* [PATCH 6.12 000/272] 6.12.92-rc1 review
@ 2026-05-28 19:46 Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 001/272] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
` (278 more replies)
0 siblings, 279 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.12.92 release.
There are 272 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.92-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.12.92-rc1
Matthieu Buffet <matthieu@buffet.re>
landlock: Fix TCP handling of short AF_UNSPEC addresses
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: kprobes: Fix handling of fatal unrecoverable recursions
Sabrina Dubroca <sd@queasysnail.net>
net: gro: don't merge zcopy skbs
Nikhil P. Rao <nikhil.rao@amd.com>
pds_core: ensure null-termination for firmware version strings
Aditya Garg <gargaditya@linux.microsoft.com>
net: mana: validate rx_req_idx to prevent out-of-bounds array access
Ratheesh Kannoth <rkannoth@marvell.com>
octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/oa: Fix exec_queue leak on width check in stream open
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
Andy Shevchenko <andy.shevchenko@gmail.com>
gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
Xingwang Xiang <v3rdant.xiang@gmail.com>
bpf, skmsg: fix verdict sk_data_ready racing with ktls rx
Rosen Penev <rosenp@gmail.com>
net: ag71xx: check error for platform_get_irq
Jiajia Liu <liujiajia@kylinos.cn>
Bluetooth: btmtk: fix urb->setup_packet leak in error paths
David Carlier <devnexen@gmail.com>
tracing: Avoid NULL return from hist_field_name() on truncation
Zhang Cen <rollkingzzc@gmail.com>
ALSA: seq: Serialize UMP output teardown with event_input
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: fix MLE defragmentation
Nikhil P. Rao <nikhil.rao@amd.com>
pds_core: fix debugfs_lookup dentry leak and error handling
Nikhil P. Rao <nikhil.rao@amd.com>
pds_core: fix error handling in pdsc_devcmd_wait
Ido Schimmel <idosch@nvidia.com>
bridge: mcast: Fix a possible use-after-free when removing a bridge port
Petr Machata <petrm@nvidia.com>
net: bridge: Flush multicast groups when snooping is disabled
Guangshuo Li <lgs201920130244@gmail.com>
RDMA/rtrs: Fix use-after-free in path file creation cleanup
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
Oliver White <oliverjwhite07@gmail.com>
platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
Daniel Golle <daniel@makrotopia.org>
net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
Daniel Golle <daniel@makrotopia.org>
net: dsa: mt7530: fix FDB entries not aging out with short timeout
Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme
Ankit Nautiyal <ankit.k.nautiyal@intel.com>
drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: ptp: serialize E825 PHY timer start with PTP lock
Matthew Leach <matthew.leach@collabora.com>
wifi: ath11k: fix peer resolution on rx path when peer_id=0
Mohanram Meenakshisundaram <mohanram.meenakshisundaram@intel.com>
drm/xe/pf: Fix CFI failure in debugfs access
Michal Wajdeczko <michal.wajdeczko@intel.com>
drm/xe/vf: Fix signature of print functions
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/gsc: Fix double-free of managed BO in error path
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/snapshot: fix dumping of the unaligned regions
Felix Gu <ustc.gu@gmail.com>
spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
Boris Burkov <boris@bur.io>
btrfs: fix squota accounting during enable generation
Jens Axboe <axboe@kernel.dk>
io_uring/net: punt IORING_OP_BIND async if it needs file create
Robertus Diawan Chris <robertusdchris@gmail.com>
ALSA: scarlett2: Add missing error check when initialise Autogain Status
Mike Christie <michael.christie@oracle.com>
scsi: sd: Fix return code handling in sd_spinup_disk()
Jeroen Massar <jmassar@nvidia.com>
net/mlx5: Do not restore destination-less TC rules
Chuck Lever <chuck.lever@oracle.com>
tls: Preserve sk_err across recvmsg() when data has been copied
Juergen Gross <jgross@suse.com>
x86/xen: Fix xen_e820_swap_entry_with_ram()
Sven Schuchmann <schuchmann@schleissheimer.de>
net: phy: DP83TC811: add reading of abilities
Jakub Kicinski <kuba@kernel.org>
net: tls: prevent chain-after-chain in plain text SG
Jakub Kicinski <kuba@kernel.org>
net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
Xiang Mei <xmei5@asu.edu>
net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
Sayali Patil <sayalip@linux.ibm.com>
powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
Mikko Perttunen <mperttunen@nvidia.com>
drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/dsi: don't dump registers past the mapped region
Chenguang Zhao <zhaochenguang@kylinos.cn>
ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
Xiang Mei <xmei5@asu.edu>
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
accel/qaic: Add overflow check to remap_pfn_range during mmap
Sungwoo Kim <iam@sung-woo.kim>
block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()
Keith Busch <kbusch@kernel.org>
blk-integrity: enable p2p source and destination
Keith Busch <kbusch@kernel.org>
blk-integrity: use simpler alignment check
Caleb Sander Mateos <csander@purestorage.com>
block: drop direction param from bio_integrity_copy_user()
Anuj Gupta <anuj20.g@samsung.com>
block: modify bio_integrity_map_user to accept iov_iter as argument
Lukas Bulwahn <lukas.bulwahn@redhat.com>
HID: quirks: really enable the intended work around for appledisplay
Casey Chen <cachen@purestorage.com>
block: recompute nr_integrity_segments in blk_insert_cloned_request
David Carlier <devnexen@gmail.com>
block: don't overwrite bip_vcnt in bio_integrity_copy_user()
Keith Busch <kbusch@kernel.org>
blk-integrity: remove seed for user mapped buffers
Kang Yang <kang.yang@oss.qualcomm.com>
wifi: ath10k: skip WMI and beacon transmission when device is wedged
Nicolas Escande <nico.escande@gmail.com>
wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()
Nicolas Escande <nico.escande@gmail.com>
wifi: ath11k: fix error path leaks in some WMI WOW calls
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
Linus Walleij <linusw@kernel.org>
net: ethernet: cortina: Carry over frag counter
Andreas Haarmann-Thiemann <eitschman@nebelreich.de>
net: ethernet: cortina: Drop half-assembled SKB
Linus Walleij <linusw@kernel.org>
net: ethernet: cortina: Make RX SKB per-port
David Howells <dhowells@redhat.com>
netfs: Fix folio->private handling in netfs_perform_write()
Matthew Wilcox (Oracle) <willy@infradead.org>
netfs: Remove unnecessary references to pages
Matthew Wilcox (Oracle) <willy@infradead.org>
netfs: Fix a few minor bugs in netfs_page_mkwrite()
David Howells <dhowells@redhat.com>
netfs: Fix partial invalidation of streaming-write folio
David Howells <dhowells@redhat.com>
netfs: Fix early put of sink folio in netfs_read_gaps()
David Howells <dhowells@redhat.com>
netfs: Fix write streaming disablement if fd open O_RDWR
David Howells <dhowells@redhat.com>
netfs: Fix potential deadlock in write-through mode
David Howells <dhowells@redhat.com>
netfs: Fix streaming write being overwritten
David Howells <dhowells@redhat.com>
netfs: Defer the emission of trace_netfs_folio()
David Howells <dhowells@redhat.com>
netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone
David Howells <dhowells@redhat.com>
netfs: Fix overrun check in netfs_extract_user_iter()
Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call
Julian Braha <julianbraha@gmail.com>
powerpc: fix dead default for GUEST_STATE_BUFFER_TEST
Kuniyuki Iwashima <kuniyu@google.com>
tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().
Johannes Thumshirn <johannes.thumshirn@wdc.com>
zonefs: handle integer overflow in zonefs_fname_to_fno
Jiayuan Chen <jiayuan.chen@linux.dev>
irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
Zhihao Cheng <chengzhihao1@huawei.com>
nsfs: fix wrong error code returned for pidns ioctls
Ming Lei <tom.leiming@gmail.com>
ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation
Rosen Penev <rosenp@gmail.com>
irqchip/ath79-cpu: Remove unused function
Chuck Lever <chuck.lever@oracle.com>
NFSD: Fix infinite loop in layout state revocation
Gabor Juhos <j4g8y7@gmail.com>
phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
Myeonghun Pak <mhun512@gmail.com>
net: lan966x: avoid unregistering netdev on register failure
Bart Van Assche <bvanassche@acm.org>
ice: fix locking in ice_dcb_rebuild()
Marcin Szycik <marcin.szycik@linux.intel.com>
ice: fix setting RSS VSI hash for E830
Kuniyuki Iwashima <kuniyu@google.com>
tcp: Fix imbalanced icsk_accept_queue count.
Martin Kaiser <martin@kaiser.cx>
test_kprobes: clear kprobes between test runs
Jianpeng Chang <jianpeng.chang.cn@windriver.com>
kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()
Florian Westphal <fw@strlen.de>
netfilter: bridge: eb_tables: close module init race
Florian Westphal <fw@strlen.de>
netfilter: x_tables: close dangling table module init race
Florian Westphal <fw@strlen.de>
netfilter: ebtables: close dangling table module init race
Florian Westphal <fw@strlen.de>
netfilter: ebtables: move to two-stage removal scheme
Florian Westphal <fw@strlen.de>
netfilter: x_tables: add and use xtables_unregister_table_exit
Florian Westphal <fw@strlen.de>
netfilter: x_tables: add and use xt_unregister_table_pre_exit
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
Breno Leitao <leitao@debian.org>
netfilter: Make legacy configs user selectable
Florian Westphal <fw@strlen.de>
netfilter: x_tables: unregister the templates first
Filipe Manana <fdmanana@suse.com>
btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
Shuhao Fu <sfual@cse.ust.hk>
ALSA: hda: cs35l41: Put ACPI device on missing physical node
Shuhao Fu <sfual@cse.ust.hk>
ALSA: hda: cs35l56: Put ACPI device after setting companion
Guenter Roeck <linux@roeck-us.net>
ARM: integrator: Fix early initialization
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Fix sched-recv callback partition lookup
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Align RxTx buffer size before mapping
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
Sudeep Holla <sudeep.holla@arm.com>
firmware: arm_ffa: Fix big-endian support in __ffa_partition_info_regs_get()
Maulik Shah <maulik.shah@oss.qualcomm.com>
pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
David Gow <david@davidgow.net>
kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
David Gow <david@davidgow.net>
kunit: config: Enable KUNIT_DEBUGFS by default
Guo Ren (Alibaba DAMO Academy) <guoren@kernel.org>
riscv: mm: Fixup no5lvl failure when vaddr is invalid
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0
Sudeep Holla <sudeep.holla@arm.com>
firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback
Sudeep Holla <sudeep.holla@arm.com>
firmware: arm_ffa: Remove unnecessary declaration of ffa_partitions_cleanup()
Sudeep Holla <sudeep.holla@arm.com>
firmware: arm_ffa: Unregister the FF-A devices when cleaning up the partitions
Viresh Kumar <viresh.kumar@linaro.org>
firmware: arm_ffa: Refactor addition of partition information into XArray
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
Takashi Iwai <tiwai@suse.de>
HID: uclogic: Fix regression of input name assignment
Biju Das <biju.das.jz@bp.renesas.com>
pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume
Marek Vasut <marek.vasut+renesas@mailbox.org>
ARM: dts: renesas: rskrza1: Drop superfluous cells
Marek Vasut <marek.vasut+renesas@mailbox.org>
ARM: dts: renesas: genmai: Drop superfluous cells
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) reject implausible blackbox record_count
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: fix negative tt_buff_len
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: fix negative last_changeset_len
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: fix race condition in send error reporting
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: avoid use of uninit sender vars
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: fix report_work leak on backbone_gw purge
Sven Eckelmann <sven@narfation.org>
batman-adv: frag: disallow unicast fragment in fragment
Luxiao Xu <rakukuip@gmail.com>
batman-adv: fix tp_meter counter underflow during shutdown
Ruide Cao <caoruide123@gmail.com>
batman-adv: fix fragment reassembly length accounting
Sven Eckelmann <sven@narfation.org>
batman-adv: dat: handle forward allocation error
Ruijie Li <ruijieli51@gmail.com>
batman-adv: clear current gateway during teardown
Sven Eckelmann <sven@narfation.org>
batman-adv: mcast: fix use-after-free in orig_node RCU release
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Validate GPIO pin LUT table size before iterating
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Fix integer overflow in bios_get_image()
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: megachips: remove bridge when irq request fails
Julien Chauveau <chauveau.julien@gmail.com>
drm/bridge: it66121: acquire reset GPIO in probe
Alan Liu <haoping.liu@amd.com>
drm/amdgpu/vpe: Force collaborate sync after TRAP
Deepanshu Kartikey <kartikey406@gmail.com>
drm/virtio: use uninterruptible resv lock for plane updates
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
device property: set fwnode->secondary to NULL in fwnode_init()
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Remove unused code to avoid build warning
Michael Bommarito <michael.bommarito@gmail.com>
RDMA/siw: Reject MPA FPDU length underflow before signed receive math
Johan Hovold <johan@kernel.org>
spi: ti-qspi: fix use-after-free after DMA setup failure
Johan Hovold <johan@kernel.org>
spi: sprd: fix error pointer deref after DMA setup failure
Johan Hovold <johan@kernel.org>
spi: ep93xx: fix error pointer deref after DMA setup failure
Michael Bommarito <michael.bommarito@gmail.com>
scsi: isci: Fix use-after-free in device removal path
Wayne Chang <waynec@nvidia.com>
phy: tegra: xusb: Fix per-pad high-speed termination calibration
Johan Hovold <johan@kernel.org>
spi: qup: fix error pointer deref after DMA setup failure
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
Osama Abdelkader <osama.abdelkader@gmail.com>
riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
Michael Bommarito <michael.bommarito@gmail.com>
KVM: arm64: vgic: Free private_irqs when init fails after allocation
Michael Bommarito <michael.bommarito@gmail.com>
KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
Vladimir Murzin <vladimir.murzin@arm.com>
arm64: probes: Handle probes on hinted conditional branch instructions
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: Do not call map->ops->elt_free() if elt_alloc() fails
Zhihao Cheng <chengzhihao1@huawei.com>
cifs: Fix busy dentry used after unmounting
Michael Bommarito <michael.bommarito@gmail.com>
wifi: mac80211: consume only present negotiated TTLM maps
Jann Horn <jannh@google.com>
af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
John Walker <johnwalker0@gmail.com>
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: restore PTP Rx timestamp config after ethtool set-channels
Marcin Szycik <marcin.szycik@intel.com>
ice: fix setting promisc mode while adding VID filter
Sam Daly <sam@samdaly.ie>
octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
Stephen Smalley <stephen.smalley.work@gmail.com>
lsm: hold cred_guard_mutex for lsm_set_self_attr()
Ilya Dryomov <idryomov@gmail.com>
rbd: eliminate a race in lock_dwork draining on unmap
Michael Bommarito <michael.bommarito@gmail.com>
ixgbevf: fix use-after-free in VEPA multicast source pruning
Michael Bommarito <michael.bommarito@gmail.com>
ipv4: raw: reject IP_HDRINCL packets with ihl < 5
Kyle Farnung <kfarnung@gmail.com>
wifi: ath11k: clear shared SRNG pointer state on restart
Stefano Garzarella <sgarzare@redhat.com>
vsock/virtio: reset connection on receiving queue overflow
Minh Nguyen <minhnguyen.080505@gmail.com>
vsock/vmci: fix UAF when peer resets connection during handshake
Justin Iurman <justin.iurman@gmail.com>
ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
Steven Rostedt <rostedt@goodmis.org>
ring-buffer: Fix reporting of missed events in iterator
Dawei Feng <dawei.feng@seu.edu.cn>
qed: fix double free in qed_cxt_tables_alloc()
Michael Bommarito <michael.bommarito@gmail.com>
l2tp: use list_del_rcu in l2tp_session_unhash
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: handle attr_set_size() errors when truncating files
Guopeng Zhang <zhangguopeng@kylinos.cn>
cgroup/cpuset: Reset DL migration state on can_attach() failure
Tejun Heo <tj@kernel.org>
sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
Samuele Mariotti <smariotti@disroot.org>
sched_ext: Fix missing warning in scx_set_task_state() default case
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
netfilter: nft_inner: Fix IPv6 inner_thoff desync
Nan Li <tonanli66@gmail.com>
netfilter: ipset: stop hash:* range iteration at end
Haoze Xie <royenheart@gmail.com>
netfilter: nf_queue: hold bridge skb->dev while queued
Zhengchuan Liang <zcliangcn@gmail.com>
netfilter: ip6t_hbh: reject oversized option lists
Jonas Jelonek <jelonek.jonas@gmail.com>
net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()
Michael Bommarito <michael.bommarito@gmail.com>
net: ifb: report ethtool stats over num_tx_queues
Nicolai Buchwitz <nb@tipi-net.de>
net: bcmgenet: keep RBUF EEE/PM disabled
Zijing Yin <yzjaurora@gmail.com>
phonet/pep: disable BH around forwarded sk_receive_skb()
Jiexun Wang <wangjiexun2025@gmail.com>
Bluetooth: serialize accept_q access
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: MGMT: validate Add Extended Advertising Data length
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
Mingyu Wang <25181214217@stu.xidian.edu.cn>
Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Jann Horn <jannh@google.com>
Bluetooth: bnep: Fix UAF read of dev->name
David Carlier <devnexen@gmail.com>
Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
Safa Karakuş <safa.karakus@secunnix.com>
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
Luiz Capitulino <luizcap@redhat.com>
selftests/mm: run_vmtests.sh: fix destructive tests invocation
Muchun Song <muchun.song@linux.dev>
mm/memory_hotplug: fix memory block reference leak on remove
Justin Iurman <justin.iurman@gmail.com>
ipv6: ioam: refresh hdr pointer before ioam6_event()
Muchun Song <muchun.song@linux.dev>
drivers/base/memory: fix memory block reference leak in poison accounting
Heechan Kang <gganji11@naver.com>
io_uring/waitid: clear waitid info before copying it to userspace
Ard Biesheuvel <ardb@kernel.org>
efi: Allocate runtime workqueue before ACPI init
Takashi Iwai <tiwai@suse.de>
ALSA: asihpi: Fix potential OOB array access at reading cache
Takashi Iwai <tiwai@suse.de>
ALSA: pcm: Don't setup bogus iov_iter for silencing
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: ua101: Reject too-short USB descriptors
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
ChenXiaoSong <chenxiaosong@kylinos.cn>
smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close
Jeremy Erazo <mendozayt13@gmail.com>
smb: client: use data_len for SMB2 READ encrypted folioq copy
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked()
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: require net admin for CIFS SWN netlink
Junyi Liu <moss80199@gmail.com>
ksmbd: validate SID in parent security descriptor during ACL inheritance
Ferry Meng <mengferry@linux.alibaba.com>
ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
Jeremy Laratro <research@aradex.io>
ksmbd: fix null pointer dereference in compare_guid_key()
SeongJae Park <sj@kernel.org>
mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sysfs: don't remove existing directory on update failure
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
Lukas Bulwahn <lukas.bulwahn@redhat.com>
arm64: Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL
Guenter Roeck <linux@roeck-us.net>
hwmon: (pmbus/core) Protect regulator operations with mutex
Pu Lehui <pulehui@huawei.com>
riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler
Pu Lehui <pulehui@huawei.com>
riscv: fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS
Lu Baolu <baolu.lu@linux.intel.com>
iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set
Jiri Olsa <jolsa@kernel.org>
x86/fgraph: Fix return_to_handler regs.rsp value
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Trigger neighbor resolution for unresolved destinations
Feng Yang <yangfeng@kylinos.cn>
tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64
Sasha Levin <sashal@kernel.org>
Revert "ice: Remove jumbo_remove step from TX path"
Sasha Levin <sashal@kernel.org>
Revert "ice: fix double-free of tx_buf skb"
Ian Rogers <irogers@google.com>
perf parse-events: Expose/rename config_term_name
Niklas Cassel <cassel@kernel.org>
ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
Niklas Cassel <cassel@kernel.org>
ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS
Niklas Cassel <cassel@kernel.org>
ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT
Niklas Cassel <cassel@kernel.org>
ata: libata-scsi: improve readability of ata_scsi_qc_issue()
Asim Viladi Oglu Manizada <manizada@pm.me>
smb: client: reject userspace cifs.spnego descriptions
Alessio Belle <alessio.belle@imgtec.com>
drm/imagination: Synchronize interrupts before suspending the GPU
Kuniyuki Iwashima <kuniyu@google.com>
af_unix: Give up GC if MSG_PEEK intervened.
DaeMyung Kang <charsyam@gmail.com>
ksmbd: close durable scavenger races against m_fp_list lookups
Peter Zijlstra (Intel) <peterz@infradead.org>
sched/deadline: Stop dl_server before CPU goes offline
Peter Zijlstra <peterz@infradead.org>
sched/deadline: Fix dl_server behaviour
Peter Zijlstra <peterz@infradead.org>
sched/deadline: Fix dl_server getting stuck
Juri Lelli <juri.lelli@redhat.com>
sched/deadline: Always stop dl-server before changing parameters
Huacai Chen <chenhuacai@kernel.org>
sched/deadline: Fix dl_server_stopped()
Peter Zijlstra <peterz@infradead.org>
sched/deadline: Less agressive dl_server handling
Sasha Levin <sashal@kernel.org>
Revert "x86/vdso: Fix output operand size of RDPID"
Vladimir Yakovlev <vovchkir@gmail.com>
spi: spi-dw-dma: fix print error log when wait finish transaction
Xiang Mei <xmei5@asu.edu>
bridge: mrp: reject zero test interval to avoid OOM panic
Sasha Levin <sashal@kernel.org>
Revert "perf tool_pmu: Factor tool events into their own PMU"
Sasha Levin <sashal@kernel.org>
Revert "perf python: Add parse_events function"
Sasha Levin <sashal@kernel.org>
Revert "perf tool_pmu: Fix aggregation on duration_time"
Sasha Levin <sashal@kernel.org>
Revert "perf cgroup: Update metric leader in evlist__expand_cgroup"
Pengpeng Hou <pengpeng@iscas.ac.cn>
s390/debug: Reject zero-length input before trimming a newline
Gustavo Sousa <gustavo.sousa@intel.com>
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: validate owner of durable handle on reconnect
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: free sk if last
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: allow ID 0
Gang Yan <yangang@kylinos.cn>
mptcp: sync the msk->sndbuf at accept() time
-------------
Diffstat:
Makefile | 4 +-
arch/arm/boot/dts/renesas/r7s72100-genmai.dts | 3 -
arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts | 2 -
arch/arm/mach-versatile/integrator_cp.c | 13 +-
arch/arm64/Kconfig | 1 -
arch/arm64/include/asm/ftrace.h | 1 +
arch/arm64/include/asm/insn.h | 2 +-
arch/arm64/kvm/arm.c | 4 +-
arch/arm64/kvm/vgic/vgic-its.c | 4 +
arch/loongarch/kernel/kprobes.c | 4 +-
arch/loongarch/mm/init.c | 4 -
arch/powerpc/Kconfig.debug | 3 +-
arch/powerpc/kernel/time.c | 6 +-
arch/riscv/Kconfig | 2 +-
arch/riscv/kernel/mcount.S | 24 +-
arch/riscv/kvm/vcpu_pmu.c | 6 +-
arch/riscv/mm/init.c | 25 ++
arch/s390/kernel/debug.c | 3 +
arch/x86/include/asm/segment.h | 8 +-
arch/x86/kernel/ftrace_64.S | 5 +-
arch/x86/xen/setup.c | 2 +-
block/bio-integrity.c | 76 ++--
block/blk-integrity.c | 12 +-
block/blk-mq.c | 19 +
drivers/accel/qaic/qaic_data.c | 23 +-
drivers/ata/libata-core.c | 9 +-
drivers/ata/libata-eh.c | 8 +-
drivers/ata/libata-pmp.c | 18 +-
drivers/ata/libata-scsi.c | 102 ++---
drivers/ata/sata_sil24.c | 6 +-
drivers/base/memory.c | 8 +-
drivers/block/rbd.c | 20 +-
drivers/block/ublk_drv.c | 3 +
drivers/bluetooth/btmtk.c | 2 +
drivers/bluetooth/hci_ldisc.c | 48 ++-
drivers/firmware/arm_ffa/bus.c | 7 +-
drivers/firmware/arm_ffa/driver.c | 292 +++++++++++----
drivers/firmware/efi/efi.c | 28 +-
drivers/gpio/gpiolib-cdev.c | 21 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 7 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 9 +
.../drm/amd/display/dc/bios/bios_parser_helper.c | 9 +-
drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +-
drivers/gpu/drm/bridge/chipone-icn6211.c | 4 +-
drivers/gpu/drm/bridge/ite-it66121.c | 5 +
.../drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 16 +-
drivers/gpu/drm/i915/display/intel_dp.c | 2 +-
drivers/gpu/drm/imagination/pvr_power.c | 11 +-
drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 24 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
drivers/gpu/drm/msm/msm_iommu.c | 5 +-
drivers/gpu/drm/virtio/virtgpu_drv.h | 1 +
drivers/gpu/drm/virtio/virtgpu_gem.c | 17 +
drivers/gpu/drm/virtio/virtgpu_plane.c | 10 +-
drivers/gpu/drm/xe/display/xe_hdcp_gsc.c | 12 +-
drivers/gpu/drm/xe/xe_gsc.c | 5 +-
drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.c | 6 +-
drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.h | 2 +-
drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 24 +-
drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 6 +-
drivers/gpu/drm/xe/xe_oa.c | 6 +-
drivers/hid/hid-quirks.c | 2 +-
drivers/hid/hid-uclogic-core.c | 4 +-
drivers/hwmon/pmbus/adm1266.c | 32 +-
drivers/hwmon/pmbus/pmbus_core.c | 117 ++++--
drivers/i3c/master/mipi-i3c-hci/dma.c | 25 +-
drivers/infiniband/sw/siw/siw_qp_rx.c | 15 +
drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 2 +-
drivers/iommu/intel/pasid.c | 22 +-
drivers/iommu/intel/pasid.h | 6 +
drivers/irqchip/irq-ath79-cpu.c | 7 -
drivers/net/dsa/mt7530.c | 47 ++-
drivers/net/ethernet/amd/pds_core/debugfs.c | 7 +-
drivers/net/ethernet/amd/pds_core/dev.c | 11 +-
drivers/net/ethernet/amd/pds_core/devlink.c | 6 +-
drivers/net/ethernet/atheros/ag71xx.c | 3 +
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 9 +-
drivers/net/ethernet/cirrus/cs89x0.c | 2 -
drivers/net/ethernet/cortina/gemini.c | 21 +-
drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 4 +-
drivers/net/ethernet/intel/ice/ice_main.c | 10 +-
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 15 +-
drivers/net/ethernet/intel/ice/ice_txrx.c | 7 +-
drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 1 +
drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 7 +-
.../net/ethernet/marvell/octeontx2/af/rvu_npc.c | 2 +-
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +-
.../net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 3 +-
.../net/ethernet/microchip/lan966x/lan966x_main.c | 8 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 35 +-
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +
drivers/net/ifb.c | 11 +-
drivers/net/phy/dp83tc811.c | 1 +
drivers/net/pse-pd/pse_core.c | 2 +-
drivers/net/wireless/ath/ath10k/wmi.c | 17 +-
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +-
drivers/net/wireless/ath/ath11k/hal.c | 14 +-
drivers/net/wireless/ath/ath11k/hal_rx.c | 5 +-
drivers/net/wireless/ath/ath11k/testmode.c | 1 +
drivers/net/wireless/ath/ath11k/wmi.c | 19 +-
drivers/net/wwan/iosm/iosm_ipc_imem.c | 2 +
drivers/nvme/host/ioctl.c | 17 +-
drivers/phy/marvell/phy-mvebu-a3700-utmi.c | 5 +-
drivers/phy/tegra/xusb-tegra186.c | 33 +-
drivers/phy/tegra/xusb.h | 1 +
drivers/pinctrl/qcom/pinctrl-sm8150.c | 8 +-
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +-
.../platform/surface/surface_aggregator_registry.c | 2 -
drivers/platform/x86/adv_swbutton.c | 6 +-
drivers/platform/x86/hp/hp_accel.c | 3 +
drivers/platform/x86/intel/hid.c | 6 +-
drivers/platform/x86/intel/vbtn.c | 6 +-
drivers/scsi/isci/host.c | 3 +
drivers/scsi/sd.c | 3 +-
drivers/spi/spi-dw-dma.c | 2 +-
drivers/spi/spi-ep93xx.c | 2 +
drivers/spi/spi-mtk-snfi.c | 2 +-
drivers/spi/spi-qup.c | 3 +
drivers/spi/spi-sprd.c | 3 +-
drivers/spi/spi-ti-qspi.c | 1 +
fs/btrfs/fs.h | 1 +
fs/btrfs/qgroup.c | 31 +-
fs/netfs/buffered_read.c | 14 +-
fs/netfs/buffered_write.c | 213 +++++++----
fs/netfs/iterator.c | 26 +-
fs/netfs/misc.c | 8 +-
fs/netfs/read_retry.c | 11 +-
fs/netfs/write_issue.c | 41 +-
fs/nfsd/nfs4state.c | 7 +
fs/nsfs.c | 2 +-
fs/ntfs3/file.c | 12 +-
fs/smb/client/cifs_spnego.c | 16 +
fs/smb/client/cifsfs.c | 2 +
fs/smb/client/netlink.c | 6 +-
fs/smb/client/smb2ops.c | 4 +-
fs/smb/client/smb2transport.c | 2 +
fs/smb/server/mgmt/user_session.c | 7 +-
fs/smb/server/oplock.c | 13 +-
fs/smb/server/oplock.h | 1 +
fs/smb/server/smb2pdu.c | 3 +-
fs/smb/server/smbacl.c | 78 +++-
fs/smb/server/vfs_cache.c | 205 ++++++++--
fs/smb/server/vfs_cache.h | 12 +-
fs/sysfs/group.c | 2 +-
fs/zonefs/super.c | 6 +-
include/asm-generic/kprobes.h | 2 +-
include/linux/arm_ffa.h | 3 +
include/linux/bio-integrity.h | 5 +-
include/linux/blk-integrity.h | 5 +-
include/linux/fwnode.h | 1 +
include/linux/libata.h | 7 +-
include/linux/netfilter/x_tables.h | 3 +-
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
include/linux/sched.h | 1 -
include/net/af_unix.h | 1 +
include/net/bluetooth/bluetooth.h | 1 +
include/net/netfilter/nf_queue.h | 1 +
include/trace/events/btrfs.h | 4 +-
include/trace/events/netfs.h | 8 +
io_uring/net.c | 26 +-
io_uring/waitid.c | 1 +
kernel/cgroup/cpuset.c | 8 +-
kernel/irq_work.c | 7 +
kernel/sched/core.c | 2 +
kernel/sched/deadline.c | 19 +-
kernel/sched/debug.c | 6 +-
kernel/sched/ext.c | 5 +-
kernel/sched/fair.c | 16 +-
kernel/sched/sched.h | 37 +-
kernel/trace/ring_buffer.c | 8 +-
kernel/trace/trace_events_hist.c | 6 +-
kernel/trace/tracing_map.c | 17 +-
lib/kunit/Kconfig | 5 +-
lib/test_kprobes.c | 29 +-
mm/damon/sysfs-schemes.c | 1 +
mm/memory_hotplug.c | 2 +
net/batman-adv/bridge_loop_avoidance.c | 54 ++-
net/batman-adv/distributed-arp-table.c | 3 +
net/batman-adv/fragmentation.c | 58 ++-
net/batman-adv/gateway_client.c | 4 +
net/batman-adv/originator.c | 4 +-
net/batman-adv/tp_meter.c | 64 +++-
net/batman-adv/types.h | 17 +-
net/bluetooth/af_bluetooth.c | 99 +++--
net/bluetooth/bnep/core.c | 2 +-
net/bluetooth/iso.c | 14 +-
net/bluetooth/l2cap_core.c | 2 +-
net/bluetooth/l2cap_sock.c | 51 ++-
net/bluetooth/mgmt.c | 6 +
net/bluetooth/rfcomm/sock.c | 9 +-
net/bluetooth/sco.c | 9 +-
net/bridge/br_mrp_netlink.c | 4 +-
net/bridge/br_multicast.c | 27 +-
net/bridge/netfilter/Kconfig | 14 +-
net/bridge/netfilter/ebtable_broute.c | 14 +-
net/bridge/netfilter/ebtable_filter.c | 14 +-
net/bridge/netfilter/ebtable_nat.c | 12 +-
net/bridge/netfilter/ebtables.c | 71 ++--
net/core/gro.c | 3 +
net/core/skmsg.c | 9 +-
net/ethtool/bitset.c | 8 +-
net/ipv4/inet_connection_sock.c | 2 +-
net/ipv4/netfilter/Kconfig | 32 +-
net/ipv4/netfilter/arp_tables.c | 18 +-
net/ipv4/netfilter/arptable_filter.c | 27 +-
net/ipv4/netfilter/ip_tables.c | 18 +-
net/ipv4/netfilter/iptable_filter.c | 27 +-
net/ipv4/netfilter/iptable_mangle.c | 29 +-
net/ipv4/netfilter/iptable_nat.c | 6 +-
net/ipv4/netfilter/iptable_raw.c | 26 +-
net/ipv4/netfilter/iptable_security.c | 27 +-
net/ipv4/raw.c | 2 +-
net/ipv4/tcp_ao.c | 3 +-
net/ipv6/exthdrs.c | 21 +-
net/ipv6/netfilter/Kconfig | 22 +-
net/ipv6/netfilter/ip6_tables.c | 18 +-
net/ipv6/netfilter/ip6t_hbh.c | 4 +
net/ipv6/netfilter/ip6table_filter.c | 26 +-
net/ipv6/netfilter/ip6table_mangle.c | 27 +-
net/ipv6/netfilter/ip6table_nat.c | 6 +-
net/ipv6/netfilter/ip6table_raw.c | 24 +-
net/ipv6/netfilter/ip6table_security.c | 27 +-
net/l2tp/l2tp_core.c | 2 +-
net/mac80211/mlme.c | 2 +-
net/mac80211/parse.c | 71 ++--
net/mptcp/pm_netlink.c | 35 +-
net/mptcp/protocol.c | 3 +-
net/netfilter/Kconfig | 10 +
net/netfilter/ipset/ip_set_hash_ipmark.c | 6 +-
net/netfilter/ipset/ip_set_hash_ipport.c | 5 +-
net/netfilter/ipset/ip_set_hash_ipportip.c | 5 +-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 5 +-
net/netfilter/nf_queue.c | 4 +-
net/netfilter/nfnetlink_queue.c | 2 +
net/netfilter/nft_inner.c | 1 -
net/netfilter/x_tables.c | 116 +++++-
net/phonet/pep.c | 19 +-
net/smc/af_smc.c | 3 +-
net/smc/smc_tracepoint.h | 2 +-
net/tls/tls_sw.c | 46 ++-
net/unix/af_unix.c | 13 +-
net/unix/garbage.c | 79 ++--
net/vmw_vsock/virtio_transport_common.c | 20 +-
net/vmw_vsock/vmci_transport.c | 2 +-
net/wireless/scan.c | 3 +
scripts/package/PKGBUILD | 2 +-
security/landlock/net.c | 118 +++---
security/lsm_syscalls.c | 9 +-
sound/core/pcm_lib.c | 3 +
sound/core/seq/seq_ump_client.c | 22 +-
sound/pci/asihpi/hpicmn.c | 6 +
sound/pci/hda/cs35l41_hda.c | 4 +-
sound/pci/hda/cs35l56_hda.c | 1 +
sound/soc/codecs/cs35l56-sdw.c | 3 +-
sound/usb/misc/ua101.c | 5 +-
sound/usb/mixer_scarlett2.c | 2 +
tools/perf/builtin-list.c | 13 +-
tools/perf/builtin-stat.c | 1 -
tools/perf/util/Build | 1 -
tools/perf/util/cgroup.c | 30 +-
tools/perf/util/evsel.c | 291 ++++++++++++--
tools/perf/util/evsel.h | 30 +-
tools/perf/util/metricgroup.c | 1 -
tools/perf/util/parse-events.c | 59 ++-
tools/perf/util/parse-events.h | 5 +
tools/perf/util/parse-events.l | 11 +
tools/perf/util/parse-events.y | 16 +
tools/perf/util/pmu.c | 20 +-
tools/perf/util/pmu.h | 2 -
tools/perf/util/pmus.c | 9 -
tools/perf/util/print-events.c | 36 +-
tools/perf/util/print-events.h | 1 +
tools/perf/util/python.c | 61 ---
tools/perf/util/stat-display.c | 6 +-
tools/perf/util/stat-shadow.c | 1 -
tools/perf/util/tool_pmu.c | 417 ---------------------
tools/perf/util/tool_pmu.h | 51 ---
tools/testing/selftests/mm/run_vmtests.sh | 2 +-
280 files changed, 3293 insertions(+), 1966 deletions(-)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 001/272] mptcp: sync the msk->sndbuf at accept() time
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 002/272] mptcp: pm: ADD_ADDR rtx: allow ID 0 Greg Kroah-Hartman
` (277 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gang Yan, Paolo Abeni,
Matthieu Baerts (NGI0), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
commit fcf04b14334641f4b0b8647824480935e9416d52 upstream.
On passive MPTCP connections, the msk sndbuf is not updated correctly.
The root cause is an order issue in the accept path:
- tcp_check_req() -> subflow_syn_recv_sock() -> mptcp_sk_clone_init()
calls __mptcp_propagate_sndbuf() to copy the ssk sndbuf into msk
- Later, tcp_child_process() -> tcp_init_transfer() ->
tcp_sndbuf_expand() grows the ssk sndbuf.
So __mptcp_propagate_sndbuf() runs before the ssk sndbuf has been
expanded and the msk ends up with a much smaller sndbuf than the
subflow:
MPTCP: msk->sndbuf:20480, msk->first->sndbuf:2626560
Fix this by moving the __mptcp_propagate_sndbuf() call from
mptcp_sk_clone_init() -- the ssk sndbuf is not yet finalized there -- to
__mptcp_propagate_sndbuf() at accept() time, when the ssk sndbuf has
been fully expanded by tcp_sndbuf_expand().
Fixes: 8005184fd1ca ("mptcp: refactor sndbuf auto-tuning")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/602
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260420-net-mptcp-sync-sndbuf-accept-v1-1-e3523e3aeb44@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ No conflicts, but move __mptcp_propagate_sndbuf() above the for-loop
(mptcp_for_each_subflow()) present in this version, which will modify
'subflow' used by __mptcp_propagate_sndbuf() in this new patch. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mptcp/protocol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 7dbb666c72c30..c1b1fb0fe8bcb 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3493,7 +3493,6 @@ struct sock *mptcp_sk_clone_init(const struct sock *sk,
* uses the correct data
*/
mptcp_copy_inaddrs(nsk, ssk);
- __mptcp_propagate_sndbuf(nsk, ssk);
mptcp_rcv_space_init(msk, ssk);
msk->rcvq_space.time = mptcp_stamp();
@@ -4101,6 +4100,8 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock,
msk = mptcp_sk(newsk);
msk->in_accept_queue = 0;
+ __mptcp_propagate_sndbuf(newsk, mptcp_subflow_tcp_sock(subflow));
+
/* set ssk->sk_socket of accept()ed flows to mptcp socket.
* This is needed so NOSPACE flag can be set from tcp stack.
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 002/272] mptcp: pm: ADD_ADDR rtx: allow ID 0
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 001/272] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 003/272] mptcp: pm: ADD_ADDR rtx: always decrease sk refcount Greg Kroah-Hartman
` (276 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 03f324f3f1f7619a47b9c91282cb12775ab0a2f1 upstream.
ADD_ADDR can be sent for the ID 0, which corresponds to the local
address and port linked to the initial subflow.
Indeed, this address could be removed, and re-added later on, e.g. what
is done in the "delete re-add signal" MPTCP Join selftests. So no reason
to ignore it.
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mptcp/pm_netlink.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index 5d892583ab4ef..857e8db670a75 100644
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -304,9 +304,6 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
if (inet_sk_state_load(sk) == TCP_CLOSE)
return;
- if (!entry->addr.id)
- return;
-
bh_lock_sock(sk);
if (sock_owned_by_user(sk)) {
/* Try again later. */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 003/272] mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 001/272] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 002/272] mptcp: pm: ADD_ADDR rtx: allow ID 0 Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 004/272] mptcp: pm: ADD_ADDR rtx: free sk if last Greg Kroah-Hartman
` (275 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 9634cb35af17019baec21ca648516ce376fa10e6 upstream.
When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().
It should then be released in all cases at the end.
Some (unlikely) checks were returning directly instead of calling
sock_put() to decrease the refcount. Jump to a new 'exit' label to call
__sock_put() (which will become sock_put() in the next commit) to fix
this potential leak.
While at it, drop the '!msk' check which cannot happen because it is
never reset, and explicitly mark the remaining one as "unlikely".
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-4-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mptcp/pm_netlink.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index 857e8db670a75..be531df02c371 100644
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -298,11 +298,8 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
pr_debug("msk=%p\n", msk);
- if (!msk)
- return;
-
- if (inet_sk_state_load(sk) == TCP_CLOSE)
- return;
+ if (unlikely(inet_sk_state_load(sk) == TCP_CLOSE))
+ goto exit;
bh_lock_sock(sk);
if (sock_owned_by_user(sk)) {
@@ -340,6 +337,7 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
out:
bh_unlock_sock(sk);
+exit:
__sock_put(sk);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 004/272] mptcp: pm: ADD_ADDR rtx: free sk if last
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 003/272] mptcp: pm: ADD_ADDR rtx: always decrease sk refcount Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 005/272] ksmbd: validate owner of durable handle on reconnect Greg Kroah-Hartman
` (274 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit b7b9a461569734d33d3259d58d2507adfac107ed upstream.
When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),
and released at the end.
If at that moment, it was the last reference being held, the sk would
not be freed. sock_put() should then be called instead of __sock_put().
But that's not enough: if it is the last reference, sock_put() will call
sk_free(), which will end up calling sk_stop_timer_sync() on the same
timer, and waiting indefinitely to finish. So it is needed to mark that
the timer is done at the end of the timer handler when it has not been
rescheduled, not to call sk_stop_timer_sync() on "itself".
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-5-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c.
Also, there were conflicts, because commit 30549eebc4d8 ("mptcp: make
ADD_ADDR retransmission timeout adaptive") is not in this version and
changed the context. Also, other conflicts were due to newer patches
being backported with resolved conflicts before this one. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mptcp/pm_netlink.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index be531df02c371..4ff6721ad5c7a 100644
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -22,6 +22,7 @@ struct mptcp_pm_add_entry {
struct list_head list;
struct mptcp_addr_info addr;
u8 retrans_times;
+ bool timer_done;
struct timer_list add_timer;
struct mptcp_sock *sock;
struct rcu_head rcu;
@@ -294,22 +295,22 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer);
struct mptcp_sock *msk = entry->sock;
struct sock *sk = (struct sock *)msk;
- unsigned int timeout;
+ unsigned int timeout = 0;
pr_debug("msk=%p\n", msk);
+ bh_lock_sock(sk);
if (unlikely(inet_sk_state_load(sk) == TCP_CLOSE))
- goto exit;
+ goto out;
- bh_lock_sock(sk);
if (sock_owned_by_user(sk)) {
/* Try again later. */
- sk_reset_timer(sk, timer, jiffies + HZ / 20);
+ timeout = HZ / 20;
goto out;
}
if (mptcp_pm_should_add_signal_addr(msk)) {
- sk_reset_timer(sk, timer, jiffies + HZ);
+ timeout = HZ;
goto out;
}
@@ -326,9 +327,8 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
entry->retrans_times++;
}
- if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
- sk_reset_timer(sk, timer,
- jiffies + timeout);
+ if (entry->retrans_times >= ADD_ADDR_RETRANS_MAX)
+ timeout = 0;
spin_unlock_bh(&msk->pm.lock);
@@ -336,9 +336,13 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
mptcp_pm_subflow_established(msk);
out:
+ if (timeout)
+ sk_reset_timer(sk, timer, jiffies + timeout);
+ else
+ /* if sock_put calls sk_free: avoid waiting for this timer */
+ entry->timer_done = true;
bh_unlock_sock(sk);
-exit:
- __sock_put(sk);
+ sock_put(sk);
}
struct mptcp_pm_add_entry *
@@ -402,6 +406,7 @@ bool mptcp_pm_alloc_anno_list(struct mptcp_sock *msk,
timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
reset_timer:
+ add_entry->timer_done = false;
timeout = mptcp_get_add_addr_timeout(net);
if (timeout)
sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
@@ -422,7 +427,8 @@ void mptcp_pm_free_anno_list(struct mptcp_sock *msk)
spin_unlock_bh(&msk->pm.lock);
list_for_each_entry_safe(entry, tmp, &free_list, list) {
- sk_stop_timer_sync(sk, &entry->add_timer);
+ if (!entry->timer_done)
+ sk_stop_timer_sync(sk, &entry->add_timer);
kfree_rcu(entry, rcu);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 005/272] ksmbd: validate owner of durable handle on reconnect
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 004/272] mptcp: pm: ADD_ADDR rtx: free sk if last Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 006/272] drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() Greg Kroah-Hartman
` (273 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davide Ornaghi, Navaneeth K,
Namjae Jeon, Steve French, Alva Lan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 49110a8ce654bbe56bef7c5e44cce31f4b102b8a ]
Currently, ksmbd does not verify if the user attempting to reconnect
to a durable handle is the same user who originally opened the file.
This allows any authenticated user to hijack an orphaned durable handle
by predicting or brute-forcing the persistent ID.
According to MS-SMB2, the server MUST verify that the SecurityContext
of the reconnect request matches the SecurityContext associated with
the existing open.
Add a durable_owner structure to ksmbd_file to store the original opener's
UID, GID, and account name. and catpure the owner information when a file
handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()
to validate the identity of the requester during SMB2_CREATE (DHnC).
Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Reported-by: Navaneeth K <knavaneeth786@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 7 ++-
fs/smb/server/oplock.c | 7 +++
fs/smb/server/oplock.h | 1 +
fs/smb/server/smb2pdu.c | 3 +-
fs/smb/server/vfs_cache.c | 87 +++++++++++++++++++++++++++----
fs/smb/server/vfs_cache.h | 12 ++++-
6 files changed, 102 insertions(+), 15 deletions(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index 151248e02e9eb..ecd511351f19b 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -161,11 +161,10 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
if (!sess)
return;
+ ksmbd_tree_conn_session_logoff(sess);
+ ksmbd_destroy_file_table(sess);
if (sess->user)
ksmbd_free_user(sess->user);
-
- ksmbd_tree_conn_session_logoff(sess);
- ksmbd_destroy_file_table(&sess->file_table);
ksmbd_launch_ksmbd_durable_scavenger();
ksmbd_session_rpc_clear_list(sess);
free_channel_list(sess);
@@ -402,7 +401,7 @@ void destroy_previous_session(struct ksmbd_conn *conn,
goto out;
}
- ksmbd_destroy_file_table(&prev_sess->file_table);
+ ksmbd_destroy_file_table(prev_sess);
prev_sess->state = SMB2_SESSION_EXPIRED;
ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
ksmbd_launch_ksmbd_durable_scavenger();
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index 590ddd31a68da..bbb2cb3782d0c 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1841,6 +1841,7 @@ int smb2_check_durable_oplock(struct ksmbd_conn *conn,
struct ksmbd_share_config *share,
struct ksmbd_file *fp,
struct lease_ctx_info *lctx,
+ struct ksmbd_user *user,
char *name)
{
struct oplock_info *opinfo = opinfo_get(fp);
@@ -1849,6 +1850,12 @@ int smb2_check_durable_oplock(struct ksmbd_conn *conn,
if (!opinfo)
return 0;
+ if (ksmbd_vfs_compare_durable_owner(fp, user) == false) {
+ ksmbd_debug(SMB, "Durable handle reconnect failed: owner mismatch\n");
+ ret = -EBADF;
+ goto out;
+ }
+
if (opinfo->is_lease == false) {
if (lctx) {
pr_err("create context include lease\n");
diff --git a/fs/smb/server/oplock.h b/fs/smb/server/oplock.h
index 921e3199e4df4..d91a8266e065e 100644
--- a/fs/smb/server/oplock.h
+++ b/fs/smb/server/oplock.h
@@ -126,5 +126,6 @@ int smb2_check_durable_oplock(struct ksmbd_conn *conn,
struct ksmbd_share_config *share,
struct ksmbd_file *fp,
struct lease_ctx_info *lctx,
+ struct ksmbd_user *user,
char *name);
#endif /* __KSMBD_OPLOCK_H */
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 700d9da3c65a9..a691801e1d7bd 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3016,7 +3016,8 @@ int smb2_open(struct ksmbd_work *work)
}
if (dh_info.reconnected == true) {
- rc = smb2_check_durable_oplock(conn, share, dh_info.fp, lc, name);
+ rc = smb2_check_durable_oplock(conn, share, dh_info.fp,
+ lc, sess->user, name);
if (rc) {
ksmbd_put_durable_fd(dh_info.fp);
goto err_out2;
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index 08f25a2d75416..d29cc1d01bd2c 100644
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -18,6 +18,7 @@
#include "connection.h"
#include "mgmt/tree_connect.h"
#include "mgmt/user_session.h"
+#include "mgmt/user_config.h"
#include "smb_common.h"
#include "server.h"
@@ -383,6 +384,8 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
if (ksmbd_stream_fd(fp))
kfree(fp->stream.name);
+ kfree(fp->owner.name);
+
kmem_cache_free(filp_cache, fp);
}
@@ -694,11 +697,13 @@ void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
}
static int
-__close_file_table_ids(struct ksmbd_file_table *ft,
+__close_file_table_ids(struct ksmbd_session *sess,
struct ksmbd_tree_connect *tcon,
bool (*skip)(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp))
+ struct ksmbd_file *fp,
+ struct ksmbd_user *user))
{
+ struct ksmbd_file_table *ft = &sess->file_table;
struct ksmbd_file *fp;
unsigned int id = 0;
int num = 0;
@@ -711,7 +716,7 @@ __close_file_table_ids(struct ksmbd_file_table *ft,
break;
}
- if (skip(tcon, fp) ||
+ if (skip(tcon, fp, sess->user) ||
!atomic_dec_and_test(&fp->refcount)) {
id++;
write_unlock(&ft->lock);
@@ -763,7 +768,8 @@ static inline bool is_reconnectable(struct ksmbd_file *fp)
}
static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp)
+ struct ksmbd_file *fp,
+ struct ksmbd_user *user)
{
return fp->tcon != tcon;
}
@@ -898,8 +904,62 @@ void ksmbd_stop_durable_scavenger(void)
kthread_stop(server_conf.dh_task);
}
+/*
+ * ksmbd_vfs_copy_durable_owner - Copy owner info for durable reconnect
+ * @fp: ksmbd file pointer to store owner info
+ * @user: user pointer to copy from
+ *
+ * This function binds the current user's identity to the file handle
+ * to satisfy MS-SMB2 Step 8 (SecurityContext matching) during reconnect.
+ *
+ * Return: 0 on success, or negative error code on failure
+ */
+static int ksmbd_vfs_copy_durable_owner(struct ksmbd_file *fp,
+ struct ksmbd_user *user)
+{
+ if (!user)
+ return -EINVAL;
+
+ /* Duplicate the user name to ensure identity persistence */
+ fp->owner.name = kstrdup(user->name, GFP_KERNEL);
+ if (!fp->owner.name)
+ return -ENOMEM;
+
+ fp->owner.uid = user->uid;
+ fp->owner.gid = user->gid;
+
+ return 0;
+}
+
+/**
+ * ksmbd_vfs_compare_durable_owner - Verify if the requester is original owner
+ * @fp: existing ksmbd file pointer
+ * @user: user pointer of the reconnect requester
+ *
+ * Compares the UID, GID, and name of the current requester against the
+ * original owner stored in the file handle.
+ *
+ * Return: true if the user matches, false otherwise
+ */
+bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp,
+ struct ksmbd_user *user)
+{
+ if (!user || !fp->owner.name)
+ return false;
+
+ /* Check if the UID and GID match first (fast path) */
+ if (fp->owner.uid != user->uid || fp->owner.gid != user->gid)
+ return false;
+
+ /* Validate the account name to ensure the same SecurityContext */
+ if (strcmp(fp->owner.name, user->name))
+ return false;
+
+ return true;
+}
+
static bool session_fd_check(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp)
+ struct ksmbd_file *fp, struct ksmbd_user *user)
{
struct ksmbd_inode *ci;
struct oplock_info *op;
@@ -909,6 +969,9 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
if (!is_reconnectable(fp))
return false;
+ if (ksmbd_vfs_copy_durable_owner(fp, user))
+ return false;
+
conn = fp->conn;
ci = fp->f_ci;
down_write(&ci->m_lock);
@@ -940,7 +1003,7 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
{
- int num = __close_file_table_ids(&work->sess->file_table,
+ int num = __close_file_table_ids(work->sess,
work->tcon,
tree_conn_fd_check);
@@ -949,7 +1012,7 @@ void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
void ksmbd_close_session_fds(struct ksmbd_work *work)
{
- int num = __close_file_table_ids(&work->sess->file_table,
+ int num = __close_file_table_ids(work->sess,
work->tcon,
session_fd_check);
@@ -1046,6 +1109,10 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
}
up_write(&ci->m_lock);
+ fp->owner.uid = fp->owner.gid = 0;
+ kfree(fp->owner.name);
+ fp->owner.name = NULL;
+
return 0;
}
@@ -1060,12 +1127,14 @@ int ksmbd_init_file_table(struct ksmbd_file_table *ft)
return 0;
}
-void ksmbd_destroy_file_table(struct ksmbd_file_table *ft)
+void ksmbd_destroy_file_table(struct ksmbd_session *sess)
{
+ struct ksmbd_file_table *ft = &sess->file_table;
+
if (!ft->idr)
return;
- __close_file_table_ids(ft, NULL, session_fd_check);
+ __close_file_table_ids(sess, NULL, session_fd_check);
idr_destroy(ft->idr);
kfree(ft->idr);
ft->idr = NULL;
diff --git a/fs/smb/server/vfs_cache.h b/fs/smb/server/vfs_cache.h
index 5bbb179736c29..1b2a947490ca5 100644
--- a/fs/smb/server/vfs_cache.h
+++ b/fs/smb/server/vfs_cache.h
@@ -67,6 +67,13 @@ enum {
FP_CLOSED
};
+/* Owner information for durable handle reconnect */
+struct durable_owner {
+ unsigned int uid;
+ unsigned int gid;
+ char *name;
+};
+
struct ksmbd_file {
struct file *filp;
u64 persistent_id;
@@ -111,6 +118,7 @@ struct ksmbd_file {
bool is_durable;
bool is_persistent;
bool is_resilient;
+ struct durable_owner owner;
};
static inline void set_ctx_actor(struct dir_context *ctx,
@@ -137,7 +145,7 @@ static inline bool ksmbd_stream_fd(struct ksmbd_file *fp)
}
int ksmbd_init_file_table(struct ksmbd_file_table *ft);
-void ksmbd_destroy_file_table(struct ksmbd_file_table *ft);
+void ksmbd_destroy_file_table(struct ksmbd_session *sess);
int ksmbd_close_fd(struct ksmbd_work *work, u64 id);
struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id);
struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id);
@@ -163,6 +171,8 @@ void ksmbd_free_global_file_table(void);
void ksmbd_set_fd_limit(unsigned long limit);
void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
unsigned int state);
+bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp,
+ struct ksmbd_user *user);
/*
* INODE hash
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 006/272] drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 005/272] ksmbd: validate owner of durable handle on reconnect Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 007/272] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
` (272 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Roper, Shuicheng Lin,
Gustavo Sousa, Matthew Brost, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo Sousa <gustavo.sousa@intel.com>
commit 60a1e131a811b68703da58fd805ab359b704ab03 upstream.
When media GT is disabled via configfs, there is no allocation for
media_gt, which is kept as NULL. In such scenario,
intel_hdcp_gsc_check_status() results in a kernel pagefault error due to
>->uc.gsc being evaluated as an invalid memory address.
Fix that by introducing a NULL check on media_gt and bailing out early
if so.
While at it, also drop the NULL check for gsc, since it can't be NULL if
media_gt is not NULL.
v2:
- Get address for gsc only after checking that gt is not NULL.
(Shuicheng)
- Drop the NULL check for gsc. (Shuicheng)
v3:
- Add "Fixes" and "Cc: <stable...>" tags. (Matt)
Fixes: 4af50beb4e0f ("drm/xe: Use gsc_proxy_init_done to check proxy status")
Cc: <stable@vger.kernel.org> # v6.10+
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com>
Link: https://patch.msgid.link/20260416-check-for-null-media_gt-in-intel_hdcp_gsc_check_status-v2-1-9adb9fd3b621@intel.com
Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com>
(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/display/xe_hdcp_gsc.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c b/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c
index f4332f06b6c80..695d625c83ee6 100644
--- a/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c
+++ b/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c
@@ -39,10 +39,18 @@ bool intel_hdcp_gsc_check_status(struct xe_device *xe)
{
struct xe_tile *tile = xe_device_get_root_tile(xe);
struct xe_gt *gt = tile->media_gt;
- struct xe_gsc *gsc = >->uc.gsc;
+ struct xe_gsc *gsc;
bool ret = true;
- if (!gsc || !xe_uc_fw_is_enabled(&gsc->fw)) {
+ if (!gt) {
+ drm_dbg_kms(&xe->drm,
+ "not checking GSC status for HDCP2.x: media GT not present or disabled\n");
+ return false;
+ }
+
+ gsc = >->uc.gsc;
+
+ if (!xe_uc_fw_is_enabled(&gsc->fw)) {
drm_dbg_kms(&xe->drm,
"GSC Components not ready for HDCP2.x\n");
return false;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 007/272] s390/debug: Reject zero-length input before trimming a newline
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 006/272] drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 008/272] Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" Greg Kroah-Hartman
` (271 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Benjamin Block,
Vasily Gorbik, Alexander Gordeev, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit c366a7b5ed7564e41345c380285bd3f6cb98971b ]
debug_get_user_string() copies the userspace buffer into a newly
allocated NUL-terminated buffer and then unconditionally looks at
buffer[user_len - 1] to strip a trailing newline.
A zero-length write reaches this helper unchanged, so the newline trim
reads before the start of the allocated buffer.
Reject empty writes before accessing the last input byte.
Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260417073530.96002-1-pengpeng@iscas.ac.cn
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/debug.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index e4b324dcfe0d3..16bb554a07fef 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1256,6 +1256,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
{
char *buffer;
+ if (!user_len)
+ return ERR_PTR(-EINVAL);
+
buffer = kmalloc(user_len + 1, GFP_KERNEL);
if (!buffer)
return ERR_PTR(-ENOMEM);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 008/272] Revert "perf cgroup: Update metric leader in evlist__expand_cgroup"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 007/272] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 009/272] Revert "perf tool_pmu: Fix aggregation on duration_time" Greg Kroah-Hartman
` (270 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit d26e31446c0fa96feca0b7701243b42447225d33.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/cgroup.c | 30 +++++++-----------------------
1 file changed, 7 insertions(+), 23 deletions(-)
diff --git a/tools/perf/util/cgroup.c b/tools/perf/util/cgroup.c
index e172bcdf7fcb1..fbcc0626f9ce2 100644
--- a/tools/perf/util/cgroup.c
+++ b/tools/perf/util/cgroup.c
@@ -417,6 +417,7 @@ int evlist__expand_cgroup(struct evlist *evlist, const char *str,
struct rblist *metric_events, bool open_cgroup)
{
struct evlist *orig_list, *tmp_list;
+ struct evsel *pos, *evsel, *leader;
struct rblist orig_metric_events;
struct cgroup *cgrp = NULL;
struct cgroup_name *cn;
@@ -455,7 +456,6 @@ int evlist__expand_cgroup(struct evlist *evlist, const char *str,
goto out_err;
list_for_each_entry(cn, &cgroup_list, list) {
- struct evsel *pos;
char *name;
if (!cn->used)
@@ -471,37 +471,21 @@ int evlist__expand_cgroup(struct evlist *evlist, const char *str,
if (cgrp == NULL)
continue;
- /* copy the list and set to the new cgroup. */
+ leader = NULL;
evlist__for_each_entry(orig_list, pos) {
- struct evsel *evsel = evsel__clone(/*dest=*/NULL, pos);
-
+ evsel = evsel__clone(/*dest=*/NULL, pos);
if (evsel == NULL)
goto out_err;
- /* stash the copy during the copying. */
- pos->priv = evsel;
cgroup__put(evsel->cgrp);
evsel->cgrp = cgroup__get(cgrp);
- evlist__add(tmp_list, evsel);
- }
- /* update leader information using stashed pointer to copy. */
- evlist__for_each_entry(orig_list, pos) {
- struct evsel *evsel = pos->priv;
-
- if (evsel__leader(pos))
- evsel__set_leader(evsel, evsel__leader(pos)->priv);
-
- if (pos->metric_leader)
- evsel->metric_leader = pos->metric_leader->priv;
+ if (evsel__is_group_leader(pos))
+ leader = evsel;
+ evsel__set_leader(evsel, leader);
- if (pos->first_wildcard_match)
- evsel->first_wildcard_match = pos->first_wildcard_match->priv;
+ evlist__add(tmp_list, evsel);
}
- /* the stashed copy is no longer used. */
- evlist__for_each_entry(orig_list, pos)
- pos->priv = NULL;
-
/* cgroup__new() has a refcount, release it here */
cgroup__put(cgrp);
nr_cgroups++;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 009/272] Revert "perf tool_pmu: Fix aggregation on duration_time"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 008/272] Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 010/272] Revert "perf python: Add parse_events function" Greg Kroah-Hartman
` (269 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 310be445ab1028315627b326516f193511cb1c97.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/tool_pmu.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/tools/perf/util/tool_pmu.c b/tools/perf/util/tool_pmu.c
index 3d1d6b3352ec7..f41fed39d70d8 100644
--- a/tools/perf/util/tool_pmu.c
+++ b/tools/perf/util/tool_pmu.c
@@ -392,14 +392,8 @@ int evsel__read_tool(struct evsel *evsel, int cpu_map_idx, int thread)
delta_start *= 1000000000 / ticks_per_sec;
}
count->val = delta_start;
+ count->ena = count->run = delta_start;
count->lost = 0;
- /*
- * The values of enabled and running must make a ratio of 100%. The
- * exact values don't matter as long as they are non-zero to avoid
- * issues with evsel__count_has_error.
- */
- count->ena++;
- count->run++;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 010/272] Revert "perf python: Add parse_events function"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 009/272] Revert "perf tool_pmu: Fix aggregation on duration_time" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 011/272] Revert "perf tool_pmu: Factor tool events into their own PMU" Greg Kroah-Hartman
` (268 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 9cd264079fab9867dbc9fbc8a1e521996e3d7212.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/cgroup.c | 2 +-
tools/perf/util/evsel.c | 19 +++++--------
tools/perf/util/evsel.h | 2 +-
tools/perf/util/python.c | 61 ----------------------------------------
4 files changed, 9 insertions(+), 75 deletions(-)
diff --git a/tools/perf/util/cgroup.c b/tools/perf/util/cgroup.c
index fbcc0626f9ce2..0f759dd96db71 100644
--- a/tools/perf/util/cgroup.c
+++ b/tools/perf/util/cgroup.c
@@ -473,7 +473,7 @@ int evlist__expand_cgroup(struct evlist *evlist, const char *str,
leader = NULL;
evlist__for_each_entry(orig_list, pos) {
- evsel = evsel__clone(/*dest=*/NULL, pos);
+ evsel = evsel__clone(pos);
if (evsel == NULL)
goto out_err;
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 45a7ed5c7a473..d2965dc49bac2 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -332,7 +332,7 @@ static int evsel__copy_config_terms(struct evsel *dst, struct evsel *src)
* The assumption is that @orig is not configured nor opened yet.
* So we only care about the attributes that can be set while it's parsed.
*/
-struct evsel *evsel__clone(struct evsel *dest, struct evsel *orig)
+struct evsel *evsel__clone(struct evsel *orig)
{
struct evsel *evsel;
@@ -345,11 +345,7 @@ struct evsel *evsel__clone(struct evsel *dest, struct evsel *orig)
if (orig->bpf_obj)
return NULL;
- if (dest)
- evsel = dest;
- else
- evsel = evsel__new(&orig->core.attr);
-
+ evsel = evsel__new(&orig->core.attr);
if (evsel == NULL)
return NULL;
@@ -399,12 +395,11 @@ struct evsel *evsel__clone(struct evsel *dest, struct evsel *orig)
evsel->core.leader = orig->core.leader;
evsel->max_events = orig->max_events;
- zfree(&evsel->unit);
- if (orig->unit) {
- evsel->unit = strdup(orig->unit);
- if (evsel->unit == NULL)
- goto out_err;
- }
+ free((char *)evsel->unit);
+ evsel->unit = strdup(orig->unit);
+ if (evsel->unit == NULL)
+ goto out_err;
+
evsel->scale = orig->scale;
evsel->snapshot = orig->snapshot;
evsel->per_pkg = orig->per_pkg;
diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h
index 0e64b9f17f0a6..b23fa3ca88883 100644
--- a/tools/perf/util/evsel.h
+++ b/tools/perf/util/evsel.h
@@ -241,7 +241,7 @@ static inline struct evsel *evsel__new(struct perf_event_attr *attr)
return evsel__new_idx(attr, 0);
}
-struct evsel *evsel__clone(struct evsel *dest, struct evsel *orig);
+struct evsel *evsel__clone(struct evsel *orig);
int copy_config_terms(struct list_head *dst, struct list_head *src);
void free_config_terms(struct list_head *config_terms);
diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
index 5060dc801dede..e7f36ea9e2fa1 100644
--- a/tools/perf/util/python.c
+++ b/tools/perf/util/python.c
@@ -13,7 +13,6 @@
#include "evsel.h"
#include "event.h"
#include "print_binary.h"
-#include "strbuf.h"
#include "thread_map.h"
#include "trace-event.h"
#include "mmap.h"
@@ -1248,60 +1247,6 @@ static PyObject *pyrf__tracepoint(struct pyrf_evsel *pevsel,
#endif // HAVE_LIBTRACEEVENT
}
-static PyObject *pyrf_evsel__from_evsel(struct evsel *evsel)
-{
- struct pyrf_evsel *pevsel = PyObject_New(struct pyrf_evsel, &pyrf_evsel__type);
-
- if (!pevsel)
- return NULL;
-
- memset(&pevsel->evsel, 0, sizeof(pevsel->evsel));
- evsel__init(&pevsel->evsel, &evsel->core.attr, evsel->core.idx);
-
- evsel__clone(&pevsel->evsel, evsel);
- return (PyObject *)pevsel;
-}
-
-static PyObject *pyrf_evlist__from_evlist(struct evlist *evlist)
-{
- struct pyrf_evlist *pevlist = PyObject_New(struct pyrf_evlist, &pyrf_evlist__type);
- struct evsel *pos;
-
- if (!pevlist)
- return NULL;
-
- memset(&pevlist->evlist, 0, sizeof(pevlist->evlist));
- evlist__init(&pevlist->evlist, evlist->core.all_cpus, evlist->core.threads);
- evlist__for_each_entry(evlist, pos) {
- struct pyrf_evsel *pevsel = (void *)pyrf_evsel__from_evsel(pos);
-
- evlist__add(&pevlist->evlist, &pevsel->evsel);
- }
- return (PyObject *)pevlist;
-}
-
-static PyObject *pyrf__parse_events(PyObject *self, PyObject *args)
-{
- const char *input;
- struct evlist evlist = {};
- struct parse_events_error err;
- PyObject *result;
-
- if (!PyArg_ParseTuple(args, "s", &input))
- return NULL;
-
- parse_events_error__init(&err);
- evlist__init(&evlist, NULL, NULL);
- if (parse_events(&evlist, input, &err)) {
- parse_events_error__print(&err, input);
- PyErr_SetFromErrno(PyExc_OSError);
- return NULL;
- }
- result = pyrf_evlist__from_evlist(&evlist);
- evlist__exit(&evlist);
- return result;
-}
-
static PyMethodDef perf__methods[] = {
{
.ml_name = "tracepoint",
@@ -1309,12 +1254,6 @@ static PyMethodDef perf__methods[] = {
.ml_flags = METH_VARARGS | METH_KEYWORDS,
.ml_doc = PyDoc_STR("Get tracepoint config.")
},
- {
- .ml_name = "parse_events",
- .ml_meth = (PyCFunction) pyrf__parse_events,
- .ml_flags = METH_VARARGS,
- .ml_doc = PyDoc_STR("Parse a string of events and return an evlist.")
- },
{ .ml_name = NULL, }
};
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 011/272] Revert "perf tool_pmu: Factor tool events into their own PMU"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 010/272] Revert "perf python: Add parse_events function" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 012/272] bridge: mrp: reject zero test interval to avoid OOM panic Greg Kroah-Hartman
` (267 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 7cfcd01f33fc3400c60f923d2896a8cdc60cecc4.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-list.c | 13 +-
tools/perf/builtin-stat.c | 1 -
tools/perf/util/Build | 1 -
tools/perf/util/evsel.c | 272 ++++++++++++++++++++--
tools/perf/util/evsel.h | 28 ++-
tools/perf/util/metricgroup.c | 1 -
tools/perf/util/parse-events.c | 39 ++++
tools/perf/util/parse-events.h | 3 +
tools/perf/util/parse-events.l | 11 +
tools/perf/util/parse-events.y | 16 ++
tools/perf/util/pmu.c | 20 +-
tools/perf/util/pmu.h | 2 -
tools/perf/util/pmus.c | 9 -
tools/perf/util/print-events.c | 36 ++-
tools/perf/util/print-events.h | 1 +
tools/perf/util/stat-display.c | 6 +-
tools/perf/util/stat-shadow.c | 1 -
tools/perf/util/tool_pmu.c | 411 ---------------------------------
tools/perf/util/tool_pmu.h | 51 ----
19 files changed, 392 insertions(+), 530 deletions(-)
delete mode 100644 tools/perf/util/tool_pmu.c
delete mode 100644 tools/perf/util/tool_pmu.h
diff --git a/tools/perf/builtin-list.c b/tools/perf/builtin-list.c
index 9e7fdfcdd7ffb..c5331721dfee9 100644
--- a/tools/perf/builtin-list.c
+++ b/tools/perf/builtin-list.c
@@ -19,7 +19,6 @@
#include "util/string2.h"
#include "util/strlist.h"
#include "util/strbuf.h"
-#include "util/tool_pmu.h"
#include <subcmd/pager.h>
#include <subcmd/parse-options.h>
#include <linux/zalloc.h>
@@ -615,18 +614,9 @@ int cmd_list(int argc, const char **argv)
event_symbols_hw, PERF_COUNT_HW_MAX);
else if (strcmp(argv[i], "sw") == 0 ||
strcmp(argv[i], "software") == 0) {
- char *old_pmu_glob = default_ps.pmu_glob;
-
print_symbol_events(&print_cb, ps, PERF_TYPE_SOFTWARE,
event_symbols_sw, PERF_COUNT_SW_MAX);
- default_ps.pmu_glob = strdup("tool");
- if (!default_ps.pmu_glob) {
- ret = -1;
- goto out;
- }
- perf_pmus__print_pmu_events(&print_cb, ps);
- zfree(&default_ps.pmu_glob);
- default_ps.pmu_glob = old_pmu_glob;
+ print_tool_events(&print_cb, ps);
} else if (strcmp(argv[i], "cache") == 0 ||
strcmp(argv[i], "hwcache") == 0)
print_hwcache_events(&print_cb, ps);
@@ -674,6 +664,7 @@ int cmd_list(int argc, const char **argv)
event_symbols_hw, PERF_COUNT_HW_MAX);
print_symbol_events(&print_cb, ps, PERF_TYPE_SOFTWARE,
event_symbols_sw, PERF_COUNT_SW_MAX);
+ print_tool_events(&print_cb, ps);
print_hwcache_events(&print_cb, ps);
perf_pmus__print_pmu_events(&print_cb, ps);
print_tracepoint_events(&print_cb, ps);
diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
index e8708f785e7f2..e476598de8083 100644
--- a/tools/perf/builtin-stat.c
+++ b/tools/perf/builtin-stat.c
@@ -46,7 +46,6 @@
#include "util/parse-events.h"
#include "util/pmus.h"
#include "util/pmu.h"
-#include "util/tool_pmu.h"
#include "util/event.h"
#include "util/evlist.h"
#include "util/evsel.h"
diff --git a/tools/perf/util/Build b/tools/perf/util/Build
index fa508e113dd0c..dc616292b2ddf 100644
--- a/tools/perf/util/Build
+++ b/tools/perf/util/Build
@@ -83,7 +83,6 @@ perf-util-y += pmu.o
perf-util-y += pmus.o
perf-util-y += pmu-flex.o
perf-util-y += pmu-bison.o
-perf-util-y += tool_pmu.o
perf-util-y += svghelper.o
perf-util-$(CONFIG_LIBTRACEEVENT) += trace-event-info.o
perf-util-y += trace-event-scripting.o
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index d2965dc49bac2..6e8d70ec05bad 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -10,6 +10,7 @@
#include <errno.h>
#include <inttypes.h>
#include <linux/bitops.h>
+#include <api/io.h>
#include <api/fs/fs.h>
#include <api/fs/tracing_path.h>
#include <linux/hw_breakpoint.h>
@@ -50,7 +51,6 @@
#include "off_cpu.h"
#include "pmu.h"
#include "pmus.h"
-#include "tool_pmu.h"
#include "rlimit.h"
#include "../perf-sys.h"
#include "util/parse-branch-options.h"
@@ -71,6 +71,33 @@ struct perf_missing_features perf_missing_features;
static clockid_t clockid;
+static const char *const perf_tool_event__tool_names[PERF_TOOL_MAX] = {
+ NULL,
+ "duration_time",
+ "user_time",
+ "system_time",
+};
+
+const char *perf_tool_event__to_str(enum perf_tool_event ev)
+{
+ if (ev > PERF_TOOL_NONE && ev < PERF_TOOL_MAX)
+ return perf_tool_event__tool_names[ev];
+
+ return NULL;
+}
+
+enum perf_tool_event perf_tool_event__from_str(const char *str)
+{
+ int i;
+
+ perf_tool_event__for_each_event(i) {
+ if (!strcmp(str, perf_tool_event__tool_names[i]))
+ return i;
+ }
+ return PERF_TOOL_NONE;
+}
+
+
static int evsel__no_extra_init(struct evsel *evsel __maybe_unused)
{
return 0;
@@ -395,6 +422,7 @@ struct evsel *evsel__clone(struct evsel *orig)
evsel->core.leader = orig->core.leader;
evsel->max_events = orig->max_events;
+ evsel->tool_event = orig->tool_event;
free((char *)evsel->unit);
evsel->unit = strdup(orig->unit);
if (evsel->unit == NULL)
@@ -592,6 +620,11 @@ static int evsel__sw_name(struct evsel *evsel, char *bf, size_t size)
return r + evsel__add_modifiers(evsel, bf + r, size - r);
}
+static int evsel__tool_name(enum perf_tool_event ev, char *bf, size_t size)
+{
+ return scnprintf(bf, size, "%s", perf_tool_event__to_str(ev));
+}
+
static int __evsel__bp_name(char *bf, size_t size, u64 addr, u64 type)
{
int r;
@@ -742,7 +775,10 @@ const char *evsel__name(struct evsel *evsel)
break;
case PERF_TYPE_SOFTWARE:
- evsel__sw_name(evsel, bf, sizeof(bf));
+ if (evsel__is_tool(evsel))
+ evsel__tool_name(evsel__tool_event(evsel), bf, sizeof(bf));
+ else
+ evsel__sw_name(evsel, bf, sizeof(bf));
break;
case PERF_TYPE_TRACEPOINT:
@@ -753,10 +789,6 @@ const char *evsel__name(struct evsel *evsel)
evsel__bp_name(evsel, bf, sizeof(bf));
break;
- case PERF_PMU_TYPE_TOOL:
- scnprintf(bf, sizeof(bf), "%s", evsel__tool_pmu_event_name(evsel));
- break;
-
default:
scnprintf(bf, sizeof(bf), "unknown attr type: %d",
evsel->core.attr.type);
@@ -782,7 +814,7 @@ const char *evsel__metric_id(const struct evsel *evsel)
return evsel->metric_id;
if (evsel__is_tool(evsel))
- return evsel__tool_pmu_event_name(evsel);
+ return perf_tool_event__to_str(evsel__tool_event(evsel));
return "unknown";
}
@@ -1666,6 +1698,167 @@ static int evsel__read_group(struct evsel *leader, int cpu_map_idx, int thread)
return evsel__process_group_data(leader, cpu_map_idx, thread, data);
}
+static bool read_until_char(struct io *io, char e)
+{
+ int c;
+
+ do {
+ c = io__get_char(io);
+ if (c == -1)
+ return false;
+ } while (c != e);
+ return true;
+}
+
+static int read_stat_field(int fd, struct perf_cpu cpu, int field, __u64 *val)
+{
+ char buf[256];
+ struct io io;
+ int i;
+
+ io__init(&io, fd, buf, sizeof(buf));
+
+ /* Skip lines to relevant CPU. */
+ for (i = -1; i < cpu.cpu; i++) {
+ if (!read_until_char(&io, '\n'))
+ return -EINVAL;
+ }
+ /* Skip to "cpu". */
+ if (io__get_char(&io) != 'c') return -EINVAL;
+ if (io__get_char(&io) != 'p') return -EINVAL;
+ if (io__get_char(&io) != 'u') return -EINVAL;
+
+ /* Skip N of cpuN. */
+ if (!read_until_char(&io, ' '))
+ return -EINVAL;
+
+ i = 1;
+ while (true) {
+ if (io__get_dec(&io, val) != ' ')
+ break;
+ if (field == i)
+ return 0;
+ i++;
+ }
+ return -EINVAL;
+}
+
+static int read_pid_stat_field(int fd, int field, __u64 *val)
+{
+ char buf[256];
+ struct io io;
+ int c, i;
+
+ io__init(&io, fd, buf, sizeof(buf));
+ if (io__get_dec(&io, val) != ' ')
+ return -EINVAL;
+ if (field == 1)
+ return 0;
+
+ /* Skip comm. */
+ if (io__get_char(&io) != '(' || !read_until_char(&io, ')'))
+ return -EINVAL;
+ if (field == 2)
+ return -EINVAL; /* String can't be returned. */
+
+ /* Skip state */
+ if (io__get_char(&io) != ' ' || io__get_char(&io) == -1)
+ return -EINVAL;
+ if (field == 3)
+ return -EINVAL; /* String can't be returned. */
+
+ /* Loop over numeric fields*/
+ if (io__get_char(&io) != ' ')
+ return -EINVAL;
+
+ i = 4;
+ while (true) {
+ c = io__get_dec(&io, val);
+ if (c == -1)
+ return -EINVAL;
+ if (c == -2) {
+ /* Assume a -ve was read */
+ c = io__get_dec(&io, val);
+ *val *= -1;
+ }
+ if (c != ' ')
+ return -EINVAL;
+ if (field == i)
+ return 0;
+ i++;
+ }
+ return -EINVAL;
+}
+
+static int evsel__read_tool(struct evsel *evsel, int cpu_map_idx, int thread)
+{
+ __u64 *start_time, cur_time, delta_start;
+ int fd, err = 0;
+ struct perf_counts_values *count;
+ bool adjust = false;
+
+ count = perf_counts(evsel->counts, cpu_map_idx, thread);
+
+ switch (evsel__tool_event(evsel)) {
+ case PERF_TOOL_DURATION_TIME:
+ /*
+ * Pretend duration_time is only on the first CPU and thread, or
+ * else aggregation will scale duration_time by the number of
+ * CPUs/threads.
+ */
+ start_time = &evsel->start_time;
+ if (cpu_map_idx == 0 && thread == 0)
+ cur_time = rdclock();
+ else
+ cur_time = *start_time;
+ break;
+ case PERF_TOOL_USER_TIME:
+ case PERF_TOOL_SYSTEM_TIME: {
+ bool system = evsel__tool_event(evsel) == PERF_TOOL_SYSTEM_TIME;
+
+ start_time = xyarray__entry(evsel->start_times, cpu_map_idx, thread);
+ fd = FD(evsel, cpu_map_idx, thread);
+ lseek(fd, SEEK_SET, 0);
+ if (evsel->pid_stat) {
+ /* The event exists solely on 1 CPU. */
+ if (cpu_map_idx == 0)
+ err = read_pid_stat_field(fd, system ? 15 : 14, &cur_time);
+ else
+ cur_time = 0;
+ } else {
+ /* The event is for all threads. */
+ if (thread == 0) {
+ struct perf_cpu cpu = perf_cpu_map__cpu(evsel->core.cpus,
+ cpu_map_idx);
+
+ err = read_stat_field(fd, cpu, system ? 3 : 1, &cur_time);
+ } else {
+ cur_time = 0;
+ }
+ }
+ adjust = true;
+ break;
+ }
+ case PERF_TOOL_NONE:
+ case PERF_TOOL_MAX:
+ default:
+ err = -EINVAL;
+ }
+ if (err)
+ return err;
+
+ delta_start = cur_time - *start_time;
+ if (adjust) {
+ __u64 ticks_per_sec = sysconf(_SC_CLK_TCK);
+
+ delta_start *= 1000000000 / ticks_per_sec;
+ }
+ count->val = delta_start;
+ count->ena = count->run = delta_start;
+ count->lost = 0;
+ return 0;
+}
+
bool __evsel__match(const struct evsel *evsel, u32 type, u64 config)
{
@@ -1881,7 +2074,6 @@ static struct perf_thread_map *empty_thread_map;
static int __evsel__prepare_open(struct evsel *evsel, struct perf_cpu_map *cpus,
struct perf_thread_map *threads)
{
- int ret = 0;
int nthreads = perf_thread_map__nr(threads);
if ((perf_missing_features.write_backward && evsel->core.attr.write_backward) ||
@@ -1912,14 +2104,19 @@ static int __evsel__prepare_open(struct evsel *evsel, struct perf_cpu_map *cpus,
perf_evsel__alloc_fd(&evsel->core, perf_cpu_map__nr(cpus), nthreads) < 0)
return -ENOMEM;
- if (evsel__is_tool(evsel))
- ret = evsel__tool_pmu_prepare_open(evsel, cpus, nthreads);
+ if ((evsel__tool_event(evsel) == PERF_TOOL_SYSTEM_TIME ||
+ evsel__tool_event(evsel) == PERF_TOOL_USER_TIME) &&
+ !evsel->start_times) {
+ evsel->start_times = xyarray__new(perf_cpu_map__nr(cpus), nthreads, sizeof(__u64));
+ if (!evsel->start_times)
+ return -ENOMEM;
+ }
evsel->open_flags = PERF_FLAG_FD_CLOEXEC;
if (evsel->cgrp)
evsel->open_flags |= PERF_FLAG_PID_CGROUP;
- return ret;
+ return 0;
}
static void evsel__disable_missing_features(struct evsel *evsel)
@@ -2097,6 +2294,13 @@ static int evsel__open_cpu(struct evsel *evsel, struct perf_cpu_map *cpus,
int pid = -1, err, old_errno;
enum rlimit_action set_rlimit = NO_CHANGE;
+ if (evsel__tool_event(evsel) == PERF_TOOL_DURATION_TIME) {
+ if (evsel->core.attr.sample_period) /* no sampling */
+ return -EINVAL;
+ evsel->start_time = rdclock();
+ return 0;
+ }
+
if (evsel__is_retire_lat(evsel))
return tpebs_start(evsel->evlist);
@@ -2121,12 +2325,6 @@ static int evsel__open_cpu(struct evsel *evsel, struct perf_cpu_map *cpus,
pr_debug3("Opening: %s\n", evsel__name(evsel));
display_attr(&evsel->core.attr);
- if (evsel__is_tool(evsel)) {
- return evsel__tool_pmu_open(evsel, threads,
- start_cpu_map_idx,
- end_cpu_map_idx);
- }
-
for (idx = start_cpu_map_idx; idx < end_cpu_map_idx; idx++) {
for (thread = 0; thread < nthreads; thread++) {
@@ -2138,6 +2336,46 @@ static int evsel__open_cpu(struct evsel *evsel, struct perf_cpu_map *cpus,
if (!evsel->cgrp && !evsel->core.system_wide)
pid = perf_thread_map__pid(threads, thread);
+ if (evsel__tool_event(evsel) == PERF_TOOL_USER_TIME ||
+ evsel__tool_event(evsel) == PERF_TOOL_SYSTEM_TIME) {
+ bool system = evsel__tool_event(evsel) == PERF_TOOL_SYSTEM_TIME;
+ __u64 *start_time = NULL;
+
+ if (evsel->core.attr.sample_period) {
+ /* no sampling */
+ err = -EINVAL;
+ goto out_close;
+ }
+ if (pid > -1) {
+ char buf[64];
+
+ snprintf(buf, sizeof(buf), "/proc/%d/stat", pid);
+ fd = open(buf, O_RDONLY);
+ evsel->pid_stat = true;
+ } else {
+ fd = open("/proc/stat", O_RDONLY);
+ }
+ FD(evsel, idx, thread) = fd;
+ if (fd < 0) {
+ err = -errno;
+ goto out_close;
+ }
+ start_time = xyarray__entry(evsel->start_times, idx, thread);
+ if (pid > -1) {
+ err = read_pid_stat_field(fd, system ? 15 : 14,
+ start_time);
+ } else {
+ struct perf_cpu cpu;
+
+ cpu = perf_cpu_map__cpu(evsel->core.cpus, idx);
+ err = read_stat_field(fd, cpu, system ? 3 : 1,
+ start_time);
+ }
+ if (err)
+ goto out_close;
+ continue;
+ }
+
group_fd = get_group_fd(evsel, idx, thread);
if (group_fd == -2) {
diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h
index b23fa3ca88883..dc0d300776f16 100644
--- a/tools/perf/util/evsel.h
+++ b/tools/perf/util/evsel.h
@@ -11,7 +11,6 @@
#include <perf/evsel.h>
#include "symbol_conf.h"
#include "pmus.h"
-#include "pmu.h"
struct bpf_object;
struct cgroup;
@@ -23,9 +22,25 @@ struct target;
struct hashmap;
struct bperf_leader_bpf;
struct bperf_follower_bpf;
+struct perf_pmu;
typedef int (evsel__sb_cb_t)(union perf_event *event, void *data);
+enum perf_tool_event {
+ PERF_TOOL_NONE = 0,
+ PERF_TOOL_DURATION_TIME = 1,
+ PERF_TOOL_USER_TIME = 2,
+ PERF_TOOL_SYSTEM_TIME = 3,
+
+ PERF_TOOL_MAX,
+};
+
+const char *perf_tool_event__to_str(enum perf_tool_event ev);
+enum perf_tool_event perf_tool_event__from_str(const char *str);
+
+#define perf_tool_event__for_each_event(ev) \
+ for ((ev) = PERF_TOOL_DURATION_TIME; (ev) < PERF_TOOL_MAX; ev++)
+
/** struct evsel - event selector
*
* @evlist - evlist this evsel is in, if it is in one.
@@ -68,6 +83,7 @@ struct evsel {
const char *unit;
struct cgroup *cgrp;
const char *metric_id;
+ enum perf_tool_event tool_event;
/* parse modifier helper */
int exclude_GH;
int sample_read;
@@ -307,11 +323,21 @@ const char *evsel__name(struct evsel *evsel);
bool evsel__name_is(struct evsel *evsel, const char *name);
const char *evsel__metric_id(const struct evsel *evsel);
+static inline bool evsel__is_tool(const struct evsel *evsel)
+{
+ return evsel->tool_event != PERF_TOOL_NONE;
+}
+
static inline bool evsel__is_retire_lat(const struct evsel *evsel)
{
return evsel->retire_lat;
}
+static inline enum perf_tool_event evsel__tool_event(const struct evsel *evsel)
+{
+ return evsel->tool_event;
+}
+
const char *evsel__group_name(struct evsel *evsel);
int evsel__group_desc(struct evsel *evsel, char *buf, size_t size);
diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
index 9181548e88810..4dff3e925a47b 100644
--- a/tools/perf/util/metricgroup.c
+++ b/tools/perf/util/metricgroup.c
@@ -14,7 +14,6 @@
#include "pmus.h"
#include "print-events.h"
#include "smt.h"
-#include "tool_pmu.h"
#include "expr.h"
#include "rblist.h"
#include <string.h>
diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
index ba84a451c70a3..fcc4dab618bee 100644
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -302,6 +302,38 @@ static int add_event(struct list_head *list, int *idx,
alternate_hw_config) ? 0 : -ENOMEM;
}
+static int add_event_tool(struct list_head *list, int *idx,
+ enum perf_tool_event tool_event)
+{
+ struct evsel *evsel;
+ struct perf_event_attr attr = {
+ .type = PERF_TYPE_SOFTWARE,
+ .config = PERF_COUNT_SW_DUMMY,
+ };
+ struct perf_cpu_map *cpu_list = NULL;
+
+ if (tool_event == PERF_TOOL_DURATION_TIME) {
+ /* Duration time is gathered globally, pretend it is only on CPU0. */
+ cpu_list = perf_cpu_map__new("0");
+ }
+ evsel = __add_event(list, idx, &attr, /*init_attr=*/true, /*name=*/NULL,
+ /*metric_id=*/NULL, /*pmu=*/NULL,
+ /*config_terms=*/NULL, /*auto_merge_stats=*/false,
+ cpu_list,
+ /*alternate_hw_config=*/PERF_COUNT_HW_MAX);
+ perf_cpu_map__put(cpu_list);
+ if (!evsel)
+ return -ENOMEM;
+ evsel->tool_event = tool_event;
+ if (tool_event == PERF_TOOL_DURATION_TIME
+ || tool_event == PERF_TOOL_USER_TIME
+ || tool_event == PERF_TOOL_SYSTEM_TIME) {
+ free((char *)evsel->unit);
+ evsel->unit = strdup("ns");
+ }
+ return 0;
+}
+
/**
* parse_aliases - search names for entries beginning or equalling str ignoring
* case. If mutliple entries in names match str then the longest
@@ -1398,6 +1430,13 @@ int parse_events_add_numeric(struct parse_events_state *parse_state,
type, /*extended_type=*/0, config, head_config);
}
+int parse_events_add_tool(struct parse_events_state *parse_state,
+ struct list_head *list,
+ int tool_event)
+{
+ return add_event_tool(list, &parse_state->idx, tool_event);
+}
+
static bool config_term_percore(struct list_head *config_terms)
{
struct evsel_config_term *term;
diff --git a/tools/perf/util/parse-events.h b/tools/perf/util/parse-events.h
index e9f59de2304be..2b52f8d6aa29a 100644
--- a/tools/perf/util/parse-events.h
+++ b/tools/perf/util/parse-events.h
@@ -227,6 +227,9 @@ int parse_events_add_numeric(struct parse_events_state *parse_state,
u32 type, u64 config,
const struct parse_events_terms *head_config,
bool wildcard);
+int parse_events_add_tool(struct parse_events_state *parse_state,
+ struct list_head *list,
+ int tool_event);
int parse_events_add_cache(struct list_head *list, int *idx, const char *name,
struct parse_events_state *parse_state,
struct parse_events_terms *parsed_terms);
diff --git a/tools/perf/util/parse-events.l b/tools/perf/util/parse-events.l
index 14e5bd856a187..5a0bcd7f166ae 100644
--- a/tools/perf/util/parse-events.l
+++ b/tools/perf/util/parse-events.l
@@ -121,6 +121,14 @@ static int sym(yyscan_t scanner, int type, int config)
return type == PERF_TYPE_HARDWARE ? PE_VALUE_SYM_HW : PE_VALUE_SYM_SW;
}
+static int tool(yyscan_t scanner, enum perf_tool_event event)
+{
+ YYSTYPE *yylval = parse_events_get_lval(scanner);
+
+ yylval->num = event;
+ return PE_VALUE_SYM_TOOL;
+}
+
static int term(yyscan_t scanner, enum parse_events__term_type type)
{
YYSTYPE *yylval = parse_events_get_lval(scanner);
@@ -396,6 +404,9 @@ cpu-migrations|migrations { return sym(yyscanner, PERF_TYPE_SOFTWARE, PERF_COU
alignment-faults { return sym(yyscanner, PERF_TYPE_SOFTWARE, PERF_COUNT_SW_ALIGNMENT_FAULTS); }
emulation-faults { return sym(yyscanner, PERF_TYPE_SOFTWARE, PERF_COUNT_SW_EMULATION_FAULTS); }
dummy { return sym(yyscanner, PERF_TYPE_SOFTWARE, PERF_COUNT_SW_DUMMY); }
+duration_time { return tool(yyscanner, PERF_TOOL_DURATION_TIME); }
+user_time { return tool(yyscanner, PERF_TOOL_USER_TIME); }
+system_time { return tool(yyscanner, PERF_TOOL_SYSTEM_TIME); }
bpf-output { return sym(yyscanner, PERF_TYPE_SOFTWARE, PERF_COUNT_SW_BPF_OUTPUT); }
cgroup-switches { return sym(yyscanner, PERF_TYPE_SOFTWARE, PERF_COUNT_SW_CGROUP_SWITCHES); }
diff --git a/tools/perf/util/parse-events.y b/tools/perf/util/parse-events.y
index f888cbb076d67..dcf47fabdfdd7 100644
--- a/tools/perf/util/parse-events.y
+++ b/tools/perf/util/parse-events.y
@@ -56,6 +56,7 @@ static void free_list_evsel(struct list_head* list_evsel)
%token PE_START_EVENTS PE_START_TERMS
%token PE_VALUE PE_VALUE_SYM_HW PE_VALUE_SYM_SW PE_TERM
+%token PE_VALUE_SYM_TOOL
%token PE_EVENT_NAME
%token PE_RAW PE_NAME
%token PE_MODIFIER_EVENT PE_MODIFIER_BP PE_BP_COLON PE_BP_SLASH
@@ -67,6 +68,7 @@ static void free_list_evsel(struct list_head* list_evsel)
%type <num> PE_VALUE
%type <num> PE_VALUE_SYM_HW
%type <num> PE_VALUE_SYM_SW
+%type <num> PE_VALUE_SYM_TOOL
%type <mod> PE_MODIFIER_EVENT
%type <term_type> PE_TERM
%type <num> value_sym
@@ -348,6 +350,20 @@ value_sym sep_slash_slash_dc
PE_ABORT(err);
$$ = list;
}
+|
+PE_VALUE_SYM_TOOL sep_slash_slash_dc
+{
+ struct list_head *list;
+ int err;
+
+ list = alloc_list();
+ if (!list)
+ YYNOMEM;
+ err = parse_events_add_tool(_parse_state, list, $1);
+ if (err)
+ YYNOMEM;
+ $$ = list;
+}
event_legacy_cache:
PE_LEGACY_CACHE opt_event_config
diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
index 15fb144e890f0..8885998c19530 100644
--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
@@ -19,7 +19,6 @@
#include "evsel.h"
#include "pmu.h"
#include "pmus.h"
-#include "tool_pmu.h"
#include <util/pmu-bison.h>
#include <util/pmu-flex.h>
#include "parse-events.h"
@@ -1512,9 +1511,6 @@ int perf_pmu__config(struct perf_pmu *pmu, struct perf_event_attr *attr,
{
bool zero = !!pmu->perf_event_attr_init_default;
- if (perf_pmu__is_tool(pmu))
- return tool_pmu__config_terms(attr, head_terms, err);
-
/* Fake PMU doesn't have proper terms so nothing to configure in attr. */
if (perf_pmu__is_fake(pmu))
return 0;
@@ -1627,8 +1623,8 @@ int perf_pmu__check_alias(struct perf_pmu *pmu, struct parse_events_terms *head_
info->scale = 0.0;
info->snapshot = false;
- /* Tool/fake PMU doesn't rewrite terms. */
- if (perf_pmu__is_tool(pmu) || perf_pmu__is_fake(pmu))
+ /* Fake PMU doesn't rewrite terms. */
+ if (perf_pmu__is_fake(pmu))
goto out;
list_for_each_entry_safe(term, h, &head_terms->terms, list) {
@@ -1798,8 +1794,6 @@ bool perf_pmu__have_event(struct perf_pmu *pmu, const char *name)
{
if (!name)
return false;
- if (perf_pmu__is_tool(pmu))
- return perf_tool_event__from_str(name) != PERF_TOOL_NONE;
if (perf_pmu__find_alias(pmu, name, /*load=*/ true) != NULL)
return true;
if (pmu->cpu_aliases_added || !pmu->events_table)
@@ -1811,9 +1805,6 @@ size_t perf_pmu__num_events(struct perf_pmu *pmu)
{
size_t nr;
- if (perf_pmu__is_tool(pmu))
- return tool_pmu__num_events();
-
pmu_aliases_parse(pmu);
nr = pmu->sysfs_aliases + pmu->sys_json_aliases;
@@ -1875,9 +1866,6 @@ int perf_pmu__for_each_event(struct perf_pmu *pmu, bool skip_duplicate_pmus,
int ret = 0;
struct strbuf sb;
- if (perf_pmu__is_tool(pmu))
- return tool_pmu__for_each_event_cb(pmu, state, cb);
-
strbuf_init(&sb, /*hint=*/ 0);
pmu_aliases_parse(pmu);
pmu_add_cpu_aliases(pmu);
@@ -1966,7 +1954,6 @@ bool perf_pmu__is_software(const struct perf_pmu *pmu)
case PERF_TYPE_HW_CACHE: return false;
case PERF_TYPE_RAW: return false;
case PERF_TYPE_BREAKPOINT: return true;
- case PERF_PMU_TYPE_TOOL: return true;
default: break;
}
for (size_t i = 0; i < ARRAY_SIZE(known_sw_pmus); i++) {
@@ -2294,9 +2281,6 @@ const char *perf_pmu__name_from_config(struct perf_pmu *pmu, u64 config)
if (!pmu)
return NULL;
- if (perf_pmu__is_tool(pmu))
- return perf_tool_event__to_str(config);
-
pmu_aliases_parse(pmu);
pmu_add_cpu_aliases(pmu);
list_for_each_entry(event, &pmu->aliases, list) {
diff --git a/tools/perf/util/pmu.h b/tools/perf/util/pmu.h
index 2dba1cfa20ddd..0222124b86b92 100644
--- a/tools/perf/util/pmu.h
+++ b/tools/perf/util/pmu.h
@@ -37,7 +37,6 @@ struct perf_pmu_caps {
};
enum {
- PERF_PMU_TYPE_TOOL = 0xFFFFFFFE,
PERF_PMU_TYPE_FAKE = 0xFFFFFFFF,
};
@@ -286,7 +285,6 @@ struct perf_pmu *perf_pmu__lookup(struct list_head *pmus, int dirfd, const char
struct perf_pmu *perf_pmu__create_placeholder_core_pmu(struct list_head *core_pmus);
void perf_pmu__delete(struct perf_pmu *pmu);
struct perf_pmu *perf_pmus__find_core_pmu(void);
-
const char *perf_pmu__name_from_config(struct perf_pmu *pmu, u64 config);
#endif /* __PMU_H */
diff --git a/tools/perf/util/pmus.c b/tools/perf/util/pmus.c
index 5af26a08fb915..362596ed27294 100644
--- a/tools/perf/util/pmus.c
+++ b/tools/perf/util/pmus.c
@@ -15,7 +15,6 @@
#include "evsel.h"
#include "pmus.h"
#include "pmu.h"
-#include "tool_pmu.h"
#include "print-events.h"
#include "strbuf.h"
@@ -201,7 +200,6 @@ static void pmu_read_sysfs(bool core_only)
int fd;
DIR *dir;
struct dirent *dent;
- struct perf_pmu *tool_pmu;
if (read_sysfs_all_pmus || (core_only && read_sysfs_core_pmus))
return;
@@ -231,10 +229,6 @@ static void pmu_read_sysfs(bool core_only)
pr_err("Failure to set up any core PMUs\n");
}
list_sort(NULL, &core_pmus, pmus_cmp);
- if (!core_only) {
- tool_pmu = perf_pmus__tool_pmu();
- list_add_tail(&tool_pmu->list, &other_pmus);
- }
list_sort(NULL, &other_pmus, pmus_cmp);
if (!list_empty(&core_pmus)) {
read_sysfs_core_pmus = true;
@@ -590,9 +584,6 @@ void perf_pmus__print_raw_pmu_events(const struct print_callbacks *print_cb, voi
int len = pmu_name_len_no_suffix(pmu->name);
const char *desc = "(see 'man perf-list' or 'man perf-record' on how to encode it)";
- if (perf_pmu__is_tool(pmu))
- continue;
-
if (!pmu->is_core)
desc = NULL;
diff --git a/tools/perf/util/print-events.c b/tools/perf/util/print-events.c
index 83aaf7cda6359..a1c71d9793bd8 100644
--- a/tools/perf/util/print-events.c
+++ b/tools/perf/util/print-events.c
@@ -29,7 +29,6 @@
#include "tracepoint.h"
#include "pfm.h"
#include "thread_map.h"
-#include "tool_pmu.h"
#include "util.h"
#define MAX_NAME_LEN 100
@@ -44,6 +43,21 @@ static const char * const event_type_descriptors[] = {
"Hardware breakpoint",
};
+static const struct event_symbol event_symbols_tool[PERF_TOOL_MAX] = {
+ [PERF_TOOL_DURATION_TIME] = {
+ .symbol = "duration_time",
+ .alias = "",
+ },
+ [PERF_TOOL_USER_TIME] = {
+ .symbol = "user_time",
+ .alias = "",
+ },
+ [PERF_TOOL_SYSTEM_TIME] = {
+ .symbol = "system_time",
+ .alias = "",
+ },
+};
+
/*
* Print the events from <debugfs_mount_point>/tracing/events
*/
@@ -328,6 +342,24 @@ int print_hwcache_events(const struct print_callbacks *print_cb, void *print_sta
return 0;
}
+void print_tool_events(const struct print_callbacks *print_cb, void *print_state)
+{
+ // Start at 1 because the first enum entry means no tool event.
+ for (int i = 1; i < PERF_TOOL_MAX; ++i) {
+ print_cb->print_event(print_state,
+ "tool",
+ /*pmu_name=*/NULL,
+ event_symbols_tool[i].symbol,
+ event_symbols_tool[i].alias,
+ /*scale_unit=*/NULL,
+ /*deprecated=*/false,
+ "Tool event",
+ /*desc=*/NULL,
+ /*long_desc=*/NULL,
+ /*encoding_desc=*/NULL);
+ }
+}
+
void print_symbol_events(const struct print_callbacks *print_cb, void *print_state,
unsigned int type, const struct event_symbol *syms,
unsigned int max)
@@ -391,6 +423,8 @@ void print_events(const struct print_callbacks *print_cb, void *print_state)
print_symbol_events(print_cb, print_state, PERF_TYPE_SOFTWARE,
event_symbols_sw, PERF_COUNT_SW_MAX);
+ print_tool_events(print_cb, print_state);
+
print_hwcache_events(print_cb, print_state);
perf_pmus__print_pmu_events(print_cb, print_state);
diff --git a/tools/perf/util/print-events.h b/tools/perf/util/print-events.h
index 445efa1636c1b..bf4290bef0cd6 100644
--- a/tools/perf/util/print-events.h
+++ b/tools/perf/util/print-events.h
@@ -36,6 +36,7 @@ void print_sdt_events(const struct print_callbacks *print_cb, void *print_state)
void print_symbol_events(const struct print_callbacks *print_cb, void *print_state,
unsigned int type, const struct event_symbol *syms,
unsigned int max);
+void print_tool_events(const struct print_callbacks *print_cb, void *print_state);
void print_tracepoint_events(const struct print_callbacks *print_cb, void *print_state);
bool is_event_supported(u8 type, u64 config);
diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
index a82a8ec79b399..ea96e4ebad8c8 100644
--- a/tools/perf/util/stat-display.c
+++ b/tools/perf/util/stat-display.c
@@ -21,7 +21,6 @@
#include "iostat.h"
#include "pmu.h"
#include "pmus.h"
-#include "tool_pmu.h"
#define CNTR_NOT_SUPPORTED "<not supported>"
#define CNTR_NOT_COUNTED "<not counted>"
@@ -947,10 +946,7 @@ static bool should_skip_zero_counter(struct perf_stat_config *config,
if (config->aggr_mode == AGGR_THREAD && config->system_wide)
return true;
- /*
- * Many tool events are only gathered on the first index, skip other
- * zero values.
