bio() remaps a bio from the multipath head to a
per-path namespace, bio_set_dev() clears BIO_REMAPPED. The remapped bio
is then resubmitted through submit_bio_noacct() which calls
bio_check_eod() because BIO_REMAPPED is not set.
This races with nvme_ns_remove() which zeroes the per-path capacity
before synchronize_srcu():
CPU 0 (IO submission)
---------------------
srcu_read_lock()
nvme_find_path() -> ns
[NVME_NS_READY is set]
CPU 1 (namespace removal)
-------------------------
clear_bit(NVME_NS_READY)
set_capacity(ns->disk, 0)
synchronize_srcu() <- blocks
CPU 0 (IO submission)
---------------------
bio_set_dev(bio, ns->disk->part0)
[clears BIO_REMAPPED]
submit_bio_noacct(bio)
-> bio_check_eod() sees capacity=0
-> bio fails with IO error
The SRCU read lock prevents synchronize_srcu() from completing, but does
not prevent set_capacity(0) from executing. The bio fails the EOD check
before it reaches the NVMe driver, so nvme_failover_req() never gets a
chance to redirect it to another path of multipath. IO errors are
reported to the application despite another path being available.
On older kernels (before commit 0b64682e78f7 "block: skip unnecessary
checks for split bio"), the same race was also reachable through split
remainders resubmitted via submit_bio_noacct().
Fix this by setting BIO_REMAPPED after bio_set_dev() in
nvme_ns_head_submit_bio(). This skips bio_check_eod() on the per-path
device; the EOD check already passed on the multipath head.
NVMe per-path namespace devices are always whole disks (bd_partno=0), so
the blk_partition_remap() skip also gated by BIO_REMAPPED is a no-op.
The flag does not persist across failover and cannot go stale if the
namespace geometry changes between attempts: nvme_failover_req() calls
bio_set_dev() to redirect the bio back to the multipath head, which
clears BIO_REMAPPED. When nvme_requeue_work() resubmits through
submit_bio_noacct(), bio_check_eod() runs normally against the current
capacity.
Same approach as commit 3a905c37c351 ("block: skip bio_check_eod for
partition-remapped bios").
Fixes: a7c7f7b2b641 ("nvme: use bio_set_dev to assign ->bi_bdev")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Igor Achkinazi <igor.achkinazi@dell.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/multipath.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -511,6 +511,12 @@ static void nvme_ns_head_submit_bio(stru
ns = nvme_find_path(head);
if (likely(ns)) {
bio_set_dev(bio, ns->disk->part0);
+ /*
+ * Use BIO_REMAPPED to skip bio_check_eod() when this bio
+ * enters submit_bio_noacct() for the per-path device. The EOD
+ * check already passed on the multipath head.
+ */
+ bio_set_flag(bio, BIO_REMAPPED);
bio->bi_opf |= REQ_NVME_MPATH;
trace_block_bio_remap(bio, disk_devt(ns->head->disk),
bio->bi_iter.bi_sector);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 352/518] nvmet: fix pre-auth out-of-bounds heap read in Discovery Get Log Page
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 351/518] nvme-multipath: set BIO_REMAPPED on bios remapped to per-path namespace disks Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 353/518] btrfs: fix false IO failure after falling back to buffered write Greg Kroah-Hartman
` (169 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaitanya Kulkarni,
Christoph Hellwig, Bryam Vargas, Keith Busch
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 53cd102a7a56079b11b897835bd9b94c14e6322c upstream.
nvmet_execute_disc_get_log_page() validates only the dword alignment
of the host-supplied Log Page Offset (lpo). The 64-bit offset is then
added to a small kzalloc'd buffer that holds the discovery log page
and the result is passed straight to nvmet_copy_to_sgl(), which
memcpy()s data_len bytes out to the host with no source-side bound
check:
u64 offset = nvmet_get_log_page_offset(req->cmd); /* 64-bit host */
size_t data_len = nvmet_get_log_page_len(req->cmd); /* 32-bit host */
...
if (offset & 0x3) { ... } /* only check */
...
alloc_len = sizeof(*hdr) + entry_size * discovery_log_entries(req);
buffer = kzalloc(alloc_len, GFP_KERNEL);
...
status = nvmet_copy_to_sgl(req, 0, buffer + offset, data_len);
The Discovery controller is unauthenticated -- nvmet_host_allowed()
returns true unconditionally for the discovery subsystem -- so the call
is reachable pre-authentication by any TCP/RDMA/FC peer that can reach
the nvmet target. With a discovery log page of ~1 KiB, an attacker
requesting up to 4 KiB starting at offset == alloc_len reads the next
slab page out and gets its content returned over the fabric (an
empirical run on a default nvmet-tcp loopback target leaked 81
canonical kernel pointers in one Get Log Page response). Pointing the
offset at unmapped kernel memory faults the in-kernel memcpy and
crashes (or panics, on panic_on_oops=1) the target host instead.
The attacker-controlled source-side offset pattern
"nvmet_copy_to_sgl(req, 0, buffer + ATTACKER_OFFSET, ...)" is unique
to nvmet_execute_disc_get_log_page in the entire nvmet codebase: every
other Get Log Page handler in admin-cmd.c either ignores lpo (and
silently starts every response at offset 0) or tracks a local
destination offset with a fixed source pointer.
Validate the host-supplied offset against the log page size, cap the
copy length to what is actually available, and zero-fill any remainder
of the host transfer buffer. The zero-fill matches the existing
short-response pattern in nvmet_execute_get_log_changed_ns()
(admin-cmd.c) and prevents leaking transport SGL contents when the
host asks for more bytes than the log page contains.
Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
Cc: stable@vger.kernel.org
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/discovery.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
--- a/drivers/nvme/target/discovery.c
+++ b/drivers/nvme/target/discovery.c
@@ -166,6 +166,7 @@ static void nvmet_execute_disc_get_log_p
u64 offset = nvmet_get_log_page_offset(req->cmd);
size_t data_len = nvmet_get_log_page_len(req->cmd);
size_t alloc_len;
+ size_t copy_len;
struct nvmet_subsys_link *p;
struct nvmet_port *r;
u32 numrec = 0;
@@ -242,7 +243,27 @@ static void nvmet_execute_disc_get_log_p
up_read(&nvmet_config_sem);
- status = nvmet_copy_to_sgl(req, 0, buffer + offset, data_len);
+ /*
+ * Validate the host-supplied log page offset before copying out.
+ * Without this check, the host controls a 64-bit byte offset into
+ * a small kzalloc'd buffer: a value past the log page lets the
+ * subsequent memcpy read adjacent kernel heap, and a value aimed
+ * at unmapped kernel memory faults the in-kernel copy and crashes
+ * the target host. The Discovery controller is unauthenticated,
+ * so the bug is reachable from any reachable fabric peer.
+ */
+ if (offset > alloc_len) {
+ req->error_loc =
+ offsetof(struct nvme_get_log_page_command, lpo);
+ status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
+ goto out_free_buffer;
+ }
+
+ copy_len = min_t(size_t, data_len, alloc_len - offset);
+ status = nvmet_copy_to_sgl(req, 0, buffer + offset, copy_len);
+ if (!status && copy_len < data_len)
+ status = nvmet_zero_sgl(req, copy_len, data_len - copy_len);
+out_free_buffer:
kfree(buffer);
out:
nvmet_req_complete(req, status);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 353/518] btrfs: fix false IO failure after falling back to buffered write
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 352/518] nvmet: fix pre-auth out-of-bounds heap read in Discovery Get Log Page Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 354/518] nvmet-auth: validate reply message payload bounds against transfer length Greg Kroah-Hartman
` (168 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
David Sterba
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 66ff4d366e7eb4d31813d2acabf3af512ce03aa5 upstream.
[BUG]
The test case generic/362 will fail with "nodatasum" mount option (*):
MOUNT_OPTIONS -- -o nodatasum /dev/mapper/test-scratch1 /mnt/scratch
# generic/362 0s ... - output mismatch (see /home/adam/xfstests/results//generic/362.out.bad)
# --- tests/generic/362.out 2024-08-24 15:31:37.200000000 +0930
# +++ /home/adam/xfstests/results//generic/362.out.bad 2026-05-27 10:21:17.574771567 +0930
# @@ -1,2 +1,3 @@
# QA output created by 362
# +First write failed: Input/output error
# Silence is golden
# ...
*: If the test case has been executed before with default data checksum,
the failure will not reproduce. Need the following fix to make it
reliably reproducible:
https://lore.kernel.org/linux-btrfs/20260528111659.87113-1-wqu@suse.com/
[CAUSE]
Inside __iomap_dio_rw(), the -EFAULT/-ENOTBLK error is not directly returned.
Thus we never got an error pointer from __iomap_dio_rw().
The call chain looks like this:
btrfs_direct_write()
|- btrfs_dio_write()
|- __iomap_dio_rw()
| |- iomap_iter()
| | |- btrfs_dio_iomap_begin()
| | Now an ordered extent is allocated for the 4K write.
| |
| |- iomi.status = iomap_dio_iter()
| | Where iomap_dio_iter() returned -EFAULT.
| |
| |- ret = iomap_iter()
| | |- btrfs_dio_iomap_end()
| | | |- btrfs_finish_ordered_extent(uptodate = false)
| | | | |- can_finish_ordered_extent()
| | | | |- btrfs_mark_ordered_extent_error()
| | | | |- mapping_set_error()
| | | | Now the address space is marked error.
| | | | return -ENOTBLK
| | |- return -ENOTBLK
| |- if (ret == -ENOTBLK) { ret = 0; }
| Now the return value is reset to 0.
| Thus no error pointer will be returned.
|
|- ret = iomap_dio_complete()
| Since no byte is submitted, @ret is 0.
|
|- Fallback to buffered IO
| And the buffered write finished without error
|
|- filemap_fdatawait_range()
|- filemap_check_errors()
The previous error is recorded, thus an error is returned
However the buffered write is properly submitted and finished, the error
is from the btrfs_finish_ordered_extent() call with @uptodate = false.
[FIX]
When a short dio write happened, any range that is submitted will have
btrfs_extract_ordered_extent() to be called, thus the submitted range
will always have an OE just covering the submitted range.
The remaining OE range is never submitted, thus they should be treated
as truncated, not an error. So that we can properly reclaim and not
insert an unnecessary file extent item, without marking the mapping as
error.
Extract a helper, btrfs_mark_ordered_extent_truncated(), and utilize
that helper to mark the direct IO ordered extent as truncated, so it
won't cause failure for the later buffered fallback.
[REASON FOR NO FIXES TAG]
The bug itself is pretty old, at commit f85781fb505e ("btrfs: switch to
iomap for direct IO") we're already passing @uptodate=false finishing
the OE.
But at that time OE with IOERR won't call mapping_set_error(), so it's
not exposed.
Later commit d61bec08b904 ("btrfs: mark ordered extent and inode with
error if we fail to finish") finally exposed the bug, but that commit
is doing a correct job, not the root cause.
Anyway the bug is very old, dating back to 5.1x days, thus only CC to
stable.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/direct-io.c | 17 ++++++++++++++---
fs/btrfs/inode.c | 6 +-----
fs/btrfs/ordered-data.c | 12 ++++++++++++
fs/btrfs/ordered-data.h | 2 ++
4 files changed, 29 insertions(+), 8 deletions(-)
--- a/fs/btrfs/direct-io.c
+++ b/fs/btrfs/direct-io.c
@@ -624,12 +624,23 @@ static int btrfs_dio_iomap_end(struct in
if (submitted < length) {
pos += submitted;
length -= submitted;
- if (write)
+ if (write) {
+ /*
+ * We have a short write, if there is any range
+ * that is submitted properly, that part will have
+ * its own OE split from the original one.
+ *
+ * So for the OE at dio_data->ordered, it's the part
+ * that is not submitted, and should be marked
+ * as fully truncated.
+ */
+ btrfs_mark_ordered_extent_truncated(dio_data->ordered, 0);
btrfs_finish_ordered_extent(dio_data->ordered,
- pos, length, false);
- else
+ pos, length, true);
+ } else {
btrfs_unlock_dio_extent(&BTRFS_I(inode)->io_tree, pos,
pos + length - 1, NULL);
+ }
ret = -ENOTBLK;
}
if (write) {
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -7776,11 +7776,7 @@ static void btrfs_invalidate_folio(struc
EXTENT_LOCKED | EXTENT_DO_ACCOUNTING |
EXTENT_DEFRAG, &cached_state);
- spin_lock(&inode->ordered_tree_lock);
- set_bit(BTRFS_ORDERED_TRUNCATED, &ordered->flags);
- ordered->truncated_len = min(ordered->truncated_len,
- cur - ordered->file_offset);
- spin_unlock(&inode->ordered_tree_lock);
+ btrfs_mark_ordered_extent_truncated(ordered, cur - ordered->file_offset);
/*
* If the ordered extent has finished, we're safe to delete all
--- a/fs/btrfs/ordered-data.c
+++ b/fs/btrfs/ordered-data.c
@@ -357,6 +357,18 @@ void btrfs_mark_ordered_extent_error(str
mapping_set_error(ordered->inode->vfs_inode.i_mapping, -EIO);
}
+void btrfs_mark_ordered_extent_truncated(struct btrfs_ordered_extent *ordered,
+ u64 truncate_len)
+{
+ struct btrfs_inode *inode = ordered->inode;
+
+ ASSERT(truncate_len <= ordered->num_bytes);
+ spin_lock(&inode->ordered_tree_lock);
+ set_bit(BTRFS_ORDERED_TRUNCATED, &ordered->flags);
+ ordered->truncated_len = min(ordered->truncated_len, truncate_len);
+ spin_unlock(&inode->ordered_tree_lock);
+}
+
static void finish_ordered_fn(struct btrfs_work *work)
{
struct btrfs_ordered_extent *ordered_extent;
--- a/fs/btrfs/ordered-data.h
+++ b/fs/btrfs/ordered-data.h
@@ -226,6 +226,8 @@ bool btrfs_try_lock_ordered_range(struct
struct btrfs_ordered_extent *btrfs_split_ordered_extent(
struct btrfs_ordered_extent *ordered, u64 len);
void btrfs_mark_ordered_extent_error(struct btrfs_ordered_extent *ordered);
+void btrfs_mark_ordered_extent_truncated(struct btrfs_ordered_extent *ordered,
+ u64 truncate_len);
int __init ordered_data_init(void);
void __cold ordered_data_exit(void);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 354/518] nvmet-auth: validate reply message payload bounds against transfer length
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 353/518] btrfs: fix false IO failure after falling back to buffered write Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 355/518] btrfs: check and set EXTENT_DELALLOC_NEW before clearing EXTENT_DELALLOC Greg Kroah-Hartman
` (167 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Tianchu Chen,
Keith Busch
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen <flynnnchen@tencent.com>
commit 3a413ece2504c70aa34a20be4dafec04e8c741f9 upstream.
nvmet_auth_reply() accesses the variable-length rval[] array using
attacker-controlled hl (hash length) and dhvlen (DH value length) fields
without verifying they fit within the allocated buffer of tl bytes.
A malicious NVMe-oF initiator can craft a DHCHAP_REPLY message with a
small transfer length but large hl/dhvlen values, causing out-of-bounds
heap reads when the target processes the DH public key (rval + 2*hl) or
performs the host response memcmp.
With DH authentication configured, the OOB pointer is passed directly to
sg_init_one() and read by crypto_kpp_compute_shared_secret(), reaching
up to 526 bytes past the buffer. This is exploitable pre-authentication.
Add bounds validation ensuring sizeof(*data) + 2*hl + dhvlen <= tl before
any access to the variable-length fields.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
Cc: stable@vger.kernel.org
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/fabrics-cmd-auth.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -132,13 +132,22 @@ static u8 nvmet_auth_negotiate(struct nv
return 0;
}
-static u8 nvmet_auth_reply(struct nvmet_req *req, void *d)
+static u8 nvmet_auth_reply(struct nvmet_req *req, void *d, u32 tl)
{
struct nvmet_ctrl *ctrl = req->sq->ctrl;
struct nvmf_auth_dhchap_reply_data *data = d;
- u16 dhvlen = le16_to_cpu(data->dhvlen);
+ u16 dhvlen;
u8 *response;
+ if (tl < sizeof(*data))
+ return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
+
+ dhvlen = le16_to_cpu(data->dhvlen);
+
+ /* Validate that hl and dhvlen fit within the transfer length */
+ if (sizeof(*data) + 2 * (size_t)data->hl + dhvlen > tl)
+ return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
+
pr_debug("%s: ctrl %d qid %d: data hl %d cvalid %d dhvlen %u\n",
__func__, ctrl->cntlid, req->sq->qid,
data->hl, data->cvalid, dhvlen);
@@ -338,7 +347,7 @@ void nvmet_execute_auth_send(struct nvme
switch (data->auth_id) {
case NVME_AUTH_DHCHAP_MESSAGE_REPLY:
- dhchap_status = nvmet_auth_reply(req, d);
+ dhchap_status = nvmet_auth_reply(req, d, tl);
if (dhchap_status == 0)
req->sq->dhchap_step =
NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 355/518] btrfs: check and set EXTENT_DELALLOC_NEW before clearing EXTENT_DELALLOC
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 354/518] nvmet-auth: validate reply message payload bounds against transfer length Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 356/518] btrfs: do not trim a device which is not writeable Greg Kroah-Hartman
` (166 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 95ee2231896d5f2a31760411429075a99d6045a7 upstream.
[WARNING]
When running test cases with injected errors or shutdown, e.g.
generic/388 or generic/475, there is a chance that the following kernel
warning is triggered:
BTRFS info (device dm-2): first mount of filesystem d8a19a28-3232-4809-b0df-38df83e71bff
BTRFS info (device dm-2): using crc32c checksum algorithm
BTRFS info (device dm-2): checking UUID tree
BTRFS info (device dm-2): turning on async discard
BTRFS info (device dm-2): enabling free space tree
BTRFS critical (device dm-2 state E): emergency shutdown
------------[ cut here ]------------
WARNING: extent_io.c:1742 at extent_writepage_io+0x437/0x520 [btrfs], CPU#2: kworker/u43:2/651591
CPU: 2 UID: 0 PID: 651591 Comm: kworker/u43:2 Tainted: G W OE 7.0.0-rc6-custom+ #365 PREEMPT(full) 5804053f02137e627472d94b5128cc9fcb110e88
RIP: 0010:extent_writepage_io+0x437/0x520 [btrfs]
Call Trace:
<TASK>
extent_write_cache_pages+0x2a5/0x820 [btrfs 70299925d0856939e93b17d480651713b3cbba58]
btrfs_writepages+0x74/0x130 [btrfs 70299925d0856939e93b17d480651713b3cbba58]
do_writepages+0xd0/0x160
__writeback_single_inode+0x42/0x340
writeback_sb_inodes+0x22d/0x580
wb_writeback+0xc6/0x360
wb_workfn+0xbd/0x470
process_one_work+0x198/0x3b0
worker_thread+0x1c8/0x330
kthread+0xee/0x120
ret_from_fork+0x2a6/0x330
ret_from_fork_asm+0x11/0x20
</TASK>
---[ end trace 0000000000000000 ]---
BTRFS error (device dm-2 state E): root 5 ino 259 folio 1323008 is marked dirty without notifying the fs
BTRFS error (device dm-2 state E): failed to submit blocks, root=5 inode=259 folio=1323008 submit_bitmap=0: -117
BTRFS info (device dm-2 state E): last unmount of filesystem d8a19a28-3232-4809-b0df-38df83e71bff
[CAUSE]
Inside btrfs we have the following pattern in several locations, for
example inside btrfs_dirty_folio():
btrfs_clear_extent_bit(&inode->io_tree, start_pos, end_of_last_block,
EXTENT_DELALLOC | EXTENT_DO_ACCOUNTING | EXTENT_DEFRAG,
cached);
ret = btrfs_set_extent_delalloc(inode, start_pos, end_of_last_block,
extra_bits, cached);
if (ret)
return ret;
However btrfs_set_extent_delalloc() can return IO errors other than -ENOMEM
through the following callchain:
btrfs_set_extent_delalloc()
\- btrfs_find_new_delalloc_bytes()
\- btrfs_get_extent()
\- btrfs_lookup_file_extent()
\- btrfs_search_slot()
When such IO error happened, the previous btrfs_clear_extent_bit() has
cleared the EXTENT_DELALLOC for the range, and we're expecting
btrfs_set_extent_delalloc() to re-set EXTENT_DELALLOC.
But since btrfs_set_extent_delalloc() failed before
btrfs_set_extent_bit(), EXTENT_DELALLOC flag is no longer present.
And if the folio range is dirty before entering
btrfs_set_extent_delalloc(), we got a dirty folio but no EXTENT_DELALLOC
flag now.
Then we hit the folio writeback:
extent_writepage()
|- writepage_delalloc()
| No ordered extent is created, as there is no EXTENT_DELALLOC set
| for the folio range.
| This also means the folio has no ordered flag set.
|
|- extent_writepage_io()
\- if (unlikely(!folio_test_ordered(folio))
Now we hit the warning.
[FIX]
Introduce a new helper, btrfs_reset_extent_delalloc() to replace the
currently open-coded btrfs_clear_extent_bit() +
btrfs_set_extent_delalloc() combination.
Instead of calling btrfs_clear_extent_bit() first, update
EXTENT_DELALLOC_NEW first, as that part can fail due to metadata IO,
meanwhile btrfs_clear_extent_bit() and btrfs_set_extent_bit() won't
return any error but retry memory allocation until succeeded.
This allows us to fail early without clearing EXTENT_DELALLOC bit, so
even if that new btrfs_reset_extent_delalloc() failed before touching
EXTENT_DELALLOC, the existing dirty range will still have their old
EXTENT_DELALLOC flag present, thus avoid the warning.
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/btrfs_inode.h | 2 +
fs/btrfs/file.c | 25 ++------------------
fs/btrfs/inode.c | 61 +++++++++++++++++++++++++++++++++++++++++++------
fs/btrfs/reflink.c | 4 ---
4 files changed, 60 insertions(+), 32 deletions(-)
--- a/fs/btrfs/btrfs_inode.h
+++ b/fs/btrfs/btrfs_inode.h
@@ -569,6 +569,8 @@ int btrfs_start_delalloc_roots(struct bt
int btrfs_set_extent_delalloc(struct btrfs_inode *inode, u64 start, u64 end,
unsigned int extra_bits,
struct extent_state **cached_state);
+int btrfs_reset_extent_delalloc(struct btrfs_inode *inode, u64 start, u64 end,
+ unsigned int extra_bits, struct extent_state **cached_state);
struct btrfs_new_inode_args {
/* Input */
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -93,16 +93,8 @@ int btrfs_dirty_folio(struct btrfs_inode
end_of_last_block = start_pos + num_bytes - 1;
- /*
- * The pages may have already been dirty, clear out old accounting so
- * we can set things up properly
- */
- btrfs_clear_extent_bit(&inode->io_tree, start_pos, end_of_last_block,
- EXTENT_DELALLOC | EXTENT_DO_ACCOUNTING | EXTENT_DEFRAG,
- cached);
-
- ret = btrfs_set_extent_delalloc(inode, start_pos, end_of_last_block,
- extra_bits, cached);
+ ret = btrfs_reset_extent_delalloc(inode, start_pos, end_of_last_block,
+ extra_bits, cached);
if (ret)
return ret;
@@ -1966,18 +1958,7 @@ again:
}
}
- /*
- * page_mkwrite gets called when the page is firstly dirtied after it's
- * faulted in, but write(2) could also dirty a page and set delalloc
- * bits, thus in this case for space account reason, we still need to
- * clear any delalloc bits within this page range since we have to
- * reserve data&meta space before lock_page() (see above comments).
- */
- btrfs_clear_extent_bit(io_tree, page_start, end,
- EXTENT_DELALLOC | EXTENT_DO_ACCOUNTING |
- EXTENT_DEFRAG, &cached_state);
-
- ret = btrfs_set_extent_delalloc(inode, page_start, end, 0, &cached_state);
+ ret = btrfs_reset_extent_delalloc(inode, page_start, end, 0, &cached_state);
if (ret < 0) {
btrfs_unlock_extent(io_tree, page_start, page_end, &cached_state);
goto out_unlock;
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -2810,7 +2810,13 @@ int btrfs_set_extent_delalloc(struct btr
unsigned int extra_bits,
struct extent_state **cached_state)
{
- WARN_ON(PAGE_ALIGNED(end));
+ const u32 blocksize = inode->root->fs_info->sectorsize;
+
+ /* Basic alignment check. */
+ ASSERT(IS_ALIGNED(start, blocksize), "start=%llu blocksize=%u",
+ start, blocksize);
+ ASSERT(IS_ALIGNED(end + 1, blocksize), "inclusive end=%llu blocksize=%u",
+ end, blocksize);
if (start >= i_size_read(&inode->vfs_inode) &&
!(inode->flags & BTRFS_INODE_PREALLOC)) {
@@ -3035,6 +3041,52 @@ int btrfs_writepage_cow_fixup(struct fol
return -EAGAIN;
}
+/*
+ * Clear the old accounting flags and set EXTENT_DELALLOC for the range.
+ *
+ * Return <0 for error, in that case no range has EXTENT_DELALLOC bit cleared or set.
+ */
+int btrfs_reset_extent_delalloc(struct btrfs_inode *inode, u64 start, u64 end,
+ unsigned int extra_bits, struct extent_state **cached_state)
+{
+ const u32 blocksize = inode->root->fs_info->sectorsize;
+
+ /* The @extra_bits can only be EXTENT_NORESERVE for now. */
+ ASSERT(!(extra_bits & ~EXTENT_NORESERVE), "extra_bits=0x%x", extra_bits);
+
+ /* Basic alignment check. */
+ ASSERT(IS_ALIGNED(start, blocksize), "start=%llu blocksize=%u",
+ start, blocksize);
+ ASSERT(IS_ALIGNED(end + 1, blocksize), "inclusive end=%llu blocksize=%u",
+ end, blocksize);
+
+ /*
+ * Check and set DELALLOC_NEW flag, this needs to search tree thus can
+ * fail early. Thus we want to do this before clearing EXTENT_DELALLOC.
+ */
+ if (start >= i_size_read(&inode->vfs_inode) &&
+ !(inode->flags & BTRFS_INODE_PREALLOC)) {
+ /*
+ * There can't be any extents following EOF in this case so just
+ * set the delalloc new bit for the range directly.
+ */
+ extra_bits |= EXTENT_DELALLOC_NEW;
+ } else {
+ int ret;
+
+ ret = btrfs_find_new_delalloc_bytes(inode, start, end + 1 - start,
+ NULL);
+ if (unlikely(ret))
+ return ret;
+ }
+ /* Clear the old accounting as the range may already be dirty. */
+ btrfs_clear_extent_bit(&inode->io_tree, start, end,
+ EXTENT_DELALLOC | EXTENT_DO_ACCOUNTING |
+ EXTENT_DEFRAG, cached_state);
+ return btrfs_set_extent_bit(&inode->io_tree, start, end,
+ EXTENT_DELALLOC | extra_bits, cached_state);
+}
+
static int insert_reserved_file_extent(struct btrfs_trans_handle *trans,
struct btrfs_inode *inode, u64 file_pos,
struct btrfs_file_extent_item *stack_fi,
@@ -5181,12 +5233,7 @@ again:
goto again;
}
- btrfs_clear_extent_bit(&inode->io_tree, block_start, block_end,
- EXTENT_DELALLOC | EXTENT_DO_ACCOUNTING | EXTENT_DEFRAG,
- &cached_state);
-
- ret = btrfs_set_extent_delalloc(inode, block_start, block_end, 0,
- &cached_state);
+ ret = btrfs_reset_extent_delalloc(inode, block_start, block_end, 0, &cached_state);
if (ret) {
btrfs_unlock_extent(io_tree, block_start, block_end, &cached_state);
goto out_unlock;
--- a/fs/btrfs/reflink.c
+++ b/fs/btrfs/reflink.c
@@ -94,9 +94,7 @@ static int copy_inline_to_page(struct bt
if (ret < 0)
goto out_unlock;
- btrfs_clear_extent_bit(&inode->io_tree, file_offset, range_end,
- EXTENT_DELALLOC | EXTENT_DO_ACCOUNTING | EXTENT_DEFRAG, NULL);
- ret = btrfs_set_extent_delalloc(inode, file_offset, range_end, 0, NULL);
+ ret = btrfs_reset_extent_delalloc(inode, file_offset, range_end, 0, NULL);
if (ret)
goto out_unlock;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 356/518] btrfs: do not trim a device which is not writeable
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 355/518] btrfs: check and set EXTENT_DELALLOC_NEW before clearing EXTENT_DELALLOC Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 357/518] partitions: aix: bound the pp_count scan to the ppe array Greg Kroah-Hartman
` (165 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Yue, Filipe Manana, Qu Wenruo,
David Sterba
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 1b1937eb08f51319bf71575484cde2b8c517aedc upstream.
[BUG]
There is a bug report that btrfs/242 can randomly fail with the
following NULL pointer dereference:
run fstests btrfs/242 at 2026-06-01 10:25:08
BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609)
BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
BTRFS info (device sdc): using crc32c checksum algorithm
BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
BTRFS info (device sdc): allowing degraded mounts
BTRFS info (device sdc): turning on async discard
BTRFS info (device sdc): enabling free space tree
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000
CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
lr : btrfs_trim_fs+0x1f0/0xa00 [btrfs]
Call trace:
btrfs_trim_fs+0x34c/0xa00 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] (P)
btrfs_ioctl_fitrim+0xe8/0x178 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
btrfs_ioctl+0xdd4/0x2bd8 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
__arm64_sys_ioctl+0xac/0x108
invoke_syscall.constprop.0+0x5c/0xd0
el0_svc_common.constprop.0+0x40/0xf0
do_el0_svc+0x24/0x40
el0_svc+0x40/0x1d0
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1b0/0x1b8
Code: 17ffff83 f94017e0 f9002be0 f9402ea0 (f9400c00)
---[ end trace 0000000000000000 ]---
Also the reporter is very kind to test the following ASSERT() added to
btrfs_trim_free_extents_throttle():
ASSERT(device->bdev,
"devid=%llu path=%s dev_state=0x%lx\n",
device->devid, btrfs_dev_name(device), device->dev_state);
And it shows the following output:
assertion failed: device->bdev, in extent-tree.c:6630 (devid=2 path=/dev/sdd dev_state=0x82)
Which means the device->bdev is NULL, and the dev_state is
BTRFS_DEV_STATE_IN_FS_METADATA | BTRFS_DEV_STATE_ITEM_FOUND, without
BTRFS_DEV_STATE_WRITEABLE flag set.
[CAUSE]
The pc points to the following call chain:
btrfs_trim_fs()
|- btrfs_trim_free_extents()
|- btrfs_trim_free_extents_throttle()
|- bdev_max_discard_sectors(device->bdev)
So the NULL pointer dereference is caused by device->bdev being NULL.
This looks impossible by a quick glance, as just before calling
btrfs_trim_free_extents_throttle(), we have skipped any device that has
BTRFS_DEV_STATE_MISSING flag set.
However in this particular case, there is a window where the missing
device is later re-scanned, causing btrfs to remove the
BTRFS_DEV_STATE_MISSING flag:
btrfs_control_ioctl()
|- btrfs_scan_one_device()
|- device_list_add()
|- rcu_assign_pointer(device->name, name);
| This updates the missing device's path to the new good path.
|
|- clear_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)
This removes the BTRFS_DEV_STATE_MISSING flag.
This allows the missing device to re-appear and clear the
BTRFS_DEV_STATE_MISSING flag. However the device still does not have
the BTRFS_DEV_STATE_WRITEABLE flag set, nor is its bdev pointer updated.
The bdev pointer remains NULL, triggering the crash later.
[FIX]
This is a big de-synchronization between BTRFS_DEV_STATE_MISSING and
device->bdev pointer, and shows a gap in btrfs's re-appearing-device
handling.
The proper handling of re-appearing device will need quite some extra
work, which is out of the context of this small fix.
Thankfully the regular bbio submission path has already handled it well
by checking if the device->bdev is NULL before submitting.
So here we just fix the crash by checking if the device is writeable and
has a bdev pointer before calling bdev_max_discard_sectors().
Reported-by: Su Yue <glass.su@suse.com>
Link: https://lore.kernel.org/linux-btrfs/wlwir19t.fsf@damenly.org/
Fixes: 499f377f49f0 ("btrfs: iterate over unused chunk space in FITRIM")
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent-tree.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -6613,12 +6613,16 @@ static int btrfs_trim_free_extents_throt
*trimmed = 0;
- /* Discard not supported = nothing to do. */
- if (!bdev_max_discard_sectors(device->bdev))
+ /*
+ * The caller only filters out MISSING devices, but a device that was
+ * missing at mount and later rescanned has MISSING cleared while bdev
+ * is still NULL and WRITEABLE is still unset. Skip those here.
+ */
+ if (!test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state) || !device->bdev)
return 0;
- /* Not writable = nothing to do. */
- if (!test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state))
+ /* Discard not supported = nothing to do. */
+ if (!bdev_max_discard_sectors(device->bdev))
return 0;
/* No free space = nothing to do. */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 357/518] partitions: aix: bound the pp_count scan to the ppe array
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 356/518] btrfs: do not trim a device which is not writeable Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 358/518] btrfs: fix incorrect buffered IO fallback for append direct writes Greg Kroah-Hartman
` (164 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Philippe De Muyter,
Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 2dc0bfd2fe355fb930de63c2f2eb8ced8570c579 upstream.
aix_partition() reads the physical volume descriptor into a fixed-size
struct pvd and then scans its physical-partition-extent array:
int numpps = be16_to_cpu(pvd->pp_count);
...
for (i = 0; i < numpps; i += 1) {
struct ppe *p = pvd->ppe + i;
...
lp_ix = be16_to_cpu(p->lp_ix);
pvd points at a single kmalloc()'d struct pvd whose ppe[] member holds a
fixed ARRAY_SIZE(pvd->ppe) (1016) entries, but the loop runs up to the
on-disk pp_count. pp_count is an unvalidated __be16 read straight from
the descriptor, so a crafted AIX image with pp_count larger than 1016
drives the loop to read pvd->ppe[i] past the end of the allocation (up
to 65535 entries, ~2 MB out of bounds).
The partition scan runs without mounting anything, when a block device
with a crafted AIX/IBM partition table appears (an attacker-supplied
image attached with losetup -P, or a device auto-scanned by udev), via
msdos_partition() -> aix_partition().
Clamp the scan to the number of entries the ppe[] array can hold.
Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Acked-by: Philippe De Muyter <phdm@macqel.be>
Link: https://patch.msgid.link/20260607064137.302574-1-hexlabsecurity@proton.me
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/partitions/aix.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/block/partitions/aix.c
+++ b/block/partitions/aix.c
@@ -226,6 +226,15 @@ int aix_partition(struct parsed_partitio
int next_lp_ix = 1;
int lp_ix;
+ /*
+ * pvd was read into a fixed-size struct pvd whose ppe[] array
+ * holds ARRAY_SIZE(pvd->ppe) entries. pp_count is an
+ * unvalidated on-disk __be16, so clamp the scan to the array
+ * size to avoid walking past the allocation.
+ */
+ if (numpps > ARRAY_SIZE(pvd->ppe))
+ numpps = ARRAY_SIZE(pvd->ppe);
+
for (i = 0; i < numpps; i += 1) {
struct ppe *p = pvd->ppe + i;
unsigned int lv_ix;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 358/518] btrfs: fix incorrect buffered IO fallback for append direct writes
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 357/518] partitions: aix: bound the pp_count scan to the ppe array Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 359/518] isofs: bound Rock Ridge symlink components to the SL record Greg Kroah-Hartman
` (163 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
David Sterba
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit ff66fe6662330226b3f486014c375538d91c44aa upstream.
[BUG]
With the previous bug of short direct writes fixed, test case
generic/362 (*) still fails with the following error with nodatasum
mount option:
# generic/362 0s ... - output mismatch (see /home/adam/xfstests/results//generic/362.out.bad)
# - output mismatch (see /home/adam/xfstests/results//generic/362.out.bad)
# --- tests/generic/362.out 2024-08-24 15:31:37.200000000 +0930
# +++ /home/adam/xfstests/results//generic/362.out.bad 2026-05-27 10:13:09.072485767 +0930
# @@ -1,2 +1,3 @@
# QA output created by 362
# +Wrong file size after first write, got 8192 expected 4096
# Silence is golden
# ...
*: If the test case has been executed before with default data checksum,
the failure will not reproduce. Need the following fix to make it
reliably reproducible:
https://lore.kernel.org/linux-btrfs/20260528111659.87113-1-wqu@suse.com/
[CAUSE]
Inside btrfs_dio_iomap_begin() for a direct write, we increase the isize
if it's beyond the current isize.
But if the direct io finished short, we do not revert the isize to the
previous value nor to the short write end.
Then if we need to fall back to buffered writes, and the write has
IOCB_APPEND flag, then the buffered write will be positioned at the
incorrect isize.
The call chain looks like this:
btrfs_direct_write(pos=0, length=4K)
|- __iomap_dio_rw()
| |- iomap_iter()
| | |- btrfs_dio_iomap_begin()
| | |- btrfs_get_blocks_direct_write()
| | |- i_size_write()
| | Which updates the isize to the write end (4K).
| |
| |- iomap_dio_iter()
| | Failed with -EFAULT on the first page.
| |
| |- iomap_iter()
| | |- btrfs_dio_iomap_end()
| | Detects a short write, return -ENOTBLK
| |- if (ret == -ENOTBLK) { ret = 0;}
| Which resets the return value.
|
|- ret = iomap_dio_complet()
| Which returns 0.
|
|- btrfs_buffered_write(iocb, from);
|- generic_write_checks()
|- iocb->ki_pos = i_size_read()
Which is still the new size (4K), other than the original
isize 0.
[FIX]
Introduce the following btrfs_dio_data members:
- old_isize
- updated_isize
If the direct write has enlarged the isize.
Then if we got a short write, and btrfs_dio_data::updated_isize is set,
revert to the correct isize based on old_isize and current file
position.
And here we call i_size_write() without holding an extent lock, which is
a very special case that we're safe to do:
- Only a single writer can be enlarging isize
Enlarging isize will take the exclusive inode lock.
- Buffered readers need to wait for the OE we're holding
Buffered readers will lock extent and wait for OE of the folio range.
Sometimes we can skip the OE wait, but since all page cache is
invalidated, the OE wait can not be skipped.
But I do not think this is the most elegant solution, nor covers all
cases. E.g. if the bio is submitted but IO failed, we are unable to do
the revert.
I believe the more elegant one would be extend the EXTENT_DIO_LOCKED
lifespan for direct writes, so that we can update the isize when a
write beyond EOF finished successfully.
However that change is too huge for a small bug fix.
So only implement the minimal partial fix for now.
[REASON FOR NO FIXES TAG]
The bug is again very old, before commit f85781fb505e ("btrfs: switch to
iomap for direct IO") we are already increasing isize without a
proper rollback for short writes.
Thus only a CC to stable.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/direct-io.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 42 insertions(+), 1 deletion(-)
--- a/fs/btrfs/direct-io.c
+++ b/fs/btrfs/direct-io.c
@@ -15,10 +15,12 @@
struct btrfs_dio_data {
ssize_t submitted;
+ loff_t old_isize;
struct extent_changeset *data_reserved;
struct btrfs_ordered_extent *ordered;
bool data_space_reserved;
bool nocow_done;
+ bool updated_isize;
};
struct btrfs_dio_private {
@@ -228,6 +230,7 @@ static int btrfs_get_blocks_direct_write
bool space_reserved = false;
u64 len = *lenp;
u64 prev_len;
+ loff_t old_isize;
int ret = 0;
/*
@@ -341,8 +344,14 @@ static int btrfs_get_blocks_direct_write
* Need to update the i_size under the extent lock so buffered
* readers will get the updated i_size when we unlock.
*/
- if (start + len > i_size_read(inode))
+ old_isize = i_size_read(inode);
+ if (start + len > old_isize) {
+ if (!dio_data->updated_isize) {
+ dio_data->old_isize = old_isize;
+ dio_data->updated_isize = true;
+ }
i_size_write(inode, start + len);
+ }
out:
if (ret && space_reserved) {
btrfs_delalloc_release_extents(BTRFS_I(inode), len);
@@ -626,6 +635,38 @@ static int btrfs_dio_iomap_end(struct in
length -= submitted;
if (write) {
/*
+ * Got a short write and have updated the isize, need to
+ * revert the isize change.
+ *
+ * Normally we need to update isize with extent lock hold,
+ * but we're safe due to the following factors:
+ *
+ * - Only a single writer can be enlarging isize
+ * Enlarging isize will take the exclusive inode lock.
+ *
+ * - Buffered readers need to wait for the OE we're holding
+ * Buffered readers will lock extent and wait for OE
+ * of the folio range, and since page cache is invalidated
+ * the OE wait can not be skipped.
+ *
+ * So here we are safe to revert the isize before
+ * finishing the OE, and no reader of the remaining range
+ * can see the enlarged size.
+ *
+ * TODO: Extend the DIO_LOCKED lifespan for direct writes,
+ * and only enlarge isize after a successful write.
+ */
+ if (dio_data->updated_isize) {
+ u64 new_isize;
+
+ if (submitted == 0)
+ new_isize = dio_data->old_isize;
+ else
+ new_isize = max(dio_data->old_isize, pos);
+ i_size_write(inode, new_isize);
+ dio_data->updated_isize = false;
+ }
+ /*
* We have a short write, if there is any range
* that is submitted properly, that part will have
* its own OE split from the original one.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 359/518] isofs: bound Rock Ridge symlink components to the SL record
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 358/518] btrfs: fix incorrect buffered IO fallback for append direct writes Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 360/518] crypto: af_alg - Remove zero-copy support from skcipher and aead Greg Kroah-Hartman
` (162 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Bryam Vargas,
Jan Kara
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 5fa1d6a5ec2356d2107dead614437c66fa7138b1 upstream.
get_symlink_chunk() and the SL handling in
parse_rock_ridge_inode_internal() walk the variable-length components of
a Rock Ridge "SL" (symbolic link) record. Each component is a two-byte
header (flags, len) followed by len bytes of text, so it occupies
slp->len + 2 bytes. Both loops read slp->len and advance to the next
component, and get_symlink_chunk() additionally does
memcpy(rpnt, slp->text, slp->len), but neither checks that the component
lies within the SL record before dereferencing it.
A crafted SL record whose component declares a len that runs past the
record (rr->len) therefore triggers an out-of-bounds read of up to 255
bytes. When the record sits at the tail of its backing buffer - for
example a small kmalloc()ed continuation block reached through a CE
record - the read crosses the allocation; get_symlink_chunk() then
copies the out-of-bounds bytes into the symlink body returned to user
space by readlink(), disclosing adjacent kernel memory.
ISO 9660 images are routinely mounted from untrusted removable media -
desktop environments auto-mount them (e.g. via udisks2) without
CAP_SYS_ADMIN - so the record contents are attacker-controlled.
Reject any component that does not fit in the remaining record bytes
before using it. In get_symlink_chunk() return NULL, like the existing
output-buffer (plimit) checks, so a malformed record makes readlink()
fail with -EIO rather than silently returning a truncated target; in
parse_rock_ridge_inode_internal() stop the inode-size walk.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Suggested-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260607011823.217748-1-hexlabsecurity@proton.me
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/isofs/rock.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -466,6 +466,9 @@ repeat:
inode->i_size = symlink_len;
while (slen > 1) {
rootflag = 0;
+ /* keep the component within the SL record */
+ if (slp->len + 2 > slen)
+ goto eio;
switch (slp->flags & ~1) {
case 0:
inode->i_size +=
@@ -621,6 +624,14 @@ static char *get_symlink_chunk(char *rpn
slp = &rr->u.SL.link;
while (slen > 1) {
rootflag = 0;
+ /*
+ * A component is slp->len + 2 bytes (a two-byte header plus
+ * len bytes of text). If it does not fit in the bytes left in
+ * the SL record the record is malformed: fail like the plimit
+ * checks below so readlink() returns -EIO, not a truncated path.
+ */
+ if (slp->len + 2 > slen)
+ return NULL;
switch (slp->flags & ~1) {
case 0:
if (slp->len > plimit - rpnt)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 360/518] crypto: af_alg - Remove zero-copy support from skcipher and aead
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 359/518] isofs: bound Rock Ridge symlink components to the SL record Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 361/518] crypto: caam - use print_hex_dump_devel to guard key hex dumps Greg Kroah-Hartman
` (161 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taeyang Lee, Feng Ning,
Demi Marie Obenour, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit ffdd2bc378953b525aca61902534e753f1f8e734 upstream.
The zero-copy support is one of the riskiest aspects of AF_ALG. It
allows userspace to request cryptographic operations directly on
pagecache pages of files like the 'su' binary. It also allows userspace
to concurrently modify the memory which is being operated on, a recipe
for TOCTOU vulnerabilities.
While zero-copy support is more valuable in other areas of the kernel
like the frequently used networking and file I/O code, it has far less
value in AF_ALG, which is a niche UAPI. AF_ALG primarily just exists
for backwards compatibility with a small set of userspace programs such
as 'iwd' that haven't yet been fixed to use userspace crypto code.
Originally AF_ALG was intended to be used to access hardware crypto
accelerators. However, it isn't an efficient interface for that anyway,
and it turned out to be rarely used in this way in practice.
Thus, the risks of the zero-copy support in AF_ALG vastly outweigh its
benefits. Let's just remove it.
This commit removes it from the "skcipher" and "aead" algorithm types.
"hash" will be handled separately.
This is a soft break, not a hard break. Even after this commit, it
still works to use splice() or sendfile() to transfer data to an AF_ALG
request socket from a pipe or any file, respectively. What changes is
just that the kernel now makes an internal, stable copy of the data
before doing the crypto operation. So performance is slightly reduced,
but the UAPI isn't broken. And, very importantly, it's much safer.
Tested with libkcapi/test.sh. All its test cases still pass. I also
verified that this would have prevented the copy.fail exploit as well.
I also used a custom test program to verify that sendfile() still works.
Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for skcipher operations")
Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
Reported-by: Taeyang Lee <0wn@theori.io>
Link: https://copy.fail/
Reported-by: Feng Ning <feng@innora.ai>
Closes: https://lore.kernel.org/r/afYcc-tZFwvZZo76@ans-MacBook-Pro.local
Reviewed-by: Demi Marie Obenour <demiobenour@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/crypto/userspace-if.rst | 31 +-------------
crypto/af_alg.c | 71 +++++++++++-----------------------
crypto/algif_aead.c | 8 +--
3 files changed, 32 insertions(+), 78 deletions(-)
--- a/Documentation/crypto/userspace-if.rst
+++ b/Documentation/crypto/userspace-if.rst
@@ -327,33 +327,10 @@ CRYPTO_USER_API_RNG_CAVP option:
Zero-Copy Interface
-------------------
-In addition to the send/write/read/recv system call family, the AF_ALG
-interface can be accessed with the zero-copy interface of
-splice/vmsplice. As the name indicates, the kernel tries to avoid a copy
-operation into kernel space.
-
-The zero-copy operation requires data to be aligned at the page
-boundary. Non-aligned data can be used as well, but may require more
-operations of the kernel which would defeat the speed gains obtained
-from the zero-copy interface.
-
-The system-inherent limit for the size of one zero-copy operation is 16
-pages. If more data is to be sent to AF_ALG, user space must slice the
-input into segments with a maximum size of 16 pages.
-
-Zero-copy can be used with the following code example (a complete
-working example is provided with libkcapi):
-
-::
-
- int pipes[2];
-
- pipe(pipes);
- /* input data in iov */
- vmsplice(pipes[1], iov, iovlen, SPLICE_F_GIFT);
- /* opfd is the file descriptor returned from accept() system call */
- splice(pipes[0], NULL, opfd, NULL, ret, 0);
- read(opfd, out, outlen);
+AF_ALG used to have zero-copy support, but it was removed due to it being a
+frequent source of vulnerabilities. For backwards compatibility the splice()
+and sendfile() system calls are still supported, but the kernel will make an
+internal copy of the data before passing it to the crypto code.
Setsockopt Interface
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -973,7 +973,7 @@ int af_alg_sendmsg(struct socket *sock,
ssize_t plen;
/* use the existing memory in an allocated page */
- if (ctx->merge && !(msg->msg_flags & MSG_SPLICE_PAGES)) {
+ if (ctx->merge) {
sgl = list_entry(ctx->tsgl_list.prev,
struct af_alg_tsgl, list);
sg = sgl->sg + sgl->cur - 1;
@@ -1017,60 +1017,37 @@ int af_alg_sendmsg(struct socket *sock,
if (sgl->cur)
sg_unmark_end(sg + sgl->cur - 1);
- if (msg->msg_flags & MSG_SPLICE_PAGES) {
- struct sg_table sgtable = {
- .sgl = sg,
- .nents = sgl->cur,
- .orig_nents = sgl->cur,
- };
-
- plen = extract_iter_to_sg(&msg->msg_iter, len, &sgtable,
- MAX_SGL_ENTS - sgl->cur, 0);
- if (plen < 0) {
- err = plen;
+ do {
+ struct page *pg;
+ unsigned int i = sgl->cur;
+
+ plen = min_t(size_t, len, PAGE_SIZE);
+
+ pg = alloc_page(GFP_KERNEL);
+ if (!pg) {
+ err = -ENOMEM;
goto unlock;
}
- for (; sgl->cur < sgtable.nents; sgl->cur++)
- get_page(sg_page(&sg[sgl->cur]));
+ sg_assign_page(sg + i, pg);
+
+ err = memcpy_from_msg(page_address(sg_page(sg + i)),
+ msg, plen);
+ if (err) {
+ __free_page(sg_page(sg + i));
+ sg_assign_page(sg + i, NULL);
+ goto unlock;
+ }
+
+ sg[i].length = plen;
len -= plen;
ctx->used += plen;
copied += plen;
size -= plen;
- } else {
- do {
- struct page *pg;
- unsigned int i = sgl->cur;
-
- plen = min_t(size_t, len, PAGE_SIZE);
-
- pg = alloc_page(GFP_KERNEL);
- if (!pg) {
- err = -ENOMEM;
- goto unlock;
- }
-
- sg_assign_page(sg + i, pg);
-
- err = memcpy_from_msg(
- page_address(sg_page(sg + i)),
- msg, plen);
- if (err) {
- __free_page(sg_page(sg + i));
- sg_assign_page(sg + i, NULL);
- goto unlock;
- }
-
- sg[i].length = plen;
- len -= plen;
- ctx->used += plen;
- copied += plen;
- size -= plen;
- sgl->cur++;
- } while (len && sgl->cur < MAX_SGL_ENTS);
+ sgl->cur++;
+ } while (len && sgl->cur < MAX_SGL_ENTS);
- ctx->merge = plen & (PAGE_SIZE - 1);
- }
+ ctx->merge = plen & (PAGE_SIZE - 1);
if (!size)
sg_mark_end(sg + sgl->cur - 1);
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -9,10 +9,10 @@
* The following concept of the memory management is used:
*
* The kernel maintains two SGLs, the TX SGL and the RX SGL. The TX SGL is
- * filled by user space with the data submitted via sendmsg (maybe with
- * MSG_SPLICE_PAGES). Filling up the TX SGL does not cause a crypto operation
- * -- the data will only be tracked by the kernel. Upon receipt of one recvmsg
- * call, the caller must provide a buffer which is tracked with the RX SGL.
+ * filled by user space with the data submitted via sendmsg. Filling up the TX
+ * SGL does not cause a crypto operation -- the data will only be tracked by the
+ * kernel. Upon receipt of one recvmsg call, the caller must provide a buffer
+ * which is tracked with the RX SGL.
*
* During the processing of the recvmsg operation, the cipher request is
* allocated and prepared. As part of the recvmsg operation, the processed
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 361/518] crypto: caam - use print_hex_dump_devel to guard key hex dumps
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 360/518] crypto: af_alg - Remove zero-copy support from skcipher and aead Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 362/518] crypto: caam - use print_hex_dump_devel to guard key hex dumps again Greg Kroah-Hartman
` (160 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 3f57657b6ea23f933371f2c2846322f441773cee upstream.
Use print_hex_dump_devel() for dumping sensitive key material in
*_setkey() and gen_split_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.
Fixes: 6e005503199b ("crypto: caam - print debug messages at debug level")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/caamalg.c | 12 ++++++------
drivers/crypto/caam/caamalg_qi.c | 12 ++++++------
drivers/crypto/caam/caamhash.c | 4 ++--
drivers/crypto/caam/key_gen.c | 4 ++--
4 files changed, 16 insertions(+), 16 deletions(-)
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -603,7 +603,7 @@ static int aead_setkey(struct crypto_aea
dev_dbg(jrdev, "keylen %d enckeylen %d authkeylen %d\n",
keys.authkeylen + keys.enckeylen, keys.enckeylen,
keys.authkeylen);
- print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
/*
@@ -639,7 +639,7 @@ static int aead_setkey(struct crypto_aea
dma_sync_single_for_device(jrdev, ctx->key_dma, ctx->adata.keylen_pad +
keys.enckeylen, ctx->dir);
- print_hex_dump_debug("ctx.key@"__stringify(__LINE__)": ",
+ print_hex_dump_devel("ctx.key@"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, ctx->key,
ctx->adata.keylen_pad + keys.enckeylen, 1);
@@ -680,7 +680,7 @@ static int gcm_setkey(struct crypto_aead
if (err)
return err;
- print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -701,7 +701,7 @@ static int rfc4106_setkey(struct crypto_
if (err)
return err;
- print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -727,7 +727,7 @@ static int rfc4543_setkey(struct crypto_
if (err)
return err;
- print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -754,7 +754,7 @@ static int skcipher_setkey(struct crypto
u32 *desc;
const bool is_rfc3686 = alg->caam.rfc3686;
- print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
/* Here keylen is actual key length */
--- a/drivers/crypto/caam/caamalg_qi.c
+++ b/drivers/crypto/caam/caamalg_qi.c
@@ -212,7 +212,7 @@ static int aead_setkey(struct crypto_aea
dev_dbg(jrdev, "keylen %d enckeylen %d authkeylen %d\n",
keys.authkeylen + keys.enckeylen, keys.enckeylen,
keys.authkeylen);
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
/*
@@ -248,7 +248,7 @@ static int aead_setkey(struct crypto_aea
ctx->adata.keylen_pad + keys.enckeylen,
ctx->dir);
- print_hex_dump_debug("ctx.key@" __stringify(__LINE__)": ",
+ print_hex_dump_devel("ctx.key@" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, ctx->key,
ctx->adata.keylen_pad + keys.enckeylen, 1);
@@ -371,7 +371,7 @@ static int gcm_setkey(struct crypto_aead
if (ret)
return ret;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -475,7 +475,7 @@ static int rfc4106_setkey(struct crypto_
if (ret)
return ret;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -581,7 +581,7 @@ static int rfc4543_setkey(struct crypto_
if (ret)
return ret;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -631,7 +631,7 @@ static int skcipher_setkey(struct crypto
const bool is_rfc3686 = alg->caam.rfc3686;
int ret = 0;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
ctx->cdata.keylen = keylen;
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -505,7 +505,7 @@ static int axcbc_setkey(struct crypto_ah
DMA_TO_DEVICE);
ctx->adata.keylen = keylen;
- print_hex_dump_debug("axcbc ctx.key@" __stringify(__LINE__)" : ",
+ print_hex_dump_devel("axcbc ctx.key@" __stringify(__LINE__)" : ",
DUMP_PREFIX_ADDRESS, 16, 4, ctx->key, keylen, 1);
return axcbc_set_sh_desc(ahash);
@@ -525,7 +525,7 @@ static int acmac_setkey(struct crypto_ah
ctx->adata.key_virt = key;
ctx->adata.keylen = keylen;
- print_hex_dump_debug("acmac ctx.key@" __stringify(__LINE__)" : ",
+ print_hex_dump_devel("acmac ctx.key@" __stringify(__LINE__)" : ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
return acmac_set_sh_desc(ahash);
--- a/drivers/crypto/caam/key_gen.c
+++ b/drivers/crypto/caam/key_gen.c
@@ -58,7 +58,7 @@ int gen_split_key(struct device *jrdev,
dev_dbg(jrdev, "split keylen %d split keylen padded %d\n",
adata->keylen, adata->keylen_pad);
- print_hex_dump_debug("ctx.key@" __stringify(__LINE__)": ",
+ print_hex_dump_devel("ctx.key@" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key_in, keylen, 1);
if (local_max > max_keylen)
@@ -113,7 +113,7 @@ int gen_split_key(struct device *jrdev,
wait_for_completion(&result.completion);
ret = result.err;
- print_hex_dump_debug("ctx.key@"__stringify(__LINE__)": ",
+ print_hex_dump_devel("ctx.key@"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key_out,
adata->keylen_pad, 1);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 362/518] crypto: caam - use print_hex_dump_devel to guard key hex dumps again
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 361/518] crypto: caam - use print_hex_dump_devel to guard key hex dumps Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 363/518] crypto: chacha20poly1305 - validate poly1305 template argument Greg Kroah-Hartman
` (159 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 8005dc808bcce7d6cc2ae015a3cde1683bee602d upstream.
Use print_hex_dump_devel() for dumping sensitive key material in
*_setkey() to avoid leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG
is enabled.
Fixes: 8d818c105501 ("crypto: caam/qi2 - add DPAA2-CAAM driver")
Fixes: 226853ac3ebe ("crypto: caam/qi2 - add skcipher algorithms")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/caamalg_qi2.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/crypto/caam/caamalg_qi2.c
+++ b/drivers/crypto/caam/caamalg_qi2.c
@@ -301,7 +301,7 @@ static int aead_setkey(struct crypto_aea
dev_dbg(dev, "keylen %d enckeylen %d authkeylen %d\n",
keys.authkeylen + keys.enckeylen, keys.enckeylen,
keys.authkeylen);
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
ctx->adata.keylen = keys.authkeylen;
@@ -315,7 +315,7 @@ static int aead_setkey(struct crypto_aea
memcpy(ctx->key + ctx->adata.keylen_pad, keys.enckey, keys.enckeylen);
dma_sync_single_for_device(dev, ctx->key_dma, ctx->adata.keylen_pad +
keys.enckeylen, ctx->dir);
- print_hex_dump_debug("ctx.key@" __stringify(__LINE__)": ",
+ print_hex_dump_devel("ctx.key@" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, ctx->key,
ctx->adata.keylen_pad + keys.enckeylen, 1);
@@ -732,7 +732,7 @@ static int gcm_setkey(struct crypto_aead
ret = aes_check_keylen(keylen);
if (ret)
return ret;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -828,7 +828,7 @@ static int rfc4106_setkey(struct crypto_
if (ret)
return ret;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -927,7 +927,7 @@ static int rfc4543_setkey(struct crypto_
if (ret)
return ret;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
@@ -955,7 +955,7 @@ static int skcipher_setkey(struct crypto
u32 *desc;
const bool is_rfc3686 = alg->caam.rfc3686;
- print_hex_dump_debug("key in @" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key in @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
ctx->cdata.keylen = keylen;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 363/518] crypto: chacha20poly1305 - validate poly1305 template argument
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 362/518] crypto: caam - use print_hex_dump_devel to guard key hex dumps again Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 364/518] crypto: crypto4xx - Remove insecure and unused rng_alg Greg Kroah-Hartman
` (158 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
Xin Liu, Luxing Yin, Xiaonan Zhao, Ren Wei, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaonan Zhao <ngochuongbui67@gmail.com>
commit 265b861bece38318b8e0fc8fac0643d4ef906d31 upstream.
chachapoly_create() still accepts the compatibility poly1305 parameter
in the template name, but it assumes the second template argument is
always present and immediately passes it to strcmp().
When the argument is missing, crypto_attr_alg_name() returns an error
pointer. Check for that before comparing the name so malformed template
instantiations fail with an error instead of dereferencing the error
pointer in strcmp().
This matches the surrounding Crypto API template pattern where
crypto_attr_alg_name() results are validated before string-specific use.
Fixes: a298765e28ad ("crypto: chacha20poly1305 - Use lib/crypto poly1305")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Xiaonan Zhao <ngochuongbui67@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/chacha20poly1305.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/crypto/chacha20poly1305.c
+++ b/crypto/chacha20poly1305.c
@@ -375,6 +375,7 @@ static int chachapoly_create(struct cryp
struct aead_instance *inst;
struct chachapoly_instance_ctx *ctx;
struct skcipher_alg_common *chacha;
+ const char *poly_name;
int err;
if (ivsize > CHACHAPOLY_IV_SIZE)
@@ -396,9 +397,15 @@ static int chachapoly_create(struct cryp
goto err_free_inst;
chacha = crypto_spawn_skcipher_alg_common(&ctx->chacha);
+ poly_name = crypto_attr_alg_name(tb[2]);
+ if (IS_ERR(poly_name)) {
+ err = PTR_ERR(poly_name);
+ goto err_free_inst;
+ }
+
err = -EINVAL;
- if (strcmp(crypto_attr_alg_name(tb[2]), "poly1305") &&
- strcmp(crypto_attr_alg_name(tb[2]), "poly1305-generic"))
+ if (strcmp(poly_name, "poly1305") &&
+ strcmp(poly_name, "poly1305-generic"))
goto err_free_inst;
/* Need 16-byte IV size, including Initial Block Counter value */
if (chacha->ivsize != CHACHA_IV_SIZE)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 364/518] crypto: crypto4xx - Remove insecure and unused rng_alg
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 363/518] crypto: chacha20poly1305 - validate poly1305 template argument Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 365/518] crypto: ecc - Fix carry overflow in vli multiplication Greg Kroah-Hartman
` (157 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Christian Lamparter,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 7811ec9e973d2c9e465083699f0c8240b98cb8c4 upstream.
Remove crypto4xx_rng, as it is insecure and unused:
- It has only a 64-bit security strength, which is highly inadequate.
This can be seen by the fact that crypto4xx_hw_init() seeds it with
only 64 bits of entropy, and the fact that the original commit
mentions that it implements ANSI X9.17 Annex C.
Another issue was that this driver didn't implement the crypto_rng API
correctly, as crypto4xx_prng_generate() didn't return 0 on success.
- No user of this code is known. It's usable only theoretically via the
"rng" algorithm type of AF_ALG. But userspace actually just uses the
actual Linux RNG (/dev/random etc) instead. And rng_algs don't
contribute entropy to the actual Linux RNG either. (This may have
been confused with hwrng, which does contribute entropy.)
Fixes: d072bfa48853 ("crypto: crypto4xx - add prng crypto support")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/Kconfig | 1
drivers/crypto/amcc/crypto4xx_core.c | 88 --------------------------------
drivers/crypto/amcc/crypto4xx_core.h | 4 -
drivers/crypto/amcc/crypto4xx_reg_def.h | 11 ----
4 files changed, 104 deletions(-)
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -301,7 +301,6 @@ config CRYPTO_DEV_PPC4XX
select CRYPTO_CCM
select CRYPTO_CTR
select CRYPTO_GCM
- select CRYPTO_RNG
select CRYPTO_SKCIPHER
help
This option allows you to have support for AMCC crypto acceleration.
--- a/drivers/crypto/amcc/crypto4xx_core.c
+++ b/drivers/crypto/amcc/crypto4xx_core.c
@@ -31,11 +31,9 @@
#include <crypto/ctr.h>
#include <crypto/gcm.h>
#include <crypto/sha1.h>
-#include <crypto/rng.h>
#include <crypto/scatterwalk.h>
#include <crypto/skcipher.h>
#include <crypto/internal/aead.h>
-#include <crypto/internal/rng.h>
#include <crypto/internal/skcipher.h>
#include "crypto4xx_reg_def.h"
#include "crypto4xx_core.h"
@@ -985,10 +983,6 @@ static int crypto4xx_register_alg(struct
rc = crypto_register_aead(&alg->alg.u.aead);
break;
- case CRYPTO_ALG_TYPE_RNG:
- rc = crypto_register_rng(&alg->alg.u.rng);
- break;
-
default:
rc = crypto_register_skcipher(&alg->alg.u.cipher);
break;
@@ -1014,10 +1008,6 @@ static void crypto4xx_unregister_alg(str
crypto_unregister_aead(&alg->alg.u.aead);
break;
- case CRYPTO_ALG_TYPE_RNG:
- crypto_unregister_rng(&alg->alg.u.rng);
- break;
-
default:
crypto_unregister_skcipher(&alg->alg.u.cipher);
}
@@ -1076,69 +1066,6 @@ static irqreturn_t crypto4xx_ce_interrup
PPC4XX_TMO_ERR_INT);
}
-static int ppc4xx_prng_data_read(struct crypto4xx_device *dev,
- u8 *data, unsigned int max)
-{
- unsigned int i, curr = 0;
- u32 val[2];
-
- do {
- /* trigger PRN generation */
- writel(PPC4XX_PRNG_CTRL_AUTO_EN,
- dev->ce_base + CRYPTO4XX_PRNG_CTRL);
-
- for (i = 0; i < 1024; i++) {
- /* usually 19 iterations are enough */
- if ((readl(dev->ce_base + CRYPTO4XX_PRNG_STAT) &
- CRYPTO4XX_PRNG_STAT_BUSY))
- continue;
-
- val[0] = readl_be(dev->ce_base + CRYPTO4XX_PRNG_RES_0);
- val[1] = readl_be(dev->ce_base + CRYPTO4XX_PRNG_RES_1);
- break;
- }
- if (i == 1024)
- return -ETIMEDOUT;
-
- if ((max - curr) >= 8) {
- memcpy(data, &val, 8);
- data += 8;
- curr += 8;
- } else {
- /* copy only remaining bytes */
- memcpy(data, &val, max - curr);
- break;
- }
- } while (curr < max);
-
- return curr;
-}
-
-static int crypto4xx_prng_generate(struct crypto_rng *tfm,
- const u8 *src, unsigned int slen,
- u8 *dstn, unsigned int dlen)
-{
- struct rng_alg *alg = crypto_rng_alg(tfm);
- struct crypto4xx_alg *amcc_alg;
- struct crypto4xx_device *dev;
- int ret;
-
- amcc_alg = container_of(alg, struct crypto4xx_alg, alg.u.rng);
- dev = amcc_alg->dev;
-
- mutex_lock(&dev->core_dev->rng_lock);
- ret = ppc4xx_prng_data_read(dev, dstn, dlen);
- mutex_unlock(&dev->core_dev->rng_lock);
- return ret;
-}
-
-
-static int crypto4xx_prng_seed(struct crypto_rng *tfm, const u8 *seed,
- unsigned int slen)
-{
- return 0;
-}
-
/*
* Supported Crypto Algorithms
*/
@@ -1268,18 +1195,6 @@ static struct crypto4xx_alg_common crypt
.cra_module = THIS_MODULE,
},
} },
- { .type = CRYPTO_ALG_TYPE_RNG, .u.rng = {
- .base = {
- .cra_name = "stdrng",
- .cra_driver_name = "crypto4xx_rng",
- .cra_priority = 300,
- .cra_ctxsize = 0,
- .cra_module = THIS_MODULE,
- },
- .generate = crypto4xx_prng_generate,
- .seed = crypto4xx_prng_seed,
- .seedsize = 0,
- } },
};
/*
@@ -1353,9 +1268,6 @@ static int crypto4xx_probe(struct platfo
core_dev->dev->core_dev = core_dev;
core_dev->dev->is_revb = is_revb;
core_dev->device = dev;
- rc = devm_mutex_init(&ofdev->dev, &core_dev->rng_lock);
- if (rc)
- return rc;
spin_lock_init(&core_dev->lock);
INIT_LIST_HEAD(&core_dev->dev->alg_list);
ratelimit_default_init(&core_dev->dev->aead_ratelimit);
--- a/drivers/crypto/amcc/crypto4xx_core.h
+++ b/drivers/crypto/amcc/crypto4xx_core.h
@@ -14,10 +14,8 @@
#define __CRYPTO4XX_CORE_H__
#include <linux/ratelimit.h>
-#include <linux/mutex.h>
#include <linux/scatterlist.h>
#include <crypto/internal/aead.h>
-#include <crypto/internal/rng.h>
#include <crypto/internal/skcipher.h>
#include "crypto4xx_reg_def.h"
#include "crypto4xx_sa.h"
@@ -111,7 +109,6 @@ struct crypto4xx_core_device {
u32 irq;
struct tasklet_struct tasklet;
spinlock_t lock;
- struct mutex rng_lock;
};
struct crypto4xx_ctx {
@@ -135,7 +132,6 @@ struct crypto4xx_alg_common {
union {
struct skcipher_alg cipher;
struct aead_alg aead;
- struct rng_alg rng;
} u;
};
--- a/drivers/crypto/amcc/crypto4xx_reg_def.h
+++ b/drivers/crypto/amcc/crypto4xx_reg_def.h
@@ -90,20 +90,9 @@
#define CRYPTO4XX_BYTE_ORDER_CFG 0x000600d8
#define CRYPTO4XX_ENDIAN_CFG 0x000600d8
-#define CRYPTO4XX_PRNG_STAT 0x00070000
-#define CRYPTO4XX_PRNG_STAT_BUSY 0x1
#define CRYPTO4XX_PRNG_CTRL 0x00070004
#define CRYPTO4XX_PRNG_SEED_L 0x00070008
#define CRYPTO4XX_PRNG_SEED_H 0x0007000c
-
-#define CRYPTO4XX_PRNG_RES_0 0x00070020
-#define CRYPTO4XX_PRNG_RES_1 0x00070024
-#define CRYPTO4XX_PRNG_RES_2 0x00070028
-#define CRYPTO4XX_PRNG_RES_3 0x0007002C
-
-#define CRYPTO4XX_PRNG_LFSR_L 0x00070030
-#define CRYPTO4XX_PRNG_LFSR_H 0x00070034
-
/*
* Initialize CRYPTO ENGINE registers, and memory bases.