- */
+ /* Tool events have the software PMU but are only gathered on 1. */
if (evsel__is_tool(counter))
return true;
diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c
index caffdaa8be9a1..7c49997fab3a3 100644
--- a/tools/perf/util/stat-shadow.c
+++ b/tools/perf/util/stat-shadow.c
@@ -15,7 +15,6 @@
#include <linux/zalloc.h>
#include "iostat.h"
#include "util/hashmap.h"
-#include "tool_pmu.h"
struct stats walltime_nsecs_stats;
struct rusage_stats ru_stats;
diff --git a/tools/perf/util/tool_pmu.c b/tools/perf/util/tool_pmu.c
deleted file mode 100644
index f41fed39d70d8..0000000000000
--- a/tools/perf/util/tool_pmu.c
+++ /dev/null
@@ -1,411 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-#include "cgroup.h"
-#include "counts.h"
-#include "evsel.h"
-#include "pmu.h"
-#include "print-events.h"
-#include "time-utils.h"
-#include "tool_pmu.h"
-#include <api/io.h>
-#include <internal/threadmap.h>
-#include <perf/threadmap.h>
-#include <fcntl.h>
-#include <strings.h>
-
-static const char *const tool_pmu__event_names[PERF_TOOL_MAX] = {
- NULL,
- "duration_time",
- "user_time",
- "system_time",
-};
-
-
-const char *perf_tool_event__to_str(enum perf_tool_event ev)
-{
- if (ev > PERF_TOOL_NONE && ev < PERF_TOOL_MAX)
- return tool_pmu__event_names[ev];
-
- return NULL;
-}
-
-enum perf_tool_event perf_tool_event__from_str(const char *str)
-{
- int i;
-
- perf_tool_event__for_each_event(i) {
- if (!strcasecmp(str, tool_pmu__event_names[i]))
- return i;
- }
- return PERF_TOOL_NONE;
-}
-
-static int tool_pmu__config_term(struct perf_event_attr *attr,
- struct parse_events_term *term,
- struct parse_events_error *err)
-{
- if (term->type_term == PARSE_EVENTS__TERM_TYPE_USER) {
- enum perf_tool_event ev = perf_tool_event__from_str(term->config);
-
- if (ev == PERF_TOOL_NONE)
- goto err_out;
-
- attr->config = ev;
- return 0;
- }
-err_out:
- if (err) {
- char *err_str;
-
- parse_events_error__handle(err, term->err_val,
- asprintf(&err_str,
- "unexpected tool event term (%s) %s",
- parse_events__term_type_str(term->type_term),
- term->config) < 0
- ? strdup("unexpected tool event term")
- : err_str,
- NULL);
- }
- return -EINVAL;
-}
-
-int tool_pmu__config_terms(struct perf_event_attr *attr,
- struct parse_events_terms *terms,
- struct parse_events_error *err)
-{
- struct parse_events_term *term;
-
- list_for_each_entry(term, &terms->terms, list) {
- if (tool_pmu__config_term(attr, term, err))
- return -EINVAL;
- }
-
- return 0;
-
-}
-
-int tool_pmu__for_each_event_cb(struct perf_pmu *pmu, void *state, pmu_event_callback cb)
-{
- struct pmu_event_info info = {
- .pmu = pmu,
- .event_type_desc = "Tool event",
- };
- int i;
-
- perf_tool_event__for_each_event(i) {
- int ret;
-
- info.name = perf_tool_event__to_str(i);
- info.alias = NULL;
- info.scale_unit = NULL;
- info.desc = NULL;
- info.long_desc = NULL;
- info.encoding_desc = NULL;
- info.topic = NULL;
- info.pmu_name = pmu->name;
- info.deprecated = false;
- ret = cb(state, &info);
- if (ret)
- return ret;
- }
- return 0;
-}
-
-bool perf_pmu__is_tool(const struct perf_pmu *pmu)
-{
- return pmu && pmu->type == PERF_PMU_TYPE_TOOL;
-}
-
-bool evsel__is_tool(const struct evsel *evsel)
-{
- return perf_pmu__is_tool(evsel->pmu);
-}
-
-enum perf_tool_event evsel__tool_event(const struct evsel *evsel)
-{
- if (!evsel__is_tool(evsel))
- return PERF_TOOL_NONE;
-
- return (enum perf_tool_event)evsel->core.attr.config;
-}
-
-const char *evsel__tool_pmu_event_name(const struct evsel *evsel)
-{
- return perf_tool_event__to_str(evsel->core.attr.config);
-}
-
-static bool read_until_char(struct io *io, char e)
-{
- int c;
-
- do {
- c = io__get_char(io);
- if (c == -1)
- return false;
- } while (c != e);
- return true;
-}
-
-static int read_stat_field(int fd, struct perf_cpu cpu, int field, __u64 *val)
-{
- char buf[256];
- struct io io;
- int i;
-
- io__init(&io, fd, buf, sizeof(buf));
-
- /* Skip lines to relevant CPU. */
- for (i = -1; i < cpu.cpu; i++) {
- if (!read_until_char(&io, '\n'))
- return -EINVAL;
- }
- /* Skip to "cpu". */
- if (io__get_char(&io) != 'c') return -EINVAL;
- if (io__get_char(&io) != 'p') return -EINVAL;
- if (io__get_char(&io) != 'u') return -EINVAL;
-
- /* Skip N of cpuN. */
- if (!read_until_char(&io, ' '))
- return -EINVAL;
-
- i = 1;
- while (true) {
- if (io__get_dec(&io, val) != ' ')
- break;
- if (field == i)
- return 0;
- i++;
- }
- return -EINVAL;
-}
-
-static int read_pid_stat_field(int fd, int field, __u64 *val)
-{
- char buf[256];
- struct io io;
- int c, i;
-
- io__init(&io, fd, buf, sizeof(buf));
- if (io__get_dec(&io, val) != ' ')
- return -EINVAL;
- if (field == 1)
- return 0;
-
- /* Skip comm. */
- if (io__get_char(&io) != '(' || !read_until_char(&io, ')'))
- return -EINVAL;
- if (field == 2)
- return -EINVAL; /* String can't be returned. */
-
- /* Skip state */
- if (io__get_char(&io) != ' ' || io__get_char(&io) == -1)
- return -EINVAL;
- if (field == 3)
- return -EINVAL; /* String can't be returned. */
-
- /* Loop over numeric fields*/
- if (io__get_char(&io) != ' ')
- return -EINVAL;
-
- i = 4;
- while (true) {
- c = io__get_dec(&io, val);
- if (c == -1)
- return -EINVAL;
- if (c == -2) {
- /* Assume a -ve was read */
- c = io__get_dec(&io, val);
- *val *= -1;
- }
- if (c != ' ')
- return -EINVAL;
- if (field == i)
- return 0;
- i++;
- }
- return -EINVAL;
-}
-
-int evsel__tool_pmu_prepare_open(struct evsel *evsel,
- struct perf_cpu_map *cpus,
- int nthreads)
-{
- if ((evsel__tool_event(evsel) == PERF_TOOL_SYSTEM_TIME ||
- evsel__tool_event(evsel) == PERF_TOOL_USER_TIME) &&
- !evsel->start_times) {
- evsel->start_times = xyarray__new(perf_cpu_map__nr(cpus),
- nthreads,
- sizeof(__u64));
- if (!evsel->start_times)
- return -ENOMEM;
- }
- return 0;
-}
-
-#define FD(e, x, y) (*(int *)xyarray__entry(e->core.fd, x, y))
-
-int evsel__tool_pmu_open(struct evsel *evsel,
- struct perf_thread_map *threads,
- int start_cpu_map_idx, int end_cpu_map_idx)
-{
- enum perf_tool_event ev = evsel__tool_event(evsel);
- int pid = -1, idx = 0, thread = 0, nthreads, err = 0, old_errno;
-
- if (ev == PERF_TOOL_DURATION_TIME) {
- if (evsel->core.attr.sample_period) /* no sampling */
- return -EINVAL;
- evsel->start_time = rdclock();
- return 0;
- }
-
- if (evsel->cgrp)
- pid = evsel->cgrp->fd;
-
- nthreads = perf_thread_map__nr(threads);
- for (idx = start_cpu_map_idx; idx < end_cpu_map_idx; idx++) {
- for (thread = 0; thread < nthreads; thread++) {
- if (thread >= nthreads)
- break;
-
- if (!evsel->cgrp && !evsel->core.system_wide)
- pid = perf_thread_map__pid(threads, thread);
-
- if (ev == PERF_TOOL_USER_TIME || ev == PERF_TOOL_SYSTEM_TIME) {
- bool system = ev == PERF_TOOL_SYSTEM_TIME;
- __u64 *start_time = NULL;
- int fd;
-
- if (evsel->core.attr.sample_period) {
- /* no sampling */
- err = -EINVAL;
- goto out_close;
- }
- if (pid > -1) {
- char buf[64];
-
- snprintf(buf, sizeof(buf), "/proc/%d/stat", pid);
- fd = open(buf, O_RDONLY);
- evsel->pid_stat = true;
- } else {
- fd = open("/proc/stat", O_RDONLY);
- }
- FD(evsel, idx, thread) = fd;
- if (fd < 0) {
- err = -errno;
- goto out_close;
- }
- start_time = xyarray__entry(evsel->start_times, idx, thread);
- if (pid > -1) {
- err = read_pid_stat_field(fd, system ? 15 : 14,
- start_time);
- } else {
- struct perf_cpu cpu;
-
- cpu = perf_cpu_map__cpu(evsel->core.cpus, idx);
- err = read_stat_field(fd, cpu, system ? 3 : 1,
- start_time);
- }
- if (err)
- goto out_close;
- }
-
- }
- }
- return 0;
-out_close:
- if (err)
- threads->err_thread = thread;
-
- old_errno = errno;
- do {
- while (--thread >= 0) {
- if (FD(evsel, idx, thread) >= 0)
- close(FD(evsel, idx, thread));
- FD(evsel, idx, thread) = -1;
- }
- thread = nthreads;
- } while (--idx >= 0);
- errno = old_errno;
- return err;
-}
-
-int evsel__read_tool(struct evsel *evsel, int cpu_map_idx, int thread)
-{
- __u64 *start_time, cur_time, delta_start;
- int fd, err = 0;
- struct perf_counts_values *count;
- bool adjust = false;
-
- count = perf_counts(evsel->counts, cpu_map_idx, thread);
-
- switch (evsel__tool_event(evsel)) {
- case PERF_TOOL_DURATION_TIME:
- /*
- * Pretend duration_time is only on the first CPU and thread, or
- * else aggregation will scale duration_time by the number of
- * CPUs/threads.
- */
- start_time = &evsel->start_time;
- if (cpu_map_idx == 0 && thread == 0)
- cur_time = rdclock();
- else
- cur_time = *start_time;
- break;
- case PERF_TOOL_USER_TIME:
- case PERF_TOOL_SYSTEM_TIME: {
- bool system = evsel__tool_event(evsel) == PERF_TOOL_SYSTEM_TIME;
-
- start_time = xyarray__entry(evsel->start_times, cpu_map_idx, thread);
- fd = FD(evsel, cpu_map_idx, thread);
- lseek(fd, SEEK_SET, 0);
- if (evsel->pid_stat) {
- /* The event exists solely on 1 CPU. */
- if (cpu_map_idx == 0)
- err = read_pid_stat_field(fd, system ? 15 : 14, &cur_time);
- else
- cur_time = 0;
- } else {
- /* The event is for all threads. */
- if (thread == 0) {
- struct perf_cpu cpu = perf_cpu_map__cpu(evsel->core.cpus,
- cpu_map_idx);
-
- err = read_stat_field(fd, cpu, system ? 3 : 1, &cur_time);
- } else {
- cur_time = 0;
- }
- }
- adjust = true;
- break;
- }
- case PERF_TOOL_NONE:
- case PERF_TOOL_MAX:
- default:
- err = -EINVAL;
- }
- if (err)
- return err;
-
- delta_start = cur_time - *start_time;
- if (adjust) {
- __u64 ticks_per_sec = sysconf(_SC_CLK_TCK);
-
- delta_start *= 1000000000 / ticks_per_sec;
- }
- count->val = delta_start;
- count->ena = count->run = delta_start;
- count->lost = 0;
- return 0;
-}
-
-struct perf_pmu *perf_pmus__tool_pmu(void)
-{
- static struct perf_pmu tool = {
- .name = "tool",
- .type = PERF_PMU_TYPE_TOOL,
- .aliases = LIST_HEAD_INIT(tool.aliases),
- .caps = LIST_HEAD_INIT(tool.caps),
- .format = LIST_HEAD_INIT(tool.format),
- };
-
- return &tool;
-}
diff --git a/tools/perf/util/tool_pmu.h b/tools/perf/util/tool_pmu.h
deleted file mode 100644
index 05a4052c8b9d8..0000000000000
--- a/tools/perf/util/tool_pmu.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef __TOOL_PMU_H
-#define __TOOL_PMU_H
-
-#include "pmu.h"
-
-struct evsel;
-struct perf_thread_map;
-struct print_callbacks;
-
-enum perf_tool_event {
- PERF_TOOL_NONE = 0,
- PERF_TOOL_DURATION_TIME = 1,
- PERF_TOOL_USER_TIME = 2,
- PERF_TOOL_SYSTEM_TIME = 3,
-
- PERF_TOOL_MAX,
-};
-
-#define perf_tool_event__for_each_event(ev) \
- for ((ev) = PERF_TOOL_DURATION_TIME; (ev) < PERF_TOOL_MAX; ev++)
-
-static inline size_t tool_pmu__num_events(void)
-{
- return PERF_TOOL_MAX - 1;
-}
-
-const char *perf_tool_event__to_str(enum perf_tool_event ev);
-enum perf_tool_event perf_tool_event__from_str(const char *str);
-int tool_pmu__config_terms(struct perf_event_attr *attr,
- struct parse_events_terms *terms,
- struct parse_events_error *err);
-int tool_pmu__for_each_event_cb(struct perf_pmu *pmu, void *state, pmu_event_callback cb);
-
-bool perf_pmu__is_tool(const struct perf_pmu *pmu);
-
-
-bool evsel__is_tool(const struct evsel *evsel);
-enum perf_tool_event evsel__tool_event(const struct evsel *evsel);
-const char *evsel__tool_pmu_event_name(const struct evsel *evsel);
-int evsel__tool_pmu_prepare_open(struct evsel *evsel,
- struct perf_cpu_map *cpus,
- int nthreads);
-int evsel__tool_pmu_open(struct evsel *evsel,
- struct perf_thread_map *threads,
- int start_cpu_map_idx, int end_cpu_map_idx);
-int evsel__read_tool(struct evsel *evsel, int cpu_map_idx, int thread);
-
-struct perf_pmu *perf_pmus__tool_pmu(void);
-
-#endif /* __TOOL_PMU_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 012/272] bridge: mrp: reject zero test interval to avoid OOM panic
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 011/272] Revert "perf tool_pmu: Factor tool events into their own PMU" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 013/272] spi: spi-dw-dma: fix print error log when wait finish transaction Greg Kroah-Hartman
` (266 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
Nikolay Aleksandrov, Ido Schimmel, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit fa6e24963342de4370e3a3c9af41e38277b74cf3 ]
br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied
interval value from netlink without validation. When interval is 0,
usecs_to_jiffies(0) yields 0, causing the delayed work
(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule
itself with zero delay. This creates a tight loop on system_percpu_wq
that allocates and transmits MRP test frames at maximum rate, exhausting
all system memory and causing a kernel panic via OOM deadlock.
The same zero-interval issue applies to br_mrp_start_in_test_parse()
for interconnect test frames.
Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both
IFLA_BRIDGE_MRP_START_TEST_INTERVAL and
IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the
netlink attribute parsing layer before the value ever reaches the
workqueue scheduling code. This is consistent with how other bridge
subsystems (br_fdb, br_mst) enforce range constraints on netlink
attributes.
Fixes: 20f6a05ef635 ("bridge: mrp: Rework the MRP netlink interface")
Fixes: 7ab1748e4ce6 ("bridge: mrp: Extend MRP netlink interface for configuring MRP interconnect")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260328063000.1845376-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_mrp_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c
index ce6f63c77cc0a..86f0e75d6e345 100644
--- a/net/bridge/br_mrp_netlink.c
+++ b/net/bridge/br_mrp_netlink.c
@@ -196,7 +196,7 @@ static const struct nla_policy
br_mrp_start_test_policy[IFLA_BRIDGE_MRP_START_TEST_MAX + 1] = {
[IFLA_BRIDGE_MRP_START_TEST_UNSPEC] = { .type = NLA_REJECT },
[IFLA_BRIDGE_MRP_START_TEST_RING_ID] = { .type = NLA_U32 },
- [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1),
[IFLA_BRIDGE_MRP_START_TEST_MAX_MISS] = { .type = NLA_U32 },
[IFLA_BRIDGE_MRP_START_TEST_PERIOD] = { .type = NLA_U32 },
[IFLA_BRIDGE_MRP_START_TEST_MONITOR] = { .type = NLA_U32 },
@@ -316,7 +316,7 @@ static const struct nla_policy
br_mrp_start_in_test_policy[IFLA_BRIDGE_MRP_START_IN_TEST_MAX + 1] = {
[IFLA_BRIDGE_MRP_START_IN_TEST_UNSPEC] = { .type = NLA_REJECT },
[IFLA_BRIDGE_MRP_START_IN_TEST_IN_ID] = { .type = NLA_U32 },
- [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1),
[IFLA_BRIDGE_MRP_START_IN_TEST_MAX_MISS] = { .type = NLA_U32 },
[IFLA_BRIDGE_MRP_START_IN_TEST_PERIOD] = { .type = NLA_U32 },
};
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 013/272] spi: spi-dw-dma: fix print error log when wait finish transaction
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 012/272] bridge: mrp: reject zero test interval to avoid OOM panic Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 014/272] Revert "x86/vdso: Fix output operand size of RDPID" Greg Kroah-Hartman
` (265 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Yakovlev, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Yakovlev <vovchkir@gmail.com>
[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ]
If an error occurs, the device may not have a current message. In this
case, the system will crash.
In this case, it's better to use dev from the struct ctlr (struct spi_controller*).
Signed-off-by: Vladimir Yakovlev <vovchkir@gmail.com>
Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-dw-dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
index f4c209e5f52ba..4104e1bc2d5bd 100644
--- a/drivers/spi/spi-dw-dma.c
+++ b/drivers/spi/spi-dw-dma.c
@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed)
msecs_to_jiffies(ms));
if (ms == 0) {
- dev_err(&dws->host->cur_msg->spi->dev,
+ dev_err(&dws->host->dev,
"DMA transaction timed out\n");
return -ETIMEDOUT;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 014/272] Revert "x86/vdso: Fix output operand size of RDPID"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 013/272] spi: spi-dw-dma: fix print error log when wait finish transaction Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 015/272] sched/deadline: Less agressive dl_server handling Greg Kroah-Hartman
` (264 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit d607e6b349b014df1d2d0399f6667322626450e0.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/segment.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
index 00cefbb59fa98..9d6411c659205 100644
--- a/arch/x86/include/asm/segment.h
+++ b/arch/x86/include/asm/segment.h
@@ -244,7 +244,7 @@ static inline unsigned long vdso_encode_cpunode(int cpu, unsigned long node)
static inline void vdso_read_cpunode(unsigned *cpu, unsigned *node)
{
- unsigned long p;
+ unsigned int p;
/*
* Load CPU and node number from the GDT. LSL is faster than RDTSCP
@@ -254,10 +254,10 @@ static inline void vdso_read_cpunode(unsigned *cpu, unsigned *node)
*
* If RDPID is available, use it.
*/
- alternative_io ("lsl %[seg],%k[p]",
- "rdpid %[p]",
+ alternative_io ("lsl %[seg],%[p]",
+ ".byte 0xf3,0x0f,0xc7,0xf8", /* RDPID %eax/rax */
X86_FEATURE_RDPID,
- [p] "=r" (p), [seg] "r" (__CPUNODE_SEG));
+ [p] "=a" (p), [seg] "r" (__CPUNODE_SEG));
if (cpu)
*cpu = (p & VDSO_CPUNODE_MASK);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 015/272] sched/deadline: Less agressive dl_server handling
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 014/272] Revert "x86/vdso: Fix output operand size of RDPID" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 016/272] sched/deadline: Fix dl_server_stopped() Greg Kroah-Hartman
` (263 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Peter Zijlstra (Intel),
Juri Lelli, Lukas Beckmann, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit cccb45d7c4295bbfeba616582d0249f2d21e6df5 upstream.
Chris reported that commit 5f6bd380c7bd ("sched/rt: Remove default
bandwidth control") caused a significant dip in his favourite
benchmark of the day. Simply disabling dl_server cured things.
His workload hammers the 0->1, 1->0 transitions, and the
dl_server_{start,stop}() overhead kills it -- fairly obviously a bad
idea in hind sight and all that.
Change things around to only disable the dl_server when there has not
been a fair task around for a whole period. Since the default period
is 1 second, this ensures the benchmark never trips this, overhead
gone.
Fixes: 557a6bfc662c ("sched/fair: Add trivial fair server")
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Acked-by: Juri Lelli <juri.lelli@redhat.com>
Link: https://lkml.kernel.org/r/20250702121158.465086194@infradead.org
[ adjust context for renamed/removed variable names ]
Signed-off-by: Lukas Beckmann <lbckmnn@mailbox.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched.h | 1 +
kernel/sched/deadline.c | 25 ++++++++++++++++++++++---
kernel/sched/fair.c | 9 ---------
3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 2e4c437c7c902..299a65a92d2e6 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -674,6 +674,7 @@ struct sched_dl_entity {
unsigned int dl_defer : 1;
unsigned int dl_defer_armed : 1;
unsigned int dl_defer_running : 1;
+ unsigned int dl_server_idle : 1;
/*
* Bandwidth enforcement timer. Each -deadline task has its
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 1ef891f8e3f2f..9c5fa95b345a5 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1201,6 +1201,8 @@ static void __push_dl_task(struct rq *rq, struct rq_flags *rf)
/* a defer timer will not be reset if the runtime consumed was < dl_server_min_res */
static const u64 dl_server_min_res = 1 * NSEC_PER_MSEC;
+static bool dl_server_stopped(struct sched_dl_entity *dl_se);
+
static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_dl_entity *dl_se)
{
struct rq *rq = rq_of_dl_se(dl_se);
@@ -1220,6 +1222,7 @@ static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_
if (!dl_se->server_has_tasks(dl_se)) {
replenish_dl_entity(dl_se);
+ dl_server_stopped(dl_se);
return HRTIMER_NORESTART;
}
@@ -1626,8 +1629,10 @@ void dl_server_update_idle_time(struct rq *rq, struct task_struct *p)
void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec)
{
/* 0 runtime = fair server disabled */
- if (dl_se->dl_runtime)
+ if (dl_se->dl_runtime) {
+ dl_se->dl_server_idle = 0;
update_curr_dl_se(dl_se->rq, dl_se, delta_exec);
+ }
}
/*
@@ -1850,7 +1855,7 @@ void dl_server_start(struct sched_dl_entity *dl_se)
setup_new_dl_entity(dl_se);
}
- if (!dl_se->dl_runtime)
+ if (!dl_se->dl_runtime || dl_se->dl_server_active)
return;
dl_se->dl_server_active = 1;
@@ -1871,6 +1876,20 @@ void dl_server_stop(struct sched_dl_entity *dl_se)
dl_se->dl_server_active = 0;
}
+static bool dl_server_stopped(struct sched_dl_entity *dl_se)
+{
+ if (!dl_se->dl_server_active)
+ return false;
+
+ if (dl_se->dl_server_idle) {
+ dl_server_stop(dl_se);
+ return true;
+ }
+
+ dl_se->dl_server_idle = 1;
+ return false;
+}
+
void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
dl_server_has_tasks_f has_tasks,
dl_server_pick_f pick_task)
@@ -2628,7 +2647,7 @@ static struct task_struct *__pick_task_dl(struct rq *rq)
if (dl_server(dl_se)) {
p = dl_se->server_pick_task(dl_se);
if (!p) {
- if (dl_server_active(dl_se)) {
+ if (!dl_server_stopped(dl_se)) {
dl_se->dl_yielded = 1;
update_curr_dl_se(rq, dl_se, 0);
}
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index a0a47e50b71ca..d26e078d0623f 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -5972,7 +5972,6 @@ static bool throttle_cfs_rq(struct cfs_rq *cfs_rq)
struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(cfs_rq->tg);
struct sched_entity *se;
long queued_delta, runnable_delta, idle_task_delta, delayed_delta, dequeue = 1;
- long rq_h_nr_queued = rq->cfs.h_nr_queued;
raw_spin_lock(&cfs_b->lock);
/* This will start the period timer if necessary */
@@ -6059,10 +6058,6 @@ static bool throttle_cfs_rq(struct cfs_rq *cfs_rq)
/* At this point se is NULL and we are at root level*/
sub_nr_running(rq, queued_delta);
-
- /* Stop the fair server if throttling resulted in no runnable tasks */
- if (rq_h_nr_queued && !rq->cfs.h_nr_queued)
- dl_server_stop(&rq->fair_server);
done:
/*
* Note: distribution will already see us throttled via the
@@ -7162,7 +7157,6 @@ static void set_next_buddy(struct sched_entity *se);
static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags)
{
bool was_sched_idle = sched_idle_rq(rq);
- int rq_h_nr_queued = rq->cfs.h_nr_queued;
bool task_sleep = flags & DEQUEUE_SLEEP;
bool task_delayed = flags & DEQUEUE_DELAYED;
struct task_struct *p = NULL;
@@ -7251,9 +7245,6 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags)
sub_nr_running(rq, h_nr_queued);
- if (rq_h_nr_queued && !rq->cfs.h_nr_queued)
- dl_server_stop(&rq->fair_server);
-
/* balance early to pull high priority tasks */
if (unlikely(!was_sched_idle && sched_idle_rq(rq)))
rq->next_balance = jiffies;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 016/272] sched/deadline: Fix dl_server_stopped()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 015/272] sched/deadline: Less agressive dl_server handling Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 017/272] sched/deadline: Always stop dl-server before changing parameters Greg Kroah-Hartman
` (262 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huacai Chen, Peter Zijlstra (Intel),
Lukas Beckmann, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 4717432dfd99bbd015b6782adca216c6f9340038 upstream.
Commit cccb45d7c429 ("sched/deadline: Less agressive dl_server handling")
introduces dl_server_stopped(). But it is obvious that dl_server_stopped()
should return true if dl_se->dl_server_active is 0.
Fixes: cccb45d7c429 ("sched/deadline: Less agressive dl_server handling")
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250809130419.1980742-1-chenhuacai@loongson.cn
Signed-off-by: Lukas Beckmann <lbckmnn@mailbox.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/deadline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 9c5fa95b345a5..6ff9055a69811 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1879,7 +1879,7 @@ void dl_server_stop(struct sched_dl_entity *dl_se)
static bool dl_server_stopped(struct sched_dl_entity *dl_se)
{
if (!dl_se->dl_server_active)
- return false;
+ return true;
if (dl_se->dl_server_idle) {
dl_server_stop(dl_se);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 017/272] sched/deadline: Always stop dl-server before changing parameters
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 016/272] sched/deadline: Fix dl_server_stopped() Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 018/272] sched/deadline: Fix dl_server getting stuck Greg Kroah-Hartman
` (261 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuri Andriaccio, Juri Lelli,
Peter Zijlstra (Intel), Valentin Schneider, Lukas Beckmann,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juri Lelli <juri.lelli@redhat.com>
commit bb4700adc3abec34c0a38b64f66258e4e233fc16 upstream.
Commit cccb45d7c4295 ("sched/deadline: Less agressive dl_server
handling") reduced dl-server overhead by delaying disabling servers only
after there are no fair task around for a whole period, which means that
deadline entities are not dequeued right away on a server stop event.
However, the delay opens up a window in which a request for changing
server parameters can break per-runqueue running_bw tracking, as
reported by Yuri.
Close the problematic window by unconditionally calling dl_server_stop()
before applying the new parameters (ensuring deadline entities go
through an actual dequeue).
Fixes: cccb45d7c4295 ("sched/deadline: Less agressive dl_server handling")
Reported-by: Yuri Andriaccio <yurand2000@gmail.com>
Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Valentin Schneider <vschneid@redhat.com>
Link: https://lore.kernel.org/r/20250721-upstream-fix-dlserver-lessaggressive-b4-v1-1-4ebc10c87e40@redhat.com
Signed-off-by: Lukas Beckmann <lbckmnn@mailbox.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/debug.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c
index 7d14e9fa53ac3..564ea17ae405e 100644
--- a/kernel/sched/debug.c
+++ b/kernel/sched/debug.c
@@ -378,10 +378,8 @@ static ssize_t sched_fair_server_write(struct file *filp, const char __user *ubu
return -EINVAL;
}
- if (rq->cfs.h_nr_queued) {
- update_rq_clock(rq);
- dl_server_stop(&rq->fair_server);
- }
+ update_rq_clock(rq);
+ dl_server_stop(&rq->fair_server);
retval = dl_server_apply_params(&rq->fair_server, runtime, period, 0);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 018/272] sched/deadline: Fix dl_server getting stuck
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 017/272] sched/deadline: Always stop dl-server before changing parameters Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 019/272] sched/deadline: Fix dl_server behaviour Greg Kroah-Hartman
` (260 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Stultz, Peter Zijlstra (Intel),
Lukas Beckmann, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 4ae8d9aa9f9dc7137ea5e564d79c5aa5af1bc45c upstream.
John found it was easy to hit lockup warnings when running locktorture
on a 2 CPU VM, which he bisected down to: commit cccb45d7c429
("sched/deadline: Less agressive dl_server handling").
While debugging it seems there is a chance where we end up with the
dl_server dequeued, with dl_se->dl_server_active. This causes
dl_server_start() to return without enqueueing the dl_server, thus it
fails to run when RT tasks starve the cpu.
When this happens, dl_server_timer() catches the
'!dl_se->server_has_tasks(dl_se)' case, which then calls
replenish_dl_entity() and dl_server_stopped() and finally return
HRTIMER_NO_RESTART.
This ends in no new timer and also no enqueue, leaving the dl_server
'dead', allowing starvation.
What should have happened is for the bandwidth timer to start the
zero-laxity timer, which in turn would enqueue the dl_server and cause
dl_se->server_pick_task() to be called -- which will stop the
dl_server if no fair tasks are observed for a whole period.
IOW, it is totally irrelevant if there are fair tasks at the moment of
bandwidth refresh.
This removes all dl_se->server_has_tasks() users, so remove the whole
thing.
Fixes: cccb45d7c4295 ("sched/deadline: Less agressive dl_server handling")
Reported-by: John Stultz <jstultz@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: John Stultz <jstultz@google.com>
[ adjust renamed variable in fair_server_has_tasks (which this patch
removes) ]
Signed-off-by: Lukas Beckmann <lbckmnn@mailbox.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched.h | 1 -
kernel/sched/deadline.c | 12 +-----------
kernel/sched/fair.c | 7 +------
kernel/sched/sched.h | 4 ----
4 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 299a65a92d2e6..464d281aa2e49 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -701,7 +701,6 @@ struct sched_dl_entity {
* runnable task.
*/
struct rq *rq;
- dl_server_has_tasks_f server_has_tasks;
dl_server_pick_f server_pick_task;
#ifdef CONFIG_RT_MUTEXES
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 6ff9055a69811..609783d7de290 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -916,7 +916,7 @@ static void replenish_dl_entity(struct sched_dl_entity *dl_se)
*/
if (dl_se->dl_defer && !dl_se->dl_defer_running &&
dl_time_before(rq_clock(dl_se->rq), dl_se->deadline - dl_se->runtime)) {
- if (!is_dl_boosted(dl_se) && dl_se->server_has_tasks(dl_se)) {
+ if (!is_dl_boosted(dl_se)) {
/*
* Set dl_se->dl_defer_armed and dl_throttled variables to
@@ -1201,8 +1201,6 @@ static void __push_dl_task(struct rq *rq, struct rq_flags *rf)
/* a defer timer will not be reset if the runtime consumed was < dl_server_min_res */
static const u64 dl_server_min_res = 1 * NSEC_PER_MSEC;
-static bool dl_server_stopped(struct sched_dl_entity *dl_se);
-
static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_dl_entity *dl_se)
{
struct rq *rq = rq_of_dl_se(dl_se);
@@ -1220,12 +1218,6 @@ static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_
if (!dl_se->dl_runtime)
return HRTIMER_NORESTART;
- if (!dl_se->server_has_tasks(dl_se)) {
- replenish_dl_entity(dl_se);
- dl_server_stopped(dl_se);
- return HRTIMER_NORESTART;
- }
-
if (dl_se->dl_defer_armed) {
/*
* First check if the server could consume runtime in background.
@@ -1891,11 +1883,9 @@ static bool dl_server_stopped(struct sched_dl_entity *dl_se)
}
void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
- dl_server_has_tasks_f has_tasks,
dl_server_pick_f pick_task)
{
dl_se->rq = rq;
- dl_se->server_has_tasks = has_tasks;
dl_se->server_pick_task = pick_task;
}
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index d26e078d0623f..f36512892adf9 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -9058,11 +9058,6 @@ static struct task_struct *__pick_next_task_fair(struct rq *rq, struct task_stru
return pick_next_task_fair(rq, prev, NULL);
}
-static bool fair_server_has_tasks(struct sched_dl_entity *dl_se)
-{
- return !!dl_se->rq->cfs.nr_running;
-}
-
static struct task_struct *fair_server_pick_task(struct sched_dl_entity *dl_se)
{
return pick_task_fair(dl_se->rq);
@@ -9074,7 +9069,7 @@ void fair_server_init(struct rq *rq)
init_dl_entity(dl_se);
- dl_server_init(dl_se, rq, fair_server_has_tasks, fair_server_pick_task);
+ dl_server_init(dl_se, rq, fair_server_pick_task);
}
/*
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index a09e2d25edd57..9391ff62cdaaa 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -371,9 +371,6 @@ extern s64 dl_scaled_delta_exec(struct rq *rq, struct sched_dl_entity *dl_se, s6
*
* dl_se::rq -- runqueue we belong to.
*
- * dl_se::server_has_tasks() -- used on bandwidth enforcement; we 'stop' the
- * server when it runs out of tasks to run.
- *
* dl_se::server_pick() -- nested pick_next_task(); we yield the period if this
* returns NULL.
*
@@ -389,7 +386,6 @@ extern void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec);
extern void dl_server_start(struct sched_dl_entity *dl_se);
extern void dl_server_stop(struct sched_dl_entity *dl_se);
extern void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
- dl_server_has_tasks_f has_tasks,
dl_server_pick_f pick_task);
extern void dl_server_update_idle_time(struct rq *rq,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 019/272] sched/deadline: Fix dl_server behaviour
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 018/272] sched/deadline: Fix dl_server getting stuck Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 020/272] sched/deadline: Stop dl_server before CPU goes offline Greg Kroah-Hartman
` (259 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Stultz, Peter Zijlstra (Intel),
Lukas Beckmann, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit a3a70caf7906708bf9bbc80018752a6b36543808 upstream.
John reported undesirable behaviour with the dl_server since commit:
cccb45d7c4295 ("sched/deadline: Less agressive dl_server handling").
When starving fair tasks on purpose (starting spinning FIFO tasks),
his fair workload, which often goes (briefly) idle, would delay fair
invocations for a second, running one invocation per second was both
unexpected and terribly slow.
The reason this happens is that when dl_se->server_pick_task() returns
NULL, indicating no runnable tasks, it would yield, pushing any later
jobs out a whole period (1 second).
Instead simply stop the server. This should restore behaviour in that
a later wakeup (which restarts the server) will be able to continue
running (subject to the CBS wakeup rules).
Notably, this does not re-introduce the behaviour cccb45d7c4295 set
out to solve, any start/stop cycle is naturally throttled by the timer
period (no active cancel).
Fixes: cccb45d7c4295 ("sched/deadline: Less agressive dl_server handling")
Reported-by: John Stultz <jstultz@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: John Stultz <jstultz@google.com>
Closes: https://lore.kernel.org/regressions/04657838-46d1-432d-95e1-eb73b930b032@mailbox.org
Signed-off-by: Lukas Beckmann <lbckmnn@mailbox.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched.h | 1 -
kernel/sched/deadline.c | 23 ++---------------------
kernel/sched/sched.h | 33 +++++++++++++++++++++++++++++++--
3 files changed, 33 insertions(+), 24 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 464d281aa2e49..f9ffe42cae171 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -674,7 +674,6 @@ struct sched_dl_entity {
unsigned int dl_defer : 1;
unsigned int dl_defer_armed : 1;
unsigned int dl_defer_running : 1;
- unsigned int dl_server_idle : 1;
/*
* Bandwidth enforcement timer. Each -deadline task has its
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 609783d7de290..a6c699e43111d 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1621,10 +1621,8 @@ void dl_server_update_idle_time(struct rq *rq, struct task_struct *p)
void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec)
{
/* 0 runtime = fair server disabled */
- if (dl_se->dl_runtime) {
- dl_se->dl_server_idle = 0;
+ if (dl_se->dl_runtime)
update_curr_dl_se(dl_se->rq, dl_se, delta_exec);
- }
}
/*
@@ -1868,20 +1866,6 @@ void dl_server_stop(struct sched_dl_entity *dl_se)
dl_se->dl_server_active = 0;
}
-static bool dl_server_stopped(struct sched_dl_entity *dl_se)
-{
- if (!dl_se->dl_server_active)
- return true;
-
- if (dl_se->dl_server_idle) {
- dl_server_stop(dl_se);
- return true;
- }
-
- dl_se->dl_server_idle = 1;
- return false;
-}
-
void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq,
dl_server_pick_f pick_task)
{
@@ -2637,10 +2621,7 @@ static struct task_struct *__pick_task_dl(struct rq *rq)
if (dl_server(dl_se)) {
p = dl_se->server_pick_task(dl_se);
if (!p) {
- if (!dl_server_stopped(dl_se)) {
- dl_se->dl_yielded = 1;
- update_curr_dl_se(rq, dl_se, 0);
- }
+ dl_server_stop(dl_se);
goto again;
}
rq->dl_server = dl_se;
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index 9391ff62cdaaa..7956abeb9154e 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -377,10 +377,39 @@ extern s64 dl_scaled_delta_exec(struct rq *rq, struct sched_dl_entity *dl_se, s6
* dl_server_update() -- called from update_curr_common(), propagates runtime
* to the server.
*
- * dl_server_start()
- * dl_server_stop() -- start/stop the server when it has (no) tasks.
+ * dl_server_start() -- start the server when it has tasks; it will stop
+ * automatically when there are no more tasks, per
+ * dl_se::server_pick() returning NULL.
+ *
+ * dl_server_stop() -- (force) stop the server; use when updating
+ * parameters.
*
* dl_server_init() -- initializes the server.
+ *
+ * When started the dl_server will (per dl_defer) schedule a timer for its
+ * zero-laxity point -- that is, unlike regular EDF tasks which run ASAP, a
+ * server will run at the very end of its period.
+ *
+ * This is done such that any runtime from the target class can be accounted
+ * against the server -- through dl_server_update() above -- such that when it
+ * becomes time to run, it might already be out of runtime and get deferred
+ * until the next period. In this case dl_server_timer() will alternate
+ * between defer and replenish but never actually enqueue the server.
+ *
+ * Only when the target class does not manage to exhaust the server's runtime
+ * (there's actualy starvation in the given period), will the dl_server get on
+ * the runqueue. Once queued it will pick tasks from the target class and run
+ * them until either its runtime is exhaused, at which point its back to
+ * dl_server_timer, or until there are no more tasks to run, at which point
+ * the dl_server stops itself.
+ *
+ * By stopping at this point the dl_server retains bandwidth, which, if a new
+ * task wakes up imminently (starting the server again), can be used --
+ * subject to CBS wakeup rules -- without having to wait for the next period.
+ *
+ * Additionally, because of the dl_defer behaviour the start/stop behaviour is
+ * naturally thottled to once per period, avoiding high context switch
+ * workloads from spamming the hrtimer program/cancel paths.
*/
extern void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec);
extern void dl_server_start(struct sched_dl_entity *dl_se);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 020/272] sched/deadline: Stop dl_server before CPU goes offline
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 019/272] sched/deadline: Fix dl_server behaviour Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 021/272] ksmbd: close durable scavenger races against m_fp_list lookups Greg Kroah-Hartman
` (258 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Venkat Rao Bagalkote, Shrikanth Hegde, Marek Szyprowski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra (Intel) <peterz@infradead.org>
[ Upstream commit ee6e44dfe6e50b4a5df853d933a96bdff5309e6e ]
IBM CI tool reported kernel warning[1] when running a CPU removal
operation through drmgr[2]. i.e "drmgr -c cpu -r -q 1"
WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170
NIP [c0000000002b6ed8] cpudl_set+0x58/0x170
LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0
Call Trace:
[c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable)
[c0000000002b7cb8] dl_server_timer+0x168/0x2a0
[c00000000034df84] __hrtimer_run_queues+0x1a4/0x390
[c00000000034f624] hrtimer_interrupt+0x124/0x300
[c00000000002a230] timer_interrupt+0x140/0x320
Git bisects to: commit 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck")
This happens since:
- dl_server hrtimer gets enqueued close to cpu offline, when
kthread_park enqueues a fair task.
- CPU goes offline and drmgr removes it from cpu_present_mask.
- hrtimer fires and warning is hit.
Fix it by stopping the dl_server before CPU is marked dead.
[1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/
[2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr
[sshegde: wrote the changelog and tested it]
Fixes: 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck")
Closes: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 2 ++
kernel/sched/deadline.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 9b238c9c71c67..1b1ddd24cb227 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -8319,10 +8319,12 @@ int sched_cpu_dying(unsigned int cpu)
sched_tick_stop(cpu);
rq_lock_irqsave(rq, &rf);
+ update_rq_clock(rq);
if (rq->nr_running != 1 || rq_has_pinned_tasks(rq)) {
WARN(true, "Dying CPU not properly vacated!");
dump_rq_tasks(rq, KERN_WARNING);
}
+ dl_server_stop(&rq->fair_server);
rq_unlock_irqrestore(rq, &rf);
calc_load_migrate(rq);
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index a6c699e43111d..cb8eff0ebd228 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1848,6 +1848,9 @@ void dl_server_start(struct sched_dl_entity *dl_se)
if (!dl_se->dl_runtime || dl_se->dl_server_active)
return;
+ if (WARN_ON_ONCE(!cpu_online(cpu_of(rq))))
+ return;
+
dl_se->dl_server_active = 1;
enqueue_dl_entity(dl_se, ENQUEUE_WAKEUP);
if (!dl_task(dl_se->rq->curr) || dl_entity_preempt(dl_se, &rq->curr->dl))
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 021/272] ksmbd: close durable scavenger races against m_fp_list lookups
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 020/272] sched/deadline: Stop dl_server before CPU goes offline Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 022/272] af_unix: Give up GC if MSG_PEEK intervened Greg Kroah-Hartman
` (257 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit bf736184d063da1a552ffeff0481813599a182cc ]
ksmbd_durable_scavenger() has two related races against any walker
that iterates f_ci->m_fp_list, including ksmbd_lookup_fd_inode()
(used by ksmbd_vfs_rename) and the share-mode checks in
fs/smb/server/smb_common.c.
(1) fp->node list-head reuse. Durable-preserved handles can remain
linked on f_ci->m_fp_list after session teardown so share-mode checks
still see them while the handle is reconnectable. The scavenger
collected expired handles by adding fp->node to a local
scavenger_list after removing them from the global durable idr.
Because fp->node is the same list_head used by m_fp_list,
list_add(&fp->node, &scavenger_list) overwrites the m_fp_list links
and corrupts both lists. CONFIG_DEBUG_LIST can report this on the
share-mode walk path.
(2) Refcount race against m_fp_list walkers. The scavenger qualifies
an expired durable handle with atomic_read(&fp->refcount) > 1 and
fp->conn under global_ft.lock, removes fp from global_ft, then drops
global_ft.lock before unlinking fp from m_fp_list and freeing it.
During that gap fp is still linked on m_fp_list with f_state ==
FP_INITED. ksmbd_lookup_fd_inode() under m_lock read calls
ksmbd_fp_get() (atomic_inc_not_zero on refcount that is still 1) and
takes a live reference; the scavenger then unlinks and frees fp
while the holder owns a reference, leading to UAF on the holder's
subsequent ksmbd_fd_put() and on any field reads performed by a
concurrent share-mode walker that iterates m_fp_list without taking
ksmbd_fp_get() (smb_check_perm_dleases-like paths).
Fix both:
* Stop reusing fp->node as a scavenger-private list node. Remove
one expired handle from global_ft under global_ft.lock, take an
explicit transient reference, drop the lock, unlink fp->node
from m_fp_list under f_ci->m_lock, then drop both the durable
lifetime and transient references with atomic_sub_and_test(2,
&fp->refcount). If the scavenger is the last putter the close
runs there; otherwise an in-flight holder that already raced
through the m_fp_list lookup owns the final close via its
ksmbd_fd_put() path. The one-at-a-time disposal can rescan the
durable idr when multiple handles expire in the same pass, but
durable scavenging is a background expiration path and the final
full scan recomputes min_timeout before the next wait.
* Clear fp->persistent_id inside __ksmbd_remove_durable_fd() right
after idr_remove(), so a delayed final close from a holder that
snatched fp does not re-issue idr_remove() on a persistent id
that idr_alloc_cyclic() in ksmbd_open_durable_fd() may have
already handed out to a brand-new durable handle.
* Bypass the per-conn open_files_count decrement in
__put_fd_final() when fp is detached from any session table
(fp->conn cleared by session_fd_check() at durable preserve --
paired with the volatile_id clear at unpublish, so checking
fp->conn alone is sufficient). The walker that owns the final
close runs from an unrelated work->conn whose
stats.open_files_count never tracked this durable fp; without
this guard the holder would underflow that unrelated counter.
The two races are folded into one patch because patch (1) alone
cleans up the corrupted list but leaves a deterministic UAF window
for m_fp_list walkers that the transient-reference and
persistent_id discipline in (2) close; bisecting onto an
intermediate state would land on a UAF that pre-patch chaos merely
made less reproducible.
Validation:
* CONFIG_DEBUG_LIST coverage for the list_head reuse path.
* KASAN-enabled direct SMB2 durable-handle coverage that exercised
ksmbd_durable_scavenger() and non-NULL ksmbd_lookup_fd_inode()
returns while durable handles expired under concurrent rename
lookups, with no KASAN, UAF, list-corruption, ODEBUG, or WARNING
reports.
* checkpatch --strict
* make -j$(nproc) M=fs/smb/server
Fixes: d484d621d40f ("ksmbd: add durable scavenger timer")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/vfs_cache.c | 104 ++++++++++++++++++++++++++++----------
1 file changed, 77 insertions(+), 27 deletions(-)
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index d29cc1d01bd2c..a8fed467e9b69 100644
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -325,6 +325,14 @@ static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
return;
idr_remove(global_ft.idr, fp->persistent_id);
+ /*
+ * Clear persistent_id so a later __ksmbd_close_fd() that runs from a
+ * delayed putter (e.g. when a concurrent ksmbd_lookup_fd_inode()
+ * walker held the final reference) does not re-issue idr_remove() on
+ * an id that idr_alloc_cyclic() may have already handed out to a new
+ * durable handle.
+ */
+ fp->persistent_id = KSMBD_NO_FID;
}
static void ksmbd_remove_durable_fd(struct ksmbd_file *fp)
@@ -417,6 +425,20 @@ static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)
{
+ /*
+ * Detached durable fp -- session_fd_check() cleared fp->conn at
+ * preserve, so this fp is no longer tracked by any conn's
+ * stats.open_files_count. This happens when
+ * ksmbd_scavenger_dispose_dh() hands the final close off to an
+ * m_fp_list walker (e.g. ksmbd_lookup_fd_inode()) whose work->conn
+ * is unrelated to the conn that originally opened the handle; close
+ * via the NULL-ft path so we do not underflow that unrelated
+ * counter.
+ */
+ if (!fp->conn) {
+ __ksmbd_close_fd(NULL, fp);
+ return;
+ }
__ksmbd_close_fd(&work->sess->file_table, fp);
atomic_dec(&work->conn->stats.open_files_count);
}
@@ -788,24 +810,37 @@ static bool ksmbd_durable_scavenger_alive(void)
return true;
}
-static void ksmbd_scavenger_dispose_dh(struct list_head *head)
+static void ksmbd_scavenger_dispose_dh(struct ksmbd_file *fp)
{
- while (!list_empty(head)) {
- struct ksmbd_file *fp;
+ /*
+ * Durable-preserved fp can remain linked on f_ci->m_fp_list for
+ * share-mode checks. Unlink it before final close; fp->node is not
+ * available as a scavenger-private list node because re-adding it to
+ * another list corrupts m_fp_list.
+ */
+ down_write(&fp->f_ci->m_lock);
+ list_del_init(&fp->node);
+ up_write(&fp->f_ci->m_lock);
- fp = list_first_entry(head, struct ksmbd_file, node);
- list_del_init(&fp->node);
+ /*
+ * Drop both the durable lifetime reference and the transient reference
+ * taken by the scavenger under global_ft.lock. If a concurrent
+ * ksmbd_lookup_fd_inode() (or any other m_fp_list walker) snatched fp
+ * before the unlink above, that holder owns the final close via
+ * ksmbd_fd_put() -> __ksmbd_close_fd(). Otherwise the scavenger is
+ * the last putter and finalises fp here.
+ */
+ if (atomic_sub_and_test(2, &fp->refcount))
__ksmbd_close_fd(NULL, fp);
- }
}
static int ksmbd_durable_scavenger(void *dummy)
{
struct ksmbd_file *fp = NULL;
+ struct ksmbd_file *expired_fp;
unsigned int id;
unsigned int min_timeout = 1;
bool found_fp_timeout;
- LIST_HEAD(scavenger_list);
unsigned long remaining_jiffies;
__module_get(THIS_MODULE);
@@ -815,8 +850,6 @@ static int ksmbd_durable_scavenger(void *dummy)
if (try_to_freeze())
continue;
- found_fp_timeout = false;
-
remaining_jiffies = wait_event_timeout(dh_wq,
ksmbd_durable_scavenger_alive() == false,
__msecs_to_jiffies(min_timeout));
@@ -825,23 +858,39 @@ static int ksmbd_durable_scavenger(void *dummy)
else
min_timeout = DURABLE_HANDLE_MAX_TIMEOUT;
- write_lock(&global_ft.lock);
- idr_for_each_entry(global_ft.idr, fp, id) {
- if (!fp->durable_timeout)
- continue;
-
- if (atomic_read(&fp->refcount) > 1 ||
- fp->conn)
- continue;
-
- found_fp_timeout = true;
- if (fp->durable_scavenger_timeout <=
- jiffies_to_msecs(jiffies)) {
- __ksmbd_remove_durable_fd(fp);
- list_add(&fp->node, &scavenger_list);
- } else {
+ do {
+ expired_fp = NULL;
+ found_fp_timeout = false;
+
+ write_lock(&global_ft.lock);
+ idr_for_each_entry(global_ft.idr, fp, id) {
unsigned long durable_timeout;
+ if (!fp->durable_timeout)
+ continue;
+
+ if (atomic_read(&fp->refcount) > 1 ||
+ fp->conn)
+ continue;
+
+ found_fp_timeout = true;
+ if (fp->durable_scavenger_timeout <=
+ jiffies_to_msecs(jiffies)) {
+ __ksmbd_remove_durable_fd(fp);
+ /*
+ * Take a transient reference so fp
+ * cannot be freed by an in-flight
+ * ksmbd_lookup_fd_inode() that found
+ * it through f_ci->m_fp_list while we
+ * drop global_ft.lock and reach the
+ * m_fp_list unlink in
+ * ksmbd_scavenger_dispose_dh().
+ */
+ atomic_inc(&fp->refcount);
+ expired_fp = fp;
+ break;
+ }
+
durable_timeout =
fp->durable_scavenger_timeout -
jiffies_to_msecs(jiffies);
@@ -849,10 +898,11 @@ static int ksmbd_durable_scavenger(void *dummy)
if (min_timeout > durable_timeout)
min_timeout = durable_timeout;
}
- }
- write_unlock(&global_ft.lock);
+ write_unlock(&global_ft.lock);
- ksmbd_scavenger_dispose_dh(&scavenger_list);
+ if (expired_fp)
+ ksmbd_scavenger_dispose_dh(expired_fp);
+ } while (expired_fp);
if (found_fp_timeout == false)
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 022/272] af_unix: Give up GC if MSG_PEEK intervened.
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 021/272] ksmbd: close durable scavenger races against m_fp_list lookups Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 023/272] drm/imagination: Synchronize interrupts before suspending the GPU Greg Kroah-Hartman
` (256 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Igor Ushakov, Kuniyuki Iwashima,
Jakub Kicinski, Leon Chen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit e5b31d988a41549037b8d8721a3c3cae893d8670 ]
Igor Ushakov reported that GC purged the receive queue of
an alive socket due to a race with MSG_PEEK with a nice repro.
This is the exact same issue previously fixed by commit
cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
After GC was replaced with the current algorithm, the cited
commit removed the locking dance in unix_peek_fds() and
reintroduced the same issue.
The problem is that MSG_PEEK bumps a file refcount without
interacting with GC.
Consider an SCC containing sk-A and sk-B, where sk-A is
close()d but can be recv()ed via sk-B.
The bad thing happens if sk-A is recv()ed with MSG_PEEK from
sk-B and sk-B is close()d while GC is checking unix_vertex_dead()
for sk-A and sk-B.
GC thread User thread
--------- -----------
unix_vertex_dead(sk-A)
-> true <------.
\
`------ recv(sk-B, MSG_PEEK)
invalidate !! -> sk-A's file refcount : 1 -> 2
close(sk-B)
-> sk-B's file refcount : 2 -> 1
unix_vertex_dead(sk-B)
-> true
Initially, sk-A's file refcount is 1 by the inflight fd in sk-B
recvq. GC thinks sk-A is dead because the file refcount is the
same as the number of its inflight fds.
However, sk-A's file refcount is bumped silently by MSG_PEEK,
which invalidates the previous evaluation.
At this moment, sk-B's file refcount is 2; one by the open fd,
and one by the inflight fd in sk-A. The subsequent close()
releases one refcount by the former.
Finally, GC incorrectly concludes that both sk-A and sk-B are dead.
One option is to restore the locking dance in unix_peek_fds(),
but we can resolve this more elegantly thanks to the new algorithm.
The point is that the issue does not occur without the subsequent
close() and we actually do not need to synchronise MSG_PEEK with
the dead SCC detection.
When the issue occurs, close() and GC touch the same file refcount.
If GC sees the refcount being decremented by close(), it can just
give up garbage-collecting the SCC.
Therefore, we only need to signal the race during MSG_PEEK with
a proper memory barrier to make it visible to the GC.
Let's use seqcount_t to notify GC when MSG_PEEK occurs and let
it defer the SCC to the next run.
This way no locking is needed on the MSG_PEEK side, and we can
avoid imposing a penalty on every MSG_PEEK unnecessarily.
Note that we can retry within unix_scc_dead() if MSG_PEEK is
detected, but we do not do so to avoid hung task splat from
abusive MSG_PEEK calls.
Fixes: 118f457da9ed ("af_unix: Remove lock dance in unix_peek_fds().")
Reported-by: Igor Ushakov <sysroot314@gmail.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260311054043.1231316-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Using include/net/af_unix.h instead of net/unix/af_unix.h on 6.12.y ]
Signed-off-by: Leon Chen <leonchen.oss@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/af_unix.h | 1 +
net/unix/af_unix.c | 2 ++
net/unix/garbage.c | 79 ++++++++++++++++++++++++++++---------------
3 files changed, 54 insertions(+), 28 deletions(-)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 63129c79b8cbc..8cacc5290d8bb 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -23,6 +23,7 @@ void unix_del_edges(struct scm_fp_list *fpl);
void unix_update_edges(struct unix_sock *receiver);
int unix_prepare_fpl(struct scm_fp_list *fpl);
void unix_destroy_fpl(struct scm_fp_list *fpl);
+void unix_peek_fpl(struct scm_fp_list *fpl);
void unix_gc(void);
void wait_for_unix_gc(struct scm_fp_list *fpl);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 77976f36c4aa4..9c5a812bd6813 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1878,6 +1878,8 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb)
{
scm->fp = scm_fp_dup(UNIXCB(skb).fp);
+
+ unix_peek_fpl(scm->fp);
}
static void unix_destruct_scm(struct sk_buff *skb)
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 66fd606c43f45..1cdb54c61619f 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -306,6 +306,25 @@ void unix_destroy_fpl(struct scm_fp_list *fpl)
unix_free_vertices(fpl);
}
+static bool gc_in_progress;
+static seqcount_t unix_peek_seq = SEQCNT_ZERO(unix_peek_seq);
+
+void unix_peek_fpl(struct scm_fp_list *fpl)
+{
+ static DEFINE_SPINLOCK(unix_peek_lock);
+
+ if (!fpl || !fpl->count_unix)
+ return;
+
+ if (!READ_ONCE(gc_in_progress))
+ return;
+
+ /* Invalidate the final refcnt check in unix_vertex_dead(). */
+ spin_lock(&unix_peek_lock);
+ raw_write_seqcount_barrier(&unix_peek_seq);
+ spin_unlock(&unix_peek_lock);
+}
+
static bool unix_vertex_dead(struct unix_vertex *vertex)
{
struct unix_edge *edge;
@@ -339,6 +358,36 @@ static bool unix_vertex_dead(struct unix_vertex *vertex)
return true;
}
+static LIST_HEAD(unix_visited_vertices);
+static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2;
+
+static bool unix_scc_dead(struct list_head *scc, bool fast)
+{
+ struct unix_vertex *vertex;
+ bool scc_dead = true;
+ unsigned int seq;
+
+ seq = read_seqcount_begin(&unix_peek_seq);
+
+ list_for_each_entry_reverse(vertex, scc, scc_entry) {
+ /* Don't restart DFS from this vertex. */
+ list_move_tail(&vertex->entry, &unix_visited_vertices);
+
+ /* Mark vertex as off-stack for __unix_walk_scc(). */
+ if (!fast)
+ vertex->index = unix_vertex_grouped_index;
+
+ if (scc_dead)
+ scc_dead = unix_vertex_dead(vertex);
+ }
+
+ /* If MSG_PEEK intervened, defer this SCC to the next round. */
+ if (read_seqcount_retry(&unix_peek_seq, seq))
+ return false;
+
+ return scc_dead;
+}
+
static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist)
{
struct unix_vertex *vertex;
@@ -392,9 +441,6 @@ static bool unix_scc_cyclic(struct list_head *scc)
return false;
}
-static LIST_HEAD(unix_visited_vertices);
-static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2;
-
static void __unix_walk_scc(struct unix_vertex *vertex, unsigned long *last_index,
struct sk_buff_head *hitlist)
{
@@ -460,9 +506,7 @@ static void __unix_walk_scc(struct unix_vertex *vertex, unsigned long *last_inde
}
if (vertex->index == vertex->scc_index) {
- struct unix_vertex *v;
struct list_head scc;
- bool scc_dead = true;
/* SCC finalised.
*
@@ -471,18 +515,7 @@ static void __unix_walk_scc(struct unix_vertex *vertex, unsigned long *last_inde
*/
__list_cut_position(&scc, &vertex_stack, &vertex->scc_entry);
- list_for_each_entry_reverse(v, &scc, scc_entry) {
- /* Don't restart DFS from this vertex in unix_walk_scc(). */
- list_move_tail(&v->entry, &unix_visited_vertices);
-
- /* Mark vertex as off-stack. */
- v->index = unix_vertex_grouped_index;
-
- if (scc_dead)
- scc_dead = unix_vertex_dead(v);
- }
-
- if (scc_dead) {
+ if (unix_scc_dead(&scc, false)) {
unix_collect_skb(&scc, hitlist);
} else {
if (unix_vertex_max_scc_index < vertex->scc_index)
@@ -530,19 +563,11 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist)
while (!list_empty(&unix_unvisited_vertices)) {
struct unix_vertex *vertex;
struct list_head scc;
- bool scc_dead = true;
vertex = list_first_entry(&unix_unvisited_vertices, typeof(*vertex), entry);
list_add(&scc, &vertex->scc_entry);
- list_for_each_entry_reverse(vertex, &scc, scc_entry) {
- list_move_tail(&vertex->entry, &unix_visited_vertices);
-
- if (scc_dead)
- scc_dead = unix_vertex_dead(vertex);
- }
-
- if (scc_dead)
+ if (unix_scc_dead(&scc, true))
unix_collect_skb(&scc, hitlist);
else if (!unix_graph_maybe_cyclic)
unix_graph_maybe_cyclic = unix_scc_cyclic(&scc);
@@ -553,8 +578,6 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist)
list_replace_init(&unix_visited_vertices, &unix_unvisited_vertices);
}
-static bool gc_in_progress;
-
static void __unix_gc(struct work_struct *work)
{
struct sk_buff_head hitlist;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 023/272] drm/imagination: Synchronize interrupts before suspending the GPU
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 022/272] af_unix: Give up GC if MSG_PEEK intervened Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 024/272] smb: client: reject userspace cifs.spnego descriptions Greg Kroah-Hartman
` (255 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alessio Belle, Matt Coster,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alessio Belle <alessio.belle@imgtec.com>
commit 2d7f05cddf4c268cc36256a2476946041dbdd36d upstream.
The runtime PM suspend callback doesn't know whether the IRQ handler is
in progress on a different CPU core and doesn't wait for it to finish.
Depending on timing, the IRQ handler could be running while the GPU is
suspended, leading to it being killed when trying to access GPU
registers. See example signature below.
In a power off sequence initiated by the runtime PM suspend callback,
wait for any IRQ handlers in progress on other CPU cores to finish, by
calling synchronize_irq().
This version of the patch contains only the part of the upstream commit
that applies to 6.12; the rest was a revert of code added in 6.16.
The second paragraph above is different because on 6.12 this kind of bug
doesn't seem to crash the entire kernel, only the IRQ handler, leaving
the driver unusable in practice.
The crash signature below is also different, both because of the above,
and because there was no support for TI AM68 SK in 6.12.
Example signature on a TI AM62 SK platform:
[ 7827.189088] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
[ 7827.197311] Modules linked in:
[ 7827.222015] CPU: 0 UID: 0 PID: 461 Comm: irq/405-gpu Tainted: G M 6.12.90 #5
[ 7827.230461] Tainted: [M]=MACHINE_CHECK
[ 7827.234203] Hardware name: Texas Instruments AM625 SK (DT)
[ 7827.239682] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 7827.246637] pc : pvr_device_irq_thread_handler+0x64/0x180 [powervr]
[ 7827.252941] lr : irq_thread_fn+0x2c/0xa8
[ 7827.256872] sp : ffff800082d8bd50
[ 7827.260179] x29: ffff800082d8bd70 x28: ffff8000800ce374 x27: ffff800081829cc0
[ 7827.267328] x26: ffff000004701e80 x25: ffff000005b884ac x24: ffff000005bd5780
[ 7827.274472] x23: ffff00000da40bc0 x22: ffff00000da40ba0 x21: ffff800082d8bd58
[ 7827.281614] x20: ffff00000da40000 x19: ffff000004701e80 x18: 08000000c6af9003
[ 7827.288750] x17: 0000000000000010 x16: 0000000000000068 x15: 0df234008df66400
[ 7827.295886] x14: 0000000000000000 x13: 000005c68f6e7191 x12: 000000000000025e
[ 7827.303020] x11: 00000000000000c0 x10: 0000000000000ac0 x9 : ffff800082d8bd00
[ 7827.310157] x8 : ffff000005bd62a0 x7 : ffff000077261380 x6 : 00000000000005c6
[ 7827.317292] x5 : 000000000000425e x4 : 0000000000000000 x3 : 0000000000000000
[ 7827.324428] x2 : 00000000000008a8 x1 : ffff800082d608a8 x0 : ffff000005bd5780
[ 7827.331568] Call trace:
[ 7827.334011] pvr_device_irq_thread_handler+0x64/0x180 [powervr]
[ 7827.339954] irq_thread_fn+0x2c/0xa8
[ 7827.343530] irq_thread+0x16c/0x2f4
[ 7827.347019] kthread+0x110/0x114
[ 7827.350248] ret_from_fork+0x10/0x20
[ 7827.353834] Code: f9446682 f943c281 b9404442 8b020021 (b9400021)
[ 7827.359921] ---[ end trace 0000000000000000 ]---
[ 7827.364820] genirq: exiting task "irq/405-gpu" (461) is an active IRQ thread (irq 405)
[ 8011.230278] powervr fd00000.gpu: Job timeout
[ 8011.230350] powervr fd00000.gpu: Job timeout
[ 8011.230426] powervr fd00000.gpu: Job timeout
Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support")
Fixes: 96822d38ff57 ("drm/imagination: Handle Rogue safety event IRQs")
Cc: stable@vger.kernel.org
Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
Reviewed-by: Matt Coster <matt.coster@imgtec.com>
Link: https://patch.msgid.link/20260310-drain-irqs-before-suspend-v1-1-bf4f9ed68e75@imgtec.com
Signed-off-by: Matt Coster <matt.coster@imgtec.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/imagination/pvr_power.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/imagination/pvr_power.c b/drivers/gpu/drm/imagination/pvr_power.c
index bf4cf8426f913..077d2651798c8 100644
--- a/drivers/gpu/drm/imagination/pvr_power.c
+++ b/drivers/gpu/drm/imagination/pvr_power.c
@@ -84,7 +84,7 @@ pvr_power_request_pwr_off(struct pvr_device *pvr_dev)
}
static int
-pvr_power_fw_disable(struct pvr_device *pvr_dev, bool hard_reset)
+pvr_power_fw_disable(struct pvr_device *pvr_dev, bool hard_reset, bool rpm_suspend)
{
if (!hard_reset) {
int err;
@@ -100,6 +100,11 @@ pvr_power_fw_disable(struct pvr_device *pvr_dev, bool hard_reset)
return err;
}
+ if (rpm_suspend) {
+ /* Wait for late processing of GPU or firmware IRQs in other cores */
+ synchronize_irq(pvr_dev->irq);
+ }
+
return pvr_fw_stop(pvr_dev);
}
@@ -243,7 +248,7 @@ pvr_power_device_suspend(struct device *dev)
return -EIO;
if (pvr_dev->fw_dev.booted) {
- err = pvr_power_fw_disable(pvr_dev, false);
+ err = pvr_power_fw_disable(pvr_dev, false, true);
if (err)
goto err_drm_dev_exit;
}
@@ -425,7 +430,7 @@ pvr_power_reset(struct pvr_device *pvr_dev, bool hard_reset)
queues_disabled = true;
}
- err = pvr_power_fw_disable(pvr_dev, hard_reset);
+ err = pvr_power_fw_disable(pvr_dev, hard_reset, false);
if (!err) {
if (hard_reset) {
pvr_dev->fw_dev.booted = false;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 024/272] smb: client: reject userspace cifs.spnego descriptions
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 023/272] drm/imagination: Synchronize interrupts before suspending the GPU Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 025/272] ata: libata-scsi: improve readability of ata_scsi_qc_issue() Greg Kroah-Hartman
` (254 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells,
Asim Viladi Oglu Manizada, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Asim Viladi Oglu Manizada <manizada@pm.me>
commit 3da1fdf4efbc490041eb4f836bf596201203f8f2 upstream.
cifs.spnego key descriptions contain authority-bearing fields such as
pid, uid, creduid, and upcall_target that cifs.upcall treats as
kernel-originating inputs. However, userspace can also create keys of
this type through request_key(2) or add_key(2), allowing those fields to
be supplied without CIFS origin.
Only accept cifs.spnego descriptions while CIFS is using its private
spnego_cred to request the key.
Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifs_spnego.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/fs/smb/client/cifs_spnego.c
+++ b/fs/smb/client/cifs_spnego.c
@@ -8,6 +8,7 @@
*/
#include <linux/list.h>
+#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <keys/user-type.h>
@@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key)
kfree(key->payload.data[0]);
}
+static int
+cifs_spnego_key_vet_description(const char *description)
+{
+ /*
+ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
+ * They are only valid when produced by CIFS while using the private
+ * spnego_cred installed below. Do not let userspace create this type
+ * of key through request_key(2)/add_key(2), since the helper treats
+ * pid/uid/creduid/upcall_target as kernel-originating fields.
+ */
+ if (current_cred() != spnego_cred)
+ return -EPERM;
+ return 0;
+}
/*
* keytype for CIFS spnego keys
*/
struct key_type cifs_spnego_key_type = {
.name = "cifs.spnego",
+ .vet_description = cifs_spnego_key_vet_description,
.instantiate = cifs_spnego_key_instantiate,
.destroy = cifs_spnego_key_destroy,
.describe = user_describe,
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 025/272] ata: libata-scsi: improve readability of ata_scsi_qc_issue()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 024/272] smb: client: reject userspace cifs.spnego descriptions Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 026/272] ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT Greg Kroah-Hartman
` (253 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tommy Kelly, Damien Le Moal,
Niklas Cassel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit 360190bd965f93794d5f5685a6de22ce6da2b672 upstream.
Improve readability of ata_scsi_qc_issue().
No functional changes.
Tested-by: Tommy Kelly <linux@tkel.ly>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-scsi.c | 43 +++++++++++++++++++++----------------------
1 file changed, 21 insertions(+), 22 deletions(-)
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1779,7 +1779,7 @@ static int ata_scsi_qc_issue(struct ata_
int ret;
if (!ap->ops->qc_defer)
- goto issue;
+ goto issue_qc;
/*
* If we already have a deferred qc, then rely on the SCSI layer to
@@ -1798,38 +1798,37 @@ static int ata_scsi_qc_issue(struct ata_
break;
case ATA_DEFER_LINK:
ret = SCSI_MLQUEUE_DEVICE_BUSY;
- break;
+ goto defer_qc;
case ATA_DEFER_PORT:
ret = SCSI_MLQUEUE_HOST_BUSY;
- break;
+ goto defer_qc;
default:
WARN_ON_ONCE(1);
ret = SCSI_MLQUEUE_HOST_BUSY;
- break;
+ goto defer_qc;
}
- if (ret) {
- /*
- * We must defer this qc: if this is not an NCQ command, keep
- * this qc as a deferred one and report to the SCSI layer that
- * we issued it so that it is not requeued. The deferred qc will
- * be issued with the port deferred_qc_work once all on-going
- * commands complete.
- */
- if (!ata_is_ncq(qc->tf.protocol)) {
- ap->deferred_qc = qc;
- return 0;
- }
+issue_qc:
+ ata_qc_issue(qc);
+ return 0;
- /* Force a requeue of the command to defer its execution. */
- ata_qc_free(qc);
- return ret;
+defer_qc:
+ /*
+ * We must defer this qc: if this is not an NCQ command, keep
+ * this qc as a deferred one and report to the SCSI layer that
+ * we issued it so that it is not requeued. The deferred qc will
+ * be issued with the port deferred_qc_work once all on-going
+ * commands complete.
+ */
+ if (!ata_is_ncq(qc->tf.protocol)) {
+ ap->deferred_qc = qc;
+ return 0;
}
-issue:
- ata_qc_issue(qc);
+ /* Force a requeue of the command to defer its execution. */
+ ata_qc_free(qc);
- return 0;
+ return ret;
}
/**
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 026/272] ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 025/272] ata: libata-scsi: improve readability of ata_scsi_qc_issue() Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 027/272] ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS Greg Kroah-Hartman
` (252 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tommy Kelly, Damien Le Moal,
Niklas Cassel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit ce4548807d2e4ae48fd0dbe38865467369877913 upstream.
The deferred QC feature was meant to handle mixed NCQ and non-NCQ commands,
i.e. for return value ATA_DEFER_LINK.
ATA_DEFER_PORT is returned by PATA drivers, but also certain SATA drivers
like sata_mv and sata_sil24 that uses ap->excl_link to workaround hardware
bugs in these HBAs. Regardless of the reason, using the deferred QC feature
for ATA_DEFER_PORT is always wrong, and will break the ap->excl_link usage
of the SATA drivers that rely on that feature.
Modify ata_scsi_qc_issue() to only use the deferred QC feature when mixing
NCQ and non-NCQ commands, i.e. ATA_DEFER_LINK.
Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
Tested-by: Tommy Kelly <linux@tkel.ly>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-scsi.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1801,11 +1801,11 @@ static int ata_scsi_qc_issue(struct ata_
goto defer_qc;
case ATA_DEFER_PORT:
ret = SCSI_MLQUEUE_HOST_BUSY;
- goto defer_qc;
+ goto free_qc;
default:
WARN_ON_ONCE(1);
ret = SCSI_MLQUEUE_HOST_BUSY;
- goto defer_qc;
+ goto free_qc;
}
issue_qc:
@@ -1825,6 +1825,7 @@ defer_qc:
return 0;
}
+free_qc:
/* Force a requeue of the command to defer its execution. */
ata_qc_free(qc);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 027/272] ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 026/272] ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 028/272] ata: libata-scsi: do not needlessly defer commands when using PMP with FBS Greg Kroah-Hartman
` (251 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tommy Kelly, Damien Le Moal,
Niklas Cassel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit f233124fb36cd57ef09f96d517a38ab4b902e15e upstream.
When using Port Multipliers (PMPs) with Command-Based Switching (CBS), you
can only issue commands to one link at a time. For PMPs with CBS, there is
already code to handle commands being sent to different links in
sata_pmp_qc_defer_cmd_switch() using ap->excl_link. sata_sil24 also makes
use of ap->excl_link.
A user on the list reported that commit 0ea84089dbf6 ("ata: libata-scsi:
avoid Non-NCQ command starvation") broke PMPs with CBS. The commit
introduced code that stores a deferred qc in ap->deferred_qc, to later be
issued via a workqueue. It turns out that this change is incompatible with
the existing ap->excl_link handling used by PMPs with CBS.
Thus, modify sata_pmp_qc_defer_cmd_switch() and sil24_qc_defer() to return
ATA_DEFER_LINK_EXCL, and make sure that the deferred QC handling via
workqueue is not used for this return value.
This way, PMPs with CBS will work once again. Note that the starvation
referenced in commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ
command starvation") can only happen on libsas ports, and libsas does not
support Port Multipliers, thus there is no harm of reverting back to the
previous way of deferring commands for PMPs with CBS.
Non-libsas ports connected to anything but a PMP with CBS (e.g. a normal
drive or a PMP with FBS) will continue using the deferred workqueue, since
it does result in lower completion latencies for non-NCQ commands, even
though the workqueue is not strictly needed to avoid starvation for
non-libsas ports.
If we want to modify the scope of the workqueue issuing to also handle
PMPs with CBS, then we should ensure that we can save both NCQ and non-NCQ
commands in ap->deferred_qc, while also removing the existing PMP CBS
handling using ap->excl_link, such that we don't duplicate features.
While at it, also add a comment explaining how the ap->excl_link mechanism
works.
Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
Tested-by: Tommy Kelly <linux@tkel.ly>
Reported-by: Tommy Kelly <linux@tkel.ly>
Closes: https://lore.kernel.org/linux-ide/ce09cc21-a8e9-4845-b205-35411e22fba9@tkel.ly/
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-pmp.c | 13 ++++++++++++-
drivers/ata/libata-scsi.c | 8 ++++++++
drivers/ata/sata_sil24.c | 6 +++++-
include/linux/libata.h | 1 +
4 files changed, 26 insertions(+), 2 deletions(-)
--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -110,13 +110,24 @@ int sata_pmp_qc_defer_cmd_switch(struct
{
struct ata_link *link = qc->dev->link;
struct ata_port *ap = link->ap;
+ int ret;
if (ap->excl_link == NULL || ap->excl_link == link) {
if (ap->nr_active_links == 0 || ata_link_active(link)) {
qc->flags |= ATA_QCFLAG_CLEAR_EXCL;
- return ata_std_qc_defer(qc);
+ ret = ata_std_qc_defer(qc);
+ if (ret == ATA_DEFER_LINK)
+ return ATA_DEFER_LINK_EXCL;
+ return ret;
}
+ /*
+ * Note: ap->excl_link contains the link that is next in line,
+ * i.e. implicit round robin. If there is only one link
+ * dispatching, ap->excl_link will be left unclaimed, allowing
+ * other links to set ap->excl_link, ensuring that the currently
+ * active link cannot queue any more.
+ */
ap->excl_link = link;
}
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1799,6 +1799,14 @@ static int ata_scsi_qc_issue(struct ata_
case ATA_DEFER_LINK:
ret = SCSI_MLQUEUE_DEVICE_BUSY;
goto defer_qc;
+ case ATA_DEFER_LINK_EXCL:
+ /*
+ * Drivers making use of ap->excl_link cannot store the QC in
+ * ap->deferred_qc, because the ap->excl_link handling is
+ * incompatible with the ap->deferred_qc workqueue handling.
+ */
+ ret = SCSI_MLQUEUE_DEVICE_BUSY;
+ goto free_qc;
case ATA_DEFER_PORT:
ret = SCSI_MLQUEUE_HOST_BUSY;
goto free_qc;
--- a/drivers/ata/sata_sil24.c
+++ b/drivers/ata/sata_sil24.c
@@ -790,6 +790,7 @@ static int sil24_qc_defer(struct ata_que
struct ata_link *link = qc->dev->link;
struct ata_port *ap = link->ap;
u8 prot = qc->tf.protocol;
+ int ret;
/*
* There is a bug in the chip:
@@ -827,7 +828,10 @@ static int sil24_qc_defer(struct ata_que
qc->flags |= ATA_QCFLAG_CLEAR_EXCL;
}
- return ata_std_qc_defer(qc);
+ ret = ata_std_qc_defer(qc);
+ if (ret == ATA_DEFER_LINK)
+ return ATA_DEFER_LINK_EXCL;
+ return ret;
}
static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc)
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -348,6 +348,7 @@ enum {
/* return values for ->qc_defer */
ATA_DEFER_LINK = 1,
ATA_DEFER_PORT = 2,
+ ATA_DEFER_LINK_EXCL = 3,
/* desc_len for ata_eh_info and context */
ATA_EH_DESC_LEN = 80,
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 028/272] ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 027/272] ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 029/272] perf parse-events: Expose/rename config_term_name Greg Kroah-Hartman
` (250 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tommy Kelly, Damien Le Moal,
Niklas Cassel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit 759e8756da00aa115d504a18155b1d1ee1cc12e8 upstream.
The ACS specification does not allow a non-NCQ command to be issued while
an NCQ command is outstanding.
Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
introduced a feature where a deferred non-NCQ command gets issued from a
workqueue. The design stores a single non-NCQ command per port.
However, when using Port Multipliers (PMPs), specifically PMPs that
support FIS-Based Switching (FBS), non-NCQ and NCQ commands can be mixed
on the same port, just not for the same link, see e.g. ata_std_qc_defer()
which is, and always has operated on a per-link basis.
Therefore, move the deferred_qc from struct ata_port to struct ata_link.
This way, when using a PMP with FBS, we will not needlessly defer commands
to all other links, just because one link issued a non-NCQ command while
having an NCQ command outstanding. Only commands for that specific link
will be deferred. This is in line with how PMPs with FBS worked before
commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation").
Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
Tested-by: Tommy Kelly <linux@tkel.ly>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 9 +++++--
drivers/ata/libata-eh.c | 8 +++---
drivers/ata/libata-pmp.c | 5 +++-
drivers/ata/libata-scsi.c | 54 +++++++++++++++++++++++++---------------------
include/linux/libata.h | 6 ++---
5 files changed, 47 insertions(+), 35 deletions(-)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5444,6 +5444,7 @@ void ata_link_init(struct ata_port *ap,
link->pmp = pmp;
link->active_tag = ATA_TAG_POISON;
link->hw_sata_spd_limit = UINT_MAX;
+ INIT_WORK(&link->deferred_qc_work, ata_scsi_deferred_qc_work);
/* can't use iterator, ap isn't initialized yet */
for (i = 0; i < ATA_MAX_DEVICES; i++) {
@@ -5526,7 +5527,6 @@ struct ata_port *ata_port_alloc(struct a
mutex_init(&ap->scsi_scan_mutex);
INIT_DELAYED_WORK(&ap->hotplug_task, ata_scsi_hotplug);
INIT_DELAYED_WORK(&ap->scsi_rescan_task, ata_scsi_dev_rescan);
- INIT_WORK(&ap->deferred_qc_work, ata_scsi_deferred_qc_work);
INIT_LIST_HEAD(&ap->eh_done_q);
init_waitqueue_head(&ap->eh_wait_q);
init_completion(&ap->park_req_pending);
@@ -6149,12 +6149,15 @@ static void ata_port_detach(struct ata_p
/* It better be dead now and not have any remaining deferred qc. */
WARN_ON(!(ap->pflags & ATA_PFLAG_UNLOADED));
- WARN_ON(ap->deferred_qc);
- cancel_work_sync(&ap->deferred_qc_work);
cancel_delayed_work_sync(&ap->hotplug_task);
cancel_delayed_work_sync(&ap->scsi_rescan_task);
+ ata_for_each_link(link, ap, PMP_FIRST) {
+ WARN_ON(link->deferred_qc);
+ cancel_work_sync(&link->deferred_qc_work);
+ }
+
/* Delete port multiplier link transport devices */
if (ap->pmp_link) {
int i;
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -645,11 +645,11 @@ void ata_scsi_cmd_error_handler(struct S
if (qc->scsicmd != scmd)
continue;
if ((qc->flags & ATA_QCFLAG_ACTIVE) ||
- qc == ap->deferred_qc)
+ qc == qc->dev->link->deferred_qc)
break;
}
- if (i < ATA_MAX_QUEUE && qc == ap->deferred_qc) {
+ if (i < ATA_MAX_QUEUE && qc == qc->dev->link->deferred_qc) {
/*
* This is a deferred command that timed out while
* waiting for the command queue to drain. Since the qc
@@ -660,8 +660,8 @@ void ata_scsi_cmd_error_handler(struct S
* deferred qc work from issuing this qc.
*/
WARN_ON_ONCE(qc->flags & ATA_QCFLAG_ACTIVE);
- ap->deferred_qc = NULL;
- cancel_work(&ap->deferred_qc_work);
+ qc->dev->link->deferred_qc = NULL;
+ cancel_work(&qc->dev->link->deferred_qc_work);
set_host_byte(scmd, DID_TIME_OUT);
scsi_eh_finish_cmd(scmd, &ap->eh_done_q);
} else if (i < ATA_MAX_QUEUE) {
--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -582,8 +582,11 @@ static void sata_pmp_detach(struct ata_d
if (ap->ops->pmp_detach)
ap->ops->pmp_detach(ap);
- ata_for_each_link(tlink, ap, EDGE)
+ ata_for_each_link(tlink, ap, EDGE) {
+ WARN_ON(tlink->deferred_qc);
+ cancel_work_sync(&tlink->deferred_qc_work);
ata_eh_detach_dev(tlink->device);
+ }
spin_lock_irqsave(ap->lock, flags);
ap->nr_pmp_links = 0;
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1673,8 +1673,9 @@ static void ata_qc_done(struct ata_queue
void ata_scsi_deferred_qc_work(struct work_struct *work)
{
- struct ata_port *ap =
- container_of(work, struct ata_port, deferred_qc_work);
+ struct ata_link *link =
+ container_of(work, struct ata_link, deferred_qc_work);
+ struct ata_port *ap = link->ap;
struct ata_queued_cmd *qc;
unsigned long flags;
@@ -1685,10 +1686,10 @@ void ata_scsi_deferred_qc_work(struct wo
* such case, we should not need any more deferring the qc, so warn if
* qc_defer() says otherwise.
*/
- qc = ap->deferred_qc;
+ qc = link->deferred_qc;
if (qc && !ata_port_eh_scheduled(ap)) {
WARN_ON_ONCE(ap->ops->qc_defer(qc));
- ap->deferred_qc = NULL;
+ link->deferred_qc = NULL;
ata_qc_issue(qc);
}
@@ -1697,8 +1698,7 @@ void ata_scsi_deferred_qc_work(struct wo
void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
{
- struct ata_queued_cmd *qc = ap->deferred_qc;
- struct scsi_cmnd *scmd;
+ struct ata_link *link;
lockdep_assert_held(ap->lock);
@@ -1707,20 +1707,25 @@ void ata_scsi_requeue_deferred_qc(struct
* do not try to be smart about what to do with this deferred command
* and simply requeue it by completing it with DID_REQUEUE.
*/
- if (!qc)
- return;
-
- scmd = qc->scsicmd;
- ap->deferred_qc = NULL;
- cancel_work(&ap->deferred_qc_work);
- ata_qc_free(qc);
- scmd->result = (DID_REQUEUE << 16);
- scsi_done(scmd);
+ ata_for_each_link(link, ap, PMP_FIRST) {
+ struct ata_queued_cmd *qc = link->deferred_qc;
+ struct scsi_cmnd *scmd;
+
+ if (qc) {
+ scmd = qc->scsicmd;
+ link->deferred_qc = NULL;
+ cancel_work(&link->deferred_qc_work);
+ ata_qc_free(qc);
+ scmd->result = (DID_REQUEUE << 16);
+ scsi_done(scmd);
+ }
+ }
}
-static void ata_scsi_schedule_deferred_qc(struct ata_port *ap)
+static void ata_scsi_schedule_deferred_qc(struct ata_link *link)
{
- struct ata_queued_cmd *qc = ap->deferred_qc;
+ struct ata_queued_cmd *qc = link->deferred_qc;
+ struct ata_port *ap = link->ap;
lockdep_assert_held(ap->lock);
@@ -1737,12 +1742,12 @@ static void ata_scsi_schedule_deferred_q
return;
}
if (!ap->ops->qc_defer(qc))
- queue_work(system_highpri_wq, &ap->deferred_qc_work);
+ queue_work(system_highpri_wq, &link->deferred_qc_work);
}
static void ata_scsi_qc_complete(struct ata_queued_cmd *qc)
{
- struct ata_port *ap = qc->ap;
+ struct ata_link *link = qc->dev->link;
struct scsi_cmnd *cmd = qc->scsicmd;
u8 *cdb = cmd->cmnd;
bool have_sense = qc->flags & ATA_QCFLAG_SENSE_VALID;
@@ -1771,11 +1776,12 @@ static void ata_scsi_qc_complete(struct
ata_qc_done(qc);
- ata_scsi_schedule_deferred_qc(ap);
+ ata_scsi_schedule_deferred_qc(link);
}
static int ata_scsi_qc_issue(struct ata_port *ap, struct ata_queued_cmd *qc)
{
+ struct ata_link *link = qc->dev->link;
int ret;
if (!ap->ops->qc_defer)
@@ -1786,7 +1792,7 @@ static int ata_scsi_qc_issue(struct ata_
* requeue and defer all incoming commands until the deferred qc is
* processed, once all on-going commands complete.
*/
- if (ap->deferred_qc) {
+ if (link->deferred_qc) {
ata_qc_free(qc);
return SCSI_MLQUEUE_DEVICE_BUSY;
}
@@ -1802,8 +1808,8 @@ static int ata_scsi_qc_issue(struct ata_
case ATA_DEFER_LINK_EXCL:
/*
* Drivers making use of ap->excl_link cannot store the QC in
- * ap->deferred_qc, because the ap->excl_link handling is
- * incompatible with the ap->deferred_qc workqueue handling.
+ * link->deferred_qc, because the ap->excl_link handling is
+ * incompatible with the link->deferred_qc workqueue handling.
*/
ret = SCSI_MLQUEUE_DEVICE_BUSY;
goto free_qc;
@@ -1829,7 +1835,7 @@ defer_qc:
* commands complete.
*/
if (!ata_is_ncq(qc->tf.protocol)) {
- ap->deferred_qc = qc;
+ link->deferred_qc = qc;
return 0;
}
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -853,6 +853,9 @@ struct ata_link {
unsigned int sata_spd; /* current SATA PHY speed */
enum ata_lpm_policy lpm_policy;
+ struct work_struct deferred_qc_work;
+ struct ata_queued_cmd *deferred_qc;
+
/* record runtime error info, protected by host_set lock */
struct ata_eh_info eh_info;
/* EH context */
@@ -898,9 +901,6 @@ struct ata_port {
u64 qc_active;
int nr_active_links; /* #links with active qcs */
- struct work_struct deferred_qc_work;
- struct ata_queued_cmd *deferred_qc;
-
struct ata_link link; /* host default link */
struct ata_link *slave_link; /* see ata_slave_link_init() */
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 029/272] perf parse-events: Expose/rename config_term_name
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 028/272] ata: libata-scsi: do not needlessly defer commands when using PMP with FBS Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 030/272] Revert "ice: fix double-free of tx_buf skb" Greg Kroah-Hartman
` (249 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit d2f3ecb0ca2099d13bf8bf69219214c1425dc453 ]
Expose config_term_name as parse_events__term_type_str so that PMUs not
in pmu.c may access it.
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20241002032016.333748-4-irogers@google.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/parse-events.c | 20 +++++++++++---------
tools/perf/util/parse-events.h | 2 ++
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
index fcc4dab618bee..3d221608b13a5 100644
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -801,7 +801,7 @@ static int check_type_val(struct parse_events_term *term,
static bool config_term_shrinked;
-static const char *config_term_name(enum parse_events__term_type term_type)
+const char *parse_events__term_type_str(enum parse_events__term_type term_type)
{
/*
* Update according to parse-events.l
@@ -887,7 +887,7 @@ config_term_avail(enum parse_events__term_type term_type, struct parse_events_er
/* term_type is validated so indexing is safe */
if (asprintf(&err_str, "'%s' is not usable in 'perf stat'",
- config_term_name(term_type)) >= 0)
+ parse_events__term_type_str(term_type)) >= 0)
parse_events_error__handle(err, -1, err_str, NULL);
return false;
}
@@ -1011,7 +1011,7 @@ do { \
case PARSE_EVENTS__TERM_TYPE_HARDWARE:
default:
parse_events_error__handle(err, term->err_term,
- strdup(config_term_name(term->type_term)),
+ strdup(parse_events__term_type_str(term->type_term)),
parse_events_formats_error_string(NULL));
return -EINVAL;
}
@@ -1135,8 +1135,9 @@ static int config_term_tracepoint(struct perf_event_attr *attr,
default:
if (err) {
parse_events_error__handle(err, term->err_term,
- strdup(config_term_name(term->type_term)),
- strdup("valid terms: call-graph,stack-size\n"));
+ strdup(parse_events__term_type_str(term->type_term)),
+ strdup("valid terms: call-graph,stack-size\n")
+ );
}
return -EINVAL;
}
@@ -2581,7 +2582,7 @@ int parse_events_term__num(struct parse_events_term **term,
struct parse_events_term temp = {
.type_val = PARSE_EVENTS__TERM_TYPE_NUM,
.type_term = type_term,
- .config = config ? : strdup(config_term_name(type_term)),
+ .config = config ? : strdup(parse_events__term_type_str(type_term)),
.no_value = no_value,
.err_term = loc_term ? loc_term->first_column : 0,
.err_val = loc_val ? loc_val->first_column : 0,
@@ -2615,7 +2616,7 @@ int parse_events_term__term(struct parse_events_term **term,
void *loc_term, void *loc_val)
{
return parse_events_term__str(term, term_lhs, NULL,
- strdup(config_term_name(term_rhs)),
+ strdup(parse_events__term_type_str(term_rhs)),
loc_term, loc_val);
}
@@ -2722,7 +2723,8 @@ int parse_events_terms__to_strbuf(const struct parse_events_terms *terms, struct
if (ret < 0)
return ret;
} else if ((unsigned int)term->type_term < __PARSE_EVENTS__TERM_TYPE_NR) {
- ret = strbuf_addf(sb, "%s=", config_term_name(term->type_term));
+ ret = strbuf_addf(sb, "%s=",
+ parse_events__term_type_str(term->type_term));
if (ret < 0)
return ret;
}
@@ -2742,7 +2744,7 @@ static void config_terms_list(char *buf, size_t buf_sz)
buf[0] = '\0';
for (i = 0; i < __PARSE_EVENTS__TERM_TYPE_NR; i++) {
- const char *name = config_term_name(i);
+ const char *name = parse_events__term_type_str(i);
if (!config_term_avail(i, NULL))
continue;
diff --git a/tools/perf/util/parse-events.h b/tools/perf/util/parse-events.h
index 2b52f8d6aa29a..ac1feaaeb8d5d 100644
--- a/tools/perf/util/parse-events.h
+++ b/tools/perf/util/parse-events.h
@@ -168,6 +168,8 @@ struct parse_events_state {
bool wild_card_pmus;
};
+const char *parse_events__term_type_str(enum parse_events__term_type term_type);
+
bool parse_events__filter_pmu(const struct parse_events_state *parse_state,
const struct perf_pmu *pmu);
void parse_events__shrink_config_terms(void);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 030/272] Revert "ice: fix double-free of tx_buf skb"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 029/272] perf parse-events: Expose/rename config_term_name Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 031/272] Revert "ice: Remove jumbo_remove step from TX path" Greg Kroah-Hartman
` (248 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit fd95ef8d0f6dbe2daa95d6488c9e0f8a95a7e048.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 48434a79869cb..08d1757f40888 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2346,9 +2346,6 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
ice_trace(xmit_frame_ring, tx_ring, skb);
- /* record the location of the first descriptor for this packet */
- first = &tx_ring->tx_buf[tx_ring->next_to_use];
-
count = ice_xmit_desc_count(skb);
if (ice_chk_linearize(skb, count)) {
if (__skb_linearize(skb))
@@ -2374,6 +2371,8 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
offload.tx_ring = tx_ring;
+ /* record the location of the first descriptor for this packet */
+ first = &tx_ring->tx_buf[tx_ring->next_to_use];
first->skb = skb;
first->type = ICE_TX_BUF_SKB;
first->bytecount = max_t(unsigned int, skb->len, ETH_ZLEN);
@@ -2437,7 +2436,6 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
out_drop:
ice_trace(xmit_frame_ring_drop, tx_ring, skb);
dev_kfree_skb_any(skb);
- first->type = ICE_TX_BUF_EMPTY;
return NETDEV_TX_OK;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 031/272] Revert "ice: Remove jumbo_remove step from TX path"
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 030/272] Revert "ice: fix double-free of tx_buf skb" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 032/272] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 Greg Kroah-Hartman
` (247 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 7332d208c9d2067546eb7af5339773c966ac5625.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 08d1757f40888..431a6ed498a4e 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2346,6 +2346,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
ice_trace(xmit_frame_ring, tx_ring, skb);
+ if (unlikely(ipv6_hopopt_jumbo_remove(skb)))
+ goto out_drop;
+
count = ice_xmit_desc_count(skb);
if (ice_chk_linearize(skb, count)) {
if (__skb_linearize(skb))
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 032/272] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 031/272] Revert "ice: Remove jumbo_remove step from TX path" Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 033/272] net/mlx5e: Trigger neighbor resolution for unresolved destinations Greg Kroah-Hartman
` (246 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Yang, Jiri Olsa,
Masami Hiramatsu (Google), Will Deacon, Gyokhan Kochmarla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Yang <yangfeng@kylinos.cn>
commit fd2f74f8f3d3c1a524637caf5bead9757fae4332 upstream.
When using bpf_program__attach_kprobe_multi_opts on ARM64 to hook a BPF program
that contains the bpf_get_stackid function, the BPF program fails
to obtain the stack trace and returns -EFAULT.
This is because ftrace_partial_regs omits the configuration of the pstate register,
leaving pstate at the default value of 0. When get_perf_callchain executes,
it uses user_mode(regs) to determine whether it is in kernel mode.
This leads to a misjudgment that the code is in user mode,
so perf_callchain_kernel is not executed and the function returns directly.
As a result, trace->nr becomes 0, and finally -EFAULT is returned.
Therefore, the assignment of the pstate register is added here.
Fixes: b9b55c8912ce ("tracing: Add ftrace_partial_regs() for converting ftrace_regs to pt_regs")
Closes: https://lore.kernel.org/bpf/20250919071902.554223-1-yangfeng59949@163.com/
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
Tested-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/ftrace.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/include/asm/ftrace.h b/arch/arm64/include/asm/ftrace.h
index 10e56522122aa..46d4300dd48d3 100644
--- a/arch/arm64/include/asm/ftrace.h
+++ b/arch/arm64/include/asm/ftrace.h
@@ -145,6 +145,7 @@ ftrace_partial_regs(const struct ftrace_regs *fregs, struct pt_regs *regs)
regs->pc = afregs->pc;
regs->regs[29] = afregs->fp;
regs->regs[30] = afregs->lr;
+ regs->pstate = PSR_MODE_EL1h;
return regs;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 033/272] net/mlx5e: Trigger neighbor resolution for unresolved destinations
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 032/272] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 034/272] net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init Greg Kroah-Hartman
` (245 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Leon Romanovsky,
Tariq Toukan, Paolo Abeni, Gyokhan Kochmarla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
commit 9ab89bde13e5251e1d0507e1cc426edcdfe19142 upstream.
When initializing the MAC addresses for an outbound IPsec packet offload
rule in mlx5e_ipsec_init_macs, the call to dst_neigh_lookup is used to
find the next-hop neighbor (typically the gateway in tunnel mode).
This call might create a new neighbor entry if one doesn't already
exist. This newly created entry starts in the INCOMPLETE state, as the
kernel hasn't yet sent an ARP or NDISC probe to resolve the MAC
address. In this case, neigh_ha_snapshot will correctly return an
all-zero MAC address.
IPsec packet offload requires the actual next-hop MAC address to
program the rule correctly. If the neighbor state is INCOMPLETE when
the rule is created, the hardware rule is programmed with an all-zero
destination MAC address. Packets sent using this rule will be
subsequently dropped by the receiving network infrastructure or host.
This patch adds a check specifically for the outbound offload path. If
neigh_ha_snapshot returns an all-zero MAC address, it proactively
calls neigh_event_send(n, NULL). This ensures the kernel immediately
sends the initial ARP or NDISC probe if one isn't already pending,
accelerating the resolution process. This helps prevent the hardware
rule from being programmed with an invalid MAC address and avoids
packet drops due to unresolved neighbors.
Fixes: 71670f766b8f ("net/mlx5e: Support routed networks during IPsec MACs initialization")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-8-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 486f05112f5a6..e2915d3143e6b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -365,6 +365,9 @@ static void mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry *sa_entry,
neigh_ha_snapshot(addr, n, netdev);
ether_addr_copy(dst, addr);
+ if (attrs->dir == XFRM_DEV_OFFLOAD_OUT &&
+ is_zero_ether_addr(addr))
+ neigh_event_send(n, NULL);
dst_release(rt_dst_entry);
neigh_release(n);
return;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 034/272] net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 033/272] net/mlx5e: Trigger neighbor resolution for unresolved destinations Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 035/272] x86/fgraph: Fix return_to_handler regs.rsp value Greg Kroah-Hartman
` (244 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Leon Romanovsky,
Tariq Toukan, Paolo Abeni, Gyokhan Kochmarla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
commit e35d7da8dd9e55b37c3e8ab548f6793af0c2ab49 upstream.
Replace ipv6_stub->ipv6_dst_lookup_flow() with ip6_dst_lookup() in
mlx5e_ipsec_init_macs() since IPsec transformations are not needed
during Security Association setup - only basic routing information is
required for nexthop MAC address resolution.
This resolves an issue where XfrmOutNoStates error counter would be
incremented when xfrm policy is configured before xfrm state, as the
IPsec-aware routing function would attempt policy checks during SA
initialization.
Fixes: 71670f766b8f ("net/mlx5e: Support routed networks during IPsec MACs initialization")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-7-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index e2915d3143e6b..c1b6893389fdf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -348,9 +348,8 @@ static void mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry *sa_entry,
rt_dst_entry = &rt->dst;
break;
case AF_INET6:
- rt_dst_entry = ipv6_stub->ipv6_dst_lookup_flow(
- dev_net(netdev), NULL, &fl6, NULL);
- if (IS_ERR(rt_dst_entry))
+ if (!IS_ENABLED(CONFIG_IPV6) ||
+ ip6_dst_lookup(dev_net(netdev), NULL, &rt_dst_entry, &fl6))
goto neigh;
break;
default:
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 035/272] x86/fgraph: Fix return_to_handler regs.rsp value
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 034/272] net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 036/272] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set Greg Kroah-Hartman
` (243 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Olsa, Andrii Nakryiko,
Steven Rostedt (Google), Gyokhan Kochmarla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
commit 8bc11700e0d23d4fdb7d8d5a73b2e95de427cabc upstream.
The previous change (Fixes commit) messed up the rsp register value,
which is wrong because it's already adjusted with FRAME_SIZE, we need
the original rsp value.
This change does not affect fprobe current kernel unwind, the !perf_hw_regs
path perf_callchain_kernel:
if (perf_hw_regs(regs)) {
if (perf_callchain_store(entry, regs->ip))
return;
unwind_start(&state, current, regs, NULL);
} else {
unwind_start(&state, current, NULL, (void *)regs->sp);
}
which uses pt_regs.sp as first_frame boundary (FRAME_SIZE shift makes
no difference, unwind stil stops at the right frame).
This change fixes the other path when we want to unwind directly from
pt_regs sp/fp/ip state, which is coming in following change.
Fixes: 20a0bc10272f ("x86/fgraph,bpf: Fix stack ORC unwind from kprobe_multi return probe")
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Link: https://lore.kernel.org/bpf/20260126211837.472802-2-jolsa@kernel.org
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/ftrace_64.S | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/ftrace_64.S b/arch/x86/kernel/ftrace_64.S
index 8a3cff618692c..143fc62bf6f88 100644
--- a/arch/x86/kernel/ftrace_64.S
+++ b/arch/x86/kernel/ftrace_64.S
@@ -349,6 +349,9 @@ SYM_CODE_START(return_to_handler)
UNWIND_HINT_UNDEFINED
ANNOTATE_NOENDBR
+ /* Store original rsp for pt_regs.sp value. */
+ movq %rsp, %rdi
+
/* Restore return_to_handler value that got eaten by previous ret instruction. */
subq $8, %rsp
UNWIND_HINT_FUNC
@@ -359,7 +362,7 @@ SYM_CODE_START(return_to_handler)
movq %rax, RAX(%rsp)
movq %rdx, RDX(%rsp)
movq %rbp, RBP(%rsp)
- movq %rsp, RSP(%rsp)
+ movq %rdi, RSP(%rsp)
movq %rsp, %rdi
call ftrace_return_to_handler
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 036/272] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 035/272] x86/fgraph: Fix return_to_handler regs.rsp value Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 037/272] riscv: fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS Greg Kroah-Hartman
` (242 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Tian, Lu Baolu, Joerg Roedel,
Gyokhan Kochmarla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit cf08ca81d08a04b3b304e8fb4e052f323a09783d upstream.
When a device uses a PASID for SVA (Shared Virtual Address), it's possible
that the PASID entry is marked as non-present and FPD bit set before the
device flushes all ongoing DMA requests and removes the SVA domain. This
can occur when an exception happens and the process terminates before the
device driver stops DMA and calls the iommu driver to unbind the PASID.
There's no need to drain the PRQ in the mm release path. Instead, the PRQ
will be drained in the SVA unbind path. But in such case,
intel_pasid_tear_down_entry() only checks the presence of the pasid entry
and returns directly.
Add the code to clear the FPD bit and drain the PRQ.
Fixes: c43e1ccdebf2 ("iommu/vt-d: Drain PRQs when domain removed from RID")
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20241217024240.139615-1-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/intel/pasid.c | 22 +++++++++++++++++++++-
drivers/iommu/intel/pasid.h | 6 ++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
index 3d1d43675bf22..74be6b547fc0c 100644
--- a/drivers/iommu/intel/pasid.c
+++ b/drivers/iommu/intel/pasid.c
@@ -245,11 +245,31 @@ void intel_pasid_tear_down_entry(struct intel_iommu *iommu, struct device *dev,
spin_lock(&iommu->lock);
pte = intel_pasid_get_entry(dev, pasid);
- if (WARN_ON(!pte) || !pasid_pte_is_present(pte)) {
+ if (WARN_ON(!pte)) {
spin_unlock(&iommu->lock);
return;
}
+ if (!pasid_pte_is_present(pte)) {
+ if (!pasid_pte_is_fault_disabled(pte)) {
+ WARN_ON(READ_ONCE(pte->val[0]) != 0);
+ spin_unlock(&iommu->lock);
+ return;
+ }
+
+ /*
+ * When a PASID is used for SVA by a device, it's possible
+ * that the pasid entry is non-present with the Fault
+ * Processing Disabled bit set. Clear the pasid entry and
+ * drain the PRQ for the PASID before return.
+ */
+ pasid_clear_entry(pte);
+ spin_unlock(&iommu->lock);
+ intel_iommu_drain_pasid_prq(dev, pasid);
+
+ return;
+ }
+
did = pasid_get_domain_id(pte);
pgtt = pasid_pte_get_pgtt(pte);
pasid_clear_present(pte);
diff --git a/drivers/iommu/intel/pasid.h b/drivers/iommu/intel/pasid.h
index 55cad7bfa294e..8ffb01163f0e6 100644
--- a/drivers/iommu/intel/pasid.h
+++ b/drivers/iommu/intel/pasid.h
@@ -80,6 +80,12 @@ static inline bool pasid_pte_is_present(struct pasid_entry *pte)
return READ_ONCE(pte->val[0]) & PASID_PTE_PRESENT;
}
+/* Get FPD(Fault Processing Disable) bit of a PASID table entry */
+static inline bool pasid_pte_is_fault_disabled(struct pasid_entry *pte)
+{
+ return READ_ONCE(pte->val[0]) & PASID_PTE_FPD;
+}
+
/* Get PGTT field of a PASID table entry */
static inline u16 pasid_pte_get_pgtt(struct pasid_entry *pte)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 037/272] riscv: fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 036/272] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 038/272] riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler Greg Kroah-Hartman
` (241 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Pu Lehui,
Björn Töpel, Alexandre Ghiti, Gyokhan Kochmarla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pu Lehui <pulehui@huawei.com>
commit e8eb8e1bdae94b9e003f5909519fd311d0936890 upstream.
Currently, fgraph on riscv relies on the infrastructure of
DYNAMIC_FTRACE_WITH_ARGS. However, DYNAMIC_FTRACE_WITH_ARGS may be
turned off on riscv, which will cause the enabled fgraph to be abnormal.
Therefore, let's select HAVE_FUNCTION_GRAPH_TRACER depends on
HAVE_DYNAMIC_FTRACE_WITH_ARGS.