*/
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 365/518] crypto: ecc - Fix carry overflow in vli multiplication
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 364/518] crypto: crypto4xx - Remove insecure and unused rng_alg Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 366/518] crypto: hisi-trng - Remove crypto_rng interface Greg Kroah-Hartman
` (156 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anastasia Tishchenko, Lukas Wunner,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anastasia Tishchenko <sv3iry@gmail.com>
commit 27b536a2ec8e2f85a0380c2d13c9ecbc7aaab406 upstream.
The carry flag calculation fails when r01.m_high is saturated
(0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows.
The condition (r01.m_high < product.m_high) doesn't handle the case
where r01.m_high == product.m_high and an additional carry exists
from lower-bit overflow.
When commit 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
introduced crypto/ecc.c, it split the muladd() function in the
micro-ecc library into separate mul_64_64() and add_128_128() helpers.
It seems the check got lost in translation.
Add proper handling for this boundary by accounting for the carry
from the lower addition.
Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
Signed-off-by: Anastasia Tishchenko <sv3iry@gmail.com>
Cc: stable@vger.kernel.org # v4.8+
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/ecc.c | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -393,14 +393,26 @@ static uint128_t mul_64_64(u64 left, u64
return result;
}
-static uint128_t add_128_128(uint128_t a, uint128_t b)
+/* Calculate addition with overflow checking. Returns true on wrap-around,
+ * false otherwise.
+ */
+static bool check_add_128_128_overflow(uint128_t *result, uint128_t a,
+ uint128_t b)
{
- uint128_t result;
+ bool carry;
- result.m_low = a.m_low + b.m_low;
- result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low);
+ result->m_low = a.m_low + b.m_low;
+ carry = (result->m_low < a.m_low);
- return result;
+ result->m_high = a.m_high + b.m_high + carry;
+
+ /* Using constant-time bitwise arithmetic to prevent timing
+ * side-channels.
+ */
+ carry = (result->m_high < a.m_high) |
+ ((result->m_high == a.m_high) & carry);
+
+ return carry;
}
static void vli_mult(u64 *result, const u64 *left, const u64 *right,
@@ -425,9 +437,7 @@ static void vli_mult(u64 *result, const
uint128_t product;
product = mul_64_64(left[i], right[k - i]);
-
- r01 = add_128_128(r01, product);
- r2 += (r01.m_high < product.m_high);
+ r2 += check_add_128_128_overflow(&r01, r01, product);
}
result[k] = r01.m_low;
@@ -450,7 +460,7 @@ static void vli_umult(u64 *result, const
uint128_t product;
product = mul_64_64(left[k], right);
- r01 = add_128_128(r01, product);
+ check_add_128_128_overflow(&r01, r01, product);
/* no carry */
result[k] = r01.m_low;
r01.m_low = r01.m_high;
@@ -487,8 +497,7 @@ static void vli_square(u64 *result, cons
product.m_low <<= 1;
}
- r01 = add_128_128(r01, product);
- r2 += (r01.m_high < product.m_high);
+ r2 += check_add_128_128_overflow(&r01, r01, product);
}
result[k] = r01.m_low;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 366/518] crypto: hisi-trng - Remove crypto_rng interface
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 365/518] crypto: ecc - Fix carry overflow in vli multiplication Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 367/518] crypto: pcrypt - restore callback for non-parallel fallback Greg Kroah-Hartman
` (155 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 216a7795ec210bdabd5dad42323eee70bbfc8d90 upstream.
drivers/crypto/hisilicon/trng/trng.c exposes the same hardware through
two completely separate interfaces, crypto_rng and hwrng. However, the
implementation of this is buggy because it permits generation operations
from these interfaces to run concurrently with each other, accessing the
same registers. That is, hisi_trng_generate() synchronizes with itself
but not with hisi_trng_read(). This results in potential repetition of
output from the RNG, output of non-random values, etc.
Fortunately, there's actually no point in hardware RNG drivers
implementing the crypto_rng interface. It's not actually used by
anything besides the "rng" algorithm type of AF_ALG, which in turn is
not actually used in practice. Other crypto_rng hardware drivers are
likewise being phased out, leaving just the hwrng support.
Thus, remove it to simplify the code and avoid conflict (and confusion)
with the hwrng interface which is the one that actually matters.
Fixes: e4d9d10ef4be ("crypto: hisilicon/trng - add support for PRNG")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/hisilicon/Kconfig | 1
drivers/crypto/hisilicon/trng/trng.c | 296 -----------------------------------
2 files changed, 2 insertions(+), 295 deletions(-)
--- a/drivers/crypto/hisilicon/Kconfig
+++ b/drivers/crypto/hisilicon/Kconfig
@@ -80,6 +80,5 @@ config CRYPTO_DEV_HISI_TRNG
tristate "Support for HISI TRNG Driver"
depends on ARM64 && ACPI
select HW_RANDOM
- select CRYPTO_RNG
help
Support for HiSilicon TRNG Driver.
--- a/drivers/crypto/hisilicon/trng/trng.c
+++ b/drivers/crypto/hisilicon/trng/trng.c
@@ -1,234 +1,27 @@
// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2019 HiSilicon Limited. */
-#include <crypto/internal/rng.h>
#include <linux/acpi.h>
-#include <linux/crypto.h>
#include <linux/err.h>
#include <linux/hw_random.h>
#include <linux/io.h>
#include <linux/iopoll.h>
#include <linux/kernel.h>
-#include <linux/list.h>
#include <linux/module.h>
-#include <linux/mutex.h>
#include <linux/platform_device.h>
#include <linux/random.h>
#define HISI_TRNG_REG 0x00F0
#define HISI_TRNG_BYTES 4
#define HISI_TRNG_QUALITY 512
-#define HISI_TRNG_VERSION 0x01B8
-#define HISI_TRNG_VER_V1 GENMASK(31, 0)
#define SLEEP_US 10
#define TIMEOUT_US 10000
-#define SW_DRBG_NUM_SHIFT 2
-#define SW_DRBG_KEY_BASE 0x082C
-#define SW_DRBG_SEED(n) (SW_DRBG_KEY_BASE - ((n) << SW_DRBG_NUM_SHIFT))
-#define SW_DRBG_SEED_REGS_NUM 12
-#define SW_DRBG_SEED_SIZE 48
-#define SW_DRBG_BLOCKS 0x0830
-#define SW_DRBG_INIT 0x0834
-#define SW_DRBG_GEN 0x083c
-#define SW_DRBG_STATUS 0x0840
-#define SW_DRBG_BLOCKS_NUM 4095
-#define SW_DRBG_DATA_BASE 0x0850
-#define SW_DRBG_DATA_NUM 4
-#define SW_DRBG_DATA(n) (SW_DRBG_DATA_BASE - ((n) << SW_DRBG_NUM_SHIFT))
-#define SW_DRBG_BYTES 16
-#define SW_DRBG_ENABLE_SHIFT 12
-#define SEED_SHIFT_24 24
-#define SEED_SHIFT_16 16
-#define SEED_SHIFT_8 8
-#define SW_MAX_RANDOM_BYTES 65520
-
-struct hisi_trng_list {
- struct mutex lock;
- struct list_head list;
- bool is_init;
-};
struct hisi_trng {
void __iomem *base;
- struct hisi_trng_list *trng_list;
- struct list_head list;
struct hwrng rng;
- u32 ver;
- u32 ctx_num;
- /* The bytes of the random number generated since the last seeding. */
- u32 random_bytes;
- struct mutex lock;
-};
-
-struct hisi_trng_ctx {
- struct hisi_trng *trng;
};
-static atomic_t trng_active_devs;
-static struct hisi_trng_list trng_devices;
-static int hisi_trng_read(struct hwrng *rng, void *buf, size_t max, bool wait);
-
-static int hisi_trng_set_seed(struct hisi_trng *trng, const u8 *seed)
-{
- u32 val, seed_reg, i;
- int ret;
-
- writel(0x0, trng->base + SW_DRBG_BLOCKS);
-
- for (i = 0; i < SW_DRBG_SEED_SIZE;
- i += SW_DRBG_SEED_SIZE / SW_DRBG_SEED_REGS_NUM) {
- val = seed[i] << SEED_SHIFT_24;
- val |= seed[i + 1UL] << SEED_SHIFT_16;
- val |= seed[i + 2UL] << SEED_SHIFT_8;
- val |= seed[i + 3UL];
-
- seed_reg = (i >> SW_DRBG_NUM_SHIFT) % SW_DRBG_SEED_REGS_NUM;
- writel(val, trng->base + SW_DRBG_SEED(seed_reg));
- }
-
- writel(SW_DRBG_BLOCKS_NUM | (0x1 << SW_DRBG_ENABLE_SHIFT),
- trng->base + SW_DRBG_BLOCKS);
- writel(0x1, trng->base + SW_DRBG_INIT);
- ret = readl_relaxed_poll_timeout(trng->base + SW_DRBG_STATUS,
- val, val & BIT(0), SLEEP_US, TIMEOUT_US);
- if (ret) {
- pr_err("failed to init trng(%d)\n", ret);
- return -EIO;
- }
-
- trng->random_bytes = 0;
-
- return 0;
-}
-
-static int hisi_trng_seed(struct crypto_rng *tfm, const u8 *seed,
- unsigned int slen)
-{
- struct hisi_trng_ctx *ctx = crypto_rng_ctx(tfm);
- struct hisi_trng *trng = ctx->trng;
- int ret;
-
- if (slen < SW_DRBG_SEED_SIZE) {
- pr_err("slen(%u) is not matched with trng(%d)\n", slen,
- SW_DRBG_SEED_SIZE);
- return -EINVAL;
- }
-
- mutex_lock(&trng->lock);
- ret = hisi_trng_set_seed(trng, seed);
- mutex_unlock(&trng->lock);
-
- return ret;
-}
-
-static int hisi_trng_reseed(struct hisi_trng *trng)
-{
- u8 seed[SW_DRBG_SEED_SIZE];
- int size;
-
- if (!trng->random_bytes)
- return 0;
-
- size = hisi_trng_read(&trng->rng, seed, SW_DRBG_SEED_SIZE, false);
- if (size != SW_DRBG_SEED_SIZE)
- return -EIO;
-
- return hisi_trng_set_seed(trng, seed);
-}
-
-static int hisi_trng_get_bytes(struct hisi_trng *trng, u8 *dstn, unsigned int dlen)
-{
- u32 data[SW_DRBG_DATA_NUM];
- u32 currsize = 0;
- u32 val = 0;
- int ret;
- u32 i;
-
- ret = hisi_trng_reseed(trng);
- if (ret)
- return ret;
-
- do {
- ret = readl_relaxed_poll_timeout(trng->base + SW_DRBG_STATUS,
- val, val & BIT(1), SLEEP_US, TIMEOUT_US);
- if (ret) {
- pr_err("failed to generate random number(%d)!\n", ret);
- break;
- }
-
- for (i = 0; i < SW_DRBG_DATA_NUM; i++)
- data[i] = readl(trng->base + SW_DRBG_DATA(i));
-
- if (dlen - currsize >= SW_DRBG_BYTES) {
- memcpy(dstn + currsize, data, SW_DRBG_BYTES);
- currsize += SW_DRBG_BYTES;
- } else {
- memcpy(dstn + currsize, data, dlen - currsize);
- currsize = dlen;
- }
-
- trng->random_bytes += SW_DRBG_BYTES;
- writel(0x1, trng->base + SW_DRBG_GEN);
- } while (currsize < dlen);
-
- return ret;
-}
-
-static int hisi_trng_generate(struct crypto_rng *tfm, const u8 *src,
- unsigned int slen, u8 *dstn, unsigned int dlen)
-{
- struct hisi_trng_ctx *ctx = crypto_rng_ctx(tfm);
- struct hisi_trng *trng = ctx->trng;
- unsigned int currsize = 0;
- unsigned int block_size;
- int ret;
-
- if (!dstn || !dlen) {
- pr_err("output is error, dlen %u!\n", dlen);
- return -EINVAL;
- }
-
- do {
- block_size = min_t(unsigned int, dlen - currsize, SW_MAX_RANDOM_BYTES);
- mutex_lock(&trng->lock);
- ret = hisi_trng_get_bytes(trng, dstn + currsize, block_size);
- mutex_unlock(&trng->lock);
- if (ret)
- return ret;
- currsize += block_size;
- } while (currsize < dlen);
-
- return 0;
-}
-
-static int hisi_trng_init(struct crypto_tfm *tfm)
-{
- struct hisi_trng_ctx *ctx = crypto_tfm_ctx(tfm);
- struct hisi_trng *trng;
- u32 ctx_num = ~0;
-
- mutex_lock(&trng_devices.lock);
- list_for_each_entry(trng, &trng_devices.list, list) {
- if (trng->ctx_num < ctx_num) {
- ctx_num = trng->ctx_num;
- ctx->trng = trng;
- }
- }
- ctx->trng->ctx_num++;
- mutex_unlock(&trng_devices.lock);
-
- return 0;
-}
-
-static void hisi_trng_exit(struct crypto_tfm *tfm)
-{
- struct hisi_trng_ctx *ctx = crypto_tfm_ctx(tfm);
-
- mutex_lock(&trng_devices.lock);
- ctx->trng->ctx_num--;
- mutex_unlock(&trng_devices.lock);
-}
-
static int hisi_trng_read(struct hwrng *rng, void *buf, size_t max, bool wait)
{
struct hisi_trng *trng;
@@ -260,42 +53,6 @@ static int hisi_trng_read(struct hwrng *
return currsize;
}
-static struct rng_alg hisi_trng_alg = {
- .generate = hisi_trng_generate,
- .seed = hisi_trng_seed,
- .seedsize = SW_DRBG_SEED_SIZE,
- .base = {
- .cra_name = "stdrng",
- .cra_driver_name = "hisi_stdrng",
- .cra_priority = 300,
- .cra_ctxsize = sizeof(struct hisi_trng_ctx),
- .cra_module = THIS_MODULE,
- .cra_init = hisi_trng_init,
- .cra_exit = hisi_trng_exit,
- },
-};
-
-static void hisi_trng_add_to_list(struct hisi_trng *trng)
-{
- mutex_lock(&trng_devices.lock);
- list_add_tail(&trng->list, &trng_devices.list);
- mutex_unlock(&trng_devices.lock);
-}
-
-static int hisi_trng_del_from_list(struct hisi_trng *trng)
-{
- int ret = -EBUSY;
-
- mutex_lock(&trng_devices.lock);
- if (!trng->ctx_num) {
- list_del(&trng->list);
- ret = 0;
- }
- mutex_unlock(&trng_devices.lock);
-
- return ret;
-}
-
static int hisi_trng_probe(struct platform_device *pdev)
{
struct hisi_trng *trng;
@@ -305,68 +62,20 @@ static int hisi_trng_probe(struct platfo
if (!trng)
return -ENOMEM;
- platform_set_drvdata(pdev, trng);
-
trng->base = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(trng->base))
return PTR_ERR(trng->base);
- trng->ctx_num = 0;
- trng->random_bytes = SW_MAX_RANDOM_BYTES;
- mutex_init(&trng->lock);
- trng->ver = readl(trng->base + HISI_TRNG_VERSION);
- if (!trng_devices.is_init) {
- INIT_LIST_HEAD(&trng_devices.list);
- mutex_init(&trng_devices.lock);
- trng_devices.is_init = true;
- }
-
- hisi_trng_add_to_list(trng);
- if (trng->ver != HISI_TRNG_VER_V1 &&
- atomic_inc_return(&trng_active_devs) == 1) {
- ret = crypto_register_rng(&hisi_trng_alg);
- if (ret) {
- dev_err(&pdev->dev,
- "failed to register crypto(%d)\n", ret);
- atomic_dec_return(&trng_active_devs);
- goto err_remove_from_list;
- }
- }
-
trng->rng.name = pdev->name;
trng->rng.read = hisi_trng_read;
trng->rng.quality = HISI_TRNG_QUALITY;
+
ret = devm_hwrng_register(&pdev->dev, &trng->rng);
- if (ret) {
+ if (ret)
dev_err(&pdev->dev, "failed to register hwrng: %d!\n", ret);
- goto err_crypto_unregister;
- }
-
- return ret;
-
-err_crypto_unregister:
- if (trng->ver != HISI_TRNG_VER_V1 &&
- atomic_dec_return(&trng_active_devs) == 0)
- crypto_unregister_rng(&hisi_trng_alg);
-
-err_remove_from_list:
- hisi_trng_del_from_list(trng);
return ret;
}
-static void hisi_trng_remove(struct platform_device *pdev)
-{
- struct hisi_trng *trng = platform_get_drvdata(pdev);
-
- /* Wait until the task is finished */
- while (hisi_trng_del_from_list(trng))
- ;
-
- if (trng->ver != HISI_TRNG_VER_V1 &&
- atomic_dec_return(&trng_active_devs) == 0)
- crypto_unregister_rng(&hisi_trng_alg);
-}
-
static const struct acpi_device_id hisi_trng_acpi_match[] = {
{ "HISI02B3", 0 },
{ }
@@ -375,7 +84,6 @@ MODULE_DEVICE_TABLE(acpi, hisi_trng_acpi
static struct platform_driver hisi_trng_driver = {
.probe = hisi_trng_probe,
- .remove = hisi_trng_remove,
.driver = {
.name = "hisi-trng-v2",
.acpi_match_table = ACPI_PTR(hisi_trng_acpi_match),
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 367/518] crypto: pcrypt - restore callback for non-parallel fallback
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 366/518] crypto: hisi-trng - Remove crypto_rng interface Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 368/518] crypto: tegra - fix refcount leak in tegra_se_host1x_submit() Greg Kroah-Hartman
` (154 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Zhengchuan Liang, Xin Liu, Ruijie Li, Ren Wei,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruijie Li <ruijieli51@gmail.com>
commit ed459fe319376e876de433d12b6c6772e612ca36 upstream.
pcrypt installs pcrypt_aead_done() on the child AEAD request before
trying to submit it through padata. If padata_do_parallel() returns
-EBUSY, pcrypt falls back to calling the child AEAD directly.
That fallback must not keep the padata completion callback. Otherwise
an asynchronous completion runs pcrypt_aead_done() even though the
request was never enrolled in padata.
Restore the original request callback and callback data before calling
the child AEAD directly. This keeps the fallback path aligned with a
direct AEAD request while leaving the parallel path unchanged.
Fixes: 662f2f13e66d ("crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/pcrypt.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -122,6 +122,8 @@ static int pcrypt_aead_encrypt(struct ae
return -EINPROGRESS;
if (err == -EBUSY) {
/* try non-parallel mode */
+ aead_request_set_callback(creq, flags, req->base.complete,
+ req->base.data);
return crypto_aead_encrypt(creq);
}
@@ -173,6 +175,8 @@ static int pcrypt_aead_decrypt(struct ae
return -EINPROGRESS;
if (err == -EBUSY) {
/* try non-parallel mode */
+ aead_request_set_callback(creq, flags, req->base.complete,
+ req->base.data);
return crypto_aead_decrypt(creq);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 368/518] crypto: tegra - fix refcount leak in tegra_se_host1x_submit()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 367/518] crypto: pcrypt - restore callback for non-parallel fallback Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 369/518] crypto: loongson - Select CRYPTO_RNG Greg Kroah-Hartman
` (153 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Akhil R, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 6ea0ce3a19f9c37a014099e2b0a46b27fa164564 upstream.
The timeout error path in tegra_se_host1x_submit() returns without
calling host1x_job_put(), while all other paths (success, submit
error, pin error) properly release the job reference through the
job_put label. Since host1x_job_alloc() initializes the reference
count and host1x_job_put() is required to drop it, omitting it on
timeout causes a permanent refcount leak.
Fix this by redirecting the timeout return to the existing job_put
label, ensuring the job reference and any associated syncpt
references are consistently released.
Cc: stable@vger.kernel.org
Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Akhil R <akhilrajeev@nvidia.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/tegra/tegra-se-main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/tegra/tegra-se-main.c
+++ b/drivers/crypto/tegra/tegra-se-main.c
@@ -180,7 +180,7 @@ int tegra_se_host1x_submit(struct tegra_
MAX_SCHEDULE_TIMEOUT, NULL);
if (ret) {
dev_err(se->dev, "host1x job timed out\n");
- return ret;
+ goto job_put;
}
host1x_job_put(job);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 369/518] crypto: loongson - Select CRYPTO_RNG
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 368/518] crypto: tegra - fix refcount leak in tegra_se_host1x_submit() Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 370/518] crypto: loongson - Remove broken and unused loongson-rng Greg Kroah-Hartman
` (152 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Eric Biggers,
Huacai Chen, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 4c600ab0d8cfc9d75b92f3426dbcb2ad85eac91d upstream.
This driver registers a rng_alg, so it requires CRYPTO_RNG.
Fixes: 766b2d724c8d ("crypto: loongson - add Loongson RNG driver support")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202605201622.qWOiiZTV-lkp@intel.com/
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/loongson/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/crypto/loongson/Kconfig
+++ b/drivers/crypto/loongson/Kconfig
@@ -1,5 +1,6 @@
config CRYPTO_DEV_LOONGSON_RNG
tristate "Support for Loongson RNG Driver"
depends on MFD_LOONGSON_SE
+ select CRYPTO_RNG
help
Support for Loongson RNG Driver.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 370/518] crypto: loongson - Remove broken and unused loongson-rng
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 369/518] crypto: loongson - Select CRYPTO_RNG Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 371/518] crypto: ccp - Do not initialize SNP for SEV ioctls Greg Kroah-Hartman
` (151 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit af3d1bb9a09daf928fc3f173689fb7904d6a6d4f upstream.
The loongson-rng rng_alg has several vulnerabilities, including not
providing forward security, and a use-after-free bug due to the use of
wait_for_completion_interruptible().
Meanwhile, the rng_alg framework doesn't really have any purpose in the
first place other than to access the software algorithms crypto/drbg.c
and crypto/jitterentropy.c. Hardware-specific rng_algs have no
in-kernel user, and unlike hwrng there's no feed into the actual Linux
RNG. As such, there's really no point to this code. There are of
course other rng_alg drivers that are similarly unused, but they're
similarly in the process of being phased out, e.g.
https://lore.kernel.org/r/20260529193648.18172-1-ebiggers@kernel.org and
https://lore.kernel.org/r/20260529220430.34135-1-ebiggers@kernel.org
Given that, there's no point in fixing forward these vulnerabilities,
and it makes much more sense to simply roll back the addition of this
driver. If this platform provides TRNG (not PRNG) functionality, it
could make sense to add a hwrng driver, but it would be quite different.
Link: https://lore.kernel.org/linux-crypto/20260525145939.GC2018@quark/
Fixes: 766b2d724c8d ("crypto: loongson - add Loongson RNG driver support")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
MAINTAINERS | 1
arch/loongarch/configs/loongson32_defconfig | 1
arch/loongarch/configs/loongson64_defconfig | 1
drivers/crypto/Kconfig | 1
drivers/crypto/Makefile | 1
drivers/crypto/loongson/Kconfig | 6
drivers/crypto/loongson/Makefile | 1
drivers/crypto/loongson/loongson-rng.c | 209 ----------------------------
8 files changed, 221 deletions(-)
delete mode 100644 drivers/crypto/loongson/Kconfig
delete mode 100644 drivers/crypto/loongson/Makefile
delete mode 100644 drivers/crypto/loongson/loongson-rng.c
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -15087,7 +15087,6 @@ M: Qunqin Zhao <zhaoqunqin@loongson.cn>
L: linux-crypto@vger.kernel.org
S: Maintained
F: drivers/char/tpm/tpm_loongson.c
-F: drivers/crypto/loongson/
F: drivers/mfd/loongson-se.c
F: include/linux/mfd/loongson-se.h
--- a/arch/loongarch/configs/loongson32_defconfig
+++ b/arch/loongarch/configs/loongson32_defconfig
@@ -1091,7 +1091,6 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_RNG=m
CONFIG_CRYPTO_USER_API_AEAD=m
CONFIG_CRYPTO_DEV_VIRTIO=m
-CONFIG_CRYPTO_DEV_LOONGSON_RNG=m
CONFIG_DMA_CMA=y
CONFIG_CMA_SIZE_MBYTES=0
CONFIG_PRINTK_TIME=y
--- a/arch/loongarch/configs/loongson64_defconfig
+++ b/arch/loongarch/configs/loongson64_defconfig
@@ -1124,7 +1124,6 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_RNG=m
CONFIG_CRYPTO_USER_API_AEAD=m
CONFIG_CRYPTO_DEV_VIRTIO=m
-CONFIG_CRYPTO_DEV_LOONGSON_RNG=m
CONFIG_DMA_CMA=y
CONFIG_DMA_NUMA_CMA=y
CONFIG_CMA_SIZE_MBYTES=0
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -845,7 +845,6 @@ config CRYPTO_DEV_CCREE
If unsure say Y.
source "drivers/crypto/hisilicon/Kconfig"
-source "drivers/crypto/loongson/Kconfig"
source "drivers/crypto/amlogic/Kconfig"
--- a/drivers/crypto/Makefile
+++ b/drivers/crypto/Makefile
@@ -43,7 +43,6 @@ obj-y += inside-secure/
obj-$(CONFIG_CRYPTO_DEV_ARTPEC6) += axis/
obj-y += xilinx/
obj-y += hisilicon/
-obj-y += loongson/
obj-$(CONFIG_CRYPTO_DEV_AMLOGIC_GXL) += amlogic/
obj-y += intel/
obj-y += starfive/
--- a/drivers/crypto/loongson/Kconfig
+++ /dev/null
@@ -1,6 +0,0 @@
-config CRYPTO_DEV_LOONGSON_RNG
- tristate "Support for Loongson RNG Driver"
- depends on MFD_LOONGSON_SE
- select CRYPTO_RNG
- help
- Support for Loongson RNG Driver.
--- a/drivers/crypto/loongson/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-obj-$(CONFIG_CRYPTO_DEV_LOONGSON_RNG) += loongson-rng.o
--- a/drivers/crypto/loongson/loongson-rng.c
+++ /dev/null
@@ -1,209 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/* Copyright (c) 2019 HiSilicon Limited. */
-/* Copyright (c) 2025 Loongson Technology Corporation Limited. */
-
-#include <linux/crypto.h>
-#include <linux/err.h>
-#include <linux/hw_random.h>
-#include <linux/io.h>
-#include <linux/iopoll.h>
-#include <linux/kernel.h>
-#include <linux/list.h>
-#include <linux/mfd/loongson-se.h>
-#include <linux/module.h>
-#include <linux/mutex.h>
-#include <linux/platform_device.h>
-#include <linux/random.h>
-#include <crypto/internal/rng.h>
-
-#define SE_SEED_SIZE 32
-
-struct loongson_rng_list {
- struct mutex lock;
- struct list_head list;
- int registered;
-};
-
-struct loongson_rng {
- u32 used;
- struct loongson_se_engine *engine;
- struct list_head list;
- struct mutex lock;
-};
-
-struct loongson_rng_ctx {
- struct loongson_rng *rng;
-};
-
-struct loongson_rng_cmd {
- u32 cmd_id;
- union {
- u32 len;
- u32 ret;
- } u;
- u32 seed_off;
- u32 out_off;
- u32 pad[4];
-};
-
-static struct loongson_rng_list rng_devices = {
- .lock = __MUTEX_INITIALIZER(rng_devices.lock),
- .list = LIST_HEAD_INIT(rng_devices.list),
-};
-
-static int loongson_rng_generate(struct crypto_rng *tfm, const u8 *src,
- unsigned int slen, u8 *dstn, unsigned int dlen)
-{
- struct loongson_rng_ctx *ctx = crypto_rng_ctx(tfm);
- struct loongson_rng *rng = ctx->rng;
- struct loongson_rng_cmd *cmd = rng->engine->command;
- int err, len;
-
- mutex_lock(&rng->lock);
- cmd->seed_off = 0;
- do {
- len = min(dlen, rng->engine->buffer_size);
- cmd = rng->engine->command;
- cmd->u.len = len;
- err = loongson_se_send_engine_cmd(rng->engine);
- if (err)
- break;
-
- cmd = rng->engine->command_ret;
- if (cmd->u.ret) {
- err = -EIO;
- break;
- }
-
- memcpy(dstn, rng->engine->data_buffer, len);
- dlen -= len;
- dstn += len;
- } while (dlen > 0);
- mutex_unlock(&rng->lock);
-
- return err;
-}
-
-static int loongson_rng_init(struct crypto_tfm *tfm)
-{
- struct loongson_rng_ctx *ctx = crypto_tfm_ctx(tfm);
- struct loongson_rng *rng;
- u32 min_used = U32_MAX;
-
- mutex_lock(&rng_devices.lock);
- list_for_each_entry(rng, &rng_devices.list, list) {
- if (rng->used < min_used) {
- ctx->rng = rng;
- min_used = rng->used;
- }
- }
- ctx->rng->used++;
- mutex_unlock(&rng_devices.lock);
-
- return 0;
-}
-
-static void loongson_rng_exit(struct crypto_tfm *tfm)
-{
- struct loongson_rng_ctx *ctx = crypto_tfm_ctx(tfm);
-
- mutex_lock(&rng_devices.lock);
- ctx->rng->used--;
- mutex_unlock(&rng_devices.lock);
-}
-
-static int loongson_rng_seed(struct crypto_rng *tfm, const u8 *seed,
- unsigned int slen)
-{
- struct loongson_rng_ctx *ctx = crypto_rng_ctx(tfm);
- struct loongson_rng *rng = ctx->rng;
- struct loongson_rng_cmd *cmd;
- int err;
-
- if (slen < SE_SEED_SIZE)
- return -EINVAL;
-
- slen = min(slen, rng->engine->buffer_size);
-
- mutex_lock(&rng->lock);
- cmd = rng->engine->command;
- cmd->u.len = slen;
- cmd->seed_off = rng->engine->buffer_off;
- memcpy(rng->engine->data_buffer, seed, slen);
- err = loongson_se_send_engine_cmd(rng->engine);
- if (err)
- goto out;
-
- cmd = rng->engine->command_ret;
- if (cmd->u.ret)
- err = -EIO;
-out:
- mutex_unlock(&rng->lock);
-
- return err;
-}
-
-static struct rng_alg loongson_rng_alg = {
- .generate = loongson_rng_generate,
- .seed = loongson_rng_seed,
- .seedsize = SE_SEED_SIZE,
- .base = {
- .cra_name = "stdrng",
- .cra_driver_name = "loongson_stdrng",
- .cra_priority = 300,
- .cra_ctxsize = sizeof(struct loongson_rng_ctx),
- .cra_module = THIS_MODULE,
- .cra_init = loongson_rng_init,
- .cra_exit = loongson_rng_exit,
- },
-};
-
-static int loongson_rng_probe(struct platform_device *pdev)
-{
- struct loongson_rng_cmd *cmd;
- struct loongson_rng *rng;
- int ret = 0;
-
- rng = devm_kzalloc(&pdev->dev, sizeof(*rng), GFP_KERNEL);
- if (!rng)
- return -ENOMEM;
-
- rng->engine = loongson_se_init_engine(pdev->dev.parent, SE_ENGINE_RNG);
- if (!rng->engine)
- return -ENODEV;
- cmd = rng->engine->command;
- cmd->cmd_id = SE_CMD_RNG;
- cmd->out_off = rng->engine->buffer_off;
- mutex_init(&rng->lock);
-
- mutex_lock(&rng_devices.lock);
-
- if (!rng_devices.registered) {
- ret = crypto_register_rng(&loongson_rng_alg);
- if (ret) {
- dev_err(&pdev->dev, "failed to register crypto(%d)\n", ret);
- goto out;
- }
- rng_devices.registered = 1;
- }
-
- list_add_tail(&rng->list, &rng_devices.list);
-out:
- mutex_unlock(&rng_devices.lock);
-
- return ret;
-}
-
-static struct platform_driver loongson_rng_driver = {
- .probe = loongson_rng_probe,
- .driver = {
- .name = "loongson-rng",
- },
-};
-module_platform_driver(loongson_rng_driver);
-
-MODULE_ALIAS("platform:loongson-rng");
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Yinggang Gu <guyinggang@loongson.cn>");
-MODULE_AUTHOR("Qunqin Zhao <zhaoqunqin@loongson.cn>");
-MODULE_DESCRIPTION("Loongson Random Number Generator driver");
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 371/518] crypto: ccp - Do not initialize SNP for SEV ioctls
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 370/518] crypto: loongson - Remove broken and unused loongson-rng Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 372/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_COMMIT) Greg Kroah-Hartman
` (150 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tycho Andersen (AMD), Tom Lendacky,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tycho Andersen (AMD) <tycho@kernel.org>
commit fb1758e74b8061aacfbce7bbb7a7cc650537e167 upstream.
Sashiko notes:
> if SEV initialization fails and KVM is actively running normal VMs, could a
> userspace process trigger this code path via /dev/sev ioctls (e.g.,
> SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
> execution for an active VM trigger a general protection fault and crash the
> host?
sev_move_to_init_state() is called for ioctls requiring only SEV firmware:
SEV_PEK_GEN, SEV_PDH_GEN, SEV_PEK_CSR, SEV_PEK_CERT_IMPORT, and
SEV_PDH_CERT_EXPORT. After the firmware command, it does SEV_SHUTDOWN on
the SEV firmware. Since these commands do not require SNP to be
initialized, skip it by calling __sev_platform_init_locked() which only
initializes the SEV firmware. This way SNP is not Initialized at all, and
HSAVE_PA is not cleared.
The previous code saved any SEV initialization firmware error to
init_args.error and then threw it away and hardcoded the return value of
INVALID_PLATFORM_STATE regardless of the real firmware error. This patch
changes it to surface the underlying error, which is hopefully both more
useful and doesn't cause any problems.
Note that it is still safe to call __sev_firmware_shutdown() directly: it
calls __sev_snp_shutdown_locked(), which skips SNP shutdown if SNP was not
initialized.
Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
Reported-by: Sashiko
Assisted-by: Gemini:gemini-3.1-pro-preview
Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
CC: <stable@vger.kernel.org>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1716,14 +1716,11 @@ static int sev_get_platform_state(int *s
static int sev_move_to_init_state(struct sev_issue_cmd *argp, bool *shutdown_required)
{
- struct sev_platform_init_args init_args = {0};
int rc;
- rc = _sev_platform_init_locked(&init_args);
- if (rc) {
- argp->error = SEV_RET_INVALID_PLATFORM_STATE;
+ rc = __sev_platform_init_locked(&argp->error);
+ if (rc)
return rc;
- }
*shutdown_required = true;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 372/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_COMMIT)
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 371/518] crypto: ccp - Do not initialize SNP for SEV ioctls Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 373/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_VLEK_LOAD) Greg Kroah-Hartman
` (149 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tycho Andersen (AMD), Tom Lendacky,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tycho Andersen (AMD) <tycho@kernel.org>
commit 5a1364da2f04217a36e2fdfa2db4ee025b383a20 upstream.
Sashiko notes:
> if SEV initialization fails and KVM is actively running normal VMs, could a
> userspace process trigger this code path via /dev/sev ioctls (e.g.,
> SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
> execution for an active VM trigger a general protection fault and crash the
> host?
The SNP_COMMIT command does not require the firmware to be in any
particular state. Skip initializing it if it was previously uninitialized.
The SEV-SNP firmware specification doc 56860 does not mention SNP_COMMIT in
Table 5 as a command that is allowed in the UNINIT state, but it is in fact
allowed and a future documentation update will reflect that.
Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
Reported-by: Sashiko
Assisted-by: Gemini:gemini-3.1-pro-preview
Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
CC: <stable@vger.kernel.org>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2437,24 +2437,13 @@ cleanup:
static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp)
{
- struct sev_device *sev = psp_master->sev_data;
struct sev_data_snp_commit buf;
- bool shutdown_required = false;
- int ret, error;
-
- if (!sev->snp_initialized) {
- ret = snp_move_to_init_state(argp, &shutdown_required);
- if (ret)
- return ret;
- }
+ int ret;
buf.len = sizeof(buf);
ret = __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error);
- if (shutdown_required)
- __sev_snp_shutdown_locked(&error, false);
-
return ret;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 373/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_VLEK_LOAD)
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 372/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_COMMIT) Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 374/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_CONFIG) Greg Kroah-Hartman
` (148 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tycho Andersen (AMD), Tom Lendacky,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tycho Andersen (AMD) <tycho@kernel.org>
commit f91e9dbb5845d1e5abf1028e6df57dcf61583e1b upstream.
Sashiko notes:
> if SEV initialization fails and KVM is actively running normal VMs, could a
> userspace process trigger this code path via /dev/sev ioctls (e.g.,
> SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
> execution for an active VM trigger a general protection fault and crash the
> host?
The SEV firmware docs for SNP_VLEK_LOAD note:
> On SNP_SHUTDOWN, the VLEK is deleted.
That is, the initialization/shutdown wrapper here is pointless, because the
firmware immediately throws away the key anyway. Instead, refuse to do
anything if SNP has not been previously initialized.
This is an ABI break: before, this was a no-op and almost certainly a
mistake by userspace, and now it returns -ENODEV. ABI compatibility could be
maintained here by simply returning 0 in the check instead.
Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
Reported-by: Sashiko
Assisted-by: Gemini:gemini-3.1-pro-preview
Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
CC: <stable@vger.kernel.org>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 17 ++++-------------
1 file changed, 4 insertions(+), 13 deletions(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2481,9 +2481,8 @@ static int sev_ioctl_do_snp_vlek_load(st
{
struct sev_device *sev = psp_master->sev_data;
struct sev_user_data_snp_vlek_load input;
- bool shutdown_required = false;
- int ret, error;
void *blob;
+ int ret;
if (!argp->data)
return -EINVAL;
@@ -2491,6 +2490,9 @@ static int sev_ioctl_do_snp_vlek_load(st
if (!writable)
return -EPERM;
+ if (!sev->snp_initialized)
+ return -ENODEV;
+
if (copy_from_user(&input, u64_to_user_ptr(argp->data), sizeof(input)))
return -EFAULT;
@@ -2504,18 +2506,7 @@ static int sev_ioctl_do_snp_vlek_load(st
input.vlek_wrapped_address = __psp_pa(blob);
- if (!sev->snp_initialized) {
- ret = snp_move_to_init_state(argp, &shutdown_required);
- if (ret)
- goto cleanup;
- }
-
ret = __sev_do_cmd_locked(SEV_CMD_SNP_VLEK_LOAD, &input, &argp->error);
-
- if (shutdown_required)
- __sev_snp_shutdown_locked(&error, false);
-
-cleanup:
kfree(blob);
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 374/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_CONFIG)
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 373/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_VLEK_LOAD) Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 375/518] crypto: drbg - Fix returning success on failure in CTR_DRBG Greg Kroah-Hartman
` (147 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tycho Andersen (AMD), Tom Lendacky,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tycho Andersen (AMD) <tycho@kernel.org>
commit 08f0e65e784c4b20e6e620dd4f68d8636073a3d2 upstream.
Sashiko notes:
> if SEV initialization fails and KVM is actively running normal VMs, could a
> userspace process trigger this code path via /dev/sev ioctls (e.g.,
> SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
> execution for an active VM trigger a general protection fault and crash the
> host?
Refuse to re-try initialization if SNP is not already initialized for
SNP_CONFIG.
This is technically an ABI break: before if SNP initialization failed it
could be transparently retriggered by this ioctl, and if no VMs were
running, everything worked fine. Hopefully this is enough of a corner case
that nobody will notice, but someone does, there are a few options:
* do something like symbol_get() for kvm and refuse to initialize if KVM is
loaded
* check each cpu's HSAVE_PA for non-zero data before re-initializing
* once initialization has failed, continue to refuse to initialize until
the ccp module is unloaded
Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
Reported-by: Sashiko
Assisted-by: Gemini:gemini-3.1-pro-preview
Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
CC: <stable@vger.kernel.org>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 33 ++++-----------------------------
1 file changed, 4 insertions(+), 29 deletions(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1727,21 +1727,6 @@ static int sev_move_to_init_state(struct
return 0;
}
-static int snp_move_to_init_state(struct sev_issue_cmd *argp, bool *shutdown_required)
-{
- int error, rc;
-
- rc = __sev_snp_init_locked(&error, 0);
- if (rc) {
- argp->error = SEV_RET_INVALID_PLATFORM_STATE;
- return rc;
- }
-
- *shutdown_required = true;
-
- return 0;
-}
-
static int sev_ioctl_do_reset(struct sev_issue_cmd *argp, bool writable)
{
int state, rc;
@@ -2451,8 +2436,6 @@ static int sev_ioctl_do_snp_set_config(s
{
struct sev_device *sev = psp_master->sev_data;
struct sev_user_data_snp_config config;
- bool shutdown_required = false;
- int ret, error;
if (!argp->data)
return -EINVAL;
@@ -2460,21 +2443,13 @@ static int sev_ioctl_do_snp_set_config(s
if (!writable)
return -EPERM;
+ if (!sev->snp_initialized)
+ return -ENODEV;
+
if (copy_from_user(&config, (void __user *)argp->data, sizeof(config)))
return -EFAULT;
- if (!sev->snp_initialized) {
- ret = snp_move_to_init_state(argp, &shutdown_required);
- if (ret)
- return ret;
- }
-
- ret = __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error);
-
- if (shutdown_required)
- __sev_snp_shutdown_locked(&error, false);
-
- return ret;
+ return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error);
}
static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 375/518] crypto: drbg - Fix returning success on failure in CTR_DRBG
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 374/518] crypto: ccp - Do not initialize SNP for ioctl(SNP_CONFIG) Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 376/518] crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG Greg Kroah-Hartman
` (146 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 39a31ad9e2a5ed7e9c9c6f711dca96c8c8f5f26b upstream.
drbg_ctr_generate() sometimes returns success when it fails, leaving the
output buffer uninitialized. Fix it.
Fixes: cde001e4c3c3 ("crypto: rng - RNGs must return 0 in success case")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/drbg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -377,7 +377,7 @@ static int drbg_ctr_generate(struct drbg
if (addtl && !list_empty(addtl)) {
ret = drbg_ctr_update(drbg, addtl, 2);
if (ret)
- return 0;
+ return ret;
}
/* 10.2.1.5.2 step 4.1 */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 376/518] crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 375/518] crypto: drbg - Fix returning success on failure in CTR_DRBG Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 377/518] crypto: drbg - Fix ineffective sanity check Greg Kroah-Hartman
` (145 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit ddc4dedb9ba3c8eecbc8c050fffd46d1b7e75c21 upstream.
drbg_cpu_to_be32() is being used to do a plain write to a byte array,
which doesn't have any alignment guarantee. This can cause a misaligned
write. Replace it with the correct function, put_unaligned_be32().
Fixes: 72f3e00dd67e ("crypto: drbg - replace int2byte with cpu_to_be")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/df_sp80090a.c | 7 ++++---
crypto/drbg.c | 3 ++-
include/crypto/internal/drbg.h | 18 ------------------
3 files changed, 6 insertions(+), 22 deletions(-)
--- a/crypto/df_sp80090a.c
+++ b/crypto/df_sp80090a.c
@@ -10,6 +10,7 @@
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>
+#include <linux/unaligned.h>
#include <crypto/aes.h>
#include <crypto/df_sp80090a.h>
#include <crypto/internal/drbg.h>
@@ -141,10 +142,10 @@ int crypto_drbg_ctr_df(struct aes_enckey
/* 10.4.2 step 2 -- calculate the entire length of all input data */
list_for_each_entry(seed, seedlist, list)
inputlen += seed->len;
- drbg_cpu_to_be32(inputlen, &L_N[0]);
+ put_unaligned_be32(inputlen, &L_N[0]);
/* 10.4.2 step 3 */
- drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
+ put_unaligned_be32(bytes_to_return, &L_N[4]);
/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
padlen = (inputlen + sizeof(L_N) + 1) % (blocklen_bytes);
@@ -175,7 +176,7 @@ int crypto_drbg_ctr_df(struct aes_enckey
* holds zeros after allocation -- even the increment of i
* is irrelevant as the increment remains within length of i
*/
- drbg_cpu_to_be32(i, iv);
+ put_unaligned_be32(i, iv);
/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
drbg_ctr_bcc(aeskey, temp + templen, K, &bcc_list,
blocklen_bytes, keylen);
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -103,6 +103,7 @@
#include <linux/kernel.h>
#include <linux/jiffies.h>
#include <linux/string_choices.h>
+#include <linux/unaligned.h>
/***************************************************************
* Backend cipher definitions available to DRBG
@@ -601,7 +602,7 @@ static int drbg_hash_df(struct drbg_stat
/* 10.4.1 step 3 */
input[0] = 1;
- drbg_cpu_to_be32((outlen * 8), &input[1]);
+ put_unaligned_be32(outlen * 8, &input[1]);
/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
drbg_string_fill(&data, input, 5);
--- a/include/crypto/internal/drbg.h
+++ b/include/crypto/internal/drbg.h
@@ -10,24 +10,6 @@
#define _INTERNAL_DRBG_H
/*
- * Convert an integer into a byte representation of this integer.
- * The byte representation is big-endian
- *
- * @val value to be converted
- * @buf buffer holding the converted integer -- caller must ensure that
- * buffer size is at least 32 bit
- */
-static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
-{
- struct s {
- __be32 conv;
- };
- struct s *conversion = (struct s *)buf;
-
- conversion->conv = cpu_to_be32(val);
-}
-
-/*
* Concatenation Helper and string operation helper
*
* SP800-90A requires the concatenation of different data. To avoid copying
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 377/518] crypto: drbg - Fix ineffective sanity check
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 376/518] crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 378/518] crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels Greg Kroah-Hartman
` (144 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 040ad83b0e8aa065fd2fc641cacba8491a8b186d upstream.
Fix drbg_healthcheck_sanity() to correctly check the return value of
drbg_generate(). drbg_generate() returns 0 on success, or a negative
errno value on failure. drbg_healthcheck_sanity() incorrectly assumed
that it returned a positive value on success.
This didn't make the sanity check fail, but it made it ineffective.
Fixes: cde001e4c3c3 ("crypto: rng - RNGs must return 0 in success case")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/drbg.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1737,7 +1737,6 @@ static int drbg_kcapi_seed(struct crypto
*/
static inline int __init drbg_healthcheck_sanity(void)
{
- int len = 0;
#define OUTBUFLEN 16
unsigned char buf[OUTBUFLEN];
struct drbg_state *drbg = NULL;
@@ -1782,11 +1781,11 @@ static inline int __init drbg_healthchec
max_request_bytes = drbg_max_request_bytes(drbg);
drbg_string_fill(&addtl, buf, max_addtllen + 1);
/* overflow addtllen with additional info string */
- len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
- BUG_ON(0 < len);
+ ret = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
+ BUG_ON(ret == 0);
/* overflow max_bits */
- len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
- BUG_ON(0 < len);
+ ret = drbg_generate(drbg, buf, max_request_bytes + 1, NULL);
+ BUG_ON(ret == 0);
/* overflow max addtllen with personalization string */
ret = drbg_seed(drbg, &addtl, false);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 378/518] crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 377/518] crypto: drbg - Fix ineffective sanity check Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 379/518] crypto: drbg - Fix the fips_enabled priority boost Greg Kroah-Hartman
` (143 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 6f49f00c981bbb9ef602966f19bfdbef46b681d2 upstream.
On 64-bit kernels, drbg_max_addtl() returns 2**35 bytes. That's too
large, for two reasons:
1. SP800-90A says the maximum limit is 2**35 *bits*, not 2**35 bytes.
So the implemented limit has confused bits and bytes.
2. When drbg_kcapi_hash() calls crypto_shash_update() on the additional
information string, the length is implicitly cast to 'unsigned int'.
That truncates the additional information string to U32_MAX bytes.
Fix the maximum additional information string length to always be
U32_MAX - 1, causing an error to be returned for any longer lengths.
Fixes: 541af946fe13 ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/crypto/drbg.h | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
--- a/include/crypto/drbg.h
+++ b/include/crypto/drbg.h
@@ -148,19 +148,15 @@ static inline size_t drbg_max_request_by
return (1 << 16);
}
+/*
+ * SP800-90A allows implementations to support additional info / personalization
+ * strings of up to 2**35 bits. Implementations can have a smaller maximum. We
+ * use 2**35 - 16 bits == U32_MAX - 1 bytes so that the max + 1 always fits in a
+ * size_t, allowing drbg_healthcheck_sanity() to verify its enforcement.
+ */
static inline size_t drbg_max_addtl(struct drbg_state *drbg)
{
- /* SP800-90A requires 2**35 bytes additional info str / pers str */
-#if (__BITS_PER_LONG == 32)
- /*
- * SP800-90A allows smaller maximum numbers to be returned -- we
- * return SIZE_MAX - 1 to allow the verification of the enforcement
- * of this value in drbg_healthcheck_sanity.
- */
- return (SIZE_MAX - 1);
-#else
- return (1UL<<35);
-#endif
+ return U32_MAX - 1;
}
static inline size_t drbg_max_requests(struct drbg_state *drbg)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 379/518] crypto: drbg - Fix the fips_enabled priority boost
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 378/518] crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 380/518] crypto: qat - centralize bus master enable Greg Kroah-Hartman
` (142 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit a8a1f93080efc83a9ff8452954429ae379e9e614 upstream.
When fips_enabled=1, it seems to have been intended for one of the
algorithms defined in crypto/drbg.c to be the highest priority "stdrng"
algorithm, so that it is what is used by "stdrng" users.
However, the code only boosts the priority to 400, which is less than
the priority 500 used in drivers/crypto/caam/caamprng.c. Thus, the CAAM
RNG could be used instead.
Fix this by boosting the priority by 2000 instead of 200.
Fixes: 541af946fe13 ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/drbg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1832,7 +1832,7 @@ static inline void __init drbg_fill_arra
* it is selected.
*/
if (fips_enabled)
- alg->base.cra_priority += 200;
+ alg->base.cra_priority += 2000;
alg->base.cra_ctxsize = sizeof(struct drbg_state);
alg->base.cra_module = THIS_MODULE;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 380/518] crypto: qat - centralize bus master enable
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 379/518] crypto: drbg - Fix the fips_enabled priority boost Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 381/518] crypto: qat - fix restarting state leak on allocation failure Greg Kroah-Hartman
` (141 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Andy Shevchenko, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit e5712ff82947dd02d118cee119ed36cec671d814 upstream.
QAT driver currently toggles PCI bus mastering in multiple places
(probe paths, and reset callbacks). This makes BME state depend on
call ordering and on what PCI command bits were captured in saved PCI
config state.
Make BME control explicit and deterministic:
- remove pci_set_master() from device-specific probe paths
- add adf_set_bme() and call it from adf_dev_init() so BME is enabled
at one point before device bring-up
- drop redundant pci_set_master() and pci_clear_master from adf_aer.c
and rely on the unified init path for BME enablement
This is in preparation for adding reset_prepare() and reset_done()
hooks. In the PCI reset callback flow, the PCI core saves and
restores device configuration state around reset_prepare() and
reset_done(). This change is needed to ensure that we are able to
properly shutdown or reinitialize the device post sysfs triggered
resets.
Cc: stable@vger.kernel.org
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Suggested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_420xx/adf_drv.c | 2 --
drivers/crypto/intel/qat/qat_4xxx/adf_drv.c | 2 --
drivers/crypto/intel/qat/qat_6xxx/adf_drv.c | 2 --
drivers/crypto/intel/qat/qat_c3xxx/adf_drv.c | 1 -
drivers/crypto/intel/qat/qat_c3xxxvf/adf_drv.c | 1 -
drivers/crypto/intel/qat/qat_c62x/adf_drv.c | 1 -
drivers/crypto/intel/qat/qat_c62xvf/adf_drv.c | 1 -
drivers/crypto/intel/qat/qat_common/adf_aer.c | 10 +++++++---
drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 +
drivers/crypto/intel/qat/qat_common/adf_init.c | 2 ++
drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c | 1 -
drivers/crypto/intel/qat/qat_dh895xccvf/adf_drv.c | 1 -
12 files changed, 10 insertions(+), 15 deletions(-)
--- a/drivers/crypto/intel/qat/qat_420xx/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_420xx/adf_drv.c
@@ -146,8 +146,6 @@ static int adf_probe(struct pci_dev *pde
}
}
- pci_set_master(pdev);
-
if (pci_save_state(pdev)) {
dev_err(&pdev->dev, "Failed to save pci state.\n");
ret = -ENOMEM;
--- a/drivers/crypto/intel/qat/qat_4xxx/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_4xxx/adf_drv.c
@@ -148,8 +148,6 @@ static int adf_probe(struct pci_dev *pde
}
}
- pci_set_master(pdev);
-
if (pci_save_state(pdev)) {
dev_err(&pdev->dev, "Failed to save pci state.\n");
ret = -ENOMEM;
--- a/drivers/crypto/intel/qat/qat_6xxx/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_6xxx/adf_drv.c
@@ -189,8 +189,6 @@ static int adf_probe(struct pci_dev *pde
}
}
- pci_set_master(pdev);
-
/*
* The PCI config space is saved at this point and will be restored
* after a Function Level Reset (FLR) as the FLR does not completely
--- a/drivers/crypto/intel/qat/qat_c3xxx/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_c3xxx/adf_drv.c
@@ -167,7 +167,6 @@ static int adf_probe(struct pci_dev *pde
goto out_err_free_reg;
}
}
- pci_set_master(pdev);
if (pci_save_state(pdev)) {
dev_err(&pdev->dev, "Failed to save pci state\n");
--- a/drivers/crypto/intel/qat/qat_c3xxxvf/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_c3xxxvf/adf_drv.c
@@ -163,7 +163,6 @@ static int adf_probe(struct pci_dev *pde
goto out_err_free_reg;
}
}
- pci_set_master(pdev);
/* Completion for VF2PF request/response message exchange */
init_completion(&accel_dev->vf.msg_received);
--- a/drivers/crypto/intel/qat/qat_c62x/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_c62x/adf_drv.c
@@ -167,7 +167,6 @@ static int adf_probe(struct pci_dev *pde
goto out_err_free_reg;
}
}
- pci_set_master(pdev);
if (pci_save_state(pdev)) {
dev_err(&pdev->dev, "Failed to save pci state\n");
--- a/drivers/crypto/intel/qat/qat_c62xvf/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_c62xvf/adf_drv.c
@@ -163,7 +163,6 @@ static int adf_probe(struct pci_dev *pde
goto out_err_free_reg;
}
}
- pci_set_master(pdev);
/* Completion for VF2PF request/response message exchange */
init_completion(&accel_dev->vf.msg_received);
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -41,7 +41,6 @@ static pci_ers_result_t adf_error_detect
adf_error_notifier(accel_dev);
adf_pf2vf_notify_fatal_error(accel_dev);
adf_dev_restarting_notify(accel_dev);
- pci_clear_master(pdev);
adf_dev_down(accel_dev);
return PCI_ERS_RESULT_NEED_RESET;
@@ -106,6 +105,13 @@ void adf_dev_restore(struct adf_accel_de
}
}
+void adf_set_bme(struct adf_accel_dev *accel_dev)
+{
+ struct pci_dev *pdev = accel_to_pci_dev(accel_dev);
+
+ pci_set_master(pdev);
+}
+
static void adf_device_sriov_worker(struct work_struct *work)
{
struct adf_sriov_dev_data *sriov_data =
@@ -198,8 +204,6 @@ static pci_ers_result_t adf_slot_reset(s
return PCI_ERS_RESULT_DISCONNECT;
}
- if (!pdev->is_busmaster)
- pci_set_master(pdev);
pci_restore_state(pdev);
res = adf_dev_up(accel_dev, false);
if (res && res != -EALREADY)
--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
+++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
@@ -84,6 +84,7 @@ extern const struct pci_error_handlers a
void adf_reset_sbr(struct adf_accel_dev *accel_dev);
void adf_reset_flr(struct adf_accel_dev *accel_dev);
void adf_dev_restore(struct adf_accel_dev *accel_dev);
+void adf_set_bme(struct adf_accel_dev *accel_dev);
int adf_init_aer(void);
void adf_exit_aer(void);
int adf_init_arb(struct adf_accel_dev *accel_dev);
--- a/drivers/crypto/intel/qat/qat_common/adf_init.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_init.c
@@ -74,6 +74,8 @@ static int adf_dev_init(struct adf_accel
return -EFAULT;
}
+ adf_set_bme(accel_dev);
+
if (!test_bit(ADF_STATUS_CONFIGURED, &accel_dev->status) &&
!accel_dev->is_vf) {
dev_err(&GET_DEV(accel_dev), "Device not configured\n");
--- a/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c
@@ -167,7 +167,6 @@ static int adf_probe(struct pci_dev *pde
goto out_err_free_reg;
}
}
- pci_set_master(pdev);
if (pci_save_state(pdev)) {
dev_err(&pdev->dev, "Failed to save pci state\n");
--- a/drivers/crypto/intel/qat/qat_dh895xccvf/adf_drv.c
+++ b/drivers/crypto/intel/qat/qat_dh895xccvf/adf_drv.c
@@ -163,7 +163,6 @@ static int adf_probe(struct pci_dev *pde
goto out_err_free_reg;
}
}
- pci_set_master(pdev);
/* Completion for VF2PF request/response message exchange */
init_completion(&accel_dev->vf.msg_received);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 381/518] crypto: qat - fix restarting state leak on allocation failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 380/518] crypto: qat - centralize bus master enable Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 382/518] crypto: qat - handle sysfs-triggered reset callbacks Greg Kroah-Hartman
` (140 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Maksim Lukoshkov,
Giovanni Cabiddu, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 7d3ed20f7e46b3e991936fedd7a28f3ff4aec8d2 upstream.
In adf_dev_aer_schedule_reset(), ADF_STATUS_RESTARTING is set before
allocating reset_data. If the allocation fails, the function returns
-ENOMEM without queuing reset work, so nothing ever clears the bit.
This leaves the device permanently stuck in the restarting state,
causing all subsequent reset attempts to be silently skipped.
Fix this by using test_and_set_bit() to atomically claim the
RESTARTING state, preventing duplicate reset scheduling races under
concurrent fatal error reporting. If the subsequent allocation fails,
clear the bit to restore clean state so future reset attempts can
proceed.
Cc: stable@vger.kernel.org
Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Co-developed-by: Maksim Lukoshkov <maksim.lukoshkov@intel.com>
Signed-off-by: Maksim Lukoshkov <maksim.lukoshkov@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_aer.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -162,13 +162,14 @@ static int adf_dev_aer_schedule_reset(st
struct adf_reset_dev_data *reset_data;
if (!adf_dev_started(accel_dev) ||
- test_bit(ADF_STATUS_RESTARTING, &accel_dev->status))
+ test_and_set_bit(ADF_STATUS_RESTARTING, &accel_dev->status))
return 0;
- set_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
reset_data = kzalloc_obj(*reset_data);
- if (!reset_data)
+ if (!reset_data) {
+ clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
return -ENOMEM;
+ }
reset_data->accel_dev = accel_dev;
init_completion(&reset_data->compl);
reset_data->mode = mode;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 382/518] crypto: qat - handle sysfs-triggered reset callbacks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 381/518] crypto: qat - fix restarting state leak on allocation failure Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 383/518] crypto: qat - keep VFs enabled during reset Greg Kroah-Hartman
` (139 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Damian Muszynski, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 4627ef7019bc532f992c0723e881811ce12f0a02 upstream.
A reset requested through /sys/bus/pci/devices/.../reset invokes the
driver reset_prepare() and reset_done() callbacks. The QAT driver does
not implement those callbacks today, so the reset proceeds without
quiescing the device or bringing it back up afterward, which leaves
the device unusable.
Hook reset_prepare() and reset_done() into adf_err_handler so the
common shutdown and recovery flow also runs for reset. Skip device
quiesce if the device is already in a down state.
Cc: stable@vger.kernel.org
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_aer.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -223,10 +223,22 @@ static void adf_resume(struct pci_dev *p
dev_info(&pdev->dev, "Device is up and running\n");
}
+static void adf_reset_prepare(struct pci_dev *pdev)
+{
+ reset_prepare(pdev);
+}
+
+static void adf_reset_done(struct pci_dev *pdev)
+{
+ reset_done(pdev);
+}
+
const struct pci_error_handlers adf_err_handler = {
.error_detected = adf_error_detected,
.slot_reset = adf_slot_reset,
.resume = adf_resume,
+ .reset_prepare = adf_reset_prepare,
+ .reset_done = adf_reset_done,
};
EXPORT_SYMBOL_GPL(adf_err_handler);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 383/518] crypto: qat - keep VFs enabled during reset
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 382/518] crypto: qat - handle sysfs-triggered reset callbacks Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 384/518] crypto: qat - notify fatal error before AER reset preparation Greg Kroah-Hartman
` (138 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Damian Muszynski, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 57518500053987672050dc2f7bf8a774d5d52fd9 upstream.
When a reset is triggered via sysfs, the PCI core invokes the
reset_prepare() callback while holding pci_dev_lock(), which includes
the PCI configuration space access semaphore. If reset_prepare() calls
adf_dev_down(), the call chain adf_dev_stop() -> adf_disable_sriov()
-> pci_disable_sriov() attempts to acquire the same semaphore,
resulting in a deadlock.
Avoid this by skipping pci_disable_sriov() when ADF_STATUS_RESTARTING
is set. During reset the PCI topology is preserved, so VF devices
remain valid and enumerated across the reset. VF notification and the
quiesce handshake via adf_pf2vf_notify_restarting() are still
performed unconditionally so that VFs stop submitting work before the
PF shuts down.
Correspondingly, skip pci_enable_sriov() in adf_enable_sriov() when
VFs are already present, since their PCI devices were preserved from
before the restart.
This is in preparation for adding reset_prepare() and reset_done()
callbacks in adf_aer.c.
Cc: stable@vger.kernel.org
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_sriov.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/crypto/intel/qat/qat_common/adf_sriov.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_sriov.c
@@ -91,6 +91,10 @@ static int adf_enable_sriov(struct adf_a
/* Enable VF to PF interrupts for all VFs */
adf_enable_all_vf2pf_interrupts(accel_dev, totalvfs);
+ /* Do not enable SR-IOV if already enabled */
+ if (pci_num_vf(pdev))
+ return 0;
+
/*
* Due to the hardware design, when SR-IOV and the ring arbiter
* are enabled all the VFs supported in hardware must be enabled in
@@ -260,7 +264,13 @@ void adf_disable_sriov(struct adf_accel_
adf_pf2vf_notify_restarting(accel_dev);
adf_pf2vf_wait_for_restarting_complete(accel_dev);
- pci_disable_sriov(accel_to_pci_dev(accel_dev));
+ /*
+ * When the device is restarting, preserve VF PCI devices across
+ * the reset by skipping pci_disable_sriov(). VFs are notified to
+ * quiesce regardless so the PF can safely shut down.
+ */
+ if (!test_bit(ADF_STATUS_RESTARTING, &accel_dev->status))
+ pci_disable_sriov(accel_to_pci_dev(accel_dev));
/* Block VF2PF work and disable VF to PF interrupts */
adf_disable_all_vf2pf_interrupts(accel_dev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 384/518] crypto: qat - notify fatal error before AER reset preparation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 383/518] crypto: qat - keep VFs enabled during reset Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 385/518] crypto: qat - protect service table iterations with service_lock Greg Kroah-Hartman
` (137 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Damian Muszynski, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 6931835f2fdd0cb9b1c7791748d7e67d0749056a upstream.
Send fatal error notifications to subsystems and VFs as soon as
AER error detection starts, before entering the reset preparation
shutdown sequence.
This reduces notification latency and ensures peers are informed
immediately on fatal detection, rather than after restart-state setup
and arbitration teardown.
Cc: stable@vger.kernel.org
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_aer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -33,13 +33,13 @@ static pci_ers_result_t adf_error_detect
return PCI_ERS_RESULT_DISCONNECT;
}
+ adf_error_notifier(accel_dev);
+ adf_pf2vf_notify_fatal_error(accel_dev);
set_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
if (accel_dev->hw_device->exit_arb) {
dev_dbg(&pdev->dev, "Disabling arbitration\n");
accel_dev->hw_device->exit_arb(accel_dev);
}
- adf_error_notifier(accel_dev);
- adf_pf2vf_notify_fatal_error(accel_dev);
adf_dev_restarting_notify(accel_dev);
adf_dev_down(accel_dev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 385/518] crypto: qat - protect service table iterations with service_lock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 384/518] crypto: qat - notify fatal error before AER reset preparation Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 386/518] crypto: qat - skip restart for down devices Greg Kroah-Hartman
` (136 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Maksim Lukoshkov,
Giovanni Cabiddu, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 5c6f845e77ec35f9b7b047cc8f9789bf397cdd3e upstream.
The service_table list is protected by service_lock when entries are
added or removed (in adf_service_add() and adf_service_remove()), but
several functions iterate over the list without holding this lock.
A concurrent adf_service_register() or adf_service_unregister() call
could modify the list during traversal, leading to list corruption or
a use-after-free.
Fix this by holding service_lock across all list_for_each_entry()
iterations of service_table in adf_dev_init(), adf_dev_start(),
adf_dev_stop(), adf_dev_shutdown(), adf_dev_restarting_notify(),
adf_dev_restarted_notify(), and adf_error_notifier().
The lock ordering is safe: callers of the static helpers (adf_dev_up()
and adf_dev_down()) acquire state_lock before service_lock, and no
event_hld callback or service_lock holder ever acquires state_lock in
the reverse order.
Cc: stable@vger.kernel.org
Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Co-developed-by: Maksim Lukoshkov <maksim.lukoshkov@intel.com>
Signed-off-by: Maksim Lukoshkov <maksim.lukoshkov@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_init.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/crypto/intel/qat/qat_common/adf_init.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_init.c
@@ -155,15 +155,18 @@ static int adf_dev_init(struct adf_accel
* This is to facilitate any ordering dependencies between services
* prior to starting any of the accelerators.
*/
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (service->event_hld(accel_dev, ADF_EVENT_INIT)) {
dev_err(&GET_DEV(accel_dev),
"Failed to initialise service %s\n",
service->name);
+ mutex_unlock(&service_lock);
return -EFAULT;
}
set_bit(accel_dev->accel_id, service->init_status);
}
+ mutex_unlock(&service_lock);
return 0;
}
@@ -233,15 +236,18 @@ static int adf_dev_start(struct adf_acce
if (ret && ret != -EOPNOTSUPP)
return ret;
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (service->event_hld(accel_dev, ADF_EVENT_START)) {
dev_err(&GET_DEV(accel_dev),
"Failed to start service %s\n",
service->name);
+ mutex_unlock(&service_lock);
return -EFAULT;
}
set_bit(accel_dev->accel_id, service->start_status);
}
+ mutex_unlock(&service_lock);
clear_bit(ADF_STATUS_STARTING, &accel_dev->status);
set_bit(ADF_STATUS_STARTED, &accel_dev->status);
@@ -315,6 +321,7 @@ static void adf_dev_stop(struct adf_acce
qat_comp_algs_unregister(hw_data->accel_capabilities_ext_mask);
clear_bit(ADF_STATUS_COMP_ALGS_REGISTERED, &accel_dev->status);
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (!test_bit(accel_dev->accel_id, service->start_status))
continue;
@@ -326,6 +333,7 @@ static void adf_dev_stop(struct adf_acce
clear_bit(accel_dev->accel_id, service->start_status);
}
}
+ mutex_unlock(&service_lock);
if (hw_data->stop_timer)
hw_data->stop_timer(accel_dev);
@@ -375,6 +383,7 @@ static void adf_dev_shutdown(struct adf_
&accel_dev->status);
}
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (!test_bit(accel_dev->accel_id, service->init_status))
continue;
@@ -385,6 +394,7 @@ static void adf_dev_shutdown(struct adf_
else
clear_bit(accel_dev->accel_id, service->init_status);
}
+ mutex_unlock(&service_lock);
adf_rl_exit(accel_dev);
@@ -419,12 +429,14 @@ int adf_dev_restarting_notify(struct adf
{
struct service_hndl *service;
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (service->event_hld(accel_dev, ADF_EVENT_RESTARTING))
dev_err(&GET_DEV(accel_dev),
"Failed to restart service %s.\n",
service->name);
}
+ mutex_unlock(&service_lock);
return 0;
}
@@ -432,12 +444,14 @@ int adf_dev_restarted_notify(struct adf_
{
struct service_hndl *service;
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (service->event_hld(accel_dev, ADF_EVENT_RESTARTED))
dev_err(&GET_DEV(accel_dev),
"Failed to restart service %s.\n",
service->name);
}
+ mutex_unlock(&service_lock);
return 0;
}
@@ -445,12 +459,14 @@ void adf_error_notifier(struct adf_accel
{
struct service_hndl *service;
+ mutex_lock(&service_lock);
list_for_each_entry(service, &service_table, list) {
if (service->event_hld(accel_dev, ADF_EVENT_FATAL_ERROR))
dev_err(&GET_DEV(accel_dev),
"Failed to send error event to %s.\n",
service->name);
}
+ mutex_unlock(&service_lock);
}
int adf_dev_down(struct adf_accel_dev *accel_dev)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 386/518] crypto: qat - skip restart for down devices
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 385/518] crypto: qat - protect service table iterations with service_lock Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 387/518] crypto: qat - validate RSA CRT component lengths Greg Kroah-Hartman
` (135 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 9676657117b79f88c22875680c36d7da84b75eca upstream.
Skip the shutdown and restart flow when adf_slot_reset() is entered
for a device that is already down. In that case, leave
ADF_STATUS_RESTARTING clear and let adf_slot_reset() restore PCI
function state without calling adf_dev_up(), re-enabling SR-IOV, or
sending restarted notifications.
This is in preparation for adding reset_prepare() and reset_done()
callbacks in adf_aer.c.
Cc: stable@vger.kernel.org
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_aer.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -33,6 +33,9 @@ static pci_ers_result_t adf_error_detect
return PCI_ERS_RESULT_DISCONNECT;
}
+ if (!adf_dev_started(accel_dev))
+ return PCI_ERS_RESULT_CAN_RECOVER;
+
adf_error_notifier(accel_dev);
adf_pf2vf_notify_fatal_error(accel_dev);
set_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
@@ -205,6 +208,9 @@ static pci_ers_result_t adf_slot_reset(s
return PCI_ERS_RESULT_DISCONNECT;
}
+ if (!adf_devmgr_in_reset(accel_dev))
+ goto reset_complete;
+
pci_restore_state(pdev);
res = adf_dev_up(accel_dev, false);
if (res && res != -EALREADY)
@@ -214,6 +220,8 @@ static pci_ers_result_t adf_slot_reset(s
adf_pf2vf_notify_restarted(accel_dev);
adf_dev_restarted_notify(accel_dev);
clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
+
+reset_complete:
return PCI_ERS_RESULT_RECOVERED;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 387/518] crypto: qat - validate RSA CRT component lengths
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 386/518] crypto: qat - skip restart for down devices Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 388/518] crypto: qat - factor out AER reset helpers Greg Kroah-Hartman
` (134 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu, Ahsan Atta,
Laurent M Coquerel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
commit b3ac78756588059729b9195fcc9f4b37d54057a5 upstream.
The generic RSA key parser (rsa_helper.c) bounds each CRT component (p,
q, dp, dq, qinv) by the modulus size n_sz, but qat_rsa_setkey_crt()
allocates half-size DMA buffers (key_sz / 2) and right-aligns each
component with:
memcpy(dst + half_key_sz - len, src, len)
When a CRT component is larger than half_key_sz the subtraction
underflows and memcpy writes past the DMA buffer, causing memory
corruption.
Add a len > half_key_sz check next to the existing !len check for each
of the five CRT components so the driver falls back to the non-CRT path
instead of writing out of bounds.
Fixes: 879f77e9071f ("crypto: qat - Add RSA CRT mode")
Cc: stable@vger.kernel.org
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
Tested-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/qat_asym_algs.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/crypto/intel/qat/qat_common/qat_asym_algs.c
+++ b/drivers/crypto/intel/qat/qat_common/qat_asym_algs.c
@@ -1085,7 +1085,7 @@ static void qat_rsa_setkey_crt(struct qa
ptr = rsa_key->p;
len = rsa_key->p_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
- if (!len)
+ if (!len || len > half_key_sz)
goto err;
ctx->p = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_p, GFP_KERNEL);
if (!ctx->p)
@@ -1096,7 +1096,7 @@ static void qat_rsa_setkey_crt(struct qa
ptr = rsa_key->q;
len = rsa_key->q_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
- if (!len)
+ if (!len || len > half_key_sz)
goto free_p;
ctx->q = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_q, GFP_KERNEL);
if (!ctx->q)
@@ -1107,7 +1107,7 @@ static void qat_rsa_setkey_crt(struct qa
ptr = rsa_key->dp;
len = rsa_key->dp_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
- if (!len)
+ if (!len || len > half_key_sz)
goto free_q;
ctx->dp = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_dp,
GFP_KERNEL);
@@ -1119,7 +1119,7 @@ static void qat_rsa_setkey_crt(struct qa
ptr = rsa_key->dq;
len = rsa_key->dq_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
- if (!len)
+ if (!len || len > half_key_sz)
goto free_dp;
ctx->dq = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_dq,
GFP_KERNEL);
@@ -1131,7 +1131,7 @@ static void qat_rsa_setkey_crt(struct qa
ptr = rsa_key->qinv;
len = rsa_key->qinv_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
- if (!len)
+ if (!len || len > half_key_sz)
goto free_dq;
ctx->qinv = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_qinv,
GFP_KERNEL);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 388/518] crypto: qat - factor out AER reset helpers
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 387/518] crypto: qat - validate RSA CRT component lengths Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 389/518] crypto: talitos - use dma_sync_single_for_cpu() before reading descriptor header Greg Kroah-Hartman
` (133 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Damian Muszynski, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
commit 56707afb92fee371c0f2e04332c9aa03cdb89793 upstream.
Move the shutdown and recovery sequences out of adf_error_detected()
and adf_slot_reset() into reset_prepare() and reset_done() helpers.
This makes the AER recovery path easier to follow and prepares the
common reset flow for reuse by additional PCI reset callbacks without
duplicating the logic.
No functional change intended.
Cc: stable@vger.kernel.org
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_aer.c | 86 ++++++++++++++++----------
1 file changed, 53 insertions(+), 33 deletions(-)
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -17,27 +17,18 @@ struct adf_fatal_error_data {
static struct workqueue_struct *device_reset_wq;
static struct workqueue_struct *device_sriov_wq;
-static pci_ers_result_t adf_error_detected(struct pci_dev *pdev,
- pci_channel_state_t state)
+static pci_ers_result_t reset_prepare(struct pci_dev *pdev)
{
struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev);
- dev_info(&pdev->dev, "Acceleration driver hardware error detected.\n");
if (!accel_dev) {
dev_err(&pdev->dev, "Can't find acceleration device\n");
return PCI_ERS_RESULT_DISCONNECT;
}
- if (state == pci_channel_io_perm_failure) {
- dev_err(&pdev->dev, "Can't recover from device error\n");
- return PCI_ERS_RESULT_DISCONNECT;
- }
-
if (!adf_dev_started(accel_dev))
return PCI_ERS_RESULT_CAN_RECOVER;
- adf_error_notifier(accel_dev);
- adf_pf2vf_notify_fatal_error(accel_dev);
set_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
if (accel_dev->hw_device->exit_arb) {
dev_dbg(&pdev->dev, "Disabling arbitration\n");
@@ -49,6 +40,57 @@ static pci_ers_result_t adf_error_detect
return PCI_ERS_RESULT_NEED_RESET;
}
+static pci_ers_result_t reset_done(struct pci_dev *pdev)
+{
+ struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev);
+ int res;
+
+ if (!accel_dev) {
+ dev_err(&pdev->dev, "Can't find acceleration device\n");
+ return PCI_ERS_RESULT_DISCONNECT;
+ }
+
+ if (!adf_devmgr_in_reset(accel_dev))
+ goto reset_complete;
+
+ pci_restore_state(pdev);
+ res = adf_dev_up(accel_dev, false);
+ if (res && res != -EALREADY)
+ return PCI_ERS_RESULT_DISCONNECT;
+
+ adf_reenable_sriov(accel_dev);
+ adf_pf2vf_notify_restarted(accel_dev);
+ adf_dev_restarted_notify(accel_dev);
+ clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
+
+reset_complete:
+ dev_info(&pdev->dev, "Device reset completed successfully\n");
+
+ return PCI_ERS_RESULT_RECOVERED;
+}
+
+static pci_ers_result_t adf_error_detected(struct pci_dev *pdev,
+ pci_channel_state_t state)
+{
+ struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev);
+
+ dev_info(&pdev->dev, "Acceleration driver hardware error detected.\n");
+ if (!accel_dev) {
+ dev_err(&pdev->dev, "Can't find acceleration device\n");
+ return PCI_ERS_RESULT_DISCONNECT;
+ }
+
+ if (state == pci_channel_io_perm_failure) {
+ dev_err(&pdev->dev, "Can't recover from device error\n");
+ return PCI_ERS_RESULT_DISCONNECT;
+ }
+
+ adf_error_notifier(accel_dev);
+ adf_pf2vf_notify_fatal_error(accel_dev);
+
+ return reset_prepare(pdev);
+}
+
/* reset dev data */
struct adf_reset_dev_data {
int mode;
@@ -200,29 +242,7 @@ static int adf_dev_aer_schedule_reset(st
static pci_ers_result_t adf_slot_reset(struct pci_dev *pdev)
{
- struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev);
- int res = 0;
-
- if (!accel_dev) {
- pr_err("QAT: Can't find acceleration device\n");
- return PCI_ERS_RESULT_DISCONNECT;
- }
-
- if (!adf_devmgr_in_reset(accel_dev))
- goto reset_complete;
-
- pci_restore_state(pdev);
- res = adf_dev_up(accel_dev, false);
- if (res && res != -EALREADY)
- return PCI_ERS_RESULT_DISCONNECT;
-
- adf_reenable_sriov(accel_dev);
- adf_pf2vf_notify_restarted(accel_dev);
- adf_dev_restarted_notify(accel_dev);
- clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status);
-
-reset_complete:
- return PCI_ERS_RESULT_RECOVERED;
+ return reset_done(pdev);
}
static void adf_resume(struct pci_dev *pdev)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 389/518] crypto: talitos - use dma_sync_single_for_cpu() before reading descriptor header
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 388/518] crypto: qat - factor out AER reset helpers Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 390/518] crypto: talitos - add chaining of arbitrary number of descriptor for the SEC1 Greg Kroah-Hartman
` (132 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit e17ff3d6ff907dc8406261e8fd3e1fc8a908f0f6 upstream.
In order to know if a descriptor has been processed by the device,
the driver polls the FIFO to see if DESC_HDR_DONE is set on a descriptor
header to confirm completion.
The current code does not make sure that the CPU gets up to date data
before reading the descriptor.
Fix this by calling dma_sync_single_for_cpu() before reading memory
written by the device.
Cc: stable@vger.kernel.org
Fixes: 58cdbc6d2263 ("crypto: talitos - fix hash on SEC1.")
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -322,19 +322,31 @@ static int talitos_submit(struct device
return -EINPROGRESS;
}
-static __be32 get_request_hdr(struct talitos_request *request, bool is_sec1)
+static __be32 get_request_hdr(struct device *dev,
+ struct talitos_request *request, bool is_sec1)
{
struct talitos_edesc *edesc;
- if (!is_sec1)
+ if (!is_sec1) {
+ dma_sync_single_for_cpu(dev, request->dma_desc,
+ TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
+
return request->desc->hdr;
+ }
- if (!request->desc->next_desc)
+ if (!request->desc->next_desc) {
+ dma_sync_single_for_cpu(dev, request->dma_desc,
+ TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
return request->desc->hdr1;
-
- edesc = container_of(request->desc, struct talitos_edesc, desc);
-
- return ((struct talitos_desc *)(edesc->buf + edesc->dma_len))->hdr1;
+ } else {
+ dma_sync_single_for_cpu(dev,
+ be32_to_cpu(request->desc->next_desc),
+ TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
+ edesc = container_of(request->desc, struct talitos_edesc, desc);
+
+ return ((struct talitos_desc *)(edesc->buf + edesc->dma_len))
+ ->hdr1;
+ }
}
/*
@@ -358,7 +370,7 @@ static void flush_channel(struct device
/* descriptors with their done bits set don't get the error */
rmb();
- hdr = get_request_hdr(request, is_sec1);
+ hdr = get_request_hdr(dev, request, is_sec1);
if ((hdr & DESC_HDR_DONE) == DESC_HDR_DONE)
status = 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 390/518] crypto: talitos - add chaining of arbitrary number of descriptor for the SEC1
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 389/518] crypto: talitos - use dma_sync_single_for_cpu() before reading descriptor header Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:30 ` [PATCH 7.1 391/518] crypto: talitos - move dma unmapping code in flush_channel() into a standalone dma_unmap_request() function Greg Kroah-Hartman
` (131 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit f126384ed55279c3b676f89d5ab547b8de8df782 upstream.
The SEC1 hardware can process a chain of descriptors without host
intervention. Only the hash implementation currently use this feature,
but with a chain of at most 2 descriptors added in commit 37b5e8897eb5
("crypto: talitos - chain in buffered data for ahash on SEC1").
Add supports for chaining an arbitrary number of descriptors in a chain.
Adapt the ahash implementation to make it compatible.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 180 +++++++++++++++++++++++++++++++----------------
drivers/crypto/talitos.h | 2
2 files changed, 124 insertions(+), 58 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -273,7 +273,10 @@ static int talitos_submit(struct device
void *context, int error),
void *context)
{
+ struct talitos_edesc *edesc = container_of(desc, struct talitos_edesc, desc);
struct talitos_private *priv = dev_get_drvdata(dev);
+ dma_addr_t dma_desc, prev_dma_desc;
+ struct talitos_edesc *prev_edesc = NULL;
struct talitos_request *request;
unsigned long flags;
int head;
@@ -292,10 +295,31 @@ static int talitos_submit(struct device
/* map descriptor and save caller data */
if (is_sec1) {
- desc->hdr1 = desc->hdr;
- request->dma_desc = dma_map_single(dev, &desc->hdr1,
+ while (edesc) {
+ edesc->desc.hdr1 = edesc->desc.hdr;
+
+ dma_desc = dma_map_single(dev, &edesc->desc.hdr1,
+ TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+
+ if (!prev_edesc) {
+ request->dma_desc = dma_desc;
+ goto next;
+ }
+
+ /* Chain in any previous descriptors. */
+
+ prev_edesc->desc.next_desc = cpu_to_be32(dma_desc);
+
+ dma_sync_single_for_device(dev, prev_dma_desc,
TALITOS_DESC_SIZE,
- DMA_BIDIRECTIONAL);
+ DMA_TO_DEVICE);
+
+next:
+ prev_edesc = edesc;
+ prev_dma_desc = dma_desc;
+ edesc = edesc->next_desc;
+ }
} else {
request->dma_desc = dma_map_single(dev, desc,
TALITOS_DESC_SIZE,
@@ -326,6 +350,7 @@ static __be32 get_request_hdr(struct dev
struct talitos_request *request, bool is_sec1)
{
struct talitos_edesc *edesc;
+ dma_addr_t dma_desc;
if (!is_sec1) {
dma_sync_single_for_cpu(dev, request->dma_desc,
@@ -334,19 +359,17 @@ static __be32 get_request_hdr(struct dev
return request->desc->hdr;
}
- if (!request->desc->next_desc) {
- dma_sync_single_for_cpu(dev, request->dma_desc,
- TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
- return request->desc->hdr1;
- } else {
- dma_sync_single_for_cpu(dev,
- be32_to_cpu(request->desc->next_desc),
- TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
- edesc = container_of(request->desc, struct talitos_edesc, desc);
-
- return ((struct talitos_desc *)(edesc->buf + edesc->dma_len))
- ->hdr1;
+ edesc = container_of(request->desc, struct talitos_edesc, desc);
+ dma_desc = request->dma_desc;
+ while (edesc->next_desc) {
+ dma_desc = be32_to_cpu(edesc->desc.next_desc);
+ edesc = edesc->next_desc;
}
+
+ dma_sync_single_for_cpu(dev, dma_desc, TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+
+ return edesc->desc.hdr1;
}
/*
@@ -356,6 +379,7 @@ static void flush_channel(struct device
{
struct talitos_private *priv = dev_get_drvdata(dev);
struct talitos_request *request, saved_req;
+ struct talitos_edesc *edesc;
unsigned long flags;
int tail, status;
bool is_sec1 = has_ftr_sec1(priv);
@@ -380,9 +404,22 @@ static void flush_channel(struct device
else
status = error;
- dma_unmap_single(dev, request->dma_desc,
- TALITOS_DESC_SIZE,
- DMA_BIDIRECTIONAL);
+ if (is_sec1) {
+ dma_unmap_single(dev, request->dma_desc,
+ TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
+ edesc = container_of(request->desc,
+ struct talitos_edesc, desc);
+ while (edesc->next_desc) {
+ dma_unmap_single(
+ dev, be32_to_cpu(edesc->desc.next_desc),
+ TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
+ edesc = edesc->next_desc;
+ }
+ } else {
+ dma_unmap_single(dev, request->dma_desc,
+ TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+ }
/* copy entries so we can call callback outside lock */
saved_req.desc = request->desc;
@@ -477,8 +514,12 @@ DEF_TALITOS2_DONE(ch1_3, TALITOS2_ISR_CH
static __be32 current_desc_hdr(struct device *dev, int ch)
{
struct talitos_private *priv = dev_get_drvdata(dev);
+ bool is_sec1 = has_ftr_sec1(priv);
+ struct talitos_request *request;
+ struct talitos_edesc *edesc;
int tail, iter;
dma_addr_t cur_desc;
+ __be32 hdr = 0;
cur_desc = ((u64)in_be32(priv->chan[ch].reg + TALITOS_CDPR)) << 32;
cur_desc |= in_be32(priv->chan[ch].reg + TALITOS_CDPR_LO);
@@ -489,27 +530,35 @@ static __be32 current_desc_hdr(struct de
}
tail = priv->chan[ch].tail;
-
iter = tail;
- while (priv->chan[ch].fifo[iter].dma_desc != cur_desc &&
- priv->chan[ch].fifo[iter].desc->next_desc != cpu_to_be32(cur_desc)) {
- iter = (iter + 1) & (priv->fifo_len - 1);
- if (iter == tail) {
- dev_err(dev, "couldn't locate current descriptor\n");
- return 0;
+ do {
+ request = &priv->chan[ch].fifo[iter];
+
+ if (request->dma_desc == cur_desc) {
+ hdr = request->desc->hdr;
+ } else if (is_sec1) {
+ edesc = container_of(request->desc,
+ struct talitos_edesc, desc);
+ while (edesc->next_desc) {
+ if (edesc->desc.next_desc ==
+ cpu_to_be32(cur_desc)) {
+ hdr = edesc->next_desc->desc.hdr1;
+ break;
+ }
+ edesc = edesc->next_desc;
+ }
}
- }
- if (priv->chan[ch].fifo[iter].desc->next_desc == cpu_to_be32(cur_desc)) {
- struct talitos_edesc *edesc;
+ if (hdr)
+ break;
- edesc = container_of(priv->chan[ch].fifo[iter].desc,
- struct talitos_edesc, desc);
- return ((struct talitos_desc *)
- (edesc->buf + edesc->dma_len))->hdr;
- }
+ iter = (iter + 1) & (priv->fifo_len - 1);
+ } while (iter != tail);
+
+ if (!hdr)
+ dev_err(dev, "couldn't locate current descriptor\n");
- return priv->chan[ch].fifo[iter].desc->hdr;
+ return hdr;
}
/*
@@ -1408,10 +1457,6 @@ static struct talitos_edesc *talitos_ede
dma_len = 0;
}
alloc_len += icv_stashing ? authsize : 0;
-
- /* if its a ahash, add space for a second desc next to the first one */
- if (is_sec1 && !dst)
- alloc_len += sizeof(struct talitos_desc);
alloc_len += ivsize;
edesc = kmalloc(ALIGN(alloc_len, dma_get_cache_alignment()), flags);
@@ -1427,6 +1472,7 @@ static struct talitos_edesc *talitos_ede
edesc->dst_nents = dst_nents;
edesc->iv_dma = iv_dma;
edesc->dma_len = dma_len;
+ edesc->next_desc = NULL;
if (dma_len)
edesc->dma_link_tbl = dma_map_single(dev, &edesc->link_tbl[0],
edesc->dma_len,
@@ -1727,8 +1773,10 @@ static void common_nonsnoop_hash_unmap(s
struct talitos_private *priv = dev_get_drvdata(dev);
bool is_sec1 = has_ftr_sec1(priv);
struct talitos_desc *desc = &edesc->desc;
- struct talitos_desc *desc2 = (struct talitos_desc *)
- (edesc->buf + edesc->dma_len);
+ struct talitos_desc *desc2;
+
+ if (desc->next_desc)
+ desc2 = &edesc->next_desc->desc;
unmap_single_talitos_ptr(dev, &desc->ptr[5], DMA_FROM_DEVICE);
if (desc->next_desc &&
@@ -1756,10 +1804,17 @@ static void common_nonsnoop_hash_unmap(s
if (edesc->dma_len)
dma_unmap_single(dev, edesc->dma_link_tbl, edesc->dma_len,
DMA_BIDIRECTIONAL);
+}
- if (desc->next_desc)
- dma_unmap_single(dev, be32_to_cpu(desc->next_desc),
- TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
+static void free_edesc_list_from(struct talitos_edesc *edesc)
+{
+ struct talitos_edesc *next;
+
+ while (edesc) {
+ next = edesc->next_desc;
+ kfree(edesc);
+ edesc = next;
+ }
}
static void ahash_done(struct device *dev,
@@ -1778,7 +1833,7 @@ static void ahash_done(struct device *de
}
common_nonsnoop_hash_unmap(dev, edesc, areq);
- kfree(edesc);
+ free_edesc_list_from(edesc);
if (err) {
ahash_request_complete(areq, err);
@@ -1894,14 +1949,23 @@ static int common_nonsnoop_hash(struct t
talitos_handle_buggy_hash(ctx, edesc, &desc->ptr[3]);
if (is_sec1 && req_ctx->nbuf && length) {
- struct talitos_desc *desc2 = (struct talitos_desc *)
- (edesc->buf + edesc->dma_len);
- dma_addr_t next_desc;
+ struct talitos_edesc *edesc2;
+ struct talitos_desc *desc2;
+
+ edesc2 = kzalloc(sizeof(*edesc2),
+ areq->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
+ GFP_KERNEL :
+ GFP_ATOMIC);
+ if (!edesc2) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ edesc->next_desc = edesc2;
+
+ desc2 = &edesc2->desc;
- memset(desc2, 0, sizeof(*desc2));
desc2->hdr = desc->hdr;
desc2->hdr &= ~DESC_HDR_MODE0_MDEU_INIT;
- desc2->hdr1 = desc2->hdr;
desc->hdr &= ~DESC_HDR_MODE0_MDEU_PAD;
desc->hdr |= DESC_HDR_MODE0_MDEU_CONT;
desc->hdr &= ~DESC_HDR_DONE_NOTIFY;
@@ -1925,21 +1989,21 @@ static int common_nonsnoop_hash(struct t
req_ctx->hw_context_size,
req_ctx->hw_context,
DMA_FROM_DEVICE);
-
- next_desc = dma_map_single(dev, &desc2->hdr1, TALITOS_DESC_SIZE,
- DMA_BIDIRECTIONAL);
- desc->next_desc = cpu_to_be32(next_desc);
}
if (sync_needed)
dma_sync_single_for_device(dev, edesc->dma_link_tbl,
edesc->dma_len, DMA_BIDIRECTIONAL);
- ret = talitos_submit(dev, ctx->ch, desc, callback, areq);
- if (ret != -EINPROGRESS) {
- common_nonsnoop_hash_unmap(dev, edesc, areq);
- kfree(edesc);
- }
+ ret = talitos_submit(dev, ctx->ch, desc, callback,
+ areq);
+ if (ret != -EINPROGRESS)
+ goto err;
+
+ return -EINPROGRESS;
+err:
+ common_nonsnoop_hash_unmap(dev, edesc, areq);
+ kfree(edesc);
return ret;
}
--- a/drivers/crypto/talitos.h
+++ b/drivers/crypto/talitos.h
@@ -49,6 +49,7 @@ struct talitos_desc {
* @iv_dma: dma address of iv for checking continuity and link table
* @dma_len: length of dma mapped link_tbl space
* @dma_link_tbl: bus physical address of link_tbl/buf
+ * @next_desc: next descriptor
* @desc: h/w descriptor
* @link_tbl: input and output h/w link tables (if {src,dst}_nents > 1) (SEC2)
* @buf: input and output buffeur (if {src,dst}_nents > 1) (SEC1)
@@ -63,6 +64,7 @@ struct talitos_edesc {
dma_addr_t iv_dma;
int dma_len;
dma_addr_t dma_link_tbl;
+ struct talitos_edesc *next_desc;
struct talitos_desc desc;
union {
DECLARE_FLEX_ARRAY(struct talitos_ptr, link_tbl);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 391/518] crypto: talitos - move dma unmapping code in flush_channel() into a standalone dma_unmap_request() function
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 390/518] crypto: talitos - add chaining of arbitrary number of descriptor for the SEC1 Greg Kroah-Hartman
@ 2026-07-16 13:30 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 392/518] crypto: talitos - move dma mapping code in talitos_submit() into a standalone dma_map_request() function Greg Kroah-Hartman
` (130 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit 4d9b0b7415b9e79a3d54d18b5ff230974ea78740 upstream.
Previously added code to flush_channel() in order to unmap an entire
descriptor.
Move that code into a standalone function to improve readability.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 39 ++++++++++++++++++++++-----------------
1 file changed, 22 insertions(+), 17 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -372,6 +372,27 @@ static __be32 get_request_hdr(struct dev
return edesc->desc.hdr1;
}
+static void dma_unmap_request(struct device *dev,
+ struct talitos_request *request, bool is_sec1)
+{
+ struct talitos_edesc *edesc;
+
+ if (is_sec1) {
+ dma_unmap_single(dev, request->dma_desc, TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+ edesc = container_of(request->desc, struct talitos_edesc, desc);
+ while (edesc->next_desc) {
+ dma_unmap_single(dev,
+ be32_to_cpu(edesc->desc.next_desc),
+ TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
+ edesc = edesc->next_desc;
+ }
+ } else {
+ dma_unmap_single(dev, request->dma_desc, TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+ }
+}
+
/*
* process what was done, notify callback of error if not
*/
@@ -379,7 +400,6 @@ static void flush_channel(struct device
{
struct talitos_private *priv = dev_get_drvdata(dev);
struct talitos_request *request, saved_req;
- struct talitos_edesc *edesc;
unsigned long flags;
int tail, status;
bool is_sec1 = has_ftr_sec1(priv);
@@ -404,22 +424,7 @@ static void flush_channel(struct device
else
status = error;
- if (is_sec1) {
- dma_unmap_single(dev, request->dma_desc,
- TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
- edesc = container_of(request->desc,
- struct talitos_edesc, desc);
- while (edesc->next_desc) {
- dma_unmap_single(
- dev, be32_to_cpu(edesc->desc.next_desc),
- TALITOS_DESC_SIZE, DMA_BIDIRECTIONAL);
- edesc = edesc->next_desc;
- }
- } else {
- dma_unmap_single(dev, request->dma_desc,
- TALITOS_DESC_SIZE,
- DMA_BIDIRECTIONAL);
- }
+ dma_unmap_request(dev, request, is_sec1);
/* copy entries so we can call callback outside lock */
saved_req.desc = request->desc;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 392/518] crypto: talitos - move dma mapping code in talitos_submit() into a standalone dma_map_request() function
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-07-16 13:30 ` [PATCH 7.1 391/518] crypto: talitos - move dma unmapping code in flush_channel() into a standalone dma_unmap_request() function Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 393/518] crypto: talitos - move code in current_desc_hdr() into a standalone function Greg Kroah-Hartman
` (129 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit 5c0aa8cad7745505297103f05dda3fa06e8ac670 upstream.
Previously added code to talitos_submit() in order to map an entire
descriptor chain.
Move that code into a standalone function to improve readability.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 75 +++++++++++++++++++++++++----------------------
1 file changed, 41 insertions(+), 34 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -255,6 +255,46 @@ static int init_device(struct device *de
return 0;
}
+static void dma_map_request(struct device *dev, struct talitos_request *request,
+ struct talitos_desc *desc, bool is_sec1)
+{
+ struct talitos_edesc *edesc =
+ container_of(desc, struct talitos_edesc, desc);
+ dma_addr_t dma_desc, prev_dma_desc;
+ struct talitos_edesc *prev_edesc = NULL;
+
+ if (is_sec1) {
+ while (edesc) {
+ edesc->desc.hdr1 = edesc->desc.hdr;
+
+ dma_desc = dma_map_single(dev, &edesc->desc.hdr1,
+ TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+
+ if (!prev_edesc) {
+ request->dma_desc = dma_desc;
+ goto next;
+ }
+
+ /* Chain in any previous descriptors. */
+
+ prev_edesc->desc.next_desc = cpu_to_be32(dma_desc);
+
+ dma_sync_single_for_device(dev, prev_dma_desc,
+ TALITOS_DESC_SIZE,
+ DMA_TO_DEVICE);
+
+next:
+ prev_edesc = edesc;
+ prev_dma_desc = dma_desc;
+ edesc = edesc->next_desc;
+ }
+ } else {
+ request->dma_desc = dma_map_single(dev, desc, TALITOS_DESC_SIZE,
+ DMA_BIDIRECTIONAL);
+ }
+}
+
/**
* talitos_submit - submits a descriptor to the device for processing
* @dev: the SEC device to be used
@@ -273,10 +313,7 @@ static int talitos_submit(struct device
void *context, int error),
void *context)
{
- struct talitos_edesc *edesc = container_of(desc, struct talitos_edesc, desc);
struct talitos_private *priv = dev_get_drvdata(dev);
- dma_addr_t dma_desc, prev_dma_desc;
- struct talitos_edesc *prev_edesc = NULL;
struct talitos_request *request;
unsigned long flags;
int head;
@@ -294,37 +331,7 @@ static int talitos_submit(struct device
request = &priv->chan[ch].fifo[head];
/* map descriptor and save caller data */
- if (is_sec1) {
- while (edesc) {
- edesc->desc.hdr1 = edesc->desc.hdr;
-
- dma_desc = dma_map_single(dev, &edesc->desc.hdr1,
- TALITOS_DESC_SIZE,
- DMA_BIDIRECTIONAL);
-
- if (!prev_edesc) {
- request->dma_desc = dma_desc;
- goto next;
- }
-
- /* Chain in any previous descriptors. */
-
- prev_edesc->desc.next_desc = cpu_to_be32(dma_desc);
-
- dma_sync_single_for_device(dev, prev_dma_desc,
- TALITOS_DESC_SIZE,
- DMA_TO_DEVICE);
-
-next:
- prev_edesc = edesc;
- prev_dma_desc = dma_desc;
- edesc = edesc->next_desc;
- }
- } else {
- request->dma_desc = dma_map_single(dev, desc,
- TALITOS_DESC_SIZE,
- DMA_BIDIRECTIONAL);
- }
+ dma_map_request(dev, request, desc, is_sec1);
request->callback = callback;
request->context = context;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 393/518] crypto: talitos - move code in current_desc_hdr() into a standalone function
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 392/518] crypto: talitos - move dma mapping code in talitos_submit() into a standalone dma_map_request() function Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 394/518] crypto: talitos/hash - prepare SEC1 descriptor chaining, remove additional descriptor Greg Kroah-Hartman
` (128 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit f8713d9e6091755dd30f7f1cfa25f8440cddf81b upstream.
Previously added code in current_desc_hdr() in order to add support for
searching an offending descriptor inside a descriptor chain.
Move that code into a standalone function to improve readability.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -520,6 +520,24 @@ DEF_TALITOS2_DONE(ch0, TALITOS2_ISR_CH_0
DEF_TALITOS2_DONE(ch0_2, TALITOS2_ISR_CH_0_2_DONE)
DEF_TALITOS2_DONE(ch1_3, TALITOS2_ISR_CH_1_3_DONE)
+static __be32 search_desc_hdr_in_request(struct talitos_request *request,
+ dma_addr_t cur_desc, bool is_sec1)
+{
+ struct talitos_edesc *edesc;
+
+ if (request->dma_desc == cur_desc) {
+ return request->desc->hdr;
+ } else if (is_sec1) {
+ edesc = container_of(request->desc, struct talitos_edesc, desc);
+ while (edesc->next_desc) {
+ if (edesc->desc.next_desc == cpu_to_be32(cur_desc))
+ return edesc->next_desc->desc.hdr1;
+ edesc = edesc->next_desc;
+ }
+ }
+ return 0;
+}
+
/*
* locate current (offending) descriptor
*/
@@ -528,7 +546,6 @@ static __be32 current_desc_hdr(struct de
struct talitos_private *priv = dev_get_drvdata(dev);
bool is_sec1 = has_ftr_sec1(priv);
struct talitos_request *request;
- struct talitos_edesc *edesc;
int tail, iter;
dma_addr_t cur_desc;
__be32 hdr = 0;
@@ -546,21 +563,7 @@ static __be32 current_desc_hdr(struct de
do {
request = &priv->chan[ch].fifo[iter];
- if (request->dma_desc == cur_desc) {
- hdr = request->desc->hdr;
- } else if (is_sec1) {
- edesc = container_of(request->desc,
- struct talitos_edesc, desc);
- while (edesc->next_desc) {
- if (edesc->desc.next_desc ==
- cpu_to_be32(cur_desc)) {
- hdr = edesc->next_desc->desc.hdr1;
- break;
- }
- edesc = edesc->next_desc;
- }
- }
-
+ hdr = search_desc_hdr_in_request(request, cur_desc, is_sec1);
if (hdr)
break;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 394/518] crypto: talitos/hash - prepare SEC1 descriptor chaining, remove additional descriptor
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 393/518] crypto: talitos - move code in current_desc_hdr() into a standalone function Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 395/518] crypto: talitos/hash - use descriptor chaining for SEC1 instead of workqueue Greg Kroah-Hartman
` (127 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit 59b5d899e33701665f18abe6bebf987427876e3e upstream.
Currently, when SEC1 has buffered data (nbuf != 0), the ahash code
creates an additional descriptor on the fly inside
common_nonsnoop_hash() to handle the remainder of the data. This
approach is incompatible with the arbitrary-length descriptor chaining
that follows.
Remove the "additional descriptor" logic from common_nonsnoop_hash()
and common_nonsnoop_hash_unmap().
Also remove the nbytes adjustment for SEC1 in ahash_edesc_alloc()
that subtracted nbuf.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 101 ++---------------------------------------------
1 file changed, 6 insertions(+), 95 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1788,15 +1788,9 @@ static void common_nonsnoop_hash_unmap(s
struct talitos_private *priv = dev_get_drvdata(dev);
bool is_sec1 = has_ftr_sec1(priv);
struct talitos_desc *desc = &edesc->desc;
- struct talitos_desc *desc2;
-
- if (desc->next_desc)
- desc2 = &edesc->next_desc->desc;
unmap_single_talitos_ptr(dev, &desc->ptr[5], DMA_FROM_DEVICE);
- if (desc->next_desc &&
- desc->ptr[5].ptr != desc2->ptr[5].ptr)
- unmap_single_talitos_ptr(dev, &desc2->ptr[5], DMA_FROM_DEVICE);
+
if (req_ctx->last_desc)
memcpy(areq->result, req_ctx->hw_context,
crypto_ahash_digestsize(tfm));
@@ -1808,13 +1802,6 @@ static void common_nonsnoop_hash_unmap(s
if (from_talitos_ptr_len(&desc->ptr[1], is_sec1))
unmap_single_talitos_ptr(dev, &desc->ptr[1],
DMA_TO_DEVICE);
- else if (desc->next_desc)
- unmap_single_talitos_ptr(dev, &desc2->ptr[1],
- DMA_TO_DEVICE);
-
- if (is_sec1 && req_ctx->nbuf)
- unmap_single_talitos_ptr(dev, &desc->ptr[3],
- DMA_TO_DEVICE);
if (edesc->dma_len)
dma_unmap_single(dev, edesc->dma_link_tbl, edesc->dma_len,
@@ -1922,9 +1909,6 @@ static int common_nonsnoop_hash(struct t
to_talitos_ptr(&desc->ptr[2], ctx->dma_key, ctx->keylen,
is_sec1);
- if (is_sec1 && req_ctx->nbuf)
- length -= req_ctx->nbuf;
-
sg_count = edesc->src_nents ?: 1;
if (is_sec1 && sg_count > 1)
sg_copy_to_buffer(req_ctx->psrc, sg_count, edesc->buf, length);
@@ -1934,16 +1918,10 @@ static int common_nonsnoop_hash(struct t
/*
* data in
*/
- if (is_sec1 && req_ctx->nbuf) {
- map_single_talitos_ptr(dev, &desc->ptr[3], req_ctx->nbuf,
- req_ctx->buf[req_ctx->buf_idx],
- DMA_TO_DEVICE);
- } else {
- sg_count = talitos_sg_map(dev, req_ctx->psrc, length, edesc,
- &desc->ptr[3], sg_count, 0, 0);
- if (sg_count > 1)
- sync_needed = true;
- }
+ sg_count = talitos_sg_map(dev, req_ctx->psrc, length, edesc,
+ &desc->ptr[3], sg_count, 0, 0);
+ if (sg_count > 1)
+ sync_needed = true;
/* fifth DWORD empty */
@@ -1963,49 +1941,6 @@ static int common_nonsnoop_hash(struct t
if (is_sec1 && from_talitos_ptr_len(&desc->ptr[3], true) == 0)
talitos_handle_buggy_hash(ctx, edesc, &desc->ptr[3]);
- if (is_sec1 && req_ctx->nbuf && length) {
- struct talitos_edesc *edesc2;
- struct talitos_desc *desc2;
-
- edesc2 = kzalloc(sizeof(*edesc2),
- areq->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
- GFP_KERNEL :
- GFP_ATOMIC);
- if (!edesc2) {
- ret = -ENOMEM;
- goto err;
- }
- edesc->next_desc = edesc2;
-
- desc2 = &edesc2->desc;
-
- desc2->hdr = desc->hdr;
- desc2->hdr &= ~DESC_HDR_MODE0_MDEU_INIT;
- desc->hdr &= ~DESC_HDR_MODE0_MDEU_PAD;
- desc->hdr |= DESC_HDR_MODE0_MDEU_CONT;
- desc->hdr &= ~DESC_HDR_DONE_NOTIFY;
-
- if (desc->ptr[1].ptr)
- copy_talitos_ptr(&desc2->ptr[1], &desc->ptr[1],
- is_sec1);
- else
- map_single_talitos_ptr_nosync(dev, &desc2->ptr[1],
- req_ctx->hw_context_size,
- req_ctx->hw_context,
- DMA_TO_DEVICE);
- copy_talitos_ptr(&desc2->ptr[2], &desc->ptr[2], is_sec1);
- sg_count = talitos_sg_map(dev, req_ctx->psrc, length, edesc,
- &desc2->ptr[3], sg_count, 0, 0);
- if (sg_count > 1)
- sync_needed = true;
- copy_talitos_ptr(&desc2->ptr[5], &desc->ptr[5], is_sec1);
- if (req_ctx->last_desc)
- map_single_talitos_ptr_nosync(dev, &desc->ptr[5],
- req_ctx->hw_context_size,
- req_ctx->hw_context,
- DMA_FROM_DEVICE);
- }
-
if (sync_needed)
dma_sync_single_for_device(dev, edesc->dma_link_tbl,
edesc->dma_len, DMA_BIDIRECTIONAL);
@@ -2028,11 +1963,6 @@ static struct talitos_edesc *ahash_edesc
struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
- struct talitos_private *priv = dev_get_drvdata(ctx->dev);
- bool is_sec1 = has_ftr_sec1(priv);
-
- if (is_sec1)
- nbytes -= req_ctx->nbuf;
return talitos_edesc_alloc(ctx->dev, req_ctx->psrc, NULL, NULL, 0,
nbytes, 0, 0, 0, areq->base.flags, false);
@@ -2051,8 +1981,6 @@ static int ahash_process_req_one(struct
unsigned int nsg;
int nents;
struct device *dev = ctx->dev;
- struct talitos_private *priv = dev_get_drvdata(dev);
- bool is_sec1 = has_ftr_sec1(priv);
u8 *ctx_buf = req_ctx->buf[req_ctx->buf_idx];
if (!req_ctx->last_desc && (nbytes + req_ctx->nbuf <= blocksize)) {
@@ -2084,30 +2012,13 @@ static int ahash_process_req_one(struct
}
/* Chain in any previously buffered data */
- if (!is_sec1 && req_ctx->nbuf) {
+ if (req_ctx->nbuf) {
nsg = (req_ctx->nbuf < nbytes_to_hash) ? 2 : 1;
sg_init_table(req_ctx->bufsl, nsg);
sg_set_buf(req_ctx->bufsl, ctx_buf, req_ctx->nbuf);
if (nsg > 1)
sg_chain(req_ctx->bufsl, 2, req_ctx->request_sl);
req_ctx->psrc = req_ctx->bufsl;
- } else if (is_sec1 && req_ctx->nbuf && req_ctx->nbuf < blocksize) {
- int offset;
-
- if (nbytes_to_hash > blocksize)
- offset = blocksize - req_ctx->nbuf;
- else
- offset = nbytes_to_hash - req_ctx->nbuf;
- nents = sg_nents_for_len(req_ctx->request_sl, offset);
- if (nents < 0) {
- dev_err(dev, "Invalid number of src SG.\n");
- return nents;
- }
- sg_copy_to_buffer(req_ctx->request_sl, nents,
- ctx_buf + req_ctx->nbuf, offset);
- req_ctx->nbuf += offset;
- req_ctx->psrc = scatterwalk_ffwd(req_ctx->bufsl, req_ctx->request_sl,
- offset);
} else
req_ctx->psrc = req_ctx->request_sl;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 395/518] crypto: talitos/hash - use descriptor chaining for SEC1 instead of workqueue
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 394/518] crypto: talitos/hash - prepare SEC1 descriptor chaining, remove additional descriptor Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 396/518] crypto: talitos/hash - drop workqueue mechanism for SEC1 Greg Kroah-Hartman
` (126 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit f1ede6d95d8ad3b32c6a552d2baab805bd00fc38 upstream.
Rework the SEC1 ahash implementation to build a chain of hardware
descriptors, replacing the previous approach of submitting one
descriptor at a time via a workqueue, introduced by commit 655ef638a2bc
("crypto: talitos - fix SEC1 32k ahash request limitation").
Introduce ahash_process_req_prepare() which iterates over the request
data, allocating enough descriptors to cover the entire ahash request.
The new fields (bufsl, src, first, last) are added to talitos_edesc for
this purpose.
common_nonsnoop_hash() no longer calls talitos_submit(); it only
maps and sets up the descriptor. Submission is now done by the caller
after the chain is built.
ahash_free_desc_list_from() takes over calling
common_nonsnoop_hash_unmap() for each descriptor during cleanup.
Compared to the workqueue based solution, request are slightly faster
since there is no more scheduling latency induced by the workqueue, and
only one interrupt is generated by the device at the end of a chain.
Commit 655ef638a2bc ("crypto: talitos - fix SEC1 32k ahash request
limitation") :
$ /usr/libexec/libkcapi/sha256sum ./test_5M.bin
013c5609d63c... ./test_5M.bin
real 0m 0.41s
user 0m 0.01s
sys 0m 0.07s
Now :
$ /usr/libexec/libkcapi/sha256sum ./test_5M.bin
013c5609d63c... ./test_5M.bin
real 0m 0.33s
user 0m 0.01s
sys 0m 0.20s
Tested on a system with an MPC885 SoC featuring the SEC1 Lite.
The increase in sys time is due to the fact that commit 37b5e8897eb5
("crypto: talitos - chain in buffered data for ahash on SEC1") can no
longer be applied.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 168 +++++++++++++++++++++++++++++------------------
drivers/crypto/talitos.h | 10 ++
2 files changed, 115 insertions(+), 63 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1791,12 +1791,12 @@ static void common_nonsnoop_hash_unmap(s
unmap_single_talitos_ptr(dev, &desc->ptr[5], DMA_FROM_DEVICE);
- if (req_ctx->last_desc)
+ if (edesc->last && req_ctx->last_request)
memcpy(areq->result, req_ctx->hw_context,
crypto_ahash_digestsize(tfm));
- if (req_ctx->psrc)
- talitos_sg_unmap(dev, edesc, req_ctx->psrc, NULL, 0, 0);
+ if (edesc->src)
+ talitos_sg_unmap(dev, edesc, edesc->src, NULL, 0, 0);
/* When using hashctx-in, must unmap it. */
if (from_talitos_ptr_len(&desc->ptr[1], is_sec1))
@@ -1808,12 +1808,14 @@ static void common_nonsnoop_hash_unmap(s
DMA_BIDIRECTIONAL);
}
-static void free_edesc_list_from(struct talitos_edesc *edesc)
+static void free_edesc_list_from(struct ahash_request *areq, struct talitos_edesc *edesc)
{
+ struct talitos_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
struct talitos_edesc *next;
while (edesc) {
next = edesc->next_desc;
+ common_nonsnoop_hash_unmap(ctx->dev, edesc, areq);
kfree(edesc);
edesc = next;
}
@@ -1828,19 +1830,18 @@ static void ahash_done(struct device *de
container_of(desc, struct talitos_edesc, desc);
struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+
if (!req_ctx->last_desc && req_ctx->to_hash_later) {
/* Position any partial block for next update/final/finup */
req_ctx->buf_idx = (req_ctx->buf_idx + 1) & 1;
req_ctx->nbuf = req_ctx->to_hash_later;
}
- common_nonsnoop_hash_unmap(dev, edesc, areq);
- free_edesc_list_from(edesc);
+ free_edesc_list_from(areq, edesc);
- if (err) {
- ahash_request_complete(areq, err);
- return;
- }
+ ahash_request_complete(areq, err);
+
+ return;
req_ctx->remaining_ahash_request_bytes -=
req_ctx->current_ahash_request_bytes;
@@ -1874,18 +1875,15 @@ static void talitos_handle_buggy_hash(st
(char *)padded_hash, DMA_TO_DEVICE);
}
-static int common_nonsnoop_hash(struct talitos_edesc *edesc,
- struct ahash_request *areq, unsigned int length,
- void (*callback) (struct device *dev,
- struct talitos_desc *desc,
- void *context, int error))
+static void common_nonsnoop_hash(struct talitos_edesc *edesc,
+ struct ahash_request *areq,
+ unsigned int length)
{
struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
struct device *dev = ctx->dev;
struct talitos_desc *desc = &edesc->desc;
- int ret;
bool sync_needed = false;
struct talitos_private *priv = dev_get_drvdata(dev);
bool is_sec1 = has_ftr_sec1(priv);
@@ -1894,7 +1892,7 @@ static int common_nonsnoop_hash(struct t
/* first DWORD empty */
/* hash context in */
- if (!req_ctx->first_desc || req_ctx->swinit) {
+ if (!edesc->first || !req_ctx->first_desc || req_ctx->swinit) {
map_single_talitos_ptr_nosync(dev, &desc->ptr[1],
req_ctx->hw_context_size,
req_ctx->hw_context,
@@ -1911,22 +1909,22 @@ static int common_nonsnoop_hash(struct t
sg_count = edesc->src_nents ?: 1;
if (is_sec1 && sg_count > 1)
- sg_copy_to_buffer(req_ctx->psrc, sg_count, edesc->buf, length);
+ sg_copy_to_buffer(edesc->src, sg_count, edesc->buf, length);
else if (length)
- sg_count = dma_map_sg(dev, req_ctx->psrc, sg_count,
- DMA_TO_DEVICE);
+ sg_count = dma_map_sg(dev, edesc->src, sg_count, DMA_TO_DEVICE);
+
/*
* data in
*/
- sg_count = talitos_sg_map(dev, req_ctx->psrc, length, edesc,
- &desc->ptr[3], sg_count, 0, 0);
+ sg_count = talitos_sg_map(dev, edesc->src, length, edesc, &desc->ptr[3],
+ sg_count, 0, 0);
if (sg_count > 1)
sync_needed = true;
/* fifth DWORD empty */
/* hash/HMAC out -or- hash context out */
- if (req_ctx->last_desc)
+ if (edesc->last && req_ctx->last_request)
map_single_talitos_ptr(dev, &desc->ptr[5],
crypto_ahash_digestsize(tfm),
req_ctx->hw_context, DMA_FROM_DEVICE);
@@ -1944,30 +1942,89 @@ static int common_nonsnoop_hash(struct t
if (sync_needed)
dma_sync_single_for_device(dev, edesc->dma_link_tbl,
edesc->dma_len, DMA_BIDIRECTIONAL);
-
- ret = talitos_submit(dev, ctx->ch, desc, callback,
- areq);
- if (ret != -EINPROGRESS)
- goto err;
-
- return -EINPROGRESS;
-err:
- common_nonsnoop_hash_unmap(dev, edesc, areq);
- kfree(edesc);
- return ret;
}
static struct talitos_edesc *ahash_edesc_alloc(struct ahash_request *areq,
+ struct scatterlist *src,
unsigned int nbytes)
{
struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
- struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
- return talitos_edesc_alloc(ctx->dev, req_ctx->psrc, NULL, NULL, 0,
+ return talitos_edesc_alloc(ctx->dev, src, NULL, NULL, 0,
nbytes, 0, 0, 0, areq->base.flags, false);
}
+static struct talitos_edesc *
+ahash_process_req_prepare(struct ahash_request *areq, unsigned int nbytes,
+ unsigned int blocksize, bool is_sec1)
+{
+ struct talitos_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
+ struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+ struct talitos_edesc *first = NULL, *prev_edesc = NULL, *edesc;
+ size_t desc_max = is_sec1 ? TALITOS1_MAX_DATA_LEN : SIZE_MAX;
+ struct scatterlist tmp[2];
+ size_t to_hash_this_desc;
+ struct scatterlist *src;
+ size_t offset = 0;
+
+ do {
+ src = scatterwalk_ffwd(tmp, req_ctx->psrc, offset);
+
+ to_hash_this_desc =
+ min(nbytes, ALIGN_DOWN(desc_max, blocksize));
+
+ /* Allocate extended descriptor */
+ edesc = ahash_edesc_alloc(areq, src, to_hash_this_desc);
+ if (IS_ERR(edesc)) {
+ if (first)
+ free_edesc_list_from(areq, first);
+ return edesc;
+ }
+
+ edesc->src =
+ scatterwalk_ffwd(edesc->bufsl, req_ctx->psrc, offset);
+ edesc->desc.hdr = ctx->desc_hdr_template;
+ edesc->first = offset == 0;
+ edesc->last = nbytes - to_hash_this_desc == 0;
+
+ /* On last one, request SEC to pad; otherwise continue */
+ if (req_ctx->last_request && edesc->last)
+ edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_PAD;
+ else
+ edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_CONT;
+
+ /* request SEC to INIT hash. */
+ if (req_ctx->first_desc && edesc->first && !req_ctx->swinit)
+ edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_INIT;
+
+ /*
+ * When the tfm context has a keylen, it's an HMAC.
+ * A first or last (ie. not middle) descriptor must request HMAC.
+ */
+ if (ctx->keylen && ((req_ctx->first_desc && edesc->first) ||
+ (req_ctx->last_request && edesc->last)))
+ edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_HMAC;
+
+ /* clear the DN bit */
+ if (is_sec1 && !edesc->last)
+ edesc->desc.hdr &= ~DESC_HDR_DONE_NOTIFY;
+
+ common_nonsnoop_hash(edesc, areq, to_hash_this_desc);
+
+ offset += to_hash_this_desc;
+ nbytes -= to_hash_this_desc;
+
+ if (!prev_edesc)
+ first = edesc;
+ else
+ prev_edesc->next_desc = edesc;
+ prev_edesc = edesc;
+ } while (nbytes);
+
+ return first;
+}
+
static int ahash_process_req_one(struct ahash_request *areq, unsigned int nbytes)
{
struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
@@ -1976,14 +2033,16 @@ static int ahash_process_req_one(struct
struct talitos_edesc *edesc;
unsigned int blocksize =
crypto_tfm_alg_blocksize(crypto_ahash_tfm(tfm));
+ bool is_sec1 = has_ftr_sec1(dev_get_drvdata(ctx->dev));
unsigned int nbytes_to_hash;
unsigned int to_hash_later;
unsigned int nsg;
int nents;
struct device *dev = ctx->dev;
u8 *ctx_buf = req_ctx->buf[req_ctx->buf_idx];
+ int ret;
- if (!req_ctx->last_desc && (nbytes + req_ctx->nbuf <= blocksize)) {
+ if (!req_ctx->last_request && (nbytes + req_ctx->nbuf <= blocksize)) {
/* Buffer up to one whole block */
nents = sg_nents_for_len(req_ctx->request_sl, nbytes);
if (nents < 0) {
@@ -2000,7 +2059,7 @@ static int ahash_process_req_one(struct
nbytes_to_hash = nbytes + req_ctx->nbuf;
to_hash_later = nbytes_to_hash & (blocksize - 1);
- if (req_ctx->last_desc)
+ if (req_ctx->last_request)
to_hash_later = 0;
else if (to_hash_later)
/* There is a partial block. Hash the full block(s) now */
@@ -2035,30 +2094,16 @@ static int ahash_process_req_one(struct
}
req_ctx->to_hash_later = to_hash_later;
- /* Allocate extended descriptor */
- edesc = ahash_edesc_alloc(req_ctx->areq, nbytes_to_hash);
+ edesc = ahash_process_req_prepare(areq, nbytes_to_hash, blocksize,
+ is_sec1);
if (IS_ERR(edesc))
return PTR_ERR(edesc);
- edesc->desc.hdr = ctx->desc_hdr_template;
-
- /* On last one, request SEC to pad; otherwise continue */
- if (req_ctx->last_desc)
- edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_PAD;
- else
- edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_CONT;
-
- /* request SEC to INIT hash. */
- if (req_ctx->first_desc && !req_ctx->swinit)
- edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_INIT;
-
- /* When the tfm context has a keylen, it's an HMAC.
- * A first or last (ie. not middle) descriptor must request HMAC.
- */
- if (ctx->keylen && (req_ctx->first_desc || req_ctx->last_desc))
- edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_HMAC;
+ ret = talitos_submit(dev, ctx->ch, &edesc->desc, ahash_done, areq);
+ if (ret != -EINPROGRESS)
+ free_edesc_list_from(areq, edesc);
- return common_nonsnoop_hash(edesc, req_ctx->areq, nbytes_to_hash, ahash_done);
+ return ret;
}
static void sec1_ahash_process_remaining(struct work_struct *work)
@@ -2102,16 +2147,13 @@ static int ahash_process_req(struct ahas
req_ctx->remaining_ahash_request_bytes = nbytes;
if (is_sec1) {
- if (nbytes > TALITOS1_MAX_DATA_LEN)
- nbytes = TALITOS1_MAX_DATA_LEN;
- else if (req_ctx->last_request)
+ if (req_ctx->last_request)
req_ctx->last_desc = 1;
}
req_ctx->current_ahash_request_bytes = nbytes;
- return ahash_process_req_one(req_ctx->areq,
- req_ctx->current_ahash_request_bytes);
+ return ahash_process_req_one(req_ctx->areq, nbytes);
}
static int ahash_init(struct ahash_request *areq)
--- a/drivers/crypto/talitos.h
+++ b/drivers/crypto/talitos.h
@@ -44,6 +44,11 @@ struct talitos_desc {
/*
* talitos_edesc - s/w-extended descriptor
+ * @bufsl: scatterlist buffer
+ * @src: pointer to input scatterlist
+ * @first: first descriptor of a chain
+ * @last: last descriptor of a chain
+ *
* @src_nents: number of segments in input scatterlist
* @dst_nents: number of segments in output scatterlist
* @iv_dma: dma address of iv for checking continuity and link table
@@ -59,6 +64,11 @@ struct talitos_desc {
* of link_tbl data
*/
struct talitos_edesc {
+ struct scatterlist bufsl[2];
+ struct scatterlist *src;
+ int first;
+ int last;
+
int src_nents;
int dst_nents;
dma_addr_t iv_dma;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 396/518] crypto: talitos/hash - drop workqueue mechanism for SEC1
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 395/518] crypto: talitos/hash - use descriptor chaining for SEC1 instead of workqueue Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 397/518] crypto: talitos/hash - rename first_desc/last_desc to first_request/last_request Greg Kroah-Hartman
` (125 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit be4802afb1700534e48cb776d0d1e772c27de130 upstream.
Now that SEC1 hash uses hardware descriptor chaining instead of a
workqueue to process requests exceeding TALITOS1_MAX_DATA_LEN, the
workqueue code is no longer needed.
Remove sec1_ahash_process_remaining(), the related fields from
talitos_ahash_req_ctx (request_bufsl, areq, request_sl,
remaining_ahash_request_bytes, current_ahash_request_bytes,
sec1_ahash_process_remaining), the dead code in ahash_done(), and
simplify ahash_process_req() to call ahash_process_req_one() directly
with the original areq->src and areq->nbytes.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 80 ++++-------------------------------------------
1 file changed, 7 insertions(+), 73 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -12,7 +12,6 @@
* All rights reserved.
*/
-#include <linux/workqueue.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/mod_devicetable.h>
@@ -952,13 +951,6 @@ struct talitos_ahash_req_ctx {
unsigned int nbuf;
struct scatterlist bufsl[2];
struct scatterlist *psrc;
-
- struct scatterlist request_bufsl[2];
- struct ahash_request *areq;
- struct scatterlist *request_sl;
- unsigned int remaining_ahash_request_bytes;
- unsigned int current_ahash_request_bytes;
- struct work_struct sec1_ahash_process_remaining;
};
struct talitos_export_state {
@@ -1840,18 +1832,6 @@ static void ahash_done(struct device *de
free_edesc_list_from(areq, edesc);
ahash_request_complete(areq, err);
-
- return;
-
- req_ctx->remaining_ahash_request_bytes -=
- req_ctx->current_ahash_request_bytes;
-
- if (!req_ctx->remaining_ahash_request_bytes) {
- ahash_request_complete(areq, 0);
- return;
- }
-
- schedule_work(&req_ctx->sec1_ahash_process_remaining);
}
/*
@@ -2044,12 +2024,12 @@ static int ahash_process_req_one(struct
if (!req_ctx->last_request && (nbytes + req_ctx->nbuf <= blocksize)) {
/* Buffer up to one whole block */
- nents = sg_nents_for_len(req_ctx->request_sl, nbytes);
+ nents = sg_nents_for_len(areq->src, nbytes);
if (nents < 0) {
dev_err(dev, "Invalid number of src SG.\n");
return nents;
}
- sg_copy_to_buffer(req_ctx->request_sl, nents,
+ sg_copy_to_buffer(areq->src, nents,
ctx_buf + req_ctx->nbuf, nbytes);
req_ctx->nbuf += nbytes;
return 0;
@@ -2076,18 +2056,18 @@ static int ahash_process_req_one(struct
sg_init_table(req_ctx->bufsl, nsg);
sg_set_buf(req_ctx->bufsl, ctx_buf, req_ctx->nbuf);
if (nsg > 1)
- sg_chain(req_ctx->bufsl, 2, req_ctx->request_sl);
+ sg_chain(req_ctx->bufsl, 2, areq->src);
req_ctx->psrc = req_ctx->bufsl;
} else
- req_ctx->psrc = req_ctx->request_sl;
+ req_ctx->psrc = areq->src;
if (to_hash_later) {
- nents = sg_nents_for_len(req_ctx->request_sl, nbytes);
+ nents = sg_nents_for_len(areq->src, nbytes);
if (nents < 0) {
dev_err(dev, "Invalid number of src SG.\n");
return nents;
}
- sg_pcopy_to_buffer(req_ctx->request_sl, nents,
+ sg_pcopy_to_buffer(areq->src, nents,
req_ctx->buf[(req_ctx->buf_idx + 1) & 1],
to_hash_later,
nbytes - to_hash_later);
@@ -2106,54 +2086,9 @@ static int ahash_process_req_one(struct
return ret;
}
-static void sec1_ahash_process_remaining(struct work_struct *work)
-{
- struct talitos_ahash_req_ctx *req_ctx =
- container_of(work, struct talitos_ahash_req_ctx,
- sec1_ahash_process_remaining);
- int err = 0;
-
- req_ctx->request_sl = scatterwalk_ffwd(req_ctx->request_bufsl,
- req_ctx->request_sl, TALITOS1_MAX_DATA_LEN);
-
- if (req_ctx->remaining_ahash_request_bytes > TALITOS1_MAX_DATA_LEN)
- req_ctx->current_ahash_request_bytes = TALITOS1_MAX_DATA_LEN;
- else {
- req_ctx->current_ahash_request_bytes =
- req_ctx->remaining_ahash_request_bytes;
-
- if (req_ctx->last_request)
- req_ctx->last_desc = 1;
- }
-
- err = ahash_process_req_one(req_ctx->areq,
- req_ctx->current_ahash_request_bytes);
-
- if (err != -EINPROGRESS)
- ahash_request_complete(req_ctx->areq, err);
-}
-
static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
{
- struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
- struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
- struct device *dev = ctx->dev;
- struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
- struct talitos_private *priv = dev_get_drvdata(dev);
- bool is_sec1 = has_ftr_sec1(priv);
-
- req_ctx->areq = areq;
- req_ctx->request_sl = areq->src;
- req_ctx->remaining_ahash_request_bytes = nbytes;
-
- if (is_sec1) {
- if (req_ctx->last_request)
- req_ctx->last_desc = 1;
- }
-
- req_ctx->current_ahash_request_bytes = nbytes;
-
- return ahash_process_req_one(req_ctx->areq, nbytes);
+ return ahash_process_req_one(areq, nbytes);
}
static int ahash_init(struct ahash_request *areq)
@@ -2176,7 +2111,6 @@ static int ahash_init(struct ahash_reque
req_ctx->hw_context_size = size;
req_ctx->last_request = 0;
req_ctx->last_desc = 0;
- INIT_WORK(&req_ctx->sec1_ahash_process_remaining, sec1_ahash_process_remaining);
dma = dma_map_single(dev, req_ctx->hw_context, req_ctx->hw_context_size,
DMA_TO_DEVICE);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 397/518] crypto: talitos/hash - rename first_desc/last_desc to first_request/last_request
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 396/518] crypto: talitos/hash - drop workqueue mechanism for SEC1 Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 398/518] crypto: talitos/hash - remove useless wrapper Greg Kroah-Hartman
` (124 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit 8bcf00671400ac3b3a4cc3011e6c1496dbd880fd upstream.
In talitos_ahash_req_ctx and talitos_export_state, the fields
first_desc and last_desc describe request-level (not descriptor-level)
state. Rename them to first_request and last_request for clarity.
last_desc is also removed from talitos_ahash_req_ctx as it is no
longer used.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 29 +++++++++++++----------------
1 file changed, 13 insertions(+), 16 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -944,8 +944,7 @@ struct talitos_ahash_req_ctx {
u8 buf[2][HASH_MAX_BLOCK_SIZE];
int buf_idx;
unsigned int swinit;
- unsigned int first_desc;
- unsigned int last_desc;
+ unsigned int first_request;
unsigned int last_request;
unsigned int to_hash_later;
unsigned int nbuf;
@@ -957,8 +956,8 @@ struct talitos_export_state {
u32 hw_context[TALITOS_MDEU_MAX_CONTEXT_SIZE / sizeof(u32)];
u8 buf[HASH_MAX_BLOCK_SIZE];
unsigned int swinit;
- unsigned int first_desc;
- unsigned int last_desc;
+ unsigned int first_request;
+ unsigned int last_request;
unsigned int to_hash_later;
unsigned int nbuf;
};
@@ -1822,8 +1821,7 @@ static void ahash_done(struct device *de
container_of(desc, struct talitos_edesc, desc);
struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
-
- if (!req_ctx->last_desc && req_ctx->to_hash_later) {
+ if (!req_ctx->last_request && req_ctx->to_hash_later) {
/* Position any partial block for next update/final/finup */
req_ctx->buf_idx = (req_ctx->buf_idx + 1) & 1;
req_ctx->nbuf = req_ctx->to_hash_later;
@@ -1872,7 +1870,7 @@ static void common_nonsnoop_hash(struct
/* first DWORD empty */
/* hash context in */
- if (!edesc->first || !req_ctx->first_desc || req_ctx->swinit) {
+ if (!edesc->first || !req_ctx->first_request || req_ctx->swinit) {
map_single_talitos_ptr_nosync(dev, &desc->ptr[1],
req_ctx->hw_context_size,
req_ctx->hw_context,
@@ -1880,7 +1878,7 @@ static void common_nonsnoop_hash(struct
req_ctx->swinit = 0;
}
/* Indicate next op is not the first. */
- req_ctx->first_desc = 0;
+ req_ctx->first_request = 0;
/* HMAC key */
if (ctx->keylen)
@@ -1975,14 +1973,14 @@ ahash_process_req_prepare(struct ahash_r
edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_CONT;
/* request SEC to INIT hash. */
- if (req_ctx->first_desc && edesc->first && !req_ctx->swinit)
+ if (req_ctx->first_request && edesc->first && !req_ctx->swinit)
edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_INIT;
/*
* When the tfm context has a keylen, it's an HMAC.
* A first or last (ie. not middle) descriptor must request HMAC.
*/
- if (ctx->keylen && ((req_ctx->first_desc && edesc->first) ||
+ if (ctx->keylen && ((req_ctx->first_request && edesc->first) ||
(req_ctx->last_request && edesc->last)))
edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_HMAC;
@@ -2103,14 +2101,13 @@ static int ahash_init(struct ahash_reque
/* Initialize the context */
req_ctx->buf_idx = 0;
req_ctx->nbuf = 0;
- req_ctx->first_desc = 1; /* first_desc indicates h/w must init its context */
+ req_ctx->first_request = 1;
req_ctx->swinit = 0; /* assume h/w init of context */
size = (crypto_ahash_digestsize(tfm) <= SHA256_DIGEST_SIZE)
? TALITOS_MDEU_CONTEXT_SIZE_MD5_SHA1_SHA256
: TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512;
req_ctx->hw_context_size = size;
req_ctx->last_request = 0;
- req_ctx->last_desc = 0;
dma = dma_map_single(dev, req_ctx->hw_context, req_ctx->hw_context_size,
DMA_TO_DEVICE);
@@ -2202,8 +2199,8 @@ static int ahash_export(struct ahash_req
req_ctx->hw_context_size);
memcpy(export->buf, req_ctx->buf[req_ctx->buf_idx], req_ctx->nbuf);
export->swinit = req_ctx->swinit;
- export->first_desc = req_ctx->first_desc;
- export->last_desc = req_ctx->last_desc;
+ export->first_request = req_ctx->first_request;
+ export->last_request = req_ctx->last_request;
export->to_hash_later = req_ctx->to_hash_later;
export->nbuf = req_ctx->nbuf;
@@ -2228,8 +2225,8 @@ static int ahash_import(struct ahash_req
memcpy(req_ctx->hw_context, export->hw_context, size);
memcpy(req_ctx->buf[0], export->buf, export->nbuf);
req_ctx->swinit = export->swinit;
- req_ctx->first_desc = export->first_desc;
- req_ctx->last_desc = export->last_desc;
+ req_ctx->first_request = export->first_request;
+ req_ctx->last_request = export->last_request;
req_ctx->to_hash_later = export->to_hash_later;
req_ctx->nbuf = export->nbuf;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 398/518] crypto: talitos/hash - remove useless wrapper
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 397/518] crypto: talitos/hash - rename first_desc/last_desc to first_request/last_request Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 399/518] crypto: talitos/hash - fix SEC2 64k - 1 ahash request limitation Greg Kroah-Hartman
` (123 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit 907ae6088c82c9abae2d26477fddd60df6ad003b upstream.
ahash_process_req() was a wrapper used in commit 655ef638a2bc ("crypto:
talitos - fix SEC1 32k ahash request limitation"). Rename
ahash_process_req_one() to ahash_process_req() and remove the wrapper.
Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -2003,7 +2003,7 @@ ahash_process_req_prepare(struct ahash_r
return first;
}
-static int ahash_process_req_one(struct ahash_request *areq, unsigned int nbytes)
+static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
{
struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
@@ -2084,11 +2084,6 @@ static int ahash_process_req_one(struct
return ret;
}
-static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
-{
- return ahash_process_req_one(areq, nbytes);
-}
-
static int ahash_init(struct ahash_request *areq)
{
struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 399/518] crypto: talitos/hash - fix SEC2 64k - 1 ahash request limitation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 398/518] crypto: talitos/hash - remove useless wrapper Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 400/518] arm64: fpsimd: Fix type mismatch in sme_{save,load}_state() Greg Kroah-Hartman
` (122 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Louvel <paul.louvel@bootlin.com>
commit 6e12daff6ec125102a6fdcafc5aa7199f7ce8933 upstream.
The problem described in commit 655ef638a2bc ("crypto: talitos - fix
SEC1 32k ahash request limitation") also apply for the SEC2 hardware,
but with a limitation of 64k - 1 bytes.
Split ahash_done() into SEC1 and SEC2 paths: SEC1 continues to free the
whole descriptor list at once, while SEC2 now iterates through
descriptors one by one, submitting the next only after the previous
completes, which is required since SEC2 cannot chain descriptors in
hardware.