Fixes: a3ed4157b7d8 ("fgraph: Replace fgraph_ret_regs with ftrace_regs")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202503160820.dvqMpH0g-lkp@intel.com/
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Reviewed-by: Björn Töpel <bjorn@rivosinc.com>
Link: https://lore.kernel.org/r/20250317031214.4138436-1-pulehui@huaweicloud.com
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 9e8667a523d55..1c75758167956 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -143,7 +143,7 @@ config RISCV
select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
select HAVE_DYNAMIC_FTRACE_WITH_ARGS if HAVE_DYNAMIC_FTRACE
select HAVE_FTRACE_MCOUNT_RECORD if !XIP_KERNEL
- select HAVE_FUNCTION_GRAPH_TRACER
+ select HAVE_FUNCTION_GRAPH_TRACER if HAVE_DYNAMIC_FTRACE_WITH_ARGS
select HAVE_FUNCTION_GRAPH_FREGS
select HAVE_FUNCTION_TRACER if !XIP_KERNEL && !PREEMPTION
select HAVE_EBPF_JIT if MMU
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 038/272] riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 037/272] riscv: fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 039/272] hwmon: (pmbus/core) Protect regulator operations with mutex Greg Kroah-Hartman
` (240 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linux Kernel Functional Testing,
Pu Lehui, Alexandre Ghiti, Björn Töpel,
Masami Hiramatsu (Google), Gyokhan Kochmarla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pu Lehui <pulehui@huawei.com>
commit 67a5ba8f742f247bc83e46dd2313c142b1383276 upstream.
Naresh Kamboju reported a "Bad frame pointer" kernel warning while
running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the
same issue with the following command:
```
$ cd /sys/kernel/debug/tracing
$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events
$ echo 1 > events/fprobes/enable
$ echo 1 > tracing_on
$ sleep 1
```
And we can get the following kernel warning:
[ 127.692888] ------------[ cut here ]------------
[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000
[ 127.693755] from func do_nanosleep return to ffffffff800ccb16
[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be
[ 127.699894] Modules linked in:
[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32
[ 127.701453] Hardware name: riscv-virtio,qemu (DT)
[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be
[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10
[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000
[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80
[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20
[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000
[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0
[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068
[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001
[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e
[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18
[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be
[ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26
[ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26
[ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54
[ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a
[ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218
[ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156
[ 127.705436] ---[ end trace 0000000000000000 ]---
The reason is that the stack layout for constructing argument for the
ftrace_return_to_handler in the return_to_handler does not match the
__arch_ftrace_regs structure of riscv, leading to unexpected results.
Fixes: a3ed4157b7d8 ("fgraph: Replace fgraph_ret_regs with ftrace_regs")
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/all/CA+G9fYvp_oAxeDFj88Tk2rfEZ7jtYKAKSwfYS66=57Db9TBdyA@mail.gmail.com
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Tested-by: Björn Töpel <bjorn@rivosinc.com>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://lore.kernel.org/r/20250317031214.4138436-2-pulehui@huaweicloud.com
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/mcount.S | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/arch/riscv/kernel/mcount.S b/arch/riscv/kernel/mcount.S
index 068168046e0ef..da4a4000e57ea 100644
--- a/arch/riscv/kernel/mcount.S
+++ b/arch/riscv/kernel/mcount.S
@@ -12,8 +12,6 @@
#include <asm/asm-offsets.h>
#include <asm/ftrace.h>
-#define ABI_SIZE_ON_STACK 80
-
.text
.macro SAVE_ABI_STATE
@@ -28,12 +26,12 @@
* register if a0 was not saved.
*/
.macro SAVE_RET_ABI_STATE
- addi sp, sp, -ABI_SIZE_ON_STACK
- REG_S ra, 1*SZREG(sp)
- REG_S s0, 8*SZREG(sp)
- REG_S a0, 10*SZREG(sp)
- REG_S a1, 11*SZREG(sp)
- addi s0, sp, ABI_SIZE_ON_STACK
+ addi sp, sp, -FREGS_SIZE_ON_STACK
+ REG_S ra, FREGS_RA(sp)
+ REG_S s0, FREGS_S0(sp)
+ REG_S a0, FREGS_A0(sp)
+ REG_S a1, FREGS_A1(sp)
+ addi s0, sp, FREGS_SIZE_ON_STACK
.endm
.macro RESTORE_ABI_STATE
@@ -43,11 +41,11 @@
.endm
.macro RESTORE_RET_ABI_STATE
- REG_L ra, 1*SZREG(sp)
- REG_L s0, 8*SZREG(sp)
- REG_L a0, 10*SZREG(sp)
- REG_L a1, 11*SZREG(sp)
- addi sp, sp, ABI_SIZE_ON_STACK
+ REG_L ra, FREGS_RA(sp)
+ REG_L s0, FREGS_S0(sp)
+ REG_L a0, FREGS_A0(sp)
+ REG_L a1, FREGS_A1(sp)
+ addi sp, sp, FREGS_SIZE_ON_STACK
.endm
SYM_TYPED_FUNC_START(ftrace_stub)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 039/272] hwmon: (pmbus/core) Protect regulator operations with mutex
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 038/272] riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 040/272] arm64: Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL Greg Kroah-Hartman
` (239 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck,
Fang Wang, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 754bd2b4a084b90b5e7b630e1f423061a9b9b761 ]
The regulator operations pmbus_regulator_get_voltage(),
pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()
access PMBus registers and shared data but were not protected by
the update_lock mutex. This could lead to race conditions.
However, adding mutex protection directly to these functions causes
a deadlock because pmbus_regulator_notify() (which calls
regulator_notifier_call_chain()) is often called with the mutex
already held (e.g., from pmbus_fault_handler()). If a regulator
callback then calls one of the now-protected voltage functions,
it will attempt to acquire the same mutex.
Rework pmbus_regulator_notify() to utilize a worker function to
send notifications outside of the mutex protection. Events are
stored as atomics in a per-page bitmask and processed by the worker.
Initialize the worker and its associated data during regulator
registration, and ensure it is cancelled on device removal using
devm_add_action_or_reset().
While at it, remove the unnecessary include of linux/of.h.
Cc: Sanman Pradhan <psanman@juniper.net>
Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support")
Reviewed-by: Sanman Pradhan <psanman@juniper.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pmbus/pmbus_core.c | 117 ++++++++++++++++++++++++-------
1 file changed, 91 insertions(+), 26 deletions(-)
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index 41c66ece5177e..e37fd206510a6 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -6,6 +6,7 @@
* Copyright (c) 2012 Guenter Roeck
*/
+#include <linux/atomic.h>
#include <linux/debugfs.h>
#include <linux/delay.h>
#include <linux/kernel.h>
@@ -20,8 +21,8 @@
#include <linux/pmbus.h>
#include <linux/regulator/driver.h>
#include <linux/regulator/machine.h>
-#include <linux/of.h>
#include <linux/thermal.h>
+#include <linux/workqueue.h>
#include "pmbus.h"
/*
@@ -102,6 +103,11 @@ struct pmbus_data {
struct mutex update_lock;
+#if IS_ENABLED(CONFIG_REGULATOR)
+ atomic_t regulator_events[PMBUS_PAGES];
+ struct work_struct regulator_notify_work;
+#endif
+
bool has_status_word; /* device uses STATUS_WORD register */
int (*read_status)(struct i2c_client *client, int page);
@@ -3181,12 +3187,19 @@ static int pmbus_regulator_get_voltage(struct regulator_dev *rdev)
.class = PSC_VOLTAGE_OUT,
.convert = true,
};
+ int ret;
+ mutex_lock(&data->update_lock);
s.data = _pmbus_read_word_data(client, s.page, 0xff, PMBUS_READ_VOUT);
- if (s.data < 0)
- return s.data;
+ if (s.data < 0) {
+ ret = s.data;
+ goto unlock;
+ }
- return (int)pmbus_reg2data(data, &s) * 1000; /* unit is uV */
+ ret = (int)pmbus_reg2data(data, &s) * 1000; /* unit is uV */
+unlock:
+ mutex_unlock(&data->update_lock);
+ return ret;
}
static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
@@ -3203,16 +3216,22 @@ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
};
int val = DIV_ROUND_CLOSEST(min_uv, 1000); /* convert to mV */
int low, high;
+ int ret;
*selector = 0;
+ mutex_lock(&data->update_lock);
low = pmbus_regulator_get_low_margin(client, s.page);
- if (low < 0)
- return low;
+ if (low < 0) {
+ ret = low;
+ goto unlock;
+ }
high = pmbus_regulator_get_high_margin(client, s.page);
- if (high < 0)
- return high;
+ if (high < 0) {
+ ret = high;
+ goto unlock;
+ }
/* Make sure we are within margins */
if (low > val)
@@ -3222,7 +3241,10 @@ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
val = pmbus_data2reg(data, &s, val);
- return _pmbus_write_word_data(client, s.page, PMBUS_VOUT_COMMAND, (u16)val);
+ ret = _pmbus_write_word_data(client, s.page, PMBUS_VOUT_COMMAND, (u16)val);
+unlock:
+ mutex_unlock(&data->update_lock);
+ return ret;
}
static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
@@ -3230,7 +3252,9 @@ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
{
struct device *dev = rdev_get_dev(rdev);
struct i2c_client *client = to_i2c_client(dev->parent);
+ struct pmbus_data *data = i2c_get_clientdata(client);
int val, low, high;
+ int ret;
if (selector >= rdev->desc->n_voltages ||
selector < rdev->desc->linear_min_sel)
@@ -3240,18 +3264,29 @@ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
val = DIV_ROUND_CLOSEST(rdev->desc->min_uV +
(rdev->desc->uV_step * selector), 1000); /* convert to mV */
+ mutex_lock(&data->update_lock);
+
low = pmbus_regulator_get_low_margin(client, rdev_get_id(rdev));
- if (low < 0)
- return low;
+ if (low < 0) {
+ ret = low;
+ goto unlock;
+ }
high = pmbus_regulator_get_high_margin(client, rdev_get_id(rdev));
- if (high < 0)
- return high;
+ if (high < 0) {
+ ret = high;
+ goto unlock;
+ }
- if (val >= low && val <= high)
- return val * 1000; /* unit is uV */
+ if (val >= low && val <= high) {
+ ret = val * 1000; /* unit is uV */
+ goto unlock;
+ }
- return 0;
+ ret = 0;
+unlock:
+ mutex_unlock(&data->update_lock);
+ return ret;
}
const struct regulator_ops pmbus_regulator_ops = {
@@ -3266,12 +3301,42 @@ const struct regulator_ops pmbus_regulator_ops = {
};
EXPORT_SYMBOL_NS_GPL(pmbus_regulator_ops, PMBUS);
+static void pmbus_regulator_notify_work_cancel(void *data)
+{
+ struct pmbus_data *pdata = data;
+
+ cancel_work_sync(&pdata->regulator_notify_work);
+}
+
+static void pmbus_regulator_notify_worker(struct work_struct *work)
+{
+ struct pmbus_data *data =
+ container_of(work, struct pmbus_data, regulator_notify_work);
+ int i, j;
+
+ for (i = 0; i < data->info->pages; i++) {
+ int event;
+
+ event = atomic_xchg(&data->regulator_events[i], 0);
+ if (!event)
+ continue;
+
+ for (j = 0; j < data->info->num_regulators; j++) {
+ if (i == rdev_get_id(data->rdevs[j])) {
+ regulator_notifier_call_chain(data->rdevs[j],
+ event, NULL);
+ break;
+ }
+ }
+ }
+}
+
static int pmbus_regulator_register(struct pmbus_data *data)
{
struct device *dev = data->dev;
const struct pmbus_driver_info *info = data->info;
const struct pmbus_platform_data *pdata = dev_get_platdata(dev);
- int i;
+ int i, ret;
data->rdevs = devm_kzalloc(dev, sizeof(struct regulator_dev *) * info->num_regulators,
GFP_KERNEL);
@@ -3295,20 +3360,20 @@ static int pmbus_regulator_register(struct pmbus_data *data)
info->reg_desc[i].name);
}
+ INIT_WORK(&data->regulator_notify_work, pmbus_regulator_notify_worker);
+
+ ret = devm_add_action_or_reset(dev, pmbus_regulator_notify_work_cancel, data);
+ if (ret)
+ return ret;
+
return 0;
}
static int pmbus_regulator_notify(struct pmbus_data *data, int page, int event)
{
- int j;
-
- for (j = 0; j < data->info->num_regulators; j++) {
- if (page == rdev_get_id(data->rdevs[j])) {
- regulator_notifier_call_chain(data->rdevs[j], event, NULL);
- break;
- }
- }
- return 0;
+ atomic_or(event, &data->regulator_events[page]);
+ schedule_work(&data->regulator_notify_work);
+ return 0;
}
#else
static int pmbus_regulator_register(struct pmbus_data *data)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 040/272] arm64: Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 039/272] hwmon: (pmbus/core) Protect regulator operations with mutex Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 041/272] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
` (238 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Bulwahn, Will Deacon,
Gyokhan Kochmarla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Bulwahn <lukas.bulwahn@redhat.com>
commit f458b2165d7ac0f2401fff48f19c8f864e7e1e38 upstream.
Commit a3ed4157b7d8 ("fgraph: Replace fgraph_ret_regs with ftrace_regs")
replaces the config HAVE_FUNCTION_GRAPH_RETVAL with the config
HAVE_FUNCTION_GRAPH_FREGS, and it replaces all the select commands in the
various architecture Kconfig files. In the arm64 architecture, the commit
adds the 'select HAVE_FUNCTION_GRAPH_FREGS', but misses to remove the
'select HAVE_FUNCTION_GRAPH_RETVAL', i.e., the select on the replaced
config.
Remove selecting the replaced config. No functional change, just cleanup.
Fixes: a3ed4157b7d8 ("fgraph: Replace fgraph_ret_regs with ftrace_regs")
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@redhat.com>
Link: https://lore.kernel.org/r/20250117125522.99071-1-lukas.bulwahn@redhat.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Gyokhan Kochmarla <gyokhan@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index f487c5e21e2f1..d4ebdc16cdb4f 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -219,7 +219,6 @@ config ARM64
select HAVE_FUNCTION_ERROR_INJECTION
select HAVE_FUNCTION_GRAPH_FREGS
select HAVE_FUNCTION_GRAPH_TRACER
- select HAVE_FUNCTION_GRAPH_RETVAL
select HAVE_GCC_PLUGINS
select HAVE_HARDLOCKUP_DETECTOR_PERF if PERF_EVENTS && \
HW_PERF_EVENTS && HAVE_PERF_EVENTS_NMI
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 041/272] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 040/272] arm64: Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 042/272] sysfs: dont remove existing directory on update failure Greg Kroah-Hartman
` (237 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni, Jianqiang kang, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 ]
The logic used to abort the DMA ring contains several flaws:
1. The driver unconditionally issues a ring abort even when the ring has
already stopped.
2. The completion used to wait for abort completion is never
re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which
resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be
considered successful without attempting further action.
Fix the abort handling by checking whether the ring is running before
issuing an abort, re-initializing the completion when needed, ensuring that
RING_CTRL_ENABLE remains asserted during abort, and treating an already
stopped ring as a successful condition.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-9-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index b9496e8c4784d..44461f13b54cd 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -457,16 +457,23 @@ static bool hci_dma_dequeue_xfer(struct i3c_hci *hci,
struct hci_rh_data *rh = &rings->headers[xfer_list[0].ring_number];
unsigned int i;
bool did_unqueue = false;
-
- /* stop the ring */
- rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
- if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
- /*
- * We're deep in it if ever this condition is ever met.
- * Hardware might still be writing to memory, etc.
- */
- dev_crit(&hci->master.dev, "unable to abort the ring\n");
- WARN_ON(1);
+ u32 ring_status;
+
+ ring_status = rh_reg_read(RING_STATUS);
+ if (ring_status & RING_STATUS_RUNNING) {
+ /* stop the ring */
+ reinit_completion(&rh->op_done);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_ABORT);
+ wait_for_completion_timeout(&rh->op_done, HZ);
+ ring_status = rh_reg_read(RING_STATUS);
+ if (ring_status & RING_STATUS_RUNNING) {
+ /*
+ * We're deep in it if ever this condition is ever met.
+ * Hardware might still be writing to memory, etc.
+ */
+ dev_crit(&hci->master.dev, "unable to abort the ring\n");
+ WARN_ON(1);
+ }
}
for (i = 0; i < n; i++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 042/272] sysfs: dont remove existing directory on update failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 041/272] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 043/272] mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() Greg Kroah-Hartman
` (236 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rajat Jain, stable,
Rafael J. Wysocki (Intel), Danilo Krummrich
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 237557b8a81ab948e8332f7c0058e758f081c0a3 upstream.
When sysfs_update_group() is called for a named group and create_files()
fails (e.g. -ENOMEM), internal_create_group() calls kernfs_remove(kn) on
the group directory. In the update path, kn was obtained via
kernfs_find_and_get() and refers to a directory that already existed
before this call. Removing it silently destroys a sysfs group that the
caller did not create.
Only remove the directory if we created it ourselves. On update failure
the directory remains as it is left empty by remove_files() inside
create_files(), but can be repopulated by a retry.
Cc: Rajat Jain <rajatja@google.com>
Fixes: c855cf2759d2 ("sysfs: Fix internal_create_group() for named group updates")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patch.msgid.link/2026052003-uniquely-hastily-c093@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/sysfs/group.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/sysfs/group.c
+++ b/fs/sysfs/group.c
@@ -179,7 +179,7 @@ static int internal_create_group(struct
kernfs_get(kn);
error = create_files(kn, kobj, uid, gid, grp, update);
if (error) {
- if (grp->name)
+ if (grp->name && !update)
kernfs_remove(kn);
}
kernfs_put(kn);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 043/272] mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 042/272] sysfs: dont remove existing directory on update failure Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 044/272] ksmbd: fix null pointer dereference in compare_guid_key() Greg Kroah-Hartman
` (235 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit d4e7b5c4cc353f154d5ab8bb2e1ce7714d77a6e9 upstream.
damon_sysfs_memcg_path_to_id() breaks mem_cgroup_iter() loop without
calling mem_cgroup_iter_break(). This leaks the cgroup reference. Fix
the issue by calling mem_cgroup_iter_break() before the break.
The issue was discovered [1] by Sashiko.
Link: https://lore.kernel.org/20260426173625.86521-1-sj@kernel.org
Link: https://lore.kernel.org/20260423004148.74722-1-sj@kernel.org [1]
Fixes: 29cbb9a13f05 ("mm/damon/sysfs-schemes: implement scheme filters")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.3.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs-schemes.c | 1 +
1 file changed, 1 insertion(+)
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -1913,6 +1913,7 @@ static int damon_sysfs_memcg_path_to_id(
if (damon_sysfs_memcg_path_eq(memcg, path, memcg_path)) {
*id = mem_cgroup_id(memcg);
found = true;
+ mem_cgroup_iter_break(NULL, memcg);
break;
}
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 044/272] ksmbd: fix null pointer dereference in compare_guid_key()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 043/272] mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 045/272] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow Greg Kroah-Hartman
` (234 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeremy Laratro, Namjae Jeon,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Laratro <research@aradex.io>
commit 4b83cbc4c15f09b000cc06f033f64b0824b6dc87 upstream.
session_fd_check() walks the per-inode m_op_list during durable-handle
session teardown and sets op->conn = NULL for every opinfo whose conn
matched the closing session's connection. The matching opinfo, however,
stays linked in its per-ClientGuid lease_table_list entry's lb->lease_list
because destroy_lease_table() only runs on full TCP-connection teardown,
not on SESSION_LOGOFF.
If the same TCP connection then negotiates a fresh session with the
same ClientGuid (ClientGuid is bound to NEGOTIATE, not the session, and
is unchanged across LOGOFF + SETUP) and issues a SMB2 CREATE with a
lease context on a different inode, find_same_lease_key() walks
lb->lease_list, reaches the stale opinfo, and calls compare_guid_key(),
which unconditionally dereferences opinfo->conn->ClientGUID. The conn
pointer is NULL and the kernel panics.
Reproducer requires only a successful SMB2 SESSION_SETUP and a share
configured with 'durable handles = yes'. KASAN report on mainline
70390501d194:
general protection fault, probably for non-canonical address
0xdffffc0000000069: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000348-0x000000000000034f]
Workqueue: ksmbd-io handle_ksmbd_work
RIP: 0010:bcmp+0x5b/0x230
Call Trace:
compare_guid_key+0x4b/0xd0
find_same_lease_key+0x324/0x690
smb2_open+0x6aea/0x8e60
handle_ksmbd_work+0x796/0xee0
...
Faulting address 0x348 is the offset of ClientGUID within struct
ksmbd_conn, confirming opinfo->conn was NULL.
Read opinfo->conn once and bail out if it has been cleared by a
concurrent session_fd_check(). A half-detached opinfo cannot be the
owner of an active lease, so returning 0 is the correct match result.
Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Laratro <research@aradex.io>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -484,8 +484,12 @@ static inline int compare_guid_key(struc
const char *guid1, const char *key1)
{
const char *guid2, *key2;
+ struct ksmbd_conn *conn;
- guid2 = opinfo->conn->ClientGUID;
+ conn = READ_ONCE(opinfo->conn);
+ if (!conn)
+ return 0;
+ guid2 = conn->ClientGUID;
key2 = opinfo->o_lease->lease_key;
if (!memcmp(guid1, guid2, SMB2_CLIENT_GUID_SIZE) &&
!memcmp(key1, key2, SMB2_LEASE_KEY_SIZE))
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 045/272] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 044/272] ksmbd: fix null pointer dereference in compare_guid_key() Greg Kroah-Hartman
@ 2026-05-28 19:46 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 046/272] ksmbd: validate SID in parent security descriptor during ACL inheritance Greg Kroah-Hartman
` (233 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ferry Meng, Namjae Jeon,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ferry Meng <mengferry@linux.alibaba.com>
commit af92ee994cc7f7e83a41c2025f32257a2f82a7ef upstream.
Commit 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16
DACL size overflow") added check_add_overflow() guards that break out
of the ACE-building loops in set_posix_acl_entries_dacl() when the
accumulated DACL size would wrap past 65535.
However, each iteration allocates a struct smb_sid via kmalloc_obj()
at the top of the loop and relies on the kfree(sid) call at the end
of the loop body (the 'pass_same_sid' label in the first loop, and
the explicit kfree at the tail of the second loop) to release it.
The newly introduced 'break' statements bypass those kfree() calls,
leaking the sid buffer every time an overflow is detected.
A malicious or malformed file with enough POSIX ACL entries to trip
the overflow check will leak one or more struct smb_sid allocations
on every request that touches the file's DACL, providing a trivial
kernel memory exhaustion vector.
Free sid before breaking out of the loops to plug the leak.
Fixes: 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16 DACL size overflow")
Cc: stable@vger.kernel.org
Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -643,8 +643,10 @@ static void set_posix_acl_entries_dacl(s
ntace = (struct smb_ace *)((char *)pndace + *size);
ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
pace->e_perm, 0777);
- if (check_add_overflow(*size, ace_sz, size))
+ if (check_add_overflow(*size, ace_sz, size)) {
+ kfree(sid);
break;
+ }
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
@@ -655,8 +657,10 @@ static void set_posix_acl_entries_dacl(s
ntace = (struct smb_ace *)((char *)pndace + *size);
ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
0x03, pace->e_perm, 0777);
- if (check_add_overflow(*size, ace_sz, size))
+ if (check_add_overflow(*size, ace_sz, size)) {
+ kfree(sid);
break;
+ }
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
@@ -698,8 +702,10 @@ posix_default_acl:
ntace = (struct smb_ace *)((char *)pndace + *size);
ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
pace->e_perm, 0777);
- if (check_add_overflow(*size, ace_sz, size))
+ if (check_add_overflow(*size, ace_sz, size)) {
+ kfree(sid);
break;
+ }
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 046/272] ksmbd: validate SID in parent security descriptor during ACL inheritance
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-05-28 19:46 ` [PATCH 6.12 045/272] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 047/272] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
` (232 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junyi Liu, Namjae Jeon, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junyi Liu <moss80199@gmail.com>
commit 69f030cf95488ae1186c72ac8c66fd279664ea7f upstream.
Introduce smb_validate_ntsd_sid() helper to safely validate Owner SID
and Group SID inside the NT Security Descriptor (smb_ntsd) retrieved
from the parent directory.
Cc: stable@vger.kernel.org
Signed-off-by: Junyi Liu <moss80199@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 66 +++++++++++++++++++++++++++++++++++++------------
1 file changed, 50 insertions(+), 16 deletions(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1096,6 +1096,40 @@ static int smb_append_inherited_ace(stru
return 0;
}
+static int smb_validate_ntsd_sid(struct smb_ntsd *pntsd, size_t pntsd_size,
+ unsigned int sid_offset, struct smb_sid **sid,
+ size_t *sid_size)
+{
+ size_t sid_end;
+
+ *sid = NULL;
+ *sid_size = 0;
+
+ if (!sid_offset)
+ return 0;
+
+ if (sid_offset < sizeof(struct smb_ntsd) ||
+ check_add_overflow(sid_offset, (size_t)CIFS_SID_BASE_SIZE,
+ &sid_end) ||
+ sid_end > pntsd_size)
+ return -EINVAL;
+
+ *sid = (struct smb_sid *)((char *)pntsd + sid_offset);
+ if ((*sid)->num_subauth > SID_MAX_SUB_AUTHORITIES)
+ return -EINVAL;
+
+ if (check_add_overflow((size_t)CIFS_SID_BASE_SIZE,
+ sizeof(__le32) * (size_t)(*sid)->num_subauth,
+ &sid_end))
+ return -EINVAL;
+
+ if (sid_offset > pntsd_size || sid_end > pntsd_size - sid_offset)
+ return -EINVAL;
+
+ *sid_size = sid_end;
+ return 0;
+}
+
int smb_inherit_dacl(struct ksmbd_conn *conn,
const struct path *path,
unsigned int uid, unsigned int gid)
@@ -1108,28 +1142,28 @@ int smb_inherit_dacl(struct ksmbd_conn *
struct dentry *parent = path->dentry->d_parent;
struct mnt_idmap *idmap = mnt_idmap(path->mnt);
int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size;
- int rc = 0, pntsd_type, pntsd_size, acl_len, aces_size;
+ int rc = 0, pntsd_type, ppntsd_size, acl_len, aces_size;
unsigned int dacloffset;
size_t dacl_struct_end;
u16 num_aces, ace_cnt = 0;
char *aces_base;
bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
- pntsd_size = ksmbd_vfs_get_sd_xattr(conn, idmap,
+ ppntsd_size = ksmbd_vfs_get_sd_xattr(conn, idmap,
parent, &parent_pntsd);
- if (pntsd_size <= 0)
+ if (ppntsd_size <= 0)
return -ENOENT;
dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
if (!dacloffset ||
check_add_overflow(dacloffset, sizeof(struct smb_acl), &dacl_struct_end) ||
- dacl_struct_end > (size_t)pntsd_size) {
+ dacl_struct_end > (size_t)ppntsd_size) {
rc = -EINVAL;
goto free_parent_pntsd;
}
parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset);
- acl_len = pntsd_size - dacloffset;
+ acl_len = ppntsd_size - dacloffset;
num_aces = le16_to_cpu(parent_pdacl->num_aces);
pntsd_type = le16_to_cpu(parent_pntsd->type);
pdacl_size = le16_to_cpu(parent_pdacl->size);
@@ -1243,19 +1277,19 @@ pass:
struct smb_ntsd *pntsd;
struct smb_acl *pdacl;
struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL;
- int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
+ size_t powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
size_t pntsd_alloc_size;
- if (parent_pntsd->osidoffset) {
- powner_sid = (struct smb_sid *)((char *)parent_pntsd +
- le32_to_cpu(parent_pntsd->osidoffset));
- powner_sid_size = 1 + 1 + 6 + (powner_sid->num_subauth * 4);
- }
- if (parent_pntsd->gsidoffset) {
- pgroup_sid = (struct smb_sid *)((char *)parent_pntsd +
- le32_to_cpu(parent_pntsd->gsidoffset));
- pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4);
- }
+ rc = smb_validate_ntsd_sid(parent_pntsd, ppntsd_size,
+ le32_to_cpu(parent_pntsd->osidoffset),
+ &powner_sid, &powner_sid_size);
+ if (rc)
+ goto free_aces_base;
+ rc = smb_validate_ntsd_sid(parent_pntsd, ppntsd_size,
+ le32_to_cpu(parent_pntsd->gsidoffset),
+ &pgroup_sid, &pgroup_sid_size);
+ if (rc)
+ goto free_aces_base;
if (check_add_overflow(sizeof(struct smb_ntsd),
(size_t)powner_sid_size,
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 047/272] smb: client: require net admin for CIFS SWN netlink
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 046/272] ksmbd: validate SID in parent security descriptor during ACL inheritance Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 048/272] smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() Greg Kroah-Hartman
` (231 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit d1ebfce2c1d161186a82e77590bf7da2ea1bce91 upstream.
CIFS_GENL_CMD_SWN_NOTIFY is the userspace witness-notify command. The
intended sender is the cifs.witness helper, but the generic-netlink
operation currently has no capability flag, so any local process can send
RESOURCE_CHANGE or CLIENT_MOVE notifications to the in-kernel witness
handler.
The same family exposes CIFS_GENL_MCGRP_SWN without multicast-group
capability flags. Register messages sent to that group include the witness
registration id and, for NTLM-authenticated mounts, the username, domain,
and password attributes copied from the CIFS session. An unprivileged
local process should not be able to join that group and receive those
messages.
Require CAP_NET_ADMIN for incoming SWN_NOTIFY commands with
GENL_ADMIN_PERM, and require CAP_NET_ADMIN over the network namespace for
joining the SWN multicast group with GENL_MCAST_CAP_NET_ADMIN. The
cifs.witness service runs with the privileges needed for both operations.
Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/netlink.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/smb/client/netlink.c
+++ b/fs/smb/client/netlink.c
@@ -33,13 +33,17 @@ static const struct nla_policy cifs_genl
static const struct genl_ops cifs_genl_ops[] = {
{
.cmd = CIFS_GENL_CMD_SWN_NOTIFY,
+ .flags = GENL_ADMIN_PERM,
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = cifs_swn_notify,
},
};
static const struct genl_multicast_group cifs_genl_mcgrps[] = {
- [CIFS_GENL_MCGRP_SWN] = { .name = CIFS_GENL_MCGRP_SWN_NAME },
+ [CIFS_GENL_MCGRP_SWN] = {
+ .name = CIFS_GENL_MCGRP_SWN_NAME,
+ .flags = GENL_MCAST_CAP_NET_ADMIN,
+ },
};
struct genl_family cifs_genl_family = {
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 048/272] smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 047/272] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 049/272] smb: client: use data_len for SMB2 READ encrypted folioq copy Greg Kroah-Hartman
` (230 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shyam Prasad N, Henrique Carvalho,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit 4d8690dace005a38e6dbde9ecce2da3ad85c7c41 upstream.
Commit 96c4af418586 ("cifs: Fix locking usage for tcon fields")
refactored cifs code to change cifs_tcp_ses_lock for tc_lock around
tc_count changes.
There was missing lock around tc_count increment inside
smb2_find_smb_sess_tcon_unlocked().
Cc: stable@vger.kernel.org
Fixes: 96c4af418586 ("cifs: Fix locking usage for tcon fields")
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2transport.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -214,7 +214,9 @@ smb2_find_smb_sess_tcon_unlocked(struct
list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
if (tcon->tid != tid)
continue;
+ spin_lock(&tcon->tc_lock);
++tcon->tc_count;
+ spin_unlock(&tcon->tc_lock);
trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count,
netfs_trace_tcon_ref_get_find_sess_tcon);
return tcon;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 049/272] smb: client: use data_len for SMB2 READ encrypted folioq copy
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 048/272] smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 050/272] smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close Greg Kroah-Hartman
` (229 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeremy Erazo, David Howells,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Erazo <mendozayt13@gmail.com>
commit d4d76c9ee1997cc8c977a63f6c43551c253c1066 upstream.
In handle_read_data() the encrypted/folioq branch
(buf_len <= data_offset, reached via receive_encrypted_read for
transform PDUs > CIFSMaxBufSize + MAX_HEADER_SIZE) copies the READ
payload using buffer_len rather than data_len:
rdata->result = cifs_copy_folioq_to_iter(buffer, buffer_len,
cur_off,
&rdata->subreq.io_iter);
...
rdata->got_bytes = buffer_len;
buffer_len comes from the SMB3 transform header OriginalMessageSize
field (OriginalMessageSize - read_rsp_size); it represents the size
of the decrypted message after the SMB2 header. data_len comes from
the SMB2 READ response DataLength field; it represents the actual
READ payload size and may be smaller than buffer_len when the
decrypted message contains padding or other trailing bytes after the
READ payload. The existing check `data_len > buffer_len - pad_len`
only enforces an upper bound, so a server that emits
OriginalMessageSize larger than read_rsp_size + pad_len + data_len
passes the check and the kernel copies buffer_len bytes per response,
ignoring the server-asserted DataLength.
Two observable failures with a crafted server (DataLength=4,
buffer_len=20000):
- the kernel returns 20000 bytes per sub-request to userspace and
sets got_bytes = buffer_len, even though the response claimed
only 4 bytes of payload;
- on a partial netfs sub-request whose iterator is sized to
data_len, the over-large copy_folio_to_iter() short-reads,
cifs_copy_folioq_to_iter() returns -EIO via the n != len path,
and the entire netfs read collapses to -EIO even though the
leading sub-requests succeeded.
Use data_len for the copy length and for got_bytes so the kernel
honours the server-asserted READ payload size. For well-formed
servers (where buffer_len == pad_len + data_len) the change is
behaviour-equivalent.
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4781,7 +4781,7 @@ handle_read_data(struct TCP_Server_Info
}
/* Copy the data to the output I/O iterator. */
- rdata->result = cifs_copy_folioq_to_iter(buffer, buffer_len,
+ rdata->result = cifs_copy_folioq_to_iter(buffer, data_len,
cur_off, &rdata->subreq.io_iter);
if (rdata->result != 0) {
if (is_offloaded)
@@ -4790,7 +4790,7 @@ handle_read_data(struct TCP_Server_Info
dequeue_mid(mid, rdata->result);
return 0;
}
- rdata->got_bytes = buffer_len;
+ rdata->got_bytes = data_len;
} else if (buf_len >= data_offset + data_len) {
/* read response payload is in buf */
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 050/272] smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 049/272] smb: client: use data_len for SMB2 READ encrypted folioq copy Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 051/272] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX Greg Kroah-Hartman
` (228 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huiwen He, ChenXiaoSong,
Steve French, Namjae Jeon
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
commit 4ec9c8e023c79f613fe4d5ad8cc737112efb2e44 upstream.
Reproducer:
1. server: systemctl start ksmbd
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: C program: openat(AT_FDCWD, "/mnt", O_RDWR | O_TMPFILE, 0600)
Do not treat `FILE_DELETE_ON_CLOSE_LE` as delete pending while files
remain open.
This patch fixes xfstests generic/004.
Cc: stable@vger.kernel.org
Link: https://chenxiaosong.com/en/smb-xfstests-generic-004.html
Co-developed-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Tested-by: Steve French <stfrench@microsoft.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs_cache.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -118,7 +118,7 @@ int ksmbd_query_inode_status(struct dent
return ret;
down_read(&ci->m_lock);
- if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
+ if (ci->m_flags & S_DEL_PENDING)
ret = KSMBD_INODE_STATUS_PENDING_DELETE;
else
ret = KSMBD_INODE_STATUS_OK;
@@ -134,7 +134,7 @@ bool ksmbd_inode_pending_delete(struct k
int ret;
down_read(&ci->m_lock);
- ret = (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
+ ret = (ci->m_flags & S_DEL_PENDING);
up_read(&ci->m_lock);
return ret;
@@ -302,12 +302,20 @@ static void __ksmbd_inode_close(struct k
}
}
+ down_write(&ci->m_lock);
+ /* Promote S_DEL_ON_CLS to S_DEL_PENDING when close */
+ if (ci->m_flags & S_DEL_ON_CLS) {
+ ci->m_flags &= ~S_DEL_ON_CLS;
+ ci->m_flags |= S_DEL_PENDING;
+ }
+ up_write(&ci->m_lock);
+
if (atomic_dec_and_test(&ci->m_count)) {
bool do_unlink = false;
down_write(&ci->m_lock);
- if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING)) {
- ci->m_flags &= ~(S_DEL_ON_CLS | S_DEL_PENDING);
+ if (ci->m_flags & S_DEL_PENDING) {
+ ci->m_flags &= ~S_DEL_PENDING;
do_unlink = true;
}
up_write(&ci->m_lock);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 051/272] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 050/272] smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 052/272] ALSA: ua101: Reject too-short USB descriptors Greg Kroah-Hartman
` (227 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit eee213daa1e1b402eb631bcd1b8c5aa340a6b081 upstream.
adm1266_nvmem_read_blackbox() declares a 5-byte stack buffer and
passes it to i2c_smbus_read_block_data() to retrieve the 4-byte
BLACKBOX_INFO response. i2c_smbus_read_block_data() does not honour
caller buffer sizes -- it memcpy()s data.block[0] bytes from the
SMBus transaction (where data.block[0] is the length byte returned by
the slave device, up to I2C_SMBUS_BLOCK_MAX = 32):
memcpy(values, &data.block[1], data.block[0]);
If the device returns any block length above 5, the call overflows
the caller's 5-byte stack buffer before the post-call
if (ret != 4)
return -EIO;
check has a chance to reject the response.
Widen the local buffer to I2C_SMBUS_BLOCK_MAX so the helper has room
for any well-formed SMBus block response, matching the convention used
by the other i2c_smbus_read_block_data() callers in this driver.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-2-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -349,7 +349,7 @@ static int adm1266_nvmem_read_blackbox(s
{
int record_count;
char index;
- u8 buf[5];
+ u8 buf[I2C_SMBUS_BLOCK_MAX];
int ret;
ret = i2c_smbus_read_block_data(data->client, ADM1266_BLACKBOX_INFO, buf);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 052/272] ALSA: ua101: Reject too-short USB descriptors
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 051/272] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 053/272] ALSA: pcm: Dont setup bogus iov_iter for silencing Greg Kroah-Hartman
` (226 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit b59d5c51bb328a60749b4dd5fe7e649bfb4089b4 upstream.
find_format_descriptor() walks the class-specific interface extras by
advancing with bLength. It rejects descriptors that extend past the
remaining buffer, but it does not reject descriptor lengths smaller than
a USB descriptor header.
Reject too-short descriptors before using bLength to advance the local
scan. This keeps the UA-101 parser robust against malformed descriptor
data and matches the usual USB descriptor walking rules.
Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-alsa-ua101-desc-len-v1-1-4307d1a5e054@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/misc/ua101.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -914,8 +914,9 @@ find_format_descriptor(struct usb_interf
struct uac_format_type_i_discrete_descriptor *desc;
desc = (struct uac_format_type_i_discrete_descriptor *)extra;
- if (desc->bLength > extralen) {
- dev_err(&interface->dev, "descriptor overflow\n");
+ if (desc->bLength < sizeof(struct usb_descriptor_header) ||
+ desc->bLength > extralen) {
+ dev_err(&interface->dev, "invalid descriptor length\n");
return NULL;
}
if (desc->bLength == UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) &&
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 053/272] ALSA: pcm: Dont setup bogus iov_iter for silencing
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 052/272] ALSA: ua101: Reject too-short USB descriptors Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 054/272] ALSA: asihpi: Fix potential OOB array access at reading cache Greg Kroah-Hartman
` (225 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiakai Xu, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit e4d3386b74fba8e01280484b67ee481ece00201e upstream.
At transition to the iov_iter for PCM data transfer, we blindly
applied the iov_iter setup also for silencing (i.e. data = NULL), and
it leads to a calculation of bogus iov_iter. Fortunately this didn't
cause troubles on most of architectures but it goes wrong on RISC-V
now, causing a NULL dereference.
Handle the NULL data case to treat the silencing in interleaved_copy()
for addressing the bug above. noninterleaved_copy() has already the
NULL data handling, so it doesn't need changes.
Reported-by: Jiakai Xu <xujiakai24@mails.ucas.ac.cn>
Closes: https://lore.kernel.org/20260515051516.3103036-1-xujiakai24@mails.ucas.ac.cn
Fixes: cf393babb37a ("ALSA: pcm: Add copy ops with iov_iter")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260517165121.31399-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/pcm_lib.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -2138,6 +2138,9 @@ static int interleaved_copy(struct snd_p
off = frames_to_bytes(runtime, off);
frames = frames_to_bytes(runtime, frames);
+ if (!data)
+ return fill_silence(substream, 0, hwoff, NULL, frames);
+
return do_transfer(substream, 0, hwoff, data + off, frames, transfer,
in_kernel);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 054/272] ALSA: asihpi: Fix potential OOB array access at reading cache
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 053/272] ALSA: pcm: Dont setup bogus iov_iter for silencing Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 055/272] efi: Allocate runtime workqueue before ACPI init Greg Kroah-Hartman
` (224 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 7b7d6572145c1dab2dd9bfb550b188e5f0ff3c3f upstream.
find_control() to retrieve a cached info accesses the array with the
given index blindly, which may lead to an OOB array access.
Add a sanity check for avoiding it.
Link: https://sashiko.dev/#/patchset/20260511230121.28606-1-rosenp%40gmail.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260515085606.242284-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/asihpi/hpicmn.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/sound/pci/asihpi/hpicmn.c
+++ b/sound/pci/asihpi/hpicmn.c
@@ -276,6 +276,12 @@ static short find_control(u16 control_in
return 0;
}
+ if (control_index >= p_cache->control_count) {
+ HPI_DEBUG_LOG(VERBOSE, "control_index out of bounce %d\n",
+ control_index);
+ return 0;
+ }
+
*pI = p_cache->p_info[control_index];
if (!*pI) {
HPI_DEBUG_LOG(VERBOSE, "Uncached Control %d\n",
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 055/272] efi: Allocate runtime workqueue before ACPI init
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 054/272] ALSA: asihpi: Fix potential OOB array access at reading cache Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 056/272] io_uring/waitid: clear waitid info before copying it to userspace Greg Kroah-Hartman
` (223 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki (Intel),
Ard Biesheuvel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit 13c6da02e767152c9ac4330962247a5e47011035 upstream.
Since commit
5894cf571e14 ("acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers")
ACPI PRM calls are delegated to a workqueue which runs in a kernel
thread, making it easier to detect and mitigate faulting memory accesses
performed by the firmware.
Rafael reports that such PRM accesses may occur before efisubsys_init()
executes, which is where the workqueue is allocated, leading to NULL
pointer dereferences. Since acpi_init() [which triggers the early PRM
accesses] executes as a subsys_initcall() as well, and has its own
dependencies that may be sensitive to initcall ordering, deferring
acpi_init() is not an option.
So instead, split off the workqueue allocation into its own postcore
initcall, as this is the only missing piece to allow EFI runtime calls
to be made. This ensures that EFI runtime call (including PRM calls) are
accessible to all code running at subsys_initcall() level.
Cc: <stable@vger.kernel.org>
Fixes: 5894cf571e14 ("acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers")
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/efi.c | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -387,21 +387,11 @@ static void __init efi_debugfs_init(void
static inline void efi_debugfs_init(void) {}
#endif
-/*
- * We register the efi subsystem with the firmware subsystem and the
- * efivars subsystem with the efi subsystem, if the system was booted with
- * EFI.
- */
-static int __init efisubsys_init(void)
+static int __init efipostcore_init(void)
{
- int error;
-
if (!efi_enabled(EFI_RUNTIME_SERVICES))
efi.runtime_supported_mask = 0;
- if (!efi_enabled(EFI_BOOT))
- return 0;
-
if (efi.runtime_supported_mask) {
/*
* Since we process only one efi_runtime_service() at a time, an
@@ -413,9 +403,23 @@ static int __init efisubsys_init(void)
pr_err("Creating efi_rts_wq failed, EFI runtime services disabled.\n");
clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
efi.runtime_supported_mask = 0;
- return 0;
}
}
+ return 0;
+}
+postcore_initcall(efipostcore_init);
+
+/*
+ * We register the efi subsystem with the firmware subsystem and the
+ * efivars subsystem with the efi subsystem, if the system was booted with
+ * EFI.
+ */
+static int __init efisubsys_init(void)
+{
+ int error;
+
+ if (!efi_enabled(EFI_BOOT))
+ return 0;
if (efi_rt_services_supported(EFI_RT_SUPPORTED_TIME_SERVICES))
platform_device_register_simple("rtc-efi", 0, NULL, 0);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 056/272] io_uring/waitid: clear waitid info before copying it to userspace
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 055/272] efi: Allocate runtime workqueue before ACPI init Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 057/272] drivers/base/memory: fix memory block reference leak in poison accounting Greg Kroah-Hartman
` (222 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heechan Kang, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heechan Kang <gganji11@naver.com>
commit 93d93f5f8da791e98159795c6ef683f45bd95d13 upstream.
IORING_OP_WAITID stores its result fields in struct io_waitid::info and
later copies them to userspace siginfo. The prep path initializes the
request arguments, but it does not initialize info itself.
If the wait operation completes without reporting a child event, the common
wait code can return without writing wo_info. In that case io_waitid_finish()
still copies iw->info to userspace, exposing stale bytes from the reused
io_kiocb command storage.
Clear the result storage during prep so the io_uring path matches the
regular waitid syscall, which uses a zero-initialized struct waitid_info.
Fixes: f31ecf671ddc ("io_uring: add IORING_OP_WAITID support")
Cc: stable@vger.kernel.org # 6.7+
Signed-off-by: Heechan Kang <gganji11@naver.com>
Link: https://patch.msgid.link/20260516184709.852814-1-gganji11@naver.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/waitid.c | 1 +
1 file changed, 1 insertion(+)
--- a/io_uring/waitid.c
+++ b/io_uring/waitid.c
@@ -294,6 +294,7 @@ int io_waitid_prep(struct io_kiocb *req,
iw->upid = READ_ONCE(sqe->fd);
iw->options = READ_ONCE(sqe->file_index);
iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
+ memset(&iw->info, 0, sizeof(iw->info));
return 0;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 057/272] drivers/base/memory: fix memory block reference leak in poison accounting
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 056/272] io_uring/waitid: clear waitid info before copying it to userspace Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 058/272] ipv6: ioam: refresh hdr pointer before ioam6_event() Greg Kroah-Hartman
` (221 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muchun Song, Miaohe Lin,
Oscar Salvador, David Hildenbrand (Arm), Danilo Krummrich,
Huang, Ying, Naoya Horiguchi, Rafael J. Wysocki, Vishal Verma,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muchun Song <songmuchun@bytedance.com>
commit 03a2cc1756a0570f887d624cd6c535ea0cbd4951 upstream.
memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory block
via find_memory_block_by_id(), which acquires a reference to the memory
block device.
Both helpers use the returned memory block without dropping that
reference, leaking the device reference on each successful lookup. Drop
the reference after updating nr_hwpoison.
Link: https://lore.kernel.org/20260428085219.1316047-3-songmuchun@bytedance.com
Fixes: 5033091de814 ("mm/hwpoison: introduce per-memory_block hwpoison counter")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Huang, Ying" <huang.ying.caritas@gmail.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/memory.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -1232,8 +1232,10 @@ void memblk_nr_poison_inc(unsigned long
const unsigned long block_id = pfn_to_block_id(pfn);
struct memory_block *mem = find_memory_block_by_id(block_id);
- if (mem)
+ if (mem) {
atomic_long_inc(&mem->nr_hwpoison);
+ put_device(&mem->dev);
+ }
}
void memblk_nr_poison_sub(unsigned long pfn, long i)
@@ -1241,8 +1243,10 @@ void memblk_nr_poison_sub(unsigned long
const unsigned long block_id = pfn_to_block_id(pfn);
struct memory_block *mem = find_memory_block_by_id(block_id);
- if (mem)
+ if (mem) {
atomic_long_sub(i, &mem->nr_hwpoison);
+ put_device(&mem->dev);
+ }
}
static unsigned long memblk_nr_poison(struct memory_block *mem)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 058/272] ipv6: ioam: refresh hdr pointer before ioam6_event()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 057/272] drivers/base/memory: fix memory block reference leak in poison accounting Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 059/272] mm/memory_hotplug: fix memory block reference leak on remove Greg Kroah-Hartman
` (220 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Iurman <justin.iurman@gmail.com>
commit e46e6bc97fb1f339730ff1ba74267fbf48e7a422 upstream.
Reported by Sashiko:
In ipv6_hop_ioam(), the hdr pointer is initialized to point into the
skb's linear data buffer. Later, the code calls skb_ensure_writable(),
which might reallocate the buffer:
if (skb_ensure_writable(skb, optoff + 2 + hdr->opt_len))
goto drop;
/* Trace pointer may have changed */
trace = (struct ioam6_trace_hdr *)(skb_network_header(skb)
+ optoff + sizeof(*hdr));
ioam6_fill_trace_data(skb, ns, trace, true);
ioam6_event(IOAM6_EVENT_TRACE, dev_net(skb->dev),
GFP_ATOMIC, (void *)trace, hdr->opt_len - 2);
If the skb is cloned or lacks sufficient linear headroom,
skb_ensure_writable() will invoke pskb_expand_head(), which reallocates
the skb's data buffer and frees the old one, invalidating pointers to
it. While the code recalculates the trace pointer immediately after the
call to skb_ensure_writable(), it fails to recalculate the hdr pointer.
This patch fixes the above by recalculating the hdr pointer before
passing hdr->opt_len to ioam6_event(), so that we avoid any UaF.
Fixes: f655c78d6225 ("net: exthdrs: ioam6: send trace event")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260520124242.32320-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/exthdrs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -957,9 +957,9 @@ static bool ipv6_hop_ioam(struct sk_buff
if (skb_ensure_writable(skb, optoff + 2 + hdr->opt_len))
goto drop;
- /* Trace pointer may have changed */
- trace = (struct ioam6_trace_hdr *)(skb_network_header(skb)
- + optoff + sizeof(*hdr));
+ /* Trace and hdr pointers may have changed */
+ hdr = (struct ioam6_hdr *)(skb_network_header(skb) + optoff);
+ trace = (struct ioam6_trace_hdr *)((u8 *)hdr + sizeof(*hdr));
ioam6_fill_trace_data(skb, ns, trace, true);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 059/272] mm/memory_hotplug: fix memory block reference leak on remove
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 058/272] ipv6: ioam: refresh hdr pointer before ioam6_event() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 060/272] selftests/mm: run_vmtests.sh: fix destructive tests invocation Greg Kroah-Hartman
` (219 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muchun Song, Oscar Salvador,
David Hildenbrand (Arm), Danilo Krummrich, Huang, Ying,
Miaohe Lin, Naoya Horiguchi, Rafael J. Wysocki, Vishal Verma,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muchun Song <songmuchun@bytedance.com>
commit 93866f55f7e292fe3d47d36c9efe5ee10213a06b upstream.
Patch series "mm: Fix memory block leaks and locking", v2.
This series fixes two memory block device reference leaks and one locking
issue around the per-memory_block hwpoison counter.
This patch (of 2):
remove_memory_blocks_and_altmaps() looks up each memory block with
find_memory_block(), which acquires a reference to the memory block
device.
That reference is never dropped on this path, resulting in a leaked device
reference when removing memory blocks and their altmaps. Drop the
reference after retrieving mem->altmap and clearing mem->altmap, before
removing the memory block device.
Link: https://lore.kernel.org/20260428085219.1316047-1-songmuchun@bytedance.com
Link: https://lore.kernel.org/20260428085219.1316047-2-songmuchun@bytedance.com
Fixes: 6b8f0798b85a ("mm/memory_hotplug: split memmap_on_memory requests across memblocks")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Huang, Ying" <huang.ying.caritas@gmail.com>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory_hotplug.c | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1406,6 +1406,8 @@ static void remove_memory_blocks_and_alt
altmap = mem->altmap;
mem->altmap = NULL;
+ /* drop the ref. we got via find_memory_block() */
+ put_device(&mem->dev);
remove_memory_block_devices(cur_start, memblock_size);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 060/272] selftests/mm: run_vmtests.sh: fix destructive tests invocation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 059/272] mm/memory_hotplug: fix memory block reference leak on remove Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 061/272] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Greg Kroah-Hartman
` (218 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Capitulino,
Mike Rapoport (Microsoft), SeongJae Park, David Hildenbrand,
Liam R. Howlett, Lorenzo Stoakes, Michal Hocko, Shuah Khan,
Suren Baghdasaryan, Vlastimil Babka, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Capitulino <luizcap@redhat.com>
commit 3432cbb291aabf85f8af4b9d1ec37179168ff999 upstream.
Destructive tests should be invoked with -d command-line option, but this
won't work today since 'd' is missing in getopts command-line. This
commit fixes it.
Link: https://lore.kernel.org/214fd9e4-5398-4c26-859e-c982c2e277c3@redhat.com
Fixes: f16ff3b692ad ("selftests/mm: run_vmtests.sh: add missing tests")
Signed-off-by: Luiz Capitulino <luizcap@redhat.com>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/run_vmtests.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/testing/selftests/mm/run_vmtests.sh
+++ b/tools/testing/selftests/mm/run_vmtests.sh
@@ -85,7 +85,7 @@ RUN_ALL=false
RUN_DESTRUCTIVE=false
TAP_PREFIX="# "
-while getopts "aht:n" OPT; do
+while getopts "aht:nd" OPT; do
case ${OPT} in
"a") RUN_ALL=true ;;
"h") usage ;;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 061/272] net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 060/272] selftests/mm: run_vmtests.sh: fix destructive tests invocation Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 062/272] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
` (217 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
commit c5d93b2c40355e999715262a824965aac025a427 upstream.
The memory allocated in ipc_protocol_init() is not freed on the error
paths that follow in ipc_imem_init(). Fix that by calling the
corresponding release function ipc_protocol_deinit() in the error path.
Fixes: 3670970dd8c6 ("net: iosm: shared memory IPC interface")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20260519062815.55545-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wwan/iosm/iosm_ipc_imem.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wwan/iosm/iosm_ipc_imem.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c
@@ -1430,6 +1430,8 @@ imem_config_fail:
protocol_init_fail:
cancel_work_sync(&ipc_imem->run_state_worker);
ipc_task_deinit(ipc_imem->ipc_task);
+ if (ipc_imem->ipc_protocol)
+ ipc_protocol_deinit(ipc_imem->ipc_protocol);
ipc_task_init_fail:
kfree(ipc_imem->ipc_task);
ipc_task_fail:
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 062/272] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 061/272] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 063/272] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Greg Kroah-Hartman
` (216 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Safa Karakuş,
Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Safa Karakuş <safa.karakus@secunnix.com>
commit ab1513597c6cf17cd1ad2a21e3b045421b48e022 upstream.
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.
l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
BUG: KASAN: slab-use-after-free in l2cap_sock_kill
l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.
Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).
KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org
Reported-by: Siwei Zhang <oss@fourdim.xyz>
Reviewed-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Safa Karakuş <safa.karakus@secunnix.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/af_bluetooth.c | 10 ++++++++
net/bluetooth/iso.c | 9 ++++++-
net/bluetooth/l2cap_sock.c | 51 +++++++++++++++++++++++++++++++++++++------
net/bluetooth/rfcomm/sock.c | 9 ++++++-
net/bluetooth/sco.c | 9 ++++++-
5 files changed, 78 insertions(+), 10 deletions(-)
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -306,6 +306,16 @@ restart:
if (newsock)
sock_graft(sk, newsock);
+ /* Hand the caller a reference taken while sk is
+ * still locked. bt_accept_unlink() just dropped
+ * the accept-queue reference; without this hold a
+ * concurrent teardown (e.g. l2cap_conn_del() ->
+ * l2cap_sock_kill()) could free sk between
+ * release_sock() and the caller using it. Every
+ * caller drops this with sock_put() when done.
+ */
+ sock_hold(sk);
+
release_sock(sk);
return sk;
}
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -722,6 +722,8 @@ static void iso_sock_cleanup_listen(stru
while ((sk = bt_accept_dequeue(parent, NULL))) {
iso_sock_close(sk);
iso_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
/* If listening socket has a hcon, properly disconnect it */
@@ -1263,8 +1265,13 @@ static int iso_sock_accept(struct socket
}
ch = bt_accept_dequeue(sk, newsock);
- if (ch)
+ if (ch) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps ch alive from here.
+ */
+ sock_put(ch);
break;
+ }
if (!timeo) {
err = -EAGAIN;
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -349,8 +349,13 @@ static int l2cap_sock_accept(struct sock
}
nsk = bt_accept_dequeue(sk, newsock);
- if (nsk)
+ if (nsk) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps nsk alive from here.
+ */
+ sock_put(nsk);
break;
+ }
if (!timeo) {
err = -EAGAIN;
@@ -1444,22 +1449,54 @@ static void l2cap_sock_cleanup_listen(st
BT_DBG("parent %p state %s", parent,
state_to_string(parent->sk_state));
- /* Close not yet accepted channels */
+ /* Close not yet accepted channels.
+ *
+ * bt_accept_dequeue() now returns sk with an extra reference held
+ * (taken while sk was still locked) so a concurrent l2cap_conn_del()
+ * -> l2cap_sock_kill() cannot free sk under us.
+ *
+ * cleanup_listen() runs under the parent sk lock, so unlike
+ * l2cap_sock_shutdown() we must NOT take conn->lock here: that would
+ * establish sk_lock -> conn->lock and invert the established
+ * conn->lock -> chan->lock -> sk_lock order (lockdep deadlock).
+ *
+ * Instead, briefly take the child sk lock to fetch and pin its chan.
+ * l2cap_conn_del() reaches the chan free only via
+ * l2cap_chan_del() -> l2cap_sock_teardown_cb(), which itself takes
+ * the child sk lock; holding it across l2cap_chan_hold_unless_zero()
+ * therefore guarantees the chan cannot be freed while we read and
+ * pin it (hold_unless_zero() additionally skips a chan already past
+ * its last reference). We then drop the sk lock before taking
+ * chan->lock, so sk and chan locks are never held together.
+ */
while ((sk = bt_accept_dequeue(parent, NULL))) {
- struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_chan *chan;
+
+ lock_sock_nested(sk, L2CAP_NESTING_NORMAL);
+ chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
+ release_sock(sk);
+ if (!chan) {
+ /* l2cap_conn_del() already tearing this child down */
+ sock_put(sk);
+ continue;
+ }
BT_DBG("child chan %p state %s", chan,
state_to_string(chan->state));
- l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
-
__clear_chan_timer(chan);
l2cap_chan_close(chan, ECONNRESET);
- l2cap_sock_kill(sk);
-
+ /* l2cap_conn_del() may already have killed this socket
+ * (it sets SOCK_DEAD); skip the duplicate to avoid a
+ * double sock_put()/l2cap_chan_put().
+ */
+ if (!sock_flag(sk, SOCK_DEAD))
+ l2cap_sock_kill(sk);
l2cap_chan_unlock(chan);
+
l2cap_chan_put(chan);
+ sock_put(sk);
}
}
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -180,6 +180,8 @@ static void rfcomm_sock_cleanup_listen(s
while ((sk = bt_accept_dequeue(parent, NULL))) {
rfcomm_sock_close(sk);
rfcomm_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
@@ -496,8 +498,13 @@ static int rfcomm_sock_accept(struct soc
}
nsk = bt_accept_dequeue(sk, newsock);
- if (nsk)
+ if (nsk) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps nsk alive from here.
+ */
+ sock_put(nsk);
break;
+ }
if (!timeo) {
err = -EAGAIN;
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -433,6 +433,8 @@ static void sco_sock_cleanup_listen(stru
while ((sk = bt_accept_dequeue(parent, NULL))) {
sco_sock_close(sk);
sco_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
@@ -705,8 +707,13 @@ static int sco_sock_accept(struct socket
}
ch = bt_accept_dequeue(sk, newsock);
- if (ch)
+ if (ch) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps ch alive from here.
+ */
+ sock_put(ch);
break;
+ }
if (!timeo) {
err = -EAGAIN;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 063/272] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 062/272] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 064/272] Bluetooth: bnep: Fix UAF read of dev->name Greg Kroah-Hartman
` (215 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier,
Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
commit 84c24fb151fc1179355296d7ff29129ac7c42129 upstream.
ISO data PDUs carry a packet-boundary flag indicating START, CONT, END
or SINGLE. The ISO_CONT branch of iso_recv() guards against a missing
ISO_START by checking conn->rx_len before touching conn->rx_skb, but
ISO_END does not.
If a peer sends an ISO_END as the first packet on a fresh ISO
connection, conn->rx_skb is still NULL and conn->rx_len is zero, so
skb_put(conn->rx_skb, ...) dereferences NULL and oopses. For BIS,
where receivers sync to a broadcaster without pairing, any broadcaster
on the air can trigger this.
Mirror the ISO_CONT check at the top of ISO_END so a stray end fragment
is logged and dropped instead of crashing the host.
Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/iso.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -2319,6 +2319,11 @@ void iso_recv(struct hci_conn *hcon, str
break;
case ISO_END:
+ if (!conn->rx_len) {
+ BT_ERR("Unexpected end frame (len %d)", skb->len);
+ goto drop;
+ }
+
skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
skb->len);
conn->rx_len -= skb->len;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 064/272] Bluetooth: bnep: Fix UAF read of dev->name
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 063/272] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 065/272] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Greg Kroah-Hartman
` (214 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 59e932ded949fa6f0340bf7c6d7818f962fa4fd2 upstream.
bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().
(This UAF is fairly uninteresting from a security perspective;
calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
check. It also requires completely tearing down a netdev during a fairly
tight race window.)
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/bnep/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -638,8 +638,8 @@ int bnep_add_connection(struct bnep_conn
goto failed;
}
- up_write(&bnep_session_sem);
strcpy(req->device, dev->name);
+ up_write(&bnep_session_sem);
return 0;
failed:
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 065/272] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 064/272] Bluetooth: bnep: Fix UAF read of dev->name Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 066/272] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer Greg Kroah-Hartman
` (213 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b upstream.
Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
Dereference (NPD) conditions were observed in the lifecycle management
of hci_uart.
The primary issue arises because the workqueues (init_ready and
write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY
flag is set during TTY close. If a hangup occurs before setup completes,
hci_uart_tty_close() skips the teardown of these workqueues and
proceeds to free the `hu` struct. When the scheduled work executes
later, it blindly dereferences the freed `hu` struct.
Furthermore, several data races and UAFs were identified in the teardown
sequence:
1. Calling hci_uart_flush() from hci_uart_close() without effectively
disabling write_work causes a race condition where both can concurrently
double-free hu->tx_skb. This happens because protocol timers can
concurrently invoke hci_uart_tx_wakeup() and requeue write_work.
2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF
when vendor specific protocol close callbacks dereference hu->hdev.
3. In the initialization error paths, failing to take the proto_lock
write lock before clearing PROTO_READY leads to races with active
readers. Additionally, hci_uart_tty_receive() accesses hu->hdev
outside the read lock, leading to UAFs if the initialization error
path frees hdev concurrently.
Fix these synchronization and lifecycle issues by:
1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,
followed immediately by a cancel_work_sync(&hu->write_work). Clearing
the flag locks out concurrent protocol timers from successfully invoking
hci_uart_tx_wakeup(), effectively rendering the cancellation permanent
and preventing the tx_skb double-free.
2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip
hu->proto->flush(). This is perfectly safe in the tty_close path
because hu->proto->close() executes shortly after, which intrinsically
purges all protocol SKB queues and tears down the state.
3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)
across all close and error paths to prevent vendor-level UAFs.
4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()
inside the proto_lock read-side critical section to safely synchronize
with device unregistration.
5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely
flush the workqueue before hci_uart_flush() is invoked via the HCI core.
6. Utilizing cancel_work_sync() instead of disable_work_sync() across
all paths to prevent permanently breaking user-space retry capabilities.
Fixes: 3b799254cf6f ("Bluetooth: hci_uart: Cancel init work before unregistering")
Cc: stable@vger.kernel.org
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_ldisc.c | 48 +++++++++++++++++++++++++++++++++++-------
1 file changed, 40 insertions(+), 8 deletions(-)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -194,7 +194,15 @@ void hci_uart_init_work(struct work_stru
err = hci_register_dev(hu->hdev);
if (err < 0) {
BT_ERR("Can't register HCI device");
+
+ percpu_down_write(&hu->proto_lock);
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
+
+ /* Safely cancel work after clearing flags */
+ cancel_work_sync(&hu->write_work);
+
+ /* Close protocol before freeing hdev */
hu->proto->close(hu);
hdev = hu->hdev;
hu->hdev = NULL;
@@ -263,8 +271,12 @@ static int hci_uart_open(struct hci_dev
/* Close device */
static int hci_uart_close(struct hci_dev *hdev)
{
+ struct hci_uart *hu = hci_get_drvdata(hdev);
+
BT_DBG("hdev %p", hdev);
+ cancel_work_sync(&hu->write_work);
+
hci_uart_flush(hdev);
hdev->flush = NULL;
return 0;
@@ -531,6 +543,7 @@ static void hci_uart_tty_close(struct tt
{
struct hci_uart *hu = tty->disc_data;
struct hci_dev *hdev;
+ bool proto_ready;
BT_DBG("tty %p", tty);
@@ -540,24 +553,38 @@ static void hci_uart_tty_close(struct tt
if (!hu)
return;
- hdev = hu->hdev;
- if (hdev)
- hci_uart_close(hdev);
+ /* Wait for init_ready to finish to prevent registration races */
+ cancel_work_sync(&hu->init_ready);
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ proto_ready = test_bit(HCI_UART_PROTO_READY, &hu->flags);
+ if (proto_ready) {
percpu_down_write(&hu->proto_lock);
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
percpu_up_write(&hu->proto_lock);
+ }
- cancel_work_sync(&hu->init_ready);
- cancel_work_sync(&hu->write_work);
+ /*
+ * Unconditionally cancel write_work AFTER clearing PROTO_READY.
+ * This ensures that concurrent protocol timers cannot requeue
+ * write_work via hci_uart_tx_wakeup(), permanently preventing
+ * double-free races and UAFs.
+ */
+ cancel_work_sync(&hu->write_work);
+
+ hdev = hu->hdev;
+ if (hdev)
+ hci_uart_close(hdev); /* proto->flush is safely skipped */
+ if (proto_ready) {
if (hdev) {
if (test_bit(HCI_UART_REGISTERED, &hu->flags))
hci_unregister_dev(hdev);
- hci_free_dev(hdev);
}
+ /* Close protocol before freeing hdev (intrinsically purges queues) */
hu->proto->close(hu);
+
+ if (hdev)
+ hci_free_dev(hdev);
}
clear_bit(HCI_UART_PROTO_SET, &hu->flags);
@@ -625,11 +652,12 @@ static void hci_uart_tty_receive(struct
* tty caller
*/
hu->proto->recv(hu, data, count);
- percpu_up_read(&hu->proto_lock);
if (hu->hdev)
hu->hdev->stat.byte_rx += count;
+ percpu_up_read(&hu->proto_lock);
+
tty_unthrottle(tty);
}
@@ -695,6 +723,10 @@ static int hci_uart_register_dev(struct
percpu_down_write(&hu->proto_lock);
clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
percpu_up_write(&hu->proto_lock);
+ /* Cancel work after clearing flags */
+ cancel_work_sync(&hu->write_work);
+
+ /* Close protocol before freeing hdev */
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 066/272] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 065/272] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 067/272] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
` (212 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 3374ef8cf99368a40f7efd51a2a375a4c5dc6f0d upstream.
Commit 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end
warnings") converted the on-stack request PDU in l2cap_ecred_reconfigure()
from an explicit packed struct to DEFINE_RAW_FLEX(), but did not adjust the
size and source-pointer arguments to l2cap_send_cmd():
- struct {
- struct l2cap_ecred_reconf_req req;
- __le16 scid;
- } pdu;
+ DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1);
...
l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
sizeof(pdu), &pdu);
After the conversion, DEFINE_RAW_FLEX() expands to declare an anonymous
union pdu_u plus a local pointer "pdu" pointing at it. Therefore:
- sizeof(pdu) is now sizeof(struct l2cap_ecred_reconf_req *) = 8 on
64-bit (4 on 32-bit), not the 6 bytes of (mtu, mps, scid[1]).
- &pdu is the address of the local pointer's stack storage, not the
address of the request payload.
l2cap_send_cmd() forwards (data, count) to l2cap_build_cmd(), which calls
skb_put_data(skb, data, count). The L2CAP_ECRED_RECONFIGURE_REQ packet
body therefore contains 8 bytes copied from the kernel stack starting at
&pdu -- the 8 bytes overlap the pdu pointer's value, leaking a kernel
stack address to the paired Bluetooth peer. The intended (mtu, mps, scid)
fields are not transmitted at all, so the peer rejects the request as
malformed and the L2CAP_ECRED_RECONFIGURE feature itself has been broken
for the local-side initiator since the introducing commit landed.
The sibling site l2cap_ecred_conn_req() in the same commit was converted
correctly (sizeof(*pdu) + len, pdu); only this site was missed.
Restore the original semantics: pass the full flex-struct size via
struct_size(pdu, scid, 1) and the pdu pointer (the struct address) as
the source.
Validated on a stock 7.0-based host kernel via the real call path:
setsockopt(SOL_BLUETOOTH, BT_RCVMTU, ...) on a BT_CONNECTED
L2CAP_MODE_EXT_FLOWCTL socket emits an L2CAP_ECRED_RECONFIGURE_REQ
whose body is 8 bytes (the on-stack pdu local's value) rather than
the expected 6. Three captures from fresh socket / fresh hciemu peer
on the same host -- low bytes vary per call, high 0xffff confirms a
kernel virtual address (KASLR-randomised stack slot, not a fixed
string):
RECONF_REQ body (ident=0x02 len=8): 42 fb 54 af 0e ca ff ff
RECONF_REQ body (ident=0x02 len=8): 52 3d 2e af 0e ca ff ff
RECONF_REQ body (ident=0x02 len=8): b2 fc 5b af 0e ca ff ff
After this patch the body is 6 bytes carrying the expected
little-endian (mtu, mps, scid).
Cc: stable@vger.kernel.org
Fixes: 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7199,7 +7199,7 @@ static void l2cap_ecred_reconfigure(stru
chan->ident = l2cap_get_ident(conn);
l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
- sizeof(pdu), &pdu);
+ struct_size(pdu, scid, 1), pdu);
}
int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 067/272] Bluetooth: MGMT: validate Add Extended Advertising Data length
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 066/272] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 068/272] Bluetooth: serialize accept_q access Greg Kroah-Hartman
` (211 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit d3f7d17960ed50df3a6709c5158caff989c8c905 upstream.
MGMT_OP_ADD_EXT_ADV_DATA is registered as a variable-length command,
with MGMT_ADD_EXT_ADV_DATA_SIZE as the fixed header size. The handler
then uses cp->adv_data_len and cp->scan_rsp_len to validate and copy
cp->data, but it never checks that those bytes are part of the mgmt
command payload.
A short command can therefore make add_ext_adv_data() pass an
out-of-bounds pointer into tlv_data_is_valid(). If the bytes beyond
the command buffer are addressable, they can also be copied into the
advertising instance as scan response data, where the caller can read
them back via MGMT_OP_GET_ADV_INSTANCE. The trigger requires
CAP_NET_ADMIN in the initial user namespace; KASAN reports an 8-byte
slab-out-of-bounds read.
Reject commands whose length does not match the fixed header plus both
advertising data lengths before parsing cp->data.
Fixes: 12410572833a ("Bluetooth: Break add adv into two mgmt commands")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/mgmt.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9193,9 +9193,15 @@ static int add_ext_adv_data(struct sock
struct adv_info *adv_instance;
int err = 0;
struct mgmt_pending_cmd *cmd;
+ u16 expected_len;
BT_DBG("%s", hdev->name);
+ expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
+ if (expected_len != data_len)
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
+ MGMT_STATUS_INVALID_PARAMS);
+
hci_dev_lock(hdev);
adv_instance = hci_find_adv_instance(hdev, cp->instance);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 068/272] Bluetooth: serialize accept_q access
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 067/272] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 069/272] phonet/pep: disable BH around forwarded sk_receive_skb() Greg Kroah-Hartman
` (210 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Jiexun Wang, Ren Wei, Luiz Augusto von Dentz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
commit e83f5e24da741fa9405aeeff00b08c5ee7c37b88 upstream.
bt_sock_poll() walks the accept queue without synchronization, while
child teardown can unlink the same socket and drop its last reference.
The unsynchronized accept queue walk has existed since the initial
Bluetooth import.
Protect accept_q with a dedicated lock for queue updates and polling.
Also rework bt_accept_dequeue() to take temporary child references under
the queue lock before dropping it and locking the child socket.
Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Jann Horn <jannh@google.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/bluetooth.h | 1
net/bluetooth/af_bluetooth.c | 87 ++++++++++++++++++++++++++++----------
2 files changed, 66 insertions(+), 22 deletions(-)
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -380,6 +380,7 @@ void baswap(bdaddr_t *dst, const bdaddr_
struct bt_sock {
struct sock sk;
struct list_head accept_q;
+ spinlock_t accept_q_lock; /* protects accept_q */
struct sock *parent;
unsigned long flags;
void (*skb_msg_name)(struct sk_buff *, void *, int *);
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -151,6 +151,7 @@ struct sock *bt_sock_alloc(struct net *n
sock_init_data(sock, sk);
INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
+ spin_lock_init(&bt_sk(sk)->accept_q_lock);
sock_reset_flag(sk, SOCK_ZAPPED);
@@ -211,6 +212,7 @@ void bt_accept_enqueue(struct sock *pare
{
const struct cred *old_cred;
struct pid *old_pid;
+ struct bt_sock *par = bt_sk(parent);
BT_DBG("parent %p, sk %p", parent, sk);
@@ -221,9 +223,13 @@ void bt_accept_enqueue(struct sock *pare
else
lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
- list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
bt_sk(sk)->parent = parent;
+ spin_lock_bh(&par->accept_q_lock);
+ list_add_tail(&bt_sk(sk)->accept_q, &par->accept_q);
+ sk_acceptq_added(parent);
+ spin_unlock_bh(&par->accept_q_lock);
+
/* Copy credentials from parent since for incoming connections the
* socket is allocated by the kernel.
*/
@@ -241,8 +247,6 @@ void bt_accept_enqueue(struct sock *pare
bh_unlock_sock(sk);
else
release_sock(sk);
-
- sk_acceptq_added(parent);
}
EXPORT_SYMBOL(bt_accept_enqueue);
@@ -251,45 +255,72 @@ EXPORT_SYMBOL(bt_accept_enqueue);
*/
void bt_accept_unlink(struct sock *sk)
{
+ struct sock *parent = bt_sk(sk)->parent;
+
BT_DBG("sk %p state %d", sk, sk->sk_state);
+ spin_lock_bh(&bt_sk(parent)->accept_q_lock);
list_del_init(&bt_sk(sk)->accept_q);
- sk_acceptq_removed(bt_sk(sk)->parent);
+ sk_acceptq_removed(parent);
+ spin_unlock_bh(&bt_sk(parent)->accept_q_lock);
bt_sk(sk)->parent = NULL;
sock_put(sk);
}
EXPORT_SYMBOL(bt_accept_unlink);
+static struct sock *bt_accept_get(struct sock *parent, struct sock *sk)
+{
+ struct bt_sock *bt = bt_sk(parent);
+ struct sock *next = NULL;
+
+ /* accept_q is modified from child teardown paths too, so take a
+ * temporary reference before dropping the queue lock.
+ */
+ spin_lock_bh(&bt->accept_q_lock);
+
+ if (sk) {
+ if (bt_sk(sk)->parent != parent)
+ goto out;
+
+ if (!list_is_last(&bt_sk(sk)->accept_q, &bt->accept_q)) {
+ next = &list_next_entry(bt_sk(sk), accept_q)->sk;
+ sock_hold(next);
+ }
+ } else if (!list_empty(&bt->accept_q)) {
+ next = &list_first_entry(&bt->accept_q,
+ struct bt_sock, accept_q)->sk;
+ sock_hold(next);
+ }
+
+out:
+ spin_unlock_bh(&bt->accept_q_lock);
+ return next;
+}
+
struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
{
- struct bt_sock *s, *n;
- struct sock *sk;
+ struct sock *sk, *next;
BT_DBG("parent %p", parent);
restart:
- list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
- sk = (struct sock *)s;
-
+ for (sk = bt_accept_get(parent, NULL); sk; sk = next) {
/* Prevent early freeing of sk due to unlink and sock_kill */
- sock_hold(sk);
lock_sock(sk);
/* Check sk has not already been unlinked via
* bt_accept_unlink() due to serialisation caused by sk locking
*/
- if (!bt_sk(sk)->parent) {
+ if (bt_sk(sk)->parent != parent) {
BT_DBG("sk %p, already unlinked", sk);
release_sock(sk);
sock_put(sk);
- /* Restart the loop as sk is no longer in the list
- * and also avoid a potential infinite loop because
- * list_for_each_entry_safe() is not thread safe.
- */
goto restart;
}
+ next = bt_accept_get(parent, sk);
+
/* sk is safely in the parent list so reduce reference count */
sock_put(sk);
@@ -317,6 +348,8 @@ restart:
sock_hold(sk);
release_sock(sk);
+ if (next)
+ sock_put(next);
return sk;
}
@@ -518,18 +551,28 @@ EXPORT_SYMBOL(bt_sock_stream_recvmsg);
static inline __poll_t bt_accept_poll(struct sock *parent)
{
- struct bt_sock *s, *n;
+ struct bt_sock *bt = bt_sk(parent);
+ struct bt_sock *s;
struct sock *sk;
+ __poll_t mask = 0;
+
+ spin_lock_bh(&bt->accept_q_lock);
+ list_for_each_entry(s, &bt->accept_q, accept_q) {
+ int state;
- list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
sk = (struct sock *)s;
- if (sk->sk_state == BT_CONNECTED ||
- (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags) &&
- sk->sk_state == BT_CONNECT2))
- return EPOLLIN | EPOLLRDNORM;
+ state = READ_ONCE(sk->sk_state);
+
+ if (state == BT_CONNECTED ||
+ (test_bit(BT_SK_DEFER_SETUP, &bt->flags) &&
+ state == BT_CONNECT2)) {
+ mask = EPOLLIN | EPOLLRDNORM;
+ break;
+ }
}
+ spin_unlock_bh(&bt->accept_q_lock);
- return 0;
+ return mask;
}
__poll_t bt_sock_poll(struct file *file, struct socket *sock,
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 069/272] phonet/pep: disable BH around forwarded sk_receive_skb()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 068/272] Bluetooth: serialize accept_q access Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 070/272] net: bcmgenet: keep RBUF EEE/PM disabled Greg Kroah-Hartman
` (209 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijing Yin, Rémi Denis-Courmont,
syzbot+9f4a135646b66c509935, Eric Dumazet, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijing Yin <yzjaurora@gmail.com>
commit dbc81608e3a653dea6cf403f20cae35468b8ab9c upstream.
The networking receive path is usually run from softirq context, but
protocols that take the socket lock may have packets stored in the
backlog and processed later from process context. In that case
release_sock() -> __release_sock() drops the slock with spin_unlock_bh()
and then calls sk->sk_backlog_rcv() with bottom halves enabled.
Typical sk_backlog_rcv handlers process the socket whose backlog is
being drained, so the BH state at entry is irrelevant for the slocks
they touch. pep_do_rcv() is different: when the inbound skb targets an
existing PEP pipe, it forwards the skb to a different *child* socket
via sk_receive_skb(). That helper takes the child slock with
bh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH
is already off. The same child slock therefore ends up acquired with
BH on (process path) and with BH off (softirq path):
process context softirq context
--------------- ---------------
release_sock(listener) __netif_receive_skb()
__release_sock() phonet_rcv()
spin_unlock_bh() __sk_receive_skb(listener)
[BH now ENABLED] [BH already disabled]
sk_backlog_rcv: sk_backlog_rcv:
pep_do_rcv() pep_do_rcv()
sk_receive_skb(child) sk_receive_skb(child)
bh_lock_sock_nested(child) bh_lock_sock_nested(child)
=> SOFTIRQ-ON-W => IN-SOFTIRQ-W
Lockdep flags this as inconsistent lock state, and it can become a real
self-deadlock if a softirq on the same CPU tries to receive to the same
child socket while its slock is held in the BH-enabled path:
WARNING: inconsistent lock state
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
(slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900
__sk_receive_skb net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190
__release_sock net/core/sock.c:3216
release_sock net/core/sock.c:3815
pep_sock_accept net/phonet/pep.c:879
Wrap the forwarded sk_receive_skb() in local_bh_disable() /
local_bh_enable() so the child slock is always acquired with BH off.
local_bh_disable() nests safely on the softirq path.
Discovered via in-house syzkaller fuzzing; the same root cause also
on the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.
Reproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:
https://pastebin.com/A3t8xzCR
Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
Link: https://syzkaller.appspot.com/bug?extid=44f0626dd6284f02663c
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
Reported-by: syzbot+9f4a135646b66c509935@syzkaller.appspotmail.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260519172635.86304-1-yzjaurora@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/phonet/pep.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -671,8 +671,23 @@ static int pep_do_rcv(struct sock *sk, s
/* Look for an existing pipe handle */
sknode = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
- if (sknode)
- return sk_receive_skb(sknode, skb, 1);
+ if (sknode) {
+ int rc;
+
+ /* pep_do_rcv() runs from two contexts: from softirq via
+ * phonet_rcv() -> __sk_receive_skb() with BH disabled,
+ * and from process context via
+ * release_sock() -> __release_sock(), which drops
+ * the listener slock with spin_unlock_bh() before draining
+ * the backlog. The child pipe slock is taken below via
+ * bh_lock_sock_nested(), which does not itself disable BH, so
+ * disable BH here to keep both acquire contexts consistent.
+ */
+ local_bh_disable();
+ rc = sk_receive_skb(sknode, skb, 1);
+ local_bh_enable();
+ return rc;
+ }
switch (hdr->message_id) {
case PNS_PEP_CONNECT_REQ:
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 070/272] net: bcmgenet: keep RBUF EEE/PM disabled
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 069/272] phonet/pep: disable BH around forwarded sk_receive_skb() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 071/272] net: ifb: report ethtool stats over num_tx_queues Greg Kroah-Hartman
` (208 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolai Buchwitz, Florian Fainelli,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolai Buchwitz <nb@tipi-net.de>
commit 9a1730245e416d11ad5c0f2c100061d61cc43f60 upstream.
Setting RBUF_EEE_EN | RBUF_PM_EN in RBUF_ENERGY_CTRL breaks the RX
path on GENET hardware once MAC EEE becomes active. RX traffic stops
flowing while the link stays up and the usual descriptor/RX error
counters remain quiet. In that state the MAC still accepts frames
(rbuf_ovflow_cnt keeps climbing) but RBUF no longer forwards them to
DMA, so rx_packets is no longer incremented at the netdev level. On
some boards the corruption ends up as a paging fault in
skb_release_data via bcmgenet_rx_poll on an LPI exit.
Reproduced on Pi 4B (BCM2711 + BCM54213PE) and confirmed by Florian
Fainelli on an internal Broadcom 4908-family board with the same crash
signature. RBUF_PM_EN is not publicly documented.
This shows up more often now that phy_support_eee() enables EEE by
default, but it also affects older kernels as soon as TX LPI is
turned on via ethtool, so it is not specific to recent changes.
Always clear RBUF_EEE_EN | RBUF_PM_EN in bcmgenet_eee_enable_set so
the bits stay off across resets. UMAC and TBUF setup is left alone so
TX-side EEE keeps working.
Link: https://github.com/raspberrypi/linux/issues/7304
Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support")
Cc: stable@vger.kernel.org
Signed-off-by: Nicolai Buchwitz <nb@tipi-net.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260520184320.652053-1-nb@tipi-net.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1325,13 +1325,12 @@ void bcmgenet_eee_enable_set(struct net_
reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
bcmgenet_writel(reg, priv->base + off);
- /* Do the same for thing for RBUF */
+ /* RBUF EEE/PM can break the RX path on GENET. Keep it disabled. */
reg = bcmgenet_rbuf_readl(priv, RBUF_ENERGY_CTRL);
- if (enable)
- reg |= RBUF_EEE_EN | RBUF_PM_EN;
- else
+ if (reg & (RBUF_EEE_EN | RBUF_PM_EN)) {
reg &= ~(RBUF_EEE_EN | RBUF_PM_EN);
- bcmgenet_rbuf_writel(priv, reg, RBUF_ENERGY_CTRL);
+ bcmgenet_rbuf_writel(priv, reg, RBUF_ENERGY_CTRL);
+ }
if (!enable && priv->clk_eee_enabled) {
clk_disable_unprepare(priv->clk_eee);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 071/272] net: ifb: report ethtool stats over num_tx_queues
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 070/272] net: bcmgenet: keep RBUF EEE/PM disabled Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 072/272] net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() Greg Kroah-Hartman
` (207 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 5db89c99566fc4728cc92e941d8e1975711e24b5 upstream.
ifb_dev_init() allocates dp->tx_private to dev->num_tx_queues
entries via kzalloc_objs(*txp, dev->num_tx_queues). Both IFB
per-queue RX and TX stats live in those entries: ifb_xmit() updates
txp->rx_stats using the skb queue mapping, ifb_ri_tasklet() updates
txp->tx_stats, and ifb_stats64() aggregates both over
dev->num_tx_queues.
The ethtool stats callbacks instead size and walk the per-queue
stats with dev->real_num_rx_queues and dev->real_num_tx_queues. With
an asymmetric device where the RX queue count exceeds the TX queue
count, for example:
ip link add name ifb10 numtxqueues 1 numrxqueues 8 type ifb
ethtool -S ifb10
ifb_get_ethtool_stats() indexes past the tx_private allocation and
copies adjacent slab data through ETHTOOL_GSTATS.
Use dev->num_tx_queues consistently for the stats strings, the
stats count, and the stats data walks. This reports one RX stats
group and one TX stats group for each backing ifb_q_private entry,
which is the queue set IFB can actually populate.
Reproduced under UML+KASAN at v7.1-rc2:
BUG: KASAN: slab-out-of-bounds in ifb_fill_stats_data+0x3c/0xae
Read of size 8 at addr 0000000062dbd228 by task ethtool/36
ifb_fill_stats_data+0x3c/0xae
ifb_get_ethtool_stats+0xc0/0x129
__dev_ethtool+0x1ca5/0x363c
dev_ethtool+0x123/0x1b3
dev_ioctl+0x56c/0x744
sock_do_ioctl+0x15f/0x1b2
sock_ioctl+0x4d5/0x50a
sys_ioctl+0xd8b/0xde9
With the patch applied, the same UML+KASAN repro is silent and
ethtool -S ifb10 reports only the stats backed by the single
allocated tx_private entry.
Fixes: a21ee5b2fcb8 ("net: ifb: support ethtools stats")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260514013739.3549624-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ifb.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -211,12 +211,12 @@ static void ifb_get_strings(struct net_d
switch (stringset) {
case ETH_SS_STATS:
- for (i = 0; i < dev->real_num_rx_queues; i++)
+ for (i = 0; i < dev->num_tx_queues; i++)
for (j = 0; j < IFB_Q_STATS_LEN; j++)
ethtool_sprintf(&p, "rx_queue_%u_%.18s",
i, ifb_q_stats_desc[j].desc);
- for (i = 0; i < dev->real_num_tx_queues; i++)
+ for (i = 0; i < dev->num_tx_queues; i++)
for (j = 0; j < IFB_Q_STATS_LEN; j++)
ethtool_sprintf(&p, "tx_queue_%u_%.18s",
i, ifb_q_stats_desc[j].desc);
@@ -229,8 +229,7 @@ static int ifb_get_sset_count(struct net
{
switch (sset) {
case ETH_SS_STATS:
- return IFB_Q_STATS_LEN * (dev->real_num_rx_queues +
- dev->real_num_tx_queues);
+ return IFB_Q_STATS_LEN * dev->num_tx_queues * 2;
default:
return -EOPNOTSUPP;
}
@@ -262,12 +261,12 @@ static void ifb_get_ethtool_stats(struct
struct ifb_q_private *txp;
int i;
- for (i = 0; i < dev->real_num_rx_queues; i++) {
+ for (i = 0; i < dev->num_tx_queues; i++) {
txp = dp->tx_private + i;
ifb_fill_stats_data(&data, &txp->rx_stats);
}
- for (i = 0; i < dev->real_num_tx_queues; i++) {
+ for (i = 0; i < dev->num_tx_queues; i++) {
txp = dp->tx_private + i;
ifb_fill_stats_data(&data, &txp->tx_stats);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 072/272] net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 071/272] net: ifb: report ethtool stats over num_tx_queues Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 073/272] netfilter: ip6t_hbh: reject oversized option lists Greg Kroah-Hartman
` (206 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Jelonek, Oleksij Rempel,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Jelonek <jelonek.jonas@gmail.com>
commit 33d35975cbead3fa6b738ee57e5e45e14fbe0886 upstream.
of_count_phandle_with_args() returns the count on success and a negative
errno on failure, including -ENOENT when the "pairsets" property is
absent. The existing comparison in of_load_pse_pis() checks against
ENOENT (positive 2) instead of -ENOENT, so the branch is taken for any
error return: legitimate DTs that omit "pairsets" trigger a spurious
"wrong number of pairsets" error and probe fails with -EINVAL.
Compare against -ENOENT so a missing "pairsets" property is correctly
treated as "this PI has no pairsets, continue".
Fixes: 9be9567a7c59 ("net: pse-pd: Add support for PSE PIs")
Cc: stable@vger.kernel.org
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260515143103.1721888-1-jelonek.jonas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/pse-pd/pse_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/pse-pd/pse_core.c
+++ b/drivers/net/pse-pd/pse_core.c
@@ -184,7 +184,7 @@ static int of_load_pse_pis(struct pse_co
ret = of_load_pse_pi_pairsets(node, &pi, ret);
if (ret)
goto out;
- } else if (ret != ENOENT) {
+ } else if (ret != -ENOENT) {
dev_err(pcdev->dev,
"error: wrong number of pairsets. Should be 1 or 2, got %d (%pOF)\n",
ret, node);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 073/272] netfilter: ip6t_hbh: reject oversized option lists
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 072/272] net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 074/272] netfilter: nf_queue: hold bridge skb->dev while queued Greg Kroah-Hartman
` (205 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Zhengchuan Liang, Ren Wei, Pablo Neira Ayuso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
commit 4322dcde6b4173c2d8e8e6118ed290794263bcc8 upstream.
struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.
Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.
`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:
[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/netfilter/ip6t_hbh.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -168,6 +168,10 @@ static int hbh_mt6_check(const struct xt
pr_debug("unknown flags %X\n", optsinfo->invflags);
return -EINVAL;
}
+ if (optsinfo->optsnr > IP6T_OPTS_OPTSNR) {
+ pr_debug("too many supported opts specified\n");
+ return -EINVAL;
+ }
if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
pr_debug("Not strict - not implemented");
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 074/272] netfilter: nf_queue: hold bridge skb->dev while queued
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 073/272] netfilter: ip6t_hbh: reject oversized option lists Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 075/272] netfilter: ipset: stop hash:* range iteration at end Greg Kroah-Hartman
` (204 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Haoze Xie, Ren Wei, Pablo Neira Ayuso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoze Xie <royenheart@gmail.com>
commit e196115ec330a18de415bdb9f5071aa9f08e53ce upstream.
br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
references on state.in/out and bridge physdevs, so a queued bridge
packet can retain a freed bridge master in skb->dev until reinjection.
When the verdict is reinjected later, br_netif_receive_skb() re-enters
the receive path with skb->dev still pointing at the freed bridge master,
triggering a use-after-free.
Store skb->dev in the queue entry, hold a reference on it for the queue
lifetime, and use the saved device when dropping queued packets during
NETDEV_DOWN handling.
Fixes: ac2863445686 ("netfilter: bridge: add nf_afinfo to enable queuing to userspace")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Haoze Xie <royenheart@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netfilter/nf_queue.h | 1 +
net/netfilter/nf_queue.c | 4 +++-
net/netfilter/nfnetlink_queue.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -14,6 +14,7 @@ struct nf_queue_entry {
struct list_head list;
struct rhash_head hash_node;
struct sk_buff *skb;
+ struct net_device *skb_dev;
unsigned int id;
unsigned int hook_index; /* index in hook_entries->hook[] */
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -60,6 +60,7 @@ static void nf_queue_entry_release_refs(
struct nf_hook_state *state = &entry->state;
/* Release those devices we held, or Alexey will kill me. */
+ dev_put(entry->skb_dev);
dev_put(state->in);
dev_put(state->out);
if (state->sk)
@@ -101,6 +102,7 @@ bool nf_queue_entry_get_refs(struct nf_q
if (state->sk && !refcount_inc_not_zero(&state->sk->sk_refcnt))
return false;
+ dev_hold(entry->skb_dev);
dev_hold(state->in);
dev_hold(state->out);
@@ -201,11 +203,11 @@ static int __nf_queue(struct sk_buff *sk
*entry = (struct nf_queue_entry) {
.skb = skb,
+ .skb_dev = skb->dev,
.state = *state,
.hook_index = index,
.size = sizeof(*entry) + route_key_size,
};
-
__nf_queue_entry_init_physdevs(entry);
if (!nf_queue_entry_get_refs(entry)) {
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1196,6 +1196,8 @@ dev_cmp(struct nf_queue_entry *entry, un
if (physinif == ifindex || physoutif == ifindex)
return 1;
#endif
+ if (entry->skb_dev && entry->skb_dev->ifindex == ifindex)
+ return 1;
if (entry->state.in)
if (entry->state.in->ifindex == ifindex)
return 1;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 075/272] netfilter: ipset: stop hash:* range iteration at end
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 074/272] netfilter: nf_queue: hold bridge skb->dev while queued Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 076/272] netfilter: nft_inner: Fix IPv6 inner_thoff desync Greg Kroah-Hartman
` (203 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Nan Li, Ren Wei, Pablo Neira Ayuso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nan Li <tonanli66@gmail.com>
commit 0d3a282ab5f165fc207ff49ea5b6ad8f54616bd6 upstream.
The following hash set variants:
hash:ip,mark
hash:ip,port
hash:ip,port,ip
hash:ip,port,net
iterate IPv4 ranges with a 32-bit iterator.
The iterator must stop once the last address in the requested range has
been processed. Advancing it once more can move the traversal state past
the end of the request, so a later retry may continue from an unintended
position.
Handle the iterator increment explicitly at the end of the loop and stop
once the upper bound has been processed. This keeps the existing retry
behaviour intact for valid ranges while preventing traversal from
continuing past the original boundary.
Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipset/ip_set_hash_ipmark.c | 6 +++++-
net/netfilter/ipset/ip_set_hash_ipport.c | 5 ++++-
net/netfilter/ipset/ip_set_hash_ipportip.c | 5 ++++-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 5 ++++-
4 files changed, 17 insertions(+), 4 deletions(-)
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -150,7 +150,7 @@ hash_ipmark4_uadt(struct ip_set *set, st
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++, i++) {
+ for (; ip <= ip_to; i++) {
e.ip = htonl(ip);
if (i > IPSET_MAX_RANGE) {
hash_ipmark4_data_next(&h->next, &e);
@@ -162,6 +162,10 @@ hash_ipmark4_uadt(struct ip_set *set, st
return ret;
ret = 0;
+
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -186,7 +186,7 @@ hash_ipport4_uadt(struct ip_set *set, st
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to;) {
p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
: port;
for (; p <= port_to; p++, i++) {
@@ -203,6 +203,9 @@ hash_ipport4_uadt(struct ip_set *set, st
ret = 0;
}
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -182,7 +182,7 @@ hash_ipportip4_uadt(struct ip_set *set,
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to;) {
p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
: port;
for (; p <= port_to; p++, i++) {
@@ -199,6 +199,9 @@ hash_ipportip4_uadt(struct ip_set *set,
ret = 0;
}
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -274,7 +274,7 @@ hash_ipportnet4_uadt(struct ip_set *set,
p = port;
ip2 = ip2_from;
}
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to;) {
e.ip = htonl(ip);
for (; p <= port_to; p++) {
e.port = htons(p);
@@ -298,6 +298,9 @@ hash_ipportnet4_uadt(struct ip_set *set,
ip2 = ip2_from;
}
p = port;
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 076/272] netfilter: nft_inner: Fix IPv6 inner_thoff desync
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 075/272] netfilter: ipset: stop hash:* range iteration at end Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 077/272] sched_ext: Fix missing warning in scx_set_task_state() default case Greg Kroah-Hartman
` (202 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang,
Xuewei Feng, Qi Li, Ke Xu, Fernando Fernandez Mancera,
Pablo Neira Ayuso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit b6a91f68ebfed9c38e0e9150f58a9b85da07181c upstream.
In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.
For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.
Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
Cc: stable@vger.kernel.org
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:5.1 Z.ai
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_inner.c | 1 -
1 file changed, 1 deletion(-)
--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -156,7 +156,6 @@ static int nft_inner_parse_l2l3(const st
return -1;
if (fragoff == 0) {
- thoff = nhoff + sizeof(_ip6h);
ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH;
ctx->inner_thoff = thoff;
ctx->l4proto = l4proto;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 077/272] sched_ext: Fix missing warning in scx_set_task_state() default case
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 076/272] netfilter: nft_inner: Fix IPv6 inner_thoff desync Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 078/272] sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path Greg Kroah-Hartman
` (201 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuele Mariotti, Paolo Valente,
Andrea Righi, Tejun Heo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuele Mariotti <smariotti@disroot.org>
[ Upstream commit b905ee77d5f557a83a485b4146210f54f13365fc ]
In scx_set_task_state(), the default case was setting the
warn flag, but then returning immediately. This is problematic
because the only purpose of the warn flag is to trigger
WARN_ONCE, but the early return prevented it from ever firing,
leaving invalid task states undetected and untraced.
To fix this, a WARN_ONCE call is now added directly in the
default case.
The fix addresses two aspects:
- Guarantees the invalid task states are properly logged
and traced.
- Provides a distinct warning message
("sched_ext: Invalid task state") specifically for
states outside the defined scx_task_state enum values,
making it easier to distinguish from other transition
warnings.
This ensures proper detection and reporting of invalid states.
Signed-off-by: Samuele Mariotti <smariotti@disroot.org>
Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Stable-dep-of: 9a415cc53711 ("sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -3637,7 +3637,8 @@ static void scx_set_task_state(struct ta
warn = prev_state != SCX_TASK_READY;
break;
default:
- warn = true;
+ WARN_ONCE(1, "sched_ext: Invalid task state %d -> %d for %s[%d]",
+ prev_state, state, p->comm, p->pid);
return;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 078/272] sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 077/272] sched_ext: Fix missing warning in scx_set_task_state() default case Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 079/272] cgroup/cpuset: Reset DL migration state on can_attach() failure Greg Kroah-Hartman
` (200 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sashiko, Tejun Heo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 9a415cc53711f2238e0f0ca8a6bcc796c003b127 ]
In scx_root_enable_workfn(), put_task_struct(p) is called before scx_error()
dereferences p->comm and p->pid. If the iterator's reference is the last
drop, the task is freed synchronously and the deref becomes a UAF.
Move put_task_struct() past scx_error().
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/all/20260511214031.AF5E9C2BCB0@smtp.kernel.org/
Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Tejun Heo <tj@kernel.org>
[ adapted fix to pre-refactor scx_ops_enable_workfn() with scx_task_iter_relock() instead of upstream scx_root_enable_workfn() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -5406,11 +5406,11 @@ static void scx_ops_enable_workfn(struct
ret = scx_ops_init_task(p, task_group(p), false);
if (ret) {
- put_task_struct(p);
scx_task_iter_relock(&sti);
scx_task_iter_stop(&sti);
scx_ops_error("ops.init_task() failed (%d) for %s[%d]",
ret, p->comm, p->pid);
+ put_task_struct(p);
goto err_disable_unlock_all;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 079/272] cgroup/cpuset: Reset DL migration state on can_attach() failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 078/272] sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 080/272] fs/ntfs3: handle attr_set_size() errors when truncating files Greg Kroah-Hartman
` (199 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guopeng Zhang, Tejun Heo,
Chen Ridong, Waiman Long, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guopeng Zhang <zhangguopeng@kylinos.cn>
[ Upstream commit 4a39eda5fdd867fc39f3c039714dd432cee00268 ]
cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
state in the destination cpuset while walking the taskset.
If a later task_can_attach() or security_task_setscheduler() check
fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
and does not call cpuset_cancel_attach() for it. The partially
accumulated state is then left behind and can be consumed by a later
attach, corrupting cpuset DL task accounting and pending DL bandwidth
accounting.
Reset the pending DL migration state from the common error exit when
ret is non-zero. Successful can_attach() keeps the state for
cpuset_attach() or cpuset_cancel_attach().
Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
Cc: stable@vger.kernel.org # v6.10+
Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
Reviewed-by: Waiman Long <longman@redhat.com>
[ omitted upstream context line `cs->dl_bw_cpu = cpu;` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/cpuset.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -2996,16 +2996,13 @@ static int cpuset_can_attach(struct cgro
int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
if (unlikely(cpu >= nr_cpu_ids)) {
- reset_migrate_dl_data(cs);
ret = -EINVAL;
goto out_unlock;
}
ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
- if (ret) {
- reset_migrate_dl_data(cs);
+ if (ret)
goto out_unlock;
- }
}
out_success:
@@ -3014,7 +3011,10 @@ out_success:
* changes which zero cpus/mems_allowed.
*/
cs->attach_in_progress++;
+
out_unlock:
+ if (ret)
+ reset_migrate_dl_data(cs);
mutex_unlock(&cpuset_mutex);
return ret;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 080/272] fs/ntfs3: handle attr_set_size() errors when truncating files
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 079/272] cgroup/cpuset: Reset DL migration state on can_attach() failure Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 081/272] l2tp: use list_del_rcu in l2tp_session_unhash Greg Kroah-Hartman
` (198 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Bin Lan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 576248a34b927e93b2fd3fff7df735ba73ad7d01 ]
If attr_set_size() fails while truncating down, the error is silently
ignored and the inode may be left in an inconsistent state.
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Minor context conflict resolved. ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/file.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -500,8 +500,8 @@ static int ntfs_truncate(struct inode *i
{
struct super_block *sb = inode->i_sb;
struct ntfs_inode *ni = ntfs_i(inode);
- int err, dirty = 0;
u64 new_valid;
+ int err;
if (!S_ISREG(inode->i_mode))
return 0;
@@ -517,7 +517,6 @@ static int ntfs_truncate(struct inode *i
}
new_valid = ntfs_up_block(sb, min_t(u64, ni->i_valid, new_size));
-
truncate_setsize(inode, new_size);
ni_lock(ni);
@@ -531,22 +530,19 @@ static int ntfs_truncate(struct inode *i
ni->i_valid = new_valid;
ni_unlock(ni);
+ if (unlikely(err))
+ return err;
ni->std_fa |= FILE_ATTRIBUTE_ARCHIVE;
inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
if (!IS_DIRSYNC(inode)) {
- dirty = 1;
+ mark_inode_dirty(inode);
} else {
err = ntfs_sync_inode(inode);
if (err)
return err;
}
- if (dirty)
- mark_inode_dirty(inode);
-
- /*ntfs_flush_inodes(inode->i_sb, inode, NULL);*/
-
return 0;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 081/272] l2tp: use list_del_rcu in l2tp_session_unhash
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 080/272] fs/ntfs3: handle attr_set_size() errors when truncating files Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 082/272] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
` (197 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 979c017803c40829b03acd9e5236e354b7622360 upstream.
An unprivileged local user can pin a host CPU indefinitely in
l2tp_session_get_by_ifname() by issuing L2TP_CMD_SESSION_GET on
L2TP_ATTR_IFNAME concurrently with L2TP_CMD_SESSION_CREATE and
L2TP_CMD_SESSION_DELETE on the same tunnel. All three commands take
GENL_UNS_ADMIN_PERM, so CAP_NET_ADMIN in the netns user namespace
suffices; on any host that has l2tp_core loaded the trigger is
reachable from a standard `unshare -Urn` sandbox.
l2tp_session_unhash() removes a session from tunnel->session_list
with list_del_init(), but that list is walked by
l2tp_session_get_by_ifname() with list_for_each_entry_rcu() under
rcu_read_lock_bh(). list_del_init() leaves the deleted entry's
next/prev self-pointing; a reader that has loaded the entry and
then advances pos->list.next reads &session->list, container_of()s
back to the same session, and list_for_each_entry_rcu() never
reaches the list head. The CPU stays in strcmp() inside the
walker, with BH and preemption disabled, so RCU grace periods on
the host stall behind it and the wedged thread cannot be killed
(SIGKILL is delivered on syscall return).
Use list_del_rcu() to match the existing list_add_rcu() in
l2tp_session_register(); the deleted session remains visible to
in-flight walkers with consistent next/prev pointers until
kfree_rcu() in l2tp_session_free() releases it. tunnel->session_list
has exactly one list_del_init() call site; the list_del_init
(&session->clist) at l2tp_core.c:533 operates on the per-collision
list, which is not walked under RCU. list_empty(&session->list) is
not used anywhere in net/l2tp/ after the unhash point, so dropping
the post-delete self-init is safe; the fix has no userspace-visible
behavior change.
Fixes: 89b768ec2dfef ("l2tp: use rcu list add/del when updating lists")
Cc: stable@vger.kernel.org # 6.11+
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260518183447.64078-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/l2tp/l2tp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1360,7 +1360,7 @@ static void l2tp_session_unhash(struct l
spin_lock_bh(&pn->l2tp_session_idr_lock);
/* Remove from the per-tunnel list */
- list_del_init(&session->list);
+ list_del_rcu(&session->list);
/* Remove from per-net IDR */
if (tunnel->version == L2TP_HDR_VER_3) {
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 082/272] qed: fix double free in qed_cxt_tables_alloc()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 081/272] l2tp: use list_del_rcu in l2tp_session_unhash Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 083/272] ring-buffer: Fix reporting of missed events in iterator Greg Kroah-Hartman
` (196 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 2bccfb8476ca5f3548afbd623dc7a6980d4e77de upstream.
If one of the later PF or VF CID bitmap allocations fails,
qed_cid_map_alloc() jumps to cid_map_fail and frees the previously
allocated CID bitmaps before returning an error. qed_cxt_tables_alloc()
then calls qed_cxt_mngr_free(), which invokes qed_cid_map_free()
again.