Cc: stable@vger.kernel.org
Fixes: c662b043cdca ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/talitos.c | 49 ++++++++++++++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 9 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1820,16 +1820,46 @@ static void ahash_done(struct device *de
struct talitos_edesc *edesc =
container_of(desc, struct talitos_edesc, desc);
struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+ bool is_sec1 = has_ftr_sec1(dev_get_drvdata(dev));
+ struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
+ struct talitos_edesc *next;
- if (!req_ctx->last_request && req_ctx->to_hash_later) {
- /* Position any partial block for next update/final/finup */
- req_ctx->buf_idx = (req_ctx->buf_idx + 1) & 1;
- req_ctx->nbuf = req_ctx->to_hash_later;
+ if (is_sec1) {
+ if (!req_ctx->last_request && req_ctx->to_hash_later) {
+ /* Position any partial block for next update/final/finup */
+ req_ctx->buf_idx = (req_ctx->buf_idx + 1) & 1;
+ req_ctx->nbuf = req_ctx->to_hash_later;
+ }
+
+ free_edesc_list_from(areq, edesc);
+ ahash_request_complete(areq, err);
+ } else {
+ next = edesc->next_desc;
+
+ common_nonsnoop_hash_unmap(dev, edesc, areq);
+ kfree(edesc);
+
+ if (err)
+ goto out;
+
+ if (next) {
+ err = talitos_submit(dev, ctx->ch, &next->desc,
+ ahash_done, areq);
+ if (err != -EINPROGRESS)
+ goto out;
+ return;
+ }
+out:
+ if (!req_ctx->last_request && req_ctx->to_hash_later) {
+ /* Position any partial block for next update/final/finup */
+ req_ctx->buf_idx = (req_ctx->buf_idx + 1) & 1;
+ req_ctx->nbuf = req_ctx->to_hash_later;
+ }
+ if (err && next)
+ free_edesc_list_from(areq, next);
+ ahash_request_complete(areq, err);
}
-
- free_edesc_list_from(areq, edesc);
-
- ahash_request_complete(areq, err);
}
/*
@@ -1940,7 +1970,8 @@ ahash_process_req_prepare(struct ahash_r
struct talitos_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
struct talitos_edesc *first = NULL, *prev_edesc = NULL, *edesc;
- size_t desc_max = is_sec1 ? TALITOS1_MAX_DATA_LEN : SIZE_MAX;
+ size_t desc_max = is_sec1 ? TALITOS1_MAX_DATA_LEN :
+ TALITOS2_MAX_DATA_LEN;
struct scatterlist tmp[2];
size_t to_hash_this_desc;
struct scatterlist *src;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 400/518] arm64: fpsimd: Fix type mismatch in sme_{save,load}_state()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 399/518] crypto: talitos/hash - fix SEC2 64k - 1 ahash request limitation Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 401/518] spi: fsl-lpspi: replace dmaengine_terminate_all() with dmaengine_terminate_sync() Greg Kroah-Hartman
` (121 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Fuad Tabba, James Morse, Marc Zyngier, Mark Brown, Oliver Upton,
Vladimir Murzin, Will Deacon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit 247bd153905085c18ff9006cca1ccb96dfd18e7f upstream.
The sme_save_state() and sme_load_state() functions take a 32-bit int
argument that describes whether to save/restore ZT0. Their assembly
implementations consume the entire 64-bit register containing this
32-bit value, and will attempt to save/restore ZT0 if any bit of
that 64-bit register is non-zero.
Per the AAPCS64 parameter passing rules, the callee is responsible for
any necessary widening, and the upper 32-bits are permitted to contain
arbitrary values. If the upper 32 bits are non-zero, this could result
in an unexpected attempt to save/restore ZT0, and consequently could
lead to unexpected traps/undefs/faults.
In practice compilers are very unlikely to generate code where the upper
32-bits would be non-zero, but they are permitted to do so.
Fix this by only consuming the low 32 bits of the register, and update
comments accordingly.
Fixes: 95fcec713259 ("arm64/sme: Implement context switching for ZT0")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: James Morse <james.morse@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Vladimir Murzin <vladimir.murzin@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/entry-fpsimd.S | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm64/kernel/entry-fpsimd.S
+++ b/arch/arm64/kernel/entry-fpsimd.S
@@ -103,13 +103,13 @@ SYM_FUNC_END(sme_set_vq)
* Save the ZA and ZT state
*
* x0 - pointer to buffer for state
- * x1 - number of ZT registers to save
+ * w1 - number of ZT registers to save
*/
SYM_FUNC_START(sme_save_state)
_sme_rdsvl 2, 1 // x2 = VL/8
sme_save_za 0, x2, 12 // Leaves x0 pointing to the end of ZA
- cbz x1, 1f
+ cbz w1, 1f
_str_zt 0
1:
ret
@@ -119,13 +119,13 @@ SYM_FUNC_END(sme_save_state)
* Load the ZA and ZT state
*
* x0 - pointer to buffer for state
- * x1 - number of ZT registers to save
+ * w1 - number of ZT registers to save
*/
SYM_FUNC_START(sme_load_state)
_sme_rdsvl 2, 1 // x2 = VL/8
sme_load_za 0, x2, 12 // Leaves x0 pointing to the end of ZA
- cbz x1, 1f
+ cbz w1, 1f
_ldr_zt 0
1:
ret
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 401/518] spi: fsl-lpspi: replace dmaengine_terminate_all() with dmaengine_terminate_sync()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 400/518] arm64: fpsimd: Fix type mismatch in sme_{save,load}_state() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 402/518] spi: fsl-lpspi: terminate the RX channel on TX prepare failure path Greg Kroah-Hartman
` (120 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Carlos Song, Mark Brown
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Song <carlos.song@nxp.com>
commit e703ce47691b967fe9b4057fb1d062273211afa9 upstream.
dmaengine_terminate_all() has been deprecated, so replace it with
dmaengine_terminate_sync().
Fixes: 09c04466ce7e ("spi: lpspi: add dma mode support")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Link: https://patch.msgid.link/20260525062357.3191349-2-carlos.song@oss.nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-lpspi.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/spi/spi-fsl-lpspi.c
+++ b/drivers/spi/spi-fsl-lpspi.c
@@ -647,7 +647,7 @@ static int fsl_lpspi_dma_transfer(struct
tx->sgl, tx->nents, DMA_MEM_TO_DEV,
DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
if (!desc_tx) {
- dmaengine_terminate_all(controller->dma_tx);
+ dmaengine_terminate_sync(controller->dma_tx);
return -EINVAL;
}
@@ -668,8 +668,8 @@ static int fsl_lpspi_dma_transfer(struct
transfer_timeout);
if (!time_left) {
dev_err(fsl_lpspi->dev, "I/O Error in DMA TX\n");
- dmaengine_terminate_all(controller->dma_tx);
- dmaengine_terminate_all(controller->dma_rx);
+ dmaengine_terminate_sync(controller->dma_tx);
+ dmaengine_terminate_sync(controller->dma_rx);
fsl_lpspi_reset(fsl_lpspi);
return -ETIMEDOUT;
}
@@ -678,8 +678,8 @@ static int fsl_lpspi_dma_transfer(struct
transfer_timeout);
if (!time_left) {
dev_err(fsl_lpspi->dev, "I/O Error in DMA RX\n");
- dmaengine_terminate_all(controller->dma_tx);
- dmaengine_terminate_all(controller->dma_rx);
+ dmaengine_terminate_sync(controller->dma_tx);
+ dmaengine_terminate_sync(controller->dma_rx);
fsl_lpspi_reset(fsl_lpspi);
return -ETIMEDOUT;
}
@@ -688,8 +688,8 @@ static int fsl_lpspi_dma_transfer(struct
fsl_lpspi->target_aborted) {
dev_dbg(fsl_lpspi->dev,
"I/O Error in DMA TX interrupted\n");
- dmaengine_terminate_all(controller->dma_tx);
- dmaengine_terminate_all(controller->dma_rx);
+ dmaengine_terminate_sync(controller->dma_tx);
+ dmaengine_terminate_sync(controller->dma_rx);
fsl_lpspi_reset(fsl_lpspi);
return -EINTR;
}
@@ -698,8 +698,8 @@ static int fsl_lpspi_dma_transfer(struct
fsl_lpspi->target_aborted) {
dev_dbg(fsl_lpspi->dev,
"I/O Error in DMA RX interrupted\n");
- dmaengine_terminate_all(controller->dma_tx);
- dmaengine_terminate_all(controller->dma_rx);
+ dmaengine_terminate_sync(controller->dma_tx);
+ dmaengine_terminate_sync(controller->dma_rx);
fsl_lpspi_reset(fsl_lpspi);
return -EINTR;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 402/518] spi: fsl-lpspi: terminate the RX channel on TX prepare failure path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 401/518] spi: fsl-lpspi: replace dmaengine_terminate_all() with dmaengine_terminate_sync() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 403/518] x86/mm: Fix freeing of PMD-sized vmemmap pages Greg Kroah-Hartman
` (119 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Carlos Song, Mark Brown
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Song <carlos.song@nxp.com>
commit 01980b5da56e573d62798d0ff6c86bcaa2b22cbe upstream.
When dmaengine_prep_slave_sg() fails for the TX channel, the error path
terminates the TX DMA channel but leaves the RX channel running. Since
the RX channel was already submitted and issued prior to preparing
the TX descriptor, returning -EINVAL causes the SPI core to unmap the
DMA buffers while the RX DMA engine continues writing to them, leading
to potential memory corruption or use-after-free.
Terminate the RX channel before returning on the TX prepare failure path.
Fixes: 09c04466ce7e ("spi: lpspi: add dma mode support")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Link: https://patch.msgid.link/20260525062357.3191349-3-carlos.song@oss.nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-lpspi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-fsl-lpspi.c
+++ b/drivers/spi/spi-fsl-lpspi.c
@@ -647,7 +647,7 @@ static int fsl_lpspi_dma_transfer(struct
tx->sgl, tx->nents, DMA_MEM_TO_DEV,
DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
if (!desc_tx) {
- dmaengine_terminate_sync(controller->dma_tx);
+ dmaengine_terminate_sync(controller->dma_rx);
return -EINVAL;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 403/518] x86/mm: Fix freeing of PMD-sized vmemmap pages
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 402/518] spi: fsl-lpspi: terminate the RX channel on TX prepare failure path Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 404/518] EDAC/i10nm: Dont fail probing if ADXL is missing Greg Kroah-Hartman
` (118 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Arm),
Andrew Morton, Dave Hansen, Mike Rapoport (Microsoft), Lance Yang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Arm) <david@kernel.org>
commit 39406c05f8f150f1685839acd38ffdd69ff92031 upstream.
Commit bf9e4e30f353 ("x86/mm: use pagetable_free()"), switched from
freeing non-boot page tables through __free_pages() to
pagetable_free().
However, the function is also called to free vmemmap pages.
Given that vmemmap pages are not page tables, already the page_ptdesc(page)
is wrong. But worse, pagetable_free() calls:
__free_pages(page, compound_order(page));
Since vmemmap pages are not compound pages (see vmemmap_alloc_block())
-- except for HVO, which doesn't apply here -- only first page of a
PMD-sized vmemmap page is freed, leaking the other ones.
Fix it by properly decoupling pagetable and vmemmap freeing.
free_pagetable() no longer has to mess with SECTION_INFO, as only the
vmemmap is marked like that in register_page_bootmem_memmap().
The indentation in remove_pmd_table() is messed up. Fix that while
touching it.
Bootmem info handling will soon be fixed up. For now, handle it
similar to free_pagetable(), just avoiding the ifdef.
[ dhansen: changelog munging. More imperative voice ]
Fixes: bf9e4e30f353 ("x86/mm: use pagetable_free()")
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Tested-by: Lance Yang <lance.yang@linux.dev>
Link: https://lore.kernel.org/20260429-vmemmap-v2-1-8dfcacffd877@kernel.org
Link: https://patch.msgid.link/20260429-vmemmap-v2-1-8dfcacffd877@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/init_64.c | 40 ++++++++++++++++++++++++++--------------
1 file changed, 26 insertions(+), 14 deletions(-)
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1014,7 +1014,7 @@ static void __meminit free_pagetable(str
#ifdef CONFIG_HAVE_BOOTMEM_INFO_NODE
enum bootmem_type type = bootmem_type(page);
- if (type == SECTION_INFO || type == MIX_SECTION_INFO) {
+ if (type == MIX_SECTION_INFO) {
while (nr_pages--)
put_page_bootmem(page++);
} else {
@@ -1028,13 +1028,24 @@ static void __meminit free_pagetable(str
}
}
-static void __meminit free_hugepage_table(struct page *page,
+static void __meminit free_vmemmap_pages(struct page *page, unsigned int order,
struct vmem_altmap *altmap)
{
- if (altmap)
- vmem_altmap_free(altmap, PMD_SIZE / PAGE_SIZE);
- else
- free_pagetable(page, get_order(PMD_SIZE));
+ unsigned long nr_pages = 1u << order;
+
+ if (altmap) {
+ vmem_altmap_free(altmap, nr_pages);
+ } else if (PageReserved(page)) {
+ if (IS_ENABLED(CONFIG_HAVE_BOOTMEM_INFO_NODE) &&
+ bootmem_type(page) == SECTION_INFO) {
+ while (nr_pages--)
+ put_page_bootmem(page++);
+ } else {
+ free_reserved_pages(page, nr_pages);
+ }
+ } else {
+ __free_pages(page, order);
+ }
}
static void __meminit free_pte_table(pte_t *pte_start, pmd_t *pmd)
@@ -1118,7 +1129,8 @@ remove_pte_table(pte_t *pte_start, unsig
return;
if (!direct)
- free_pagetable(pte_page(*pte), 0);
+ /* We never populate base pages from the altmap. */
+ free_vmemmap_pages(pte_page(*pte), 0, NULL);
spin_lock(&init_mm.page_table_lock);
pte_clear(&init_mm, addr, pte);
@@ -1153,19 +1165,19 @@ remove_pmd_table(pmd_t *pmd_start, unsig
if (IS_ALIGNED(addr, PMD_SIZE) &&
IS_ALIGNED(next, PMD_SIZE)) {
if (!direct)
- free_hugepage_table(pmd_page(*pmd),
- altmap);
+ free_vmemmap_pages(pmd_page(*pmd),
+ PMD_ORDER, altmap);
spin_lock(&init_mm.page_table_lock);
pmd_clear(pmd);
spin_unlock(&init_mm.page_table_lock);
pages++;
} else if (vmemmap_pmd_is_unused(addr, next)) {
- free_hugepage_table(pmd_page(*pmd),
- altmap);
- spin_lock(&init_mm.page_table_lock);
- pmd_clear(pmd);
- spin_unlock(&init_mm.page_table_lock);
+ free_vmemmap_pages(pmd_page(*pmd), PMD_ORDER,
+ altmap);
+ spin_lock(&init_mm.page_table_lock);
+ pmd_clear(pmd);
+ spin_unlock(&init_mm.page_table_lock);
}
continue;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 404/518] EDAC/i10nm: Dont fail probing if ADXL is missing
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 403/518] x86/mm: Fix freeing of PMD-sized vmemmap pages Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 405/518] watchdog: apple: Add "apple,t8103-wdt" compatible Greg Kroah-Hartman
` (117 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasily Khoruzhick, Tony Luck,
Qiuxu Zhuo
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Khoruzhick <vasilykh@arista.com>
commit e360a6d65bb46c527a5909430a31d640cdd5036e upstream.
ADXL is not present in Coreboot- or Slimbootloader-based BIOSes and as
result, the driver fails to probe there.
Since commit 2738c69a8813 ("EDAC/i10nm: Add driver decoder for Ice Lake
and Tremont CPUs"), i10nm_edac supports driver decoder. Switch to driver
decoding when ADXL is not present.
Signed-off-by: Vasily Khoruzhick <vasilykh@arista.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Cc: stable@vger.kernel.org # v6.1+
Link: https://patch.msgid.link/20260414181735.87023-1-anarsoul@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/edac/i10nm_base.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/edac/i10nm_base.c
+++ b/drivers/edac/i10nm_base.c
@@ -79,6 +79,7 @@ static struct res_config *res_cfg;
static int retry_rd_err_log;
static int decoding_via_mca;
static bool mem_cfg_2lm;
+static bool no_adxl;
static struct reg_rrl icx_reg_rrl_ddr = {
.set_num = 2,
@@ -1222,8 +1223,14 @@ static int __init i10nm_init(void)
}
rc = skx_adxl_get();
- if (rc)
- goto fail;
+ if (rc) {
+ /* Decoding errors via MCA banks for 2LM isn't supported yet */
+ if (rc != -ENODEV || mem_cfg_2lm)
+ goto fail;
+ i10nm_printk(KERN_INFO, "ADXL not found, falling back to MCA-based decoding.\n");
+ no_adxl = true;
+ decoding_via_mca = true;
+ }
opstate_init();
mce_register_decode_chain(&i10nm_mce_dec);
@@ -1257,7 +1264,8 @@ static void __exit i10nm_exit(void)
skx_teardown_debug();
mce_unregister_decode_chain(&i10nm_mce_dec);
- skx_adxl_put();
+ if (!no_adxl)
+ skx_adxl_put();
skx_remove();
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 405/518] watchdog: apple: Add "apple,t8103-wdt" compatible
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 404/518] EDAC/i10nm: Dont fail probing if ADXL is missing Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 406/518] regulator: scmi: fix of_node refcount leak in scmi_regulator_probe() Greg Kroah-Hartman
` (116 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Neal Gompa, Janne Grunau,
Guenter Roeck
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janne Grunau <j@jannau.net>
commit 14ca4868886f2188401fe06cd7bf01a330b3fb99 upstream.
After discussion with the devicetree maintainers we agreed to not extend
lists with the generic compatible "apple,wdt" anymore [1]. Use
"apple,t8103-wdt" as base compatible as it is the SoC the driver and
bindings were written for.
[1]: https://lore.kernel.org/asahi/12ab93b7-1fc2-4ce0-926e-c8141cfe81bf@kernel.org/
Fixes: 4ed224aeaf66 ("watchdog: Add Apple SoC watchdog driver")
Cc: stable@vger.kernel.org
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Janne Grunau <j@jannau.net>
Link: https://lore.kernel.org/r/20251231-watchdog-apple-t8103-base-compat-v1-1-1702a02e0c45@jannau.net
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/watchdog/apple_wdt.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/watchdog/apple_wdt.c
+++ b/drivers/watchdog/apple_wdt.c
@@ -218,6 +218,7 @@ static int apple_wdt_suspend(struct devi
static DEFINE_SIMPLE_DEV_PM_OPS(apple_wdt_pm_ops, apple_wdt_suspend, apple_wdt_resume);
static const struct of_device_id apple_wdt_of_match[] = {
+ { .compatible = "apple,t8103-wdt" },
{ .compatible = "apple,wdt" },
{},
};
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 406/518] regulator: scmi: fix of_node refcount leak in scmi_regulator_probe()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 405/518] watchdog: apple: Add "apple,t8103-wdt" compatible Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 407/518] i2c: core: fix hang on adapter registration failure Greg Kroah-Hartman
` (115 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Mark Brown
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit fa11039d6cdff84584a3ef8cc1f5e1b56e045da2 upstream.
scmi_regulator_probe() calls of_find_node_by_name() which takes a
reference on the returned device node. On the error path where
process_scmi_regulator_of_node() fails, the function returns without
calling of_node_put() on the child node, leaking the reference.
Add of_node_put(np) on the error path to properly release the
reference.
Cc: stable@vger.kernel.org
Fixes: 0fbeae70ee7c ("regulator: add SCMI driver")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260527104850.872415-1-vulab@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/scmi-regulator.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/regulator/scmi-regulator.c
+++ b/drivers/regulator/scmi-regulator.c
@@ -345,8 +345,10 @@ static int scmi_regulator_probe(struct s
for_each_child_of_node_scoped(np, child) {
ret = process_scmi_regulator_of_node(sdev, ph, child, rinfo);
/* abort on any mem issue */
- if (ret == -ENOMEM)
+ if (ret == -ENOMEM) {
+ of_node_put(np);
return ret;
+ }
}
of_node_put(np);
/*
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 407/518] i2c: core: fix hang on adapter registration failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 406/518] regulator: scmi: fix of_node refcount leak in scmi_regulator_probe() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 408/518] perf/aux: Fix page UAF in map_range() Greg Kroah-Hartman
` (114 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Phil Reid, Johan Hovold,
Wolfram Sang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3c7e164344e5bcf6f274bbf59a3274f5caad9bc1 upstream.
Clients may be registered from bus notifier callbacks when the adapter
is registered. On a subsequent error during registration, the adapter
references taken by such clients prevent the wait for the references to
be released from ever completing.
Fix this by refactoring client deregistration and deregistering also on
late adapter registration failures.
Fixes: f8756c67b3de ("i2c: core: call of_i2c_setup_smbus_alert in i2c_register_adapter")
Cc: stable@vger.kernel.org # 4.15
Cc: Phil Reid <preid@electromag.com.au>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 49 ++++++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 20 deletions(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -63,6 +63,7 @@
static DEFINE_MUTEX(core_lock);
static DEFINE_IDR(i2c_adapter_idr);
+static void i2c_deregister_clients(struct i2c_adapter *adap);
static int i2c_detect(struct i2c_adapter *adapter, struct i2c_driver *driver);
static DEFINE_STATIC_KEY_FALSE(i2c_trace_msg_key);
@@ -1608,6 +1609,7 @@ static int i2c_register_adapter(struct i
return 0;
out_reg:
+ i2c_deregister_clients(adap);
debugfs_remove_recursive(adap->debugfs);
init_completion(&adap->dev_released);
device_unregister(&adap->dev);
@@ -1747,29 +1749,10 @@ static int __process_removed_adapter(str
return 0;
}
-/**
- * i2c_del_adapter - unregister I2C adapter
- * @adap: the adapter being unregistered
- * Context: can sleep
- *
- * This unregisters an I2C adapter which was previously registered
- * by @i2c_add_adapter or @i2c_add_numbered_adapter.
- */
-void i2c_del_adapter(struct i2c_adapter *adap)
+static void i2c_deregister_clients(struct i2c_adapter *adap)
{
- struct i2c_adapter *found;
struct i2c_client *client, *next;
- /* First make sure that this adapter was ever added */
- mutex_lock(&core_lock);
- found = idr_find(&i2c_adapter_idr, adap->nr);
- mutex_unlock(&core_lock);
- if (found != adap) {
- pr_debug("attempting to delete unregistered adapter [%s]\n", adap->name);
- return;
- }
-
- i2c_acpi_remove_space_handler(adap);
/* Tell drivers about this removal */
mutex_lock(&core_lock);
bus_for_each_drv(&i2c_bus_type, NULL, adap,
@@ -1795,6 +1778,32 @@ void i2c_del_adapter(struct i2c_adapter
* them up properly, so we give them a chance to do that first. */
device_for_each_child(&adap->dev, NULL, __unregister_client);
device_for_each_child(&adap->dev, NULL, __unregister_dummy);
+}
+
+/**
+ * i2c_del_adapter - unregister I2C adapter
+ * @adap: the adapter being unregistered
+ * Context: can sleep
+ *
+ * This unregisters an I2C adapter which was previously registered
+ * by @i2c_add_adapter or @i2c_add_numbered_adapter.
+ */
+void i2c_del_adapter(struct i2c_adapter *adap)
+{
+ struct i2c_adapter *found;
+
+ /* First make sure that this adapter was ever added */
+ mutex_lock(&core_lock);
+ found = idr_find(&i2c_adapter_idr, adap->nr);
+ mutex_unlock(&core_lock);
+ if (found != adap) {
+ pr_debug("attempting to delete unregistered adapter [%s]\n", adap->name);
+ return;
+ }
+
+ i2c_acpi_remove_space_handler(adap);
+
+ i2c_deregister_clients(adap);
/* device name is gone after device_unregister */
dev_dbg(&adap->dev, "adapter [%s] unregistered\n", adap->name);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 408/518] perf/aux: Fix page UAF in map_range()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 407/518] i2c: core: fix hang on adapter registration failure Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 409/518] liveupdate: reject LIVEUPDATE_IOCTL_CREATE_SESSION with invalid name length Greg Kroah-Hartman
` (113 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jia Jie, Ingo Molnar,
Peter Zijlstra, Arnaldo Carvalho de Melo, Namhyung Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jia Jie <jiajie.lee@starlabs.sg>
commit 5948aaf64f81f217a25dcc2bf6c0779bca19566c upstream.
map_range() reads rb->aux_pages[], rb->aux_nr_pages and rb->aux_pgoff via
perf_mmap_to_page() while holding only event->mmap_mutex. Those fields are
serialized by rb->aux_mutex, and mmap_mutex is per event.
Thus, two events sharing one rb via PERF_EVENT_IOC_SET_OUTPUT can race
rb_alloc_aux() with map_range(), leading to a page-UAF scenario as follows:
CPU 0 CPU 1
===== =====
rb_alloc_aux() map_range()
[1]: allocate rb->aux_pages[0]
[2]: rb->aux_nr_pages++
[3]: perf_mmap_to_page()
returns rb->aux_pages[0]
[4]: map it as VM_PFNMAP
[5]: rb->aux_pgoff = 1
munmap the page
[6]: free rb->aux_pages[0]
Pages mapped as VM_PFNMAP have no refcount protection, so CPU 1 holds a
mapping to a freed physical frame.
Fix this by taking rb->aux_mutex across the page walk in map_range().
Fixes: b709eb872e19 ("perf: map pages in advance")
Signed-off-by: Lee Jia Jie <jiajie.lee@starlabs.sg>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7150,6 +7150,8 @@ static int map_range(struct perf_buffer
int err = 0;
unsigned long pagenum;
+ guard(mutex)(&rb->aux_mutex);
+
/*
* We map this as a VM_PFNMAP VMA.
*
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 409/518] liveupdate: reject LIVEUPDATE_IOCTL_CREATE_SESSION with invalid name length
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 408/518] perf/aux: Fix page UAF in map_range() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 410/518] selftests/liveupdate: add test cases for LIVEUPDATE_IOCTL_CREATE_SESSION calls with invalid length Greg Kroah-Hartman
` (112 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Boccassi, Pasha Tatashin,
Pratyush Yadav, Mike Rapoport (Microsoft)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Boccassi <luca.boccassi@gmail.com>
commit e947433cd0d2b95a277757451b9b9c2714136dc2 upstream.
A session name must not be an empty string, and must not exceed the
maximum size define in the uapi header, including null termination.
Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support")
Cc: stable@vger.kernel.org
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Link: https://lore.kernel.org/r/20260429212221.814107-2-luca.boccassi@gmail.com
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/liveupdate/luo_session.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -382,9 +382,13 @@ static int luo_session_getfile(struct lu
int luo_session_create(const char *name, struct file **filep)
{
+ size_t len = strnlen(name, LIVEUPDATE_SESSION_NAME_LENGTH);
struct luo_session *session;
int err;
+ if (len == 0 || len > LIVEUPDATE_SESSION_NAME_LENGTH - 1)
+ return -EINVAL;
+
session = luo_session_alloc(name);
if (IS_ERR(session))
return PTR_ERR(session);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 410/518] selftests/liveupdate: add test cases for LIVEUPDATE_IOCTL_CREATE_SESSION calls with invalid length
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 409/518] liveupdate: reject LIVEUPDATE_IOCTL_CREATE_SESSION with invalid name length Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 411/518] tracing: Prevent out-of-bounds read in glob matching Greg Kroah-Hartman
` (111 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Boccassi, Pasha Tatashin,
Pratyush Yadav, Mike Rapoport (Microsoft)
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Boccassi <luca.boccassi@gmail.com>
commit dab2b4c66aa0f44ccb6a0096906e5680c604fe39 upstream.
Verify that LIVEUPDATE_IOCTL_CREATE_SESSION ioctl which provide a name
that is an empty string or too long are not allowed.
Cc: stable@vger.kernel.org
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Link: https://lore.kernel.org/r/20260429212221.814107-3-luca.boccassi@gmail.com
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/liveupdate/liveupdate.c | 42 ++++++++++++++++++++++++
1 file changed, 42 insertions(+)
--- a/tools/testing/selftests/liveupdate/liveupdate.c
+++ b/tools/testing/selftests/liveupdate/liveupdate.c
@@ -386,4 +386,46 @@ TEST_F(liveupdate_device, prevent_double
ASSERT_EQ(close(session_fd2), 0);
}
+/*
+ * Test Case: Create Session with No Null Termination
+ *
+ * Verifies that filling the entire 64-byte name field with non-null characters
+ * (no '\0' terminator) is rejected by the kernel with EINVAL.
+ */
+TEST_F(liveupdate_device, create_session_no_null_termination)
+{
+ struct liveupdate_ioctl_create_session args = {};
+
+ self->fd1 = open(LIVEUPDATE_DEV, O_RDWR);
+ if (self->fd1 < 0 && errno == ENOENT)
+ SKIP(return, "%s does not exist", LIVEUPDATE_DEV);
+ ASSERT_GE(self->fd1, 0);
+
+ /* Fill entire name field with 'X', no null terminator */
+ args.size = sizeof(args);
+ memset(args.name, 'X', sizeof(args.name));
+
+ EXPECT_LT(ioctl(self->fd1, LIVEUPDATE_IOCTL_CREATE_SESSION, &args), 0);
+ EXPECT_EQ(errno, EINVAL);
+}
+
+/*
+ * Test Case: Create Session with Empty Name
+ *
+ * Verifies that creating a session with an empty string name fails
+ * with EINVAL.
+ */
+TEST_F(liveupdate_device, create_session_empty_name)
+{
+ int session_fd;
+
+ self->fd1 = open(LIVEUPDATE_DEV, O_RDWR);
+ if (self->fd1 < 0 && errno == ENOENT)
+ SKIP(return, "%s does not exist", LIVEUPDATE_DEV);
+ ASSERT_GE(self->fd1, 0);
+
+ session_fd = create_session(self->fd1, "");
+ EXPECT_EQ(session_fd, -EINVAL);
+}
+
TEST_HARNESS_MAIN
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 411/518] tracing: Prevent out-of-bounds read in glob matching
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 410/518] selftests/liveupdate: add test cases for LIVEUPDATE_IOCTL_CREATE_SESSION calls with invalid length Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 412/518] audit: fix potential integer overflow in audit_log_n_hex() Greg Kroah-Hartman
` (110 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Zhengchuan Liang, Xin Liu, Huihui Huang, Ren Wei,
Masami Hiramatsu (Google), Steven Rostedt
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huihui Huang <hhhuang@smu.edu.sg>
commit 0a6070839b1ef276d5b05bedfb787743e140fb17 upstream.
String event fields are not necessarily NUL-terminated, so the filter
predicate functions (filter_pred_string(), filter_pred_strloc() and
filter_pred_strrelloc()) pass the field length to the regex match
callbacks, and the length-aware matchers honour it.
regex_match_glob() was the exception: it ignored the length and called
glob_match(), which scans the string until it hits a NUL byte. Some
string fields are not NUL-terminated. One example is the dynamic char
array of the xfs_* namespace tracepoints, which is copied without a
trailing NUL. For such a field, glob matching reads past the end of
the event field, causing a KASAN slab-out-of-bounds read in
glob_match(), reached via regex_match_glob() and filter_match_preds()
from the xfs_lookup tracepoint.
Add a length-bounded glob_match_len() and use it from regex_match_glob()
so glob matching always stops at the field boundary. The matching loop
is factored into a shared helper so glob_match() keeps its behaviour.
Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/da1aaf125fc3b63320b0c540fd6afa7c3d5b4f1a.1782836943.git.hhhuang@smu.edu.sg
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Huihui Huang <hhhuang@smu.edu.sg>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/glob.h | 1 +
kernel/trace/trace_events_filter.c | 6 ++----
lib/glob.c | 31 +++++++++++++++++++++++++++++--
3 files changed, 32 insertions(+), 6 deletions(-)
--- a/include/linux/glob.h
+++ b/include/linux/glob.h
@@ -6,5 +6,6 @@
#include <linux/compiler.h> /* For __pure */
bool __pure glob_match(char const *pat, char const *str);
+bool __pure glob_match_len(char const *pat, char const *str, size_t len);
#endif /* _LINUX_GLOB_H */
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, st
return 0;
}
-static int regex_match_glob(char *str, struct regex *r, int len __maybe_unused)
+static int regex_match_glob(char *str, struct regex *r, int len)
{
- if (glob_match(r->pattern, str))
- return 1;
- return 0;
+ return glob_match_len(r->pattern, str, len) ? 1 : 0;
}
/**
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -11,6 +11,9 @@
MODULE_DESCRIPTION("glob(7) matching");
MODULE_LICENSE("Dual MIT/GPL");
+static bool __pure glob_match_str(char const *pat, char const *str,
+ char const *str_end);
+
/**
* glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0)
* @pat: Shell-style pattern to match, e.g. "*.[ch]".
@@ -41,6 +44,29 @@ MODULE_LICENSE("Dual MIT/GPL");
*/
bool __pure glob_match(char const *pat, char const *str)
{
+ return glob_match_str(pat, str, NULL);
+}
+EXPORT_SYMBOL(glob_match);
+
+/**
+ * glob_match_len - glob match against a length-bounded string
+ * @pat: Shell-style pattern to match.
+ * @str: String to match. Need not be NUL-terminated.
+ * @len: Number of bytes of @str that may be read.
+ *
+ * Like glob_match(), but @str is only read up to @len bytes, so it can be
+ * used on buffers that are not NUL-terminated (e.g. trace event fields).
+ * A NUL byte within @len still terminates the string.
+ */
+bool __pure glob_match_len(char const *pat, char const *str, size_t len)
+{
+ return glob_match_str(pat, str, str + len);
+}
+EXPORT_SYMBOL(glob_match_len);
+
+static bool __pure glob_match_str(char const *pat, char const *str,
+ char const *str_end)
+{
/*
* Backtrack to previous * on mismatch and retry starting one
* character later in the string. Because * matches all characters
@@ -55,9 +81,11 @@ bool __pure glob_match(char const *pat,
* on mismatch, or true after matching the trailing nul bytes.
*/
for (;;) {
- unsigned char c = *str++;
+ unsigned char c = (str_end && str >= str_end) ? '\0' : *str;
unsigned char d = *pat++;
+ str++;
+
switch (d) {
case '?': /* Wildcard: anything but nul */
if (c == '\0')
@@ -125,4 +153,3 @@ backtrack:
}
}
}
-EXPORT_SYMBOL(glob_match);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 412/518] audit: fix potential integer overflow in audit_log_n_hex()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 411/518] tracing: Prevent out-of-bounds read in glob matching Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 413/518] NFSv4: include MAY_WRITE in open permission mask for O_TRUNC Greg Kroah-Hartman
` (109 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Guy Briggs, Ricardo Robaina,
Paul Moore
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Robaina <rrobaina@redhat.com>
commit 65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0 upstream.
The function calculates new_len as len << 1 for hex encoding. This
has two overflow risks: the shift itself can overflow when len is
large, and the result can be truncated when assigned to new_len
(declared as int) from the size_t calculation.
Fix by using check_shl_overflow() to catch shift overflow and
changing new_len and loop counter i to size_t to prevent truncation.
Cc: stable@vger.kernel.org
Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
[PM: remove vertical whitspace noise]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,6 +62,7 @@
#include <net/ip.h>
#include <net/ipv6.h>
#include <linux/sctp.h>
+#include <linux/overflow.h>
#include "audit.h"
@@ -2080,7 +2081,8 @@ void audit_log_format(struct audit_buffe
void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
size_t len)
{
- int i, avail, new_len;
+ int avail;
+ size_t i, new_len;
unsigned char *ptr;
struct sk_buff *skb;
@@ -2090,7 +2092,12 @@ void audit_log_n_hex(struct audit_buffer
BUG_ON(!ab->skb);
skb = ab->skb;
avail = skb_tailroom(skb);
- new_len = len<<1;
+
+ if (check_shl_overflow(len, 1, &new_len)) {
+ audit_log_format(ab, "?");
+ return;
+ }
+
if (new_len >= avail) {
/* Round the buffer request up to the next multiple */
new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 413/518] NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 412/518] audit: fix potential integer overflow in audit_log_n_hex() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 414/518] rqspinlock: Fix order in raw_res_spin_(un)lock_irq to allow schedule Greg Kroah-Hartman
` (108 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Benjamin Coddington,
Anna Schumaker
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Coddington <ben.coddington@hammerspace.com>
commit 5140f099ecd8a2f2808b7f7b720ee1bad8468974 upstream.
POSIX requires write permission to truncate a file, so an open() that
specifies O_TRUNC must be authorized for write access regardless of the
O_ACCMODE access mode.
nfs_open_permission_mask() builds the access mask passed to
nfs_may_open(), which is the local authorization gate for OPENs the
client serves itself from a cached write delegation via the
can_open_delegated() path in nfs4_try_open_cached(). The mask is
derived from O_ACCMODE alone, so an open(O_RDONLY | O_TRUNC) against a
file the caller cannot write requests only MAY_READ and passes the
local check. The OPEN is then satisfied locally and the truncation is
issued to the server as a SETATTR(size=0) over the delegation stateid,
which the server accepts under standard write-delegation semantics.
POSIX requires that this open fail with EACCES.
Include MAY_WRITE in the mask whenever O_TRUNC is set so the local
check matches the access the server would have enforced.
Suggested-by: Trond Myklebust <trondmy@kernel.org>
Fixes: af22f94ae02a ("NFSv4: Simplify _nfs4_do_access()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/dir.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -3344,6 +3344,8 @@ static int nfs_open_permission_mask(int
mask |= MAY_READ;
if ((openflags & O_ACCMODE) != O_RDONLY)
mask |= MAY_WRITE;
+ if (openflags & O_TRUNC)
+ mask |= MAY_WRITE;
}
return mask;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 414/518] rqspinlock: Fix order in raw_res_spin_(un)lock_irq to allow schedule
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 413/518] NFSv4: include MAY_WRITE in open permission mask for O_TRUNC Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 415/518] module: decompress: check return value of module_extend_max_pages() Greg Kroah-Hartman
` (107 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Kumar Kartikeya Dwivedi,
Gabriele Monaco, Alexei Starovoitov, Arnd Bergmann
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriele Monaco <gmonaco@redhat.com>
commit b48bd16eb9fc57a463a337ca148516cdf3212d61 upstream.
raw_res_spin_unlock_irqrestore() calls raw_res_spin_unlock() and then
restores interrupts, this means preemption is enabled when interrupts
are still disabled (as part of raw_res_spin_unlock()) so this cannot
trigger an actual preemption.
This is inconsistent with other spinlock implementations
(raw_spin_unlock_irqrestore() and bpf_res_spin_unlock_irqrestore()
itself).
Adjust the macro to ensure interrupts are enabled before enabling
preemption, allowing to schedule at that point. Make the same
modification in the error path of raw_res_spin_lock_irqsave().
Fixes: 101acd2e78b1 ("rqspinlock: Add macros for rqspinlock usage")
Cc: stable@vger.kernel.org
Acked-by: Arnd Bergmann <arnd@arndb.de> # asm-generic
Acked-by: Waiman Long <longman@redhat.com>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>
Link: https://lore.kernel.org/r/20260610090431.32427-1-gmonaco@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/asm-generic/rqspinlock.h | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/include/asm-generic/rqspinlock.h
+++ b/include/asm-generic/rqspinlock.h
@@ -243,12 +243,20 @@ static __always_inline void res_spin_unl
({ \
int __ret; \
local_irq_save(flags); \
- __ret = raw_res_spin_lock(lock); \
- if (__ret) \
+ preempt_disable(); \
+ __ret = res_spin_lock(lock); \
+ if (__ret) { \
local_irq_restore(flags); \
+ preempt_enable(); \
+ } \
__ret; \
})
-#define raw_res_spin_unlock_irqrestore(lock, flags) ({ raw_res_spin_unlock(lock); local_irq_restore(flags); })
+#define raw_res_spin_unlock_irqrestore(lock, flags) \
+ ({ \
+ res_spin_unlock(lock); \
+ local_irq_restore(flags); \
+ preempt_enable(); \
+ })
#endif /* __ASM_GENERIC_RQSPINLOCK_H */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 415/518] module: decompress: check return value of module_extend_max_pages()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 414/518] rqspinlock: Fix order in raw_res_spin_(un)lock_irq to allow schedule Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 416/518] vt: fix spurious modifier in CSI/cursor key sequences Greg Kroah-Hartman
` (106 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, Luis Chamberlain,
Andrii Kuchmenko, Christophe Leroy (CS GROUP), Sami Tolvanen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Kuchmenko <capyenglishlite@gmail.com>
commit 786d2d84416a9a1c1a47b71a68d679d886284be2 upstream.
module_extend_max_pages() calls kvrealloc() internally and returns
-ENOMEM on allocation failure. The return value is never checked.
If the initial allocation fails, info->pages remains NULL and
info->max_pages remains 0. Subsequent calls to module_get_next_page()
will attempt to dynamically grow the array by calling
module_extend_max_pages(info, 0) since info->used_pages is 0. This
results in kvrealloc(NULL, 0) returning ZERO_SIZE_PTR, which is treated
as a success, leading to a dereference of ZERO_SIZE_PTR and a kernel
oops.
Fix: add the missing error check after module_extend_max_pages() and
return immediately on failure. This matches the pattern used by every
other kvrealloc() caller in the module loading path.
Fixes: b1ae6dc41eaa ("module: add in-kernel support for decompressing")
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Andrii Kuchmenko <capyenglishlite@gmail.com>
Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
[Sami: Corrected the analysis in the commit message.]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/module/decompress.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/module/decompress.c
+++ b/kernel/module/decompress.c
@@ -307,6 +307,8 @@ int module_decompress(struct load_info *
*/
n_pages = DIV_ROUND_UP(size, PAGE_SIZE) * 2;
error = module_extend_max_pages(info, n_pages);
+ if (error)
+ return error;
data_size = MODULE_DECOMPRESS_FN(info, buf, size);
if (data_size < 0) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 416/518] vt: fix spurious modifier in CSI/cursor key sequences
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 415/518] module: decompress: check return value of module_extend_max_pages() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 417/518] exfat: preserve benign secondary entries during rename and move Greg Kroah-Hartman
` (105 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexey Gladkov, stable,
Nicolas Pitre
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <npitre@baylibre.com>
commit e9ad4d5ca309cb517d3f7a85251c3c5328f40f1f upstream.
csi_modifier_param() builds the xterm modifier parameter from
shift_state, counting KG_SHIFTL/KG_SHIFTR as Shift, KG_ALTGR as Alt
and KG_CTRLL/KG_CTRLR as Ctrl in addition to the canonical KG_SHIFT,
KG_ALT and KG_CTRL.
That is wrong when those weights are not plain modifiers. Keymaps
derived from XKB layouts (by kbd's xkbsupport, and by the
console-setup used in Debian, Ubuntu and others) encode the active
layout group using KG_SHIFTL/KG_SHIFTR:
group 1: -
group 2: shiftl
group 3: shiftr
group 4: shiftl | shiftr
So while a non-default layout group is selected, KG_SHIFTL and/or
KG_SHIFTR are set in shift_state with no Shift key held.
csi_modifier_param() then adds a spurious Shift to every cursor and
CSI key: pressing Up while group 2 is active emits ESC[1;2A (Shift+Up)
instead of ESC[A. KG_ALTGR has the same problem since it is the
standard third-level selector.
Normal keymaps bind the physical Shift/Ctrl/Alt keys to KG_SHIFT,
KG_CTRL and KG_ALT, leaving the left/right and AltGr weights free for
layout and level selection. Count only those canonical weights, so
genuine modifiers are still encoded while layout/level selectors are
not.
Fixes: 4af70f151671 ("vt: add modifier support to cursor keys")
Reported-by: Alexey Gladkov <legion@kernel.org>
Closes: https://lore.kernel.org/kbd/aj2gR0Y7sM6i9s2G@example.org/
Cc: stable <stable@kernel.org>
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Link: https://patch.msgid.link/20260626024833.3419086-1-nico@fluxnic.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/keyboard.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index dfdea0842149..763a3f1b7be0 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -765,16 +765,22 @@ static void k_fn(struct vc_data *vc, unsigned char value, char up_flag)
/*
* Compute xterm-style modifier parameter for CSI sequences.
* Returns 1 + (shift ? 1 : 0) + (alt ? 2 : 0) + (ctrl ? 4 : 0)
+ *
+ * Only the canonical modifier weights are counted. The left/right variants
+ * (KG_SHIFTL, KG_SHIFTR, KG_CTRLL, KG_CTRLR) and KG_ALTGR are commonly
+ * repurposed as keymap layout-group or level selectors rather than as plain
+ * modifiers (for instance XKB-derived keymaps select the layout group with
+ * KG_SHIFTL/KG_SHIFTR), so counting them would encode a spurious modifier.
*/
static int csi_modifier_param(void)
{
int mod = 1;
- if (shift_state & (BIT(KG_SHIFT) | BIT(KG_SHIFTL) | BIT(KG_SHIFTR)))
+ if (shift_state & BIT(KG_SHIFT))
mod += 1;
- if (shift_state & (BIT(KG_ALT) | BIT(KG_ALTGR)))
+ if (shift_state & BIT(KG_ALT))
mod += 2;
- if (shift_state & (BIT(KG_CTRL) | BIT(KG_CTRLL) | BIT(KG_CTRLR)))
+ if (shift_state & BIT(KG_CTRL))
mod += 4;
return mod;
}
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 417/518] exfat: preserve benign secondary entries during rename and move
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 416/518] vt: fix spurious modifier in CSI/cursor key sequences Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 418/518] exfat: bound uniname advance in exfat_find_dir_entry() Greg Kroah-Hartman
` (104 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rochan Avlur, Yuezhang Mo,
Namjae Jeon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rochan Avlur <rochan.avlur@gmail.com>
commit 942296784b2a9439651750c42f540bf2579b330f upstream.
Commit 8258ef28001a ("exfat: handle unreconized benign secondary
entries") added cluster freeing for benign secondary entries inside
exfat_remove_entries(). However, exfat_remove_entries() is also called
from the rename and move paths (exfat_rename_file and exfat_move_file),
where the old entry set is being relocated rather than deleted. This
causes benign secondary entries such as vendor extension entries to be
silently destroyed on rename or cross-directory move, violating the
exFAT spec requirement (section 8.2) that implementations preserve
unrecognized benign secondary entries.
Fix this by adding a free_benign parameter to exfat_remove_entries()
so callers can suppress cluster freeing during relocation, and
extending exfat_init_ext_entry() to copy trailing benign secondary
entries from the old entry set into the new one internally. Also
clean up the error paths to delete newly allocated entries on failure.
Fixes: 8258ef28001a ("exfat: handle unreconized benign secondary entries")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-fsdevel/CAG7tbBV--waov7XVu2FHQEc6paR92dufS=em9DW5Kzsrpu3iQg@mail.gmail.com/
Signed-off-by: Rochan Avlur <rochan.avlur@gmail.com>
Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/dir.c | 50 +++++++++++++++++++++++++----
fs/exfat/exfat_fs.h | 5 +-
fs/exfat/namei.c | 89 ++++++++++++++++++++++++++++++++++++++++------------
3 files changed, 116 insertions(+), 28 deletions(-)
--- a/fs/exfat/dir.c
+++ b/fs/exfat/dir.c
@@ -470,32 +470,70 @@ static void exfat_free_benign_secondary_
exfat_free_cluster(inode, &dir);
}
+/*
+ * exfat_init_ext_entry - initialize extension entries in a directory entry set
+ * @es: target entry set
+ * @num_entries: number of entries excluding benign secondary entries
+ * @p_uniname: filename to store
+ * @old_es: optional source entry set with benign secondary entries, or NULL
+ * @num_extra: number of benign secondary entries to copy from @old_es
+ *
+ * Set up the file, stream extension, and filename entries in @es, optionally
+ * preserving @num_extra benign secondary entries from @old_es. @es and @old_es
+ * may refer to the same entry set; excess entries are marked as deleted.
+ */
void exfat_init_ext_entry(struct exfat_entry_set_cache *es, int num_entries,
- struct exfat_uni_name *p_uniname)
+ struct exfat_uni_name *p_uniname,
+ struct exfat_entry_set_cache *old_es, int num_extra)
{
- int i;
+ int i, src_start = 0, old_num;
unsigned short *uniname = p_uniname->name;
struct exfat_dentry *ep;
- es->num_entries = num_entries;
+ if (WARN_ON(num_extra < 0 || (num_extra && (!old_es ||
+ old_es->num_entries < ES_IDX_FIRST_FILENAME + num_extra))))
+ num_extra = 0;
+
+ /*
+ * Save old entry count and source position before modifying
+ * es->num_entries, since old_es and es may point to the same
+ * entry set.
+ */
+ old_num = es->num_entries;
+ if (old_es && num_extra > 0)
+ src_start = old_es->num_entries - num_extra;
+
+ es->num_entries = num_entries + num_extra;
ep = exfat_get_dentry_cached(es, ES_IDX_FILE);
- ep->dentry.file.num_ext = (unsigned char)(num_entries - 1);
+ ep->dentry.file.num_ext = (unsigned char)(num_entries - 1 + num_extra);
ep = exfat_get_dentry_cached(es, ES_IDX_STREAM);
ep->dentry.stream.name_len = p_uniname->name_len;
ep->dentry.stream.name_hash = cpu_to_le16(p_uniname->name_hash);
+ if (old_es && num_extra > 0) {
+ for (i = 0; i < num_extra; i++)
+ *exfat_get_dentry_cached(es, num_entries + i) =
+ *exfat_get_dentry_cached(old_es, src_start + i);
+ }
+
for (i = ES_IDX_FIRST_FILENAME; i < num_entries; i++) {
ep = exfat_get_dentry_cached(es, i);
exfat_init_name_entry(ep, uniname);
uniname += EXFAT_FILE_NAME_LEN;
}
+ /* Mark excess old entries as deleted (in-place shrink) */
+ for (i = num_entries + num_extra; i < old_num; i++) {
+ ep = exfat_get_dentry_cached(es, i);
+ exfat_set_entry_type(ep, TYPE_DELETED);
+ }
+
exfat_update_dir_chksum(es);
}
void exfat_remove_entries(struct inode *inode, struct exfat_entry_set_cache *es,
- int order)
+ int order, bool free_benign)
{
int i;
struct exfat_dentry *ep;
@@ -503,7 +541,7 @@ void exfat_remove_entries(struct inode *
for (i = order; i < es->num_entries; i++) {
ep = exfat_get_dentry_cached(es, i);
- if (exfat_get_entry_type(ep) & TYPE_BENIGN_SEC)
+ if (free_benign && (exfat_get_entry_type(ep) & TYPE_BENIGN_SEC))
exfat_free_benign_secondary_clusters(inode, ep);
exfat_set_entry_type(ep, TYPE_DELETED);
--- a/fs/exfat/exfat_fs.h
+++ b/fs/exfat/exfat_fs.h
@@ -524,9 +524,10 @@ void exfat_init_dir_entry(struct exfat_e
unsigned int type, unsigned int start_clu,
unsigned long long size, struct timespec64 *ts);
void exfat_init_ext_entry(struct exfat_entry_set_cache *es, int num_entries,
- struct exfat_uni_name *p_uniname);
+ struct exfat_uni_name *p_uniname,
+ struct exfat_entry_set_cache *old_es, int num_extra);
void exfat_remove_entries(struct inode *inode, struct exfat_entry_set_cache *es,
- int order);
+ int order, bool free_benign);
void exfat_update_dir_chksum(struct exfat_entry_set_cache *es);
int exfat_calc_num_entries(struct exfat_uni_name *p_uniname);
int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -503,7 +503,7 @@ static int exfat_add_entry(struct inode
* the first cluster is not determined yet. (0)
*/
exfat_init_dir_entry(&es, type, start_clu, clu_size, &ts);
- exfat_init_ext_entry(&es, num_entries, &uniname);
+ exfat_init_ext_entry(&es, num_entries, &uniname, NULL, 0);
ret = exfat_put_dentry_set(&es, IS_DIRSYNC(inode));
if (ret)
@@ -814,7 +814,7 @@ static int exfat_unlink(struct inode *di
exfat_set_volume_dirty(sb);
/* update the directory entry */
- exfat_remove_entries(inode, &es, ES_IDX_FILE);
+ exfat_remove_entries(inode, &es, ES_IDX_FILE, true);
err = exfat_put_dentry_set(&es, IS_DIRSYNC(inode));
if (err)
@@ -969,7 +969,7 @@ static int exfat_rmdir(struct inode *dir
exfat_set_volume_dirty(sb);
- exfat_remove_entries(inode, &es, ES_IDX_FILE);
+ exfat_remove_entries(inode, &es, ES_IDX_FILE, true);
err = exfat_put_dentry_set(&es, IS_DIRSYNC(dir));
if (err)
@@ -996,6 +996,23 @@ unlock:
return err;
}
+/*
+ * Count benign secondary entries beyond the filename entries.
+ * Returns the count, or -EIO if the entry set is inconsistent.
+ */
+static int exfat_count_extra_entries(struct exfat_entry_set_cache *es)
+{
+ struct exfat_dentry *stream;
+ unsigned int name_entries;
+ int extra;
+
+ stream = exfat_get_dentry_cached(es, ES_IDX_STREAM);
+ name_entries = EXFAT_FILENAME_ENTRY_NUM(stream->dentry.stream.name_len);
+ extra = es->num_entries - (ES_IDX_FIRST_FILENAME + name_entries);
+
+ return extra >= 0 ? extra : -EIO;
+}
+
static int exfat_rename_file(struct inode *parent_inode,
struct exfat_uni_name *p_uniname, struct exfat_inode_info *ei)
{
@@ -1004,6 +1021,7 @@ static int exfat_rename_file(struct inod
struct super_block *sb = parent_inode->i_sb;
struct exfat_entry_set_cache old_es, new_es;
int sync = IS_DIRSYNC(parent_inode);
+ unsigned int num_extra_entries, num_total_entries;
if (unlikely(exfat_forced_shutdown(sb)))
return -EIO;
@@ -1013,19 +1031,23 @@ static int exfat_rename_file(struct inod
return num_new_entries;
ret = exfat_get_dentry_set_by_ei(&old_es, sb, ei);
- if (ret) {
- ret = -EIO;
- return ret;
- }
+ if (ret)
+ return -EIO;
epold = exfat_get_dentry_cached(&old_es, ES_IDX_FILE);
- if (old_es.num_entries < num_new_entries) {
+ ret = exfat_count_extra_entries(&old_es);
+ if (ret < 0)
+ goto put_old_es;
+ num_extra_entries = ret;
+ num_total_entries = num_new_entries + num_extra_entries;
+
+ if (old_es.num_entries < num_total_entries) {
int newentry;
struct exfat_chain dir;
newentry = exfat_find_empty_entry(parent_inode, &dir,
- num_new_entries, &new_es);
+ num_total_entries, &new_es);
if (newentry < 0) {
ret = newentry; /* -EIO or -ENOSPC */
goto put_old_es;
@@ -1042,13 +1064,23 @@ static int exfat_rename_file(struct inod
epnew = exfat_get_dentry_cached(&new_es, ES_IDX_STREAM);
*epnew = *epold;
- exfat_init_ext_entry(&new_es, num_new_entries, p_uniname);
+ exfat_init_ext_entry(&new_es, num_new_entries, p_uniname,
+ &old_es, num_extra_entries);
ret = exfat_put_dentry_set(&new_es, sync);
- if (ret)
+ if (ret) {
+ /* Best-effort delete to avoid duplicate entries */
+ if (!exfat_get_dentry_set(&new_es, sb,
+ &dir, newentry,
+ ES_ALL_ENTRIES)) {
+ exfat_remove_entries(parent_inode, &new_es,
+ ES_IDX_FILE, false);
+ exfat_put_dentry_set(&new_es, false);
+ }
goto put_old_es;
+ }
- exfat_remove_entries(parent_inode, &old_es, ES_IDX_FILE);
+ exfat_remove_entries(parent_inode, &old_es, ES_IDX_FILE, false);
ei->dir = dir;
ei->entry = newentry;
} else {
@@ -1057,8 +1089,8 @@ static int exfat_rename_file(struct inod
ei->attr |= EXFAT_ATTR_ARCHIVE;
}
- exfat_remove_entries(parent_inode, &old_es, ES_IDX_FIRST_FILENAME + 1);
- exfat_init_ext_entry(&old_es, num_new_entries, p_uniname);
+ exfat_init_ext_entry(&old_es, num_new_entries, p_uniname,
+ &old_es, num_extra_entries);
}
return exfat_put_dentry_set(&old_es, sync);
@@ -1074,6 +1106,7 @@ static int exfat_move_file(struct inode
struct exfat_dentry *epmov, *epnew;
struct exfat_entry_set_cache mov_es, new_es;
struct exfat_chain newdir;
+ unsigned int num_extra_entries, num_total_entries;
num_new_entries = exfat_calc_num_entries(p_uniname);
if (num_new_entries < 0)
@@ -1083,8 +1116,14 @@ static int exfat_move_file(struct inode
if (ret)
return -EIO;
+ ret = exfat_count_extra_entries(&mov_es);
+ if (ret < 0)
+ goto put_mov_es;
+ num_extra_entries = ret;
+ num_total_entries = num_new_entries + num_extra_entries;
+
newentry = exfat_find_empty_entry(parent_inode, &newdir,
- num_new_entries, &new_es);
+ num_total_entries, &new_es);
if (newentry < 0) {
ret = newentry; /* -EIO or -ENOSPC */
goto put_mov_es;
@@ -1102,21 +1141,31 @@ static int exfat_move_file(struct inode
epnew = exfat_get_dentry_cached(&new_es, ES_IDX_STREAM);
*epnew = *epmov;
- exfat_init_ext_entry(&new_es, num_new_entries, p_uniname);
- exfat_remove_entries(parent_inode, &mov_es, ES_IDX_FILE);
+ exfat_init_ext_entry(&new_es, num_new_entries, p_uniname,
+ &mov_es, num_extra_entries);
+
+ exfat_remove_entries(parent_inode, &mov_es, ES_IDX_FILE, false);
ei->dir = newdir;
ei->entry = newentry;
ret = exfat_put_dentry_set(&new_es, IS_DIRSYNC(parent_inode));
- if (ret)
+ if (ret) {
+ /* Best-effort delete to avoid duplicate entries */
+ if (!exfat_get_dentry_set(&new_es, parent_inode->i_sb,
+ &newdir, newentry,
+ ES_ALL_ENTRIES)) {
+ exfat_remove_entries(parent_inode, &new_es,
+ ES_IDX_FILE, false);
+ exfat_put_dentry_set(&new_es, false);
+ }
goto put_mov_es;
+ }
return exfat_put_dentry_set(&mov_es, IS_DIRSYNC(parent_inode));
put_mov_es:
exfat_put_dentry_set(&mov_es, false);
-
return ret;
}
@@ -1190,7 +1239,7 @@ static int __exfat_rename(struct inode *
goto del_out;
}
- exfat_remove_entries(new_inode, &es, ES_IDX_FILE);
+ exfat_remove_entries(new_inode, &es, ES_IDX_FILE, true);
ret = exfat_put_dentry_set(&es, IS_DIRSYNC(new_inode));
if (ret)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 418/518] exfat: bound uniname advance in exfat_find_dir_entry()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 417/518] exfat: preserve benign secondary entries during rename and move Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 419/518] NTB: epf: Fix request_irq() unwind in ntb_epf_init_isr() Greg Kroah-Hartman
` (103 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Bryam Vargas
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 3a1230e7b043c62737b05a3e9275ca83a43ad20a upstream.
In exfat_find_dir_entry(), each TYPE_EXTEND (file name) entry advances the
output pointer by a fixed amount while the loop guard only tracks the
accumulated name length:
if (++order == 2)
uniname = p_uniname->name;
else
uniname += EXFAT_FILE_NAME_LEN;
len = exfat_extract_uni_name(ep, entry_uniname);
name_len += len;
unichar = *(uniname+len);
*(uniname+len) = 0x0;
uniname grows by EXFAT_FILE_NAME_LEN (15) per name entry, but name_len
grows only by the actual extracted length, which is shorter when a name
fragment contains an early NUL. The only guard is
`name_len >= MAX_NAME_LENGTH`, so a crafted directory with many short
name fragments lets uniname run far past the
p_uniname->name[MAX_NAME_LENGTH + 3] buffer while name_len stays small,
causing an out-of-bounds read and write at *(uniname+len).
The sibling extractor exfat_get_uniname_from_ext_entry() already stops
on a short fragment (the lockstep `len != EXFAT_FILE_NAME_LEN` guard
added in commit d42334578eba ("exfat: check if filename entries exceeds
max filename length")); exfat_find_dir_entry() never got the
equivalent. Track the per-entry write offset as a count and reject a
fragment once the offset, or the offset plus the extracted length, would
exceed MAX_NAME_LENGTH, before forming the output pointer.
Fixes: ca06197382bd ("exfat: add directory operations")
Cc: stable@vger.kernel.org
Suggested-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/dir.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/fs/exfat/dir.c
+++ b/fs/exfat/dir.c
@@ -1067,6 +1067,7 @@ rewind:
if (entry_type == TYPE_EXTEND) {
unsigned short entry_uniname[16], unichar;
+ unsigned int offset;
if (step != DIRENT_STEP_NAME ||
name_len >= MAX_NAME_LENGTH) {
@@ -1075,13 +1076,15 @@ rewind:
continue;
}
- if (++order == 2)
- uniname = p_uniname->name;
- else
- uniname += EXFAT_FILE_NAME_LEN;
-
+ offset = (++order - 2) * EXFAT_FILE_NAME_LEN;
len = exfat_extract_uni_name(ep, entry_uniname);
brelse(bh);
+ if (offset > MAX_NAME_LENGTH ||
+ len > MAX_NAME_LENGTH - offset) {
+ step = DIRENT_STEP_FILE;
+ continue;
+ }
+ uniname = p_uniname->name + offset;
name_len += len;
unichar = *(uniname+len);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 419/518] NTB: epf: Fix request_irq() unwind in ntb_epf_init_isr()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 418/518] exfat: bound uniname advance in exfat_find_dir_entry() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 420/518] riscv: mm: Define DIRECT_MAP_PHYSMEM_END Greg Kroah-Hartman
` (102 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Bjorn Helgaas, Dave Jiang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
commit fcba26efe5efc7441f5505f4ccc69791214b40be upstream.
ntb_epf_init_isr() requests multiple MSI/MSI-X vectors in a loop. If
request_irq() fails part-way through, it jumps straight to
pci_free_irq_vectors() without freeing already requested IRQs.
Fix the error path by freeing any successfully requested IRQs before
releasing the vectors.
Fixes: 812ce2f8d14e ("NTB: Add support for EPF PCI Non-Transparent Bridge")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Cc: stable@vger.kernel.org # v5.12+
Link: https://patch.msgid.link/20260304083028.1391068-2-den@valinux.co.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/hw/epf/ntb_hw_epf.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
+++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
@@ -357,7 +357,7 @@ static int ntb_epf_init_isr(struct ntb_e
0, "ntb_epf", ndev);
if (ret) {
dev_err(dev, "Failed to request irq\n");
- goto err_request_irq;
+ goto err_free_irq;
}
}
@@ -367,16 +367,14 @@ static int ntb_epf_init_isr(struct ntb_e
argument | irq);
if (ret) {
dev_err(dev, "Failed to configure doorbell\n");
- goto err_configure_db;
+ goto err_free_irq;
}
return 0;
-err_configure_db:
- for (i = 0; i < ndev->db_count + 1; i++)
+err_free_irq:
+ while (i--)
free_irq(pci_irq_vector(pdev, i), ndev);
-
-err_request_irq:
pci_free_irq_vectors(pdev);
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 420/518] riscv: mm: Define DIRECT_MAP_PHYSMEM_END
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 419/518] NTB: epf: Fix request_irq() unwind in ntb_epf_init_isr() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 421/518] riscv: mm: Unconditionally sfence.vma for spurious fault Greg Kroah-Hartman
` (101 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vivian Wang, Paul Walmsley, Han Gao
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
commit f3336b48cf9d3f2d1fc78e3289c0ded2f00876ee upstream.
On RISC-V, the actual mappable range of physical address space is
dependent on the current MMU mode i.e. satp_mode (See
Documentation/arch/riscv/vm-layout.rst).
Define the DIRECT_MAP_PHYSMEM_END macro based on the existing virtual
address space layout macros to expose this information to
get_free_mem_region(). Otherwise, it returns a region that couldn't be
mapped, which breaks ZONE_DEVICE.
Cc: stable@vger.kernel.org # v6.13+
Tested-by: Han Gao <gaohan@iscas.ac.cn> # SG2044
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260309-riscv-sparsemem-vmemmap-limits-v1-2-f40efe18e3cd@iscas.ac.cn
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/pgtable.h | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -93,6 +93,16 @@
*/
#define vmemmap ((struct page *)VMEMMAP_START - vmemmap_start_pfn)
+/* Needed to limit get_free_mem_region() */
+#if defined(CONFIG_FLATMEM)
+#define DIRECT_MAP_PHYSMEM_END (phys_ram_base + KERN_VIRT_SIZE - 1)
+#elif defined(CONFIG_SPARSEMEM_VMEMMAP)
+#define DIRECT_MAP_PHYSMEM_END \
+ ((vmemmap_start_pfn + VMEMMAP_SIZE / sizeof(struct page)) * PAGE_SIZE - 1)
+#elif defined(CONFIG_SPARSEMEM)
+/* DIRECT_MAP_PHYSMEM_END is not limited by VA space assignment in this case */
+#endif
+
#define PCI_IO_SIZE SZ_16M
#define PCI_IO_END VMEMMAP_START
#define PCI_IO_START (PCI_IO_END - PCI_IO_SIZE)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 421/518] riscv: mm: Unconditionally sfence.vma for spurious fault
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 420/518] riscv: mm: Define DIRECT_MAP_PHYSMEM_END Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 422/518] lib/test_hmm: use kvfree() to free kvcalloc() allocations Greg Kroah-Hartman
` (100 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vivian Wang, Paul Walmsley
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
commit 1b2c6b56a9fa0dcbef461039937de22b1cbecc7d upstream.
Svvptc does not guarantee that it's safe to just return here. Since we
have already cleared our bit, if, theoretically, the bounded timeframe
for the accessed page to become valid still hasn't happened after sret,
we could fault again and actually crash.
Hopefully, these spurious faults should be rare enough that this is an
acceptable slowdown.
Cc: stable@vger.kernel.org
Fixes: 503638e0babf ("riscv: Stop emitting preventive sfence.vma for new vmalloc mappings")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260303-handle-kfence-protect-spurious-fault-v2-5-f80d8354d79d@iscas.ac.cn
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/kernel/entry.S | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -75,8 +75,11 @@
/* Atomically reset the current cpu bit in new_vmalloc */
amoxor.d a0, a1, (a0)
- /* Only emit a sfence.vma if the uarch caches invalid entries */
- ALTERNATIVE("sfence.vma", "nop", 0, RISCV_ISA_EXT_SVVPTC, 1)
+ /*
+ * A sfence.vma is required here. Even if we had Svvptc, there's no
+ * guarantee that after returning we wouldn't just fault again.
+ */
+ sfence.vma
REG_L a0, TASK_TI_A0(tp)
REG_L a1, TASK_TI_A1(tp)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 422/518] lib/test_hmm: use kvfree() to free kvcalloc() allocations
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 421/518] riscv: mm: Unconditionally sfence.vma for spurious fault Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 423/518] mm: fix mmap errno value when MAP_DROPPABLE is not supported Greg Kroah-Hartman
` (99 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hao Ge, Balbir Singh,
Jason Gunthorpe, Leon Romanovsky, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao Ge <hao.ge@linux.dev>
commit 59f19bf6f119eecfa16355186b593abba8eb5198 upstream.
Coccinelle scripts/coccinelle/api/kfree_mismatch.cocci reports
the following warnings:
lib/test_hmm.c:1256:15-16: WARNING kvmalloc is used to allocate this memory at line 1191
lib/test_hmm.c:1257:15-16: WARNING kvmalloc is used to allocate this memory at line 1196
Fix this by replacing kfree() with kvfree() to correctly handle the
vmalloc() fallback path of kvcalloc().
Link: https://lore.kernel.org/20260513082525.154036-1-hao.ge@linux.dev
Fixes: 775465fd26a3 ("lib/test_hmm: add zone device private THP test infrastructure")
Signed-off-by: Hao Ge <hao.ge@linux.dev>
Acked-by: Balbir Singh <balbirs@nvidia.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/test_hmm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/test_hmm.c b/lib/test_hmm.c
index 213504915737..38996c4baa40 100644
--- a/lib/test_hmm.c
+++ b/lib/test_hmm.c
@@ -1253,8 +1253,8 @@ static int dmirror_migrate_to_device(struct dmirror *dmirror,
mmap_read_unlock(mm);
mmput(mm);
free_mem:
- kfree(src_pfns);
- kfree(dst_pfns);
+ kvfree(src_pfns);
+ kvfree(dst_pfns);
return ret;
}
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 423/518] mm: fix mmap errno value when MAP_DROPPABLE is not supported
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 422/518] lib/test_hmm: use kvfree() to free kvcalloc() allocations Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 424/518] selftests: mm: fix and speedup "droppable" test Greg Kroah-Hartman
` (98 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthony Yznaga,
David Hildenbrand (Arm), Vlastimil Babka (SUSE), Mark Brown,
Pedro Falcato, Lorenzo Stoakes (Oracle), Jann Horn,
Jason A. Donenfeld, Liam Howlett, Michal Hocko, Mike Rapoport,
Shuah Khan, Suren Baghdasaryan, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Yznaga <anthony.yznaga@oracle.com>
commit d86c9e971af2315119a78c564a802fafcebf1b6b upstream.
Patch series "fix MAP_DROPPABLE not supported errno", v4.
Mark Brown reported seeing a regression in -next on 32 bit arm with the
mlock selftests. Before exiting and marking the tests failed, the
following message was logged after an attempt to create a MAP_DROPPABLE
mapping:
Bail out! mmap error: Unknown error 524
It turns out error 524 is ENOTSUPP which is an error that userspace is not
supposed to see, but it indicates in this instance that MAP_DROPPABLE is
not supported.
The first patch changes the errno returned to EOPNOTSUPP. The second
patch is a second version of a prior patch to introduce selftests to
verify locking behavior with droppable mappings with the additional change
to skip the tests when MAP_DROPPABLE is not supported. The third patch
fixes the MAP_DROPPABLE selftest so that it is run by the framework and
skips if MAP_DROPPABLE is not supported.