Fix this by setting each CID bitmap pointer to NULL after bitmap_free()
to avoid double free.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.
Runtime reproduction was not attempted because exercising the failing
allocation path requires device-specific setup.
Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Link: https://patch.msgid.link/20260520070323.2762379-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1038,11 +1038,13 @@ static void qed_cid_map_free(struct qed_
for (type = 0; type < MAX_CONN_TYPES; type++) {
bitmap_free(p_mngr->acquired[type].cid_map);
+ p_mngr->acquired[type].cid_map = NULL;
p_mngr->acquired[type].max_count = 0;
p_mngr->acquired[type].start_cid = 0;
for (vf = 0; vf < MAX_NUM_VFS; vf++) {
bitmap_free(p_mngr->acquired_vf[type][vf].cid_map);
+ p_mngr->acquired_vf[type][vf].cid_map = NULL;
p_mngr->acquired_vf[type][vf].max_count = 0;
p_mngr->acquired_vf[type][vf].start_cid = 0;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 083/272] ring-buffer: Fix reporting of missed events in iterator
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 082/272] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 084/272] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
` (195 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
Masami Hiramatsu (Google), Steven Rostedt
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit a254b6d13b0edd6272926674d2afc46d46e496b7 upstream.
When tracing is active while reading the trace file, if the iterator
reading the buffer detects that the writer has passed the iterator head,
it will reset and set a "missed events" flag. This flag is passed to the
output processing to show the user that events were missed:
CPU:4 [LOST EVENTS]
The problem is that the flag is reset after it is checked in
ring_buffer_iter_dropped(). But the "trace" file iterates over all the CPU
ring buffers and it will check if they are dropped when figuring out which
buffer to print next. This prematurely clears the missed_events flag if
the CPU buffer with the missed events is not the one that is printed next.
On the iteration where the CPU buffer with the missed events is printed,
the check if it had missed events would return false and the output does
not show that events were missed.
Do not reset the missed_events flag when checking if there were missed
events, but instead clear it when moving the iterator head to the next
event.
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260520220801.4fd09d13@fedora
Fixes: c9b7a4a72ff64 ("ring-buffer/tracing: Have iterator acknowledge dropped events")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5120,6 +5120,7 @@ static void rb_iter_reset(struct ring_bu
iter->head_page = cpu_buffer->reader_page;
iter->head = cpu_buffer->reader_page->read;
iter->next_event = iter->head;
+ iter->missed_events = 0;
iter->cache_reader_page = iter->head_page;
iter->cache_read = cpu_buffer->read;
@@ -5735,10 +5736,7 @@ ring_buffer_peek(struct trace_buffer *bu
*/
bool ring_buffer_iter_dropped(struct ring_buffer_iter *iter)
{
- bool ret = iter->missed_events != 0;
-
- iter->missed_events = 0;
- return ret;
+ return iter->missed_events != 0;
}
EXPORT_SYMBOL_GPL(ring_buffer_iter_dropped);
@@ -5900,7 +5898,7 @@ void ring_buffer_iter_advance(struct rin
unsigned long flags;
raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
-
+ iter->missed_events = 0;
rb_advance_iter(iter);
raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 084/272] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 083/272] ring-buffer: Fix reporting of missed events in iterator Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 085/272] vsock/vmci: fix UAF when peer resets connection during handshake Greg Kroah-Hartman
` (194 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Iurman <justin.iurman@gmail.com>
commit d4ea0dfd75011b78cebf3808f98ac4c4f51a6fb9 upstream.
Reported by Sashiko:
The function ipv6_hop_ioam() accesses
__in6_dev_get(skb->dev)->cnf.ioam6_enabled without validating the returned
idev pointer. Because addrconf_ifdown() can concurrently clear dev->ip6_ptr
via RCU, __in6_dev_get() can return NULL during interface teardown, which
could cause a NULL pointer dereference when processing an IOAM Hop-by-Hop
option.
Let's add a check and use SKB_DROP_REASON_IPV6DISABLED accordingly.
Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260517183059.29140-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/exthdrs.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -912,16 +912,27 @@ static bool ipv6_hop_ra(struct sk_buff *
static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff)
{
+ enum skb_drop_reason drop_reason;
struct ioam6_trace_hdr *trace;
struct ioam6_namespace *ns;
+ struct inet6_dev *idev;
struct ioam6_hdr *hdr;
+ drop_reason = SKB_DROP_REASON_IP_INHDR;
+
/* Bad alignment (must be 4n-aligned) */
if (optoff & 3)
goto drop;
+ /* Does the device still have IPv6 configuration? */
+ idev = __in6_dev_get(skb->dev);
+ if (!idev) {
+ drop_reason = SKB_DROP_REASON_IPV6DISABLED;
+ goto drop;
+ }
+
/* Ignore if IOAM is not enabled on ingress */
- if (!READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_enabled))
+ if (!READ_ONCE(idev->cnf.ioam6_enabled))
goto ignore;
/* Truncated Option header */
@@ -974,7 +985,7 @@ ignore:
return true;
drop:
- kfree_skb_reason(skb, SKB_DROP_REASON_IP_INHDR);
+ kfree_skb_reason(skb, drop_reason);
return false;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 085/272] vsock/vmci: fix UAF when peer resets connection during handshake
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 084/272] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 086/272] vsock/virtio: reset connection on receiving queue overflow Greg Kroah-Hartman
` (193 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Bryan Tan,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minh Nguyen <minhnguyen.080505@gmail.com>
commit 99e22ddf4edb63dc8382bc028af928056d3450cf upstream.
vmci_transport_recv_connecting_server() returned err = 0 for a peer
RST in its default switch arm:
err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
That made vmci_transport_recv_listen() skip vsock_remove_pending(),
leaving the pending socket on the listener's pending_links with
sk_state = TCP_CLOSE while destroy: still dropped the explicit
reference taken before schedule_delayed_work().
One second later vsock_pending_work() observed is_pending=true and
performed full cleanup: vsock_remove_pending() then the two trailing
sock_put(sk) calls -- the first reached refcount 0 and __sk_freed
the socket, and the second wrote into the freed object:
BUG: KASAN: slab-use-after-free in refcount_warn_saturate
Write of size 4 at addr ffff88800b1cac80 by task kworker
Workqueue: events vsock_pending_work
Treat peer RST like any other unexpected packet type (err = -EINVAL).
All destroy: arms now return err < 0, so vmci_transport_recv_listen()
removes pending from pending_links synchronously and
vsock_pending_work() takes the is_pending=false / !rejected branch,
dropping only its own work reference. This also closes the
multi-packet race Sashiko reported on v2: pending is removed from
the list before any subsequent packet can find it.
The pre-existing sk_acceptq_removed() gap on the err < 0 path of
vmci_transport_recv_listen() that Sashiko also noted is not
introduced or changed by this patch.
Tested on lts-6.12.79 with KASAN: 52/100 unpatched -> 0/100 patched.
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Acked-by: Bryan Tan <bryan-bt.tan@broadcom.com>
Link: https://patch.msgid.link/20260519102310.237181-1-minhnguyen.080505@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/vmci_transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1156,7 +1156,7 @@ vmci_transport_recv_connecting_server(st
/* Close and cleanup the connection. */
vmci_transport_send_reset(pending, pkt);
skerr = EPROTO;
- err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
+ err = -EINVAL;
goto destroy;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 086/272] vsock/virtio: reset connection on receiving queue overflow
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 085/272] vsock/vmci: fix UAF when peer resets connection during handshake Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 087/272] wifi: ath11k: clear shared SRNG pointer state on restart Greg Kroah-Hartman
` (192 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
commit a4f0b001782b21663d10df983b4b208195bec66c upstream.
When there is no more space to queue an incoming packet, the packet is
silently dropped. This causes data loss without any notification to
either peer, since there is no retransmission.
Under normal circumstances, this should never happen. However, it could
happen if the other peer doesn't respect the credit, or if the skb
overhead, which we recently began to take into account with commit
059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue"),
is too high.
Fix this by resetting the connection and setting the local socket error
to ENOBUFS when virtio_transport_recv_enqueue() can no longer queue a
packet, so both peers are explicitly notified of the failure rather than
silently losing data.
Fixes: ae6fcfbf5f03 ("vsock/virtio: discard packets if credit is not respected")
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260518090656.134588-2-sgarzare@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport_common.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1348,7 +1348,7 @@ destroy:
return err;
}
-static void
+static bool
virtio_transport_recv_enqueue(struct vsock_sock *vsk,
struct sk_buff *skb)
{
@@ -1363,10 +1363,8 @@ virtio_transport_recv_enqueue(struct vso
spin_lock_bh(&vvs->rx_lock);
can_enqueue = virtio_transport_inc_rx_pkt(vvs, len);
- if (!can_enqueue) {
- free_pkt = true;
+ if (!can_enqueue)
goto out;
- }
if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM)
vvs->msg_count++;
@@ -1406,6 +1404,8 @@ out:
spin_unlock_bh(&vvs->rx_lock);
if (free_pkt)
kfree_skb(skb);
+
+ return can_enqueue;
}
static int
@@ -1418,7 +1418,17 @@ virtio_transport_recv_connected(struct s
switch (le16_to_cpu(hdr->op)) {
case VIRTIO_VSOCK_OP_RW:
- virtio_transport_recv_enqueue(vsk, skb);
+ if (!virtio_transport_recv_enqueue(vsk, skb)) {
+ /* There is no more space to queue the packet, so let's
+ * close the connection; otherwise, we'll lose data.
+ */
+ (void)virtio_transport_reset(vsk, skb);
+ virtio_transport_do_close(vsk, true);
+ sk->sk_err = ENOBUFS;
+ sk_error_report(sk);
+ vsock_remove_sock(vsk);
+ break;
+ }
vsock_data_ready(sk);
return err;
case VIRTIO_VSOCK_OP_CREDIT_REQUEST:
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 087/272] wifi: ath11k: clear shared SRNG pointer state on restart
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 086/272] vsock/virtio: reset connection on receiving queue overflow Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 088/272] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Greg Kroah-Hartman
` (191 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Farnung, Rameshkumar Sundaram,
Baochen Qiang, Jeff Johnson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Farnung <kfarnung@gmail.com>
commit f51e4b3b5574ad8cb5b16b11f8a1452147ece87a upstream.
LMAC rings reuse the shared rdp/wrp pointer buffers without going
through the normal SRNG hw-init path that zeros non-LMAC ring
pointers. After restart, ath11k_hal_srng_clear() can therefore hand
stale hp/tp state from the previous firmware instance back to the new
one.
Clear the shared pointer buffers while keeping the allocations in
place so restart still avoids reallocating SRNG DMA memory, but starts
with fresh ring-pointer state.
Fixes: 32be3ca4cf78b ("wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/CAOPSVF04q6uvVdq8GTRLHBrVMdpt9=o9wVcFMc6f-yhmSBcZqQ@mail.gmail.com/
Signed-off-by: Kyle Farnung <kfarnung@gmail.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260513-kfarnung-ath11k-srng-clear-pointer-state-v1-1-bc700dd8b333@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -1385,14 +1385,22 @@ EXPORT_SYMBOL(ath11k_hal_srng_deinit);
void ath11k_hal_srng_clear(struct ath11k_base *ab)
{
- /* No need to memset rdp and wrp memory since each individual
- * segment would get cleared in ath11k_hal_srng_src_hw_init()
- * and ath11k_hal_srng_dst_hw_init().
+ /*
+ * Preserve the shared pointer buffers, but clear the previous
+ * firmware instance's hp/tp state before handing them back to FW.
+ * LMAC rings reuse this shared memory without going through the
+ * normal SRNG hw-init path that zeros non-LMAC ring pointers.
*/
memset(ab->hal.srng_list, 0,
sizeof(ab->hal.srng_list));
memset(ab->hal.shadow_reg_addr, 0,
sizeof(ab->hal.shadow_reg_addr));
+ if (ab->hal.rdp.vaddr)
+ memset(ab->hal.rdp.vaddr, 0,
+ sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX);
+ if (ab->hal.wrp.vaddr)
+ memset(ab->hal.wrp.vaddr, 0,
+ sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS);
ab->hal.avail_blk_resource = 0;
ab->hal.current_blk_index = 0;
ab->hal.num_shadow_reg_configured = 0;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 088/272] ipv4: raw: reject IP_HDRINCL packets with ihl < 5
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 087/272] wifi: ath11k: clear shared SRNG pointer state on restart Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 089/272] ixgbevf: fix use-after-free in VEPA multicast source pruning Greg Kroah-Hartman
` (190 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herbert Xu, Michael Bommarito,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 915fab69823a14c170dbaa3b41978768e0fe62fc upstream.
raw_send_hdrinc() validates that the caller-supplied IPv4 header
fits within the message length:
iphlen = iph->ihl * 4;
err = -EINVAL;
if (iphlen > length)
goto error_free;
if (iphlen >= sizeof(*iph)) {
/* fix up saddr, tot_len, id, csum, transport_header */
}
It does not, however, reject ihl < 5. For such a packet the
"if (iphlen >= sizeof(*iph))" branch is skipped, leaving the
crafted iphdr untouched, but the packet is still handed to
__ip_local_out() and onward. Downstream consumers that read
iph->ihl assume a sane value: net/ipv4/ah4.c:ah_output() in
particular subtracts sizeof(struct iphdr) from top_iph->ihl * 4
and passes the (signed-int-negative, then cast to size_t)
result to memcpy(), producing an OOB access of length close to
SIZE_MAX and a host kernel panic.
An IPv4 header with ihl < 5 is malformed by definition (RFC 791:
"Internet Header Length is the length of the internet header in
32 bit words ... Note that the minimum value for a correct header
is 5."). The kernel should not be willing to inject such a
packet into its own output path.
Reject "iphlen < sizeof(*iph)" alongside the existing
"iphlen > length" check. This matches the principle that locally
constructed packets that re-enter the IP stack must pass the same
basic sanity tests that a foreign packet would be subjected to.
Once this lands, the "if (iphlen >= sizeof(*iph))" wrapper around
the fixup branch becomes redundant; left in place to keep the
patch minimal and backport-friendly. A follow-up can unwrap it.
Note that commit 86f4c90a1c5c ("ipv4, ipv6: ensure raw socket
message is big enough to hold an IP header") ensures the message
buffer is large enough to hold an iphdr, but does not constrain
the self-reported iph->ihl.
Reachability: the malformed packet source is any caller with
CAP_NET_RAW, including an unprivileged process in a user+net
namespace on a kernel with CONFIG_USER_NS=y. The reproduced AH
crash also requires a matching xfrm AH policy on the outgoing
route; a container granted CAP_NET_ADMIN can install that state
and policy in its netns. Loopback bypasses xfrm_output, so the
trigger uses a real netdev.
Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with
memcpy_orig at the crash site. Same shape reproduces inside a
rootless Docker container with --cap-add NET_ADMIN on a stock
distro kernel.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/77ec2b5e8111961c2c39883c92e8aa2709039c17.1778614451.git.michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/raw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -390,7 +390,7 @@ static int raw_send_hdrinc(struct sock *
* in, reject the frame as invalid
*/
err = -EINVAL;
- if (iphlen > length)
+ if (iphlen > length || iphlen < sizeof(*iph))
goto error_free;
if (iphlen >= sizeof(*iph)) {
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 089/272] ixgbevf: fix use-after-free in VEPA multicast source pruning
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 088/272] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 090/272] rbd: eliminate a race in lock_dwork draining on unmap Greg Kroah-Hartman
` (189 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Simon Horman,
Rafal Romanowski, Tony Nguyen, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 5d49b568c188dc77199d8d2b959c91da8cc27cf1 upstream.
ixgbevf_clean_rx_irq() prunes frames whose source MAC matches the VF's
own address (VEPA multicast workaround) by freeing the skb and
continuing to the next descriptor:
dev_kfree_skb_irq(skb);
continue;
The skb pointer is declared outside the while loop and persists across
iterations. Because the continue skips the "skb = NULL" reset at the
bottom of the loop, the next iteration enters the "else if (skb)" path
and calls ixgbevf_add_rx_frag() on the freed skb, dereferencing
skb_shinfo(skb)->nr_frags - a use-after-free in NAPI softirq context.
The sibling driver iavf already handles this correctly by nulling the
pointer before continuing. Apply the same pattern here.
I do not have ixgbevf hardware; the bug was found by static analysis
(scan_drop_continue_loops.py + semgrep drop_continue_in_loop, multi-tool
corroboration with the highest score in the scan). The UAF was confirmed
under KASAN by loading a test module that reproduces the exact code
pattern (alloc skb, kfree_skb, then read skb_shinfo(skb)->nr_frags):
BUG: KASAN: slab-use-after-free in ixgbevf_uaf_test_init+0x100/0x1000
Read of size 8 at addr 000000006163ae78 by task insmod/30
freed 208-byte region [000000006163adc0, 000000006163ae90)
QEMU emulates igb (82576) but not ixgbe (82599), and the igbvf VF
driver does not include the VEPA source pruning path, so a full
end-to-end reproduction with emulated hardware was not possible.
Fixes: bad17234ba70 ("ixgbevf: Change receive model to use double buffered page based receives")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-8-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
@@ -1224,6 +1224,7 @@ static int ixgbevf_clean_rx_irq(struct i
ether_addr_equal(rx_ring->netdev->dev_addr,
eth_hdr(skb)->h_source)) {
dev_kfree_skb_irq(skb);
+ skb = NULL;
continue;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 090/272] rbd: eliminate a race in lock_dwork draining on unmap
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 089/272] ixgbevf: fix use-after-free in VEPA multicast source pruning Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 091/272] lsm: hold cred_guard_mutex for lsm_set_self_attr() Greg Kroah-Hartman
` (188 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Viacheslav Dubeyko
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 9fc75b71fdd38465c76c6f6a884cdd4ae3c72d90 upstream.
Given how rbd_lock_add_request() and rbd_img_exclusive_lock() are
written, lock_dwork may be (re)queued more than it's actually needed:
for example in case a new I/O request comes in while we are in the
middle of rbd_acquire_lock() on behalf of another I/O request. This is
expected and with rbd_release_lock() preemptively canceling lock_dwork
is benign under normal operation.
A more problematic example is maybe_kick_acquire():
if (have_requests || delayed_work_pending(&rbd_dev->lock_dwork)) {
dout("%s rbd_dev %p kicking lock_dwork\n", __func__, rbd_dev);
mod_delayed_work(rbd_dev->task_wq, &rbd_dev->lock_dwork, 0);
}
It's not unrealistic for lock_dwork to get canceled right after
delayed_work_pending() returns true and for mod_delayed_work() to
requeue it right there anyway. This is a classic TOCTOU race.
When it comes to unmapping the image, there is an implicit assumption
of no self-initiated exclusive lock activity past the point of return
from rbd_dev_image_unlock() which unlocks the lock if it happens to be
held. This unlock is assumed to be final and lock_dwork (as well as
all other exclusive lock tasks, really) isn't expected to get queued
again. However, lock_dwork is canceled only in cancel_tasks_sync()
(i.e. later in the unmap sequence) and on top of that the cancellation
can get in effect nullified by maybe_kick_acquire(). This may result
in rbd_acquire_lock() executing after rbd_dev_device_release() and
rbd_dev_image_release() run and free and/or reset a bunch of things.
One of the possible failure modes then is a violated
rbd_assert(rbd_image_format_valid(rbd_dev->image_format));
in rbd_dev_header_info() which is called via rbd_dev_refresh() from
rbd_post_acquire_action().
Redo exclusive lock task draining to provide saner semantics and try
to meet the assumptions around rbd_dev_image_unlock().
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/rbd.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -4565,24 +4565,12 @@ out:
return ret;
}
-static void cancel_tasks_sync(struct rbd_device *rbd_dev)
-{
- dout("%s rbd_dev %p\n", __func__, rbd_dev);
-
- cancel_work_sync(&rbd_dev->acquired_lock_work);
- cancel_work_sync(&rbd_dev->released_lock_work);
- cancel_delayed_work_sync(&rbd_dev->lock_dwork);
- cancel_work_sync(&rbd_dev->unlock_work);
-}
-
/*
* header_rwsem must not be held to avoid a deadlock with
* rbd_dev_refresh() when flushing notifies.
*/
static void rbd_unregister_watch(struct rbd_device *rbd_dev)
{
- cancel_tasks_sync(rbd_dev);
-
mutex_lock(&rbd_dev->watch_mutex);
if (rbd_dev->watch_state == RBD_WATCH_STATE_REGISTERED)
__rbd_unregister_watch(rbd_dev);
@@ -6549,10 +6537,18 @@ out_err:
static void rbd_dev_image_unlock(struct rbd_device *rbd_dev)
{
+ dout("%s rbd_dev %p\n", __func__, rbd_dev);
+
+ disable_delayed_work_sync(&rbd_dev->lock_dwork);
+ disable_work_sync(&rbd_dev->unlock_work);
+
down_write(&rbd_dev->lock_rwsem);
if (__rbd_is_lock_owner(rbd_dev))
__rbd_release_lock(rbd_dev);
up_write(&rbd_dev->lock_rwsem);
+
+ flush_work(&rbd_dev->acquired_lock_work);
+ flush_work(&rbd_dev->released_lock_work);
}
/*
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 091/272] lsm: hold cred_guard_mutex for lsm_set_self_attr()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 090/272] rbd: eliminate a race in lock_dwork draining on unmap Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 092/272] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
` (187 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Casey Schaufler,
Paul Moore
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Smalley <stephen.smalley.work@gmail.com>
commit 4a9b16541ad3faf8bccb398532bf3f8b6bbf1188 upstream.
Just as proc_pid_attr_write() already does before calling the LSM
hook. This only matters for SELinux and AppArmor which check
whether the process is being ptraced and if so, whether to
allow the transition.
Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/lsm_syscalls.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/security/lsm_syscalls.c
+++ b/security/lsm_syscalls.c
@@ -55,7 +55,14 @@ u64 lsm_name_to_attr(const char *name)
SYSCALL_DEFINE4(lsm_set_self_attr, unsigned int, attr, struct lsm_ctx __user *,
ctx, u32, size, u32, flags)
{
- return security_setselfattr(attr, ctx, size, flags);
+ int rc;
+
+ rc = mutex_lock_interruptible(¤t->signal->cred_guard_mutex);
+ if (rc < 0)
+ return rc;
+ rc = security_setselfattr(attr, ctx, size, flags);
+ mutex_unlock(¤t->signal->cred_guard_mutex);
+ return rc;
}
/**
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 092/272] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 091/272] lsm: hold cred_guard_mutex for lsm_set_self_attr() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 093/272] ice: fix setting promisc mode while adding VID filter Greg Kroah-Hartman
` (186 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sunil Goutham, Linu Cherian,
Geetha sowjanya, hariprasad, Subbaraya Sundeep, Andrew Lunn,
stable, Sam Daly, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Daly <sam@samdaly.ie>
commit c0bf0a4f3f1f5f57aa83e1400ba4f56f0abfd542 upstream.
cgx_speed_mbps has 13 elements but RESP_LINKSTAT_SPEED can yield values
0-15. If it returns a value >= 13, this causes an out-of-bounds array
access. Add a bounds check and default to speed 0 if the index is out of
range.
Fixes: 61071a871ea6 ("octeontx2-af: Forward CGX link notifications to PFs")
Cc: Sunil Goutham <sgoutham@marvell.com>
Cc: Linu Cherian <lcherian@marvell.com>
Cc: Geetha sowjanya <gakula@marvell.com>
Cc: hariprasad <hkelam@marvell.com>
Cc: Subbaraya Sundeep <sbhatta@marvell.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: stable <stable@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051352-refined-demise-e88d@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
@@ -1286,13 +1286,18 @@ static inline void link_status_user_form
struct cgx_link_user_info *linfo,
struct cgx *cgx, u8 lmac_id)
{
+ unsigned int speed;
+
linfo->link_up = FIELD_GET(RESP_LINKSTAT_UP, lstat);
linfo->full_duplex = FIELD_GET(RESP_LINKSTAT_FDUPLEX, lstat);
- linfo->speed = cgx_speed_mbps[FIELD_GET(RESP_LINKSTAT_SPEED, lstat)];
linfo->an = FIELD_GET(RESP_LINKSTAT_AN, lstat);
linfo->fec = FIELD_GET(RESP_LINKSTAT_FEC, lstat);
linfo->lmac_type_id = FIELD_GET(RESP_LINKSTAT_LMAC_TYPE, lstat);
+ speed = FIELD_GET(RESP_LINKSTAT_SPEED, lstat);
+ linfo->speed = speed < ARRAY_SIZE(cgx_speed_mbps) ?
+ cgx_speed_mbps[speed] : 0;
+
if (linfo->lmac_type_id >= LMAC_MODE_MAX) {
dev_err(&cgx->pdev->dev, "Unknown lmac_type_id %d reported by firmware on cgx port%d:%d",
linfo->lmac_type_id, cgx->cgx_id, lmac_id);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 093/272] ice: fix setting promisc mode while adding VID filter
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 092/272] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 094/272] ice: restore PTP Rx timestamp config after ethtool set-channels Greg Kroah-Hartman
` (185 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcin Szycik, Aleksandr Loktionov,
Simon Horman, Tony Nguyen, Jakub Kicinski, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcin Szycik <marcin.szycik@intel.com>
commit ebc8de716c9ec2be384abdc2dd866da26c6580d1 upstream.
There are at least two paths through which VSI promiscuous mode can be
independently configured via ice_fltr_set_vsi_promisc():
- ice_vlan_rx_add_vid() (netdev op)
- ice_service_task() -> ... -> ice_set_promisc()
Both paths may try to program promiscuous mode concurrently. One such
scenario is:
1. Add ice netdev to bond
2. Add the bond netdev to bridge
3. ice netdev enters allmulticast mode (IFF_ALLMULTI)
4. Service task programs promisc mode filter
5. Bridge -> bond calls ice_vlan_rx_add_vid()
Crucially, ice_vlan_rx_add_vid() fails if ice_fltr_set_vsi_promisc()
returns any error, including -EEXIST. This causes VLAN filtering setup
to fail on the bond interface. ice_set_promisc() already handles -EEXIST
correctly.
Fix by adding the same -EEXIST check to ice_vlan_rx_add_vid(): if the
promisc filter is already programmed, continue without returning error.
Fixes: 1273f89578f2 ("ice: Fix broken IFF_ALLMULTI handling")
Cc: stable@vger.kernel.org
Signed-off-by: Marcin Szycik <marcin.szycik@intel.com>
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-4-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -3808,7 +3808,7 @@ int ice_vlan_rx_add_vid(struct net_devic
ret = ice_fltr_set_vsi_promisc(&vsi->back->hw, vsi->idx,
ICE_MCAST_VLAN_PROMISC_BITS,
vid);
- if (ret)
+ if (ret && ret != -EEXIST)
goto finish;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 094/272] ice: restore PTP Rx timestamp config after ethtool set-channels
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 093/272] ice: fix setting promisc mode while adding VID filter Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 095/272] wifi: cfg80211: advance loop vars in cfg80211_merge_profile() Greg Kroah-Hartman
` (184 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Grzegorz Nitka,
Simon Horman, Alexander Nowlin, Tony Nguyen, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
commit 975b564d195b13ca6ee1ef5e6a9561734898eb17 upstream.
When ethtool -L changes queue counts, ice_vsi_recfg_qs() closes and
rebuilds the VSI, reallocating Rx rings. The newly allocated rings have
ptp_rx cleared, so RX hardware timestamps are no longer attached to skb
until hwtstamp configuration is applied again.
Restore timestamp mode after ice_vsi_open() in the queue reconfiguration
path, matching reset/rebuild behavior and ensuring newly rebuilt Rx rings
have PTP RX timestamping re-enabled.
Testing hints:
- run ptp4l application in client synchronization mode:
ptp4l -i ethX -m -s
- run PTP traffic
- change queue number on ethX netdev interface:
ethtool -L ethX combined new_queue_size
- observe ptp4l output
- expected result: no "received DELAY_REQ without timestamp" messages
Fixes: 77a781155a65 ("ice: enable receive hardware timestamping")
Cc: stable@vger.kernel.org
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-7-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -4197,6 +4197,12 @@ int ice_vsi_recfg_qs(struct ice_vsi *vsi
}
ice_pf_dcb_recfg(pf, locked);
ice_vsi_open(vsi);
+ /* Rx rings are reallocated during VSI rebuild and lose their ptp_rx
+ * flag. Restore timestamp mode so newly allocated rings are set up
+ * for hardware Rx timestamping.
+ */
+ if (test_bit(ICE_FLAG_PTP_SUPPORTED, pf->flags))
+ ice_ptp_restore_timestamp_mode(pf);
goto done;
rebuild_err:
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 095/272] wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 094/272] ice: restore PTP Rx timestamp config after ethtool set-channels Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 096/272] af_unix: Fix UAF read of tail->len in unix_stream_data_wait() Greg Kroah-Hartman
` (183 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Walker, Johannes Berg
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Walker <johnwalker0@gmail.com>
commit 7666dbb1bacc4ba522b96740cba7283d243d16e1 upstream.
cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls
cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)
but never advances mbssid_elem or sub_elem inside the body. Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.
Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).
A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in
cfg80211_merge_profile (up to as much as 2ms per beacon received),
which could theoretically be abused in some way.
Cc: stable@vger.kernel.org
Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Signed-off-by: John Walker <johnwalker0@gmail.com>
Link: https://patch.msgid.link/20260507230720.64783-1-johnwalker0@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/scan.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2421,6 +2421,9 @@ size_t cfg80211_merge_profile(const u8 *
memcpy(merged_ie + copied_len, next_sub->data,
next_sub->datalen);
copied_len += next_sub->datalen;
+
+ mbssid_elem = next_mbssid;
+ sub_elem = next_sub;
}
return copied_len;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 096/272] af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 095/272] wifi: cfg80211: advance loop vars in cfg80211_merge_profile() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 097/272] wifi: mac80211: consume only present negotiated TTLM maps Greg Kroah-Hartman
` (182 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Kuniyuki Iwashima,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit be309f8eae8b474a4a617eaae01324da996fc719 upstream.
unix_stream_data_wait() does skb_peek_tail(&sk->sk_receive_queue) without
holding any lock that prevents SKBs on that queue from being dequeued and
freed.
This has been the case since commit 79f632c71bea ("unix/stream: fix
peeking with an offset larger than data in queue").
The first consequence of this is that the pointer comparison
`tail != last` can be false even if `last` semantically refers to an
already-freed SKB while `tail` is a new SKB allocated at the same address;
which can cause unix_stream_data_wait() to wrongly keep blocking after new
data has arrived, but only in a weird scenario where a peeking recv() and
a normal recv() on the same socket are racing, which is probably not a
real problem.
But since commit 2b514574f7e8 ("net: af_unix: implement splice for stream
af_unix sockets"), `tail` is actually dereferenced, which can cause UAF in
the following race scenario (where test_setup() runs single-threaded,
and afterwards, test_thread1() and test_thread2() run concurrently in
two threads:
```
static int socks[2];
void test_setup(void) {
socketpair(AF_UNIX, SOCK_STREAM, 0, socks);
send(socks[1], "A", 1, 0);
int peekoff = 1;
setsockopt(socks[0], SOL_SOCKET, SO_PEEK_OFF, &peekoff, sizeof(peekoff));
}
void test_thread1(void) {
char dummy;
recv(socks[0], &dummy, 1, MSG_PEEK);
}
void test_thread2(void) {
char dummy;
recv(socks[0], &dummy, 1, 0);
shutdown(socks[1], SHUT_WR);
}
```
when racing like this:
```
thread1 thread2
unix_stream_read_generic
mutex_lock(&u->iolock)
skb_peek(&sk->sk_receive_queue)
skb_peek_next(skb, &sk->sk_receive_queue)
mutex_unlock(&u->iolock)
unix_stream_read_generic
unix_state_lock(sk)
skb_peek(&sk->sk_receive_queue)
unix_state_unlock(sk)
unix_stream_data_wait
unix_state_lock(sk)
tail = skb_peek_tail(&sk->sk_receive_queue)
spin_lock(&sk->sk_receive_queue.lock)
__skb_unlink(skb, &sk->sk_receive_queue)
spin_unlock(&sk->sk_receive_queue.lock)
consume_skb(skb) [frees the SKB]
`tail != last`: false
`tail`: true
`tail->len != last_len` ***UAF***
```
Fix the UAF by removing the read of tail->len; checking tail->len would
only make sense if SKBs in the receive queue of a UNIX socket could grow,
which can no longer happen.
Kuniyuki explained:
> When commit 869e7c62486e ("net: af_unix: implement stream sendpage
> support") added sendpage() support, data could be appended to the last
> skb in the receiver's queue.
>
> That's why we needed to check if the length of the last skb was changed
> while waiting for new data in unix_stream_data_wait().
>
> However, commit a0dbf5f818f9 ("af_unix: Support MSG_SPLICE_PAGES") and
> commit 57d44a354a43 ("unix: Convert unix_stream_sendpage() to use
> MSG_SPLICE_PAGES") refactored sendmsg(), and now data is always added
> to a new skb.
That means this fix is not suitable for kernels before 6.5.
Fixes: 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets")
Cc: stable@vger.kernel.org # 6.5.x
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260518-b4-unix-recv-wait-hotfix-v2-1-83e29ce8ad31@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/unix/af_unix.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2570,8 +2570,7 @@ static int unix_read_skb(struct sock *sk
* Sleep until more data has arrived. But check for races..
*/
static long unix_stream_data_wait(struct sock *sk, long timeo,
- struct sk_buff *last, unsigned int last_len,
- bool freezable)
+ struct sk_buff *last, bool freezable)
{
unsigned int state = TASK_INTERRUPTIBLE | freezable * TASK_FREEZABLE;
struct sk_buff *tail;
@@ -2584,7 +2583,6 @@ static long unix_stream_data_wait(struct
tail = skb_peek_tail(&sk->sk_receive_queue);
if (tail != last ||
- (tail && tail->len != last_len) ||
sk->sk_err ||
(sk->sk_shutdown & RCV_SHUTDOWN) ||
signal_pending(current) ||
@@ -2779,7 +2777,6 @@ static int unix_stream_read_generic(stru
int flags = state->flags;
bool check_creds = false;
struct scm_cookie scm;
- unsigned int last_len;
struct unix_sock *u;
int copied = 0;
int err = 0;
@@ -2825,7 +2822,6 @@ redo:
goto unlock;
}
last = skb = skb_peek(&sk->sk_receive_queue);
- last_len = last ? last->len : 0;
again:
#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
@@ -2859,8 +2855,7 @@ again:
mutex_unlock(&u->iolock);
- timeo = unix_stream_data_wait(sk, timeo, last,
- last_len, freezable);
+ timeo = unix_stream_data_wait(sk, timeo, last, freezable);
if (signal_pending(current)) {
err = sock_intr_errno(timeo);
@@ -2877,7 +2872,6 @@ unlock:
while (skip >= unix_skb_len(skb)) {
skip -= unix_skb_len(skb);
last = skb;
- last_len = skb->len;
skb = skb_peek_next(skb, &sk->sk_receive_queue);
if (!skb)
goto again;
@@ -2950,7 +2944,6 @@ unlock:
skip = 0;
last = skb;
- last_len = skb->len;
unix_state_lock(sk);
skb = skb_peek_next(skb, &sk->sk_receive_queue);
if (skb)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 097/272] wifi: mac80211: consume only present negotiated TTLM maps
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 096/272] af_unix: Fix UAF read of tail->len in unix_stream_data_wait() Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 098/272] cifs: Fix busy dentry used after unmounting Greg Kroah-Hartman
` (181 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Johannes Berg
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit a6e6ccd5bd07155c2add6c74ce1a5e68ad3b95ea upstream.
ieee80211_tid_to_link_map_size_ok() validates negotiated TTLM elements
against the number of link-map entries indicated by link_map_presence.
ieee80211_parse_neg_ttlm() must consume the same layout.
The parser advanced its cursor for every TID, including TIDs whose
presence bit is clear and therefore have no map bytes in the element.
A sparse map can then make a later present TID read past the validated
element.
The bad bytes land in neg_ttlm->{up,down}link[tid] but are gated by
valid_links before being applied to driver state, so a peer cannot
turn the read into a policy change. Under KUnit + KASAN with an
exact-sized element allocation the OOB read is reported as a
slab-out-of-bounds; whether the same trigger fires under the
production RX path depends on surrounding allocator state.
Advance the cursor only when the current TID has a map present.
Fixes: 8f500fbc6c65 ("wifi: mac80211: process and save negotiated TID to Link mapping request")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260515151719.1317659-2-michael.bommarito@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mlme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -7290,6 +7290,7 @@ ieee80211_parse_neg_ttlm(struct ieee8021
"No active links for TID %d", tid);
return -EINVAL;
}
+ pos += map_size;
} else {
map = 0;
}
@@ -7308,7 +7309,6 @@ ieee80211_parse_neg_ttlm(struct ieee8021
default:
return -EINVAL;
}
- pos += map_size;
}
return 0;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 098/272] cifs: Fix busy dentry used after unmounting
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 097/272] wifi: mac80211: consume only present negotiated TTLM maps Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 099/272] tracing: Do not call map->ops->elt_free() if elt_alloc() fails Greg Kroah-Hartman
` (180 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shyam Prasad N, Zhihao Cheng,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit c68337442f03953237a94577beb468ab2662a851 upstream.
Since commit 340cea84f691c ("cifs: open files should not hold ref on
superblock"), cifs file only holds the dentry ref_cnt, the cifs file
close work(cfile->deferred) could be executed after unmounting, which
will trigger a warning in generic_shutdown_super:
BUG: Dentry 00000000a14a6845{i=c,n=file} still in use (1) [unmount of
cifs cifs]
The detailed processs is:
process A process B kworker
fd = open(PATH)
vfs_open
file->__f_path = *path // dentry->d_lockref.count = 1
cifs_open
cifs_new_fileinfo
cfile->dentry = dget(dentry) // dentry->d_lockref.count = 2
close(fd)
__fput
cifs_close
queue_delayed_work(deferredclose_wq, cfile->deferred)
dput(dentry) // dentry->d_lockref.count = 1
smb2_deferred_work_close
_cifsFileInfo_put
list_del(&cifs_file->flist)
umount
cleanup_mnt
deactivate_super
cifs_kill_sb
cifs_close_all_deferred_files_sb
cifs_close_all_deferred_files
// cannot find cfile, skip _cifsFileInfo_put
kill_anon_super
generic_shutdown_super
shrink_dcache_for_umount
umount_check
WARN ! // dentry->d_lockref.count = 1
cifsFileInfo_put_final
dput(cifs_file->dentry)
// dentry->d_lockref.count = 0
Fix it by flushing 'deferredclose_wq' before calling kill_anon_super.
Fetch a reproducer in https://bugzilla.kernel.org/show_bug.cgi?id=221548.
Fixes: 340cea84f691c ("cifs: open files should not hold ref on superblock")
Cc: stable@vger.kernel.org
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/cifsfs.c
+++ b/fs/smb/client/cifsfs.c
@@ -299,6 +299,8 @@ static void cifs_kill_sb(struct super_bl
/* Wait for all pending oplock breaks to complete */
flush_workqueue(cifsoplockd_wq);
+ /* Wait for all opened files to release */
+ flush_workqueue(deferredclose_wq);
/* finally release root dentry */
dput(cifs_sb->root);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 099/272] tracing: Do not call map->ops->elt_free() if elt_alloc() fails
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 098/272] cifs: Fix busy dentry used after unmounting Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 100/272] arm64: probes: Handle probes on hinted conditional branch instructions Greg Kroah-Hartman
` (179 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Zanussi, Mathieu Desnoyers,
Rosen Penev, Sashiko, Masami Hiramatsu (Google), Steven Rostedt
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit 8f0f5c4fb9df0e19a341e0c6ed8dc4fda9124f03 upstream.
In paths where tracing_map_elt_alloc() failed to allocate objects,
the map->ops->elt_alloc() call was never successful. In this case,
map->ops->elt_free() should not be called.
Link: https://sashiko.dev/#/patchset/20260520223101.34710-1-rosenp%40gmail.com
Cc: stable@vger.kernel.org
Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Rosen Penev <rosenp@gmail.com>
Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 2734b629525a ("tracing: Add per-element variable support to tracing_map")
Link: https://patch.msgid.link/177933895460.108746.5396070821443932634.stgit@devnote2
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/tracing_map.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/kernel/trace/tracing_map.c
+++ b/kernel/trace/tracing_map.c
@@ -386,13 +386,11 @@ static void tracing_map_elt_init_fields(
}
}
-static void tracing_map_elt_free(struct tracing_map_elt *elt)
+static void __tracing_map_elt_free(struct tracing_map_elt *elt)
{
if (!elt)
return;
- if (elt->map->ops && elt->map->ops->elt_free)
- elt->map->ops->elt_free(elt);
kfree(elt->fields);
kfree(elt->vars);
kfree(elt->var_set);
@@ -400,6 +398,17 @@ static void tracing_map_elt_free(struct
kfree(elt);
}
+static void tracing_map_elt_free(struct tracing_map_elt *elt)
+{
+ if (!elt)
+ return;
+
+ /* Only objects initialized with alloc_elt() should be passed to free_elt().*/
+ if (elt->map->ops && elt->map->ops->elt_free)
+ elt->map->ops->elt_free(elt);
+ __tracing_map_elt_free(elt);
+}
+
static struct tracing_map_elt *tracing_map_elt_alloc(struct tracing_map *map)
{
struct tracing_map_elt *elt;
@@ -444,7 +453,7 @@ static struct tracing_map_elt *tracing_m
}
return elt;
free:
- tracing_map_elt_free(elt);
+ __tracing_map_elt_free(elt);
return ERR_PTR(err);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 100/272] arm64: probes: Handle probes on hinted conditional branch instructions
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 099/272] tracing: Do not call map->ops->elt_free() if elt_alloc() fails Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 101/272] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits Greg Kroah-Hartman
` (178 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vladimir Murzin, Catalin Marinas
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Murzin <vladimir.murzin@arm.com>
commit 2ccd8ff980b50e842481bae71102fa3883fc4377 upstream.
BC.cond instructions introduced by FEAT_HBC cannot be executed
out-of-line, like other branch instructions. However, they can be
simulated in the same way as B.cond instructions.
Extend the B.cond decoder mask to match BC.cond instructions as well,
and handle them using the existing B.cond simulation path.
Fixes: 7f86d128e437 ("arm64: add HWCAP for FEAT_HBC (hinted conditional branches)")
Cc: <stable@vger.kernel.org>
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/insn.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/include/asm/insn.h
+++ b/arch/arm64/include/asm/insn.h
@@ -405,7 +405,7 @@ __AARCH64_INSN_FUNCS(cbz, 0x7F000000, 0x
__AARCH64_INSN_FUNCS(cbnz, 0x7F000000, 0x35000000)
__AARCH64_INSN_FUNCS(tbz, 0x7F000000, 0x36000000)
__AARCH64_INSN_FUNCS(tbnz, 0x7F000000, 0x37000000)
-__AARCH64_INSN_FUNCS(bcond, 0xFF000010, 0x54000000)
+__AARCH64_INSN_FUNCS(bcond, 0xFF000000, 0x54000000)
__AARCH64_INSN_FUNCS(svc, 0xFFE0001F, 0xD4000001)
__AARCH64_INSN_FUNCS(hvc, 0xFFE0001F, 0xD4000002)
__AARCH64_INSN_FUNCS(smc, 0xFFE0001F, 0xD4000003)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 101/272] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 100/272] arm64: probes: Handle probes on hinted conditional branch instructions Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 102/272] KVM: arm64: vgic: Free private_irqs when init fails after allocation Greg Kroah-Hartman
` (177 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Marc Zyngier
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 9ce754ed8e7ab4e3999767ce1505f85c449ccb07 upstream.
Userspace can restore an ITS Device Table Entry whose Size field encodes
more EventID bits than the virtual ITS supports. The live MAPD path
rejects that state, but vgic_its_restore_dte() accepts it and stores the
out-of-range value in dev->num_eventid_bits.
Reject restored DTEs with num_eventid_bits > VITS_TYPER_IDBITS before
allocating the device. This mirrors the MAPD check and prevents the
restored state from reaching vgic_its_restore_itt(), where the unchecked
value can be converted into an oversized scan_its_table() range.
Fixes: 57a9a117154c ("KVM: arm64: vgic-its: Device table save/restore")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://lore.kernel.org/r/20260519132519.2142458-1-michael.bommarito@gmail.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/vgic/vgic-its.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/arm64/kvm/vgic/vgic-its.c
+++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -2295,6 +2295,10 @@ static int vgic_its_restore_dte(struct v
/* dte entry is valid */
offset = (entry & KVM_ITS_DTE_NEXT_MASK) >> KVM_ITS_DTE_NEXT_SHIFT;
+ /* Mimic the MAPD behaviour and reject invalid EID bits. */
+ if (num_eventid_bits > VITS_TYPER_IDBITS)
+ return -EINVAL;
+
if (!vgic_its_check_id(its, baser, id, NULL))
return -EINVAL;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 102/272] KVM: arm64: vgic: Free private_irqs when init fails after allocation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 101/272] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 103/272] riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM Greg Kroah-Hartman
` (176 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will Deacon, Yuan Yao,
Michael Bommarito, Marc Zyngier
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit f19c354dbd457759dfcf1195ab4bdba2bb568323 upstream.
Companion to commit 250f25367b58 ("KVM: arm64: Tear down vGIC on
failed vCPU creation"), which added the missing kvm_vgic_vcpu_destroy()
call to the kvm_share_hyp() failure path in kvm_arch_vcpu_create(). The
kvm_vgic_vcpu_init() failure path immediately above it has the same
shape and still needs the same cleanup.
Call kvm_vgic_vcpu_destroy() when kvm_vgic_vcpu_init() fails so private
IRQs allocated before a redistributor iodev registration failure are
released before the failed vCPU is freed.
Fixes: 03b3d00a70b5 ("KVM: arm64: vgic: Allocate private interrupts on demand")
Cc: stable@vger.kernel.org
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Yuan Yao <yaoyuan@linux.alibaba.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://lore.kernel.org/r/20260519135042.2219239-1-michael.bommarito@gmail.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/arm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -490,8 +490,10 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
kvm_destroy_mpidr_data(vcpu->kvm);
err = kvm_vgic_vcpu_init(vcpu);
- if (err)
+ if (err) {
+ kvm_vgic_vcpu_destroy(vcpu);
return err;
+ }
err = kvm_share_hyp(vcpu, vcpu + 1);
if (err)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 103/272] riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 102/272] KVM: arm64: vgic: Free private_irqs when init fails after allocation Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 104/272] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe Greg Kroah-Hartman
` (175 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Anup Patel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit 0835ee26938e15eccd70f7d33da386b6490f9449 upstream.
kvm_riscv_vcpu_pmu_snapshot_set_shmem() returned -ENOMEM from the
SBI extension handler, which caused kvm_riscv_vcpu_sbi_ecall() to
abort KVM_RUN and surface the error to userspace instead of
ompleting the ECALL with a negative SBI error in a0.
Use SBI_ERR_FAILURE and the normal retdata path, matching other PMU
handlers and kvm_sbi_ext_pmu_handler comment.
Fixes: c2f41ddbcdd7 ("RISC-V: KVM: Implement SBI PMU Snapshot feature")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260514173642.41448-1-osama.abdelkader@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/kvm/vcpu_pmu.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/riscv/kvm/vcpu_pmu.c
+++ b/arch/riscv/kvm/vcpu_pmu.c
@@ -435,8 +435,10 @@ int kvm_riscv_vcpu_pmu_snapshot_set_shme
}
kvpmu->sdata = kzalloc(snapshot_area_size, GFP_ATOMIC);
- if (!kvpmu->sdata)
- return -ENOMEM;
+ if (!kvpmu->sdata) {
+ sbiret = SBI_ERR_FAILURE;
+ goto out;
+ }
if (kvm_vcpu_write_guest(vcpu, saddr, kvpmu->sdata, snapshot_area_size)) {
kfree(kvpmu->sdata);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 104/272] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 103/272] riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 105/272] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
` (174 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit 73d01051e8040c0b1de7fd26b3b8d0c2ffa6895c upstream.
Use devm_drm_bridge_add() so the bridge is released if probe
fails after registration, and drop drm_bridge_remove() in chipone_i2c_probe.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Fixes: 8dde6f7452a1 ("drm: bridge: icn6211: Add I2C configuration support")
Cc: stable@vger.kernel.org
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20260430194944.78119-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/chipone-icn6211.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/bridge/chipone-icn6211.c
+++ b/drivers/gpu/drm/bridge/chipone-icn6211.c
@@ -757,7 +757,9 @@ static int chipone_i2c_probe(struct i2c_
dev_set_drvdata(dev, icn);
i2c_set_clientdata(client, icn);
- drm_bridge_add(&icn->bridge);
+ ret = devm_drm_bridge_add(dev, &icn->bridge);
+ if (ret)
+ return ret;
return chipone_dsi_host_attach(icn);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 105/272] spi: qup: fix error pointer deref after DMA setup failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 104/272] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe Greg Kroah-Hartman
@ 2026-05-28 19:47 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 106/272] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
` (173 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit a7e8f3efd50a165ba0189f6dc57f7e51a7d149db upstream.
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to the clear the DMA channel pointers on setup failure to
avoid dereferencing an error pointer (or attempting to release a channel
a second time) on later probe errors or driver unbind.
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: 612762e82ae6 ("spi: qup: Add DMA capabilities")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=4
Cc: stable@vger.kernel.org # 4.1
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074334.914735-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-qup.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -996,8 +996,11 @@ static int spi_qup_init_dma(struct spi_c
err:
dma_release_channel(host->dma_tx);
+ host->dma_tx = NULL;
err_tx:
dma_release_channel(host->dma_rx);
+ host->dma_rx = NULL;
+
return ret;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 106/272] phy: tegra: xusb: Fix per-pad high-speed termination calibration
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-05-28 19:47 ` [PATCH 6.12 105/272] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 107/272] scsi: isci: Fix use-after-free in device removal path Greg Kroah-Hartman
` (172 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wayne Chang, Wei-Cheng Chen,
Jon Hunter, Vinod Koul
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Chang <waynec@nvidia.com>
commit da110228b54f2e2143d97ea7151e0dc22e539d67 upstream.
The existing code reads a single hs_term_range_adj value from bit field
[10:7] of FUSE_SKU_CALIB_0 and applies it to all USB2 pads uniformly.
However, on SoCs that support per-pad termination, each pad has its own
hs_term_range_adj field: pad 0 in FUSE_SKU_CALIB_0[10:7], and pads 1-3
in FUSE_USB_CALIB_EXT_0 at bit offsets [8:5], [12:9], and [16:13]
respectively.
Fix the calibration by reading per-pad values from the appropriate fuse
registers. For SoCs that do not support per-pad termination, replicate
pad 0's value to all pads to maintain existing behavior.
Add a has_per_pad_term flag to the SoC data to indicate whether per-pad
termination values are available in FUSE_USB_CALIB_EXT_0.
Fixes: 1ef535c6ba8e ("phy: tegra: xusb: Add Tegra194 support")
Cc: stable@vger.kernel.org
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260504033305.2283145-1-weichengc@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/tegra/xusb-tegra186.c | 33 ++++++++++++++++++++++++++-------
drivers/phy/tegra/xusb.h | 1 +
2 files changed, 27 insertions(+), 7 deletions(-)
--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -20,8 +20,8 @@
/* FUSE USB_CALIB registers */
#define HS_CURR_LEVEL_PADX_SHIFT(x) ((x) ? (11 + (x - 1) * 6) : 0)
#define HS_CURR_LEVEL_PAD_MASK 0x3f
-#define HS_TERM_RANGE_ADJ_SHIFT 7
-#define HS_TERM_RANGE_ADJ_MASK 0xf
+#define HS_TERM_RANGE_ADJ_PADX_SHIFT(x) ((x) ? (5 + (x - 1) * 4) : 7)
+#define HS_TERM_RANGE_ADJ_PAD_MASK 0xf
#define HS_SQUELCH_SHIFT 29
#define HS_SQUELCH_MASK 0x7
@@ -253,7 +253,7 @@
struct tegra_xusb_fuse_calibration {
u32 *hs_curr_level;
u32 hs_squelch;
- u32 hs_term_range_adj;
+ u32 *hs_term_range_adj;
u32 rpd_ctrl;
};
@@ -930,7 +930,7 @@ static int tegra186_utmi_phy_power_on(st
value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index));
value &= ~TERM_RANGE_ADJ(~0);
- value |= TERM_RANGE_ADJ(priv->calib.hs_term_range_adj);
+ value |= TERM_RANGE_ADJ(priv->calib.hs_term_range_adj[index]);
value &= ~RPD_CTRL(~0);
value |= RPD_CTRL(priv->calib.rpd_ctrl);
padctl_writel(padctl, value, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index));
@@ -1464,17 +1464,23 @@ static const char * const tegra186_usb3_
static int
tegra186_xusb_read_fuse_calibration(struct tegra186_xusb_padctl *padctl)
{
+ const struct tegra_xusb_padctl_soc *soc = padctl->base.soc;
struct device *dev = padctl->base.dev;
unsigned int i, count;
u32 value, *level;
+ u32 *hs_term_range_adj;
int err;
- count = padctl->base.soc->ports.usb2.count;
+ count = soc->ports.usb2.count;
level = devm_kcalloc(dev, count, sizeof(u32), GFP_KERNEL);
if (!level)
return -ENOMEM;
+ hs_term_range_adj = devm_kcalloc(dev, count, sizeof(u32), GFP_KERNEL);
+ if (!hs_term_range_adj)
+ return -ENOMEM;
+
err = tegra_fuse_readl(TEGRA_FUSE_SKU_CALIB_0, &value);
if (err)
return dev_err_probe(dev, err,
@@ -1490,8 +1496,8 @@ tegra186_xusb_read_fuse_calibration(stru
padctl->calib.hs_squelch = (value >> HS_SQUELCH_SHIFT) &
HS_SQUELCH_MASK;
- padctl->calib.hs_term_range_adj = (value >> HS_TERM_RANGE_ADJ_SHIFT) &
- HS_TERM_RANGE_ADJ_MASK;
+ hs_term_range_adj[0] = (value >> HS_TERM_RANGE_ADJ_PADX_SHIFT(0)) &
+ HS_TERM_RANGE_ADJ_PAD_MASK;
err = tegra_fuse_readl(TEGRA_FUSE_USB_CALIB_EXT_0, &value);
if (err) {
@@ -1503,6 +1509,17 @@ tegra186_xusb_read_fuse_calibration(stru
padctl->calib.rpd_ctrl = (value >> RPD_CTRL_SHIFT) & RPD_CTRL_MASK;
+ for (i = 1; i < count; i++) {
+ if (soc->has_per_pad_term)
+ hs_term_range_adj[i] =
+ (value >> HS_TERM_RANGE_ADJ_PADX_SHIFT(i)) &
+ HS_TERM_RANGE_ADJ_PAD_MASK;
+ else
+ hs_term_range_adj[i] = hs_term_range_adj[0];
+ }
+
+ padctl->calib.hs_term_range_adj = hs_term_range_adj;
+
return 0;
}
@@ -1708,6 +1725,7 @@ const struct tegra_xusb_padctl_soc tegra
.num_supplies = ARRAY_SIZE(tegra194_xusb_padctl_supply_names),
.supports_gen2 = true,
.poll_trk_completed = true,
+ .has_per_pad_term = true,
};
EXPORT_SYMBOL_GPL(tegra194_xusb_padctl_soc);
@@ -1732,6 +1750,7 @@ const struct tegra_xusb_padctl_soc tegra
.trk_hw_mode = false,
.trk_update_on_idle = true,
.supports_lp_cfg_en = true,
+ .has_per_pad_term = true,
};
EXPORT_SYMBOL_GPL(tegra234_xusb_padctl_soc);
#endif
--- a/drivers/phy/tegra/xusb.h
+++ b/drivers/phy/tegra/xusb.h
@@ -436,6 +436,7 @@ struct tegra_xusb_padctl_soc {
bool trk_hw_mode;
bool trk_update_on_idle;
bool supports_lp_cfg_en;
+ bool has_per_pad_term;
};
struct tegra_xusb_padctl {
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 107/272] scsi: isci: Fix use-after-free in device removal path
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 106/272] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 108/272] spi: ep93xx: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
` (171 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit b52a8d52c3125ec9a93106ed816582368de34426 upstream.
The ISCI completion tasklet is initialized in isci_host_alloc()
(drivers/scsi/isci/init.c:496) and scheduled from both MSI-X and legacy
interrupt handlers (drivers/scsi/isci/host.c:223,613).
isci_host_deinit() stops the controller and waits for stop completion,
but it never kills completion_tasklet before teardown continues. A
top-of-function tasklet_kill() is not sufficient here: interrupts are
only disabled when isci_host_stop_complete() runs, so until
wait_for_stop() returns the IRQ handlers can still requeue the
tasklet. The tasklet callback also re-enables interrupts after draining
completions, so killing the tasklet before the source is quiesced leaves
the same race open.
Once wait_for_stop() returns, no further IRQ-driven scheduling can
occur. Kill completion_tasklet there so teardown cannot race a queued
tasklet running on a dead ihost. On remove or unload, the stale callback
can otherwise dereference ihost and touch ihost->smu_registers after the
host lifetime ends.
A UML + KASAN analogue reproduced the failure class both with no
tasklet_kill() and with tasklet_kill() placed before source quiesce, and
stayed clean once the kill happened after quiescing the scheduling
source.
This mirrors commit f6ab594672d4 ("scsi: aic94xx: fix use-after-free in
device removal path"), but ISCI needs the kill after wait_for_stop().
Fixes: 6f231dda6808 ("isci: Intel(R) C600 Series Chipset Storage Control Unit Driver")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419210420.2134639-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/isci/host.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/scsi/isci/host.c
+++ b/drivers/scsi/isci/host.c
@@ -1252,6 +1252,9 @@ void isci_host_deinit(struct isci_host *
wait_for_stop(ihost);
+ /* No further IRQ-driven scheduling can happen past wait_for_stop(). */
+ tasklet_kill(&ihost->completion_tasklet);
+
/* phy stop is after controller stop to allow port and device to
* go idle before shutting down the phys, but the expectation is
* that i/o has been shut off well before we reach this
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 108/272] spi: ep93xx: fix error pointer deref after DMA setup failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 107/272] scsi: isci: Fix use-after-free in device removal path Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 109/272] spi: sprd: " Greg Kroah-Hartman
` (170 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nikita Shubin, Johan Hovold,
Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 5e121a81667a83e9a01d62b429e340f5a4a84abc upstream.
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to the clear the DMA channel pointers on setup failure to
avoid dereferencing an error pointer on later probe errors or driver
unbind.
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: e79e7c2df627 ("spi: ep93xx: add DT support for Cirrus EP93xx")
Link: https://sashiko.dev/#/patchset/20260429091333.165363-1-johan%40kernel.org?part=10
Cc: stable@vger.kernel.org # 6.12
Cc: Nikita Shubin <nikita.shubin@maquefel.me>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Nikita Shubin <nikita.shubin@maquefel.me>
Link: https://patch.msgid.link/20260512074849.915143-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-ep93xx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/spi/spi-ep93xx.c b/drivers/spi/spi-ep93xx.c
index db50018050e5..f716c9607be4 100644
--- a/drivers/spi/spi-ep93xx.c
+++ b/drivers/spi/spi-ep93xx.c
@@ -582,12 +582,14 @@ static int ep93xx_spi_setup_dma(struct device *dev, struct ep93xx_spi *espi)
espi->dma_rx = dma_request_chan(dev, "rx");
if (IS_ERR(espi->dma_rx)) {
ret = dev_err_probe(dev, PTR_ERR(espi->dma_rx), "rx DMA setup failed");
+ espi->dma_rx = NULL;
goto fail_free_page;
}
espi->dma_tx = dma_request_chan(dev, "tx");
if (IS_ERR(espi->dma_tx)) {
ret = dev_err_probe(dev, PTR_ERR(espi->dma_tx), "tx DMA setup failed");
+ espi->dma_tx = NULL;
goto fail_release_rx;
}
--
2.54.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 109/272] spi: sprd: fix error pointer deref after DMA setup failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 108/272] spi: ep93xx: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 110/272] spi: ti-qspi: fix use-after-free " Greg Kroah-Hartman
` (169 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lanqing Liu, Johan Hovold,
Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3d67fffb74267772d461c02c67f1eff893ad547d upstream.
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to check the dma.enabled flag before trying to release the DMA
channels also on late probe errors to avoid dereferencing an error
pointer (or attempting to release a channel a second time).
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: 386119bc7be9 ("spi: sprd: spi: sprd: Add DMA mode support")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=10
Cc: stable@vger.kernel.org # 5.1
Cc: Lanqing Liu <lanqing.liu@unisoc.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074733.915029-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sprd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-sprd.c
+++ b/drivers/spi/spi-sprd.c
@@ -993,7 +993,8 @@ err_rpm_put:
disable_clk:
clk_disable_unprepare(ss->clk);
release_dma:
- sprd_spi_dma_release(ss);
+ if (ss->dma.enable)
+ sprd_spi_dma_release(ss);
free_controller:
spi_controller_put(sctlr);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 110/272] spi: ti-qspi: fix use-after-free after DMA setup failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 109/272] spi: sprd: " Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 111/272] RDMA/siw: Reject MPA FPDU length underflow before signed receive math Greg Kroah-Hartman
` (168 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vignesh R, Johan Hovold, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ea6ec3343e05f7937a53eb6d7617b3abdb4abc19 upstream.
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to clear the DMA channel pointer also if buffer allocation
fails to avoid passing a pointer to the released channel to the DMA
engine (or trying to free the channel a second time on late probe errors
or driver unbind).
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: c687c46e9e45 ("spi: spi-ti-qspi: Use bounce buffer if read buffer is not DMA'ble")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=17
Cc: stable@vger.kernel.org # 4.12
Cc: Vignesh R <vigneshr@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074809.915084-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-ti-qspi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -874,6 +874,7 @@ static int ti_qspi_probe(struct platform
dev_err(qspi->dev,
"dma_alloc_coherent failed, using PIO mode\n");
dma_release_channel(qspi->rx_chan);
+ qspi->rx_chan = NULL;
goto no_dma;
}
host->dma_rx = qspi->rx_chan;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 111/272] RDMA/siw: Reject MPA FPDU length underflow before signed receive math
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 110/272] spi: ti-qspi: fix use-after-free " Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 112/272] LoongArch: Remove unused code to avoid build warning Greg Kroah-Hartman
` (167 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Bernard Metzler,
Jason Gunthorpe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 0ce1bc9e46ecabe84772bb561e373c0d9876d6f2 upstream.
A malicious connected siw peer can send an iWARP FPDU whose MPA length
field (c_hdr->mpa_len, 16 bit big-endian, peer-controlled) is smaller
than the fixed DDP/RDMAP header for the announced opcode. Soft-iWARP
parses the full header in siw_get_hdr() based on iwarp_pktinfo[opcode]
.hdr_len, but never compares mpa_len against that header length.
siw_tcp_rx_data() then derives
srx->fpdu_part_rem = be16_to_cpu(mpa_len) - fpdu_part_rcvd
+ MPA_HDR_SIZE;
where fpdu_part_rcvd equals iwarp_pktinfo[opcode].hdr_len at this
point. For a tagged WRITE (hdr_len 16, MPA_HDR_SIZE 2) the smallest
on-wire mpa_len of 0 yields fpdu_part_rem = -14, and any mpa_len below
hdr_len - MPA_HDR_SIZE underflows to a negative int.
The signed value then flows into siw_proc_write()/siw_proc_rresp() as
bytes = min(srx->fpdu_part_rem, srx->skb_new);
is handed to siw_check_mem() as an int len (whose interval check
addr + len > mem->va + mem->len is satisfied for a valid base when
len is negative), and reaches siw_rx_data() -> siw_rx_kva() /
siw_rx_umem() -> skb_copy_bits() as a signed copy length. The header
copy branch in skb_copy_bits() promotes that to size_t, producing a
multi-gigabyte read.
KASAN under a KUnit harness that drives the real kernel TCP receive
path -- a loopback AF_INET socketpair, the malformed FPDU written via
kernel_sendmsg, sk_data_ready firing in softirq, tcp_read_sock
dispatching to siw_tcp_rx_data -- reports:
BUG: KASAN: use-after-free in skb_copy_bits+0x284/0x480
Read of size 4294967295 at addr ffff888...
Call Trace:
skb_copy_bits
siw_rx_kva
siw_rx_data
siw_check_mem
siw_proc_write
siw_tcp_rx_data
__tcp_read_sock
siw_qp_llp_data_ready
tcp_data_ready
tcp_data_queue
Add the missing invariant at the earliest point where the peer header
is fully assembled. iwarp_pktinfo[*].hdr_len - MPA_HDR_SIZE is exactly
the value the siw transmitter uses as the minimum mpa_len for each
opcode (drivers/infiniband/sw/siw/siw_qp.c:33), so this matches the
protocol contract. Out-of-range FPDUs terminate the connection with
TERM_ERROR_LAYER_LLP / LLP_ETYPE_MPA / LLP_ECODE_FPDU_START -- which
is RFC 5044 Section 8 error code 3 ("Marker and ULPDU Length fields
do not agree on the start of an FPDU"), the correct framing-error
class for this inconsistency.
Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
Link: https://patch.msgid.link/r/20260513175325.2042630-2-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Acked-by: Bernard Metzler <bernard.metzler@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/siw/siw_qp_rx.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
@@ -1082,6 +1082,21 @@ static int siw_get_hdr(struct siw_rx_str
}
/*
+ * Peer-controlled mpa_len must not underflow srx->fpdu_part_rem
+ * in siw_tcp_rx_data(); a negative value flows as a signed copy
+ * length into siw_check_mem() and skb_copy_bits().
+ */
+ if (unlikely(be16_to_cpu(c_hdr->mpa_len) + MPA_HDR_SIZE <
+ iwarp_pktinfo[opcode].hdr_len)) {
+ pr_warn_ratelimited("siw: short mpa_len %u for opcode %u (hdr_len %u)\n",
+ be16_to_cpu(c_hdr->mpa_len), opcode,
+ iwarp_pktinfo[opcode].hdr_len);
+ siw_init_terminate(rx_qp(srx), TERM_ERROR_LAYER_LLP,
+ LLP_ETYPE_MPA, LLP_ECODE_FPDU_START, 0);
+ return -EINVAL;
+ }
+
+ /*
* DDP/RDMAP header receive completed. Check if the current
* DDP segment starts a new RDMAP message or continues a previously
* started RDMAP message.
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 112/272] LoongArch: Remove unused code to avoid build warning
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 111/272] RDMA/siw: Reject MPA FPDU length underflow before signed receive math Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 113/272] device property: set fwnode->secondary to NULL in fwnode_init() Greg Kroah-Hartman
` (166 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guo Ren, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 0ccc9d47cf020994097ff51827cebd04aa2b0bf4 upstream.
After commit feee6b2989165631b1 ("mm/memory_hotplug: shrink zones when
offlining memory"), __remove_pages() doesn't need the "zone" parameter
so the "page" variable is also unused. Remove the unused code to avoid
such build warning:
arch/loongarch/mm/init.c: In function 'arch_remove_memory':
arch/loongarch/mm/init.c:134:22: warning: variable 'page' set but not used [-Wunused-but-set-variable=]
134 | struct page *page = pfn_to_page(start_pfn);
Cc: <stable@vger.kernel.org>
Reviewed-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/mm/init.c | 4 ----
1 file changed, 4 deletions(-)
--- a/arch/loongarch/mm/init.c
+++ b/arch/loongarch/mm/init.c
@@ -107,11 +107,7 @@ void arch_remove_memory(u64 start, u64 s
{
unsigned long start_pfn = start >> PAGE_SHIFT;
unsigned long nr_pages = size >> PAGE_SHIFT;
- struct page *page = pfn_to_page(start_pfn);
- /* With altmap the first mapped page is offset from @start */
- if (altmap)
- page += vmem_altmap_offset(altmap);
__remove_pages(start_pfn, nr_pages, altmap);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 113/272] device property: set fwnode->secondary to NULL in fwnode_init()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 112/272] LoongArch: Remove unused code to avoid build warning Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 114/272] drm/virtio: use uninterruptible resv lock for plane updates Greg Kroah-Hartman
` (165 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Bartosz Golaszewski,
Rafael J. Wysocki (Intel), Andy Shevchenko, Sakari Ailus
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
commit 215c90ee656114f5e8c32408228d97082f8e0eef upstream.
If a firmware node is allocated on the stack (for instance: temporary
software node whose life-time we control) or on the heap - but using a
non-zeroing allocation function - and initialized using fwnode_init(),
its secondary pointer will contain uninitalized memory which likely will
be neither NULL nor IS_ERR() and so may end up being dereferenced (for
example: in dev_to_swnode()). Set fwnode->secondary to NULL on
initialization.
Cc: stable <stable@kernel.org>
Fixes: 01bb86b380a3 ("driver core: Add fwnode_init()")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260506115701.23035-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/fwnode.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/fwnode.h
+++ b/include/linux/fwnode.h
@@ -200,6 +200,7 @@ struct fwnode_operations {
static inline void fwnode_init(struct fwnode_handle *fwnode,
const struct fwnode_operations *ops)
{
+ fwnode->secondary = NULL;
fwnode->ops = ops;
INIT_LIST_HEAD(&fwnode->consumers);
INIT_LIST_HEAD(&fwnode->suppliers);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 114/272] drm/virtio: use uninterruptible resv lock for plane updates
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 113/272] device property: set fwnode->secondary to NULL in fwnode_init() Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 115/272] drm/amdgpu/vpe: Force collaborate sync after TRAP Greg Kroah-Hartman
` (164 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+72bd3dd3a5d5f39a0271,
Deepanshu Kartikey, Dmitry Osipenko
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 9af1b6e175c82daf4b423da339a722d8e67a735a upstream.
virtio_gpu_cursor_plane_update() and virtio_gpu_resource_flush() lock
the framebuffer BO's dma_resv via virtio_gpu_array_lock_resv() and
ignore its return value. The function can fail with -EINTR from
dma_resv_lock_interruptible() (signal during lock wait) or with
-ENOMEM from dma_resv_reserve_fences() (fence slot allocation),
leaving the resv lock not held. The queue path then walks the object
array and calls dma_resv_add_fence(), which requires the lock held;
with lockdep enabled this trips dma_resv_assert_held():
WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840
Call Trace:
virtio_gpu_array_add_fence
virtio_gpu_queue_ctrl_sgs
virtio_gpu_queue_fenced_ctrl_buffer
virtio_gpu_cursor_plane_update
drm_atomic_helper_commit_planes
drm_atomic_helper_commit_tail
commit_tail
drm_atomic_helper_commit
drm_atomic_commit
drm_atomic_helper_update_plane
__setplane_atomic
drm_mode_cursor_universal
drm_mode_cursor_common
drm_mode_cursor_ioctl
drm_ioctl
__x64_sys_ioctl
Beyond the WARN, mutating the dma_resv fence list without the lock
races with concurrent readers/writers and can corrupt the list.
Both call sites run inside the .atomic_update plane callback, which
DRM atomic helpers do not allow to fail (by the time it runs, the
commit has been signed off to userspace and there is no clean
rollback path). Moving the lock acquisition to .prepare_fb was
rejected because the broader lock scope deadlocks against other BO
locking paths in the same atomic commit.
Introduce virtio_gpu_lock_one_resv_uninterruptible() that uses
dma_resv_lock() instead of dma_resv_lock_interruptible(). This
eliminates the -EINTR failure mode -- the realistic syzbot trigger
-- without extending the lock hold across the commit. The helper
locks a single BO and rejects nents > 1 with -EINVAL; both fix
sites lock exactly one BO.
Use it from virtio_gpu_cursor_plane_update() and
virtio_gpu_resource_flush(); check the return value to handle the
remaining -ENOMEM case from dma_resv_reserve_fences() by freeing
the objs and skipping the plane update for that frame. The
framebuffer BOs touched here are not shared with other contexts
and lock contention is expected to be brief, so the loss of
signal-interruptibility is acceptable.
Other callers of virtio_gpu_array_lock_resv() (the ioctl paths)
continue to use the interruptible variant.
The bug was reported by syzbot, triggered via fault injection
(fail_nth) on the DRM_IOCTL_MODE_CURSOR path, which forces the
-ENOMEM branch in dma_resv_reserve_fences().
Reported-by: syzbot+72bd3dd3a5d5f39a0271@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
Fixes: 5cfd31c5b3a3 ("drm/virtio: fix virtio_gpu_cursor_plane_update().")
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patch.msgid.link/20260519082247.34470-1-kartikey406@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/virtio/virtgpu_drv.h | 1 +
drivers/gpu/drm/virtio/virtgpu_gem.c | 17 +++++++++++++++++
drivers/gpu/drm/virtio/virtgpu_plane.c | 10 ++++++++--
3 files changed, 26 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/virtio/virtgpu_drv.h
+++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
@@ -318,6 +318,7 @@ virtio_gpu_array_from_handles(struct drm
void virtio_gpu_array_add_obj(struct virtio_gpu_object_array *objs,
struct drm_gem_object *obj);
int virtio_gpu_array_lock_resv(struct virtio_gpu_object_array *objs);
+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs);
void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs);
void virtio_gpu_array_add_fence(struct virtio_gpu_object_array *objs,
struct dma_fence *fence);
--- a/drivers/gpu/drm/virtio/virtgpu_gem.c
+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
@@ -236,6 +236,23 @@ int virtio_gpu_array_lock_resv(struct vi
return ret;
}
+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs)
+{
+ int ret;
+
+ if (objs->nents != 1)
+ return -EINVAL;
+
+ dma_resv_lock(objs->objs[0]->resv, NULL);
+
+ ret = dma_resv_reserve_fences(objs->objs[0]->resv, 1);
+ if (ret) {
+ virtio_gpu_array_unlock_resv(objs);
+ return ret;
+ }
+ return 0;
+}
+
void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs)
{
if (objs->nents == 1) {
--- a/drivers/gpu/drm/virtio/virtgpu_plane.c
+++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
@@ -168,7 +168,10 @@ static void virtio_gpu_resource_flush(st
if (!objs)
return;
virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
- virtio_gpu_array_lock_resv(objs);
+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
+ virtio_gpu_array_put_free(objs);
+ return;
+ }
virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
width, height, objs,
vgplane_st->fence);
@@ -339,7 +342,10 @@ static void virtio_gpu_cursor_plane_upda
if (!objs)
return;
virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
- virtio_gpu_array_lock_resv(objs);
+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
+ virtio_gpu_array_put_free(objs);
+ return;
+ }
virtio_gpu_cmd_transfer_to_host_2d
(vgdev, 0,
plane->state->crtc_w,
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 115/272] drm/amdgpu/vpe: Force collaborate sync after TRAP
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 114/272] drm/virtio: use uninterruptible resv lock for plane updates Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 116/272] drm/bridge: it66121: acquire reset GPIO in probe Greg Kroah-Hartman
` (163 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD), Alan liu,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Liu <haoping.liu@amd.com>
commit b6074630a461b1322a814988779005cbc43612ea upstream.
VPE1 could possibly hang and fail to power off at the end of commands in
collaboration mode. This workaround adds a COLLAB_SYNC after TRAP to
force instances synchronized to avoid VPE1 fail to power off.
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Alan liu <haoping.liu@amd.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/5171
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a8b749c5c5afb7e5daa2bfb95d958fb3c6b8f055)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c
@@ -556,6 +556,11 @@ static void vpe_ring_emit_fence(struct a
amdgpu_ring_write(ring, 0);
}
+ /* WA: Force sync after TRAP to avoid VPE1 fail to power off */
+ if (ring->adev->vpe.collaborate_mode) {
+ amdgpu_ring_write(ring, VPE_CMD_HEADER(VPE_CMD_OPCODE_COLLAB_SYNC, 0));
+ amdgpu_ring_write(ring, 0xabcd);
+ }
}
static void vpe_ring_emit_pipeline_sync(struct amdgpu_ring *ring)
@@ -904,7 +909,7 @@ static const struct amdgpu_ring_funcs vp
.emit_frame_size =
5 + /* vpe_ring_init_cond_exec */
6 + /* vpe_ring_emit_pipeline_sync */
- 10 + 10 + 10 + /* vpe_ring_emit_fence */
+ 12 + 12 + 12 + /* vpe_ring_emit_fence */
/* vpe_ring_emit_vm_flush */
SOC15_FLUSH_GPU_TLB_NUM_WREG * 3 +
SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 6,
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 116/272] drm/bridge: it66121: acquire reset GPIO in probe
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 115/272] drm/amdgpu/vpe: Force collaborate sync after TRAP Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 117/272] drm/bridge: megachips: remove bridge when irq request fails Greg Kroah-Hartman
` (162 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julien Chauveau,
Javier Martinez Canillas
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julien Chauveau <chauveau.julien@gmail.com>
commit e02b5262fd288cc235f14e12233ea54e78c04611 upstream.
The it66121_ctx structure has a gpio_reset field, and it66121_hw_reset()
calls gpiod_set_value() on it. However, the GPIO descriptor is never
acquired via devm_gpiod_get(), leaving gpio_reset as NULL throughout
the driver lifetime.
gpiod_set_value() silently returns when passed a NULL descriptor, so
the hardware reset sequence in it66121_hw_reset() is a no-op. This
leaves the chip in an undefined state at probe time, which can prevent
it from responding on the I2C bus.
The DT binding marks reset-gpios as a required property, so all
compliant device trees provide this GPIO. Add the missing
devm_gpiod_get() call after enabling power supplies and before the
hardware reset, so the chip is properly reset with power applied.
Fixes: 988156dc2fc9 ("drm: bridge: add it66121 driver")
Cc: stable@vger.kernel.org
Signed-off-by: Julien Chauveau <chauveau.julien@gmail.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patch.msgid.link/20260324193011.16583-1-chauveau.julien@gmail.com
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/bridge/ite-it66121.c
+++ b/drivers/gpu/drm/bridge/ite-it66121.c
@@ -1559,6 +1559,11 @@ static int it66121_probe(struct i2c_clie
return ret;
}
+ ctx->gpio_reset = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW);
+ if (IS_ERR(ctx->gpio_reset))
+ return dev_err_probe(dev, PTR_ERR(ctx->gpio_reset),
+ "Failed to get reset GPIO\n");
+
it66121_hw_reset(ctx);
ctx->regmap = devm_regmap_init_i2c(client, &it66121_regmap_config);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 117/272] drm/bridge: megachips: remove bridge when irq request fails
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 116/272] drm/bridge: it66121: acquire reset GPIO in probe Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 118/272] drm/amd/display: Fix integer overflow in bios_get_image() Greg Kroah-Hartman
` (161 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli,
Ian Ray
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit d45d5c819f2cd0b6b5d76a194a537a5f4aeefecb upstream.
If devm_request_threaded_irq() fails after drm_bridge_add(), remove the
bridge before returning.
Keep drm_bridge_add() rather than devm_drm_bridge_add(): registration is
tied to the STDP4028 device while ge_b850v3_register() may complete from
either I2C probe; devm would not unwind the bridge if the other client's
probe fails.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Fixes: fcfa0ddc18ed ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)")
Cc: stable@vger.kernel.org
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Ian Ray <ian.ray@gehealthcare.com>
Link: https://patch.msgid.link/20260430195700.80317-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 16 +++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
@@ -258,7 +258,6 @@ static void ge_b850v3_lvds_remove(void)
goto out;
drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge);
-
ge_b850v3_lvds_ptr = NULL;
out:
mutex_unlock(&ge_b850v3_lvds_dev_mutex);
@@ -268,6 +267,7 @@ static int ge_b850v3_register(void)
{
struct i2c_client *stdp4028_i2c = ge_b850v3_lvds_ptr->stdp4028_i2c;
struct device *dev = &stdp4028_i2c->dev;
+ int ret;
/* drm bridge initialization */
ge_b850v3_lvds_ptr->bridge.funcs = &ge_b850v3_lvds_funcs;
@@ -285,11 +285,15 @@ static int ge_b850v3_register(void)
if (!stdp4028_i2c->irq)
return 0;
- return devm_request_threaded_irq(&stdp4028_i2c->dev,
- stdp4028_i2c->irq, NULL,
- ge_b850v3_lvds_irq_handler,
- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
- "ge-b850v3-lvds-dp", ge_b850v3_lvds_ptr);
+ ret = devm_request_threaded_irq(&stdp4028_i2c->dev,
+ stdp4028_i2c->irq, NULL,
+ ge_b850v3_lvds_irq_handler,
+ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+ "ge-b850v3-lvds-dp", ge_b850v3_lvds_ptr);
+ if (ret)
+ drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge);
+
+ return ret;
}
static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c)
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 118/272] drm/amd/display: Fix integer overflow in bios_get_image()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 117/272] drm/bridge: megachips: remove bridge when irq request fails Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 119/272] drm/amd/display: Validate GPIO pin LUT table size before iterating Greg Kroah-Hartman
` (160 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Ivan Lipski, Dan Wheeler, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit cd86529ec61474a38c3837fb7823790a7c3f8cce upstream.
[Why&How]
The bounds check in bios_get_image() computes 'offset + size' using
unsigned 32-bit arithmetic before comparing against bios_size. If a
VBIOS image contains a near-UINT32_MAX offset the addition wraps to a
small value, the comparison passes, and the function returns a wild
pointer past the VBIOS mapping.
Additionally, the comparison uses '<' (strict), which incorrectly
rejects the valid exact-fit case where offset + size == bios_size.
Fix both issues by restructuring the check to avoid the addition
entirely: first reject if offset alone exceeds bios_size, then check
size against the remaining space (bios_size - offset). This eliminates
the overflow and correctly permits exact-fit accesses.
Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d40fb392af659c4a02b560319f226842f6ec1a95)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c
@@ -37,10 +37,13 @@ uint8_t *bios_get_image(struct dc_bios *
uint32_t offset,
uint32_t size)
{
- if (bp->bios && offset + size < bp->bios_size)
- return bp->bios + offset;
- else
+ if (!bp->bios)
return NULL;
+
+ if (offset > bp->bios_size || size > bp->bios_size - offset)
+ return NULL;
+
+ return bp->bios + offset;
}
#include "reg_helper.h"
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 119/272] drm/amd/display: Validate GPIO pin LUT table size before iterating
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 118/272] drm/amd/display: Fix integer overflow in bios_get_image() Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 120/272] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Greg Kroah-Hartman
` (159 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Ivan Lipski, Dan Wheeler, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit 86d2b20644b11d21fe52c596e6e922b4590a3e3f upstream.
[Why&How]
The GPIO pin table parsers in get_gpio_i2c_info() and
bios_parser_get_gpio_pin_info() derive an element count from the VBIOS
table_header.structuresize field, then iterate over gpio_pin[] entries.
However, GET_IMAGE() only validates that the table header itself fits
within the BIOS image. If the VBIOS reports a structuresize larger than
the actual mapped data, the loop reads past the end of the BIOS image,
causing an out-of-bounds read.
Fix this by calling bios_get_image() to validate that the full claimed
structuresize is accessible within the BIOS image before entering the
loop in both functions.
Assisted-by: GitHub Copilot:claude-opus-4-6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba5e95b43b773ae1bf1f66ee6b31eb774e65afe3)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -492,6 +492,10 @@ static enum bp_result get_gpio_i2c_info(
- sizeof(struct atom_common_table_header))
/ sizeof(struct atom_gpio_pin_assignment);
+ if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),
+ le16_to_cpu(header->table_header.structuresize)))
+ return BP_RESULT_BADBIOSTABLE;
+
pin = (struct atom_gpio_pin_assignment *) header->gpio_pin;
for (table_index = 0; table_index < count; table_index++) {
@@ -680,6 +684,11 @@ static enum bp_result bios_parser_get_gp
count = (le16_to_cpu(header->table_header.structuresize)
- sizeof(struct atom_common_table_header))
/ sizeof(struct atom_gpio_pin_assignment);
+
+ if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),
+ le16_to_cpu(header->table_header.structuresize)))
+ return BP_RESULT_BADBIOSTABLE;
+
for (i = 0; i < count; ++i) {
if (header->gpio_pin[i].gpio_id != gpio_id)
continue;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 120/272] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 119/272] drm/amd/display: Validate GPIO pin LUT table size before iterating Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 121/272] batman-adv: mcast: fix use-after-free in orig_node RCU release Greg Kroah-Hartman
` (158 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Ivan Lipski, Dan Wheeler, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit 6c92f6d9600efa3ef0d9e560a2b52776d9803c29 upstream.
[Why&How]
dc_process_dmub_aux_transfer_async() copies payload->length bytes into a
16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which
is a no-op in release builds. If a caller ever passes length > 16 this
results in a stack buffer overflow via memcpy.
Additionally, link_index is used to dereference dc->links[] without
bounds checking against dc->link_count, risking an out-of-bounds access.
Replace the ASSERT with a hard runtime check that returns false when
payload->length exceeds the destination buffer size, and add a bounds
check for link_index before it is used.
Assisted-by: GitHub Copilot:Claude claude-4-opus
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -5661,7 +5661,11 @@ bool dc_process_dmub_aux_transfer_async(
uint8_t action;
union dmub_rb_cmd cmd = {0};
- ASSERT(payload->length <= 16);
+ if (link_index >= dc->link_count || !dc->links[link_index])
+ return false;
+
+ if (payload->length > sizeof(cmd.dp_aux_access.aux_control.dpaux.data))
+ return false;
cmd.dp_aux_access.header.type = DMUB_CMD__DP_AUX_ACCESS;
cmd.dp_aux_access.header.payload_bytes = 0;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 121/272] batman-adv: mcast: fix use-after-free in orig_node RCU release
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 120/272] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 122/272] batman-adv: clear current gateway during teardown Greg Kroah-Hartman
` (157 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Linus Lüssing,
Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 20c2d6a20ca936f5aaa6dd40f73f262ac45c87cc upstream.
batadv_mcast_purge_orig() removes entries from RCU-protected hlists but
does not wait for an RCU grace period before returning. Concurrent RCU
readers may still accesses references to those entries at the point of
removal. RCU-protected readers trying to operate on entries like
orig->mcast_want_all_ipv6_node will then access already freed memory.
Fix this by moving batadv_mcast_purge_orig() to batadv_orig_node_release(),
just before the call_rcu() invocation. This ensures RCU readers that were
active at purge time have drained before the orig_node memory is reclaimed.
Cc: stable@kernel.org
Fixes: ab49886e3da7 ("batman-adv: Add IPv4 link-local/IPv6-ll-all-nodes multicast support")
Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/originator.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -850,8 +850,6 @@ static void batadv_orig_node_free_rcu(st
orig_node = container_of(rcu, struct batadv_orig_node, rcu);
- batadv_mcast_purge_orig(orig_node);
-
batadv_frag_purge_orig(orig_node, NULL);
kfree(orig_node->tt_buff);
@@ -905,6 +903,8 @@ void batadv_orig_node_release(struct kre
/* Free nc_nodes */
batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL);
+ batadv_mcast_purge_orig(orig_node);
+
call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 122/272] batman-adv: clear current gateway during teardown
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 121/272] batman-adv: mcast: fix use-after-free in orig_node RCU release Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 123/272] batman-adv: dat: handle forward allocation error Greg Kroah-Hartman
` (156 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruijie Li, Zhanpeng Li, Ren Wei,
Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruijie Li <ruijieli51@gmail.com>
commit a340a51ed801eab7bb454150c226323b865263cc upstream.
batadv_gw_node_free() removes the gateway list entries during mesh teardown,
but it does not clear the currently selected gateway. This leaves stale
gateway state behind across cleanup and can break a later mesh recreation.
Clear bat_priv->gw.curr_gw before walking the gateway list so the selected
gateway reference is dropped as part of teardown.
Fixes: 2265c1410864 ("batman-adv: gateway election code refactoring")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Zhanpeng Li <lzhanpeng2025@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/gateway_client.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -479,10 +479,14 @@ void batadv_gw_node_delete(struct batadv
*/
void batadv_gw_node_free(struct batadv_priv *bat_priv)
{
+ struct batadv_gw_node *curr_gw;
struct batadv_gw_node *gw_node;
struct hlist_node *node_tmp;
spin_lock_bh(&bat_priv->gw.list_lock);
+ curr_gw = rcu_replace_pointer(bat_priv->gw.curr_gw, NULL, true);
+ batadv_gw_node_put(curr_gw);
+
hlist_for_each_entry_safe(gw_node, node_tmp,
&bat_priv->gw.gateway_list, list) {
hlist_del_init_rcu(&gw_node->list);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 123/272] batman-adv: dat: handle forward allocation error
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 122/272] batman-adv: clear current gateway during teardown Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 124/272] batman-adv: fix fragment reassembly length accounting Greg Kroah-Hartman
` (155 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 2d8826a2d3657cea66fb0370f9e521575a673871 upstream.
batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb
for each DHT candidate, but does not check the return value before passing
it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences
the skb unconditionally, so a failed allocation triggers a NULL pointer
dereference.
Skip forwarding to the current DHT candidate on allocation failure.
Cc: stable@kernel.org
Fixes: 785ea1144182 ("batman-adv: Distributed ARP Table - create DHT helper functions")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/distributed-arp-table.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -698,6 +698,9 @@ static bool batadv_dat_forward_data(stru
goto free_orig;
tmp_skb = pskb_copy_for_clone(skb, GFP_ATOMIC);
+ if (!tmp_skb)
+ goto free_neigh;
+
if (!batadv_send_skb_prepare_unicast_4addr(bat_priv, tmp_skb,
cand[i].orig_node,
packet_subtype)) {
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 124/272] batman-adv: fix fragment reassembly length accounting
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 123/272] batman-adv: dat: handle forward allocation error Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 125/272] batman-adv: fix tp_meter counter underflow during shutdown Greg Kroah-Hartman
` (154 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruide Cao, Ren Wei, Ren Wei, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruide Cao <caoruide123@gmail.com>
commit 9cd3f16c320bfdadd4509358122368deb56a5741 upstream.
batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.
That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.
Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.
The fix was verified against the original reproducer and against valid
fragment reassembly paths.
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/fragmentation.c | 23 +++++++++++++++++------
net/batman-adv/types.h | 2 +-
2 files changed, 18 insertions(+), 7 deletions(-)
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -17,6 +17,7 @@
#include <linux/lockdep.h>
#include <linux/minmax.h>
#include <linux/netdevice.h>
+#include <linux/overflow.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
@@ -80,9 +81,9 @@ void batadv_frag_purge_orig(struct batad
*
* Return: the maximum size of payload that can be fragmented.
*/
-static int batadv_frag_size_limit(void)
+static size_t batadv_frag_size_limit(void)
{
- int limit = BATADV_FRAG_MAX_FRAG_SIZE;
+ size_t limit = BATADV_FRAG_MAX_FRAG_SIZE;
limit -= sizeof(struct batadv_frag_packet);
limit *= BATADV_FRAG_MAX_FRAGMENTS;
@@ -143,7 +144,9 @@ static bool batadv_frag_insert_packet(st
struct batadv_frag_packet *frag_packet;
u8 bucket;
u16 seqno, hdr_size = sizeof(struct batadv_frag_packet);
+ bool overflow = false;
bool ret = false;
+ size_t data_len;
/* Linearize packet to avoid linearizing 16 packets in a row when doing
* the later merge. Non-linear merge should be added to remove this
@@ -153,6 +156,7 @@ static bool batadv_frag_insert_packet(st
goto err;
frag_packet = (struct batadv_frag_packet *)skb->data;
+ data_len = skb->len - hdr_size;
seqno = ntohs(frag_packet->seqno);
bucket = seqno % BATADV_FRAG_BUFFER_COUNT;
@@ -171,7 +175,7 @@ static bool batadv_frag_insert_packet(st
spin_lock_bh(&chain->lock);
if (batadv_frag_init_chain(chain, seqno)) {
hlist_add_head(&frag_entry_new->list, &chain->fragment_list);
- chain->size = skb->len - hdr_size;
+ chain->size = data_len;
chain->timestamp = jiffies;
chain->total_size = ntohs(frag_packet->total_size);
ret = true;
@@ -188,7 +192,11 @@ static bool batadv_frag_insert_packet(st
if (frag_entry_curr->no < frag_entry_new->no) {
hlist_add_before(&frag_entry_new->list,
&frag_entry_curr->list);
- chain->size += skb->len - hdr_size;
+
+ if (check_add_overflow(chain->size, data_len,
+ &chain->size))
+ overflow = true;
+
chain->timestamp = jiffies;
ret = true;
goto out;
@@ -201,13 +209,16 @@ static bool batadv_frag_insert_packet(st
/* Reached the end of the list, so insert after 'frag_entry_last'. */
if (likely(frag_entry_last)) {
hlist_add_behind(&frag_entry_new->list, &frag_entry_last->list);
- chain->size += skb->len - hdr_size;
+
+ if (check_add_overflow(chain->size, data_len, &chain->size))
+ overflow = true;
+
chain->timestamp = jiffies;
ret = true;
}
out:
- if (chain->size > batadv_frag_size_limit() ||
+ if (overflow || chain->size > batadv_frag_size_limit() ||
chain->total_size != ntohs(frag_packet->total_size) ||
chain->total_size > batadv_frag_size_limit()) {
/* Clear chain if total size of either the list or the packet
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -295,7 +295,7 @@ struct batadv_frag_table_entry {
u16 seqno;
/** @size: accumulated size of packets in list */
- u16 size;
+ size_t size;
/** @total_size: expected size of the assembled packet */
u16 total_size;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 125/272] batman-adv: fix tp_meter counter underflow during shutdown
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 124/272] batman-adv: fix fragment reassembly length accounting Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 126/272] batman-adv: frag: disallow unicast fragment in fragment Greg Kroah-Hartman
` (153 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Luxiao Xu, Ren Wei, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luxiao Xu <rakukuip@gmail.com>
commit 94f3b133168d1c49895e7cc6afbcf1cc0b354602 upstream.
batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.
Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.
Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
[sven: added missing change in batadv_tp_send]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -451,7 +451,7 @@ static void batadv_tp_sender_end(struct
static void batadv_tp_sender_shutdown(struct batadv_tp_vars *tp_vars,
enum batadv_tp_meter_reason reason)
{
- if (!atomic_dec_and_test(&tp_vars->sending))
+ if (atomic_xchg(&tp_vars->sending, 0) != 1)
return;
tp_vars->reason = reason;
@@ -885,7 +885,7 @@ static int batadv_tp_send(void *arg)
"Meter: %s() cannot send packets (%d)\n",
__func__, err);
/* ensure nobody else tries to stop the thread now */
- if (atomic_dec_and_test(&tp_vars->sending))
+ if (atomic_xchg(&tp_vars->sending, 0) == 1)
tp_vars->reason = err;
break;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 126/272] batman-adv: frag: disallow unicast fragment in fragment
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 125/272] batman-adv: fix tp_meter counter underflow during shutdown Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 127/272] batman-adv: bla: fix report_work leak on backbone_gw purge Greg Kroah-Hartman
` (152 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit bc62216dc8e221e3781afa14430f45208bfa9af9 upstream.
batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a
BATADV_UNICAST_FRAG packet is received. Once all fragments are collected
and the packet is reassembled, batadv_recv_frag_packet() calls
batadv_batman_skb_recv() again to process the defragmented payload.
A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled
payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).
Each nesting level recurses through batadv_batman_skb_recv() without bound,
growing the kernel stack until it is exhausted.
Since refragmentation or fragments in fragments are not actually allowed,
discard all packets which are still BATADV_UNICAST_FRAG packets after the
defragmentation process.
Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/fragmentation.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -305,6 +305,31 @@ free:
}
/**
+ * batadv_skb_is_frag() - check if newly merged skb is gain a unicast packet
+ * @skb: newly merged skb
+ *
+ * Return: if newly skb is of type BATADV_UNICAST_FRAG
+ */
+static bool batadv_skb_is_frag(struct sk_buff *skb)
+{
+ struct batadv_ogm_packet *batadv_ogm_packet;
+
+ /* packet should hold at least type and version */
+ if (unlikely(!pskb_may_pull(skb, 2)))
+ return false;
+
+ batadv_ogm_packet = (struct batadv_ogm_packet *)skb->data;
+
+ if (batadv_ogm_packet->version != BATADV_COMPAT_VERSION)
+ return false;
+
+ if (batadv_ogm_packet->packet_type != BATADV_UNICAST_FRAG)
+ return false;
+
+ return true;
+}
+
+/**
* batadv_frag_skb_buffer() - buffer fragment for later merge
* @skb: skb to buffer
* @orig_node_src: originator that the skb is received from
@@ -337,6 +362,16 @@ bool batadv_frag_skb_buffer(struct sk_bu
if (!skb_out)
goto out_err;
+ /* fragment in fragment is not allowed. otherwise it is possible
+ * to exhaust the stack when receiving a matryoshka-style
+ * "fragments in a fragment packet"
+ */
+ if (batadv_skb_is_frag(skb_out)) {
+ kfree_skb(skb_out);
+ skb_out = NULL;
+ goto out_err;
+ }
+
out:
ret = true;
out_err:
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 127/272] batman-adv: bla: fix report_work leak on backbone_gw purge
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 126/272] batman-adv: frag: disallow unicast fragment in fragment Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 128/272] batman-adv: tp_meter: avoid use of uninit sender vars Greg Kroah-Hartman
` (151 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Simon Wunderlich,
Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 0459430add32ea41f3e2ef9351610e6d33627a6b upstream.
batadv_bla_purge_backbone_gw() removes stale backbone gateway entries,
but fails to properly handle their associated report_work:
- If report_work is running, the purge must wait for it to finish before
freeing the backbone_gw, otherwise the worker may access freed memory
(e.g. bat_priv).
- If report_work is pending, the purge must cancel it and release the
reference held for that pending work item.
The previous implementation called hlist_for_each_entry_safe() inside a
spin_lock_bh() section, but cancel_work_sync() may sleep and therefore
cannot be called from within a spinlock-protected region.
Restructure the loop to handle one entry per spinlock critical section:
acquire the lock, find the next entry to purge, remove it from the hash
list, then release the lock before calling cancel_work_sync() and
dropping the hash_entry reference. Repeat until no more entries require
purging.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reviewed-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bridge_loop_avoidance.c | 60 ++++++++++++++++++++-------------
1 file changed, 38 insertions(+), 22 deletions(-)
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1224,6 +1224,7 @@ static void batadv_bla_purge_backbone_gw
struct hlist_head *head;
struct batadv_hashtable *hash;
spinlock_t *list_lock; /* protects write access to the hash lists */
+ bool purged;
int i;
hash = bat_priv->bla.backbone_hash;
@@ -1234,30 +1235,45 @@ static void batadv_bla_purge_backbone_gw
head = &hash->table[i];
list_lock = &hash->list_locks[i];
- spin_lock_bh(list_lock);
- hlist_for_each_entry_safe(backbone_gw, node_tmp,
- head, hash_entry) {
- if (now)
- goto purge_now;
- if (!batadv_has_timed_out(backbone_gw->lasttime,
- BATADV_BLA_BACKBONE_TIMEOUT))
- continue;
-
- batadv_dbg(BATADV_DBG_BLA, backbone_gw->bat_priv,
- "%s(): backbone gw %pM timed out\n",
- __func__, backbone_gw->orig);
+ do {
+ purged = false;
+
+ spin_lock_bh(list_lock);
+ hlist_for_each_entry_safe(backbone_gw, node_tmp,
+ head, hash_entry) {
+ if (now)
+ goto purge_now;
+ if (!batadv_has_timed_out(backbone_gw->lasttime,
+ BATADV_BLA_BACKBONE_TIMEOUT))
+ continue;
+
+ batadv_dbg(BATADV_DBG_BLA, backbone_gw->bat_priv,
+ "%s(): backbone gw %pM timed out\n",
+ __func__, backbone_gw->orig);
purge_now:
- /* don't wait for the pending request anymore */
- if (atomic_read(&backbone_gw->request_sent))
- atomic_dec(&bat_priv->bla.num_requests);
-
- batadv_bla_del_backbone_claims(backbone_gw);
-
- hlist_del_rcu(&backbone_gw->hash_entry);
- batadv_backbone_gw_put(backbone_gw);
- }
- spin_unlock_bh(list_lock);
+ purged = true;
+
+ /* don't wait for the pending request anymore */
+ if (atomic_read(&backbone_gw->request_sent))
+ atomic_dec(&bat_priv->bla.num_requests);
+
+ batadv_bla_del_backbone_claims(backbone_gw);
+
+ hlist_del_rcu(&backbone_gw->hash_entry);
+ break;
+ }
+ spin_unlock_bh(list_lock);
+
+ if (purged) {
+ /* reference for pending report_work */
+ if (cancel_work_sync(&backbone_gw->report_work))
+ batadv_backbone_gw_put(backbone_gw);
+
+ /* reference for hash_entry */
+ batadv_backbone_gw_put(backbone_gw);
+ }
+ } while (purged);
}
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 128/272] batman-adv: tp_meter: avoid use of uninit sender vars
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 127/272] batman-adv: bla: fix report_work leak on backbone_gw purge Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 129/272] batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown Greg Kroah-Hartman
` (150 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 6c65cf23d4c6170fcf5714c32aa64689718cb142 upstream.
batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the
BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it
proceeds to read sender-only members that were never initialized, leading
to undefined behavior.
This can be triggered when a node that is currently acting as a receiver in
an ongoing tp_meter session receives a malicious ACK packet.
Guard against this by checking tp_vars->role immediately after the
lookup and bailing out if it is not BATADV_TP_SENDER, before any of
those members are accessed.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -663,6 +663,9 @@ static void batadv_tp_recv_ack(struct ba
if (unlikely(!tp_vars))
return;
+ if (unlikely(tp_vars->role != BATADV_TP_SENDER))
+ goto out;
+
if (unlikely(atomic_read(&tp_vars->sending) == 0))
goto out;
@@ -1100,12 +1103,16 @@ void batadv_tp_stop(struct batadv_priv *
if (!tp_vars) {
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Meter: trying to interrupt an already over connection\n");
- goto out;
+ goto out_put_orig_node;
}
+ if (unlikely(tp_vars->role != BATADV_TP_SENDER))
+ goto out_put_tp_vars;
+
batadv_tp_sender_shutdown(tp_vars, return_value);
+out_put_tp_vars:
batadv_tp_vars_put(tp_vars);
-out:
+out_put_orig_node:
batadv_orig_node_put(orig_node);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 129/272] batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 128/272] batman-adv: tp_meter: avoid use of uninit sender vars Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 130/272] batman-adv: tp_meter: fix race condition in send error reporting Greg Kroah-Hartman
` (149 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 77098e4bea37af51d3962efa88a5af2ea5e1ac57 upstream.
The receiver shutdown timer handler, batadv_tp_receiver_shutdown(), is
responsible for releasing the tp_vars reference it holds. However, the
existing logic for coordinating this release with batadv_tp_stop_all() was
flawed.
timer_shutdown_sync() guarantees the timer will not fire again after it
returns, but it returns non-zero only when the timer was pending at the
time of the call. If the timer had already expired (and
batadv_tp_stop_all() would unsucessfully try to rearm itself),
batadv_tp_stop_all() skips its batadv_tp_vars_put(), and
batadv_tp_receiver_shutdown() fails to put its own reference as well.
Fix this by introducing a new atomic variable receiving that is set to 1
when the receiver is initialized and cleared atomically with atomic_xchg()
by whichever side claims it first. Only the side that observes the
transition from 1 to 0 is responsible for releasing the tp_vars timer
reference, eliminating the uncertainty.
Cc: stable@kernel.org
Fixes: 3d3cf6a7314a ("batman-adv: stop tp_meter sessions during mesh teardown")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 13 +++++++++++--
net/batman-adv/types.h | 3 +++
2 files changed, 14 insertions(+), 2 deletions(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -8,6 +8,7 @@
#include "main.h"
#include <linux/atomic.h>
+#include <linux/bug.h>
#include <linux/build_bug.h>
#include <linux/byteorder/generic.h>
#include <linux/cache.h>
@@ -1163,6 +1164,9 @@ static void batadv_tp_receiver_shutdown(
spin_unlock_bh(&tp_vars->unacked_lock);
/* drop reference of timer */
+ if (WARN_ON(atomic_xchg(&tp_vars->receiving, 0) != 1))
+ return;
+
batadv_tp_vars_put(tp_vars);
}
@@ -1381,6 +1385,7 @@ batadv_tp_init_recv(struct batadv_priv *
ether_addr_copy(tp_vars->other_end, icmp->orig);
tp_vars->role = BATADV_TP_RECEIVER;
+ atomic_set(&tp_vars->receiving, 1);
memcpy(tp_vars->session, icmp->session, sizeof(tp_vars->session));
tp_vars->last_recv = BATADV_TP_FIRST_SEQ;
tp_vars->bat_priv = bat_priv;
@@ -1553,8 +1558,12 @@ void batadv_tp_stop_all(struct batadv_pr
break;
case BATADV_TP_RECEIVER:
batadv_tp_list_detach(tp_var);
- if (timer_shutdown_sync(&tp_var->timer))
- batadv_tp_vars_put(tp_var);
+ timer_shutdown_sync(&tp_var->timer);
+
+ if (atomic_xchg(&tp_var->receiving, 0) != 1)
+ break;
+
+ batadv_tp_vars_put(tp_var);
break;
}
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1461,6 +1461,9 @@ struct batadv_tp_vars {
/** @sending: sending binary semaphore: 1 if sending, 0 is not */
atomic_t sending;
+ /** @receiving: receiving binary semaphore: 1 if receiving, 0 is not */
+ atomic_t receiving;
+
/** @reason: reason for a stopped session */
enum batadv_tp_meter_reason reason;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 130/272] batman-adv: tp_meter: fix race condition in send error reporting
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 129/272] batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 131/272] batman-adv: tt: fix negative last_changeset_len Greg Kroah-Hartman
` (148 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 71dce47f0758537fff78fddb5fb0d4632d29b29f upstream.
batadv_tp_sender_shutdown() previously used two separate variables to track
session state: sending (an atomic flag indicating whether the session was
active) and reason (a plain enum storing the stop reason). This introduced
a race window between the two writes: after sending was cleared to 0,
batadv_tp_send() could observe the stopped state and call
batadv_tp_sender_end() before reason was written, causing the wrong stop
reason to be reported to the caller.
Fix this by consolidating both variables into a single atomic send_result,
which holds 0 while the session is running and the stop reason once it
ends.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 40 +++++++++++++++++++++++++---------------
net/batman-adv/types.h | 10 +++++-----
2 files changed, 30 insertions(+), 20 deletions(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -419,11 +419,14 @@ static void batadv_tp_sender_cleanup(str
static void batadv_tp_sender_end(struct batadv_priv *bat_priv,
struct batadv_tp_vars *tp_vars)
{
+ enum batadv_tp_meter_reason reason;
u32 session_cookie;
+ reason = atomic_read(&tp_vars->send_result);
+
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Test towards %pM finished..shutting down (reason=%d)\n",
- tp_vars->other_end, tp_vars->reason);
+ tp_vars->other_end, reason);
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Last timing stats: SRTT=%ums RTTVAR=%ums RTO=%ums\n",
@@ -436,7 +439,7 @@ static void batadv_tp_sender_end(struct
session_cookie = batadv_tp_session_cookie(tp_vars->session,
tp_vars->icmp_uid);
- batadv_tp_batctl_notify(tp_vars->reason,
+ batadv_tp_batctl_notify(reason,
tp_vars->other_end,
bat_priv,
tp_vars->start_time,
@@ -452,10 +455,18 @@ static void batadv_tp_sender_end(struct
static void batadv_tp_sender_shutdown(struct batadv_tp_vars *tp_vars,
enum batadv_tp_meter_reason reason)
{
- if (atomic_xchg(&tp_vars->sending, 0) != 1)
- return;
+ atomic_cmpxchg(&tp_vars->send_result, 0, reason);
+}
- tp_vars->reason = reason;
+/**
+ * batadv_tp_sender_stopped() - check if tp session was stopped with reason
+ * @tp_vars: the private data of the current TP meter session
+ *
+ * Return: whether stop reason was found
+ */
+static bool batadv_tp_sender_stopped(struct batadv_tp_vars *tp_vars)
+{
+ return atomic_read(&tp_vars->send_result) != 0;
}
/**
@@ -485,7 +496,7 @@ static void batadv_tp_reset_sender_timer
/* most of the time this function is invoked while normal packet
* reception...
*/
- if (unlikely(atomic_read(&tp_vars->sending) == 0))
+ if (unlikely(batadv_tp_sender_stopped(tp_vars)))
/* timer ref will be dropped in batadv_tp_sender_cleanup */
return;
@@ -505,7 +516,7 @@ static void batadv_tp_sender_timeout(str
struct batadv_tp_vars *tp_vars = from_timer(tp_vars, t, timer);
struct batadv_priv *bat_priv = tp_vars->bat_priv;
- if (atomic_read(&tp_vars->sending) == 0)
+ if (batadv_tp_sender_stopped(tp_vars))
return;
/* if the user waited long enough...shutdown the test */
@@ -667,7 +678,7 @@ static void batadv_tp_recv_ack(struct ba
if (unlikely(tp_vars->role != BATADV_TP_SENDER))
goto out;
- if (unlikely(atomic_read(&tp_vars->sending) == 0))
+ if (unlikely(batadv_tp_sender_stopped(tp_vars)))
goto out;
/* old ACK? silently drop it.. */
@@ -833,21 +844,21 @@ static int batadv_tp_send(void *arg)
if (unlikely(tp_vars->role != BATADV_TP_SENDER)) {
err = BATADV_TP_REASON_DST_UNREACHABLE;
- tp_vars->reason = err;
+ batadv_tp_sender_shutdown(tp_vars, err);
goto out;
}
orig_node = batadv_orig_hash_find(bat_priv, tp_vars->other_end);
if (unlikely(!orig_node)) {
err = BATADV_TP_REASON_DST_UNREACHABLE;
- tp_vars->reason = err;
+ batadv_tp_sender_shutdown(tp_vars, err);
goto out;
}
primary_if = batadv_primary_if_get_selected(bat_priv);
if (unlikely(!primary_if)) {
err = BATADV_TP_REASON_DST_UNREACHABLE;
- tp_vars->reason = err;
+ batadv_tp_sender_shutdown(tp_vars, err);
goto out;
}
@@ -866,7 +877,7 @@ static int batadv_tp_send(void *arg)
queue_delayed_work(batadv_event_workqueue, &tp_vars->finish_work,
msecs_to_jiffies(tp_vars->test_length));
- while (atomic_read(&tp_vars->sending) != 0) {
+ while (!batadv_tp_sender_stopped(tp_vars)) {
if (unlikely(!batadv_tp_avail(tp_vars, payload_len))) {
batadv_tp_wait_available(tp_vars, payload_len);
continue;
@@ -889,8 +900,7 @@ static int batadv_tp_send(void *arg)
"Meter: %s() cannot send packets (%d)\n",
__func__, err);
/* ensure nobody else tries to stop the thread now */
- if (atomic_xchg(&tp_vars->sending, 0) == 1)
- tp_vars->reason = err;
+ batadv_tp_sender_shutdown(tp_vars, err);
break;
}
@@ -1012,7 +1022,7 @@ void batadv_tp_start(struct batadv_priv
ether_addr_copy(tp_vars->other_end, dst);
kref_init(&tp_vars->refcount);
tp_vars->role = BATADV_TP_SENDER;
- atomic_set(&tp_vars->sending, 1);
+ atomic_set(&tp_vars->send_result, 0);
memcpy(tp_vars->session, session_id, sizeof(session_id));
tp_vars->icmp_uid = icmp_uid;
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1458,15 +1458,15 @@ struct batadv_tp_vars {
/** @role: receiver/sender modi */
enum batadv_tp_meter_role role;
- /** @sending: sending binary semaphore: 1 if sending, 0 is not */
- atomic_t sending;
+ /**
+ * @send_result: 0 when sending is ongoing and otherwise
+ * enum batadv_tp_meter_reason
+ */
+ atomic_t send_result;
/** @receiving: receiving binary semaphore: 1 if receiving, 0 is not */
atomic_t receiving;
- /** @reason: reason for a stopped session */
- enum batadv_tp_meter_reason reason;
-
/** @finish_work: work item for the finishing procedure */
struct delayed_work finish_work;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 131/272] batman-adv: tt: fix negative last_changeset_len
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 130/272] batman-adv: tp_meter: fix race condition in send error reporting Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 132/272] batman-adv: tt: fix negative tt_buff_len Greg Kroah-Hartman
` (147 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit fc92cdfcb295cefa4344d71a527d61b638b7bfc4 upstream.
batadv_piv_tt::last_changeset_len len was declared as s16, but the field is
never intended to hold a negative value. When a value greater than 32767 is
assigned, it wraps to a negative signed integer.
In batadv_send_my_tt_response(), last_changeset_len is temporarily widened
to s32. The incorrectly negative s16 value propagates into the s32, causing
batadv_tt_prepare_tvlv_local_data() to allocate a full sized buffer but
populates only a small portion of it with the collected changeset. All
remaining bits are kept uninitialized.
Using an u16 avoids this type confusion and ensures that no (negative) sign
extension is performed in batadv_send_my_tt_response().
Cc: stable@kernel.org
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1058,7 +1058,7 @@ struct batadv_priv_tt {
* @last_changeset_len: length of last tt changeset this host has
* generated
*/
- s16 last_changeset_len;
+ u16 last_changeset_len;
/**
* @last_changeset_lock: lock protecting last_changeset &
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 132/272] batman-adv: tt: fix negative tt_buff_len
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 131/272] batman-adv: tt: fix negative last_changeset_len Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 133/272] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock Greg Kroah-Hartman
` (146 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit b64963a2ceeb7529310b6cf253a1e540784422f4 upstream.
batadv_orig_node::tt_buff_len was declared as s16, but the field is never
intended to hold a negative value. When a value greater than 32767 is
assigned, it wraps to a negative signed integer.
In batadv_send_other_tt_response(), tt_buff_len is temporarily widened to
s32. The incorrectly negative s16 value propagates into the s32, causing
batadv_tt_prepare_tvlv_global_data() to allocate a full sized buffer but
populates only a small portion of it with the collected changeset. All
remaining bits are kept uninitialized.
Using an u16 avoids this type confusion and ensures that no (negative) sign
extension is performed in batadv_send_other_tt_response().
Cc: stable@kernel.org
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -446,7 +446,7 @@ struct batadv_orig_node {
* @tt_buff_len: length of the last tt changeset this node received
* from the orig node
*/
- s16 tt_buff_len;
+ u16 tt_buff_len;
/** @tt_buff_lock: lock that protects tt_buff and tt_buff_len */
spinlock_t tt_buff_lock;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 133/272] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 132/272] batman-adv: tt: fix negative tt_buff_len Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 134/272] hwmon: (pmbus/adm1266) reject implausible blackbox record_count Greg Kroah-Hartman
` (145 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit b86095e3d7dcf2bf80c747349a35912a87a85098 upstream.
adm1266_set_rtc() seeds the chip's SET_RTC register from
ktime_get_seconds(), which returns CLOCK_MONOTONIC -- i.e. seconds
since the host last booted, not seconds since the Unix epoch.
The chip stamps that value into every blackbox record it captures.
Userspace reading those timestamps back expects wall-clock seconds:
that's what the SET_RTC frame layout documents (datasheet Rev. D,
Table 84) and what every other consumer of "seconds since epoch"
assumes. Seeding from CLOCK_MONOTONIC gives blackbox records a
timestamp that is only meaningful within a single boot of the host
and silently resets to small values on every reboot.
Switch to ktime_get_real_seconds() so the seed matches what the
register is documented to hold.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-1-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -432,7 +432,7 @@ static int adm1266_set_rtc(struct adm126
char write_buf[6];
int i;
- kt = ktime_get_seconds();
+ kt = ktime_get_real_seconds();
memset(write_buf, 0, sizeof(write_buf));
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 134/272] hwmon: (pmbus/adm1266) reject implausible blackbox record_count
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 133/272] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 135/272] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer Greg Kroah-Hartman
` (144 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 4afca954622d672ea65ed961bed01cf91caa034e upstream.
adm1266_nvmem_read_blackbox() loops over a record_count that comes
straight from byte 3 of the BLACKBOX_INFO response. The destination
buffer is data->dev_mem, sized for the nvmem cell's declared 2048
bytes (ADM1266_BLACKBOX_MAX_RECORDS * ADM1266_BLACKBOX_SIZE = 32 * 64).
A device that reports a record_count greater than 32 -- whether due
to firmware bugs, bus corruption, or a non-responsive slave returning
0xff -- would walk read_buff past the end of the dev_mem allocation
on the trailing iterations.
Cap record_count at ADM1266_BLACKBOX_MAX_RECORDS (introduced here)
before entering the loop and return -EIO on any larger value, so a
malformed BLACKBOX_INFO response cannot drive the loop out of bounds.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-3-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -46,6 +46,7 @@
#define ADM1266_BLACKBOX_OFFSET 0
#define ADM1266_BLACKBOX_SIZE 64
+#define ADM1266_BLACKBOX_MAX_RECORDS 32
#define ADM1266_PMBUS_BLOCK_MAX 255
@@ -360,6 +361,8 @@ static int adm1266_nvmem_read_blackbox(s
return -EIO;
record_count = buf[3];
+ if (record_count > ADM1266_BLACKBOX_MAX_RECORDS)
+ return -EIO;
for (index = 0; index < record_count; index++) {
ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, read_buff);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 135/272] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 134/272] hwmon: (pmbus/adm1266) reject implausible blackbox record_count Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 136/272] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer Greg Kroah-Hartman
` (143 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 487566cb1ccdf3756fdd7bf8d875e612ff3169bb upstream.
adm1266_pmbus_block_xfer() sets up the read transaction with
.buf = data->read_buf,
.len = ADM1266_PMBUS_BLOCK_MAX + 2,
but read_buf in struct adm1266_data is declared as
u8 read_buf[ADM1266_PMBUS_BLOCK_MAX + 1];
For a max-length block response (length byte = 255 + up to 1 PEC
byte), the i2c controller is told to write 257 bytes into a 256-byte
buffer, putting one byte past the end of read_buf. The same response
also makes the subsequent PEC compare
if (crc != msgs[1].buf[msgs[1].buf[0] + 1])
read a byte beyond the array.
Bump the read_buf declaration to ADM1266_PMBUS_BLOCK_MAX + 2 so the
buffer can hold the length byte, up to 255 payload bytes, and the PEC
byte the i2c_msg length already accounts for.
Fixes: 407dc802a9c0 ("hwmon: (pmbus/adm1266) Add Block process call")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-4-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -61,7 +61,7 @@ struct adm1266_data {
u8 *dev_mem;
struct mutex buf_mutex;
u8 write_buf[ADM1266_PMBUS_BLOCK_MAX + 1] ____cacheline_aligned;
- u8 read_buf[ADM1266_PMBUS_BLOCK_MAX + 1] ____cacheline_aligned;
+ u8 read_buf[ADM1266_PMBUS_BLOCK_MAX + 2] ____cacheline_aligned;
};
static const struct nvmem_cell_info adm1266_nvmem_cells[] = {
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 136/272] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 135/272] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 137/272] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR Greg Kroah-Hartman
` (142 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 43cae21424ff8e33894a0f86c6b80b840c049fd7 upstream.
adm1266_pmbus_block_xfer() copies the device-supplied block payload
into the caller-provided buffer using the device-supplied length:
memcpy(data_r, &msgs[1].buf[1], msgs[1].buf[0]);
The helper does not know how large data_r is and trusts the device to
return at most one record's worth of bytes. adm1266_nvmem_read_blackbox()
violates that contract: it advances read_buff inside data->dev_mem in
ADM1266_BLACKBOX_SIZE (64-byte) strides while the helper is willing to
write up to ADM1266_PMBUS_BLOCK_MAX (255) bytes. A device that returns
more than 64 bytes on the trailing record (read_buff offset 1984 in
the 2048-byte dev_mem allocation) overflows dev_mem by up to 191 bytes
before the post-call
if (ret != ADM1266_BLACKBOX_SIZE)
return -EIO;
can reject the response.
Contain the fix in the caller without changing the helper signature:
read each record into a 255-byte local bounce buffer that matches the
helper's maximum output, validate the returned length, and only then
copy exactly ADM1266_BLACKBOX_SIZE bytes into the dev_mem slot.
Fixes: 407dc802a9c0 ("hwmon: (pmbus/adm1266) Add Block process call")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-5-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -348,6 +348,7 @@ static void adm1266_init_debugfs(struct
static int adm1266_nvmem_read_blackbox(struct adm1266_data *data, u8 *read_buff)
{
+ u8 record[ADM1266_PMBUS_BLOCK_MAX];
int record_count;
char index;
u8 buf[I2C_SMBUS_BLOCK_MAX];
@@ -365,13 +366,14 @@ static int adm1266_nvmem_read_blackbox(s
return -EIO;
for (index = 0; index < record_count; index++) {
- ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, read_buff);
+ ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, record);
if (ret < 0)
return ret;
if (ret != ADM1266_BLACKBOX_SIZE)
return -EIO;
+ memcpy(read_buff, record, ADM1266_BLACKBOX_SIZE);
read_buff += ADM1266_BLACKBOX_SIZE;
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 137/272] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 136/272] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 138/272] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple Greg Kroah-Hartman
` (141 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Linus Walleij, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit d7834d92251baade796812876e95555e2066fa9f upstream.
adm1266_gpio_get_multiple() iterates the PDIO portion of the
caller-supplied mask using
for_each_set_bit_from(gpio_nr, mask,
ADM1266_GPIO_NR + ADM1266_PDIO_STATUS) {
...
}
where ADM1266_PDIO_STATUS is the PMBus command code (0xE9, i.e. 233),
not the number of PDIO pins. The intended upper bound is
ADM1266_GPIO_NR + ADM1266_PDIO_NR = 25.
gpiolib hands in a mask sized for gc.ngpio (= 25 bits on this chip),
so the iteration walks find_next_bit() up to 242, reading up to 217
extra bits (a handful of unsigned-long words: four on 64-bit, seven
on 32-bit) of whatever lives past the end of the mask in the
caller's stack. Any incidental set bit in that range then drives a
set_bit(gpio_nr, bits) call that writes past the end of the
caller-supplied bits array too -- both out-of-bounds.
Substitute ADM1266_PDIO_NR for the constant so the scan stops at the
last real PDIO bit.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-1-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -212,7 +212,7 @@ static int adm1266_gpio_get_multiple(str
status = read_buf[0] + (read_buf[1] << 8);
*bits = 0;
- for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_STATUS) {
+ for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_NR) {
if (test_bit(gpio_nr - ADM1266_GPIO_NR, &status))
set_bit(gpio_nr, bits);
}
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 138/272] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 137/272] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 139/272] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() Greg Kroah-Hartman
` (140 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Linus Walleij, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 3327a12aee9e10ffa903e28b8445dfd1af5307c0 upstream.
adm1266_gpio_get_multiple() zeroes *bits before the GPIO_STATUS loop
and then a second time before the PDIO_STATUS loop:
*bits = 0;
for_each_set_bit(gpio_nr, mask, ADM1266_GPIO_NR) {
...
set_bit(gpio_nr, bits);
}
ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, ...);
...
*bits = 0;
for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_NR) {
...
set_bit(gpio_nr, bits);
}
The second *bits = 0 throws away every GPIO bit the first loop just
populated, so callers asking for any combination of GPIO and PDIO
pins always see the GPIO portion of the returned bits as zero.
Drop the redundant second assignment so both halves of the result
survive.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-2-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -211,7 +211,6 @@ static int adm1266_gpio_get_multiple(str
status = read_buf[0] + (read_buf[1] << 8);
- *bits = 0;
for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_NR) {
if (test_bit(gpio_nr - ADM1266_GPIO_NR, &status))
set_bit(gpio_nr, bits);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 139/272] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 138/272] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 140/272] hwmon: (pmbus/adm1266) register the nvmem device " Greg Kroah-Hartman
` (139 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 491403b9b76cf66abd81301c5901aa4a4549f1e8 upstream.
adm1266_probe() calls adm1266_config_gpio() -- which goes on to
devm_gpiochip_add_data() and exposes the gpio_chip callbacks to
gpiolib -- before pmbus_do_probe() has initialised the per-client
PMBus state (notably the pmbus_lock mutex the core hands out via
pmbus_get_data()).
That ordering is already a latent hazard: any GPIO access that lands
between adm1266_config_gpio() and the end of pmbus_do_probe() (for
example a sysfs read from a user space agent that opens the gpiochip
the instant gpiolib advertises it) races pmbus_do_probe()'s own
device accesses with no serialisation.
Move adm1266_config_gpio() down past pmbus_do_probe() so the chip
isn't reachable from userspace until the PMBus state it depends on
is fully initialised.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-4-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -466,10 +466,6 @@ static int adm1266_probe(struct i2c_clie
crc8_populate_msb(pmbus_crc_table, 0x7);
mutex_init(&data->buf_mutex);
- ret = adm1266_config_gpio(data);
- if (ret < 0)
- return ret;
-
ret = adm1266_set_rtc(data);
if (ret < 0)
return ret;
@@ -482,6 +478,10 @@ static int adm1266_probe(struct i2c_clie
if (ret)
return ret;
+ ret = adm1266_config_gpio(data);
+ if (ret < 0)
+ return ret;
+
adm1266_init_debugfs(data);
return 0;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 140/272] hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 139/272] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 141/272] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors Greg Kroah-Hartman
` (138 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 6af713af91d5c34ec049eb3cc2c5b3f5eba953b8 upstream.
adm1266_probe() calls adm1266_config_nvmem() -- which goes on to
devm_nvmem_register() and exposes adm1266_nvmem_read() to userspace --
before pmbus_do_probe() has initialised the per-client PMBus state.
Same latent hazard as the gpio_chip one fixed in the previous patch:
once the nvmem device is registered, gpiolib's nvmem char-dev / sysfs
interface is reachable, and any concurrent read triggers
adm1266_nvmem_read() -> adm1266_nvmem_read_blackbox(), which issues
PMBus traffic that races pmbus_do_probe()'s own device accesses with
no serialisation.
Move adm1266_config_nvmem() down past pmbus_do_probe() so the nvmem
device isn't reachable from userspace until the PMBus state the
nvmem accessors depend on is fully initialised.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-5-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -470,14 +470,14 @@ static int adm1266_probe(struct i2c_clie
if (ret < 0)
return ret;
- ret = adm1266_config_nvmem(data);
- if (ret < 0)
- return ret;
-
ret = pmbus_do_probe(client, &data->info);
if (ret)
return ret;
+ ret = adm1266_config_nvmem(data);
+ if (ret < 0)
+ return ret;
+
ret = adm1266_config_gpio(data);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 141/272] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 140/272] hwmon: (pmbus/adm1266) register the nvmem device " Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 142/272] ARM: dts: renesas: genmai: Drop superfluous cells Greg Kroah-Hartman
` (137 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit a7232f68c43ca62f545049b7f5fbfc75137b843b upstream.
adm1266_gpio_get() and adm1266_gpio_get_multiple() both compose the
pin-status word as
pins_status = read_buf[0] + (read_buf[1] << 8);
right after i2c_smbus_read_block_data(), guarding only against an
error return. A well-behaved device returns 2 bytes for
GPIO_STATUS/PDIO_STATUS, but the helper happily reports a 0- or
1-byte response too. If the device returns 0 bytes, both read_buf
slots are uninitialized stack memory; if it returns 1 byte, read_buf[1]
is.
The composed value then flows through set_bit() into the caller's
*bits in adm1266_gpio_get_multiple(), or into the return value of
adm1266_gpio_get(), and ends up in userspace via gpiolib (sysfs and
the char-dev ioctls). That leaks a few bits of kernel stack per
request on any device whose firmware glitch, bus error, or hostile
slave produces a short block-read response.
Add the missing length check to both call sites and surface a short
response as -EIO.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-3-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -176,6 +176,8 @@ static int adm1266_gpio_get(struct gpio_
ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf);
if (ret < 0)
return ret;
+ if (ret < 2)
+ return -EIO;
pins_status = read_buf[0] + (read_buf[1] << 8);
if (offset < ADM1266_GPIO_NR)
@@ -196,6 +198,8 @@ static int adm1266_gpio_get_multiple(str
ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf);
if (ret < 0)
return ret;
+ if (ret < 2)
+ return -EIO;
status = read_buf[0] + (read_buf[1] << 8);
@@ -208,6 +212,8 @@ static int adm1266_gpio_get_multiple(str
ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, read_buf);
if (ret < 0)
return ret;
+ if (ret < 2)
+ return -EIO;
status = read_buf[0] + (read_buf[1] << 8);
^ permalink raw reply [flat|nested] 284+ messages in thread
* [PATCH 6.12 142/272] ARM: dts: renesas: genmai: Drop superfluous cells
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 141/272] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 143/272] ARM: dts: renesas: rskrza1: " Greg Kroah-Hartman
` (136 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Geert Uytterhoeven,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
[ Upstream commit 714e1d6bba0e0abe5c87c8e189a35fa690540df4 ]
Drop superfluous address-cells and size-cells to fix DTC W=1 warning:
arch/arm/boot/dts/renesas/r7s72100-genmai.dts:28.17-55.4: Warning (avoid_unnecessary_addr_size): /flash@18000000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" or "ranges" property
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Fixes: 30e0a8cf886cb459 ("ARM: dts: renesas: genmai: Add FLASH nodes")
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260327234244.91707-6-marek.vasut+renesas@mailbox.org
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/renesas/r7s72100-genmai.dts | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm/boot/dts/renesas/r7s72100-genmai.dts b/arch/arm/boot/dts/renesas/r7s72100-genmai.dts
index 28e703e0f152b..9bfbd25b25a24 100644
--- a/arch/arm/boot/dts/renesas/r7s72100-genmai.dts
+++ b/arch/arm/boot/dts/renesas/r7s72100-genmai.dts
@@ -38,9 +38,6 @@ flash@18000000 {
clocks = <&mstp9_clks R7S72100_CLK_SPIBSC0>;
power-domains = <&cpg_clocks>;
- #address-cells = <1>;
- #size-cells = <1>;
-
partitions {
compatible = "fixed-partitions";
#address-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 143/272] ARM: dts: renesas: rskrza1: Drop superfluous cells
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 142/272] ARM: dts: renesas: genmai: Drop superfluous cells Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 144/272] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume Greg Kroah-Hartman
` (135 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Geert Uytterhoeven,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
[ Upstream commit ab83176d3cf1cf1c1f6e604432905bda4515d17f ]
Drop superfluous address-cells and size-cells to fix DTC W=1 warning:
arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts:32.17-72.4: Warning (avoid_unnecessary_addr_size): /flash@18000000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" or "ranges" property
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Fixes: 98537eb77d3ef185 ("ARM: dts: renesas: rskrza1: Add FLASH nodes")
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260327234244.91707-7-marek.vasut+renesas@mailbox.org
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts b/arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts
index b547216d48014..416c741034482 100644
--- a/arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts
+++ b/arch/arm/boot/dts/renesas/r7s72100-rskrza1.dts
@@ -36,8 +36,6 @@ flash@18000000 {
power-domains = <&cpg_clocks>;
bank-width = <4>;
device-width = <1>;
- #address-cells = <1>;
- #size-cells = <1>;
partitions {
compatible = "fixed-partitions";
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 144/272] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 143/272] ARM: dts: renesas: rskrza1: " Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 145/272] HID: uclogic: Fix regression of input name assignment Greg Kroah-Hartman
` (134 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Geert Uytterhoeven,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 6dba9b7268cc50166bce47608670192fd874e363 ]
When saving/restoring pull-up/down register state during suspend/resume,
the second PUPD register access was incorrectly using the same base offset
as the first, effectively reading/writing the same register twice instead
of the adjacent one.
Add the correct + 4 byte offset to the second RZG2L_PCTRL_REG_ACCESS32
call so that pupd[1][port] is properly saved and restored from the next
32-bit register in the PUPD register pair, covering pins 4–7 of ports
with 4 or more pins.
Fixes: b2bd65fbb617 ("pinctrl: renesas: rzg2l: Add suspend/resume support for pull up/down")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260328090548.84124-1-biju.das.jz@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
index bcb0c39369e05..17e27879fd623 100644
--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
@@ -2849,7 +2849,7 @@ static void rzg2l_pinctrl_pm_setup_regs(struct rzg2l_pinctrl *pctrl, bool suspen
RZG2L_PCTRL_REG_ACCESS32(suspend, pctrl->base + PUPD(off),
cache->pupd[0][port]);
if (pincnt >= 4) {
- RZG2L_PCTRL_REG_ACCESS32(suspend, pctrl->base + PUPD(off),
+ RZG2L_PCTRL_REG_ACCESS32(suspend, pctrl->base + PUPD(off) + 4,
cache->pupd[1][port]);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 145/272] HID: uclogic: Fix regression of input name assignment
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 144/272] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 146/272] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Greg Kroah-Hartman
` (133 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Jiri Kosina,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 487359284509a6745e14b8c0518768bc277809b0 ]
The previous fix for adding the devm_kasprintf() return check in the
commit bd07f751208b ("HID: uclogic: Add NULL check in
uclogic_input_configured()") changed the condition of hi->input->name
assignment, and it resulted in missing the proper input device name
when no custom suffix is defined.
Restore the conditional to the original content to address the
regression.
Fixes: bd07f751208b ("HID: uclogic: Add NULL check in uclogic_input_configured()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-uclogic-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
index 321c43fb06ae0..f8708a1ec7cc8 100644
--- a/drivers/hid/hid-uclogic-core.c
+++ b/drivers/hid/hid-uclogic-core.c
@@ -142,7 +142,9 @@ static int uclogic_input_configured(struct hid_device *hdev,
suffix = "System Control";
break;
}
- } else {
+ }
+
+ if (suffix) {
hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
"%s %s", hdev->name, suffix);
if (!hi->input->name)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 146/272] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 145/272] HID: uclogic: Fix regression of input name assignment Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 147/272] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Greg Kroah-Hartman
` (132 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 0a5e695095c557d2380131b613dea4e8d90371be ]
The bus match callback assumes that every FF-A driver provides an
id_table and dereferences it unconditionally. Enforce that contract at
registration time so a buggy client driver cannot crash the bus during
match.
Fixes: 92743071464f ("firmware: arm_ffa: Ensure drivers provide a probe function")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-1-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/bus.c b/drivers/firmware/arm_ffa/bus.c
index dea3eb741d95d..ef41815c0109e 100644
--- a/drivers/firmware/arm_ffa/bus.c
+++ b/drivers/firmware/arm_ffa/bus.c
@@ -26,6 +26,8 @@ static int ffa_device_match(struct device *dev, const struct device_driver *drv)
id_table = to_ffa_driver(drv)->id_table;
ffa_dev = to_ffa_dev(dev);
+ if (!id_table)
+ return 0;
while (!uuid_is_null(&id_table->uuid)) {
/*
@@ -123,7 +125,7 @@ int ffa_driver_register(struct ffa_driver *driver, struct module *owner,
{
int ret;
- if (!driver->probe)
+ if (!driver->probe || !driver->id_table)
return -EINVAL;
driver->driver.bus = &ffa_bus_type;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 147/272] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 146/272] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 148/272] firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue Greg Kroah-Hartman
` (131 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 09527e2c534911619d7e098729711100290bc3e1 ]
If the RX buffer allocation fails in ffa_init(), the error path jumps to
free_pages even though no buffer has been allocated yet. Route that case
directly to free_drv_info so the cleanup path is only used after at
least one RX/TX buffer allocation has succeeded.
Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-2-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 15e71a53956e2..61d4a4b7d97b6 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1793,7 +1793,7 @@ static int __init ffa_init(void)
drv_info->rx_buffer = alloc_pages_exact(rxtx_bufsz, GFP_KERNEL);
if (!drv_info->rx_buffer) {
ret = -ENOMEM;
- goto free_pages;
+ goto free_drv_info;
}
drv_info->tx_buffer = alloc_pages_exact(rxtx_bufsz, GFP_KERNEL);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 148/272] firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 147/272] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 149/272] firmware: arm_ffa: Refactor addition of partition information into XArray Greg Kroah-Hartman
` (130 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 9985d5357ed93af0d1933969c247e966957730e1 ]
Per-vcpu notification handling already runs from a per-cpu work item on
the target cpu. Routing that path back through smp_call_function_single()
re-enters the call-function IPI path and executes the notification
handler with interrupts disabled. That makes the framework path unsafe,
since it takes a mutex, allocates memory with GFP_KERNEL, and invokes
client callbacks.
Handle per-vcpu self notifications directly from the existing per-cpu
work item instead. This keeps the per-vcpu path in task context and
avoids the extra IPI hop entirely.
Fixes: 3a3e2b83e805 ("firmware: arm_ffa: Avoid queuing work when running on the worker queue")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-4-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 61d4a4b7d97b6..39f19acdce904 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1336,7 +1336,7 @@ static void notif_pcpu_irq_work_fn(struct work_struct *work)
struct ffa_drv_info *info = container_of(work, struct ffa_drv_info,
notif_pcpu_work);
- ffa_self_notif_handle(smp_processor_id(), true, info);
+ notif_get_and_handle(info);
}
static const struct ffa_info_ops ffa_drv_info_ops = {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 149/272] firmware: arm_ffa: Refactor addition of partition information into XArray
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 148/272] firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 150/272] firmware: arm_ffa: Unregister the FF-A devices when cleaning up the partitions Greg Kroah-Hartman
` (129 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Sudeep Holla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
[ Upstream commit 3c3d6767466ea316869c9f2bdd976aec8ce44545 ]
Move the common code handling addition of the FF-A partition information
into the XArray as a new routine. No functional change.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Message-Id: <20250217-ffa_updates-v3-6-bd1d9de615e7@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Stable-dep-of: 6d3daa9b8d31 ("firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 47 +++++++++++++++----------------
1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 39f19acdce904..84c4fe40d5279 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1421,11 +1421,30 @@ static struct notifier_block ffa_bus_nb = {
.notifier_call = ffa_bus_notifier,
};
+static int ffa_xa_add_partition_info(int vm_id)
+{
+ struct ffa_dev_part_info *info;
+ int ret;
+
+ info = kzalloc(sizeof(*info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
+
+ rwlock_init(&info->rw_lock);
+ ret = xa_insert(&drv_info->partition_info, vm_id, info, GFP_KERNEL);
+ if (ret) {
+ pr_err("%s: failed to save partition ID 0x%x - ret:%d. Abort.\n",
+ __func__, vm_id, ret);
+ kfree(info);
+ }
+
+ return ret;
+}
+
static int ffa_setup_partitions(void)
{
int count, idx, ret;
struct ffa_device *ffa_dev;
- struct ffa_dev_part_info *info;
struct ffa_partition_info *pbuf, *tpbuf;
if (drv_info->version == FFA_VERSION_1_0) {
@@ -1459,20 +1478,10 @@ static int ffa_setup_partitions(void)
!(tpbuf->properties & FFA_PARTITION_AARCH64_EXEC))
ffa_mode_32bit_set(ffa_dev);
- info = kzalloc(sizeof(*info), GFP_KERNEL);
- if (!info) {
+ if (ffa_xa_add_partition_info(ffa_dev->vm_id)) {
ffa_device_unregister(ffa_dev);
continue;
}
- rwlock_init(&info->rw_lock);
- ret = xa_insert(&drv_info->partition_info, tpbuf->id,
- info, GFP_KERNEL);
- if (ret) {
- pr_err("%s: failed to save partition ID 0x%x - ret:%d\n",
- __func__, tpbuf->id, ret);
- ffa_device_unregister(ffa_dev);
- kfree(info);
- }
}
kfree(pbuf);
@@ -1482,20 +1491,8 @@ static int ffa_setup_partitions(void)
return 0;
/* Allocate for the host */
- info = kzalloc(sizeof(*info), GFP_KERNEL);
- if (!info) {
- /* Already registered devices are freed on bus_exit */
- ffa_partitions_cleanup();
- return -ENOMEM;
- }
-
- rwlock_init(&info->rw_lock);
- ret = xa_insert(&drv_info->partition_info, drv_info->vm_id,
- info, GFP_KERNEL);
+ ret = ffa_xa_add_partition_info(drv_info->vm_id);
if (ret) {
- pr_err("%s: failed to save Host partition ID 0x%x - ret:%d. Abort.\n",
- __func__, drv_info->vm_id, ret);
- kfree(info);
/* Already registered devices are freed on bus_exit */
ffa_partitions_cleanup();
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 150/272] firmware: arm_ffa: Unregister the FF-A devices when cleaning up the partitions
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 149/272] firmware: arm_ffa: Refactor addition of partition information into XArray Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 151/272] firmware: arm_ffa: Remove unnecessary declaration of ffa_partitions_cleanup() Greg Kroah-Hartman
` (128 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Sudeep Holla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@arm.com>
[ Upstream commit 46dcd68aaccac0812c12ec3f4e59c8963e2760ad ]
Both the FF-A core and the bus were in a single module before the
commit 18c250bd7ed0 ("firmware: arm_ffa: Split bus and driver into distinct modules").
The arm_ffa_bus_exit() takes care of unregistering all the FF-A devices.
Now that there are 2 distinct modules, if the core driver is unloaded and
reloaded, it will end up adding duplicate FF-A devices as the previously
registered devices weren't unregistered when we cleaned up the modules.
Fix the same by unregistering all the FF-A devices on the FF-A bus during
the cleaning up of the partitions and hence the cleanup of the module.
Fixes: 18c250bd7ed0 ("firmware: arm_ffa: Split bus and driver into distinct modules")
Tested-by: Viresh Kumar <viresh.kumar@linaro.org>
Message-Id: <20250217-ffa_updates-v3-8-bd1d9de615e7@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Stable-dep-of: 6d3daa9b8d31 ("firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/bus.c | 3 ++-
drivers/firmware/arm_ffa/driver.c | 7 ++++---
include/linux/arm_ffa.h | 3 +++
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/firmware/arm_ffa/bus.c b/drivers/firmware/arm_ffa/bus.c
index ef41815c0109e..50bbc18599f74 100644
--- a/drivers/firmware/arm_ffa/bus.c
+++ b/drivers/firmware/arm_ffa/bus.c
@@ -162,11 +162,12 @@ static int __ffa_devices_unregister(struct device *dev, void *data)
return 0;
}
-static void ffa_devices_unregister(void)
+void ffa_devices_unregister(void)
{
bus_for_each_dev(&ffa_bus_type, NULL, NULL,
__ffa_devices_unregister);
}
+EXPORT_SYMBOL_GPL(ffa_devices_unregister);
bool ffa_device_is_valid(struct ffa_device *ffa_dev)
{
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 84c4fe40d5279..63030a3849a87 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1492,10 +1492,8 @@ static int ffa_setup_partitions(void)
/* Allocate for the host */
ret = ffa_xa_add_partition_info(drv_info->vm_id);
- if (ret) {
- /* Already registered devices are freed on bus_exit */
+ if (ret)
ffa_partitions_cleanup();
- }
return ret;
}
@@ -1505,6 +1503,9 @@ static void ffa_partitions_cleanup(void)
struct ffa_dev_part_info *info;
unsigned long idx;
+ /* Clean up/free all registered devices */
+ ffa_devices_unregister();
+
xa_for_each(&drv_info->partition_info, idx, info) {
xa_erase(&drv_info->partition_info, idx);
kfree(info);
diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h
index 74169dd0f6594..53f2837ce7df4 100644
--- a/include/linux/arm_ffa.h
+++ b/include/linux/arm_ffa.h
@@ -176,6 +176,7 @@ void ffa_device_unregister(struct ffa_device *ffa_dev);
int ffa_driver_register(struct ffa_driver *driver, struct module *owner,
const char *mod_name);
void ffa_driver_unregister(struct ffa_driver *driver);
+void ffa_devices_unregister(void);
bool ffa_device_is_valid(struct ffa_device *ffa_dev);
#else
@@ -188,6 +189,8 @@ ffa_device_register(const struct ffa_partition_info *part_info,
static inline void ffa_device_unregister(struct ffa_device *dev) {}
+static inline void ffa_devices_unregister(void) {}
+
static inline int
ffa_driver_register(struct ffa_driver *driver, struct module *owner,
const char *mod_name)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 151/272] firmware: arm_ffa: Remove unnecessary declaration of ffa_partitions_cleanup()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 150/272] firmware: arm_ffa: Unregister the FF-A devices when cleaning up the partitions Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 152/272] firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback Greg Kroah-Hartman
` (127 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Sudeep Holla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@arm.com>
[ Upstream commit 9982cabf403fbd06a120a2d5b21830effd32b370 ]
In order to keep the uniformity, just move the ffa_partitions_cleanup()
before it's first usage and drop the unnecessary forward declaration.
No functional change.
Tested-by: Viresh Kumar <viresh.kumar@linaro.org>
Message-Id: <20250217-ffa_updates-v3-13-bd1d9de615e7@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Stable-dep-of: 6d3daa9b8d31 ("firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 33 +++++++++++++++----------------
1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 63030a3849a87..eaaebb841b782 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -114,7 +114,6 @@ struct ffa_drv_info {
};
static struct ffa_drv_info *drv_info;
-static void ffa_partitions_cleanup(void);
/*
* The driver must be able to support all the versions from the earliest
@@ -1441,6 +1440,22 @@ static int ffa_xa_add_partition_info(int vm_id)
return ret;
}
+static void ffa_partitions_cleanup(void)
+{
+ struct ffa_dev_part_info *info;
+ unsigned long idx;
+
+ /* Clean up/free all registered devices */
+ ffa_devices_unregister();
+
+ xa_for_each(&drv_info->partition_info, idx, info) {
+ xa_erase(&drv_info->partition_info, idx);
+ kfree(info);
+ }
+
+ xa_destroy(&drv_info->partition_info);
+}
+
static int ffa_setup_partitions(void)
{
int count, idx, ret;
@@ -1498,22 +1513,6 @@ static int ffa_setup_partitions(void)
return ret;
}
-static void ffa_partitions_cleanup(void)
-{
- struct ffa_dev_part_info *info;
- unsigned long idx;
-
- /* Clean up/free all registered devices */
- ffa_devices_unregister();
-
- xa_for_each(&drv_info->partition_info, idx, info) {
- xa_erase(&drv_info->partition_info, idx);
- kfree(info);
- }
-
- xa_destroy(&drv_info->partition_info);
-}
-
/* FFA FEATURE IDs */
#define FFA_FEAT_NOTIFICATION_PENDING_INT (1)
#define FFA_FEAT_SCHEDULE_RECEIVER_INT (2)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 152/272] firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 151/272] firmware: arm_ffa: Remove unnecessary declaration of ffa_partitions_cleanup() Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 153/272] firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0 Greg Kroah-Hartman
` (126 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Sudeep Holla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@arm.com>
[ Upstream commit be61da938576671c664382a059f961d7b4b2fc41 ]
A partition can implement multiple UUIDs and currently we successfully
register each UUID service as a FF-A device. However when adding the
same partition info to the XArray which tracks the SRI callbacks more
than once, it fails.
In order to allow multiple UUIDs per partition to register SRI callbacks
the partition information stored in the XArray needs to be extended to
a listed list.
A function to remove the list of partition information in the XArray
is not added as there are no users at the time. All the partitions are
added at probe/initialisation and removed at cleanup stage.
Tested-by: Viresh Kumar <viresh.kumar@linaro.org>
Message-Id: <20250217-ffa_updates-v3-18-bd1d9de615e7@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Stable-dep-of: 6d3daa9b8d31 ("firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 159 ++++++++++++++++++++++--------
1 file changed, 117 insertions(+), 42 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index eaaebb841b782..6961cb44194a1 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -871,27 +871,32 @@ struct ffa_dev_part_info {
ffa_sched_recv_cb callback;
void *cb_data;
rwlock_t rw_lock;
+ struct ffa_device *dev;
+ struct list_head node;
};
static void __do_sched_recv_cb(u16 part_id, u16 vcpu, bool is_per_vcpu)
{
- struct ffa_dev_part_info *partition;
+ struct ffa_dev_part_info *partition = NULL, *tmp;
ffa_sched_recv_cb callback;
+ struct list_head *phead;
void *cb_data;
- partition = xa_load(&drv_info->partition_info, part_id);
- if (!partition) {
+ phead = xa_load(&drv_info->partition_info, part_id);
+ if (!phead) {
pr_err("%s: Invalid partition ID 0x%x\n", __func__, part_id);
return;
}
- read_lock(&partition->rw_lock);
- callback = partition->callback;
- cb_data = partition->cb_data;
- read_unlock(&partition->rw_lock);
+ list_for_each_entry_safe(partition, tmp, phead, node) {
+ read_lock(&partition->rw_lock);
+ callback = partition->callback;
+ cb_data = partition->cb_data;
+ read_unlock(&partition->rw_lock);
- if (callback)
- callback(vcpu, is_per_vcpu, cb_data);
+ if (callback)
+ callback(vcpu, is_per_vcpu, cb_data);
+ }
}
/*
@@ -1101,18 +1106,29 @@ struct notifier_cb_info {
enum notify_type type;
};
-static int ffa_sched_recv_cb_update(u16 part_id, ffa_sched_recv_cb callback,
- void *cb_data, bool is_registration)
+static int
+ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callback,
+ void *cb_data, bool is_registration)
{
- struct ffa_dev_part_info *partition;
+ struct ffa_dev_part_info *partition = NULL, *tmp;
+ struct list_head *phead;
bool cb_valid;
if (ffa_notifications_disabled())
return -EOPNOTSUPP;
- partition = xa_load(&drv_info->partition_info, part_id);
+ phead = xa_load(&drv_info->partition_info, dev->vm_id);
+ if (!phead) {
+ pr_err("%s: Invalid partition ID 0x%x\n", __func__, dev->vm_id);
+ return -EINVAL;
+ }
+
+ list_for_each_entry_safe(partition, tmp, phead, node)
+ if (partition->dev == dev)
+ break;
+
if (!partition) {
- pr_err("%s: Invalid partition ID 0x%x\n", __func__, part_id);
+ pr_err("%s: No such partition ID 0x%x\n", __func__, dev->vm_id);
return -EINVAL;
}
@@ -1134,12 +1150,12 @@ static int ffa_sched_recv_cb_update(u16 part_id, ffa_sched_recv_cb callback,
static int ffa_sched_recv_cb_register(struct ffa_device *dev,
ffa_sched_recv_cb cb, void *cb_data)
{
- return ffa_sched_recv_cb_update(dev->vm_id, cb, cb_data, true);
+ return ffa_sched_recv_cb_update(dev, cb, cb_data, true);
}
static int ffa_sched_recv_cb_unregister(struct ffa_device *dev)
{
- return ffa_sched_recv_cb_update(dev->vm_id, NULL, NULL, false);
+ return ffa_sched_recv_cb_update(dev, NULL, NULL, false);
}
static int ffa_notification_bind(u16 dst_id, u64 bitmap, u32 flags)
@@ -1420,37 +1436,101 @@ static struct notifier_block ffa_bus_nb = {
.notifier_call = ffa_bus_notifier,
};
-static int ffa_xa_add_partition_info(int vm_id)
+static int ffa_xa_add_partition_info(struct ffa_device *dev)
{
struct ffa_dev_part_info *info;
- int ret;
+ struct list_head *head, *phead;
+ int ret = -ENOMEM;
+
+ phead = xa_load(&drv_info->partition_info, dev->vm_id);
+ if (phead) {
+ head = phead;
+ list_for_each_entry(info, head, node) {
+ if (info->dev == dev) {
+ pr_err("%s: duplicate dev %p part ID 0x%x\n",
+ __func__, dev, dev->vm_id);
+ return -EEXIST;
+ }
+ }
+ }
info = kzalloc(sizeof(*info), GFP_KERNEL);
if (!info)
- return -ENOMEM;
+ return ret;
rwlock_init(&info->rw_lock);
- ret = xa_insert(&drv_info->partition_info, vm_id, info, GFP_KERNEL);
- if (ret) {
- pr_err("%s: failed to save partition ID 0x%x - ret:%d. Abort.\n",
- __func__, vm_id, ret);
- kfree(info);
+ info->dev = dev;
+
+ if (!phead) {
+ phead = kzalloc(sizeof(*phead), GFP_KERNEL);
+ if (!phead)
+ goto free_out;
+
+ INIT_LIST_HEAD(phead);
+
+ ret = xa_insert(&drv_info->partition_info, dev->vm_id, phead,
+ GFP_KERNEL);
+ if (ret) {
+ pr_err("%s: failed to save part ID 0x%x Ret:%d\n",
+ __func__, dev->vm_id, ret);
+ goto free_out;
+ }
}
+ list_add(&info->node, phead);
+ return 0;
+
+free_out:
+ kfree(phead);
+ kfree(info);
+ return ret;
+}
+
+static int ffa_setup_host_partition(int vm_id)
+{
+ struct ffa_partition_info buf = { 0 };
+ struct ffa_device *ffa_dev;
+ int ret;
+
+ buf.id = vm_id;
+ ffa_dev = ffa_device_register(&buf, &ffa_drv_ops);
+ if (!ffa_dev) {
+ pr_err("%s: failed to register host partition ID 0x%x\n",
+ __func__, vm_id);
+ return -EINVAL;
+ }
+
+ ret = ffa_xa_add_partition_info(ffa_dev);
+ if (ret)
+ return ret;
+
+ if (ffa_notifications_disabled())
+ return 0;
+
+ ret = ffa_sched_recv_cb_update(ffa_dev, ffa_self_notif_handle,
+ drv_info, true);
+ if (ret)
+ pr_info("Failed to register driver sched callback %d\n", ret);
return ret;
}
static void ffa_partitions_cleanup(void)
{
- struct ffa_dev_part_info *info;
+ struct list_head *phead;
unsigned long idx;
/* Clean up/free all registered devices */
ffa_devices_unregister();
- xa_for_each(&drv_info->partition_info, idx, info) {
+ xa_for_each(&drv_info->partition_info, idx, phead) {
+ struct ffa_dev_part_info *info, *tmp;
+
xa_erase(&drv_info->partition_info, idx);
- kfree(info);
+ list_for_each_entry_safe(info, tmp, phead, node) {
+ list_del(&info->node);
+ kfree(info);
+ }
+ kfree(phead);
}
xa_destroy(&drv_info->partition_info);
@@ -1493,7 +1573,7 @@ static int ffa_setup_partitions(void)
!(tpbuf->properties & FFA_PARTITION_AARCH64_EXEC))
ffa_mode_32bit_set(ffa_dev);
- if (ffa_xa_add_partition_info(ffa_dev->vm_id)) {
+ if (ffa_xa_add_partition_info(ffa_dev)) {
ffa_device_unregister(ffa_dev);
continue;
}
@@ -1501,12 +1581,16 @@ static int ffa_setup_partitions(void)
kfree(pbuf);
- /* Check if the host is already added as part of partition info */
+ /*
+ * Check if the host is already added as part of partition info
+ * No multiple UUID possible for the host, so just checking if
+ * there is an entry will suffice
+ */
if (xa_load(&drv_info->partition_info, drv_info->vm_id))
return 0;
/* Allocate for the host */
- ret = ffa_xa_add_partition_info(drv_info->vm_id);
+ ret = ffa_setup_host_partition(drv_info->vm_id);
if (ret)
ffa_partitions_cleanup();
@@ -1815,19 +1899,10 @@ static int __init ffa_init(void)
ffa_notifications_setup();
ret = ffa_setup_partitions();
- if (ret) {
- pr_err("failed to setup partitions\n");
- goto cleanup_notifs;
- }
-
- ret = ffa_sched_recv_cb_update(drv_info->vm_id, ffa_self_notif_handle,
- drv_info, true);
- if (ret)
- pr_info("Failed to register driver sched callback %d\n", ret);
-
- return 0;
+ if (!ret)
+ return ret;
-cleanup_notifs:
+ pr_err("failed to setup partitions\n");
ffa_notifications_cleanup();
ffa_rxtx_unmap();
free_pages:
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 153/272] firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 152/272] firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 154/272] riscv: mm: Fixup no5lvl failure when vaddr is invalid Greg Kroah-Hartman
` (125 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 6d3daa9b8d313f42d52e75590310f26a29b61b44 ]
For FF-A v1.0 the driver registers a bus notifier to backfill UUID
matching, but the notifier was never unregistered on cleanup paths.
Track the registration state and unregister it during teardown and early
partition-setup failure.
Fixes: 9dd15934f60d ("firmware: arm_ffa: Move the FF-A v1.0 NULL UUID workaround to bus notifier")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-5-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 6961cb44194a1..a6c5f89476c06 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -100,6 +100,7 @@ struct ffa_drv_info {
bool mem_ops_native;
bool msg_direct_req2_supp;
bool bitmap_created;
+ bool bus_notifier_registered;
bool notif_enabled;
unsigned int sched_recv_irq;
unsigned int notif_pend_irq;
@@ -1436,6 +1437,15 @@ static struct notifier_block ffa_bus_nb = {
.notifier_call = ffa_bus_notifier,
};
+static void ffa_bus_notifier_unregister(void)
+{
+ if (!drv_info->bus_notifier_registered)
+ return;
+
+ bus_unregister_notifier(&ffa_bus_type, &ffa_bus_nb);
+ drv_info->bus_notifier_registered = false;
+}
+
static int ffa_xa_add_partition_info(struct ffa_device *dev)
{
struct ffa_dev_part_info *info;
@@ -1519,6 +1529,8 @@ static void ffa_partitions_cleanup(void)
struct list_head *phead;
unsigned long idx;
+ ffa_bus_notifier_unregister();
+
/* Clean up/free all registered devices */
ffa_devices_unregister();
@@ -1546,11 +1558,14 @@ static int ffa_setup_partitions(void)
ret = bus_register_notifier(&ffa_bus_type, &ffa_bus_nb);
if (ret)
pr_err("Failed to register FF-A bus notifiers\n");
+ else
+ drv_info->bus_notifier_registered = true;
}
count = ffa_partition_probe(&uuid_null, &pbuf);
if (count <= 0) {
pr_info("%s: No partitions found, error %d\n", __func__, count);
+ ffa_bus_notifier_unregister();
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 154/272] riscv: mm: Fixup no5lvl failure when vaddr is invalid
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 153/272] firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0 Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 155/272] kunit: config: Enable KUNIT_DEBUGFS by default Greg Kroah-Hartman
` (124 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Ghiti,
Björn Töpel, Guo Ren (Alibaba DAMO Academy), Fangyu Yu,
Paul Walmsley, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guo Ren (Alibaba DAMO Academy) <guoren@kernel.org>
[ Upstream commit db909bd7986c10da074917af3dae83a60fa65093 ]
Unlike no4lvl, no5lvl still continues to detect satp, which
requires va=pa mapping. When pa=0x800000000000, no5lvl
would fail in Sv48 mode due to an illegal VA value of
0x800000000000.
So, prevent detecting the satp flow for no5lvl, when
vaddr is invalid. Add the is_vaddr_valid() function for
checking.
Fixes: 26e7aacb83df ("riscv: Allow to downgrade paging mode from the command line")
Cc: Alexandre Ghiti <alexghiti@rivosinc.com>
Cc: Björn Töpel <bjorn@rivosinc.com>
Signed-off-by: Guo Ren (Alibaba DAMO Academy) <guoren@kernel.org>
Tested-by: Fangyu Yu <fangyu.yu@linux.alibaba.com>
Link: https://patch.msgid.link/20260125055212.433163-1-guoren@kernel.org
[pjw@kernel.org: cleaned up commit message]
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/mm/init.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 8d167e09f1fea..8cd8bc9b82cb2 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -807,6 +807,27 @@ static void __init set_mmap_rnd_bits_max(void)
mmap_rnd_bits_max = MMAP_VA_BITS - PAGE_SHIFT - 3;
}
+static bool __init is_vaddr_valid(unsigned long va)
+{
+ unsigned long up = 0;
+
+ switch (satp_mode) {
+ case SATP_MODE_39:
+ up = 1UL << 38;
+ break;
+ case SATP_MODE_48:
+ up = 1UL << 47;
+ break;
+ case SATP_MODE_57:
+ up = 1UL << 56;
+ break;
+ default:
+ return false;
+ }
+
+ return (va < up) || (va >= (ULONG_MAX - up + 1));
+}
+
/*
* There is a simple way to determine if 4-level is supported by the
* underlying hardware: establish 1:1 mapping in 4-level page table mode
@@ -842,6 +863,9 @@ static __init void set_satp_mode(uintptr_t dtb_pa)
set_satp_mode_pmd + PMD_SIZE,
PMD_SIZE, PAGE_KERNEL_EXEC);
retry:
+ if (!is_vaddr_valid(set_satp_mode_pmd))
+ goto out;
+
create_pgd_mapping(early_pg_dir,
set_satp_mode_pmd,
pgtable_l5_enabled ?
@@ -864,6 +888,7 @@ static __init void set_satp_mode(uintptr_t dtb_pa)
disable_pgtable_l4();
}
+out:
memset(early_pg_dir, 0, PAGE_SIZE);
memset(early_p4d, 0, PAGE_SIZE);
memset(early_pud, 0, PAGE_SIZE);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 155/272] kunit: config: Enable KUNIT_DEBUGFS by default
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 154/272] riscv: mm: Fixup no5lvl failure when vaddr is invalid Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 156/272] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS Greg Kroah-Hartman
` (123 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Gow, Shuah Khan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Gow <david@davidgow.net>
[ Upstream commit 17e4c68ff35090d8cb743e3c82c09f92fda1ebda ]
The KUNIT_DEBUGFS option is currently enabled based on the value of
KUNIT_ALL_TESTS, but it really doesn't have anything to do with the set of
enabled tests, so just enable it by default anyway. In particular, this
shouldn't be only visible if KUNIT_ALL_TESTS is set, which is quite
confusing.
Link: https://lore.kernel.org/r/20260425034155.53913-1-david@davidgow.net
Fixes: beaed42c427d ("kunit: default KUNIT_* fragments to KUNIT_ALL_TESTS")
Signed-off-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/kunit/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/kunit/Kconfig b/lib/kunit/Kconfig
index 34d7242d526dc..8a30ad48f3c07 100644
--- a/lib/kunit/Kconfig
+++ b/lib/kunit/Kconfig
@@ -16,8 +16,8 @@ menuconfig KUNIT
if KUNIT
config KUNIT_DEBUGFS
- bool "KUnit - Enable /sys/kernel/debug/kunit debugfs representation" if !KUNIT_ALL_TESTS
- default KUNIT_ALL_TESTS
+ bool "KUnit - Enable /sys/kernel/debug/kunit debugfs representation"
+ default y
help
Enable debugfs representation for kunit. Currently this consists
of /sys/kernel/debug/kunit/<test_suite>/results files for each
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 156/272] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 155/272] kunit: config: Enable KUNIT_DEBUGFS by default Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 157/272] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 Greg Kroah-Hartman
` (122 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Gow, Shuah Khan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Gow <david@davidgow.net>
[ Upstream commit 8f80b5b227ef9ea422080487715c841856339aed ]
CONFIG_KUNIT_DEBUGFS is totally useless without debugfs, so it should
depend on CONFIG_DEBUG_FS.
Link: https://lore.kernel.org/r/20260425034155.53913-2-david@davidgow.net
Fixes: e2219db280e3 ("kunit: add debugfs /sys/kernel/debug/kunit/<suite>/results display")
Signed-off-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/kunit/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/kunit/Kconfig b/lib/kunit/Kconfig
index 8a30ad48f3c07..e22cbee60ab25 100644
--- a/lib/kunit/Kconfig
+++ b/lib/kunit/Kconfig
@@ -17,6 +17,7 @@ if KUNIT
config KUNIT_DEBUGFS
bool "KUnit - Enable /sys/kernel/debug/kunit debugfs representation"
+ depends on DEBUG_FS
default y
help
Enable debugfs representation for kunit. Currently this consists
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 157/272] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 156/272] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 158/272] firmware: arm_ffa: Fix big-endian support in __ffa_partition_info_regs_get() Greg Kroah-Hartman
` (121 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Maulik Shah,
Navya Malempati, Linus Walleij, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maulik Shah <maulik.shah@oss.qualcomm.com>
[ Upstream commit 52ac35b8a151446481496404af3a8e5e889b3c5a ]
PDC interrupts 122-125 were meant for ibi_i3c wakeup but sm8150 do not
support i3c. GPIOs 39,51,88 and 144 are also connected to different PDC
pin and already reflected in the wake irq map.
Remove the unsupported wakeup interrupts from the map.
Fixes: 90337380c809 ("pinctrl: qcom: sm8150: Specify PDC map")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
Signed-off-by: Navya Malempati <navya.malempati@oss.qualcomm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-sm8150.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pinctrl/qcom/pinctrl-sm8150.c b/drivers/pinctrl/qcom/pinctrl-sm8150.c
index f8f5bee74f1dc..565aab84835cb 100644
--- a/drivers/pinctrl/qcom/pinctrl-sm8150.c
+++ b/drivers/pinctrl/qcom/pinctrl-sm8150.c
@@ -1496,18 +1496,18 @@ static const struct msm_gpio_wakeirq_map sm8150_pdc_map[] = {
{ 3, 31 }, { 5, 32 }, { 8, 33 }, { 9, 34 }, { 10, 100 },
{ 12, 104 }, { 24, 37 }, { 26, 38 }, { 27, 41 }, { 28, 42 },
{ 30, 39 }, { 36, 43 }, { 37, 44 }, { 38, 30 }, { 39, 118 },
- { 39, 125 }, { 41, 47 }, { 42, 48 }, { 46, 50 }, { 47, 49 },
- { 48, 51 }, { 49, 53 }, { 50, 52 }, { 51, 116 }, { 51, 123 },
+ { 41, 47 }, { 42, 48 }, { 46, 50 }, { 47, 49 },
+ { 48, 51 }, { 49, 53 }, { 50, 52 }, { 51, 116 },
{ 53, 54 }, { 54, 55 }, { 55, 56 }, { 56, 57 }, { 58, 58 },
{ 60, 60 }, { 61, 61 }, { 68, 62 }, { 70, 63 }, { 76, 71 },
{ 77, 66 }, { 81, 64 }, { 83, 65 }, { 86, 67 }, { 87, 84 },
- { 88, 117 }, { 88, 124 }, { 90, 69 }, { 91, 70 }, { 93, 75 },
+ { 88, 117 }, { 90, 69 }, { 91, 70 }, { 93, 75 },
{ 95, 72 }, { 96, 73 }, { 97, 74 }, { 101, 40 }, { 103, 77 },
{ 104, 78 }, { 108, 79 }, { 112, 80 }, { 113, 81 }, { 114, 82 },
{ 117, 85 }, { 118, 101 }, { 119, 87 }, { 120, 88 }, { 121, 89 },
{ 122, 90 }, { 123, 91 }, { 124, 92 }, { 125, 93 }, { 129, 94 },
{ 132, 105 }, { 133, 83 }, { 134, 36 }, { 136, 97 }, { 142, 103 },
- { 144, 115 }, { 144, 122 }, { 147, 102 }, { 150, 107 },
+ { 144, 115 }, { 147, 102 }, { 150, 107 },
{ 152, 108 }, { 153, 109 }
};
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 158/272] firmware: arm_ffa: Fix big-endian support in __ffa_partition_info_regs_get()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 157/272] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 159/272] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies Greg Kroah-Hartman
` (120 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Sudeep Holla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@arm.com>
[ Upstream commit 7bc0f589c81d62bc95f9ed142847219fc5d8ef6c ]
Currently the FF-A driver doesn't support big-endian correctly. It is
hard to regularly test the setup due to lack of test infrastructure and
tools.
In order to support full stack, we need to take small steps in getting
the support for big-endian kernel added slowly. This change fixes the
support in __ffa_partition_info_regs_get() so that the response from the
firmware are converted correctly as required. With this change, we can
enumerate all the FF-A devices correctly in the big-endian kernel if the
FFA_PARTITION_INFO_REGS_GET is supported.
Tested-by: Viresh Kumar <viresh.kumar@linaro.org>
Message-Id: <20250217-ffa_updates-v3-5-bd1d9de615e7@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Stable-dep-of: 3974ea193840 ("firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index a6c5f89476c06..f033bd8ee816d 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -304,14 +304,24 @@ __ffa_partition_info_get(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
#define CURRENT_INDEX(x) ((u16)(FIELD_GET(CURRENT_INDEX_MASK, (x))))
#define UUID_INFO_TAG(x) ((u16)(FIELD_GET(UUID_INFO_TAG_MASK, (x))))
#define PARTITION_INFO_SZ(x) ((u16)(FIELD_GET(PARTITION_INFO_SZ_MASK, (x))))
+#define PART_INFO_ID_MASK GENMASK(15, 0)
+#define PART_INFO_EXEC_CXT_MASK GENMASK(31, 16)
+#define PART_INFO_PROPS_MASK GENMASK(63, 32)
+#define PART_INFO_ID(x) ((u16)(FIELD_GET(PART_INFO_ID_MASK, (x))))
+#define PART_INFO_EXEC_CXT(x) ((u16)(FIELD_GET(PART_INFO_EXEC_CXT_MASK, (x))))
+#define PART_INFO_PROPERTIES(x) ((u32)(FIELD_GET(PART_INFO_PROPS_MASK, (x))))
static int
__ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
struct ffa_partition_info *buffer, int num_parts)
{
u16 buf_sz, start_idx, cur_idx, count = 0, prev_idx = 0, tag = 0;
+ struct ffa_partition_info *buf = buffer;
ffa_value_t partition_info;
do {
+ __le64 *regs;
+ int idx;
+
start_idx = prev_idx ? prev_idx + 1 : 0;
invoke_ffa_fn((ffa_value_t){
@@ -335,8 +345,25 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
if (buf_sz > sizeof(*buffer))
buf_sz = sizeof(*buffer);
- memcpy(buffer + prev_idx * buf_sz, &partition_info.a3,
- (cur_idx - start_idx + 1) * buf_sz);
+ regs = (void *)&partition_info.a3;
+ for (idx = 0; idx < cur_idx - start_idx + 1; idx++, buf++) {
+ union {
+ uuid_t uuid;
+ u64 regs[2];
+ } uuid_regs = {
+ .regs = {
+ le64_to_cpu(*(regs + 1)),
+ le64_to_cpu(*(regs + 2)),
+ }
+ };
+ u64 val = *(u64 *)regs;
+
+ buf->id = PART_INFO_ID(val);
+ buf->exec_ctxt = PART_INFO_EXEC_CXT(val);
+ buf->properties = PART_INFO_PROPERTIES(val);
+ uuid_copy(&buf->uuid, &uuid_regs.uuid);
+ regs += 3;
+ }
prev_idx = cur_idx;
} while (cur_idx < (count - 1));
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 159/272] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 158/272] firmware: arm_ffa: Fix big-endian support in __ffa_partition_info_regs_get() Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 160/272] firmware: arm_ffa: Align RxTx buffer size before mapping Greg Kroah-Hartman
` (119 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 3974ea1938406f9bfa7c1f48d4e43533f447bb08 ]
The register-based PARTITION_INFO_GET path trusted the firmware-provided
indices when copying partition descriptors into the caller buffer.
Reject inconsistent counts or index progressions so the copy loop cannot
write past the allocated array.
Fixes: ba85c644ac8d ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-6-8595ae450034@kernel.org
(fixed cur_idx when exactly one descriptor in the first fragment)
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index f033bd8ee816d..521007bfa35a4 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -307,6 +307,12 @@ __ffa_partition_info_get(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
#define PART_INFO_ID_MASK GENMASK(15, 0)
#define PART_INFO_EXEC_CXT_MASK GENMASK(31, 16)
#define PART_INFO_PROPS_MASK GENMASK(63, 32)
+#define FFA_PART_INFO_GET_REGS_FIRST_REG 3
+#define FFA_PART_INFO_GET_REGS_REGS_PER_DESC 3
+#define FFA_PART_INFO_GET_REGS_MAX_DESC \
+ (((sizeof(ffa_value_t) / sizeof_field(ffa_value_t, a0)) - \
+ FFA_PART_INFO_GET_REGS_FIRST_REG) / \
+ FFA_PART_INFO_GET_REGS_REGS_PER_DESC)
#define PART_INFO_ID(x) ((u16)(FIELD_GET(PART_INFO_ID_MASK, (x))))
#define PART_INFO_EXEC_CXT(x) ((u16)(FIELD_GET(PART_INFO_EXEC_CXT_MASK, (x))))
#define PART_INFO_PROPERTIES(x) ((u32)(FIELD_GET(PART_INFO_PROPS_MASK, (x))))
@@ -314,15 +320,13 @@ static int
__ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
struct ffa_partition_info *buffer, int num_parts)
{
- u16 buf_sz, start_idx, cur_idx, count = 0, prev_idx = 0, tag = 0;
+ u16 buf_sz, start_idx = 0, cur_idx, count = 0, tag = 0;
struct ffa_partition_info *buf = buffer;
ffa_value_t partition_info;
do {
__le64 *regs;
- int idx;
-
- start_idx = prev_idx ? prev_idx + 1 : 0;
+ int idx, nr_desc, buf_idx;
invoke_ffa_fn((ffa_value_t){
.a0 = FFA_PARTITION_INFO_GET_REGS,
@@ -338,15 +342,28 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
count = PARTITION_COUNT(partition_info.a2);
if (!buffer || !num_parts) /* count only */
return count;
+ if (count > num_parts)
+ return -EINVAL;
cur_idx = CURRENT_INDEX(partition_info.a2);
+ if (cur_idx < start_idx || cur_idx >= count)
+ return -EINVAL;
+
+ nr_desc = cur_idx - start_idx + 1;
+ if (nr_desc > FFA_PART_INFO_GET_REGS_MAX_DESC)
+ return -EINVAL;
+
+ buf_idx = buf - buffer;
+ if (buf_idx + nr_desc > num_parts)
+ return -EINVAL;
+
tag = UUID_INFO_TAG(partition_info.a2);
buf_sz = PARTITION_INFO_SZ(partition_info.a2);
if (buf_sz > sizeof(*buffer))
buf_sz = sizeof(*buffer);
regs = (void *)&partition_info.a3;
- for (idx = 0; idx < cur_idx - start_idx + 1; idx++, buf++) {
+ for (idx = 0; idx < nr_desc; idx++, buf++) {
union {
uuid_t uuid;
u64 regs[2];
@@ -364,7 +381,7 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3,
uuid_copy(&buf->uuid, &uuid_regs.uuid);
regs += 3;
}
- prev_idx = cur_idx;
+ start_idx = cur_idx + 1;
} while (cur_idx < (count - 1));
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 160/272] firmware: arm_ffa: Align RxTx buffer size before mapping
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 159/272] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 161/272] firmware: arm_ffa: Fix sched-recv callback partition lookup Greg Kroah-Hartman
` (118 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Ene, Sudeep Holla,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 0399e3f872ca3d78044bb715a73ea645806d2c7b ]
Commit 83210251fd70 ("firmware: arm_ffa: Use the correct buffer size during
RXTX_MAP") advertises PAGE_ALIGN(rxtx_bufsz) to firmware when mapping the
buffers but the driver continues to stores the minimum FF-A buffer size
in drv_info->rxtx_bufsz which is used elsewhere in the driver.
Align the size before storing it so that the allocation, validation and
FFA_RXTX_MAP all use the same buffer size.
Fixes: 83210251fd70 ("firmware: arm_ffa: Use the correct buffer size during RXTX_MAP")
Cc: Sebastian Ene <sebastianene@google.com>
Link: https://sashiko.dev/#/patchset/20260402113939.930221-1-sebastianene@google.com
Reviewed-by: Sebastian Ene <sebastianene@google.com>
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-9-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 521007bfa35a4..f35c3a56326c7 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1929,6 +1929,7 @@ static int __init ffa_init(void)
rxtx_bufsz = SZ_4K;
}
+ rxtx_bufsz = PAGE_ALIGN(rxtx_bufsz);
drv_info->rxtx_bufsz = rxtx_bufsz;
drv_info->rx_buffer = alloc_pages_exact(rxtx_bufsz, GFP_KERNEL);
if (!drv_info->rx_buffer) {
@@ -1944,7 +1945,7 @@ static int __init ffa_init(void)
ret = ffa_rxtx_map(virt_to_phys(drv_info->tx_buffer),
virt_to_phys(drv_info->rx_buffer),
- PAGE_ALIGN(rxtx_bufsz) / FFA_PAGE_SIZE);
+ rxtx_bufsz / FFA_PAGE_SIZE);
if (ret) {
pr_err("failed to register FFA RxTx buffers\n");
goto free_pages;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 161/272] firmware: arm_ffa: Fix sched-recv callback partition lookup
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 160/272] firmware: arm_ffa: Align RxTx buffer size before mapping Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 162/272] ARM: integrator: Fix early initialization Greg Kroah-Hartman
` (117 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit a6848a50404eefb6f0b131c21881a2d8d21b31a9 ]
ffa_sched_recv_cb_update() used list_for_each_entry_safe() to search for
a matching partition and then tested the iterator against NULL. That is
not a valid end-of-list check for circular lists and can fall through
with an invalid pointer. Use a normal iterator and detect the not-found
case correctly before touching the partition state.
Fixes: be61da938576 ("firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-11-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index f35c3a56326c7..89474fa3c80e5 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1155,7 +1155,7 @@ static int
ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callback,
void *cb_data, bool is_registration)
{
- struct ffa_dev_part_info *partition = NULL, *tmp;
+ struct ffa_dev_part_info *partition = NULL;
struct list_head *phead;
bool cb_valid;
@@ -1168,11 +1168,11 @@ ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callback,
return -EINVAL;
}
- list_for_each_entry_safe(partition, tmp, phead, node)
+ list_for_each_entry(partition, phead, node)
if (partition->dev == dev)
break;
- if (!partition) {
+ if (&partition->node == phead) {
pr_err("%s: No such partition ID 0x%x\n", __func__, dev->vm_id);
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 162/272] ARM: integrator: Fix early initialization
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 161/272] firmware: arm_ffa: Fix sched-recv callback partition lookup Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 163/272] ALSA: hda: cs35l56: Put ACPI device after setting companion Greg Kroah-Hartman
` (116 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Guenter Roeck,
Arnd Bergmann, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 90d77b30a666049ad24df463f52e5d529c44e8cd ]
Starting with commit bdb249fce9ad4 ("ARM: integrator: read counter using
syscon/regmap"), intcp_init_early calls syscon_regmap_lookup_by_compatible
which in turn calls of_syscon_register. This function allocates memory.
Since the memory management code has not been initialized at that time,
the call always fails. It either returns -ENOMEM or crashes as follows.
Unable to handle kernel NULL pointer dereference at virtual address 0000000c when read
[0000000c] *pgd=00000000
Internal error: Oops: 5 [#1] ARM
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc5-00026-g5fcc9bf84ee5 #1 PREEMPT
Hardware name: ARM Integrator/CP (Device Tree)
PC is at __kmalloc_cache_noprof+0xec/0x39c
LR is at __kmalloc_cache_noprof+0x34/0x39c
...
Call trace:
__kmalloc_cache_noprof from of_syscon_register+0x7c/0x310
of_syscon_register from device_node_get_regmap+0xa4/0xb0
device_node_get_regmap from intcp_init_early+0xc/0x40
intcp_init_early from start_kernel+0x60/0x688
start_kernel from 0x0
The crash is seen due to a dereferenced pointer which is not supposed to be
NULL but is NULL if the memory management subsystem has not been
initialized. The crash is not seen with all versions of gcc. Some versions
such as gcc 9.x apparently do not dereference the pointer, presumably if
tracing is disabled. The problem has been reproduced with gcc 10.x, 11.x,
and 13.x. Either case, if the crash is not seen, the call to
syscon_regmap_lookup_by_compatible returns -ENOMEM, and
sched_clock_register is never called.
Fix the problem by moving the early initialization code into the standard
machine initialization code.
Fixes: bdb249fce9ad4 ("ARM: integrator: read counter using syscon/regmap")
Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/20250518164118.3859567-1-linux@roeck-us.net
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20260505-integrator-fixes-v1-1-56ab9aac59db@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-versatile/integrator_cp.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/arch/arm/mach-versatile/integrator_cp.c b/arch/arm/mach-versatile/integrator_cp.c
index 2ed4ded56b3fe..03dfb5f720b7b 100644
--- a/arch/arm/mach-versatile/integrator_cp.c
+++ b/arch/arm/mach-versatile/integrator_cp.c
@@ -86,14 +86,6 @@ static u64 notrace intcp_read_sched_clock(void)
return val;
}
-static void __init intcp_init_early(void)
-{
- cm_map = syscon_regmap_lookup_by_compatible("arm,core-module-integrator");
- if (IS_ERR(cm_map))
- return;
- sched_clock_register(intcp_read_sched_clock, 32, 24000000);
-}
-
static void __init intcp_init_irq_of(void)
{
cm_init();
@@ -119,6 +111,10 @@ static void __init intcp_init_of(void)
{
struct device_node *cpcon;
+ cm_map = syscon_regmap_lookup_by_compatible("arm,core-module-integrator");
+ if (!IS_ERR(cm_map))
+ sched_clock_register(intcp_read_sched_clock, 32, 24000000);
+
cpcon = of_find_matching_node(NULL, intcp_syscon_match);
if (!cpcon)
return;
@@ -138,7 +134,6 @@ static const char * intcp_dt_board_compat[] = {
DT_MACHINE_START(INTEGRATOR_CP_DT, "ARM Integrator/CP (Device Tree)")
.reserve = integrator_reserve,
.map_io = intcp_map_io,
- .init_early = intcp_init_early,
.init_irq = intcp_init_irq_of,
.init_machine = intcp_init_of,
.dt_compat = intcp_dt_board_compat,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 163/272] ALSA: hda: cs35l56: Put ACPI device after setting companion
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 162/272] ARM: integrator: Fix early initialization Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 164/272] ALSA: hda: cs35l41: Put ACPI device on missing physical node Greg Kroah-Hartman
` (115 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Simon Trimmer,
Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
[ Upstream commit aa2fbece1b07954ef26488c800d126a36a8ab93e ]
acpi_dev_get_first_match_dev() returns a refcounted ACPI device and
callers are expected to balance it with acpi_dev_put().
When no companion is already attached, cs35l56_hda_read_acpi() looks
up an ACPI device and sets it with ACPI_COMPANION_SET(), but leaves
the lookup reference held.
ACPI_COMPANION_SET() does not take ownership of that reference, so
drop it with acpi_dev_put() after attaching the companion.
Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Tested-by: Simon Trimmer <simont@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260428080139.GA1649104@chcpu16
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/cs35l56_hda.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c
index ee5387140ae48..5c0c4b79f5197 100644
--- a/sound/pci/hda/cs35l56_hda.c
+++ b/sound/pci/hda/cs35l56_hda.c
@@ -953,6 +953,7 @@ static int cs35l56_hda_read_acpi(struct cs35l56_hda *cs35l56, int hid, int id)
return -ENODEV;
}
ACPI_COMPANION_SET(cs35l56->base.dev, adev);
+ acpi_dev_put(adev);
}
/* Initialize things that could be overwritten by a fixup */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 164/272] ALSA: hda: cs35l41: Put ACPI device on missing physical node
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 163/272] ALSA: hda: cs35l56: Put ACPI device after setting companion Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 165/272] btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() Greg Kroah-Hartman
` (114 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Simon Trimmer,
Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
[ Upstream commit fca7401fe37f7abc6e54147ea560f37279231137 ]
acpi_dev_get_first_match_dev() returns a refcounted ACPI device and
callers must balance it with acpi_dev_put().
cs35l41_hda_read_acpi() stores the returned ACPI device in
cs35l41->dacpi. That reference is normally released by the later
probe cleanup or the remove path, but the NULL-check on
physdev exits before either of those paths can run.
Drop the lookup reference before returning -ENODEV.
Fixes: c34b04cc6178 ("ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Tested-by: Simon Trimmer <simont@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260428081238.GA1659932@chcpu16
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/cs35l41_hda.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c
index e115b9bd7ce3d..42c576d9f1179 100644
--- a/sound/pci/hda/cs35l41_hda.c
+++ b/sound/pci/hda/cs35l41_hda.c
@@ -1865,8 +1865,10 @@ static int cs35l41_hda_read_acpi(struct cs35l41_hda *cs35l41, const char *hid, i
cs35l41->dacpi = adev;
physdev = get_device(acpi_get_first_physical_node(adev));
- if (!physdev)
+ if (!physdev) {
+ acpi_dev_put(adev);
return -ENODEV;
+ }
sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
if (IS_ERR(sub))
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 165/272] btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 164/272] ALSA: hda: cs35l41: Put ACPI device on missing physical node Greg Kroah-Hartman
@ 2026-05-28 19:48 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 166/272] netfilter: x_tables: unregister the templates first Greg Kroah-Hartman
` (113 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Filipe Manana,
David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit c73370c677646e86fc4b1780fb07027bdf847375 ]
The trace event btrfs_sync_file() is called in an atomic context (all trace
events are) and its call to dput(), which is needed due to the call to
dget_parent(), can sleep, triggering a kernel splat.
This can be reproduced by enabling the trace event and running btrfs/056
from fstests for example. The splat shown in dmesg is the following:
[53.919] BUG: sleeping function called from invalid context at fs/dcache.c:970
[53.947] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 32773, name: xfs_io
[53.988] preempt_count: 2, expected: 0
[53.967] RCU nest depth: 0, expected: 0
[53.943] Preemption disabled at:
[53.944] [<0000000000000000>] 0x0
[54.078] CPU: 0 UID: 0 PID: 32773 Comm: xfs_io Tainted: G W 7.1.0-rc1-btrfs-next-232+ #1 PREEMPT(full)
[54.070] Tainted: [W]=WARN
[54.071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[54.072] Call Trace:
[54.074] <TASK>
[54.076] dump_stack_lvl+0x56/0x80
[54.079] __might_resched.cold+0xd6/0x10f
[54.072] dput.part.0+0x24/0x110
[54.078] trace_event_raw_event_btrfs_sync_file+0x75/0x140 [btrfs]
[54.089] btrfs_sync_file+0x1ed/0x530 [btrfs]
[54.087] ? __handle_mm_fault+0x8ae/0xed0
[54.089] btrfs_do_write_iter+0x172/0x210 [btrfs]
[54.091] vfs_write+0x21f/0x450
[54.094] __x64_sys_pwrite64+0x8d/0xc0
[54.096] ? do_user_addr_fault+0x20c/0x670
[54.099] do_syscall_64+0x60/0xf20
[54.092] ? clear_bhb_loop+0x60/0xb0
[54.094] entry_SYSCALL_64_after_hwframe+0x76/0x7e
So stop using dget_parent() and dput() and access the parent dentry
directly as dentry->d_parent. This is also what ext4 is doing in
its equivalent trace event ext4_sync_file_enter().
Fixes: a85b46db143f ("btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/btrfs.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
index b964cba4169c2..6382a570c76c5 100644
--- a/include/trace/events/btrfs.h
+++ b/include/trace/events/btrfs.h
@@ -773,10 +773,8 @@ TRACE_EVENT(btrfs_sync_file,
TP_fast_assign(
struct dentry *dentry = file_dentry(file);
struct inode *inode = file_inode(file);
- struct dentry *parent = dget_parent(dentry);
- struct inode *parent_inode = d_inode(parent);
+ struct inode *parent_inode = d_inode(dentry->d_parent);
- dput(parent);
TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
__entry->ino = btrfs_ino(BTRFS_I(inode));
__entry->parent = btrfs_ino(BTRFS_I(parent_inode));
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 166/272] netfilter: x_tables: unregister the templates first
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-05-28 19:48 ` [PATCH 6.12 165/272] btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 167/272] netfilter: Make legacy configs user selectable Greg Kroah-Hartman
` (112 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit d338693d778579b676a61346849bebd892427158 ]
When the module is going away we need to zap the template
first. Else there is a small race window where userspace
could instantiate a new table after the pernet exit function
has removed the current table.
Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Reported-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Closes: https://lore.kernel.org/netfilter-devel/20260429175613.1459342-1-tristmd@gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 2 +-
net/ipv4/netfilter/iptable_raw.c | 2 +-
net/ipv4/netfilter/iptable_security.c | 2 +-
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 2 +-
net/ipv6/netfilter/ip6table_raw.c | 2 +-
net/ipv6/netfilter/ip6table_security.c | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 78cd5ee24448f..359d00d74095b 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -82,8 +82,8 @@ static int __init arptable_filter_init(void)
static void __exit arptable_filter_fini(void)
{
- unregister_pernet_subsys(&arptable_filter_net_ops);
xt_unregister_template(&packet_filter);
+ unregister_pernet_subsys(&arptable_filter_net_ops);
kfree(arpfilter_ops);
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 3ab908b747951..595bfb492b1c1 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -101,8 +101,8 @@ static int __init iptable_filter_init(void)
static void __exit iptable_filter_fini(void)
{
- unregister_pernet_subsys(&iptable_filter_net_ops);
xt_unregister_template(&packet_filter);
+ unregister_pernet_subsys(&iptable_filter_net_ops);
kfree(filter_ops);
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 385d945d8ebea..db90db7057cc4 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -135,8 +135,8 @@ static int __init iptable_mangle_init(void)
static void __exit iptable_mangle_fini(void)
{
- unregister_pernet_subsys(&iptable_mangle_net_ops);
xt_unregister_template(&packet_mangler);
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
kfree(mangle_ops);
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 0e7f53964d0af..b46a790917306 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -100,9 +100,9 @@ static int __init iptable_raw_init(void)
static void __exit iptable_raw_fini(void)
{
+ xt_unregister_template(&packet_raw);
unregister_pernet_subsys(&iptable_raw_net_ops);
kfree(rawtable_ops);
- xt_unregister_template(&packet_raw);
}
module_init(iptable_raw_init);
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index d885443cb2679..2b89adc1e5751 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -89,9 +89,9 @@ static int __init iptable_security_init(void)
static void __exit iptable_security_fini(void)
{
+ xt_unregister_template(&security_table);
unregister_pernet_subsys(&iptable_security_net_ops);
kfree(sectbl_ops);
- xt_unregister_template(&security_table);
}
module_init(iptable_security_init);
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index e8992693e14a0..9dcd4501fe800 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -100,8 +100,8 @@ static int __init ip6table_filter_init(void)
static void __exit ip6table_filter_fini(void)
{
- unregister_pernet_subsys(&ip6table_filter_net_ops);
xt_unregister_template(&packet_filter);
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
kfree(filter_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 8dd4cd0c47bd4..ce2cbce9e3ed3 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -128,8 +128,8 @@ static int __init ip6table_mangle_init(void)
static void __exit ip6table_mangle_fini(void)
{
- unregister_pernet_subsys(&ip6table_mangle_net_ops);
xt_unregister_template(&packet_mangler);
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
kfree(mangle_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index fc9f6754028f2..8af0f8bd036dc 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -98,8 +98,8 @@ static int __init ip6table_raw_init(void)
static void __exit ip6table_raw_fini(void)
{
- unregister_pernet_subsys(&ip6table_raw_net_ops);
xt_unregister_template(&packet_raw);
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
kfree(rawtable_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 4df14a9bae782..66018b169b010 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -88,8 +88,8 @@ static int __init ip6table_security_init(void)
static void __exit ip6table_security_fini(void)
{
- unregister_pernet_subsys(&ip6table_security_net_ops);
xt_unregister_template(&security_table);
+ unregister_pernet_subsys(&ip6table_security_net_ops);
kfree(sectbl_ops);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 167/272] netfilter: Make legacy configs user selectable
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 166/272] netfilter: x_tables: unregister the templates first Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 168/272] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Greg Kroah-Hartman
` (111 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Pablo Neira Ayuso,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 6c959fd5e17387201dba3619b2e6af213939a0a7 ]
This option makes legacy Netfilter Kconfig user selectable, giving users
the option to configure iptables without enabling any other config.
Make the following KConfig entries user selectable:
* BRIDGE_NF_EBTABLES_LEGACY
* IP_NF_ARPTABLES
* IP_NF_IPTABLES_LEGACY
* IP6_NF_IPTABLES_LEGACY
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/Kconfig | 8 +++++++-
net/ipv4/netfilter/Kconfig | 16 ++++++++++++++--
net/ipv6/netfilter/Kconfig | 9 ++++++++-
3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 104c0125e32e8..f16bbbbb94817 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
- tristate
+ tristate "Legacy EBTABLES support"
+ depends on BRIDGE && NETFILTER_XTABLES
+ default n
+ help
+ Legacy ebtables packet/frame classifier.
+ This is not needed if you are using ebtables over nftables
+ (iptables-nft).
menuconfig BRIDGE_NF_EBTABLES
tristate "Ethernet Bridge tables (ebtables) support"
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1b991b889506a..ef8009281da5c 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
- tristate
+ tristate "Legacy IP tables support"
+ default n
+ select NETFILTER_XTABLES
+ help
+ iptables is a legacy packet classifier.
+ This is not needed if you are using iptables over nftables
+ (iptables-nft).
config NF_SOCKET_IPV4
tristate "IPv4 socket lookup support"
@@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES
# ARP tables
config IP_NF_ARPTABLES
- tristate
+ tristate "Legacy ARPTABLES support"
+ depends on NETFILTER_XTABLES
+ default n
+ help
+ arptables is a legacy packet classifier.
+ This is not needed if you are using arptables over nftables
+ (iptables-nft).
config NFT_COMPAT_ARP
tristate
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e13..e087a8e97ba78 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
# old sockopt interface and eval loop
config IP6_NF_IPTABLES_LEGACY
- tristate
+ tristate "Legacy IP6 tables support"
+ depends on INET && IPV6
+ select NETFILTER_XTABLES
+ default n
+ help
+ ip6tables is a legacy packet classifier.
+ This is not needed if you are using iptables over nftables
+ (iptables-nft).
config NF_SOCKET_IPV6
tristate "IPv6 socket lookup support"
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 168/272] netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 167/272] netfilter: Make legacy configs user selectable Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 169/272] netfilter: x_tables: add and use xt_unregister_table_pre_exit Greg Kroah-Hartman
` (110 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Pablo Neira Ayuso, Sasha Levin, Florian Westphal
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 9fce66583f06c212e95e4b76dd61d8432ffa56b6 ]
The seqcount xt_recseq is used to synchronize the replacement of
xt_table::private in xt_replace_table() against all readers such as
ipt_do_table()
To ensure that there is only one writer, the writing side disables
bottom halves. The sequence counter can be acquired recursively. Only the
first invocation modifies the sequence counter (signaling that a writer
is in progress) while the following (recursive) writer does not modify
the counter.
The lack of a proper locking mechanism for the sequence counter can lead
to live lock on PREEMPT_RT if the high prior reader preempts the
writer. Additionally if the per-CPU lock on PREEMPT_RT is removed from
local_bh_disable() then there is no synchronisation for the per-CPU
sequence counter.
The affected code is "just" the legacy netfilter code which is replaced
by "netfilter tables". That code can be disabled without sacrificing
functionality because everything is provided by the newer
implementation. This will only requires the usage of the "-nft" tools
instead of the "-legacy" ones.
The long term plan is to remove the legacy code so lets accelerate the
progress.
Relax dependencies on iptables legacy, replace select with depends on,
this should cause no harm to existing kernel configs and users can still
toggle IP{6}_NF_IPTABLES_LEGACY in any case.
Make EBTABLES_LEGACY, IPTABLES_LEGACY and ARPTABLES depend on
NETFILTER_XTABLES_LEGACY. Hide xt_recseq and its users,
xt_register_table() and xt_percpu_counter_alloc() behind
NETFILTER_XTABLES_LEGACY. Let NETFILTER_XTABLES_LEGACY depend on
!PREEMPT_RT.
This will break selftest expecing the legacy options enabled and will be
addressed in a following patch.
Co-developed-by: Florian Westphal <fw@strlen.de>
Co-developed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/Kconfig | 10 +++++-----
net/ipv4/netfilter/Kconfig | 24 ++++++++++++------------
net/ipv6/netfilter/Kconfig | 19 +++++++++----------
net/netfilter/Kconfig | 10 ++++++++++
net/netfilter/x_tables.c | 16 +++++++++++-----
5 files changed, 47 insertions(+), 32 deletions(-)
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index f16bbbbb94817..60f28e4fb5c0a 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -42,8 +42,8 @@ config NF_CONNTRACK_BRIDGE
# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
tristate "Legacy EBTABLES support"
- depends on BRIDGE && NETFILTER_XTABLES
- default n
+ depends on BRIDGE && NETFILTER_XTABLES_LEGACY
+ default n
help
Legacy ebtables packet/frame classifier.
This is not needed if you are using ebtables over nftables
@@ -65,7 +65,7 @@ if BRIDGE_NF_EBTABLES
#
config BRIDGE_EBT_BROUTE
tristate "ebt: broute table support"
- select BRIDGE_NF_EBTABLES_LEGACY
+ depends on BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables broute table is used to define rules that decide between
bridging and routing frames, giving Linux the functionality of a
@@ -76,7 +76,7 @@ config BRIDGE_EBT_BROUTE
config BRIDGE_EBT_T_FILTER
tristate "ebt: filter table support"
- select BRIDGE_NF_EBTABLES_LEGACY
+ depends on BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables filter table is used to define frame filtering rules at
local input, forwarding and local output. See the man page for
@@ -86,7 +86,7 @@ config BRIDGE_EBT_T_FILTER
config BRIDGE_EBT_T_NAT
tristate "ebt: nat table support"
- select BRIDGE_NF_EBTABLES_LEGACY
+ depends on BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables nat table is used to define rules that alter the MAC
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ef8009281da5c..2c438b140e88f 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -13,8 +13,8 @@ config NF_DEFRAG_IPV4
# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
tristate "Legacy IP tables support"
- default n
- select NETFILTER_XTABLES
+ depends on NETFILTER_XTABLES_LEGACY
+ default m if NETFILTER_XTABLES_LEGACY
help
iptables is a legacy packet classifier.
This is not needed if you are using iptables over nftables
@@ -182,8 +182,8 @@ config IP_NF_MATCH_TTL
# `filter', generic and specific targets
config IP_NF_FILTER
tristate "Packet filtering"
- default m if NETFILTER_ADVANCED=n
- select IP_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
@@ -220,10 +220,10 @@ config IP_NF_TARGET_SYNPROXY
config IP_NF_NAT
tristate "iptables NAT support"
depends on NF_CONNTRACK
+ depends on IP_NF_IPTABLES_LEGACY
default m if NETFILTER_ADVANCED=n
select NF_NAT
select NETFILTER_XT_NAT
- select IP_NF_IPTABLES_LEGACY
help
This enables the `nat' table in iptables. This allows masquerading,
port forwarding and other forms of full Network Address Port
@@ -263,8 +263,8 @@ endif # IP_NF_NAT
# mangle + specific targets
config IP_NF_MANGLE
tristate "Packet mangling"
- default m if NETFILTER_ADVANCED=n
- select IP_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
@@ -299,7 +299,7 @@ config IP_NF_TARGET_TTL
# raw + specific targets
config IP_NF_RAW
tristate 'raw table support (required for NOTRACK/TRACE)'
- select IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
@@ -313,7 +313,7 @@ config IP_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
- select IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
@@ -325,8 +325,8 @@ endif # IP_NF_IPTABLES
# ARP tables
config IP_NF_ARPTABLES
tristate "Legacy ARPTABLES support"
- depends on NETFILTER_XTABLES
- default n
+ depends on NETFILTER_XTABLES_LEGACY
+ default n
help
arptables is a legacy packet classifier.
This is not needed if you are using arptables over nftables
@@ -342,7 +342,7 @@ config IP_NF_ARPFILTER
tristate "arptables-legacy packet filtering support"
select IP_NF_ARPTABLES
select NETFILTER_FAMILY_ARP
- depends on NETFILTER_XTABLES
+ depends on NETFILTER_XTABLES_LEGACY
help
ARP packet filtering defines a table `filter', which has a series of
rules for simple ARP packet filtering at local input and
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index e087a8e97ba78..276860f65baae 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -9,9 +9,8 @@ menu "IPv6: Netfilter Configuration"
# old sockopt interface and eval loop
config IP6_NF_IPTABLES_LEGACY
tristate "Legacy IP6 tables support"
- depends on INET && IPV6
- select NETFILTER_XTABLES
- default n
+ depends on INET && IPV6 && NETFILTER_XTABLES_LEGACY
+ default m if NETFILTER_XTABLES_LEGACY
help
ip6tables is a legacy packet classifier.
This is not needed if you are using iptables over nftables
@@ -196,8 +195,8 @@ config IP6_NF_TARGET_HL
config IP6_NF_FILTER
tristate "Packet filtering"
- default m if NETFILTER_ADVANCED=n
- select IP6_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
tristate
help
Packet filtering defines a table `filter', which has a series of
@@ -233,8 +232,8 @@ config IP6_NF_TARGET_SYNPROXY
config IP6_NF_MANGLE
tristate "Packet mangling"
- default m if NETFILTER_ADVANCED=n
- select IP6_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
@@ -244,7 +243,7 @@ config IP6_NF_MANGLE
config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
- select IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
@@ -258,7 +257,7 @@ config IP6_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
- select IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
@@ -269,8 +268,8 @@ config IP6_NF_NAT
tristate "ip6tables NAT support"
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
+ depends on IP6_NF_IPTABLES_LEGACY
select NF_NAT
- select IP6_NF_IPTABLES_LEGACY
select NETFILTER_XT_NAT
help
This enables the `nat' table in ip6tables. This allows masquerading,
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index df2dc21304efb..0d1d997abe191 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -762,6 +762,16 @@ config NETFILTER_XTABLES_COMPAT
If unsure, say N.
+config NETFILTER_XTABLES_LEGACY
+ bool "Netfilter legacy tables support"
+ depends on !PREEMPT_RT
+ help
+ Say Y here if you still require support for legacy tables. This is
+ required by the legacy tools (iptables-legacy) and is not needed if
+ you use iptables over nftables (iptables-nft).
+ Legacy support is not limited to IP, it also includes EBTABLES and
+ ARPTABLES.
+
comment "Xtables combined modules"
config NETFILTER_XT_MARK
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index efe7b7d71e7f7..1ca4fa9d249b8 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1340,12 +1340,13 @@ void xt_compat_unlock(u_int8_t af)
EXPORT_SYMBOL_GPL(xt_compat_unlock);
#endif
-DEFINE_PER_CPU(seqcount_t, xt_recseq);
-EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
-
struct static_key xt_tee_enabled __read_mostly;
EXPORT_SYMBOL_GPL(xt_tee_enabled);
+#ifdef CONFIG_NETFILTER_XTABLES_LEGACY
+DEFINE_PER_CPU(seqcount_t, xt_recseq);
+EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
+
static int xt_jumpstack_alloc(struct xt_table_info *i)
{
unsigned int size;
@@ -1537,6 +1538,7 @@ void *xt_unregister_table(struct xt_table *table)
return private;
}
EXPORT_SYMBOL_GPL(xt_unregister_table);
+#endif
#ifdef CONFIG_PROC_FS
static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
@@ -1920,6 +1922,7 @@ void xt_proto_fini(struct net *net, u_int8_t af)
}
EXPORT_SYMBOL_GPL(xt_proto_fini);
+#ifdef CONFIG_NETFILTER_XTABLES_LEGACY
/**
* xt_percpu_counter_alloc - allocate x_tables rule counter
*
@@ -1974,6 +1977,7 @@ void xt_percpu_counter_free(struct xt_counters *counters)
free_percpu((void __percpu *)pcnt);
}
EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
+#endif
static int __net_init xt_net_init(struct net *net)
{
@@ -2006,8 +2010,10 @@ static int __init xt_init(void)
unsigned int i;
int rv;
- for_each_possible_cpu(i) {
- seqcount_init(&per_cpu(xt_recseq, i));
+ if (IS_ENABLED(CONFIG_NETFILTER_XTABLES_LEGACY)) {
+ for_each_possible_cpu(i) {
+ seqcount_init(&per_cpu(xt_recseq, i));
+ }
}
xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 169/272] netfilter: x_tables: add and use xt_unregister_table_pre_exit
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 168/272] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 170/272] netfilter: x_tables: add and use xtables_unregister_table_exit Greg Kroah-Hartman
` (109 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 527d6931473b75d90e38942aae6537d1a527f1fd ]
Remove the copypasted variants of _pre_exit and add one single
function in the xtables core. ebtables is not compatible with
x_tables and therefore unchanged.
This is a preparation patch to reduce noise in the followup
bug fixes.
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netfilter/x_tables.h | 1 +
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
net/ipv4/netfilter/arp_tables.c | 9 -------
net/ipv4/netfilter/arptable_filter.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 9 -------
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 2 +-
net/ipv4/netfilter/iptable_nat.c | 1 +
net/ipv4/netfilter/iptable_raw.c | 2 +-
net/ipv4/netfilter/iptable_security.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 9 -------
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 2 +-
net/ipv6/netfilter/ip6table_nat.c | 1 +
net/ipv6/netfilter/ip6table_raw.c | 2 +-
net/ipv6/netfilter/ip6table_security.c | 2 +-
net/netfilter/x_tables.c | 29 +++++++++++++++++++++++
19 files changed, 41 insertions(+), 39 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 5897f3dbaf7c3..df2022fe440b0 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -310,6 +310,7 @@ struct xt_table *xt_register_table(struct net *net,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
void *xt_unregister_table(struct xt_table *table);
+void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name);
struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index a40aaf645fa47..05631a25e6229 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -53,7 +53,6 @@ int arpt_register_table(struct net *net, const struct xt_table *table,
const struct arpt_replace *repl,
const struct nf_hook_ops *ops);
void arpt_unregister_table(struct net *net, const char *name);
-void arpt_unregister_table_pre_exit(struct net *net, const char *name);
extern unsigned int arpt_do_table(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 132b0e4a6d4df..13593391d6058 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -26,7 +26,6 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops);
-void ipt_unregister_table_pre_exit(struct net *net, const char *name);
void ipt_unregister_table_exit(struct net *net, const char *name);
/* Standard entry. */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 8b8885a73c764..c6d5b927830dd 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -27,7 +27,6 @@ extern void *ip6t_alloc_initial_table(const struct xt_table *);
int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct ip6t_replace *repl,
const struct nf_hook_ops *ops);
-void ip6t_unregister_table_pre_exit(struct net *net, const char *name);
void ip6t_unregister_table_exit(struct net *net, const char *name);
extern unsigned int ip6t_do_table(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 97ead883e4a13..d19fce8589809 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1581,15 +1581,6 @@ int arpt_register_table(struct net *net,
return ret;
}
-void arpt_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
-}
-EXPORT_SYMBOL(arpt_unregister_table_pre_exit);
-
void arpt_unregister_table(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 359d00d74095b..382345567a600 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -43,7 +43,7 @@ static int arptable_filter_table_init(struct net *net)
static void __net_exit arptable_filter_net_pre_exit(struct net *net)
{
- arpt_unregister_table_pre_exit(net, "filter");
+ xt_unregister_table_pre_exit(net, NFPROTO_ARP, "filter");
}
static void __net_exit arptable_filter_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3d101613f27fa..49b7989c24e08 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1789,14 +1789,6 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
return ret;
}
-void ipt_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
-}
-
void ipt_unregister_table_exit(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
@@ -1887,7 +1879,6 @@ static void __exit ip_tables_fini(void)
}
EXPORT_SYMBOL(ipt_register_table);
-EXPORT_SYMBOL(ipt_unregister_table_pre_exit);
EXPORT_SYMBOL(ipt_unregister_table_exit);
EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init);
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 595bfb492b1c1..0dea754a91209 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -61,7 +61,7 @@ static int __net_init iptable_filter_net_init(struct net *net)
static void __net_exit iptable_filter_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "filter");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "filter");
}
static void __net_exit iptable_filter_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index db90db7057cc4..4d3b124923080 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -96,7 +96,7 @@ static int iptable_mangle_table_init(struct net *net)
static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "mangle");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "mangle");
}
static void __net_exit iptable_mangle_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index a5db7c67d61be..d6c5824943f8e 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -129,6 +129,7 @@ static int iptable_nat_table_init(struct net *net)
static void __net_exit iptable_nat_net_pre_exit(struct net *net)
{
ipt_nat_unregister_lookups(net);
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "nat");
}
static void __net_exit iptable_nat_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index b46a790917306..6f7afec7954bd 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -53,7 +53,7 @@ static int iptable_raw_table_init(struct net *net)
static void __net_exit iptable_raw_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "raw");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "raw");
}
static void __net_exit iptable_raw_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 2b89adc1e5751..81175c20ccbe8 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -50,7 +50,7 @@ static int iptable_security_table_init(struct net *net)
static void __net_exit iptable_security_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "security");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "security");
}
static void __net_exit iptable_security_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 7d5602950ae72..6b431b3f90ddb 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1795,14 +1795,6 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
return ret;
}
-void ip6t_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV6, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
-}
-
void ip6t_unregister_table_exit(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV6, name);
@@ -1894,7 +1886,6 @@ static void __exit ip6_tables_fini(void)
}
EXPORT_SYMBOL(ip6t_register_table);
-EXPORT_SYMBOL(ip6t_unregister_table_pre_exit);
EXPORT_SYMBOL(ip6t_unregister_table_exit);
EXPORT_SYMBOL(ip6t_do_table);
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 9dcd4501fe800..cf561919bde84 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -60,7 +60,7 @@ static int __net_init ip6table_filter_net_init(struct net *net)
static void __net_exit ip6table_filter_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "filter");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "filter");
}
static void __net_exit ip6table_filter_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index ce2cbce9e3ed3..1a758f2bc5379 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -89,7 +89,7 @@ static int ip6table_mangle_table_init(struct net *net)
static void __net_exit ip6table_mangle_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "mangle");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "mangle");
}
static void __net_exit ip6table_mangle_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index e119d4f090cc8..4ce45f3d11109 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -131,6 +131,7 @@ static int ip6table_nat_table_init(struct net *net)
static void __net_exit ip6table_nat_net_pre_exit(struct net *net)
{
ip6t_nat_unregister_lookups(net);
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "nat");
}
static void __net_exit ip6table_nat_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 8af0f8bd036dc..923455921c1dd 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -52,7 +52,7 @@ static int ip6table_raw_table_init(struct net *net)
static void __net_exit ip6table_raw_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "raw");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "raw");
}
static void __net_exit ip6table_raw_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 66018b169b010..c44834d93fc79 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -49,7 +49,7 @@ static int ip6table_security_table_init(struct net *net)
static void __net_exit ip6table_security_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "security");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "security");
}
static void __net_exit ip6table_security_net_exit(struct net *net)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 1ca4fa9d249b8..2d93f189a79b9 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1538,6 +1538,35 @@ void *xt_unregister_table(struct xt_table *table)
return private;
}
EXPORT_SYMBOL_GPL(xt_unregister_table);
+
+/**
+ * xt_unregister_table_pre_exit - pre-shutdown unregister of a table
+ * @net: network namespace
+ * @af: address family (e.g., NFPROTO_IPV4, NFPROTO_IPV6)
+ * @name: name of the table to unregister
+ *
+ * Unregisters the specified netfilter table from the given network namespace
+ * and also unregisters the hooks from netfilter core: no new packets will be
+ * processed.
+ */
+void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
+{
+ struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
+ struct xt_table *t;
+
+ mutex_lock(&xt[af].mutex);
+ list_for_each_entry(t, &xt_net->tables[af], list) {
+ if (strcmp(t->name, name) == 0) {
+ mutex_unlock(&xt[af].mutex);
+
+ if (t->ops) /* nat table registers with nat core, t->ops is NULL. */
+ nf_unregister_net_hooks(net, t->ops, hweight32(t->valid_hooks));
+ return;
+ }
+ }
+ mutex_unlock(&xt[af].mutex);
+}
+EXPORT_SYMBOL(xt_unregister_table_pre_exit);
#endif
#ifdef CONFIG_PROC_FS
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 170/272] netfilter: x_tables: add and use xtables_unregister_table_exit
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 169/272] netfilter: x_tables: add and use xt_unregister_table_pre_exit Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 171/272] netfilter: ebtables: move to two-stage removal scheme Greg Kroah-Hartman
` (108 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit b4597d5fd7d2f8cebfffd40dffb5e003cc78964c ]
Previous change added xtables_unregister_table_pre_exit to detach the
table from the packetpath and to unlink it from the active table list.