This patch (of 3):
On configs where MAP_DROPPABLE is not supported (currently any 32-bit
config except for PPC32), mmap fails with errno set to ENOTSUPP. However,
ENOTSUPP is not a standard error value that userspace knows about. The
acceptable userspace-visible errno to use is EOPNOTSUPP. checkpatch.pl
has a warning to this effect.
Link: https://lore.kernel.org/20260416033939.49981-1-anthony.yznaga@oracle.com
Link: https://lore.kernel.org/20260416033939.49981-2-anthony.yznaga@oracle.com
Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Reported-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Jason A. Donenfeld <jason@zx2c4.com>
Cc: Liam Howlett <liam@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -504,7 +504,7 @@ unsigned long do_mmap(struct file *file,
break;
case MAP_DROPPABLE:
if (VM_DROPPABLE == VM_NONE)
- return -ENOTSUPP;
+ return -EOPNOTSUPP;
/*
* A locked or stack area makes no sense to be droppable.
*
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 424/518] selftests: mm: fix and speedup "droppable" test
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 423/518] mm: fix mmap errno value when MAP_DROPPABLE is not supported Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 425/518] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access Greg Kroah-Hartman
` (97 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Arm),
Aishwarya TCV, Sarthak Sharma, Lance Yang, Dev Jain,
SeongJae Park, Lorenzo Stoakes, Jason A. Donenfeld,
Anthony Yznaga, Liam R. Howlett, Mark Brown, Michal Hocko,
Mike Rapoport, Shuah Khan, Suren Baghdasaryan, Vlastimil Babka,
Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Arm) <david@kernel.org>
commit cc13a7a618fe8354f16d74c06aaf9565a68e9ebd upstream.
The droppable test currently relies on creating memory pressure in a child
process to trigger dropping the droppable pages.
That not only takes a long time on some machines (allocating and filling
all that memory), on large machines this will not work as we hardcode the
area size to 134217728 bytes.
... further, we rely on timeouts to detect that memory was not dropped,
which is really suboptimal.
Instead, let's just use MADV_PAGEOUT on a 2 MiB region. MADV_PAGEOUT
works with droppable memory even without swap.
There is the low chance of MADV_PAGEOUT failing to drop a page because of
speculative references. We'll wait 1s and retry 10 times to rule that
unlikely case out as best as we can.
On a machine without swap:
$ ./droppable
TAP version 13
1..1
ok 1 madvise(MADV_PAGEOUT) behavior
# Totals: pass:1 fail:0 xfail:0 xpass:0 skip:0 error:0
Link: https://lore.kernel.org/20260611-droppable_test-v1-1-b6a73d99f658@kernel.org
Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Reported-by: Aishwarya TCV <Aishwarya.TCV@arm.com>
Tested-by: Sarthak Sharma <sarthak.sharma@arm.com>
Tested-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Tested-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Anthony Yznaga <anthony.yznaga@oracle.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/droppable.c | 46 ++++++++++++++++++---------------
1 file changed, 26 insertions(+), 20 deletions(-)
--- a/tools/testing/selftests/mm/droppable.c
+++ b/tools/testing/selftests/mm/droppable.c
@@ -17,10 +17,10 @@
int main(int argc, char *argv[])
{
- size_t alloc_size = 134217728;
- size_t page_size = getpagesize();
+ const size_t alloc_size = 2 * 1024 * 1024;
+ int retry_count = 10;
+ bool dropped;
void *alloc;
- pid_t child;
ksft_print_header();
ksft_set_plan(1);
@@ -28,26 +28,32 @@ int main(int argc, char *argv[])
alloc = mmap(0, alloc_size, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_DROPPABLE, -1, 0);
assert(alloc != MAP_FAILED);
memset(alloc, 'A', alloc_size);
- for (size_t i = 0; i < alloc_size; i += page_size)
- assert(*(uint8_t *)(alloc + i));
- child = fork();
- assert(child >= 0);
- if (!child) {
- for (;;)
- *(char *)malloc(page_size) = 'B';
- }
-
- for (bool done = false; !done;) {
- for (size_t i = 0; i < alloc_size; i += page_size) {
- if (!*(uint8_t *)(alloc + i)) {
- done = true;
- break;
+ while (retry_count--) {
+ if (madvise(alloc, alloc_size, MADV_PAGEOUT)) {
+ if (errno == EINVAL) {
+ ksft_test_result_skip("madvise(MADV_PAGEOUT) not supported\n");
+ exit(KSFT_SKIP);
}
+ ksft_test_result_fail("madvise(MADV_PAGEOUT) error: %s\n", strerror(errno));
+ exit(KSFT_FAIL);
}
+
+ dropped = memchr(alloc, 'A', alloc_size) == NULL;
+
+ /*
+ * Speculative reference can temporarily prevent some
+ * pages from getting dropped. So sleep and retry.
+ *
+ * If a page is not droppable for 10s, something
+ * is seriously messed up and we want to fail.
+ */
+ if (dropped)
+ break;
+ sleep(1);
}
- kill(child, SIGTERM);
- ksft_test_result_pass("MAP_DROPPABLE: PASS\n");
- exit(KSFT_PASS);
+ ksft_test_result(dropped, "madvise(MADV_PAGEOUT) behavior\n");
+
+ ksft_finished();
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 425/518] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 424/518] selftests: mm: fix and speedup "droppable" test Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 426/518] mm: do file ownership checks with the proper mount idmap Greg Kroah-Hartman
` (96 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ketan Kishore, David Hildenbrand,
Matthew Wilcox, Zi Yan, David Hildenbrand (Arm), Brendan Jackman,
Johannes Weiner, Liam R. Howlett, Lorenzo Stoakes,
Luiz Capitulino, Michal Hocko, Mike Rapoport, Suren Baghdasaryan,
Vlastimil Babka, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ketan <ketan.kishore@oss.qualcomm.com>
commit ffd017237cfe99e6e5602ab14179b0e6878a0840 upstream.
The page_ext iteration API does not validate if the PFN still belongs to a
valid section while advancing the iterator. When dynamically adding
memory in the hotplug path, it can lead to a NULL pointer dereference
during page_ext_lookup at the boundary of the last valid section when
iterator count equals __pgcount.
The for_each_page_ext() macro calls page_ext_iter_next() as its loop
increment. for_each_page_ext() does a "__page_ext =
page_ext_iter_next(&__iter)" at the end. This causes page_ext_iter_next()
to increment iter->index past __pgcount and call page_ext_lookup(start_pfn
+ __pgcount). During memory hotplug (online), the PFN at start_pfn +
__pgcount may belong to a section that has not yet been initialized,
causing page_ext_lookup() to trigger a NULL pointer dereference.
[ 14.555124][ T846] Call trace:
[ 14.555125][ T846] lookup_page_ext+0x6c/0x108 (P)
[ 14.555127][ T846] page_ext_lookup+0x30/0x3c
[ 14.555129][ T846] __reset_page_owner+0x11c/0x260
[ 14.571201][ T846] __free_pages_ok+0x5e8/0x8e0
[ 14.571204][ T846] __free_pages_core+0x78/0xf0
[ 14.571206][ T846] generic_online_page+0x14/0x24
[ 14.597782][ T846] online_pages+0x178/0x30c
[ 14.597784][ T846] memory_block_change_state+0x284/0x32c
[ 14.597787][ T846] memory_subsys_online+0x4c/0x64
[ 14.597789][ T846] device_online+0x88/0xb0
[ 14.597791][ T846] online_memory_block+0x30/0x40
[ 14.597793][ T846] walk_memory_blocks+0xac/0xe8
[ 14.597794][ T846] add_memory_resource+0x280/0x298
[ 14.656161][ T846] add_memory+0x60/0x98
Move the iteration boundary enforcement inside the iterator functions, so
callers cannot inadvertently access beyond the requested range.
Link: https://lore.kernel.org/20260623-page_ext-v3-1-a89799a5367c@oss.qualcomm.com
Fixes: 9039b9096ea2 ("mm: page_ext: add an iteration API for page extensions")
Signed-off-by: Ketan Kishore <ketan.kishore@oss.qualcomm.com>
Suggested-by: David Hildenbrand <david@redhat.com>
Suggested-by: Matthew Wilcox <willy@infradead.org>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Luiz Capitulino <luizcap@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/page_ext.h | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/include/linux/page_ext.h
+++ b/include/linux/page_ext.h
@@ -120,14 +120,18 @@ struct page_ext_iter {
* page_ext_iter_begin() - Prepare for iterating through page extensions.
* @iter: page extension iterator.
* @pfn: PFN of the page we're interested in.
+ * @count: maximum number of page extensions to return.
*
* Must be called with RCU read lock taken.
*
* Return: NULL if no page_ext exists for this page.
*/
static inline struct page_ext *page_ext_iter_begin(struct page_ext_iter *iter,
- unsigned long pfn)
+ unsigned long pfn, unsigned long count)
{
+ if (!count)
+ return NULL;
+
iter->index = 0;
iter->start_pfn = pfn;
iter->page_ext = page_ext_lookup(pfn);
@@ -138,19 +142,22 @@ static inline struct page_ext *page_ext_
/**
* page_ext_iter_next() - Get next page extension
* @iter: page extension iterator.
+ * @count: maximum number of page extensions to return.
*
* Must be called with RCU read lock taken.
*
* Return: NULL if no next page_ext exists.
*/
-static inline struct page_ext *page_ext_iter_next(struct page_ext_iter *iter)
+static inline struct page_ext *page_ext_iter_next(struct page_ext_iter *iter,
+ unsigned long count)
{
unsigned long pfn;
if (WARN_ON_ONCE(!iter->page_ext))
return NULL;
- iter->index++;
+ if (++iter->index >= count)
+ return NULL;
pfn = iter->start_pfn + iter->index;
if (page_ext_iter_next_fast_possible(pfn))
@@ -183,9 +190,9 @@ static inline struct page_ext *page_ext_
* IMPORTANT: must be called with RCU read lock taken.
*/
#define for_each_page_ext(__page, __pgcount, __page_ext, __iter) \
- for (__page_ext = page_ext_iter_begin(&__iter, page_to_pfn(__page));\
- __page_ext && __iter.index < __pgcount; \
- __page_ext = page_ext_iter_next(&__iter))
+ for (__page_ext = page_ext_iter_begin(&__iter, page_to_pfn(__page), __pgcount); \
+ __page_ext; \
+ __page_ext = page_ext_iter_next(&__iter, __pgcount))
#else /* !CONFIG_PAGE_EXTENSION */
struct page_ext;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 426/518] mm: do file ownership checks with the proper mount idmap
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 425/518] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 427/518] selftests/mm: pagemap_ioctl: use the correct page size for transact_test() Greg Kroah-Hartman
` (95 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pedro Falcato, Jan Kara,
Christian Brauner (Amutable), David Hildenbrand (Arm), Al Viro,
Jann Horn, Liam R. Howlett, Matthew Wilcox (Oracle),
Vlastimil Babka, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Falcato <pfalcato@suse.de>
commit e187bc02f8fa4226d62814592cf064ee4557c470 upstream.
Ever since idmapped mounts were introduced, inode ownership checks (for
side-channel protection) in mincore() and madvise(MADV_PAGEOUT) were done
against the nop_mnt_idmap, which completely ignores the file's mount's
idmap. This results in odd edgecases like:
1) mount/bind-mount with an idmap userA:userB:1
2) userB runs an owner_or_capable() check on file that is owned by userA
on-disk/in-memory, but owned by userB after idmap translation
3) owner_or_capable() mysteriously fails as the correct idmap wasn't supplied
In the case of mincore/madvise MADV_PAGEOUT, this is usually benign,
because file_permission(file, MAY_WRITE) will probably succeed, as it uses
the proper idmap internally, but it does not need to be the case on e.g a
0444 file where even the owner itself doesn't have permissions to write to
it.
Since this is clearly not trivial to get right, introduce a
file_owner_or_capable() that can carry the correct semantics, and switch
the various users in mm to it.
The issue was found by manual code inspection & an off-list discussion
with Jan Kara.
Link: https://lore.kernel.org/20260625153853.913949-1-pfalcato@suse.de
Fixes: 9caccd41541a ("fs: introduce MOUNT_ATTR_IDMAP")
Signed-off-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christian Brauner (Amutable) <brauner@kernel.org>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jann Horn <jannh@google.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/fs.h | 5 +++++
mm/filemap.c | 2 +-
mm/madvise.c | 3 +--
mm/mincore.c | 3 +--
4 files changed, 8 insertions(+), 5 deletions(-)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2438,6 +2438,11 @@ static inline struct mnt_idmap *file_mnt
return mnt_idmap(file->f_path.mnt);
}
+static inline bool file_owner_or_capable(const struct file *file)
+{
+ return inode_owner_or_capable(file_mnt_idmap(file), file_inode(file));
+}
+
/**
* is_idmapped_mnt - check whether a mount is mapped
* @mnt: the mount to check
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -4671,7 +4671,7 @@ static inline bool can_do_cachestat(stru
{
if (f->f_mode & FMODE_WRITE)
return true;
- if (inode_owner_or_capable(file_mnt_idmap(f), file_inode(f)))
+ if (file_owner_or_capable(f))
return true;
return file_permission(f, MAY_WRITE) == 0;
}
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -336,8 +336,7 @@ static inline bool can_do_file_pageout(s
* otherwise we'd be including shared non-exclusive mappings, which
* opens a side channel.
*/
- return inode_owner_or_capable(&nop_mnt_idmap,
- file_inode(vma->vm_file)) ||
+ return file_owner_or_capable(vma->vm_file) ||
file_permission(vma->vm_file, MAY_WRITE) == 0;
}
--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -227,8 +227,7 @@ static inline bool can_do_mincore(struct
* for writing; otherwise we'd be including shared non-exclusive
* mappings, which opens a side channel.
*/
- return inode_owner_or_capable(&nop_mnt_idmap,
- file_inode(vma->vm_file)) ||
+ return file_owner_or_capable(vma->vm_file) ||
file_permission(vma->vm_file, MAY_WRITE) == 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 427/518] selftests/mm: pagemap_ioctl: use the correct page size for transact_test()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 426/518] mm: do file ownership checks with the proper mount idmap Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 428/518] selftests/mm: fix ksft_process_madv.sh test category Greg Kroah-Hartman
` (94 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zenghui Yu, Muhammad Usama Anjum,
David Hildenbrand, Liam R. Howlett, Lorenzo Stoakes, Michal Hocko,
Mike Rapoport, Shuah Khan, Suren Baghdasaryan, Vlastimil Babka,
Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenghui Yu <zenghui.yu@linux.dev>
commit dccf636bf1e68c3fda92f0c9e1018ab7e0ac8b2c upstream.
There are several places in transact_test() where we use the hardcoded
0x1000 (4k) as page size, which is not always correct for architectures
supporting multiple page sizes.
Switch to use the correct page size. Otherwise ./ksft_pagemap.sh on a
16k-page-size arm64 box fails with
$ ./ksft_pagemap.sh
[...]
# ok 96 mprotect_tests Both pages written after remap and mprotect
# ok 97 mprotect_tests Clear and make the pages written
# Bail out! ioctl failed
# # Planned tests != run tests (117 != 97)
# # Totals: pass:97 fail:0 xfail:0 xpass:0 skip:0 error:0
# [FAIL]
not ok 1 pagemap_ioctl # exit=1
# SUMMARY: PASS=0 SKIP=0 FAIL=1
1..1
Link: https://lore.kernel.org/20260628101118.35861-1-zenghui.yu@linux.dev
Fixes: 46fd75d4a3c9 ("selftests: mm: add pagemap ioctl tests")
Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: Muhammad Usama Anjum <usama.anjum@arm.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Zenghui Yu <zenghui.yu@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/pagemap_ioctl.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/tools/testing/selftests/mm/pagemap_ioctl.c
+++ b/tools/testing/selftests/mm/pagemap_ioctl.c
@@ -1366,7 +1366,7 @@ void *thread_proc(void *mem)
ksft_exit_fail_msg("pthread_barrier_wait\n");
for (i = 0; i < access_per_thread; ++i)
- __atomic_add_fetch(m + i * (0x1000 / sizeof(*m)), 1, __ATOMIC_SEQ_CST);
+ __atomic_add_fetch(m + i * (page_size / sizeof(*m)), 1, __ATOMIC_SEQ_CST);
ret = pthread_barrier_wait(&end_barrier);
if (ret && ret != PTHREAD_BARRIER_SERIAL_THREAD)
@@ -1401,15 +1401,15 @@ static void transact_test(int page_size)
if (pthread_barrier_init(&end_barrier, NULL, nthreads + 1))
ksft_exit_fail_msg("pthread_barrier_init\n");
- mem = mmap(NULL, 0x1000 * nthreads * pages_per_thread, PROT_READ | PROT_WRITE,
+ mem = mmap(NULL, page_size * nthreads * pages_per_thread, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (mem == MAP_FAILED)
ksft_exit_fail_msg("Error mmap %s.\n", strerror(errno));
- wp_init(mem, 0x1000 * nthreads * pages_per_thread);
- wp_addr_range(mem, 0x1000 * nthreads * pages_per_thread);
+ wp_init(mem, page_size * nthreads * pages_per_thread);
+ wp_addr_range(mem, page_size * nthreads * pages_per_thread);
- memset(mem, 0, 0x1000 * nthreads * pages_per_thread);
+ memset(mem, 0, page_size * nthreads * pages_per_thread);
count = get_dirty_pages_reset(mem, nthreads * pages_per_thread, 1, page_size);
ksft_test_result(count > 0, "%s count %u\n", __func__, count);
@@ -1418,7 +1418,7 @@ static void transact_test(int page_size)
finish = 0;
for (i = 0; i < nthreads; ++i)
- pthread_create(&th, NULL, thread_proc, mem + 0x1000 * i * pages_per_thread);
+ pthread_create(&th, NULL, thread_proc, mem + page_size * i * pages_per_thread);
extra_pages = 0;
for (i = 0; i < iter_count; ++i) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 428/518] selftests/mm: fix ksft_process_madv.sh test category
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 427/518] selftests/mm: pagemap_ioctl: use the correct page size for transact_test() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 429/518] nouveau/vmm: fix another SPT/LPT race Greg Kroah-Hartman
` (93 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarthak Sharma, Mark Brown, Dev Jain,
David Hildenbrand (Arm), Liam R. Howlett, Lorenzo Stoakes,
Michal Hocko, Mike Rapoport, Shuah Khan, Suren Baghdasaryan,
Vlastimil Babka, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarthak Sharma <sarthak.sharma@arm.com>
commit 4b0363cb1f3ec42b0b1346e5ab0b8a3dceeee9be upstream.
ksft_process_madv.sh currently runs run_vmtests.sh with the mmap category.
Update it to run the process_madv category, since ksft_mmap.sh already
runs the mmap category tests.
This avoids running mmap tests twice and ensures that process_madv tests
are run through the kselftest harness.
Link: https://lore.kernel.org/20260608103224.344101-1-sarthak.sharma@arm.com
Fixes: 6ce964c02f1c ("selftests/mm: have the harness run each test category separately")
Signed-off-by: Sarthak Sharma <sarthak.sharma@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/ksft_process_madv.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/mm/ksft_process_madv.sh b/tools/testing/selftests/mm/ksft_process_madv.sh
index 2c3137ae8bc8..edad2d2d888f 100755
--- a/tools/testing/selftests/mm/ksft_process_madv.sh
+++ b/tools/testing/selftests/mm/ksft_process_madv.sh
@@ -1,4 +1,4 @@
#!/bin/sh -e
# SPDX-License-Identifier: GPL-2.0
-./run_vmtests.sh -t mmap
+./run_vmtests.sh -t process_madv
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 429/518] nouveau/vmm: fix another SPT/LPT race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 428/518] selftests/mm: fix ksft_process_madv.sh test category Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 430/518] bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized Greg Kroah-Hartman
` (92 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Airlie, Danilo Krummrich
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 6763a0aea6d658d69b9215ab9151d7bd4c1c314b upstream.
We've had an unknown Turing issue for a while with page faults since
large pages and compression.
I've got a patch series that syncs all our L2 handling with ogkm and it
made this fault happen more.
After writing a bunch of debugging patches, I spotted an invalid LPT
entry where there should have been a valid one.
A 64K MAP succeeds on a range, but a subsequent SPT put drops SPT refs
across multiple ranges,
We shouldn't assume all ranges where SPTEs go away will have the same
sparse/invalid/valid state, just iterate over each instead and do the
right thing.
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Fixes: d19512f5abb1 ("nouveau/vmm: start tracking if the LPT PTE is valid. (v6)")
Link: https://patch.msgid.link/20260615044737.3419585-1-airlied@gmail.com
[ Properly format commit message. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
(cherry picked from commit d008141ed4ce924167a03d46fbce9ad1fe4efa29)
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 31 +++++++++++---------------
1 file changed, 14 insertions(+), 17 deletions(-)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -230,29 +230,26 @@ nvkm_vmm_unref_sptes(struct nvkm_vmm_ite
* covered by a number of LPTEs, the LPTEs once again take
* control over their address range.
*
- * Determine how many LPTEs need to transition state.
+ * Transition each LPTE individually as each may have a
+ * different target state (sparse, invalid, or valid).
*/
- pgt->pte[ptei].s.spte_valid = false;
- for (ptes = 1, ptei++; ptei < lpti; ptes++, ptei++) {
+ for (ptei++; ptei < lpti; ptei++) {
if (pgt->pte[ptei].s.sptes)
break;
- pgt->pte[ptei].s.spte_valid = false;
}
- if (pgt->pte[pteb].s.sparse) {
- TRA(it, "LPTE %05x: U -> S %d PTEs", pteb, ptes);
- pair->func->sparse(vmm, pgt->pt[0], pteb, ptes);
- } else if (!pgt->pte[pteb].s.lpte_valid) {
- if (pair->func->invalid) {
- /* If the MMU supports it, restore the LPTE to the
- * INVALID state to tell the MMU there is no point
- * trying to fetch the corresponding SPTEs.
- */
- TRA(it, "LPTE %05x: U -> I %d PTEs", pteb, ptes);
- pair->func->invalid(vmm, pgt->pt[0], pteb, ptes);
+ while (pteb < ptei) {
+ pgt->pte[pteb].s.spte_valid = false;
+ if (pgt->pte[pteb].s.sparse) {
+ TRA(it, "LPTE %05x: U -> S", pteb);
+ pair->func->sparse(vmm, pgt->pt[0], pteb, 1);
+ } else if (!pgt->pte[pteb].s.lpte_valid) {
+ if (pair->func->invalid) {
+ TRA(it, "LPTE %05x: U -> I", pteb);
+ pair->func->invalid(vmm, pgt->pt[0], pteb, 1);
+ }
}
- } else {
- TRA(it, "LPTE %05x: V %d PTEs", pteb, ptes);
+ pteb++;
}
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 430/518] bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 429/518] nouveau/vmm: fix another SPT/LPT race Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 431/518] iommu/vt-d: Avoid WARNING in sva unbind path Greg Kroah-Hartman
` (91 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, oxsignal, Matt Bobrowski,
Daniel Borkmann, Emil Tsalapatis, Amery Hung
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Bobrowski <mattbobrowski@google.com>
commit a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4 upstream.
When CONFIG_BPF_LSM=y is set, BPF inode storage maps
(BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
from the "lsm=" boot parameter), lsm_prepare() is never executed for
the BPF LSM.
Consequently, the BPF inode security blob offset
(bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at
its default compiled size of 8 bytes instead of being updated to a
valid offset past the reserved struct rcu_head (typically 16 bytes
or more).
When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE
map, bpf_inode() evaluates inode->i_security + 8. This erroneously
aliases the struct rcu_head.func callback pointer at the beginning
of the inode->i_security blob. During subsequent map element cleanup
or inode destruction, writing NULL to owner_storage clears the queued
RCU callback pointer. When rcu_do_batch() later executes the queued
callback, it attempts an instruction fetch at address 0x0, triggering
an immediate kernel panic.
Fix this by introducing a global bpf_lsm_initialized boolean flag
marked with __ro_after_init. Set this flag to true inside bpf_lsm_init()
when the LSM framework successfully registers the BPF LSM. Gate map
allocation in inode_storage_map_alloc() on this flag, returning
-EOPNOTSUPP if the BPF LSM is in turn uninitialized.
This fail-fast approach prevents userspace from allocating inode
storage maps when the supporting BPF LSM infrastructure is absent,
avoiding zombie map states.
Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Reported-by: oxsignal <awo@kakao.com>
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/bpf_lsm.h | 4 ++++
kernel/bpf/bpf_inode_storage.c | 9 +++++++++
security/bpf/hooks.c | 3 +++
3 files changed, 16 insertions(+)
--- a/include/linux/bpf_lsm.h
+++ b/include/linux/bpf_lsm.h
@@ -14,6 +14,8 @@
#ifdef CONFIG_BPF_LSM
+extern bool bpf_lsm_initialized __ro_after_init;
+
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
RET bpf_lsm_##NAME(__VA_ARGS__);
#include <linux/lsm_hook_defs.h>
@@ -55,6 +57,8 @@ bool bpf_lsm_has_d_inode_locked(const st
#else /* !CONFIG_BPF_LSM */
+#define bpf_lsm_initialized false
+
static inline bool bpf_lsm_is_sleepable_hook(u32 btf_id)
{
return false;
--- a/kernel/bpf/bpf_inode_storage.c
+++ b/kernel/bpf/bpf_inode_storage.c
@@ -178,6 +178,15 @@ static int notsupp_get_next_key(struct b
static struct bpf_map *inode_storage_map_alloc(union bpf_attr *attr)
{
+ /*
+ * Do not allow allocation of BPF_MAP_TYPE_INODE_STORAGE if the BPF LSM
+ * was not initialized by the LSM framework at boot. Without proper
+ * initialization, the BPF inode security blob offset remains unprepared,
+ * causing bpf_inode() to calculate an invalid memory offset and corrupt
+ * inode->i_security.
+ */
+ if (!bpf_lsm_initialized)
+ return ERR_PTR(-EOPNOTSUPP);
return bpf_local_storage_map_alloc(attr, &inode_cache);
}
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -7,6 +7,8 @@
#include <linux/bpf_lsm.h>
#include <uapi/linux/lsm.h>
+bool bpf_lsm_initialized __ro_after_init;
+
static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
@@ -24,6 +26,7 @@ static int __init bpf_lsm_init(void)
{
security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),
&bpf_lsmid);
+ bpf_lsm_initialized = true;
pr_info("LSM support for eBPF active\n");
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 431/518] iommu/vt-d: Avoid WARNING in sva unbind path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 430/518] bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 432/518] iommu/amd: Dont split flush for amd_iommu_domain_flush_all() Greg Kroah-Hartman
` (90 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nareshkumar Gollakoti, Lu Baolu,
Kevin Tian, Joerg Roedel
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit 534b5f98ab7319d8004bbc7dab6481462243e883 upstream.
The Intel IOMMU driver allows SVA on devices even if they do not support
PCI/PRI. Commit 39c20c4e83b9 ("iommu/vt-d: Only handle IOPF for SVA when
PRI is supported") modified the SVA bind path to allow this configuration
by skipping IOPF enablement when PRI is missing. However, it failed to
update the unbind path.
This creates an imbalance: the unbind path attempts to disable IOPF for
a device that never had it enabled, triggering a WARNING in
intel_iommu_disable_iopf():
WARNING: drivers/iommu/intel/iommu.c:3475 at intel_iommu_disable_iopf+0x4f/0x90d
Call Trace:
<TASK>
blocking_domain_set_dev_pasid+0x50/0x70
iommu_detach_device_pasid+0x89/0xc0
iommu_sva_unbind_device+0x73/0x150
xe_vm_close_and_put+0x4d2/0x1200 [xe]
Fix this by bypassing IOPF operations for SVA domains on non-PRI hardware
in both the bind and unbind paths.
Fixes: 39c20c4e83b9 ("iommu/vt-d: Only handle IOPF for SVA when PRI is supported")
Cc: stable@vger.kernel.org
Reported-by: Nareshkumar Gollakoti <naresh.kumar.g@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260519052917.3729796-1-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.h | 11 +++++++++++
drivers/iommu/intel/svm.c | 12 ++++--------
2 files changed, 15 insertions(+), 8 deletions(-)
--- a/drivers/iommu/intel/iommu.h
+++ b/drivers/iommu/intel/iommu.h
@@ -1254,18 +1254,29 @@ void intel_iommu_disable_iopf(struct dev
static inline int iopf_for_domain_set(struct iommu_domain *domain,
struct device *dev)
{
+ struct device_domain_info *info = dev_iommu_priv_get(dev);
+
if (!domain || !domain->iopf_handler)
return 0;
+ /* SVA with non-IOMMU/PRI IOPF handling is allowed. */
+ if (domain->type == IOMMU_DOMAIN_SVA && !info->pri_supported)
+ return 0;
+
return intel_iommu_enable_iopf(dev);
}
static inline void iopf_for_domain_remove(struct iommu_domain *domain,
struct device *dev)
{
+ struct device_domain_info *info = dev_iommu_priv_get(dev);
+
if (!domain || !domain->iopf_handler)
return;
+ if (domain->type == IOMMU_DOMAIN_SVA && !info->pri_supported)
+ return;
+
intel_iommu_disable_iopf(dev);
}
--- a/drivers/iommu/intel/svm.c
+++ b/drivers/iommu/intel/svm.c
@@ -164,12 +164,9 @@ static int intel_svm_set_dev_pasid(struc
if (IS_ERR(dev_pasid))
return PTR_ERR(dev_pasid);
- /* SVA with non-IOMMU/PRI IOPF handling is allowed. */
- if (info->pri_supported) {
- ret = iopf_for_domain_replace(domain, old, dev);
- if (ret)
- goto out_remove_dev_pasid;
- }
+ ret = iopf_for_domain_replace(domain, old, dev);
+ if (ret)
+ goto out_remove_dev_pasid;
/* Setup the pasid table: */
sflags = cpu_feature_enabled(X86_FEATURE_LA57) ? PASID_FLAG_FL5LP : 0;
@@ -184,8 +181,7 @@ static int intel_svm_set_dev_pasid(struc
return 0;
out_unwind_iopf:
- if (info->pri_supported)
- iopf_for_domain_replace(old, domain, dev);
+ iopf_for_domain_replace(old, domain, dev);
out_remove_dev_pasid:
domain_remove_dev_pasid(domain, dev, pasid);
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 432/518] iommu/amd: Dont split flush for amd_iommu_domain_flush_all()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 431/518] iommu/vt-d: Avoid WARNING in sva unbind path Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 433/518] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read Greg Kroah-Hartman
` (89 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Jason Gunthorpe,
Weinan Liu, Wei Wang, Samiullah Khawaja, Suravee Suthikulpanit,
Vasant Hegde, Joerg Roedel
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weinan Liu <wnliu@google.com>
commit 69fe699afe1afcb730164b86c228483c2da05f94 upstream.
We have observed multiple full invalidations occurring during device
detach when we are done using the vfio-device.
blocked_domain_attach_device()
-> detach_device()
-> amd_iommu_domain_flush_all()
-> amd_iommu_domain_flush_pages(..., CMD_INV_IOMMU_ALL_PAGES_ADDRESS)
while (size != 0) {
-> __domain_flush_pages( flush_size /* power of 2 flush_size */)
-> domain_flush_pages_v1()
-> build_inv_iommu_pages()
-> build_inv_address()
}
build_inv_address() will trigger a full invalidation if the chunk
size > (1 << 51). Consequently, the guest will issue multiple full
invalidations for a single call to amd_iommu_domain_flush_all()
Without this patch, we will see 10 time instead of 1 time full
invalidations for every amd_iommu_domain_flush_all().
Cc: stable@vger.kernel.org
Fixes: a270be1b3fdf ("iommu/amd: Use only natural aligned flushes in a VM")
Suggested-by: Josef Bacik <josef@toxicpanda.com>
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Weinan Liu <wnliu@google.com>
Reviewed-by: Wei Wang <wei.w.wang@hotmail.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/iommu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -1774,7 +1774,8 @@ void amd_iommu_domain_flush_pages(struct
{
lockdep_assert_held(&domain->lock);
- if (likely(!amd_iommu_np_cache)) {
+ if (likely(!amd_iommu_np_cache) ||
+ size >= (1ULL<<52)) {
__domain_flush_pages(domain, address, size);
/* Wait until IOMMU TLB and all device IOTLB flushes are complete */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 433/518] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 432/518] iommu/amd: Dont split flush for amd_iommu_domain_flush_all() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 434/518] iommufd: Fix data_len byte-count vs element-count mismatch Greg Kroah-Hartman
` (88 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai Aizen, Kevin Tian, Nicolin Chen,
Lu Baolu, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Aizen <kai.aizen.dev@gmail.com>
commit be93d186ae88a92e7aa77e122d4e661fa57b1e39 upstream.
The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
if (!vevent_for_lost_events_header(cur) &&
sizeof(hdr) + cur->data_len > count - done) {
hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
evaluates to the size of the pointer. Surrounding code uses
sizeof(*hdr) consistently:
if (done >= count || sizeof(*hdr) > count - done) {
...
if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
...
done += sizeof(*hdr);
struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
expressions happen to be equal and the check works as intended.
On 32-bit (sizeof(void *) == 4) the check under-counts the header by
4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
count - done while 4 + cur->data_len does not will pass the check,
then the loop will copy_to_user 8 bytes of header followed by data_len
bytes of payload, writing past the user-supplied buffer.
It is also a latent bug for any future expansion of struct
iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
should not depend on the type happening to match the host pointer
width.
Use sizeof(*hdr) to match the rest of the function and the actual
amount that will be copied.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/20260430175630.67078-1-kai.aizen.dev@gmail.com
Cc: stable@vger.kernel.org
Reported-by: Kai Aizen <kai.aizen.dev@gmail.com>
Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -321,7 +321,7 @@ static ssize_t iommufd_veventq_fops_read
/* If being a normal vEVENT, validate against the full size */
if (!vevent_for_lost_events_header(cur) &&
- sizeof(hdr) + cur->data_len > count - done) {
+ sizeof(*hdr) + cur->data_len > count - done) {
iommufd_veventq_deliver_restore(veventq, cur);
break;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 434/518] iommufd: Fix data_len byte-count vs element-count mismatch
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 433/518] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 435/518] iommufd: Move vevent memory allocation outside spinlock Greg Kroah-Hartman
` (87 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Nicolin Chen,
Kevin Tian
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 85345becfead3255a5f875d4b4d82ea01d926239 upstream.
kzalloc_flex() computes the allocation size. With event_data typed as u64,
data_len is interpreted as a u64 element count. Yet, every caller and the
read path treat data_len as a byte count. The current code over-allocates
by sizeof(u64) and the __counted_by() annotation overstates the length by
the same factor.
Re-type event_data as u8. No functional change in user-visible behavior.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/f7665f839b9dce917d6bd394375a1cf56568d86b.1779408671.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/iommufd_private.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/iommufd/iommufd_private.h
+++ b/drivers/iommu/iommufd/iommufd_private.h
@@ -602,7 +602,7 @@ struct iommufd_vevent {
struct iommufd_vevent_header header;
struct list_head node; /* for iommufd_eventq::deliver */
ssize_t data_len;
- u64 event_data[] __counted_by(data_len);
+ u8 event_data[] __counted_by(data_len);
};
#define vevent_for_lost_events_header(vevent) \
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 435/518] iommufd: Move vevent memory allocation outside spinlock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 434/518] iommufd: Fix data_len byte-count vs element-count mismatch Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 436/518] iommufd: Set veventq_depth upper bound Greg Kroah-Hartman
` (86 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Nicolin Chen,
Kevin Tian
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 47443565d10c51366c9382dbc8597cd6c460b8a2 upstream.
The veventq memory allocation happens inside the spinlock. Given its depth
is decided by the user space, this leaves a vulnerability, where userspace
can allocate large queues to exhaust atomic memory reserves.
Move the allocation outside the spinlock and use GFP_NOWAIT, which can fail
fast under memory pressure without dipping into the GFP_ATOMIC reserves or
direct-reclaiming from the threaded IRQ handler. On allocation failure,
queue the lost_events_header (so userspace learns of the drop) and return
-ENOMEM so the caller learns of the kernel-side memory pressure.
This is intentionally distinct from the queue-overflow path, which also
queues the lost_events_header but returns 0: a full queue is an expected
userspace-pacing condition rather than a kernel error.
A subsequent change will cap the upper bound of the veventq_depth.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/5ff36b5d80f7f6299f851be532a5195c1d2f1dae.1779408671.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/driver.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/iommu/iommufd/driver.c
+++ b/drivers/iommu/iommufd/driver.c
@@ -149,15 +149,18 @@ int iommufd_viommu_report_event(struct i
goto out_unlock_veventqs;
}
- spin_lock(&veventq->common.lock);
- if (veventq->num_events == veventq->depth) {
+ /* Pre-allocate to avoid GFP_ATOMIC; use GFP_NOWAIT to avoid sleeping */
+ vevent = kzalloc_flex(*vevent, event_data, data_len, GFP_NOWAIT);
+ if (!vevent) {
+ spin_lock(&veventq->common.lock);
vevent = &veventq->lost_events_header;
+ rc = -ENOMEM;
goto out_set_header;
}
- vevent = kzalloc_flex(*vevent, event_data, data_len, GFP_ATOMIC);
- if (!vevent) {
- rc = -ENOMEM;
+ spin_lock(&veventq->common.lock);
+ if (veventq->num_events == veventq->depth) {
+ kfree(vevent);
vevent = &veventq->lost_events_header;
goto out_set_header;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 436/518] iommufd: Set veventq_depth upper bound
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 435/518] iommufd: Move vevent memory allocation outside spinlock Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 437/518] iommufd: Rewind header length in done if iommufd_veventq_fops_read() fails Greg Kroah-Hartman
` (85 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Nicolin Chen,
Kevin Tian
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 6ebf2eb46fbd5b40393ff8fbb847ba96925beaff upstream.
iommufd_veventq_alloc() accepts any !0 veventq_depth from userspace, with
an upper bound at U32_MAX.
This leaves a vulnerability where userspace can allocate excessively large
queues to exhaust kernel memory reserves.
Cap the veventq_depth (maximum number of entries) to 1 << 19, matching the
maximum number of entries in the SMMUv3 EVTQ (the largest use case today).
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/8426cbaa5e8294472ec7f076ef427cc473be5985.1779408671.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -473,6 +473,9 @@ int iommufd_fault_iopf_handler(struct io
static const struct file_operations iommufd_veventq_fops =
INIT_EVENTQ_FOPS(iommufd_veventq_fops_read, NULL);
+/* An arbitrary upper bound for veventq_depth that fits all existing HWs */
+#define VEVENTQ_MAX_DEPTH (1U << 19)
+
int iommufd_veventq_alloc(struct iommufd_ucmd *ucmd)
{
struct iommu_veventq_alloc *cmd = ucmd->cmd;
@@ -484,7 +487,7 @@ int iommufd_veventq_alloc(struct iommufd
if (cmd->flags || cmd->__reserved ||
cmd->type == IOMMU_VEVENTQ_TYPE_DEFAULT)
return -EOPNOTSUPP;
- if (!cmd->veventq_depth)
+ if (!cmd->veventq_depth || cmd->veventq_depth > VEVENTQ_MAX_DEPTH)
return -EINVAL;
viommu = iommufd_get_viommu(ucmd, cmd->viommu_id);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 437/518] iommufd: Rewind header length in done if iommufd_veventq_fops_read() fails
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 436/518] iommufd: Set veventq_depth upper bound Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 438/518] iommufd: Reject invalid read count in iommufd_veventq_fops_read() Greg Kroah-Hartman
` (84 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Kevin Tian, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 01e41ad76c12ae5c49ab4ef4fc7dd54e9b8784d6 upstream.
When the first event copy fails, rc = -EFAULT will not be reported as done
is set to the length of the copied header.
Rewind it to report rc correctly.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/78f8caeb6a5d667a26b870e3068cec47dd4b5be1.1780343944.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -336,6 +336,7 @@ static ssize_t iommufd_veventq_fops_read
if (cur->data_len &&
copy_to_user(buf + done, cur->event_data, cur->data_len)) {
iommufd_veventq_deliver_restore(veventq, cur);
+ done -= sizeof(*hdr);
rc = -EFAULT;
break;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 438/518] iommufd: Reject invalid read count in iommufd_veventq_fops_read()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 437/518] iommufd: Rewind header length in done if iommufd_veventq_fops_read() fails Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 439/518] iommufd: Propagate allocation failure in iommufd_veventq_deliver_fetch() Greg Kroah-Hartman
` (83 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Kevin Tian, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 00203ca8323f9714630408c19a209b52397975e6 upstream.
The read count must be large enough to hold a vEVENT header. For a normal
vEVENT, it must also hold the trailing data following the header.
iommufd_veventq_fops_read() does not validate the count, but returns 0 as
if the read had succeeded while leaving the pending event in the queue.
Return -EINVAL in both undersize cases.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/e1111adcc8a8882fbfd84accd6674dc846dc5689.1780343944.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -310,6 +310,9 @@ static ssize_t iommufd_veventq_fops_read
if (*ppos)
return -ESPIPE;
+ /* Minimum read count is a vEVENT header */
+ if (count < sizeof(*hdr))
+ return -EINVAL;
while ((cur = iommufd_veventq_deliver_fetch(veventq))) {
/* Validate the remaining bytes against the header size */
@@ -323,6 +326,9 @@ static ssize_t iommufd_veventq_fops_read
if (!vevent_for_lost_events_header(cur) &&
sizeof(*hdr) + cur->data_len > count - done) {
iommufd_veventq_deliver_restore(veventq, cur);
+ /* Read count doesn't fit a single normal vEVENT */
+ if (done == 0)
+ rc = -EINVAL;
break;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 439/518] iommufd: Propagate allocation failure in iommufd_veventq_deliver_fetch()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 438/518] iommufd: Reject invalid read count in iommufd_veventq_fops_read() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 440/518] iommufd: Reject invalid read count in iommufd_fault_fops_read() Greg Kroah-Hartman
` (82 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Kevin Tian, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 489e63dd120bad52eba63f5506c214750cd5bc75 upstream.
When the kzalloc_obj() fails in iommufd_veventq_deliver_fetch(), it returns
NULL, falsely advertising to userspace that the queue is empty.
Propagate the -ENOMEM properly to the caller.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/25d29feac909e36f78c145fa99ef2d4cb7a415da.1780343944.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -264,8 +264,10 @@ iommufd_veventq_deliver_fetch(struct iom
/* Make a copy of the lost_events_header for copy_to_user */
if (next == &veventq->lost_events_header) {
vevent = kzalloc_obj(*vevent, GFP_ATOMIC);
- if (!vevent)
+ if (!vevent) {
+ vevent = ERR_PTR(-ENOMEM);
goto out_unlock;
+ }
}
list_del(&next->node);
if (vevent)
@@ -315,6 +317,12 @@ static ssize_t iommufd_veventq_fops_read
return -EINVAL;
while ((cur = iommufd_veventq_deliver_fetch(veventq))) {
+ if (IS_ERR(cur)) {
+ if (done == 0)
+ rc = PTR_ERR(cur);
+ break;
+ }
+
/* Validate the remaining bytes against the header size */
if (done >= count || sizeof(*hdr) > count - done) {
iommufd_veventq_deliver_restore(veventq, cur);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 440/518] iommufd: Reject invalid read count in iommufd_fault_fops_read()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 439/518] iommufd: Propagate allocation failure in iommufd_veventq_deliver_fetch() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 441/518] iommufd: Break the loop on failure " Greg Kroah-Hartman
` (81 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Kevin Tian, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 47916a54eeb2a9e654512ee609f71bd5b29db702 upstream.
The read count must be large enough to hold one fault or a group's faults.
iommufd_fault_fops_read() does not validate the count, but returns 0 as if
the read had succeeded while leaving the pending fault in the queue.
Return -EINVAL in the undersize cases.
Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Link: https://patch.msgid.link/r/85c118a606fbedc5c132a1f5ec223a5ba23b92d2.1780343944.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -142,6 +142,9 @@ static ssize_t iommufd_fault_fops_read(s
if (done >= count ||
group->fault_count * fault_size > count - done) {
iommufd_fault_deliver_restore(fault, group);
+ /* Read count doesn't fit the first fault group */
+ if (done == 0)
+ rc = -EINVAL;
break;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 441/518] iommufd: Break the loop on failure in iommufd_fault_fops_read()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 440/518] iommufd: Reject invalid read count in iommufd_fault_fops_read() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 442/518] iommufd: Avoid partial fault group delivery " Greg Kroah-Hartman
` (80 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Kevin Tian, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 172fc8b19825a0f5884c38f2289188284e2d45ee upstream.
On a copy_to_user() failure inside the inner list_for_each_entry, only the
inner loop breaks; the outer while re-fetches the just-restored fault group
and retries the failing copy_to_user() forever, spinning the reader at 100%
CPU with fault->mutex held.
Check rc after the inner loop and break the outer while as well.
Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Link: https://patch.msgid.link/r/336a9b6e44fe66a24199d3be777c405c85c98622.1780343944.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -168,6 +168,8 @@ static ssize_t iommufd_fault_fops_read(s
}
done += fault_size;
}
+ if (rc)
+ break;
}
mutex_unlock(&fault->mutex);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 442/518] iommufd: Avoid partial fault group delivery in iommufd_fault_fops_read()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 441/518] iommufd: Break the loop on failure " Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 443/518] iommufd: Set upper bounds on cache invalidation entry_num and entry_len Greg Kroah-Hartman
` (79 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Kevin Tian, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 091ab6d70dc444f56ed14faedbcacfc979f4c613 upstream.
The cookie returned by xa_alloc() in iommufd_fault_fops_read() is per fault
group, but the inner copy_to_user() runs per fault inside the group. If a
copy fails mid-group, xa_erase clears the cookie and the group is restored
to the deliver list, yet done is not rolled back. The function returns the
partial byte count, with the successfully copied faults sitting at offsets
below done carrying the now-erased cookie. The next read() then re-fetches
the group, allocates a fresh cookie, and re-delivers every fault including
the ones already copied; userspace sees duplicates carrying the new cookie,
and a stale cookie that can never be responded to.
Use a local group_done variable that tracks the per-group progress inside
the inner loop, and only commit done = group_done after the inner loop has
finished successfully. On a copy_to_user failure the outer break skips the
commit, so done remains at its prior start-of-group baseline; the partial
bytes already written past done are undefined to userspace per the read(2)
contract, and the next read re-delivers the whole group atomically.
Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Link: https://patch.msgid.link/r/360cab4d4aeccb0bae275a970e2b3c340a71e0e0.1780343944.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/eventq.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -139,6 +139,8 @@ static ssize_t iommufd_fault_fops_read(s
mutex_lock(&fault->mutex);
while ((group = iommufd_fault_deliver_fetch(fault))) {
+ size_t group_done = done;
+
if (done >= count ||
group->fault_count * fault_size > count - done) {
iommufd_fault_deliver_restore(fault, group);
@@ -160,16 +162,17 @@ static ssize_t iommufd_fault_fops_read(s
iommufd_compose_fault_message(&iopf->fault,
&data, idev,
group->cookie);
- if (copy_to_user(buf + done, &data, fault_size)) {
+ if (copy_to_user(buf + group_done, &data, fault_size)) {
xa_erase(&fault->response, group->cookie);
iommufd_fault_deliver_restore(fault, group);
rc = -EFAULT;
break;
}
- done += fault_size;
+ group_done += fault_size;
}
if (rc)
break;
+ done = group_done;
}
mutex_unlock(&fault->mutex);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 443/518] iommufd: Set upper bounds on cache invalidation entry_num and entry_len
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 442/518] iommufd: Avoid partial fault group delivery " Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 444/518] audit: fix removal of dangling executable rules Greg Kroah-Hartman
` (78 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Lu Baolu,
Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 4d70986002f2f3eaaed89124fb2522bded38b016 upstream.
iommufd_hwpt_invalidate() takes a user-controlled entry_num and entry_len,
each bounded only by U32_MAX. An entry_len beyond the kernel's struct size
makes the copy helper verify the extra bytes are zero, scanning that excess
in one uninterruptible pass; a multi-gigabyte value over zeroed user memory
trips the soft-lockup watchdog.
A large entry_num is the other half, driving the backend invalidation loop
with no reschedule. The VT-d nested handler, for one, copies each entry and
flushes caches per iteration, pinning the CPU on a non-preemptible kernel.
Cap both in the ioctl. entry_len is held under PAGE_SIZE, above any request
struct, and entry_num under 1 << 19, the order of a hardware invalidation
queue and well beyond any real batch, bounding the per-call loop length.
Fixes: 8c6eabae3807 ("iommufd: Add IOMMU_HWPT_INVALIDATE")
Link: https://patch.msgid.link/r/447fa93663f7526eb361719e83fa8b649464483d.1780521606.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/hw_pagetable.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/iommu/iommufd/hw_pagetable.c
+++ b/drivers/iommu/iommufd/hw_pagetable.c
@@ -489,6 +489,9 @@ int iommufd_hwpt_get_dirty_bitmap(struct
return rc;
}
+/* An arbitrary entry_num cap, far above any realistic invalidation batch */
+#define IOMMU_HWPT_INVALIDATE_ENTRY_NUM_MAX (1U << 19)
+
int iommufd_hwpt_invalidate(struct iommufd_ucmd *ucmd)
{
struct iommu_hwpt_invalidate *cmd = ucmd->cmd;
@@ -507,7 +510,13 @@ int iommufd_hwpt_invalidate(struct iommu
goto out;
}
- if (cmd->entry_num && (!cmd->data_uptr || !cmd->entry_len)) {
+ /*
+ * Bound entry_num and entry_len so a single call cannot pin the CPU;
+ * entry_len also caps the copy_struct_from_user() trailing-zero scan.
+ */
+ if (cmd->entry_num &&
+ (!cmd->data_uptr || !cmd->entry_len || cmd->entry_len > PAGE_SIZE ||
+ cmd->entry_num > IOMMU_HWPT_INVALIDATE_ENTRY_NUM_MAX)) {
rc = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 444/518] audit: fix removal of dangling executable rules
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 443/518] iommufd: Set upper bounds on cache invalidation entry_num and entry_len Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 445/518] landlock: Set audit_net.sk for socket access checks Greg Kroah-Hartman
` (77 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Waiman Long,
Richard Guy Briggs, Ricardo Robaina, Paul Moore
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Robaina <rrobaina@redhat.com>
commit 888a0396e154524f4027f27da84bdbec9eb68916 upstream.
When an audited executable is deleted from the disk, its dentry
becomes negative. Any later attempt to delete the associated audit
rule will lead to audit_alloc_mark() encountering this negative
dentry and immediately aborting, returning -ENOENT.
This early abort prevents the subsystem from allocating the temporary
fsnotify mark needed to construct the search key, meaning the kernel
cannot find the existing rule in its own lists to delete it. This
leaves a dangling rule in memory, resulting in the following error
while attempting to delete the rule:
# ./audit-dupe-exe-deadlock.sh
No rules
Error deleting rule (No such file or directory)
There was an error while processing parameters
# auditctl -l
-a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
# auditctl -D
Error deleting rule (No such file or directory)
There was an error while processing parameters
This patch fixes this issue by removing the d_really_is_negative()
check. By doing so, a dummy mark can be successfully generated for
the deleted path, which allows the audit subsystem to properly match
and flush the dangling rule.
Cc: stable@kernel.org
Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
Acked-by: Waiman Long <longman@redhat.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit_fsnotify.c | 4 ----
1 file changed, 4 deletions(-)
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -84,10 +84,6 @@ struct audit_fsnotify_mark *audit_alloc_
dentry = kern_path_parent(pathname, &path);
if (IS_ERR(dentry))
return ERR_CAST(dentry); /* returning an error */
- if (d_really_is_negative(dentry)) {
- audit_mark = ERR_PTR(-ENOENT);
- goto out;
- }
audit_mark = kzalloc_obj(*audit_mark);
if (unlikely(!audit_mark)) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 445/518] landlock: Set audit_net.sk for socket access checks
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 444/518] audit: fix removal of dangling executable rules Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 446/518] selftests/landlock: Explicitly disable audit in teardowns Greg Kroah-Hartman
` (76 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack, Tingmao Wang,
Mickaël Salaün
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit d936e1a9170f9cadaa5f37586b1dfe6f20f98799 upstream.
Set audit_net.sk in current_check_access_socket() to provide the socket
object to audit_log_lsm_data(). This makes Landlock consistent with
AppArmor, which always sets .sk for socket operations, and with
SELinux's generic socket permission checks.
The socket's local and foreign address information (laddr, lport, faddr,
fport) is logged by the shared lsm_audit.c infrastructure when the
socket has bound or connected state. Fields with zero values are
suppressed by print_ipv4_addr()/print_ipv6_addr(), so the audit output
is unchanged for the common case of bind denials on unbound sockets.
For connect denials after a prior bind, the bound local address (laddr,
lport) appears before the existing sockaddr fields (daddr, dest).
No existing fields are removed or reordered, and the new field names
(laddr, lport, faddr, fport) are standard audit fields already emitted
by other LSMs through the same lsm_audit.c code path.
Add a connect_tcp_bound audit test that binds to an allowed port and
then connects to a denied one, verifying that the denial record reports
laddr/lport from the bound socket in addition to the connect
destination.
Cc: Günther Noack <gnoack@google.com>
Cc: Tingmao Wang <m@maowtm.org>
Cc: stable@vger.kernel.org
Fixes: 9f74411a40ce ("landlock: Log TCP bind and connect denials")
Link: https://patch.msgid.link/20260612172757.1003481-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/landlock/net.c | 1
tools/testing/selftests/landlock/net_test.c | 62 ++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -198,6 +198,7 @@ static int current_check_access_socket(s
return 0;
audit_net.family = address->sa_family;
+ audit_net.sk = sock->sk;
landlock_log_denial(subject,
&(struct landlock_request){
.type = LANDLOCK_REQUEST_NET_ACCESS,
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -2026,4 +2026,66 @@ TEST_F(audit, connect)
EXPECT_EQ(0, close(sock_fd));
}
+static int matches_log_tcp_bound(int audit_fd, const char *const addr,
+ __u16 lport, __u16 dport)
+{
+ static const char log_template[] = REGEX_LANDLOCK_PREFIX
+ " blockers=net\\.connect_tcp laddr=%s lport=%u daddr=%s dest=%u$";
+ /* Slack for two addresses and two port numbers. */
+ char log_match[sizeof(log_template) + 40];
+ int log_match_len;
+
+ log_match_len = snprintf(log_match, sizeof(log_match), log_template,
+ addr, lport, addr, dport);
+ if (log_match_len > sizeof(log_match))
+ return -E2BIG;
+
+ return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match,
+ NULL);
+}
+
+/*
+ * After a bind() to an allowed port, a denied connect must report laddr/lport
+ * from the bound socket (made available through audit_net.sk) in addition to
+ * the connect sockaddr's daddr/dest.
+ */
+TEST_F(audit, connect_tcp_bound)
+{
+ const struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ };
+ const struct landlock_net_port_attr rule_bind = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = self->srv0.port,
+ };
+ struct service_fixture srv_remote;
+ struct audit_records records;
+ int ruleset_fd, sock_fd;
+
+ /* Uses a second port as the denied connect target. */
+ ASSERT_EQ(0, set_service(&srv_remote, variant->prot, 1));
+
+ ruleset_fd =
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
+ &rule_bind, 0));
+ enforce_ruleset(_metadata, ruleset_fd);
+ EXPECT_EQ(0, close(ruleset_fd));
+
+ sock_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, sock_fd);
+ EXPECT_EQ(0, bind_variant(sock_fd, &self->srv0));
+ EXPECT_EQ(-EACCES, connect_variant(sock_fd, &srv_remote));
+ EXPECT_EQ(0, matches_log_tcp_bound(self->audit_fd, variant->addr,
+ self->srv0.port, srv_remote.port));
+
+ EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
+ EXPECT_EQ(0, records.access);
+ EXPECT_EQ(1, records.domain);
+
+ EXPECT_EQ(0, close(sock_fd));
+}
+
TEST_HARNESS_MAIN
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 446/518] selftests/landlock: Explicitly disable audit in teardowns
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 445/518] landlock: Set audit_net.sk for socket access checks Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 447/518] landlock: Account all audit data allocations to user space Greg Kroah-Hartman
` (75 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maximilian Heyne,
Mickaël Salaün
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Heyne <mheyne@amazon.de>
commit 0302cd72fe196aee933e3fb76f6d175d1ab0e843 upstream.
I'm seeing sporadic selftest failures, such as
# RUN scoped_audit.connect_to_child ...
# scoped_abstract_unix_test.c:314:connect_to_child:Expected 0 (0) == records.access (8)
# connect_to_child: Test failed
# FAIL scoped_audit.connect_to_child
not ok 19 scoped_audit.connect_to_child
This seems similar to what commit 3647a4977fb73d ("selftests/landlock:
Drain stale audit records on init") tried to fix. However, the added
drain loop is not effective. When setting the AUDIT_STATUS_PID, the
kauditd_thread is woken up starting to send messages from the hold queue
to the netlink. Depending on scheduling of this kthread not all messages
might be send via the netlink in the 1 us interval.
Therefore, instead of trying to drain the queue, let's just disable
audit when running non-audit tests or more precisely disable it after
audit-tests. This way we won't generate any new audit message that could
interfere with the other tests.
The comment saying that on process exit audit will be disabled is wrong.
The closed file descriptor just causes an auditd_reset(), not a
disablement. So future messages will be queued in the hold queue.
Cc: stable@vger.kernel.org
Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Link: https://patch.msgid.link/20260529-welsh-nagoya-b4d9ca60@mheyne-amazon
[mic: Fix FD leak, update subject, call audit_cleanup() in audit_exec teardown]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/landlock/audit.h | 21 ++++++++-------------
tools/testing/selftests/landlock/audit_test.c | 4 +---
2 files changed, 9 insertions(+), 16 deletions(-)
--- a/tools/testing/selftests/landlock/audit.h
+++ b/tools/testing/selftests/landlock/audit.h
@@ -494,10 +494,9 @@ static int audit_init_filter_exe(struct
static int audit_cleanup(int audit_fd, struct audit_filter *filter)
{
struct audit_filter new_filter;
+ int err = 0;
if (audit_fd < 0 || !filter) {
- int err;
-
/*
* Simulates audit_init_with_exe_filter() when called from
* FIXTURE_TEARDOWN_PARENT().
@@ -508,23 +507,19 @@ static int audit_cleanup(int audit_fd, s
filter = &new_filter;
err = audit_init_filter_exe(filter, NULL);
- if (err) {
- close(audit_fd);
- return err;
- }
+ if (err)
+ goto err_close;
}
/* Filters might not be in place. */
audit_filter_exe(audit_fd, filter, AUDIT_DEL_RULE);
audit_filter_drop(audit_fd, AUDIT_DEL_RULE);
- /*
- * Because audit_cleanup() might not be called by the test auditd
- * process, it might not be possible to explicitly set it. Anyway,
- * AUDIT_STATUS_ENABLED will implicitly be set to 0 when the auditd
- * process will exit.
- */
- return close(audit_fd);
+ err = audit_set_status(audit_fd, AUDIT_STATUS_ENABLED, 0);
+
+err_close:
+ close(audit_fd);
+ return err;
}
static int audit_init_with_exe_filter(struct audit_filter *filter)
--- a/tools/testing/selftests/landlock/audit_test.c
+++ b/tools/testing/selftests/landlock/audit_test.c
@@ -849,10 +849,8 @@ FIXTURE_SETUP(audit_exec)
FIXTURE_TEARDOWN(audit_exec)
{
set_cap(_metadata, CAP_AUDIT_CONTROL);
- EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
- AUDIT_DEL_RULE));
+ EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter));
clear_cap(_metadata, CAP_AUDIT_CONTROL);
- EXPECT_EQ(0, close(self->audit_fd));
}
TEST_F(audit_exec, signal_and_open)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 447/518] landlock: Account all audit data allocations to user space
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 446/518] selftests/landlock: Explicitly disable audit in teardowns Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 448/518] selftests/landlock: Filter dealloc records in audit_count_records() Greg Kroah-Hartman
` (74 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack, Paul Moore,
Mickaël Salaün
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit b232bd12789fa57405b5092f28788be97aae9999 upstream.
Mark the kzalloc_flex() of struct landlock_details with
GFP_KERNEL_ACCOUNT so the allocation is charged to the calling task,
like the other Landlock per-domain allocations which have used
GFP_KERNEL_ACCOUNT forever.
Every property of landlock_details is caller-attributable: allocated by
landlock_restrict_self(2), owned by the caller's landlock_hierarchy,
contents are the caller's pid, uid, comm, and exe_path, lifetime bounded
by the caller's domain. While the caller may not know nor control the
size of this allocation (i.e. exe_path), this data should still be
accounted for it.
The deciding factor is whether userspace can trigger the allocation, not
whether the size of the data is known nor controlled by the caller.
This aligns with the kmemcg accounting policy established by commit
5d097056c9a0 ("kmemcg: account certain kmem allocations to memcg").
No new failure modes: the hierarchy and ruleset are allocated before
details and are already accounted, so landlock_restrict_self(2) already
returns -ENOMEM under memcg pressure. This change widens that existing
failure window slightly; it does not introduce a new error code.
Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: stable@vger.kernel.org
Fixes: 1d636984e088 ("landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status")
Link: https://patch.msgid.link/20260513180309.165840-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/landlock/domain.c | 9 +++++----
security/landlock/domain.h | 5 +----
2 files changed, 6 insertions(+), 8 deletions(-)
--- a/security/landlock/domain.c
+++ b/security/landlock/domain.c
@@ -90,11 +90,12 @@ static struct landlock_details *get_curr
return ERR_CAST(buffer);
/*
- * Create the new details according to the path's length. Do not
- * allocate with GFP_KERNEL_ACCOUNT because it is independent from the
- * caller.
+ * Create the new details according to the path's length. Account to
+ * the calling task's memcg, like the other Landlock per-domain
+ * allocations, even if it may not control the related size.
*/
- details = kzalloc_flex(*details, exe_path, path_size);
+ details =
+ kzalloc_flex(*details, exe_path, path_size, GFP_KERNEL_ACCOUNT);
if (!details)
return ERR_PTR(-ENOMEM);
--- a/security/landlock/domain.h
+++ b/security/landlock/domain.h
@@ -33,10 +33,7 @@ enum landlock_log_status {
* Rarely accessed, mainly when logging the first domain's denial.
*
* The contained pointers are initialized at the domain creation time and never
- * changed again. Contrary to most other Landlock object types, this one is
- * not allocated with GFP_KERNEL_ACCOUNT because its size may not be under the
- * caller's control (e.g. unknown exe_path) and the data is not explicitly
- * requested nor used by tasks.
+ * changed again.
*/
struct landlock_details {
/**
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 448/518] selftests/landlock: Filter dealloc records in audit_count_records()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 447/518] landlock: Account all audit data allocations to user space Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 449/518] selftests/landlock: Increase default audit socket timeout Greg Kroah-Hartman
` (73 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Günther Noack, Mickaël Salaün
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 26679fad81a471428707d2dd7b0418204c52b7e4 upstream.
audit_count_records() counts both AUDIT_LANDLOCK_DOMAIN allocation and
deallocation records in records.domain . Domain deallocation is tied to
asynchronous credential freeing via kworker threads
(landlock_put_ruleset_deferred), so the dealloc record can arrive after
the drain in audit_init() and after the preceding audit_match_record()
call. This causes flaky failures in tests that assert an exact
records.domain count: a stale dealloc record from a previous test's
domain inflates the count by one.
Observed on x86_64 under build configurations that delay the kworker
firing the dealloc callback (e.g. coverage instrumentation): the
audit_layout1 tests in fs_test.c intermittently saw records.domain == 2
where 1 was expected. The fix is in the shared helper, so those
existing checks become robust without needing a fs_test.c edit.
Filter audit_count_records() with a regex to skip records containing
deallocation status. The remaining domain records (allocation, emitted
synchronously during landlock_log_denial()) are deterministic.
Deallocation records are already tested explicitly via
matches_log_domain_deallocated() in audit_test.c, which uses its own
domain-ID-based filtering and longer timeout.
With this filter in place, re-add the records.domain == 0 checks that
were removed in commit 3647a4977fb7 ("selftests/landlock: Drain stale
audit records on init") as a workaround for this race.
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Depends-on: 07c2572a8757 ("selftests/landlock: Skip stale records in audit_match_record()")
Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
Tested-by: Günther Noack <gnoack3000@gmail.com>
Link: https://patch.msgid.link/20260513105112.140137-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/landlock/audit.h | 39 +++++++----
tools/testing/selftests/landlock/audit_test.c | 2
tools/testing/selftests/landlock/ptrace_test.c | 1
tools/testing/selftests/landlock/scoped_abstract_unix_test.c | 1
4 files changed, 30 insertions(+), 13 deletions(-)
--- a/tools/testing/selftests/landlock/audit.h
+++ b/tools/testing/selftests/landlock/audit.h
@@ -381,18 +381,24 @@ struct audit_records {
};
/*
- * WARNING: Do not assert records.domain == 0 without a preceding
- * audit_match_record() call. Domain deallocation records are emitted
- * asynchronously from kworker threads and can arrive after the drain in
- * audit_init(), corrupting the domain count. A preceding audit_match_record()
- * call consumes stale records while scanning, making the assertion safe in
- * practice because stale deallocation records arrive before the expected access
- * records.
+ * Counts remaining audit records by type, skipping domain deallocation records.
+ * Deallocation records are emitted asynchronously from kworker threads after a
+ * previous test's child has exited, so they can arrive after the drain in
+ * audit_init() and after the preceding audit_match_record() call. Allocation
+ * records are emitted synchronously during landlock_log_denial() in the current
+ * test's syscall context, so only those are counted in records->domain.
*/
static int audit_count_records(int audit_fd, struct audit_records *records)
{
+ static const char dealloc_pattern[] = REGEX_LANDLOCK_PREFIX
+ " status=deallocated ";
struct audit_message msg;
- int err;
+ regex_t dealloc_re;
+ int ret, err = 0;
+
+ ret = regcomp(&dealloc_re, dealloc_pattern, 0);
+ if (ret)
+ return -ENOMEM;
records->access = 0;
records->domain = 0;
@@ -402,9 +408,8 @@ static int audit_count_records(int audit
err = audit_recv(audit_fd, &msg);
if (err) {
if (err == -EAGAIN)
- return 0;
- else
- return err;
+ err = 0;
+ break;
}
switch (msg.header.nlmsg_type) {
@@ -412,12 +417,20 @@ static int audit_count_records(int audit
records->access++;
break;
case AUDIT_LANDLOCK_DOMAIN:
- records->domain++;
+ ret = regexec(&dealloc_re, msg.data, 0, NULL, 0);
+ if (ret == REG_NOMATCH) {
+ records->domain++;
+ } else if (ret != 0) {
+ err = -EIO;
+ goto out;
+ }
break;
}
} while (true);
- return 0;
+out:
+ regfree(&dealloc_re);
+ return err;
}
static int audit_init(void)
--- a/tools/testing/selftests/landlock/audit_test.c
+++ b/tools/testing/selftests/landlock/audit_test.c
@@ -730,6 +730,7 @@ TEST_F(audit_flags, signal)
} else {
EXPECT_EQ(1, records.access);
}
+ EXPECT_EQ(0, records.domain);
/* Updates filter rules to match the drop record. */
set_cap(_metadata, CAP_AUDIT_CONTROL);
@@ -915,6 +916,7 @@ TEST_F(audit_exec, signal_and_open)
/* Tests that there was no denial until now. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
+ EXPECT_EQ(0, records.domain);
/*
* Wait for the child to do a first denied action by layer1 and
--- a/tools/testing/selftests/landlock/ptrace_test.c
+++ b/tools/testing/selftests/landlock/ptrace_test.c
@@ -342,6 +342,7 @@ TEST_F(audit, trace)
/* Makes sure there is no superfluous logged records. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
+ EXPECT_EQ(0, records.domain);
yama_ptrace_scope = get_yama_ptrace_scope();
ASSERT_LE(0, yama_ptrace_scope);
--- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
@@ -312,6 +312,7 @@ TEST_F(scoped_audit, connect_to_child)
/* Makes sure there is no superfluous logged records. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
EXPECT_EQ(0, records.access);
+ EXPECT_EQ(0, records.domain);
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 449/518] selftests/landlock: Increase default audit socket timeout
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 448/518] selftests/landlock: Filter dealloc records in audit_count_records() Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 450/518] KVM: arm64: nv: Avoid dereferencing NULL VNCR pseudo-TLB Greg Kroah-Hartman
` (72 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Thomas Weißschuh, Günther Noack, kernel test robot,
Mickaël Salaün
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit d8dfb4c7faa87c3e41a8678f38f136c2c7c036fa upstream.
matches_log_fs() and other audit_match_record() callers intermittently
return -EAGAIN under heavy debug configs (KASAN, lockdep). The audit
record delivery pipeline is asynchronous: landlock_log_denial() queues
the record to audit_queue, and kauditd_thread dequeues and delivers via
netlink. Under debug configs, kauditd scheduling between
audit_log_end() and netlink_unicast() can exceed a syscall round trip
(more than 1 usec), which was the value of the socket timeout used for
the recvfrom() calls.
The observed failure [1] is an EAGAIN error code (-11) which means that
the access record had not arrived within the 1 usec timeout of
recvfrom(). The expected record does arrive, but only after
matches_log_fs() has already returned. It is then consumed by a later
audit_count_records() call, making records.access == 1 instead of 0.