In case of rmmod, userspace that is doing set/getsockopt for this table
will not be able to re-instantiate the table:
1. The larval table has been removed already
2. existing instantiated table is no longer on the xt pernet table list.
This adds the second stage helper:
unlink the table from the dying list, free the hook ops (if any) and do
the audit notification. It replaces xt_unregister_table().
Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Reported-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Closes: https://lore.kernel.org/netfilter-devel/20260429175613.1459342-1-tristmd@gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netfilter/x_tables.h | 2 +-
net/ipv4/netfilter/arp_tables.c | 9 ++--
net/ipv4/netfilter/ip_tables.c | 9 ++--
net/ipv4/netfilter/iptable_nat.c | 5 +-
net/ipv6/netfilter/ip6_tables.c | 9 ++--
net/ipv6/netfilter/ip6table_nat.c | 5 +-
net/netfilter/x_tables.c | 81 +++++++++++++++++++++++-------
7 files changed, 83 insertions(+), 37 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index df2022fe440b0..706f08839050a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -309,8 +309,8 @@ struct xt_table *xt_register_table(struct net *net,
const struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
-void *xt_unregister_table(struct xt_table *table);
void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name);
+struct xt_table *xt_unregister_table_exit(struct net *net, u8 af, const char *name);
struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d19fce8589809..f3dadbc416a3a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1501,13 +1501,11 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
static void __arpt_unregister_table(struct net *net, struct xt_table *table)
{
- struct xt_table_info *private;
- void *loc_cpu_entry;
+ struct xt_table_info *private = table->private;
struct module *table_owner = table->me;
+ void *loc_cpu_entry;
struct arpt_entry *iter;
- private = xt_unregister_table(table);
-
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
xt_entry_foreach(iter, loc_cpu_entry, private->size)
@@ -1515,6 +1513,7 @@ static void __arpt_unregister_table(struct net *net, struct xt_table *table)
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
+ kfree(table);
}
int arpt_register_table(struct net *net,
@@ -1583,7 +1582,7 @@ int arpt_register_table(struct net *net,
void arpt_unregister_table(struct net *net, const char *name)
{
- struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);
+ struct xt_table *table = xt_unregister_table_exit(net, NFPROTO_ARP, name);
if (table)
__arpt_unregister_table(net, table);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 49b7989c24e08..84b1f49ddbc5c 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1704,12 +1704,10 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
static void __ipt_unregister_table(struct net *net, struct xt_table *table)
{
- struct xt_table_info *private;
- void *loc_cpu_entry;
+ struct xt_table_info *private = table->private;
struct module *table_owner = table->me;
struct ipt_entry *iter;
-
- private = xt_unregister_table(table);
+ void *loc_cpu_entry;
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
@@ -1718,6 +1716,7 @@ static void __ipt_unregister_table(struct net *net, struct xt_table *table)
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
+ kfree(table);
}
int ipt_register_table(struct net *net, const struct xt_table *table,
@@ -1791,7 +1790,7 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
void ipt_unregister_table_exit(struct net *net, const char *name)
{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
+ struct xt_table *table = xt_unregister_table_exit(net, NFPROTO_IPV4, name);
if (table)
__ipt_unregister_table(net, table);
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index d6c5824943f8e..4dae3da4586b8 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -119,8 +119,11 @@ static int iptable_nat_table_init(struct net *net)
}
ret = ipt_nat_register_lookups(net);
- if (ret < 0)
+ if (ret < 0) {
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "nat");
+ synchronize_rcu();
ipt_unregister_table_exit(net, "nat");
+ }
kfree(repl);
return ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 6b431b3f90ddb..1eac22dbb957c 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1713,12 +1713,10 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
{
- struct xt_table_info *private;
- void *loc_cpu_entry;
+ struct xt_table_info *private = table->private;
struct module *table_owner = table->me;
struct ip6t_entry *iter;
-
- private = xt_unregister_table(table);
+ void *loc_cpu_entry;
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
@@ -1727,6 +1725,7 @@ static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
+ kfree(table);
}
int ip6t_register_table(struct net *net, const struct xt_table *table,
@@ -1797,7 +1796,7 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
void ip6t_unregister_table_exit(struct net *net, const char *name)
{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV6, name);
+ struct xt_table *table = xt_unregister_table_exit(net, NFPROTO_IPV6, name);
if (table)
__ip6t_unregister_table(net, table);
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 4ce45f3d11109..8088ebaf9b352 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -121,8 +121,11 @@ static int ip6table_nat_table_init(struct net *net)
}
ret = ip6t_nat_register_lookups(net);
- if (ret < 0)
+ if (ret < 0) {
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "nat");
+ synchronize_rcu();
ip6t_unregister_table_exit(net, "nat");
+ }
kfree(repl);
return ret;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2d93f189a79b9..76fd0999db4a8 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -55,6 +55,9 @@ static struct list_head xt_templates[NFPROTO_NUMPROTO];
struct xt_pernet {
struct list_head tables[NFPROTO_NUMPROTO];
+
+ /* stash area used during netns exit */
+ struct list_head dead_tables[NFPROTO_NUMPROTO];
};
struct compat_delta {
@@ -1522,23 +1525,6 @@ struct xt_table *xt_register_table(struct net *net,
}
EXPORT_SYMBOL_GPL(xt_register_table);
-void *xt_unregister_table(struct xt_table *table)
-{
- struct xt_table_info *private;
-
- mutex_lock(&xt[table->af].mutex);
- private = table->private;
- list_del(&table->list);
- mutex_unlock(&xt[table->af].mutex);
- audit_log_nfcfg(table->name, table->af, private->number,
- AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
- kfree(table->ops);
- kfree(table);
-
- return private;
-}
-EXPORT_SYMBOL_GPL(xt_unregister_table);
-
/**
* xt_unregister_table_pre_exit - pre-shutdown unregister of a table
* @net: network namespace
@@ -1548,6 +1534,14 @@ EXPORT_SYMBOL_GPL(xt_unregister_table);
* Unregisters the specified netfilter table from the given network namespace
* and also unregisters the hooks from netfilter core: no new packets will be
* processed.
+ *
+ * This must be called prior to xt_unregister_table_exit() from the pernet
+ * .pre_exit callback. After this call, the table is no longer visible to
+ * the get/setsockopt path. In case of rmmod, module exit path must have
+ * called xt_unregister_template() prior to unregistering pernet ops to
+ * prevent re-instantiation of the table.
+ *
+ * See also: xt_unregister_table_exit()
*/
void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
{
@@ -1557,6 +1551,7 @@ void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
mutex_lock(&xt[af].mutex);
list_for_each_entry(t, &xt_net->tables[af], list) {
if (strcmp(t->name, name) == 0) {
+ list_move(&t->list, &xt_net->dead_tables[af]);
mutex_unlock(&xt[af].mutex);
if (t->ops) /* nat table registers with nat core, t->ops is NULL. */
@@ -1567,6 +1562,50 @@ void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
mutex_unlock(&xt[af].mutex);
}
EXPORT_SYMBOL(xt_unregister_table_pre_exit);
+
+/**
+ * xt_unregister_table_exit - remove a table during namespace teardown
+ * @net: the network namespace from which to unregister the table
+ * @af: address family (e.g., NFPROTO_IPV4, NFPROTO_IPV6)
+ * @name: name of the table to unregister
+ *
+ * Completes the unregister process for a table. This must be called from
+ * the pernet ops .exit callback. This is the second stage after
+ * xt_unregister_table_pre_exit().
+ *
+ * pair with xt_unregister_table_pre_exit() during namespace shutdown.
+ *
+ * Return: the unregistered table or NULL if the table was never
+ * instantiated. The caller needs to kfree() the table after it
+ * has removed the family specific matches/targets.
+ */
+struct xt_table *xt_unregister_table_exit(struct net *net, u8 af, const char *name)
+{
+ struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
+ struct xt_table *table;
+
+ mutex_lock(&xt[af].mutex);
+ list_for_each_entry(table, &xt_net->dead_tables[af], list) {
+ struct nf_hook_ops *ops = NULL;
+
+ if (strcmp(table->name, name) != 0)
+ continue;
+
+ list_del(&table->list);
+
+ audit_log_nfcfg(table->name, table->af, table->private->number,
+ AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
+ swap(table->ops, ops);
+ mutex_unlock(&xt[af].mutex);
+
+ kfree(ops);
+ return table;
+ }
+ mutex_unlock(&xt[af].mutex);
+
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(xt_unregister_table_exit);
#endif
#ifdef CONFIG_PROC_FS
@@ -2013,8 +2052,10 @@ static int __net_init xt_net_init(struct net *net)
struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
int i;
- for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) {
INIT_LIST_HEAD(&xt_net->tables[i]);
+ INIT_LIST_HEAD(&xt_net->dead_tables[i]);
+ }
return 0;
}
@@ -2023,8 +2064,10 @@ static void __net_exit xt_net_exit(struct net *net)
struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
int i;
- for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) {
WARN_ON_ONCE(!list_empty(&xt_net->tables[i]));
+ WARN_ON_ONCE(!list_empty(&xt_net->dead_tables[i]));
+ }
}
static struct pernet_operations xt_net_ops = {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 171/272] netfilter: ebtables: move to two-stage removal scheme
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 170/272] netfilter: x_tables: add and use xtables_unregister_table_exit Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 172/272] netfilter: ebtables: close dangling table module init race Greg Kroah-Hartman
` (107 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit b7f0544d86d439cb946515d2ef6a0a75e8626710 ]
Like previous patches for x_tables, follow same pattern in ebtables.
We can't reuse xt helpers: ebt_table struct layout is incompatible.
table->ops assignment is now done while still holding the ebt mutex
to make sure we never expose partially-filled table struct.
Fixes: 87663c39f898 ("netfilter: ebtables: do not hook tables by default")
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtable_broute.c | 2 +-
net/bridge/netfilter/ebtable_filter.c | 2 +-
net/bridge/netfilter/ebtable_nat.c | 2 +-
net/bridge/netfilter/ebtables.c | 60 +++++++++++++++++----------
4 files changed, 40 insertions(+), 26 deletions(-)
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 7413602195525..e6f9e343b41f1 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -128,8 +128,8 @@ static int __init ebtable_broute_init(void)
static void __exit ebtable_broute_fini(void)
{
- unregister_pernet_subsys(&broute_net_ops);
ebt_unregister_template(&broute_table);
+ unregister_pernet_subsys(&broute_net_ops);
}
module_init(ebtable_broute_init);
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index dacd81b12e626..02b6501c15a5e 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -109,8 +109,8 @@ static int __init ebtable_filter_init(void)
static void __exit ebtable_filter_fini(void)
{
- unregister_pernet_subsys(&frame_filter_net_ops);
ebt_unregister_template(&frame_filter);
+ unregister_pernet_subsys(&frame_filter_net_ops);
}
module_init(ebtable_filter_init);
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 0f2a8c6118d42..9985a82555c41 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -109,8 +109,8 @@ static int __init ebtable_nat_init(void)
static void __exit ebtable_nat_fini(void)
{
- unregister_pernet_subsys(&frame_nat_net_ops);
ebt_unregister_template(&frame_nat);
+ unregister_pernet_subsys(&frame_nat_net_ops);
}
module_init(ebtable_nat_init);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index a461c59ad2859..6240bb2b5b5b7 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -42,6 +42,7 @@
struct ebt_pernet {
struct list_head tables;
+ struct list_head dead_tables;
};
struct ebt_template {
@@ -1162,11 +1163,6 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
static void __ebt_unregister_table(struct net *net, struct ebt_table *table)
{
- mutex_lock(&ebt_mutex);
- list_del(&table->list);
- mutex_unlock(&ebt_mutex);
- audit_log_nfcfg(table->name, AF_BRIDGE, table->private->nentries,
- AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
ebt_cleanup_entry, net, NULL);
if (table->private->nentries)
@@ -1267,13 +1263,15 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table,
for (i = 0; i < num_ops; i++)
ops[i].priv = table;
- list_add(&table->list, &ebt_net->tables);
- mutex_unlock(&ebt_mutex);
-
table->ops = ops;
ret = nf_register_net_hooks(net, ops, num_ops);
- if (ret)
+ if (ret) {
+ synchronize_rcu();
__ebt_unregister_table(net, table);
+ } else {
+ list_add(&table->list, &ebt_net->tables);
+ }
+ mutex_unlock(&ebt_mutex);
audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
AUDIT_XT_OP_REGISTER, GFP_KERNEL);
@@ -1339,7 +1337,7 @@ void ebt_unregister_template(const struct ebt_table *t)
}
EXPORT_SYMBOL(ebt_unregister_template);
-static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
+void ebt_unregister_table_pre_exit(struct net *net, const char *name)
{
struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
struct ebt_table *t;
@@ -1348,30 +1346,36 @@ static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
list_for_each_entry(t, &ebt_net->tables, list) {
if (strcmp(t->name, name) == 0) {
+ list_move(&t->list, &ebt_net->dead_tables);
mutex_unlock(&ebt_mutex);
- return t;
+ nf_unregister_net_hooks(net, t->ops, hweight32(t->valid_hooks));
+ return;
}
}
mutex_unlock(&ebt_mutex);
- return NULL;
-}
-
-void ebt_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct ebt_table *table = __ebt_find_table(net, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
}
EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
void ebt_unregister_table(struct net *net, const char *name)
{
- struct ebt_table *table = __ebt_find_table(net, name);
+ struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
+ struct ebt_table *t;
- if (table)
- __ebt_unregister_table(net, table);
+ mutex_lock(&ebt_mutex);
+
+ list_for_each_entry(t, &ebt_net->dead_tables, list) {
+ if (strcmp(t->name, name) == 0) {
+ list_del(&t->list);
+ audit_log_nfcfg(t->name, AF_BRIDGE, t->private->nentries,
+ AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
+ __ebt_unregister_table(net, t);
+ mutex_unlock(&ebt_mutex);
+ return;
+ }
+ }
+
+ mutex_unlock(&ebt_mutex);
}
/* userspace just supplied us with counters */
@@ -2556,11 +2560,21 @@ static int __net_init ebt_pernet_init(struct net *net)
struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
INIT_LIST_HEAD(&ebt_net->tables);
+ INIT_LIST_HEAD(&ebt_net->dead_tables);
return 0;
}
+static void __net_exit ebt_pernet_exit(struct net *net)
+{
+ struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
+
+ WARN_ON_ONCE(!list_empty(&ebt_net->tables));
+ WARN_ON_ONCE(!list_empty(&ebt_net->dead_tables));
+}
+
static struct pernet_operations ebt_net_ops = {
.init = ebt_pernet_init,
+ .exit = ebt_pernet_exit,
.id = &ebt_pernet_id,
.size = sizeof(struct ebt_pernet),
};
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 172/272] netfilter: ebtables: close dangling table module init race
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 171/272] netfilter: ebtables: move to two-stage removal scheme Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 173/272] netfilter: x_tables: " Greg Kroah-Hartman
` (106 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 92c603fa07bc0d6a17345de3ad7954730b8de44b ]
sashiko reported for a related patch:
In modules like iptable_raw.c, [..], if register_pernet_subsys() fails,
the rollback might call kfree(rawtable_ops) before [..]
During this window, could a concurrent userspace process find the globally
visible template, trigger table_init(), [..]
The table init functions must always register the template last.
Otherwise, set/getsockopt can instantiate a table in a namespace
while the required pernet ops (contain the destructor) isn't available.
This change is also required in x_tables, handled in followup change.
Fixes: 87663c39f898 ("netfilter: ebtables: do not hook tables by default")
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtable_broute.c | 12 +++++-------
net/bridge/netfilter/ebtable_filter.c | 12 +++++-------
net/bridge/netfilter/ebtable_nat.c | 10 ++++------
3 files changed, 14 insertions(+), 20 deletions(-)
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index e6f9e343b41f1..f05c79f215ea0 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -112,18 +112,16 @@ static struct pernet_operations broute_net_ops = {
static int __init ebtable_broute_init(void)
{
- int ret = ebt_register_template(&broute_table, broute_table_init);
+ int ret = register_pernet_subsys(&broute_net_ops);
if (ret)
return ret;
- ret = register_pernet_subsys(&broute_net_ops);
- if (ret) {
- ebt_unregister_template(&broute_table);
- return ret;
- }
+ ret = ebt_register_template(&broute_table, broute_table_init);
+ if (ret)
+ unregister_pernet_subsys(&broute_net_ops);
- return 0;
+ return ret;
}
static void __exit ebtable_broute_fini(void)
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 02b6501c15a5e..0fc03b07e62ae 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -93,18 +93,16 @@ static struct pernet_operations frame_filter_net_ops = {
static int __init ebtable_filter_init(void)
{
- int ret = ebt_register_template(&frame_filter, frame_filter_table_init);
+ int ret = register_pernet_subsys(&frame_filter_net_ops);
if (ret)
return ret;
- ret = register_pernet_subsys(&frame_filter_net_ops);
- if (ret) {
- ebt_unregister_template(&frame_filter);
- return ret;
- }
+ ret = ebt_register_template(&frame_filter, frame_filter_table_init);
+ if (ret)
+ unregister_pernet_subsys(&frame_filter_net_ops);
- return 0;
+ return ret;
}
static void __exit ebtable_filter_fini(void)
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 9985a82555c41..8a10375d89099 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -93,16 +93,14 @@ static struct pernet_operations frame_nat_net_ops = {
static int __init ebtable_nat_init(void)
{
- int ret = ebt_register_template(&frame_nat, frame_nat_table_init);
+ int ret = register_pernet_subsys(&frame_nat_net_ops);
if (ret)
return ret;
- ret = register_pernet_subsys(&frame_nat_net_ops);
- if (ret) {
- ebt_unregister_template(&frame_nat);
- return ret;
- }
+ ret = ebt_register_template(&frame_nat, frame_nat_table_init);
+ if (ret)
+ unregister_pernet_subsys(&frame_nat_net_ops);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 173/272] netfilter: x_tables: close dangling table module init race
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 172/272] netfilter: ebtables: close dangling table module init race Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 174/272] netfilter: bridge: eb_tables: close " Greg Kroah-Hartman
` (105 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 16bc4b6686b2c112c10e67d6b493adc3607256d3 ]
Similar to the previous ebtables patch:
template add exposes the table to userspace, we must do this last to
rnsure the pernet ops are set up (contain the destructors).
Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arptable_filter.c | 23 ++++++++++++-----------
net/ipv4/netfilter/iptable_filter.c | 23 ++++++++++++-----------
net/ipv4/netfilter/iptable_mangle.c | 25 +++++++++++++------------
net/ipv4/netfilter/iptable_raw.c | 22 +++++++++++-----------
net/ipv4/netfilter/iptable_security.c | 23 ++++++++++++-----------
net/ipv6/netfilter/ip6table_filter.c | 22 +++++++++++-----------
net/ipv6/netfilter/ip6table_mangle.c | 23 ++++++++++++-----------
net/ipv6/netfilter/ip6table_raw.c | 20 ++++++++++----------
net/ipv6/netfilter/ip6table_security.c | 23 ++++++++++++-----------
9 files changed, 105 insertions(+), 99 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 382345567a600..370b635e3523b 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -58,25 +58,26 @@ static struct pernet_operations arptable_filter_net_ops = {
static int __init arptable_filter_init(void)
{
- int ret = xt_register_template(&packet_filter,
- arptable_filter_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
arpfilter_ops = xt_hook_ops_alloc(&packet_filter, arpt_do_table);
- if (IS_ERR(arpfilter_ops)) {
- xt_unregister_template(&packet_filter);
+ if (IS_ERR(arpfilter_ops))
return PTR_ERR(arpfilter_ops);
- }
ret = register_pernet_subsys(&arptable_filter_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_filter,
+ arptable_filter_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_filter);
- kfree(arpfilter_ops);
- return ret;
+ unregister_pernet_subsys(&arptable_filter_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(arpfilter_ops);
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 0dea754a91209..672d7da1071d3 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -77,26 +77,27 @@ static struct pernet_operations iptable_filter_net_ops = {
static int __init iptable_filter_init(void)
{
- int ret = xt_register_template(&packet_filter,
- iptable_filter_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
filter_ops = xt_hook_ops_alloc(&packet_filter, ipt_do_table);
- if (IS_ERR(filter_ops)) {
- xt_unregister_template(&packet_filter);
+ if (IS_ERR(filter_ops))
return PTR_ERR(filter_ops);
- }
ret = register_pernet_subsys(&iptable_filter_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_filter,
+ iptable_filter_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_filter);
- kfree(filter_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_filter_net_ops);
+ goto err_free;
}
return 0;
+err_free:
+ kfree(filter_ops);
+ return ret;
}
static void __exit iptable_filter_fini(void)
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 4d3b124923080..13d25d9a4610e 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -111,25 +111,26 @@ static struct pernet_operations iptable_mangle_net_ops = {
static int __init iptable_mangle_init(void)
{
- int ret = xt_register_template(&packet_mangler,
- iptable_mangle_table_init);
- if (ret < 0)
- return ret;
+ int ret;
mangle_ops = xt_hook_ops_alloc(&packet_mangler, iptable_mangle_hook);
- if (IS_ERR(mangle_ops)) {
- xt_unregister_template(&packet_mangler);
- ret = PTR_ERR(mangle_ops);
- return ret;
- }
+ if (IS_ERR(mangle_ops))
+ return PTR_ERR(mangle_ops);
ret = register_pernet_subsys(&iptable_mangle_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_mangler,
+ iptable_mangle_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_mangler);
- kfree(mangle_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(mangle_ops);
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 6f7afec7954bd..2745c22f4034d 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -77,24 +77,24 @@ static int __init iptable_raw_init(void)
pr_info("Enabling raw table before defrag\n");
}
- ret = xt_register_template(table,
- iptable_raw_table_init);
- if (ret < 0)
- return ret;
-
rawtable_ops = xt_hook_ops_alloc(table, ipt_do_table);
- if (IS_ERR(rawtable_ops)) {
- xt_unregister_template(table);
+ if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);
- }
ret = register_pernet_subsys(&iptable_raw_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(table,
+ iptable_raw_table_init);
if (ret < 0) {
- xt_unregister_template(table);
- kfree(rawtable_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_raw_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(rawtable_ops);
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 81175c20ccbe8..491894511c544 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -65,25 +65,26 @@ static struct pernet_operations iptable_security_net_ops = {
static int __init iptable_security_init(void)
{
- int ret = xt_register_template(&security_table,
- iptable_security_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
sectbl_ops = xt_hook_ops_alloc(&security_table, ipt_do_table);
- if (IS_ERR(sectbl_ops)) {
- xt_unregister_template(&security_table);
+ if (IS_ERR(sectbl_ops))
return PTR_ERR(sectbl_ops);
- }
ret = register_pernet_subsys(&iptable_security_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&security_table,
+ iptable_security_table_init);
if (ret < 0) {
- xt_unregister_template(&security_table);
- kfree(sectbl_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_security_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(sectbl_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index cf561919bde84..b074fc4776764 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -76,25 +76,25 @@ static struct pernet_operations ip6table_filter_net_ops = {
static int __init ip6table_filter_init(void)
{
- int ret = xt_register_template(&packet_filter,
- ip6table_filter_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
filter_ops = xt_hook_ops_alloc(&packet_filter, ip6t_do_table);
- if (IS_ERR(filter_ops)) {
- xt_unregister_template(&packet_filter);
+ if (IS_ERR(filter_ops))
return PTR_ERR(filter_ops);
- }
ret = register_pernet_subsys(&ip6table_filter_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_filter, ip6table_filter_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_filter);
- kfree(filter_ops);
- return ret;
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(filter_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 1a758f2bc5379..e6ee036a9b2c5 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -104,25 +104,26 @@ static struct pernet_operations ip6table_mangle_net_ops = {
static int __init ip6table_mangle_init(void)
{
- int ret = xt_register_template(&packet_mangler,
- ip6table_mangle_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
mangle_ops = xt_hook_ops_alloc(&packet_mangler, ip6table_mangle_hook);
- if (IS_ERR(mangle_ops)) {
- xt_unregister_template(&packet_mangler);
+ if (IS_ERR(mangle_ops))
return PTR_ERR(mangle_ops);
- }
ret = register_pernet_subsys(&ip6table_mangle_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_mangler,
+ ip6table_mangle_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_mangler);
- kfree(mangle_ops);
- return ret;
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(mangle_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 923455921c1dd..3b161ee875bcc 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -75,24 +75,24 @@ static int __init ip6table_raw_init(void)
pr_info("Enabling raw table before defrag\n");
}
- ret = xt_register_template(table, ip6table_raw_table_init);
- if (ret < 0)
- return ret;
-
/* Register hooks */
rawtable_ops = xt_hook_ops_alloc(table, ip6t_do_table);
- if (IS_ERR(rawtable_ops)) {
- xt_unregister_template(table);
+ if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);
- }
ret = register_pernet_subsys(&ip6table_raw_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(table, ip6table_raw_table_init);
if (ret < 0) {
- kfree(rawtable_ops);
- xt_unregister_template(table);
- return ret;
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(rawtable_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index c44834d93fc79..4bd5d97b8ab65 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -64,25 +64,26 @@ static struct pernet_operations ip6table_security_net_ops = {
static int __init ip6table_security_init(void)
{
- int ret = xt_register_template(&security_table,
- ip6table_security_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
sectbl_ops = xt_hook_ops_alloc(&security_table, ip6t_do_table);
- if (IS_ERR(sectbl_ops)) {
- xt_unregister_template(&security_table);
+ if (IS_ERR(sectbl_ops))
return PTR_ERR(sectbl_ops);
- }
ret = register_pernet_subsys(&ip6table_security_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&security_table,
+ ip6table_security_table_init);
if (ret < 0) {
- kfree(sectbl_ops);
- xt_unregister_template(&security_table);
- return ret;
+ unregister_pernet_subsys(&ip6table_security_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(sectbl_ops);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 174/272] netfilter: bridge: eb_tables: close module init race
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 173/272] netfilter: x_tables: " Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 175/272] kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() Greg Kroah-Hartman
` (104 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 27414ff1b287ea9a2a11675149ec28e05539f3cc ]
sashiko reports for unrelated patch:
Does the core ebtables initialization in ebtables.c suffer from a similar race?
Once nf_register_sockopt() completes, the sockopts are exposed globally.
sockopt has to be registered last, just like in ip/ip6/arptables.
Fixes: 5b53951cfc85 ("netfilter: ebtables: use net_generic infra")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtables.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 6240bb2b5b5b7..d480a91f081d3 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2583,19 +2583,20 @@ static int __init ebtables_init(void)
{
int ret;
- ret = xt_register_target(&ebt_standard_target);
+ ret = register_pernet_subsys(&ebt_net_ops);
if (ret < 0)
return ret;
- ret = nf_register_sockopt(&ebt_sockopts);
+
+ ret = xt_register_target(&ebt_standard_target);
if (ret < 0) {
- xt_unregister_target(&ebt_standard_target);
+ unregister_pernet_subsys(&ebt_net_ops);
return ret;
}
- ret = register_pernet_subsys(&ebt_net_ops);
+ ret = nf_register_sockopt(&ebt_sockopts);
if (ret < 0) {
- nf_unregister_sockopt(&ebt_sockopts);
xt_unregister_target(&ebt_standard_target);
+ unregister_pernet_subsys(&ebt_net_ops);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 175/272] kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 174/272] netfilter: bridge: eb_tables: close " Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 176/272] test_kprobes: clear kprobes between test runs Greg Kroah-Hartman
` (103 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianpeng Chang,
Masami Hiramatsu (Google), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
[ Upstream commit 307abfac04a254c09c5705d816b33354acee97a0 ]
When kprobe_add_area_blacklist() iterates through a section like
.kprobes.text, the start address may not correspond to a named symbol.
On ARM64 with CONFIG_DYNAMIC_FTRACE_WITH_CALL_OPS=y (introduced by
commit baaf553d3bc3 ("arm64: Implement
HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS")), the compiler flag
-fpatchable-function-entry=4,2 inserts 2 NOPs before each function entry
point for ftrace call_ops. These pre-function NOPs sit at the section base
address, before the first named function symbol. The compiler emits a $x
mapping symbol at offset 0x00 to mark the start of code, but
find_kallsyms_symbol() ignores mapping symbols.
Without CONFIG_DYNAMIC_FTRACE_WITH_CALL_OPS (e.g. defconfig), no
pre-function NOPs are inserted, the first function starts at offset
0x00, and the bug does not trigger.
This only affects modules that have a .kprobes.text section (i.e. those
using the __kprobes annotation). Modules using NOKPROBE_SYMBOL() instead
(like kretprobe_example.ko) blacklist exact function addresses via the
_kprobe_blacklist section and are not affected.
For kprobe_example.ko on ARM64 with -fpatchable-function-entry=4,2,
the .kprobes.text section layout is:
offset 0x00: $x + 2 NOPs (mapping symbol + ftrace preamble)
offset 0x08: handler_post (64 bytes)
offset 0x50: handler_pre (68 bytes)
kprobe_add_area_blacklist() starts iterating from the section base
address (offset 0x00), which only has the $x mapping symbol.
kprobe_add_ksym_blacklist() then calls kallsyms_lookup_size_offset()
for this address, which goes through:
kallsyms_lookup_size_offset()
-> module_address_lookup()
-> find_kallsyms_symbol()
find_kallsyms_symbol() scans all module symbols to find the closest
preceding symbol.
Since no named text symbol exists at offset 0x00,
find_kallsyms_symbol() picks __UNIQUE_ID_vermagic (a .modinfo symbol
whose address is in the temporary image) as the "best" match. The
computed "size" = next_text_symbol - modinfo_symbol spans across
these two unrelated memory regions, creating a blacklist entry with
a bogus range of tens of terabytes.
Whether this causes a visible failure depends on address randomization,
here is what happens on Raspberry Pi 4/5:
- On RPi5, the bogus size was ~35 TB. start + size stayed within
64-bit range, so the blacklist entry covered the entire kernel
text. register_kprobe() in the module's own init function failed
with -EINVAL.
- On RPi4, the bogus size was ~75 TB. start + size overflowed
64 bits and wrapped to a small address near zero. The range
check (addr >= start && addr < end) then failed because end
wrapped around, so the bogus entry was accidentally harmless
and kprobes worked by luck.
The same bug exists on both machines, but randomization determines whether
the integer overflow masks it or not.
Fix this by adding notrace to the __kprobes macro. Functions in
.kprobes.text are kprobe infrastructure handlers that should never be
traced by ftrace. With notrace, the compiler stops inserting them and the
non-symbol gap at the section start disappears entirely.
Link: https://lore.kernel.org/all/20260506012706.2785785-1-jianpeng.chang.cn@windriver.com/
Fixes: baaf553d3bc3 ("arm64: Implement HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/asm-generic/kprobes.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/asm-generic/kprobes.h b/include/asm-generic/kprobes.h
index 060eab094e5a2..5290a2b2e15a0 100644
--- a/include/asm-generic/kprobes.h
+++ b/include/asm-generic/kprobes.h
@@ -14,7 +14,7 @@ static unsigned long __used \
_kbl_addr_##fname = (unsigned long)fname;
# define NOKPROBE_SYMBOL(fname) __NOKPROBE_SYMBOL(fname)
/* Use this to forbid a kprobes attach on very low level functions */
-# define __kprobes __section(".kprobes.text")
+# define __kprobes notrace __section(".kprobes.text")
# define nokprobe_inline __always_inline
#else
# define NOKPROBE_SYMBOL(fname)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 176/272] test_kprobes: clear kprobes between test runs
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 175/272] kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 177/272] tcp: Fix imbalanced icsk_accept_queue count Greg Kroah-Hartman
` (102 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Kaiser,
Masami Hiramatsu (Google), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Kaiser <martin@kaiser.cx>
[ Upstream commit ef5581bb30efb939cc2bf093475c6cc85258e5cd ]
Running the kprobes sanity tests twice makes all tests fail and
eventually crashes the kernel.
[root@martin-riscv-1 ~]# echo 1 > /sys/kernel/debug/kunit/kprobes_test/run
...
# Totals: pass:5 fail:0 skip:0 total:5
ok 1 kprobes_test
[root@martin-riscv-1 ~]# echo 1 > /sys/kernel/debug/kunit/kprobes_test/run
...
# test_kprobe: EXPECTATION FAILED at lib/tests/test_kprobes.c:64
Expected 0 == register_kprobe(&kp), but
register_kprobe(&kp) == -22 (0xffffffffffffffea)
...
Unable to handle kernel paging request ...
The testsuite defines several kprobes and kretprobes as static variables
that are preserved across test runs.
After register_kprobe and unregister_kprobe, a kprobe contains some
leftover data that must be cleared before the kprobe can be registered
again. The tests are setting symbol_name to define the probe location.
Address and flags must be cleared.
The existing code clears some of the probes between subsequent tests, but
not between two test runs. The leftover data from a previous test run
makes the registrations fail in the next run.
Move the cleanups for all kprobes into kprobes_test_init, this function
is called before each single test (including the first test of a test
run).
Link: https://lore.kernel.org/all/20260507134615.1010905-1-martin@kaiser.cx/
Fixes: e44e81c5b90f ("kprobes: convert tests to kunit")
Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/test_kprobes.c | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/lib/test_kprobes.c b/lib/test_kprobes.c
index b7582010125c3..06e729e4de051 100644
--- a/lib/test_kprobes.c
+++ b/lib/test_kprobes.c
@@ -12,6 +12,12 @@
#define div_factor 3
+#define KP_CLEAR(_kp) \
+do { \
+ (_kp).addr = NULL; \
+ (_kp).flags = 0; \
+} while (0)
+
static u32 rand1, preh_val, posth_val;
static u32 (*target)(u32 value);
static u32 (*recursed_target)(u32 value);
@@ -125,10 +131,6 @@ static void test_kprobes(struct kunit *test)
current_test = test;
- /* addr and flags should be cleard for reusing kprobe. */
- kp.addr = NULL;
- kp.flags = 0;
-
KUNIT_EXPECT_EQ(test, 0, register_kprobes(kps, 2));
preh_val = 0;
posth_val = 0;
@@ -226,9 +228,6 @@ static void test_kretprobes(struct kunit *test)
struct kretprobe *rps[2] = {&rp, &rp2};
current_test = test;
- /* addr and flags should be cleard for reusing kprobe. */
- rp.kp.addr = NULL;
- rp.kp.flags = 0;
KUNIT_EXPECT_EQ(test, 0, register_kretprobes(rps, 2));
krph_val = 0;
@@ -290,8 +289,6 @@ static void test_stacktrace_on_kretprobe(struct kunit *test)
unsigned long myretaddr = (unsigned long)__builtin_return_address(0);
current_test = test;
- rp3.kp.addr = NULL;
- rp3.kp.flags = 0;
/*
* Run the stacktrace_driver() to record correct return address in
@@ -352,8 +349,6 @@ static void test_stacktrace_on_nested_kretprobe(struct kunit *test)
struct kretprobe *rps[2] = {&rp3, &rp4};
current_test = test;
- rp3.kp.addr = NULL;
- rp3.kp.flags = 0;
//KUNIT_ASSERT_NE(test, myretaddr, stacktrace_driver());
@@ -367,6 +362,18 @@ static void test_stacktrace_on_nested_kretprobe(struct kunit *test)
static int kprobes_test_init(struct kunit *test)
{
+ KP_CLEAR(kp);
+ KP_CLEAR(kp2);
+ KP_CLEAR(kp_missed);
+#ifdef CONFIG_KRETPROBES
+ KP_CLEAR(rp.kp);
+ KP_CLEAR(rp2.kp);
+#ifdef CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
+ KP_CLEAR(rp3.kp);
+ KP_CLEAR(rp4.kp);
+#endif
+#endif
+
target = kprobe_target;
target2 = kprobe_target2;
recursed_target = kprobe_recursed_target;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 177/272] tcp: Fix imbalanced icsk_accept_queue count.
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 176/272] test_kprobes: clear kprobes between test runs Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 178/272] ice: fix setting RSS VSI hash for E830 Greg Kroah-Hartman
` (101 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 7eca3292cac7c26dad4c236f51ba225c39a0523f ]
When TCP socket migration happens in reqsk_timer_handler(),
@sk_listener will be updated with the new listener.
When we call __inet_csk_reqsk_queue_drop(), the listener must
be the one stored in req->rsk_listener.
The cited commit accidentally replaced oreq->rsk_listener with
sk_listener, leading to imbalanced icsk_accept_queue count.
Let's pass the correct listener to __inet_csk_reqsk_queue_drop().
Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260506035954.1563147-3-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_connection_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index bf4e5f49030b7..dd39cabb39001 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1172,7 +1172,7 @@ static void reqsk_timer_handler(struct timer_list *t)
}
drop:
- __inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
+ __inet_csk_reqsk_queue_drop(oreq->rsk_listener, oreq, true);
reqsk_put(oreq);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 178/272] ice: fix setting RSS VSI hash for E830
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 177/272] tcp: Fix imbalanced icsk_accept_queue count Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 179/272] ice: fix locking in ice_dcb_rebuild() Greg Kroah-Hartman
` (100 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Przemek Kitszel,
Marcin Szycik, Jacob Keller, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcin Szycik <marcin.szycik@linux.intel.com>
[ Upstream commit b3cda96feb60d91fe88d52b974ff110dcfa91239 ]
ice_set_rss_hfunc() performs a VSI update, in which it sets hashing
function, leaving other VSI options unchanged. However, ::q_opt_flags is
mistakenly set to the value of another field, instead of its original
value, probably due to a typo. What happens next is hardware-dependent:
On E810, only the first bit is meaningful (see
ICE_AQ_VSI_Q_OPT_PE_FLTR_EN) and can potentially end up in a different
state than before VSI update.
On E830, some of the remaining bits are not reserved. Setting them
to some unrelated values can cause the firmware to reject the update
because of invalid settings, or worse - succeed.
Reproducer:
sudo ethtool -X $PF1 equal 8
Output in dmesg:
Failed to configure RSS hash for VSI 6, error -5
Fixes: 352e9bf23813 ("ice: enable symmetric-xor RSS for Toeplitz hash function")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-5-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index 2a629b9a9e03a..664bedfbd8054 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -8108,7 +8108,7 @@ int ice_set_rss_hfunc(struct ice_vsi *vsi, u8 hfunc)
ctx->info.q_opt_rss |=
FIELD_PREP(ICE_AQ_VSI_Q_OPT_RSS_HASH_M, hfunc);
ctx->info.q_opt_tc = vsi->info.q_opt_tc;
- ctx->info.q_opt_flags = vsi->info.q_opt_rss;
+ ctx->info.q_opt_flags = vsi->info.q_opt_flags;
err = ice_update_vsi(hw, vsi->idx, ctx, NULL);
if (err) {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 179/272] ice: fix locking in ice_dcb_rebuild()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 178/272] ice: fix setting RSS VSI hash for E830 Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 180/272] net: lan966x: avoid unregistering netdev on register failure Greg Kroah-Hartman
` (99 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, intel-wired-lan, Bart Van Assche,
Aleksandr Loktionov, Przemek Kitszel, Arpana Arland, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 0ded1f36ba4021cba50513e80be6b6e173710168 ]
Move the mutex_lock() call up to prevent that DCB settings change after
the first ice_query_port_ets() call. The second ice_query_port_ets()
call in ice_dcb_rebuild() is already protected by pf->tc_mutex.
This also fixes a bug in an error path, as before taking the first
"goto dcb_error" in the function jumped over mutex_lock() to
mutex_unlock().
This bug has been detected by the clang thread-safety analyzer.
Cc: intel-wired-lan@lists.osuosl.org
Fixes: 242b5e068b25 ("ice: Fix DCB rebuild after reset")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Arpana Arland <arpanax.arland@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-6-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
index a7c5108328240..d185b1aba7a47 100644
--- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
@@ -537,14 +537,14 @@ void ice_dcb_rebuild(struct ice_pf *pf)
struct ice_dcbx_cfg *err_cfg;
int ret;
+ mutex_lock(&pf->tc_mutex);
+
ret = ice_query_port_ets(pf->hw.port_info, &buf, sizeof(buf), NULL);
if (ret) {
dev_err(dev, "Query Port ETS failed\n");
goto dcb_error;
}
- mutex_lock(&pf->tc_mutex);
-
if (!pf->hw.port_info->qos_cfg.is_sw_lldp)
ice_cfg_etsrec_defaults(pf->hw.port_info);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 180/272] net: lan966x: avoid unregistering netdev on register failure
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 179/272] ice: fix locking in ice_dcb_rebuild() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 181/272] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access Greg Kroah-Hartman
` (98 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ijae Kim, Myeonghun Pak,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
[ Upstream commit c4f3d6eb1fcf6cd9ce4644f604d5aad1ce594dfc ]
lan966x_probe_port() stores the newly allocated net_device in the
port before calling register_netdev(). If register_netdev() fails,
the probe error path calls lan966x_cleanup_ports(), which sees
port->dev and calls unregister_netdev() for a device that was never
registered.
Destroy the phylink instance created for this port and clear port->dev
before returning the registration error. The common cleanup path now skips
ports without port->dev before reaching the registered netdev cleanup, so
it only handles ports that reached the registered-netdev lifetime.
This also avoids treating an uninitialized FDMA netdev and the failed port
as a NULL == NULL match in the common cleanup path.
Fixes: d28d6d2e37d1 ("net: lan966x: add port module support")
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260506124331.31945-1-mhun512@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
index b5dc65a4d6403..9acba25a30586 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
@@ -749,11 +749,10 @@ static void lan966x_cleanup_ports(struct lan966x *lan966x)
for (p = 0; p < lan966x->num_phys_ports; p++) {
port = lan966x->ports[p];
- if (!port)
+ if (!port || !port->dev)
continue;
- if (port->dev)
- unregister_netdev(port->dev);
+ unregister_netdev(port->dev);
lan966x_xdp_port_deinit(port);
if (lan966x->fdma && lan966x->fdma_ndev == port->dev)
@@ -874,6 +873,9 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p,
err = register_netdev(dev);
if (err) {
dev_err(lan966x->dev, "register_netdev failed\n");
+ phylink_destroy(phylink);
+ port->phylink = NULL;
+ port->dev = NULL;
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 181/272] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 180/272] net: lan966x: avoid unregistering netdev on register failure Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 182/272] NFSD: Fix infinite loop in layout state revocation Greg Kroah-Hartman
` (97 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal,
Vinod Koul, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 91ddf6f722084383fb05be731c0107814b055c0c ]
The mvebu_a3700_utmi_phy_power_off() function tries to modify the
USB2_PHY_CTRL register by using the IO address of the PHY IP block along
with the readl/writel IO accessors. However, the register exist in the
USB miscellaneous register space, and as such it must be accessed via
regmap like it is done in the mvebu_a3700_utmi_phy_power_on() function.
Change the code to use regmap_update_bits() for modífying the register
to fix this.
Fixes: cc8b7a0ae866 ("phy: add A3700 UTMI PHY driver")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260321-a3700-utmi-fix-usb2_phy_ctrl-access-v1-1-6005ff4b5058@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/marvell/phy-mvebu-a3700-utmi.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/phy/marvell/phy-mvebu-a3700-utmi.c b/drivers/phy/marvell/phy-mvebu-a3700-utmi.c
index 04f4fb4bed702..f882bc57649c7 100644
--- a/drivers/phy/marvell/phy-mvebu-a3700-utmi.c
+++ b/drivers/phy/marvell/phy-mvebu-a3700-utmi.c
@@ -168,9 +168,8 @@ static int mvebu_a3700_utmi_phy_power_off(struct phy *phy)
u32 reg;
/* Disable PHY pull-up and enable USB2 suspend */
- reg = readl(utmi->regs + USB2_PHY_CTRL(usb32));
- reg &= ~(RB_USB2PHY_PU | RB_USB2PHY_SUSPM(usb32));
- writel(reg, utmi->regs + USB2_PHY_CTRL(usb32));
+ regmap_update_bits(utmi->usb_misc, USB2_PHY_CTRL(usb32),
+ RB_USB2PHY_PU | RB_USB2PHY_SUSPM(usb32), 0);
/* Power down OTG module */
if (usb32) {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 182/272] NFSD: Fix infinite loop in layout state revocation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 181/272] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 183/272] irqchip/ath79-cpu: Remove unused function Greg Kroah-Hartman
` (96 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dai Ngo, Jeff Layton, Chuck Lever,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 4f8ef58c10bfe5f86a643c7c8331b37e69e3dae1 ]
find_one_sb_stid() skips stids whose sc_status is non-zero, but the
SC_TYPE_LAYOUT case in nfsd4_revoke_states() never sets sc_status
before calling nfsd4_close_layout(). The retry loop therefore finds
the same layout stid on every iteration, hanging the revoker
indefinitely.
Fixes: 1e33e1414bec ("nfsd: allow layout state to be admin-revoked.")
Reported-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Dai Ngo <dai.ngo@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 1a15e458b178a..2d91747297820 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1832,6 +1832,13 @@ void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb)
break;
case SC_TYPE_LAYOUT:
ls = layoutstateid(stid);
+ spin_lock(&clp->cl_lock);
+ if (stid->sc_status == 0) {
+ stid->sc_status |=
+ SC_STATUS_ADMIN_REVOKED;
+ atomic_inc(&clp->cl_admin_revoked);
+ }
+ spin_unlock(&clp->cl_lock);
nfsd4_close_layout(ls);
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 183/272] irqchip/ath79-cpu: Remove unused function
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 182/272] NFSD: Fix infinite loop in layout state revocation Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 184/272] ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation Greg Kroah-Hartman
` (95 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Rosen Penev,
Thomas Gleixner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rosen Penev <rosenp@gmail.com>
[ Upstream commit 0fa10fb77069fb67aa51384868ef3702b7791465 ]
ath79_cpu_irq_init() was part of the legacy pre-OF code that got removed a
while back.
Remove it to get rid of a missing prototype warning, reported by the kernel test
robot.
[ tglx: Fix the subject prefix. Sigh ... ]
Fixes: 51fa4f8912c0 ("MIPS: ath79: drop legacy IRQ code")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260506085522.1210143-1-rosenp@gmail.com
Closes: https://lore.kernel.org/oe-kbuild-all/202412011509.kGQkDr1y-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-ath79-cpu.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/irqchip/irq-ath79-cpu.c b/drivers/irqchip/irq-ath79-cpu.c
index 923e4bba37767..9b7273a7f8ced 100644
--- a/drivers/irqchip/irq-ath79-cpu.c
+++ b/drivers/irqchip/irq-ath79-cpu.c
@@ -85,10 +85,3 @@ static int __init ar79_cpu_intc_of_init(
}
IRQCHIP_DECLARE(ar79_cpu_intc, "qca,ar7100-cpu-intc",
ar79_cpu_intc_of_init);
-
-void __init ath79_cpu_irq_init(unsigned irq_wb_chan2, unsigned irq_wb_chan3)
-{
- irq_wb_chan[2] = irq_wb_chan2;
- irq_wb_chan[3] = irq_wb_chan3;
- mips_cpu_irq_init();
-}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 184/272] ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 183/272] irqchip/ath79-cpu: Remove unused function Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 185/272] nsfs: fix wrong error code returned for pidns ioctls Greg Kroah-Hartman
` (94 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Lei, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <tom.leiming@gmail.com>
[ Upstream commit 1860c2f85922917d8a46f16a6f4bd2298ffa0fb5 ]
blk_validate_limits() requires max_hw_sectors >= PAGE_SECTORS and fires
a WARN_ON_ONCE if this invariant is violated. ublk_validate_params()
only checked the upper bound of max_sectors against max_io_buf_bytes,
allowing userspace to pass small values (including zero) that trigger
the warning when blk_mq_alloc_disk() is called from
ublk_ctrl_start_dev().
Before 494ea040bcb5, ublk used blk_queue_max_hw_sectors() which silently
clamped small values up to PAGE_SECTORS. The conversion to passing
queue_limits directly to blk_mq_alloc_disk() lost that clamping and now
hits blk_validate_limits()'s WARN_ON_ONCE instead.
Validate that max_sectors is at least PAGE_SECTORS in
ublk_validate_params() so invalid values are rejected early with
-EINVAL instead of reaching the block layer.
Fixes: 494ea040bcb5 ("ublk: pass queue_limits to blk_mq_alloc_disk")
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Link: https://patch.msgid.link/20260510144843.769031-1-tom.leiming@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ublk_drv.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index c6a59f02944fc..6854b847bccef 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -540,6 +540,9 @@ static int ublk_validate_params(const struct ublk_device *ub)
if (p->max_sectors > (ub->dev_info.max_io_buf_bytes >> 9))
return -EINVAL;
+ if (p->max_sectors < PAGE_SECTORS)
+ return -EINVAL;
+
if (ublk_dev_is_zoned(ub) && !p->chunk_sectors)
return -EINVAL;
} else
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 185/272] nsfs: fix wrong error code returned for pidns ioctls
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 184/272] ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 186/272] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT Greg Kroah-Hartman
` (93 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Yang Erkun,
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
[ Upstream commit 725ecd80688bf3c57ca9205431f2c06174ff0756 ]
When executing NS_GET_PID_FROM_PIDNS (or similar pidns ioctls), if the
target task cannot be found in the corresponding pid_ns, the error code
should be ESRCH instead of ENOTTY.
This bug was introduced when the extensible ioctl handling was added.
Without proper return, ret would be overwritten by the default case in
the extensible ioctl switch statement.
Fixes: a1d220d9dafa8 ("nsfs: iterate through mount namespaces")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://patch.msgid.link/20260507112301.1042757-1-chengzhihao1@huawei.com
Reviewed-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nsfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nsfs.c b/fs/nsfs.c
index 0f4b0fed9265f..eb232f5292f8f 100644
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -235,7 +235,7 @@ static long ns_ioctl(struct file *filp, unsigned int ioctl,
else
tsk = find_task_by_pid_ns(arg, pid_ns);
if (!tsk)
- break;
+ return ret;
switch (ioctl) {
case NS_GET_PID_FROM_PIDNS:
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 186/272] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 185/272] nsfs: fix wrong error code returned for pidns ioctls Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 187/272] zonefs: handle integer overflow in zonefs_fname_to_fno Greg Kroah-Hartman
` (92 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Steven Rostedt, Jiayuan Chen, Thomas Gleixner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 91840be8f710370607f949a627e070896faeddb8 ]
On PREEMPT_RT, non-HARD irq_work runs in per-CPU kthreads via
run_irq_workd(), so irq_work_sync() uses rcuwait() to wait for BUSY==0.
After irq_work_single() clears BUSY via atomic_cmpxchg(), it still
dereferences @work for irq_work_is_hard() and rcuwait_wake_up().
An irq_work_sync() caller on another CPU that enters after BUSY is cleared
can observe BUSY==0 immediately, return, and free the work before those
accesses complete — causing a use-after-free.
Fix this by wrapping run_irq_workd() in guard(rcu)() so that the entire
irq_work_single() execution is within an RCU read-side critical
section. Then add synchronize_rcu() in irq_work_sync() after
rcuwait_wait_event() to ensure the caller waits for the RCU grace period
before returning, preventing premature frees.
Fixes: 810979682ccc ("irq_work: Allow irq_work_sync() to sleep if irq_work() no IRQ support.")
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20260330073234.303732-1-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/irq_work.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/irq_work.c b/kernel/irq_work.c
index 2f4fb336dda17..188721af8eb31 100644
--- a/kernel/irq_work.c
+++ b/kernel/irq_work.c
@@ -292,6 +292,12 @@ void irq_work_sync(struct irq_work *work)
!arch_irq_work_has_interrupt()) {
rcuwait_wait_event(&work->irqwait, !irq_work_is_busy(work),
TASK_UNINTERRUPTIBLE);
+ /*
+ * Ensure irq_work_single() does not access @work
+ * after removing IRQ_WORK_BUSY. It is always
+ * accessed within a RCU-read section.
+ */
+ synchronize_rcu();
return;
}
@@ -302,6 +308,7 @@ EXPORT_SYMBOL_GPL(irq_work_sync);
static void run_irq_workd(unsigned int cpu)
{
+ guard(rcu)();
irq_work_run_list(this_cpu_ptr(&lazy_list));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 187/272] zonefs: handle integer overflow in zonefs_fname_to_fno
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 186/272] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 188/272] tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key() Greg Kroah-Hartman
` (91 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Dobriyan, Johannes Thumshirn,
Damien Le Moal, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
[ Upstream commit 3a8389d42bdf4213730f4067f8bfa78bae6564ef ]
In zonefs the file name in one of the two directories corresponds to the
zone number.
Here Alexey reported a possible integer overflow in zonefs_fname_to_fno(),
where the parsing of the zone number from the file name can overflow the
'long' data type.
Add a check for integer overflows and if the fno 'long' did overflow
return -ENOENT.
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Fixes: d207794ababe ("zonefs: Dynamically create file inodes when needed")
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/zonefs/super.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/zonefs/super.c b/fs/zonefs/super.c
index faf1eb87895d0..72408d8f9345c 100644
--- a/fs/zonefs/super.c
+++ b/fs/zonefs/super.c
@@ -610,10 +610,14 @@ static long zonefs_fname_to_fno(const struct qstr *fname)
return c - '0';
for (i = 0, rname = name + len - 1; i < len; i++, rname--) {
+ long digit;
+
c = *rname;
if (!isdigit(c))
return -ENOENT;
- fno += (c - '0') * shift;
+ digit = (c - '0') * shift;
+ if (check_add_overflow(fno, digit, &fno))
+ return -ENOENT;
shift *= 10;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 188/272] tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 187/272] zonefs: handle integer overflow in zonefs_fname_to_fno Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 189/272] powerpc: fix dead default for GUEST_STATE_BUFFER_TEST Greg Kroah-Hartman
` (90 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Kuniyuki Iwashima,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 03cb001ef87b3f8d859cf7f96329acf3d6235d29 ]
lockdep_sock_is_held() was added in tcp_ao_established_key()
by the cited commit.
It can be called from tcp_v[46]_timewait_ack() with twsk.
Since it does not have sk->sk_lock, the lockdep annotation
results in out-of-bound access.
$ pahole -C tcp_timewait_sock vmlinux | grep size
/* size: 288, cachelines: 5, members: 8 */
$ pahole -C sock vmlinux | grep sk_lock
socket_lock_t sk_lock; /* 440 192 */
Let's not use lockdep_sock_is_held() for TCP_TIME_WAIT.
Fixes: 6b2d11e2d8fc ("net/tcp: Add missing lockdep annotations for TCP-AO hlist traversals")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260508120853.4098365-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_ao.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 72957523c2eca..be38712265c37 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -116,7 +116,8 @@ struct tcp_ao_key *tcp_ao_established_key(const struct sock *sk,
{
struct tcp_ao_key *key;
- hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) {
+ hlist_for_each_entry_rcu(key, &ao->head, node,
+ sk_fullsock(sk) && lockdep_sock_is_held(sk)) {
if ((sndid >= 0 && key->sndid != sndid) ||
(rcvid >= 0 && key->rcvid != rcvid))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 189/272] powerpc: fix dead default for GUEST_STATE_BUFFER_TEST
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 188/272] tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 190/272] netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call Greg Kroah-Hartman
` (89 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julian Braha, Gautam Menghani,
Amit Machhiwal, Harsh Prateek Bora, Madhavan Srinivasan,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julian Braha <julianbraha@gmail.com>
[ Upstream commit aef656a0e6c01796190bb5bd2bdba1c644ed7811 ]
The GUEST_STATE_BUFFER_TEST config option should default
to KUNIT_ALL_TESTS so that if all tests are enabled then
it is included, but currently the 'default KUNIT_ALL_TESTS'
statement is shadowed by 'def_tristate n',
meaning that this second default statement is currently dead code.
It looks to me like the commit
6ccbbc33f06a ("KVM: PPC: Add helper library for Guest State Buffers")
intended to set the default to KUNIT_ALL_TESTS, but mistakenly
missed the def_tristate.
This dead code was found by kconfirm, a static analysis tool for Kconfig.
Fixes: 6ccbbc33f06a ("KVM: PPC: Add helper library for Guest State Buffers")
Signed-off-by: Julian Braha <julianbraha@gmail.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Reviewed-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260405161545.161006-1-julianbraha@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/Kconfig.debug | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
index 0bbec4afc0d59..1e2b51280e602 100644
--- a/arch/powerpc/Kconfig.debug
+++ b/arch/powerpc/Kconfig.debug
@@ -83,11 +83,10 @@ config MSI_BITMAP_SELFTEST
depends on DEBUG_KERNEL
config GUEST_STATE_BUFFER_TEST
- def_tristate n
+ def_tristate KUNIT_ALL_TESTS
prompt "Enable Guest State Buffer unit tests"
depends on KUNIT
depends on KVM_BOOK3S_HV_POSSIBLE
- default KUNIT_ALL_TESTS
help
The Guest State Buffer is a data format specified in the PAPR.
It is by hcalls to communicate the state of L2 guests between
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 190/272] netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 189/272] powerpc: fix dead default for GUEST_STATE_BUFFER_TEST Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 191/272] netfs: Fix overrun check in netfs_extract_user_iter() Greg Kroah-Hartman
` (88 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, David Howells,
Paulo Alcantara (Red Hat), netfs, linux-fsdevel, Ceph Development,
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
[ Upstream commit dc7832d05deb4d632e8035e3299e31a3528fa0d0 ]
The multiple runs of generic/013 test-case is capable
to reproduce a kernel BUG at mm/filemap.c:1504 with
probability of 30%.
while true; do
sudo ./check generic/013
done
[ 9849.452376] page: refcount:3 mapcount:0 mapping:00000000e58ff252 index:0x10781 pfn:0x1c322
[ 9849.452412] memcg:ffff8881a1915800
[ 9849.452417] aops:ceph_aops ino:1000058db9e dentry name(?):"f9XXXXXX"
[ 9849.452432] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[ 9849.452441] raw: 0017ffffc0000000 0000000000000000 dead000000000122 ffff88816110d248
[ 9849.452445] raw: 0000000000010781 0000000000000000 00000003ffffffff ffff8881a1915800
[ 9849.452447] page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
[ 9849.452474] ------------[ cut here ]------------
[ 9849.452476] kernel BUG at mm/filemap.c:1504!
[ 9849.478635] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 9849.481772] CPU: 2 UID: 0 PID: 84223 Comm: fsstress Not tainted 7.0.0-rc1+ #18 PREEMPT(full)
[ 9849.482881] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/1
0/2025
[ 9849.484539] RIP: 0010:folio_unlock+0x85/0xa0
[ 9849.485076] Code: 89 df 31 f6 e8 1c f3 ff ff 48 8b 5d f8 c9 31 c0 31 d2 31 f6 31 ff c3 cc
cc cc cc 48 c7 c6 80 6c d9 a7 48 89 df e8 4b b3 10 00 <0f> 0b 48 89 df e8 21 e6 2c 00 eb 9d 0f 1f 40 00 66 66 2e 0f 1f 84
[ 9849.493818] RSP: 0018:ffff8881bb8076b0 EFLAGS: 00010246
[ 9849.495740] RAX: 0000000000000000 RBX: ffffea00070c8980 RCX: 0000000000000000
[ 9849.498678] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 9849.500559] RBP: ffff8881bb8076b8 R08: 0000000000000000 R09: 0000000000000000
[ 9849.501097] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000010782000
[ 9849.502108] R13: ffff8881935de738 R14: ffff88816110d010 R15: 0000000000001000
[ 9849.502516] FS: 00007e36cbe94740(0000) GS:ffff88824a899000(0000) knlGS:0000000000000000
[ 9849.502996] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9849.503810] CR2: 000000c0002b0000 CR3: 000000011bbf6004 CR4: 0000000000772ef0
[ 9849.504459] PKRU: 55555554
[ 9849.504626] Call Trace:
[ 9849.505242] <TASK>
[ 9849.505379] netfs_write_begin+0x7c8/0x10a0
[ 9849.505877] ? __kasan_check_read+0x11/0x20
[ 9849.506384] ? __pfx_netfs_write_begin+0x10/0x10
[ 9849.507178] ceph_write_begin+0x8c/0x1c0
[ 9849.507934] generic_perform_write+0x391/0x8f0
[ 9849.508503] ? __pfx_generic_perform_write+0x10/0x10
[ 9849.509062] ? file_update_time_flags+0x19a/0x4b0
[ 9849.509581] ? ceph_get_caps+0x63/0xf0
[ 9849.510259] ? ceph_get_caps+0x63/0xf0
[ 9849.510530] ceph_write_iter+0xe79/0x1ae0
[ 9849.511282] ? __pfx_ceph_write_iter+0x10/0x10
[ 9849.511839] ? lock_acquire+0x1ad/0x310
[ 9849.512334] ? ksys_write+0xf9/0x230
[ 9849.512582] ? lock_is_held_type+0xaa/0x140
[ 9849.513128] vfs_write+0x512/0x1110
[ 9849.513634] ? __fget_files+0x33/0x350
[ 9849.513893] ? __pfx_vfs_write+0x10/0x10
[ 9849.514143] ? mutex_lock_nested+0x1b/0x30
[ 9849.514394] ksys_write+0xf9/0x230
[ 9849.514621] ? __pfx_ksys_write+0x10/0x10
[ 9849.514887] ? do_syscall_64+0x25e/0x1520
[ 9849.515122] ? __kasan_check_read+0x11/0x20
[ 9849.515366] ? trace_hardirqs_on_prepare+0x178/0x1c0
[ 9849.515655] __x64_sys_write+0x72/0xd0
[ 9849.515885] ? trace_hardirqs_on+0x24/0x1c0
[ 9849.516130] x64_sys_call+0x22f/0x2390
[ 9849.516341] do_syscall_64+0x12b/0x1520
[ 9849.516545] ? do_syscall_64+0x27c/0x1520
[ 9849.516783] ? do_syscall_64+0x27c/0x1520
[ 9849.517003] ? lock_release+0x318/0x480
[ 9849.517220] ? __x64_sys_io_getevents+0x143/0x2d0
[ 9849.517479] ? percpu_ref_put_many.constprop.0+0x8f/0x210
[ 9849.517779] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 9849.518073] ? do_syscall_64+0x25e/0x1520
[ 9849.518291] ? __kasan_check_read+0x11/0x20
[ 9849.518519] ? trace_hardirqs_on_prepare+0x178/0x1c0
[ 9849.518799] ? do_syscall_64+0x27c/0x1520
[ 9849.519024] ? local_clock_noinstr+0xf/0x120
[ 9849.519262] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 9849.519544] ? do_syscall_64+0x25e/0x1520
[ 9849.519781] ? __kasan_check_read+0x11/0x20
[ 9849.520008] ? trace_hardirqs_on_prepare+0x178/0x1c0
[ 9849.520273] ? do_syscall_64+0x27c/0x1520
[ 9849.520491] ? trace_hardirqs_on_prepare+0x178/0x1c0
[ 9849.520767] ? irqentry_exit+0x10c/0x6c0
[ 9849.520984] ? trace_hardirqs_off+0x86/0x1b0
[ 9849.521224] ? exc_page_fault+0xab/0x130
[ 9849.521472] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 9849.521766] RIP: 0033:0x7e36cbd14907
[ 9849.521989] Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 9849.523057] RSP: 002b:00007ffff2d2a968 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 9849.523484] RAX: ffffffffffffffda RBX: 000000000000e549 RCX: 00007e36cbd14907
[ 9849.523885] RDX: 000000000000e549 RSI: 00005bd797ec6370 RDI: 0000000000000004
[ 9849.524277] RBP: 0000000000000004 R08: 0000000000000047 R09: 00005bd797ec6370
[ 9849.524652] R10: 0000000000000078 R11: 0000000000000246 R12: 0000000000000049
[ 9849.525062] R13: 0000000010781a37 R14: 00005bd797ec6370 R15: 0000000000000000
[ 9849.525447] </TASK>
[ 9849.525574] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass ghash_clmulni_intel aesni_intel input_leds rapl mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 bochs qemu_fw_cfg i2c_smbus pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
[ 9849.529150] ---[ end trace 0000000000000000 ]---
[ 9849.529502] RIP: 0010:folio_unlock+0x85/0xa0
[ 9849.530813] Code: 89 df 31 f6 e8 1c f3 ff ff 48 8b 5d f8 c9 31 c0 31 d2 31 f6 31 ff c3 cc cc cc cc 48 c7 c6 80 6c d9 a7 48 89 df e8 4b b3 10 00 <0f> 0b 48 89 df e8 21 e6 2c 00 eb 9d 0f 1f 40 00 66 66 2e 0f 1f 84
[ 9849.534986] RSP: 0018:ffff8881bb8076b0 EFLAGS: 00010246
[ 9849.536198] RAX: 0000000000000000 RBX: ffffea00070c8980 RCX: 0000000000000000
[ 9849.537718] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 9849.539321] RBP: ffff8881bb8076b8 R08: 0000000000000000 R09: 0000000000000000
[ 9849.540862] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000010782000
[ 9849.542438] R13: ffff8881935de738 R14: ffff88816110d010 R15: 0000000000001000
[ 9849.543996] FS: 00007e36cbe94740(0000) GS:ffff88824b899000(0000) knlGS:0000000000000000
[ 9849.545854] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9849.547092] CR2: 00007e36cb3ff000 CR3: 000000011bbf6006 CR4: 0000000000772ef0
[ 9849.548679] PKRU: 55555554
The race sequence:
1. Read completes -> netfs_read_collection() runs
2. netfs_wake_rreq_flag(rreq, NETFS_RREQ_IN_PROGRESS, ...)
3. netfs_wait_for_read() returns -EFAULT to netfs_write_begin()
4. The netfs_unlock_abandoned_read_pages() unlocks the folio
5. netfs_write_begin() calls folio_unlock(folio) -> VM_BUG_ON_FOLIO()
The key reason of the issue that netfs_unlock_abandoned_read_pages()
doesn't check the flag NETFS_RREQ_NO_UNLOCK_FOLIO and executes
folio_unlock() unconditionally. This patch implements in
netfs_unlock_abandoned_read_pages() logic similar to
netfs_unlock_read_folio().
Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-8-dhowells@redhat.com
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
cc: Ceph Development <ceph-devel@vger.kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/read_retry.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c
index 48fb0303f7eee..42abf574e6788 100644
--- a/fs/netfs/read_retry.c
+++ b/fs/netfs/read_retry.c
@@ -249,8 +249,15 @@ void netfs_unlock_abandoned_read_pages(struct netfs_io_request *rreq)
struct folio *folio = folioq_folio(p, slot);
if (folio && !folioq_is_marked2(p, slot)) {
- trace_netfs_folio(folio, netfs_folio_trace_abandon);
- folio_unlock(folio);
+ if (folio->index == rreq->no_unlock_folio &&
+ test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO,
+ &rreq->flags)) {
+ _debug("no unlock");
+ } else {
+ trace_netfs_folio(folio,
+ netfs_folio_trace_abandon);
+ folio_unlock(folio);
+ }
}
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 191/272] netfs: Fix overrun check in netfs_extract_user_iter()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 190/272] netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 192/272] netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone Greg Kroah-Hartman
` (87 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
netfs, linux-fsdevel, Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 0ef37eef83fad3542ee06db2940433ae1a92b39d ]
Fix netfs_extract_user_iter() so that if iov_iter_extract_pages() overfills
pages[], then those pages don't get included in the iterator constructed at
the end of the function. If there was an overfill, memory corruption has
already happened.
Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
Closes: https://sashiko.dev/#/patchset/20260427154639.180684-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-11-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/iterator.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/fs/netfs/iterator.c b/fs/netfs/iterator.c
index 429e4396e1b00..b375567e0520e 100644
--- a/fs/netfs/iterator.c
+++ b/fs/netfs/iterator.c
@@ -72,21 +72,24 @@ ssize_t netfs_extract_user_iter(struct iov_iter *orig, size_t orig_len,
break;
}
- if (ret > count) {
- pr_err("get_pages rc=%zd more than %zu\n", ret, count);
+ if (WARN(ret > count,
+ "%s: extract_pages overrun %zd > %zu bytes\n",
+ __func__, ret, count)) {
+ ret = -EIO;
break;
}
- count -= ret;
- ret += offset;
- cur_npages = DIV_ROUND_UP(ret, PAGE_SIZE);
-
- if (npages + cur_npages > max_pages) {
- pr_err("Out of bvec array capacity (%u vs %u)\n",
- npages + cur_npages, max_pages);
+ cur_npages = DIV_ROUND_UP(offset + ret, PAGE_SIZE);
+ if (WARN(cur_npages > max_pages - npages,
+ "%s: extract_pages overrun %u > %u pages\n",
+ __func__, npages + cur_npages, max_pages)) {
+ ret = -EIO;
break;
}
+ count -= ret;
+ ret += offset;
+
for (i = 0; i < cur_npages; i++) {
len = ret > PAGE_SIZE ? PAGE_SIZE : ret;
bvec_set_page(bv + npages + i, *pages++, len - offset, offset);
@@ -97,6 +100,11 @@ ssize_t netfs_extract_user_iter(struct iov_iter *orig, size_t orig_len,
npages += cur_npages;
}
+ /* Note: Don't try to clean up after EIO. Either we got no pages, so
+ * nothing to clean up, or we got a buffer overrun, memory corruption
+ * and can't trust the stuff in the buffer (a WARN was emitted).
+ */
+
if (ret < 0 && (ret == -ENOMEM || npages == 0)) {
for (i = 0; i < npages; i++)
unpin_user_page(bv[i].bv_page);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 192/272] netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 191/272] netfs: Fix overrun check in netfs_extract_user_iter() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 193/272] netfs: Defer the emission of trace_netfs_folio() Greg Kroah-Hartman
` (86 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Dionne, David Howells,
Paulo Alcantara, Matthew Wilcox, netfs, linux-fsdevel,
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 156ac2ec2ee77c44c4eb7439d6d165247ba12247 ]
If a streaming write is made, this will leave the relevant modified folio
in a not-uptodate, but dirty state with a netfs_folio struct hung off of
folio->private indicating the dirty range. Subsequently truncating the
file such that the dirty data in the folio is removed, but the first part
of the folio theoretically remains will cause the netfs_folio struct to be
discarded... but will leave the dirty flag set.
If the folio is then read via mmap(), netfs_read_folio() will see that the
page is dirty and jump to netfs_read_gaps() to fill in the missing bits.
netfs_read_gaps(), however, expects there to be a netfs_folio struct
present and can oops because truncate removed it.
Fix this by calling folio_cancel_dirty() in netfs_invalidate_folio() in the
event that all the dirty data in the folio is erased (as nfs does).
Also add some tracepoints to log modifications to a dirty page.
This can be reproduced with something like:
dd if=/dev/zero of=/xfstest.test/foo bs=1M count=1
umount /xfstest.test
mount /xfstest.test
xfs_io -c "w 0xbbbf 0xf96c" \
-c "truncate 0xbbbf" \
-c "mmap -r 0xb000 0x11000" \
-c "mr 0xb000 0x11000" \
/xfstest.test/foo
with fscaching disabled (otherwise streaming writes are suppressed) and a
change to netfs_perform_write() to disallow streaming writes if the fd is
open O_RDWR:
if (//(file->f_mode & FMODE_READ) || <--- comment this out
netfs_is_cache_enabled(ctx)) {
It should be reproducible even without this change, but if prevents the
above trivial xfs_io command from reproducing it.
Note that the initial dd is important: the file must start out sufficiently
large that the zero-point logic doesn't just clear the gaps because it
knows there's nothing in the file to read yet. Unmounting and mounting is
needed to clear the pagecache (there are other ways to do that that may
also work).
This was initially reproduced with the generic/522 xfstest on some patches
that remove the FMODE_READ restriction.
Fixes: 9ebff83e6481 ("netfs: Prep to use folio->private for write grouping and streaming write")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-12-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/misc.c | 6 +++++-
include/trace/events/netfs.h | 4 ++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
index 78fe5796b2b2f..488a4b1914300 100644
--- a/fs/netfs/misc.c
+++ b/fs/netfs/misc.c
@@ -268,6 +268,7 @@ void netfs_invalidate_folio(struct folio *folio, size_t offset, size_t length)
/* Move the start of the data. */
finfo->dirty_len = fend - iend;
finfo->dirty_offset = offset;
+ trace_netfs_folio(folio, netfs_folio_trace_invalidate_front);
return;
}
@@ -276,12 +277,14 @@ void netfs_invalidate_folio(struct folio *folio, size_t offset, size_t length)
*/
if (iend >= fend) {
finfo->dirty_len = offset - fstart;
+ trace_netfs_folio(folio, netfs_folio_trace_invalidate_tail);
return;
}
/* A partial write was split. The caller has already zeroed
* it, so just absorb the hole.
*/
+ trace_netfs_folio(folio, netfs_folio_trace_invalidate_middle);
}
return;
@@ -289,8 +292,9 @@ void netfs_invalidate_folio(struct folio *folio, size_t offset, size_t length)
netfs_put_group(netfs_folio_group(folio));
folio_detach_private(folio);
folio_clear_uptodate(folio);
+ folio_cancel_dirty(folio);
kfree(finfo);
- return;
+ trace_netfs_folio(folio, netfs_folio_trace_invalidate_all);
}
EXPORT_SYMBOL(netfs_invalidate_folio);
diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h
index 69975c9c68239..f3e386c69cc8b 100644
--- a/include/trace/events/netfs.h
+++ b/include/trace/events/netfs.h
@@ -161,6 +161,10 @@
EM(netfs_folio_trace_copy_to_cache, "mark-copy") \
EM(netfs_folio_trace_end_copy, "end-copy") \
EM(netfs_folio_trace_filled_gaps, "filled-gaps") \
+ EM(netfs_folio_trace_invalidate_all, "inval-all") \
+ EM(netfs_folio_trace_invalidate_front, "inval-front") \
+ EM(netfs_folio_trace_invalidate_middle, "inval-mid") \
+ EM(netfs_folio_trace_invalidate_tail, "inval-tail") \
EM(netfs_folio_trace_kill, "kill") \
EM(netfs_folio_trace_kill_cc, "kill-cc") \
EM(netfs_folio_trace_kill_g, "kill-g") \
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 193/272] netfs: Defer the emission of trace_netfs_folio()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 192/272] netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 194/272] netfs: Fix streaming write being overwritten Greg Kroah-Hartman
` (85 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
Matthew Wilcox, netfs, linux-fsdevel, Christian Brauner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit daeb443b92817021c1234e8eded219e164b7c35d ]
Change netfs_perform_write() to keep the netfs_folio trace value in a
variable and emit it later to make it easier to choose the value displayed.
This is a prerequisite for a subsequent patch.
Closes: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-13-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: 7b4dcf1b9455 ("netfs: Fix streaming write being overwritten")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_write.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index be77a137cc871..48c66d26e7b7e 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -143,6 +143,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
}
do {
+ enum netfs_folio_trace trace;
struct netfs_folio *finfo;
struct netfs_group *group;
unsigned long long fpos;
@@ -216,7 +217,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
if (unlikely(copied == 0))
goto copy_failed;
netfs_set_group(folio, netfs_group);
- trace_netfs_folio(folio, netfs_folio_is_uptodate);
+ trace = netfs_folio_is_uptodate;
goto copied;
}
@@ -232,7 +233,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
zero_user_segment(&folio->page, offset + copied, flen);
__netfs_set_group(folio, netfs_group);
folio_mark_uptodate(folio);
- trace_netfs_folio(folio, netfs_modify_and_clear);
+ trace = netfs_modify_and_clear;
goto copied;
}
@@ -250,7 +251,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
}
__netfs_set_group(folio, netfs_group);
folio_mark_uptodate(folio);
- trace_netfs_folio(folio, netfs_whole_folio_modify);
+ trace = netfs_whole_folio_modify;
goto copied;
}
@@ -277,7 +278,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
if (unlikely(copied == 0))
goto copy_failed;
netfs_set_group(folio, netfs_group);
- trace_netfs_folio(folio, netfs_just_prefetch);
+ trace = netfs_just_prefetch;
goto copied;
}
@@ -291,7 +292,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
if (offset == 0 && copied == flen) {
__netfs_set_group(folio, netfs_group);
folio_mark_uptodate(folio);
- trace_netfs_folio(folio, netfs_streaming_filled_page);
+ trace = netfs_streaming_filled_page;
goto copied;
}
@@ -306,7 +307,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
finfo->dirty_len = copied;
folio_attach_private(folio, (void *)((unsigned long)finfo |
NETFS_FOLIO_INFO));
- trace_netfs_folio(folio, netfs_streaming_write);
+ trace = netfs_streaming_write;
goto copied;
}
@@ -326,9 +327,9 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
folio_detach_private(folio);
folio_mark_uptodate(folio);
kfree(finfo);
- trace_netfs_folio(folio, netfs_streaming_cont_filled_page);
+ trace = netfs_streaming_cont_filled_page;
} else {
- trace_netfs_folio(folio, netfs_streaming_write_cont);
+ trace = netfs_streaming_write_cont;
}
goto copied;
}
@@ -344,6 +345,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
continue;
copied:
+ trace_netfs_folio(folio, trace);
flush_dcache_folio(folio);
/* Update the inode size if we moved the EOF marker */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 194/272] netfs: Fix streaming write being overwritten
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 193/272] netfs: Defer the emission of trace_netfs_folio() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 195/272] netfs: Fix potential deadlock in write-through mode Greg Kroah-Hartman
` (84 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
Matthew Wilcox, netfs, linux-fsdevel, Christian Brauner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 7b4dcf1b9455a6e52ac7478b4057dbe10359576d ]
In order to avoid reading whilst writing, netfslib will allow "streaming
writes" in which dirty data is stored directly into folios without reading
them first. Such folios are marked dirty but may not be marked uptodate.
If a folio is entirely written by a streaming write, uptodate will be set,
otherwise it will have a netfs_folio struct attached to ->private recording
the dirty region.
In the event that a partially written streaming write page is to be
overwritten entirely by a single write(), netfs_perform_write() will try to
copy over it, but doesn't discard the netfs_folio if it succeeds; further,
it doesn't correctly handle a partial copy that overwrites some of the
dirty data.
Fix this by the following:
(1) If the folio is successfully overwritten, free the netfs_folio struct
before marking the page uptodate.
(2) If the copy to the folio partially fails, but short of the dirty data,
just ignore the copy.
(3) If the copy partially fails and overwrites some of the dirty data,
accept the copy, update the netfs_folio struct to record the new data.
If the folio is now filled, free the netfs_folio and set uptodate,
otherwise return a partial write.
Found with:
fsx -q -N 1000000 -p 10000 -o 128000 -l 600000 \
/xfstest.test/junk --replay-ops=junk.fsxops
using the following as junk.fsxops:
truncate 0x0 0 0x927c0
write 0x63fb8 0x53c8 0
copy_range 0xb704 0x19b9 0x24429 0x79380
write 0x2402b 0x144a2 0x90660 *
write 0x204d5 0x140a0 0x927c0 *
copy_range 0x1f72c 0x137d0 0x7a906 0x927c0 *
read 0x00000 0x20000 0x9157c
read 0x20000 0x20000 0x9157c
read 0x40000 0x20000 0x9157c
read 0x60000 0x20000 0x9157c
read 0x7e1a0 0xcfb9 0x9157c
on cifs with the default cache option.
It shows folio 0x24 misbehaving if the FMODE_READ check is commented out in
netfs_perform_write():
if (//(file->f_mode & FMODE_READ) ||
netfs_is_cache_enabled(ctx)) {
and no fscache. This was initially found with the generic/522 xfstest.
Fixes: 8f52de0077ba ("netfs: Reduce number of conditional branches in netfs_perform_write()")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-14-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_write.c | 47 ++++++++++++++++++++++++++----------
include/trace/events/netfs.h | 3 +++
2 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 48c66d26e7b7e..19a58aea670cb 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -240,18 +240,38 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
/* See if we can write a whole folio in one go. */
if (!maybe_trouble && offset == 0 && part >= flen) {
copied = copy_folio_from_iter_atomic(folio, offset, part, iter);
- if (unlikely(copied == 0))
+ if (likely(copied == part)) {
+ if (finfo) {
+ trace = netfs_whole_folio_modify_filled;
+ goto folio_now_filled;
+ }
+ __netfs_set_group(folio, netfs_group);
+ folio_mark_uptodate(folio);
+ trace = netfs_whole_folio_modify;
+ goto copied;
+ }
+ if (copied == 0)
goto copy_failed;
- if (unlikely(copied < part)) {
+ if (!finfo || copied <= finfo->dirty_offset) {
maybe_trouble = true;
iov_iter_revert(iter, copied);
copied = 0;
folio_unlock(folio);
goto retry;
}
- __netfs_set_group(folio, netfs_group);
- folio_mark_uptodate(folio);
- trace = netfs_whole_folio_modify;
+
+ /* We overwrote some existing dirty data, so we have to
+ * accept the partial write.
+ */
+ finfo->dirty_len += finfo->dirty_offset;
+ if (finfo->dirty_len == flen) {
+ trace = netfs_whole_folio_modify_filled_efault;
+ goto folio_now_filled;
+ }
+ if (copied > finfo->dirty_len)
+ finfo->dirty_len = copied;
+ finfo->dirty_offset = 0;
+ trace = netfs_whole_folio_modify_efault;
goto copied;
}
@@ -321,16 +341,10 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
goto copy_failed;
finfo->dirty_len += copied;
if (finfo->dirty_offset == 0 && finfo->dirty_len == flen) {
- if (finfo->netfs_group)
- folio_change_private(folio, finfo->netfs_group);
- else
- folio_detach_private(folio);
- folio_mark_uptodate(folio);
- kfree(finfo);
trace = netfs_streaming_cont_filled_page;
- } else {
- trace = netfs_streaming_write_cont;
+ goto folio_now_filled;
}
+ trace = netfs_streaming_write_cont;
goto copied;
}
@@ -344,6 +358,13 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
goto out;
continue;
+ folio_now_filled:
+ if (finfo->netfs_group)
+ folio_change_private(folio, finfo->netfs_group);
+ else
+ folio_detach_private(folio);
+ folio_mark_uptodate(folio);
+ kfree(finfo);
copied:
trace_netfs_folio(folio, trace);
flush_dcache_folio(folio);
diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h
index f3e386c69cc8b..6395827e83954 100644
--- a/include/trace/events/netfs.h
+++ b/include/trace/events/netfs.h
@@ -145,6 +145,9 @@
EM(netfs_folio_is_uptodate, "mod-uptodate") \
EM(netfs_just_prefetch, "mod-prefetch") \
EM(netfs_whole_folio_modify, "mod-whole-f") \
+ EM(netfs_whole_folio_modify_efault, "mod-whole-f!") \
+ EM(netfs_whole_folio_modify_filled, "mod-whole-f+") \
+ EM(netfs_whole_folio_modify_filled_efault, "mod-whole-f+!") \
EM(netfs_modify_and_clear, "mod-n-clear") \
EM(netfs_streaming_write, "mod-streamw") \
EM(netfs_streaming_write_cont, "mod-streamw+") \
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 195/272] netfs: Fix potential deadlock in write-through mode
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 194/272] netfs: Fix streaming write being overwritten Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 196/272] netfs: Fix write streaming disablement if fd open O_RDWR Greg Kroah-Hartman
` (83 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
netfs, linux-fsdevel, Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit b6a4ae1634b3ad2aaa05222e53d36da532852faf ]
Fix netfs_advance_writethrough() to always unlock the supplied folio and to
mark it dirty if it isn't yet written to the end. Unfortunately, it can't
be marked for writeback until the folio is done with as that may cause a
deadlock against mmapped reads and writes.
Even though it has been marked dirty, premature writeback can't occur as
the caller is holding both inode->i_rwsem (which will prevent concurrent
truncation, fallocation, DIO and other writes) and ictx->wb_lock (which
will cause flushing to wait and writeback to skip or wait).
Note that this may be easier to deal with once the queuing of folios is
split from the generation of subrequests.
Fixes: 288ace2f57c9 ("netfs: New writeback implementation")
Closes: https://sashiko.dev/#/patchset/20260427154639.180684-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-15-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/write_issue.c | 39 +++++++++++++++++++++++++--------------
1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index b7830a15ae40f..2789ac4c80272 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -402,12 +402,7 @@ static int netfs_write_folio(struct netfs_io_request *wreq,
if (streamw)
netfs_issue_write(wreq, cache);
- /* Flip the page to the writeback state and unlock. If we're called
- * from write-through, then the page has already been put into the wb
- * state.
- */
- if (wreq->origin == NETFS_WRITEBACK)
- folio_start_writeback(folio);
+ folio_start_writeback(folio);
folio_unlock(folio);
if (fgroup == NETFS_FOLIO_COPY_TO_CACHE) {
@@ -632,29 +627,41 @@ int netfs_advance_writethrough(struct netfs_io_request *wreq, struct writeback_c
struct folio *folio, size_t copied, bool to_page_end,
struct folio **writethrough_cache)
{
+ int ret;
+
_enter("R=%x ic=%zu ws=%u cp=%zu tp=%u",
wreq->debug_id, wreq->iter.count, wreq->wsize, copied, to_page_end);
- if (!*writethrough_cache) {
- if (folio_test_dirty(folio))
- /* Sigh. mmap. */
- folio_clear_dirty_for_io(folio);
+ /* The folio is locked. */
+ if (*writethrough_cache != folio) {
+ if (*writethrough_cache) {
+ /* Did the folio get moved? */
+ folio_put(*writethrough_cache);
+ *writethrough_cache = NULL;
+ }
/* We can make multiple writes to the folio... */
- folio_start_writeback(folio);
if (wreq->len == 0)
trace_netfs_folio(folio, netfs_folio_trace_wthru);
else
trace_netfs_folio(folio, netfs_folio_trace_wthru_plus);
*writethrough_cache = folio;
+ folio_get(folio);
}
wreq->len += copied;
- if (!to_page_end)
+
+ if (!to_page_end) {
+ folio_mark_dirty(folio);
+ folio_unlock(folio);
return 0;
+ }
+ ret = netfs_write_folio(wreq, wbc, folio);
+ folio_put(*writethrough_cache);
*writethrough_cache = NULL;
- return netfs_write_folio(wreq, wbc, folio);
+ wreq->submitted = wreq->len;
+ return ret;
}
/*
@@ -668,8 +675,12 @@ int netfs_end_writethrough(struct netfs_io_request *wreq, struct writeback_contr
_enter("R=%x", wreq->debug_id);
- if (writethrough_cache)
+ if (writethrough_cache) {
+ folio_lock(writethrough_cache);
netfs_write_folio(wreq, wbc, writethrough_cache);
+ folio_put(writethrough_cache);
+ wreq->submitted = wreq->len;
+ }
netfs_end_issue_write(wreq);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 196/272] netfs: Fix write streaming disablement if fd open O_RDWR
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 195/272] netfs: Fix potential deadlock in write-through mode Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 197/272] netfs: Fix early put of sink folio in netfs_read_gaps() Greg Kroah-Hartman
` (82 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
Matthew Wilcox, netfs, linux-fsdevel, Christian Brauner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 70a7b9193bbbfceaab5974de66834c64ccc875dd ]
In netfs_perform_write(), "write streaming" (the caching of dirty data in
dirty but !uptodate folios) is performed to avoid the need to read data
that is just going to get immediately overwritten. However, this is/will
be disabled in three circumstances: if the fd is open O_RDWR, if fscache is
in use (as we need to round out the blocks for DIO) or if content
encryption is enabled (again for rounding out purposes).
The idea behind disabling it if the fd is open O_RDWR is that we'd need to
flush the write-streaming page before we could read the data, particularly
through mmap. But netfs now fills in the gaps if ->read_folio() is called
on the page, so that is unnecessary. Further, this doesn't actually work
if a separate fd is open for reading.
Fix this by removing the check for O_RDWR, thereby allowing streaming
writes even when we might read.
This caused a number of problems with the generic/522 xfstest, but those
are now fixed.
Fixes: c38f4e96e605 ("netfs: Provide func to copy data to pagecache for buffered write")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-17-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_write.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 19a58aea670cb..08da4c2512f52 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -197,11 +197,11 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
}
/* Decide how we should modify a folio. We might be attempting
- * to do write-streaming, in which case we don't want to a
- * local RMW cycle if we can avoid it. If we're doing local
- * caching or content crypto, we award that priority over
- * avoiding RMW. If the file is open readably, then we also
- * assume that we may want to read what we wrote.
+ * to do write-streaming, as we don't want to a local RMW cycle
+ * if we can avoid it. If we're doing local caching or content
+ * crypto, we award that priority over avoiding RMW. If the
+ * file is open readably, then we let ->read_folio() fill in
+ * the gaps.
*/
finfo = netfs_folio_info(folio);
group = netfs_folio_group(folio);
@@ -277,12 +277,9 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
/* We don't want to do a streaming write on a file that loses
* caching service temporarily because the backing store got
- * culled and we don't really want to get a streaming write on
- * a file that's open for reading as ->read_folio() then has to
- * be able to flush it.
+ * culled.
*/
- if ((file->f_mode & FMODE_READ) ||
- netfs_is_cache_enabled(ctx)) {
+ if (netfs_is_cache_enabled(ctx)) {
if (finfo) {
netfs_stat(&netfs_n_wh_wstream_conflict);
goto flush_content;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 197/272] netfs: Fix early put of sink folio in netfs_read_gaps()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 196/272] netfs: Fix write streaming disablement if fd open O_RDWR Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 198/272] netfs: Fix partial invalidation of streaming-write folio Greg Kroah-Hartman
` (81 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve French, David Howells,
Paulo Alcantara (Red Hat), Matthew Wilcox, netfs, linux-fsdevel,
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 3e5dd91b87a8b1450217b56a336bee315f40da7d ]
Fix netfs_read_gaps() to release the sink page it uses after waiting for
the request to complete. The way the sink page is used is that an
ITER_BVEC-class iterator is created that has the gaps from the target folio
at either end, but has the sink page tiled over the middle so that a single
read op can fill in both gaps.
The bug was found by KASAN detecting a UAF on the generic/075 xfstest in
the cifsd kernel thread that handles reception of data from the TCP socket:
BUG: KASAN: use-after-free in _copy_to_iter+0x48a/0xa20
Write of size 885 at addr ffff888107f92000 by task cifsd/1285
CPU: 2 UID: 0 PID: 1285 Comm: cifsd Not tainted 7.0.0 #6 PREEMPT(lazy)
Call Trace:
dump_stack_lvl+0x5d/0x80
print_report+0x17f/0x4f1
kasan_report+0x100/0x1e0
kasan_check_range+0x10f/0x1e0
__asan_memcpy+0x3c/0x60
_copy_to_iter+0x48a/0xa20
__skb_datagram_iter+0x2c9/0x430
skb_copy_datagram_iter+0x6e/0x160
tcp_recvmsg_locked+0xce0/0x1130
tcp_recvmsg+0xeb/0x300
inet_recvmsg+0xcf/0x3a0
sock_recvmsg+0xea/0x100
cifs_readv_from_socket+0x3a6/0x4d0 [cifs]
cifs_read_iter_from_socket+0xdd/0x130 [cifs]
cifs_readv_receive+0xaad/0xb10 [cifs]
cifs_demultiplex_thread+0x1148/0x1740 [cifs]
kthread+0x1cf/0x210
Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Reported-by: Steve French <sfrench@samba.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-18-dhowells@redhat.com
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_read.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c
index 2dd2260352dbf..1c906035fef02 100644
--- a/fs/netfs/buffered_read.c
+++ b/fs/netfs/buffered_read.c
@@ -525,14 +525,14 @@ static int netfs_read_gaps(struct file *file, struct folio *folio)
netfs_read_to_pagecache(rreq);
- if (sink)
- folio_put(sink);
-
ret = netfs_wait_for_read(rreq);
if (ret == 0) {
flush_dcache_folio(folio);
folio_mark_uptodate(folio);
}
+
+ if (sink)
+ folio_put(sink);
folio_unlock(folio);
netfs_put_request(rreq, false, netfs_rreq_trace_put_return);
return ret < 0 ? ret : 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 198/272] netfs: Fix partial invalidation of streaming-write folio
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 197/272] netfs: Fix early put of sink folio in netfs_read_gaps() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 199/272] netfs: Fix a few minor bugs in netfs_page_mkwrite() Greg Kroah-Hartman
` (80 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
Matthew Wilcox, netfs, linux-fsdevel, Christian Brauner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 6d91acc7fb85d33ea58fca9b964a32a453937f4b ]
In netfs_invalidate_folio(), if the region of a partial invalidation
overlaps the front (but not all) of a dirty write cached in a streaming
write page (dirty, but not uptodate, with the dirty region tracked by a
netfs_folio struct), the function modifies the dirty region - but
incorrectly as it moves the region forward by setting the start to the
start, not the end, of the invalidation region.
Fix this by setting finfo->dirty_offset to the end of the invalidation
region (iend).
Fixes: cce6bfa6ca0e ("netfs: Fix trimming of streaming-write folios in netfs_inval_folio()")
Closes: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-21-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/misc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
index 488a4b1914300..9672904232ad5 100644
--- a/fs/netfs/misc.c
+++ b/fs/netfs/misc.c
@@ -267,7 +267,7 @@ void netfs_invalidate_folio(struct folio *folio, size_t offset, size_t length)
goto erase_completely;
/* Move the start of the data. */
finfo->dirty_len = fend - iend;
- finfo->dirty_offset = offset;
+ finfo->dirty_offset = iend;
trace_netfs_folio(folio, netfs_folio_trace_invalidate_front);
return;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 199/272] netfs: Fix a few minor bugs in netfs_page_mkwrite()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 198/272] netfs: Fix partial invalidation of streaming-write folio Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 200/272] netfs: Remove unnecessary references to pages Greg Kroah-Hartman
` (79 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit c6a90fe7f080d71271b723490454cfda1f81e4b0 ]
We can't return with VM_FAULT_SIGBUS | VM_FAULT_LOCKED; the core
code will not unlock the folio in this instance. Introduce a new
"unlock" error exit to handle this case. Use it to handle
the "folio is truncated" check, and change the "writeback interrupted
by a fatal signal" to do a NOPAGE exit instead of letting the core
code install the folio currently under writeback before killing the
process.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20241005182307.3190401-3-willy@infradead.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: ccde2ac757c7 ("netfs: Fix folio->private handling in netfs_perform_write()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_write.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 08da4c2512f52..a02bd071cee77 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -513,7 +513,9 @@ EXPORT_SYMBOL(netfs_file_write_iter);
/*
* Notification that a previously read-only page is about to become writable.
- * Note that the caller indicates a single page of a multipage folio.
+ * The caller indicates the precise page that needs to be written to, but
+ * we only track group on a per-folio basis, so we block more often than
+ * we might otherwise.
*/
vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_group)
{
@@ -523,7 +525,7 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
struct address_space *mapping = file->f_mapping;
struct inode *inode = file_inode(file);
struct netfs_inode *ictx = netfs_inode(inode);
- vm_fault_t ret = VM_FAULT_RETRY;
+ vm_fault_t ret = VM_FAULT_NOPAGE;
int err;
_enter("%lx", folio->index);
@@ -532,21 +534,15 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
if (folio_lock_killable(folio) < 0)
goto out;
- if (folio->mapping != mapping) {
- folio_unlock(folio);
- ret = VM_FAULT_NOPAGE;
- goto out;
- }
-
- if (folio_wait_writeback_killable(folio)) {
- ret = VM_FAULT_LOCKED;
- goto out;
- }
+ if (folio->mapping != mapping)
+ goto unlock;
+ if (folio_wait_writeback_killable(folio) < 0)
+ goto unlock;
/* Can we see a streaming write here? */
if (WARN_ON(!folio_test_uptodate(folio))) {
- ret = VM_FAULT_SIGBUS | VM_FAULT_LOCKED;
- goto out;
+ ret = VM_FAULT_SIGBUS;
+ goto unlock;
}
group = netfs_folio_group(folio);
@@ -581,5 +577,8 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
out:
sb_end_pagefault(inode->i_sb);
return ret;
+unlock:
+ folio_unlock(folio);
+ goto out;
}
EXPORT_SYMBOL(netfs_page_mkwrite);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 200/272] netfs: Remove unnecessary references to pages
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 199/272] netfs: Fix a few minor bugs in netfs_page_mkwrite() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 201/272] netfs: Fix folio->private handling in netfs_perform_write() Greg Kroah-Hartman
` (78 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit e995e8b600260cff3cfaf2607a62be8bdc4aa9c7 ]
These places should all use folios instead of pages.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20241005182307.3190401-4-willy@infradead.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: ccde2ac757c7 ("netfs: Fix folio->private handling in netfs_perform_write()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_read.c | 8 ++++----
fs/netfs/buffered_write.c | 14 +++++++-------
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c
index 1c906035fef02..3b418fed46027 100644
--- a/fs/netfs/buffered_read.c
+++ b/fs/netfs/buffered_read.c
@@ -631,7 +631,7 @@ static bool netfs_skip_folio_read(struct folio *folio, loff_t pos, size_t len,
if (unlikely(always_fill)) {
if (pos - offset + len <= i_size)
return false; /* Page entirely before EOF */
- zero_user_segment(&folio->page, 0, plen);
+ folio_zero_segment(folio, 0, plen);
folio_mark_uptodate(folio);
return true;
}
@@ -650,7 +650,7 @@ static bool netfs_skip_folio_read(struct folio *folio, loff_t pos, size_t len,
return false;
zero_out:
- zero_user_segments(&folio->page, 0, offset, offset + len, plen);
+ folio_zero_segments(folio, 0, offset, offset + len, plen);
return true;
}
@@ -717,7 +717,7 @@ int netfs_write_begin(struct netfs_inode *ctx,
if (folio_test_uptodate(folio))
goto have_folio;
- /* If the page is beyond the EOF, we want to clear it - unless it's
+ /* If the folio is beyond the EOF, we want to clear it - unless it's
* within the cache granule containing the EOF, in which case we need
* to preload the granule.
*/
@@ -777,7 +777,7 @@ int netfs_write_begin(struct netfs_inode *ctx,
EXPORT_SYMBOL(netfs_write_begin);
/*
- * Preload the data into a page we're proposing to write into.
+ * Preload the data into a folio we're proposing to write into.
*/
int netfs_prefetch_for_write(struct file *file, struct folio *folio,
size_t offset, size_t len)
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index a02bd071cee77..8ba74556bccab 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -85,13 +85,13 @@ static void netfs_update_i_size(struct netfs_inode *ctx, struct inode *inode,
* netfs_perform_write - Copy data into the pagecache.
* @iocb: The operation parameters
* @iter: The source buffer
- * @netfs_group: Grouping for dirty pages (eg. ceph snaps).
+ * @netfs_group: Grouping for dirty folios (eg. ceph snaps).
*
- * Copy data into pagecache pages attached to the inode specified by @iocb.
+ * Copy data into pagecache folios attached to the inode specified by @iocb.
* The caller must hold appropriate inode locks.
*
- * Dirty pages are tagged with a netfs_folio struct if they're not up to date
- * to indicate the range modified. Dirty pages may also be tagged with a
+ * Dirty folios are tagged with a netfs_folio struct if they're not up to date
+ * to indicate the range modified. Dirty folios may also be tagged with a
* netfs-specific grouping such that data from an old group gets flushed before
* a new one is started.
*/
@@ -226,11 +226,11 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
* we try to read it.
*/
if (fpos >= ctx->zero_point) {
- zero_user_segment(&folio->page, 0, offset);
+ folio_zero_segment(folio, 0, offset);
copied = copy_folio_from_iter_atomic(folio, offset, part, iter);
if (unlikely(copied == 0))
goto copy_failed;
- zero_user_segment(&folio->page, offset + copied, flen);
+ folio_zero_segment(folio, offset + copied, flen);
__netfs_set_group(folio, netfs_group);
folio_mark_uptodate(folio);
trace = netfs_modify_and_clear;
@@ -429,7 +429,7 @@ EXPORT_SYMBOL(netfs_perform_write);
* netfs_buffered_write_iter_locked - write data to a file
* @iocb: IO state structure (file, offset, etc.)
* @from: iov_iter with data to write
- * @netfs_group: Grouping for dirty pages (eg. ceph snaps).
+ * @netfs_group: Grouping for dirty folios (eg. ceph snaps).
*
* This function does all the work needed for actually writing data to a
* file. It does all basic checks, removes SUID from the file, updates
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 201/272] netfs: Fix folio->private handling in netfs_perform_write()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 200/272] netfs: Remove unnecessary references to pages Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 202/272] net: ethernet: cortina: Make RX SKB per-port Greg Kroah-Hartman
` (77 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Paulo Alcantara,
Matthew Wilcox, netfs, linux-fsdevel, Christian Brauner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit ccde2ac757c713535b224233a296de40efe5212d ]
Under some circumstances, netfs_perform_write() doesn't correctly
manipulate folio->private between NULL, NETFS_FOLIO_COPY_TO_CACHE, pointing
to a group and pointing to a netfs_folio struct, leading to potential
multiple attachments of private data with associated folio ref leaks and
also leaks of netfs_folio structs or netfs_group refs.
Fix this by consolidating the place at which a folio is marked uptodate in
one place and having that look at what's attached to folio->private and
decide how to clean it up and then set the new group. Also, the content
shouldn't be flushed if group is NULL, even if a group is specified in the
netfs_group parameter, as that would be the case for a new folio. A
filesystem should always specify netfs_group or never specify netfs_group.
The Sashiko auto-review tool noted that it was theoretically possible that
the fpos >= ctx->zero_point section might leak if it modified a streaming
write folio. This is unlikely, but with a network filesystem, third party
changes can happen. It also pointed out that __netfs_set_group() would
leak if called multiple times on the same folio from the "whole folio
modify section".
Fixes: 8f52de0077ba ("netfs: Reduce number of conditional branches in netfs_perform_write()")
Closes: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-22-dhowells@redhat.com
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_write.c | 134 +++++++++++++++++++++--------------
include/trace/events/netfs.h | 1 +
2 files changed, 82 insertions(+), 53 deletions(-)
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 8ba74556bccab..f4e9d88a0a7bf 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -13,24 +13,6 @@
#include <linux/pagevec.h>
#include "internal.h"
-static void __netfs_set_group(struct folio *folio, struct netfs_group *netfs_group)
-{
- if (netfs_group)
- folio_attach_private(folio, netfs_get_group(netfs_group));
-}
-
-static void netfs_set_group(struct folio *folio, struct netfs_group *netfs_group)
-{
- void *priv = folio_get_private(folio);
-
- if (unlikely(priv != netfs_group)) {
- if (netfs_group && (!priv || priv == NETFS_FOLIO_COPY_TO_CACHE))
- folio_attach_private(folio, netfs_get_group(netfs_group));
- else if (!netfs_group && priv == NETFS_FOLIO_COPY_TO_CACHE)
- folio_detach_private(folio);
- }
-}
-
/*
* Grab a folio for writing and lock it. Attempt to allocate as large a folio
* as possible to hold as much of the remaining length as possible in one go.
@@ -151,6 +133,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
size_t offset; /* Offset into pagecache folio */
size_t part; /* Bytes to write to folio */
size_t copied; /* Bytes copied from user */
+ void *priv;
offset = pos & (max_chunk - 1);
part = min(max_chunk - offset, iov_iter_count(iter));
@@ -196,6 +179,25 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
goto error_folio_unlock;
}
+ finfo = netfs_folio_info(folio);
+ group = netfs_folio_group(folio);
+
+ /* If the requested group differs from the group set on the
+ * page, then we need to flush out the folio if it has a group
+ * set (ie. is non-NULL). Note that COPY_TO_CACHE is a special
+ * case, being a netfs annotation rather than an actual group.
+ *
+ * The filesystem isn't permitted to mix writes with groups and
+ * writes without groups as the NULL group is used to indicate
+ * that no group is set.
+ */
+ if (unlikely(group != netfs_group) &&
+ group != NETFS_FOLIO_COPY_TO_CACHE &&
+ group) {
+ WARN_ON_ONCE(!netfs_group);
+ goto flush_content;
+ }
+
/* Decide how we should modify a folio. We might be attempting
* to do write-streaming, as we don't want to a local RMW cycle
* if we can avoid it. If we're doing local caching or content
@@ -203,22 +205,14 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
* file is open readably, then we let ->read_folio() fill in
* the gaps.
*/
- finfo = netfs_folio_info(folio);
- group = netfs_folio_group(folio);
-
- if (unlikely(group != netfs_group) &&
- group != NETFS_FOLIO_COPY_TO_CACHE)
- goto flush_content;
-
if (folio_test_uptodate(folio)) {
if (mapping_writably_mapped(mapping))
flush_dcache_folio(folio);
copied = copy_folio_from_iter_atomic(folio, offset, part, iter);
if (unlikely(copied == 0))
goto copy_failed;
- netfs_set_group(folio, netfs_group);
trace = netfs_folio_is_uptodate;
- goto copied;
+ goto copied_uptodate;
}
/* If the page is above the zero-point then we assume that the
@@ -231,24 +225,22 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
if (unlikely(copied == 0))
goto copy_failed;
folio_zero_segment(folio, offset + copied, flen);
- __netfs_set_group(folio, netfs_group);
- folio_mark_uptodate(folio);
- trace = netfs_modify_and_clear;
- goto copied;
+ if (finfo)
+ trace = netfs_modify_and_clear_rm_finfo;
+ else
+ trace = netfs_modify_and_clear;
+ goto mark_uptodate;
}
/* See if we can write a whole folio in one go. */
if (!maybe_trouble && offset == 0 && part >= flen) {
copied = copy_folio_from_iter_atomic(folio, offset, part, iter);
if (likely(copied == part)) {
- if (finfo) {
+ if (finfo)
trace = netfs_whole_folio_modify_filled;
- goto folio_now_filled;
- }
- __netfs_set_group(folio, netfs_group);
- folio_mark_uptodate(folio);
- trace = netfs_whole_folio_modify;
- goto copied;
+ else
+ trace = netfs_whole_folio_modify;
+ goto mark_uptodate;
}
if (copied == 0)
goto copy_failed;
@@ -266,7 +258,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
finfo->dirty_len += finfo->dirty_offset;
if (finfo->dirty_len == flen) {
trace = netfs_whole_folio_modify_filled_efault;
- goto folio_now_filled;
+ goto mark_uptodate;
}
if (copied > finfo->dirty_len)
finfo->dirty_len = copied;
@@ -294,11 +286,11 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
copied = copy_folio_from_iter_atomic(folio, offset, part, iter);
if (unlikely(copied == 0))
goto copy_failed;
- netfs_set_group(folio, netfs_group);
trace = netfs_just_prefetch;
- goto copied;
+ goto copied_uptodate;
}
+ /* Do a streaming write on a folio that has nothing in it yet. */
if (!finfo) {
ret = -EIO;
if (WARN_ON(folio_get_private(folio)))
@@ -307,10 +299,8 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
if (unlikely(copied == 0))
goto copy_failed;
if (offset == 0 && copied == flen) {
- __netfs_set_group(folio, netfs_group);
- folio_mark_uptodate(folio);
trace = netfs_streaming_filled_page;
- goto copied;
+ goto mark_uptodate;
}
finfo = kzalloc(sizeof(*finfo), GFP_KERNEL);
@@ -339,7 +329,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
finfo->dirty_len += copied;
if (finfo->dirty_offset == 0 && finfo->dirty_len == flen) {
trace = netfs_streaming_cont_filled_page;
- goto folio_now_filled;
+ goto mark_uptodate;
}
trace = netfs_streaming_write_cont;
goto copied;
@@ -355,13 +345,36 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
goto out;
continue;
- folio_now_filled:
- if (finfo->netfs_group)
- folio_change_private(folio, finfo->netfs_group);
- else
- folio_detach_private(folio);
+ /* Mark a folio as being up to data when we've filled it
+ * completely. If the folio has a group attached, then it must
+ * be the same group, otherwise we should have flushed it out
+ * above. We have to get rid of the netfs_folio struct if
+ * there was one.
+ */
+ mark_uptodate:
folio_mark_uptodate(folio);
- kfree(finfo);
+
+ copied_uptodate:
+ priv = folio_get_private(folio);
+ if (likely(priv == netfs_group)) {
+ /* Already set correctly; no change required. */
+ } else if (priv == NETFS_FOLIO_COPY_TO_CACHE) {
+ if (!netfs_group)
+ folio_detach_private(folio);
+ else
+ folio_change_private(folio, netfs_get_group(netfs_group));
+ } else if (!priv) {
+ folio_attach_private(folio, netfs_get_group(netfs_group));
+ } else {
+ WARN_ON_ONCE(!finfo);
+ if (netfs_group)
+ /* finfo->netfs_group has a ref */
+ folio_change_private(folio, netfs_group);
+ else
+ folio_detach_private(folio);
+ kfree(finfo);
+ }
+
copied:
trace_netfs_folio(folio, trace);
flush_dcache_folio(folio);
@@ -526,6 +539,7 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
struct inode *inode = file_inode(file);
struct netfs_inode *ictx = netfs_inode(inode);
vm_fault_t ret = VM_FAULT_NOPAGE;
+ void *priv;
int err;
_enter("%lx", folio->index);
@@ -546,7 +560,9 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
}
group = netfs_folio_group(folio);
- if (group != netfs_group && group != NETFS_FOLIO_COPY_TO_CACHE) {
+ if (group &&
+ group != netfs_group &&
+ group != NETFS_FOLIO_COPY_TO_CACHE) {
folio_unlock(folio);
err = filemap_fdatawrite_range(mapping,
folio_pos(folio),
@@ -568,7 +584,19 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
trace_netfs_folio(folio, netfs_folio_trace_mkwrite_plus);
else
trace_netfs_folio(folio, netfs_folio_trace_mkwrite);
- netfs_set_group(folio, netfs_group);
+
+ priv = folio_get_private(folio);
+ if (priv != netfs_group) {
+ if (!netfs_group && priv == NETFS_FOLIO_COPY_TO_CACHE)
+ folio_detach_private(folio);
+ else if (netfs_group && priv == NETFS_FOLIO_COPY_TO_CACHE)
+ folio_change_private(folio, netfs_get_group(netfs_group));
+ else if (netfs_group && !priv)
+ folio_attach_private(folio, netfs_get_group(netfs_group));
+ else
+ WARN_ON_ONCE(1);
+ }
+
file_update_time(file);
set_bit(NETFS_ICTX_MODIFIED_ATTR, &ictx->flags);
if (ictx->ops->post_modify)
diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h
index 6395827e83954..1d9b068bb1758 100644
--- a/include/trace/events/netfs.h
+++ b/include/trace/events/netfs.h
@@ -149,6 +149,7 @@
EM(netfs_whole_folio_modify_filled, "mod-whole-f+") \
EM(netfs_whole_folio_modify_filled_efault, "mod-whole-f+!") \
EM(netfs_modify_and_clear, "mod-n-clear") \
+ EM(netfs_modify_and_clear_rm_finfo, "mod-n-clear+") \
EM(netfs_streaming_write, "mod-streamw") \
EM(netfs_streaming_write_cont, "mod-streamw+") \
EM(netfs_flush_content, "flush") \
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 202/272] net: ethernet: cortina: Make RX SKB per-port
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 201/272] netfs: Fix folio->private handling in netfs_perform_write() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 203/272] net: ethernet: cortina: Drop half-assembled SKB Greg Kroah-Hartman
` (76 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linusw@kernel.org>
[ Upstream commit 06937db21ee311ed07eba47954447245041a982d ]
The SKB used to assemble packets from fragments in gmac_rx()
is static local, but the Gemini has two ethernet ports, meaning
there can be races between the ports on a bad day if a device
is using both.
Make the RX SKB a per-port variable and carry it over between
invocations in the port struct instead.
Zero the pointer once we call napi_gro_frags(), on error (after
calling napi_free_frags()) or if the port is stopped.
Zero it in some place where not strictly necessary just to
emphasize what is going on.
This was found by Sashiko during normal patch review.
Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
Link: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-2-6c5d20ddc35b@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index 92833eefc04b4..47072fbabcaee 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -121,6 +121,8 @@ struct gemini_ethernet_port {
struct napi_struct napi;
struct hrtimer rx_coalesce_timer;
unsigned int rx_coalesce_nsecs;
+ struct sk_buff *rx_skb;
+
unsigned int freeq_refill;
struct gmac_txq txq[TX_QUEUE_NUM];
unsigned int txq_order;
@@ -1442,10 +1444,10 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
unsigned short m = (1 << port->rxq_order) - 1;
struct gemini_ethernet *geth = port->geth;
void __iomem *ptr_reg = port->rxq_rwptr;
+ struct sk_buff *skb = port->rx_skb;
unsigned int frame_len, frag_len;
struct gmac_rxdesc *rx = NULL;
struct gmac_queue_page *gpage;
- static struct sk_buff *skb;
union gmac_rxdesc_0 word0;
union gmac_rxdesc_1 word1;
union gmac_rxdesc_3 word3;
@@ -1499,6 +1501,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
if (skb) {
napi_free_frags(&port->napi);
port->stats.rx_dropped++;
+ skb = NULL;
}
skb = gmac_skb_if_good_frame(port, word0, frame_len);
@@ -1549,6 +1552,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
port->stats.rx_dropped++;
}
+ port->rx_skb = skb;
writew(r, ptr_reg);
return budget;
}
@@ -1877,6 +1881,7 @@ static int gmac_stop(struct net_device *netdev)
gmac_disable_tx_rx(netdev);
gmac_stop_dma(port);
napi_disable(&port->napi);
+ port->rx_skb = NULL;
gmac_enable_irq(netdev, 0);
gmac_cleanup_rxq(netdev);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 203/272] net: ethernet: cortina: Drop half-assembled SKB
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 202/272] net: ethernet: cortina: Make RX SKB per-port Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 204/272] net: ethernet: cortina: Carry over frag counter Greg Kroah-Hartman
` (75 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Haarmann-Thiemann,
Linus Walleij, Alexander Lobakin, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Haarmann-Thiemann <eitschman@nebelreich.de>
[ Upstream commit b266bacba796ff5c4dcd2ae2fc08aacf7ab39153 ]
In gmac_rx() (drivers/net/ethernet/cortina/gemini.c), when
gmac_get_queue_page() returns NULL for the second page of a multi-page
fragment, the driver logs an error and continues — but does not free the
partially assembled skb that was being assembled via napi_build_skb() /
napi_get_frags().
Free the in-progress partially assembled skb via napi_free_frags()
and increase the number of dropped frames appropriately
and assign the skb pointer NULL to make sure it is not lingering
around, matching the pattern already used elsewhere in the driver.
Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
Signed-off-by: Andreas Haarmann-Thiemann <eitschman@nebelreich.de>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260505-gemini-ethernet-fix-v2-1-997c31d06079@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index 47072fbabcaee..8fee13bd056ad 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -1493,6 +1493,11 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
gpage = gmac_get_queue_page(geth, port, mapping + PAGE_SIZE);
if (!gpage) {
dev_err(geth->dev, "could not find mapping\n");
+ if (skb) {
+ napi_free_frags(&port->napi);
+ port->stats.rx_dropped++;
+ skb = NULL;
+ }
continue;
}
page = gpage->page;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 204/272] net: ethernet: cortina: Carry over frag counter
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 203/272] net: ethernet: cortina: Drop half-assembled SKB Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 205/272] net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference Greg Kroah-Hartman
` (74 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linusw@kernel.org>
[ Upstream commit ebd8ec2b309e3a447851b456ccaf8fb39f3661e7 ]
The gmac_rx() NAPI poll function assembles packets in an
SKB from a ring buffer.
If the ring buffer gets completely emptied during a poll cycle,
we exit gmac_rx(), but the packet is not yet completely
assembled in the SKB, yet the fragment counter frag_nr is
reset to zero on the next invocation.
Solve this by making the RX fragment counter a part of the
port struct, and carry it over between invocations.
Reset the fragment counter only right after calling
napi_gro_frags(), on error (after calling napi_free_frags())
or if stopping the port.
Reset it in some place where not strictly necessary just to
emphasize what is going on.
This was found by Sashiko during normal patch review.
Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
Link: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-3-6c5d20ddc35b@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index 8fee13bd056ad..2ce8191ad5007 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -122,6 +122,7 @@ struct gemini_ethernet_port {
struct hrtimer rx_coalesce_timer;
unsigned int rx_coalesce_nsecs;
struct sk_buff *rx_skb;
+ unsigned int rx_frag_nr;
unsigned int freeq_refill;
struct gmac_txq txq[TX_QUEUE_NUM];
@@ -1444,6 +1445,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
unsigned short m = (1 << port->rxq_order) - 1;
struct gemini_ethernet *geth = port->geth;
void __iomem *ptr_reg = port->rxq_rwptr;
+ unsigned int frag_nr = port->rx_frag_nr;
struct sk_buff *skb = port->rx_skb;
unsigned int frame_len, frag_len;
struct gmac_rxdesc *rx = NULL;
@@ -1457,7 +1459,6 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
unsigned short r, w;
union dma_rwptr rw;
dma_addr_t mapping;
- int frag_nr = 0;
spin_lock_irqsave(&geth->irq_lock, flags);
rw.bits32 = readl(ptr_reg);
@@ -1497,6 +1498,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
napi_free_frags(&port->napi);
port->stats.rx_dropped++;
skb = NULL;
+ frag_nr = 0;
}
continue;
}
@@ -1507,6 +1509,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
napi_free_frags(&port->napi);
port->stats.rx_dropped++;
skb = NULL;
+ frag_nr = 0;
}
skb = gmac_skb_if_good_frame(port, word0, frame_len);
@@ -1541,6 +1544,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
if (word3.bits32 & EOF_BIT) {
napi_gro_frags(&port->napi);
skb = NULL;
+ frag_nr = 0;
--budget;
}
continue;
@@ -1549,6 +1553,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
if (skb) {
napi_free_frags(&port->napi);
skb = NULL;
+ frag_nr = 0;
}
if (mapping)
@@ -1558,6 +1563,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
}
port->rx_skb = skb;
+ port->rx_frag_nr = frag_nr;
writew(r, ptr_reg);
return budget;
}
@@ -1887,6 +1893,7 @@ static int gmac_stop(struct net_device *netdev)
gmac_stop_dma(port);
napi_disable(&port->napi);
port->rx_skb = NULL;
+ port->rx_frag_nr = 0;
gmac_enable_irq(netdev, 0);
gmac_cleanup_rxq(netdev);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 205/272] net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 204/272] net: ethernet: cortina: Carry over frag counter Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 206/272] wifi: ath11k: fix error path leaks in some WMI WOW calls Greg Kroah-Hartman
` (73 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
[ Upstream commit 36a8d04a8293afcb9304cf0cd3741f67698f2a1a ]
The legacy ARM board file for MACH_MX31ADS was removed in commit
c93197b0041d ("ARM: imx: Remove i.MX31 board files"), but a reference
to it remained in the cs89x0 driver. Drop this unused code.
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Fixes: c93197b0041d ("ARM: imx: Remove i.MX31 board files")
Link: https://patch.msgid.link/20260509023732.42256-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cirrus/cs89x0.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/cirrus/cs89x0.c b/drivers/net/ethernet/cirrus/cs89x0.c
index 0a21a10a791c5..6b01c44a5f728 100644
--- a/drivers/net/ethernet/cirrus/cs89x0.c
+++ b/drivers/net/ethernet/cirrus/cs89x0.c
@@ -1271,7 +1271,6 @@ static const struct net_device_ops net_ops = {
static void __init reset_chip(struct net_device *dev)
{
-#if !defined(CONFIG_MACH_MX31ADS)
struct net_local *lp = netdev_priv(dev);
unsigned long reset_start_time;
@@ -1298,7 +1297,6 @@ static void __init reset_chip(struct net_device *dev)
while ((readreg(dev, PP_SelfST) & INIT_DONE) == 0 &&
time_before(jiffies, reset_start_time + 2))
;
-#endif /* !CONFIG_MACH_MX31ADS */
}
/* This is the real probe routine.
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 206/272] wifi: ath11k: fix error path leaks in some WMI WOW calls
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 205/272] net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 207/272] wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() Greg Kroah-Hartman
` (72 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Escande, Baochen Qiang,
Rameshkumar Sundaram, Jeff Johnson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Escande <nico.escande@gmail.com>
[ Upstream commit 55dda532bbc261aef495e403c8900c5e2ab5fa34 ]
Fix two instances where we used to directly return the result of
ath11k_wmi_cmd_send(...). Because we did not check the return value, we
also did not free the skb in the error path.
Fixes: 79802b13a492 ("ath11k: implement WoW enable and wakeup commands")
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Link: https://patch.msgid.link/20260506134240.2284016-2-nico.escande@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/wmi.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 3b41bc5b125f4..5f15f7acd5132 100644
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -9191,6 +9191,7 @@ int ath11k_wmi_wow_host_wakeup_ind(struct ath11k *ar)
struct wmi_wow_host_wakeup_ind *cmd;
struct sk_buff *skb;
size_t len;
+ int ret;
len = sizeof(*cmd);
skb = ath11k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -9204,14 +9205,20 @@ int ath11k_wmi_wow_host_wakeup_ind(struct ath11k *ar)
ath11k_dbg(ar->ab, ATH11K_DBG_WMI, "tlv wow host wakeup ind\n");
- return ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
+ ret = ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
+ if (ret) {
+ ath11k_warn(ar->ab, "failed to send WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID\n");
+ dev_kfree_skb(skb);
+ }
+
+ return ret;
}
int ath11k_wmi_wow_enable(struct ath11k *ar)
{
struct wmi_wow_enable_cmd *cmd;
struct sk_buff *skb;
- int len;
+ int ret, len;
len = sizeof(*cmd);
skb = ath11k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -9226,7 +9233,13 @@ int ath11k_wmi_wow_enable(struct ath11k *ar)
cmd->pause_iface_config = WOW_IFACE_PAUSE_ENABLED;
ath11k_dbg(ar->ab, ATH11K_DBG_WMI, "tlv wow enable\n");
- return ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
+ ret = ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
+ if (ret) {
+ ath11k_warn(ar->ab, "failed to send WMI_WOW_ENABLE_CMDID\n");
+ dev_kfree_skb(skb);
+ }
+
+ return ret;
}
int ath11k_wmi_scan_prob_req_oui(struct ath11k *ar,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 207/272] wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 206/272] wifi: ath11k: fix error path leaks in some WMI WOW calls Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 208/272] wifi: ath10k: skip WMI and beacon transmission when device is wedged Greg Kroah-Hartman
` (71 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Escande, Baochen Qiang,
Rameshkumar Sundaram, Jeff Johnson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Escande <nico.escande@gmail.com>
[ Upstream commit 7320d6eb861e9913193a7801834c661381756a79 ]
This is similar to what was fixed by previous patches. We have a call
to ath11k_wmi_cmd_send() which does check the return value, but forgot
to free the related skb on error.
Fixes: b43310e44edc ("wifi: ath11k: factory test mode support")
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Link: https://patch.msgid.link/20260506134240.2284016-4-nico.escande@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/testmode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath11k/testmode.c b/drivers/net/wireless/ath/ath11k/testmode.c
index 302d66092b973..7aa62a7d9a272 100644
--- a/drivers/net/wireless/ath/ath11k/testmode.c
+++ b/drivers/net/wireless/ath/ath11k/testmode.c
@@ -457,6 +457,7 @@ static int ath11k_tm_cmd_wmi_ftm(struct ath11k *ar, struct nlattr *tb[])
ret = ath11k_wmi_cmd_send(wmi, skb, cmd_id);
if (ret) {
ath11k_warn(ar->ab, "failed to send wmi ftm command: %d\n", ret);
+ dev_kfree_skb(skb);
goto out;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 208/272] wifi: ath10k: skip WMI and beacon transmission when device is wedged
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 207/272] wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 209/272] blk-integrity: remove seed for user mapped buffers Greg Kroah-Hartman
` (70 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kang Yang, Rameshkumar Sundaram,
Baochen Qiang, Jeff Johnson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kang Yang <kang.yang@oss.qualcomm.com>
[ Upstream commit 54a5b38e4396530e5b2f12b54d3844e860ab6784 ]
In ath10k_wmi_cmd_send(), the current code detects ATH10K_STATE_WEDGED
and sets ret to -ESHUTDOWN, but still proceeds to transmit pending
beacons and calls ath10k_wmi_cmd_send_nowait().
This can lead to incorrect behavior, as WMI commands and beacons are
still sent after the device has been marked as wedged, and the original
-ESHUTDOWN return value may be overwritten by the result of the send
path.
The wedged state indicates the hardware is already unreliable, and no
further interaction with firmware is expected or meaningful in this
state.
Fix this by skipping beacon transmission and the WMI send path entirely
once ATH10K_STATE_WEDGED is detected, ensuring consistent return values
and avoiding unnecessary firmware interaction.
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189
Fixes: c256a94d1b1b ("wifi: ath10k: shutdown driver when hardware is unreliable")
Signed-off-by: Kang Yang <kang.yang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260428061737.37-1-kang.yang@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/wmi.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 408f062a4306f..c9f41309d18d4 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -3,7 +3,6 @@
* Copyright (c) 2005-2011 Atheros Communications Inc.
* Copyright (c) 2011-2017 Qualcomm Atheros, Inc.
* Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
* Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
*/
@@ -1947,15 +1946,15 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
ret = -ESHUTDOWN;
ath10k_dbg(ar, ATH10K_DBG_WMI,
"drop wmi command %d, hardware is wedged\n", cmd_id);
- }
- /* try to send pending beacons first. they take priority */
- ath10k_wmi_tx_beacons_nowait(ar);
+ } else {
+ /* try to send pending beacons first. they take priority */
+ ath10k_wmi_tx_beacons_nowait(ar);
- ret = ath10k_wmi_cmd_send_nowait(ar, skb, cmd_id);
-
- if (ret && test_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags))
- ret = -ESHUTDOWN;
+ ret = ath10k_wmi_cmd_send_nowait(ar, skb, cmd_id);
+ if (ret && test_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags))
+ ret = -ESHUTDOWN;
+ }
(ret != -EAGAIN);
}), 3 * HZ);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 209/272] blk-integrity: remove seed for user mapped buffers
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 208/272] wifi: ath10k: skip WMI and beacon transmission when device is wedged Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 210/272] block: dont overwrite bip_vcnt in bio_integrity_copy_user() Greg Kroah-Hartman
` (69 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keith Busch, Christoph Hellwig,
Anuj Gupta, Kanchan Joshi, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 133008e84b99e4f5f8cf3d8b768c995732df9406 ]
The seed is only used for kernel generation and verification. That
doesn't happen for user buffers, so passing the seed around doesn't
accomplish anything.
Signed-off-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20241016201309.1090320-1-kbusch@meta.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 637ad3a56a3b ("block: don't overwrite bip_vcnt in bio_integrity_copy_user()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 13 +++++--------
block/blk-integrity.c | 4 ++--
drivers/nvme/host/ioctl.c | 17 ++++++++---------
include/linux/bio-integrity.h | 4 ++--
include/linux/blk-integrity.h | 5 ++---
5 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index 6641ecbf69678..ab58f44058e96 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -197,7 +197,7 @@ EXPORT_SYMBOL(bio_integrity_add_page);
static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec,
int nr_vecs, unsigned int len,
- unsigned int direction, u32 seed)
+ unsigned int direction)
{
bool write = direction == ITER_SOURCE;
struct bio_integrity_payload *bip;
@@ -245,7 +245,6 @@ static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec,
}
bip->bip_flags |= BIP_COPY_USER;
- bip->bip_iter.bi_sector = seed;
bip->bip_vcnt = nr_vecs;
return 0;
free_bip:
@@ -256,7 +255,7 @@ static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec,
}
static int bio_integrity_init_user(struct bio *bio, struct bio_vec *bvec,
- int nr_vecs, unsigned int len, u32 seed)
+ int nr_vecs, unsigned int len)
{
struct bio_integrity_payload *bip;
@@ -265,7 +264,6 @@ static int bio_integrity_init_user(struct bio *bio, struct bio_vec *bvec,
return PTR_ERR(bip);
memcpy(bip->bip_vec, bvec, nr_vecs * sizeof(*bvec));
- bip->bip_iter.bi_sector = seed;
bip->bip_iter.bi_size = len;
bip->bip_vcnt = nr_vecs;
return 0;
@@ -301,8 +299,7 @@ static unsigned int bvec_from_pages(struct bio_vec *bvec, struct page **pages,
return nr_bvecs;
}
-int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes,
- u32 seed)
+int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes)
{
struct request_queue *q = bdev_get_queue(bio->bi_bdev);
unsigned int align = blk_lim_dma_alignment_and_pad(&q->limits);
@@ -348,9 +345,9 @@ int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes,
if (copy)
ret = bio_integrity_copy_user(bio, bvec, nr_bvecs, bytes,
- direction, seed);
+ direction);
else
- ret = bio_integrity_init_user(bio, bvec, nr_bvecs, bytes, seed);
+ ret = bio_integrity_init_user(bio, bvec, nr_bvecs, bytes);
if (ret)
goto release_pages;
if (bvec != stack_vec)
diff --git a/block/blk-integrity.c b/block/blk-integrity.c
index 3fe0681399f6e..013469faa5e7c 100644
--- a/block/blk-integrity.c
+++ b/block/blk-integrity.c
@@ -113,9 +113,9 @@ int blk_rq_map_integrity_sg(struct request *rq, struct scatterlist *sglist)
EXPORT_SYMBOL(blk_rq_map_integrity_sg);
int blk_rq_integrity_map_user(struct request *rq, void __user *ubuf,
- ssize_t bytes, u32 seed)
+ ssize_t bytes)
{
- int ret = bio_integrity_map_user(rq->bio, ubuf, bytes, seed);
+ int ret = bio_integrity_map_user(rq->bio, ubuf, bytes);
if (ret)
return ret;
diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index 64ae8af01d9a4..930521c633d23 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -114,7 +114,7 @@ static struct request *nvme_alloc_user_request(struct request_queue *q,
static int nvme_map_user_request(struct request *req, u64 ubuffer,
unsigned bufflen, void __user *meta_buffer, unsigned meta_len,
- u32 meta_seed, struct io_uring_cmd *ioucmd, unsigned int flags)
+ struct io_uring_cmd *ioucmd, unsigned int flags)
{
struct request_queue *q = req->q;
struct nvme_ns *ns = q->queuedata;
@@ -164,8 +164,7 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer,
bio_set_dev(bio, bdev);
if (has_metadata) {
- ret = blk_rq_integrity_map_user(req, meta_buffer, meta_len,
- meta_seed);
+ ret = blk_rq_integrity_map_user(req, meta_buffer, meta_len);
if (ret)
goto out_unmap;
}
@@ -182,7 +181,7 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer,
static int nvme_submit_user_cmd(struct request_queue *q,
struct nvme_command *cmd, u64 ubuffer, unsigned bufflen,
- void __user *meta_buffer, unsigned meta_len, u32 meta_seed,
+ void __user *meta_buffer, unsigned meta_len,
u64 *result, unsigned timeout, unsigned int flags)
{
struct nvme_ns *ns = q->queuedata;
@@ -199,7 +198,7 @@ static int nvme_submit_user_cmd(struct request_queue *q,
req->timeout = timeout;
if (ubuffer && bufflen) {
ret = nvme_map_user_request(req, ubuffer, bufflen, meta_buffer,
- meta_len, meta_seed, NULL, flags);
+ meta_len, NULL, flags);
if (ret)
return ret;
}
@@ -280,7 +279,7 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio)
c.rw.lbatm = cpu_to_le16(io.appmask);
return nvme_submit_user_cmd(ns->queue, &c, io.addr, length, metadata,
- meta_len, lower_32_bits(io.slba), NULL, 0, 0);
+ meta_len, NULL, 0, 0);
}
static bool nvme_validate_passthru_nsid(struct nvme_ctrl *ctrl,
@@ -334,7 +333,7 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
status = nvme_submit_user_cmd(ns ? ns->queue : ctrl->admin_q, &c,
cmd.addr, cmd.data_len, nvme_to_user_ptr(cmd.metadata),
- cmd.metadata_len, 0, &result, timeout, 0);
+ cmd.metadata_len, &result, timeout, 0);
if (status >= 0) {
if (put_user(result, &ucmd->result))
@@ -381,7 +380,7 @@ static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
status = nvme_submit_user_cmd(ns ? ns->queue : ctrl->admin_q, &c,
cmd.addr, cmd.data_len, nvme_to_user_ptr(cmd.metadata),
- cmd.metadata_len, 0, &cmd.result, timeout, flags);
+ cmd.metadata_len, &cmd.result, timeout, flags);
if (status >= 0) {
if (put_user(cmd.result, &ucmd->result))
@@ -511,7 +510,7 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
if (d.addr && d.data_len) {
ret = nvme_map_user_request(req, d.addr,
d.data_len, nvme_to_user_ptr(d.metadata),
- d.metadata_len, 0, ioucmd, vec);
+ d.metadata_len, ioucmd, vec);
if (ret)
return ret;
}
diff --git a/include/linux/bio-integrity.h b/include/linux/bio-integrity.h
index dd831c269e994..dbf0f74c15291 100644
--- a/include/linux/bio-integrity.h
+++ b/include/linux/bio-integrity.h
@@ -72,7 +72,7 @@ struct bio_integrity_payload *bio_integrity_alloc(struct bio *bio, gfp_t gfp,
unsigned int nr);
int bio_integrity_add_page(struct bio *bio, struct page *page, unsigned int len,
unsigned int offset);
-int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t len, u32 seed);
+int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t len);
void bio_integrity_unmap_user(struct bio *bio);
bool bio_integrity_prep(struct bio *bio);
void bio_integrity_advance(struct bio *bio, unsigned int bytes_done);
@@ -99,7 +99,7 @@ static inline void bioset_integrity_free(struct bio_set *bs)
}
static inline int bio_integrity_map_user(struct bio *bio, void __user *ubuf,
- ssize_t len, u32 seed)
+ ssize_t len)
{
return -EINVAL;
}
diff --git a/include/linux/blk-integrity.h b/include/linux/blk-integrity.h
index 676f8f860c474..c7eae0bfb013f 100644
--- a/include/linux/blk-integrity.h
+++ b/include/linux/blk-integrity.h
@@ -28,7 +28,7 @@ static inline bool queue_limits_stack_integrity_bdev(struct queue_limits *t,
int blk_rq_map_integrity_sg(struct request *, struct scatterlist *);
int blk_rq_count_integrity_sg(struct request_queue *, struct bio *);
int blk_rq_integrity_map_user(struct request *rq, void __user *ubuf,
- ssize_t bytes, u32 seed);
+ ssize_t bytes);
static inline bool
blk_integrity_queue_supports_integrity(struct request_queue *q)
@@ -104,8 +104,7 @@ static inline int blk_rq_map_integrity_sg(struct request *q,
}
static inline int blk_rq_integrity_map_user(struct request *rq,
void __user *ubuf,
- ssize_t bytes,
- u32 seed)
+ ssize_t bytes)
{
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 210/272] block: dont overwrite bip_vcnt in bio_integrity_copy_user()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 209/272] blk-integrity: remove seed for user mapped buffers Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 211/272] block: recompute nr_integrity_segments in blk_insert_cloned_request Greg Kroah-Hartman
` (68 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Christoph Hellwig,
Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 637ad3a56a3b889527d1dacea6fea2a8bd648140 ]
bio_integrity_add_page() already sets bip_vcnt to 1 for the bounce
segment. Overwriting it with nr_vecs breaks bip_vcnt <= bip_max_vcnt
on WRITE (bip_max_vcnt is 1), so the gap-merge checks in block/blk.h
read past the bip_vec[] flex array. On READ the read is in bounds
but lands on a saved user bvec instead of the bounce.
The line was added for split propagation, but bio_integrity_clone()
doesn't copy bip_vcnt and BIP_CLONE_FLAGS excludes BIP_COPY_USER.
Fixes: 3991657ae707 ("block: set bip_vcnt correctly")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260511215151.346228-1-devnexen@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index ab58f44058e96..9c490fa07a795 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -245,7 +245,6 @@ static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec,
}
bip->bip_flags |= BIP_COPY_USER;
- bip->bip_vcnt = nr_vecs;
return 0;
free_bip:
bio_integrity_free(bio);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 211/272] block: recompute nr_integrity_segments in blk_insert_cloned_request
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 210/272] block: dont overwrite bip_vcnt in bio_integrity_copy_user() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 212/272] HID: quirks: really enable the intended work around for appledisplay Greg Kroah-Hartman
` (67 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Casey Chen, Christoph Hellwig,
Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Casey Chen <cachen@purestorage.com>
[ Upstream commit 2c6e6a18a37b905cb584eb0dda3ae482162a81ca ]
blk_insert_cloned_request() already recomputes nr_phys_segments
against the bottom queue, because "the queue settings related to
segment counting may differ from the original queue." The exact same
reasoning applies to integrity segments: a stacked driver's underlying
queue can have tighter virt_boundary_mask, seg_boundary_mask, or
max_segment_size than the top queue, in which case
blk_rq_count_integrity_sg() against the bottom queue produces a
different count than the cached rq->nr_integrity_segments inherited
from the source request by blk_rq_prep_clone().
When the cached count is lower than the bottom queue's actual count,
blk_rq_map_integrity_sg() trips
BUG_ON(segments > rq->nr_integrity_segments);
on dispatch. The same families of stacked setups that motivated the
existing nr_phys_segments recompute -- dm-multipath fanning out to
nvme-rdma in particular -- can produce this.
Mirror the nr_phys_segments handling: when the request carries
integrity, recompute nr_integrity_segments against the bottom queue
and reject the request if it exceeds the bottom queue's
max_integrity_segments. blk_rq_count_integrity_sg() and
queue_max_integrity_segments() are both already available via
<linux/blk-integrity.h>, which blk-mq.c includes.
This closes a latent gap in the stacking contract and brings the
integrity-segment accounting in line with the existing
phys-segment accounting.
Fixes: 76c313f658d2 ("blk-integrity: improved sg segment mapping")
Signed-off-by: Casey Chen <cachen@purestorage.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260511212230.27511-1-cachen@purestorage.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 1891863dcba17..5bfaa8e4b9cf6 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3215,6 +3215,25 @@ blk_status_t blk_insert_cloned_request(struct request *rq)
return BLK_STS_IOERR;
}
+ /*
+ * Integrity segment counting depends on the same queue limits
+ * (virt_boundary_mask, seg_boundary_mask, max_segment_size) that
+ * vary across stacked queues, so recompute against the bottom
+ * queue just like nr_phys_segments above.
+ */
+ if (blk_integrity_rq(rq) && rq->bio) {
+ unsigned short max_int_segs = queue_max_integrity_segments(q);
+
+ rq->nr_integrity_segments =
+ blk_rq_count_integrity_sg(rq->q, rq->bio);
+ if (rq->nr_integrity_segments > max_int_segs) {
+ printk(KERN_ERR "%s: over max integrity segments limit. (%u > %u)\n",
+ __func__, rq->nr_integrity_segments,
+ max_int_segs);
+ return BLK_STS_IOERR;
+ }
+ }
+
if (q->disk && should_fail_request(q->disk->part0, blk_rq_bytes(rq)))
return BLK_STS_IOERR;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 212/272] HID: quirks: really enable the intended work around for appledisplay
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 211/272] block: recompute nr_integrity_segments in blk_insert_cloned_request Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 213/272] block: modify bio_integrity_map_user to accept iov_iter as argument Greg Kroah-Hartman
` (66 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lukas Bulwahn, Jiri Kosina,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Bulwahn <lukas.bulwahn@redhat.com>
[ Upstream commit 5f90dcfa8dc32a488581b78e575cdd7808ba5c78 ]
Commit c7fabe4ad921 ("HID: quirks: work around VID/PID conflict for
appledisplay") intends to add a quirk for kernels built with Apple Cinema
Display support, but it refers to the non-existing config option
CONFIG_APPLEDISPLAY, whereas the config option for Apple Cinema Display
support is named CONFIG_USB_APPLEDISPLAY.
Refer to the intended config option CONFIG_USB_APPLEDISPLAY in the ifdef
directive.
Fixes: c7fabe4ad921 ("HID: quirks: work around VID/PID conflict for appledisplay")
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index d9e33dde89899..9d396d2e534d0 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -234,7 +234,7 @@ static const struct hid_device_id hid_quirks[] = {
* used as a driver. See hid_scan_report().
*/
static const struct hid_device_id hid_have_special_driver[] = {
-#if IS_ENABLED(CONFIG_APPLEDISPLAY)
+#if IS_ENABLED(CONFIG_USB_APPLEDISPLAY)
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) },
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 213/272] block: modify bio_integrity_map_user to accept iov_iter as argument
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 212/272] HID: quirks: really enable the intended work around for appledisplay Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 214/272] block: drop direction param from bio_integrity_copy_user() Greg Kroah-Hartman
` (65 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anuj Gupta, Kanchan Joshi,
Christoph Hellwig, Keith Busch, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anuj Gupta <anuj20.g@samsung.com>
[ Upstream commit fe8f4ca7107e968b0eb7328155c8811f2a19424a ]
This patch refactors bio_integrity_map_user to accept iov_iter as
argument. This is a prep patch.
Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20241128112240.8867-4-anuj20.g@samsung.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 8582792cf23b ("block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 12 +++++-------
block/blk-integrity.c | 10 +++++++++-
include/linux/bio-integrity.h | 5 ++---
3 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index 9c490fa07a795..785adefc5f3c3 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -298,16 +298,15 @@ static unsigned int bvec_from_pages(struct bio_vec *bvec, struct page **pages,
return nr_bvecs;
}
-int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes)
+int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
{
struct request_queue *q = bdev_get_queue(bio->bi_bdev);
unsigned int align = blk_lim_dma_alignment_and_pad(&q->limits);
struct page *stack_pages[UIO_FASTIOV], **pages = stack_pages;
struct bio_vec stack_vec[UIO_FASTIOV], *bvec = stack_vec;
+ size_t offset, bytes = iter->count;
unsigned int direction, nr_bvecs;
- struct iov_iter iter;
int ret, nr_vecs;
- size_t offset;
bool copy;
if (bio_integrity(bio))
@@ -320,8 +319,7 @@ int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes)
else
direction = ITER_SOURCE;
- iov_iter_ubuf(&iter, direction, ubuf, bytes);
- nr_vecs = iov_iter_npages(&iter, BIO_MAX_VECS + 1);
+ nr_vecs = iov_iter_npages(iter, BIO_MAX_VECS + 1);
if (nr_vecs > BIO_MAX_VECS)
return -E2BIG;
if (nr_vecs > UIO_FASTIOV) {
@@ -331,8 +329,8 @@ int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes)
pages = NULL;
}
- copy = !iov_iter_is_aligned(&iter, align, align);
- ret = iov_iter_extract_pages(&iter, &pages, bytes, nr_vecs, 0, &offset);
+ copy = !iov_iter_is_aligned(iter, align, align);
+ ret = iov_iter_extract_pages(iter, &pages, bytes, nr_vecs, 0, &offset);
if (unlikely(ret < 0))
goto free_bvec;
diff --git a/block/blk-integrity.c b/block/blk-integrity.c
index 013469faa5e7c..a1678f0a9f81f 100644
--- a/block/blk-integrity.c
+++ b/block/blk-integrity.c
@@ -115,8 +115,16 @@ EXPORT_SYMBOL(blk_rq_map_integrity_sg);
int blk_rq_integrity_map_user(struct request *rq, void __user *ubuf,
ssize_t bytes)
{
- int ret = bio_integrity_map_user(rq->bio, ubuf, bytes);
+ int ret;
+ struct iov_iter iter;
+ unsigned int direction;
+ if (op_is_write(req_op(rq)))
+ direction = ITER_DEST;
+ else
+ direction = ITER_SOURCE;
+ iov_iter_ubuf(&iter, direction, ubuf, bytes);
+ ret = bio_integrity_map_user(rq->bio, &iter);
if (ret)
return ret;
diff --git a/include/linux/bio-integrity.h b/include/linux/bio-integrity.h
index dbf0f74c15291..be91479b2c42d 100644
--- a/include/linux/bio-integrity.h
+++ b/include/linux/bio-integrity.h
@@ -72,7 +72,7 @@ struct bio_integrity_payload *bio_integrity_alloc(struct bio *bio, gfp_t gfp,
unsigned int nr);
int bio_integrity_add_page(struct bio *bio, struct page *page, unsigned int len,
unsigned int offset);
-int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t len);
+int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter);
void bio_integrity_unmap_user(struct bio *bio);
bool bio_integrity_prep(struct bio *bio);
void bio_integrity_advance(struct bio *bio, unsigned int bytes_done);
@@ -98,8 +98,7 @@ static inline void bioset_integrity_free(struct bio_set *bs)
{
}
-static inline int bio_integrity_map_user(struct bio *bio, void __user *ubuf,
- ssize_t len)
+static int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
{
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 214/272] block: drop direction param from bio_integrity_copy_user()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 213/272] block: modify bio_integrity_map_user to accept iov_iter as argument Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 215/272] blk-integrity: use simpler alignment check Greg Kroah-Hartman
` (64 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos, Keith Busch,
Anuj Gupta, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Sander Mateos <csander@purestorage.com>
[ Upstream commit c09a8b00f850d3ca0af998bff1fac4a3f6d11768 ]
direction is determined from bio, which is already passed in. Compute
op_is_write(bio_op(bio)) directly instead of converting it to an iter
direction and back to a bool.
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Link: https://lore.kernel.org/r/20250603183133.1178062-1-csander@purestorage.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 8582792cf23b ("block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index 785adefc5f3c3..6801754838bc1 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -196,10 +196,9 @@ int bio_integrity_add_page(struct bio *bio, struct page *page,
EXPORT_SYMBOL(bio_integrity_add_page);
static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec,
- int nr_vecs, unsigned int len,
- unsigned int direction)
+ int nr_vecs, unsigned int len)
{
- bool write = direction == ITER_SOURCE;
+ bool write = op_is_write(bio_op(bio));
struct bio_integrity_payload *bip;
struct iov_iter iter;
void *buf;
@@ -210,7 +209,7 @@ static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec,
return -ENOMEM;
if (write) {
- iov_iter_bvec(&iter, direction, bvec, nr_vecs, len);
+ iov_iter_bvec(&iter, ITER_SOURCE, bvec, nr_vecs, len);
if (!copy_from_iter_full(buf, len, &iter)) {
ret = -EFAULT;
goto free_buf;
@@ -305,7 +304,7 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
struct page *stack_pages[UIO_FASTIOV], **pages = stack_pages;
struct bio_vec stack_vec[UIO_FASTIOV], *bvec = stack_vec;
size_t offset, bytes = iter->count;
- unsigned int direction, nr_bvecs;
+ unsigned int nr_bvecs;
int ret, nr_vecs;
bool copy;
@@ -314,11 +313,6 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
if (bytes >> SECTOR_SHIFT > queue_max_hw_sectors(q))
return -E2BIG;
- if (bio_data_dir(bio) == READ)
- direction = ITER_DEST;
- else
- direction = ITER_SOURCE;
-
nr_vecs = iov_iter_npages(iter, BIO_MAX_VECS + 1);
if (nr_vecs > BIO_MAX_VECS)
return -E2BIG;
@@ -341,8 +335,7 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
copy = true;
if (copy)
- ret = bio_integrity_copy_user(bio, bvec, nr_bvecs, bytes,
- direction);
+ ret = bio_integrity_copy_user(bio, bvec, nr_bvecs, bytes);
else
ret = bio_integrity_init_user(bio, bvec, nr_bvecs, bytes);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 215/272] blk-integrity: use simpler alignment check
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 214/272] block: drop direction param from bio_integrity_copy_user() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 216/272] blk-integrity: enable p2p source and destination Greg Kroah-Hartman
` (63 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keith Busch, Hannes Reinecke,
Martin K. Petersen, Christoph Hellwig, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 69d7ed5b9ef661230264bfa0db4c96fa25b8efa4 ]
We're checking length and addresses against the same alignment value, so
use the more simple iterator check.
Signed-off-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 8582792cf23b ("block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index 6801754838bc1..a7788bbe35979 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -300,7 +300,6 @@ static unsigned int bvec_from_pages(struct bio_vec *bvec, struct page **pages,
int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
{
struct request_queue *q = bdev_get_queue(bio->bi_bdev);
- unsigned int align = blk_lim_dma_alignment_and_pad(&q->limits);
struct page *stack_pages[UIO_FASTIOV], **pages = stack_pages;
struct bio_vec stack_vec[UIO_FASTIOV], *bvec = stack_vec;
size_t offset, bytes = iter->count;
@@ -323,7 +322,8 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
pages = NULL;
}
- copy = !iov_iter_is_aligned(iter, align, align);
+ copy = iov_iter_alignment(iter) &
+ blk_lim_dma_alignment_and_pad(&q->limits);
ret = iov_iter_extract_pages(iter, &pages, bytes, nr_vecs, 0, &offset);
if (unlikely(ret < 0))
goto free_bvec;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 216/272] blk-integrity: enable p2p source and destination
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 215/272] blk-integrity: use simpler alignment check Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 217/272] block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() Greg Kroah-Hartman
` (62 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
Martin K. Petersen, Keith Busch, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 05ceea5d3ec9a1b1d6858ffd4739fdb0ed1b8eaf ]
Set the extraction flags to allow p2p pages for the metadata buffer if
the block device allows it. Similar to data payloads, ensure the bio
does not use merging if we see a p2p page.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 8582792cf23b ("block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index a7788bbe35979..2a02222f4298c 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -268,7 +268,8 @@ static int bio_integrity_init_user(struct bio *bio, struct bio_vec *bvec,
}
static unsigned int bvec_from_pages(struct bio_vec *bvec, struct page **pages,
- int nr_vecs, ssize_t bytes, ssize_t offset)
+ int nr_vecs, ssize_t bytes, ssize_t offset,
+ bool *is_p2p)
{
unsigned int nr_bvecs = 0;
int i, j;
@@ -289,6 +290,9 @@ static unsigned int bvec_from_pages(struct bio_vec *bvec, struct page **pages,
bytes -= next;
}
+ if (is_pci_p2pdma_page(pages[i]))
+ *is_p2p = true;
+
bvec_set_page(&bvec[nr_bvecs], pages[i], size, offset);
offset = 0;
nr_bvecs++;
@@ -302,10 +306,11 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
struct request_queue *q = bdev_get_queue(bio->bi_bdev);
struct page *stack_pages[UIO_FASTIOV], **pages = stack_pages;
struct bio_vec stack_vec[UIO_FASTIOV], *bvec = stack_vec;
+ iov_iter_extraction_t extraction_flags = 0;
size_t offset, bytes = iter->count;
+ bool copy, is_p2p = false;
unsigned int nr_bvecs;
int ret, nr_vecs;
- bool copy;
if (bio_integrity(bio))
return -EINVAL;
@@ -324,15 +329,23 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
copy = iov_iter_alignment(iter) &
blk_lim_dma_alignment_and_pad(&q->limits);
- ret = iov_iter_extract_pages(iter, &pages, bytes, nr_vecs, 0, &offset);
+
+ if (blk_queue_pci_p2pdma(q))
+ extraction_flags |= ITER_ALLOW_P2PDMA;
+
+ ret = iov_iter_extract_pages(iter, &pages, bytes, nr_vecs,
+ extraction_flags, &offset);
if (unlikely(ret < 0))
goto free_bvec;
- nr_bvecs = bvec_from_pages(bvec, pages, nr_vecs, bytes, offset);
+ nr_bvecs = bvec_from_pages(bvec, pages, nr_vecs, bytes, offset,
+ &is_p2p);
if (pages != stack_pages)
kvfree(pages);
if (nr_bvecs > queue_max_integrity_segments(q))
copy = true;
+ if (is_p2p)
+ bio->bi_opf |= REQ_NOMERGE;
if (copy)
ret = bio_integrity_copy_user(bio, bvec, nr_bvecs, bytes);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 217/272] block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 216/272] blk-integrity: enable p2p source and destination Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 218/272] accel/qaic: Add overflow check to remap_pfn_range during mmap Greg Kroah-Hartman
` (61 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Sungwoo Kim, Shinichiro Kawasaki, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit 8582792cf23b3d94674d4d838f7cde9a28d0fcaf ]
pin_user_pages_fast() can partially succeed and return the number of
pages that were actually pinned. However, the bio_integrity_map_user()
does not handle this partial pinning. This leads to a general protection
fault since bvec_from_pages() dereferences an unpinned page address,
which is 0.
To fix this, add a check to verify that all requested memory is pinned.
If partial pinning occurs, unpin the memory and return -EFAULT.
Kernel Oops:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 1061 Comm: nvme-passthroug Not tainted 7.0.0-11783-g90957f9314e8-dirty #16 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
RIP: 0010:bio_integrity_map_user.cold+0x1b0/0x9d6
Fixes: 492c5d455969 ("block: bio-integrity: directly map user buffers")
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Link: https://github.com/linux-blktests/blktests/pull/244
Link: https://patch.msgid.link/20260512050929.541397-2-iam@sung-woo.kim
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index 2a02222f4298c..04bab987b0878 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -338,6 +338,24 @@ int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
if (unlikely(ret < 0))
goto free_bvec;
+ /*
+ * Handle partial pinning. This can happen when pin_user_pages_fast()
+ * returns fewer pages than requested.
+ */
+ if (user_backed_iter(iter) && unlikely(ret != bytes)) {
+ if (ret > 0) {
+ int npinned = DIV_ROUND_UP(offset + ret, PAGE_SIZE);
+ int i;
+
+ for (i = 0; i < npinned; i++)
+ unpin_user_page(pages[i]);
+ }
+ if (pages != stack_pages)
+ kvfree(pages);
+ ret = -EFAULT;
+ goto free_bvec;
+ }
+
nr_bvecs = bvec_from_pages(bvec, pages, nr_vecs, bytes, offset,
&is_p2p);
if (pages != stack_pages)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 218/272] accel/qaic: Add overflow check to remap_pfn_range during mmap
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 217/272] block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 219/272] net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint Greg Kroah-Hartman
` (60 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Maar, Karol Wachowski,
Zack McKevitt, Jeff Hugo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
[ Upstream commit aa16b2bc0f02709919e2435f531406531e5bcc69 ]
The call to remap_pfn_range in qaic_gem_object_mmap is susceptible to
(re)mapping beyond the VMA if the BO is too large. This can cause use
after free issues when munmap() unmaps only the VMA region and not the
additional mappings. To prevent this, check the remaining size of the
VMA before remapping and truncate the remapped length if sg->length is
too large.
Reported-by: Lukas Maar <lukas.maar@tugraz.at>
Fixes: ff13be830333 ("accel/qaic: Add datapath")
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
[jhugo: fix braces from checkpatch --strict]
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Link: https://patch.msgid.link/20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/qaic/qaic_data.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index 265eeb4e156fc..aa89571b37f0e 100644
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -605,8 +605,11 @@ static const struct vm_operations_struct drm_vm_ops = {
static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
{
struct qaic_bo *bo = to_qaic_bo(obj);
+ unsigned long remap_start;
unsigned long offset = 0;
+ unsigned long remap_end;
struct scatterlist *sg;
+ unsigned long length;
int ret = 0;
if (obj->import_attach)
@@ -614,11 +617,27 @@ static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struc
for (sg = bo->sgt->sgl; sg; sg = sg_next(sg)) {
if (sg_page(sg)) {
+ /* if sg is too large for the VMA, so truncate it to fit */
+ if (check_add_overflow(vma->vm_start, offset, &remap_start))
+ return -EINVAL;
+ if (check_add_overflow(remap_start, sg->length, &remap_end))
+ return -EINVAL;
+
+ if (remap_end > vma->vm_end) {
+ if (check_sub_overflow(vma->vm_end, remap_start, &length))
+ return -EINVAL;
+ } else {
+ length = sg->length;
+ }
+
+ if (length == 0)
+ goto out;
+
ret = remap_pfn_range(vma, vma->vm_start + offset, page_to_pfn(sg_page(sg)),
- sg->length, vma->vm_page_prot);
+ length, vma->vm_page_prot);
if (ret)
goto out;
- offset += sg->length;
+ offset += length;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 219/272] net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 218/272] accel/qaic: Add overflow check to remap_pfn_range during mmap Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 220/272] ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics Greg Kroah-Hartman
` (59 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei, Dust Li,
Sidraya Jayagond, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 7bf563badd37cb796df5477d2b78bb64148a1268 ]
The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and
smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:
__string(name, smc->conn.lnk->ibname)
conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on
these paths already handles this (e.g. !conn->lnk in
SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first
sendmsg()/recvmsg() on an SMC-D socket crashes:
Oops: general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [...]
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
smc_rx_recvmsg (net/smc/smc_rx.c:515)
smc_recvmsg (net/smc/af_smc.c:2859)
__sys_recvfrom (net/socket.c:2315)
__x64_sys_recvfrom (net/socket.c:2326)
do_syscall_64
The faulting address 0x3e0 is offsetof(struct smc_link, ibname),
confirming the NULL ->lnk deref. Enabling the tracepoint requires
root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has
no capability check, and SMC-D negotiation needs no admin step on
s390 or on x86 with the loopback ISM device loaded.
Log an empty device name for SMC-D instead of dereferencing NULL.
Fixes: aff3083f10bf ("net/smc: Introduce tracepoints for tx and rx msg")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Sidraya Jayagond <sidraya@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/smc_tracepoint.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/smc/smc_tracepoint.h b/net/smc/smc_tracepoint.h
index a9a6e3c1113aa..53da84f57fd6f 100644
--- a/net/smc/smc_tracepoint.h
+++ b/net/smc/smc_tracepoint.h
@@ -51,7 +51,7 @@ DECLARE_EVENT_CLASS(smc_msg_event,
__field(const void *, smc)
__field(u64, net_cookie)
__field(size_t, len)
- __string(name, smc->conn.lnk->ibname)
+ __string(name, smc->conn.lnk ? smc->conn.lnk->ibname : "")
),
TP_fast_assign(
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 220/272] ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 219/272] net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 221/272] drm/msm/dsi: dont dump registers past the mapped region Greg Kroah-Hartman
` (58 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenguang Zhao, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenguang Zhao <zhaochenguang@kylinos.cn>
[ Upstream commit 3d042592ebd4c7e44974d556de0b727cb7db4dab ]
ethnl_bitmap32_not_zero() should return true if some bit in [start, end)
is set:
- Fix inverted memchr_inv() sense: return true when the scan finds a
non-zero byte, not when the middle words are all zero.
- Return false for an empty interval (end <= start).
- When end is 32-bit aligned, indices in [start, end) do not include any
bits from map[end_word]; return false after earlier checks found no
non-zero data.
Fixes: 10b518d4e6dd ("ethtool: netlink bitset handling")
Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/bitset.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c
index f0883357d12e5..4691d6d0f2b75 100644
--- a/net/ethtool/bitset.c
+++ b/net/ethtool/bitset.c
@@ -91,7 +91,7 @@ static bool ethnl_bitmap32_not_zero(const u32 *map, unsigned int start,
u32 mask;
if (end <= start)
- return true;
+ return false;
if (start % 32) {
mask = ethnl_upper_bits(start);
@@ -104,11 +104,11 @@ static bool ethnl_bitmap32_not_zero(const u32 *map, unsigned int start,
start_word++;
}
- if (!memchr_inv(map + start_word, '\0',
- (end_word - start_word) * sizeof(u32)))
+ if (memchr_inv(map + start_word, '\0',
+ (end_word - start_word) * sizeof(u32)))
return true;
if (end % 32 == 0)
- return true;
+ return false;
return map[end_word] & ethnl_lower_bits(end);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 221/272] drm/msm/dsi: dont dump registers past the mapped region
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 220/272] ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 222/272] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN Greg Kroah-Hartman
` (57 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 5b49a46baa853b26dbefa65c6c75dd9ff69f63d4 ]
On DSI 6G platforms the IO address space is internally adjusted by
io_offset. Later this adjusted address might be used for memory dumping.
However the size that is used for memory dumping isn't adjusted to
account for the io_offset, leading to the potential access to the
unmapped region. Lower ctrl_size by the io_offset value to prevent
access past the mapped area.
msm_disp_snapshot_add_block+0x1d4/0x3c8 [msm] (P)
msm_dsi_host_snapshot+0x4c/0x78 [msm]
msm_dsi_snapshot+0x28/0x50 [msm]
msm_disp_snapshot_capture_state+0x74/0x140 [msm]
msm_disp_snapshot_state_sync+0x60/0x90 [msm]
_msm_disp_snapshot_work+0x30/0x90 [msm]
kthread_worker_fn+0xdc/0x460
kthread+0x120/0x140
Fixes: bac2c6a62ed9 ("drm/msm: get rid of msm_iomap_size")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/721747/
Link: https://lore.kernel.org/r/20260428-msm-fix-dsi-dump-v1-1-5d4cb5ccfac7@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 6f538c578f740..c9b580771609b 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -1942,6 +1942,7 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi)
/* fixup base address by io offset */
msm_host->ctrl_base += cfg->io_offset;
+ msm_host->ctrl_size -= cfg->io_offset;
ret = devm_regulator_bulk_get_const(&pdev->dev, cfg->num_regulators,
cfg->regulator_data,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 222/272] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 221/272] drm/msm/dsi: dont dump registers past the mapped region Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 223/272] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() Greg Kroah-Hartman
` (56 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Rob Clark,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 55e0f0d1c1a4ee1e46da7da4d443eb3044fb3851 ]
Commit "iommu: return full error code from iommu_map_sg[_atomic]()"
changed iommu_map_sgtable() to return an ssize_t and negative values
in error cases, rather than a size_t and a zero.
Store the return value in the appropriate type and in case of error,
return it rather than WARNing.
Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Patchwork: https://patchwork.freedesktop.org/patch/719685/
Message-ID: <20260421-iommu_map_sgtable-return-v1-3-fb484c07d2a1@nvidia.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_iommu.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
index 2a94e82316f95..8231488577f4d 100644
--- a/drivers/gpu/drm/msm/msm_iommu.c
+++ b/drivers/gpu/drm/msm/msm_iommu.c
@@ -362,14 +362,15 @@ static int msm_iommu_map(struct msm_mmu *mmu, uint64_t iova,
struct sg_table *sgt, size_t len, int prot)
{
struct msm_iommu *iommu = to_msm_iommu(mmu);
- size_t ret;
+ ssize_t ret;
/* The arm-smmu driver expects the addresses to be sign extended */
if (iova & BIT_ULL(48))
iova |= GENMASK_ULL(63, 49);
ret = iommu_map_sgtable(iommu->domain, iova, sgt, prot);
- WARN_ON(!ret);
+ if (ret < 0)
+ return ret;
return (ret == len) ? 0 : -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 223/272] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 222/272] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 224/272] net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot Greg Kroah-Hartman
` (55 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Salgaonkar, Shrikanth Hegde,
Ritesh Harjani (IBM), Sayali Patil, Madhavan Srinivasan,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sayali Patil <sayalip@linux.ibm.com>
[ Upstream commit 31467b23823ffec1f6fff407f8e3ca9af8b7491a ]
A kernel panic is observed when handling machine check exceptions from
real mode.
BUG: Unable to handle kernel data access on read at 0xc00000006be21300
Oops: Kernel access of bad area, sig: 11 [#1]
MSR: 8000000000001003 <SF,ME,RI,LE> CR: 88222248 XER: 00000005
CFAR: c00000000003ffc4 DAR: c00000006be21300 DSISR: 40000000 IRQMASK: 0
NIP [c000000000029e40] arch_irq_work_raise+0x10/0x70
LR [c00000000003ffc8] machine_check_queue_event+0xa8/0x150
Call Trace:
[c0000000179d3c70] [c00000000003ff64] machine_check_queue_event+0x44/0x150
[c0000000179d3d30] [c0000000000084e0] machine_check_early_common+0x1f0/0x2c0
The crash occurs because arch_irq_work_raise() calls preempt_disable()
from machine check exception (MCE) handlers running in real mode. In
this context, accessing the preempt_count can fault, leading to the panic.
The preempt_disable()/preempt_enable() pair in arch_irq_work_raise()
was originally added by commit 0fe1ac48bef0 ("powerpc/perf_event: Fix
oops due to perf_event_do_pending call") to avoid races while raising
irq work from exception context.
Later, commit 471ba0e686cb ("irq_work: Do not raise an IPI when
queueing work on the local CPU") added preemption protection in
irq_work_queue() path, while commit 20b876918c06 ("irq_work: Use per
cpu atomics instead of regular atomics") added equivalent
protection in irq_work_queue_on() before reaching arch_irq_work_raise():
irq_work_queue() / irq_work_queue_on()
-> preempt_disable()
-> __irq_work_queue_local()
-> irq_work_raise()
-> arch_irq_work_raise()
As a result, callers other than mce_irq_work_raise() already execute
with preemption disabled, making the additional
preempt_disable()/preempt_enable() pair in arch_irq_work_raise()
redundant.
The arch_irq_work_raise() function executes in NMI context when called
from MCE handler. Hence we will not be preempted or scheduled out since
we are in NMI context with MSR[EE]=0. Therefore, it is safe to remove
the preempt_disable()/preempt_enable() calls from here.
Remove it to avoid accessing preempt_count from real mode context.
Fixes: cc15ff327569 ("powerpc/mce: Avoid using irq_work_queue() in realmode")
Suggested-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Acked-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Sayali Patil <sayalip@linux.ibm.com>
[Maddy: Fixed the commit title]
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260513081413.222490-1-sayalip@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/time.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
index 0ff9f038e800d..ce7f91172ec2b 100644
--- a/arch/powerpc/kernel/time.c
+++ b/arch/powerpc/kernel/time.c
@@ -458,6 +458,10 @@ DEFINE_PER_CPU(u8, irq_work_pending);
#endif /* 32 vs 64 bit */
+/*
+ * Must be called with preemption disabled since it updates
+ * per-CPU irq_work state and programs the local CPU decrementer.
+ */
void arch_irq_work_raise(void)
{
/*
@@ -471,10 +475,8 @@ void arch_irq_work_raise(void)
* which could get tangled up if we're messing with the same state
* here.
*/
- preempt_disable();
set_irq_work_pending_flag();
set_dec(1);
- preempt_enable();
}
static void set_dec_or_work(u64 val)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 224/272] net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 223/272] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 225/272] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring Greg Kroah-Hartman
` (54 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 277740023def559a4a2ddc3e8e784ee37a0f16a9 ]
On the SMC-D client, slot 0 of ini->ism_dev[]/ini->ism_chid[] is
reserved for an SMC-Dv1 device. smc_find_ism_v2_device_clnt()
populates V2 entries starting at index 1, so when no V1 device is
selected slot 0 is left in its kzalloc()'ed state with ism_dev[0] ==
NULL and ism_chid[0] == 0.
smc_v2_determine_accepted_chid() then matches the peer's CHID against
the array starting from index 0 using the CHID alone. A malicious
peer replying to a SMC-Dv2-only proposal with d1.chid == 0 matches
the empty slot, ini->ism_selected becomes 0, and the subsequent
ism_dev[0]->lgr_lock dereference in smc_conn_create() faults at
offsetof(struct smcd_dev, lgr_lock) == 0x68:
BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x79/0xe0
Write of size 4 at addr 0000000000000068 by task exploit/144
Call Trace:
_raw_spin_lock_bh
smc_conn_create (net/smc/smc_core.c:1997)
__smc_connect (net/smc/af_smc.c:1447)
smc_connect (net/smc/af_smc.c:1720)
__sys_connect
__x64_sys_connect
do_syscall_64
Require ism_dev[i] to be non-NULL before accepting a CHID match.
Fixes: a7c9c5f4af7f ("net/smc: CLC accept / confirm V2")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Link: https://patch.msgid.link/20260511062138.2839584-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 23bb360ebd07b..c96abb1386be4 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1398,7 +1398,8 @@ smc_v2_determine_accepted_chid(struct smc_clc_msg_accept_confirm *aclc,
int i;
for (i = 0; i < ini->ism_offered_cnt + 1; i++) {
- if (ini->ism_chid[i] == ntohs(aclc->d1.chid)) {
+ if (ini->ism_dev[i] &&
+ ini->ism_chid[i] == ntohs(aclc->d1.chid)) {
ini->ism_selected = i;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 225/272] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 224/272] net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot Greg Kroah-Hartman
@ 2026-05-28 19:49 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 226/272] net: tls: prevent chain-after-chain in plain text SG Greg Kroah-Hartman
` (53 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, 钱一铭,
Jakub Kicinski, Sabrina Dubroca, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 285943c6e7ca309bbea84b253745154241d9788a ]
When an sk_msg scatterlist ring wraps (sg.end < sg.start),
tls_push_record() chains the tail portion of the ring to the head
using sg_chain(). An extra entry in the sg array is reserved for
this:
struct sk_msg_sg {
[...]
/* The extra two elements:
* 1) used for chaining the front and sections when the list becomes
* partitioned (e.g. end < start). The crypto APIs require the
* chaining;
* 2) to chain tailer SG entries after the message.
*/
struct scatterlist data[MAX_MSG_FRAGS + 2];
The current code uses MAX_SKB_FRAGS + 1 as the ring size:
sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
MAX_SKB_FRAGS - msg_pl->sg.start + 1,
msg_pl->sg.data);
This places the chain pointer at
sg_chain(data[start], (MAX_SKB_FRAGS - msg_start + 1) .. =
&data[start] + (MAX_SKB_FRAGS - msg_start + 1) - 1 =
data[start + (MAX_SKB_FRAGS - start + 1) - 1] =
data[MAX_SKB_FRAGS]
instead of the true last entry. This is likely due to a "race" of
the commit under Fixes landing close to
commit 031097d9e079 ("bpf: sk_msg, zap ingress queue on psock down")
Convert to ARRAY_SIZE and drop the data[start] / - start (as suggested
by Sabrina).
Reported-by: 钱一铭 <yimingqian591@gmail.com>
Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260511174920.433155-2-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 4550f15d052dc..834cb01f8e0e8 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -800,11 +800,9 @@ static int tls_push_record(struct sock *sk, int flags,
sg_mark_end(sk_msg_elem(msg_pl, i));
}
- if (msg_pl->sg.end < msg_pl->sg.start) {
- sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
- MAX_SKB_FRAGS - msg_pl->sg.start + 1,
+ if (msg_pl->sg.end < msg_pl->sg.start)
+ sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
msg_pl->sg.data);
- }
i = msg_pl->sg.start;
sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 226/272] net: tls: prevent chain-after-chain in plain text SG
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-05-28 19:49 ` [PATCH 6.12 225/272] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 227/272] net: phy: DP83TC811: add reading of abilities Greg Kroah-Hartman
` (52 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Jakub Kicinski, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit ff26a0e8377dec07e4a7230db7675bed1b9a6d03 ]
Sashiko points out that if end = 0 (start != 0) the current
code will create a chain link to content type right after
the wrap link:
This would create a chain where the wrap link points directly
to another chain link. The scatterlist API sg_next iterator
does not recursively resolve consecutive chain links.
meaning this is illegal input to crypto.
The wrapping link is unnecessary if end = 0. end is the entry after
the last one used so end = 0 means there's nothing pushed after
the wrap:
end start i
v v v
[ ]...[ ][ d ][ d ][ d ][ d ][rsv for wrap]
Skip the wrapping in this case.
TLS 1.3 can use the "wrapping slot" for it's chaining if end = 0.
This avoids the chain-after-chain.
Move the wrap chaining before marking END and chaining off content
type, that feels like more logical ordering to me, but should not
matter from functional perspective.
Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://patch.msgid.link/20260511174920.433155-3-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 834cb01f8e0e8..7511cce76fbbf 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -789,21 +789,33 @@ static int tls_push_record(struct sock *sk, int flags,
i = msg_pl->sg.end;
sk_msg_iter_var_prev(i);
+ /* msg_pl->sg.data is a ring; data[MAX+1] is reserved for the wrap
+ * link (frags won't use it). 'i' is now the last filled entry:
+ *
+ * i end start
+ * v v v [ rsv ]
+ * [ d ][ d ][ ][ ]...[ ][ d ][ d ][ d ][chain]
+ * ^ END v
+ * `-----------------------------------------'
+ *
+ * Note that SGL does not allow chain-after-chain, so for TLS 1.3,
+ * we must make sure we don't create the wrap entry and then chain
+ * link to content_type immediately at index 0.
+ */
+ if (i < msg_pl->sg.start)
+ sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
+ msg_pl->sg.data);
+
rec->content_type = record_type;
if (prot->version == TLS_1_3_VERSION) {
/* Add content type to end of message. No padding added */
sg_set_buf(&rec->sg_content_type, &rec->content_type, 1);
sg_mark_end(&rec->sg_content_type);
- sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
- &rec->sg_content_type);
+ sg_chain(msg_pl->sg.data, i + 2, &rec->sg_content_type);
} else {
sg_mark_end(sk_msg_elem(msg_pl, i));
}
- if (msg_pl->sg.end < msg_pl->sg.start)
- sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
- msg_pl->sg.data);
-
i = msg_pl->sg.start;
sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 227/272] net: phy: DP83TC811: add reading of abilities
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 226/272] net: tls: prevent chain-after-chain in plain text SG Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 228/272] x86/xen: Fix xen_e820_swap_entry_with_ram() Greg Kroah-Hartman
` (51 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Sven Schuchmann,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schuchmann <schuchmann@schleissheimer.de>
[ Upstream commit c78bdba7b9666020c0832150a4fc4c0aebc7c6ac ]
At this time the driver is not listing any speeds
it supports. This should be ETHTOOL_LINK_MODE_100baseT1_Full_BIT
for DP83TC811. Add the missing call for phylib to read the abilities.
Fixes: b753a9faaf9a ("net: phy: DP83TC811: Introduce support for the DP83TC811 phy")
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Sven Schuchmann <schuchmann@schleissheimer.de>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260512071949.6218-1-schuchmann@schleissheimer.de
[pabeni@redhat.com: dropped revision history]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/dp83tc811.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/dp83tc811.c b/drivers/net/phy/dp83tc811.c
index 7ea32fb77190c..5425a95352f9f 100644
--- a/drivers/net/phy/dp83tc811.c
+++ b/drivers/net/phy/dp83tc811.c
@@ -393,6 +393,7 @@ static struct phy_driver dp83811_driver[] = {
.config_init = dp83811_config_init,
.config_aneg = dp83811_config_aneg,
.soft_reset = dp83811_phy_reset,
+ .get_features = genphy_c45_pma_read_ext_abilities,
.get_wol = dp83811_get_wol,
.set_wol = dp83811_set_wol,
.config_intr = dp83811_config_intr,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 228/272] x86/xen: Fix xen_e820_swap_entry_with_ram()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 227/272] net: phy: DP83TC811: add reading of abilities Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 229/272] tls: Preserve sk_err across recvmsg() when data has been copied Greg Kroah-Hartman
` (50 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Beulich, Juergen Gross,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit 28e03f78e69cf6628b81f24777799778528a84c1 ]
When swapping a not page-aligned E820 map entry with RAM, the start
address of the modified entry is calculated wrong (the offset into the
page is subtracted instead of being added to the page address).
Fixes: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
Reported-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20260505102417.208138-1-jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/setup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
index 3823e52aef523..6260f65a78c5e 100644
--- a/arch/x86/xen/setup.c
+++ b/arch/x86/xen/setup.c
@@ -655,7 +655,7 @@ static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry)
/* Fill new entry (keep size and page offset). */
entry->type = swap_entry->type;
entry->addr = entry_end - swap_size +
- swap_addr - swap_entry->addr;
+ swap_entry->addr - swap_addr;
entry->size = swap_entry->size;
/* Convert old entry to RAM, align to pages. */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 229/272] tls: Preserve sk_err across recvmsg() when data has been copied
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 228/272] x86/xen: Fix xen_e820_swap_entry_with_ram() Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 230/272] net/mlx5: Do not restore destination-less TC rules Greg Kroah-Hartman
` (49 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Chuck Lever,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit f508262ae9f21fe0e6c0749948b9dc7dd5a62a70 ]
The sk_err check in tls_rx_rec_wait() consumes the error via
sock_error(), which clears sk_err atomically. When the caller
(tls_sw_recvmsg, tls_sw_splice_read, or tls_sw_read_sock) already
has bytes copied to userspace, it returns those bytes and discards
the error from this call. sk_err is now zero on the socket, so the
next read syscall observes only RCV_SHUTDOWN and reports a clean
EOF instead of the actual error (typically -ECONNRESET).
The race is reachable when tls_read_flush_backlog()'s periodic
sk_flush_backlog() triggers tcp_reset() in the middle of a
multi-record read.
Pass a has_copied flag to tls_rx_rec_wait(). When has_copied is
false, consume sk_err via sock_error() as before. When has_copied
is true, report the error from READ_ONCE() but leave sk_err set:
the caller returns the byte count and discards the err from this
call, and the next read syscall surfaces the preserved sk_err. This
mirrors the tcp_recvmsg() preserve-and-surface pattern.
The decrypt-abort path is unaffected: tls_err_abort() raises
sk_err to EBADMSG after tls_rx_rec_wait() returns, and nothing
on the caller's return path consumes it, so the EBADMSG surfaces
on the next read.
tls_sw_splice_read() passes has_copied=false: it processes
one record per call, so no bytes have been copied within the
function when tls_rx_rec_wait() runs. A reset that arrives
between iterations of splice_direct_to_actor() (the sendfile()
path) is still consumed by sock_error() in the later call, and the
outer loop returns the prior iterations' byte count and drops the
error. tcp_splice_read() exhibits the same pattern at the iteration
boundary; addressing it belongs at the splice_direct_to_actor()
layer and is out of scope here.
Fixes: c46b01839f7a ("tls: rx: periodically flush socket backlog")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patch.msgid.link/20260513125825.205189-1-cel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 7511cce76fbbf..129a8c778d32d 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1366,9 +1366,14 @@ void tls_sw_splice_eof(struct socket *sock)
mutex_unlock(&tls_ctx->tx_lock);
}
+/* When has_copied is true the caller has already moved bytes to
+ * userspace. Report sk_err but leave it set so the next read
+ * surfaces it instead of a spurious EOF, otherwise sk_err is
+ * consumed via sock_error().
+ */
static int
tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
- bool released)
+ bool released, bool has_copied)
{
struct tls_context *tls_ctx = tls_get_ctx(sk);
struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
@@ -1382,8 +1387,11 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
if (!sk_psock_queue_empty(psock))
return 0;
- if (sk->sk_err)
+ if (sk->sk_err) {
+ if (has_copied)
+ return -READ_ONCE(sk->sk_err);
return sock_error(sk);
+ }
if (ret < 0)
return ret;
@@ -1419,7 +1427,7 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
}
if (unlikely(!tls_strp_msg_load(&ctx->strp, released)))
- return tls_rx_rec_wait(sk, psock, nonblock, false);
+ return tls_rx_rec_wait(sk, psock, nonblock, false, has_copied);
return 1;
}
@@ -2077,7 +2085,7 @@ int tls_sw_recvmsg(struct sock *sk,
int to_decrypt, chunk;
err = tls_rx_rec_wait(sk, psock, flags & MSG_DONTWAIT,
- released);
+ released, !!(decrypted + copied));
if (err <= 0) {
if (psock) {
chunk = sk_msg_recvmsg(sk, psock, msg, len,
@@ -2264,7 +2272,7 @@ ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos,
struct tls_decrypt_arg darg;
err = tls_rx_rec_wait(sk, NULL, flags & SPLICE_F_NONBLOCK,
- true);
+ true, false);
if (err <= 0)
goto splice_read_end;
@@ -2350,7 +2358,7 @@ int tls_sw_read_sock(struct sock *sk, read_descriptor_t *desc,
} else {
struct tls_decrypt_arg darg;
- err = tls_rx_rec_wait(sk, NULL, true, released);
+ err = tls_rx_rec_wait(sk, NULL, true, released, !!copied);
if (err <= 0)
goto read_sock_end;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 230/272] net/mlx5: Do not restore destination-less TC rules
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 229/272] tls: Preserve sk_err across recvmsg() when data has been copied Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 231/272] scsi: sd: Fix return code handling in sd_spinup_disk() Greg Kroah-Hartman
` (48 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeroen Massar, Jianbo Liu,
Cosmin Ratiu, Tariq Toukan, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeroen Massar <jmassar@nvidia.com>
[ Upstream commit 8d0a5af8b1ba598e7340761729801624e7a9330e ]
After IPsec policy/state TX rules are added, any TC flow rule, which
forwards packets to uplink, is modified to forward to IPsec TX tables.
As these tables are destroyed dynamically, whenever there is no
reference to them, the destinations of this kind of rules must be
restored to uplink, unless there is no destination for that rule.
The flow rules FLOW_ACTION_ACCEPT, DROP, TRAP, GOTO and SAMPLE do not
have a destination port, and thus out_count = 0.
At cleanup time of the rules in mlx5_esw_ipsec_modify_flow_dests
we call mlx5_eswitch_restore_ipsec_rule but as the above types
do not have a destination we get an underflow of out_count, as
the port is passed, which is esw_attr->out_count - 1.
This change avoids calling mlx5_eswitch_restore_ipsec_rule when
there are no output destinations and thus avoids the underflow.
Fixes: d1569537a837 ("net/mlx5e: Modify and restore TC rules for IPSec TX rules")
Signed-off-by: Jeroen Massar <jmassar@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260513063302.333761-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
index 4bba2884c1c05..b4fec9d6bff41 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
@@ -142,7 +142,8 @@ static int mlx5_esw_ipsec_modify_flow_dests(struct mlx5_eswitch *esw,
attr = flow->attr;
esw_attr = attr->esw_attr;
- if (esw_attr->out_count - esw_attr->split_count > 1)
+ if (!esw_attr->out_count ||
+ esw_attr->out_count - esw_attr->split_count > 1)
return 0;
err = mlx5_eswitch_restore_ipsec_rule(esw, flow->rule[0], esw_attr,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 231/272] scsi: sd: Fix return code handling in sd_spinup_disk()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 230/272] net/mlx5: Do not restore destination-less TC rules Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 232/272] ALSA: scarlett2: Add missing error check when initialise Autogain Status Greg Kroah-Hartman
` (47 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Mike Christie,
Bart Van Assche, Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Christie <michael.christie@oracle.com>
[ Upstream commit 6ea68a8dc7d2711504d944811981a5304af7d7a9 ]
As found by smatch-ci, scsi_execute_cmd() can return negative or positve
values so we should use a int instead of unsigned int.
Fixes: b4d0c33a32c3 ("scsi: sd: Fix sshdr use in sd_spinup_disk")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/linux-scsi/agFbI7E6JQwd3wGW@stanley.mountain/T/#u
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260511175317.114007-1-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sd.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index f37f031971dfd..ab5cf8460aca5 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2392,8 +2392,7 @@ sd_spinup_disk(struct scsi_disk *sdkp)
{
static const u8 cmd[10] = { TEST_UNIT_READY };
unsigned long spintime_expire = 0;
- int spintime, sense_valid = 0;
- unsigned int the_result;
+ int the_result, spintime, sense_valid = 0;
struct scsi_sense_hdr sshdr;
struct scsi_failure failure_defs[] = {
/* Do not retry Medium Not Present */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 232/272] ALSA: scarlett2: Add missing error check when initialise Autogain Status
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 231/272] scsi: sd: Fix return code handling in sd_spinup_disk() Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 233/272] io_uring/net: punt IORING_OP_BIND async if it needs file create Greg Kroah-Hartman
` (46 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robertus Diawan Chris, Takashi Iwai,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robertus Diawan Chris <robertusdchris@gmail.com>
[ Upstream commit c0e4fffc0f474b7ed10adee4ab2bc1a66d36fc72 ]
When initialise new control with scarlett2_add_new_ctl() function for
Autogain Status, scarlett2_add_new_ctl() might throw an error. So, add
error check after initialise new control for Autogain Status.
This is reported by Coverity Scan with CID 1598781 as UNUSED_VALUE.
Fixes: 0a995e38dc44 ("ALSA: scarlett2: Add support for software-controllable input gain")
Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com>
Link: https://patch.msgid.link/20260508033914.111596-1-robertusdchris@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_scarlett2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c
index ef5945aa40e4a..d767a89e452d1 100644
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -6956,6 +6956,8 @@ static int scarlett2_add_line_in_ctls(struct usb_mixer_interface *mixer)
err = scarlett2_add_new_ctl(
mixer, &scarlett2_autogain_status_ctl,
i, 1, s, &private->autogain_status_ctls[i]);
+ if (err < 0)
+ return err;
}
/* Add autogain target controls */
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 233/272] io_uring/net: punt IORING_OP_BIND async if it needs file create
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 232/272] ALSA: scarlett2: Add missing error check when initialise Autogain Status Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 234/272] btrfs: fix squota accounting during enable generation Greg Kroah-Hartman
` (45 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriel Krisman Bertazi, Jens Axboe,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit ccd25890f73c082fe2657ed227b497d6ac5fdc40 ]
For two reasons:
1) An opcode cannot block inside io_uring_enter() doing submissions, as
it'll stall the submission side pipeline.
2) Ending up in sb_start_write() -> __sb_start_write() ->
percpu_down_read_freezable() introduces a new lockdep edge, which it
correctly complains about.
Check if the socket type is AF_UNIX and has a non-empty pathname. If it
does, mark it REQ_F_FORCE_ASYNC to punt the submission to io-wq rather
than attempt to do it inline.
Fixes: 7481fd93fa0a ("io_uring: Introduce IORING_OP_BIND")
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/net.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/io_uring/net.c b/io_uring/net.c
index 0b730c3a7de46..94b6a15245afb 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -4,6 +4,7 @@
#include <linux/file.h>
#include <linux/slab.h>
#include <linux/net.h>
+#include <linux/un.h>
#include <linux/compat.h>
#include <net/compat.h>
#include <linux/io_uring.h>
@@ -1785,11 +1786,29 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
return IOU_OK;
}
+/*
+ * Check if bind request would potentially end up with filename_create(),
+ * which in turn end up in mnt_want_write() which will grab the fs
+ * percpu start write sem. This can trigger a lockdep warning.
+ */
+static int io_bind_file_create(const struct io_async_msghdr *io, int addr_len)
+{
+ const struct sockaddr_un *sun;
+
+ if (io->addr.ss_family != AF_UNIX)
+ return 0;
+ if (addr_len <= offsetof(struct sockaddr_un, sun_path))
+ return 0;
+ sun = (const struct sockaddr_un *) &io->addr;
+ return sun->sun_path[0] != '\0';
+}
+
int io_bind_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
struct io_bind *bind = io_kiocb_to_cmd(req, struct io_bind);
struct sockaddr __user *uaddr;
struct io_async_msghdr *io;
+ int ret;
if (sqe->len || sqe->buf_index || sqe->rw_flags || sqe->splice_fd_in)
return -EINVAL;
@@ -1800,7 +1819,12 @@ int io_bind_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
io = io_msg_alloc_async(req);
if (unlikely(!io))
return -ENOMEM;
- return move_addr_to_kernel(uaddr, bind->addr_len, &io->addr);
+ ret = move_addr_to_kernel(uaddr, bind->addr_len, &io->addr);
+ if (unlikely(ret))
+ return ret;
+ if (io_bind_file_create(io, bind->addr_len))
+ req->flags |= REQ_F_FORCE_ASYNC;
+ return 0;
}
int io_bind(struct io_kiocb *req, unsigned int issue_flags)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 234/272] btrfs: fix squota accounting during enable generation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 233/272] io_uring/net: punt IORING_OP_BIND async if it needs file create Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 235/272] spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() Greg Kroah-Hartman
` (44 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov,
David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
[ Upstream commit d7c600554816b8ef70adffe078a0e360c055d82b ]
The first transaction that enables squotas is special and a bit tricky.
We have to set BTRFS_FS_QUOTA_ENABLED after the transaction to avoid a
deadlock, so any delayed refs that run before we set the bit are not
squota accounted. For data this is fine, we don't get an owner_ref, so
there is no real harm, it's as if the extent predated squotas. However
for metadata, the tree block will have gen == enable_gen so when we free
it later, we will decrement the squota accounting, which can result in
an underflow. Before it is freed, btrfs check shows errors, as we have
mismatched usage between the node generations/owners and the squota
values.
There are two angles to this fix:
1. For extents that come in delayed_refs that run during the
enable_gen transaction, we must actually set enable_gen to the *next*
transaction. That is the first transaction that we can really
properly account in any way.
2. For extents that come in between the end of our transaction handle
and the time we set the BTRFS_FS_QUOTA_ENABLED bit, we need an
additional bit, BTRFS_FS_SQUOTA_ENABLING which only affects recording
squota deltas, so we do pick up those extents. Otherwise, we would
miss them, even for enable_gen + 1.
Fixes: bd7c1ea3a302 ("btrfs: qgroup: check generation when recording simple quota delta")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/fs.h | 1 +
fs/btrfs/qgroup.c | 31 +++++++++++++++++++++++++++----
2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/fs.h b/fs/btrfs/fs.h
index 93ff1db75af48..c49ffaeee769a 100644
--- a/fs/btrfs/fs.h
+++ b/fs/btrfs/fs.h
@@ -114,6 +114,7 @@ enum {
BTRFS_FS_LOG_RECOVERING,
BTRFS_FS_OPEN,
BTRFS_FS_QUOTA_ENABLED,
+ BTRFS_FS_SQUOTA_ENABLING,
BTRFS_FS_UPDATE_UUID_TREE_GEN,
BTRFS_FS_CREATING_FREE_SPACE_TREE,
BTRFS_FS_BTREE_ERR,
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 71ccba22752cb..5b158eb25d181 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -1130,7 +1130,13 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
if (simple) {
fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE;
btrfs_set_fs_incompat(fs_info, SIMPLE_QUOTA);
- btrfs_set_qgroup_status_enable_gen(leaf, ptr, trans->transid);
+ /*
+ * Set the enable generation to the next transaction, as we cannot
+ * ensure that extents written during this transaction will see any
+ * state we have set here. So we should treat all extents of the
+ * transaction as coming in before squotas was enabled.
+ */
+ btrfs_set_qgroup_status_enable_gen(leaf, ptr, trans->transid + 1);
} else {
fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
}
@@ -1240,7 +1246,15 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
goto out_free_path;
}
- fs_info->qgroup_enable_gen = trans->transid;
+ /*
+ * Set fs_info->qgroup_enable_gen and BTRFS_FS_SQUOTA_ENABLING
+ * under the transaction handle. We want to ensure that all extents in
+ * the next transaction definitely see them.
+ */
+ if (simple) {
+ fs_info->qgroup_enable_gen = trans->transid + 1;
+ set_bit(BTRFS_FS_SQUOTA_ENABLING, &fs_info->flags);
+ }
mutex_unlock(&fs_info->qgroup_ioctl_lock);
/*
@@ -1254,9 +1268,15 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
*/
ret = btrfs_commit_transaction(trans);
trans = NULL;
+
mutex_lock(&fs_info->qgroup_ioctl_lock);
- if (ret)
+ if (ret) {
+ if (simple) {
+ clear_bit(BTRFS_FS_SQUOTA_ENABLING, &fs_info->flags);
+ fs_info->qgroup_enable_gen = 0;
+ }
goto out_free_path;
+ }
/*
* Set quota enabled flag after committing the transaction, to avoid
@@ -1266,6 +1286,8 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
spin_lock(&fs_info->qgroup_lock);
fs_info->quota_root = quota_root;
set_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags);
+ if (simple)
+ clear_bit(BTRFS_FS_SQUOTA_ENABLING, &fs_info->flags);
spin_unlock(&fs_info->qgroup_lock);
/* Skip rescan for simple qgroups. */
@@ -4966,7 +4988,8 @@ int btrfs_record_squota_delta(struct btrfs_fs_info *fs_info,
u64 num_bytes = delta->num_bytes;
const int sign = (delta->is_inc ? 1 : -1);
- if (btrfs_qgroup_mode(fs_info) != BTRFS_QGROUP_MODE_SIMPLE)
+ if (btrfs_qgroup_mode(fs_info) != BTRFS_QGROUP_MODE_SIMPLE &&
+ !test_bit(BTRFS_FS_SQUOTA_ENABLING, &fs_info->flags))
return 0;
if (!is_fstree(root))
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 235/272] spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 234/272] btrfs: fix squota accounting during enable generation Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 236/272] drm/msm/snapshot: fix dumping of the unaligned regions Greg Kroah-Hartman
` (43 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 496ba79b9496b8b3747cbc764ebd33ee7325e806 ]
When DMA read times out in mtk_snand_read_page_cache(), the original code
erroneously jumped to cleanup label which skips DMA unmapping and ECC
disable, causing a resource leak.
Fixes: 764f1b748164 ("spi: add driver for MTK SPI NAND Flash Interface")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260510-snfi-v1-1-bc375cf1af8e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-mtk-snfi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-mtk-snfi.c b/drivers/spi/spi-mtk-snfi.c
index 8234064921f36..20260f577f056 100644
--- a/drivers/spi/spi-mtk-snfi.c
+++ b/drivers/spi/spi-mtk-snfi.c
@@ -961,7 +961,7 @@ static int mtk_snand_read_page_cache(struct mtk_snand *snf,
&snf->op_done, usecs_to_jiffies(SNFI_POLL_INTERVAL))) {
dev_err(snf->dev, "DMA timed out for reading from cache.\n");
ret = -ETIMEDOUT;
- goto cleanup;
+ goto cleanup2;
}
// Wait for BUS_SEC_CNTR returning expected value
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 236/272] drm/msm/snapshot: fix dumping of the unaligned regions
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 235/272] spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 237/272] drm/xe/gsc: Fix double-free of managed BO in error path Greg Kroah-Hartman
` (42 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salendarsingh Gaud, Dmitry Baryshkov,
Rob Clark, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 76824d2467feb1828b745d6add2541918d7be3da ]
The snapshotting code internally aligns data segment to 16 bytes. This
works fine for DPU code (where most of the regions are aligned), but
fails for snapshotting of the DSI data (because DSI data region is
shifted by 4 bytes). Fix the code by removing length alignment and by
accurately printing last registers in the region. While reworking the
code also fix the 16x memory overallocation in
msm_disp_state_dump_regs().
Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
Reported-by: Salendarsingh Gaud <sgaud@qti.qualcomm.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/725449/
Message-ID: <20260516-msm-fix-dsi-dump-2-v2-1-9e49fb2d240e@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/msm/disp/msm_disp_snapshot_util.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
index 4d55e3cf570f0..a966a03167cc0 100644
--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
@@ -9,7 +9,7 @@
#include "msm_disp_snapshot.h"
-static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *base_addr)
+static void msm_disp_state_dump_regs(u32 **reg, u32 len, void __iomem *base_addr)
{
u32 len_padded;
u32 num_rows;
@@ -19,11 +19,11 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
void __iomem *end_addr;
int i;
- len_padded = aligned_len * REG_DUMP_ALIGN;
- num_rows = aligned_len / REG_DUMP_ALIGN;
+ len_padded = round_up(len, REG_DUMP_ALIGN);
+ num_rows = DIV_ROUND_UP(len, REG_DUMP_ALIGN);
addr = base_addr;
- end_addr = base_addr + aligned_len;
+ end_addr = base_addr + len;
if (!(*reg))
*reg = kvzalloc(len_padded, GFP_KERNEL);
@@ -51,8 +51,8 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
void __iomem *base_addr, struct drm_printer *p)
{
+ void __iomem *addr, *end_addr;
int i;
- void __iomem *addr;
u32 num_rows;
if (!dump_addr) {
@@ -61,6 +61,7 @@ static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
}
addr = base_addr;
+ end_addr = base_addr + len;
num_rows = len / REG_DUMP_ALIGN;
for (i = 0; i < num_rows; i++) {
@@ -70,6 +71,17 @@ static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
dump_addr[i * 4 + 2], dump_addr[i * 4 + 3]);
addr += REG_DUMP_ALIGN;
}
+
+ if (addr != end_addr) {
+ drm_printf(p, "0x%lx : %08x",
+ (unsigned long)(addr - base_addr),
+ dump_addr[i * 4]);
+ if (addr + 0x4 < end_addr)
+ drm_printf(p, " %08x", dump_addr[i * 4 + 1]);
+ if (addr + 0x8 < end_addr)
+ drm_printf(p, " %08x", dump_addr[i * 4 + 2]);
+ drm_printf(p, "\n");
+ }
}
void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p)
@@ -189,7 +201,7 @@ void msm_disp_snapshot_add_block(struct msm_disp_state *disp_state, u32 len,
va_end(va);
INIT_LIST_HEAD(&new_blk->node);
- new_blk->size = ALIGN(len, REG_DUMP_ALIGN);
+ new_blk->size = len;
new_blk->base_addr = base_addr;
msm_disp_state_dump_regs(&new_blk->state, new_blk->size, base_addr);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 237/272] drm/xe/gsc: Fix double-free of managed BO in error path
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 236/272] drm/msm/snapshot: fix dumping of the unaligned regions Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 238/272] drm/xe/vf: Fix signature of print functions Greg Kroah-Hartman
` (41 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniele Ceraolo Spurio,
Shuicheng Lin, Rodrigo Vivi, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit d3ded53fab90996e7d94a39049e11962dd066725 ]
The error path in xe_gsc_init_post_hwconfig() explicitly frees a BO
allocated with xe_managed_bo_create_pin_map() via
xe_bo_unpin_map_no_vm(). Since the managed BO already has a devm
cleanup action registered, this causes a double-free when devm
unwinds during probe failure.
Remove the explicit free and let devm handle it, consistent with
all other xe_managed_bo_create_pin_map() callers.
Fixes: 2e5d47fe7839 ("drm/xe/uc: Use managed bo for HuC and GSC objects")
Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Assisted-by: Claude:claude-opus-4.6
Link: https://patch.msgid.link/20260511154134.223696-1-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit 71d61e3e299a17139e47f980a4d6f425b2c59bf7)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gsc.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_gsc.c b/drivers/gpu/drm/xe/xe_gsc.c
index efc480d34c9dd..6786773f4560b 100644
--- a/drivers/gpu/drm/xe/xe_gsc.c
+++ b/drivers/gpu/drm/xe/xe_gsc.c
@@ -485,8 +485,7 @@ int xe_gsc_init_post_hwconfig(struct xe_gsc *gsc)
EXEC_QUEUE_FLAG_PERMANENT, 0);
if (IS_ERR(q)) {
xe_gt_err(gt, "Failed to create queue for GSC submission\n");
- err = PTR_ERR(q);
- goto out_bo;
+ return PTR_ERR(q);
}
wq = alloc_ordered_workqueue("gsc-ordered-wq", 0);
@@ -509,8 +508,6 @@ int xe_gsc_init_post_hwconfig(struct xe_gsc *gsc)
out_q:
xe_exec_queue_put(q);
-out_bo:
- xe_bo_unpin_map_no_vm(bo);
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 238/272] drm/xe/vf: Fix signature of print functions
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 237/272] drm/xe/gsc: Fix double-free of managed BO in error path Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 239/272] drm/xe/pf: Fix CFI failure in debugfs access Greg Kroah-Hartman
` (40 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Wajdeczko,
Mohanram Meenakshisundaram, Shuicheng Lin, Rodrigo Vivi,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Wajdeczko <michal.wajdeczko@intel.com>
[ Upstream commit 9bb2f1d7e6e58b8e434ddc2048c661bf87ccdf2a ]
We have plugged-in existing VF print functions into our GT debugfs
show helper as-is, but we missed that the helper expects functions
to return int, while they were defined as void. This can lead to
errors being reported when CFI is enabled.
Fixes: 63d8cb8fe3dd ("drm/xe/vf: Expose SR-IOV VF attributes to GT debugfs")
Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Cc: Mohanram Meenakshisundaram <mohanram.meenakshisundaram@intel.com>
Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com>
Link: https://patch.msgid.link/20260514155726.7165-1-michal.wajdeczko@intel.com
(cherry picked from commit 314e31c9a8a1c421ee4f7f755b9348aefbbca090)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 24 ++++++++++++++++++------
drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 6 +++---
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_vf.c b/drivers/gpu/drm/xe/xe_gt_sriov_vf.c
index 29badbd829ab6..3604d324550e0 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_vf.c
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_vf.c
@@ -959,13 +959,15 @@ void xe_gt_sriov_vf_write32(struct xe_gt *gt, struct xe_reg reg, u32 val)
}
/**
- * xe_gt_sriov_vf_print_config - Print VF self config.
+ * xe_gt_sriov_vf_print_config() - Print VF self config.
* @gt: the &xe_gt
* @p: the &drm_printer
*
* This function is for VF use only.
+ *
+ * Return: always 0.
*/
-void xe_gt_sriov_vf_print_config(struct xe_gt *gt, struct drm_printer *p)
+int xe_gt_sriov_vf_print_config(struct xe_gt *gt, struct drm_printer *p)
{
struct xe_gt_sriov_vf_selfconfig *config = >->sriov.vf.self_config;
struct xe_device *xe = gt_to_xe(gt);
@@ -987,16 +989,20 @@ void xe_gt_sriov_vf_print_config(struct xe_gt *gt, struct drm_printer *p)
drm_printf(p, "GuC contexts:\t%u\n", config->num_ctxs);
drm_printf(p, "GuC doorbells:\t%u\n", config->num_dbs);
+
+ return 0;
}
/**
- * xe_gt_sriov_vf_print_runtime - Print VF's runtime regs received from PF.
+ * xe_gt_sriov_vf_print_runtime() - Print VF's runtime regs received from PF.
* @gt: the &xe_gt
* @p: the &drm_printer
*
* This function is for VF use only.
+ *
+ * Return: always 0.
*/
-void xe_gt_sriov_vf_print_runtime(struct xe_gt *gt, struct drm_printer *p)
+int xe_gt_sriov_vf_print_runtime(struct xe_gt *gt, struct drm_printer *p)
{
struct vf_runtime_reg *vf_regs = gt->sriov.vf.runtime.regs;
unsigned int size = gt->sriov.vf.runtime.num_regs;
@@ -1005,16 +1011,20 @@ void xe_gt_sriov_vf_print_runtime(struct xe_gt *gt, struct drm_printer *p)
for (; size--; vf_regs++)
drm_printf(p, "%#x = %#x\n", vf_regs->offset, vf_regs->value);
+
+ return 0;
}
/**
- * xe_gt_sriov_vf_print_version - Print VF ABI versions.
+ * xe_gt_sriov_vf_print_version() - Print VF ABI versions.
* @gt: the &xe_gt
* @p: the &drm_printer
*
* This function is for VF use only.
+ *
+ * Return: always 0.
*/
-void xe_gt_sriov_vf_print_version(struct xe_gt *gt, struct drm_printer *p)
+int xe_gt_sriov_vf_print_version(struct xe_gt *gt, struct drm_printer *p)
{
struct xe_gt_sriov_vf_guc_version *guc_version = >->sriov.vf.guc_version;
struct xe_gt_sriov_vf_relay_version *pf_version = >->sriov.vf.pf_version;
@@ -1042,4 +1052,6 @@ void xe_gt_sriov_vf_print_version(struct xe_gt *gt, struct drm_printer *p)
GUC_RELAY_VERSION_LATEST_MAJOR, GUC_RELAY_VERSION_LATEST_MINOR);
drm_printf(p, "\thandshake:\t%u.%u\n",
pf_version->major, pf_version->minor);
+
+ return 0;
}
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_vf.h b/drivers/gpu/drm/xe/xe_gt_sriov_vf.h
index 576ff5e795a8b..cf745ea4ee99f 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_vf.h
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_vf.h
@@ -25,8 +25,8 @@ u64 xe_gt_sriov_vf_lmem(struct xe_gt *gt);
u32 xe_gt_sriov_vf_read32(struct xe_gt *gt, struct xe_reg reg);
void xe_gt_sriov_vf_write32(struct xe_gt *gt, struct xe_reg reg, u32 val);
-void xe_gt_sriov_vf_print_config(struct xe_gt *gt, struct drm_printer *p);
-void xe_gt_sriov_vf_print_runtime(struct xe_gt *gt, struct drm_printer *p);
-void xe_gt_sriov_vf_print_version(struct xe_gt *gt, struct drm_printer *p);
+int xe_gt_sriov_vf_print_config(struct xe_gt *gt, struct drm_printer *p);
+int xe_gt_sriov_vf_print_runtime(struct xe_gt *gt, struct drm_printer *p);
+int xe_gt_sriov_vf_print_version(struct xe_gt *gt, struct drm_printer *p);
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 239/272] drm/xe/pf: Fix CFI failure in debugfs access
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 238/272] drm/xe/vf: Fix signature of print functions Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 240/272] wifi: ath11k: fix peer resolution on rx path when peer_id=0 Greg Kroah-Hartman
` (39 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mohanram Meenakshisundaram,
Michal Wajdeczko, Rodrigo Vivi, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohanram Meenakshisundaram <mohanram.meenakshisundaram@intel.com>
[ Upstream commit 96bf49b526e2d03a2b7f6e861925a08f46ed0d28 ]
Reading debugfs file (/sys/kernel/debug/dri/0/gt*/pf/adverse_events)
with CFI (Control Flow Integrity) enabled, the kernel panics at
xe_gt_debugfs_simple_show+0x82/0xc0.
xe_gt_debugfs_simple_show() declare a function pointer expecting int
return type, but xe_gt_sriov_pf_monitor_print_events() is void return
type, leading to CFI failure and kernel panic.
[507620.973657] CFI failure at xe_gt_debugfs_simple_show+0x82/0xc0 [xe]
(target: xe_gt_sriov_pf_monitor_print_events+0x0/0x130 [xe]; expected
type: 0xd72c7139)
Fix xe_gt_sriov_pf_monitor_print_events() function by updating to return
an int type.
Fixes: 1c99d3d3edab ("drm/xe/pf: Expose PF monitor details via debugfs")
Signed-off-by: Mohanram Meenakshisundaram <mohanram.meenakshisundaram@intel.com>
Reviewed-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Link: https://patch.msgid.link/20260514174918.1556357-2-mohanram.meenakshisundaram@intel.com
(cherry picked from commit ff1d386a8359746d9699ac30336e3b0684c68958)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.c | 6 +++++-
drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.h | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.c b/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.c
index 7d532bded02a8..a85ba44353789 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.c
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.c
@@ -114,8 +114,10 @@ int xe_gt_sriov_pf_monitor_process_guc2pf(struct xe_gt *gt, const u32 *msg, u32
* VFs with no events are not printed.
*
* This function can only be called on PF.
+ *
+ * Return: always 0
*/
-void xe_gt_sriov_pf_monitor_print_events(struct xe_gt *gt, struct drm_printer *p)
+int xe_gt_sriov_pf_monitor_print_events(struct xe_gt *gt, struct drm_printer *p)
{
unsigned int n, total_vfs = xe_gt_sriov_pf_get_totalvfs(gt);
const struct xe_gt_sriov_monitor *data;
@@ -144,4 +146,6 @@ void xe_gt_sriov_pf_monitor_print_events(struct xe_gt *gt, struct drm_printer *p
#undef __format
#undef __value
}
+
+ return 0;
}
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.h b/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.h
index 7ca9351a271b7..0b8f088d3a16a 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.h
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_pf_monitor.h
@@ -13,7 +13,7 @@ struct drm_printer;
struct xe_gt;
void xe_gt_sriov_pf_monitor_flr(struct xe_gt *gt, u32 vfid);
-void xe_gt_sriov_pf_monitor_print_events(struct xe_gt *gt, struct drm_printer *p);
+int xe_gt_sriov_pf_monitor_print_events(struct xe_gt *gt, struct drm_printer *p);
#ifdef CONFIG_PCI_IOV
int xe_gt_sriov_pf_monitor_process_guc2pf(struct xe_gt *gt, const u32 *msg, u32 len);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 240/272] wifi: ath11k: fix peer resolution on rx path when peer_id=0
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 239/272] drm/xe/pf: Fix CFI failure in debugfs access Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 241/272] ice: ptp: serialize E825 PHY timer start with PTP lock Greg Kroah-Hartman
` (38 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang, Matthew Leach,
P Praneesh, Jeff Johnson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Leach <matthew.leach@collabora.com>
[ Upstream commit 2a2451a34afdf563b3102d36a4b6cf335cf813e2 ]
It has been observed that on certain chipsets a peer can be assigned
peer_id=0. For reception of non-aggregated MPDUs this is fine as
ath11k_dp_rx_h_find_peer() has a fallback case where it locates the peer
based upon the source MAC address. On an aggregated link, the mpdu_start
header is only populated by hardware on the first sub-MSDU. This causes
the peer resolution to be skipped for the subsequent MSDUs and the
encryption type of these frames to be set to an incorrect value,
resulting in these MSDUs being dropped by ieee80211.
ath11k_pci 0000:03:00.0: data rx skb 000000002f4b704d len 1534 peer xx:xx:xx:xx:xx:xx 0 ucast sn 3063 he160 rate_idx 9 vht_nss 2 freq 5240 band 1 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0 peer_id 0 first_msdu 1 last_msdu 0
ath11k_pci 0000:03:00.0: data rx skb 0000000038acd580 len 1534 peer (null) 0 ucast sn 3063 he160 rate_idx 9 vht_nss 2 freq 5240 band 1 flag 0x40d00 fcs-err 0 mic-err 0 amsdu-more 0 peer_id 0 first_msdu 0 last_msdu 1
Remove the null peer_id checks in ath11k_dp_rx_h_find_peer() and
ath11k_hal_rx_parse_mon_status_tlv(), allowing peers with an assigned ID
of 0 to be resolved.
Tested-on: QCA2066 hw2.1 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.9
Fixes: 2167fa606c0f ("ath11k: Add support for RX decapsulation offload")
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Signed-off-by: Matthew Leach <matthew.leach@collabora.com>
Reviewed-by: P Praneesh <praneesh.p@oss.qualcomm.com>
Link: https://patch.msgid.link/20260424-ath11k-null-peerid-workaround-v4-1-252b224d3cf6@collabora.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +--
drivers/net/wireless/ath/ath11k/hal_rx.c | 5 +----
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index e3eabd9e223aa..78b0fa8d4f339 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2214,8 +2214,7 @@ ath11k_dp_rx_h_find_peer(struct ath11k_base *ab, struct sk_buff *msdu)
lockdep_assert_held(&ab->base_lock);
- if (rxcb->peer_id)
- peer = ath11k_peer_find_by_id(ab, rxcb->peer_id);
+ peer = ath11k_peer_find_by_id(ab, rxcb->peer_id);
if (peer)
return peer;
diff --git a/drivers/net/wireless/ath/ath11k/hal_rx.c b/drivers/net/wireless/ath/ath11k/hal_rx.c
index 753bd93f02123..51e0840bc0d1e 100644
--- a/drivers/net/wireless/ath/ath11k/hal_rx.c
+++ b/drivers/net/wireless/ath/ath11k/hal_rx.c
@@ -1467,11 +1467,8 @@ ath11k_hal_rx_parse_mon_status_tlv(struct ath11k_base *ab,
case HAL_RX_MPDU_START: {
struct hal_rx_mpdu_info *mpdu_info =
(struct hal_rx_mpdu_info *)tlv_data;
- u16 peer_id;
- peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);
- if (peer_id)
- ppdu_info->peer_id = peer_id;
+ ppdu_info->peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);
break;
}
case HAL_RXPCU_PPDU_END_INFO: {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 241/272] ice: ptp: serialize E825 PHY timer start with PTP lock
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 240/272] wifi: ath11k: fix peer resolution on rx path when peer_id=0 Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 242/272] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP Greg Kroah-Hartman
` (37 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arkadiusz Kubalewski, Grzegorz Nitka,
Aleksandr Loktionov, Alexander Nowlin, Tony Nguyen,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
[ Upstream commit 781ff8f2d575a794a2a4f11605288ae06757f5eb ]
ice_start_phy_timer_eth56g() programs TIMETUS registers and issues
INIT_INCVAL without holding the global PTP semaphore.