Switch the default socket timeout to the slow value (1 second) so all
audit_match_record() callers wait long enough for kauditd delivery, and
lower it to the fast value (1 usec) only on the two paths that expect no
record: audit_count_records() and the expected_domain_id == 0 probe in
matches_log_domain_deallocated(). audit_init() drains stale records
with the fast timeout (terminating on -EAGAIN once the backlog is empty)
and switches to the patient default before returning. 1 second gives
~10x margin over the observed maximum (~100 ms, while the happy path is
~23 us).
Rename the timeval constants to reflect their new roles:
- audit_tv_dom_drop (1 second) -> audit_tv_default: default socket
timeout, patient enough for asynchronous kauditd delivery.
- audit_tv_default (1 usec) -> audit_tv_fast: fast timeout for paths
that expect no record (drain, audit_count_records(), probes).
Invert the conditional in matches_log_domain_deallocated(). Check
setsockopt returns on both the lower and restore paths; preserve the
first error via !err when the restore fails after a prior error so the
actionable return code is not masked by a bookkeeping failure.
Cc: Günther Noack <gnoack@google.com>
Cc: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Cc: stable@vger.kernel.org
Depends-on: 07c2572a8757 ("selftests/landlock: Skip stale records in audit_match_record()")
Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
Reported-by: Günther Noack <gnoack3000@gmail.com>
Closes: https://lore.kernel.org/r/20260402.eb5c4e85f472@gnoack.org [1]
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202605111649.a8b30a62-lkp@intel.com
Closes: https://lore.kernel.org/oe-lkp/202604300436.a07fae12-lkp@intel.com
Tested-by: Günther Noack <gnoack3000@gmail.com>
Link: https://patch.msgid.link/20260513105112.140137-2-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/landlock/audit.h | 80 ++++++++++++++++++++++++-------
1 file changed, 63 insertions(+), 17 deletions(-)
--- a/tools/testing/selftests/landlock/audit.h
+++ b/tools/testing/selftests/landlock/audit.h
@@ -45,17 +45,25 @@ struct audit_message {
};
};
-static const struct timeval audit_tv_dom_drop = {
+static const struct timeval audit_tv_default = {
/*
- * Because domain deallocation is tied to asynchronous credential
- * freeing, receiving such event may take some time. In practice,
- * on a small VM, it should not exceed 100k usec, but let's wait up
- * to 1 second to be safe.
+ * Default socket timeout for audit_match_record() callers that expect a
+ * record to arrive. Asynchronous kauditd delivery can exceed 1 usec
+ * under heavy debug configs (KASAN, lockdep), where kauditd_thread
+ * scheduling between audit_log_end() and netlink_unicast() takes longer
+ * than the previous 1 usec timeout. 1 second is a generous ceiling: on
+ * the happy path, kauditd delivers within dozens of usec.
*/
.tv_sec = 1,
};
-static const struct timeval audit_tv_default = {
+static const struct timeval audit_tv_fast = {
+ /*
+ * Fast timeout for paths that expect no record (audit_init() drain,
+ * audit_count_records(), probes). Causes audit_recv() to return
+ * -EAGAIN once the socket buffer is empty, naturally terminating the
+ * read loop.
+ */
.tv_usec = 1,
};
@@ -334,8 +342,13 @@ static int __maybe_unused matches_log_do
* Matches a domain deallocation record. When expected_domain_id is non-zero,
* the pattern includes the specific domain ID so that stale deallocation
* records from a previous test (with a different domain ID) are skipped by
- * audit_match_record(), and the socket timeout is temporarily increased to
- * audit_tv_dom_drop to wait for the asynchronous kworker deallocation.
+ * audit_match_record(), waiting for the asynchronous kworker deallocation with
+ * the default patient timeout.
+ *
+ * When expected_domain_id is zero, the caller is probing for any dealloc record
+ * that may or may not arrive. Temporarily lowers the socket timeout to
+ * audit_tv_fast for this probe so it returns promptly when no record is
+ * pending; restores audit_tv_default after.
*/
static int __maybe_unused
matches_log_domain_deallocated(int audit_fd, unsigned int num_denials,
@@ -361,16 +374,21 @@ matches_log_domain_deallocated(int audit
if (log_match_len >= sizeof(log_match))
return -E2BIG;
- if (expected_domain_id)
- setsockopt(audit_fd, SOL_SOCKET, SO_RCVTIMEO,
- &audit_tv_dom_drop, sizeof(audit_tv_dom_drop));
+ if (!expected_domain_id) {
+ if (setsockopt(audit_fd, SOL_SOCKET, SO_RCVTIMEO,
+ &audit_tv_fast, sizeof(audit_tv_fast)))
+ return -errno;
+ }
err = audit_match_record(audit_fd, AUDIT_LANDLOCK_DOMAIN, log_match,
domain_id);
- if (expected_domain_id)
- setsockopt(audit_fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_default,
- sizeof(audit_tv_default));
+ if (!expected_domain_id) {
+ if (setsockopt(audit_fd, SOL_SOCKET, SO_RCVTIMEO,
+ &audit_tv_default, sizeof(audit_tv_default)) &&
+ !err)
+ err = -errno;
+ }
return err;
}
@@ -387,6 +405,11 @@ struct audit_records {
* audit_init() and after the preceding audit_match_record() call. Allocation
* records are emitted synchronously during landlock_log_denial() in the current
* test's syscall context, so only those are counted in records->domain.
+ *
+ * Temporarily lowers SO_RCVTIMEO to audit_tv_fast for the read loop: this is a
+ * "no record expected" path that should terminate on the first -EAGAIN. The
+ * default patient timeout is restored on exit for subsequent
+ * audit_match_record() callers.
*/
static int audit_count_records(int audit_fd, struct audit_records *records)
{
@@ -403,6 +426,12 @@ static int audit_count_records(int audit
records->access = 0;
records->domain = 0;
+ if (setsockopt(audit_fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_fast,
+ sizeof(audit_tv_fast))) {
+ err = -errno;
+ goto out;
+ }
+
do {
memset(&msg, 0, sizeof(msg));
err = audit_recv(audit_fd, &msg);
@@ -429,6 +458,10 @@ static int audit_count_records(int audit
} while (true);
out:
+ if (setsockopt(audit_fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_default,
+ sizeof(audit_tv_default)) &&
+ !err)
+ err = -errno;
regfree(&dealloc_re);
return err;
}
@@ -449,9 +482,9 @@ static int audit_init(void)
if (err)
goto err_close;
- /* Sets a timeout for negative tests. */
- err = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_default,
- sizeof(audit_tv_default));
+ /* Uses the fast timeout to drain stale records below. */
+ err = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_fast,
+ sizeof(audit_tv_fast));
if (err) {
err = -errno;
goto err_close;
@@ -467,6 +500,19 @@ static int audit_init(void)
while (audit_recv(fd, NULL) == 0)
;
+ /*
+ * Restores the default timeout for audit_match_record() callers that
+ * expect a record to arrive. Paths that expect no record restore the
+ * fast timeout locally (audit_count_records(), the expected_domain_id
+ * == 0 probe in matches_log_domain_deallocated()).
+ */
+ err = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_default,
+ sizeof(audit_tv_default));
+ if (err) {
+ err = -errno;
+ goto err_close;
+ }
+
return fd;
err_close:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 450/518] KVM: arm64: nv: Avoid dereferencing NULL VNCR pseudo-TLB
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 449/518] selftests/landlock: Increase default audit socket timeout Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:31 ` [PATCH 7.1 451/518] LoongArch: KVM: Add missing slots_lock for device register/unregister Greg Kroah-Hartman
` (71 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Oliver Upton,
Marc Zyngier
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 4be6cbeb93d26994bd1827ddbce391e3c4395c8f upstream.
VNCR TLB invalidation occurs from MMU notifiers or TLBI instructions,
and either can race against a vcpu not being onlined yet (no pseudo-TLB
allocated). Similarly, the TLB might be invalid, and the invalidation
should be skipped in this case.
Both kvm_invalidate_vncr_ipa() and kvm_invalidate_vncr_va() are
expected to perform the same checks, except that the latter doesn't
check for the allocation and blindly dereferences the pointer.
Solve this by introducing a new iterator built on top of the usual
kvm_for_each_vcpu() that checks for both of the above conditions,
and convert the two users to it.
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://lore.kernel.org/r/aiUvSbrWndQeUPc8@v4bel
Fixes: 4ffa72ad8f37 ("KVM: arm64: nv: Add S1 TLB invalidation primitive for VNCR_EL2")
Cc: stable@vger.kernel.org
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260607175745.297793-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/nested.c | 36 +++++++++++++++---------------------
1 file changed, 15 insertions(+), 21 deletions(-)
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -904,9 +904,21 @@ static void invalidate_vncr(struct vncr_
clear_fixmap(vncr_fixmap(vt->cpu));
}
+/*
+ * VNCR TLB invalidation occurs from MMU notifiers or TLBI instructions, and
+ * either can race against a vcpu not being onlined yet (no pseudo-TLB
+ * allocated). Similarly, the TLB might be invalid. Skip those, as they
+ * obviously don't participate in the invalidation at this stage.
+ */
+#define kvm_for_each_vncr_tlb(idx, vcpup, tlbp, kvm) \
+ kvm_for_each_vcpu(idx, vcpup, kvm) \
+ if (((tlbp) = vcpup->arch.vncr_tlb) && \
+ (tlbp)->valid)
+
static void kvm_invalidate_vncr_ipa(struct kvm *kvm, u64 start, u64 end)
{
struct kvm_vcpu *vcpu;
+ struct vncr_tlb *vt;
unsigned long i;
lockdep_assert_held_write(&kvm->mmu_lock);
@@ -914,24 +926,9 @@ static void kvm_invalidate_vncr_ipa(stru
if (!kvm_has_feat(kvm, ID_AA64MMFR4_EL1, NV_frac, NV2_ONLY))
return;
- kvm_for_each_vcpu(i, vcpu, kvm) {
- struct vncr_tlb *vt = vcpu->arch.vncr_tlb;
+ kvm_for_each_vncr_tlb(i, vcpu, vt, kvm) {
u64 ipa_start, ipa_end, ipa_size;
- /*
- * Careful here: We end-up here from an MMU notifier,
- * and this can race against a vcpu not being onlined
- * yet, without the pseudo-TLB being allocated.
- *
- * Skip those, as they obviously don't participate in
- * the invalidation at this stage.
- */
- if (!vt)
- continue;
-
- if (!vt->valid)
- continue;
-
ipa_size = ttl_to_size(pgshift_level_to_ttl(vt->wi.pgshift,
vt->wr.level));
ipa_start = vt->wr.pa & ~(ipa_size - 1);
@@ -961,17 +958,14 @@ static void invalidate_vncr_va(struct kv
struct s1e2_tlbi_scope *scope)
{
struct kvm_vcpu *vcpu;
+ struct vncr_tlb *vt;
unsigned long i;
lockdep_assert_held_write(&kvm->mmu_lock);
- kvm_for_each_vcpu(i, vcpu, kvm) {
- struct vncr_tlb *vt = vcpu->arch.vncr_tlb;
+ kvm_for_each_vncr_tlb(i, vcpu, vt, kvm) {
u64 va_start, va_end, va_size;
- if (!vt->valid)
- continue;
-
va_size = ttl_to_size(pgshift_level_to_ttl(vt->wi.pgshift,
vt->wr.level));
va_start = vt->gva & ~(va_size - 1);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 451/518] LoongArch: KVM: Add missing slots_lock for device register/unregister
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 450/518] KVM: arm64: nv: Avoid dereferencing NULL VNCR pseudo-TLB Greg Kroah-Hartman
@ 2026-07-16 13:31 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 452/518] KVM: arm64: Bound used_lrs when flushing the pKVM hyp vCPU Greg Kroah-Hartman
` (70 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Zeng Chi, Huacai Chen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zeng Chi <zengchi@kylinos.cn>
commit aeded601d6aceb57cdda4b2701d2ee00c43a8b69 upstream.
kvm_io_bus_register_dev() and kvm_io_bus_unregister_dev() should be
called under kvm->slots_lock. The unregister calls in ipi.c, eiointc.c
and pch_pic.c were also missing this protection. Add it to match the
register side.
Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Zeng Chi <zengchi@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/intc/eiointc.c | 6 ++++++
arch/loongarch/kvm/intc/ipi.c | 2 ++
arch/loongarch/kvm/intc/pch_pic.c | 2 ++
3 files changed, 10 insertions(+)
--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -645,10 +645,14 @@ static int kvm_eiointc_create(struct kvm
device = &s->device_vext;
kvm_iodevice_init(device, &kvm_eiointc_virt_ops);
+ mutex_lock(&kvm->slots_lock);
ret = kvm_io_bus_register_dev(kvm, KVM_IOCSR_BUS,
EIOINTC_VIRT_BASE, EIOINTC_VIRT_SIZE, device);
+ mutex_unlock(&kvm->slots_lock);
if (ret < 0) {
+ mutex_lock(&kvm->slots_lock);
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &s->device);
+ mutex_unlock(&kvm->slots_lock);
kfree(s);
return ret;
}
@@ -667,8 +671,10 @@ static void kvm_eiointc_destroy(struct k
kvm = dev->kvm;
eiointc = kvm->arch.eiointc;
+ mutex_lock(&kvm->slots_lock);
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &eiointc->device);
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &eiointc->device_vext);
+ mutex_unlock(&kvm->slots_lock);
kfree(eiointc);
kfree(dev);
}
--- a/arch/loongarch/kvm/intc/ipi.c
+++ b/arch/loongarch/kvm/intc/ipi.c
@@ -447,7 +447,9 @@ static void kvm_ipi_destroy(struct kvm_d
kvm = dev->kvm;
ipi = kvm->arch.ipi;
+ mutex_lock(&kvm->slots_lock);
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &ipi->device);
+ mutex_unlock(&kvm->slots_lock);
kfree(ipi);
kfree(dev);
}
--- a/arch/loongarch/kvm/intc/pch_pic.c
+++ b/arch/loongarch/kvm/intc/pch_pic.c
@@ -481,7 +481,9 @@ static void kvm_pch_pic_destroy(struct k
kvm = dev->kvm;
s = kvm->arch.pch_pic;
/* unregister pch pic device and free it's memory */
+ mutex_lock(&kvm->slots_lock);
kvm_io_bus_unregister_dev(kvm, KVM_MMIO_BUS, &s->device);
+ mutex_unlock(&kvm->slots_lock);
kfree(s);
kfree(dev);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 452/518] KVM: arm64: Bound used_lrs when flushing the pKVM hyp vCPU
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2026-07-16 13:31 ` [PATCH 7.1 451/518] LoongArch: KVM: Add missing slots_lock for device register/unregister Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 453/518] KVM: arm64: Clear __hyp_running_vcpu " Greg Kroah-Hartman
` (69 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Fuad Tabba,
Marc Zyngier
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
commit 8cc8bbbfab14c22c5551d0dd19b208a44b141c76 upstream.
flush_hyp_vcpu() copies the host vGIC state into the hyp's private vCPU
on every run. The vGIC list register save and restore use used_lrs as
their loop bound and expect it to stay within the number of implemented
list registers. While this is generally the case, flush_hyp_vcpu()
copies vgic_v3 verbatim and does not enforce this, so a value provided
by the host is used at EL2 to index vgic_lr[] and access ICH_LR<n>_EL2
(host -> EL2).
Fix by clamping used_lrs to the number of implemented list registers
after the copy, as the trusted path already does in
vgic_flush_lr_state(). The number of implemented list registers is
constant after init, so it is replicated once from
kvm_vgic_global_state.nr_lr into hyp_gicv3_nr_lr rather than read on
every entry.
Cc: stable@vger.kernel.org
Fixes: be66e67f1750 ("KVM: arm64: Use the pKVM hyp vCPU structure in handle___kvm_vcpu_run()")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260606175614.83273-3-imv4bel@gmail.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_hyp.h | 1 +
arch/arm64/kvm/arm.c | 2 ++
arch/arm64/kvm/hyp/nvhe/hyp-main.c | 9 +++++++++
3 files changed, 12 insertions(+)
--- a/arch/arm64/include/asm/kvm_hyp.h
+++ b/arch/arm64/include/asm/kvm_hyp.h
@@ -157,5 +157,6 @@ extern unsigned long kvm_nvhe_sym(__icac
extern unsigned int kvm_nvhe_sym(kvm_arm_vmid_bits);
extern unsigned int kvm_nvhe_sym(kvm_host_sve_max_vl);
extern unsigned long kvm_nvhe_sym(hyp_nr_cpus);
+extern unsigned int kvm_nvhe_sym(hyp_gicv3_nr_lr);
#endif /* __ARM64_KVM_HYP_H__ */
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -2426,6 +2426,8 @@ static int __init init_subsystems(void)
switch (err) {
case 0:
vgic_present = true;
+ if (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif))
+ kvm_nvhe_sym(hyp_gicv3_nr_lr) = kvm_vgic_global_state.nr_lr;
break;
case -ENODEV:
case -ENXIO:
--- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -24,6 +24,9 @@
DEFINE_PER_CPU(struct kvm_nvhe_init_params, kvm_init_params);
+/* Number of implemented GICv3 LRs. Used by flush_hyp_vcpu(). */
+unsigned int hyp_gicv3_nr_lr;
+
void __kvm_hyp_host_forward_smc(struct kvm_cpu_context *host_ctxt);
static void __hyp_sve_save_guest(struct kvm_vcpu *vcpu)
@@ -139,6 +142,12 @@ static void flush_hyp_vcpu(struct pkvm_h
hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3 = host_vcpu->arch.vgic_cpu.vgic_v3;
+ /* Bound used_lrs by the number of implemented list registers. */
+ hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3.used_lrs =
+ min_t(unsigned int,
+ hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3.used_lrs,
+ hyp_gicv3_nr_lr);
+
hyp_vcpu->vcpu.arch.pid = host_vcpu->arch.pid;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 453/518] KVM: arm64: Clear __hyp_running_vcpu when flushing the pKVM hyp vCPU
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 452/518] KVM: arm64: Bound used_lrs when flushing the pKVM hyp vCPU Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 454/518] KVM: SEV: Pin source page for write when adding CPUID data for SNP guest Greg Kroah-Hartman
` (68 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Fuad Tabba,
Marc Zyngier
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
commit e8042f6e1d7befb2fb6b10a75918642bcd0acf9a upstream.
flush_hyp_vcpu() copies the host vCPU context into the hyp's private
vCPU on every run. ctxt_to_vcpu() expects a guest context to have a
NULL __hyp_running_vcpu, which is only ever set on the host context, so
that it resolves the vCPU via container_of(). While this is generally
the case, flush_hyp_vcpu() copies the context verbatim and does not
enforce this, so a value provided by the host is dereferenced at EL2
(host -> EL2).
Fix by clearing __hyp_running_vcpu after the copy.
Cc: stable@vger.kernel.org
Fixes: be66e67f1750 ("KVM: arm64: Use the pKVM hyp vCPU structure in handle___kvm_vcpu_run()")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260606175614.83273-2-imv4bel@gmail.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/hyp/nvhe/hyp-main.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -131,6 +131,9 @@ static void flush_hyp_vcpu(struct pkvm_h
hyp_vcpu->vcpu.arch.ctxt = host_vcpu->arch.ctxt;
+ /* __hyp_running_vcpu must be NULL in a guest context. */
+ hyp_vcpu->vcpu.arch.ctxt.__hyp_running_vcpu = NULL;
+
hyp_vcpu->vcpu.arch.mdcr_el2 = host_vcpu->arch.mdcr_el2;
hyp_vcpu->vcpu.arch.hcr_el2 &= ~(HCR_TWI | HCR_TWE);
hyp_vcpu->vcpu.arch.hcr_el2 |= READ_ONCE(host_vcpu->arch.hcr_el2) &
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 454/518] KVM: SEV: Pin source page for write when adding CPUID data for SNP guest
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 453/518] KVM: arm64: Clear __hyp_running_vcpu " Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 455/518] KVM: SVM: Disable x2AVIC RDMSR interception for MSRs KVM actually supports Greg Kroah-Hartman
` (67 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ackerley Tng, Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f13e900599089b10113ceb36013423f0837c6792 upstream.
When populating a guest_memfd instance with the initial CPUID data for an
SNP guest, acquire a writable pin on the source page as KVM will write back
the "correct" CPUID information if the userspace provided data is rejected
by trusted firmware. Because KVM writes to the source page using a kernel
mapping, pinning for read could result in KVM clobbering read-only memory.
Note, well-behaved VMMs are unlikely to be affected, as CPUID information
is almost always dynamically generated by userspace, i.e. it's unlikely for
the CPUID information to be backed by a read-only mapping.
Fixes: 2a62345b30529 ("KVM: guest_memfd: GUP source pages prior to populating guest memory")
Cc: stable@vger.kernel.org
Signed-off-by: Ackerley Tng <ackerleytng@google.com>
Link: https://patch.msgid.link/20260522-fix-sev-gmem-post-populate-v2-1-3f196bfad5a1@google.com
[sean: rewrite shortlog and changelog, tag for stable@]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/sev.c | 1 +
arch/x86/kvm/vmx/tdx.c | 2 +-
include/linux/kvm_host.h | 3 ++-
virt/kvm/guest_memfd.c | 6 ++++--
4 files changed, 8 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2470,6 +2470,7 @@ static int snp_launch_update(struct kvm
sev_populate_args.type = params.type;
count = kvm_gmem_populate(kvm, params.gfn_start, src, npages,
+ params.type == KVM_SEV_SNP_PAGE_TYPE_CPUID,
sev_gmem_post_populate, &sev_populate_args);
if (count < 0) {
argp->error = sev_populate_args.fw_error;
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -3185,7 +3185,7 @@ static int tdx_vcpu_init_mem_region(stru
};
gmem_ret = kvm_gmem_populate(kvm, gpa_to_gfn(region.gpa),
u64_to_user_ptr(region.source_addr),
- 1, tdx_gmem_post_populate, &arg);
+ 1, false, tdx_gmem_post_populate, &arg);
if (gmem_ret < 0) {
ret = gmem_ret;
break;
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -2601,7 +2601,8 @@ int kvm_arch_gmem_prepare(struct kvm *kv
typedef int (*kvm_gmem_populate_cb)(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
struct page *page, void *opaque);
-long kvm_gmem_populate(struct kvm *kvm, gfn_t gfn, void __user *src, long npages,
+long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src,
+ long npages, bool may_writeback_src,
kvm_gmem_populate_cb post_populate, void *opaque);
#endif
--- a/virt/kvm/guest_memfd.c
+++ b/virt/kvm/guest_memfd.c
@@ -858,7 +858,8 @@ out_unlock:
return ret;
}
-long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, long npages,
+long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src,
+ long npages, bool may_writeback_src,
kvm_gmem_populate_cb post_populate, void *opaque)
{
struct kvm_memory_slot *slot;
@@ -892,8 +893,9 @@ long kvm_gmem_populate(struct kvm *kvm,
if (src) {
unsigned long uaddr = (unsigned long)src + i * PAGE_SIZE;
+ unsigned int flags = may_writeback_src ? FOLL_WRITE : 0;
- ret = get_user_pages_fast(uaddr, 1, 0, &src_page);
+ ret = get_user_pages_fast(uaddr, 1, flags, &src_page);
if (ret < 0)
break;
if (ret != 1) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 455/518] KVM: SVM: Disable x2AVIC RDMSR interception for MSRs KVM actually supports
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 454/518] KVM: SEV: Pin source page for write when adding CPUID data for SNP guest Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 456/518] KVM: SVM: Only disable x2AVIC WRMSR interception for MSRs that are accelerated Greg Kroah-Hartman
` (66 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD),
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 7f4b7092d9a173a4271e28c0ed1fc235994e309b upstream.
When toggling x2AVIC on/off, use KVM's curated mask of x2APIC MSRs that
can/should be passed through to the guest (or not) when 2AVIC is enabled.
Using the effective list provided by the local APIC emulation fixes
multiple (classes of) bugs, as the existing hand-coded list of MSRs is
wrong on multiple fronts:
- ARBPRI isn't supported by KVM, isn't accelerated by AVIC (for read or
write), and its #VMEXIT is fault-like, i.e. requires decoding the
instruction. Disabling interception is nonsensical and suboptimal.
- DFR and ICR2 aren't supported by x2APIC and so don't need their
intercepts disabled for performance reasons. While the #GP due to
x2APIC being abled has higher priority than the trap-like #VMEXIT,
disabling interception of unsupported MSRs is confusing and unnecessary.
- RRR is completely unsupported.
- AVIC currently fails to pass through the "range of vectors" registers,
IRR, ISR, and TMR, as e.g. X2APIC_MSR(APIC_IRR) only affects IRR0, and
thus only disables intercept for vectors 31:0 (which are the *least*
interesting registers).
- TMCCT (the current APIC timer count) isn't accelerated by hardware, and
generates a fault-like AVIC_UNACCELERATED_ACCESS #VMEXIT, i.e. requires
KVM to decode the instruction to figure out what the guest was trying to
access. Note, the only reason this isn't a fatal bug is that the AVIC
architecture had the foresight to guard against buggy hypervisors. E.g.
if hardware simply read from the virtual APIC page, the guest would get
garbage (because the timer is emulated in software).
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://patch.msgid.link/20260514213115.1637082-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -122,6 +122,9 @@ static u32 x2avic_max_physical_id;
static void avic_set_x2apic_msr_interception(struct vcpu_svm *svm,
bool intercept)
{
+ struct kvm_vcpu *vcpu = &svm->vcpu;
+ u64 rd_regs;
+
static const u32 x2avic_passthrough_msrs[] = {
X2APIC_MSR(APIC_ID),
X2APIC_MSR(APIC_LVR),
@@ -162,9 +165,15 @@ static void avic_set_x2apic_msr_intercep
if (!x2avic_enabled)
return;
+ rd_regs = kvm_x2apic_disable_read_intercept_reg_mask(vcpu);
+
+ for_each_set_bit(i, (unsigned long *)&rd_regs, BITS_PER_TYPE(rd_regs))
+ svm_set_intercept_for_msr(vcpu, APIC_BASE_MSR + i,
+ MSR_TYPE_R, intercept);
+
for (i = 0; i < ARRAY_SIZE(x2avic_passthrough_msrs); i++)
- svm_set_intercept_for_msr(&svm->vcpu, x2avic_passthrough_msrs[i],
- MSR_TYPE_RW, intercept);
+ svm_set_intercept_for_msr(vcpu, x2avic_passthrough_msrs[i],
+ MSR_TYPE_W, intercept);
svm->x2avic_msrs_intercepted = intercept;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 456/518] KVM: SVM: Only disable x2AVIC WRMSR interception for MSRs that are accelerated
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 455/518] KVM: SVM: Disable x2AVIC RDMSR interception for MSRs KVM actually supports Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 457/518] KVM: VMX: Refresh GUEST_PENDING_DBG_EXCEPTIONS.BS on all injected #DBs Greg Kroah-Hartman
` (65 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD),
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 8c63179d975f2029c948ecce622f72af616dbff7 upstream.
When x2AVIC is enabled, disable WRMSR interception only for MSRs that are
actually accelerated by hardware. Disabling interception for MSRs that
aren't accelerated is functionally "fine", and in some cases a weird "win"
for performance, but only for cases that should never be triggered by a
well-behaved VM (writes to read-only registers; the #GP will typically
occur in the guest without taking a #VMEXIT, even for fault-like exits).
But overall, disabling interception for MSRs that aren't accelerated is at
best confusing and unintuitive, and at worst introduces avoidable risk, as
the APM's documentation is imperfect and contradictory. The table in
"15.29.3.1 Virtual APIC Register Accesses" of simply states that such
writes generate exits, where as "Section 15.29.10 x2AVIC" says:
x2APIC MSR intercept checks and access checks have higher priority than
AVIC access permission checks.
CPU behavior follows the latter (which makes perfect sense), but all in
all there's simply no reason to disable interception just to make a #GP
faster.
Note, the set of MSRs that are passed through for write is identical to
VMX's set when IPI virtualization is enabled. This is not a coincidence,
and is another motiviating factor for cleaning up the intercepts, as x2AVIC
is functionally equivalent to APICv+IPIv.
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://patch.msgid.link/20260514213115.1637082-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 40 ++++------------------------------------
1 file changed, 4 insertions(+), 36 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -124,39 +124,6 @@ static void avic_set_x2apic_msr_intercep
{
struct kvm_vcpu *vcpu = &svm->vcpu;
u64 rd_regs;
-
- static const u32 x2avic_passthrough_msrs[] = {
- X2APIC_MSR(APIC_ID),
- X2APIC_MSR(APIC_LVR),
- X2APIC_MSR(APIC_TASKPRI),
- X2APIC_MSR(APIC_ARBPRI),
- X2APIC_MSR(APIC_PROCPRI),
- X2APIC_MSR(APIC_EOI),
- X2APIC_MSR(APIC_RRR),
- X2APIC_MSR(APIC_LDR),
- X2APIC_MSR(APIC_DFR),
- X2APIC_MSR(APIC_SPIV),
- X2APIC_MSR(APIC_ISR),
- X2APIC_MSR(APIC_TMR),
- X2APIC_MSR(APIC_IRR),
- X2APIC_MSR(APIC_ESR),
- X2APIC_MSR(APIC_ICR),
- X2APIC_MSR(APIC_ICR2),
-
- /*
- * Note! Always intercept LVTT, as TSC-deadline timer mode
- * isn't virtualized by hardware, and the CPU will generate a
- * #GP instead of a #VMEXIT.
- */
- X2APIC_MSR(APIC_LVTTHMR),
- X2APIC_MSR(APIC_LVTPC),
- X2APIC_MSR(APIC_LVT0),
- X2APIC_MSR(APIC_LVT1),
- X2APIC_MSR(APIC_LVTERR),
- X2APIC_MSR(APIC_TMICT),
- X2APIC_MSR(APIC_TMCCT),
- X2APIC_MSR(APIC_TDCR),
- };
int i;
if (intercept == svm->x2avic_msrs_intercepted)
@@ -171,9 +138,10 @@ static void avic_set_x2apic_msr_intercep
svm_set_intercept_for_msr(vcpu, APIC_BASE_MSR + i,
MSR_TYPE_R, intercept);
- for (i = 0; i < ARRAY_SIZE(x2avic_passthrough_msrs); i++)
- svm_set_intercept_for_msr(vcpu, x2avic_passthrough_msrs[i],
- MSR_TYPE_W, intercept);
+ svm_set_intercept_for_msr(vcpu, X2APIC_MSR(APIC_TASKPRI), MSR_TYPE_W, intercept);
+ svm_set_intercept_for_msr(vcpu, X2APIC_MSR(APIC_EOI), MSR_TYPE_W, intercept);
+ svm_set_intercept_for_msr(vcpu, X2APIC_MSR(APIC_SELF_IPI), MSR_TYPE_W, intercept);
+ svm_set_intercept_for_msr(vcpu, X2APIC_MSR(APIC_ICR), MSR_TYPE_W, intercept);
svm->x2avic_msrs_intercepted = intercept;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 457/518] KVM: VMX: Refresh GUEST_PENDING_DBG_EXCEPTIONS.BS on all injected #DBs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 456/518] KVM: SVM: Only disable x2AVIC WRMSR interception for MSRs that are accelerated Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 458/518] KVM: SEV: Dont terminate SNP VMs on #VMGEXIT without a registered GHCB Greg Kroah-Hartman
` (64 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hou Wenlong, Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit c5bad4fa2d5dfd8c25140051a9807eba387a19b8 upstream.
Move KVM's stuffing of GUEST_PENDING_DBG_EXCEPTIONS.BS when RFLAGS.TF=1 and
MOV/POP SS or STI blocking is active into the exception injection code so
that KVM fixes up the VMCS for all injected #DBs, not only those that are
reflected back into the guest after #DB interception. E.g. if KVM queues
a #DB in the emulator, or more importantly if userspace does save/restore
exactly on the #DB+shadow boundary, then KVM needs to massage the VMCS to
avoid the VM-Entry consistency check.
Opportunistically update the wording of the comment to describe the
behavior as a workaround of flawed CPU behavior/architecture, to make it
clear that the *only* thing KVM is doing is fudging around a consistency
check. Per the SDM:
There are no pending debug exceptions after VM entry if any of the
following are true:
* The VM entry is vectoring with one of the following interruption
types: external interrupt, non-maskable interrupt (NMI), hardware
exception, or privileged software exception.
I.e. forcing GUEST_PENDING_DBG_EXCEPTIONS.BS does *not* impact guest-
visible behavior.
Fixes: b9bed78e2fa9 ("KVM: VMX: Set vmcs.PENDING_DBG.BS on #DB in STI/MOVSS blocking shadow")
Cc: stable@vger.kernel.org
Reported-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
Closes: https://lore.kernel.org/all/b1a294bc9ed4dae532474a5dc6c8cb6e5962de7c.1757416809.git.houwenlong.hwl@antgroup.com
Reviewed-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
Link: https://patch.msgid.link/20260515222638.1949982-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/vmx.c | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1908,6 +1908,24 @@ void vmx_inject_exception(struct kvm_vcp
u32 intr_info = ex->vector | INTR_INFO_VALID_MASK;
struct vcpu_vmx *vmx = to_vmx(vcpu);
+ /*
+ * When injecting a #DB, single-stepping is enabled in RFLAGS, and STI
+ * or MOV-SS blocking is active, set vmcs.PENDING_DBG_EXCEPTIONS.BS to
+ * prevent a false positive from VM-Entry consistency check. VM-Entry
+ * asserts that a single-step #DB _must_ be pending in this scenario,
+ * as the previous instruction cannot have toggled RFLAGS.TF 0=>1
+ * (because STI and POP/MOV don't modify RFLAGS), therefore the one
+ * instruction delay when activating single-step breakpoints must have
+ * already expired. However, the CPU isn't smart enough to peek at
+ * vmcs.VM_ENTRY_INTR_INFO_FIELD and so doesn't realize that yes, there
+ * is indeed a #DB pending/imminent.
+ */
+ if (ex->vector == DB_VECTOR &&
+ (vmx_get_rflags(vcpu) & X86_EFLAGS_TF) &&
+ vmx_get_interrupt_shadow(vcpu))
+ vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS,
+ vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS) | DR6_BS);
+
kvm_deliver_exception_payload(vcpu, ex);
if (ex->has_error_code) {
@@ -5477,26 +5495,9 @@ static int handle_exception_nmi(struct k
* avoid single-step #DB and MTF updates, as ICEBP is
* higher priority. Note, skipping ICEBP still clears
* STI and MOVSS blocking.
- *
- * For all other #DBs, set vmcs.PENDING_DBG_EXCEPTIONS.BS
- * if single-step is enabled in RFLAGS and STI or MOVSS
- * blocking is active, as the CPU doesn't set the bit
- * on VM-Exit due to #DB interception. VM-Entry has a
- * consistency check that a single-step #DB is pending
- * in this scenario as the previous instruction cannot
- * have toggled RFLAGS.TF 0=>1 (because STI and POP/MOV
- * don't modify RFLAGS), therefore the one instruction
- * delay when activating single-step breakpoints must
- * have already expired. Note, the CPU sets/clears BS
- * as appropriate for all other VM-Exits types.
*/
if (is_icebp(intr_info))
WARN_ON(!skip_emulated_instruction(vcpu));
- else if ((vmx_get_rflags(vcpu) & X86_EFLAGS_TF) &&
- (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
- (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS)))
- vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS,
- vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS) | DR6_BS);
kvm_queue_exception_p(vcpu, DB_VECTOR, dr6);
return 1;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 458/518] KVM: SEV: Dont terminate SNP VMs on #VMGEXIT without a registered GHCB
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 457/518] KVM: VMX: Refresh GUEST_PENDING_DBG_EXCEPTIONS.BS on all injected #DBs Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 459/518] KVM: VMX: Handle bad values on proxied writes to LBR MSRs Greg Kroah-Hartman
` (63 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
Sean Christopherson, Paolo Bonzini
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 1797e00bf802d64b859ea18505087daad92019c8 upstream.
If the guest attempts a non-MSR #VMGEXIT without the registered GHCB,
return a GHCB_HV_RESP_MALFORMED_INPUT+GHCB_ERR_NOT_REGISTERED error to the
guest instead of exiting KVM_RUN with -EINVAL (and in likelihood killing
the VM). KVM has already mapped the requested GHCB, i.e. can cleanly
report an error, and so exiting with -EINVAL is completely unjustified.
Fixes: 0c76b1d08280 ("KVM: SEV: Add support to handle GHCB GPA register VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-19-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20260529183549.1104619-19-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/sev.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4522,9 +4522,12 @@ int sev_handle_vmgexit(struct kvm_vcpu *
sev_es_sync_from_ghcb(svm);
/* SEV-SNP guest requires that the GHCB GPA must be registered */
- if (is_sev_snp_guest(vcpu) && !ghcb_gpa_is_registered(svm, ghcb_gpa)) {
- vcpu_unimpl(&svm->vcpu, "vmgexit: GHCB GPA [%#llx] is not registered.\n", ghcb_gpa);
- return -EINVAL;
+ if (is_sev_snp_guest(vcpu) &&
+ !ghcb_gpa_is_registered(svm, control->ghcb_gpa)) {
+ vcpu_unimpl(vcpu, "vmgexit: GHCB GPA [%#llx] is not registered.\n",
+ control->ghcb_gpa);
+ svm_vmgexit_bad_input(svm, GHCB_ERR_NOT_REGISTERED);
+ return 1;
}
ret = sev_es_validate_vmgexit(svm);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 459/518] KVM: VMX: Handle bad values on proxied writes to LBR MSRs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 458/518] KVM: SEV: Dont terminate SNP VMs on #VMGEXIT without a registered GHCB Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 460/518] KVM: TDX: Account all non-transient page allocations for per-TD structures Greg Kroah-Hartman
` (62 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xuanqing Shi, Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuanqing Shi <1356292400@qq.com>
commit ca674df13b195eb6d124ab059799d4e03fa40624 upstream.
Use the "safe" WRMSR API when writing LBRs on behalf of the guest (or host
userspace), and propagate any errors back to the instigator, as the value
being written is untrusted. E.g. if the guest (or host userspace) attempts
to set reserved bits in LBR_SELECT, then KVM needs to return an error, and
not WARN on the bad value.
Continue using the "unsafe" version of RDMSR, as it should be impossible to
reach the helper with a completely bogus MSR, i.e. WARNing on RDMSR failure
is very desirable, e.g. to make KVM bugs more visible.
unchecked MSR access error: WRMSR to 0x1c8 (tried to write 0x0000000000004000)
Call Trace:
intel_pmu_set_msr+0x4e0/0x7f0 [kvm_intel]
kvm_pmu_set_msr+0x17e/0x1c0 [kvm]
kvm_set_msr_common+0xc76/0x1440 [kvm]
vmx_set_msr+0x5e6/0x1570 [kvm_intel]
kvm_emulate_wrmsr+0x54/0x1d0 [kvm]
vmx_handle_exit+0x7fc/0x970 [kvm_intel]
Fixes: 1b5ac3226a1a ("KVM: vmx/pmu: Pass-through LBR msrs when the guest LBR event is ACTIVE")
Cc: stable@vger.kernel.org
Signed-off-by: Xuanqing Shi <1356292400@qq.com>
[sean: rework changelog, only modify WRMSR path, tag for stable@]
Link: https://patch.msgid.link/20260527022617.3973884-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/pmu_intel.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -308,13 +308,15 @@ static bool intel_pmu_handle_lbr_msrs_ac
*/
local_irq_disable();
if (lbr_desc->event->state == PERF_EVENT_STATE_ACTIVE) {
+ int err = 0;
+
if (read)
rdmsrq(index, msr_info->data);
else
- wrmsrq(index, msr_info->data);
+ err = wrmsrq_safe(index, msr_info->data);
__set_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use);
local_irq_enable();
- return true;
+ return !err;
}
clear_bit(INTEL_PMC_IDX_FIXED_VLBR, vcpu_to_pmu(vcpu)->pmc_in_use);
local_irq_enable();
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 460/518] KVM: TDX: Account all non-transient page allocations for per-TD structures
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 459/518] KVM: VMX: Handle bad values on proxied writes to LBR MSRs Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 461/518] KVM: x86: Ensure vendors exit handler runs before fastpath userspace exits Greg Kroah-Hartman
` (61 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai Huang, Rick Edgecombe,
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit a8b2924676ec42d76597f849baba31acc3ba1bfc upstream.
Account all non-transient allocations associated with a single TD (or its
vCPUs), as KVM's ABI is that allocations that are active for the lifetime
of a VM are accounted. Leave temporary allocations, i.e. allocations that
are freed within a single function/ioctl, unaccounted, to again align with
KVM's existing behavior, e.g. see commit dd103407ca31 ("KVM: X86: Remove
unnecessary GFP_KERNEL_ACCOUNT for temporary variables").
Fixes: 8d032b683c29 ("KVM: TDX: create/destroy VM structure")
Fixes: a50f673f25e0 ("KVM: TDX: Do TDX specific vcpu initialization")
Cc: stable@vger.kernel.org
Reviewed-by: Kai Huang <kai.huang@intel.com>
Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Link: https://patch.msgid.link/20260129011517.3545883-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/tdx.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -2387,20 +2387,20 @@ static int __tdx_td_init(struct kvm *kvm
ret = -ENOMEM;
- tdr_page = alloc_page(GFP_KERNEL);
+ tdr_page = alloc_page(GFP_KERNEL_ACCOUNT);
if (!tdr_page)
goto free_hkid;
kvm_tdx->td.tdcs_nr_pages = tdx_sysinfo->td_ctrl.tdcs_base_size / PAGE_SIZE;
/* TDVPS = TDVPR(4K page) + TDCX(multiple 4K pages), -1 for TDVPR. */
kvm_tdx->td.tdcx_nr_pages = tdx_sysinfo->td_ctrl.tdvps_base_size / PAGE_SIZE - 1;
- tdcs_pages = kzalloc_objs(*kvm_tdx->td.tdcs_pages,
- kvm_tdx->td.tdcs_nr_pages);
+ tdcs_pages = kzalloc_objs(*kvm_tdx->td.tdcs_pages, kvm_tdx->td.tdcs_nr_pages,
+ GFP_KERNEL_ACCOUNT);
if (!tdcs_pages)
goto free_tdr;
for (i = 0; i < kvm_tdx->td.tdcs_nr_pages; i++) {
- tdcs_pages[i] = alloc_page(GFP_KERNEL);
+ tdcs_pages[i] = alloc_page(GFP_KERNEL_ACCOUNT);
if (!tdcs_pages[i])
goto free_tdcs;
}
@@ -2875,7 +2875,7 @@ static int tdx_td_vcpu_init(struct kvm_v
int ret, i;
u64 err;
- page = alloc_page(GFP_KERNEL);
+ page = alloc_page(GFP_KERNEL_ACCOUNT);
if (!page)
return -ENOMEM;
tdx->vp.tdvpr_page = page;
@@ -2888,14 +2888,14 @@ static int tdx_td_vcpu_init(struct kvm_v
tdx->vp.tdvpr_pa = page_to_phys(tdx->vp.tdvpr_page);
tdx->vp.tdcx_pages = kcalloc(kvm_tdx->td.tdcx_nr_pages, sizeof(*tdx->vp.tdcx_pages),
- GFP_KERNEL);
+ GFP_KERNEL_ACCOUNT);
if (!tdx->vp.tdcx_pages) {
ret = -ENOMEM;
goto free_tdvpr;
}
for (i = 0; i < kvm_tdx->td.tdcx_nr_pages; i++) {
- page = alloc_page(GFP_KERNEL);
+ page = alloc_page(GFP_KERNEL_ACCOUNT);
if (!page) {
ret = -ENOMEM;
goto free_tdcx;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 461/518] KVM: x86: Ensure vendors exit handler runs before fastpath userspace exits
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 460/518] KVM: TDX: Account all non-transient page allocations for per-TD structures Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 462/518] KVM: guest_memfd: Treat memslot binding offset+size as unsigned values Greg Kroah-Hartman
` (60 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikunj A. Dadhania, Kai Huang,
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0ffedf43910e44b76c2c1db4e9fbf12b268190c1 upstream.
Move the handling of fastpath userspace exits into vendor code to ensure
KVM runs vendor specific operations that need to run before userspace gains
control of the vCPU. E.g. for VMX (and soon to be for SVM as well), KVM
needs to flush the PML buffer prior to exiting to userspace, otherwise any
memory written by the final KVM_RUN might never be flagged as dirty.
Note, waiting to snapshot CR0 and CR3 until svm_handle_exit() is flawed in
general, as that risks consuming stale state in a fastpath handler. That
will be addressed in a future change.
Fixes: f7f39c50edb9 ("KVM: x86: Exit to userspace if fastpath triggers one on instruction skip")
Cc: stable@vger.kernel.org
Cc: Nikunj A. Dadhania <nikunj@amd.com>
Reviewed-by: Nikunj A. Dadhania <nikunj@amd.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Link: https://patch.msgid.link/20260423162628.490962-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 3 +++
arch/x86/kvm/vmx/vmx.c | 3 +++
arch/x86/kvm/x86.c | 3 ---
3 files changed, 6 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -3663,6 +3663,9 @@ static int svm_handle_exit(struct kvm_vc
vcpu->arch.cr3 = svm->vmcb->save.cr3;
}
+ if (unlikely(exit_fastpath == EXIT_FASTPATH_EXIT_USERSPACE))
+ return 0;
+
if (is_guest_mode(vcpu)) {
int vmexit;
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6698,6 +6698,9 @@ static int __vmx_handle_exit(struct kvm_
if (enable_pml && !is_guest_mode(vcpu))
vmx_flush_pml_buffer(vcpu);
+ if (unlikely(exit_fastpath == EXIT_FASTPATH_EXIT_USERSPACE))
+ return 0;
+
/*
* KVM should never reach this point with a pending nested VM-Enter.
* More specifically, short-circuiting VM-Entry to emulate L2 due to
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11578,9 +11578,6 @@ static int vcpu_enter_guest(struct kvm_v
if (vcpu->arch.apic_attention)
kvm_lapic_sync_from_vapic(vcpu);
- if (unlikely(exit_fastpath == EXIT_FASTPATH_EXIT_USERSPACE))
- return 0;
-
r = kvm_x86_call(handle_exit)(vcpu, exit_fastpath);
return r;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 462/518] KVM: guest_memfd: Treat memslot binding offset+size as unsigned values
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 461/518] KVM: x86: Ensure vendors exit handler runs before fastpath userspace exits Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 463/518] KVM: x86: Add dedicated API for getting mask of accelerated x2APIC MSRs Greg Kroah-Hartman
` (59 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ackerley Tng, Michael Roth,
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit eba85fee7fc6cf28fec38a5bf3c378bef9a79ca6 upstream.
When binding a memslot to a guest_memfd file, treat the offset and size as
unsigned values to fix a bug where the sum of the two can result in a false
negative when checking for overflow against the size of the file. Passing
unsigned values also avoids relying on somewhat obscure checks in other
flows for safety, and tracks the offset and size as they are intended to be
tracked, as unsigned values.
On 64-bit kernels, the number of pages a memslot contains and thus the size
(and offset) of its guest_memfd binding are unsigned 64-bit values. Taking
the offset+size as an loff_t instead of a uoff_t inadvertently converts
the unsigned value to a signed value if the offset and/or size is massive.
Locally storing the offset and size as signed values is benign in and of
itself (though even that is *extremely* difficult to discern), but
operating on their sum is not.
For the offset, KVM explicitly checks against a negative value, which might
seem like a bug as KVM could incorrectly reject a legitimate binding, but
that's not actually the case as KVM_CREATE_GUEST_MEMFD takes a signed value
for its size, i.e. a would-be-negative offset is also greater than the
maximum possible size of any guest_memfd file.
Regarding the size, while KVM lacks an explicit check for a negative value,
i.e. seemingly has a flawed overflow check, KVM restricts the number of
pages in a single memslot to the largest positive signed 32-bit value:
if (id < KVM_USER_MEM_SLOTS &&
(mem->memory_size >> PAGE_SHIFT) > KVM_MEM_MAX_NR_PAGES)
return -EINVAL;
and so that maximum "size" will ever be is 0x7fffffff000.
The sum of the two is, however, problematic. While the size is restricted
by KVM's memslot logic, the offset is not, i.e. the offset is completely
unchecked until the "offset + size > i_size_read(inode)" check. If the
offset is the (nearly) largest possible _positive_ value, then adding size
to the offset can result in a signed, negative 64-bit value. When compared
against the size of the file (guaranteed to be positive), the negative sum
is always smaller, and KVM incorrectly allows the absurd offset.
Opportunistically add missing includes in kvm_mm.h (instead of relying on
its parents).
Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Cc: stable@vger.kernel.org
Cc: Ackerley Tng <ackerleytng@google.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Reviewed-by: Ackerley Tng <ackerleytng@google.com>
Link: https://patch.msgid.link/20260602170921.1304394-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/guest_memfd.c | 8 ++++----
virt/kvm/kvm_mm.h | 7 +++++--
2 files changed, 9 insertions(+), 6 deletions(-)
--- a/virt/kvm/guest_memfd.c
+++ b/virt/kvm/guest_memfd.c
@@ -640,15 +640,16 @@ int kvm_gmem_create(struct kvm *kvm, str
}
int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
- unsigned int fd, loff_t offset)
+ unsigned int fd, uoff_t offset)
{
- loff_t size = slot->npages << PAGE_SHIFT;
+ uoff_t size = slot->npages << PAGE_SHIFT;
unsigned long start, end;
struct gmem_file *f;
struct inode *inode;
struct file *file;
int r = -EINVAL;
+ BUILD_BUG_ON(sizeof(gpa_t) != sizeof(offset));
BUILD_BUG_ON(sizeof(gfn_t) != sizeof(slot->gmem.pgoff));
file = fget(fd);
@@ -664,8 +665,7 @@ int kvm_gmem_bind(struct kvm *kvm, struc
inode = file_inode(file);
- if (offset < 0 || !PAGE_ALIGNED(offset) ||
- offset + size > i_size_read(inode))
+ if (!PAGE_ALIGNED(offset) || offset + size > i_size_read(inode))
goto err;
filemap_invalidate_lock(inode->i_mapping);
--- a/virt/kvm/kvm_mm.h
+++ b/virt/kvm/kvm_mm.h
@@ -3,6 +3,9 @@
#ifndef __KVM_MM_H__
#define __KVM_MM_H__ 1
+#include <linux/kvm.h>
+#include <linux/kvm_types.h>
+
/*
* Architectures can choose whether to use an rwlock or spinlock
* for the mmu_lock. These macros, for use in common code
@@ -72,7 +75,7 @@ int kvm_gmem_init(struct module *module)
void kvm_gmem_exit(void);
int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args);
int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
- unsigned int fd, loff_t offset);
+ unsigned int fd, uoff_t offset);
void kvm_gmem_unbind(struct kvm_memory_slot *slot);
#else
static inline int kvm_gmem_init(struct module *module)
@@ -82,7 +85,7 @@ static inline int kvm_gmem_init(struct m
static inline void kvm_gmem_exit(void) {};
static inline int kvm_gmem_bind(struct kvm *kvm,
struct kvm_memory_slot *slot,
- unsigned int fd, loff_t offset)
+ unsigned int fd, uoff_t offset)
{
WARN_ON_ONCE(1);
return -EIO;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 463/518] KVM: x86: Add dedicated API for getting mask of accelerated x2APIC MSRs
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 462/518] KVM: guest_memfd: Treat memslot binding offset+size as unsigned values Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 464/518] KVM: arm64: Dont leak PFN when kvm_translate_vncr() races MMU notifier Greg Kroah-Hartman
` (58 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD),
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 8ba621f335a519b47cb7d3e3f4f15b5101b3a56f upstream.
Add a dedicated local APIC API, kvm_x2apic_disable_intercept_reg_mask(),
to provide the mask of x2APIC registers whose MSRs can and should be passed
through to the guest when x2APIC virtualization is enable, and use it in
lieu of the open-coded equivalent VMX logic. Providing a common helper
will allow sharing the logic with SVM (x2AVIC), and as a bonus eliminates
the somewhat confusing code where KVM enables interception for MSR_TYPE_RW,
even though only the READ case actually needs to be updated.
No functional change intended.
Cc: stable@vger.kernel.org
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://patch.msgid.link/20260514213115.1637082-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 21 +++++++++++++++++++--
arch/x86/kvm/lapic.h | 2 +-
arch/x86/kvm/vmx/vmx.c | 3 +--
3 files changed, 21 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1732,7 +1732,7 @@ static inline struct kvm_lapic *to_lapic
#define APIC_REGS_MASK(first, count) \
(APIC_REG_MASK(first) * ((1ull << (count)) - 1))
-u64 kvm_lapic_readable_reg_mask(struct kvm_lapic *apic)
+static u64 kvm_lapic_readable_reg_mask(struct kvm_lapic *apic)
{
/* Leave bits '0' for reserved and write-only registers. */
u64 valid_reg_mask =
@@ -1768,7 +1768,24 @@ u64 kvm_lapic_readable_reg_mask(struct k
return valid_reg_mask;
}
-EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_lapic_readable_reg_mask);
+
+u64 kvm_x2apic_disable_read_intercept_reg_mask(struct kvm_vcpu *vcpu)
+{
+ if (WARN_ON_ONCE(!lapic_in_kernel(vcpu)))
+ return 0;
+
+ /*
+ * TMMCT, a.k.a. the current APIC timer count, reads aren't accelerated
+ * by hardware (Intel or AMD) as the timer is emulated in software (by
+ * KVM), i.e. reads from the virtual APIC page would return garbage.
+ * Intercept RDMSR, as handling the fault-like APIC-access VM-Exit is
+ * more expensive than handling a RDMSR VM-Exit (the APIC-access exit
+ * requires slow emulation of the code stream).
+ */
+ return kvm_lapic_readable_reg_mask(vcpu->arch.apic) &
+ ~APIC_REG_MASK(APIC_TMCCT);
+}
+EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_x2apic_disable_read_intercept_reg_mask);
static int kvm_lapic_reg_read(struct kvm_lapic *apic, u32 offset, int len,
void *data)
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -157,7 +157,7 @@ int kvm_hv_vapic_msr_read(struct kvm_vcp
int kvm_lapic_set_pv_eoi(struct kvm_vcpu *vcpu, u64 data, unsigned long len);
void kvm_lapic_exit(void);
-u64 kvm_lapic_readable_reg_mask(struct kvm_lapic *apic);
+u64 kvm_x2apic_disable_read_intercept_reg_mask(struct kvm_vcpu *vcpu);
static inline void kvm_lapic_set_irr(int vec, struct kvm_lapic *apic)
{
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4159,7 +4159,7 @@ static void vmx_update_msr_bitmap_x2apic
* mode, only the current timer count needs on-demand emulation by KVM.
*/
if (mode & MSR_BITMAP_MODE_X2APIC_APICV)
- msr_bitmap[read_idx] = ~kvm_lapic_readable_reg_mask(vcpu->arch.apic);
+ msr_bitmap[read_idx] = ~kvm_x2apic_disable_read_intercept_reg_mask(vcpu);
else
msr_bitmap[read_idx] = ~0ull;
msr_bitmap[write_idx] = ~0ull;
@@ -4172,7 +4172,6 @@ static void vmx_update_msr_bitmap_x2apic
!(mode & MSR_BITMAP_MODE_X2APIC));
if (mode & MSR_BITMAP_MODE_X2APIC_APICV) {
- vmx_enable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_TMCCT), MSR_TYPE_RW);
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_EOI), MSR_TYPE_W);
vmx_disable_intercept_for_msr(vcpu, X2APIC_MSR(APIC_SELF_IPI), MSR_TYPE_W);
if (enable_ipiv)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 464/518] KVM: arm64: Dont leak PFN when kvm_translate_vncr() races MMU notifier
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 463/518] KVM: x86: Add dedicated API for getting mask of accelerated x2APIC MSRs Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 465/518] udmabuf: fix DMA direction mismatch in release_udmabuf() Greg Kroah-Hartman
` (57 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Upton, Marc Zyngier
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Upton <oupton@kernel.org>
commit 9f76b039a72d7e06374aa96862f0232ed53f7787 upstream.
In the case that kvm_translate_vncr() races with an MMU notifier the
early return does not release a reference on the faulted in PFN. Add
the necessary call to kvm_release_faultin_page() for the unused PFN.
Cc: stable@vger.kernel.org
Fixes: 069a05e535496 ("KVM: arm64: nv: Handle VNCR_EL2-triggered faults")
Reported-by: Sashiko (local):gemini-3.1-pro
Signed-off-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260602235450.103057-2-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/nested.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -1327,8 +1327,10 @@ static int kvm_translate_vncr(struct kvm
}
scoped_guard(write_lock, &vcpu->kvm->mmu_lock) {
- if (mmu_invalidate_retry(vcpu->kvm, mmu_seq))
+ if (mmu_invalidate_retry(vcpu->kvm, mmu_seq)) {
+ kvm_release_faultin_page(vcpu->kvm, page, true, false);
return -EAGAIN;
+ }
vt->gva = va;
vt->hpa = pfn << PAGE_SHIFT;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 465/518] udmabuf: fix DMA direction mismatch in release_udmabuf()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 464/518] KVM: arm64: Dont leak PFN when kvm_translate_vncr() races MMU notifier Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 466/518] dma-buf/udmabuf: skip redundant cpu sync to fix cacheline EEXIST warning Greg Kroah-Hartman
` (56 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikhail Gavrilov, Vivek Kasireddy
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
commit fb7b1a0ab25a6077d26cb3829e31743972d4f31d upstream.
begin_cpu_udmabuf() maps the sg_table with the caller-provided direction
(e.g., DMA_TO_DEVICE for a write-only sync), and caches it in ubuf->sg
for reuse. However, release_udmabuf() always unmaps this sg_table with
a hardcoded DMA_BIDIRECTIONAL, regardless of the direction that was
originally used for the mapping.
With CONFIG_DMA_API_DEBUG=y this produces:
DMA-API: misc udmabuf: device driver frees DMA memory with different
direction [device address=0x000000044a123000] [size=4096 bytes]
[mapped with DMA_TO_DEVICE] [unmapped with DMA_BIDIRECTIONAL]
The issue was found during video playback when GStreamer performed a
write-only DMA_BUF_IOCTL_SYNC on a udmabuf. It can be reproduced
with CONFIG_DMA_API_DEBUG=y by creating a udmabuf from a memfd,
performing a write-only sync (DMA_BUF_SYNC_WRITE without
DMA_BUF_SYNC_READ), and closing the file descriptor.
Fix this by storing the DMA direction used when the sg_table is first
created in begin_cpu_udmabuf(), and passing that same direction to
put_sg_table() in release_udmabuf().
Fixes: 284562e1f348 ("udmabuf: implement begin_cpu_access/end_cpu_access hooks")
Cc: stable@vger.kernel.org
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Reviewed-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patch.msgid.link/20260314232722.15555-1-mikhail.v.gavrilov@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma-buf/udmabuf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -40,6 +40,7 @@ struct udmabuf {
struct folio **pinned_folios;
struct sg_table *sg;
+ enum dma_data_direction sg_dir;
struct miscdevice *device;
pgoff_t *offsets;
};
@@ -235,7 +236,7 @@ static void release_udmabuf(struct dma_b
struct device *dev = ubuf->device->this_device;
if (ubuf->sg)
- put_sg_table(dev, ubuf->sg, DMA_BIDIRECTIONAL);
+ put_sg_table(dev, ubuf->sg, ubuf->sg_dir);
deinit_udmabuf(ubuf);
kfree(ubuf);
@@ -253,6 +254,8 @@ static int begin_cpu_udmabuf(struct dma_
if (IS_ERR(ubuf->sg)) {
ret = PTR_ERR(ubuf->sg);
ubuf->sg = NULL;
+ } else {
+ ubuf->sg_dir = direction;
}
} else {
dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 466/518] dma-buf/udmabuf: skip redundant cpu sync to fix cacheline EEXIST warning
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 465/518] udmabuf: fix DMA direction mismatch in release_udmabuf() Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 467/518] svcrdma: wake sq waiters when the transport closes Greg Kroah-Hartman
` (55 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikhail Gavrilov, Vivek Kasireddy
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
commit 504e2b4ab97a51d56d966cd36d0997ad30b65b2d upstream.
When CONFIG_DMA_API_DEBUG_SG is enabled, importing a udmabuf into a DRM
driver (e.g. amdgpu for video playback in GNOME Videos / Showtime)
triggers a spurious warning:
DMA-API: amdgpu 0000:03:00.0: cacheline tracking EEXIST, \
overlapping mappings aren't supported
WARNING: kernel/dma/debug.c:619 at add_dma_entry+0x473/0x5f0
The call chain is:
amdgpu_cs_ioctl
-> amdgpu_ttm_backend_bind
-> dma_buf_map_attachment
-> [udmabuf] map_udmabuf -> get_sg_table
-> dma_map_sgtable(dev, sg, direction, 0) // attrs=0
-> debug_dma_map_sg -> add_dma_entry -> EEXIST
This happens because udmabuf builds a per-page scatter-gather list via
sg_set_folio(). When begin_cpu_udmabuf() has already created an sg
table mapped for the misc device, and an importer such as amdgpu maps
the same pages for its own device via map_udmabuf(), the DMA debug
infrastructure sees two active mappings whose physical addresses share
cacheline boundaries and warns about the overlap.
The DMA_ATTR_SKIP_CPU_SYNC flag suppresses this check in
add_dma_entry() because it signals that no CPU cache maintenance is
performed at map/unmap time, making the cacheline overlap harmless.
All other major dma-buf exporters already pass this flag:
- drm_gem_map_dma_buf() passes DMA_ATTR_SKIP_CPU_SYNC
- amdgpu_dma_buf_map() passes DMA_ATTR_SKIP_CPU_SYNC
The CPU sync at map/unmap time is also redundant for udmabuf:
begin_cpu_udmabuf() and end_cpu_udmabuf() already perform explicit
cache synchronization via dma_sync_sgtable_for_cpu/device() when CPU
access is requested through the dma-buf interface.
Pass DMA_ATTR_SKIP_CPU_SYNC to dma_map_sgtable() and
dma_unmap_sgtable() in udmabuf to suppress the spurious warning and
skip the redundant sync.
Fixes: 284562e1f348 ("udmabuf: implement begin_cpu_access/end_cpu_access hooks")
Cc: stable@vger.kernel.org
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patch.msgid.link/20260331061657.79983-1-mikhail.v.gavrilov@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma-buf/udmabuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -163,7 +163,7 @@ static struct sg_table *get_sg_table(str
sg_set_folio(sgl, ubuf->folios[i], PAGE_SIZE,
ubuf->offsets[i]);
- ret = dma_map_sgtable(dev, sg, direction, 0);
+ ret = dma_map_sgtable(dev, sg, direction, DMA_ATTR_SKIP_CPU_SYNC);
if (ret < 0)
goto err_map;
return sg;
@@ -178,7 +178,7 @@ err_alloc:
static void put_sg_table(struct device *dev, struct sg_table *sg,
enum dma_data_direction direction)
{
- dma_unmap_sgtable(dev, sg, direction, 0);
+ dma_unmap_sgtable(dev, sg, direction, DMA_ATTR_SKIP_CPU_SYNC);
sg_free_table(sg);
kfree(sg);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 467/518] svcrdma: wake sq waiters when the transport closes
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 466/518] dma-buf/udmabuf: skip redundant cpu sync to fix cacheline EEXIST warning Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 468/518] Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers" Greg Kroah-Hartman
` (54 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit e5248a7426030db1e126363f72afdb3b71339a5c upstream.
Threads parked in svc_rdma_sq_wait() on sc_sq_ticket_wait or
sc_send_wait can hang indefinitely in TASK_UNINTERRUPTIBLE state
across transport teardown, pinning svc_xprt references and
blocking svc_rdma_free().
The close path sets XPT_CLOSE before invoking xpo_detach and both
wait_event predicates include an XPT_CLOSE term, but the
predicates are re-evaluated only on wakeup. sc_sq_ticket_wait has
no completion-driven wake path; it is advanced solely by the
chained ticket handoff inside svc_rdma_sq_wait() itself. Without
an explicit wake at close, parked threads never observe
XPT_CLOSE, hold their svc_xprt_get reference forever, and
svc_rdma_free() blocks on xpt_ref dropping to zero.
Two close entry points reach this transport. Local teardown runs
svc_rdma_detach() from svc_handle_xprt() -> svc_delete_xprt() ->
xpo_detach() on a worker thread. A remote disconnect arrives at
svc_rdma_cma_handler(), which calls svc_xprt_deferred_close():
that sets XPT_CLOSE and enqueues the transport but does not
access either RDMA waitqueue, so a worker already parked in
svc_rdma_sq_wait() never re-evaluates its predicate. With every
worker parked on this transport, no thread is available to run
the local teardown either, and the wake site there is
unreachable.
Introduce svc_rdma_xprt_deferred_close(), a thin svcrdma wrapper
that calls svc_xprt_deferred_close() and then wakes both
sc_sq_ticket_wait and sc_send_wait. Convert the svcrdma producers
that called svc_xprt_deferred_close() directly:
svc_rdma_cma_handler(), qp_event_handler(),
svc_rdma_post_send_err(), svc_rdma_wc_send(), the sendto drop
path, the rw completion error paths, and the recvfrom flush and
read-list error paths.
Wake both waitqueues from svc_rdma_detach() as well. The
synchronous svc_xprt_close() path (backchannel ENOTCONN, device
removal via svc_rdma_xprt_done) reaches detach without flowing
through svc_xprt_deferred_close() and therefore does not invoke
the new helper.
Fixes: ccc89b9d1ed2 ("svcrdma: Add fair queuing for Send Queue access")
Cc: stable@vger.kernel.org
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
[ cel: add svc_rdma_xprt_deferred_close() to complete the fix ]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/sunrpc/svc_rdma.h | 1 +
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 4 ++--
net/sunrpc/xprtrdma/svc_rdma_rw.c | 6 +++---
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 6 +++---
net/sunrpc/xprtrdma/svc_rdma_transport.c | 30 ++++++++++++++++++++++++++++--
5 files changed, 37 insertions(+), 10 deletions(-)
--- a/include/linux/sunrpc/svc_rdma.h
+++ b/include/linux/sunrpc/svc_rdma.h
@@ -328,6 +328,7 @@ extern int svc_rdma_result_payload(struc
unsigned int length);
/* svc_rdma_transport.c */
+extern void svc_rdma_xprt_deferred_close(struct svcxprt_rdma *rdma);
extern struct svc_xprt_class svc_rdma_class;
#ifdef CONFIG_SUNRPC_BACKCHANNEL
extern struct svc_xprt_class svc_rdma_bc_class;
--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
@@ -377,7 +377,7 @@ flushed:
trace_svcrdma_wc_recv_err(wc, &ctxt->rc_cid);
dropped:
svc_rdma_recv_ctxt_put(rdma, ctxt);
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
}
/**
@@ -1001,7 +1001,7 @@ out_readlist:
if (ret == -EINVAL)
svc_rdma_send_error(rdma_xprt, ctxt, ret);
svc_rdma_recv_ctxt_put(rdma_xprt, ctxt);
- svc_xprt_deferred_close(xprt);
+ svc_rdma_xprt_deferred_close(rdma_xprt);
return ret;
}
return 0;
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -313,7 +313,7 @@ static void svc_rdma_reply_done(struct i
trace_svcrdma_wc_reply_err(wc, &cc->cc_cid);
}
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
}
/**
@@ -345,7 +345,7 @@ static void svc_rdma_write_done(struct i
* some of the outgoing RPC message. Signal the loss
* to the client by closing the connection.
*/
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
}
/**
@@ -390,7 +390,7 @@ static void svc_rdma_wc_read_done(struct
*/
svc_rdma_cc_release(rdma, cc, DMA_FROM_DEVICE);
svc_rdma_recv_ctxt_put(rdma, ctxt);
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
}
/*
--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
@@ -395,7 +395,7 @@ int svc_rdma_post_send_err(struct svcxpr
int sqecount, int ret)
{
trace_svcrdma_sq_post_err(rdma, cid, ret);
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
/* If even one WR was posted, a Send completion will
* return the reserved SQ slots.
@@ -437,7 +437,7 @@ flushed:
else
trace_svcrdma_wc_send_flush(wc, &ctxt->sc_cid);
svc_rdma_send_ctxt_put(rdma, ctxt);
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
}
/**
@@ -1158,7 +1158,7 @@ put_ctxt:
svc_rdma_send_ctxt_put(rdma, sctxt);
drop_connection:
trace_svcrdma_send_err(rqstp, ret);
- svc_xprt_deferred_close(&rdma->sc_xprt);
+ svc_rdma_xprt_deferred_close(rdma);
return -ENOTCONN;
}
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -98,10 +98,27 @@ struct svc_xprt_class svc_rdma_class = {
.xcl_ident = XPRT_TRANSPORT_RDMA,
};
+/**
+ * svc_rdma_xprt_deferred_close - Close an RDMA transport (deferred)
+ * @rdma: transport to close
+ */
+void svc_rdma_xprt_deferred_close(struct svcxprt_rdma *rdma)
+{
+ svc_xprt_deferred_close(&rdma->sc_xprt);
+
+ /* Release parked sc_sq_ticket_wait and sc_send_wait waiters.
+ * Once XPT_CLOSE is observed each returns -ENOTCONN.
+ */
+ wake_up_all(&rdma->sc_sq_ticket_wait);
+ wake_up_all(&rdma->sc_send_wait);
+}
+
/* QP event handler */
static void qp_event_handler(struct ib_event *event, void *context)
{
struct svc_xprt *xprt = context;
+ struct svcxprt_rdma *rdma =
+ container_of(xprt, struct svcxprt_rdma, sc_xprt);
trace_svcrdma_qp_error(event, (struct sockaddr *)&xprt->xpt_remote);
switch (event->event) {
@@ -119,7 +136,7 @@ static void qp_event_handler(struct ib_e
case IB_EVENT_QP_ACCESS_ERR:
case IB_EVENT_DEVICE_FATAL:
default:
- svc_xprt_deferred_close(xprt);
+ svc_rdma_xprt_deferred_close(rdma);
break;
}
}
@@ -340,7 +357,7 @@ static int svc_rdma_cma_handler(struct r
svc_xprt_enqueue(xprt);
break;
case RDMA_CM_EVENT_DISCONNECTED:
- svc_xprt_deferred_close(xprt);
+ svc_rdma_xprt_deferred_close(rdma);
break;
default:
break;
@@ -597,6 +614,15 @@ static void svc_rdma_detach(struct svc_x
container_of(xprt, struct svcxprt_rdma, sc_xprt);
rdma_disconnect(rdma->sc_cm_id);
+
+ /*
+ * Most close paths go through svc_rdma_xprt_deferred_close(),
+ * which wakes the SQ waitqueues. svc_xprt_close() reaches
+ * detach without that helper, so wake any threads parked in
+ * svc_rdma_sq_wait() here as well.
+ */
+ wake_up_all(&rdma->sc_sq_ticket_wait);
+ wake_up_all(&rdma->sc_send_wait);
}
/**
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 468/518] Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers"
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 467/518] svcrdma: wake sq waiters when the transport closes Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 469/518] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region() Greg Kroah-Hartman
` (53 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Flynn, Mike Snitzer,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit a39f0ce0c9da20986b429e2db3e4e8739035d61b upstream.
Jonathan Flynn reports that commit 18755b8c2f24 ("svcrdma: Use
contiguous pages for RDMA Read sink buffers") regresses NFS/RDMA
WRITE throughput from 73.9 GiB/s to 30.3 GiB/s on a 128-core
single-NUMA-node server driving dual 400Gb/s links with 640 nfsd
threads. Server CPU utilization rises from 8.5% to 76%, with
roughly three quarters of all cycles spent spinning on zone->lock.
The sink buffers are allocated as high-order page blocks, split
into single pages so each sub-page carries an independent refcount,
and later released one page at a time through folio batches. The
per-CPU page caches cannot satisfy an allocation stream whose alloc
order differs from its free order, so every sink buffer page makes
a round trip through the buddy allocator's free lists, serialized
on the zone lock of the single NUMA node. The rq_pages entries that
the split pages displace, bulk-allocated moments earlier by
svc_alloc_arg(), are freed without ever being used, doubling the
allocator traffic.
The regression cannot be addressed trivially. Revert the commit
now; a reworked approach can return in an upcoming merge window.
Reported-by: Jonathan Flynn <jonathan.flynn@hammerspace.com>
Reported-by: Mike Snitzer <snitzer@kernel.org>
Closes: https://lore.kernel.org/linux-nfs/aiHlPmeZq3WgMwoJ@kernel.org/
Closes: https://lore.kernel.org/linux-nfs/3cb119b4b2a8aada30c0c60286778a54@mail.gmail.com/
Fixes: 18755b8c2f24 ("svcrdma: Use contiguous pages for RDMA Read sink buffers")
Cc: stable@vger.kernel.org
Tested-by: Jonathan Flynn <jonathan.flynn@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 223 --------------------------------------
1 file changed, 223 deletions(-)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -754,216 +754,6 @@ int svc_rdma_prepare_reply_chunk(struct
return xdr->len;
}
-/*
- * Cap contiguous RDMA Read sink allocations at order-4.
- * Higher orders risk allocation failure under
- * __GFP_NORETRY, which would negate the benefit of the
- * contiguous fast path.
- */
-#define SVC_RDMA_CONTIG_MAX_ORDER 4
-
-/**
- * svc_rdma_alloc_read_pages - Allocate physically contiguous pages
- * @nr_pages: number of pages needed
- * @order: on success, set to the allocation order
- *
- * Attempts a higher-order allocation, falling back to smaller orders.
- * The returned pages are split immediately so each sub-page has its
- * own refcount and can be freed independently.
- *
- * Returns a pointer to the first page on success, or NULL if even
- * order-1 allocation fails.
- */
-static struct page *
-svc_rdma_alloc_read_pages(unsigned int nr_pages, unsigned int *order)
-{
- unsigned int o;
- struct page *page;
-
- o = min(get_order(nr_pages << PAGE_SHIFT),
- SVC_RDMA_CONTIG_MAX_ORDER);
-
- while (o >= 1) {
- page = alloc_pages(GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN,
- o);
- if (page) {
- split_page(page, o);
- *order = o;
- return page;
- }
- o--;
- }
- return NULL;
-}
-
-/*
- * svc_rdma_fill_contig_bvec - Replace rq_pages with a contiguous allocation
- * @rqstp: RPC transaction context
- * @head: context for ongoing I/O
- * @bv: bvec entry to fill
- * @pages_left: number of data pages remaining in the segment
- * @len_left: bytes remaining in the segment
- *
- * On success, fills @bv with a bvec spanning the contiguous range and
- * advances rc_curpage/rc_page_count. Returns the byte length covered,
- * or zero if the allocation failed or would overrun rq_maxpages.
- */
-static unsigned int
-svc_rdma_fill_contig_bvec(struct svc_rqst *rqstp,
- struct svc_rdma_recv_ctxt *head,
- struct bio_vec *bv, unsigned int pages_left,
- unsigned int len_left)
-{
- unsigned int order, npages, chunk_pages, chunk_len, i;
- struct page *page;
-
- page = svc_rdma_alloc_read_pages(pages_left, &order);
- if (!page)
- return 0;
- npages = 1 << order;
-
- if (head->rc_curpage + npages > rqstp->rq_maxpages) {
- for (i = 0; i < npages; i++)
- __free_page(page + i);
- return 0;
- }
-
- /*
- * Replace rq_pages[] entries with pages from the contiguous
- * allocation. If npages exceeds chunk_pages, the extra pages
- * stay in rq_pages[] for later reuse or normal rqst teardown.
- */
- for (i = 0; i < npages; i++) {
- svc_rqst_page_release(rqstp,
- rqstp->rq_pages[head->rc_curpage + i]);
- rqstp->rq_pages[head->rc_curpage + i] = page + i;
- }
-
- chunk_pages = min(npages, pages_left);
- chunk_len = min_t(unsigned int, chunk_pages << PAGE_SHIFT, len_left);
- bvec_set_page(bv, page, chunk_len, 0);
- head->rc_page_count += chunk_pages;
- head->rc_curpage += chunk_pages;
- return chunk_len;
-}
-
-/*
- * svc_rdma_fill_page_bvec - Add a single rq_page to the bvec array
- * @head: context for ongoing I/O
- * @ctxt: R/W context whose bvec array is being filled
- * @cur: page to add
- * @bvec_idx: pointer to current bvec index, not advanced on merge
- * @len_left: bytes remaining in the segment
- *
- * If @cur is physically contiguous with the preceding bvec, it is
- * merged by extending that bvec's length. Otherwise a new bvec
- * entry is created. Returns the byte length covered.
- */
-static unsigned int
-svc_rdma_fill_page_bvec(struct svc_rdma_recv_ctxt *head,
- struct svc_rdma_rw_ctxt *ctxt, struct page *cur,
- unsigned int *bvec_idx, unsigned int len_left)
-{
- unsigned int chunk_len = min_t(unsigned int, PAGE_SIZE, len_left);
-
- head->rc_page_count++;
- head->rc_curpage++;
-
- if (*bvec_idx > 0) {
- struct bio_vec *prev = &ctxt->rw_bvec[*bvec_idx - 1];
-
- if (page_to_phys(prev->bv_page) + prev->bv_offset +
- prev->bv_len == page_to_phys(cur)) {
- prev->bv_len += chunk_len;
- return chunk_len;
- }
- }
-
- bvec_set_page(&ctxt->rw_bvec[*bvec_idx], cur, chunk_len, 0);
- (*bvec_idx)++;
- return chunk_len;
-}
-
-/**
- * svc_rdma_build_read_segment_contig - Build RDMA Read WR with contiguous pages
- * @rqstp: RPC transaction context
- * @head: context for ongoing I/O
- * @segment: co-ordinates of remote memory to be read
- *
- * Greedily allocates higher-order pages to cover the segment,
- * building one bvec per contiguous chunk. Each allocation is
- * split so sub-pages have independent refcounts. When a
- * higher-order allocation fails, remaining pages are covered
- * individually, merging adjacent pages into the preceding bvec
- * when they are physically contiguous. The split sub-pages
- * replace entries in rq_pages[] so downstream cleanup is
- * unchanged.
- *
- * Returns:
- * %0: the Read WR was constructed successfully
- * %-ENOMEM: allocation failed
- * %-EIO: a DMA mapping error occurred
- */
-static int svc_rdma_build_read_segment_contig(struct svc_rqst *rqstp,
- struct svc_rdma_recv_ctxt *head,
- const struct svc_rdma_segment *segment)
-{
- struct svcxprt_rdma *rdma = svc_rdma_rqst_rdma(rqstp);
- struct svc_rdma_chunk_ctxt *cc = &head->rc_cc;
- unsigned int nr_data_pages, bvec_idx;
- struct svc_rdma_rw_ctxt *ctxt;
- unsigned int len_left;
- int ret;
-
- nr_data_pages = PAGE_ALIGN(segment->rs_length) >> PAGE_SHIFT;
- if (head->rc_curpage + nr_data_pages > rqstp->rq_maxpages)
- return -ENOMEM;
-
- ctxt = svc_rdma_get_rw_ctxt(rdma, nr_data_pages);
- if (!ctxt)
- return -ENOMEM;
-
- bvec_idx = 0;
- len_left = segment->rs_length;
- while (len_left) {
- unsigned int pages_left = PAGE_ALIGN(len_left) >> PAGE_SHIFT;
- unsigned int chunk_len = 0;
-
- if (pages_left >= 2)
- chunk_len = svc_rdma_fill_contig_bvec(rqstp, head,
- &ctxt->rw_bvec[bvec_idx],
- pages_left, len_left);
- if (chunk_len) {
- bvec_idx++;
- } else {
- struct page *cur =
- rqstp->rq_pages[head->rc_curpage];
- chunk_len = svc_rdma_fill_page_bvec(head, ctxt, cur,
- &bvec_idx,
- len_left);
- }
-
- len_left -= chunk_len;
- }
-
- ctxt->rw_nents = bvec_idx;
-
- head->rc_pageoff = offset_in_page(segment->rs_length);
- if (head->rc_pageoff)
- head->rc_curpage--;
-
- ret = svc_rdma_rw_ctx_init(rdma, ctxt, segment->rs_offset,
- segment->rs_handle, segment->rs_length,
- DMA_FROM_DEVICE);
- if (ret < 0)
- return -EIO;
- percpu_counter_inc(&svcrdma_stat_read);
-
- list_add(&ctxt->rw_list, &cc->cc_rwctxts);
- cc->cc_sqecount += ret;
- return 0;
-}
-
/**
* svc_rdma_build_read_segment - Build RDMA Read WQEs to pull one RDMA segment
* @rqstp: RPC transaction context
@@ -990,14 +780,6 @@ static int svc_rdma_build_read_segment(s
if (check_add_overflow(head->rc_pageoff, len, &total))
return -EINVAL;
nr_bvec = PAGE_ALIGN(total) >> PAGE_SHIFT;
-
- if (head->rc_pageoff == 0 && nr_bvec >= 2) {
- ret = svc_rdma_build_read_segment_contig(rqstp, head,
- segment);
- if (ret != -ENOMEM)
- return ret;
- }
-
ctxt = svc_rdma_get_rw_ctxt(rdma, nr_bvec);
if (!ctxt)
return -ENOMEM;
@@ -1343,11 +1125,6 @@ static void svc_rdma_clear_rqst_pages(st
{
unsigned int i;
- /*
- * Move only pages containing RPC data into rc_pages[]. Pages
- * from a contiguous allocation that were not used for the
- * payload remain in rq_pages[] for subsequent reuse.
- */
for (i = 0; i < head->rc_page_count; i++) {
head->rc_pages[i] = rqstp->rq_pages[i];
rqstp->rq_pages[i] = NULL;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 469/518] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 468/518] Revert "svcrdma: Use contiguous pages for RDMA Read sink buffers" Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 470/518] i2c: core: fix adapter probe deferral loop Greg Kroah-Hartman
` (52 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Alba Vives, Xu Yilun,
Xu Yilun
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Alba Vives <sebasjosue84@gmail.com>
commit fc3b071a7c8dc0f5d56defddf6e6fd5aaa3e1e27 upstream.
afu_ioctl_dma_map() accepts a 64-bit length from userspace via
DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value
is passed to afu_dma_pin_pages() where npages is derived as
length >> PAGE_SHIFT and passed to pin_user_pages_fast() which takes
int nr_pages, causing implicit truncation if length is very large.
Validate map.length at the ioctl entry point before calling
afu_dma_map_region(), rejecting values whose page count exceeds
INT_MAX.
Fixes: fa8dda1edef9 ("fpga: dfl: afu: add DFL_FPGA_PORT_DMA_MAP/UNMAP ioctls support")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20260518190742.61426-3-sebasjosue84@gmail.com
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/dfl-afu-main.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/fpga/dfl-afu-main.c
+++ b/drivers/fpga/dfl-afu-main.c
@@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev
if (map.argsz < minsz || map.flags)
return -EINVAL;
+ if (map.length >> PAGE_SHIFT > (u64)INT_MAX)
+ return -EINVAL;
+
ret = afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 470/518] i2c: core: fix adapter probe deferral loop
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 469/518] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region() Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 471/518] i2c: core: fix irq domain leak on adapter registration failure Greg Kroah-Hartman
` (51 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Codrin Ciubotariu, Johan Hovold,
Wolfram Sang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 158efa411c57111d87bf265a3776614f32d70007 upstream.
Drivers must not probe defer after having registered devices as that
will trigger a probe loop if the devices bind to a driver (cf. commit
fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
Move the recovery initialisation, where the GPIO lookup may fail, before
registering the adapter to prevent this.
Fixes: 75820314de26 ("i2c: core: add generic I2C GPIO recovery")
Cc: stable@vger.kernel.org # 5.9
Cc: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1561,6 +1561,10 @@ static int i2c_register_adapter(struct i
adap->dev.type = &i2c_adapter_type;
device_initialize(&adap->dev);
+ res = i2c_init_recovery(adap);
+ if (res == -EPROBE_DEFER)
+ goto err_put_adap;
+
/*
* This adapter can be used as a parent immediately after device_add(),
* setup runtime-pm (especially ignore-children) before hand.
@@ -1587,10 +1591,6 @@ static int i2c_register_adapter(struct i
if (res)
goto out_reg;
- res = i2c_init_recovery(adap);
- if (res == -EPROBE_DEFER)
- goto out_reg;
-
dev_dbg(&adap->dev, "adapter [%s] registered\n", adap->name);
/* create pre-declared device nodes */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 471/518] i2c: core: fix irq domain leak on adapter registration failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 470/518] i2c: core: fix adapter probe deferral loop Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 472/518] i2c: core: fix NULL-deref " Greg Kroah-Hartman
` (50 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Johan Hovold,
Wolfram Sang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8ce19524e4cc2462685f596a6402fbd8fb984ab2 upstream.
Make sure to tear down the host notify irq domain on adapter
registration failure to avoid leaking it.
This issue was flagged by Sashiko when reviewing another adapter
registration fix.
Fixes: 4d5538f5882a ("i2c: use an IRQ to report Host Notify events, not alert")
Cc: stable@vger.kernel.org # 4.10
Cc: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1582,7 +1582,7 @@ static int i2c_register_adapter(struct i
if (res) {
pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
put_device(&adap->dev);
- goto out_list;
+ goto err_remove_irq_domain;
}
adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
@@ -1614,6 +1614,8 @@ out_reg:
init_completion(&adap->dev_released);
device_unregister(&adap->dev);
wait_for_completion(&adap->dev_released);
+err_remove_irq_domain:
+ i2c_host_notify_irq_teardown(adap);
out_list:
mutex_lock(&core_lock);
idr_remove(&i2c_adapter_idr, adap->nr);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 472/518] i2c: core: fix NULL-deref on adapter registration failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 471/518] i2c: core: fix irq domain leak on adapter registration failure Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 473/518] i2c: core: fix adapter debugfs creation Greg Kroah-Hartman
` (49 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Hattori, Johan Hovold,
Wolfram Sang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 2295d2bb101faa663fbc45fadbb3fec45f107441 upstream.
If adapter registration ever fails the release callback would trigger a
NULL-pointer dereference as the completion struct has not been
initialised.
Note that before the offending commit this would instead have resulted
in a minor memory leak of the adapter name.
Fixes: 3f8c4f5e9a57 ("i2c: core: fix reference leak in i2c_register_adapter()")
Cc: stable@vger.kernel.org
Cc: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1581,8 +1581,7 @@ static int i2c_register_adapter(struct i
res = device_add(&adap->dev);
if (res) {
pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
- put_device(&adap->dev);
- goto err_remove_irq_domain;
+ goto err_put_adap;
}
adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
@@ -1611,10 +1610,12 @@ static int i2c_register_adapter(struct i
out_reg:
i2c_deregister_clients(adap);
debugfs_remove_recursive(adap->debugfs);
+ device_del(&adap->dev);
+err_put_adap:
init_completion(&adap->dev_released);
- device_unregister(&adap->dev);
+ put_device(&adap->dev);
wait_for_completion(&adap->dev_released);
-err_remove_irq_domain:
+
i2c_host_notify_irq_teardown(adap);
out_list:
mutex_lock(&core_lock);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 473/518] i2c: core: fix adapter debugfs creation
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 472/518] i2c: core: fix NULL-deref " Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 474/518] i2c: core: fix adapter deregistration race Greg Kroah-Hartman
` (48 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Johan Hovold
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 07d5fb537928aad4369aaff0cbae73ba38a719af upstream.
Clients can be registered from bus notifier callbacks so the debugfs
directory needs to be created before registering the adapter as clients
use that directory as their debugfs parent.
Move debugfs creation before adapter registration to avoid having
clients create their debugfs directories in the debugfs root (which is
also more likely to fail due to name collisions).
Note that failure to allocate the adapter name must now be handled
explicitly as debugfs_create_dir() cannot handle a NULL name (unlike
device_add() which returns an error).
Fixes: 73febd775bdb ("i2c: create debugfs entry per adapter")
Cc: stable@vger.kernel.org # 6.8
Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1556,7 +1556,10 @@ static int i2c_register_adapter(struct i
goto out_list;
}
- dev_set_name(&adap->dev, "i2c-%d", adap->nr);
+ res = dev_set_name(&adap->dev, "i2c-%d", adap->nr);
+ if (res)
+ goto err_remove_irq_domain;
+
adap->dev.bus = &i2c_bus_type;
adap->dev.type = &i2c_adapter_type;
device_initialize(&adap->dev);
@@ -1578,14 +1581,14 @@ static int i2c_register_adapter(struct i
idr_replace(&i2c_adapter_idr, adap, adap->nr);
mutex_unlock(&core_lock);
+ adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
+
res = device_add(&adap->dev);
if (res) {
pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
- goto err_put_adap;
+ goto err_remove_debugfs;
}
- adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
-
res = i2c_setup_smbus_alert(adap);
if (res)
goto out_reg;
@@ -1609,13 +1612,14 @@ static int i2c_register_adapter(struct i
out_reg:
i2c_deregister_clients(adap);
- debugfs_remove_recursive(adap->debugfs);
device_del(&adap->dev);
+err_remove_debugfs:
+ debugfs_remove_recursive(adap->debugfs);
err_put_adap:
init_completion(&adap->dev_released);
put_device(&adap->dev);
wait_for_completion(&adap->dev_released);
-
+err_remove_irq_domain:
i2c_host_notify_irq_teardown(adap);
out_list:
mutex_lock(&core_lock);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 474/518] i2c: core: fix adapter deregistration race
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 473/518] i2c: core: fix adapter debugfs creation Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 475/518] i2c: mpc: Fix timeout calculations Greg Kroah-Hartman
` (47 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean Delvare, Johan Hovold,
Wolfram Sang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b1a58ed9eab146b36f41a55db8f5d7ce9fdedf3f upstream.
Adapters can be looked up by their id using i2c_get_adapter() which
takes a reference to the embedded struct device.
Remove the adapter from the IDR before tearing it down during
deregistration (and on registration failure) to make sure its resources
are not accessed after having been freed (e.g. the device name).
Fixes: 35fc37f81881 ("i2c: Limit core locking to the necessary sections")
Cc: stable@vger.kernel.org # 2.6.31
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1586,7 +1586,7 @@ static int i2c_register_adapter(struct i
res = device_add(&adap->dev);
if (res) {
pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
- goto err_remove_debugfs;
+ goto err_replace_id;
}
res = i2c_setup_smbus_alert(adap);
@@ -1613,7 +1613,10 @@ static int i2c_register_adapter(struct i
out_reg:
i2c_deregister_clients(adap);
device_del(&adap->dev);
-err_remove_debugfs:
+err_replace_id:
+ mutex_lock(&core_lock);
+ idr_replace(&i2c_adapter_idr, NULL, adap->nr);
+ mutex_unlock(&core_lock);
debugfs_remove_recursive(adap->debugfs);
err_put_adap:
init_completion(&adap->dev_released);
@@ -1802,6 +1805,8 @@ void i2c_del_adapter(struct i2c_adapter
/* First make sure that this adapter was ever added */
mutex_lock(&core_lock);
found = idr_find(&i2c_adapter_idr, adap->nr);
+ if (found == adap)
+ idr_replace(&i2c_adapter_idr, NULL, adap->nr);
mutex_unlock(&core_lock);
if (found != adap) {
pr_debug("attempting to delete unregistered adapter [%s]\n", adap->name);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 475/518] i2c: mpc: Fix timeout calculations
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 474/518] i2c: core: fix adapter deregistration race Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 476/518] i2c: davinci: Unregister cpufreq notifier on probe failure Greg Kroah-Hartman
` (46 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Chris Packham,
Andi Shyti
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 2e9a7f68329be41792c0b123c28e6c53c2fa2249 upstream.
At first glance the harmless cleanup of the driver does nothing bad.
However, as the operator precedence list states the '*' (multiplication)
and '/' division operators have order 5 with left-to-right associativity
the *= has order 17 and associativity right-to-left. It wouldn't be
a problem to replace
foo = foo * HZ / 1000000;
with
foo *= HZ / 1000000;
if HZ constant is in Hertz. The problem is that in the Linux kernel HZ is
defined in jiffy units, which is order of magnitude smaller than a million.
That's why operator precedence has a crucial role here. Fix the regression
by reverting pre-optimized calculations.
Fixes: be40a3ae719f ("i2c: mpc: Use of_property_read_u32 instead of of_get_property")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.4+
Reviewed-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260618144934.3249950-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-mpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-mpc.c
+++ b/drivers/i2c/busses/i2c-mpc.c
@@ -844,7 +844,7 @@ static int fsl_i2c_probe(struct platform
"fsl,timeout", &mpc_ops.timeout);
if (!result) {
- mpc_ops.timeout *= HZ / 1000000;
+ mpc_ops.timeout = mpc_ops.timeout * HZ / 1000000;
if (mpc_ops.timeout < 5)
mpc_ops.timeout = 5;
} else {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 476/518] i2c: davinci: Unregister cpufreq notifier on probe failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 475/518] i2c: mpc: Fix timeout calculations Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 477/518] i2c: stm32f7: truncate clock period instead of rounding it Greg Kroah-Hartman
` (45 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Bartosz Golaszewski,
Andi Shyti
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit e43f32816a1b1fe5a86279411626fe3a9be56d45 upstream.
davinci_i2c_probe() registers a cpufreq transition notifier before adding
the I2C adapter. If i2c_add_numbered_adapter() fails, the probe error path
releases the device resources without unregistering the notifier.
Add a dedicated error path to unregister the cpufreq notifier after
i2c_add_numbered_adapter() fails.
Fixes: 82c0de11b734 ("i2c: davinci: Add cpufreq support")
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Cc: <stable@vger.kernel.org> # v2.6.36+
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260610030513.2651018-1-haoxiang_li2024@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-davinci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-davinci.c
+++ b/drivers/i2c/busses/i2c-davinci.c
@@ -818,12 +818,14 @@ static int davinci_i2c_probe(struct plat
adap->nr = pdev->id;
r = i2c_add_numbered_adapter(adap);
if (r)
- goto err_unuse_clocks;
+ goto err_cpufreq;
pm_runtime_put_autosuspend(dev->dev);
return 0;
+err_cpufreq:
+ i2c_davinci_cpufreq_deregister(dev);
err_unuse_clocks:
pm_runtime_dont_use_autosuspend(dev->dev);
pm_runtime_put_sync(dev->dev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 477/518] i2c: stm32f7: truncate clock period instead of rounding it
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 476/518] i2c: davinci: Unregister cpufreq notifier on probe failure Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 478/518] i2c: imx-lpi2c: mark I2C adapter when hardware is powered down Greg Kroah-Hartman
` (44 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillermo Rodríguez,
Alain Volmat, Pierre-Yves MORDRET, Andi Shyti
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillermo Rodríguez <guille.rodriguez@gmail.com>
commit 111bb7f9f4a90b32e495d70a607c67b137f3074a upstream.
stm32f7_i2c_compute_timing() derives the I2C clock source period
(i2cclk) with DIV_ROUND_CLOSEST, which may round it up. When the
period is overestimated, all timings computed from it (SCLDEL,
SDADEL, SCLL, SCLH) come out shorter on the wire than calculated,
and the resulting bus rate can exceed the requested speed, violating
the I2C specification minimums for tLOW and tHIGH.
For example, with a 104.45 MHz clock source (e.g. PCLK1, the
reset-default I2C clock source on STM32MP1), i2cclk is rounded from
9.574 ns up to 10 ns. Requesting a 400 kHz fast mode bus with
72/27 ns rise/fall times and no analog/digital filters then produces
an actual bus rate of 415.6 kHz with tLOW = 1254 ns, violating both
the 400 kHz maximum rate and the 1300 ns tLOW minimum of the
specification.
Truncate the period instead, so that it can only be underestimated.
The error then falls on the safe side: the programmed timings come
out slightly longer than computed and the bus runs marginally below
the target rate (375.3 kHz in the example above) while meeting the
specification.
i2cbus is left rounded-to-closest: it is only used as the target of
the clk_error comparison and is never multiplied into the programmed
timings, so nearest rounding remains accurate there.
Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver")
Signed-off-by: Guillermo Rodríguez <guille.rodriguez@gmail.com>
Cc: <stable@vger.kernel.org> # v4.14+
Acked-by: Alain Volmat <alain.volmat@foss.st.com>
Reviewed-by: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260611104857.242153-1-guille.rodriguez@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-stm32f7.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -464,8 +464,13 @@ static int stm32f7_i2c_compute_timing(st
{
struct stm32f7_i2c_spec *specs;
u32 p_prev = STM32F7_PRESC_MAX;
- u32 i2cclk = DIV_ROUND_CLOSEST(NSEC_PER_SEC,
- setup->clock_src);
+ /*
+ * Truncate instead of rounding to closest: if the clock period is
+ * overestimated, the computed SCL timings will come out shorter on
+ * the wire, which can push the bus above the target rate and below
+ * the spec's tLOW/tHIGH minimums.
+ */
+ u32 i2cclk = NSEC_PER_SEC / setup->clock_src;
u32 i2cbus = DIV_ROUND_CLOSEST(NSEC_PER_SEC,
setup->speed_freq);
u32 clk_error_prev = i2cbus;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 478/518] i2c: imx-lpi2c: mark I2C adapter when hardware is powered down
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 477/518] i2c: stm32f7: truncate clock period instead of rounding it Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 479/518] i2c: i801: fix hardware state machine corruption in error path Greg Kroah-Hartman
` (43 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Song, Mukesh Savaliya,
Frank Li, Andi Shyti
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Song <carlos.song@nxp.com>
commit 218cfe364b55b2768221629bd4a69ad190b7fbbc upstream.
On some i.MX platforms, certain I2C client drivers keep a periodic
workqueue which continues to trigger I2C transfers.
During system suspend/resume, there exists a time window between:
- suspend_noirq and the system entering suspend
- the system starting to resume and resume_noirq
In this window, the I2C controller resources such as clock and pinctrl
may already be disabled or not yet restored.
If a workqueue triggers an I2C transfer in this period, the driver
attempts to access I2C registers while the hardware resources are
unavailable, which may lead to system hang.
Mark the I2C adapter as suspended during noirq suspend and block new
transfers until resume, ensuring that I2C transfers are only issued
when hardware resources are available.
Fixes: 1ee867e465c1 ("i2c: imx-lpi2c: add target mode support")
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Cc: <stable@vger.kernel.org> # v6.14+
Acked-by: Mukesh Savaliya <mukesh.savaliya@oss.qualcomm.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260525031450.3183421-1-carlos.song@oss.nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-imx-lpi2c.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
+++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
@@ -1646,7 +1646,18 @@ static int __maybe_unused lpi2c_runtime_
static int __maybe_unused lpi2c_suspend_noirq(struct device *dev)
{
- return pm_runtime_force_suspend(dev);
+ struct lpi2c_imx_struct *lpi2c_imx = dev_get_drvdata(dev);
+ int ret;
+
+ i2c_mark_adapter_suspended(&lpi2c_imx->adapter);
+
+ ret = pm_runtime_force_suspend(dev);
+ if (ret) {
+ i2c_mark_adapter_resumed(&lpi2c_imx->adapter);
+ return ret;
+ }
+
+ return 0;
}
static int __maybe_unused lpi2c_resume_noirq(struct device *dev)
@@ -1666,6 +1677,8 @@ static int __maybe_unused lpi2c_resume_n
if (lpi2c_imx->target)
lpi2c_imx_target_init(lpi2c_imx);
+ i2c_mark_adapter_resumed(&lpi2c_imx->adapter);
+
return 0;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 479/518] i2c: i801: fix hardware state machine corruption in error path
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 478/518] i2c: imx-lpi2c: mark I2C adapter when hardware is powered down Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 480/518] Input: synaptics-rmi4 - unregister function handlers on physical driver registration failure Greg Kroah-Hartman
` (42 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Andi Shyti
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit 10dd1a736d557e310a77117832874729a0175d57 upstream.
A severe livelock and subsequent Hung Task panic were observed in the
i2c-i801 driver during concurrent Fuzzing. The crash is caused by an
unconditional hardware register cleanup in the error handling path of
i801_access().
When i801_check_pre() fails (e.g., returning -EBUSY because the SMBus
controller is actively used by BIOS/ACPI), the kernel does not actually
acquire the hardware ownership. However, the code jumps to the 'out'
label and executes:
iowrite8(SMBHSTSTS_INUSE_STS | STATUS_FLAGS, SMBHSTSTS(priv));
This forcefully clears the INUSE_STS lock and resets the hardware status
flags without owning the controller. Doing so interrupts ongoing BIOS/ACPI
transactions and totally corrupts the SMBus hardware state machine.
Consequently, all subsequent i801_access() calls fail at the pre-check
stage, triggering an endless stream of "SMBus is busy, can't use it!"
error logs. Over a slow serial console, this printk flood monopolizes
the CPU (Console Livelock), starving other processes trying to acquire
the mmap_lock down_read semaphore, ultimately triggering the hung task
watchdog.
Fix this by moving the 'out' label below the hardware register cleanup.
If i801_check_pre() fails, we safely bypass the iowrite8() and only
release the software locks (pm_runtime and mutex), strictly adhering to
the rule of not releasing resources that were never acquired.
Fixes: 1f760b87e54c ("i2c: i801: Call i801_check_pre() from i801_access()")
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Cc: <stable@vger.kernel.org> # v6.3+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260512093534.348655-1-w15303746062@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-i801.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -931,13 +931,13 @@ static s32 i801_access(struct i2c_adapte
*/
if (hwpec)
iowrite8(ioread8(SMBAUXCTL(priv)) & ~SMBAUXCTL_CRC, SMBAUXCTL(priv));
-out:
/*
* Unlock the SMBus device for use by BIOS/ACPI,
* and clear status flags if not done already.
*/
iowrite8(SMBHSTSTS_INUSE_STS | STATUS_FLAGS, SMBHSTSTS(priv));
+out:
pm_runtime_put_autosuspend(&priv->pci_dev->dev);
mutex_unlock(&priv->acpi_lock);
return ret;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 480/518] Input: synaptics-rmi4 - unregister function handlers on physical driver registration failure
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 479/518] i2c: i801: fix hardware state machine corruption in error path Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 481/518] Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count Greg Kroah-Hartman
` (41 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 6251f7d3472c0409e30f8d6a24f10d33d12e3f9a upstream.
If rmi_register_physical_driver() fails, the current error path
unregisters only the RMI bus. The function handlers registered
earlier remain registered with the driver core.
Add a separate error path to unregister the function handlers
before unregistering the bus in this failure case.
Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260610064633.2837084-1-haoxiang_li2024@163.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/rmi4/rmi_bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/input/rmi4/rmi_bus.c
+++ b/drivers/input/rmi4/rmi_bus.c
@@ -455,11 +455,13 @@ static int __init rmi_bus_init(void)
if (error) {
pr_err("%s: error registering the RMI physical driver: %d\n",
__func__, error);
- goto err_unregister_bus;
+ goto err_unregister_function_handlers;
}
return 0;
+err_unregister_function_handlers:
+ rmi_unregister_function_handlers();
err_unregister_bus:
bus_unregister(&rmi_bus_type);
return error;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 481/518] Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 480/518] Input: synaptics-rmi4 - unregister function handlers on physical driver registration failure Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 482/518] Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count Greg Kroah-Hartman
` (40 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 57c10915f2c16c90e0d46ad00876bf39ece40fc2 upstream.
rmi_f3a_initialize() takes the GPIO count from the device query register
(f3a->gpio_count = buf & RMI_F3A_GPIO_COUNT, range 0..127).
rmi_f3a_map_gpios() then allocates gpio_key_map with
min(gpio_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
rmi_f3a_attention() iterates the full gpio_count and dereferences
gpio_key_map[i], and input->keycodemax is set to the full gpio_count
while input->keycode points at the 6-entry allocation.
A device that reports gpio_count > 6 therefore causes an out-of-bounds
read of gpio_key_map[] on every attention interrupt, and out-of-bounds
accesses through the input core's default keymap ioctls: EVIOCGKEYCODE
reads past the buffer (leaking adjacent slab memory to user space) and
EVIOCSKEYCODE writes a caller-controlled value past it, for any process
able to open the evdev node, since input_default_getkeycode() and
input_default_setkeycode() only bound the index against keycodemax.
Size the keymap for the full gpio_count. The mapping loop is unchanged:
it still assigns only the first min(gpio_count, TRACKSTICK_RANGE_END)
entries; the remaining slots stay KEY_RESERVED (devm_kcalloc zero-fills)
and are skipped when reporting.
Fixes: 9e4c596bfd00 ("Input: synaptics-rmi4 - add support for F3A")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-1-cf39a3615085@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/rmi4/rmi_f3a.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/rmi4/rmi_f3a.c
+++ b/drivers/input/rmi4/rmi_f3a.c
@@ -132,7 +132,7 @@ static int rmi_f3a_map_gpios(struct rmi_
int button_count = min_t(u8, f3a->gpio_count, TRACKSTICK_RANGE_END);
f3a->gpio_key_map = devm_kcalloc(&fn->dev,
- button_count,
+ f3a->gpio_count,
sizeof(f3a->gpio_key_map[0]),
GFP_KERNEL);
if (!f3a->gpio_key_map) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 482/518] Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 481/518] Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 483/518] Input: elan_i2c - prevent division by zero and arithmetic underflow Greg Kroah-Hartman
` (39 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit d577e46785d45484b2ab7e7309c49b18764bf56c upstream.
rmi_f30_map_gpios() allocates gpioled_key_map with
min(gpioled_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
rmi_f30_attention() iterates the full f30->gpioled_count (device query
register, range 0..31) and dereferences gpioled_key_map[i], and
input->keycodemax is set to the full gpioled_count while input->keycode
points at the 6-entry allocation.
A device that reports gpioled_count > 6 with GPIO support enabled
therefore causes an out-of-bounds read on the attention interrupt and
out-of-bounds read/write through the EVIOCGKEYCODE/EVIOCSKEYCODE ioctls,
which bound the index only against keycodemax. This is the same defect
as the F3A handler, which was copied from F30.
Size the keymap for the full gpioled_count; the mapping loop still
assigns only the first min(gpioled_count, TRACKSTICK_RANGE_END) entries.
Fixes: 3e64fcbdbd10 ("Input: synaptics-rmi4 - limit the range of what GPIOs are buttons")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-2-cf39a3615085@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/rmi4/rmi_f30.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/rmi4/rmi_f30.c
+++ b/drivers/input/rmi4/rmi_f30.c
@@ -233,7 +233,7 @@ static int rmi_f30_map_gpios(struct rmi_
int button_count = min_t(u8, f30->gpioled_count, TRACKSTICK_RANGE_END);
f30->gpioled_key_map = devm_kcalloc(&fn->dev,
- button_count,
+ f30->gpioled_count,
sizeof(f30->gpioled_key_map[0]),
GFP_KERNEL);
if (!f30->gpioled_key_map) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 483/518] Input: elan_i2c - prevent division by zero and arithmetic underflow
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 482/518] Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 484/518] Input: goodix - clamp the device-reported contact count Greg Kroah-Hartman
` (38 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <kumarranja@chromium.org>
commit df2b818fa009c10ff6ba875a1663ff001cda9558 upstream.
The Elan I2C touchpad driver queries the device for its physical
dimensions and trace counts to calculate the device resolution and width.
However, if the device firmware or device tree provides invalid zero
values for x_traces or y_traces, it results in a fatal division-by-zero
exception leading to a kernel panic during device probe.
Add checks to ensure these parameters are non-zero before performing
the division. If invalid trace values are detected, fall back to a safe
default of 1.
Additionally, prevent an arithmetic underflow in the touch reporting
logic. Previously, if the calculated or fallback width was smaller than
ETP_FWIDTH_REDUCE (90), the subtraction would underflow, resulting in a
massive unsigned integer being reported to userspace. Clamp the adjusted
width to a minimum of 0 to safely handle small physical dimensions and
fallback scenarios.
Completing the probe with safe fallback values ensures the sysfs nodes
are created, keeping the firmware update path intact so a recovery
firmware can be flashed to the device.
Fixes: 6696777c6506 ("Input: add driver for Elan I2C/SMbus touchpad")
Fixes: e3a9a1290688 ("Input: elan_i2c - do not query the info if they are provided")
Signed-off-by: Ranjan Kumar <kumarranja@chromium.org>
Link: https://patch.msgid.link/20260612060339.3829666-1-kumarranja@chromium.org
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/elan_i2c_core.c | 36 ++++++++++++++++++++++++++++++------
1 file changed, 30 insertions(+), 6 deletions(-)
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -428,8 +428,17 @@ static int elan_query_device_parameters(
if (error)
return error;
}
- data->width_x = data->max_x / x_traces;
- data->width_y = data->max_y / y_traces;
+
+ if (!x_traces || !y_traces) {
+ dev_warn(&client->dev,
+ "invalid trace numbers: x=%u, y=%u\n",
+ x_traces, y_traces);
+ data->width_x = 1;
+ data->width_y = 1;
+ } else {
+ data->width_x = data->max_x / x_traces;
+ data->width_y = data->max_y / y_traces;
+ }
if (device_property_read_u32(&client->dev,
"touchscreen-x-mm", &x_mm) ||
@@ -443,8 +452,16 @@ static int elan_query_device_parameters(
data->x_res = elan_convert_resolution(hw_x_res, data->pattern);
data->y_res = elan_convert_resolution(hw_y_res, data->pattern);
} else {
- data->x_res = (data->max_x + 1) / x_mm;
- data->y_res = (data->max_y + 1) / y_mm;
+ if (unlikely(x_mm == 0 || y_mm == 0)) {
+ dev_warn(&client->dev,
+ "invalid physical dimensions: x_mm=%u, y_mm=%u\n",
+ x_mm, y_mm);
+ data->x_res = 1;
+ data->y_res = 1;
+ } else {
+ data->x_res = (data->max_x + 1) / x_mm;
+ data->y_res = (data->max_y + 1) / y_mm;
+ }
}
if (device_property_read_bool(&client->dev, "elan,clickpad"))
@@ -956,6 +973,7 @@ static void elan_report_contact(struct e
if (data->report_features & ETP_FEATURE_REPORT_MK) {
unsigned int mk_x, mk_y, area_x, area_y;
+ int adj_width_x, adj_width_y;
u8 mk_data = high_precision ?
packet[ETP_MK_DATA_OFFSET + contact_num] :
finger_data[3];
@@ -967,8 +985,14 @@ static void elan_report_contact(struct e
* To avoid treating large finger as palm, let's reduce
* the width x and y per trace.
*/
- area_x = mk_x * (data->width_x - ETP_FWIDTH_REDUCE);
- area_y = mk_y * (data->width_y - ETP_FWIDTH_REDUCE);
+
+ adj_width_x = data->width_x > ETP_FWIDTH_REDUCE ?
+ data->width_x - ETP_FWIDTH_REDUCE : 0;
+ adj_width_y = data->width_y > ETP_FWIDTH_REDUCE ?
+ data->width_y - ETP_FWIDTH_REDUCE : 0;
+
+ area_x = mk_x * adj_width_x;
+ area_y = mk_y * adj_width_y;
input_report_abs(input, ABS_TOOL_WIDTH, mk_x);
input_report_abs(input, ABS_MT_TOUCH_MAJOR,
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 484/518] Input: goodix - clamp the device-reported contact count
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 483/518] Input: elan_i2c - prevent division by zero and arithmetic underflow Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 485/518] Input: iforce - bound the device-reported force-feedback effect index Greg Kroah-Hartman
` (37 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Hans de Goede,
Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 5ed62a96e06be4e94b8296b7932afee550a70e04 upstream.
goodix_ts_read_input_report() copies the number of touch points reported
by the device into an on-stack buffer
u8 point_data[2 + GOODIX_MAX_CONTACT_SIZE * GOODIX_MAX_CONTACTS];
which is sized for at most GOODIX_MAX_CONTACTS (10) contacts. The only
runtime check bounds the per-interrupt count against ts->max_touch_num,
but that value is taken verbatim from a 4-bit field of the device
configuration block and is never clamped:
ts->max_touch_num = ts->config[MAX_CONTACTS_LOC] & 0x0f;
The nibble can be 0..15, so a malfunctioning, malicious or counterfeit
controller (or an attacker tampering with the I2C bus) can advertise up
to 15 contacts. goodix_ts_read_input_report() then accepts a touch_num
of up to 15 and the second goodix_i2c_read() writes
ts->contact_size * (touch_num - 1) bytes past the one-contact header into
point_data - up to 30 bytes (45 with the 9-byte report format) beyond the
92-byte buffer: a stack out-of-bounds write.
Clamp max_touch_num to GOODIX_MAX_CONTACTS, the number of contacts
point_data[] is sized for, when reading it from the configuration.
Fixes: a7ac7c95d468 ("Input: goodix - use max touch number from device config")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260612-b4-disp-6844625d-v1-1-df0aed080c9d@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/goodix.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/input/touchscreen/goodix.c
+++ b/drivers/input/touchscreen/goodix.c
@@ -1057,7 +1057,8 @@ static void goodix_read_config(struct go
}
ts->int_trigger_type = ts->config[TRIGGER_LOC] & 0x03;
- ts->max_touch_num = ts->config[MAX_CONTACTS_LOC] & 0x0f;
+ ts->max_touch_num = min(ts->config[MAX_CONTACTS_LOC] & 0x0f,
+ GOODIX_MAX_CONTACTS);
x_max = get_unaligned_le16(&ts->config[RESOLUTION_LOC]);
y_max = get_unaligned_le16(&ts->config[RESOLUTION_LOC + 2]);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 485/518] Input: iforce - bound the device-reported force-feedback effect index
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 484/518] Input: goodix - clamp the device-reported contact count Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 486/518] Input: mms114 - fix touch indexing for MMS134S and MMS136 Greg Kroah-Hartman
` (36 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 0e9943d2e4c63496b6ca84bc66fd3c71d40558e2 upstream.
iforce_process_packet() handles a status report (packet id 0x02) by
taking a force-feedback effect index straight from the device wire and
using it to address the per-effect state array:
i = data[1] & 0x7f;
if (data[1] & 0x80) {
if (!test_and_set_bit(FF_CORE_IS_PLAYED,
iforce->core_effects[i].flags))
...
} else if (test_and_clear_bit(FF_CORE_IS_PLAYED,
iforce->core_effects[i].flags)) {
...
}
The index is masked only with 0x7f, so it ranges 0..127, but
core_effects[] holds only IFORCE_EFFECTS_MAX (32) entries. For an index
of 32..127 the test_and_set_bit()/test_and_clear_bit() is an
out-of-bounds single-bit read-modify-write past the array. core_effects[]
is the second-to-last member of struct iforce, so the write lands in the
trailing members and beyond the embedding kzalloc()'d iforce_serio /
iforce_usb object.
data[1] is unvalidated device payload on both transports (the USB
interrupt endpoint and serio), and the status path is not gated on force
feedback being present, so a malicious or counterfeit device can set or
clear a bit at an attacker-chosen offset past the object.
Reject an out-of-range index instead of indexing with it. Bound against
the array dimension IFORCE_EFFECTS_MAX rather than dev->ff->max_effects so
the check guarantees memory safety regardless of how many effects the
device registered. A legitimate "effect started/stopped" status always
carries an index below IFORCE_EFFECTS_MAX, so well-formed devices are
unaffected; the neighbouring mark_core_as_ready() loop is already bounded
and is left untouched.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260613-b4-disp-4828d263-v1-1-02320e1a89dd@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/joystick/iforce/iforce-packets.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/drivers/input/joystick/iforce/iforce-packets.c
+++ b/drivers/input/joystick/iforce/iforce-packets.c
@@ -186,14 +186,18 @@ void iforce_process_packet(struct iforce
/* Check if an effect was just started or stopped */
i = data[1] & 0x7f;
- if (data[1] & 0x80) {
- if (!test_and_set_bit(FF_CORE_IS_PLAYED, iforce->core_effects[i].flags)) {
- /* Report play event */
- input_report_ff_status(dev, i, FF_STATUS_PLAYING);
+ if (i < IFORCE_EFFECTS_MAX) {
+ if (data[1] & 0x80) {
+ if (!test_and_set_bit(FF_CORE_IS_PLAYED,
+ iforce->core_effects[i].flags)) {
+ /* Report play event */
+ input_report_ff_status(dev, i, FF_STATUS_PLAYING);
+ }
+ } else if (test_and_clear_bit(FF_CORE_IS_PLAYED,
+ iforce->core_effects[i].flags)) {
+ /* Report stop event */
+ input_report_ff_status(dev, i, FF_STATUS_STOPPED);
}
- } else if (test_and_clear_bit(FF_CORE_IS_PLAYED, iforce->core_effects[i].flags)) {
- /* Report stop event */
- input_report_ff_status(dev, i, FF_STATUS_STOPPED);
}
for (j = 3; j < len; j += 2)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 486/518] Input: mms114 - fix touch indexing for MMS134S and MMS136
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 485/518] Input: iforce - bound the device-reported force-feedback effect index Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 487/518] Input: ads7846 - dont use scratch for tx_buf when clearing register Greg Kroah-Hartman
` (35 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sashiko-bot, Bryam Vargas,
Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit a6ac4e24c1a8a533bb61035184fdcc7eede4cc8d upstream.
The MMS134S and MMS136 touch controllers have an event size of 6 bytes
rather than 8 bytes. When __mms114_read_reg() reads the touch data
packet from the device into the touch buffer, the events are packed
tightly at 6-byte intervals. However, the driver iterates through the
events using standard C array indexing (touch[index]), where each
element is sizeof(struct mms114_touch) (8 bytes) apart. As a result, any
touch events beyond the first one are read from incorrect offsets and
parsed improperly.
Fix this by explicitly calculating the byte offset for each touch event
based on the device's specific event size.
Fixes: 53fefdd1d3a3 ("Input: mms114 - support MMS136")
Fixes: ab108678195f ("Input: mms114 - support MMS134S")
Reported-by: sashiko-bot@kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Reviewed-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260616050912.1531241-1-dmitry.torokhov@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/mms114.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/drivers/input/touchscreen/mms114.c
+++ b/drivers/input/touchscreen/mms114.c
@@ -217,7 +217,9 @@ static irqreturn_t mms114_interrupt(int
struct mms114_data *data = dev_id;
struct i2c_client *client = data->client;
struct mms114_touch touch[MMS114_MAX_TOUCH];
+ struct mms114_touch *t;
int packet_size;
+ int event_size;
int touch_size;
int index;
int error;
@@ -228,9 +230,11 @@ static irqreturn_t mms114_interrupt(int
/* MMS136 has slightly different event size */
if (data->type == TYPE_MMS134S || data->type == TYPE_MMS136)
- touch_size = packet_size / MMS136_EVENT_SIZE;
+ event_size = MMS136_EVENT_SIZE;
else
- touch_size = packet_size / MMS114_EVENT_SIZE;
+ event_size = MMS114_EVENT_SIZE;
+
+ touch_size = packet_size / event_size;
error = __mms114_read_reg(data, MMS114_INFORMATION, packet_size,
(u8 *)touch);
@@ -238,18 +242,20 @@ static irqreturn_t mms114_interrupt(int
goto out;
for (index = 0; index < touch_size; index++) {
- switch (touch[index].type) {
+ t = (struct mms114_touch *)((u8 *)touch + index * event_size);
+
+ switch (t->type) {
case MMS114_TYPE_TOUCHSCREEN:
- mms114_process_mt(data, touch + index);
+ mms114_process_mt(data, t);
break;
case MMS114_TYPE_TOUCHKEY:
- mms114_process_touchkey(data, touch + index);
+ mms114_process_touchkey(data, t);
break;
default:
dev_err(&client->dev, "Wrong touch type (%d)\n",
- touch[index].type);
+ t->type);
break;
}
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 487/518] Input: ads7846 - dont use scratch for tx_buf when clearing register
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 486/518] Input: mms114 - fix touch indexing for MMS134S and MMS136 Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 488/518] Input: touchwin - reset the packet index on every complete packet Greg Kroah-Hartman
` (34 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Featherston, Kris Bahnsen,
Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kris Bahnsen <kris@embeddedTS.com>
commit 856668312685d9a8f32d49a135a89c429d309f81 upstream.
The workaround for XPT2046 clears the command register, giving the
touchscreen controller a NOP. The change incorrectly re-uses the
req->scratch variable which is used as rx_buf for xfer[5], so by
the time xfer[6] occurs, the contents of req->scratch may not be
0. It was found that the touchscreen controller can end up in
a completely unresponsive state due to it being given a command
the driver does not expect.
Instead, rely on the spi_transfer behavior of tx_buf being NULL to
transmit all 0 bits and use the scratch variable for the rx_buf for
both the 1 byte command to and 2 byte response from the controller.
Also relocates the scratch member of struct ser_req to force it
into a different cache line to prevent any potential issues of
DMA stepping on unrelated data in other struct members due to
sharing the same cache line.
This change was tested on real TSC2046 and ADS7843 controllers,
but not the XPT2046 the workaround was originally created for.
Confirming that the original modification to clear the command
register does not impact either real controller.
Fixes: 781a07da9bb94 ("Input: ads7846 - add dummy command register clearing cycle")
Cc: stable@vger.kernel.org
Co-developed-by: Mark Featherston <mark@embeddedTS.com>
Signed-off-by: Mark Featherston <mark@embeddedTS.com>
Signed-off-by: Kris Bahnsen <kris@embeddedTS.com>
Link: https://patch.msgid.link/20260507164943.760009-1-kris@embeddedTS.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/ads7846.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/input/touchscreen/ads7846.c
+++ b/drivers/input/touchscreen/ads7846.c
@@ -325,7 +325,6 @@ struct ser_req {
u8 ref_on;
u8 command;
u8 ref_off;
- u16 scratch;
struct spi_message msg;
struct spi_transfer xfer[8];
/*
@@ -333,6 +332,7 @@ struct ser_req {
* transfer buffers to live in their own cache lines.
*/
__be16 sample ____cacheline_aligned;
+ u16 scratch;
};
struct ads7845_ser_req {
@@ -403,8 +403,7 @@ static int ads7846_read12_ser(struct dev
spi_message_add_tail(&req->xfer[5], &req->msg);
/* clear the command register */
- req->scratch = 0;
- req->xfer[6].tx_buf = &req->scratch;
+ req->xfer[6].rx_buf = &req->scratch;
req->xfer[6].len = 1;
spi_message_add_tail(&req->xfer[6], &req->msg);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 488/518] Input: touchwin - reset the packet index on every complete packet
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 487/518] Input: ads7846 - dont use scratch for tx_buf when clearing register Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 489/518] Input: mms114 - reject an oversized device packet size Greg Kroah-Hartman
` (33 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 478cdd736f2ce3114f90e775d7358136d3977b94 upstream.
tw_interrupt() accumulates each non-zero serial byte into a fixed
three-byte buffer with a running index that is only reset once a full
packet has been received *and* the device's two Y bytes agree:
tw->data[tw->idx++] = data;
if (tw->idx == TW_LENGTH && tw->data[1] == tw->data[2]) {
...
tw->idx = 0;
}
The reset is gated on tw->data[1] == tw->data[2], a value the device
controls. A malicious, malfunctioning or counterfeit Touchwindow
peripheral can stream non-zero bytes whose 2nd and 3rd bytes differ: the
index reaches TW_LENGTH without the equality holding, is never reset, and
keeps growing, so tw->data[tw->idx++] walks off the end of the three-byte
array and the rest of the heap-allocated struct tw, one attacker-chosen
byte at a time -- an unbounded, device-driven heap out-of-bounds write.
Reset the index on every completed packet and report an event only when
the two Y bytes match, like the other serio touchscreen drivers do.
Fixes: 11ea3173d5f2 ("Input: add driver for Touchwin serial touchscreens")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260613-b4-disp-69921bfd-v1-1-82c036899959@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/touchwin.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/input/touchscreen/touchwin.c
+++ b/drivers/input/touchscreen/touchwin.c
@@ -63,12 +63,15 @@ static irqreturn_t tw_interrupt(struct s
if (data) { /* touch */
tw->touched = 1;
tw->data[tw->idx++] = data;
- /* verify length and that the two Y's are the same */
- if (tw->idx == TW_LENGTH && tw->data[1] == tw->data[2]) {
- input_report_abs(dev, ABS_X, tw->data[0]);
- input_report_abs(dev, ABS_Y, tw->data[1]);
- input_report_key(dev, BTN_TOUCH, 1);
- input_sync(dev);
+ /* a full packet ends the accumulation, valid or not */
+ if (tw->idx == TW_LENGTH) {
+ /* report only if the two Y's are the same */
+ if (tw->data[1] == tw->data[2]) {
+ input_report_abs(dev, ABS_X, tw->data[0]);
+ input_report_abs(dev, ABS_Y, tw->data[1]);
+ input_report_key(dev, BTN_TOUCH, 1);
+ input_sync(dev);
+ }
tw->idx = 0;
}
} else if (tw->touched) { /* untouch */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 489/518] Input: mms114 - reject an oversized device packet size
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 488/518] Input: touchwin - reset the packet index on every complete packet Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 490/518] Input: gscps2 - advance receive buffer write index Greg Kroah-Hartman
` (32 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 66725039f7090afe14c31bd259e2059a68f04023 upstream.
mms114_interrupt() reads a packet of touch data from the device into a
fixed-size on-stack buffer
struct mms114_touch touch[MMS114_MAX_TOUCH];
which holds MMS114_MAX_TOUCH (10) events of MMS114_EVENT_SIZE (8) bytes,
i.e. 80 bytes. The length of the I2C read into it is taken verbatim from
the device:
packet_size = mms114_read_reg(data, MMS114_PACKET_SIZE);
if (packet_size <= 0)
goto out;
...
error = __mms114_read_reg(data, MMS114_INFORMATION, packet_size,
(u8 *)touch);
packet_size is a single device register byte (0x0F) and the only check
is the lower bound packet_size <= 0; it is never bounded against the
size of touch[]. A malfunctioning, malicious or counterfeit controller
(or an attacker tampering with the I2C bus) can report a packet_size of
up to 255, so __mms114_read_reg() writes up to 175 bytes past the end of
touch[] on the IRQ-thread stack: a stack out-of-bounds write that can
overwrite the stack canary, saved registers and the return address.
A well-formed device never reports more than the buffer holds, so reject
an oversized packet and drop the report, consistent with the handler's
other error paths, rather than reading past the buffer.
Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260612-b4-disp-dc4b8dc4-v1-1-d7cb0a828d92@proton.me
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/mms114.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/input/touchscreen/mms114.c
+++ b/drivers/input/touchscreen/mms114.c
@@ -228,6 +228,12 @@ static irqreturn_t mms114_interrupt(int
if (packet_size <= 0)
goto out;
+ if (packet_size > sizeof(touch)) {
+ dev_err(&client->dev, "Invalid packet size %d (max %zu)\n",
+ packet_size, sizeof(touch));
+ goto out;
+ }
+
/* MMS136 has slightly different event size */
if (data->type == TYPE_MMS134S || data->type == TYPE_MMS136)
event_size = MMS136_EVENT_SIZE;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 490/518] Input: gscps2 - advance receive buffer write index
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 489/518] Input: mms114 - reject an oversized device packet size Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 491/518] Input: maplemouse - fix NULL pointer dereference in open() Greg Kroah-Hartman
` (31 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Rao, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Rao <raoxu@uniontech.com>
commit d86d4f8cbb5a55a3b9b86f7b5ab8c4cdda600a3f upstream.
Commit 44f920069911 ("Input: gscps2 - use guard notation when
acquiring spinlock") moved the receive loop into gscps2_read_data()
and gscps2_report_data().
While moving the code, it preserved the writes to
buffer[ps2port->append], but omitted the following producer index
update from the original loop:
ps2port->append = (ps2port->append + 1) & BUFFER_SIZE;
As a result, append never advances. Since gscps2_report_data() only
reports bytes while act != append, the receive buffer always appears
empty and no keyboard or mouse data reaches the serio core.
Restore the omitted index update.
Fixes: 44f920069911 ("Input: gscps2 - use guard notation when acquiring spinlock")
Cc: stable@vger.kernel.org # 6.13+
Signed-off-by: Xu Rao <raoxu@uniontech.com>
Link: https://patch.msgid.link/460B5655BA580C60+20260624094739.850306-1-raoxu@uniontech.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/gscps2.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/input/serio/gscps2.c
+++ b/drivers/input/serio/gscps2.c
@@ -219,6 +219,7 @@ static void gscps2_read_data(struct gscp
ps2port->buffer[ps2port->append].str = status;
ps2port->buffer[ps2port->append].data =
gscps2_readb_input(ps2port->addr);
+ ps2port->append = (ps2port->append + 1) & BUFFER_SIZE;
} while (true);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 491/518] Input: maplemouse - fix NULL pointer dereference in open()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 490/518] Input: gscps2 - advance receive buffer write index Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 492/518] Input: mms114 - fix multi-touch slot corruption Greg Kroah-Hartman
` (30 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Fuchs, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fuchs <fuchsfl@gmail.com>
commit ee89db004238bd0b034f2a6176e175561658750b upstream.
Commit 555c765b0cc2 ("Input: mouse - drop unnecessary calls to
input_set_drvdata") dropped the input_set_drvdata() call in probe
because the data appeared to be unused. However, dc_mouse_open() and
dc_mouse_close() were using maple_get_drvdata(to_maple_dev(&dev->dev)).
This appears to be accessing the data attached to an instance of
maple_device structure, while in reality this actually retrieves driver
data from the input device's embedded struct device (doing invalid
conversion of input device structure to maple device). After
input_set_drvdata() was removed, that lookup started returning NULL and
opening the input device dereferences mse->mdev.
Restore input_set_drvdata() and convert open() and close() to use
input_get_drvdata() so the dependency is no longer hidden.
Fixes: 6b3480855aad ("maple: input: fix up maple mouse driver")
Fixes: 555c765b0cc2 ("Input: mouse - drop unnecessary calls to input_set_drvdata")
Signed-off-by: Florian Fuchs <fuchsfl@gmail.com>
Link: https://patch.msgid.link/20260628230715.2982552-1-fuchsfl@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/maplemouse.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/input/mouse/maplemouse.c
+++ b/drivers/input/mouse/maplemouse.c
@@ -48,7 +48,7 @@ static void dc_mouse_callback(struct map
static int dc_mouse_open(struct input_dev *dev)
{
- struct dc_mouse *mse = maple_get_drvdata(to_maple_dev(&dev->dev));
+ struct dc_mouse *mse = input_get_drvdata(dev);
maple_getcond_callback(mse->mdev, dc_mouse_callback, HZ/50,
MAPLE_FUNC_MOUSE);
@@ -58,7 +58,7 @@ static int dc_mouse_open(struct input_de
static void dc_mouse_close(struct input_dev *dev)
{
- struct dc_mouse *mse = maple_get_drvdata(to_maple_dev(&dev->dev));
+ struct dc_mouse *mse = input_get_drvdata(dev);
maple_getcond_callback(mse->mdev, dc_mouse_callback, 0,
MAPLE_FUNC_MOUSE);
@@ -88,6 +88,7 @@ static int probe_maple_mouse(struct devi
mse->dev = input_dev;
mse->mdev = mdev;
+ input_set_drvdata(input_dev, mse);
input_dev->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
input_dev->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 492/518] Input: mms114 - fix multi-touch slot corruption
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 491/518] Input: maplemouse - fix NULL pointer dereference in open() Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 493/518] Input: maple_keyb - set driver data before registering input device Greg Kroah-Hartman
` (29 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, sashiko-bot, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit adea84ee6cdea611146c4251d3c1616f5a09feca upstream.
If the touchscreen controller reports a touch ID of 0, the driver
calculates the slot ID as touch->id - 1, which underflows to UINT_MAX.
This is passed to input_mt_slot() as -1.
Since the input core ignores negative slot values, the active slot remains
unchanged. The driver then reports the touch coordinates for the previously
active slot, corrupting its state.
Fix this by rejecting touch reports with ID 0.
Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
Cc: stable@vger.kernel.org
Reported-by: sashiko-bot@kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Link: https://patch.msgid.link/20260704060115.353049-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/mms114.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/mms114.c
+++ b/drivers/input/touchscreen/mms114.c
@@ -165,7 +165,7 @@ static void mms114_process_mt(struct mms
unsigned int x;
unsigned int y;
- if (touch->id > MMS114_MAX_TOUCH) {
+ if (touch->id == 0 || touch->id > MMS114_MAX_TOUCH) {
dev_err(&client->dev, "Wrong touch id (%d)\n", touch->id);
return;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 493/518] Input: maple_keyb - set driver data before registering input device
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 492/518] Input: mms114 - fix multi-touch slot corruption Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 494/518] Input: maplemouse " Greg Kroah-Hartman
` (28 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 536394ec81419b67d9f4f0028812c4372397be1b upstream.
Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.
Cc: stable@vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/maple_keyb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/input/keyboard/maple_keyb.c
+++ b/drivers/input/keyboard/maple_keyb.c
@@ -166,6 +166,8 @@ static int probe_maple_kbd(struct device
kbd->dev = idev;
memcpy(kbd->keycode, dc_kbd_keycode, sizeof(kbd->keycode));
+ maple_set_drvdata(mdev, kbd);
+
idev->name = mdev->product_name;
idev->evbit[0] = BIT(EV_KEY) | BIT(EV_REP);
idev->keycode = kbd->keycode;
@@ -190,8 +192,6 @@ static int probe_maple_kbd(struct device
mdev->driver = mdrv;
- maple_set_drvdata(mdev, kbd);
-
return error;
fail_register:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 494/518] Input: maplemouse - set driver data before registering input device
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 493/518] Input: maple_keyb - set driver data before registering input device Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 495/518] Input: maplecontrol " Greg Kroah-Hartman
` (27 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Fuchs, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 738f24bbbc95dd50cb4229d1ed62a05f29db2bda upstream.
Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.
Cc: stable@vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Tested-by: Florian Fuchs <fuchsfl@gmail.com>
Link: https://patch.msgid.link/akNXw45L_8bxD6QV@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/maplemouse.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/input/mouse/maplemouse.c
+++ b/drivers/input/mouse/maplemouse.c
@@ -88,6 +88,8 @@ static int probe_maple_mouse(struct devi
mse->dev = input_dev;
mse->mdev = mdev;
+ maple_set_drvdata(mdev, mse);
+
input_set_drvdata(input_dev, mse);
input_dev->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
input_dev->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
@@ -103,12 +105,12 @@ static int probe_maple_mouse(struct devi
goto fail_register;
mdev->driver = mdrv;
- maple_set_drvdata(mdev, mse);
return error;
fail_register:
input_free_device(input_dev);
+ maple_set_drvdata(mdev, NULL);
fail_nomem:
kfree(mse);
fail:
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 495/518] Input: maplecontrol - set driver data before registering input device
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 494/518] Input: maplemouse " Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 496/518] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg Greg Kroah-Hartman
` (26 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Fuchs, Dmitry Torokhov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit fe938ee497d58c644f6910cfe6ae155f6fb3e523 upstream.
Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.
Cc: stable@vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Tested-by: Florian Fuchs <fuchsfl@gmail.com>
Link: https://patch.msgid.link/akNYib9hQFNN1fA9@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/joystick/maplecontrol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/input/joystick/maplecontrol.c
+++ b/drivers/input/joystick/maplecontrol.c
@@ -112,6 +112,8 @@ static int probe_maple_controller(struct
pad->dev = idev;
pad->mdev = mdev;
+ maple_set_drvdata(mdev, pad);
+
idev->open = dc_pad_open;
idev->close = dc_pad_close;
@@ -146,7 +148,6 @@ static int probe_maple_controller(struct
goto fail;
mdev->driver = mdrv;
- maple_set_drvdata(mdev, pad);
return 0;
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 496/518] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 495/518] Input: maplecontrol " Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 497/518] RDMA/core: Fix broadcast address falsely detected as local Greg Kroah-Hartman
` (25 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Zhenhao Wan,
Md Haris Iqbal, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenhao Wan <whi4ed0g@gmail.com>
commit 963af8d97a8c6a117134a8d0db1415e0489200b1 upstream.
When the server answers an RTRS READ, rdma_write_sg() builds the source
scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
peer. Its length is taken directly from the wire descriptor:
plist->length = le32_to_cpu(id->rd_msg->desc[0].len);
rd_msg points into the chunk buffer that the remote peer filled via
RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
process_read()), so desc[0].len is attacker-controlled and, before this
change, was only rejected when zero. The source address is the fixed
chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
layer does not constrain the transfer length to max_chunk_size. msg_id
and off are bounded against queue_depth and max_chunk_size in
rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
checked against the chunk size.
A peer that advertises desc[0].len larger than max_chunk_size can make
the posted RDMA write read past the chunk's mapped region. The resulting
behaviour depends on the IOMMU configuration: with no IOMMU or in
passthrough mode the read may extend into memory adjacent to the chunk
and be returned to the peer, which can disclose host memory; with a
translating IOMMU the out-of-range access is expected to fault and abort
the connection. In either case the transfer exceeds what the protocol
permits and is driven by a remote peer.
Reject a descriptor length above max_chunk_size, mirroring the existing
off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
do not exceed it: the client sets desc[0].len to its MR length, which is
capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).
Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
Link: https://patch.msgid.link/r/20260612-master-v1-1-70cde5c6fdc9@gmail.com
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -225,8 +225,9 @@ static int rdma_write_sg(struct rtrs_srv
/* WR will fail with length error
* if this is 0
*/
- if (plist->length == 0) {
- rtrs_err(s, "Invalid RDMA-Write sg list length 0\n");
+ if (plist->length == 0 || plist->length > max_chunk_size) {
+ rtrs_err(s, "Invalid RDMA-Write sg list length %u\n",
+ plist->length);
return -EINVAL;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 497/518] RDMA/core: Fix broadcast address falsely detected as local
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 496/518] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 498/518] RDMA/siw: bound Read Response placement to the RREAD length Greg Kroah-Hartman
` (24 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maher Sanalla, Vlad Dumitrescu,
Edward Srouji, Parav Pandit, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maher Sanalla <msanalla@nvidia.com>
commit 942cd47faa2047b46dfd85745603eba9006973e6 upstream.
When rdma_resolve_addr() is invoked with a broadcast destination on an
IPoIB interface, is_dst_local() inspects the resolved route and
incorrectly concludes that the address is local. As a result, the
resolution fails with -ENODEV.
The issue stems from using '&' to compare rt_type with RTN_LOCAL. The
RTN_* values form a sequential enum, not a bitmask (RTN_LOCAL=2,
RTN_BROADCAST=3). Thus, "rt_type & RTN_LOCAL" yields a non-zero result
for a broadcast route as well.
Replace '&' with '==' when comparing rt_type against RTN_LOCAL.
Link: https://patch.msgid.link/r/20260609-fix-rdma-resolve-addr-v1-1-449b8b4e6c09@nvidia.com
Cc: stable@vger.kernel.org
Fixes: c31e4038c97f ("RDMA/core: Use route entry flag to decide on loopback traffic")
Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
Reviewed-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/addr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -438,7 +438,7 @@ static int addr6_resolve(struct sockaddr
static bool is_dst_local(const struct dst_entry *dst)
{
if (dst->ops->family == AF_INET)
- return !!(dst_rtable(dst)->rt_type & RTN_LOCAL);
+ return dst_rtable(dst)->rt_type == RTN_LOCAL;
else if (dst->ops->family == AF_INET6)
return !!(dst_rt6_info(dst)->rt6i_flags & RTF_LOCAL);
else
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 498/518] RDMA/siw: bound Read Response placement to the RREAD length
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 497/518] RDMA/core: Fix broadcast address falsely detected as local Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 499/518] fuse: back uncached readdir buffers with pages Greg Kroah-Hartman
` (23 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jason Gunthorpe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 7d29f7e9dbd844cae4d3e559cf78324b9642fd6b upstream.
In drivers/infiniband/sw/siw/siw_qp_rx.c, siw_proc_rresp() places each
inbound Read Response DDP segment at sge->laddr + wqe->processed and then
accumulates wqe->processed, but it never checks the running total against
the sink buffer length on continuation segments. siw_check_sge() resolves
and validates the sink memory only on the first fragment (the if (!*mem)
branch), and siw_rresp_check_ntoh() compares the cumulative length against
wqe->bytes only on the final segment (the !frx->more_ddp_segs guard).
A connected siw peer that answers an outstanding RREAD with Read Response
segments that keep the DDP Last flag clear, carrying more total payload
than the RREAD requested, drives wqe->processed past the validated sink
buffer; the next siw_rx_data() call writes out of bounds at
sge->laddr + wqe->processed. siw runs iWARP over ordinary routable TCP,
so the peer is the remote end of an established RDMA connection and needs
no local privilege.
Bound every segment before placement, exactly as siw_proc_send() and
siw_proc_write() already do for their tagged and untagged paths, and
terminate the connection with a base-or-bounds DDP error when the
Read Response would overrun the sink buffer.
This is the second receive-path length fix for this file. A separate
change rejects an MPA FPDU length that underflows the per-fragment
remainder in the header decode; that guard does not cover this case,
because here each individual segment length is self-consistent and only
the accumulated placement offset overruns the buffer.
Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
Link: https://patch.msgid.link/r/20260602194700.2273758-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/siw/siw_qp_rx.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
@@ -844,6 +844,15 @@ int siw_proc_rresp(struct siw_qp *qp)
}
mem_p = *mem;
+ if (unlikely(wqe->processed + srx->fpdu_part_rem > wqe->bytes)) {
+ siw_dbg_qp(qp, "rresp len: %d + %d > %d\n",
+ wqe->processed, srx->fpdu_part_rem, wqe->bytes);
+ wqe->wc_status = SIW_WC_LOC_LEN_ERR;
+ siw_init_terminate(qp, TERM_ERROR_LAYER_DDP,
+ DDP_ETYPE_TAGGED_BUF,
+ DDP_ECODE_T_BASE_BOUNDS, 0);
+ return -EINVAL;
+ }
bytes = min(srx->fpdu_part_rem, srx->skb_new);
rv = siw_rx_data(mem_p, srx, &frx->pbl_idx,
sge->laddr + wqe->processed, bytes);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 499/518] fuse: back uncached readdir buffers with pages
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 498/518] RDMA/siw: bound Read Response placement to the RREAD length Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 500/518] fuse: avoid 32-bit prune notification count wrap Greg Kroah-Hartman
` (22 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew R. Ochs, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew R. Ochs <mochs@nvidia.com>
commit 4dd6f6d3085a84e74b0a1efec3a05ed0b5125dce upstream.
Commit dabb90391028 ("fuse: increase readdir buffer size") changed
fuse_readdir_uncached() to size its temporary buffer from ctx->count.
This is useful for overlayfs and other in-kernel callers that use
INT_MAX to indicate an unlimited directory read.
The larger buffer is currently supplied as a kvec output argument. For
virtiofs, kvec arguments are copied through req->argbuf, which is
allocated with kmalloc(..., GFP_ATOMIC). A large uncached readdir buffer
can therefore require a multi-megabyte contiguous atomic allocation
before the request is queued.
Avoid the large bounce-buffer allocation by backing uncached readdir
output with pages and setting out_pages. Transports such as virtiofs can
then pass the pages as scatter-gather entries instead of copying the
output through argbuf.
Map the pages with vm_map_ram() only while parsing the returned dirents.
The existing parser can then continue to use a linear kernel mapping.
[SzM: separate allocation of pages into a helper function]
Fixes: dabb90391028 ("fuse: increase readdir buffer size")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew R. Ochs <mochs@nvidia.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/readdir.c | 85 ++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 67 insertions(+), 18 deletions(-)
--- a/fs/fuse/readdir.c
+++ b/fs/fuse/readdir.c
@@ -12,6 +12,7 @@
#include <linux/posix_acl.h>
#include <linux/pagemap.h>
#include <linux/highmem.h>
+#include <linux/vmalloc.h>
static bool fuse_use_readdirplus(struct inode *dir, struct dir_context *ctx)
{
@@ -335,6 +336,43 @@ static int parse_dirplusfile(char *buf,
return 0;
}
+static struct page **fuse_readdir_alloc_buf(struct fuse_args_pages *ap, size_t *bufsize)
+{
+ unsigned int i, nr_alloc, nr_pages = DIV_ROUND_UP(*bufsize, PAGE_SIZE);
+ struct page **pages = kcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
+
+ if (!pages)
+ return NULL;
+
+ nr_alloc = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
+ if (!nr_alloc)
+ goto free_array;
+
+ if (nr_alloc < nr_pages) {
+ nr_pages = nr_alloc;
+ *bufsize = (size_t) nr_pages << PAGE_SHIFT;
+ }
+
+ ap->folios = fuse_folios_alloc(nr_pages, GFP_KERNEL, &ap->descs);
+ if (!ap->folios)
+ goto release_pages;
+
+ for (i = 0; i < nr_pages; i++) {
+ ap->folios[i] = page_folio(pages[i]);
+ ap->descs[i].length = min_t(size_t, *bufsize - (size_t)i * PAGE_SIZE, PAGE_SIZE);
+ }
+ ap->num_folios = nr_pages;
+ ap->args.out_pages = true;
+
+ return pages;
+
+release_pages:
+ release_pages(pages, nr_pages);
+free_array:
+ kfree(pages);
+ return NULL;
+}
+
static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
{
int plus;
@@ -343,18 +381,16 @@ static int fuse_readdir_uncached(struct
struct fuse_mount *fm = get_fuse_mount(inode);
struct fuse_conn *fc = fm->fc;
struct fuse_io_args ia = {};
- struct fuse_args *args = &ia.ap.args;
+ struct fuse_args_pages *ap = &ia.ap;
void *buf;
size_t bufsize = clamp((unsigned int) ctx->count, PAGE_SIZE, fc->max_pages << PAGE_SHIFT);
u64 attr_version = 0, evict_ctr = 0;
bool locked;
+ struct page **pages = fuse_readdir_alloc_buf(ap, &bufsize);
- buf = kvmalloc(bufsize, GFP_KERNEL);
- if (!buf)
+ if (!pages)
return -ENOMEM;
- args->out_args[0].value = buf;
-
plus = fuse_use_readdirplus(inode, ctx);
if (plus) {
attr_version = fuse_get_attr_version(fm->fc);
@@ -364,24 +400,37 @@ static int fuse_readdir_uncached(struct
fuse_read_args_fill(&ia, file, ctx->pos, bufsize, FUSE_READDIR);
}
locked = fuse_lock_inode(inode);
- res = fuse_simple_request(fm, args);
+ res = fuse_simple_request(fm, &ap->args);
fuse_unlock_inode(inode, locked);
- if (res >= 0) {
- if (!res) {
- struct fuse_file *ff = file->private_data;
-
- if (ff->open_flags & FOPEN_CACHE_DIR)
- fuse_readdir_cache_end(file, ctx->pos);
- } else if (plus) {
- res = parse_dirplusfile(buf, res, file, ctx, attr_version,
- evict_ctr);
- } else {
+ if (res < 0)
+ goto out;
+
+ if (!res) {
+ struct fuse_file *ff = file->private_data;
+
+ if (ff->open_flags & FOPEN_CACHE_DIR)
+ fuse_readdir_cache_end(file, ctx->pos);
+ goto out;
+ }
+
+ buf = vm_map_ram(pages, ap->num_folios, -1);
+ if (!buf) {
+ res = -ENOMEM;
+ } else {
+ if (plus)
+ res = parse_dirplusfile(buf, res, file, ctx, attr_version, evict_ctr);
+ else
res = parse_dirfile(buf, res, file, ctx);
- }
+
+ vm_unmap_ram(buf, ap->num_folios);
}
+out:
+ kfree(ap->folios);
+ release_pages(pages, ap->num_folios);
+ kfree(pages);
- kvfree(buf);
fuse_invalidate_atime(inode);
+
return res;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 500/518] fuse: avoid 32-bit prune notification count wrap
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 499/518] fuse: back uncached readdir buffers with pages Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 501/518] Revert "fuse: fix conversion of fuse_reverse_inval_entry() to start_removing()" Greg Kroah-Hartman
` (21 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Moelius, Joanne Koong,
Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Moelius <sam.moelius@trailofbits.com>
commit 54243797cedf55447b4c5d560e8cd709900061ae upstream.
FUSE_NOTIFY_PRUNE validates the nodeid payload length with:
size - sizeof(outarg) != outarg.count * sizeof(u64)
On 32-bit kernels, size_t is also 32 bits, so the daemon-controlled
count multiplication can wrap. A prune notification with count
0x20000000 and no nodeid payload passes the check, enters the copy
loop, and asks the device copy path to read nodeids that are not
present in the userspace write buffer. In QEMU this reaches the
fuse_copy_fill() BUG_ON(!err) path.
Validate the payload length with array_size() instead. That accepts
exactly the same valid messages, but avoids wrapping arithmetic before
the copy loop consumes the count.
Assisted-by: Codex:gpt-5.5-cyber-preview
Fixes: 3f29d59e92a9 ("fuse: add prune notification")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 2
fs/fuse/notify.c | 434 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 435 insertions(+), 1 deletion(-)
create mode 100644 fs/fuse/notify.c
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2072,7 +2072,7 @@ static int fuse_notify_prune(struct fuse
if (err)
return err;
- if (size - sizeof(outarg) != outarg.count * sizeof(u64))
+ if (size - sizeof(outarg) != array_size(outarg.count, sizeof(u64)))
return -EINVAL;
for (; outarg.count; outarg.count -= num) {
--- /dev/null
+++ b/fs/fuse/notify.c
@@ -0,0 +1,434 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include "dev.h"
+#include "fuse_i.h"
+#include <linux/pagemap.h>
+
+static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_poll_wakeup_out outarg;
+ int err;
+
+ if (size != sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+
+ fuse_copy_finish(cs);
+ return fuse_notify_poll_wakeup(fc, &outarg);
+}
+
+static int fuse_notify_inval_inode(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_inval_inode_out outarg;
+ int err;
+
+ if (size != sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+ fuse_copy_finish(cs);
+
+ down_read(&fc->killsb);
+ err = fuse_reverse_inval_inode(fc, outarg.ino,
+ outarg.off, outarg.len);
+ up_read(&fc->killsb);
+ return err;
+}
+
+static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_inval_entry_out outarg;
+ int err;
+ char *buf;
+ struct qstr name;
+
+ if (size < sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+
+ if (outarg.namelen > fc->name_max)
+ return -ENAMETOOLONG;
+
+ err = -EINVAL;
+ if (size != sizeof(outarg) + outarg.namelen + 1)
+ return -EINVAL;
+
+ buf = kzalloc(outarg.namelen + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ name.name = buf;
+ name.len = outarg.namelen;
+ err = fuse_copy_one(cs, buf, outarg.namelen + 1);
+ if (err)
+ goto err;
+ fuse_copy_finish(cs);
+ buf[outarg.namelen] = 0;
+
+ down_read(&fc->killsb);
+ err = fuse_reverse_inval_entry(fc, outarg.parent, 0, &name, outarg.flags);
+ up_read(&fc->killsb);
+err:
+ kfree(buf);
+ return err;
+}
+
+static int fuse_notify_delete(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_delete_out outarg;
+ int err;
+ char *buf;
+ struct qstr name;
+
+ if (size < sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+
+ if (outarg.namelen > fc->name_max)
+ return -ENAMETOOLONG;
+
+ if (size != sizeof(outarg) + outarg.namelen + 1)
+ return -EINVAL;
+
+ buf = kzalloc(outarg.namelen + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ name.name = buf;
+ name.len = outarg.namelen;
+ err = fuse_copy_one(cs, buf, outarg.namelen + 1);
+ if (err)
+ goto err;
+ fuse_copy_finish(cs);
+ buf[outarg.namelen] = 0;
+
+ down_read(&fc->killsb);
+ err = fuse_reverse_inval_entry(fc, outarg.parent, outarg.child, &name, 0);
+ up_read(&fc->killsb);
+err:
+ kfree(buf);
+ return err;
+}
+
+static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_store_out outarg;
+ struct inode *inode;
+ struct address_space *mapping;
+ u64 nodeid;
+ int err;
+ unsigned int num;
+ loff_t file_size;
+ loff_t pos;
+ loff_t end;
+
+ if (size < sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+
+ if (size - sizeof(outarg) != outarg.size)
+ return -EINVAL;
+
+ if (outarg.offset >= MAX_LFS_FILESIZE)
+ return -EINVAL;
+
+ nodeid = outarg.nodeid;
+ pos = outarg.offset;
+ num = min(outarg.size, MAX_LFS_FILESIZE - pos);
+
+ down_read(&fc->killsb);
+
+ err = -ENOENT;
+ inode = fuse_ilookup(fc, nodeid, NULL);
+ if (!inode)
+ goto out_up_killsb;
+
+ mapping = inode->i_mapping;
+ file_size = i_size_read(inode);
+ end = pos + num;
+ if (end > file_size) {
+ file_size = end;
+ fuse_write_update_attr(inode, file_size, num);
+ }
+
+ while (num) {
+ struct folio *folio;
+ unsigned int folio_offset;
+ unsigned int nr_bytes;
+ pgoff_t index = pos >> PAGE_SHIFT;
+
+ folio = filemap_grab_folio(mapping, index);
+ err = PTR_ERR(folio);
+ if (IS_ERR(folio))
+ goto out_iput;
+
+ folio_offset = offset_in_folio(folio, pos);
+ nr_bytes = min(num, folio_size(folio) - folio_offset);
+
+ err = fuse_copy_folio(cs, &folio, folio_offset, nr_bytes, 0);
+ if (!folio_test_uptodate(folio) && !err && folio_offset == 0 &&
+ (nr_bytes == folio_size(folio) || file_size == end)) {
+ folio_zero_segment(folio, nr_bytes, folio_size(folio));
+ folio_mark_uptodate(folio);
+ }
+ folio_unlock(folio);
+ folio_put(folio);
+
+ if (err)
+ goto out_iput;
+
+ pos += nr_bytes;
+ num -= nr_bytes;
+ }
+
+ err = 0;
+
+out_iput:
+ iput(inode);
+out_up_killsb:
+ up_read(&fc->killsb);
+ return err;
+}
+
+struct fuse_retrieve_args {
+ struct fuse_args_pages ap;
+ struct fuse_notify_retrieve_in inarg;
+};
+
+static void fuse_retrieve_end(struct fuse_args *args, int error)
+{
+ struct fuse_retrieve_args *ra =
+ container_of(args, typeof(*ra), ap.args);
+
+ release_pages(ra->ap.folios, ra->ap.num_folios);
+ kfree(ra);
+}
+
+static int fuse_retrieve(struct fuse_mount *fm, struct inode *inode,
+ struct fuse_notify_retrieve_out *outarg)
+{
+ int err;
+ struct address_space *mapping = inode->i_mapping;
+ loff_t file_size;
+ unsigned int num;
+ unsigned int offset;
+ size_t total_len = 0;
+ unsigned int num_pages;
+ struct fuse_conn *fc = fm->fc;
+ struct fuse_retrieve_args *ra;
+ size_t args_size = sizeof(*ra);
+ struct fuse_args_pages *ap;
+ struct fuse_args *args;
+ loff_t pos = outarg->offset;
+
+ offset = offset_in_page(pos);
+ file_size = i_size_read(inode);
+
+ num = min(outarg->size, fc->max_write);
+ if (pos > file_size)
+ num = 0;
+ else if (num > file_size - pos)
+ num = file_size - pos;
+
+ num_pages = DIV_ROUND_UP(num + offset, PAGE_SIZE);
+ num_pages = min(num_pages, fc->max_pages);
+ num = min(num, num_pages << PAGE_SHIFT);
+
+ args_size += num_pages * (sizeof(ap->folios[0]) + sizeof(ap->descs[0]));
+
+ ra = kzalloc(args_size, GFP_KERNEL);
+ if (!ra)
+ return -ENOMEM;
+
+ ap = &ra->ap;
+ ap->folios = (void *) (ra + 1);
+ ap->descs = (void *) (ap->folios + num_pages);
+
+ args = &ap->args;
+ args->nodeid = outarg->nodeid;
+ args->opcode = FUSE_NOTIFY_REPLY;
+ args->in_numargs = 3;
+ args->in_pages = true;
+ args->end = fuse_retrieve_end;
+
+ while (num && ap->num_folios < num_pages) {
+ struct folio *folio;
+ unsigned int folio_offset;
+ unsigned int nr_bytes;
+ pgoff_t index = pos >> PAGE_SHIFT;
+
+ folio = filemap_get_folio(mapping, index);
+ if (IS_ERR(folio))
+ break;
+
+ folio_offset = offset_in_folio(folio, pos);
+ nr_bytes = min(folio_size(folio) - folio_offset, num);
+
+ ap->folios[ap->num_folios] = folio;
+ ap->descs[ap->num_folios].offset = folio_offset;
+ ap->descs[ap->num_folios].length = nr_bytes;
+ ap->num_folios++;
+
+ pos += nr_bytes;
+ num -= nr_bytes;
+ total_len += nr_bytes;
+ }
+ ra->inarg.offset = outarg->offset;
+ ra->inarg.size = total_len;
+ fuse_set_zero_arg0(args);
+ args->in_args[1].size = sizeof(ra->inarg);
+ args->in_args[1].value = &ra->inarg;
+ args->in_args[2].size = total_len;
+
+ err = fuse_simple_notify_reply(fm, args, outarg->notify_unique);
+ if (err)
+ fuse_retrieve_end(args, err);
+
+ return err;
+}
+
+static int fuse_notify_retrieve(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_retrieve_out outarg;
+ struct fuse_mount *fm;
+ struct inode *inode;
+ u64 nodeid;
+ int err;
+
+ if (size != sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+
+ fuse_copy_finish(cs);
+
+ if (outarg.offset >= MAX_LFS_FILESIZE)
+ return -EINVAL;
+
+ down_read(&fc->killsb);
+ err = -ENOENT;
+ nodeid = outarg.nodeid;
+
+ inode = fuse_ilookup(fc, nodeid, &fm);
+ if (inode) {
+ err = fuse_retrieve(fm, inode, &outarg);
+ iput(inode);
+ }
+ up_read(&fc->killsb);
+
+ return err;
+}
+
+static int fuse_notify_resend(struct fuse_conn *fc)
+{
+ fuse_chan_resend(fc->chan);
+ return 0;
+}
+
+/*
+ * Increments the fuse connection epoch. This will result of dentries from
+ * previous epochs to be invalidated. Additionally, if inval_wq is set, a work
+ * queue is scheduled to trigger the invalidation.
+ */
+static int fuse_notify_inc_epoch(struct fuse_conn *fc)
+{
+ atomic_inc(&fc->epoch);
+ if (inval_wq)
+ schedule_work(&fc->epoch_work);
+
+ return 0;
+}
+
+static int fuse_notify_prune(struct fuse_conn *fc, unsigned int size,
+ struct fuse_copy_state *cs)
+{
+ struct fuse_notify_prune_out outarg;
+ const unsigned int batch = 512;
+ u64 *nodeids __free(kfree) = kmalloc(sizeof(u64) * batch, GFP_KERNEL);
+ unsigned int num, i;
+ int err;
+
+ if (!nodeids)
+ return -ENOMEM;
+
+ if (size < sizeof(outarg))
+ return -EINVAL;
+
+ err = fuse_copy_one(cs, &outarg, sizeof(outarg));
+ if (err)
+ return err;
+
+ if (size - sizeof(outarg) != array_size(outarg.count, sizeof(u64)))
+ return -EINVAL;
+
+ for (; outarg.count; outarg.count -= num) {
+ num = min(batch, outarg.count);
+ err = fuse_copy_one(cs, nodeids, num * sizeof(u64));
+ if (err)
+ return err;
+
+ scoped_guard(rwsem_read, &fc->killsb) {
+ for (i = 0; i < num; i++)
+ fuse_try_prune_one_inode(fc, nodeids[i]);
+ }
+ }
+ return 0;
+}
+
+int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
+ unsigned int size, struct fuse_copy_state *cs)
+{
+ switch (code) {
+ case FUSE_NOTIFY_POLL:
+ return fuse_notify_poll(fc, size, cs);
+
+ case FUSE_NOTIFY_INVAL_INODE:
+ return fuse_notify_inval_inode(fc, size, cs);
+
+ case FUSE_NOTIFY_INVAL_ENTRY:
+ return fuse_notify_inval_entry(fc, size, cs);
+
+ case FUSE_NOTIFY_STORE:
+ return fuse_notify_store(fc, size, cs);
+
+ case FUSE_NOTIFY_RETRIEVE:
+ return fuse_notify_retrieve(fc, size, cs);
+
+ case FUSE_NOTIFY_DELETE:
+ return fuse_notify_delete(fc, size, cs);
+
+ case FUSE_NOTIFY_RESEND:
+ return fuse_notify_resend(fc);
+
+ case FUSE_NOTIFY_INC_EPOCH:
+ return fuse_notify_inc_epoch(fc);
+
+ case FUSE_NOTIFY_PRUNE:
+ return fuse_notify_prune(fc, size, cs);
+
+ default:
+ return -EINVAL;
+ }
+}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 501/518] Revert "fuse: fix conversion of fuse_reverse_inval_entry() to start_removing()"
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 500/518] fuse: avoid 32-bit prune notification count wrap Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 502/518] fuse: fix device node leak in cuse_process_init_reply() Greg Kroah-Hartman
` (20 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Артем Лабазов,
NeilBrown, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit c12bbaf7c2d19325913ffd7002e580e63952d9e2 upstream.
This reverts commit cab012375122304a6343c1ed09404e5143b9dc01.
Commit c9ba789dad15 ("VFS: introduce start_creating_noperm() and
start_removing_noperm()") caused a regression in FUSE_NOTIFY_INVAL_ENTRY,
which failed to invalidate negative dentries.
This manifests in the filesystem returning -ENOENT for operations on an
existing file.
Fixing it properly while still keeping the start_removing* infrastructure
would add much additional complexity.
Instead revert to the original simple implementation.
The start_removing* infrastructure is needed in VFS to abstract the
filesystem locking. However filesystem code can still safely use the raw
locking primitives without affacting other filesystems.
This is part one of the revert.
Reported-by: Артем Лабазов <123321artyom@gmail.com>
Closes: https://lore.kernel.org/all/CAFbF8N7++zopZuEcsKRxBV_sgOGCbzCY0hOyMw1SiGAtuzGhyQ@mail.gmail.com/
Fixes: c9ba789dad15 ("VFS: introduce start_creating_noperm() and start_removing_noperm()")
Cc: stable@vger.kernel.org # 6.19
Cc: NeilBrown <neilb@ownmail.net>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dir.c | 23 +++++++----------------
1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index b658b6baf72f..6b05846c9bed 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1587,8 +1587,8 @@ int fuse_reverse_inval_entry(struct fuse_conn *fc, u64 parent_nodeid,
{
int err = -ENOTDIR;
struct inode *parent;
- struct dentry *dir = NULL;
- struct dentry *entry = NULL;
+ struct dentry *dir;
+ struct dentry *entry;
parent = fuse_ilookup(fc, parent_nodeid, NULL);
if (!parent)
@@ -1601,19 +1601,11 @@ int fuse_reverse_inval_entry(struct fuse_conn *fc, u64 parent_nodeid,
dir = d_find_alias(parent);
if (!dir)
goto put_parent;
- while (!entry) {
- struct dentry *child = try_lookup_noperm(name, dir);
- if (!child || IS_ERR(child))
- goto put_parent;
- entry = start_removing_dentry(dir, child);
- dput(child);
- if (IS_ERR(entry))
- goto put_parent;
- if (!d_same_name(entry, dir, name)) {
- end_removing(entry);
- entry = NULL;
- }
- }
+
+ entry = start_removing_noperm(dir, name);
+ dput(dir);
+ if (IS_ERR(entry))
+ goto put_parent;
fuse_dir_changed(parent);
if (!(flags & FUSE_EXPIRE_ONLY))
@@ -1651,7 +1643,6 @@ int fuse_reverse_inval_entry(struct fuse_conn *fc, u64 parent_nodeid,
end_removing(entry);
put_parent:
- dput(dir);
iput(parent);
return err;
}
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 502/518] fuse: fix device node leak in cuse_process_init_reply()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 501/518] Revert "fuse: fix conversion of fuse_reverse_inval_entry() to start_removing()" Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 503/518] fuse: do not use start_removing_noperm() Greg Kroah-Hartman
` (19 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alberto Ruiz, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alberto Ruiz <aruiz@redhat.com>
commit 9fa4f7a53406430ee9982f2f636a15b338185122 upstream.
If device_add() succeeds during CUSE initialization but a subsequent
step (cdev_alloc() or cdev_add()) fails, the error path calls
put_device() without first calling device_del(). This leaks the
devtmpfs entry created by device_add(), leaving a stale /dev/<name>
node that persists until reboot.
Since the cuse_conn is never linked into cuse_conntbl on the failure
path, cuse_channel_release() sees cc->dev == NULL and skips
device_unregister(), so no other code path cleans up the node.
This has several consequences:
- The device name is permanently poisoned: any subsequent attempt to
create a CUSE device with the same name hits the stale sysfs entry,
device_add() fails, and the new device is aborted.
- The collision manifests as ENODEV returned to userspace with no
dmesg diagnostic, making it very difficult to debug.
- The failure is self-perpetuating: once a name is leaked, all future
attempts with that name fail identically.
Fix this by introducing an err_dev label that calls device_del() to
undo device_add() before falling through to err_unlock. The existing
err_unlock path from a device_add() failure correctly skips device_del()
since the device was never added.
Testing instructions can be found at the lore link below.
Link: https://lore.kernel.org/all/20260408-wip-cuse-leak-fix-v1-0-1c028d575e97@redhat.com/
Signed-off-by: Alberto Ruiz <aruiz@redhat.com>
Fixes: 151060ac1314 ("CUSE: implement CUSE - Character device in Userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/cuse.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/fuse/cuse.c
+++ b/fs/fuse/cuse.c
@@ -391,7 +391,7 @@ static void cuse_process_init_reply(stru
rc = -ENOMEM;
cdev = cdev_alloc();
if (!cdev)
- goto err_unlock;
+ goto err_dev;
cdev->owner = THIS_MODULE;
cdev->ops = &cuse_frontend_fops;
@@ -417,6 +417,8 @@ out:
err_cdev:
cdev_del(cdev);
+err_dev:
+ device_del(dev);
err_unlock:
mutex_unlock(&cuse_lock);
put_device(dev);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 503/518] fuse: do not use start_removing_noperm()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 502/518] fuse: fix device node leak in cuse_process_init_reply() Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 504/518] fuse: re-lock request before returning from fuse_ref_folio() Greg Kroah-Hartman
` (18 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Артем Лабазов,
NeilBrown, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit 6e1b235627bb1172d27c1b2ea7bf53e67dbced8d upstream.
Revert the fuse part of commit c9ba789dad15 ("VFS: introduce
start_creating_noperm() and start_removing_noperm()").
Commit c9ba789dad15 ("VFS: introduce start_creating_noperm() and
start_removing_noperm()") caused a regression in FUSE_NOTIFY_INVAL_ENTRY,
which failed to invalidate negative dentries.
This manifests in the filesystem returning -ENOENT for operations on an
existing file.
Fixing it properly while still keeping the start_removing* infrastructure
would add much additional complexity.
Instead revert to the original simple implementation.
The start_removing* infrastructure is needed in VFS to abstract the
filesystem locking. However filesystem code can still safely use the raw
locking primitives without affacting other filesystems.
This is part two of the revert.
Reported-by: Артем Лабазов <123321artyom@gmail.com>
Closes: https://lore.kernel.org/all/CAFbF8N7++zopZuEcsKRxBV_sgOGCbzCY0hOyMw1SiGAtuzGhyQ@mail.gmail.com/
Fixes: c9ba789dad15 ("VFS: introduce start_creating_noperm() and start_removing_noperm()")
Cc: stable@vger.kernel.org # 6.19
Cc: NeilBrown <neilb@ownmail.net>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dir.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 6b05846c9bed..97751bacb79c 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1594,25 +1594,27 @@ int fuse_reverse_inval_entry(struct fuse_conn *fc, u64 parent_nodeid,
if (!parent)
return -ENOENT;
+ inode_lock_nested(parent, I_MUTEX_PARENT);
if (!S_ISDIR(parent->i_mode))
- goto put_parent;
+ goto unlock;
err = -ENOENT;
dir = d_find_alias(parent);
if (!dir)
- goto put_parent;
+ goto unlock;
- entry = start_removing_noperm(dir, name);
+ name->hash = full_name_hash(dir, name->name, name->len);
+ entry = d_lookup(dir, name);
dput(dir);
- if (IS_ERR(entry))
- goto put_parent;
+ if (!entry)
+ goto unlock;
fuse_dir_changed(parent);
if (!(flags & FUSE_EXPIRE_ONLY))
d_invalidate(entry);
fuse_invalidate_entry_cache(entry);
- if (child_nodeid != 0) {
+ if (child_nodeid != 0 && d_really_is_positive(entry)) {
inode_lock(d_inode(entry));
if (get_node_id(d_inode(entry)) != child_nodeid) {
err = -ENOENT;
@@ -1640,9 +1642,10 @@ int fuse_reverse_inval_entry(struct fuse_conn *fc, u64 parent_nodeid,
} else {
err = 0;
}
+ dput(entry);
- end_removing(entry);
- put_parent:
+ unlock:
+ inode_unlock(parent);
iput(parent);
return err;
}
--
2.55.0
^ permalink raw reply related [flat|nested] 524+ messages in thread* [PATCH 7.1 504/518] fuse: re-lock request before returning from fuse_ref_folio()
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 503/518] fuse: do not use start_removing_noperm() Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 505/518] fuse: fix io-uring background queue dispatch on request completion Greg Kroah-Hartman
` (17 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joanne Koong, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit b5befa80fdbe287a98480effed9564712924add5 upstream.
fuse_ref_folio() unlocks the request but does not re-lock it before
returning. fuse_chan_abort() can end the request and the async end
callback (eg fuse_writepage_free()) can free the args while the
subsequent copy chain logic after fuse_ref_folio() accesses them,
leading to use-after-free issues.
Fix this by locking the request in fuse_ref_folio() before returning.
Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1106,7 +1106,7 @@ static int fuse_ref_folio(struct fuse_co
cs->nr_segs++;
cs->len = 0;
- return 0;
+ return lock_request(cs->req);
}
/*
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 505/518] fuse: fix io-uring background queue dispatch on request completion
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 504/518] fuse: re-lock request before returning from fuse_ref_folio() Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 506/518] fuse: dont block in fuse_get_dev() for non-sync_init case Greg Kroah-Hartman
` (16 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Schubert, Joanne Koong,
Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit 31da059891bd3be9c6e59280b8e1777ead90db34 upstream.
When a background request completes via the io_uring path, the
background queue gets flushed to dispatch pending background requests,
but this is done before the connection-level background counters
(fc->num_background, fc->active_background) are properly accounted,
which may reduce effective queue depth to one.
The connection-level counters are decremented in fuse_request_end(), but
flush_bg_queue() flushes the /dev/fuse path queue (fc->bg_queue), not
the io_uring per-queue bg one, which means pending uring background
requests on the queue are never dispatched in this path.
Fix this by accounting the connection-level background counters first
before flushing the queue's background queue. Since
fuse_request_bg_finish() clears FR_BACKGROUND, fuse_request_end() will
skip the background cleanup branch entirely, which avoids any
double-decrements; it will call the wake_up(&req->waitq) branch but this
is effectively a no-op as background requests have no waiters on
req->waitq.
Reviewed-by: Bernd Schubert <bernd@bsbernd.com>
Fixes: 857b0263f30e ("fuse: Allow to queue bg requests through io-uring")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 41 ++++++++++++++++++++++++-----------------
fs/fuse/dev_uring.c | 1 +
fs/fuse/fuse_dev_i.h | 1 +
3 files changed, 26 insertions(+), 17 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -447,6 +447,29 @@ static void flush_bg_queue(struct fuse_c
}
}
+void fuse_request_bg_finish(struct fuse_conn *fc, struct fuse_req *req)
+{
+ lockdep_assert_held(&fc->bg_lock);
+
+ clear_bit(FR_BACKGROUND, &req->flags);
+ if (fc->num_background == fc->max_background) {
+ fc->blocked = 0;
+ wake_up(&fc->blocked_waitq);
+ } else if (!fc->blocked) {
+ /*
+ * Wake up next waiter, if any. It's okay to use
+ * waitqueue_active(), as we've already synced up
+ * fc->blocked with waiters with the wake_up() call
+ * above.
+ */
+ if (waitqueue_active(&fc->blocked_waitq))
+ wake_up(&fc->blocked_waitq);
+ }
+
+ fc->num_background--;
+ fc->active_background--;
+}
+
/*
* This function is called when a request is finished. Either a reply
* has arrived or it was aborted (and not yet sent) or some error
@@ -479,23 +502,7 @@ void fuse_request_end(struct fuse_req *r
WARN_ON(test_bit(FR_SENT, &req->flags));
if (test_bit(FR_BACKGROUND, &req->flags)) {
spin_lock(&fc->bg_lock);
- clear_bit(FR_BACKGROUND, &req->flags);
- if (fc->num_background == fc->max_background) {
- fc->blocked = 0;
- wake_up(&fc->blocked_waitq);
- } else if (!fc->blocked) {
- /*
- * Wake up next waiter, if any. It's okay to use
- * waitqueue_active(), as we've already synced up
- * fc->blocked with waiters with the wake_up() call
- * above.
- */
- if (waitqueue_active(&fc->blocked_waitq))
- wake_up(&fc->blocked_waitq);
- }
-
- fc->num_background--;
- fc->active_background--;
+ fuse_request_bg_finish(fc, req);
flush_bg_queue(fc);
spin_unlock(&fc->bg_lock);
} else {
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -90,6 +90,7 @@ static void fuse_uring_req_end(struct fu
if (test_bit(FR_BACKGROUND, &req->flags)) {
queue->active_background--;
spin_lock(&fc->bg_lock);
+ fuse_request_bg_finish(fc, req);
fuse_uring_flush_bg(queue);
spin_unlock(&fc->bg_lock);
}
--- a/fs/fuse/fuse_dev_i.h
+++ b/fs/fuse/fuse_dev_i.h
@@ -77,6 +77,7 @@ unsigned int fuse_req_hash(u64 unique);
struct fuse_req *fuse_request_find(struct fuse_pqueue *fpq, u64 unique);
void fuse_dev_end_requests(struct list_head *head);
+void fuse_request_bg_finish(struct fuse_conn *fc, struct fuse_req *req);
void fuse_copy_init(struct fuse_copy_state *cs, bool write,
struct iov_iter *iter);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 506/518] fuse: dont block in fuse_get_dev() for non-sync_init case
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 505/518] fuse: fix io-uring background queue dispatch on request completion Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 507/518] fuse: clear intr_entry in fuse_resend and fuse_remove_pending_req Greg Kroah-Hartman
` (15 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Joanne Koong,
Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit 9f6f44aa5a58aaae0838126dc09460c3e1f56ccb upstream.
Commit a8dd5f1b73bc ("fuse: create fuse_dev on /dev/fuse open instead of
mount") changed behavior so that fuse_get_dev() now unconditionally
blocks waiting for a connection, even in the case where sync_init was
not set. Previously, non-sync_init opens returned -EPERM immediately.
Restore the previous behavior of returning -EPERM.
Fixes: a8dd5f1b73bc ("fuse: create fuse_dev on /dev/fuse open instead of mount")
Reported-by: Mark Brown <broonie@kernel.org>
Closes: https://lore.kernel.org/all/3c9f8396-41f4-4c88-b883-34bede72b427@sirena.org.uk/
Cc: <stable@vger.kernel.org>
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Tested-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1560,9 +1560,15 @@ struct fuse_dev *fuse_get_dev(struct fil
struct fuse_dev *fud = fuse_file_to_fud(file);
int err;
- err = wait_event_interruptible(fuse_dev_waitq, fuse_dev_fc_get(fud) != NULL);
- if (err)
- return ERR_PTR(err);
+ if (unlikely(!fuse_dev_fc_get(fud))) {
+ /* only block waiting for mount if sync init was requested */
+ if (!fud->sync_init)
+ return ERR_PTR(-EPERM);
+
+ err = wait_event_interruptible(fuse_dev_waitq, fuse_dev_fc_get(fud) != NULL);
+ if (err)
+ return ERR_PTR(err);
+ }
return fud;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 507/518] fuse: clear intr_entry in fuse_resend and fuse_remove_pending_req
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 506/518] fuse: dont block in fuse_get_dev() for non-sync_init case Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 508/518] fuse-uring: fix EFAULT clobber in fuse_uring_commit Greg Kroah-Hartman
` (14 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhou, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
commit f8fce75fedf73ac72aa09163deb8f4291fdcaad2 upstream.
When fuse_resend() moves a request from fpq->processing back to
fiq->pending, it sets FR_PENDING and clears FR_SENT but does not
remove the requests intr_entry from fiq->interrupts. If the
request had FR_INTERRUPTED set from a prior signal, intr_entry
remains dangling on fiq->interrupts. When the requesting task
then receives a fatal signal, fuse_remove_pending_req() sees
FR_PENDING=1, removes the request from fiq->pending and frees it
via the refcount path, also without cleaning intr_entry. The
stale intr_entry causes use-after-free when fuse_read_interrupt()
iterates fiq->interrupts:
- list_del_init(&req->intr_entry) -> UAF write on freed slab
- req->in.h.unique -> UAF read, data leaked to userspace
Remove intr_entry from fiq->interrupts in fuse_resend() for
interrupted requests before they are placed back on fiq->pending.
Add a WARN_ON if the intr_entry is not empty on request destruction.
Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests")
Cc: stable@vger.kernel.org # 6.9
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -148,6 +148,7 @@ static struct fuse_req *fuse_request_all
static void fuse_request_free(struct fuse_req *req)
{
+ WARN_ON(!list_empty(&req->intr_entry));
kmem_cache_free(fuse_req_cachep, req);
}
@@ -2041,6 +2042,14 @@ static void fuse_resend(struct fuse_conn
fuse_dev_end_requests(&to_queue);
return;
}
+ /*
+ * Remove interrupt entries for resent requests to prevent stale
+ * intr_entry on fiq->interrupts after the request is re-queued.
+ */
+ list_for_each_entry(req, &to_queue, list) {
+ if (test_bit(FR_INTERRUPTED, &req->flags))
+ list_del_init(&req->intr_entry);
+ }
/* iq and pq requests are both oldest to newest */
list_splice(&to_queue, &fiq->pending);
fuse_dev_wake_and_unlock(fiq);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 508/518] fuse-uring: fix EFAULT clobber in fuse_uring_commit
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 507/518] fuse: clear intr_entry in fuse_resend and fuse_remove_pending_req Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 509/518] fuse-uring: fix data races on ring->ready Greg Kroah-Hartman
` (13 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Chris Mason,
Bernd Schubert, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Mason <clm@meta.com>
commit 3a0a8bc51a13951c5141262bf770eeea3e0b6228 upstream.
copy_from_user() returns the number of bytes not copied as an unsigned
residual on failure (1..sizeof(struct fuse_out_header)). fuse_uring_commit
stores that residual in ssize_t err, sets req->out.h.error to -EFAULT,
then jumps to out: with err still holding the positive residual.
err = copy_from_user(&req->out.h, &ent->headers->in_out,
sizeof(req->out.h));
if (err) {
req->out.h.error = -EFAULT;
goto out; /* err is the positive residual */
}
...
out:
fuse_uring_req_end(ent, req, err);
fuse_uring_req_end() then runs
if (error)
req->out.h.error = error;
which overwrites the just-assigned -EFAULT with the positive residual.
FUSE callers such as fuse_simple_request() test err < 0 to detect
failure, so the positive value is interpreted as success and the
caller proceeds with an uninitialised or partial req->out.args.
Fix by assigning err = -EFAULT in the failure branch before jumping
to out, so fuse_uring_req_end() receives a negative errno and sets
req->out.h.error to -EFAULT.
Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@vger.kernel.org
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Bernd Schubert <bernd@bsbernd.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -814,14 +814,11 @@ static void fuse_uring_commit(struct fus
{
struct fuse_ring *ring = ent->queue->ring;
struct fuse_conn *fc = ring->fc;
- ssize_t err = 0;
+ ssize_t err = -EFAULT;
- err = copy_from_user(&req->out.h, &ent->headers->in_out,
- sizeof(req->out.h));
- if (err) {
- req->out.h.error = -EFAULT;
+ if (copy_from_user(&req->out.h, &ent->headers->in_out,
+ sizeof(req->out.h)))
goto out;
- }
err = fuse_uring_out_header_has_err(&req->out.h, req, fc);
if (err) {
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 509/518] fuse-uring: fix data races on ring->ready
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 508/518] fuse-uring: fix EFAULT clobber in fuse_uring_commit Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 510/518] fuse-uring: fix moving cancelled entry to ent_in_userspace list Greg Kroah-Hartman
` (12 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Chris Mason,
Bernd Schubert, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Mason <clm@meta.com>
commit 46725a0056c884cf58a6897f222892807327d82d upstream.
On weakly-ordered architectures, the store to fiq->ops can be
reordered past the store to ring->ready, allowing a CPU that sees
ring->ready == true via fuse_uring_ready() to dispatch requests
through a stale fiq->ops pointer. Upgrade the store to
smp_store_release() and the load in fuse_uring_ready() to
smp_load_acquire() so that the preceding WRITE_ONCE(fiq->ops, ...)
is visible to any CPU that observes ring->ready == true.
Additionally, fuse_uring_do_register() publishes ring->ready with
WRITE_ONCE() but the fast-path check reads it with a plain load.
This is a marked-vs-unmarked access that KCSAN will flag. Wrap it in
READ_ONCE() to mark it without adding unnecessary ordering.
Also wrap the fc->ring load in fuse_uring_ready() in READ_ONCE() to
prevent the compiler from reloading it between the NULL check and the
dereference.
Fixes: c2c9af9a0b13 ("fuse: Allow to queue fg requests through io-uring")
Cc: stable@vger.kernel.org
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Bernd Schubert <bernd@bsbernd.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 4 ++--
fs/fuse/dev_uring_i.h | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -989,12 +989,12 @@ static void fuse_uring_do_register(struc
fuse_uring_ent_avail(ent, queue);
spin_unlock(&queue->lock);
- if (!ring->ready) {
+ if (!READ_ONCE(ring->ready)) {
bool ready = is_ring_ready(ring, queue->qid);
if (ready) {
WRITE_ONCE(fiq->ops, &fuse_io_uring_ops);
- WRITE_ONCE(ring->ready, true);
+ smp_store_release(&ring->ready, true);
wake_up_all(&fc->blocked_waitq);
}
}
--- a/fs/fuse/dev_uring_i.h
+++ b/fs/fuse/dev_uring_i.h
@@ -169,7 +169,9 @@ static inline void fuse_uring_wait_stopp
static inline bool fuse_uring_ready(struct fuse_conn *fc)
{
- return fc->ring && fc->ring->ready;
+ struct fuse_ring *ring = READ_ONCE(fc->ring);
+
+ return ring && smp_load_acquire(&ring->ready);
}
#else /* CONFIG_FUSE_IO_URING */
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 510/518] fuse-uring: fix moving cancelled entry to ent_in_userspace list
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 509/518] fuse-uring: fix data races on ring->ready Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:32 ` [PATCH 7.1 511/518] fuse-uring: end fuse_req on io-uring cancel task work Greg Kroah-Hartman
` (11 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heechan Kang, Bernd Schubert,
Jian Huang Li, Horst Birthelmer, Joanne Koong, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit 198f45eeb9f78b2a2d6d8be95e4e43468eb2c6bc upstream.
fuse_uring_cancel() moves entries that are available (these have no reqs
attached) to the ent_in_userspace list. ent_list_request_expired()
checks the first entry on ent_in_userspace and dereferences
ent->fuse_req unconditionally, which will crash on a cancelled entry
that was moved to this list.
Fix this by freeing the entry and dropping queue_refs directly in
fuse_uring_cancel(). This is safe because cancel is the cancel handler
itself - after io_uring_cmd_done(), no more cancels will be dispatched
for this command, and teardown serializes with cancel via queue->lock.
Since cancel now decrements queue_refs, fuse_uring_abort() must no
longer gate fuse_uring_abort_end_requests() on queue_refs > 0, as
cancelled entries may have already dropped queue_refs while requests are
still queued. Remove the gate so abort always flushes requests and stops
queues.
Reported-by: Heechan Kang <gganji11@naver.com>
Tested-by: Heechan Kang <gganji11@naver.com>
Reviewed-by: Bernd Schubert <bernd@bsbernd.com>
Fixes: 4fea593e625c ("fuse: optimize over-io-uring request expiration check")
Cc: stable@vger.kernel.org
Suggested-by: Jian Huang Li <ali@ddn.com>
Suggested-by: Horst Birthelmer <horst@birthelmer.de>
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 6 ++++--
fs/fuse/dev_uring_i.h | 6 +++---
2 files changed, 7 insertions(+), 5 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -508,8 +508,7 @@ static void fuse_uring_cancel(struct io_
queue = ent->queue;
spin_lock(&queue->lock);
if (ent->state == FRRS_AVAILABLE) {
- ent->state = FRRS_USERSPACE;
- list_move_tail(&ent->list, &queue->ent_in_userspace);
+ list_del_init(&ent->list);
need_cmd_done = true;
ent->cmd = NULL;
}
@@ -518,6 +517,9 @@ static void fuse_uring_cancel(struct io_
if (need_cmd_done) {
/* no queue lock to avoid lock order issues */
io_uring_cmd_done(cmd, -ENOTCONN, issue_flags);
+ kfree(ent);
+ if (atomic_dec_and_test(&queue->ring->queue_refs))
+ wake_up_all(&queue->ring->stop_waitq);
}
}
--- a/fs/fuse/dev_uring_i.h
+++ b/fs/fuse/dev_uring_i.h
@@ -152,10 +152,10 @@ static inline void fuse_uring_abort(stru
if (ring == NULL)
return;
- if (atomic_read(&ring->queue_refs) > 0) {
- fuse_uring_abort_end_requests(ring);
+ fuse_uring_abort_end_requests(ring);
+
+ if (atomic_read(&ring->queue_refs) > 0)
fuse_uring_stop_queues(ring);
- }
}
static inline void fuse_uring_wait_stopped_queues(struct fuse_conn *fc)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 511/518] fuse-uring: end fuse_req on io-uring cancel task work
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 510/518] fuse-uring: fix moving cancelled entry to ent_in_userspace list Greg Kroah-Hartman
@ 2026-07-16 13:32 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 512/518] fuse-uring: Avoid use-after-free in fuse_uring_async_stop_queues Greg Kroah-Hartman
` (10 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Chris Mason,
Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Mason <clm@meta.com>
commit bea4fe98204b6ce7eb8e29f7bf867dd7619b3ddd upstream.
When io_uring delivers task work with tw.cancel set (PF_EXITING,
PF_KTHREAD fallback, or percpu_ref_is_dying on the ring context),
fuse_uring_send_in_task() takes the cancel branch, assigns
-ECANCELED, and falls through to fuse_uring_send(). That path only
flips the entry to FRRS_USERSPACE and completes the io_uring cmd;
it never discharges the ring entry's owning reference to the
fuse_req that fuse_uring_add_req_to_ring_ent() handed it at
dispatch time.
fuse_uring_send_in_task()
tw.cancel == true
err = -ECANCELED
fuse_uring_send(ent, cmd, err, issue_flags)
ent->state = FRRS_USERSPACE
list_move(&ent->list, &queue->ent_in_userspace)
ent->cmd = NULL
io_uring_cmd_done(-ECANCELED)
/* ent->fuse_req still set, req still hashed */
The fuse_req stays linked on fpq->processing[hash] and
fuse_request_end() is never invoked. The originating syscall
thread blocks in D-state in request_wait_answer() until
fuse_abort_conn() runs, which can be the entire connection
lifetime. For FR_BACKGROUND requests fc->num_background is never
decremented either, so repeated cancels inflate the counter until
max_background is hit and all later background ops stall. tw.cancel does
not imply a connection abort (e.g. a single io_uring worker thread exits
while the fuse connection stays up), so this cannot be left for
fuse_abort_conn() to clean up.
Ending the req but still routing the entry through fuse_uring_send()
is not enough: that leaves a req-less entry on ent_in_userspace, and
ent_list_request_expired() dereferences ent->fuse_req unconditionally
on the head of that list, which would then NULL-deref.
Fix the cancel branch to release the entry directly. Remove it from the
queue, complete the io_uring cmd, end the fuse_req, free the entry, and
drop its queue_refs (waking the teardown waiter if it was the last).
Fixes: c2c9af9a0b13 ("fuse: Allow to queue fg requests through io-uring")
Cc: stable@vger.kernel.org
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -1225,11 +1225,21 @@ static void fuse_uring_send_in_task(stru
fuse_uring_next_fuse_req(ent, queue, issue_flags);
return;
}
+ fuse_uring_send(ent, cmd, err, issue_flags);
} else {
err = -ECANCELED;
- }
- fuse_uring_send(ent, cmd, err, issue_flags);
+ spin_lock(&queue->lock);
+ list_del_init(&ent->list);
+ spin_unlock(&queue->lock);
+
+ io_uring_cmd_done(cmd, err, issue_flags);
+
+ fuse_uring_req_end(ent, ent->fuse_req, err);
+ kfree(ent);
+ if (atomic_dec_and_test(&queue->ring->queue_refs))
+ wake_up_all(&queue->ring->stop_waitq);
+ }
}
static struct fuse_ring_queue *fuse_uring_task_to_queue(struct fuse_ring *ring)
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 512/518] fuse-uring: Avoid use-after-free in fuse_uring_async_stop_queues
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2026-07-16 13:32 ` [PATCH 7.1 511/518] fuse-uring: end fuse_req on io-uring cancel task work Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 513/518] fuse-uring: Avoid queue->stopped races and set/read that value under lock Greg Kroah-Hartman
` (9 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Berkant Koc, Bernd Schubert,
Joanne Koong, Miklos Szeredi, stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bernd@bsbernd.com>
commit d351da75066955144515cb2f9aa959f24a04287a upstream.
fuse_uring_async_stop_queues() might run when the last reference
on ring->queue_refs was already dropped.
In order to avoid an early destruction a reference on struct fuse_conn
is now taken before starting fuse_uring_async_stop_queues() and that
reference is only released when that delayed work queue terminates.
Fixes: 4a9bfb9b6850 ("fuse: {io-uring} Handle teardown of ring entries")
Cc: stable@kernel.org # 6.14
Reported-by: Berkant Koc <me@berkoc.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -467,6 +467,7 @@ static void fuse_uring_async_stop_queues
FUSE_URING_TEARDOWN_INTERVAL);
} else {
wake_up_all(&ring->stop_waitq);
+ fuse_conn_put(ring->chan->conn);
}
}
@@ -478,6 +479,7 @@ void fuse_uring_stop_queues(struct fuse_
fuse_uring_teardown_all_queues(ring);
if (atomic_read(&ring->queue_refs) > 0) {
+ fuse_conn_get(ring->chan->conn);
ring->teardown_time = jiffies;
INIT_DELAYED_WORK(&ring->async_teardown_work,
fuse_uring_async_stop_queues);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 513/518] fuse-uring: Avoid queue->stopped races and set/read that value under lock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 512/518] fuse-uring: Avoid use-after-free in fuse_uring_async_stop_queues Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 514/518] fuse-uring: make a fuse_req on SQE commit only findable after memcpy Greg Kroah-Hartman
` (8 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Berkant Koc, xlabai, Bernd Schubert,
Joanne Koong, Miklos Szeredi, stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bernd@bsbernd.com>
commit b70a3aca16934c196f92abb17b01c1647b9bb63c upstream.
There are several readers of queue->stopped that check the value
under lock, but fuse_uring_commit_fetch() did not and actually
the value was not set under the lock in fuse_uring_abort_end_requests()
either. Especially in fuse_uring_commit_fetch it is important
to check under a lock, because due to races 'struct fuse_req'
might be freed with fuse_request_end, but another thread/cpu
might already do teardown work.
Cc: stable@kernel.org # 6.14
Fixes: 4a9bfb9b6850fec ("fuse: {io-uring} Handle teardown of ring entries")
Reported-by: Berkant Koc <me@berkoc.com>
Reported-by: xlabai <xlabai@tencent.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -131,10 +131,9 @@ void fuse_uring_abort_end_requests(struc
if (!queue)
continue;
- queue->stopped = true;
-
WARN_ON_ONCE(ring->fc->max_background != UINT_MAX);
spin_lock(&queue->lock);
+ queue->stopped = true;
spin_lock(&fc->bg_lock);
fuse_uring_flush_bg(queue);
spin_unlock(&fc->bg_lock);
@@ -467,7 +466,7 @@ static void fuse_uring_async_stop_queues
FUSE_URING_TEARDOWN_INTERVAL);
} else {
wake_up_all(&ring->stop_waitq);
- fuse_conn_put(ring->chan->conn);
+ fuse_conn_put(ring->fc);
}
}
@@ -479,7 +478,7 @@ void fuse_uring_stop_queues(struct fuse_
fuse_uring_teardown_all_queues(ring);
if (atomic_read(&ring->queue_refs) > 0) {
- fuse_conn_get(ring->chan->conn);
+ fuse_conn_get(ring->fc);
ring->teardown_time = jiffies;
INIT_DELAYED_WORK(&ring->async_teardown_work,
fuse_uring_async_stop_queues);
@@ -900,10 +899,15 @@ static int fuse_uring_commit_fetch(struc
return err;
fpq = &queue->fpq;
- if (!READ_ONCE(fc->connected) || READ_ONCE(queue->stopped))
+ if (!READ_ONCE(fc->connected))
return err;
spin_lock(&queue->lock);
+ if (unlikely(queue->stopped)) {
+ spin_unlock(&queue->lock);
+ return err;
+ }
+
/* Find a request based on the unique ID of the fuse request
* This should get revised, as it needs a hash calculation and list
* search. And full struct fuse_pqueue is needed (memory overhead).
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 514/518] fuse-uring: make a fuse_req on SQE commit only findable after memcpy
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 513/518] fuse-uring: Avoid queue->stopped races and set/read that value under lock Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 515/518] fuse-uring: remove request-less entries from ent_w_req_queue to fix NULL deref Greg Kroah-Hartman
` (7 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xlabai, Berkant Koc, Bernd Schubert,
Joanne Koong, Miklos Szeredi, stable
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bernd@bsbernd.com>
commit 1efd3d474fc0ba74dfd984249bca78807d739812 upstream.
Bad userspace might try to trick us and send commit SQEs request
unique / commit-id of requests that are not even send to
fuse-server (io_uring_cmd_done() not called) yet.
fuse_uring_commit_fetch() ends the fuse request when the ring entry
has a wrong state, but that could have caused a use-after-free
with the memcpy operations in fuse_uring_send_in_task().
In order to avoid such races the call of fuse_uring_add_to_pq()
is moved after the copy operations and just before completing
the io-uring request - malicious userspace cannot find the request
anymore until all prepration work in fuse-client/kernel is completed.
This also moves fuse_uring_add_to_pq() a bit up in the code to
avoid a forward declaration. Also not with a preparation commit,
to make it easier to back port to older kernels.
Reported-by: xlabai <xlabai@tencent.com>
Reported-by: Berkant Koc <me@berkoc.com>
Fixes: c090c8abae4b6b ("fuse: Add io-uring sqe commit and fetch support")
Cc: stable@kernel.org # 6.14
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 33 +++++++++++++++++++--------------
1 file changed, 19 insertions(+), 14 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -714,6 +714,19 @@ static int fuse_uring_prepare_send(struc
return err;
}
+/* Used to find the request on SQE commit */
+static void fuse_uring_add_to_pq(struct fuse_ring_ent *ent)
+{
+ struct fuse_ring_queue *queue = ent->queue;
+ struct fuse_pqueue *fpq = &queue->fpq;
+ unsigned int hash;
+ struct fuse_req *req = ent->fuse_req;
+
+ req->ring_entry = ent;
+ hash = fuse_req_hash(req->in.h.unique);
+ list_move_tail(&req->list, &fpq->processing[hash]);
+}
+
/*
* Write data to the ring buffer and send the request to userspace,
* userspace will read it
@@ -736,6 +749,7 @@ static int fuse_uring_send_next_to_ring(
ent->cmd = NULL;
ent->state = FRRS_USERSPACE;
list_move_tail(&ent->list, &queue->ent_in_userspace);
+ fuse_uring_add_to_pq(ent);
spin_unlock(&queue->lock);
io_uring_cmd_done(cmd, 0, issue_flags);
@@ -753,19 +767,6 @@ static void fuse_uring_ent_avail(struct
ent->state = FRRS_AVAILABLE;
}
-/* Used to find the request on SQE commit */
-static void fuse_uring_add_to_pq(struct fuse_ring_ent *ent,
- struct fuse_req *req)
-{
- struct fuse_ring_queue *queue = ent->queue;
- struct fuse_pqueue *fpq = &queue->fpq;
- unsigned int hash;
-
- req->ring_entry = ent;
- hash = fuse_req_hash(req->in.h.unique);
- list_move_tail(&req->list, &fpq->processing[hash]);
-}
-
/*
* Assign a fuse queue entry to the given entry
*/
@@ -783,10 +784,13 @@ static void fuse_uring_add_req_to_ring_e
}
clear_bit(FR_PENDING, &req->flags);
+
+ /* Until fuse_uring_add_to_pq() the req is not attached to any list */
+ list_del_init(&req->list);
+
ent->fuse_req = req;
ent->state = FRRS_FUSE_REQ;
list_move_tail(&ent->list, &queue->ent_w_req_queue);
- fuse_uring_add_to_pq(ent, req);
}
/* Fetch the next fuse request if available */
@@ -1207,6 +1211,7 @@ static void fuse_uring_send(struct fuse_
ent->state = FRRS_USERSPACE;
list_move_tail(&ent->list, &queue->ent_in_userspace);
ent->cmd = NULL;
+ fuse_uring_add_to_pq(ent);
spin_unlock(&queue->lock);
io_uring_cmd_done(cmd, ret, issue_flags);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 515/518] fuse-uring: remove request-less entries from ent_w_req_queue to fix NULL deref
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 514/518] fuse-uring: make a fuse_req on SQE commit only findable after memcpy Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 516/518] ALSA: doc: usb-audio: Add doc for QUIRK_FLAG_IFB_SILENCE_ON_EMPTY Greg Kroah-Hartman
` (6 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Joanne Koong, Miklos Szeredi
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit 1c57a69be962d459c5e705f5cb4355b841b3461c upstream.
If a copy into the userspace ring buffer fails, a request will be
terminated and fuse_uring_req_end() will set ent->fuse_req to NULL but
it will leave the entry on ent_w_req_queue in FRRS_FUSE_REQ state. This
can lead to a NULL deref if the request expiration logic scans
ent_w_req_queue in the window before the entry is moved off it.
Fix this by taking the entry off ent_w_req_queue and changing its state
from FRRS_FUSE_REQ to FRRS_INVALID before terminating the request.
Fixes: 4fea593e625c ("fuse: optimize over-io-uring request expiration check")
Cc: stable@kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev_uring.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -706,10 +706,20 @@ static int fuse_uring_prepare_send(struc
int err;
err = fuse_uring_copy_to_ring(ent, req);
- if (!err)
+ if (!err) {
set_bit(FR_SENT, &req->flags);
- else
+ } else {
+ /*
+ * Copying the request failed. Remove the entry from the
+ * ent_w_req_queue list and terminate the request
+ */
+ spin_lock(&ent->queue->lock);
+ list_del_init(&ent->list);
+ ent->state = FRRS_INVALID;
+ spin_unlock(&ent->queue->lock);
+
fuse_uring_req_end(ent, req, err);
+ }
return err;
}
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 516/518] ALSA: doc: usb-audio: Add doc for QUIRK_FLAG_IFB_SILENCE_ON_EMPTY
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 515/518] fuse-uring: remove request-less entries from ent_w_req_queue to fix NULL deref Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 517/518] timekeeping: Register default clocksource before taking tk_core.lock Greg Kroah-Hartman
` (5 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rong Zhang, Takashi Iwai
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <i@rong.moe>
commit 06363f96e3d6b54ff7b5d2ce85cab95bd5e874b0 upstream.
QUIRK_FLAG_IFB_SILENCE_ON_EMPTY was introduced into usb-audio before
without appropriate documentation, so add it.
Fixes: a23812004228 ("ALSA: usb-audio: add IFB_SILENCE_ON_EMPTY quirk for Behringer Flow 8")
Signed-off-by: Rong Zhang <i@rong.moe>
Link: https://patch.msgid.link/20260527-uac-quirk-get-cur-vol-v1-1-e9362b712e5e@rong.moe
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/sound/alsa-configuration.rst | 6 ++++++
1 file changed, 6 insertions(+)
--- a/Documentation/sound/alsa-configuration.rst
+++ b/Documentation/sound/alsa-configuration.rst
@@ -2383,6 +2383,12 @@ quirk_flags
``V(x) = k * x``; ``dB(x) = 20 * log10(x)``. Overrides bit 24
* bit 28: ``mixer_capture_linear_vol``
Similar to bit 27 but for capture streams. Overrides bit 25
+ * bit 29: ``ifb_silence_on_empty``
+ In implicit feedback mode, when an entire capture URB returns with
+ all iso_frame_desc[i].status != 0 (bytes==0), do not silently return
+ from snd_usb_handle_sync_urb. Instead fall through and enqueue a
+ packet_info containing only size-0 packets, so the OUT ring keeps
+ moving (emits silence). Needed by Behringer Flow 8 (1397:050c).
This module supports multiple devices, autoprobe and hotplugging.
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 517/518] timekeeping: Register default clocksource before taking tk_core.lock
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 516/518] ALSA: doc: usb-audio: Add doc for QUIRK_FLAG_IFB_SILENCE_ON_EMPTY Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 13:33 ` [PATCH 7.1 518/518] Bluetooth: 6lowpan: Fix using chan->conn as indication to no remote netdev Greg Kroah-Hartman
` (4 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Gavrilov, Thomas Gleixner,
Breno Leitao, Oleg Nesterov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
commit 8fa30821180a9a19e78e9f4df1c0ba710252801e upstream.
Commit f24df84cbe05 ("time/jiffies: Register jiffies clocksource before
usage") moved the jiffies clocksource registration into
clocksource_default_clock(), so that it is registered lazily on the first
call. __clocksource_register() acquires clocksource_mutex, but the first
caller is timekeeping_init(), which invokes clocksource_default_clock()
while holding tk_core.lock, a raw spinlock.
Acquiring a sleeping mutex while holding a raw spinlock is invalid.
The default clocksource only has to be registered before
tk_setup_internals() consumes its mult/shift/maxadj. Neither
clocksource_default_clock(), the ->enable() callback, nor the registration
itself need tk_core.lock, so fetch and enable the clock before acquiring
the lock. This preserves the "register before usage" ordering while
keeping clocksource_mutex out of the raw spinlock section.
clocksource_default_clock() has a second caller,
clocksource_done_booting(), which invokes it with clocksource_mutex already
held. That path avoids a recursive lock because timekeeping_init() has
already run and set cs_jiffies_registered, so the registration is skipped
there. This change does not alter that; it only fixes the invalid wait
context in timekeeping_init().
Fixes: f24df84cbe05 ("time/jiffies: Register jiffies clocksource before usage")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reported-by: Breno Leitao <leitao@debian.org>
Reported-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Breno Leitao <leitao@debian.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260616070914.65818-1-mikhail.v.gavrilov@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/timekeeping.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -1980,13 +1980,14 @@ void __init timekeeping_init(void)
*/
wall_to_mono = timespec64_sub(boot_offset, wall_time);
+ clock = clocksource_default_clock();
+ if (clock->enable)
+ clock->enable(clock);
+
guard(raw_spinlock_irqsave)(&tk_core.lock);
ntp_init();
- clock = clocksource_default_clock();
- if (clock->enable)
- clock->enable(clock);
tk_setup_internals(tks, clock);
tk_set_xtime(tks, &wall_time);
^ permalink raw reply [flat|nested] 524+ messages in thread* [PATCH 7.1 518/518] Bluetooth: 6lowpan: Fix using chan->conn as indication to no remote netdev
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 517/518] timekeeping: Register default clocksource before taking tk_core.lock Greg Kroah-Hartman
@ 2026-07-16 13:33 ` Greg Kroah-Hartman
2026-07-16 14:37 ` [PATCH 7.1 000/518] 7.1.4-rc1 review Ronald Warsow
` (3 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-16 13:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit d38eaf611839b85ade3dd3db309dbc8aaaaf0095 upstream.
b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by holding
conn ref") don't reset the chan->conn to NULL anymore making the bt#
netdev not be remove once the last l2cap_chan_del is removed.
Instead of restoring the original behavior this remove the logic of
keeping the interface after the last channel is removed because it
never worked as intended and the l2cap_chan_del always detach its
l2cap_conn which results in always removing the channel anyway.
Fixes: b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/6lowpan.c | 18 +++---------------
1 file changed, 3 insertions(+), 15 deletions(-)
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -777,20 +777,10 @@ static void chan_close_cb(struct l2cap_c
struct lowpan_btle_dev *dev = NULL;
struct lowpan_peer *peer;
int err = -ENOENT;
- bool last = false, remove = true;
+ bool last = false;
BT_DBG("chan %p conn %p", chan, chan->conn);
- if (chan->conn && chan->conn->hcon) {
- if (!is_bt_6lowpan(chan->conn->hcon))
- return;
-
- /* If conn is set, then the netdev is also there and we should
- * not remove it.
- */
- remove = false;
- }
-
spin_lock(&devices_lock);
list_for_each_entry_rcu(entry, &bt_6lowpan_devices, list) {
@@ -817,10 +807,8 @@ static void chan_close_cb(struct l2cap_c
ifdown(dev->netdev);
- if (remove) {
- INIT_WORK(&entry->delete_netdev, delete_netdev);
- schedule_work(&entry->delete_netdev);
- }
+ INIT_WORK(&entry->delete_netdev, delete_netdev);
+ schedule_work(&entry->delete_netdev);
} else {
spin_unlock(&devices_lock);
}
^ permalink raw reply [flat|nested] 524+ messages in thread* Re: [PATCH 7.1 000/518] 7.1.4-rc1 review
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2026-07-16 13:33 ` [PATCH 7.1 518/518] Bluetooth: 6lowpan: Fix using chan->conn as indication to no remote netdev Greg Kroah-Hartman
@ 2026-07-16 14:37 ` Ronald Warsow
2026-07-16 14:55 ` Brett A C Sheffield
` (2 subsequent siblings)
521 siblings, 0 replies; 524+ messages in thread
From: Ronald Warsow @ 2026-07-16 14:37 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
kernel build / boot test on x86_64 (Intel).
No regressions here.
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 524+ messages in thread* Re: [PATCH 7.1 000/518] 7.1.4-rc1 review
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2026-07-16 14:37 ` [PATCH 7.1 000/518] 7.1.4-rc1 review Ronald Warsow
@ 2026-07-16 14:55 ` Brett A C Sheffield
2026-07-16 17:30 ` Florian Fainelli
2026-07-16 20:05 ` Justin Forbes
521 siblings, 0 replies; 524+ messages in thread
From: Brett A C Sheffield @ 2026-07-16 14:55 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 7.1.4-rc1-g01c8c5ba0d4c #1 SMP PREEMPT_DYNAMIC Thu Jul 16 14:50:32 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 524+ messages in thread* Re: [PATCH 7.1 000/518] 7.1.4-rc1 review
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2026-07-16 14:55 ` Brett A C Sheffield
@ 2026-07-16 17:30 ` Florian Fainelli
2026-07-16 20:05 ` Justin Forbes
521 siblings, 0 replies; 524+ messages in thread
From: Florian Fainelli @ 2026-07-16 17:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 7/16/26 06:24, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 7.1.4 release.
> There are 518 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 18 Jul 2026 13:30:01 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 524+ messages in thread* Re: [PATCH 7.1 000/518] 7.1.4-rc1 review
2026-07-16 13:24 [PATCH 7.1 000/518] 7.1.4-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2026-07-16 17:30 ` Florian Fainelli
@ 2026-07-16 20:05 ` Justin Forbes
521 siblings, 0 replies; 524+ messages in thread
From: Justin Forbes @ 2026-07-16 20:05 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Jul 16, 2026 at 03:24:28PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 7.1.4 release.
> There are 518 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 18 Jul 2026 13:30:01 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Tested rc1 against the Fedora build system (aarch64, ppc64le, s390x,
x86_64), and boot tested x86_64. No regressions noted.
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
^ permalink raw reply [flat|nested] 524+ messages in thread