This allows concurrent PTP command paths to interleave with PHY timer
start, which can make the sequence fail and leave timer initialization
inconsistent.
Take the PTP lock around TIMETUS registers programming and INIT_INCVAL
command execution, and make sure the lock is released on all error paths.
Keep the subsequent sync step outside of this critical section, since
ice_sync_phy_timer_eth56g() takes the same semaphore internally.
Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Reviewed-by: Arkadiusz Kubalewski <Arkadiusz.kubalewski@intel.com>
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-5-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index 478ee1c540142..9bf34fc28533e 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -2597,16 +2597,23 @@ int ice_start_phy_timer_eth56g(struct ice_hw *hw, u8 port)
hi = rd32(hw, GLTSYN_INCVAL_H(tmr_idx));
incval = (u64)hi << 32 | lo;
+ if (!ice_ptp_lock(hw)) {
+ dev_err(ice_hw_to_dev(hw), "Failed to acquire PTP semaphore\n");
+ return -EBUSY;
+ }
+
err = ice_write_40b_ptp_reg_eth56g(hw, port, PHY_REG_TIMETUS_L, incval);
if (err)
- return err;
+ goto err_ptp_unlock;
err = ice_ptp_one_port_cmd(hw, port, ICE_PTP_INIT_INCVAL);
if (err)
- return err;
+ goto err_ptp_unlock;
ice_ptp_exec_tmr_cmd(hw);
+ ice_ptp_unlock(hw);
+
err = ice_sync_phy_timer_eth56g(hw, port);
if (err)
return err;
@@ -2622,6 +2629,10 @@ int ice_start_phy_timer_eth56g(struct ice_hw *hw, u8 port)
ice_debug(hw, ICE_DBG_PTP, "Enabled clock on PHY port %u\n", port);
return 0;
+
+err_ptp_unlock:
+ ice_ptp_unlock(hw);
+ return err;
}
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 242/272] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 241/272] ice: ptp: serialize E825 PHY timer start with PTP lock Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 243/272] kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme Greg Kroah-Hartman
` (36 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mitul Golani, Ankit Nautiyal,
Ville Syrjälä, Tvrtko Ursulin, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
[ Upstream commit f87abd0c6604fb6cc31cc86fc7ccc6a576924352 ]
Correct the bit-shift logic to properly readback the 10 bit target_rr from
DB3 and DB4.
v2: Align the style with readback for vtotal. (Ville)
Fixes: 12ea89291603 ("drm/i915/dp: Add Read/Write support for Adaptive Sync SDP")
Cc: Mitul Golani <mitulkumar.ajitkumar.golani@intel.com>
Cc: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260511123218.1589830-2-ankit.k.nautiyal@intel.com
(cherry picked from commit f7abc4af2b19240a145a221461dfe756cc01d74a)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
index 756bb0b1c83be..bb5a2a40b64c6 100644
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -4583,7 +4583,7 @@ int intel_dp_as_sdp_unpack(struct drm_dp_as_sdp *as_sdp,
as_sdp->length = sdp->sdp_header.HB3 & DP_ADAPTIVE_SYNC_SDP_LENGTH;
as_sdp->mode = sdp->db[0] & DP_ADAPTIVE_SYNC_SDP_OPERATION_MODE;
as_sdp->vtotal = (sdp->db[2] << 8) | sdp->db[1];
- as_sdp->target_rr = (u64)sdp->db[3] | ((u64)sdp->db[4] & 0x3);
+ as_sdp->target_rr = ((sdp->db[4] & 0x3) << 8) | sdp->db[3];
as_sdp->target_rr_divider = sdp->db[4] & 0x20 ? true : false;
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 243/272] kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 242/272] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 244/272] net: dsa: mt7530: fix FDB entries not aging out with short timeout Greg Kroah-Hartman
` (35 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Viktor Jägersküpper, Nathan Chancellor, Nicolas Schier,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
[ Upstream commit 202550713128da20d9381d6d2dc0f6b73839f434 ]
The package versioning scheme does not enable smooth upgrades from "rc"
releases to the corresponding stable releases (e.g. 7.0.0-rc7 -> 7.0.0)
because pacman considers that a downgrade due to the underscore in
pkgver (e.g. 7.0.0_rc7), see e.g. vercmp(8) for an explanation of the
package version comparison used by pacman. Package versions which are
derived from said releases (e.g. built from git revisions) are
similarly affected. Fix this by modifying pkgver in order to remove the
hyphen from kernel versions containing "-rcN", where N is a
non-negative integer.
Acked-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20260515215913.92481-1-viktor_jaegerskuepper@freenet.de
Fixes: c8578539deba ("kbuild: add script and target to generate pacman package")
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/package/PKGBUILD | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/package/PKGBUILD b/scripts/package/PKGBUILD
index dca706617adc7..e7a077d483347 100644
--- a/scripts/package/PKGBUILD
+++ b/scripts/package/PKGBUILD
@@ -10,7 +10,7 @@ for pkg in $_extrapackages; do
pkgname+=("${pkgbase}-${pkg}")
done
-pkgver="${KERNELRELEASE//-/_}"
+pkgver="$(echo "${KERNELRELEASE}" | sed 's/-\(rc[0-9]\+\)/\1/;s/-/_/g')"
# The PKGBUILD is evaluated multiple times.
# Running scripts/build-version from here would introduce inconsistencies.
pkgrel="${KBUILD_REVISION}"
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 244/272] net: dsa: mt7530: fix FDB entries not aging out with short timeout
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 243/272] kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 245/272] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames Greg Kroah-Hartman
` (34 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Golle, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit e824e40d0e841fab66ab7897d6c7b14dc81c66a7 ]
The DSA forwarding selftests bridge_vlan_aware.sh and
bridge_vlan_unaware.sh configure the bridge with ageing_time set to
LOW_AGEING_TIME (1000 centiseconds, i.e. 10 seconds) and then run
learning_test() in lib.sh, which expects a learned FDB entry to be
removed after ageing_time + 10 seconds. On MT7530/MT7531 the entry
persisted past the deadline and the "Found FDB record when should
not" assertion failed.
With msecs=10000, the algorithm in mt7530_set_ageing_time() finds
AGE_CNT=0 and AGE_UNIT=9 as the first exact match (starting the
search from tmp_age_count=0). The per-entry aging counter is
initialized to AGE_CNT when a MAC address is learned, so with
AGE_CNT=0 new entries start with a counter value of 0, which the
hardware treats as "already aged" and never removes, effectively
disabling aging.
Fix this by starting the search from tmp_age_count=1 to ensure
entries always have a non-zero initial aging counter. For a
10-second ageing time this yields AGE_CNT=1 and AGE_UNIT=4 instead:
the timer ticks every 5 seconds and entries are removed after 2
ticks.
Starting the search at AGE_CNT=1 raises the minimum representable
ageing time from 1 to 2 seconds. Without bounds, a stale ageing_time
of 1 second would now make the loop fall through without setting
age_count and age_unit, leaving them uninitialized when written to
the MT7530_AAC hardware register. Set ds->ageing_time_min and
ds->ageing_time_max so the DSA core validates the range before the
callback is invoked, and drop the now-redundant range check from
mt7530_set_ageing_time().
Fixes: ea6d5c924e39 ("net: dsa: mt7530: support setting ageing time")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Link: https://patch.msgid.link/7788ded12dc07b1bce329ec35fa70f4b45f3f9b7.1778766629.git.daniel@makrotopia.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mt7530.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
index 93bf085a61d39..7187efb41dbc8 100644
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -828,12 +828,16 @@ mt7530_set_ageing_time(struct dsa_switch *ds, unsigned int msecs)
unsigned int age_count;
unsigned int age_unit;
- /* Applied timer is (AGE_CNT + 1) * (AGE_UNIT + 1) seconds */
- if (secs < 1 || secs > (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1))
- return -ERANGE;
-
- /* iterate through all possible age_count to find the closest pair */
- for (tmp_age_count = 0; tmp_age_count <= AGE_CNT_MAX; ++tmp_age_count) {
+ /* Applied timer is (AGE_CNT + 1) * (AGE_UNIT + 1) seconds.
+ * The DSA core has already validated the range using
+ * ds->ageing_time_min and ds->ageing_time_max.
+ *
+ * Iterate through all possible age_count values to find the closest
+ * pair. Start from 1 because the per-entry aging counter is
+ * initialized to AGE_CNT and a value of 0 means the entry will
+ * never be aged out.
+ */
+ for (tmp_age_count = 1; tmp_age_count <= AGE_CNT_MAX; ++tmp_age_count) {
unsigned int tmp_age_unit = secs / (tmp_age_count + 1) - 1;
if (tmp_age_unit <= AGE_UNIT_MAX) {
@@ -2353,6 +2357,8 @@ mt7530_setup(struct dsa_switch *ds)
ds->assisted_learning_on_cpu_port = true;
ds->mtu_enforcement_ingress = true;
+ ds->ageing_time_min = 2 * 1000;
+ ds->ageing_time_max = (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1) * 1000;
if (priv->id == ID_MT7530) {
regulator_set_voltage(priv->core_pwr, 1000000, 1000000);
@@ -2542,6 +2548,8 @@ mt7531_setup_common(struct dsa_switch *ds)
ds->assisted_learning_on_cpu_port = true;
ds->mtu_enforcement_ingress = true;
+ ds->ageing_time_min = 2 * 1000;
+ ds->ageing_time_max = (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1) * 1000;
mt753x_trap_frames(priv);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 245/272] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 244/272] net: dsa: mt7530: fix FDB entries not aging out with short timeout Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 246/272] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer Greg Kroah-Hartman
` (33 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle, Chester A. Unal,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit 3ac85bcfd404b588298c95c6fba8aad4ad334f57 ]
The BPC, RGAC1 and RGAC2 registers control the handling of link-local
frames with reserved MAC DAs (01:80:C2:00:00:0x). These frames are
correctly trapped to the CPU port, but the egress VLAN tag attribute was
set to MT7530_VLAN_EG_UNTAGGED which causes the switch to strip any
VLAN tags from trapped frames before they reach the CPU.
This causes VLAN-tagged link-local frames (STP BPDUs, LLDP, PTP Peer
Delay Requests) to arrive at the CPU without their VLAN tag, so they
are delivered to the base network interface instead of the VLAN
sub-interface. The DSA local_termination selftest confirms this: all
link-local protocol tests on VLAN upper interfaces fail.
Set the EG_TAG attribute to MT7530_VLAN_EG_DISABLED (system default)
so that the switch does not modify VLAN tags in trapped frames. This
way VLAN-tagged frames retain their original tag and are delivered to
the correct VLAN sub-interface, matching the behavior of non-trapped
frames which pass through without VLAN tag modification.
Fixes: 69ddba9d170b ("net: dsa: mt7530: fix handling of all link-local frames")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Chester A. Unal <chester.a.unal@arinc9.com>
Link: https://patch.msgid.link/891e0cd34db2a5fe20ceb73283a81fb5f71427ca.1778766629.git.daniel@makrotopia.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mt7530.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
index 7187efb41dbc8..21437ce57b64f 100644
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -1105,37 +1105,40 @@ static void mt7530_setup_port5(struct dsa_switch *ds, phy_interface_t interface)
static void
mt753x_trap_frames(struct mt7530_priv *priv)
{
- /* Trap 802.1X PAE frames and BPDUs to the CPU port(s) and egress them
- * VLAN-untagged.
+ /* Trap 802.1X PAE frames and BPDUs to the CPU port(s) and egress
+ * them with the EG_TAG attribute set to disabled (system default)
+ * so that any VLAN tags in the frame are not modified by the
+ * switch egress VLAN tag processing. This preserves VLAN tags
+ * for reception on VLAN sub-interfaces.
*/
mt7530_rmw(priv, MT753X_BPC,
PAE_BPDU_FR | PAE_EG_TAG_MASK | PAE_PORT_FW_MASK |
BPDU_EG_TAG_MASK | BPDU_PORT_FW_MASK,
- PAE_BPDU_FR | PAE_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ PAE_BPDU_FR | PAE_EG_TAG(MT7530_VLAN_EG_DISABLED) |
PAE_PORT_FW(TO_CPU_FW_CPU_ONLY) |
- BPDU_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ BPDU_EG_TAG(MT7530_VLAN_EG_DISABLED) |
TO_CPU_FW_CPU_ONLY);
- /* Trap frames with :01 and :02 MAC DAs to the CPU port(s) and egress
- * them VLAN-untagged.
+ /* Trap frames with :01 and :02 MAC DAs to the CPU port(s) and
+ * egress them with EG_TAG disabled.
*/
mt7530_rmw(priv, MT753X_RGAC1,
R02_BPDU_FR | R02_EG_TAG_MASK | R02_PORT_FW_MASK |
R01_BPDU_FR | R01_EG_TAG_MASK | R01_PORT_FW_MASK,
- R02_BPDU_FR | R02_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R02_BPDU_FR | R02_EG_TAG(MT7530_VLAN_EG_DISABLED) |
R02_PORT_FW(TO_CPU_FW_CPU_ONLY) | R01_BPDU_FR |
- R01_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R01_EG_TAG(MT7530_VLAN_EG_DISABLED) |
TO_CPU_FW_CPU_ONLY);
- /* Trap frames with :03 and :0E MAC DAs to the CPU port(s) and egress
- * them VLAN-untagged.
+ /* Trap frames with :03 and :0E MAC DAs to the CPU port(s) and
+ * egress them with EG_TAG disabled.
*/
mt7530_rmw(priv, MT753X_RGAC2,
R0E_BPDU_FR | R0E_EG_TAG_MASK | R0E_PORT_FW_MASK |
R03_BPDU_FR | R03_EG_TAG_MASK | R03_PORT_FW_MASK,
- R0E_BPDU_FR | R0E_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R0E_BPDU_FR | R0E_EG_TAG(MT7530_VLAN_EG_DISABLED) |
R0E_PORT_FW(TO_CPU_FW_CPU_ONLY) | R03_BPDU_FR |
- R03_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R03_EG_TAG(MT7530_VLAN_EG_DISABLED) |
TO_CPU_FW_CPU_ONLY);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 246/272] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 245/272] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 247/272] platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 Greg Kroah-Hartman
` (32 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit 35f0f0a2536a4d604b4dbad92c85c4a8fdebb870 ]
In mana_hwc_rx_event_handler(), resp->response.hwc_msg_id is read from
DMA-coherent memory and bounds-checked, then mana_hwc_handle_resp()
re-reads the same field from the same DMA buffer for test_bit() and
pointer arithmetic.
DMA-coherent memory is mapped uncacheable on x86 and is shared,
unencrypted, in Confidential VMs (SEV-SNP/TDX), so each load goes
directly to host-visible memory. A H/W can modify the value
between the check and the use, bypassing the bounds validation.
Fix this by reading hwc_msg_id exactly once using READ_ONCE() into a
stack-local variable in mana_hwc_rx_event_handler(), and passing the
validated value as a parameter to mana_hwc_handle_resp().
Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260514194156.466823-1-ernis@linux.microsoft.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/microsoft/mana/hw_channel.c | 23 +++++++++++--------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
index e07d0a9529782..f8971844e6d8e 100644
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -76,21 +76,19 @@ static int mana_hwc_post_rx_wqe(const struct hwc_wq *hwc_rxq,
}
static void mana_hwc_handle_resp(struct hw_channel_context *hwc, u32 resp_len,
- struct hwc_work_request *rx_req)
+ struct hwc_work_request *rx_req, u16 msg_id)
{
const struct gdma_resp_hdr *resp_msg = rx_req->buf_va;
struct hwc_caller_ctx *ctx;
int err;
- if (!test_bit(resp_msg->response.hwc_msg_id,
- hwc->inflight_msg_res.map)) {
- dev_err(hwc->dev, "hwc_rx: invalid msg_id = %u\n",
- resp_msg->response.hwc_msg_id);
+ if (!test_bit(msg_id, hwc->inflight_msg_res.map)) {
+ dev_err(hwc->dev, "hwc_rx: invalid msg_id = %u\n", msg_id);
mana_hwc_post_rx_wqe(hwc->rxq, rx_req);
return;
}
- ctx = hwc->caller_ctx + resp_msg->response.hwc_msg_id;
+ ctx = hwc->caller_ctx + msg_id;
err = mana_hwc_verify_resp_msg(ctx, resp_msg, resp_len);
if (err)
goto out;
@@ -219,6 +217,7 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id,
struct gdma_sge *sge;
u64 rq_base_addr;
u64 rx_req_idx;
+ u16 msg_id;
u8 *wqe;
if (WARN_ON_ONCE(hwc_rxq->gdma_wq->id != gdma_rxq_id))
@@ -237,13 +236,17 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id,
rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx];
resp = (struct gdma_resp_hdr *)rx_req->buf_va;
- if (resp->response.hwc_msg_id >= hwc->num_inflight_msg) {
- dev_err(hwc->dev, "HWC RX: wrong msg_id=%u\n",
- resp->response.hwc_msg_id);
+ /* Read msg_id once from DMA buffer to prevent TOCTOU:
+ * DMA memory is shared/unencrypted in CVMs - host can
+ * modify it between reads.
+ */
+ msg_id = READ_ONCE(resp->response.hwc_msg_id);
+ if (msg_id >= hwc->num_inflight_msg) {
+ dev_err(hwc->dev, "HWC RX: wrong msg_id=%u\n", msg_id);
return;
}
- mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, rx_req);
+ mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, rx_req, msg_id);
/* Can no longer use 'resp', because the buffer is posted to the HW
* in mana_hwc_handle_resp() above.
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 247/272] platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 246/272] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 248/272] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL Greg Kroah-Hartman
` (31 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver White, Ilpo Järvinen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver White <oliverjwhite07@gmail.com>
[ Upstream commit 0488073a6c84571dd3cffe581a4a73a5fceb099d ]
Surface Laptop 7 exposes battery and AC status via Qualcomm PMIC GLINK
qcom_battmgr. Registering the standard SSAM battery and AC client
devices on this platform causes duplicate power-supply devices to
appear.
Drop the SSAM battery and AC nodes from the Surface Laptop 7 registry
group so that only the qcom_battmgr power supplies are instantiated.
Fixes: b27622f13172 ("platform/surface: Add OF support")
Signed-off-by: Oliver White <oliverjwhite07@gmail.com>
Link: https://patch.msgid.link/20260409034347.17381-1-oliverjwhite07@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/surface/surface_aggregator_registry.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/platform/surface/surface_aggregator_registry.c b/drivers/platform/surface/surface_aggregator_registry.c
index 25c8aa2131d63..9826feb9c2825 100644
--- a/drivers/platform/surface/surface_aggregator_registry.c
+++ b/drivers/platform/surface/surface_aggregator_registry.c
@@ -295,8 +295,6 @@ static const struct software_node *ssam_node_group_sl6[] = {
/* Devices for Surface Laptop 7. */
static const struct software_node *ssam_node_group_sl7[] = {
&ssam_node_root,
- &ssam_node_bat_ac,
- &ssam_node_bat_main,
&ssam_node_tmp_perf_profile_with_fan,
&ssam_node_fan_speed,
&ssam_node_hid_sam_keyboard,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 248/272] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 247/272] platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 249/272] platform/x86: hp_accel: Check ACPI_COMPANION() " Greg Kroah-Hartman
` (30 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit e7a9a6ea40e352cd7977f6a8c80bdeadf65ad838 ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_HANDLE() check against NULL to the
platform/x86 adv_swbutton driver.
Fixes: 3d904005f686 ("platform/x86: add support for Advantech software defined button")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/5115425.31r3eYUQgx@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/adv_swbutton.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/adv_swbutton.c b/drivers/platform/x86/adv_swbutton.c
index 6b23ba78e028f..f7bc252650d5a 100644
--- a/drivers/platform/x86/adv_swbutton.c
+++ b/drivers/platform/x86/adv_swbutton.c
@@ -48,10 +48,14 @@ static int adv_swbutton_probe(struct platform_device *device)
{
struct adv_swbutton *button;
struct input_dev *input;
- acpi_handle handle = ACPI_HANDLE(&device->dev);
+ acpi_handle handle;
acpi_status status;
int error;
+ handle = ACPI_HANDLE(&device->dev);
+ if (!handle)
+ return -ENODEV;
+
button = devm_kzalloc(&device->dev, sizeof(*button), GFP_KERNEL);
if (!button)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 249/272] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 248/272] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 250/272] platform/x86: intel-hid: Check ACPI_HANDLE() " Greg Kroah-Hartman
` (29 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit abfbe5ee8ae89f1f5449790423d5dd3e423545bd ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_COMPANION() check against NULL to the
platform/x86 hp_accel driver.
Fixes: 8ebcb6c94c71 ("platform/x86: hp_accel: Convert to be a platform driver")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/2425918.ElGaqSPkdT@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp_accel.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/platform/x86/hp/hp_accel.c b/drivers/platform/x86/hp/hp_accel.c
index 52535576772ad..aeedc77bed7fc 100644
--- a/drivers/platform/x86/hp/hp_accel.c
+++ b/drivers/platform/x86/hp/hp_accel.c
@@ -300,6 +300,9 @@ static int lis3lv02d_probe(struct platform_device *device)
int ret;
lis3_dev.bus_priv = ACPI_COMPANION(&device->dev);
+ if (!lis3_dev.bus_priv)
+ return -ENODEV;
+
lis3_dev.init = lis3lv02d_acpi_init;
lis3_dev.read = lis3lv02d_acpi_read;
lis3_dev.write = lis3lv02d_acpi_write;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 250/272] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 249/272] platform/x86: hp_accel: Check ACPI_COMPANION() " Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 251/272] platform/x86: intel-vbtn: " Greg Kroah-Hartman
` (28 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 5c69e090ae5dd93d910f70db0796357080707d26 ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_HANDLE() check against NULL to the
platform/x86 intel-hid driver.
Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/1971512.tdWV9SEqCh@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index 0e81904548f36..7d0c5b986b259 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -673,12 +673,16 @@ static bool button_array_present(struct platform_device *device)
static int intel_hid_probe(struct platform_device *device)
{
- acpi_handle handle = ACPI_HANDLE(&device->dev);
unsigned long long mode, dummy;
struct intel_hid_priv *priv;
+ acpi_handle handle;
acpi_status status;
int err;
+ handle = ACPI_HANDLE(&device->dev);
+ if (!handle)
+ return -ENODEV;
+
intel_hid_init_dsm(handle);
if (!intel_hid_evaluate_method(handle, INTEL_HID_DSM_HDMM_FN, &mode)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 251/272] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 250/272] platform/x86: intel-hid: Check ACPI_HANDLE() " Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 252/272] RDMA/rtrs: Fix use-after-free in path file creation cleanup Greg Kroah-Hartman
` (27 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit a9f305c5a355efeb240d406d378491d9eec02d07 ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_HANDLE() check against NULL to the
platform/x86 intel-vbtn driver.
Fixes: 26173179fae1 ("platform/x86: intel-vbtn: Eval VBDL after registering our notifier")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/3426431.aeNJFYEL58@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/vbtn.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/vbtn.c b/drivers/platform/x86/intel/vbtn.c
index a353e830b65fd..d64aac2895f37 100644
--- a/drivers/platform/x86/intel/vbtn.c
+++ b/drivers/platform/x86/intel/vbtn.c
@@ -275,12 +275,16 @@ static bool intel_vbtn_has_switches(acpi_handle handle, bool dual_accel)
static int intel_vbtn_probe(struct platform_device *device)
{
- acpi_handle handle = ACPI_HANDLE(&device->dev);
bool dual_accel, has_buttons, has_switches;
struct intel_vbtn_priv *priv;
+ acpi_handle handle;
acpi_status status;
int err;
+ handle = ACPI_HANDLE(&device->dev);
+ if (!handle)
+ return -ENODEV;
+
dual_accel = dual_accel_detect();
has_buttons = acpi_has_method(handle, "VBDL");
has_switches = intel_vbtn_has_switches(handle, dual_accel);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 252/272] RDMA/rtrs: Fix use-after-free in path file creation cleanup
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 251/272] platform/x86: intel-vbtn: " Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 253/272] net: bridge: Flush multicast groups when snooping is disabled Greg Kroah-Hartman
` (26 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Leon Romanovsky,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
[ Upstream commit 5b74373390113fba798a76b483837029ab010fef ]
In the error path of rtrs_srv_create_path_files(), the sysfs root folders
may already have been created and srv_path->kobj may already have been
initialized. If a later step fails, the cleanup currently calls
kobject_put(&srv_path->kobj) before
rtrs_srv_destroy_once_sysfs_root_folders(srv_path).
kobject_put() may drop the last reference to srv_path->kobj and invoke the
release callback, rtrs_srv_release(), which frees srv_path. The following
call to rtrs_srv_destroy_once_sysfs_root_folders(srv_path) then
dereferences srv_path internally to access srv_path->srv, resulting in a
use-after-free.
This failure path is reached before rtrs_srv_create_path_files() returns
success, so the successful-path lifetime handling is not involved.
Fix this by destroying the sysfs root folders before calling
kobject_put(&srv_path->kobj), so srv_path is still valid while the helper
accesses it.
This issue was found by a static analysis tool I am developing.
Fixes: ae4c81644e91 ("RDMA/rtrs-srv: Rename rtrs_srv_sess to rtrs_srv_path")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260514113834.865530-1-lgs201920130244@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
index 3f305e694fe8c..1b1c6ea4ee5a4 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
@@ -295,8 +295,8 @@ int rtrs_srv_create_path_files(struct rtrs_srv_path *srv_path)
put_kobj:
kobject_del(&srv_path->kobj);
destroy_root:
- kobject_put(&srv_path->kobj);
rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
+ kobject_put(&srv_path->kobj);
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 253/272] net: bridge: Flush multicast groups when snooping is disabled
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 252/272] RDMA/rtrs: Fix use-after-free in path file creation cleanup Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 254/272] bridge: mcast: Fix a possible use-after-free when removing a bridge port Greg Kroah-Hartman
` (25 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@nvidia.com>
[ Upstream commit 68800bbf583f26f71491141e4b3c8582f9cfcbde ]
When forwarding multicast packets, the bridge takes MDB into account when
IGMP / MLD snooping is enabled. Currently, when snooping is disabled, the
MDB is retained, even though it is not used anymore.
At the same time, during the time that snooping is disabled, the IGMP / MLD
control packets are obviously ignored, and after the snooping is reenabled,
the administrator has to assume it is out of sync. In particular, missed
join and leave messages would lead to traffic being forwarded to wrong
interfaces.
Keeping the MDB entries around thus serves no purpose, and just takes
memory. Note also that disabling per-VLAN snooping does actually flush the
relevant MDB entries.
This patch flushes non-permanent MDB entries as global snooping is
disabled.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/5e992df1bb93b88e19c0ea5819e23b669e3dde5d.1761228273.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 4df78ff02629 ("bridge: mcast: Fix a possible use-after-free when removing a bridge port")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 9bd2914006df7..3d91f5a057509 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -4642,6 +4642,14 @@ static void br_multicast_start_querier(struct net_bridge_mcast *brmctx,
rcu_read_unlock();
}
+static void br_multicast_del_grps(struct net_bridge *br)
+{
+ struct net_bridge_port *port;
+
+ list_for_each_entry(port, &br->port_list, list)
+ __br_multicast_disable_port_ctx(&port->multicast_ctx);
+}
+
int br_multicast_toggle(struct net_bridge *br, unsigned long val,
struct netlink_ext_ack *extack)
{
@@ -4662,6 +4670,7 @@ int br_multicast_toggle(struct net_bridge *br, unsigned long val,
br_opt_toggle(br, BROPT_MULTICAST_ENABLED, !!val);
if (!br_opt_get(br, BROPT_MULTICAST_ENABLED)) {
change_snoopers = true;
+ br_multicast_del_grps(br);
goto unlock;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 254/272] bridge: mcast: Fix a possible use-after-free when removing a bridge port
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 253/272] net: bridge: Flush multicast groups when snooping is disabled Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 255/272] pds_core: fix error handling in pdsc_devcmd_wait Greg Kroah-Hartman
` (24 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ae231e0552fa77b26ea1,
Thomas Gleixner, Nikolay Aleksandrov, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 4df78ff02629c7729168f0696a7a2123c389818d ]
When per-VLAN multicast snooping is enabled, the bridge iterates over
all the bridge ports, disables the per-port multicast context on each
port and enables the per-{port, VLAN} multicast contexts instead. The
reverse happens when per-VLAN multicast snooping is disabled.
When global multicast snooping is enabled, the bridge iterates over all
the bridge ports and enables the per-port multicast context on each
port. The reverse happens when multicast snooping is disabled.
The above scheme can result in a situation where both types of contexts
(per-port and per-{port, VLAN}) are enabled on a single bridge port:
# ip link add name br1 up type bridge mcast_snooping 1 mcast_querier 1 vlan_filtering 1
# ip link add name dummy1 up master br1 type dummy
# ip link set dev br1 type bridge mcast_vlan_snooping 1
# ip link set dev br1 type bridge mcast_snooping 0
# ip link set dev br1 type bridge mcast_snooping 1
This is not intended and it is a problem since the commit cited below.
Prior to this commit, when removing a bridge port,
br_multicast_disable_port() would disable the per-port multicast context
and the per-{port, VLAN} multicast contexts would get disabled when
flushing VLANs.
After this commit, br_multicast_disable_port() only disables the
per-port multicast context if per-VLAN multicast snooping is disabled.
If both types of contexts were enabled on the port when it was removed,
the per-port multicast context would remain enabled when freeing the
bridge port, leading to a use-after-free [1].
Fix by preventing the bridge from enabling / disabling the per-port
multicast contexts when toggling global multicast snooping if per-VLAN
multicast snooping is enabled.
[1]
ODEBUG: free active (active state 0) object: ffff88810f8bda78 object type: timer_list hint: br_ip6_multicast_port_query_expired (net/bridge/br_multicast.c:1927)
WARNING: lib/debugobjects.c:629 at debug_print_object+0x1b1/0x3e0, CPU#5: swapper/5/0
[...]
Call Trace:
<IRQ>
__debug_check_no_obj_freed (lib/debugobjects.c:1116)
kfree (mm/slub.c:2620 mm/slub.c:6250 mm/slub.c:6565)
kobject_cleanup (lib/kobject.c:689)
rcu_do_batch (kernel/rcu/tree.c:2617)
rcu_core (kernel/rcu/tree.c:2869)
handle_softirqs (kernel/softirq.c:622)
__irq_exit_rcu (kernel/softirq.c:656 kernel/softirq.c:496 kernel/softirq.c:735)
irq_exit_rcu (kernel/softirq.c:752)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1061 (discriminator 47) arch/x86/kernel/apic/apic.c:1061 (discriminator 47))
</IRQ>
Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions")
Reported-by: syzbot+ae231e0552fa77b26ea1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/87qznowlfs.ffs@tglx/
Reported-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260517121122.188333-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 3d91f5a057509..3194344529a54 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -4642,10 +4642,24 @@ static void br_multicast_start_querier(struct net_bridge_mcast *brmctx,
rcu_read_unlock();
}
-static void br_multicast_del_grps(struct net_bridge *br)
+static void br_multicast_enable_all_ports(struct net_bridge *br)
{
struct net_bridge_port *port;
+ if (br_opt_get(br, BROPT_MCAST_VLAN_SNOOPING_ENABLED))
+ return;
+
+ list_for_each_entry(port, &br->port_list, list)
+ __br_multicast_enable_port_ctx(&port->multicast_ctx);
+}
+
+static void br_multicast_disable_all_ports(struct net_bridge *br)
+{
+ struct net_bridge_port *port;
+
+ if (br_opt_get(br, BROPT_MCAST_VLAN_SNOOPING_ENABLED))
+ return;
+
list_for_each_entry(port, &br->port_list, list)
__br_multicast_disable_port_ctx(&port->multicast_ctx);
}
@@ -4653,7 +4667,6 @@ static void br_multicast_del_grps(struct net_bridge *br)
int br_multicast_toggle(struct net_bridge *br, unsigned long val,
struct netlink_ext_ack *extack)
{
- struct net_bridge_port *port;
bool change_snoopers = false;
int err = 0;
@@ -4670,7 +4683,7 @@ int br_multicast_toggle(struct net_bridge *br, unsigned long val,
br_opt_toggle(br, BROPT_MULTICAST_ENABLED, !!val);
if (!br_opt_get(br, BROPT_MULTICAST_ENABLED)) {
change_snoopers = true;
- br_multicast_del_grps(br);
+ br_multicast_disable_all_ports(br);
goto unlock;
}
@@ -4678,8 +4691,7 @@ int br_multicast_toggle(struct net_bridge *br, unsigned long val,
goto unlock;
br_multicast_open(br);
- list_for_each_entry(port, &br->port_list, list)
- __br_multicast_enable_port_ctx(&port->multicast_ctx);
+ br_multicast_enable_all_ports(br);
change_snoopers = true;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 255/272] pds_core: fix error handling in pdsc_devcmd_wait
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 254/272] bridge: mcast: Fix a possible use-after-free when removing a bridge port Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 256/272] pds_core: fix debugfs_lookup dentry leak and error handling Greg Kroah-Hartman
` (23 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikhil P. Rao, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikhil P. Rao <nikhil.rao@amd.com>
[ Upstream commit 0e46b6635b03d29807f810c3b415c4755a3f958d ]
Fix two cases where pdsc_devcmd_wait() returns stale success from
the completion register instead of an error:
1. FW crash: If firmware stops running, the wait loop breaks early with
running=false. The condition "if ((!done || timeout) && running)" is
false, so error handling is bypassed and stale status is returned.
Check !running first and return -ENXIO.
2. Timeout: If a command times out, err is set to -ETIMEDOUT but then
overwritten by pdsc_err_to_errno(status) which reads stale status.
Return -ETIMEDOUT immediately after cleaning up.
Both errors now propagate to pdsc_devcmd_locked() which queues
health_work for recovery.
Fixes: 45d76f492938 ("pds_core: set up device and adminq")
Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com>
Link: https://patch.msgid.link/20260515212907.998028-1-nikhil.rao@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/pds_core/dev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/pds_core/dev.c b/drivers/net/ethernet/amd/pds_core/dev.c
index 495ef4ef8c103..1d1e559bd99d3 100644
--- a/drivers/net/ethernet/amd/pds_core/dev.c
+++ b/drivers/net/ethernet/amd/pds_core/dev.c
@@ -162,12 +162,19 @@ static int pdsc_devcmd_wait(struct pdsc *pdsc, u8 opcode, int max_seconds)
dev_dbg(dev, "DEVCMD %d %s after %ld secs\n",
opcode, pdsc_devcmd_str(opcode), duration / HZ);
- if ((!done || timeout) && running) {
+ if (!running) {
+ dev_err(dev, "DEVCMD %d %s fw not running\n",
+ opcode, pdsc_devcmd_str(opcode));
+ pdsc_devcmd_clean(pdsc);
+ return -ENXIO;
+ }
+
+ if (!done || timeout) {
dev_err(dev, "DEVCMD %d %s timeout, done %d timeout %d max_seconds=%d\n",
opcode, pdsc_devcmd_str(opcode), done, timeout,
max_seconds);
- err = -ETIMEDOUT;
pdsc_devcmd_clean(pdsc);
+ return -ETIMEDOUT;
}
status = pdsc_devcmd_status(pdsc);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 256/272] pds_core: fix debugfs_lookup dentry leak and error handling
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 255/272] pds_core: fix error handling in pdsc_devcmd_wait Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 257/272] wifi: mac80211: fix MLE defragmentation Greg Kroah-Hartman
` (22 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikhil P. Rao, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikhil P. Rao <nikhil.rao@amd.com>
[ Upstream commit dc416e32baaeb620b9809e9e25fc7b30889686e9 ]
debugfs_lookup() returns a dentry with an elevated reference count that
must be released with dput(). The current code discards the returned
dentry without calling dput(), causing a reference leak on every
firmware reset recovery.
Additionally, when CONFIG_DEBUG_FS is disabled, debugfs_lookup()
returns ERR_PTR(-ENODEV), not NULL. The current check passes for error
pointers and would call dput() on an invalid pointer, causing a crash.
Fixes: bc90fbe0c318 ("pds_core: Rework teardown/setup flow to be more common")
Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com>
Link: https://patch.msgid.link/20260515212907.998028-3-nikhil.rao@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/pds_core/debugfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/amd/pds_core/debugfs.c b/drivers/net/ethernet/amd/pds_core/debugfs.c
index 04c5e3abd8d70..810a0cd9bcac8 100644
--- a/drivers/net/ethernet/amd/pds_core/debugfs.c
+++ b/drivers/net/ethernet/amd/pds_core/debugfs.c
@@ -64,9 +64,14 @@ DEFINE_SHOW_ATTRIBUTE(identity);
void pdsc_debugfs_add_ident(struct pdsc *pdsc)
{
+ struct dentry *dentry;
+
/* This file will already exist in the reset flow */
- if (debugfs_lookup("identity", pdsc->dentry))
+ dentry = debugfs_lookup("identity", pdsc->dentry);
+ if (!IS_ERR_OR_NULL(dentry)) {
+ dput(dentry);
return;
+ }
debugfs_create_file("identity", 0400, pdsc->dentry,
pdsc, &identity_fops);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 257/272] wifi: mac80211: fix MLE defragmentation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 256/272] pds_core: fix debugfs_lookup dentry leak and error handling Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 258/272] ALSA: seq: Serialize UMP output teardown with event_input Greg Kroah-Hartman
` (21 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miriam Rachel Korenblit, Ilan Peer,
Johannes Berg, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit a74e893f30db64cdce0fc7a96d3baa417bcd55f5 ]
If either reconf or EPCS multi-link element (MLE) is contained in
a non-transmitted profile, the defragmentation routine is called
with a pointer to the defragmented copy, but the original elements.
This is incorrect for two reasons:
- if the original defragmentation was needed, it will not find the
correct data
- if the original frame is at a higher address, the parsing will
potentially overrun the heap data (though given the layout of
the buffers, only into the new defragmentation buffer, and then
it has to stop and fail once that's filled with copied data.
Fix it by tracking the container along with the pointer and in
doing so also unify the two almost identical defragmentation
routines.
Fixes: 4d70e9c5488d ("wifi: mac80211: defragment reconfiguration MLE when parsing")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Link: https://patch.msgid.link/20260508091031.8a6c34613178.I4de16ebbce2d27f2f8f98fc49949c7a376c2fe8d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/parse.c | 71 +++++++++++++++++++-------------------------
1 file changed, 31 insertions(+), 40 deletions(-)
diff --git a/net/mac80211/parse.c b/net/mac80211/parse.c
index 922ea9a6e2412..530f01575bc17 100644
--- a/net/mac80211/parse.c
+++ b/net/mac80211/parse.c
@@ -34,6 +34,13 @@
#include "led.h"
#include "wep.h"
+struct ieee80211_elem_defrag {
+ const struct element *elem;
+ /* container start/len */
+ const u8 *start;
+ size_t len;
+};
+
struct ieee80211_elems_parse {
/* must be first for kfree to work */
struct ieee802_11_elems elems;
@@ -41,11 +48,7 @@ struct ieee80211_elems_parse {
/* The basic Multi-Link element in the original elements */
const struct element *ml_basic_elem;
- /* The reconfiguration Multi-Link element in the original elements */
- const struct element *ml_reconf_elem;
-
- /* The EPCS Multi-Link element in the original elements */
- const struct element *ml_epcs_elem;
+ struct ieee80211_elem_defrag ml_reconf, ml_epcs;
bool multi_link_inner;
bool skip_vendor;
@@ -162,10 +165,14 @@ ieee80211_parse_extension_element(u32 *crc,
}
break;
case IEEE80211_ML_CONTROL_TYPE_RECONF:
- elems_parse->ml_reconf_elem = elem;
+ elems_parse->ml_reconf.elem = elem;
+ elems_parse->ml_reconf.start = params->start;
+ elems_parse->ml_reconf.len = params->len;
break;
case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
- elems_parse->ml_epcs_elem = elem;
+ elems_parse->ml_epcs.elem = elem;
+ elems_parse->ml_epcs.start = params->start;
+ elems_parse->ml_epcs.len = params->len;
break;
default:
break;
@@ -950,46 +957,27 @@ ieee80211_prep_mle_link_parse(struct ieee80211_elems_parse *elems_parse,
sub->start, sub->len);
}
-static void
-ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse)
-{
- struct ieee802_11_elems *elems = &elems_parse->elems;
- ssize_t ml_len;
-
- ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem,
- elems->ie_start,
- elems->total_len,
- elems_parse->scratch_pos,
- elems_parse->scratch +
- elems_parse->scratch_len -
- elems_parse->scratch_pos,
- WLAN_EID_FRAGMENT);
- if (ml_len < 0)
- return;
- elems->ml_reconf = (void *)elems_parse->scratch_pos;
- elems->ml_reconf_len = ml_len;
- elems_parse->scratch_pos += ml_len;
-}
-
-static void
-ieee80211_mle_defrag_epcs(struct ieee80211_elems_parse *elems_parse)
+static const void *
+ieee80211_mle_defrag(struct ieee80211_elems_parse *elems_parse,
+ struct ieee80211_elem_defrag *defrag,
+ size_t *out_len)
{
- struct ieee802_11_elems *elems = &elems_parse->elems;
+ const void *ret;
ssize_t ml_len;
- ml_len = cfg80211_defragment_element(elems_parse->ml_epcs_elem,
- elems->ie_start,
- elems->total_len,
+ ml_len = cfg80211_defragment_element(defrag->elem,
+ defrag->start, defrag->len,
elems_parse->scratch_pos,
elems_parse->scratch +
elems_parse->scratch_len -
elems_parse->scratch_pos,
WLAN_EID_FRAGMENT);
if (ml_len < 0)
- return;
- elems->ml_epcs = (void *)elems_parse->scratch_pos;
- elems->ml_epcs_len = ml_len;
+ return NULL;
+ ret = elems_parse->scratch_pos;
+ *out_len = ml_len;
elems_parse->scratch_pos += ml_len;
+ return ret;
}
struct ieee802_11_elems *
@@ -1069,9 +1057,12 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
_ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
}
- ieee80211_mle_defrag_reconf(elems_parse);
-
- ieee80211_mle_defrag_epcs(elems_parse);
+ elems->ml_reconf = ieee80211_mle_defrag(elems_parse,
+ &elems_parse->ml_reconf,
+ &elems->ml_reconf_len);
+ elems->ml_epcs = ieee80211_mle_defrag(elems_parse,
+ &elems_parse->ml_epcs,
+ &elems->ml_epcs_len);
if (elems->tim && !elems->parse_error) {
const struct ieee80211_tim_ie *tim_ie = elems->tim;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 258/272] ALSA: seq: Serialize UMP output teardown with event_input
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 257/272] wifi: mac80211: fix MLE defragmentation Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 259/272] tracing: Avoid NULL return from hist_field_name() on truncation Greg Kroah-Hartman
` (20 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Zhang Cen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
[ Upstream commit 60a1969fae6209644698fca91c185d153674f631 ]
seq_ump_process_event() borrows client->out_rfile.output without
synchronizing with the first-open and last-close transition in
seq_ump_client_open() and seq_ump_client_close().
The last output unuse can therefore drop opened[STR_OUT] to zero and
release the rawmidi file while an in-flight event_input callback is still
inside snd_rawmidi_kernel_write(). That leaves the rawmidi substream
runtime exposed to teardown before the write path has taken its own
buffer reference.
Add a per-client rwlock for the event_input-visible output file. Publish
a newly opened output file under the write side, and hold the read side
from the output lookup through snd_rawmidi_kernel_write(). The last
output close copies and clears the visible output file under the write
side, then drops the lock and releases the saved rawmidi file. Use
IRQ-safe rwlock guards because event_input can also be reached from
atomic sequencer delivery.
The buggy scenario involves two paths, with each column showing the
order within that path:
path A label: event_input path path B label: last unuse path
1. seq_ump_process_event() reads 1. seq_ump_client_close()
client->out_rfile.output. drops opened[STR_OUT] to zero.
2. snd_rawmidi_kernel_write1() 2. snd_rawmidi_kernel_release()
has not yet pinned runtime. closes the output file.
3. The writer continues using 3. close_substream() frees
the borrowed substream. substream->runtime.
This keeps the output substream and runtime alive for the full
event_input write while keeping rawmidi release outside the rwlock.
KASAN reproduced this as a slab-use-after-free in
snd_rawmidi_kernel_write1(), with allocation through
seq_ump_use()/snd_seq_port_connect() and free through
seq_ump_unuse()/snd_seq_port_disconnect().
Suggested-by: Takashi Iwai <tiwai@suse.de>
Validation reproduced this kernel report:
KASAN slab-use-after-free in snd_rawmidi_kernel_write1+0x9d/0x400
RIP: 0033:0x7f5528af837f
Read of size 8
Call trace:
dump_stack_lvl+0x73/0xb0 (?:?)
print_report+0xd1/0x650 (?:?)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
__virt_addr_valid+0x1a7/0x340 (?:?)
kasan_complete_mode_report_info+0x64/0x200 (?:?)
kasan_report+0xf7/0x130 (?:?)
snd_rawmidi_kernel_write1+0x9d/0x400 (?:?)
__asan_load8+0x82/0xb0 (?:?)
update_stack_state+0x1ef/0x2d0 (?:?)
snd_rawmidi_kernel_write+0x1a/0x20 (?:?)
seq_ump_process_event+0xd4/0x120 (sound/core/seq/seq_ump_client.c:82)
__snd_seq_deliver_single_event+0x8a/0xe0 (?:?)
snd_seq_deliver_from_ump+0x2b2/0xd60 (?:?)
lock_acquire+0x14e/0x2e0 (?:?)
find_held_lock+0x31/0x90 (?:?)
snd_seq_port_use_ptr+0xa6/0xe0 (?:?)
__kasan_check_write+0x18/0x20 (?:?)
do_raw_read_unlock+0x32/0xa0 (?:?)
_raw_read_unlock+0x26/0x50 (?:?)
snd_seq_deliver_single_event+0x45c/0x4b0 (?:?)
snd_seq_deliver_event+0x10d/0x1b0 (?:?)
snd_seq_client_enqueue_event+0x192/0x240 (?:?)
snd_seq_write+0x2cd/0x450 (?:?)
apparmor_file_permission+0x20/0x30 (?:?)
security_file_permission+0x51/0x60 (?:?)
vfs_write+0x1ce/0x850 (?:?)
__fget_files+0x12b/0x220 (?:?)
lock_release+0xc8/0x2a0 (?:?)
__rcu_read_unlock+0x74/0x2d0 (?:?)
__fget_files+0x135/0x220 (?:?)
ksys_write+0x15a/0x180 (?:?)
rcu_is_watching+0x24/0x60 (?:?)
__x64_sys_write+0x46/0x60 (?:?)
x64_sys_call+0x7d/0x20d0 (?:?)
do_syscall_64+0xc1/0x360 (arch/x86/entry/syscall_64.c:87)
entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
Fixes: 81fd444aa371 ("ALSA: seq: Bind UMP device")
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Link: https://patch.msgid.link/20260520103249.3048345-1-rollkingzzc@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/seq/seq_ump_client.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c
index d39cea7f341d4..0d5d5ade87e68 100644
--- a/sound/core/seq/seq_ump_client.c
+++ b/sound/core/seq/seq_ump_client.c
@@ -37,6 +37,7 @@ struct seq_ump_client {
struct snd_ump_endpoint *ump; /* assigned endpoint */
int seq_client; /* sequencer client id */
int opened[2]; /* current opens for each direction */
+ rwlock_t output_lock; /* protects out_rfile output access */
struct snd_rawmidi_file out_rfile; /* rawmidi for output */
struct seq_ump_input_buffer input; /* input parser context */
void *ump_info[SNDRV_UMP_MAX_BLOCKS + 1]; /* shadow of seq client ump_info */
@@ -88,6 +89,7 @@ static int seq_ump_process_event(struct snd_seq_event *ev, int direct,
unsigned char type;
int len;
+ guard(read_lock_irqsave)(&client->output_lock);
substream = client->out_rfile.output;
if (!substream)
return -ENODEV;
@@ -106,6 +108,7 @@ static int seq_ump_process_event(struct snd_seq_event *ev, int direct,
static int seq_ump_client_open(struct seq_ump_client *client, int dir)
{
struct snd_ump_endpoint *ump = client->ump;
+ struct snd_rawmidi_file rfile = {};
int err;
guard(mutex)(&ump->open_mutex);
@@ -113,9 +116,11 @@ static int seq_ump_client_open(struct seq_ump_client *client, int dir)
err = snd_rawmidi_kernel_open(&ump->core, 0,
SNDRV_RAWMIDI_LFLG_OUTPUT |
SNDRV_RAWMIDI_LFLG_APPEND,
- &client->out_rfile);
+ &rfile);
if (err < 0)
return err;
+ scoped_guard(write_lock_irqsave, &client->output_lock)
+ client->out_rfile = rfile;
}
client->opened[dir]++;
return 0;
@@ -125,11 +130,19 @@ static int seq_ump_client_open(struct seq_ump_client *client, int dir)
static int seq_ump_client_close(struct seq_ump_client *client, int dir)
{
struct snd_ump_endpoint *ump = client->ump;
+ struct snd_rawmidi_file rfile = {};
guard(mutex)(&ump->open_mutex);
- if (!--client->opened[dir])
- if (dir == STR_OUT)
- snd_rawmidi_kernel_release(&client->out_rfile);
+ if (!--client->opened[dir]) {
+ if (dir == STR_OUT) {
+ scoped_guard(write_lock_irqsave, &client->output_lock) {
+ rfile = client->out_rfile;
+ client->out_rfile = (struct snd_rawmidi_file){};
+ }
+ if (rfile.rmidi)
+ snd_rawmidi_kernel_release(&rfile);
+ }
+ }
return 0;
}
@@ -432,6 +445,7 @@ static int snd_seq_ump_probe(struct device *_dev)
INIT_WORK(&client->group_notify_work, handle_group_notify);
client->ump = ump;
+ rwlock_init(&client->output_lock);
client->seq_client =
snd_seq_create_kernel_client(card, ump->core.device,
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 259/272] tracing: Avoid NULL return from hist_field_name() on truncation
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 258/272] ALSA: seq: Serialize UMP output teardown with event_input Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 260/272] Bluetooth: btmtk: fix urb->setup_packet leak in error paths Greg Kroah-Hartman
` (19 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Steven Rostedt,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 576ec047d20b368b43c4d5db98c4f2e0f3c101ec ]
hist_field_name() returns "" everywhere except the fully-qualified
VAR_REF/EXPR case, where snprintf() truncation returns NULL early
and bypasses the bottom NULL->"" guard. Callers don't expect NULL:
strcat(expr, hist_field_name(field, 0)) at trace_events_hist.c:1758
and the strcmp() in the sort-key match loop at :4804 both deref it.
system and event_name are bounded by MAX_EVENT_NAME_LEN, but the
field name on a VAR_REF is kstrdup'd from a histogram variable
name parsed out of the trigger string and has no length cap, so
a long enough var name in a fully qualified reference can reach
the truncation path.
Keep the length check but leave field_name as "" on overflow.
Link: https://patch.msgid.link/20260508195747.25492-1-devnexen@gmail.com
Fixes: 5ec1d1e97de1 ("tracing: Rebuild full_name on each hist_field_name() call")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 2d085115afde3..2a1e3537332d5 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1347,10 +1347,8 @@ static const char *hist_field_name(struct hist_field *field,
len = snprintf(full_name, sizeof(full_name), "%s.%s.%s",
field->system, field->event_name,
field->name);
- if (len >= sizeof(full_name))
- return NULL;
-
- field_name = full_name;
+ if (len < sizeof(full_name))
+ field_name = full_name;
} else
field_name = field->name;
} else if (field->flags & HIST_FIELD_FL_TIMESTAMP)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 260/272] Bluetooth: btmtk: fix urb->setup_packet leak in error paths
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 259/272] tracing: Avoid NULL return from hist_field_name() on truncation Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 261/272] net: ag71xx: check error for platform_get_irq Greg Kroah-Hartman
` (18 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiajia Liu, Luiz Augusto von Dentz,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiajia Liu <liujiajia@kylinos.cn>
[ Upstream commit dd1dda6b8d6e1f4376a5b3055a04f0ecbdb4d6bd ]
The setup_packet of control urb is not freed if usb_submit_urb fails or
the submitted urb is killed. Add free in these two paths.
Fixes: a1c49c434e150 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices")
Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btmtk.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 98cb8529d8bcd..08a8c3a5d7b7d 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -496,6 +496,7 @@ static void btmtk_usb_wmt_recv(struct urb *urb)
return;
} else if (urb->status == -ENOENT) {
/* Avoid suspend failed when usb_kill_urb */
+ kfree(urb->setup_packet);
return;
}
@@ -569,6 +570,7 @@ static int btmtk_usb_submit_wmt_recv_urb(struct hci_dev *hdev)
if (err != -EPERM && err != -ENODEV)
bt_dev_err(hdev, "urb %p submission failed (%d)",
urb, -err);
+ kfree(dr);
usb_unanchor_urb(urb);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 261/272] net: ag71xx: check error for platform_get_irq
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 260/272] Bluetooth: btmtk: fix urb->setup_packet leak in error paths Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 262/272] bpf, skmsg: fix verdict sk_data_ready racing with ktls rx Greg Kroah-Hartman
` (17 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rosen Penev, Oleksij Rempel,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rosen Penev <rosenp@gmail.com>
[ Upstream commit e7c70bf97e90d974cd575e4c90f8f9b07d056da3 ]
Complete error handling for a failed platform_get_irq() call
Fixes: d51b6ce441d3 ("net: ethernet: add ag71xx driver")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260516212616.11758-1-rosenp@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/atheros/ag71xx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
index bccc7e7b2a848..f5570061abe7f 100644
--- a/drivers/net/ethernet/atheros/ag71xx.c
+++ b/drivers/net/ethernet/atheros/ag71xx.c
@@ -1861,6 +1861,9 @@ static int ag71xx_probe(struct platform_device *pdev)
ag71xx_int_disable(ag, AG71XX_INT_POLL);
ndev->irq = platform_get_irq(pdev, 0);
+ if (ndev->irq < 0)
+ return ndev->irq;
+
err = devm_request_irq(&pdev->dev, ndev->irq, ag71xx_interrupt,
0x0, dev_name(&pdev->dev), ndev);
if (err) {
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 262/272] bpf, skmsg: fix verdict sk_data_ready racing with ktls rx
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 261/272] net: ag71xx: check error for platform_get_irq Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 263/272] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) Greg Kroah-Hartman
` (16 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingwang Xiang, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingwang Xiang <v3rdant.xiang@gmail.com>
[ Upstream commit ddf8029623a1af20e984c040e89ff918158397ab ]
sk_psock_strp_data_ready() already checks tls_sw_has_ctx_rx() and
defers to psock->saved_data_ready when a TLS RX context is present,
avoiding a conflict with the TLS strparser's ownership of the receive
queue (commit e91de6afa81c, "bpf: Fix running sk_skb program types
with ktls").
sk_psock_verdict_data_ready() has no equivalent guard. When a socket
is inserted into a sockmap (BPF_SK_SKB_VERDICT) before TLS RX is
configured, tls_sw_strparser_arm() saves sk_psock_verdict_data_ready
as rx_ctx->saved_data_ready. On data arrival:
tls_data_ready -> tls_strp_data_ready -> tls_rx_msg_ready
-> saved_data_ready() = sk_psock_verdict_data_ready()
-> tcp_read_skb() drains sk_receive_queue via __skb_unlink()
without calling tcp_eat_skb(), so copied_seq is not advanced.
tls_strp_msg_load() then finds tcp_inq() >= full_len (stale), calls
tcp_recv_skb() on the now-empty queue, hits WARN_ON_ONCE(!first), and
returns with rx_ctx->strp.anchor.frag_list pointing at a psock-owned
(potentially freed) skb. tls_decrypt_sg() subsequently walks that
frag_list: use-after-free.
Apply the same fix as sk_psock_strp_data_ready(): if a TLS RX context
is present, call psock->saved_data_ready (sock_def_readable) to wake
recv() waiters and return immediately, leaving the receive queue
untouched. TLS retains sole ownership of the queue and decrypts the
record normally through tls_sw_recvmsg().
Fixes: ef5659280eb1 ("bpf, sockmap: Allow skipping sk_skb parser program")
Signed-off-by: Xingwang Xiang <v3rdant.xiang@gmail.com>
Link: https://patch.msgid.link/20260517145630.20521-2-v3rdant.xiang@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index e1e0283e53c1d..fbaee3d09990b 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -1267,12 +1267,19 @@ static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb)
static void sk_psock_verdict_data_ready(struct sock *sk)
{
const struct proto_ops *ops = NULL;
+ struct sk_psock *psock;
struct socket *sock;
int copied;
trace_sk_data_ready(sk);
rcu_read_lock();
+ psock = sk_psock(sk);
+ if (psock && tls_sw_has_ctx_rx(sk)) {
+ psock->saved_data_ready(sk);
+ rcu_read_unlock();
+ return;
+ }
sock = READ_ONCE(sk->sk_socket);
if (likely(sock))
ops = READ_ONCE(sock->ops);
@@ -1282,8 +1289,6 @@ static void sk_psock_verdict_data_ready(struct sock *sk)
copied = ops->read_skb(sk, sk_psock_verdict_recv);
if (copied >= 0) {
- struct sk_psock *psock;
-
rcu_read_lock();
psock = sk_psock(sk);
if (psock)
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 263/272] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 262/272] bpf, skmsg: fix verdict sk_data_ready racing with ktls rx Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 264/272] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed Greg Kroah-Hartman
` (15 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Bartosz Golaszewski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andy.shevchenko@gmail.com>
[ Upstream commit e106b1dd38e723ec2bb2bf57ea9b2aff464b9423 ]
Use the mem_is_zero() helper where possible.
Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20241110201706.16614-1-andy.shevchenko@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Stable-dep-of: 3e6ccd790ed6 ("gpio: cdev: check if uAPI v2 config attributes are correctly zeroed")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index bd2921ef29a14..d44a3e4c2a09c 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -16,7 +16,6 @@
#include <linux/hte.h>
#include <linux/interrupt.h>
#include <linux/irqreturn.h>
-#include <linux/kernel.h>
#include <linux/kfifo.h>
#include <linux/module.h>
#include <linux/mutex.h>
@@ -26,6 +25,7 @@
#include <linux/rbtree.h>
#include <linux/seq_file.h>
#include <linux/spinlock.h>
+#include <linux/string.h>
#include <linux/timekeeping.h>
#include <linux/uaccess.h>
#include <linux/workqueue.h>
@@ -1331,7 +1331,7 @@ static int gpio_v2_line_config_validate(struct gpio_v2_line_config *lc,
if (lc->num_attrs > GPIO_V2_LINE_NUM_ATTRS_MAX)
return -EINVAL;
- if (memchr_inv(lc->padding, 0, sizeof(lc->padding)))
+ if (!mem_is_zero(lc->padding, sizeof(lc->padding)))
return -EINVAL;
for (i = 0; i < num_lines; i++) {
@@ -1746,7 +1746,7 @@ static int linereq_create(struct gpio_device *gdev, void __user *ip)
if ((ulr.num_lines == 0) || (ulr.num_lines > GPIO_V2_LINES_MAX))
return -EINVAL;
- if (memchr_inv(ulr.padding, 0, sizeof(ulr.padding)))
+ if (!mem_is_zero(ulr.padding, sizeof(ulr.padding)))
return -EINVAL;
lc = &ulr.config;
@@ -2516,7 +2516,7 @@ static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip,
if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
return -EFAULT;
- if (memchr_inv(lineinfo.padding, 0, sizeof(lineinfo.padding)))
+ if (!mem_is_zero(lineinfo.padding, sizeof(lineinfo.padding)))
return -EINVAL;
desc = gpio_device_get_desc(cdev->gdev, lineinfo.offset);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 264/272] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 263/272] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 265/272] ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() Greg Kroah-Hartman
` (14 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kent Gibson, Bartosz Golaszewski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
[ Upstream commit 3e6ccd790ed69bedd3d9626d01dd35cf9821c121 ]
We check the padding of other uAPI v2 structures but not that of line
config attributes. For used attributes: check if their padding is
zeroed, for unused: check if the entire structure is zeroed.
Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL")
Reviewed-by: Kent Gibson <warthog618@gmail.com>
Link: https://patch.msgid.link/20260521-gpio-cdev-attr-padding-check-v3-1-ec3bcbe2e358@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index d44a3e4c2a09c..e77ec4b205f42 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -1324,6 +1324,7 @@ static int gpio_v2_line_flags_validate(u64 flags)
static int gpio_v2_line_config_validate(struct gpio_v2_line_config *lc,
unsigned int num_lines)
{
+ size_t unused_attrs;
unsigned int i;
u64 flags;
int ret;
@@ -1331,9 +1332,21 @@ static int gpio_v2_line_config_validate(struct gpio_v2_line_config *lc,
if (lc->num_attrs > GPIO_V2_LINE_NUM_ATTRS_MAX)
return -EINVAL;
+ unused_attrs = GPIO_V2_LINE_NUM_ATTRS_MAX - lc->num_attrs;
+
if (!mem_is_zero(lc->padding, sizeof(lc->padding)))
return -EINVAL;
+ for (i = 0; i < lc->num_attrs; i++) {
+ if (lc->attrs[i].attr.padding != 0)
+ return -EINVAL;
+ }
+
+ if (unused_attrs) {
+ if (!mem_is_zero(&lc->attrs[lc->num_attrs], unused_attrs * sizeof(*lc->attrs)))
+ return -EINVAL;
+ }
+
for (i = 0; i < num_lines; i++) {
flags = gpio_v2_line_config_flags(lc, i);
ret = gpio_v2_line_flags_validate(flags);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 265/272] ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 264/272] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 266/272] drm/xe/oa: Fix exec_queue leak on width check in stream open Greg Kroah-Hartman
` (13 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit 18e7bd9f2446664053f8c34b72abd4606d22d858 ]
Use flush_work() instead of cancel_work_sync() to terminate pending IRQ
work in cs35l56_sdw_remove(). And flush_work() again after masking the
interrupts to flush any queueing that was racing with the masking. This is
the same sequence as cs35l56_sdw_system_suspend().
cs35l56_sdw_interrupt() takes the pm_runtime to prevent the bus powering-
down before the interrupt status can be read and handled. The work releases
this pm_runtime. So cancelling it, instead of flushing, could leave an
unbalanced pm_runtime.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: e49611252900 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56")
Link: https://patch.msgid.link/20260521123057.988732-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs35l56-sdw.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/cs35l56-sdw.c b/sound/soc/codecs/cs35l56-sdw.c
index 7c9a17fe2195c..b9cc447b6e5c7 100644
--- a/sound/soc/codecs/cs35l56-sdw.c
+++ b/sound/soc/codecs/cs35l56-sdw.c
@@ -544,10 +544,11 @@ static int cs35l56_sdw_remove(struct sdw_slave *peripheral)
/* Disable SoundWire interrupts */
cs35l56->sdw_irq_no_unmask = true;
- cancel_work_sync(&cs35l56->sdw_irq_work);
+ flush_work(&cs35l56->sdw_irq_work);
sdw_write_no_pm(peripheral, CS35L56_SDW_GEN_INT_MASK_1, 0);
sdw_read_no_pm(peripheral, CS35L56_SDW_GEN_INT_STAT_1);
sdw_write_no_pm(peripheral, CS35L56_SDW_GEN_INT_STAT_1, 0xFF);
+ flush_work(&cs35l56->sdw_irq_work);
cs35l56_remove(cs35l56);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 266/272] drm/xe/oa: Fix exec_queue leak on width check in stream open
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 265/272] ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 267/272] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs Greg Kroah-Hartman
` (12 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashutosh Dixit, Shuicheng Lin,
Rodrigo Vivi, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit 4d25342543c01310fc4e0cba7cb17c775e2421e2 ]
In xe_oa_stream_open_ioctl(), when param.exec_q->width > 1 the
function returns -EOPNOTSUPP directly, skipping the existing
err_exec_q cleanup path. The exec_queue reference obtained by
xe_exec_queue_lookup() is leaked.
The exec queue holds a reference on the xe_file, which is only
dropped during queue teardown. The leaked lookup ref is not on
the file's exec_queue xarray, so file close cannot release it.
This keeps both the exec queue and the file private state pinned
indefinitely.
Jump to err_exec_q instead of returning directly so the reference
is released.
Fixes: f0ed39830e60 ("xe/oa: Fix query mode of operation for OAR/OAC")
Assisted-by: Claude:claude-opus-4.6
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Link: https://patch.msgid.link/20260514203210.593488-1-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit 339fa0be9e4a5d69fa47e91f4a36574224fb478f)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_oa.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c
index fe997494a6f99..5e38afc46e20e 100644
--- a/drivers/gpu/drm/xe/xe_oa.c
+++ b/drivers/gpu/drm/xe/xe_oa.c
@@ -2019,8 +2019,10 @@ int xe_oa_stream_open_ioctl(struct drm_device *dev, u64 data, struct drm_file *f
if (XE_IOCTL_DBG(oa->xe, !param.exec_q))
return -ENOENT;
- if (XE_IOCTL_DBG(oa->xe, param.exec_q->width > 1))
- return -EOPNOTSUPP;
+ if (XE_IOCTL_DBG(oa->xe, param.exec_q->width > 1)) {
+ ret = -EOPNOTSUPP;
+ goto err_exec_q;
+ }
}
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 267/272] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 266/272] drm/xe/oa: Fix exec_queue leak on width check in stream open Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 268/272] net: mana: validate rx_req_idx to prevent out-of-bounds array access Greg Kroah-Hartman
` (11 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geetha sowjanya, Ratheesh Kannoth,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ratheesh Kannoth <rkannoth@marvell.com>
[ Upstream commit 9eddc819f00b5b74bb4ac91396f80bd35f5f3561 ]
When installing the allmulticast NPC rule, rvu_npc_install_allmulti_entry()
should skip LBK and SDP VFs (only CGX PF/VF may add the entry). The
code combined is_lbk_vf() and is_sdp_vf() with logical AND, which is
never true for a single pcifunc, so the intended early return never ran.
Use logical OR instead.
Cc: Geetha sowjanya <gakula@marvell.com>
Fixes: ae703539f49d2 ("octeontx2-af: Cleanup loopback device checks")
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Link: https://patch.msgid.link/20260520043036.1523798-1-rkannoth@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
index a78923d7811dc..e3038a912a580 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
@@ -853,7 +853,7 @@ void rvu_npc_install_allmulti_entry(struct rvu *rvu, u16 pcifunc, int nixlf,
u16 vf_func;
/* Only CGX PF/VF can add allmulticast entry */
- if (is_lbk_vf(rvu, pcifunc) && is_sdp_vf(rvu, pcifunc))
+ if (is_lbk_vf(rvu, pcifunc) || is_sdp_vf(rvu, pcifunc))
return;
blkaddr = rvu_get_blkaddr(rvu, BLKTYPE_NPC, 0);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 268/272] net: mana: validate rx_req_idx to prevent out-of-bounds array access
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 267/272] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 269/272] pds_core: ensure null-termination for firmware version strings Greg Kroah-Hartman
` (10 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Garg, Haiyang Zhang,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya@linux.microsoft.com>
[ Upstream commit b809d0409991b75a6cff846a5ac27c3062953f84 ]
In mana_hwc_rx_event_handler(), rx_req_idx is derived from
sge->address in DMA-coherent memory. In Confidential VMs
(SEV-SNP/TDX), this memory is shared unencrypted and HW can modify
WQE contents at any time. No bounds check exists on rx_req_idx,
which can lead to an out-of-bounds access into reqs[].
Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before
using it to index the reqs[] array.
Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
index f8971844e6d8e..fef0edc90eac9 100644
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -233,6 +233,12 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id,
rq_base_addr = hwc_rxq->msg_buf->mem_info.dma_handle;
rx_req_idx = (sge->address - rq_base_addr) / hwc->max_req_msg_size;
+ if (rx_req_idx >= hwc_rxq->msg_buf->num_reqs) {
+ dev_err(hwc->dev, "HWC RX: wrong rx_req_idx=%llu, num_reqs=%u\n",
+ rx_req_idx, hwc_rxq->msg_buf->num_reqs);
+ return;
+ }
+
rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx];
resp = (struct gdma_resp_hdr *)rx_req->buf_va;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 269/272] pds_core: ensure null-termination for firmware version strings
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 268/272] net: mana: validate rx_req_idx to prevent out-of-bounds array access Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 270/272] net: gro: dont merge zcopy skbs Greg Kroah-Hartman
` (9 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikhil P. Rao, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikhil P. Rao <nikhil.rao@amd.com>
[ Upstream commit 3d4432d34c1992701289cbe12df9fd024f315998 ]
The driver passes fw_version directly to devlink_info_version_stored_put()
without ensuring null-termination. While current firmware null-terminates
these strings, the driver should not rely on this behavior. Add explicit
null-termination to prevent potential issues if firmware behavior changes.
Fixes: 45d76f492938 ("pds_core: set up device and adminq")
Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com>
Link: https://patch.msgid.link/20260520205842.1486718-1-nikhil.rao@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/pds_core/devlink.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/pds_core/devlink.c b/drivers/net/ethernet/amd/pds_core/devlink.c
index d8dc39da4161f..621791a3c543b 100644
--- a/drivers/net/ethernet/amd/pds_core/devlink.c
+++ b/drivers/net/ethernet/amd/pds_core/devlink.c
@@ -121,12 +121,14 @@ int pdsc_dl_info_get(struct devlink *dl, struct devlink_info_req *req,
listlen = min(fw_list.num_fw_slots, ARRAY_SIZE(fw_list.fw_names));
for (i = 0; i < listlen; i++) {
+ char *fw_ver = fw_list.fw_names[i].fw_version;
+
if (i < ARRAY_SIZE(fw_slotnames))
strscpy(buf, fw_slotnames[i], sizeof(buf));
else
snprintf(buf, sizeof(buf), "fw.slot_%d", i);
- err = devlink_info_version_stored_put(req, buf,
- fw_list.fw_names[i].fw_version);
+ fw_ver[sizeof(fw_list.fw_names[i].fw_version) - 1] = '\0';
+ err = devlink_info_version_stored_put(req, buf, fw_ver);
if (err)
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 270/272] net: gro: dont merge zcopy skbs
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 269/272] pds_core: ensure null-termination for firmware version strings Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 271/272] LoongArch: kprobes: Fix handling of fatal unrecoverable recursions Greg Kroah-Hartman
` (8 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huzaifa Sidhpurwala, Sabrina Dubroca,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 4db79a322db8c97f7b73b8a347395ef4d685eb40 ]
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
Fixes: 753f1ca4e1e5 ("net: introduce managed frags infrastructure")
Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/gro.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/gro.c b/net/core/gro.c
index f5c80c2f69df7..e4cebf162efb7 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -108,6 +108,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
if (p->pp_recycle != skb->pp_recycle)
return -ETOOMANYREFS;
+ if (skb_zcopy(p) || skb_zcopy(skb))
+ return -ETOOMANYREFS;
+
if (unlikely(p->len + len >= netif_get_gro_max_size(p->dev, p) ||
NAPI_GRO_CB(skb)->flush))
return -E2BIG;
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 271/272] LoongArch: kprobes: Fix handling of fatal unrecoverable recursions
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 270/272] net: gro: dont merge zcopy skbs Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 272/272] landlock: Fix TCP handling of short AF_UNSPEC addresses Greg Kroah-Hartman
` (7 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tiezhu Yang, Huacai Chen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tiezhu Yang <yangtiezhu@loongson.cn>
[ Upstream commit 1c856e158fd34ef2c4475a81c1dc386329989938 ]
KPROBE_HIT_SS and KPROBE_REENTER are two types of fatal recursions that
can not be safely recovered in kprobes.
KPROBE_HIT_SS means that a kprobe is hit during single-stepping. At
this point, the architecture-specific single-step context is already
active. Nested single-stepping would corrupt the state, as the kprobe
control block (kcb) and hardware registers cannot safely store multiple
levels of stepping state.
KPROBE_REENTER means that a third-level recursion occurs when a probe
is hit while the system is already handling a nested probe (second-
level). The kcb only provides a single slot (prev_kprobe) to backup the
state. When a third probe is hit, there is no more space to save the
state without corrupting the first-level backup.
Kprobes work by replacing instructions with breakpoints. In order to
execute the original instruction and continue, it must be moved to a
temporary "single-step" slot. Since there is no backup space left to
set up this slot safely, the CPU would be forced to return to the same
original breakpoint address, triggering an endless loop.
Currently, the code only prints a warning and returns. This leads to
an infinite re-entry loop as the CPU repeatedly hits the same trap and
a "stuck" CPU core because preemption was disabled at the start of the
handler and never re-enabled in this early return path.
Fix the logic by:
1. Merging KPROBE_HIT_SS and KPROBE_REENTER cases, as both represent
fatal recursions that cannot be safely recovered.
2. Replacing WARN_ON_ONCE() with BUG() to terminate the system. This
aligns LoongArch with other architectures (x86, arm64, riscv) and
prevents stack overflow while providing diagnostic information.
Fixes: 6d4cc40fb5f5 ("LoongArch: Add kprobes support")
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/loongarch/kernel/kprobes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/loongarch/kernel/kprobes.c b/arch/loongarch/kernel/kprobes.c
index 8ba391cfabb00..bd783ebed4cc9 100644
--- a/arch/loongarch/kernel/kprobes.c
+++ b/arch/loongarch/kernel/kprobes.c
@@ -184,16 +184,16 @@ static bool reenter_kprobe(struct kprobe *p, struct pt_regs *regs,
struct kprobe_ctlblk *kcb)
{
switch (kcb->kprobe_status) {
- case KPROBE_HIT_SS:
case KPROBE_HIT_SSDONE:
case KPROBE_HIT_ACTIVE:
kprobes_inc_nmissed_count(p);
setup_singlestep(p, regs, kcb, 1);
break;
+ case KPROBE_HIT_SS:
case KPROBE_REENTER:
pr_warn("Failed to recover from reentered kprobes.\n");
dump_kprobe(p);
- WARN_ON_ONCE(1);
+ BUG();
break;
default:
WARN_ON(1);
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* [PATCH 6.12 272/272] landlock: Fix TCP handling of short AF_UNSPEC addresses
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 271/272] LoongArch: kprobes: Fix handling of fatal unrecoverable recursions Greg Kroah-Hartman
@ 2026-05-28 19:50 ` Greg Kroah-Hartman
2026-05-29 3:23 ` [PATCH 6.12 000/272] 6.12.92-rc1 review Dominique Martinet
` (6 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-28 19:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Buffet,
Mickaël Salaün, Maximilian Heyne, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Buffet <matthieu@buffet.re>
[ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ]
current_check_access_socket() treats AF_UNSPEC addresses as
AF_INET ones, and only later adds special case handling to
allow connect(AF_UNSPEC), and on IPv4 sockets
bind(AF_UNSPEC+INADDR_ANY).
This would be fine except AF_UNSPEC addresses can be as
short as a bare AF_UNSPEC sa_family_t field, and nothing
more. The AF_INET code path incorrectly enforces a length of
sizeof(struct sockaddr_in) instead.
Move AF_UNSPEC edge case handling up inside the switch-case,
before the address is (potentially incorrectly) treated as
AF_INET.
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>
[ There was a conflict due to missing commit 9f74411a40ce ("landlock:
Log TCP bind and connect denials") ]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/landlock/net.c | 118 +++++++++++++++++++++++-----------------
1 file changed, 67 insertions(+), 51 deletions(-)
diff --git a/security/landlock/net.c b/security/landlock/net.c
index 104b6c01fe503..53d479893475f 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -72,6 +72,61 @@ static int current_check_access_socket(struct socket *const sock,
switch (address->sa_family) {
case AF_UNSPEC:
+ if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
+ /*
+ * Connecting to an address with AF_UNSPEC dissolves
+ * the TCP association, which have the same effect as
+ * closing the connection while retaining the socket
+ * object (i.e., the file descriptor). As for dropping
+ * privileges, closing connections is always allowed.
+ *
+ * For a TCP access control system, this request is
+ * legitimate. Let the network stack handle potential
+ * inconsistencies and return -EINVAL if needed.
+ */
+ return 0;
+ } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
+ /*
+ * Binding to an AF_UNSPEC address is treated
+ * differently by IPv4 and IPv6 sockets. The socket's
+ * family may change under our feet due to
+ * setsockopt(IPV6_ADDRFORM), but that's ok: we either
+ * reject entirely or require
+ * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so
+ * it cannot be used to bypass the policy.
+ *
+ * IPv4 sockets map AF_UNSPEC to AF_INET for
+ * retrocompatibility for bind accesses, only if the
+ * address is INADDR_ANY (cf. __inet_bind). IPv6
+ * sockets always reject it.
+ *
+ * Checking the address is required to not wrongfully
+ * return -EACCES instead of -EAFNOSUPPORT or -EINVAL.
+ * We could return 0 and let the network stack handle
+ * these checks, but it is safer to return a proper
+ * error and test consistency thanks to kselftest.
+ */
+ if (sock->sk->__sk_common.skc_family == AF_INET) {
+ const struct sockaddr_in *const sockaddr =
+ (struct sockaddr_in *)address;
+
+ if (addrlen < sizeof(struct sockaddr_in))
+ return -EINVAL;
+
+ if (sockaddr->sin_addr.s_addr !=
+ htonl(INADDR_ANY))
+ return -EAFNOSUPPORT;
+ } else {
+ if (addrlen < SIN6_LEN_RFC2133)
+ return -EINVAL;
+ else
+ return -EAFNOSUPPORT;
+ }
+ } else {
+ WARN_ON_ONCE(1);
+ }
+ /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
+ fallthrough;
case AF_INET:
if (addrlen < sizeof(struct sockaddr_in))
return -EINVAL;
@@ -90,57 +145,18 @@ static int current_check_access_socket(struct socket *const sock,
return 0;
}
- /* Specific AF_UNSPEC handling. */
- if (address->sa_family == AF_UNSPEC) {
- /*
- * Connecting to an address with AF_UNSPEC dissolves the TCP
- * association, which have the same effect as closing the
- * connection while retaining the socket object (i.e., the file
- * descriptor). As for dropping privileges, closing
- * connections is always allowed.
- *
- * For a TCP access control system, this request is legitimate.
- * Let the network stack handle potential inconsistencies and
- * return -EINVAL if needed.
- */
- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
- return 0;
-
- /*
- * For compatibility reason, accept AF_UNSPEC for bind
- * accesses (mapped to AF_INET) only if the address is
- * INADDR_ANY (cf. __inet_bind). Checking the address is
- * required to not wrongfully return -EACCES instead of
- * -EAFNOSUPPORT.
- *
- * We could return 0 and let the network stack handle these
- * checks, but it is safer to return a proper error and test
- * consistency thanks to kselftest.
- */
- if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
- /* addrlen has already been checked for AF_UNSPEC. */
- const struct sockaddr_in *const sockaddr =
- (struct sockaddr_in *)address;
-
- if (sock->sk->__sk_common.skc_family != AF_INET)
- return -EINVAL;
-
- if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
- return -EAFNOSUPPORT;
- }
- } else {
- /*
- * Checks sa_family consistency to not wrongfully return
- * -EACCES instead of -EINVAL. Valid sa_family changes are
- * only (from AF_INET or AF_INET6) to AF_UNSPEC.
- *
- * We could return 0 and let the network stack handle this
- * check, but it is safer to return a proper error and test
- * consistency thanks to kselftest.
- */
- if (address->sa_family != sock->sk->__sk_common.skc_family)
- return -EINVAL;
- }
+ /*
+ * Checks sa_family consistency to not wrongfully return
+ * -EACCES instead of -EINVAL. Valid sa_family changes are
+ * only (from AF_INET or AF_INET6) to AF_UNSPEC.
+ *
+ * We could return 0 and let the network stack handle this
+ * check, but it is safer to return a proper error and test
+ * consistency thanks to kselftest.
+ */
+ if (address->sa_family != sock->sk->__sk_common.skc_family &&
+ address->sa_family != AF_UNSPEC)
+ return -EINVAL;
id.key.data = (__force uintptr_t)port;
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
--
2.53.0
^ permalink raw reply related [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-05-28 19:50 ` [PATCH 6.12 272/272] landlock: Fix TCP handling of short AF_UNSPEC addresses Greg Kroah-Hartman
@ 2026-05-29 3:23 ` Dominique Martinet
2026-05-29 5:39 ` Ron Economos
` (5 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Dominique Martinet @ 2026-05-29 3:23 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Greg Kroah-Hartman wrote on Thu, May 28, 2026 at 09:46:14PM +0200:
> This is the start of the stable review cycle for the 6.12.92 release.
> There are 272 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.92-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
Tested 97928cc88900 ("Linux 6.12.92-rc1") on:
- arm i.MX6ULL (Armadillo 640)
- arm64 i.MX8ULP (Armadillo IoT A9E)
No obvious regression in dmesg or basic tests:
Tested-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
--
Dominique Martinet
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-05-29 3:23 ` [PATCH 6.12 000/272] 6.12.92-rc1 review Dominique Martinet
@ 2026-05-29 5:39 ` Ron Economos
2026-05-29 6:09 ` Miguel Ojeda
` (4 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Ron Economos @ 2026-05-29 5:39 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 5/28/26 12:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.92 release.
> There are 272 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.92-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-05-29 5:39 ` Ron Economos
@ 2026-05-29 6:09 ` Miguel Ojeda
2026-05-29 8:27 ` Pavel Machek
2026-05-29 10:59 ` Peter Schneider
2026-05-29 6:23 ` Francesco Dolcini
` (3 subsequent siblings)
278 siblings, 2 replies; 284+ messages in thread
From: Miguel Ojeda @ 2026-05-29 6:09 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda, Anuj Gupta, Kanchan Joshi, Christoph Hellwig,
Keith Busch, Jens Axboe, linux-block
On Thu, 28 May 2026 21:46:14 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.92 release.
> There are 272 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
I am seeing:
In file included from kernel/trace/blktrace.c:23:
In file included from kernel/trace/../../block/blk.h:5:
./include/linux/bio-integrity.h:101:12: error: unused function 'bio_integrity_map_user' [-Werror,-Wunused-function]
101 | static int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
| ^~~~~~~~~~~~~~~~~~~~~~
This looks like it needs:
546d191427cf ("block: make bio_integrity_map_user() static inline")
(and indeed in my run `CONFIG_BLK_DEV_INTEGRITY` is not set like the
commit message says).
Cc: Anuj Gupta <anuj20.g@samsung.com>
Cc: Kanchan Joshi <joshi.k@samsung.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
CC: linux-block@vger.kernel.org
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-05-29 6:09 ` Miguel Ojeda
@ 2026-05-29 6:23 ` Francesco Dolcini
2026-05-29 6:33 ` Brett A C Sheffield
` (2 subsequent siblings)
278 siblings, 0 replies; 284+ messages in thread
From: Francesco Dolcini @ 2026-05-29 6:23 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, May 28, 2026 at 09:46:14PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.92 release.
> There are 272 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-05-29 6:23 ` Francesco Dolcini
@ 2026-05-29 6:33 ` Brett A C Sheffield
2026-05-29 19:19 ` Florian Fainelli
2026-05-29 21:50 ` Mark Brown
278 siblings, 0 replies; 284+ messages in thread
From: Brett A C Sheffield @ 2026-05-29 6:33 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.12.92-rc1-g97928cc88900 #1 SMP PREEMPT_DYNAMIC Fri May 29 06:06:22 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-29 6:09 ` Miguel Ojeda
@ 2026-05-29 8:27 ` Pavel Machek
2026-05-29 12:44 ` Sasha Levin
2026-05-29 10:59 ` Peter Schneider
1 sibling, 1 reply; 284+ messages in thread
From: Pavel Machek @ 2026-05-29 8:27 UTC (permalink / raw)
To: Miguel Ojeda
Cc: gregkh, achill, akpm, broonie, conor, f.fainelli, hargar,
jonathanh, linux-kernel, linux, lkft-triage, patches, patches,
pavel, rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Anuj Gupta, Kanchan Joshi, Christoph Hellwig, Keith Busch,
Jens Axboe, linux-block
[-- Attachment #1: Type: text/plain, Size: 1134 bytes --]
Hi!
> > This is the start of the stable review cycle for the 6.12.92 release.
> > There are 272 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
> > Anything received after that time might be too late.
>
> Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
> for loongarch64:
>
> Tested-by: Miguel Ojeda <ojeda@kernel.org>
>
> I am seeing:
>
> In file included from kernel/trace/blktrace.c:23:
> In file included from kernel/trace/../../block/blk.h:5:
> ./include/linux/bio-integrity.h:101:12: error: unused function 'bio_integrity_map_user' [-Werror,-Wunused-function]
> 101 | static int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
> | ^~~~~~~~~~~~~~~~~~~~~~
>
We see that, too:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/14592368004
We don't see the problem on 6.6, 6.18 or 7.0-stable.
Best regards,
Pavel
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-29 6:09 ` Miguel Ojeda
2026-05-29 8:27 ` Pavel Machek
@ 2026-05-29 10:59 ` Peter Schneider
1 sibling, 0 replies; 284+ messages in thread
From: Peter Schneider @ 2026-05-29 10:59 UTC (permalink / raw)
To: Miguel Ojeda, gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Anuj Gupta, Kanchan Joshi, Christoph Hellwig, Keith Busch,
Jens Axboe, linux-block
Am 29.05.2026 um 08:09 schrieb Miguel Ojeda:
> On Thu, 28 May 2026 21:46:14 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>>
>> This is the start of the stable review cycle for the 6.12.92 release.
>> There are 272 patches in this series, all will be posted as a response
>> to this one. If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
>> Anything received after that time might be too late.
>
> Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
> for loongarch64:
>
> Tested-by: Miguel Ojeda <ojeda@kernel.org>
>
> I am seeing:
>
> In file included from kernel/trace/blktrace.c:23:
> In file included from kernel/trace/../../block/blk.h:5:
> ./include/linux/bio-integrity.h:101:12: error: unused function 'bio_integrity_map_user' [-Werror,-Wunused-function]
> 101 | static int bio_integrity_map_user(struct bio *bio, struct iov_iter *iter)
> | ^~~~~~~~~~~~~~~~~~~~~~
>
> This looks like it needs:
>
> 546d191427cf ("block: make bio_integrity_map_user() static inline")
>
> (and indeed in my run `CONFIG_BLK_DEV_INTEGRITY` is not set like the
> commit message says).
I didn't see this error message on x86_64; I built with CONFIG_WERROR=y and CONFIG_BLK_DEV_INTEGRITY=y
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-29 8:27 ` Pavel Machek
@ 2026-05-29 12:44 ` Sasha Levin
2026-05-29 19:33 ` Florian Fainelli
0 siblings, 1 reply; 284+ messages in thread
From: Sasha Levin @ 2026-05-29 12:44 UTC (permalink / raw)
To: Miguel Ojeda
Cc: Sasha Levin, gregkh, achill, akpm, broonie, conor, f.fainelli,
hargar, jonathanh, linux-kernel, linux, lkft-triage, patches,
patches, pavel, rwarsow, shuah, sr, stable, sudipm.mukherjee,
torvalds, Anuj Gupta, Kanchan Joshi, Christoph Hellwig,
Keith Busch, Jens Axboe, linux-block
On Fri, May 29, 2026 at 10:27:21AM +0200, Pavel Machek wrote:
> > I am seeing:
> >
> > ./include/linux/bio-integrity.h:101:12: error: unused function 'bio_integrity_map_user' [-Werror,-Wunused-function]
> >
> > This looks like it needs:
> >
> > 546d191427cf ("block: make bio_integrity_map_user() static inline")
> >
> We see that, too:
> https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/14592368004
> We don't see the problem on 6.6, 6.18 or 7.0-stable.
Thanks! I've queued up 546d191427cf ("block: make bio_integrity_map_user()
static inline").
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-05-29 6:33 ` Brett A C Sheffield
@ 2026-05-29 19:19 ` Florian Fainelli
2026-05-29 21:50 ` Mark Brown
278 siblings, 0 replies; 284+ messages in thread
From: Florian Fainelli @ 2026-05-29 19:19 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 5/28/26 12:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.92 release.
> There are 272 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 30 May 2026 19:45:52 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.92-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-29 12:44 ` Sasha Levin
@ 2026-05-29 19:33 ` Florian Fainelli
0 siblings, 0 replies; 284+ messages in thread
From: Florian Fainelli @ 2026-05-29 19:33 UTC (permalink / raw)
To: Sasha Levin, Miguel Ojeda
Cc: gregkh, achill, akpm, broonie, conor, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Anuj Gupta, Kanchan Joshi, Christoph Hellwig, Keith Busch,
Jens Axboe, linux-block
On 5/29/26 05:44, Sasha Levin wrote:
> On Fri, May 29, 2026 at 10:27:21AM +0200, Pavel Machek wrote:
>>> I am seeing:
>>>
>>> ./include/linux/bio-integrity.h:101:12: error: unused function 'bio_integrity_map_user' [-Werror,-Wunused-function]
>>>
>>> This looks like it needs:
>>>
>>> 546d191427cf ("block: make bio_integrity_map_user() static inline")
>>>
>> We see that, too:
>> https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/14592368004
>> We don't see the problem on 6.6, 6.18 or 7.0-stable.
>
> Thanks! I've queued up 546d191427cf ("block: make bio_integrity_map_user()
> static inline").
Thanks, also seen here, FWIW.
--
Florian
^ permalink raw reply [flat|nested] 284+ messages in thread
* Re: [PATCH 6.12 000/272] 6.12.92-rc1 review
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-05-29 19:19 ` Florian Fainelli
@ 2026-05-29 21:50 ` Mark Brown
278 siblings, 0 replies; 284+ messages in thread
From: Mark Brown @ 2026-05-29 21:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Thu, May 28, 2026 at 09:46:14PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.92 release.
> There are 272 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 284+ messages in thread
end of thread, other threads:[~2026-05-29 21:50 UTC | newest]
Thread overview: 284+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-28 19:46 [PATCH 6.12 000/272] 6.12.92-rc1 review Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 001/272] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 002/272] mptcp: pm: ADD_ADDR rtx: allow ID 0 Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 003/272] mptcp: pm: ADD_ADDR rtx: always decrease sk refcount Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 004/272] mptcp: pm: ADD_ADDR rtx: free sk if last Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 005/272] ksmbd: validate owner of durable handle on reconnect Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 006/272] drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 007/272] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 008/272] Revert "perf cgroup: Update metric leader in evlist__expand_cgroup" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 009/272] Revert "perf tool_pmu: Fix aggregation on duration_time" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 010/272] Revert "perf python: Add parse_events function" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 011/272] Revert "perf tool_pmu: Factor tool events into their own PMU" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 012/272] bridge: mrp: reject zero test interval to avoid OOM panic Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 013/272] spi: spi-dw-dma: fix print error log when wait finish transaction Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 014/272] Revert "x86/vdso: Fix output operand size of RDPID" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 015/272] sched/deadline: Less agressive dl_server handling Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 016/272] sched/deadline: Fix dl_server_stopped() Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 017/272] sched/deadline: Always stop dl-server before changing parameters Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 018/272] sched/deadline: Fix dl_server getting stuck Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 019/272] sched/deadline: Fix dl_server behaviour Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 020/272] sched/deadline: Stop dl_server before CPU goes offline Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 021/272] ksmbd: close durable scavenger races against m_fp_list lookups Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 022/272] af_unix: Give up GC if MSG_PEEK intervened Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 023/272] drm/imagination: Synchronize interrupts before suspending the GPU Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 024/272] smb: client: reject userspace cifs.spnego descriptions Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 025/272] ata: libata-scsi: improve readability of ata_scsi_qc_issue() Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 026/272] ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 027/272] ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 028/272] ata: libata-scsi: do not needlessly defer commands when using PMP with FBS Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 029/272] perf parse-events: Expose/rename config_term_name Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 030/272] Revert "ice: fix double-free of tx_buf skb" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 031/272] Revert "ice: Remove jumbo_remove step from TX path" Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 032/272] tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64 Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 033/272] net/mlx5e: Trigger neighbor resolution for unresolved destinations Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 034/272] net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 035/272] x86/fgraph: Fix return_to_handler regs.rsp value Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 036/272] iommu/vt-d: Draining PRQ in sva unbind path when FPD bit set Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 037/272] riscv: fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 038/272] riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 039/272] hwmon: (pmbus/core) Protect regulator operations with mutex Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 040/272] arm64: Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 041/272] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 042/272] sysfs: dont remove existing directory on update failure Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 043/272] mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 044/272] ksmbd: fix null pointer dereference in compare_guid_key() Greg Kroah-Hartman
2026-05-28 19:46 ` [PATCH 6.12 045/272] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 046/272] ksmbd: validate SID in parent security descriptor during ACL inheritance Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 047/272] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 048/272] smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 049/272] smb: client: use data_len for SMB2 READ encrypted folioq copy Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 050/272] smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 051/272] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 052/272] ALSA: ua101: Reject too-short USB descriptors Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 053/272] ALSA: pcm: Dont setup bogus iov_iter for silencing Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 054/272] ALSA: asihpi: Fix potential OOB array access at reading cache Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 055/272] efi: Allocate runtime workqueue before ACPI init Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 056/272] io_uring/waitid: clear waitid info before copying it to userspace Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 057/272] drivers/base/memory: fix memory block reference leak in poison accounting Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 058/272] ipv6: ioam: refresh hdr pointer before ioam6_event() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 059/272] mm/memory_hotplug: fix memory block reference leak on remove Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 060/272] selftests/mm: run_vmtests.sh: fix destructive tests invocation Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 061/272] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 062/272] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 063/272] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 064/272] Bluetooth: bnep: Fix UAF read of dev->name Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 065/272] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 066/272] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 067/272] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 068/272] Bluetooth: serialize accept_q access Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 069/272] phonet/pep: disable BH around forwarded sk_receive_skb() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 070/272] net: bcmgenet: keep RBUF EEE/PM disabled Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 071/272] net: ifb: report ethtool stats over num_tx_queues Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 072/272] net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 073/272] netfilter: ip6t_hbh: reject oversized option lists Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 074/272] netfilter: nf_queue: hold bridge skb->dev while queued Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 075/272] netfilter: ipset: stop hash:* range iteration at end Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 076/272] netfilter: nft_inner: Fix IPv6 inner_thoff desync Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 077/272] sched_ext: Fix missing warning in scx_set_task_state() default case Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 078/272] sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 079/272] cgroup/cpuset: Reset DL migration state on can_attach() failure Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 080/272] fs/ntfs3: handle attr_set_size() errors when truncating files Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 081/272] l2tp: use list_del_rcu in l2tp_session_unhash Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 082/272] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 083/272] ring-buffer: Fix reporting of missed events in iterator Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 084/272] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 085/272] vsock/vmci: fix UAF when peer resets connection during handshake Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 086/272] vsock/virtio: reset connection on receiving queue overflow Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 087/272] wifi: ath11k: clear shared SRNG pointer state on restart Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 088/272] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 089/272] ixgbevf: fix use-after-free in VEPA multicast source pruning Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 090/272] rbd: eliminate a race in lock_dwork draining on unmap Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 091/272] lsm: hold cred_guard_mutex for lsm_set_self_attr() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 092/272] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 093/272] ice: fix setting promisc mode while adding VID filter Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 094/272] ice: restore PTP Rx timestamp config after ethtool set-channels Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 095/272] wifi: cfg80211: advance loop vars in cfg80211_merge_profile() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 096/272] af_unix: Fix UAF read of tail->len in unix_stream_data_wait() Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 097/272] wifi: mac80211: consume only present negotiated TTLM maps Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 098/272] cifs: Fix busy dentry used after unmounting Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 099/272] tracing: Do not call map->ops->elt_free() if elt_alloc() fails Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 100/272] arm64: probes: Handle probes on hinted conditional branch instructions Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 101/272] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 102/272] KVM: arm64: vgic: Free private_irqs when init fails after allocation Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 103/272] riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 104/272] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe Greg Kroah-Hartman
2026-05-28 19:47 ` [PATCH 6.12 105/272] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 106/272] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 107/272] scsi: isci: Fix use-after-free in device removal path Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 108/272] spi: ep93xx: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 109/272] spi: sprd: " Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 110/272] spi: ti-qspi: fix use-after-free " Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 111/272] RDMA/siw: Reject MPA FPDU length underflow before signed receive math Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 112/272] LoongArch: Remove unused code to avoid build warning Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 113/272] device property: set fwnode->secondary to NULL in fwnode_init() Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 114/272] drm/virtio: use uninterruptible resv lock for plane updates Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 115/272] drm/amdgpu/vpe: Force collaborate sync after TRAP Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 116/272] drm/bridge: it66121: acquire reset GPIO in probe Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 117/272] drm/bridge: megachips: remove bridge when irq request fails Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 118/272] drm/amd/display: Fix integer overflow in bios_get_image() Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 119/272] drm/amd/display: Validate GPIO pin LUT table size before iterating Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 120/272] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 121/272] batman-adv: mcast: fix use-after-free in orig_node RCU release Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 122/272] batman-adv: clear current gateway during teardown Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 123/272] batman-adv: dat: handle forward allocation error Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 124/272] batman-adv: fix fragment reassembly length accounting Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 125/272] batman-adv: fix tp_meter counter underflow during shutdown Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 126/272] batman-adv: frag: disallow unicast fragment in fragment Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 127/272] batman-adv: bla: fix report_work leak on backbone_gw purge Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 128/272] batman-adv: tp_meter: avoid use of uninit sender vars Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 129/272] batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 130/272] batman-adv: tp_meter: fix race condition in send error reporting Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 131/272] batman-adv: tt: fix negative last_changeset_len Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 132/272] batman-adv: tt: fix negative tt_buff_len Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 133/272] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 134/272] hwmon: (pmbus/adm1266) reject implausible blackbox record_count Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 135/272] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 136/272] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 137/272] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 138/272] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 139/272] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 140/272] hwmon: (pmbus/adm1266) register the nvmem device " Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 141/272] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 142/272] ARM: dts: renesas: genmai: Drop superfluous cells Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 143/272] ARM: dts: renesas: rskrza1: " Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 144/272] pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 145/272] HID: uclogic: Fix regression of input name assignment Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 146/272] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 147/272] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 148/272] firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 149/272] firmware: arm_ffa: Refactor addition of partition information into XArray Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 150/272] firmware: arm_ffa: Unregister the FF-A devices when cleaning up the partitions Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 151/272] firmware: arm_ffa: Remove unnecessary declaration of ffa_partitions_cleanup() Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 152/272] firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 153/272] firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0 Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 154/272] riscv: mm: Fixup no5lvl failure when vaddr is invalid Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 155/272] kunit: config: Enable KUNIT_DEBUGFS by default Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 156/272] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 157/272] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 158/272] firmware: arm_ffa: Fix big-endian support in __ffa_partition_info_regs_get() Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 159/272] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 160/272] firmware: arm_ffa: Align RxTx buffer size before mapping Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 161/272] firmware: arm_ffa: Fix sched-recv callback partition lookup Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 162/272] ARM: integrator: Fix early initialization Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 163/272] ALSA: hda: cs35l56: Put ACPI device after setting companion Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 164/272] ALSA: hda: cs35l41: Put ACPI device on missing physical node Greg Kroah-Hartman
2026-05-28 19:48 ` [PATCH 6.12 165/272] btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 166/272] netfilter: x_tables: unregister the templates first Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 167/272] netfilter: Make legacy configs user selectable Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 168/272] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 169/272] netfilter: x_tables: add and use xt_unregister_table_pre_exit Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 170/272] netfilter: x_tables: add and use xtables_unregister_table_exit Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 171/272] netfilter: ebtables: move to two-stage removal scheme Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 172/272] netfilter: ebtables: close dangling table module init race Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 173/272] netfilter: x_tables: " Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 174/272] netfilter: bridge: eb_tables: close " Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 175/272] kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 176/272] test_kprobes: clear kprobes between test runs Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 177/272] tcp: Fix imbalanced icsk_accept_queue count Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 178/272] ice: fix setting RSS VSI hash for E830 Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 179/272] ice: fix locking in ice_dcb_rebuild() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 180/272] net: lan966x: avoid unregistering netdev on register failure Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 181/272] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 182/272] NFSD: Fix infinite loop in layout state revocation Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 183/272] irqchip/ath79-cpu: Remove unused function Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 184/272] ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 185/272] nsfs: fix wrong error code returned for pidns ioctls Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 186/272] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 187/272] zonefs: handle integer overflow in zonefs_fname_to_fno Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 188/272] tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 189/272] powerpc: fix dead default for GUEST_STATE_BUFFER_TEST Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 190/272] netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 191/272] netfs: Fix overrun check in netfs_extract_user_iter() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 192/272] netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 193/272] netfs: Defer the emission of trace_netfs_folio() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 194/272] netfs: Fix streaming write being overwritten Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 195/272] netfs: Fix potential deadlock in write-through mode Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 196/272] netfs: Fix write streaming disablement if fd open O_RDWR Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 197/272] netfs: Fix early put of sink folio in netfs_read_gaps() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 198/272] netfs: Fix partial invalidation of streaming-write folio Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 199/272] netfs: Fix a few minor bugs in netfs_page_mkwrite() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 200/272] netfs: Remove unnecessary references to pages Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 201/272] netfs: Fix folio->private handling in netfs_perform_write() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 202/272] net: ethernet: cortina: Make RX SKB per-port Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 203/272] net: ethernet: cortina: Drop half-assembled SKB Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 204/272] net: ethernet: cortina: Carry over frag counter Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 205/272] net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 206/272] wifi: ath11k: fix error path leaks in some WMI WOW calls Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 207/272] wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 208/272] wifi: ath10k: skip WMI and beacon transmission when device is wedged Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 209/272] blk-integrity: remove seed for user mapped buffers Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 210/272] block: dont overwrite bip_vcnt in bio_integrity_copy_user() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 211/272] block: recompute nr_integrity_segments in blk_insert_cloned_request Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 212/272] HID: quirks: really enable the intended work around for appledisplay Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 213/272] block: modify bio_integrity_map_user to accept iov_iter as argument Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 214/272] block: drop direction param from bio_integrity_copy_user() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 215/272] blk-integrity: use simpler alignment check Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 216/272] blk-integrity: enable p2p source and destination Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 217/272] block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 218/272] accel/qaic: Add overflow check to remap_pfn_range during mmap Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 219/272] net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 220/272] ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 221/272] drm/msm/dsi: dont dump registers past the mapped region Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 222/272] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 223/272] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 224/272] net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot Greg Kroah-Hartman
2026-05-28 19:49 ` [PATCH 6.12 225/272] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 226/272] net: tls: prevent chain-after-chain in plain text SG Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 227/272] net: phy: DP83TC811: add reading of abilities Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 228/272] x86/xen: Fix xen_e820_swap_entry_with_ram() Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 229/272] tls: Preserve sk_err across recvmsg() when data has been copied Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 230/272] net/mlx5: Do not restore destination-less TC rules Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 231/272] scsi: sd: Fix return code handling in sd_spinup_disk() Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 232/272] ALSA: scarlett2: Add missing error check when initialise Autogain Status Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 233/272] io_uring/net: punt IORING_OP_BIND async if it needs file create Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 234/272] btrfs: fix squota accounting during enable generation Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 235/272] spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 236/272] drm/msm/snapshot: fix dumping of the unaligned regions Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 237/272] drm/xe/gsc: Fix double-free of managed BO in error path Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 238/272] drm/xe/vf: Fix signature of print functions Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 239/272] drm/xe/pf: Fix CFI failure in debugfs access Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 240/272] wifi: ath11k: fix peer resolution on rx path when peer_id=0 Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 241/272] ice: ptp: serialize E825 PHY timer start with PTP lock Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 242/272] drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 243/272] kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 244/272] net: dsa: mt7530: fix FDB entries not aging out with short timeout Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 245/272] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 246/272] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 247/272] platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 248/272] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 249/272] platform/x86: hp_accel: Check ACPI_COMPANION() " Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 250/272] platform/x86: intel-hid: Check ACPI_HANDLE() " Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 251/272] platform/x86: intel-vbtn: " Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 252/272] RDMA/rtrs: Fix use-after-free in path file creation cleanup Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 253/272] net: bridge: Flush multicast groups when snooping is disabled Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 254/272] bridge: mcast: Fix a possible use-after-free when removing a bridge port Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 255/272] pds_core: fix error handling in pdsc_devcmd_wait Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 256/272] pds_core: fix debugfs_lookup dentry leak and error handling Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 257/272] wifi: mac80211: fix MLE defragmentation Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 258/272] ALSA: seq: Serialize UMP output teardown with event_input Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 259/272] tracing: Avoid NULL return from hist_field_name() on truncation Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 260/272] Bluetooth: btmtk: fix urb->setup_packet leak in error paths Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 261/272] net: ag71xx: check error for platform_get_irq Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 262/272] bpf, skmsg: fix verdict sk_data_ready racing with ktls rx Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 263/272] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 264/272] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 265/272] ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 266/272] drm/xe/oa: Fix exec_queue leak on width check in stream open Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 267/272] octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 268/272] net: mana: validate rx_req_idx to prevent out-of-bounds array access Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 269/272] pds_core: ensure null-termination for firmware version strings Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 270/272] net: gro: dont merge zcopy skbs Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 271/272] LoongArch: kprobes: Fix handling of fatal unrecoverable recursions Greg Kroah-Hartman
2026-05-28 19:50 ` [PATCH 6.12 272/272] landlock: Fix TCP handling of short AF_UNSPEC addresses Greg Kroah-Hartman
2026-05-29 3:23 ` [PATCH 6.12 000/272] 6.12.92-rc1 review Dominique Martinet
2026-05-29 5:39 ` Ron Economos
2026-05-29 6:09 ` Miguel Ojeda
2026-05-29 8:27 ` Pavel Machek
2026-05-29 12:44 ` Sasha Levin
2026-05-29 19:33 ` Florian Fainelli
2026-05-29 10:59 ` Peter Schneider
2026-05-29 6:23 ` Francesco Dolcini
2026-05-29 6:33 ` Brett A C Sheffield
2026-05-29 19:19 ` Florian Fainelli
2026-05-29 21:50 ` Mark Brown
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox