* [PATCH 6.1 000/129] 6.1.177-rc1 review
@ 2026-07-02 16:18 Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 001/129] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
` (135 more replies)
0 siblings, 136 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.1.177 release.
There are 129 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.177-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.177-rc1
Wongi Lee <qw3rtyp0@gmail.com>
ipv6: account for fraggap on the paged allocation path
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - remove unused character device and IOCTLs
Herbert Xu <herbert@gondor.apana.org.au>
crypto: qat - Return pointer directly in adf_ctl_alloc_resources
Thorsten Blum <thorsten.blum@linux.dev>
crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user()
Bagas Sanjaya <bagasdotme@gmail.com>
Documentation: ioctl-number: Extend "Include File" column width
Stepan Ionichev <sozdayvek@gmail.com>
serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
Joanne Koong <joannelkoong@gmail.com>
fuse: re-lock request before replacing page cache folio
Santosh Kalluri <santosh.kalluri129@gmail.com>
net: phonet: free phonet_device after RCU grace period
Kuniyuki Iwashima <kuniyu@amazon.com>
phonet: Pass net and ifindex to phonet_address_notify().
Kuniyuki Iwashima <kuniyu@amazon.com>
phonet: Pass ifindex to fill_addr().
Davidlohr Bueso <dave@stgolabs.net>
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
Dexuan Cui <decui@microsoft.com>
Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
Ji'an Zhou <eilaimemedsnaimel@gmail.com>
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
Abel Vesa <abel.vesa@linaro.org>
misc: fastrpc: Add dma_mask to fastrpc_channel_ctx
Thorsten Blum <thorsten.blum@linux.dev>
hv: utils: handle and propagate errors in kvp_register
Paolo Abeni <pabeni@redhat.com>
mptcp: fix missing wakeups in edge scenarios
Tao Cui <cuitao@kylinos.cn>
mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
Deepak Kumar Singh <quic_deesin@quicinc.com>
rpmsg: char: Add lock to avoid race when rpmsg device is released
Hem Parekh <hemparekh1596@gmail.com>
ksmbd: fix out-of-bounds read in smb_check_perm_dacl()
Michael Bommarito <michael.bommarito@gmail.com>
NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr
Dominik Woźniak <stalion@gmail.com>
nfsd: check get_user() return when reading princhashlen
Jeff Layton <jlayton@kernel.org>
nfsd: fix posix_acl leak on SETACL decode failure
Guannan Wang <wgnbuaa@gmail.com>
NFSD: Fix SECINFO_NO_NAME decode error cleanup
Steffen Persvold <spersvold@gmail.com>
fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
Ian Bridges <icb@fastmail.org>
fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
Wentao Liang <vulab@iscas.ac.cn>
power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init()
Ashutosh Desai <ashutoshdesai993@gmail.com>
KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
Jonas Jelonek <jelonek.jonas@gmail.com>
MIPS: smp: report dying CPU to RCU in stop_this_cpu()
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
9p: avoid putting oldfid in p9_client_walk() error path
Zhang Cen <rollkingzzc@gmail.com>
ocfs2: reject oversized group bitmap descriptors
Wentao Liang <vulab@iscas.ac.cn>
fpga: region: fix use-after-free in child_regions_with_firmware()
Qingshuang Fu <fuqingshuang@kylinos.cn>
irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
Wentao Liang <vulab@iscas.ac.cn>
pNFS: Fix use-after-free in pnfs_update_layout()
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Report dying CPU to RCU in stop_this_cpu()
Doruk Tan Ozturk <doruk@0sec.ai>
tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
Fan Wu <fanwu01@zju.edu.cn>
hdlc_ppp: sync per-proto timers before freeing hdlc state
Michael Bommarito <michael.bommarito@gmail.com>
exfat: fix potential use-after-free in exfat_find_dir_entry()
Maciej W. Rozycki <macro@orcam.me.uk>
MIPS: DEC: Prevent initial console buffer from landing in XKPHYS
Dawei Feng <dawei.feng@seu.edu.cn>
bpf: use kvfree() for replaced sysctl write buffer
Zhang Cen <rollkingzzc@gmail.com>
f2fs: validate ACL entry sizes in f2fs_acl_from_disk()
Sunmin Jeong <s_min.jeong@samsung.com>
f2fs: fix to round down start offset of fallocate for pin file
Wenjie Qi <qwjhust@gmail.com>
f2fs: validate compress cache inode only when enabled
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor
Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
wifi: ath11k: fix warning when unbinding
Zenm Chen <zenmchen@gmail.com>
wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S
Shaomin Chen <eeesssooo020@gmail.com>
keys: Pin request_key_auth payload in instantiate paths
Jarkko Sakkinen <jarkko@kernel.org>
KEYS: fix overflow in keyctl_pkey_params_get_2()
Koichiro Den <den@valinux.co.jp>
NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
Ruslan Valiyev <linuxoid@gmail.com>
apparmor: fix use-after-free in rawdata dedup loop
Bryam Vargas <hexlabsecurity@proton.me>
apparmor: mediate the implicit connect of TCP fast open sendmsg
Yiming Qian <yimingqian591@gmail.com>
net: skmsg: preserve sg.copy across SG transforms
Doruk Tan Ozturk <doruk@0sec.ai>
mac802154: llsec: add skb_cow_data() before in-place crypto
Yuto Ohnuki <ytohnuki@amazon.com>
ext4: add bounds check for inline data length in ext4_read_inline_page
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
ntfs3: reject direct userspace writes to reserved $LX* xattrs
Sven Eckelmann <sven@narfation.org>
batman-adv: tvlv: avoid race of cifsnotfound handler state
Sven Eckelmann <sven@narfation.org>
batman-adv: tvlv: enforce 2-byte alignment
Sven Eckelmann <sven@narfation.org>
batman-adv: dat: prevent false sharing between VLANs
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: track roam count per VID
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: don't merge change entries with different VIDs
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: handle overlapping packets
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: prevent parallel modifications of last_recv
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: restrict number of unacked list entries
Sven Eckelmann <sven@narfation.org>
batman-adv: v: prevent OGM aggregation on disabled hardif
Sven Eckelmann <sven@narfation.org>
batman-adv: frag: avoid underflow of TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: frag: ensure fragment is writable before modifying TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: fix (m|b)cast csum after decrementing TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: ensure bcast is writable before modifying TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: initialize last_recv_time during init
Sven Eckelmann <sven@narfation.org>
batman-adv: prevent ELP transmission interval underflow
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: add only finished tp_vars to lists
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: fix fast recovery precondition
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: avoid window underflow
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: initialize dec_cwnd explicitly
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: initialize dup_acks explicitly
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: keep unacked list in ascending ordered
Yu Zhao <yuzhao@google.com>
mm/mglru: skip special VMAs in lru_gen_look_around()
Petr Machata <petrm@nvidia.com>
Revert "ptp: add testptp mask test"
Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Ian Rogers <irogers@google.com>
perf block-range: Move debug code behind ifndef NDEBUG
Ian Rogers <irogers@google.com>
perf bench: Avoid NDEBUG warning
Miklos Szeredi <mszeredi@redhat.com>
virtiofs: fix UAF on submount umount
Ruslan Valiyev <linuxoid@gmail.com>
media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
Gil Portnoy <dddhkts1@gmail.com>
ksmbd: reject non-VALID session in compound request branch
Yi Yang <yiyang13@huawei.com>
vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: always walk all pending catchall elements
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
dlm: prevent NPD when writing a positive value to event_done
André Draszik <andre.draszik@linaro.org>
regulator: core: fix locking in regulator_resolve_supply() error path
Bjoern Doebel <doebel@amazon.de>
ring-buffer: Remove ring_buffer_read_prepare_sync()
Jiexun Wang <wangjiexun2025@gmail.com>
af_unix: Reject SIOCATMARK on non-stream sockets
Mingyu Wang <25181214217@stu.xidian.edu.cn>
agp/amd64: Fix broken error propagation in agp_amd64_probe()
Weiming Shi <bestswngs@gmail.com>
net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink()
Weiming Shi <bestswngs@gmail.com>
i2c: stub: Reject I2C block transfers with invalid length
Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
RDMA/bnxt_re: zero shared page before exposing to userspace
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
ARM: fix branch predictor hardening
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
ARM: fix hash_name() fault
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
ARM: allow __do_kernel_fault() to report execution of memory faults
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
ARM: group is_permission_fault() with is_translation_fault()
Waiman Long <longman@redhat.com>
debugobjects: Dont call fill_pool() in early boot hardirq context
Helen Koike <koike@igalia.com>
debugobjects: Do not fill_pool() if pi_blocked_on
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING
Peter Zijlstra <peterz@infradead.org>
debugobjects,locking: Annotate debug_object_fill_pool() wait type violation
Eric Dumazet <edumazet@google.com>
net: annotate data-races around sk->sk_{data_ready,write_space}
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Fold requested virtual interrupt check into has_nested_events()
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Check for pending posted interrupts when looking for nested events
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: prevent TVLV entry number overflow
Maíra Canal <mcanal@igalia.com>
drm/v3d: Skip CSD when it has zeroed workgroups
Maíra Canal <mcanal@igalia.com>
drm/v3d: Store the active job inside the queue's state
Ihor Solodrai <ihor.solodrai@pm.me>
selftests/bpf: Check for timeout in perf_link test
Jiri Olsa <jolsa@kernel.org>
selftests/bpf: Move get_time_ns to testing_helpers.h
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: unconditionally bump set->nelems before insertion
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: fix set size with rbtree backend
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: always increment set element count
Eric Dumazet <edumazet@google.com>
ip6_vti: set netns_immutable on the fallback device.
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Bound VBIOS record-chain walk loops
Sean Christopherson <seanjc@google.com>
KVM: VMX: Make vmread_error_trampoline() uncallable from C code
Hangbin Liu <liuhangbin@gmail.com>
selftests/bpf: move SYS() macro into the test_progs.h
Pedro Tammela <pctammela@mojatatu.com>
net/sched: act_pedit: free pedit keys on bail from offset check
Rajat Gupta <rajat.gupta@oss.qualcomm.com>
net/sched: fix pedit partial COW leading to page cache corruption
Pedro Tammela <pctammela@mojatatu.com>
net/sched: act_pedit: rate limit datapath messages
Pedro Tammela <pctammela@mojatatu.com>
net/sched: act_pedit: check static offsets a priori
Jann Horn <jannh@google.com>
fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
-------------
Diffstat:
Documentation/userspace-api/ioctl/ioctl-number.rst | 463 ++++++++++-----------
Makefile | 4 +-
arch/arm/mm/alignment.c | 4 +
arch/arm/mm/fault.c | 94 ++++-
arch/loongarch/kernel/smp.c | 1 +
arch/mips/dec/prom/console.c | 7 +-
arch/mips/kernel/smp.c | 2 +
arch/x86/include/asm/kvm-x86-ops.h | 1 -
arch/x86/include/asm/kvm_host.h | 1 -
arch/x86/kvm/mmu/mmu.c | 28 +-
arch/x86/kvm/svm/sev.c | 1 +
arch/x86/kvm/vmx/nested.c | 45 +-
arch/x86/kvm/vmx/posted_intr.h | 10 +
arch/x86/kvm/vmx/vmenter.S | 2 +
arch/x86/kvm/vmx/vmx.c | 21 -
arch/x86/kvm/vmx/vmx_ops.h | 18 +-
arch/x86/kvm/x86.c | 10 +-
drivers/char/agp/amd64-agp.c | 2 +-
drivers/crypto/qat/qat_common/adf_cfg_common.h | 32 --
drivers/crypto/qat/qat_common/adf_cfg_user.h | 38 --
drivers/crypto/qat/qat_common/adf_common_drv.h | 3 -
drivers/crypto/qat/qat_common/adf_ctl_drv.c | 425 +------------------
drivers/crypto/qat/qat_common/adf_dev_mgr.c | 70 ----
drivers/fpga/of-fpga-region.c | 3 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 15 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 27 +-
.../drm/amd/display/dc/bios/bios_parser_helper.h | 5 +
drivers/gpu/drm/v3d/v3d_drv.h | 8 +-
drivers/gpu/drm/v3d/v3d_gem.c | 5 +-
drivers/gpu/drm/v3d/v3d_irq.c | 24 +-
drivers/gpu/drm/v3d/v3d_sched.c | 36 +-
drivers/hv/hv_kvp.c | 25 +-
drivers/hv/vmbus_drv.c | 29 +-
drivers/i2c/i2c-stub.c | 5 +
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
drivers/irqchip/irq-imgpdc.c | 6 +
drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +-
drivers/misc/fastrpc.c | 7 +-
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 8 +-
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h | 1 +
drivers/net/wan/hdlc_ppp.c | 15 +-
drivers/net/wireless/ath/ath11k/dp.c | 1 +
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
.../net/wireless/realtek/rtlwifi/rtl8821ae/trx.h | 2 +-
drivers/ntb/hw/epf/ntb_hw_epf.c | 3 +-
drivers/power/reset/linkstation-poweroff.c | 2 +-
drivers/regulator/core.c | 10 +-
drivers/rpmsg/rpmsg_char.c | 8 +
drivers/tty/serial/8250/8250_dw.c | 4 +-
drivers/tty/vt/vc_screen.c | 2 +-
drivers/video/fbdev/core/fbmem.c | 12 +
drivers/video/fbdev/core/modedb.c | 2 +-
fs/dlm/lockspace.c | 2 +-
fs/exfat/dir.c | 4 +-
fs/ext4/inline.c | 8 +
fs/f2fs/acl.c | 18 +-
fs/f2fs/file.c | 9 +-
fs/f2fs/inode.c | 9 +-
fs/fuse/dev.c | 23 +-
fs/fuse/file.c | 8 +-
fs/nfs/pnfs.c | 2 +-
fs/nfs/pnfs_nfs.c | 4 +-
fs/nfsd/nfs2acl.c | 17 +-
fs/nfsd/nfs3acl.c | 17 +-
fs/nfsd/nfs4recover.c | 3 +-
fs/nfsd/nfs4xdr.c | 3 +-
fs/ntfs3/xattr.c | 12 +
fs/ocfs2/suballoc.c | 22 +
fs/smb/server/smb2pdu.c | 5 +
fs/smb/server/smbacl.c | 4 +-
include/keys/request_key_auth-type.h | 2 +
include/linux/kvm_host.h | 7 +-
include/linux/lockdep.h | 14 +
include/linux/lockdep_types.h | 1 +
include/linux/ring_buffer.h | 4 +-
include/linux/skmsg.h | 15 +-
include/net/netfilter/nf_tables.h | 6 +
include/net/phonet/pn_dev.h | 2 +-
include/net/tc_act/tc_pedit.h | 1 -
kernel/bpf/cgroup.c | 2 +-
kernel/futex/requeue.c | 6 +
kernel/locking/lockdep.c | 28 +-
kernel/locking/rtmutex.c | 3 +
kernel/locking/rtmutex_api.c | 2 +-
kernel/trace/ring_buffer.c | 67 +--
kernel/trace/trace.c | 14 +-
kernel/trace/trace_kdb.c | 8 +-
lib/debugobjects.c | 57 ++-
mm/vmscan.c | 13 +-
net/9p/client.c | 3 +-
net/batman-adv/bat_iv_ogm.c | 11 +-
net/batman-adv/bat_v.c | 1 +
net/batman-adv/bat_v_ogm.c | 23 +-
net/batman-adv/bridge_loop_avoidance.c | 28 +-
net/batman-adv/distributed-arp-table.c | 12 +-
net/batman-adv/fragmentation.c | 22 +-
net/batman-adv/fragmentation.h | 3 +-
net/batman-adv/netlink.c | 10 +-
net/batman-adv/routing.c | 64 ++-
net/batman-adv/tp_meter.c | 115 +++--
net/batman-adv/translation-table.c | 32 +-
net/batman-adv/tvlv.c | 69 ++-
net/batman-adv/types.h | 21 +-
net/core/filter.c | 27 ++
net/core/skmsg.c | 16 +-
net/ipv4/tcp.c | 4 +-
net/ipv4/tcp_bpf.c | 2 +-
net/ipv4/tcp_input.c | 14 +-
net/ipv4/tcp_minisocks.c | 2 +-
net/ipv4/udp.c | 2 +-
net/ipv4/udp_bpf.c | 2 +-
net/ipv6/ip6_output.c | 4 +-
net/ipv6/ip6_vti.c | 1 +
net/mac802154/llsec.c | 14 +
net/mptcp/pm_userspace.c | 13 +-
net/mptcp/protocol.c | 4 +-
net/netfilter/nf_tables_api.c | 74 +++-
net/netfilter/nft_set_rbtree.c | 43 ++
net/phonet/pn_dev.c | 12 +-
net/phonet/pn_netlink.c | 23 +-
net/sched/act_pedit.c | 101 +++--
net/tipc/crypto.c | 9 +
net/tls/tls_sw.c | 4 +
net/unix/af_unix.c | 11 +-
security/apparmor/include/policy_unpack.h | 19 +
security/apparmor/lsm.c | 16 +-
security/apparmor/policy.c | 8 +-
security/keys/internal.h | 2 +
security/keys/keyctl.c | 24 +-
security/keys/keyctl_pkey.c | 9 +-
security/keys/request_key_auth.c | 33 +-
tools/perf/bench/find-bit-bench.c | 8 +-
tools/perf/util/block-range.c | 6 +-
tools/testing/selftests/bpf/bench.h | 9 -
tools/testing/selftests/bpf/prog_tests/empty_skb.c | 25 +-
.../selftests/bpf/prog_tests/kprobe_multi_test.c | 8 -
tools/testing/selftests/bpf/prog_tests/perf_link.c | 15 +-
.../testing/selftests/bpf/prog_tests/tc_redirect.c | 154 ++++---
.../testing/selftests/bpf/prog_tests/test_tunnel.c | 71 ++--
.../testing/selftests/bpf/prog_tests/xdp_bonding.c | 38 +-
.../selftests/bpf/prog_tests/xdp_do_redirect.c | 30 +-
.../selftests/bpf/prog_tests/xdp_synproxy.c | 41 +-
tools/testing/selftests/bpf/test_progs.h | 15 +
tools/testing/selftests/bpf/testing_helpers.h | 10 +
tools/testing/selftests/ptp/testptp.c | 19 +-
145 files changed, 1807 insertions(+), 1529 deletions(-)
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 001/129] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 002/129] net/sched: act_pedit: check static offsets a priori Greg Kroah-Hartman
` (134 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Miklos Szeredi,
Christian Brauner (Amutable), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c ]
FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios
can contain uninitialized data.
Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already
in the page cache and not wait for data from the FUSE daemon, treat
!uptodate folios as if they weren't present.
This only has security impact on systems that don't enable automatic
zero-initialization of all page allocations via
CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.
Cc: stable@kernel.org
Fixes: 2d45ba381a74 ("fuse: add retrieve request")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260519-fuse-retrieve-uptodate-v1-1-a7a1912a37f9@google.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
[adjusted for stable: page instead of folio]
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dev.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 58ec5bac6ce9d1..abee0cd67182f3 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1718,6 +1718,10 @@ static int fuse_retrieve(struct fuse_mount *fm, struct inode *inode,
page = find_get_page(mapping, index);
if (!page)
break;
+ if (!PageUptodate(page)) {
+ put_page(page);
+ break;
+ }
this_num = min_t(unsigned, num, PAGE_SIZE - offset);
ap->pages[ap->num_pages] = page;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 002/129] net/sched: act_pedit: check static offsets a priori
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 001/129] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 003/129] net/sched: act_pedit: rate limit datapath messages Greg Kroah-Hartman
` (133 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Simon Horman,
Pedro Tammela, David S. Miller, Wentao Guan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit e1201bc781c28766720e78a5e099ffa568be4d74 ]
Static key offsets should always be on 32 bit boundaries. Validate them on
create/update time for static offsets and move the datapath validation
for runtime offsets only.
iproute2 already errors out if a given offset and data size cannot be
packed to a 32 bit boundary. This change will make sure users which
create/update pedit instances directly via netlink also error out,
instead of finding out when packets are traversing.
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e1201bc781c28766720e78a5e099ffa568be4d74)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_pedit.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index aee2e13f1db624..2bdc44efee779a 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -250,8 +250,16 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
memcpy(nparms->tcfp_keys, parm->keys, ksize);
for (i = 0; i < nparms->tcfp_nkeys; ++i) {
+ u32 offmask = nparms->tcfp_keys[i].offmask;
u32 cur = nparms->tcfp_keys[i].off;
+ /* The AT option can be added to static offsets in the datapath */
+ if (!offmask && cur % 4) {
+ NL_SET_ERR_MSG_MOD(extack, "Offsets must be on 32bit boundaries");
+ ret = -EINVAL;
+ goto put_chain;
+ }
+
/* sanitize the shift value for any later use */
nparms->tcfp_keys[i].shift = min_t(size_t,
BITS_PER_TYPE(int) - 1,
@@ -260,7 +268,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
/* The AT option can read a single byte, we can bound the actual
* value with uchar max.
*/
- cur += (0xff & nparms->tcfp_keys[i].offmask) >> nparms->tcfp_keys[i].shift;
+ cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
/* Each key touches 4 bytes starting from the computed offset */
nparms->tcfp_off_max_hint =
@@ -429,12 +437,12 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
sizeof(_d), &_d);
if (!d)
goto bad;
- offset += (*d & tkey->offmask) >> tkey->shift;
- }
- if (offset % 4) {
- pr_info("tc action pedit offset must be on 32 bit boundaries\n");
- goto bad;
+ offset += (*d & tkey->offmask) >> tkey->shift;
+ if (offset % 4) {
+ pr_info("tc action pedit offset must be on 32 bit boundaries\n");
+ goto bad;
+ }
}
if (!offset_valid(skb, hoffset + offset)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 003/129] net/sched: act_pedit: rate limit datapath messages
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 001/129] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 002/129] net/sched: act_pedit: check static offsets a priori Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 004/129] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
` (132 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Simon Horman,
Pedro Tammela, David S. Miller, Wentao Guan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit e3c9673e2f6e1b3aa4bb87c570336e10f364c28a ]
Unbounded info messages in the pedit datapath can flood the printk
ring buffer quite easily depending on the action created.
As these messages are informational, usually printing some, not all,
is enough to bring attention to the real issue.
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e3c9673e2f6e1b3aa4bb87c570336e10f364c28a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_pedit.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 2bdc44efee779a..7ba460fda1f4e9 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -429,8 +429,8 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
u8 *d, _d;
if (!offset_valid(skb, hoffset + tkey->at)) {
- pr_info("tc action pedit 'at' offset %d out of bounds\n",
- hoffset + tkey->at);
+ pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
+ hoffset + tkey->at);
goto bad;
}
d = skb_header_pointer(skb, hoffset + tkey->at,
@@ -440,14 +440,13 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
offset += (*d & tkey->offmask) >> tkey->shift;
if (offset % 4) {
- pr_info("tc action pedit offset must be on 32 bit boundaries\n");
+ pr_info_ratelimited("tc action pedit offset must be on 32 bit boundaries\n");
goto bad;
}
}
if (!offset_valid(skb, hoffset + offset)) {
- pr_info("tc action pedit offset %d out of bounds\n",
- hoffset + offset);
+ pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
goto bad;
}
@@ -464,8 +463,7 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
val = (*ptr + tkey->val) & ~tkey->mask;
break;
default:
- pr_info("tc action pedit bad command (%d)\n",
- cmd);
+ pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
goto bad;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 004/129] net/sched: fix pedit partial COW leading to page cache corruption
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 003/129] net/sched: act_pedit: rate limit datapath messages Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 005/129] net/sched: act_pedit: free pedit keys on bail from offset check Greg Kroah-Hartman
` (131 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Keenan Dong,
Han Guidong, Zhang Cen, Davide Caratti,
Toke Høiland-Jørgensen, Victor Nogueira,
Jamal Hadi Salim, Rajat Gupta, Jakub Kicinski, Wentao Guan,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
[ Upstream commit 899ee91156e57784090c5565e4f31bd7dbffbc5a ]
tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.
Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Reported-by: Han Guidong <2045gemini@gmail.com>
Reported-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Han Guidong <2045gemini@gmail.com>
Tested-by: Han Guidong <2045gemini@gmail.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Tested-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Link: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com
[rename include file from linux/unaligned.h to asm/unaligned.h]
Conflicts:
include/net/tc_act/tc_pedit.h
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tc_act/tc_pedit.h | 1 -
net/sched/act_pedit.c | 77 +++++++++++++++++++----------------
2 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
index 83fe3993178180..a26d4cd3b8d6f3 100644
--- a/include/net/tc_act/tc_pedit.h
+++ b/include/net/tc_act/tc_pedit.h
@@ -14,7 +14,6 @@ struct tcf_pedit_key_ex {
struct tcf_pedit_parms {
struct tc_pedit_key *tcfp_keys;
struct tcf_pedit_key_ex *tcfp_keys_ex;
- u32 tcfp_off_max_hint;
unsigned char tcfp_nkeys;
unsigned char tcfp_flags;
struct rcu_head rcu;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 7ba460fda1f4e9..1b076c4f2d1af5 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -16,6 +16,8 @@
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/slab.h>
+#include <linux/overflow.h>
+#include <asm/unaligned.h>
#include <net/ipv6.h>
#include <net/netlink.h>
#include <net/pkt_sched.h>
@@ -237,7 +239,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
goto out_free_ex;
}
- nparms->tcfp_off_max_hint = 0;
nparms->tcfp_flags = parm->flags;
nparms->tcfp_nkeys = parm->nkeys;
@@ -265,14 +266,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
BITS_PER_TYPE(int) - 1,
nparms->tcfp_keys[i].shift);
- /* The AT option can read a single byte, we can bound the actual
- * value with uchar max.
- */
- cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
-
- /* Each key touches 4 bytes starting from the computed offset */
- nparms->tcfp_off_max_hint =
- max(nparms->tcfp_off_max_hint, cur + 4);
}
p = to_pedit(*a);
@@ -313,15 +306,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
}
-static bool offset_valid(struct sk_buff *skb, int offset)
+static bool offset_valid(struct sk_buff *skb, int offset, int len)
{
- if (offset > 0 && offset > skb->len)
- return false;
-
- if (offset < 0 && -offset > skb_headroom(skb))
+ if (offset < -(int)skb_headroom(skb))
return false;
- return true;
+ return offset <= (int)skb->len - len;
}
static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
@@ -387,18 +377,10 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
struct tcf_pedit_key_ex *tkey_ex;
struct tcf_pedit_parms *parms;
struct tc_pedit_key *tkey;
- u32 max_offset;
int i;
parms = rcu_dereference_bh(p->parms);
- max_offset = (skb_transport_header_was_set(skb) ?
- skb_transport_offset(skb) :
- skb_network_offset(skb)) +
- parms->tcfp_off_max_hint;
- if (skb_ensure_writable(skb, min(skb->len, max_offset)))
- goto done;
-
tcf_lastuse_update(&p->tcf_tm);
tcf_action_update_bstats(&p->common, skb);
@@ -406,10 +388,11 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
tkey_ex = parms->tcfp_keys_ex;
for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
+ int write_offset, write_len;
int offset = tkey->off;
int hoffset = 0;
- u32 *ptr, hdata;
- u32 val;
+ u32 cur_val, val;
+ u32 *ptr;
int rc;
if (tkey_ex) {
@@ -427,13 +410,15 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
if (tkey->offmask) {
u8 *d, _d;
+ int at_offset;
- if (!offset_valid(skb, hoffset + tkey->at)) {
+ if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||
+ !offset_valid(skb, at_offset, sizeof(_d))) {
pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
hoffset + tkey->at);
goto bad;
}
- d = skb_header_pointer(skb, hoffset + tkey->at,
+ d = skb_header_pointer(skb, at_offset,
sizeof(_d), &_d);
if (!d)
goto bad;
@@ -445,31 +430,51 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
}
}
- if (!offset_valid(skb, hoffset + offset)) {
- pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
+ if (check_add_overflow(hoffset, offset, &write_offset)) {
+ pr_info_ratelimited("tc action pedit offset overflow\n");
goto bad;
}
- ptr = skb_header_pointer(skb, hoffset + offset,
- sizeof(hdata), &hdata);
- if (!ptr)
+ if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
+ pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
+ write_offset);
goto bad;
+ }
+
+ if (write_offset < 0) {
+ if (skb_cow(skb, -write_offset))
+ goto bad;
+ if (write_offset + (int)sizeof(*ptr) > 0) {
+ if (skb_ensure_writable(skb,
+ min_t(int, skb->len,
+ write_offset + (int)sizeof(*ptr))))
+ goto bad;
+ }
+ } else {
+ if (check_add_overflow(write_offset, (int)sizeof(*ptr),
+ &write_len))
+ goto bad;
+ if (skb_ensure_writable(skb, min_t(int, skb->len,
+ write_len)))
+ goto bad;
+ }
+
+ ptr = (u32 *)(skb->data + write_offset);
+ cur_val = get_unaligned(ptr);
/* just do it, baby */
switch (cmd) {
case TCA_PEDIT_KEY_EX_CMD_SET:
val = tkey->val;
break;
case TCA_PEDIT_KEY_EX_CMD_ADD:
- val = (*ptr + tkey->val) & ~tkey->mask;
+ val = (cur_val + tkey->val) & ~tkey->mask;
break;
default:
pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
goto bad;
}
- *ptr = ((*ptr & tkey->mask) ^ val);
- if (ptr == &hdata)
- skb_store_bits(skb, hoffset + offset, ptr, 4);
+ put_unaligned((cur_val & tkey->mask) ^ val, ptr);
}
goto done;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 005/129] net/sched: act_pedit: free pedit keys on bail from offset check
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 004/129] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 006/129] selftests/bpf: move SYS() macro into the test_progs.h Greg Kroah-Hartman
` (130 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Pedro Tammela,
Ido Schimmel, Paolo Abeni, Wentao Guan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
[ Upstream commit 1b483d9f5805c7e3d628d4995e97f4311fcb82eb ]
Ido Schimmel reports a memleak on a syzkaller instance:
BUG: memory leak
unreferenced object 0xffff88803d45e400 (size 1024):
comm "syz-executor292", pid 563, jiffies 4295025223 (age 51.781s)
hex dump (first 32 bytes):
28 bd 70 00 fb db df 25 02 00 14 1f ff 02 00 02 (.p....%........
00 32 00 00 1f 00 00 00 ac 14 14 3e 08 00 07 00 .2.........>....
backtrace:
[<ffffffff81bd0f2c>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
[<ffffffff81bd0f2c>] slab_post_alloc_hook mm/slab.h:772 [inline]
[<ffffffff81bd0f2c>] slab_alloc_node mm/slub.c:3452 [inline]
[<ffffffff81bd0f2c>] __kmem_cache_alloc_node+0x25c/0x320 mm/slub.c:3491
[<ffffffff81a865d9>] __do_kmalloc_node mm/slab_common.c:966 [inline]
[<ffffffff81a865d9>] __kmalloc+0x59/0x1a0 mm/slab_common.c:980
[<ffffffff83aa85c3>] kmalloc include/linux/slab.h:584 [inline]
[<ffffffff83aa85c3>] tcf_pedit_init+0x793/0x1ae0 net/sched/act_pedit.c:245
[<ffffffff83a90623>] tcf_action_init_1+0x453/0x6e0 net/sched/act_api.c:1394
[<ffffffff83a90e58>] tcf_action_init+0x5a8/0x950 net/sched/act_api.c:1459
[<ffffffff83a96258>] tcf_action_add+0x118/0x4e0 net/sched/act_api.c:1985
[<ffffffff83a96997>] tc_ctl_action+0x377/0x490 net/sched/act_api.c:2044
[<ffffffff83920a8d>] rtnetlink_rcv_msg+0x46d/0xd70 net/core/rtnetlink.c:6395
[<ffffffff83b24305>] netlink_rcv_skb+0x185/0x490 net/netlink/af_netlink.c:2575
[<ffffffff83901806>] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6413
[<ffffffff83b21cae>] netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
[<ffffffff83b21cae>] netlink_unicast+0x5be/0x8a0 net/netlink/af_netlink.c:1365
[<ffffffff83b2293f>] netlink_sendmsg+0x9af/0xed0 net/netlink/af_netlink.c:1942
[<ffffffff8380c39f>] sock_sendmsg_nosec net/socket.c:724 [inline]
[<ffffffff8380c39f>] sock_sendmsg net/socket.c:747 [inline]
[<ffffffff8380c39f>] ____sys_sendmsg+0x3ef/0xaa0 net/socket.c:2503
[<ffffffff838156d2>] ___sys_sendmsg+0x122/0x1c0 net/socket.c:2557
[<ffffffff8381594f>] __sys_sendmsg+0x11f/0x200 net/socket.c:2586
[<ffffffff83815ab0>] __do_sys_sendmsg net/socket.c:2595 [inline]
[<ffffffff83815ab0>] __se_sys_sendmsg net/socket.c:2593 [inline]
[<ffffffff83815ab0>] __x64_sys_sendmsg+0x80/0xc0 net/socket.c:2593
The recently added static offset check missed a free to the key buffer when
bailing out on error.
Fixes: e1201bc781c2 ("net/sched: act_pedit: check static offsets a priori")
Reported-by: Ido Schimmel <idosch@idosch.org>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Link: https://lore.kernel.org/r/20230425144725.669262-1-pctammela@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 1b483d9f5805c7e3d628d4995e97f4311fcb82eb)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_pedit.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 1b076c4f2d1af5..09310b56b45beb 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -258,7 +258,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
if (!offmask && cur % 4) {
NL_SET_ERR_MSG_MOD(extack, "Offsets must be on 32bit boundaries");
ret = -EINVAL;
- goto put_chain;
+ goto out_free_keys;
}
/* sanitize the shift value for any later use */
@@ -283,6 +283,8 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
return ret;
+out_free_keys:
+ kfree(nparms->tcfp_keys);
put_chain:
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 006/129] selftests/bpf: move SYS() macro into the test_progs.h
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 005/129] net/sched: act_pedit: free pedit keys on bail from offset check Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 007/129] KVM: VMX: Make vmread_error_trampoline() uncallable from C code Greg Kroah-Hartman
` (129 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin KaFai Lau, Hangbin Liu,
Martin KaFai Lau, Shung-Hsi Yu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
commit b61987d37cbee3c44e80304598c60b163553926b upstream.
A lot of tests defined SYS() macro to run system calls with goto label.
Let's move this macro to test_progs.h and add configurable
"goto_label" as the first arg.
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://lore.kernel.org/r/20230224061343.506571-2-liuhangbin@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Stable-dep-of: 967e8def1100 ("selftests/bpf: Fix bpf_nf selftest failure")
[shung-hsi.yu: changes to several files are dropped because they don't exist
yet: decap_sanity.c, fib_lookup.c, xdp_metadata.c, and xfrm_info.c. Addional
changes are introdced to tc_redirect.c to patch SYS() macro usage not found
in upstream. ]
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/bpf/prog_tests/empty_skb.c | 25 ++-
.../selftests/bpf/prog_tests/tc_redirect.c | 154 +++++++++---------
.../selftests/bpf/prog_tests/test_tunnel.c | 71 ++++----
.../selftests/bpf/prog_tests/xdp_bonding.c | 40 ++---
.../bpf/prog_tests/xdp_do_redirect.c | 30 ++--
.../selftests/bpf/prog_tests/xdp_synproxy.c | 41 ++---
tools/testing/selftests/bpf/test_progs.h | 15 ++
7 files changed, 171 insertions(+), 205 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/empty_skb.c b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
index 329e34e5226e3a..33c8631fc1a7f0 100644
--- a/tools/testing/selftests/bpf/prog_tests/empty_skb.c
+++ b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
@@ -4,11 +4,6 @@
#include <net/if.h>
#include "empty_skb.skel.h"
-#define SYS(cmd) ({ \
- if (!ASSERT_OK(system(cmd), (cmd))) \
- goto out; \
-})
-
void serial_test_empty_skb(void)
{
LIBBPF_OPTS(bpf_test_run_opts, tattr);
@@ -97,18 +92,18 @@ void serial_test_empty_skb(void)
},
};
- SYS("ip netns add empty_skb");
+ SYS(out, "ip netns add empty_skb");
tok = open_netns("empty_skb");
- SYS("ip link add veth0 type veth peer veth1");
- SYS("ip link set dev veth0 up");
- SYS("ip link set dev veth1 up");
- SYS("ip addr add 10.0.0.1/8 dev veth0");
- SYS("ip addr add 10.0.0.2/8 dev veth1");
+ SYS(out, "ip link add veth0 type veth peer veth1");
+ SYS(out, "ip link set dev veth0 up");
+ SYS(out, "ip link set dev veth1 up");
+ SYS(out, "ip addr add 10.0.0.1/8 dev veth0");
+ SYS(out, "ip addr add 10.0.0.2/8 dev veth1");
veth_ifindex = if_nametoindex("veth0");
- SYS("ip link add ipip0 type ipip local 10.0.0.1 remote 10.0.0.2");
- SYS("ip link set ipip0 up");
- SYS("ip addr add 192.168.1.1/16 dev ipip0");
+ SYS(out, "ip link add ipip0 type ipip local 10.0.0.1 remote 10.0.0.2");
+ SYS(out, "ip link set ipip0 up");
+ SYS(out, "ip addr add 192.168.1.1/16 dev ipip0");
ipip_ifindex = if_nametoindex("ipip0");
bpf_obj = empty_skb__open_and_load();
@@ -150,5 +145,5 @@ void serial_test_empty_skb(void)
empty_skb__destroy(bpf_obj);
if (tok)
close_netns(tok);
- system("ip netns del empty_skb");
+ SYS_NOFAIL("ip netns del empty_skb");
}
diff --git a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
index cb6a53b3e023c6..c01733b5c4beb0 100644
--- a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+++ b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
@@ -160,24 +160,16 @@ static int get_ifindex(const char *name)
return atoi(buf);
}
-#define SYS(fmt, ...) \
- ({ \
- char cmd[1024]; \
- snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
- if (!ASSERT_OK(system(cmd), cmd)) \
- goto fail; \
- })
-
static int netns_setup_links_and_routes(struct netns_setup_result *result)
{
struct nstoken *nstoken = NULL;
char veth_src_fwd_addr[IFADDR_STR_LEN+1] = {};
- SYS("ip link add veth_src type veth peer name veth_src_fwd");
- SYS("ip link add veth_dst type veth peer name veth_dst_fwd");
+ SYS(fail, "ip link add veth_src type veth peer name veth_src_fwd");
+ SYS(fail, "ip link add veth_dst type veth peer name veth_dst_fwd");
- SYS("ip link set veth_dst_fwd address " MAC_DST_FWD);
- SYS("ip link set veth_dst address " MAC_DST);
+ SYS(fail, "ip link set veth_dst_fwd address " MAC_DST_FWD);
+ SYS(fail, "ip link set veth_dst address " MAC_DST);
if (get_ifaddr("veth_src_fwd", veth_src_fwd_addr))
goto fail;
@@ -189,27 +181,27 @@ static int netns_setup_links_and_routes(struct netns_setup_result *result)
if (result->ifindex_veth_dst_fwd < 0)
goto fail;
- SYS("ip link set veth_src netns " NS_SRC);
- SYS("ip link set veth_src_fwd netns " NS_FWD);
- SYS("ip link set veth_dst_fwd netns " NS_FWD);
- SYS("ip link set veth_dst netns " NS_DST);
+ SYS(fail, "ip link set veth_src netns " NS_SRC);
+ SYS(fail, "ip link set veth_src_fwd netns " NS_FWD);
+ SYS(fail, "ip link set veth_dst_fwd netns " NS_FWD);
+ SYS(fail, "ip link set veth_dst netns " NS_DST);
/** setup in 'src' namespace */
nstoken = open_netns(NS_SRC);
if (!ASSERT_OK_PTR(nstoken, "setns src"))
goto fail;
- SYS("ip addr add " IP4_SRC "/32 dev veth_src");
- SYS("ip addr add " IP6_SRC "/128 dev veth_src nodad");
- SYS("ip link set dev veth_src up");
+ SYS(fail, "ip addr add " IP4_SRC "/32 dev veth_src");
+ SYS(fail, "ip addr add " IP6_SRC "/128 dev veth_src nodad");
+ SYS(fail, "ip link set dev veth_src up");
- SYS("ip route add " IP4_DST "/32 dev veth_src scope global");
- SYS("ip route add " IP4_NET "/16 dev veth_src scope global");
- SYS("ip route add " IP6_DST "/128 dev veth_src scope global");
+ SYS(fail, "ip route add " IP4_DST "/32 dev veth_src scope global");
+ SYS(fail, "ip route add " IP4_NET "/16 dev veth_src scope global");
+ SYS(fail, "ip route add " IP6_DST "/128 dev veth_src scope global");
- SYS("ip neigh add " IP4_DST " dev veth_src lladdr %s",
+ SYS(fail, "ip neigh add " IP4_DST " dev veth_src lladdr %s",
veth_src_fwd_addr);
- SYS("ip neigh add " IP6_DST " dev veth_src lladdr %s",
+ SYS(fail, "ip neigh add " IP6_DST " dev veth_src lladdr %s",
veth_src_fwd_addr);
close_netns(nstoken);
@@ -223,15 +215,15 @@ static int netns_setup_links_and_routes(struct netns_setup_result *result)
* needs v4 one in order to start ARP probing. IP4_NET route is added
* to the endpoints so that the ARP processing will reply.
*/
- SYS("ip addr add " IP4_SLL "/32 dev veth_src_fwd");
- SYS("ip addr add " IP4_DLL "/32 dev veth_dst_fwd");
- SYS("ip link set dev veth_src_fwd up");
- SYS("ip link set dev veth_dst_fwd up");
+ SYS(fail, "ip addr add " IP4_SLL "/32 dev veth_src_fwd");
+ SYS(fail, "ip addr add " IP4_DLL "/32 dev veth_dst_fwd");
+ SYS(fail, "ip link set dev veth_src_fwd up");
+ SYS(fail, "ip link set dev veth_dst_fwd up");
- SYS("ip route add " IP4_SRC "/32 dev veth_src_fwd scope global");
- SYS("ip route add " IP6_SRC "/128 dev veth_src_fwd scope global");
- SYS("ip route add " IP4_DST "/32 dev veth_dst_fwd scope global");
- SYS("ip route add " IP6_DST "/128 dev veth_dst_fwd scope global");
+ SYS(fail, "ip route add " IP4_SRC "/32 dev veth_src_fwd scope global");
+ SYS(fail, "ip route add " IP6_SRC "/128 dev veth_src_fwd scope global");
+ SYS(fail, "ip route add " IP4_DST "/32 dev veth_dst_fwd scope global");
+ SYS(fail, "ip route add " IP6_DST "/128 dev veth_dst_fwd scope global");
close_netns(nstoken);
@@ -240,16 +232,16 @@ static int netns_setup_links_and_routes(struct netns_setup_result *result)
if (!ASSERT_OK_PTR(nstoken, "setns dst"))
goto fail;
- SYS("ip addr add " IP4_DST "/32 dev veth_dst");
- SYS("ip addr add " IP6_DST "/128 dev veth_dst nodad");
- SYS("ip link set dev veth_dst up");
+ SYS(fail, "ip addr add " IP4_DST "/32 dev veth_dst");
+ SYS(fail, "ip addr add " IP6_DST "/128 dev veth_dst nodad");
+ SYS(fail, "ip link set dev veth_dst up");
- SYS("ip route add " IP4_SRC "/32 dev veth_dst scope global");
- SYS("ip route add " IP4_NET "/16 dev veth_dst scope global");
- SYS("ip route add " IP6_SRC "/128 dev veth_dst scope global");
+ SYS(fail, "ip route add " IP4_SRC "/32 dev veth_dst scope global");
+ SYS(fail, "ip route add " IP4_NET "/16 dev veth_dst scope global");
+ SYS(fail, "ip route add " IP6_SRC "/128 dev veth_dst scope global");
- SYS("ip neigh add " IP4_SRC " dev veth_dst lladdr " MAC_DST_FWD);
- SYS("ip neigh add " IP6_SRC " dev veth_dst lladdr " MAC_DST_FWD);
+ SYS(fail, "ip neigh add " IP4_SRC " dev veth_dst lladdr " MAC_DST_FWD);
+ SYS(fail, "ip neigh add " IP6_SRC " dev veth_dst lladdr " MAC_DST_FWD);
close_netns(nstoken);
@@ -262,16 +254,16 @@ static int netns_setup_links_and_routes(struct netns_setup_result *result)
static int netns_load_bpf(void)
{
- SYS("tc qdisc add dev veth_src_fwd clsact");
- SYS("tc filter add dev veth_src_fwd ingress bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_src_fwd clsact");
+ SYS(fail, "tc filter add dev veth_src_fwd ingress bpf da object-pinned "
SRC_PROG_PIN_FILE);
- SYS("tc filter add dev veth_src_fwd egress bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_src_fwd egress bpf da object-pinned "
CHK_PROG_PIN_FILE);
- SYS("tc qdisc add dev veth_dst_fwd clsact");
- SYS("tc filter add dev veth_dst_fwd ingress bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_dst_fwd clsact");
+ SYS(fail, "tc filter add dev veth_dst_fwd ingress bpf da object-pinned "
DST_PROG_PIN_FILE);
- SYS("tc filter add dev veth_dst_fwd egress bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_dst_fwd egress bpf da object-pinned "
CHK_PROG_PIN_FILE);
return 0;
@@ -330,7 +322,7 @@ static void test_tcp(int family, const char *addr, __u16 port)
static int test_ping(int family, const char *addr)
{
- SYS("ip netns exec " NS_SRC " %s " PING_ARGS " %s > /dev/null", ping_command(family), addr);
+ SYS(fail, "ip netns exec " NS_SRC " %s " PING_ARGS " %s > /dev/null", ping_command(family), addr);
return 0;
fail:
return -1;
@@ -516,10 +508,10 @@ static int netns_load_dtime_bpf(struct test_tc_dtime *skel)
return -1;
PIN(egress_host);
PIN(ingress_host);
- SYS("tc qdisc add dev veth_src clsact");
- SYS("tc filter add dev veth_src ingress bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_src clsact");
+ SYS(fail, "tc filter add dev veth_src ingress bpf da object-pinned "
PIN_FNAME(ingress_host));
- SYS("tc filter add dev veth_src egress bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_src egress bpf da object-pinned "
PIN_FNAME(egress_host));
close_netns(nstoken);
@@ -529,10 +521,10 @@ static int netns_load_dtime_bpf(struct test_tc_dtime *skel)
return -1;
PIN(egress_host);
PIN(ingress_host);
- SYS("tc qdisc add dev veth_dst clsact");
- SYS("tc filter add dev veth_dst ingress bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_dst clsact");
+ SYS(fail, "tc filter add dev veth_dst ingress bpf da object-pinned "
PIN_FNAME(ingress_host));
- SYS("tc filter add dev veth_dst egress bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_dst egress bpf da object-pinned "
PIN_FNAME(egress_host));
close_netns(nstoken);
@@ -544,23 +536,23 @@ static int netns_load_dtime_bpf(struct test_tc_dtime *skel)
PIN(egress_fwdns_prio100);
PIN(ingress_fwdns_prio101);
PIN(egress_fwdns_prio101);
- SYS("tc qdisc add dev veth_dst_fwd clsact");
- SYS("tc filter add dev veth_dst_fwd ingress prio 100 bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_dst_fwd clsact");
+ SYS(fail, "tc filter add dev veth_dst_fwd ingress prio 100 bpf da object-pinned "
PIN_FNAME(ingress_fwdns_prio100));
- SYS("tc filter add dev veth_dst_fwd ingress prio 101 bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_dst_fwd ingress prio 101 bpf da object-pinned "
PIN_FNAME(ingress_fwdns_prio101));
- SYS("tc filter add dev veth_dst_fwd egress prio 100 bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_dst_fwd egress prio 100 bpf da object-pinned "
PIN_FNAME(egress_fwdns_prio100));
- SYS("tc filter add dev veth_dst_fwd egress prio 101 bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_dst_fwd egress prio 101 bpf da object-pinned "
PIN_FNAME(egress_fwdns_prio101));
- SYS("tc qdisc add dev veth_src_fwd clsact");
- SYS("tc filter add dev veth_src_fwd ingress prio 100 bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_src_fwd clsact");
+ SYS(fail, "tc filter add dev veth_src_fwd ingress prio 100 bpf da object-pinned "
PIN_FNAME(ingress_fwdns_prio100));
- SYS("tc filter add dev veth_src_fwd ingress prio 101 bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_src_fwd ingress prio 101 bpf da object-pinned "
PIN_FNAME(ingress_fwdns_prio101));
- SYS("tc filter add dev veth_src_fwd egress prio 100 bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_src_fwd egress prio 100 bpf da object-pinned "
PIN_FNAME(egress_fwdns_prio100));
- SYS("tc filter add dev veth_src_fwd egress prio 101 bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_src_fwd egress prio 101 bpf da object-pinned "
PIN_FNAME(egress_fwdns_prio101));
close_netns(nstoken);
@@ -941,7 +933,7 @@ static int tun_open(char *name)
if (!ASSERT_OK(err, "ioctl TUNSETIFF"))
goto fail;
- SYS("ip link set dev %s up", name);
+ SYS(fail, "ip link set dev %s up", name);
return fd;
fail:
@@ -1061,34 +1053,34 @@ static void test_tc_redirect_peer_l3(struct netns_setup_result *setup_result)
* towards dst, and "tc_dst" to redirect packets
* and "tc_chk" on veth_dst_fwd to drop non-redirected packets.
*/
- SYS("tc qdisc add dev tun_fwd clsact");
- SYS("tc filter add dev tun_fwd ingress bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev tun_fwd clsact");
+ SYS(fail, "tc filter add dev tun_fwd ingress bpf da object-pinned "
SRC_PROG_PIN_FILE);
- SYS("tc qdisc add dev veth_dst_fwd clsact");
- SYS("tc filter add dev veth_dst_fwd ingress bpf da object-pinned "
+ SYS(fail, "tc qdisc add dev veth_dst_fwd clsact");
+ SYS(fail, "tc filter add dev veth_dst_fwd ingress bpf da object-pinned "
DST_PROG_PIN_FILE);
- SYS("tc filter add dev veth_dst_fwd egress bpf da object-pinned "
+ SYS(fail, "tc filter add dev veth_dst_fwd egress bpf da object-pinned "
CHK_PROG_PIN_FILE);
/* Setup route and neigh tables */
- SYS("ip -netns " NS_SRC " addr add dev tun_src " IP4_TUN_SRC "/24");
- SYS("ip -netns " NS_FWD " addr add dev tun_fwd " IP4_TUN_FWD "/24");
+ SYS(fail, "ip -netns " NS_SRC " addr add dev tun_src " IP4_TUN_SRC "/24");
+ SYS(fail, "ip -netns " NS_FWD " addr add dev tun_fwd " IP4_TUN_FWD "/24");
- SYS("ip -netns " NS_SRC " addr add dev tun_src " IP6_TUN_SRC "/64 nodad");
- SYS("ip -netns " NS_FWD " addr add dev tun_fwd " IP6_TUN_FWD "/64 nodad");
+ SYS(fail, "ip -netns " NS_SRC " addr add dev tun_src " IP6_TUN_SRC "/64 nodad");
+ SYS(fail, "ip -netns " NS_FWD " addr add dev tun_fwd " IP6_TUN_FWD "/64 nodad");
- SYS("ip -netns " NS_SRC " route del " IP4_DST "/32 dev veth_src scope global");
- SYS("ip -netns " NS_SRC " route add " IP4_DST "/32 via " IP4_TUN_FWD
+ SYS(fail, "ip -netns " NS_SRC " route del " IP4_DST "/32 dev veth_src scope global");
+ SYS(fail, "ip -netns " NS_SRC " route add " IP4_DST "/32 via " IP4_TUN_FWD
" dev tun_src scope global");
- SYS("ip -netns " NS_DST " route add " IP4_TUN_SRC "/32 dev veth_dst scope global");
- SYS("ip -netns " NS_SRC " route del " IP6_DST "/128 dev veth_src scope global");
- SYS("ip -netns " NS_SRC " route add " IP6_DST "/128 via " IP6_TUN_FWD
+ SYS(fail, "ip -netns " NS_DST " route add " IP4_TUN_SRC "/32 dev veth_dst scope global");
+ SYS(fail, "ip -netns " NS_SRC " route del " IP6_DST "/128 dev veth_src scope global");
+ SYS(fail, "ip -netns " NS_SRC " route add " IP6_DST "/128 via " IP6_TUN_FWD
" dev tun_src scope global");
- SYS("ip -netns " NS_DST " route add " IP6_TUN_SRC "/128 dev veth_dst scope global");
+ SYS(fail, "ip -netns " NS_DST " route add " IP6_TUN_SRC "/128 dev veth_dst scope global");
- SYS("ip -netns " NS_DST " neigh add " IP4_TUN_SRC " dev veth_dst lladdr " MAC_DST_FWD);
- SYS("ip -netns " NS_DST " neigh add " IP6_TUN_SRC " dev veth_dst lladdr " MAC_DST_FWD);
+ SYS(fail, "ip -netns " NS_DST " neigh add " IP4_TUN_SRC " dev veth_dst lladdr " MAC_DST_FWD);
+ SYS(fail, "ip -netns " NS_DST " neigh add " IP6_TUN_SRC " dev veth_dst lladdr " MAC_DST_FWD);
if (!ASSERT_OK(set_forwarding(false), "disable forwarding"))
goto fail;
diff --git a/tools/testing/selftests/bpf/prog_tests/test_tunnel.c b/tools/testing/selftests/bpf/prog_tests/test_tunnel.c
index eea2741102673c..e0823c2472fe70 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_tunnel.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_tunnel.c
@@ -91,30 +91,15 @@
#define PING_ARGS "-i 0.01 -c 3 -w 10 -q"
-#define SYS(fmt, ...) \
- ({ \
- char cmd[1024]; \
- snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
- if (!ASSERT_OK(system(cmd), cmd)) \
- goto fail; \
- })
-
-#define SYS_NOFAIL(fmt, ...) \
- ({ \
- char cmd[1024]; \
- snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
- system(cmd); \
- })
-
static int config_device(void)
{
- SYS("ip netns add at_ns0");
- SYS("ip link add veth0 address " MAC_VETH1 " type veth peer name veth1");
- SYS("ip link set veth0 netns at_ns0");
- SYS("ip addr add " IP4_ADDR1_VETH1 "/24 dev veth1");
- SYS("ip link set dev veth1 up mtu 1500");
- SYS("ip netns exec at_ns0 ip addr add " IP4_ADDR_VETH0 "/24 dev veth0");
- SYS("ip netns exec at_ns0 ip link set dev veth0 up mtu 1500");
+ SYS(fail, "ip netns add at_ns0");
+ SYS(fail, "ip link add veth0 address " MAC_VETH1 " type veth peer name veth1");
+ SYS(fail, "ip link set veth0 netns at_ns0");
+ SYS(fail, "ip addr add " IP4_ADDR1_VETH1 "/24 dev veth1");
+ SYS(fail, "ip link set dev veth1 up mtu 1500");
+ SYS(fail, "ip netns exec at_ns0 ip addr add " IP4_ADDR_VETH0 "/24 dev veth0");
+ SYS(fail, "ip netns exec at_ns0 ip link set dev veth0 up mtu 1500");
return 0;
fail:
@@ -132,23 +117,23 @@ static void cleanup(void)
static int add_vxlan_tunnel(void)
{
/* at_ns0 namespace */
- SYS("ip netns exec at_ns0 ip link add dev %s type vxlan external gbp dstport 4789",
+ SYS(fail, "ip netns exec at_ns0 ip link add dev %s type vxlan external gbp dstport 4789",
VXLAN_TUNL_DEV0);
- SYS("ip netns exec at_ns0 ip link set dev %s address %s up",
+ SYS(fail, "ip netns exec at_ns0 ip link set dev %s address %s up",
VXLAN_TUNL_DEV0, MAC_TUNL_DEV0);
- SYS("ip netns exec at_ns0 ip addr add dev %s %s/24",
+ SYS(fail, "ip netns exec at_ns0 ip addr add dev %s %s/24",
VXLAN_TUNL_DEV0, IP4_ADDR_TUNL_DEV0);
- SYS("ip netns exec at_ns0 ip neigh add %s lladdr %s dev %s",
+ SYS(fail, "ip netns exec at_ns0 ip neigh add %s lladdr %s dev %s",
IP4_ADDR_TUNL_DEV1, MAC_TUNL_DEV1, VXLAN_TUNL_DEV0);
- SYS("ip netns exec at_ns0 ip neigh add %s lladdr %s dev veth0",
+ SYS(fail, "ip netns exec at_ns0 ip neigh add %s lladdr %s dev veth0",
IP4_ADDR2_VETH1, MAC_VETH1);
/* root namespace */
- SYS("ip link add dev %s type vxlan external gbp dstport 4789",
+ SYS(fail, "ip link add dev %s type vxlan external gbp dstport 4789",
VXLAN_TUNL_DEV1);
- SYS("ip link set dev %s address %s up", VXLAN_TUNL_DEV1, MAC_TUNL_DEV1);
- SYS("ip addr add dev %s %s/24", VXLAN_TUNL_DEV1, IP4_ADDR_TUNL_DEV1);
- SYS("ip neigh add %s lladdr %s dev %s",
+ SYS(fail, "ip link set dev %s address %s up", VXLAN_TUNL_DEV1, MAC_TUNL_DEV1);
+ SYS(fail, "ip addr add dev %s %s/24", VXLAN_TUNL_DEV1, IP4_ADDR_TUNL_DEV1);
+ SYS(fail, "ip neigh add %s lladdr %s dev %s",
IP4_ADDR_TUNL_DEV0, MAC_TUNL_DEV0, VXLAN_TUNL_DEV1);
return 0;
@@ -165,26 +150,26 @@ static void delete_vxlan_tunnel(void)
static int add_ip6vxlan_tunnel(void)
{
- SYS("ip netns exec at_ns0 ip -6 addr add %s/96 dev veth0",
+ SYS(fail, "ip netns exec at_ns0 ip -6 addr add %s/96 dev veth0",
IP6_ADDR_VETH0);
- SYS("ip netns exec at_ns0 ip link set dev veth0 up");
- SYS("ip -6 addr add %s/96 dev veth1", IP6_ADDR1_VETH1);
- SYS("ip -6 addr add %s/96 dev veth1", IP6_ADDR2_VETH1);
- SYS("ip link set dev veth1 up");
+ SYS(fail, "ip netns exec at_ns0 ip link set dev veth0 up");
+ SYS(fail, "ip -6 addr add %s/96 dev veth1", IP6_ADDR1_VETH1);
+ SYS(fail, "ip -6 addr add %s/96 dev veth1", IP6_ADDR2_VETH1);
+ SYS(fail, "ip link set dev veth1 up");
/* at_ns0 namespace */
- SYS("ip netns exec at_ns0 ip link add dev %s type vxlan external dstport 4789",
+ SYS(fail, "ip netns exec at_ns0 ip link add dev %s type vxlan external dstport 4789",
IP6VXLAN_TUNL_DEV0);
- SYS("ip netns exec at_ns0 ip addr add dev %s %s/24",
+ SYS(fail, "ip netns exec at_ns0 ip addr add dev %s %s/24",
IP6VXLAN_TUNL_DEV0, IP4_ADDR_TUNL_DEV0);
- SYS("ip netns exec at_ns0 ip link set dev %s address %s up",
+ SYS(fail, "ip netns exec at_ns0 ip link set dev %s address %s up",
IP6VXLAN_TUNL_DEV0, MAC_TUNL_DEV0);
/* root namespace */
- SYS("ip link add dev %s type vxlan external dstport 4789",
+ SYS(fail, "ip link add dev %s type vxlan external dstport 4789",
IP6VXLAN_TUNL_DEV1);
- SYS("ip addr add dev %s %s/24", IP6VXLAN_TUNL_DEV1, IP4_ADDR_TUNL_DEV1);
- SYS("ip link set dev %s address %s up",
+ SYS(fail, "ip addr add dev %s %s/24", IP6VXLAN_TUNL_DEV1, IP4_ADDR_TUNL_DEV1);
+ SYS(fail, "ip link set dev %s address %s up",
IP6VXLAN_TUNL_DEV1, MAC_TUNL_DEV1);
return 0;
@@ -205,7 +190,7 @@ static void delete_ip6vxlan_tunnel(void)
static int test_ping(int family, const char *addr)
{
- SYS("%s %s %s > /dev/null", ping_command(family), PING_ARGS, addr);
+ SYS(fail, "%s %s %s > /dev/null", ping_command(family), PING_ARGS, addr);
return 0;
fail:
return -1;
diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c b/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
index 5e3a26b15ec623..d19f79048ff6fb 100644
--- a/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
+++ b/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
@@ -141,41 +141,33 @@ static const char * const xmit_policy_names[] = {
static int bonding_setup(struct skeletons *skeletons, int mode, int xmit_policy,
int bond_both_attach)
{
-#define SYS(fmt, ...) \
- ({ \
- char cmd[1024]; \
- snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
- if (!ASSERT_OK(system(cmd), cmd)) \
- return -1; \
- })
-
- SYS("ip netns add ns_dst");
- SYS("ip link add veth1_1 type veth peer name veth2_1 netns ns_dst");
- SYS("ip link add veth1_2 type veth peer name veth2_2 netns ns_dst");
-
- SYS("ip link add bond1 type bond mode %s xmit_hash_policy %s",
+ SYS(fail, "ip netns add ns_dst");
+ SYS(fail, "ip link add veth1_1 type veth peer name veth2_1 netns ns_dst");
+ SYS(fail, "ip link add veth1_2 type veth peer name veth2_2 netns ns_dst");
+
+ SYS(fail, "ip link add bond1 type bond mode %s xmit_hash_policy %s",
mode_names[mode], xmit_policy_names[xmit_policy]);
- SYS("ip link set bond1 up address " BOND1_MAC_STR " addrgenmode none");
- SYS("ip -netns ns_dst link add bond2 type bond mode %s xmit_hash_policy %s",
+ SYS(fail, "ip link set bond1 up address " BOND1_MAC_STR " addrgenmode none");
+ SYS(fail, "ip -netns ns_dst link add bond2 type bond mode %s xmit_hash_policy %s",
mode_names[mode], xmit_policy_names[xmit_policy]);
- SYS("ip -netns ns_dst link set bond2 up address " BOND2_MAC_STR " addrgenmode none");
+ SYS(fail, "ip -netns ns_dst link set bond2 up address " BOND2_MAC_STR " addrgenmode none");
- SYS("ip link set veth1_1 master bond1");
+ SYS(fail, "ip link set veth1_1 master bond1");
if (bond_both_attach == BOND_BOTH_AND_ATTACH) {
- SYS("ip link set veth1_2 master bond1");
+ SYS(fail, "ip link set veth1_2 master bond1");
} else {
- SYS("ip link set veth1_2 up addrgenmode none");
+ SYS(fail, "ip link set veth1_2 up addrgenmode none");
if (xdp_attach(skeletons, skeletons->xdp_dummy->progs.xdp_dummy_prog, "veth1_2"))
return -1;
}
- SYS("ip -netns ns_dst link set veth2_1 master bond2");
+ SYS(fail, "ip -netns ns_dst link set veth2_1 master bond2");
if (bond_both_attach == BOND_BOTH_AND_ATTACH)
- SYS("ip -netns ns_dst link set veth2_2 master bond2");
+ SYS(fail, "ip -netns ns_dst link set veth2_2 master bond2");
else
- SYS("ip -netns ns_dst link set veth2_2 up addrgenmode none");
+ SYS(fail, "ip -netns ns_dst link set veth2_2 up addrgenmode none");
/* Load a dummy program on sending side as with veth peer needs to have a
* XDP program loaded as well.
@@ -194,8 +186,8 @@ static int bonding_setup(struct skeletons *skeletons, int mode, int xmit_policy,
}
return 0;
-
-#undef SYS
+fail:
+ return -1;
}
static void bonding_cleanup(struct skeletons *skeletons)
diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
index 15ad3366916136..b97b0818177251 100644
--- a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
+++ b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
@@ -10,14 +10,6 @@
#include <bpf/bpf_endian.h>
#include "test_xdp_do_redirect.skel.h"
-#define SYS(fmt, ...) \
- ({ \
- char cmd[1024]; \
- snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
- if (!ASSERT_OK(system(cmd), cmd)) \
- goto out; \
- })
-
struct udp_packet {
struct ethhdr eth;
struct ipv6hdr iph;
@@ -124,19 +116,19 @@ void serial_test_xdp_do_redirect(void)
* iface and NUM_PKTS-2 in the TC hook. We match the packets on the UDP
* payload.
*/
- SYS("ip netns add testns");
+ SYS(out, "ip netns add testns");
nstoken = open_netns("testns");
if (!ASSERT_OK_PTR(nstoken, "setns"))
goto out;
- SYS("ip link add veth_src type veth peer name veth_dst");
- SYS("ip link set dev veth_src address 00:11:22:33:44:55");
- SYS("ip link set dev veth_dst address 66:77:88:99:aa:bb");
- SYS("ip link set dev veth_src up");
- SYS("ip link set dev veth_dst up");
- SYS("ip addr add dev veth_src fc00::1/64");
- SYS("ip addr add dev veth_dst fc00::2/64");
- SYS("ip neigh add fc00::2 dev veth_src lladdr 66:77:88:99:aa:bb");
+ SYS(out, "ip link add veth_src type veth peer name veth_dst");
+ SYS(out, "ip link set dev veth_src address 00:11:22:33:44:55");
+ SYS(out, "ip link set dev veth_dst address 66:77:88:99:aa:bb");
+ SYS(out, "ip link set dev veth_src up");
+ SYS(out, "ip link set dev veth_dst up");
+ SYS(out, "ip addr add dev veth_src fc00::1/64");
+ SYS(out, "ip addr add dev veth_dst fc00::2/64");
+ SYS(out, "ip neigh add fc00::2 dev veth_src lladdr 66:77:88:99:aa:bb");
/* We enable forwarding in the test namespace because that will cause
* the packets that go through the kernel stack (with XDP_PASS) to be
@@ -149,7 +141,7 @@ void serial_test_xdp_do_redirect(void)
* code didn't have this, so we keep the test behaviour to make sure the
* bug doesn't resurface.
*/
- SYS("sysctl -qw net.ipv6.conf.all.forwarding=1");
+ SYS(out, "sysctl -qw net.ipv6.conf.all.forwarding=1");
ifindex_src = if_nametoindex("veth_src");
ifindex_dst = if_nametoindex("veth_dst");
@@ -200,6 +192,6 @@ void serial_test_xdp_do_redirect(void)
out:
if (nstoken)
close_netns(nstoken);
- system("ip netns del testns");
+ SYS_NOFAIL("ip netns del testns");
test_xdp_do_redirect__destroy(skel);
}
diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c b/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
index 13daa3746064af..0327c10fe6e971 100644
--- a/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
+++ b/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
@@ -8,11 +8,6 @@
#define CMD_OUT_BUF_SIZE 1023
-#define SYS(cmd) ({ \
- if (!ASSERT_OK(system(cmd), (cmd))) \
- goto out; \
-})
-
#define SYS_OUT(cmd, ...) ({ \
char buf[1024]; \
snprintf(buf, sizeof(buf), (cmd), ##__VA_ARGS__); \
@@ -69,37 +64,37 @@ static void test_synproxy(bool xdp)
char buf[CMD_OUT_BUF_SIZE];
size_t size;
- SYS("ip netns add synproxy");
+ SYS(out, "ip netns add synproxy");
- SYS("ip link add tmp0 type veth peer name tmp1");
- SYS("ip link set tmp1 netns synproxy");
- SYS("ip link set tmp0 up");
- SYS("ip addr replace 198.18.0.1/24 dev tmp0");
+ SYS(out, "ip link add tmp0 type veth peer name tmp1");
+ SYS(out, "ip link set tmp1 netns synproxy");
+ SYS(out, "ip link set tmp0 up");
+ SYS(out, "ip addr replace 198.18.0.1/24 dev tmp0");
/* When checksum offload is enabled, the XDP program sees wrong
* checksums and drops packets.
*/
- SYS("ethtool -K tmp0 tx off");
+ SYS(out, "ethtool -K tmp0 tx off");
if (xdp)
/* Workaround required for veth. */
- SYS("ip link set tmp0 xdp object xdp_dummy.bpf.o section xdp 2> /dev/null");
+ SYS(out, "ip link set tmp0 xdp object xdp_dummy.bpf.o section xdp 2> /dev/null");
ns = open_netns("synproxy");
if (!ASSERT_OK_PTR(ns, "setns"))
goto out;
- SYS("ip link set lo up");
- SYS("ip link set tmp1 up");
- SYS("ip addr replace 198.18.0.2/24 dev tmp1");
- SYS("sysctl -w net.ipv4.tcp_syncookies=2");
- SYS("sysctl -w net.ipv4.tcp_timestamps=1");
- SYS("sysctl -w net.netfilter.nf_conntrack_tcp_loose=0");
- SYS("iptables-legacy -t raw -I PREROUTING \
+ SYS(out, "ip link set lo up");
+ SYS(out, "ip link set tmp1 up");
+ SYS(out, "ip addr replace 198.18.0.2/24 dev tmp1");
+ SYS(out, "sysctl -w net.ipv4.tcp_syncookies=2");
+ SYS(out, "sysctl -w net.ipv4.tcp_timestamps=1");
+ SYS(out, "sysctl -w net.netfilter.nf_conntrack_tcp_loose=0");
+ SYS(out, "iptables-legacy -t raw -I PREROUTING \
-i tmp1 -p tcp -m tcp --syn --dport 8080 -j CT --notrack");
- SYS("iptables-legacy -t filter -A INPUT \
+ SYS(out, "iptables-legacy -t filter -A INPUT \
-i tmp1 -p tcp -m tcp --dport 8080 -m state --state INVALID,UNTRACKED \
-j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460");
- SYS("iptables-legacy -t filter -A INPUT \
+ SYS(out, "iptables-legacy -t filter -A INPUT \
-i tmp1 -m state --state INVALID -j DROP");
ctrl_file = SYS_OUT("./xdp_synproxy --iface tmp1 --ports 8080 \
@@ -170,8 +165,8 @@ static void test_synproxy(bool xdp)
if (ns)
close_netns(ns);
- system("ip link del tmp0");
- system("ip netns del synproxy");
+ SYS_NOFAIL("ip link del tmp0");
+ SYS_NOFAIL("ip netns del synproxy");
}
void serial_test_xdp_synproxy(void)
diff --git a/tools/testing/selftests/bpf/test_progs.h b/tools/testing/selftests/bpf/test_progs.h
index ff1caffefa5256..b47606eebdb9b3 100644
--- a/tools/testing/selftests/bpf/test_progs.h
+++ b/tools/testing/selftests/bpf/test_progs.h
@@ -376,6 +376,21 @@ int test__join_cgroup(const char *path);
___ok; \
})
+#define SYS(goto_label, fmt, ...) \
+ ({ \
+ char cmd[1024]; \
+ snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
+ if (!ASSERT_OK(system(cmd), cmd)) \
+ goto goto_label; \
+ })
+
+#define SYS_NOFAIL(fmt, ...) \
+ ({ \
+ char cmd[1024]; \
+ snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \
+ system(cmd); \
+ })
+
static inline __u64 ptr_to_u64(const void *ptr)
{
return (__u64) (unsigned long) ptr;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 007/129] KVM: VMX: Make vmread_error_trampoline() uncallable from C code
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 006/129] selftests/bpf: move SYS() macro into the test_progs.h Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 008/129] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
` (128 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uros Bizjak, Sean Christopherson,
Hanne-Lotta Mäenpää, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 0b5e7a16a0a79a3742f0df9e45bca46f01b40e6a ]
Declare vmread_error_trampoline() as an opaque symbol so that it cannot
be called from C code, at least not without some serious fudging. The
trampoline always passes parameters on the stack so that the inline
VMREAD sequence doesn't need to clobber registers. regparm(0) was
originally added to document the stack behavior, but it ended up being
confusing because regparm(0) is a nop for 64-bit targets.
Opportunustically wrap the trampoline and its declaration in #ifdeffery
to make it even harder to invoke incorrectly, to document why it exists,
and so that it's not left behind if/when CONFIG_CC_HAS_ASM_GOTO_OUTPUT
is true for all supported toolchains.
No functional change intended.
Cc: Uros Bizjak <ubizjak@gmail.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20220928232015.745948-1-seanjc@google.com
(cherry picked from commit 0b5e7a16a0a79a3742f0df9e45bca46f01b40e6a)
Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/vmenter.S | 2 ++
arch/x86/kvm/vmx/vmx_ops.h | 18 ++++++++++++++++--
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S
index b4f8937226c211..ea7be3a74b6d02 100644
--- a/arch/x86/kvm/vmx/vmenter.S
+++ b/arch/x86/kvm/vmx/vmenter.S
@@ -274,6 +274,7 @@ SYM_FUNC_END(__vmx_vcpu_run)
.section .text, "ax"
+#ifndef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
/**
* vmread_error_trampoline - Trampoline from inline asm to vmread_error()
* @field: VMCS field encoding that failed
@@ -322,6 +323,7 @@ SYM_FUNC_START(vmread_error_trampoline)
RET
SYM_FUNC_END(vmread_error_trampoline)
+#endif
SYM_FUNC_START(vmx_do_interrupt_nmi_irqoff)
/*
diff --git a/arch/x86/kvm/vmx/vmx_ops.h b/arch/x86/kvm/vmx/vmx_ops.h
index 5edab28dfb2efe..d23705df6a5250 100644
--- a/arch/x86/kvm/vmx/vmx_ops.h
+++ b/arch/x86/kvm/vmx/vmx_ops.h
@@ -11,14 +11,28 @@
#include "../x86.h"
void vmread_error(unsigned long field, bool fault);
-__attribute__((regparm(0))) void vmread_error_trampoline(unsigned long field,
- bool fault);
void vmwrite_error(unsigned long field, unsigned long value);
void vmclear_error(struct vmcs *vmcs, u64 phys_addr);
void vmptrld_error(struct vmcs *vmcs, u64 phys_addr);
void invvpid_error(unsigned long ext, u16 vpid, gva_t gva);
void invept_error(unsigned long ext, u64 eptp, gpa_t gpa);
+#ifndef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
+/*
+ * The VMREAD error trampoline _always_ uses the stack to pass parameters, even
+ * for 64-bit targets. Preserving all registers allows the VMREAD inline asm
+ * blob to avoid clobbering GPRs, which in turn allows the compiler to better
+ * optimize sequences of VMREADs.
+ *
+ * Declare the trampoline as an opaque label as it's not safe to call from C
+ * code; there is no way to tell the compiler to pass params on the stack for
+ * 64-bit targets.
+ *
+ * void vmread_error_trampoline(unsigned long field, bool fault);
+ */
+extern unsigned long vmread_error_trampoline;
+#endif
+
static __always_inline void vmcs_check16(unsigned long field)
{
BUILD_BUG_ON_MSG(__builtin_constant_p(field) && ((field) & 0x6001) == 0x2000,
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 008/129] drm/amd/display: Bound VBIOS record-chain walk loops
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 007/129] KVM: VMX: Make vmread_error_trampoline() uncallable from C code Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 009/129] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
` (127 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
Daniel Wheeler, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
[ Upstream commit ff287df16a1a58aca78b08d1f3ee09fc44da0351 ]
[Why & How]
All record-chain walk loops in bios_parser.c and bios_parser2.c use
for(;;) and only terminate on a 0xFF record_type sentinel or zero
record_size. A malformed VBIOS image missing the terminator record
causes unbounded iteration at probe time, potentially hundreds of
thousands of iterations with record_size=1. In the final iterations
near the BIOS image boundary, struct casts beyond the 2-byte header
validated by GET_IMAGE can also read out of bounds.
Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)
iterations. The atombios.h defines up to 22 distinct record types
and atomfirmware.h has 13. Assuming an average of less than 10
records per type (which is reasonable since most are connector-
based) 256 is a generous upper bound.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Assisted-by: Copilot:claude-opus-4.6 Mythos
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/bios/bios_parser.c | 15 +++++++----
.../drm/amd/display/dc/bios/bios_parser2.c | 27 ++++++++++++-------
.../amd/display/dc/bios/bios_parser_helper.h | 5 ++++
3 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
index d8982aca8ef680..d2730af8e8030f 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
@@ -223,6 +223,7 @@ static enum bp_result bios_parser_get_i2c_info(struct dc_bios *dcb,
ATOM_COMMON_RECORD_HEADER *header;
ATOM_I2C_RECORD *record;
struct bios_parser *bp = BP_FROM_DCB(dcb);
+ int i;
if (!info)
return BP_RESULT_BADINPUT;
@@ -235,7 +236,7 @@ static enum bp_result bios_parser_get_i2c_info(struct dc_bios *dcb,
offset = le16_to_cpu(object->usRecordOffset)
+ bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
if (!header)
@@ -294,11 +295,12 @@ static enum bp_result bios_parser_get_device_tag_record(
{
ATOM_COMMON_RECORD_HEADER *header;
uint32_t offset;
+ int i;
offset = le16_to_cpu(object->usRecordOffset)
+ bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
if (!header)
@@ -870,6 +872,7 @@ static ATOM_HPD_INT_RECORD *get_hpd_record(struct bios_parser *bp,
{
ATOM_COMMON_RECORD_HEADER *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -879,7 +882,7 @@ static ATOM_HPD_INT_RECORD *get_hpd_record(struct bios_parser *bp,
offset = le16_to_cpu(object->usRecordOffset)
+ bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
if (!header)
@@ -1572,6 +1575,7 @@ static ATOM_ENCODER_CAP_RECORD_V2 *get_encoder_cap_record(
{
ATOM_COMMON_RECORD_HEADER *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -1581,7 +1585,7 @@ static ATOM_ENCODER_CAP_RECORD_V2 *get_encoder_cap_record(
offset = le16_to_cpu(object->usRecordOffset)
+ bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(ATOM_COMMON_RECORD_HEADER, offset);
if (!header)
@@ -2665,6 +2669,7 @@ static enum bp_result update_slot_layout_info(
unsigned int record_offset)
{
unsigned int j;
+ unsigned int n;
struct bios_parser *bp;
ATOM_BRACKET_LAYOUT_RECORD *record;
ATOM_COMMON_RECORD_HEADER *record_header;
@@ -2674,7 +2679,7 @@ static enum bp_result update_slot_layout_info(
record = NULL;
record_header = NULL;
- for (;;) {
+ for (n = 0; n < BIOS_MAX_NUM_RECORD; n++) {
record_header = (ATOM_COMMON_RECORD_HEADER *)
GET_IMAGE(ATOM_COMMON_RECORD_HEADER, record_offset);
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index af8c6682e6bee1..5d6428b2e4f5c8 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -393,6 +393,7 @@ static enum bp_result bios_parser_get_i2c_info(struct dc_bios *dcb,
struct atom_i2c_record *record;
struct atom_i2c_record dummy_record = {0};
struct bios_parser *bp = BP_FROM_DCB(dcb);
+ int i;
if (!info)
return BP_RESULT_BADINPUT;
@@ -426,7 +427,7 @@ static enum bp_result bios_parser_get_i2c_info(struct dc_bios *dcb,
break;
}
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -532,6 +533,7 @@ static struct atom_hpd_int_record *get_hpd_record_for_path_v3(
{
struct atom_common_record_header *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -540,7 +542,7 @@ static struct atom_hpd_int_record *get_hpd_record_for_path_v3(
offset = object->disp_recordoffset + bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -610,6 +612,7 @@ static struct atom_hpd_int_record *get_hpd_record(
{
struct atom_common_record_header *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -619,7 +622,7 @@ static struct atom_hpd_int_record *get_hpd_record(
offset = le16_to_cpu(object->disp_recordoffset)
+ bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -2127,6 +2130,7 @@ static struct atom_encoder_caps_record *get_encoder_cap_record(
{
struct atom_common_record_header *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2135,7 +2139,7 @@ static struct atom_encoder_caps_record *get_encoder_cap_record(
offset = object->encoder_recordoffset + bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -2164,6 +2168,7 @@ static struct atom_disp_connector_caps_record *get_disp_connector_caps_record(
{
struct atom_common_record_header *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2172,7 +2177,7 @@ static struct atom_disp_connector_caps_record *get_disp_connector_caps_record(
offset = object->disp_recordoffset + bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -2201,6 +2206,7 @@ static struct atom_connector_caps_record *get_connector_caps_record(
{
struct atom_common_record_header *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2209,7 +2215,7 @@ static struct atom_connector_caps_record *get_connector_caps_record(
offset = object->disp_recordoffset + bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -2290,6 +2296,7 @@ static struct atom_connector_speed_record *get_connector_speed_cap_record(
{
struct atom_common_record_header *header;
uint32_t offset;
+ int i;
if (!object) {
BREAK_TO_DEBUGGER(); /* Invalid object */
@@ -2298,7 +2305,7 @@ static struct atom_connector_speed_record *get_connector_speed_cap_record(
offset = object->disp_recordoffset + bp->object_info_tbl_offset;
- for (;;) {
+ for (i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
header = GET_IMAGE(struct atom_common_record_header, offset);
if (!header)
@@ -3162,6 +3169,7 @@ static enum bp_result update_slot_layout_info(
{
unsigned int record_offset;
unsigned int j;
+ unsigned int n;
struct atom_display_object_path_v2 *object;
struct atom_bracket_layout_record *record;
struct atom_common_record_header *record_header;
@@ -3183,7 +3191,7 @@ static enum bp_result update_slot_layout_info(
(object->disp_recordoffset) +
(unsigned int)(bp->object_info_tbl_offset);
- for (;;) {
+ for (n = 0; n < BIOS_MAX_NUM_RECORD; n++) {
record_header = (struct atom_common_record_header *)
GET_IMAGE(struct atom_common_record_header,
@@ -3277,6 +3285,7 @@ static enum bp_result update_slot_layout_info_v2(
struct slot_layout_info *slot_layout_info)
{
unsigned int record_offset;
+ unsigned int n;
struct atom_display_object_path_v3 *object;
struct atom_bracket_layout_record_v2 *record;
struct atom_common_record_header *record_header;
@@ -3299,7 +3308,7 @@ static enum bp_result update_slot_layout_info_v2(
(object->disp_recordoffset) +
(unsigned int)(bp->object_info_tbl_offset);
- for (;;) {
+ for (n = 0; n < BIOS_MAX_NUM_RECORD; n++) {
record_header = (struct atom_common_record_header *)
GET_IMAGE(struct atom_common_record_header,
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h b/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h
index e1b4a40a353db1..da1e30de3c59a0 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.h
@@ -38,4 +38,9 @@ uint32_t bios_get_vga_enabled_displays(struct dc_bios *bios);
#define GET_IMAGE(type, offset) ((type *) bios_get_image(&bp->base, offset, sizeof(type)))
+/* Upper bound on the number of records in a VBIOS record chain. Prevents
+ * unbounded looping if the VBIOS image is malformed and lacks a terminator.
+ */
+#define BIOS_MAX_NUM_RECORD 256
+
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 009/129] ip6_vti: set netns_immutable on the fallback device.
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 008/129] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 010/129] netfilter: nf_tables: always increment set element count Greg Kroah-Hartman
` (126 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Noam Rathaus, Eric Dumazet,
Steffen Klassert, Nicolas Dichtel, Jakub Kicinski,
Salvatore Bonaccorso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d289d5307762d1838aaece22c6b6fcad9e8865f9 ]
john1988 and Noam Rathaus reported that vti6_init_net() does not set the
netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).
Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)
correctly set this flag during their fallback device initialization to
prevent them from being moved to another network namespace.
Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Noam Rathaus <noamr@ssd-disclosure.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260608155918.787644-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Salvatore Bonaccorso: Backport for version without 0c493da86374 ("net:
rename netns_local to netns_immutable") in v6.15-rc1 and without
05c1280a2bcf ("netdev_features: convert NETIF_F_NETNS_LOCAL to
dev->netns_local") in v6.12-rc1 and use NETIF_F_NETNS_LOCAL device
feature.]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_vti.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 8808067df5168c..aa37ce710cf49a 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -1168,6 +1168,7 @@ static int __net_init vti6_init_net(struct net *net)
goto err_alloc_dev;
dev_net_set(ip6n->fb_tnl_dev, net);
ip6n->fb_tnl_dev->rtnl_link_ops = &vti6_link_ops;
+ ip6n->fb_tnl_dev->features |= NETIF_F_NETNS_LOCAL;
err = vti6_fb_tnl_dev_init(ip6n->fb_tnl_dev);
if (err < 0)
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 010/129] netfilter: nf_tables: always increment set element count
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 009/129] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 011/129] netfilter: nf_tables: fix set size with rbtree backend Greg Kroah-Hartman
` (125 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Shivani Agarwal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit d4b7f29eb85c93893bc27388b37709efbc3c9a0e ]
At this time, set->nelems counter only increments when the set has
a maximum size.
All set elements decrement the counter unconditionally, this is
confusing.
Increment the counter unconditionally to make this symmetrical.
This would also allow changing the set maximum size after set creation
in a later patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Shivani: Modified to apply on 6.1.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 201e2cc0453992..b6b7b0b3539dc9 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6699,10 +6699,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
goto err_element_clash;
}
- if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
- !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
- err = -ENFILE;
- goto err_set_full;
+ if (!(flags & NFT_SET_ELEM_CATCHALL)) {
+ unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
+
+ if (!atomic_add_unless(&set->nelems, 1, max)) {
+ err = -ENFILE;
+ goto err_set_full;
+ }
}
nft_trans_elem(trans) = elem;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 011/129] netfilter: nf_tables: fix set size with rbtree backend
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 010/129] netfilter: nf_tables: always increment set element count Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 012/129] netfilter: nf_tables: unconditionally bump set->nelems before insertion Greg Kroah-Hartman
` (124 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin,
Shivani Agarwal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 8d738c1869f611955d91d8d0fd0012d9ef207201 ]
The existing rbtree implementation uses singleton elements to represent
ranges, however, userspace provides a set size according to the number
of ranges in the set.
Adjust provided userspace set size to the number of singleton elements
in the kernel by multiplying the range by two.
Check if the no-match all-zero element is already in the set, in such
case release one slot in the set size.
Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Shivani: Modified to apply on 6.1.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 6 ++++
net/netfilter/nf_tables_api.c | 49 +++++++++++++++++++++++++++++--
net/netfilter/nft_set_rbtree.c | 43 +++++++++++++++++++++++++++
3 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index dafa0a32e6e1df..3329c2eaea9f07 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -422,6 +422,9 @@ struct nft_set_ext;
* @remove: remove element from set
* @walk: iterate over all set elements
* @get: get set elements
+ * @ksize: kernel set size
+ * @usize: userspace set size
+ * @adjust_maxsize: delta to adjust maximum set size
* @privsize: function to return size of set private data
* @init: initialize private data of new set instance
* @destroy: destroy private data of set instance
@@ -470,6 +473,9 @@ struct nft_set_ops {
const struct nft_set *set,
const struct nft_set_elem *elem,
unsigned int flags);
+ u32 (*ksize)(u32 size);
+ u32 (*usize)(u32 size);
+ u32 (*adjust_maxsize)(const struct nft_set *set);
void (*commit)(struct nft_set *set);
void (*abort)(const struct nft_set *set);
u64 (*privsize)(const struct nlattr * const nla[],
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b6b7b0b3539dc9..0d406dab5cac19 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4277,6 +4277,14 @@ static int nf_tables_fill_set_concat(struct sk_buff *skb,
return 0;
}
+static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size)
+{
+ if (ops->usize)
+ return ops->usize(size);
+
+ return size;
+}
+
static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
const struct nft_set *set, u16 event, u16 flags)
{
@@ -4341,7 +4349,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
if (!nest)
goto nla_put_failure;
if (set->size &&
- nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
+ nla_put_be32(skb, NFTA_SET_DESC_SIZE,
+ htonl(nft_set_userspace_size(set->ops, set->size))))
goto nla_put_failure;
if (set->field_count > 1 &&
@@ -4711,6 +4720,15 @@ static bool nft_set_is_same(const struct nft_set *set,
return true;
}
+static u32 nft_set_kernel_size(const struct nft_set_ops *ops,
+ const struct nft_set_desc *desc)
+{
+ if (ops->ksize)
+ return ops->ksize(desc->size);
+
+ return desc->size;
+}
+
static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
const struct nlattr * const nla[])
{
@@ -4893,6 +4911,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
if (err < 0)
return err;
+ if (desc.size)
+ desc.size = nft_set_kernel_size(set->ops, &desc);
+
err = 0;
if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
@@ -4915,6 +4936,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
if (IS_ERR(ops))
return PTR_ERR(ops);
+ if (desc.size)
+ desc.size = nft_set_kernel_size(ops, &desc);
+
udlen = 0;
if (nla[NFTA_SET_USERDATA])
udlen = nla_len(nla[NFTA_SET_USERDATA]);
@@ -6356,6 +6380,27 @@ static bool nft_setelem_valid_key_end(const struct nft_set *set,
return true;
}
+static u32 nft_set_maxsize(const struct nft_set *set)
+{
+ u32 maxsize, delta;
+
+ if (!set->size)
+ return UINT_MAX;
+
+ if (set->ops->adjust_maxsize)
+ delta = set->ops->adjust_maxsize(set);
+ else
+ delta = 0;
+
+ if (check_add_overflow(set->size, set->ndeact, &maxsize))
+ return UINT_MAX;
+
+ if (check_add_overflow(maxsize, delta, &maxsize))
+ return UINT_MAX;
+
+ return maxsize;
+}
+
static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
const struct nlattr *attr, u32 nlmsg_flags)
{
@@ -6700,7 +6745,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
}
if (!(flags & NFT_SET_ELEM_CATCHALL)) {
- unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
+ unsigned int max = nft_set_maxsize(set);
if (!atomic_add_unless(&set->nelems, 1, max)) {
err = -ENFILE;
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 23e4e656f7f0cb..433094c4200f97 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -773,6 +773,46 @@ static bool nft_rbtree_estimate(const struct nft_set_desc *desc, u32 features,
return true;
}
+/* rbtree stores ranges as singleton elements, each range is composed of two
+ * elements ...
+ */
+static u32 nft_rbtree_ksize(u32 size)
+{
+ return size * 2;
+}
+
+/* ... hide this detail to userspace. */
+static u32 nft_rbtree_usize(u32 size)
+{
+ if (!size)
+ return 0;
+
+ return size / 2;
+}
+
+static u32 nft_rbtree_adjust_maxsize(const struct nft_set *set)
+{
+ struct nft_rbtree *priv = nft_set_priv(set);
+ struct nft_rbtree_elem *rbe;
+ struct rb_node *node;
+ const void *key;
+
+ node = rb_last(&priv->root);
+ if (!node)
+ return 0;
+
+ rbe = rb_entry(node, struct nft_rbtree_elem, node);
+ if (!nft_rbtree_interval_end(rbe))
+ return 0;
+
+ key = nft_set_ext_key(&rbe->ext);
+ if (memchr(key, 1, set->klen))
+ return 0;
+
+ /* this is the all-zero no-match element. */
+ return 1;
+}
+
const struct nft_set_type nft_set_rbtree_type = {
.features = NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_OBJECT | NFT_SET_TIMEOUT,
.ops = {
@@ -789,5 +829,8 @@ const struct nft_set_type nft_set_rbtree_type = {
.lookup = nft_rbtree_lookup,
.walk = nft_rbtree_walk,
.get = nft_rbtree_get,
+ .ksize = nft_rbtree_ksize,
+ .usize = nft_rbtree_usize,
+ .adjust_maxsize = nft_rbtree_adjust_maxsize,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 012/129] netfilter: nf_tables: unconditionally bump set->nelems before insertion
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 011/129] netfilter: nf_tables: fix set size with rbtree backend Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 013/129] selftests/bpf: Move get_time_ns to testing_helpers.h Greg Kroah-Hartman
` (123 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Inseo An, Pablo Neira Ayuso,
Florian Westphal, Li hongliang, Sasha Levin, Shivani Agarwal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit def602e498a4f951da95c95b1b8ce8ae68aa733a ]
In case that the set is full, a new element gets published then removed
without waiting for the RCU grace period, while RCU reader can be
walking over it already.
To address this issue, add the element transaction even if set is full,
but toggle the set_full flag to report -ENFILE so the abort path safely
unwinds the set to its previous state.
As for element updates, decrement set->nelems to restore it.
A simpler fix is to call synchronize_rcu() in the error path.
However, with a large batch adding elements to already maxed-out set,
this could cause noticeable slowdown of such batches.
Fixes: 35d0ac9070ef ("netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL")
Reported-by: Inseo An <y0un9sa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Shivani: Modified to apply on 6.1.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0d406dab5cac19..735c0210104076 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6417,6 +6417,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
struct nft_data_desc desc;
enum nft_registers dreg;
struct nft_trans *trans;
+ bool set_full = false;
u64 timeout;
u64 expiration;
int err, i;
@@ -6709,10 +6710,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
if (err < 0)
goto err_elem_free;
+ if (!(flags & NFT_SET_ELEM_CATCHALL)) {
+ unsigned int max = nft_set_maxsize(set), nelems;
+
+ nelems = atomic_inc_return(&set->nelems);
+ if (nelems > max)
+ set_full = true;
+ }
+
trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
if (trans == NULL) {
err = -ENOMEM;
- goto err_elem_free;
+ goto err_set_size;
}
ext->genmask = nft_genmask_cur(ctx->net);
@@ -6744,23 +6753,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
goto err_element_clash;
}
- if (!(flags & NFT_SET_ELEM_CATCHALL)) {
- unsigned int max = nft_set_maxsize(set);
-
- if (!atomic_add_unless(&set->nelems, 1, max)) {
- err = -ENFILE;
- goto err_set_full;
- }
- }
-
nft_trans_elem(trans) = elem;
nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
-err_set_full:
- nft_setelem_remove(ctx->net, set, &elem);
+ return set_full ? -ENFILE : 0;
+
err_element_clash:
kfree(trans);
+err_set_size:
+ if (!(flags & NFT_SET_ELEM_CATCHALL))
+ atomic_dec(&set->nelems);
err_elem_free:
nf_tables_set_elem_destroy(ctx, set, elem.priv);
err_parse_data:
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 013/129] selftests/bpf: Move get_time_ns to testing_helpers.h
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 012/129] netfilter: nf_tables: unconditionally bump set->nelems before insertion Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 014/129] selftests/bpf: Check for timeout in perf_link test Greg Kroah-Hartman
` (122 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Olsa, Alexei Starovoitov,
Shung-Hsi Yu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
commit 3830d04a7401f277185e4439eb259c1b13e76788 upstream.
We'd like to have single copy of get_time_ns used b bench and test_progs,
but we can't just include bench.h, because of conflicting 'struct env'
objects.
Moving get_time_ns to testing_helpers.h which is being included by both
bench and test_progs objects.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20230809083440.3209381-19-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Stable-dep-of: e6c209da7e0e ("selftests/bpf: Check for timeout in perf_link test")
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/bench.h | 9 ---------
.../selftests/bpf/prog_tests/kprobe_multi_test.c | 8 --------
tools/testing/selftests/bpf/testing_helpers.h | 10 ++++++++++
3 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/tools/testing/selftests/bpf/bench.h b/tools/testing/selftests/bpf/bench.h
index 66959387148375..2c94c57885af85 100644
--- a/tools/testing/selftests/bpf/bench.h
+++ b/tools/testing/selftests/bpf/bench.h
@@ -79,15 +79,6 @@ void grace_period_latency_basic_stats(struct bench_res res[], int res_cnt,
void grace_period_ticks_basic_stats(struct bench_res res[], int res_cnt,
struct basic_stats *gp_stat);
-static inline __u64 get_time_ns(void)
-{
- struct timespec t;
-
- clock_gettime(CLOCK_MONOTONIC, &t);
-
- return (u64)t.tv_sec * 1000000000 + t.tv_nsec;
-}
-
static inline void atomic_inc(long *value)
{
(void)__atomic_add_fetch(value, 1, __ATOMIC_RELAXED);
diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
index 0d82e28aed1ac0..8086e28346466f 100644
--- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
+++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
@@ -304,14 +304,6 @@ static void test_attach_api_fails(void)
kprobe_multi__destroy(skel);
}
-static inline __u64 get_time_ns(void)
-{
- struct timespec t;
-
- clock_gettime(CLOCK_MONOTONIC, &t);
- return (__u64) t.tv_sec * 1000000000 + t.tv_nsec;
-}
-
static size_t symbol_hash(const void *key, void *ctx __maybe_unused)
{
return str_hash((const char *) key);
diff --git a/tools/testing/selftests/bpf/testing_helpers.h b/tools/testing/selftests/bpf/testing_helpers.h
index f72fb24f8e90fb..ba4f205e7bc757 100644
--- a/tools/testing/selftests/bpf/testing_helpers.h
+++ b/tools/testing/selftests/bpf/testing_helpers.h
@@ -7,6 +7,7 @@
#include <stdbool.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>
+#include <time.h>
int parse_num_list(const char *s, bool **set, int *set_len);
__u32 link_info_prog_id(const struct bpf_link *link, struct bpf_link_info *info);
@@ -30,4 +31,13 @@ int load_bpf_testmod(bool verbose);
void unload_bpf_testmod(bool verbose);
int kern_sync_rcu(void);
+static inline __u64 get_time_ns(void)
+{
+ struct timespec t;
+
+ clock_gettime(CLOCK_MONOTONIC, &t);
+
+ return (u64)t.tv_sec * 1000000000 + t.tv_nsec;
+}
+
#endif /* __TESTING_HELPERS_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 014/129] selftests/bpf: Check for timeout in perf_link test
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 013/129] selftests/bpf: Move get_time_ns to testing_helpers.h Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 015/129] drm/v3d: Store the active job inside the queues state Greg Kroah-Hartman
` (121 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ihor Solodrai, Andrii Nakryiko,
Shung-Hsi Yu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ihor Solodrai <ihor.solodrai@pm.me>
commit e6c209da7e0e9aaf955a7b59e91ed78c2b6c96fb upstream.
Recently perf_link test started unreliably failing on libbpf CI:
* https://github.com/libbpf/libbpf/actions/runs/11260672407/job/31312405473
* https://github.com/libbpf/libbpf/actions/runs/11260992334/job/31315514626
* https://github.com/libbpf/libbpf/actions/runs/11263162459/job/31320458251
Part of the test is running a dummy loop for a while and then checking
for a counter incremented by the test program.
Instead of waiting for an arbitrary number of loop iterations once,
check for the test counter in a loop and use get_time_ns() helper to
enforce a 100ms timeout.
v1: https://lore.kernel.org/bpf/zuRd072x9tumn2iN4wDNs5av0nu5nekMNV4PkR-YwCT10eFFTrUtZBRkLWFbrcCe7guvLStGQlhibo8qWojCO7i2-NGajes5GYIyynexD-w=@pm.me/
Signed-off-by: Ihor Solodrai <ihor.solodrai@pm.me>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20241011153104.249800-1-ihor.solodrai@pm.me
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/bpf/prog_tests/perf_link.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/perf_link.c b/tools/testing/selftests/bpf/prog_tests/perf_link.c
index 224eba6fef2ee1..d734526d6a16b1 100644
--- a/tools/testing/selftests/bpf/prog_tests/perf_link.c
+++ b/tools/testing/selftests/bpf/prog_tests/perf_link.c
@@ -4,8 +4,12 @@
#include <pthread.h>
#include <sched.h>
#include <test_progs.h>
+#include "testing_helpers.h"
#include "test_perf_link.skel.h"
+#define BURN_TIMEOUT_MS 100
+#define BURN_TIMEOUT_NS BURN_TIMEOUT_MS * 1000000
+
static void burn_cpu(void)
{
volatile int j = 0;
@@ -32,6 +36,7 @@ void serial_test_perf_link(void)
int run_cnt_before, run_cnt_after;
struct bpf_link_info info;
__u32 info_len = sizeof(info);
+ __u64 timeout_time_ns;
/* create perf event */
memset(&attr, 0, sizeof(attr));
@@ -63,8 +68,14 @@ void serial_test_perf_link(void)
ASSERT_GT(info.prog_id, 0, "link_prog_id");
/* ensure we get at least one perf_event prog execution */
- burn_cpu();
- ASSERT_GT(skel->bss->run_cnt, 0, "run_cnt");
+ timeout_time_ns = get_time_ns() + BURN_TIMEOUT_NS;
+ while (true) {
+ burn_cpu();
+ if (skel->bss->run_cnt > 0)
+ break;
+ if (!ASSERT_LT(get_time_ns(), timeout_time_ns, "run_cnt_timeout"))
+ break;
+ }
/* perf_event is still active, but we close link and BPF program
* shouldn't be executed anymore
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 015/129] drm/v3d: Store the active job inside the queues state
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 014/129] selftests/bpf: Check for timeout in perf_link test Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 016/129] drm/v3d: Skip CSD when it has zeroed workgroups Greg Kroah-Hartman
` (120 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Iago Toral Quiroga, Melissa Wen,
Maíra Canal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit 0d3768826d38c0ac740f8b45cd13346630535f2b ]
Instead of storing the queue's active job in four different variables,
store the active job inside the queue's state. This way, it's possible
to access all active jobs using an index based in `enum v3d_queue`.
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://lore.kernel.org/r/20250826-v3d-queue-lock-v3-2-979efc43e490@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Stable-dep-of: 7f93fad5ea0a ("drm/v3d: Skip CSD when it has zeroed workgroups")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/v3d/v3d_drv.h | 8 +++-----
drivers/gpu/drm/v3d/v3d_gem.c | 5 +++--
drivers/gpu/drm/v3d/v3d_irq.c | 24 ++++++++++++++----------
drivers/gpu/drm/v3d/v3d_sched.c | 26 ++++++++++++++++++--------
4 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h
index a366ea208787df..c1e389635de816 100644
--- a/drivers/gpu/drm/v3d/v3d_drv.h
+++ b/drivers/gpu/drm/v3d/v3d_drv.h
@@ -26,6 +26,9 @@ struct v3d_queue_state {
u64 fence_context;
u64 emit_seqno;
+
+ /* Currently active job for this queue */
+ struct v3d_job *active_job;
};
/* Performance monitor object. The perform lifetime is controlled by userspace
@@ -110,11 +113,6 @@ struct v3d_dev {
struct work_struct overflow_mem_work;
- struct v3d_bin_job *bin_job;
- struct v3d_render_job *render_job;
- struct v3d_tfu_job *tfu_job;
- struct v3d_csd_job *csd_job;
-
struct v3d_queue_state queue[V3D_MAX_QUEUES];
/* Spinlock used to synchronize the overflow memory
diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
index 97755a6b556335..71019a57958ba3 100644
--- a/drivers/gpu/drm/v3d/v3d_gem.c
+++ b/drivers/gpu/drm/v3d/v3d_gem.c
@@ -1120,14 +1120,15 @@ void
v3d_gem_destroy(struct drm_device *dev)
{
struct v3d_dev *v3d = to_v3d_dev(dev);
+ enum v3d_queue q;
v3d_sched_fini(v3d);
/* Waiting for jobs to finish would need to be done before
* unregistering V3D.
*/
- WARN_ON(v3d->bin_job);
- WARN_ON(v3d->render_job);
+ for (q = 0; q < V3D_MAX_QUEUES; q++)
+ WARN_ON(v3d->queue[q].active_job);
drm_mm_takedown(&v3d->mm);
diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c
index 641315dbee8b29..1717504742a665 100644
--- a/drivers/gpu/drm/v3d/v3d_irq.c
+++ b/drivers/gpu/drm/v3d/v3d_irq.c
@@ -40,6 +40,8 @@ v3d_overflow_mem_work(struct work_struct *work)
container_of(work, struct v3d_dev, overflow_mem_work);
struct drm_device *dev = &v3d->drm;
struct v3d_bo *bo = v3d_bo_create(dev, NULL /* XXX: GMP */, 256 * 1024);
+ struct v3d_queue_state *queue = &v3d->queue[V3D_BIN];
+ struct v3d_bin_job *bin_job;
struct drm_gem_object *obj;
unsigned long irqflags;
@@ -59,13 +61,15 @@ v3d_overflow_mem_work(struct work_struct *work)
* some binner pool anyway.
*/
spin_lock_irqsave(&v3d->job_lock, irqflags);
- if (!v3d->bin_job) {
+ bin_job = (struct v3d_bin_job *)queue->active_job;
+
+ if (!bin_job) {
spin_unlock_irqrestore(&v3d->job_lock, irqflags);
goto out;
}
drm_gem_object_get(obj);
- list_add_tail(&bo->unref_head, &v3d->bin_job->render->unref_list);
+ list_add_tail(&bo->unref_head, &bin_job->render->unref_list);
spin_unlock_irqrestore(&v3d->job_lock, irqflags);
V3D_CORE_WRITE(0, V3D_PTB_BPOA, bo->node.start << PAGE_SHIFT);
@@ -99,11 +103,11 @@ v3d_irq(int irq, void *arg)
if (intsts & V3D_INT_FLDONE) {
struct v3d_fence *fence =
- to_v3d_fence(v3d->bin_job->base.irq_fence);
+ to_v3d_fence(v3d->queue[V3D_BIN].active_job->irq_fence);
trace_v3d_bcl_irq(&v3d->drm, fence->seqno);
- v3d->bin_job = NULL;
+ v3d->queue[V3D_BIN].active_job = NULL;
dma_fence_signal(&fence->base);
status = IRQ_HANDLED;
@@ -111,11 +115,11 @@ v3d_irq(int irq, void *arg)
if (intsts & V3D_INT_FRDONE) {
struct v3d_fence *fence =
- to_v3d_fence(v3d->render_job->base.irq_fence);
+ to_v3d_fence(v3d->queue[V3D_RENDER].active_job->irq_fence);
trace_v3d_rcl_irq(&v3d->drm, fence->seqno);
- v3d->render_job = NULL;
+ v3d->queue[V3D_RENDER].active_job = NULL;
dma_fence_signal(&fence->base);
status = IRQ_HANDLED;
@@ -123,11 +127,11 @@ v3d_irq(int irq, void *arg)
if (intsts & V3D_INT_CSDDONE) {
struct v3d_fence *fence =
- to_v3d_fence(v3d->csd_job->base.irq_fence);
+ to_v3d_fence(v3d->queue[V3D_CSD].active_job->irq_fence);
trace_v3d_csd_irq(&v3d->drm, fence->seqno);
- v3d->csd_job = NULL;
+ v3d->queue[V3D_CSD].active_job = NULL;
dma_fence_signal(&fence->base);
status = IRQ_HANDLED;
@@ -162,11 +166,11 @@ v3d_hub_irq(int irq, void *arg)
if (intsts & V3D_HUB_INT_TFUC) {
struct v3d_fence *fence =
- to_v3d_fence(v3d->tfu_job->base.irq_fence);
+ to_v3d_fence(v3d->queue[V3D_TFU].active_job->irq_fence);
trace_v3d_tfu_irq(&v3d->drm, fence->seqno);
- v3d->tfu_job = NULL;
+ v3d->queue[V3D_TFU].active_job = NULL;
dma_fence_signal(&fence->base);
status = IRQ_HANDLED;
diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index 41493cf3d03b81..ff91cdb75bb912 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -80,14 +80,18 @@ static struct dma_fence *v3d_bin_job_run(struct drm_sched_job *sched_job)
struct dma_fence *fence;
unsigned long irqflags;
- if (unlikely(job->base.base.s_fence->finished.error))
+ if (unlikely(job->base.base.s_fence->finished.error)) {
+ spin_lock_irqsave(&v3d->job_lock, irqflags);
+ v3d->queue[V3D_BIN].active_job = NULL;
+ spin_unlock_irqrestore(&v3d->job_lock, irqflags);
return NULL;
+ }
/* Lock required around bin_job update vs
* v3d_overflow_mem_work().
*/
spin_lock_irqsave(&v3d->job_lock, irqflags);
- v3d->bin_job = job;
+ v3d->queue[V3D_BIN].active_job = &job->base;
/* Clear out the overflow allocation, so we don't
* reuse the overflow attached to a previous job.
*/
@@ -134,10 +138,12 @@ static struct dma_fence *v3d_render_job_run(struct drm_sched_job *sched_job)
struct drm_device *dev = &v3d->drm;
struct dma_fence *fence;
- if (unlikely(job->base.base.s_fence->finished.error))
+ if (unlikely(job->base.base.s_fence->finished.error)) {
+ v3d->queue[V3D_RENDER].active_job = NULL;
return NULL;
+ }
- v3d->render_job = job;
+ v3d->queue[V3D_RENDER].active_job = &job->base;
/* Can we avoid this flush? We need to be careful of
* scheduling, though -- imagine job0 rendering to texture and
@@ -179,10 +185,12 @@ v3d_tfu_job_run(struct drm_sched_job *sched_job)
struct drm_device *dev = &v3d->drm;
struct dma_fence *fence;
- if (unlikely(job->base.base.s_fence->finished.error))
+ if (unlikely(job->base.base.s_fence->finished.error)) {
+ v3d->queue[V3D_TFU].active_job = NULL;
return NULL;
+ }
- v3d->tfu_job = job;
+ v3d->queue[V3D_TFU].active_job = &job->base;
fence = v3d_fence_create(v3d, V3D_TFU);
if (IS_ERR(fence))
@@ -221,10 +229,12 @@ v3d_csd_job_run(struct drm_sched_job *sched_job)
struct dma_fence *fence;
int i;
- if (unlikely(job->base.base.s_fence->finished.error))
+ if (unlikely(job->base.base.s_fence->finished.error)) {
+ v3d->queue[V3D_CSD].active_job = NULL;
return NULL;
+ }
- v3d->csd_job = job;
+ v3d->queue[V3D_CSD].active_job = &job->base;
v3d_invalidate_caches(v3d);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 016/129] drm/v3d: Skip CSD when it has zeroed workgroups
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 015/129] drm/v3d: Store the active job inside the queues state Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 017/129] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
` (119 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Maria Casanova Crespo,
Iago Toral Quiroga, Maíra Canal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit 7f93fad5ea0affc9e1505dd0f7596c0fdb496213 ]
A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2
registers. Kicking off a dispatch with a zero count in any of the three
dimensions is invalid. First, the hardware will process 0 as 65536,
while the user-space driver exposes a maximum of 65535. Over that, a
submission with a zeroed workgroup dimension should be a no-op.
These zeroed counts can reach the dispatch path through an indirect CSD
job, whose workgroup counts are only known once the indirect buffer is
read and may legitimately be zero, but such scenario should only result in
a no-op.
Overwrite the indirect CSD job workgroup counts with the indirect BO
ones, even if they are zeroed, and don't submit the job to the hardware
when any of the workgroup counts is zero, so the job completes immediately
instead of running the shader.
Cc: stable@vger.kernel.org
Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
Suggested-by: Jose Maria Casanova Crespo <jmcasanova@igalia.com>
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260602-v3d-fix-indirect-csd-v4-2-654309e32bc0@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/v3d/v3d_sched.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index ff91cdb75bb912..ab872bc818004a 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -234,6 +234,16 @@ v3d_csd_job_run(struct drm_sched_job *sched_job)
return NULL;
}
+ /* The HW interprets a workgroup size of 0 as 65536; however, the
+ * user-space driver exposes a maximum of 65535. Therefore, a 0 in
+ * any dimension means that we have no workgroups and the compute
+ * shader should not be dispatched.
+ */
+ if (!V3D_GET_FIELD(job->args.cfg[0], V3D_CSD_QUEUED_CFG0_NUM_WGS_X) ||
+ !V3D_GET_FIELD(job->args.cfg[1], V3D_CSD_QUEUED_CFG1_NUM_WGS_Y) ||
+ !V3D_GET_FIELD(job->args.cfg[2], V3D_CSD_QUEUED_CFG2_NUM_WGS_Z))
+ return NULL;
+
v3d->queue[V3D_CSD].active_job = &job->base;
v3d_invalidate_caches(v3d);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 017/129] batman-adv: tt: prevent TVLV entry number overflow
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 016/129] drm/v3d: Skip CSD when it has zeroed workgroups Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 018/129] KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector Greg Kroah-Hartman
` (118 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 99d9958fa10fb684b2a8e2c48a8d704122721420 upstream.
The helpers to prepare the buffers for the local and global TT based
replies are trying to sum up all TT entries which can be found for each
VLAN. In theory, this sum can be too big for an u16 and therefore overflow.
A too small buffer would then be allocated for the TVLV.
The too small buffer will be handled gracefully by
batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a
truncated reply. But this overflow shouldn't have happened in the first and
the too small buffer should never have been allocated when an overflow was
detected.
Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index e0503c8f24c353..53d2aadcafa154 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -850,11 +850,18 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
u16 total_entries = 0;
u8 *tt_change_ptr;
int vlan_entries;
+ u16 sum_entries;
spin_lock_bh(&orig_node->vlan_list_lock);
hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
vlan_entries = atomic_read(&vlan->tt.num_entries);
- total_entries += vlan_entries;
+
+ if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) {
+ *tt_len = 0;
+ goto out;
+ }
+
+ total_entries = sum_entries;
num_vlan++;
}
@@ -941,15 +948,22 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
struct batadv_softif_vlan *vlan;
size_t change_offset;
u16 num_vlan = 0;
- u16 vlan_entries = 0;
u16 total_entries = 0;
u16 tvlv_len;
u8 *tt_change_ptr;
+ int vlan_entries;
+ u16 sum_entries;
spin_lock_bh(&bat_priv->softif_vlan_list_lock);
hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
vlan_entries = atomic_read(&vlan->tt.num_entries);
- total_entries += vlan_entries;
+
+ if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) {
+ tvlv_len = 0;
+ goto out;
+ }
+
+ total_entries = sum_entries;
num_vlan++;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 018/129] KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 017/129] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 019/129] KVM: nVMX: Check for pending posted interrupts when looking for nested events Greg Kroah-Hartman
` (117 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Nicholas Dudar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit d83c36d822be44db4bad0c43bea99c8908f54117 upstream.
Add a helper to retrieve the highest pending vector given a Posted
Interrupt descriptor. While the actual operation is straightforward, it's
surprisingly easy to mess up, e.g. if one tries to reuse lapic.c's
find_highest_vector(), which doesn't work with PID.PIR due to the APIC's
IRR and ISR component registers being physically discontiguous (they're
4-byte registers aligned at 16-byte intervals).
To make PIR handling more consistent with respect to IRR and ISR handling,
return -1 to indicate "no interrupt pending".
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240607172609.3205077-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ Nicholas Dudar: backport to 6.1.y. 6.1.y defines struct pi_desc in
posted_intr.h and predates the move to <asm/posted_intr.h>, so the helper
and the <linux/find.h> include go in posted_intr.h. ]
Signed-off-by: Nicholas Dudar <main.kalliope@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/nested.c | 5 +++--
arch/x86/kvm/vmx/posted_intr.h | 10 ++++++++++
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index bdc462944cb082..7d8e18dbe8531b 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -12,6 +12,7 @@
#include "mmu.h"
#include "nested.h"
#include "pmu.h"
+#include "posted_intr.h"
#include "sgx.h"
#include "trace.h"
#include "vmx.h"
@@ -3818,8 +3819,8 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
if (!pi_test_and_clear_on(vmx->nested.pi_desc))
return 0;
- max_irr = find_last_bit((unsigned long *)vmx->nested.pi_desc->pir, 256);
- if (max_irr != 256) {
+ max_irr = pi_find_highest_vector(vmx->nested.pi_desc);
+ if (max_irr > 0) {
vapic_page = vmx->nested.virtual_apic_map.hva;
if (!vapic_page)
goto mmio_needed;
diff --git a/arch/x86/kvm/vmx/posted_intr.h b/arch/x86/kvm/vmx/posted_intr.h
index 26992076552ef1..88cea0dac7204b 100644
--- a/arch/x86/kvm/vmx/posted_intr.h
+++ b/arch/x86/kvm/vmx/posted_intr.h
@@ -2,6 +2,8 @@
#ifndef __KVM_X86_VMX_POSTED_INTR_H
#define __KVM_X86_VMX_POSTED_INTR_H
+#include <linux/find.h>
+
#define POSTED_INTR_ON 0
#define POSTED_INTR_SN 1
@@ -103,4 +105,12 @@ int vmx_pi_update_irte(struct kvm *kvm, unsigned int host_irq,
uint32_t guest_irq, bool set);
void vmx_pi_start_assignment(struct kvm *kvm);
+static inline int pi_find_highest_vector(struct pi_desc *pi_desc)
+{
+ int vec;
+
+ vec = find_last_bit((unsigned long *)pi_desc->pir, 256);
+ return vec < 256 ? vec : -1;
+}
+
#endif /* __KVM_X86_VMX_POSTED_INTR_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 019/129] KVM: nVMX: Check for pending posted interrupts when looking for nested events
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 018/129] KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 020/129] KVM: nVMX: Fold requested virtual interrupt check into has_nested_events() Greg Kroah-Hartman
` (116 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Jim Mattson,
Sean Christopherson, Nicholas Dudar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 27c4fa42b11af780d49ce704f7fa67b3c2544df4 upstream.
Check for pending (and notified!) posted interrupts when checking if L2
has a pending wake event, as fully posted/notified virtual interrupt is a
valid wake event for HLT.
Note that KVM must check vmx->nested.pi_pending to avoid prematurely
waking L2, e.g. even if KVM sees a non-zero PID.PIR and PID.0N=1, the
virtual interrupt won't actually be recognized until a notification IRQ is
received by the vCPU or the vCPU does (nested) VM-Enter.
Fixes: 26844fee6ade ("KVM: x86: never write to memory from kvm_vcpu_check_block()")
Cc: stable@vger.kernel.org
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Reported-by: Jim Mattson <jmattson@google.com>
Closes: https://lore.kernel.org/all/20231207010302.2240506-1-jmattson@google.com
Link: https://lore.kernel.org/r/20240607172609.3205077-5-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ Nicholas Dudar: backport to 6.1.y. Prerequisite for the next patch, which
folds its check into the vmx_has_nested_events() body this patch builds.
Applies cleanly. The for_injection path still returns preemption_timer ||
mtf, as the previous 6.1.y body did. ]
Signed-off-by: Nicholas Dudar <main.kalliope@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/vmx/nested.c | 36 ++++++++++++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 7d8e18dbe8531b..ad07e83d2c1d5b 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3953,8 +3953,40 @@ static bool nested_vmx_preemption_timer_pending(struct kvm_vcpu *vcpu)
static bool vmx_has_nested_events(struct kvm_vcpu *vcpu, bool for_injection)
{
- return nested_vmx_preemption_timer_pending(vcpu) ||
- to_vmx(vcpu)->nested.mtf_pending;
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ void *vapic = vmx->nested.virtual_apic_map.hva;
+ int max_irr, vppr;
+
+ if (nested_vmx_preemption_timer_pending(vcpu) ||
+ vmx->nested.mtf_pending)
+ return true;
+
+ /*
+ * Virtual Interrupt Delivery doesn't require manual injection. Either
+ * the interrupt is already in GUEST_RVI and will be recognized by CPU
+ * at VM-Entry, or there is a KVM_REQ_EVENT pending and KVM will move
+ * the interrupt from the PIR to RVI prior to entering the guest.
+ */
+ if (for_injection)
+ return false;
+
+ if (!nested_cpu_has_vid(get_vmcs12(vcpu)) ||
+ __vmx_interrupt_blocked(vcpu))
+ return false;
+
+ if (!vapic)
+ return false;
+
+ vppr = *((u32 *)(vapic + APIC_PROCPRI));
+
+ if (vmx->nested.pi_pending && vmx->nested.pi_desc &&
+ pi_test_on(vmx->nested.pi_desc)) {
+ max_irr = pi_find_highest_vector(vmx->nested.pi_desc);
+ if (max_irr > 0 && (max_irr & 0xf0) > (vppr & 0xf0))
+ return true;
+ }
+
+ return false;
}
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 020/129] KVM: nVMX: Fold requested virtual interrupt check into has_nested_events()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 019/129] KVM: nVMX: Check for pending posted interrupts when looking for nested events Greg Kroah-Hartman
@ 2026-07-02 16:18 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 021/129] net: annotate data-races around sk->sk_{data_ready,write_space} Greg Kroah-Hartman
` (115 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Nicholas Dudar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 321ef62b0c5f6f57bb8500a2ca5986052675abbf upstream.
Check for a Requested Virtual Interrupt, i.e. a virtual interrupt that is
pending delivery, in vmx_has_nested_events() and drop the one-off
kvm_x86_ops.guest_apic_has_interrupt() hook.
In addition to dropping a superfluous hook, this fixes a bug where KVM
would incorrectly treat virtual interrupts _for L2_ as always enabled due
to kvm_arch_interrupt_allowed(), by way of vmx_interrupt_blocked(),
treating IRQs as enabled if L2 is active and vmcs12 is configured to exit
on IRQs, i.e. KVM would treat a virtual interrupt for L2 as a valid wake
event based on L1's IRQ blocking status.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240607172609.3205077-6-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ Nicholas Dudar: backport to 6.1.y. 6.1.y predates the vmx main.c /
x86_ops.h split, so drop .guest_apic_has_interrupt from vmx_x86_ops in
vmx.c rather than vt_x86_ops in main.c. The function is static in vmx.c, so
upstream's x86_ops.h prototype removal does not apply. 6.1.y keeps the
current hwapic_isr_update signature. ]
Signed-off-by: Nicholas Dudar <main.kalliope@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/kvm-x86-ops.h | 1 -
arch/x86/include/asm/kvm_host.h | 1 -
arch/x86/kvm/vmx/nested.c | 4 ++++
arch/x86/kvm/vmx/vmx.c | 21 ---------------------
arch/x86/kvm/x86.c | 10 +---------
5 files changed, 5 insertions(+), 32 deletions(-)
diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h
index c068565fe95474..1cfe83263b213b 100644
--- a/arch/x86/include/asm/kvm-x86-ops.h
+++ b/arch/x86/include/asm/kvm-x86-ops.h
@@ -81,7 +81,6 @@ KVM_X86_OP(check_apicv_inhibit_reasons)
KVM_X86_OP(refresh_apicv_exec_ctrl)
KVM_X86_OP_OPTIONAL(hwapic_irr_update)
KVM_X86_OP_OPTIONAL(hwapic_isr_update)
-KVM_X86_OP_OPTIONAL_RET0(guest_apic_has_interrupt)
KVM_X86_OP_OPTIONAL(load_eoi_exitmap)
KVM_X86_OP_OPTIONAL(set_virtual_apic_mode)
KVM_X86_OP_OPTIONAL(set_apic_access_page_addr)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index fe5c0f86ae389d..31395c43416dd7 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1549,7 +1549,6 @@ struct kvm_x86_ops {
void (*refresh_apicv_exec_ctrl)(struct kvm_vcpu *vcpu);
void (*hwapic_irr_update)(struct kvm_vcpu *vcpu, int max_irr);
void (*hwapic_isr_update)(struct kvm_vcpu *vcpu, int isr);
- bool (*guest_apic_has_interrupt)(struct kvm_vcpu *vcpu);
void (*load_eoi_exitmap)(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap);
void (*set_virtual_apic_mode)(struct kvm_vcpu *vcpu);
void (*set_apic_access_page_addr)(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index ad07e83d2c1d5b..f7a790a28b9eee 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3979,6 +3979,10 @@ static bool vmx_has_nested_events(struct kvm_vcpu *vcpu, bool for_injection)
vppr = *((u32 *)(vapic + APIC_PROCPRI));
+ max_irr = vmx_get_rvi();
+ if ((max_irr & 0xf0) > (vppr & 0xf0))
+ return true;
+
if (vmx->nested.pi_pending && vmx->nested.pi_desc &&
pi_test_on(vmx->nested.pi_desc)) {
max_irr = pi_find_highest_vector(vmx->nested.pi_desc);
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index e5d162e97f5031..2e6454e4cca4b4 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4063,26 +4063,6 @@ void pt_update_intercept_for_msr(struct kvm_vcpu *vcpu)
}
}
-static bool vmx_guest_apic_has_interrupt(struct kvm_vcpu *vcpu)
-{
- struct vcpu_vmx *vmx = to_vmx(vcpu);
- void *vapic_page;
- u32 vppr;
- int rvi;
-
- if (WARN_ON_ONCE(!is_guest_mode(vcpu)) ||
- !nested_cpu_has_vid(get_vmcs12(vcpu)) ||
- WARN_ON_ONCE(!vmx->nested.virtual_apic_map.gfn))
- return false;
-
- rvi = vmx_get_rvi();
-
- vapic_page = vmx->nested.virtual_apic_map.hva;
- vppr = *((u32 *)(vapic_page + APIC_PROCPRI));
-
- return ((rvi & 0xf0) > (vppr & 0xf0));
-}
-
static void vmx_msr_filter_changed(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -8266,7 +8246,6 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
.check_apicv_inhibit_reasons = vmx_check_apicv_inhibit_reasons,
.hwapic_irr_update = vmx_hwapic_irr_update,
.hwapic_isr_update = vmx_hwapic_isr_update,
- .guest_apic_has_interrupt = vmx_guest_apic_has_interrupt,
.sync_pir_to_irr = vmx_sync_pir_to_irr,
.deliver_interrupt = vmx_deliver_interrupt,
.dy_apicv_has_pending_interrupt = pi_has_pending_interrupt,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 10ef8a4353b32e..208a713d7ecd75 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -13046,12 +13046,6 @@ void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
kvm_page_track_flush_slot(kvm, slot);
}
-static inline bool kvm_guest_apic_has_interrupt(struct kvm_vcpu *vcpu)
-{
- return (is_guest_mode(vcpu) &&
- static_call(kvm_x86_guest_apic_has_interrupt)(vcpu));
-}
-
static inline bool kvm_vcpu_has_events(struct kvm_vcpu *vcpu)
{
if (!list_empty_careful(&vcpu->async_pf.done))
@@ -13077,9 +13071,7 @@ static inline bool kvm_vcpu_has_events(struct kvm_vcpu *vcpu)
static_call(kvm_x86_smi_allowed)(vcpu, false)))
return true;
- if (kvm_arch_interrupt_allowed(vcpu) &&
- (kvm_cpu_has_interrupt(vcpu) ||
- kvm_guest_apic_has_interrupt(vcpu)))
+ if (kvm_arch_interrupt_allowed(vcpu) && kvm_cpu_has_interrupt(vcpu))
return true;
if (kvm_hv_has_stimer_pending(vcpu))
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 021/129] net: annotate data-races around sk->sk_{data_ready,write_space}
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-07-02 16:18 ` [PATCH 6.1 020/129] KVM: nVMX: Fold requested virtual interrupt check into has_nested_events() Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 022/129] debugobjects,locking: Annotate debug_object_fill_pool() wait type violation Greg Kroah-Hartman
` (114 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+87f770387a9e5dc6b79b,
Eric Dumazet, Daniel Borkmann, John Fastabend, Jakub Sitnicki,
Willem de Bruijn, Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 2ef2b20cf4e04ac8a6ba68493f8780776ff84300 ]
skmsg (and probably other layers) are changing these pointers
while other cpus might read them concurrently.
Add corresponding READ_ONCE()/WRITE_ONCE() annotations
for UDP, TCP and AF_UNIX.
Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Reported-by: syzbot+87f770387a9e5dc6b79b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/699ee9fc.050a0220.1cd54b.0009.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260225131547.1085509-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 14 +++++++-------
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_bpf.c | 2 +-
net/ipv4/tcp_input.c | 14 ++++++++------
net/ipv4/tcp_minisocks.c | 2 +-
net/ipv4/udp.c | 2 +-
net/ipv4/udp_bpf.c | 2 +-
net/unix/af_unix.c | 8 ++++----
8 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 444b9b25ade28d..fd1a2464db0aab 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -1198,8 +1198,8 @@ void sk_psock_start_strp(struct sock *sk, struct sk_psock *psock)
return;
psock->saved_data_ready = sk->sk_data_ready;
- sk->sk_data_ready = sk_psock_strp_data_ready;
- sk->sk_write_space = sk_psock_write_space;
+ WRITE_ONCE(sk->sk_data_ready, sk_psock_strp_data_ready);
+ WRITE_ONCE(sk->sk_write_space, sk_psock_write_space);
}
void sk_psock_stop_strp(struct sock *sk, struct sk_psock *psock)
@@ -1209,8 +1209,8 @@ void sk_psock_stop_strp(struct sock *sk, struct sk_psock *psock)
if (!psock->saved_data_ready)
return;
- sk->sk_data_ready = psock->saved_data_ready;
- psock->saved_data_ready = NULL;
+ WRITE_ONCE(sk->sk_data_ready, psock->saved_data_ready);
+ WRITE_ONCE(psock->saved_data_ready, NULL);
strp_stop(&psock->strp);
}
@@ -1283,8 +1283,8 @@ void sk_psock_start_verdict(struct sock *sk, struct sk_psock *psock)
return;
psock->saved_data_ready = sk->sk_data_ready;
- sk->sk_data_ready = sk_psock_verdict_data_ready;
- sk->sk_write_space = sk_psock_write_space;
+ WRITE_ONCE(sk->sk_data_ready, sk_psock_verdict_data_ready);
+ WRITE_ONCE(sk->sk_write_space, sk_psock_write_space);
}
void sk_psock_stop_verdict(struct sock *sk, struct sk_psock *psock)
@@ -1295,6 +1295,6 @@ void sk_psock_stop_verdict(struct sock *sk, struct sk_psock *psock)
if (!psock->saved_data_ready)
return;
- sk->sk_data_ready = psock->saved_data_ready;
+ WRITE_ONCE(sk->sk_data_ready, psock->saved_data_ready);
psock->saved_data_ready = NULL;
}
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 076aa73c99fa81..82d6c01c7885c2 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1479,7 +1479,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
err = sk_stream_error(sk, flags, err);
/* make sure we wake any epoll edge trigger waiter */
if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) {
- sk->sk_write_space(sk);
+ READ_ONCE(sk->sk_write_space)(sk);
tcp_chrono_stop(sk, TCP_CHRONO_SNDBUF_LIMITED);
}
return err;
@@ -3844,7 +3844,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
break;
case TCP_NOTSENT_LOWAT:
WRITE_ONCE(tp->notsent_lowat, val);
- sk->sk_write_space(sk);
+ READ_ONCE(sk->sk_write_space)(sk);
break;
case TCP_INQ:
if (val > 1 || val < 0)
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 8e6c0737bfe128..9af7595bf8c452 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -750,7 +750,7 @@ int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore)
WRITE_ONCE(sk->sk_prot->unhash, psock->saved_unhash);
tcp_update_ulp(sk, psock->sk_proto, psock->saved_write_space);
} else {
- sk->sk_write_space = psock->saved_write_space;
+ WRITE_ONCE(sk->sk_write_space, psock->saved_write_space);
/* Pairs with lockless read in sk_clone_lock() */
sock_replace_proto(sk, psock->sk_proto);
}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 645ff379c42544..91b019df7ddf79 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4898,7 +4898,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
if (unlikely(tcp_try_rmem_schedule(sk, skb, skb->truesize))) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPOFODROP);
- sk->sk_data_ready(sk);
+ READ_ONCE(sk->sk_data_ready)(sk);
tcp_drop_reason(sk, skb, SKB_DROP_REASON_PROTO_MEM);
return;
}
@@ -5104,7 +5104,7 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
void tcp_data_ready(struct sock *sk)
{
if (tcp_epollin_ready(sk, sk->sk_rcvlowat) || sock_flag(sk, SOCK_DONE))
- sk->sk_data_ready(sk);
+ READ_ONCE(sk->sk_data_ready)(sk);
}
static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
@@ -5150,7 +5150,7 @@ static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
else if (tcp_try_rmem_schedule(sk, skb, skb->truesize)) {
reason = SKB_DROP_REASON_PROTO_MEM;
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRCVQDROP);
- sk->sk_data_ready(sk);
+ READ_ONCE(sk->sk_data_ready)(sk);
goto drop;
}
@@ -5570,7 +5570,9 @@ static void tcp_new_space(struct sock *sk)
tp->snd_cwnd_stamp = tcp_jiffies32;
}
- INDIRECT_CALL_1(sk->sk_write_space, sk_stream_write_space, sk);
+ INDIRECT_CALL_1(READ_ONCE(sk->sk_write_space),
+ sk_stream_write_space,
+ sk);
}
/* Caller made space either from:
@@ -5768,7 +5770,7 @@ static void tcp_urg(struct sock *sk, struct sk_buff *skb, const struct tcphdr *t
BUG();
WRITE_ONCE(tp->urg_data, TCP_URG_VALID | tmp);
if (!sock_flag(sk, SOCK_DEAD))
- sk->sk_data_ready(sk);
+ READ_ONCE(sk->sk_data_ready)(sk);
}
}
}
@@ -7133,7 +7135,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
sock_put(fastopen_sk);
goto drop_and_free;
}
- sk->sk_data_ready(sk);
+ READ_ONCE(sk->sk_data_ready)(sk);
bh_unlock_sock(fastopen_sk);
sock_put(fastopen_sk);
} else {
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 0b934b6ebb55b0..22b5748a6ee2c6 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -858,7 +858,7 @@ int tcp_child_process(struct sock *parent, struct sock *child,
ret = tcp_rcv_state_process(child, skb);
/* Wakeup parent, send SIGIO */
if (state == TCP_SYN_RECV && child->sk_state != state)
- parent->sk_data_ready(parent);
+ READ_ONCE(parent->sk_data_ready)(parent);
} else {
/* Alas, it is possible again, because we do lookup
* in main socket hash table and lock on listening
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index a8bfab80d66a5f..d1714aaedf1768 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1580,7 +1580,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
spin_unlock(&list->lock);
if (!sock_flag(sk, SOCK_DEAD))
- sk->sk_data_ready(sk);
+ READ_ONCE(sk->sk_data_ready)(sk);
busylock_release(busy);
return 0;
diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c
index 0735d820e413f3..44271ba1adec15 100644
--- a/net/ipv4/udp_bpf.c
+++ b/net/ipv4/udp_bpf.c
@@ -143,7 +143,7 @@ int udp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore)
int family = sk->sk_family == AF_INET ? UDP_BPF_IPV4 : UDP_BPF_IPV6;
if (restore) {
- sk->sk_write_space = psock->saved_write_space;
+ WRITE_ONCE(sk->sk_write_space, psock->saved_write_space);
sock_replace_proto(sk, psock->sk_proto);
return 0;
}
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index a268a483efcd3f..f5b215ca76d249 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1610,7 +1610,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
__skb_queue_tail(&other->sk_receive_queue, skb);
spin_unlock(&other->sk_receive_queue.lock);
unix_state_unlock(other);
- other->sk_data_ready(other);
+ READ_ONCE(other->sk_data_ready)(other);
sock_put(other);
return 0;
@@ -2082,7 +2082,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
scm_stat_add(other, skb);
skb_queue_tail(&other->sk_receive_queue, skb);
unix_state_unlock(other);
- other->sk_data_ready(other);
+ READ_ONCE(other->sk_data_ready)(other);
sock_put(other);
scm_destroy(&scm);
return len;
@@ -2150,7 +2150,7 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
sk_send_sigurg(other);
unix_state_unlock(other);
- other->sk_data_ready(other);
+ READ_ONCE(other->sk_data_ready)(other);
return err;
}
@@ -2243,7 +2243,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
scm_stat_add(other, skb);
skb_queue_tail(&other->sk_receive_queue, skb);
unix_state_unlock(other);
- other->sk_data_ready(other);
+ READ_ONCE(other->sk_data_ready)(other);
sent += size;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 022/129] debugobjects,locking: Annotate debug_object_fill_pool() wait type violation
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 021/129] net: annotate data-races around sk->sk_{data_ready,write_space} Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 023/129] debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING Greg Kroah-Hartman
` (113 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vlastimil Babka, Qi Zheng,
Peter Zijlstra (Intel), Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 0cce06ba859a515bd06224085d3addb870608b6d upstream.
There is an explicit wait-type violation in debug_object_fill_pool()
for PREEMPT_RT=n kernels which allows them to more easily fill the
object pool and reduce the chance of allocation failures.
Lockdep's wait-type checks are designed to check the PREEMPT_RT
locking rules even for PREEMPT_RT=n kernels and object to this, so
create a lockdep annotation to allow this to stand.
Specifically, create a 'lock' type that overrides the inner wait-type
while it is held -- allowing one to temporarily raise it, such that
the violation is hidden.
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Qi Zheng <zhengqi.arch@bytedance.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Qi Zheng <zhengqi.arch@bytedance.com>
Link: https://lkml.kernel.org/r/20230429100614.GA1489784@hirez.programming.kicks-ass.net
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/lockdep.h | 14 ++++++++++++++
include/linux/lockdep_types.h | 1 +
kernel/locking/lockdep.c | 28 +++++++++++++++++++++-------
lib/debugobjects.c | 15 +++++++++++++--
4 files changed, 49 insertions(+), 9 deletions(-)
diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
index 43d8734ac0eb0b..90aa802a30669c 100644
--- a/include/linux/lockdep.h
+++ b/include/linux/lockdep.h
@@ -339,6 +339,16 @@ extern void lock_unpin_lock(struct lockdep_map *lock, struct pin_cookie);
#define lockdep_repin_lock(l,c) lock_repin_lock(&(l)->dep_map, (c))
#define lockdep_unpin_lock(l,c) lock_unpin_lock(&(l)->dep_map, (c))
+/*
+ * Must use lock_map_aquire_try() with override maps to avoid
+ * lockdep thinking they participate in the block chain.
+ */
+#define DEFINE_WAIT_OVERRIDE_MAP(_name, _wait_type) \
+ struct lockdep_map _name = { \
+ .name = #_name "-wait-type-override", \
+ .wait_type_inner = _wait_type, \
+ .lock_type = LD_LOCK_WAIT_OVERRIDE, }
+
#else /* !CONFIG_LOCKDEP */
static inline void lockdep_init_task(struct task_struct *task)
@@ -427,6 +437,9 @@ extern int lockdep_is_held(const void *);
#define lockdep_repin_lock(l, c) do { (void)(l); (void)(c); } while (0)
#define lockdep_unpin_lock(l, c) do { (void)(l); (void)(c); } while (0)
+#define DEFINE_WAIT_OVERRIDE_MAP(_name, _wait_type) \
+ struct lockdep_map __maybe_unused _name = {}
+
#endif /* !LOCKDEP */
enum xhlock_context_t {
@@ -552,6 +565,7 @@ do { \
#define rwsem_release(l, i) lock_release(l, i)
#define lock_map_acquire(l) lock_acquire_exclusive(l, 0, 0, NULL, _THIS_IP_)
+#define lock_map_acquire_try(l) lock_acquire_exclusive(l, 0, 1, NULL, _THIS_IP_)
#define lock_map_acquire_read(l) lock_acquire_shared_recursive(l, 0, 0, NULL, _THIS_IP_)
#define lock_map_acquire_tryread(l) lock_acquire_shared_recursive(l, 0, 1, NULL, _THIS_IP_)
#define lock_map_release(l) lock_release(l, _THIS_IP_)
diff --git a/include/linux/lockdep_types.h b/include/linux/lockdep_types.h
index d22430840b53f9..59f4fb1626ea60 100644
--- a/include/linux/lockdep_types.h
+++ b/include/linux/lockdep_types.h
@@ -33,6 +33,7 @@ enum lockdep_wait_type {
enum lockdep_lock_type {
LD_LOCK_NORMAL = 0, /* normal, catch all */
LD_LOCK_PERCPU, /* percpu */
+ LD_LOCK_WAIT_OVERRIDE, /* annotation */
LD_LOCK_MAX,
};
diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 5f8ce961cd9a3f..463834778b4b04 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -2245,6 +2245,9 @@ static inline bool usage_match(struct lock_list *entry, void *mask)
static inline bool usage_skip(struct lock_list *entry, void *mask)
{
+ if (entry->class->lock_type == LD_LOCK_NORMAL)
+ return false;
+
/*
* Skip local_lock() for irq inversion detection.
*
@@ -2271,14 +2274,16 @@ static inline bool usage_skip(struct lock_list *entry, void *mask)
* As a result, we will skip local_lock(), when we search for irq
* inversion bugs.
*/
- if (entry->class->lock_type == LD_LOCK_PERCPU) {
- if (DEBUG_LOCKS_WARN_ON(entry->class->wait_type_inner < LD_WAIT_CONFIG))
- return false;
+ if (entry->class->lock_type == LD_LOCK_PERCPU &&
+ DEBUG_LOCKS_WARN_ON(entry->class->wait_type_inner < LD_WAIT_CONFIG))
+ return false;
- return true;
- }
+ /*
+ * Skip WAIT_OVERRIDE for irq inversion detection -- it's not actually
+ * a lock and only used to override the wait_type.
+ */
- return false;
+ return true;
}
/*
@@ -4745,7 +4750,8 @@ static int check_wait_context(struct task_struct *curr, struct held_lock *next)
for (; depth < curr->lockdep_depth; depth++) {
struct held_lock *prev = curr->held_locks + depth;
- u8 prev_inner = hlock_class(prev)->wait_type_inner;
+ struct lock_class *class = hlock_class(prev);
+ u8 prev_inner = class->wait_type_inner;
if (prev_inner) {
/*
@@ -4755,6 +4761,14 @@ static int check_wait_context(struct task_struct *curr, struct held_lock *next)
* Also due to trylocks.
*/
curr_inner = min(curr_inner, prev_inner);
+
+ /*
+ * Allow override for annotations -- this is typically
+ * only valid/needed for code that only exists when
+ * CONFIG_PREEMPT_RT=n.
+ */
+ if (unlikely(class->lock_type == LD_LOCK_WAIT_OVERRIDE))
+ curr_inner = prev_inner;
}
}
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index 1e193a5f6b4a72..46eabbae69ccfc 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -601,10 +601,21 @@ static void debug_objects_fill_pool(void)
{
/*
* On RT enabled kernels the pool refill must happen in preemptible
- * context:
+ * context -- for !RT kernels we rely on the fact that spinlock_t and
+ * raw_spinlock_t are basically the same type and this lock-type
+ * inversion works just fine.
*/
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible())
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible()) {
+ /*
+ * Annotate away the spinlock_t inside raw_spinlock_t warning
+ * by temporarily raising the wait-type to WAIT_SLEEP, matching
+ * the preemptible() condition above.
+ */
+ static DEFINE_WAIT_OVERRIDE_MAP(fill_pool_map, LD_WAIT_SLEEP);
+ lock_map_acquire_try(&fill_pool_map);
fill_pool();
+ lock_map_release(&fill_pool_map);
+ }
}
static void
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 023/129] debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 022/129] debugobjects,locking: Annotate debug_object_fill_pool() wait type violation Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 024/129] debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP Greg Kroah-Hartman
` (112 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit 06e0ae988f6e3499785c407429953ade19c1096b upstream.
The pool of free objects is refilled on several occasions such as object
initialisation. On PREEMPT_RT refilling is limited to preemptible
sections due to sleeping locks used by the memory allocator. The system
boots with disabled interrupts so the pool can not be refilled.
If too many objects are initialized and the pool gets empty then
debugobjects disables itself.
Refiling can also happen early in the boot with disabled interrupts as
long as the scheduler is not operational. If the scheduler can not
preempt a task then a sleeping lock can not be contended.
Allow to additionally refill the pool if the scheduler is not
operational.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://patch.msgid.link/20251127153652.291697-2-bigeasy@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index 46eabbae69ccfc..bb5c909458535b 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -605,7 +605,7 @@ static void debug_objects_fill_pool(void)
* raw_spinlock_t are basically the same type and this lock-type
* inversion works just fine.
*/
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible()) {
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible() || system_state < SYSTEM_SCHEDULING) {
/*
* Annotate away the spinlock_t inside raw_spinlock_t warning
* by temporarily raising the wait-type to WAIT_SLEEP, matching
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 024/129] debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 023/129] debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 025/129] debugobjects: Do not fill_pool() if pi_blocked_on Greg Kroah-Hartman
` (111 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit 37de2dbc318ee10577c1c2704de5a803e75e55a2 upstream.
fill_pool_map is used to suppress nesting violations caused by acquiring
a spinlock_t (from within the memory allocator) while holding a
raw_spinlock_t. The used annotation is wrong.
LD_WAIT_SLEEP is for always sleeping lock types such as mutex_t.
LD_WAIT_CONFIG is for lock type which are sleeping while spinning on
PREEMPT_RT such as spinlock_t.
Use LD_WAIT_CONFIG as override.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://patch.msgid.link/20251127153652.291697-3-bigeasy@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index bb5c909458535b..a7f3c6f15125a9 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -608,10 +608,10 @@ static void debug_objects_fill_pool(void)
if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible() || system_state < SYSTEM_SCHEDULING) {
/*
* Annotate away the spinlock_t inside raw_spinlock_t warning
- * by temporarily raising the wait-type to WAIT_SLEEP, matching
+ * by temporarily raising the wait-type to LD_WAIT_CONFIG, matching
* the preemptible() condition above.
*/
- static DEFINE_WAIT_OVERRIDE_MAP(fill_pool_map, LD_WAIT_SLEEP);
+ static DEFINE_WAIT_OVERRIDE_MAP(fill_pool_map, LD_WAIT_CONFIG);
lock_map_acquire_try(&fill_pool_map);
fill_pool();
lock_map_release(&fill_pool_map);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 025/129] debugobjects: Do not fill_pool() if pi_blocked_on
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 024/129] debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 026/129] debugobjects: Dont call fill_pool() in early boot hardirq context Greg Kroah-Hartman
` (110 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b8ca586b9fc235f0c0df,
Helen Koike, Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helen Koike <koike@igalia.com>
commit 5f41161059fd0f1bbf18c90f3180e38cc45a14eb upstream.
On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which
asserts if current::pi_blocked_on is set, because a task can obviously only
block on one lock as otherwise the priority inheritenace chain gets
corrupted.
Prevent this by expanding the conditional to take current::pi_blocked_on
into account.
Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware")
Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com
Signed-off-by: Helen Koike <koike@igalia.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com
Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index a7f3c6f15125a9..5e653e2ffa8dac 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -597,15 +597,25 @@ static struct debug_obj *lookup_object_or_alloc(void *addr, struct debug_bucket
return NULL;
}
+static inline bool debug_objects_is_pi_blocked_on(void)
+{
+#ifdef CONFIG_RT_MUTEXES
+ return current->pi_blocked_on != NULL;
+#else
+ return false;
+#endif
+}
+
static void debug_objects_fill_pool(void)
{
/*
* On RT enabled kernels the pool refill must happen in preemptible
- * context -- for !RT kernels we rely on the fact that spinlock_t and
- * raw_spinlock_t are basically the same type and this lock-type
- * inversion works just fine.
+ * context and not enqueued on an rt_mutex -- for !RT kernels we rely
+ * on the fact that spinlock_t and raw_spinlock_t are basically the
+ * same type and this lock-type inversion works just fine.
*/
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible() || system_state < SYSTEM_SCHEDULING) {
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) || system_state < SYSTEM_SCHEDULING ||
+ (preemptible() && !debug_objects_is_pi_blocked_on())) {
/*
* Annotate away the spinlock_t inside raw_spinlock_t warning
* by temporarily raising the wait-type to LD_WAIT_CONFIG, matching
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 026/129] debugobjects: Dont call fill_pool() in early boot hardirq context
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 025/129] debugobjects: Do not fill_pool() if pi_blocked_on Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 027/129] ARM: group is_permission_fault() with is_translation_fault() Greg Kroah-Hartman
` (109 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Thomas Gleixner, Waiman Long, Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
commit 0d046ae106255cba5eb83b23f78ee93f3620247d upstream.
When booting a debug PREEMPT_RT kernel on an ARM64 system, a "inconsistent
{HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage" lockdep warning message was
reported to the console.
During early boot, interrupts are enabled before the scheduler is
enabled. In this window (before SYSTEM_SCHEDULING is set) interrupts can
fire and in the hard interrupt context handler attempt to fill the pool
This can lead to a deadlock when the interrupt occurred when the interrupt
hits a region which holds a lock that is required to be taken in the
allocation path.
Add a new can_fill_pool() helper and reorder the exception rule and forbid
this scenario by excluding allocations from hard interrupt context.
Fixes: 06e0ae988f6e ("debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING")
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260605173038.495075-1-longman@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index 5e653e2ffa8dac..ef1fea990df70a 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -606,20 +606,48 @@ static inline bool debug_objects_is_pi_blocked_on(void)
#endif
}
-static void debug_objects_fill_pool(void)
+static inline bool can_fill_pool(void)
{
/*
- * On RT enabled kernels the pool refill must happen in preemptible
- * context and not enqueued on an rt_mutex -- for !RT kernels we rely
- * on the fact that spinlock_t and raw_spinlock_t are basically the
- * same type and this lock-type inversion works just fine.
+ * On !RT enabled kernels there are no restrictions and spinlock_t and
+ * raw_spinlock_t are the same types.
+ */
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT))
+ return true;
+
+ /*
+ * On RT enabled kernels, the task must not be blocked on a lock as
+ * that could corrupt the PI state when blocking on a lock in the
+ * allocation path.
+ */
+ if (debug_objects_is_pi_blocked_on())
+ return false;
+
+ /*
+ * On RT enabled kernels the pool refill should happen in preemptible
+ * context.
*/
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || system_state < SYSTEM_SCHEDULING ||
- (preemptible() && !debug_objects_is_pi_blocked_on())) {
+ if (preemptible())
+ return true;
+
+ /*
+ * Though during system boot before scheduling is set up, preemption is
+ * disabled and the pool can get exhausted. Before scheduling is active
+ * a task cannot be blocked on a sleeping lock, but it might hold a lock
+ * and if interrupted then hard interrupt context might run into a lock
+ * inversion. So exclude hard interrupt context from allocations before
+ * scheduling is active.
+ */
+ return system_state < SYSTEM_SCHEDULING && !in_hardirq();
+}
+
+static void debug_objects_fill_pool(void)
+{
+ if (can_fill_pool()) {
/*
* Annotate away the spinlock_t inside raw_spinlock_t warning
* by temporarily raising the wait-type to LD_WAIT_CONFIG, matching
- * the preemptible() condition above.
+ * the preemptible() condition in can_fill_pool().
*/
static DEFINE_WAIT_OVERRIDE_MAP(fill_pool_map, LD_WAIT_CONFIG);
lock_map_acquire_try(&fill_pool_map);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 027/129] ARM: group is_permission_fault() with is_translation_fault()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 026/129] debugobjects: Dont call fill_pool() in early boot hardirq context Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 028/129] ARM: allow __do_kernel_fault() to report execution of memory faults Greg Kroah-Hartman
` (108 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
Sebastian Andrzej Siewior, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
commit dea20281ac88226615761c570c8ff7adc18e6ac2 upstream.
Group is_permission_fault() with is_translation_fault(), which is
needed to use is_permission_fault() in __do_kernel_fault(). As
this is static inline, there is no need for this to be under
CONFIG_MMU.
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mm/fault.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 16a7765511f8e4..2315d40760a787 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -125,6 +125,19 @@ static inline bool is_translation_fault(unsigned int fsr)
return false;
}
+static inline bool is_permission_fault(unsigned int fsr)
+{
+ int fs = fsr_fs(fsr);
+#ifdef CONFIG_ARM_LPAE
+ if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
+ return true;
+#else
+ if (fs == FS_L1_PERM || fs == FS_L2_PERM)
+ return true;
+#endif
+ return false;
+}
+
static void die_kernel_fault(const char *msg, struct mm_struct *mm,
unsigned long addr, unsigned int fsr,
struct pt_regs *regs)
@@ -225,19 +238,6 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
#define VM_FAULT_BADMAP ((__force vm_fault_t)0x010000)
#define VM_FAULT_BADACCESS ((__force vm_fault_t)0x020000)
-static inline bool is_permission_fault(unsigned int fsr)
-{
- int fs = fsr_fs(fsr);
-#ifdef CONFIG_ARM_LPAE
- if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
- return true;
-#else
- if (fs == FS_L1_PERM || fs == FS_L2_PERM)
- return true;
-#endif
- return false;
-}
-
static int __kprobes
do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 028/129] ARM: allow __do_kernel_fault() to report execution of memory faults
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 027/129] ARM: group is_permission_fault() with is_translation_fault() Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 029/129] ARM: fix hash_name() fault Greg Kroah-Hartman
` (107 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xie Yuanbin, Russell King (Oracle),
Sebastian Andrzej Siewior, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
commit 40b466db1dffb41f0529035c59c5739636d0e5b8 upstream
Allow __do_kernel_fault() to detect the execution of memory, so we can
provide the same fault message as do_page_fault() would do. This is
required when we split the kernel address fault handling from the
main do_page_fault() code path.
Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mm/fault.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2315d40760a787..c94633eb64a1bb 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -172,6 +172,8 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
*/
if (addr < PAGE_SIZE) {
msg = "NULL pointer dereference";
+ } else if (is_permission_fault(fsr) && fsr & FSR_LNX_PF) {
+ msg = "execution of memory";
} else {
if (is_translation_fault(fsr) &&
kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 029/129] ARM: fix hash_name() fault
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 028/129] ARM: allow __do_kernel_fault() to report execution of memory faults Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 030/129] ARM: fix branch predictor hardening Greg Kroah-Hartman
` (106 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zizhi Wo, Xie Yuanbin,
Russell King (Oracle), Sebastian Andrzej Siewior, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
commit 7733bc7d299d682f2723dc38fc7f370b9bf973e9 upstream.
Zizhi Wo reports:
"During the execution of hash_name()->load_unaligned_zeropad(), a
potential memory access beyond the PAGE boundary may occur. For
example, when the filename length is near the PAGE_SIZE boundary.
This triggers a page fault, which leads to a call to
do_page_fault()->mmap_read_trylock(). If we can't acquire the lock,
we have to fall back to the mmap_read_lock() path, which calls
might_sleep(). This breaks RCU semantics because path lookup occurs
under an RCU read-side critical section."
This is seen with CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_KFENCE=y.
Kernel addresses (with the exception of the vectors/kuser helper
page) do not have VMAs associated with them. If the vectors/kuser
helper page faults, then there are two possibilities:
1. if the fault happened while in kernel mode, then we're basically
dead, because the CPU won't be able to vector through this page
to handle the fault.
2. if the fault happened while in user mode, that means the page was
protected from user access, and we want to fault anyway.
Thus, we can handle kernel addresses from any context entirely
separately without going anywhere near the mmap lock. This gives us
an entirely non-sleeping path for all kernel mode kernel address
faults.
As we handle the kernel address faults before interrupts are enabled,
this change has the side effect of improving the branch predictor
hardening, but does not completely solve the issue.
Reported-by: Zizhi Wo <wozizhi@huaweicloud.com>
Reported-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Link: https://lore.kernel.org/r/20251126090505.3057219-1-wozizhi@huaweicloud.com
Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mm/fault.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index c94633eb64a1bb..907705992ab65f 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -240,6 +240,35 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
#define VM_FAULT_BADMAP ((__force vm_fault_t)0x010000)
#define VM_FAULT_BADACCESS ((__force vm_fault_t)0x020000)
+static int __kprobes
+do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
+ unsigned int fsr, struct pt_regs *regs)
+{
+ if (user_mode(regs)) {
+ /*
+ * Fault from user mode for a kernel space address. User mode
+ * should not be faulting in kernel space, which includes the
+ * vector/khelper page. Send a SIGSEGV.
+ */
+ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
+ } else {
+ /*
+ * Fault from kernel mode. Enable interrupts if they were
+ * enabled in the parent context. Section (upper page table)
+ * translation faults are handled via do_translation_fault(),
+ * so we will only get here for a non-present kernel space
+ * PTE or PTE permission fault. This may happen in exceptional
+ * circumstances and need the fixup tables to be walked.
+ */
+ if (interrupts_enabled(regs))
+ local_irq_enable();
+
+ __do_kernel_fault(mm, addr, fsr, regs);
+ }
+
+ return 0;
+}
+
static int __kprobes
do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
{
@@ -253,6 +282,12 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
if (kprobe_page_fault(regs, fsr))
return 0;
+ /*
+ * Handle kernel addresses faults separately, which avoids touching
+ * the mmap lock from contexts that are not able to sleep.
+ */
+ if (addr >= TASK_SIZE)
+ return do_kernel_address_page_fault(mm, addr, fsr, regs);
/* Enable interrupts if they were enabled in the parent context. */
if (interrupts_enabled(regs))
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 030/129] ARM: fix branch predictor hardening
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 029/129] ARM: fix hash_name() fault Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 031/129] RDMA/bnxt_re: zero shared page before exposing to userspace Greg Kroah-Hartman
` (105 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xie Yuanbin, Russell King (Oracle),
Sebastian Andrzej Siewior, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
commit fd2dee1c6e2256f726ba33fd3083a7be0efc80d3 upstream.
__do_user_fault() may be called with indeterminent interrupt enable
state, which means we may be preemptive at this point. This causes
problems when calling harden_branch_predictor(). For example, when
called from a data abort, do_alignment_fault()->do_bad_area().
Move harden_branch_predictor() out of __do_user_fault() and into the
calling contexts.
Moving it into do_kernel_address_page_fault(), we can be sure that
interrupts will be disabled here.
Converting do_translation_fault() to use do_kernel_address_page_fault()
rather than do_bad_area() means that we keep branch predictor handling
for translation faults. Interrupts will also be disabled at this call
site.
do_sect_fault() needs special handling, so detect user mode accesses
to kernel-addresses, and add an explicit call to branch predictor
hardening.
Finally, add branch predictor hardening to do_alignment() for the
faulting case (user mode accessing kernel addresses) before interrupts
are enabled.
This should cover all cases where harden_branch_predictor() is called,
ensuring that it is always has interrupts disabled, also ensuring that
it is called early in each call path.
Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mm/alignment.c | 4 ++++
arch/arm/mm/fault.c | 39 ++++++++++++++++++++++++++-------------
2 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
index f8dd0b3cc8e040..ee264737be6d26 100644
--- a/arch/arm/mm/alignment.c
+++ b/arch/arm/mm/alignment.c
@@ -22,6 +22,7 @@
#include <asm/cp15.h>
#include <asm/system_info.h>
+#include <asm/system_misc.h>
#include <asm/unaligned.h>
#include <asm/opcodes.h>
@@ -809,6 +810,9 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
int thumb2_32b = 0;
int fault;
+ if (addr >= TASK_SIZE && user_mode(regs))
+ harden_branch_predictor();
+
if (interrupts_enabled(regs))
local_irq_enable();
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 907705992ab65f..d0681285dbda3e 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -195,9 +195,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
{
struct task_struct *tsk = current;
- if (addr > TASK_SIZE)
- harden_branch_predictor();
-
#ifdef CONFIG_DEBUG_USER
if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
@@ -248,8 +245,10 @@ do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
/*
* Fault from user mode for a kernel space address. User mode
* should not be faulting in kernel space, which includes the
- * vector/khelper page. Send a SIGSEGV.
+ * vector/khelper page. Handle the branch predictor hardening
+ * while interrupts are still disabled, then send a SIGSEGV.
*/
+ harden_branch_predictor();
__do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
} else {
/*
@@ -419,16 +418,20 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
* We enter here because the first level page table doesn't contain
* a valid entry for the address.
*
- * If the address is in kernel space (>= TASK_SIZE), then we are
- * probably faulting in the vmalloc() area.
+ * If this is a user address (addr < TASK_SIZE), we handle this as a
+ * normal page fault. This leaves the remainder of the function to handle
+ * kernel address translation faults.
*
- * If the init_task's first level page tables contains the relevant
- * entry, we copy the it to this task. If not, we send the process
- * a signal, fixup the exception, or oops the kernel.
+ * Since user mode is not permitted to access kernel addresses, pass these
+ * directly to do_kernel_address_page_fault() to handle.
*
- * NOTE! We MUST NOT take any locks for this case. We may be in an
- * interrupt or a critical region, and should only copy the information
- * from the master page table, nothing more.
+ * Otherwise, we're probably faulting in the vmalloc() area, so try to fix
+ * that up. Note that we must not take any locks or enable interrupts in
+ * this case.
+ *
+ * If vmalloc() fixup fails, that means the non-leaf page tables did not
+ * contain an entry for this address, so handle this via
+ * do_kernel_address_page_fault().
*/
#ifdef CONFIG_MMU
static int __kprobes
@@ -494,7 +497,8 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
return 0;
bad_area:
- do_bad_area(addr, fsr, regs);
+ do_kernel_address_page_fault(current->mm, addr, fsr, regs);
+
return 0;
}
#else /* CONFIG_MMU */
@@ -514,7 +518,16 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
static int
do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
{
+ /*
+ * If this is a kernel address, but from user mode, then userspace
+ * is trying bad stuff. Invoke the branch predictor handling.
+ * Interrupts are disabled here.
+ */
+ if (addr >= TASK_SIZE && user_mode(regs))
+ harden_branch_predictor();
+
do_bad_area(addr, fsr, regs);
+
return 0;
}
#endif /* CONFIG_ARM_LPAE */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 031/129] RDMA/bnxt_re: zero shared page before exposing to userspace
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 030/129] ARM: fix branch predictor hardening Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 032/129] i2c: stub: Reject I2C block transfers with invalid length Greg Kroah-Hartman
` (104 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lord Ulf Henrik Holmberg,
Leon Romanovsky
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream.
bnxt_re_alloc_ucontext() allocates uctx->shpg via
__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
without __GFP_ZERO, so the page contains stale kernel data from
whatever object most recently freed it.
The page is then mapped into userspace via vm_insert_page() under
BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
to userspace unsanitised, leaking kernel memory contents.
Any user with access to /dev/infiniband/uverbsX on a host with a
bnxt_re device (typically rdma group membership) can read this data
via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT.
Other shared pages in the same file already use get_zeroed_page()
correctly:
drivers/infiniband/hw/bnxt_re/ib_verbs.c
srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL);
cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL);
uctx->shpg is the only outlier. Bring it in line with the existing
convention by switching to get_zeroed_page().
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -3870,7 +3870,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco
uctx->rdev = rdev;
- uctx->shpg = (void *)__get_free_page(GFP_KERNEL);
+ uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL);
if (!uctx->shpg) {
rc = -ENOMEM;
goto fail;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 032/129] i2c: stub: Reject I2C block transfers with invalid length
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 031/129] RDMA/bnxt_re: zero shared page before exposing to userspace Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 033/129] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() Greg Kroah-Hartman
` (103 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Jean Delvare,
Wolfram Sang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
commit 6036b5067a8199ba7a2dc7b377d4b9dd276d5f9e upstream.
The I2C_SMBUS_I2C_BLOCK_DATA case in stub_xfer() uses data->block[0]
as the transfer length. The existing check only clamps it to avoid
overrunning the chip->words[256] register array, but does not validate
it against I2C_SMBUS_BLOCK_MAX (32), which is the limit of the union
i2c_smbus_data.block buffer (34 bytes total). The driver is a
development/test tool (CONFIG_I2C_STUB=m, not built by default)
that must be loaded with a chip_addr= parameter.
A local user with access to /dev/i2c-* can issue an I2C_SMBUS ioctl
with I2C_SMBUS_I2C_BLOCK_DATA and data->block[0] > 32, causing
stub_xfer() to read or write past the end of the union
i2c_smbus_data.block buffer:
BUG: KASAN: stack-out-of-bounds in stub_xfer (drivers/i2c/i2c-stub.c:223)
Read of size 1 at addr ffff88800abcfd92 by task exploit/81
Call Trace:
<TASK>
stub_xfer (drivers/i2c/i2c-stub.c:223)
__i2c_smbus_xfer (drivers/i2c/i2c-core-smbus.c:593)
i2c_smbus_xfer (drivers/i2c/i2c-core-smbus.c:536)
i2cdev_ioctl_smbus (drivers/i2c/i2c-dev.c:391)
i2cdev_ioctl (drivers/i2c/i2c-dev.c:478)
__x64_sys_ioctl (fs/ioctl.c:583)
do_syscall_64 (arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
The bug exists because i2c-stub implements .smbus_xfer directly,
bypassing the I2C_SMBUS_BLOCK_MAX validation in
i2c_smbus_xfer_emulated(). The I2C_SMBUS_BLOCK_DATA case in the same
function correctly validates against I2C_SMBUS_BLOCK_MAX, but the
I2C_SMBUS_I2C_BLOCK_DATA case does not.
Fix by rejecting transfers with data->block[0] == 0 or
data->block[0] > I2C_SMBUS_BLOCK_MAX with -EINVAL, consistent with
both the I2C_SMBUS_BLOCK_DATA case in the same function and the
I2C_SMBUS_I2C_BLOCK_DATA validation in i2c_smbus_xfer_emulated().
Fixes: 4710317891e4 ("i2c-stub: Implement I2C block support")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-stub.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/i2c/i2c-stub.c
+++ b/drivers/i2c/i2c-stub.c
@@ -214,6 +214,11 @@ static s32 stub_xfer(struct i2c_adapter
* We ignore banks here, because banked chips don't use I2C
* block transfers
*/
+ if (data->block[0] == 0 ||
+ data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ ret = -EINVAL;
+ break;
+ }
if (data->block[0] > 256 - command) /* Avoid overrun */
data->block[0] = 256 - command;
len = data->block[0];
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 033/129] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 032/129] i2c: stub: Reject I2C block transfers with invalid length Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 034/129] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
` (102 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
commit d00c953a8f69921f484b629801766da68f27f658 upstream.
rmnet_dellink() removes the endpoint from the hash table with
hlist_del_init_rcu() and then immediately frees it with kfree(). However,
RCU readers on the receive path (rmnet_rx_handler ->
__rmnet_map_ingress_handler) may still hold a reference to the endpoint and
dereference ep->egress_dev after the memory has been freed. The endpoint is
a kmalloc-32 object, and the stale read at offset 8 corresponds to the
egress_dev pointer.
BUG: unable to handle page fault for address: ffffffffde942eef
Oops: 0002 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 137 Comm: poc_write Not tainted 7.0.0+ #4 PREEMPTLAZY
RIP: 0010:rmnet_vnd_rx_fixup (rmnet_vnd.c:27)
Call Trace:
<TASK>
__rmnet_map_ingress_handler (rmnet_handlers.c:48 rmnet_handlers.c:101)
rmnet_rx_handler (rmnet_handlers.c:129 rmnet_handlers.c:235)
__netif_receive_skb_core.constprop.0 (net/core/dev.c:6096)
__netif_receive_skb_one_core (net/core/dev.c:6208)
netif_receive_skb (net/core/dev.c:6467)
tun_get_user (drivers/net/tun.c:1955)
tun_chr_write_iter (drivers/net/tun.c:2003)
vfs_write (fs/read_write.c:688)
ksys_write (fs/read_write.c:740)
</TASK>
Add an rcu_head field to struct rmnet_endpoint and replace kfree() with
kfree_rcu() so the endpoint memory remains valid through the RCU grace
period. Also remove the rmnet_vnd_dellink() call and inline only the
nr_rmnet_devs decrement, since rmnet_vnd_dellink() would set
ep->egress_dev to NULL during the grace period, creating a data race
with lockless readers.
Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260514122511.3083479-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 8 ++++----
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h | 1 +
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
@@ -205,8 +205,8 @@ static void rmnet_dellink(struct net_dev
ep = rmnet_get_endpoint(real_port, mux_id);
if (ep) {
hlist_del_init_rcu(&ep->hlnode);
- rmnet_vnd_dellink(mux_id, real_port, ep);
- kfree(ep);
+ real_port->nr_rmnet_devs--;
+ kfree_rcu(ep, rcu);
}
netdev_upper_dev_unlink(real_dev, dev);
@@ -230,9 +230,9 @@ static void rmnet_force_unassociate_devi
hash_for_each_safe(port->muxed_ep, bkt_ep, tmp_ep, ep, hlnode) {
unregister_netdevice_queue(ep->egress_dev, &list);
netdev_upper_dev_unlink(real_dev, ep->egress_dev);
- rmnet_vnd_dellink(ep->mux_id, port, ep);
hlist_del_init_rcu(&ep->hlnode);
- kfree(ep);
+ port->nr_rmnet_devs--;
+ kfree_rcu(ep, rcu);
}
rmnet_unregister_real_device(real_dev);
unregister_netdevice_many(&list);
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h
@@ -17,6 +17,7 @@ struct rmnet_endpoint {
u8 mux_id;
struct net_device *egress_dev;
struct hlist_node hlnode;
+ struct rcu_head rcu;
};
/* One instance of this structure is instantiated for each real_dev associated
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 034/129] agp/amd64: Fix broken error propagation in agp_amd64_probe()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 033/129] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 035/129] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
` (101 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Lukas Wunner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit b08472db93b1ccff84a7adec5779d47f0e9d3a30 upstream.
A NULL pointer dereference was observed in the AMD64 AGP driver when
running in a virtualized environment (e.g. qemu/kvm) without a physical
AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
to dereference the pointer returned by node_to_amd_nb(0).
The root cause of this crash is broken error propagation in
agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
correctly returns -ENODEV. However, the probe function erroneously
checks the return value against exactly -1, rather than < 0.
As a result, the hardware absence error is masked, allowing the driver
to improperly proceed with initialization. It eventually calls
agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
does not exist, node_to_amd_nb(0) returns NULL, leading to a General
Protection Fault (GPF) when accessing its ->misc member.
Fix the issue by correcting the error check in agp_amd64_probe() to
abort properly when cache_nbs() returns any negative error code. This
prevents the driver from erroneously proceeding without hardware, thereby
avoiding the subsequent NULL pointer dereference at its source.
Fixes: a32073bffc65 ("[PATCH] x86_64: Clean and enhance up K8 northbridge access code")
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v2.6.18+
Link: https://patch.msgid.link/20260504074823.99377-1-w15303746062@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/agp/amd64-agp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/agp/amd64-agp.c
+++ b/drivers/char/agp/amd64-agp.c
@@ -546,7 +546,7 @@ static int agp_amd64_probe(struct pci_de
/* Fill in the mode register */
pci_read_config_dword(pdev, bridge->capndx+PCI_AGP_STATUS, &bridge->mode);
- if (cache_nbs(pdev, cap_ptr) == -1) {
+ if (cache_nbs(pdev, cap_ptr) < 0) {
agp_put_bridge(bridge);
return -ENODEV;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 035/129] af_unix: Reject SIOCATMARK on non-stream sockets
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 034/129] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 036/129] ring-buffer: Remove ring_buffer_read_prepare_sync() Greg Kroah-Hartman
` (100 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Kuniyuki Iwashima, Jiexun Wang, Ren Wei,
Jakub Kicinski, Alexander Martyniuk, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream.
SIOCATMARK reports whether the receive queue is at the urgent mark for
MSG_OOB.
In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets.
SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(),
so they should not support SIOCATMARK either.
Return -EOPNOTSUPP for non-stream sockets before checking the receive
queue.
Fixes: 314001f0bf92 ("af_unix: Add OOB support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Alexander Martyniuk <alexevgmart@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index f5b215ca76d249..3e5dc698416f09 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3181,6 +3181,9 @@ static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
struct sk_buff *skb;
int answ = 0;
+ if (sk->sk_type != SOCK_STREAM)
+ return -EOPNOTSUPP;
+
skb = skb_peek(&sk->sk_receive_queue);
if (skb && skb == READ_ONCE(unix_sk(sk)->oob_skb))
answ = 1;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 036/129] ring-buffer: Remove ring_buffer_read_prepare_sync()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 035/129] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 037/129] regulator: core: fix locking in regulator_resolve_supply() error path Greg Kroah-Hartman
` (99 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, David Howells,
Masami Hiramatsu (Google), Steven Rostedt (Google), Bjoern Doebel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjoern Doebel <doebel@amazon.de>
[ Upstream commit 119a5d573622ae90ba730d18acfae9bb75d77b9a ]
When the ring buffer was first introduced, reading the non-consuming
"trace" file required disabling the writing of the ring buffer. To make
sure the writing was fully disabled before iterating the buffer with a
non-consuming read, it would set the disable flag of the buffer and then
call an RCU synchronization to make sure all the buffers were
synchronized.
The function ring_buffer_read_start() originally would initialize the
iterator and call an RCU synchronization, but this was for each individual
per CPU buffer where this would get called many times on a machine with
many CPUs before the trace file could be read. The commit 72c9ddfd4c5bf
("ring-buffer: Make non-consuming read less expensive with lots of cpus.")
separated ring_buffer_read_start into ring_buffer_read_prepare(),
ring_buffer_read_sync() and then ring_buffer_read_start() to allow each of
the per CPU buffers to be prepared, call the read_buffer_read_sync() once,
and then the ring_buffer_read_start() for each of the CPUs which made
things much faster.
The commit 1039221cc278 ("ring-buffer: Do not disable recording when there
is an iterator") removed the requirement of disabling the recording of the
ring buffer in order to iterate it, but it did not remove the
synchronization that was happening that was required to wait for all the
buffers to have no more writers. It's now OK for the buffers to have
writers and no synchronization is needed.
Remove the synchronization and put back the interface for the ring buffer
iterator back before commit 72c9ddfd4c5bf was applied.
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20250630180440.3eabb514@batman.local.home
Reported-by: David Howells <dhowells@redhat.com>
Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator")
Tested-by: David Howells <dhowells@redhat.com>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Assisted-by: Kiro:claude-opus-4.8
Signed-off-by: Bjoern Doebel <doebel@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ring_buffer.h | 4 +--
kernel/trace/ring_buffer.c | 67 ++++++-------------------------------
kernel/trace/trace.c | 14 +++-----
kernel/trace/trace_kdb.c | 8 ++---
4 files changed, 18 insertions(+), 75 deletions(-)
diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h
index 3e7bfc0f65aee2..b53335ed2d0efc 100644
--- a/include/linux/ring_buffer.h
+++ b/include/linux/ring_buffer.h
@@ -130,9 +130,7 @@ ring_buffer_consume(struct trace_buffer *buffer, int cpu, u64 *ts,
unsigned long *lost_events);
struct ring_buffer_iter *
-ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags);
-void ring_buffer_read_prepare_sync(void);
-void ring_buffer_read_start(struct ring_buffer_iter *iter);
+ring_buffer_read_start(struct trace_buffer *buffer, int cpu, gfp_t flags);
void ring_buffer_read_finish(struct ring_buffer_iter *iter);
struct ring_buffer_event *
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index d3a31ba7c71044..5edc4126d0c6ba 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5082,28 +5082,20 @@ ring_buffer_consume(struct trace_buffer *buffer, int cpu, u64 *ts,
EXPORT_SYMBOL_GPL(ring_buffer_consume);
/**
- * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer
+ * ring_buffer_read_start - start a non consuming read of the buffer
* @buffer: The ring buffer to read from
* @cpu: The cpu buffer to iterate over
* @flags: gfp flags to use for memory allocation
*
- * This performs the initial preparations necessary to iterate
- * through the buffer. Memory is allocated, buffer recording
- * is disabled, and the iterator pointer is returned to the caller.
- *
- * Disabling buffer recording prevents the reading from being
- * corrupted. This is not a consuming read, so a producer is not
- * expected.
- *
- * After a sequence of ring_buffer_read_prepare calls, the user is
- * expected to make at least one call to ring_buffer_read_prepare_sync.
- * Afterwards, ring_buffer_read_start is invoked to get things going
- * for real.
+ * This creates an iterator to allow non-consuming iteration through
+ * the buffer. If the buffer is disabled for writing, it will produce
+ * the same information each time, but if the buffer is still writing
+ * then the first hit of a write will cause the iteration to stop.
*
- * This overall must be paired with ring_buffer_read_finish.
+ * Must be paired with ring_buffer_read_finish.
*/
struct ring_buffer_iter *
-ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags)
+ring_buffer_read_start(struct trace_buffer *buffer, int cpu, gfp_t flags)
{
struct ring_buffer_per_cpu *cpu_buffer;
struct ring_buffer_iter *iter;
@@ -5128,51 +5120,12 @@ ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags)
atomic_inc(&cpu_buffer->resize_disabled);
- return iter;
-}
-EXPORT_SYMBOL_GPL(ring_buffer_read_prepare);
-
-/**
- * ring_buffer_read_prepare_sync - Synchronize a set of prepare calls
- *
- * All previously invoked ring_buffer_read_prepare calls to prepare
- * iterators will be synchronized. Afterwards, read_buffer_read_start
- * calls on those iterators are allowed.
- */
-void
-ring_buffer_read_prepare_sync(void)
-{
- synchronize_rcu();
-}
-EXPORT_SYMBOL_GPL(ring_buffer_read_prepare_sync);
-
-/**
- * ring_buffer_read_start - start a non consuming read of the buffer
- * @iter: The iterator returned by ring_buffer_read_prepare
- *
- * This finalizes the startup of an iteration through the buffer.
- * The iterator comes from a call to ring_buffer_read_prepare and
- * an intervening ring_buffer_read_prepare_sync must have been
- * performed.
- *
- * Must be paired with ring_buffer_read_finish.
- */
-void
-ring_buffer_read_start(struct ring_buffer_iter *iter)
-{
- struct ring_buffer_per_cpu *cpu_buffer;
- unsigned long flags;
-
- if (!iter)
- return;
-
- cpu_buffer = iter->cpu_buffer;
-
- raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
+ guard(raw_spinlock_irqsave)(&cpu_buffer->reader_lock);
arch_spin_lock(&cpu_buffer->lock);
rb_iter_reset(iter);
arch_spin_unlock(&cpu_buffer->lock);
- raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
+
+ return iter;
}
EXPORT_SYMBOL_GPL(ring_buffer_read_start);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 25f31d7718c64f..5ef1c79dc5c9e4 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4819,21 +4819,15 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot)
if (iter->cpu_file == RING_BUFFER_ALL_CPUS) {
for_each_tracing_cpu(cpu) {
iter->buffer_iter[cpu] =
- ring_buffer_read_prepare(iter->array_buffer->buffer,
- cpu, GFP_KERNEL);
- }
- ring_buffer_read_prepare_sync();
- for_each_tracing_cpu(cpu) {
- ring_buffer_read_start(iter->buffer_iter[cpu]);
+ ring_buffer_read_start(iter->array_buffer->buffer,
+ cpu, GFP_KERNEL);
tracing_iter_reset(iter, cpu);
}
} else {
cpu = iter->cpu_file;
iter->buffer_iter[cpu] =
- ring_buffer_read_prepare(iter->array_buffer->buffer,
- cpu, GFP_KERNEL);
- ring_buffer_read_prepare_sync();
- ring_buffer_read_start(iter->buffer_iter[cpu]);
+ ring_buffer_read_start(iter->array_buffer->buffer,
+ cpu, GFP_KERNEL);
tracing_iter_reset(iter, cpu);
}
diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c
index 59857a1ee44cdf..628c25693cef2f 100644
--- a/kernel/trace/trace_kdb.c
+++ b/kernel/trace/trace_kdb.c
@@ -43,17 +43,15 @@ static void ftrace_dump_buf(int skip_entries, long cpu_file)
if (cpu_file == RING_BUFFER_ALL_CPUS) {
for_each_tracing_cpu(cpu) {
iter.buffer_iter[cpu] =
- ring_buffer_read_prepare(iter.array_buffer->buffer,
- cpu, GFP_ATOMIC);
- ring_buffer_read_start(iter.buffer_iter[cpu]);
+ ring_buffer_read_start(iter.array_buffer->buffer,
+ cpu, GFP_ATOMIC);
tracing_iter_reset(&iter, cpu);
}
} else {
iter.cpu_file = cpu_file;
iter.buffer_iter[cpu_file] =
- ring_buffer_read_prepare(iter.array_buffer->buffer,
+ ring_buffer_read_start(iter.array_buffer->buffer,
cpu_file, GFP_ATOMIC);
- ring_buffer_read_start(iter.buffer_iter[cpu_file]);
tracing_iter_reset(&iter, cpu_file);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 037/129] regulator: core: fix locking in regulator_resolve_supply() error path
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 036/129] ring-buffer: Remove ring_buffer_read_prepare_sync() Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 038/129] dlm: prevent NPD when writing a positive value to event_done Greg Kroah-Hartman
` (98 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, André Draszik, Mark Brown,
Nazar Kalashnikov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: André Draszik <andre.draszik@linaro.org>
commit 497330b203d2c59c5ff3fa4c34d14494d7203bc3 upstream.
If late enabling of a supply regulator fails in
regulator_resolve_supply(), the code currently triggers a lockdep
warning:
WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596
...
Call trace:
_regulator_put+0x80/0xa0 (P)
regulator_resolve_supply+0x7cc/0xbe0
regulator_register_resolve_supply+0x28/0xb8
as the regulator_list_mutex must be held when calling _regulator_put().
To solve this, simply switch to using regulator_put().
While at it, we should also make sure that no concurrent access happens
to our rdev while we clear out the supply pointer. Add appropriate
locking to ensure that.
While the code in question will be removed altogether in a follow-up
commit, I believe it is still beneficial to have this corrected before
removal for future reference.
Fixes: 36a1f1b6ddc6 ("regulator: core: Fix memory leak in regulator_resolve_supply()")
Fixes: 8e5356a73604 ("regulator: core: Clear the supply pointer if enabling fails")
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://patch.msgid.link/20260109-regulators-defer-v2-2-1a25dc968e60@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -2183,8 +2183,16 @@ static int regulator_resolve_supply(stru
if (rdev->use_count) {
ret = regulator_enable(rdev->supply);
if (ret < 0) {
- _regulator_put(rdev->supply);
+ struct regulator *supply;
+
+ regulator_lock_two(rdev, rdev->supply->rdev, &ww_ctx);
+
+ supply = rdev->supply;
rdev->supply = NULL;
+
+ regulator_unlock_two(rdev, supply->rdev, &ww_ctx);
+
+ regulator_put(supply);
goto out;
}
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 038/129] dlm: prevent NPD when writing a positive value to event_done
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 037/129] regulator: core: fix locking in regulator_resolve_supply() error path Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 039/129] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
` (97 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
David Teigland, Nazar Kalashnikov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 8e2bad543eca5c25cd02cbc63d72557934d45f13 upstream.
do_uevent returns the value written to event_done. In case it is a
positive value, new_lockspace would undo all the work, and lockspace
would not be set. __dlm_new_lockspace, however, would treat that
positive value as a success due to commit 8511a2728ab8 ("dlm: fix use
count with multiple joins").
Down the line, device_create_lockspace would pass that NULL lockspace to
dlm_find_lockspace_local, leading to a NULL pointer dereference.
Treating such positive values as successes prevents the problem. Given
this has been broken for so long, this is unlikely to break userspace
expectations.
Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dlm/lockspace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/dlm/lockspace.c
+++ b/fs/dlm/lockspace.c
@@ -657,7 +657,7 @@ static int new_lockspace(const char *nam
lockspace to start running (via sysfs) in dlm_ls_start(). */
error = do_uevent(ls, 1);
- if (error)
+ if (error < 0)
goto out_recoverd;
/* wait until recovery is successful or failed */
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 039/129] netfilter: nf_tables: always walk all pending catchall elements
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 038/129] dlm: prevent NPD when writing a positive value to event_done Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 040/129] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
` (96 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Shivani Agarwal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 upstream.
During transaction processing we might have more than one catchall element:
1 live catchall element and 1 pending element that is coming as part of the
new batch.
If the map holding the catchall elements is also going away, its
required to toggle all catchall elements and not just the first viable
candidate.
Otherwise, we get:
WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
[..]
__nft_set_elem_destroy+0x106/0x380 [nf_tables]
nf_tables_abort_release+0x348/0x8d0 [nf_tables]
nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Shivani: Modified to apply on v6.6.y-v6.1.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 2 --
1 file changed, 2 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -627,7 +627,6 @@ static void nft_map_catchall_deactivate(
elem.priv = catchall->elem;
nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, &elem);
- break;
}
}
@@ -5267,7 +5266,6 @@ static void nft_map_catchall_activate(co
nft_clear(ctx->net, ext);
elem.priv = catchall->elem;
nft_setelem_data_activate(ctx->net, set, &elem);
- break;
}
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 040/129] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 039/129] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 041/129] ksmbd: reject non-VALID session in compound request branch Greg Kroah-Hartman
` (95 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yi Yang, Jiri Slaby
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yi Yang <yiyang13@huawei.com>
commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
A KASAN null-ptr-deref was observed in vcs_notifier():
BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
The issue is a race condition in vcs_write(). When the console_lock is
temporarily dropped (to copy data from userspace), the vc_data pointer
obtained from vcs_vc() may become stale. After re-acquiring the lock,
vcs_vc() is called again to re-validate the pointer. If the vc has been
deallocated in the meantime, vcs_vc() returns NULL, and the while loop
breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
is still called with the now-NULL vc pointer, leading to a null pointer
dereference in the notifier chain (vcs_notifier dereferences param->vc).
Fix this by adding a NULL check for vc before calling vcs_scr_updated().
Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
Cc: stable@vger.kernel.org
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/vc_screen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/vt/vc_screen.c
+++ b/drivers/tty/vt/vc_screen.c
@@ -699,7 +699,7 @@ vcs_write(struct file *file, const char
}
*ppos += written;
ret = written;
- if (written)
+ if (written && vc)
vcs_scr_updated(vc);
unlock_out:
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 041/129] ksmbd: reject non-VALID session in compound request branch
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 040/129] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 042/129] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
` (94 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Portnoy, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Portnoy <dddhkts1@gmail.com>
commit 609ca17d869d04ba249e32cdcbf13c0b1c66f43c upstream.
smb2_check_user_session() takes a shortcut for any operation that is not
the first in a COMPOUND request: it reuses work->sess (the session bound by
the first operation) and validates only the SessionId, then returns
"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a
SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation
value) skips even the id comparison. The standalone path
(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does
enforce the VALID state; the compound branch bypasses all of it.
A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes
a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL
(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of
a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX,
\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and
reaches ksmbd_ipc_tree_connect_request(), which dereferences
user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704)
-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd
worker for all clients.
Reject any non-first compound operation that lands on a session which is
not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path
enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session,
but it is never carried as a non-first compound operation, so multi-leg
authentication is unaffected by this check.
Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -605,6 +605,11 @@ int smb2_check_user_session(struct ksmbd
sess_id, work->sess->id);
return -EINVAL;
}
+ if (work->sess->state != SMB2_SESSION_VALID) {
+ pr_err("compound request on a non-valid session (state %d)\n",
+ work->sess->state);
+ return -EINVAL;
+ }
return 1;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 042/129] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 041/129] ksmbd: reject non-VALID session in compound request branch Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 043/129] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
` (93 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+814c351d094f4f1a1b86,
Ruslan Valiyev, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruslan Valiyev <linuxoid@gmail.com>
commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
syzbot reported a general protection fault in
vidtv_psi_ts_psi_write_into [1].
vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
not check for this before dereferencing the returned pointer to access
the continuity counter. This leads to a general protection fault when
accessing a near-NULL address.
The root cause is that vidtv_mux_pid_ctx_init() does not check the
return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
If the allocation fails, the PID context is never created, but init
returns success. The subsequent vidtv_mux_push_si() call then gets
NULL from vidtv_mux_get_pid_ctx() and crashes.
Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
all vidtv_mux_get_pid_ctx() calls.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events vidtv_mux_tick
RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
Call Trace:
<TASK>
vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct
/* add a ctx for all PMT sections */
while (p) {
pid = vidtv_psi_get_pat_program_pid(p);
- vidtv_mux_create_pid_ctx_once(m, pid);
+ if (!vidtv_mux_create_pid_ctx_once(m, pid))
+ goto free;
p = p->next;
}
@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt
nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID);
eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID);
+ if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)
+ return 0;
+
pat_args.offset = m->mux_buf_offset;
pat_args.continuity_counter = &pat_ctx->cc;
@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt
}
pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid);
+ if (!pmt_ctx)
+ continue;
pmt_args.offset = m->mux_buf_offset;
pmt_args.pmt = m->si.pmt_secs[i];
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 043/129] virtiofs: fix UAF on submount umount
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 042/129] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 044/129] perf bench: Avoid NDEBUG warning Greg Kroah-Hartman
` (92 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aurélien Bombo, Zhihao Cheng,
Greg Kurz, Miklos Szeredi
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.
iput() called from fuse_release_end() can Oops if the super block has
already been destroyed. Normally this is prevented by waiting for
num_waiting to go down to zero before commencing with super block shutdown.
This only works, however, for the last submount instance, as the wait
counter is per connection, not per superblock.
Revert to using synchronous release requests for the auto_submounts case,
which is virtiofs only at this time.
Reported-by: Aurélien Bombo <abombo@microsoft.com>
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: Greg Kurz <gkurz@redhat.com>
Closes: https://github.com/kata-containers/kata-containers/issues/12589
Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kurz <gkurz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/file.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -356,8 +356,14 @@ void fuse_file_release(struct inode *ino
* aio and closes the fd before the aio completes. Since aio takes its
* own ref to the file, the IO completion has to drop the ref, which is
* how the fuse server can end up closing its clients' files.
+ *
+ * Exception is virtio-fs, which is not affected by the above (server is
+ * on host, cannot close open files in guest). Virtio-fs needs sync
+ * release, because the num_waiting mechanism to wait for all requests
+ * before commencing with fs shutdown doesn't work if submounts are
+ * used.
*/
- fuse_file_put(ff, false);
+ fuse_file_put(ff, ff->fm->fc->auto_submounts);
}
void fuse_release_common(struct file *file, bool isdir)
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 044/129] perf bench: Avoid NDEBUG warning
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 043/129] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 045/129] perf block-range: Move debug code behind ifndef NDEBUG Greg Kroah-Hartman
` (91 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Ingo Molnar, Jiri Olsa, Mark Rutland,
Namhyung Kim, Paolo Bonzini, Peter Zijlstra, Sean Christopherson,
Arnaldo Carvalho de Melo, Simon Liebold, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit d1babea9c38282b58a6f822ab95027cba3165a42 ]
With NDEBUG set the asserts are compiled out. This yields
"unused-but-set-variable" variables. Move these variables behind
NDEBUG to avoid the warning.
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20230330183827.1412303-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Stable-dep-of: 616b14b47a86 ("perf build: Conditionally define NDEBUG")
Signed-off-by: Simon Liebold <simonlie@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/bench/find-bit-bench.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tools/perf/bench/find-bit-bench.c b/tools/perf/bench/find-bit-bench.c
index 22b5cfe9702370..80f051f9c20fd9 100644
--- a/tools/perf/bench/find-bit-bench.c
+++ b/tools/perf/bench/find-bit-bench.c
@@ -61,7 +61,6 @@ static int do_for_each_set_bit(unsigned int num_bits)
double time_average, time_stddev;
unsigned int bit, i, j;
unsigned int set_bits, skip;
- unsigned int old;
init_stats(&fb_time_stats);
init_stats(&tb_time_stats);
@@ -73,7 +72,10 @@ static int do_for_each_set_bit(unsigned int num_bits)
set_bit(i, to_test);
for (i = 0; i < outer_iterations; i++) {
- old = accumulator;
+#ifndef NDEBUG
+ unsigned int old = accumulator;
+#endif
+
gettimeofday(&start, NULL);
for (j = 0; j < inner_iterations; j++) {
for_each_set_bit(bit, to_test, num_bits)
@@ -85,7 +87,9 @@ static int do_for_each_set_bit(unsigned int num_bits)
runtime_us = diff.tv_sec * USEC_PER_SEC + diff.tv_usec;
update_stats(&fb_time_stats, runtime_us);
+#ifndef NDEBUG
old = accumulator;
+#endif
gettimeofday(&start, NULL);
for (j = 0; j < inner_iterations; j++) {
for (bit = 0; bit < num_bits; bit++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 045/129] perf block-range: Move debug code behind ifndef NDEBUG
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 044/129] perf bench: Avoid NDEBUG warning Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 046/129] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
` (90 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Ingo Molnar, Jiri Olsa, Mark Rutland,
Namhyung Kim, Paolo Bonzini, Peter Zijlstra, Sean Christopherson,
Arnaldo Carvalho de Melo, Simon Liebold, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 984a785f25e5b5db5fa673130b60dca6ca794406 ]
Make good on a comment and avoid a unused-but-set-variable warning.
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20230330183827.1412303-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Stable-dep-of: 616b14b47a86 ("perf build: Conditionally define NDEBUG")
Signed-off-by: Simon Liebold <simonlie@amazon.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/block-range.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/tools/perf/util/block-range.c b/tools/perf/util/block-range.c
index 1be43265750137..680e92774d0cde 100644
--- a/tools/perf/util/block-range.c
+++ b/tools/perf/util/block-range.c
@@ -11,11 +11,7 @@ struct {
static void block_range__debug(void)
{
- /*
- * XXX still paranoid for now; see if we can make this depend on
- * DEBUG=1 builds.
- */
-#if 1
+#ifndef NDEBUG
struct rb_node *rb;
u64 old = 0; /* NULL isn't executable */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 046/129] KVM: x86: Fix shadow paging use-after-free due to unexpected role
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 045/129] perf block-range: Move debug code behind ifndef NDEBUG Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 047/129] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
` (89 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Paolo Bonzini,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb upstream.
Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due
to unexpected GFN") fixed a shadow paging mismatch between stored and
computed GFNs; the bug could be triggered by changing a PDE mapping from
outside the guest, and then deleting a memslot. The rmap_remove()
call would miss entries created after the PDE change because the GFN
of the leaf SPTE does not match the GFN of the struct kvm_mmu_page.
A similar hole however remains if the modified PDE points to a non-leaf
page. In this case the gfn can be made to match, but the role does not
match: the original large 2MB page creates a kvm_mmu_page with direct=1,
while the new 4KB needs a kvm_mmu_page with direct=0. However,
kvm_mmu_get_child_sp() does not compare the role, and therefore reuses
the page.
The next step is installing a leaf (4KB) SPTE on the new path which
records an rmap entry under the gfn resolved by the walk. But when
that child is zapped its parent kvm_mmu_page has direct=1 and
kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as
sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[]
in older kernels). It therefore fails to remove the recorded entry.
When the memslot is dropped the shadow page is freed but the rmap
entry survives, as in the scenario that was already fixed. Code that
later walks that gfn (dirty logging, MMU notifier invalidation, and
so on) dereferences an sptep that lies in the freed page, causing the
use-after-free.
Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/mmu/mmu.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 58d67e5ab2c583..9edfc812423766 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -2239,13 +2239,15 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
u64 *sptep, gfn_t gfn,
bool direct, unsigned int access)
{
- union kvm_mmu_page_role role;
+ union kvm_mmu_page_role role = kvm_mmu_child_role(sptep, direct, access);
- if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep) &&
- spte_to_child_sp(*sptep) && spte_to_child_sp(*sptep)->gfn == gfn)
+ if (is_shadow_present_pte(*sptep) &&
+ !is_large_pte(*sptep) &&
+ spte_to_child_sp(*sptep) &&
+ spte_to_child_sp(*sptep)->gfn == gfn &&
+ spte_to_child_sp(*sptep)->role.word == role.word)
return ERR_PTR(-EEXIST);
- role = kvm_mmu_child_role(sptep, direct, access);
return kvm_mmu_get_shadow_page(vcpu, gfn, role);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 047/129] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 046/129] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 048/129] Revert "ptp: add testptp mask test" Greg Kroah-Hartman
` (88 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Matlack, James Houghton,
Alexander Bulekov, Fred Griffoul, Alexander Graf, David Woodhouse,
Filippo Sironi, Ivan Orlov, Sean Christopherson, Paolo Bonzini,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit ef057cbf825e03b63f6edf5980f96abf3c53089d upstream.
When recovering hugepages in the shadow MMU, verify that the base gfn of
the shadow page is actually contained within the target memslot, *before*
querying the max mapping level given the shadow page's gfn. Failure to
pre-check the validity of the gfn can lead to an out-of-bounds access to
the slot's lpage_info (which typically manifests as a host #PF because the
lpage_info is vmalloc'd) if the guest creates a hugepage mapping (in its
PTEs) that extends "below" the bounds of a memslot.
When faulting in memory for a guest, and the size of the guest mapping is
greater than KVM's (current) max mapping, then KVM will create a "direct"
shadow page (direct in that there are no gPTEs to shadow, and so the target
gfn is a direct calculation given the base gfn of the shadow page). The
hugepage recovery flow looks for such direct shadow pages, as forcing 4KiB
mappings when dirty logging generates the guest > host mapping size case.
When the 4KiB restriction is lifted, then KVM can replace the shadow page
with a hugepage.
But if KVM originally used a smaller mapping than the guest because the
range of memory covered by the guest hugepage exceeds the bounds of a
memslot, then KVM will link a direct shadow page with a gfn that is outside
the bounds of the memslot being used to fault in memory. The rmap entry
added for the leaf mapping is correct and within bounds, but the gfn of the
leaf SPTE's parent shadow page will be out of bounds.
BUG: unable to handle page fault for address: ffffc90000806ffc
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 1002a7067 PMD 10612f067 PTE 0
Oops: Oops: 0000 [#1] SMP
CPU: 13 UID: 1000 PID: 757 Comm: mmu_stress_test Not tainted 7.1.0-rc1-48ce1e26eace-x86_pir_to_irr_comments-vm #341 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:kvm_mmu_max_mapping_level+0x79/0x2b0 [kvm]
Call Trace:
<TASK>
kvm_mmu_recover_huge_pages+0x21b/0x320 [kvm]
kvm_set_memslot+0x1ee/0x590 [kvm]
kvm_set_memory_region.part.0+0x3a1/0x4d0 [kvm]
kvm_vm_ioctl+0x9bf/0x15d0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb7/0xbb0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f21c0f1a9bf
</TASK>
Don't bother pre-checking the bounds of the potential hugepage, i.e. don't
check that e.g. sp->gfn + KVM_PAGES_PER_HPAGE(sp->role.level + 1) is also
within the memslot, as the checks performed by kvm_mmu_max_mapping_level()
are a superset of the basic bounds checks. I.e. pre-checking the full
range would be a dubious micro-optimization.
Fixes: 9eba50f8d7fc ("KVM: x86/mmu: Consult max mapping level when zapping collapsible SPTEs")
Cc: stable@vger.kernel.org
Cc: David Matlack <dmatlack@google.com>
Cc: James Houghton <jthoughton@google.com>
Cc: Alexander Bulekov <bkov@amazon.com>
Cc: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: Alexander Graf <graf@amazon.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Filippo Sironi <sironi@amazon.de>
Cc: Ivan Orlov <iorlov@amazon.co.uk>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/mmu/mmu.c | 18 ++++++++++++------
include/linux/kvm_host.h | 7 ++++++-
2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 9edfc812423766..7785da8f0ad339 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -6417,13 +6417,19 @@ static bool kvm_mmu_zap_collapsible_spte(struct kvm *kvm,
sp = sptep_to_sp(sptep);
/*
- * We cannot do huge page mapping for indirect shadow pages,
- * which are found on the last rmap (level = 1) when not using
- * tdp; such shadow pages are synced with the page table in
- * the guest, and the guest page table is using 4K page size
- * mapping if the indirect sp has level = 1.
+ * Direct shadow page can be replaced by a hugepage if the host
+ * mapping level allows it and the memslot maps all of the host
+ * hugepage. Note! If the memslot maps only part of the
+ * hugepage, sp->gfn may be below slot->base_gfn, and querying
+ * the max mapping level would cause an out-of-bounds lpage_info
+ * access. So the gfn bounds check *must* be done first.
+ *
+ * Indirect shadow pages are created when the guest page tables
+ * are using 4K pages. Since the host mapping is always
+ * constrained by the page size in the guest, indirect shadow
+ * pages are never collapsible.
*/
- if (sp->role.direct &&
+ if (sp->role.direct && is_gfn_in_memslot(slot, sp->gfn) &&
sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn,
PG_LEVEL_NUM)) {
kvm_zap_one_rmap_spte(kvm, rmap_head, sptep);
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 04fac4cdcfbcef..624380c4fef809 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1621,6 +1621,11 @@ int kvm_request_irq_source_id(struct kvm *kvm);
void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id);
bool kvm_arch_irqfd_allowed(struct kvm *kvm, struct kvm_irqfd *args);
+static inline bool is_gfn_in_memslot(const struct kvm_memory_slot *slot, gfn_t gfn)
+{
+ return gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages;
+}
+
/*
* Returns a pointer to the memslot if it contains gfn.
* Otherwise returns NULL.
@@ -1631,7 +1636,7 @@ try_get_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
if (!slot)
return NULL;
- if (gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages)
+ if (is_gfn_in_memslot(slot, gfn))
return slot;
else
return NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 048/129] Revert "ptp: add testptp mask test"
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 047/129] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 049/129] mm/mglru: skip special VMAs in lru_gen_look_around() Greg Kroah-Hartman
` (87 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yong Wang, Petr Machata, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@nvidia.com>
This reverts commit c1c50689799d0343598ab6ccb7209819bcef248d, which is
commit 26285e689c6cd2cf3849568c83b2ebe53f467143 upstream.
The reverted commit extends the selftest to test timestamp event queue mask
manipulation in testptp. It exercises masks PTP_MASK_CLEAR_ALL and
PTP_MASK_EN_SINGLE, introduced in commit c5a445b1e934 ("ptp: support event
queue reader channel masks"), which is not on this stable branch. The test
case thus cannot be built against this tree's own UAPI headers.
The reverted commit was introduced to resolve a missing dependency of
commit c6dc458227a3 ("testptp: Add option to open PHC in readonly mode"),
which is 76868642e427 upstream. The only conflict between the two is the
getopt string, and there is otherwise no direct dependency between the two.
This patch therefore reverts the cited commit, with hand-resolving the
getopt string to include 'r' (as introduced by c6dc458227a3), but not
'F' (introduced by c1c50689799d).
Reported-by: Yong Wang <yongwang@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/ptp/testptp.c | 19 +------------------
1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/tools/testing/selftests/ptp/testptp.c b/tools/testing/selftests/ptp/testptp.c
index 7030bae8e5e07e..14b975594c88e7 100644
--- a/tools/testing/selftests/ptp/testptp.c
+++ b/tools/testing/selftests/ptp/testptp.c
@@ -121,7 +121,6 @@ static void usage(char *progname)
" -d name device to open\n"
" -e val read 'val' external time stamp events\n"
" -f val adjust the ptp clock frequency by 'val' ppb\n"
- " -F chan Enable single channel mask and keep device open for debugfs verification.\n"
" -g get the ptp clock time\n"
" -h prints this message\n"
" -i val index for event/trigger\n"
@@ -190,7 +189,6 @@ int main(int argc, char *argv[])
int seconds = 0;
int readonly = 0;
int settime = 0;
- int channel = -1;
int64_t t1, t2, tp;
int64_t interval, offset;
@@ -200,7 +198,7 @@ int main(int argc, char *argv[])
progname = strrchr(argv[0], '/');
progname = progname ? 1+progname : argv[0];
- while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:rsSt:T:w:x:Xz"))) {
+ while (EOF != (c = getopt(argc, argv, "cd:e:f:ghH:i:k:lL:n:o:p:P:rsSt:T:w:x:Xz"))) {
switch (c) {
case 'c':
capabilities = 1;
@@ -214,9 +212,6 @@ int main(int argc, char *argv[])
case 'f':
adjfreq = atoi(optarg);
break;
- case 'F':
- channel = atoi(optarg);
- break;
case 'g':
gettime = 1;
break;
@@ -616,18 +611,6 @@ int main(int argc, char *argv[])
free(xts);
}
- if (channel >= 0) {
- if (ioctl(fd, PTP_MASK_CLEAR_ALL)) {
- perror("PTP_MASK_CLEAR_ALL");
- } else if (ioctl(fd, PTP_MASK_EN_SINGLE, (unsigned int *)&channel)) {
- perror("PTP_MASK_EN_SINGLE");
- } else {
- printf("Channel %d exclusively enabled. Check on debugfs.\n", channel);
- printf("Press any key to continue\n.");
- getchar();
- }
- }
-
close(fd);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 049/129] mm/mglru: skip special VMAs in lru_gen_look_around()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 048/129] Revert "ptp: add testptp mask test" Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 050/129] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
` (86 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Zhao, syzbot+03fd9b3f71641f0ebf2d,
Andrew Morton, Jakov Novak, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Zhao <yuzhao@google.com>
[ Upstream commit c28ac3c7eb945fee6e20f47d576af68fdff1392a ]
Special VMAs like VM_PFNMAP can contain anon pages from COW. There isn't
much profit in doing lookaround on them. Besides, they can trigger the
pte_special() warning in get_pte_pfn().
Skip them in lru_gen_look_around().
Link: https://lkml.kernel.org/r/20231223045647.1566043-1-yuzhao@google.com
Fixes: 018ee47f1489 ("mm: multi-gen LRU: exploit locality in rmap")
Signed-off-by: Yu Zhao <yuzhao@google.com>
Reported-by: syzbot+03fd9b3f71641f0ebf2d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/000000000000f9ff00060d14c256@google.com/
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[fix conflicts with variable declarations and vma pointer usage]
Signed-off-by: Jakov Novak <jakovnovak30@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/vmscan.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/mm/vmscan.c b/mm/vmscan.c
index 1f7a90ecc7007d..f6f8c18dc45f57 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -4622,6 +4622,7 @@ void lru_gen_look_around(struct page_vma_mapped_walk *pvmw)
struct lru_gen_mm_walk *walk;
int young = 0;
unsigned long bitmap[BITS_TO_LONGS(MIN_LRU_BATCH)] = {};
+ struct vm_area_struct *vma = pvmw->vma;
struct folio *folio = pfn_folio(pvmw->pfn);
struct mem_cgroup *memcg = folio_memcg(folio);
struct pglist_data *pgdat = folio_pgdat(folio);
@@ -4635,11 +4636,15 @@ void lru_gen_look_around(struct page_vma_mapped_walk *pvmw)
if (spin_is_contended(pvmw->ptl))
return;
+ /* exclude special VMAs containing anon pages from COW */
+ if (vma->vm_flags & VM_SPECIAL)
+ return;
+
/* avoid taking the LRU lock under the PTL when possible */
walk = current->reclaim_state ? current->reclaim_state->mm_walk : NULL;
- start = max(pvmw->address & PMD_MASK, pvmw->vma->vm_start);
- end = min(pvmw->address | ~PMD_MASK, pvmw->vma->vm_end - 1) + 1;
+ start = max(pvmw->address & PMD_MASK, vma->vm_start);
+ end = min(pvmw->address | ~PMD_MASK, vma->vm_end - 1) + 1;
if (end - start > MIN_LRU_BATCH * PAGE_SIZE) {
if (pvmw->address - start < MIN_LRU_BATCH * PAGE_SIZE / 2)
@@ -4660,7 +4665,7 @@ void lru_gen_look_around(struct page_vma_mapped_walk *pvmw)
for (i = 0, addr = start; addr != end; i++, addr += PAGE_SIZE) {
unsigned long pfn;
- pfn = get_pte_pfn(pte[i], pvmw->vma, addr);
+ pfn = get_pte_pfn(pte[i], vma, addr);
if (pfn == -1)
continue;
@@ -4671,7 +4676,7 @@ void lru_gen_look_around(struct page_vma_mapped_walk *pvmw)
if (!folio)
continue;
- if (!ptep_test_and_clear_young(pvmw->vma, addr, pte + i))
+ if (!ptep_test_and_clear_young(vma, addr, pte + i))
VM_WARN_ON_ONCE(true);
young++;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 050/129] batman-adv: tp_meter: keep unacked list in ascending ordered
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 049/129] mm/mglru: skip special VMAs in lru_gen_look_around() Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 051/129] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
` (85 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 5aa8651527ea0b610e7a09fb3b8204c1398b9525 upstream.
When batadv_tp_handle_out_of_order inserts a new entry in the list of
unacked (out of order) packets, it searches from the entry with the newest
sequence number towards oldest sequence number. If an entry is found which
is older than the newly entry, the new entry has to be added after the
found one to keep the ascending order.
But for this operation list_add_tail() was used. But this function adds an
entry _before_ another one. As result, the list would contain a lot of
swapped sequence numbers. The consumer of this list
(batadv_tp_ack_unordered()) would then fail to correctly ack packets.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index dfc3374549921f..f350a60e6c76b9 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1325,7 +1325,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
* one is attached _after_ it. In this way the list is kept in
* ascending order
*/
- list_add_tail(&new->list, &un->list);
+ list_add(&new->list, &un->list);
added = true;
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 051/129] batman-adv: tp_meter: initialize dup_acks explicitly
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 050/129] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 052/129] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
` (84 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit b2b68b32a715e0328662801576974aa37b942b00 upstream.
When an ack with a sequence number equal to the last_acked is received, the
dup_acks counter is increased to decide whether fast retransmit should be
performed. Only when the sequence numbers are not equal, the dup_acks is
set to the initial value (0).
But if the initial packet would have the sequence number
BATADV_TP_FIRST_SEQ, dup_acks would not be initialized and atomic_inc would
operate on an undefined starting value. It is therefore required to have it
explicitly initialized during the start of the sender session.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index f350a60e6c76b9..750e5e9d3dc9d6 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1045,6 +1045,7 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
tp_vars->icmp_uid = icmp_uid;
tp_vars->last_sent = BATADV_TP_FIRST_SEQ;
+ atomic_set(&tp_vars->dup_acks, 0);
atomic_set(&tp_vars->last_acked, BATADV_TP_FIRST_SEQ);
tp_vars->fast_recovery = false;
tp_vars->recover = BATADV_TP_FIRST_SEQ;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 052/129] batman-adv: tp_meter: initialize dec_cwnd explicitly
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 051/129] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 053/129] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
` (83 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit febfb1b86224489535312296ecfa3d4bf467f339 upstream.
When batadv_tp_update_cwnd() is called, dec_cwnd is increased. But dec_cwnd
is only initialixed (to 0) when a duplicate Ack was received or when cwnd
is below the ss_threshold.
Just initialize the cwnd during the initialization to avoid any potential
access of uninitialized data.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 750e5e9d3dc9d6..f6ccb639744a2a 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1055,6 +1055,8 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
* soft_interface, hence its MTU
*/
tp_vars->cwnd = BATADV_TP_PLEN * 3;
+ tp_vars->dec_cwnd = 0;
+
/* at the beginning initialise the SS threshold to the biggest possible
* window size, hence the AWND size
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 053/129] batman-adv: tp_meter: avoid window underflow
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 052/129] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 054/129] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
` (82 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 765947b81fb54b6ebb0bc1cfe55c0fa399e002b8 upstream.
In batadv_tp_avail(), win_left is calculated with 32-bit unsigned
arithmetic: win_left = win_limit - tp_vars->last_sent;
During Fast Recovery, cwnd is inflated and last_sent advances rapidly. When
Fast Recovery ends, cwnd drops abruptly back to ss_threshold. If the newly
shrunk win_limit is less than last_sent, the unsigned subtraction will
underflow, wrapping to a massive positive value. Instead of returning that
the window is full (unavailable), it returns that the sender can continue
sending.
To handle this situation, it must be checked whether the windows end
sequence number (win_limit) has to be compared with the last sent sequence
number. If it would be before the last sent sequence number, then more acks
are needed before the transmission can be started again.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index f6ccb639744a2a..0fdcafca3aa02b 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -817,10 +817,15 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
static bool batadv_tp_avail(struct batadv_tp_vars *tp_vars,
size_t payload_len)
{
+ u32 last_sent = READ_ONCE(tp_vars->last_sent);
u32 win_left, win_limit;
win_limit = atomic_read(&tp_vars->last_acked) + tp_vars->cwnd;
- win_left = win_limit - tp_vars->last_sent;
+
+ if (batadv_seq_before(last_sent, win_limit))
+ win_left = win_limit - last_sent;
+ else
+ win_left = 0;
return win_left >= payload_len;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 054/129] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 053/129] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 055/129] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
` (81 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 33ccd52f3cc9ed46ce395199f89aa3234dc83314 upstream.
The cwnd is always MSS <= cwnd <= 0x20000000. But the calculation in
batadv_tp_update_cwnd() assumes unsigned 32 bit arithmetics.
((mss * 8) ** 2) / (cwnd * 8)
In case cwnd is actually 0x20000000, it will be shifted by 3 bit to the
left end up at 0x100000000 or U32_MAX + 1. It will therefore wrap around
and be 0 - resulting in:
((mss * 8) ** 2) / 0
This is of course invalid and cannot be calculated. The calculation should
must be simplified to avoid this overflow:
(mss ** 2) * 8 / cwnd
It will keep the precision enhancement from the scaling (by 8) but avoid
the overflow in the divisor.
In theory, there could still be an overflow in the dividend. It is at the
moment fixed to BATADV_TP_PLEN in batadv_tp_recv_ack() - so it is not an
imminent problem. But allowing it to use the whole u32 bit range, would
mean that it can still use up to 67 bits. To keep this calculation safe for
32 bit arithmetic, mss must never use more than floor((32 - 3) / 2) bits -
or in other words: must never be larger than 16383.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 0fdcafca3aa02b..4ff80e4214ff0a 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -154,9 +154,12 @@ static void batadv_tp_update_cwnd(struct batadv_tp_vars *tp_vars, u32 mss)
return;
}
+ /* prevent overflow in (mss * mss) << 3 */
+ mss = min_t(u32, mss, (1U << 14) - 1);
+
/* increment CWND at least of 1 (section 3.1 of RFC5681) */
tp_vars->dec_cwnd += max_t(u32, 1U << 3,
- ((mss * mss) << 6) / (tp_vars->cwnd << 3));
+ ((mss * mss) << 3) / tp_vars->cwnd);
if (tp_vars->dec_cwnd < (mss << 3)) {
spin_unlock_bh(&tp_vars->cwnd_lock);
return;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 055/129] batman-adv: tp_meter: fix fast recovery precondition
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 054/129] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 056/129] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
` (80 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 2b0d08f08ed3b2174f05c43089ec65f3543a025b upstream.
The fast recovery precondition checks if the recover (initialized to
BATADV_TP_FIRST_SEQ) is bigger than the received ack. But since recover is
only updated when this check is successful, it will never enter the fast
recovery mode.
According to RFC6582 Section 3.2 step 2, the check should actually be
different:
> When the third duplicate ACK is received, the TCP sender first
> checks the value of recover to see if the Cumulative
> Acknowledgment field covers more than recover
The precondition must therefore check if recover is smaller than the
received ack - basically swapping the operands of the current check.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 4ff80e4214ff0a..c79352cfddc4ae 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -733,7 +733,7 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
if (atomic_read(&tp_vars->dup_acks) != 3)
goto out;
- if (recv_ack >= tp_vars->recover)
+ if (tp_vars->recover >= recv_ack)
goto out;
/* if this is the third duplicate ACK do Fast Retransmit */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 056/129] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 055/129] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 057/129] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
` (79 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f54c85ed42a1b27a516cf2a4728f5a612b799e07 upstream.
The recover variable and the last_sent sequence number are initialized on
purpose as a really high value which will wrap-around after the first 2000
bytes. The fast recovery precondition must therefore not use simple integer
comparisons but use helpers which are aware of the sequence number
wrap-arounds.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index c79352cfddc4ae..089ac7cc9fbebc 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -733,7 +733,7 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
if (atomic_read(&tp_vars->dup_acks) != 3)
goto out;
- if (tp_vars->recover >= recv_ack)
+ if (!batadv_seq_before(tp_vars->recover, recv_ack))
goto out;
/* if this is the third duplicate ACK do Fast Retransmit */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 057/129] batman-adv: tp_meter: add only finished tp_vars to lists
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 056/129] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 058/129] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
` (78 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 15ccbf685222274f5add1387af58c2a41a95f81e upstream.
When the receiver variables (aka "session") are initialized, then they are
added to the list of sessions before the timer is set up. A RCU protected
reader could therefore find the entry and run mod_setup before
batadv_tp_init_recv() finished the timer initialization.
The same is true for batadv_tp_start(), which must first initialize the
finish_work and the test_length to avoid a similar problem.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 089ac7cc9fbebc..2bba53fc6da5c0 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1096,21 +1096,21 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
tp_vars->prerandom_offset = 0;
spin_lock_init(&tp_vars->prerandom_lock);
- kref_get(&tp_vars->refcount);
- hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
- spin_unlock_bh(&bat_priv->tp_list_lock);
-
tp_vars->test_length = test_length;
if (!tp_vars->test_length)
tp_vars->test_length = BATADV_TP_DEF_TEST_LENGTH;
+ /* init work item for finished tp tests */
+ INIT_DELAYED_WORK(&tp_vars->finish_work, batadv_tp_sender_finish);
+
+ kref_get(&tp_vars->refcount);
+ hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Meter: starting throughput meter towards %pM (length=%ums)\n",
dst, test_length);
- /* init work item for finished tp tests */
- INIT_DELAYED_WORK(&tp_vars->finish_work, batadv_tp_sender_finish);
-
/* start tp kthread. This way the write() call issued from userspace can
* happily return and avoid to block
*/
@@ -1430,10 +1430,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
INIT_LIST_HEAD(&tp_vars->unacked_list);
kref_get(&tp_vars->refcount);
- hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
+ timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
kref_get(&tp_vars->refcount);
- timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
+ hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
batadv_tp_reset_receiver_timer(tp_vars);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 058/129] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 057/129] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 059/129] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
` (77 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 98b0fb191c878a64cbaebfe231d96d57576acf8c upstream.
The lasttime field for claim, backbone_gw, and loopdetect tracks the
jiffies value of the most recent activity and is used to detect timeouts.
These accesses are not consistently protected by a lock, so
READ_ONCE/WRITE_ONCE must be used to prevent data races caused by compiler
optimizations.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 28 +++++++++++++-------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index cfb1eb25c6ac4d..ac12c06f11b89e 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -512,7 +512,7 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, const u8 *orig,
return NULL;
entry->vid = vid;
- entry->lasttime = jiffies;
+ WRITE_ONCE(entry->lasttime, jiffies);
entry->crc = BATADV_BLA_CRC_INIT;
entry->bat_priv = bat_priv;
spin_lock_init(&entry->crc_lock);
@@ -580,7 +580,7 @@ batadv_bla_update_own_backbone_gw(struct batadv_priv *bat_priv,
if (unlikely(!backbone_gw))
return;
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
batadv_backbone_gw_put(backbone_gw);
}
@@ -714,7 +714,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
ether_addr_copy(claim->addr, mac);
spin_lock_init(&claim->backbone_lock);
claim->vid = vid;
- claim->lasttime = jiffies;
+ WRITE_ONCE(claim->lasttime, jiffies);
kref_get(&backbone_gw->refcount);
claim->backbone_gw = backbone_gw;
kref_init(&claim->refcount);
@@ -736,7 +736,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
return;
}
} else {
- claim->lasttime = jiffies;
+ WRITE_ONCE(claim->lasttime, jiffies);
if (claim->backbone_gw == backbone_gw)
/* no need to register a new backbone */
goto claim_free_ref;
@@ -769,7 +769,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
spin_lock_bh(&backbone_gw->crc_lock);
backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
spin_unlock_bh(&backbone_gw->crc_lock);
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
claim_free_ref:
batadv_claim_put(claim);
@@ -858,7 +858,7 @@ static bool batadv_handle_announce(struct batadv_priv *bat_priv, u8 *an_addr,
return true;
/* handle as ANNOUNCE frame */
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
crc = ntohs(*((__force __be16 *)(&an_addr[4])));
batadv_dbg(BATADV_DBG_BLA, bat_priv,
@@ -1253,7 +1253,7 @@ static void batadv_bla_purge_backbone_gw(struct batadv_priv *bat_priv, int now)
head, hash_entry) {
if (now)
goto purge_now;
- if (!batadv_has_timed_out(backbone_gw->lasttime,
+ if (!batadv_has_timed_out(READ_ONCE(backbone_gw->lasttime),
BATADV_BLA_BACKBONE_TIMEOUT))
continue;
@@ -1334,7 +1334,7 @@ static void batadv_bla_purge_claims(struct batadv_priv *bat_priv,
primary_if->net_dev->dev_addr))
goto skip;
- if (!batadv_has_timed_out(claim->lasttime,
+ if (!batadv_has_timed_out(READ_ONCE(claim->lasttime),
BATADV_BLA_CLAIM_TIMEOUT))
goto skip;
@@ -1494,7 +1494,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
eth_random_addr(bat_priv->bla.loopdetect_addr);
bat_priv->bla.loopdetect_addr[0] = 0xba;
bat_priv->bla.loopdetect_addr[1] = 0xbe;
- bat_priv->bla.loopdetect_lasttime = jiffies;
+ WRITE_ONCE(bat_priv->bla.loopdetect_lasttime, jiffies);
atomic_set(&bat_priv->bla.loopdetect_next,
BATADV_BLA_LOOPDETECT_PERIODS);
@@ -1515,7 +1515,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
primary_if->net_dev->dev_addr))
continue;
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
batadv_bla_send_announce(bat_priv, backbone_gw);
if (send_loopdetect)
@@ -1900,7 +1900,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
/* If the packet came too late, don't forward it on the mesh
* but don't consider that as loop. It might be a coincidence.
*/
- if (batadv_has_timed_out(bat_priv->bla.loopdetect_lasttime,
+ if (batadv_has_timed_out(READ_ONCE(bat_priv->bla.loopdetect_lasttime),
BATADV_BLA_LOOPDETECT_TIMEOUT))
return true;
@@ -2016,7 +2016,7 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
if (own_claim) {
/* ... allow it in any case */
- claim->lasttime = jiffies;
+ WRITE_ONCE(claim->lasttime, jiffies);
goto allow;
}
@@ -2118,7 +2118,7 @@ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
/* if yes, the client has roamed and we have
* to unclaim it.
*/
- if (batadv_has_timed_out(claim->lasttime, 100)) {
+ if (batadv_has_timed_out(READ_ONCE(claim->lasttime), 100)) {
/* only unclaim if the last claim entry is
* older than 100 ms to make sure we really
* have a roaming client here.
@@ -2372,7 +2372,7 @@ batadv_bla_backbone_dump_entry(struct sk_buff *msg, u32 portid,
backbone_crc = backbone_gw->crc;
spin_unlock_bh(&backbone_gw->crc_lock);
- msecs = jiffies_to_msecs(jiffies - backbone_gw->lasttime);
+ msecs = jiffies_to_msecs(jiffies - READ_ONCE(backbone_gw->lasttime));
if (is_own)
if (nla_put_flag(msg, BATADV_ATTR_BLA_OWN)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 059/129] batman-adv: prevent ELP transmission interval underflow
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 058/129] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 060/129] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
` (76 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 5e50d4b8ae3ea622122d3c6a38d7f6fe68dfddca upstream.
batadv_v_elp_start_timer() enqeues a delayed work. The time when it starts
is randomly chosen between (elp_interval - BATADV_JITTER) and
(elp_interval + BATADV_JITTER). The configured elp_interval must therefore
be larger or equal to BATADV_JITTER to avoid that it causes an underflow of
the unsigned integer. If this would happen, then a "fast" ELP interval
would turn into a "day long" delay.
At the same time, it must not be larger than the maximum value the variable
can store.
Cc: stable@kernel.org
Fixes: a10800829040 ("batman-adv: Add elp_interval hardif genl configuration")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/netlink.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
index 86e0664e0511bb..7ff48c968a13fe 100644
--- a/net/batman-adv/netlink.c
+++ b/net/batman-adv/netlink.c
@@ -941,9 +941,15 @@ static int batadv_netlink_set_hardif(struct sk_buff *skb,
#ifdef CONFIG_BATMAN_ADV_BATMAN_V
if (info->attrs[BATADV_ATTR_ELP_INTERVAL]) {
+ u32 elp_interval;
+
attr = info->attrs[BATADV_ATTR_ELP_INTERVAL];
+ elp_interval = nla_get_u32(attr);
+
+ elp_interval = min_t(u32, elp_interval, INT_MAX);
+ elp_interval = max_t(u32, elp_interval, BATADV_JITTER);
- atomic_set(&hard_iface->bat_v.elp_interval, nla_get_u32(attr));
+ atomic_set(&hard_iface->bat_v.elp_interval, elp_interval);
}
if (info->attrs[BATADV_ATTR_THROUGHPUT_OVERRIDE]) {
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 060/129] batman-adv: tp_meter: initialize last_recv_time during init
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 059/129] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 061/129] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
` (75 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 811cb00fa8cdc3f0a7f6eefc000a6888367c8c8f upstream.
The last_recv_time is the most important indicator for a receiver session
to figure out whether a session timed out or not. But this information was
only initialized after the session was added to the tp_receiver_list and
after the timer was started.
In the worst case, the timer (function) could have tried to access this
information before the actual initialization was reached. Like rest of the
variables of the tp_meter receiver session, this field has to be filled out
before any other (parallel running) context has the chance to access it.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 2bba53fc6da5c0..133eed2fa9507f 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1403,8 +1403,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
icmp->session, BATADV_TP_RECEIVER);
- if (tp_vars)
+ if (tp_vars) {
+ tp_vars->last_recv_time = jiffies;
goto out_unlock;
+ }
if (!atomic_add_unless(&bat_priv->tp_num, 1, BATADV_TP_MAX_NUM)) {
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
@@ -1432,6 +1434,8 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
+ tp_vars->last_recv_time = jiffies;
+
kref_get(&tp_vars->refcount);
hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
@@ -1480,9 +1484,9 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
icmp->orig);
goto out;
}
- }
- tp_vars->last_recv_time = jiffies;
+ tp_vars->last_recv_time = jiffies;
+ }
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 061/129] batman-adv: ensure bcast is writable before modifying TTL
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 060/129] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 062/129] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
` (74 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 4cd6d3a4b96a8576f1fed8f9f9f17c2dc2978e0c upstream.
Before batman-adv is allowed to write to an skb, it either has to have its
own copy of the skb or used skb_cow() to ensure that the data part is not
shared.
The old implementation used a shared queue and created copies before
attempting to write to it. But with the new implementation, the broadcast
packet is already modified when it gets received. Potentially writing to
shared buffers in this process.
Adding a skb_cow() right before this operation avoids this and can at the
same time prepare it for the modifications required to rebroadcast the
packet.
Cc: stable@kernel.org
Fixes: 3f69339068f9 ("batman-adv: bcast: queue per interface, if needed")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/routing.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 83f31494ea4d92..0709f42c54b496 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1199,6 +1199,12 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
if (batadv_is_my_mac(bat_priv, bcast_packet->orig))
goto free_skb;
+ /* create a copy of the skb, if needed, to modify it. */
+ if (skb_cow(skb, ETH_HLEN) < 0)
+ goto free_skb;
+
+ bcast_packet = (struct batadv_bcast_packet *)skb->data;
+
if (bcast_packet->ttl-- < 2)
goto free_skb;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 062/129] batman-adv: fix (m|b)cast csum after decrementing TTL
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 061/129] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 063/129] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
` (73 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit e728bbdf32660c8f32b8f5e8d09427a2c131ad60 upstream.
The broadcast and multicast packets can be received at the same time by the
local system and forwarded to other nodes. Both are simply decrementing the
TTL at the beginning of the receive path - independent of chosen paths
(receive/forward). But such a modification of the data conflicts with the
hw csum. This is not a problem when the packet is directly forwarded but
can cause errors in the local receive path.
Such a problem can then trigger a "hw csum failure". The receiver path must
therefore ensure that the csum is fixed for each modification of the
payload before batadv_interface_rx() is reached.
Since all batman-adv packet types with a ttl have it as u8 at offset 2, a
helper can be used for all of them. But it is only used at the moment for
batadv_bcast_packet and batadv_mcast_packet because they are the only ones
which deliver the packet locally but unconditionally modify the TTL.
Cc: stable@kernel.org
Fixes: 3f69339068f9 ("batman-adv: bcast: queue per interface, if needed")
Fixes: 07afe1ba288c ("batman-adv: mcast: implement multicast packet reception and forwarding")
[ Context, Drop change for non-existing mcast handling ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/routing.c | 55 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 0709f42c54b496..e9347b25d2087a 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -8,6 +8,7 @@
#include "main.h"
#include <linux/atomic.h>
+#include <linux/build_bug.h>
#include <linux/byteorder/generic.h>
#include <linux/compiler.h>
#include <linux/errno.h>
@@ -205,6 +206,58 @@ bool batadv_check_management_packet(struct sk_buff *skb,
return true;
}
+/**
+ * batadv_skb_decrement_ttl() - decrement ttl in a batman-adv header, csum-safe
+ * @skb: the received packet with @skb->data pointing to the batman-adv header
+ *
+ * Supports the following packet types, all of which carry the TTL at offset 2:
+ *
+ * - batadv_ogm_packet
+ * - batadv_ogm2_packet
+ * - batadv_icmp_header
+ * - batadv_icmp_packet
+ * - batadv_icmp_tp_packet
+ * - batadv_icmp_packet_rr
+ * - batadv_unicast_packet
+ * - batadv_frag_packet
+ * - batadv_bcast_packet
+ * - batadv_mcast_packet
+ * - batadv_coded_packet
+ * - batadv_unicast_tvlv_packet
+ *
+ * Return: true if the packet may be forwarded (ttl decremented),
+ * false if it must be dropped (ttl would expire)
+ */
+static bool batadv_skb_decrement_ttl(struct sk_buff *skb)
+{
+ static const size_t ttl_offset = 2;
+ u8 *ttl_pos;
+
+ BUILD_BUG_ON(offsetof(struct batadv_ogm_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_ogm2_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_header, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_tp_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_packet_rr, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_unicast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_frag_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_bcast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_coded_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_unicast_tvlv_packet, ttl) != ttl_offset);
+
+ ttl_pos = skb->data + ttl_offset;
+
+ /* would expire on this hop -> drop, leave header + csum untouched */
+ if (*ttl_pos < 2)
+ return false;
+
+ skb_postpull_rcsum(skb, ttl_pos, 1);
+ (*ttl_pos)--;
+ skb_postpush_rcsum(skb, ttl_pos, 1);
+
+ return true;
+}
+
/**
* batadv_recv_my_icmp_packet() - receive an icmp packet locally
* @bat_priv: the bat priv with all the soft interface information
@@ -1205,7 +1258,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
bcast_packet = (struct batadv_bcast_packet *)skb->data;
- if (bcast_packet->ttl-- < 2)
+ if (!batadv_skb_decrement_ttl(skb))
goto free_skb;
orig_node = batadv_orig_hash_find(bat_priv, bcast_packet->orig);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 063/129] batman-adv: frag: ensure fragment is writable before modifying TTL
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 062/129] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 064/129] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
` (72 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit b7293c6e8c15b2db77809b25cf8389e35331b27a upstream.
Before batman-adv is allowed to write to an skb, it either has to have its
own copy of the skb or use skb_cow() to ensure that the data part is not
shared. But batadv_frag_skb_fwd() modifies the TTL even when it is shared.
Adding a skb_cow() right before this operation avoids this and can at the
same time prepare it for the modifications required to forward the
fragment.
Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/fragmentation.c | 15 ++++++++++++++-
net/batman-adv/fragmentation.h | 3 ++-
net/batman-adv/routing.c | 3 +--
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 4c193194034155..fbf030c57ac04d 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -385,6 +385,8 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
* @skb: skb to forward
* @recv_if: interface that the skb is received on
* @orig_node_src: originator that the skb is received from
+ * @rx_result: set to NET_RX_SUCCESS when the fragment was forwarded and
+ * NET_RX_DROP when it was dropped; only valid when true is returned
*
* Look up the next-hop of the fragments payload and check if the merged packet
* will exceed the MTU towards the next-hop. If so, the fragment is forwarded
@@ -394,7 +396,8 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
*/
bool batadv_frag_skb_fwd(struct sk_buff *skb,
struct batadv_hard_iface *recv_if,
- struct batadv_orig_node *orig_node_src)
+ struct batadv_orig_node *orig_node_src,
+ int *rx_result)
{
struct batadv_priv *bat_priv = netdev_priv(recv_if->soft_iface);
struct batadv_orig_node *orig_node_dst;
@@ -417,12 +420,22 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb,
*/
total_size = ntohs(packet->total_size);
if (total_size > neigh_node->if_incoming->net_dev->mtu) {
+ if (skb_cow(skb, ETH_HLEN) < 0) {
+ kfree_skb(skb);
+ *rx_result = NET_RX_DROP;
+ ret = true;
+ goto out;
+ }
+
+ packet = (struct batadv_frag_packet *)skb->data;
+
batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_FWD);
batadv_add_counter(bat_priv, BATADV_CNT_FRAG_FWD_BYTES,
skb->len + ETH_HLEN);
packet->ttl--;
batadv_send_unicast_skb(skb, neigh_node);
+ *rx_result = NET_RX_SUCCESS;
ret = true;
}
diff --git a/net/batman-adv/fragmentation.h b/net/batman-adv/fragmentation.h
index dbf0871f870303..51e281027ab630 100644
--- a/net/batman-adv/fragmentation.h
+++ b/net/batman-adv/fragmentation.h
@@ -19,7 +19,8 @@ void batadv_frag_purge_orig(struct batadv_orig_node *orig,
bool (*check_cb)(struct batadv_frag_table_entry *));
bool batadv_frag_skb_fwd(struct sk_buff *skb,
struct batadv_hard_iface *recv_if,
- struct batadv_orig_node *orig_node_src);
+ struct batadv_orig_node *orig_node_src,
+ int *rx_result);
bool batadv_frag_skb_buffer(struct sk_buff **skb,
struct batadv_orig_node *orig_node);
int batadv_frag_send_packet(struct sk_buff *skb,
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index e9347b25d2087a..49cce0cbdff8b6 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1175,10 +1175,9 @@ int batadv_recv_frag_packet(struct sk_buff *skb,
/* Route the fragment if it is not for us and too big to be merged. */
if (!batadv_is_my_mac(bat_priv, frag_packet->dest) &&
- batadv_frag_skb_fwd(skb, recv_if, orig_node_src)) {
+ batadv_frag_skb_fwd(skb, recv_if, orig_node_src, &ret)) {
/* skb was consumed */
skb = NULL;
- ret = NET_RX_SUCCESS;
goto put_orig_node;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 064/129] batman-adv: frag: avoid underflow of TTL
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 063/129] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 065/129] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
` (71 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 493d9d2528e1a09b090e4b37f0f553def7bd5ce9 upstream.
Packets with a TTL are using it to limit the amount of time this packet can
be forwarded. But for batadv_frag_packet, the TTL was always only reduced
but it was never evaluated. It could even underflow without any effect.
Check the TTL in batadv_frag_skb_fwd() before attempting to prepare it for
forwarding. This keeps it in sync with the not fragmented unicast packet.
Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/fragmentation.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index fbf030c57ac04d..0138b0953e10b5 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -420,6 +420,13 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb,
*/
total_size = ntohs(packet->total_size);
if (total_size > neigh_node->if_incoming->net_dev->mtu) {
+ if (packet->ttl < 2) {
+ kfree_skb(skb);
+ *rx_result = NET_RX_DROP;
+ ret = true;
+ goto out;
+ }
+
if (skb_cow(skb, ETH_HLEN) < 0) {
kfree_skb(skb);
*rx_result = NET_RX_DROP;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 065/129] batman-adv: v: prevent OGM aggregation on disabled hardif
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 064/129] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 066/129] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
` (70 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d11c00b95b2a3b3934007fc003dccc6fdcc061ad upstream.
When an interface gets disabled, the worker is correctly disabled by
batadv_hardif_disable_interface() -> ... -> batadv_v_ogm_iface_disable().
In this process, the skb aggr_list is also freed.
But batadv_v_ogm_send_meshif() can still queue new skbs (via
batadv_v_ogm_queue_on_if()) to the aggr_list. This will only stop after all
cores can no longer find the RCU protected list of hard interfaces. These
queued skbs will never be freed or consumed by batadv_v_ogm_aggr_work.
The batadv_v_ogm_iface_disable() function must block
batadv_v_ogm_queue_on_if() to avoid leak of skbs.
Cc: stable@kernel.org
Fixes: f89255a02f1d ("batman-adv: BATMAN_V: introduce per hard-iface OGMv2 queues")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_v.c | 1 +
net/batman-adv/bat_v_ogm.c | 12 ++++++++++++
net/batman-adv/types.h | 6 ++++++
3 files changed, 19 insertions(+)
diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
index 651e01b86141e3..34874942ae8d03 100644
--- a/net/batman-adv/bat_v.c
+++ b/net/batman-adv/bat_v.c
@@ -838,6 +838,7 @@ void batadv_v_hardif_init(struct batadv_hard_iface *hard_iface)
hard_iface->bat_v.aggr_len = 0;
skb_queue_head_init(&hard_iface->bat_v.aggr_list);
+ hard_iface->bat_v.aggr_list_enabled = false;
INIT_DELAYED_WORK(&hard_iface->bat_v.aggr_wq,
batadv_v_ogm_aggr_work);
}
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index 57d0c6862f449c..f87c2b80e4291e 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -255,11 +255,18 @@ static void batadv_v_ogm_queue_on_if(struct batadv_priv *bat_priv,
}
spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+ if (!hard_iface->bat_v.aggr_list_enabled) {
+ kfree_skb(skb);
+ goto unlock;
+ }
+
if (!batadv_v_ogm_queue_left(skb, hard_iface))
batadv_v_ogm_aggr_send(bat_priv, hard_iface);
hard_iface->bat_v.aggr_len += batadv_v_ogm_len(skb);
__skb_queue_tail(&hard_iface->bat_v.aggr_list, skb);
+
+unlock:
spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
}
@@ -422,6 +429,10 @@ int batadv_v_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
{
struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+ hard_iface->bat_v.aggr_list_enabled = true;
+ spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
+
batadv_v_ogm_start_queue_timer(hard_iface);
batadv_v_ogm_start_timer(bat_priv);
@@ -437,6 +448,7 @@ void batadv_v_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
cancel_delayed_work_sync(&hard_iface->bat_v.aggr_wq);
spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+ hard_iface->bat_v.aggr_list_enabled = false;
batadv_v_ogm_aggr_list_free(hard_iface);
spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
}
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index ca1c258faa095f..a61e319e4db0e9 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -130,6 +130,12 @@ struct batadv_hard_iface_bat_v {
/** @aggr_list: queue for to be aggregated OGM packets */
struct sk_buff_head aggr_list;
+ /**
+ * @aggr_list_enabled: aggr_list is active and new skbs can be
+ * enqueued. Protected by aggr_list.lock after initialization
+ */
+ bool aggr_list_enabled:1;
+
/** @aggr_len: size of the OGM aggregate (excluding ethernet header) */
unsigned int aggr_len;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 066/129] batman-adv: tp_meter: restrict number of unacked list entries
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 065/129] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 067/129] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
` (69 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit e7c775110e1858e5a7471a23a9c9658c0af9df89 upstream.
When the unacked_list is unbound, an attacker could send messages with
small lengths and appropriated seqno + gaps to force the receiver to
allocate more and more unacked_list entries. And the end either causing an
out-of-memory situation or increase the management overhead for the (large)
list that significant portions of CPU cycles are wasted in searching
through the list.
When limiting the list to a specific number, it is important to still
correctly add a new entry to the list. But if the list became larger than
the limit, the last entry of the list (with the highest seqno) must be
dropped to still allow the earlier seqnos to finish and therefore to
continue the process. Otherwise, the process might get stuck with too high
seqnos which are not handled by batadv_tp_ack_unordered().
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 23 ++++++++++++++++++++++-
net/batman-adv/types.h | 3 +++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 133eed2fa9507f..638dd438a6c052 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -87,6 +87,11 @@
#define BATADV_TP_PLEN (BATADV_TP_PACKET_LEN - ETH_HLEN - \
sizeof(struct batadv_unicast_packet))
+/**
+ * BATADV_TP_MAX_UNACKED - maximum number of packets a receiver didn't yet ack
+ */
+#define BATADV_TP_MAX_UNACKED 100
+
static u8 batadv_tp_prerandom[4096] __read_mostly;
/**
@@ -1195,6 +1200,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
list_del(&un->list);
kfree(un);
+ tp_vars->unacked_count--;
}
spin_unlock_bh(&tp_vars->unacked_lock);
@@ -1308,6 +1314,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
/* if the list is empty immediately attach this new object */
if (list_empty(&tp_vars->unacked_list)) {
list_add(&new->list, &tp_vars->unacked_list);
+ tp_vars->unacked_count++;
goto out;
}
@@ -1338,12 +1345,24 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
*/
list_add(&new->list, &un->list);
added = true;
+ tp_vars->unacked_count++;
break;
}
/* received packet with smallest seqno out of order; add it to front */
- if (!added)
+ if (!added) {
list_add(&new->list, &tp_vars->unacked_list);
+ tp_vars->unacked_count++;
+ }
+
+ /* remove the last (biggest) unacked seqno when list is too large */
+ if (tp_vars->unacked_count > BATADV_TP_MAX_UNACKED) {
+ un = list_last_entry(&tp_vars->unacked_list,
+ struct batadv_tp_unacked, list);
+ list_del(&un->list);
+ kfree(un);
+ tp_vars->unacked_count--;
+ }
out:
spin_unlock_bh(&tp_vars->unacked_lock);
@@ -1380,6 +1399,7 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
list_del(&un->list);
kfree(un);
+ tp_vars->unacked_count--;
}
spin_unlock_bh(&tp_vars->unacked_lock);
}
@@ -1430,6 +1450,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
spin_lock_init(&tp_vars->unacked_lock);
INIT_LIST_HEAD(&tp_vars->unacked_list);
+ tp_vars->unacked_count = 0;
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index a61e319e4db0e9..d66726d0ea8112 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1494,6 +1494,9 @@ struct batadv_tp_vars {
/** @unacked_lock: protect unacked_list */
spinlock_t unacked_lock;
+ /** @unacked_count: number of unacked entries */
+ size_t unacked_count;
+
/** @last_recv_time: time (jiffies) a msg was received */
unsigned long last_recv_time;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 067/129] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 066/129] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 068/129] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
` (68 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d67c728f07fca2ee6ffdc6dd4421cf2e8691f4d1 upstream.
The last_recv_time field for batadv_tp_receiver tracks the jiffies value of
the most recent activity and is used to detect timeouts. These accesses are
not consistently protected by a lock, so READ_ONCE/WRITE_ONCE must be used
to prevent data races caused by compiler optimizations.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 638dd438a6c052..b882919a868ca0 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1183,7 +1183,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
bat_priv = tp_vars->bat_priv;
/* if there is recent activity rearm the timer */
- if (!batadv_has_timed_out(tp_vars->last_recv_time,
+ if (!batadv_has_timed_out(READ_ONCE(tp_vars->last_recv_time),
BATADV_TP_RECV_TIMEOUT)) {
/* reset the receiver shutdown timer */
batadv_tp_reset_receiver_timer(tp_vars);
@@ -1424,7 +1424,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
icmp->session, BATADV_TP_RECEIVER);
if (tp_vars) {
- tp_vars->last_recv_time = jiffies;
+ WRITE_ONCE(tp_vars->last_recv_time, jiffies);
goto out_unlock;
}
@@ -1455,7 +1455,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
- tp_vars->last_recv_time = jiffies;
+ WRITE_ONCE(tp_vars->last_recv_time, jiffies);
kref_get(&tp_vars->refcount);
hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
@@ -1506,7 +1506,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
goto out;
}
- tp_vars->last_recv_time = jiffies;
+ WRITE_ONCE(tp_vars->last_recv_time, jiffies);
}
/* if the packet is a duplicate, it may be the case that an ACK has been
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 068/129] batman-adv: tp_meter: prevent parallel modifications of last_recv
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 067/129] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 069/129] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
` (67 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 6dde0cfcb36e4d5b3de35b75696937478441eed4 upstream.
When last_recv is updated to store the last receive sequence number, it is
assuming that nothing is modifying in parallel while:
* check for outdated packets is done
* out of order check is performed (and packets are stored in out-of-order
queue)
* the out-of-order queue was searched for closed gaps
* sequence number for next ack is calculated
Nothing of that was actually protected. It could therefore happen that the
last_recv was updated multiple times in parallel and the final sequence
number was calculated with deltas which had no connection to the sequence
number they were added to.
Lock this whole region with the same lock which was already used to protect
the unacked (out-of-order) list.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 22 +++++++++++++---------
net/batman-adv/types.h | 2 +-
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index b882919a868ca0..f745bc09a04963 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1294,6 +1294,7 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
*/
static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
const struct sk_buff *skb)
+ __must_hold(&tp_vars->unacked_lock)
{
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_unacked *un, *new;
@@ -1310,12 +1311,11 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
payload_len = skb->len - sizeof(struct batadv_unicast_packet);
new->len = payload_len;
- spin_lock_bh(&tp_vars->unacked_lock);
/* if the list is empty immediately attach this new object */
if (list_empty(&tp_vars->unacked_list)) {
list_add(&new->list, &tp_vars->unacked_list);
tp_vars->unacked_count++;
- goto out;
+ return true;
}
/* otherwise loop over the list and either drop the packet because this
@@ -1364,9 +1364,6 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
tp_vars->unacked_count--;
}
-out:
- spin_unlock_bh(&tp_vars->unacked_lock);
-
return true;
}
@@ -1376,6 +1373,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
* @tp_vars: the private data of the current TP meter session
*/
static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
+ __must_hold(&tp_vars->unacked_lock)
{
struct batadv_tp_unacked *un, *safe;
u32 to_ack;
@@ -1383,7 +1381,6 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
/* go through the unacked packet list and possibly ACK them as
* well
*/
- spin_lock_bh(&tp_vars->unacked_lock);
list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
/* the list is ordered, therefore it is possible to stop as soon
* there is a gap between the last acked seqno and the seqno of
@@ -1401,7 +1398,6 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
kfree(un);
tp_vars->unacked_count--;
}
- spin_unlock_bh(&tp_vars->unacked_lock);
}
/**
@@ -1481,6 +1477,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_vars *tp_vars;
size_t packet_size;
+ u32 to_ack;
u32 seqno;
icmp = (struct batadv_icmp_tp_packet *)skb->data;
@@ -1509,6 +1506,8 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
WRITE_ONCE(tp_vars->last_recv_time, jiffies);
}
+ spin_lock_bh(&tp_vars->unacked_lock);
+
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
*/
@@ -1520,8 +1519,10 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
/* exit immediately (and do not send any ACK) if the packet has
* not been enqueued correctly
*/
- if (!batadv_tp_handle_out_of_order(tp_vars, skb))
+ if (!batadv_tp_handle_out_of_order(tp_vars, skb)) {
+ spin_unlock_bh(&tp_vars->unacked_lock);
goto out;
+ }
/* send a duplicate ACK */
goto send_ack;
@@ -1535,11 +1536,14 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
batadv_tp_ack_unordered(tp_vars);
send_ack:
+ to_ack = tp_vars->last_recv;
+ spin_unlock_bh(&tp_vars->unacked_lock);
+
/* send the ACK. If the received packet was out of order, the ACK that
* is going to be sent is a duplicate (the sender will count them and
* possibly enter Fast Retransmit as soon as it has reached 3)
*/
- batadv_tp_send_ack(bat_priv, icmp->orig, tp_vars->last_recv,
+ batadv_tp_send_ack(bat_priv, icmp->orig, to_ack,
icmp->timestamp, icmp->session, icmp->uid);
out:
batadv_tp_vars_put(tp_vars);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index d66726d0ea8112..0a6d0303a616c5 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1491,7 +1491,7 @@ struct batadv_tp_vars {
/** @unacked_list: list of unacked packets (meta-info only) */
struct list_head unacked_list;
- /** @unacked_lock: protect unacked_list */
+ /** @unacked_lock: protect unacked_list + &batadv_tp_receiver.last_recv */
spinlock_t unacked_lock;
/** @unacked_count: number of unacked entries */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 069/129] batman-adv: tp_meter: handle overlapping packets
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 068/129] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 070/129] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
` (66 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cbde75c38b21f022891525078622587ad557b7c1 upstream.
If the size of the packets would change during the transmission, it could
happen that some retries of packets are overlapping. In this case, precise
comparisons of sequence numbers by the receiver would be wrong. It is then
necessary to check if the start sequence number to the end sequence number
("seqno + length") would contain a new range.
If this is the case then this is enough to accept this packet. In all other
cases, the packet still has to be dropped (and not acked).
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index f745bc09a04963..50b83e0438a07b 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1284,7 +1284,8 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
/**
* batadv_tp_handle_out_of_order() - store an out of order packet
* @tp_vars: the private data of the current TP meter session
- * @skb: the buffer containing the received packet
+ * @seqno: sequence number of new received packet
+ * @payload_len: length of the received packet
*
* Store the out of order packet in the unacked list for late processing. This
* packets are kept in this list so that they can be ACKed at once as soon as
@@ -1293,22 +1294,17 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
* Return: true if the packed has been successfully processed, false otherwise
*/
static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
- const struct sk_buff *skb)
+ u32 seqno, u32 payload_len)
__must_hold(&tp_vars->unacked_lock)
{
- const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_unacked *un, *new;
- u32 payload_len;
bool added = false;
new = kmalloc(sizeof(*new), GFP_ATOMIC);
if (unlikely(!new))
return false;
- icmp = (struct batadv_icmp_tp_packet *)skb->data;
-
- new->seqno = ntohl(icmp->seqno);
- payload_len = skb->len - sizeof(struct batadv_unicast_packet);
+ new->seqno = seqno;
new->len = payload_len;
/* if the list is empty immediately attach this new object */
@@ -1476,7 +1472,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
{
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_vars *tp_vars;
- size_t packet_size;
+ u32 payload_len;
u32 to_ack;
u32 seqno;
@@ -1511,15 +1507,17 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
*/
- if (batadv_seq_before(seqno, tp_vars->last_recv))
+ payload_len = skb->len - sizeof(struct batadv_unicast_packet);
+ to_ack = seqno + payload_len;
+ if (batadv_seq_before(to_ack, tp_vars->last_recv))
goto send_ack;
/* if the packet is out of order enqueue it */
- if (ntohl(icmp->seqno) != tp_vars->last_recv) {
+ if (batadv_seq_before(tp_vars->last_recv, seqno)) {
/* exit immediately (and do not send any ACK) if the packet has
* not been enqueued correctly
*/
- if (!batadv_tp_handle_out_of_order(tp_vars, skb)) {
+ if (!batadv_tp_handle_out_of_order(tp_vars, seqno, payload_len)) {
spin_unlock_bh(&tp_vars->unacked_lock);
goto out;
}
@@ -1529,8 +1527,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
}
/* if everything was fine count the ACKed bytes */
- packet_size = skb->len - sizeof(struct batadv_unicast_packet);
- tp_vars->last_recv += packet_size;
+ tp_vars->last_recv = to_ack;
/* check if this ordered message filled a gap.... */
batadv_tp_ack_unordered(tp_vars);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 070/129] batman-adv: tt: dont merge change entries with different VIDs
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 069/129] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 071/129] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
` (65 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f08e06c2d5c3e2434e7c773f2213f4a7dce6bc1e upstream.
batadv_tt_local_event() merges/cancels events for the same client which
would conflict or be duplicates. The matching of the queued events only
compares the MAC address - the VLAN ID stored in each event is ignored.
If a MAC would now appear on multiple VID, the two ADD change events (for
VID 1 and VID 2) would be merged to a single vid event. The remote can
therefore not calculate the correct TT table and desync. A full translation
table exchange is required to recover from this state.
A check of VID is therefore necessary to avoid such wrong merges/cancels.
Cc: stable@kernel.org
Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 53d2aadcafa154..c3d62df9e2b87d 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -485,6 +485,9 @@ static void batadv_tt_local_event(struct batadv_priv *bat_priv,
if (!batadv_compare_eth(entry->change.addr, common->addr))
continue;
+ if (entry->change.vid != tt_change_node->change.vid)
+ continue;
+
/* DEL+ADD in the same orig interval have no effect and can be
* removed to avoid silly behaviour on the receiver side. The
* other way around (ADD+DEL) can happen in case of roaming of
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 071/129] batman-adv: tt: track roam count per VID
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 070/129] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 072/129] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
` (64 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 12407d5f61c2653a64f2ff4b22f3c267f8420ef1 upstream.
batadv_tt_check_roam_count() is supposed to track roaming of a TT entry.
But TT entries are for a MAC + VID. The VID was completely missed and thus
leads to incorrect detection of ROAM counts when a client MAC exists in
multiple VLANs.
Cc: stable@kernel.org
Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 9 +++++++--
net/batman-adv/types.h | 3 +++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index c3d62df9e2b87d..5161ddf1c788e0 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -3517,6 +3517,7 @@ static void batadv_tt_roam_purge(struct batadv_priv *bat_priv)
* batadv_tt_check_roam_count() - check if a client has roamed too frequently
* @bat_priv: the bat priv with all the soft interface information
* @client: mac address of the roaming client
+ * @vid: VLAN identifier
*
* This function checks whether the client already reached the
* maximum number of possible roaming phases. In this case the ROAMING_ADV
@@ -3524,7 +3525,7 @@ static void batadv_tt_roam_purge(struct batadv_priv *bat_priv)
*
* Return: true if the ROAMING_ADV can be sent, false otherwise
*/
-static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client)
+static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client, u16 vid)
{
struct batadv_tt_roam_node *tt_roam_node;
bool ret = false;
@@ -3537,6 +3538,9 @@ static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client)
if (!batadv_compare_eth(tt_roam_node->addr, client))
continue;
+ if (tt_roam_node->vid != vid)
+ continue;
+
if (batadv_has_timed_out(tt_roam_node->first_time,
BATADV_ROAMING_MAX_TIME))
continue;
@@ -3558,6 +3562,7 @@ static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client)
atomic_set(&tt_roam_node->counter,
BATADV_ROAMING_MAX_COUNT - 1);
ether_addr_copy(tt_roam_node->addr, client);
+ tt_roam_node->vid = vid;
list_add(&tt_roam_node->list, &bat_priv->tt.roam_list);
ret = true;
@@ -3594,7 +3599,7 @@ static void batadv_send_roam_adv(struct batadv_priv *bat_priv, u8 *client,
/* before going on we have to check whether the client has
* already roamed to us too many times
*/
- if (!batadv_tt_check_roam_count(bat_priv, client))
+ if (!batadv_tt_check_roam_count(bat_priv, client, vid))
goto out;
batadv_dbg(BATADV_DBG_TT, bat_priv,
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 0a6d0303a616c5..673b04dd71b043 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1995,6 +1995,9 @@ struct batadv_tt_roam_node {
/** @addr: mac address of the client in the roaming phase */
u8 addr[ETH_ALEN];
+ /** @vid: VLAN identifier */
+ u16 vid;
+
/**
* @counter: number of allowed roaming events per client within a single
* OGM interval (changes are committed with each OGM)
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 072/129] batman-adv: dat: prevent false sharing between VLANs
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 071/129] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 073/129] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
` (63 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 20d7658b74169f86d4ac01b9185b3eadddf71f28 upstream.
The local hash of DAT entries is supposed to be VLAN (VID) aware. But
the adding to the hash and the search in the hash were not checking the VID
information of the hash entries. The entries would therefore only be
correctly separated when batadv_hash_dat() didn't select the same buckets
for different VIDs.
Cc: stable@kernel.org
Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/distributed-arp-table.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index e8d706d86aa82a..36462d9288c7ee 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -215,10 +215,13 @@ static void batadv_dat_purge(struct work_struct *work)
*/
static bool batadv_compare_dat(const struct hlist_node *node, const void *data2)
{
- const void *data1 = container_of(node, struct batadv_dat_entry,
- hash_entry);
+ const struct batadv_dat_entry *entry1;
+ const struct batadv_dat_entry *entry2;
- return memcmp(data1, data2, sizeof(__be32)) == 0;
+ entry1 = container_of(node, struct batadv_dat_entry, hash_entry);
+ entry2 = data2;
+
+ return entry1->ip == entry2->ip && entry1->vid == entry2->vid;
}
/**
@@ -345,6 +348,9 @@ batadv_dat_entry_hash_find(struct batadv_priv *bat_priv, __be32 ip,
if (dat_entry->ip != ip)
continue;
+ if (dat_entry->vid != vid)
+ continue;
+
if (!kref_get_unless_zero(&dat_entry->refcount))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 073/129] batman-adv: tvlv: enforce 2-byte alignment
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 072/129] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 074/129] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
` (62 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 32a6799255525d6ea4da0f7e9e0e521ad9560a46 upstream.
The fields of an aggregated OGM(v2) are accessed assuming (at least) 2-byte
alignment, so a following OGM must start at an even offset. As the header
length is even, an odd tvlv_len would misalign it and trigger unaligned
accesses on strict-alignment architectures.
Such a misaligned TVLV/OGM/OGMv2 is not created by a normal participant in
the mesh. Therefore, reject such malformed packets.
Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
[ Drop change for non-existing mcast handling ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_iv_ogm.c | 11 ++++++++++-
net/batman-adv/bat_v_ogm.c | 11 ++++++++++-
net/batman-adv/tvlv.c | 6 ++++++
3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index c52e3b82889868..7fd692b642e392 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -311,14 +311,23 @@ batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
const struct batadv_ogm_packet *ogm_packet)
{
int next_buff_pos = 0;
+ u16 tvlv_len;
/* check if there is enough space for the header */
next_buff_pos += buff_pos + sizeof(*ogm_packet);
if (next_buff_pos > packet_len)
return false;
+ tvlv_len = ntohs(ogm_packet->tvlv_len);
+
+ /* the fields of an aggregated OGM are accessed assuming (at least)
+ * 2-byte alignment, so a following OGM must start at an even offset.
+ */
+ if (tvlv_len & 1)
+ return false;
+
/* check if there is enough space for the optional TVLV */
- next_buff_pos += ntohs(ogm_packet->tvlv_len);
+ next_buff_pos += tvlv_len;
return next_buff_pos <= packet_len;
}
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index f87c2b80e4291e..e8ad4817d20018 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -854,14 +854,23 @@ batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
const struct batadv_ogm2_packet *ogm2_packet)
{
int next_buff_pos = 0;
+ u16 tvlv_len;
/* check if there is enough space for the header */
next_buff_pos += buff_pos + sizeof(*ogm2_packet);
if (next_buff_pos > packet_len)
return false;
+ tvlv_len = ntohs(ogm2_packet->tvlv_len);
+
+ /* the fields of an aggregated OGMv2 are accessed assuming (at least)
+ * 2-byte alignment, so a following OGMv2 must start at an even offset.
+ */
+ if (tvlv_len & 1)
+ return false;
+
/* check if there is enough space for the optional TVLV */
- next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+ next_buff_pos += tvlv_len;
return next_buff_pos <= packet_len;
}
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 99e5e8518dcc9a..e25430da5afb1b 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -448,6 +448,12 @@ int batadv_tvlv_containers_process(struct batadv_priv *bat_priv,
if (tvlv_value_cont_len > tvlv_value_len)
break;
+ /* the next tvlv header is accessed assuming (at least) 2-byte
+ * alignment, so it must start at an even offset.
+ */
+ if (tvlv_value_cont_len & 1)
+ break;
+
tvlv_handler = batadv_tvlv_handler_get(bat_priv,
tvlv_hdr->type,
tvlv_hdr->version);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 074/129] batman-adv: tvlv: avoid race of cifsnotfound handler state
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 073/129] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 075/129] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
` (61 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit edb557b2ba38fea2c5eb710cf366c797e187218c upstream.
TVLV handlers can have the flag BATADV_TVLV_HANDLER_OGM_CIFNOTFND set to
signal that the OGM handler should be called (with NULL for data) when the
specific TVLV container was not found in the OGM. This is used by:
* DAT
* GW
* Multicast (OGM + Tracker)
The state whether the handler was executed was stored in the struct
batadv_tvlv_handler. But the TVLV processing is started without any lock.
Multiple parallel contexts processing TVLVs would therefore overwrite each
others BATADV_TVLV_HANDLER_OGM_CALLED flag in the shared
batadv_tvlv_handler.
Drop the shared BATADV_TVLV_HANDLER_OGM_CALLED flag and instead determine,
per TVLV buffer, whether a matching container was present by scanning the
packet's buffer.
Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tvlv.c | 63 ++++++++++++++++++++++++++++++++++++++----
net/batman-adv/types.h | 7 -----
2 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index e25430da5afb1b..61a1e5e5f0d913 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -394,7 +394,6 @@ static int batadv_tvlv_call_handler(struct batadv_priv *bat_priv,
tvlv_handler->ogm_handler(bat_priv, orig_node,
BATADV_NO_FLAGS,
tvlv_value, tvlv_value_len);
- tvlv_handler->flags |= BATADV_TVLV_HANDLER_OGM_CALLED;
} else {
if (!src)
return NET_RX_SUCCESS;
@@ -413,6 +412,48 @@ static int batadv_tvlv_call_handler(struct batadv_priv *bat_priv,
return NET_RX_SUCCESS;
}
+/**
+ * batadv_tvlv_containers_contain() - check if a tvlv buffer holds a container
+ * @tvlv_value: tvlv content
+ * @tvlv_value_len: tvlv content length
+ * @type: tvlv container type to look for
+ * @version: tvlv container version to look for
+ *
+ * Return: true if a container of the given type and version is present in the
+ * tvlv buffer, false otherwise.
+ */
+static bool batadv_tvlv_containers_contain(void *tvlv_value,
+ u16 tvlv_value_len, u8 type,
+ u8 version)
+{
+ struct batadv_tvlv_hdr *tvlv_hdr;
+ u16 tvlv_value_cont_len;
+
+ while (tvlv_value_len >= sizeof(*tvlv_hdr)) {
+ tvlv_hdr = tvlv_value;
+ tvlv_value_cont_len = ntohs(tvlv_hdr->len);
+ tvlv_value = tvlv_hdr + 1;
+ tvlv_value_len -= sizeof(*tvlv_hdr);
+
+ if (tvlv_value_cont_len > tvlv_value_len)
+ break;
+
+ /* the next tvlv header is accessed assuming (at least) 2-byte
+ * alignment, so it must start at an even offset.
+ */
+ if (tvlv_value_cont_len & 1)
+ break;
+
+ if (tvlv_hdr->type == type && tvlv_hdr->version == version)
+ return true;
+
+ tvlv_value = (u8 *)tvlv_value + tvlv_value_cont_len;
+ tvlv_value_len -= tvlv_value_cont_len;
+ }
+
+ return false;
+}
+
/**
* batadv_tvlv_containers_process() - parse the given tvlv buffer to call the
* appropriate handlers
@@ -433,7 +474,9 @@ int batadv_tvlv_containers_process(struct batadv_priv *bat_priv,
u8 *src, u8 *dst,
void *tvlv_value, u16 tvlv_value_len)
{
+ u16 tvlv_value_start_len = tvlv_value_len;
struct batadv_tvlv_handler *tvlv_handler;
+ void *tvlv_value_start = tvlv_value;
struct batadv_tvlv_hdr *tvlv_hdr;
u16 tvlv_value_cont_len;
u8 cifnotfound = BATADV_TVLV_HANDLER_OGM_CIFNOTFND;
@@ -473,12 +516,20 @@ int batadv_tvlv_containers_process(struct batadv_priv *bat_priv,
rcu_read_lock();
hlist_for_each_entry_rcu(tvlv_handler,
&bat_priv->tvlv.handler_list, list) {
- if ((tvlv_handler->flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND) &&
- !(tvlv_handler->flags & BATADV_TVLV_HANDLER_OGM_CALLED))
- tvlv_handler->ogm_handler(bat_priv, orig_node,
- cifnotfound, NULL, 0);
+ if (!(tvlv_handler->flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND))
+ continue;
- tvlv_handler->flags &= ~BATADV_TVLV_HANDLER_OGM_CALLED;
+ /* if the corresponding container was present then the handler
+ * was already called from the loop above
+ */
+ if (batadv_tvlv_containers_contain(tvlv_value_start,
+ tvlv_value_start_len,
+ tvlv_handler->type,
+ tvlv_handler->version))
+ continue;
+
+ tvlv_handler->ogm_handler(bat_priv, orig_node,
+ cifnotfound, NULL, 0);
}
rcu_read_unlock();
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 673b04dd71b043..f009b2a381a468 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -2408,13 +2408,6 @@ enum batadv_tvlv_handler_flags {
* will call this handler even if its type was not found (with no data)
*/
BATADV_TVLV_HANDLER_OGM_CIFNOTFND = BIT(1),
-
- /**
- * @BATADV_TVLV_HANDLER_OGM_CALLED: interval tvlv handling flag - the
- * API marks a handler as being called, so it won't be called if the
- * BATADV_TVLV_HANDLER_OGM_CIFNOTFND flag was set
- */
- BATADV_TVLV_HANDLER_OGM_CALLED = BIT(2),
};
#endif /* _NET_BATMAN_ADV_TYPES_H_ */
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 075/129] ntfs3: reject direct userspace writes to reserved $LX* xattrs
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 074/129] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 076/129] ext4: add bounds check for inline data length in ext4_read_inline_page Greg Kroah-Hartman
` (60 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Yan, Konstantin Komarov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 5b08dccecf825cbf905f348bc6ccb497507e28e2 upstream.
NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
permission metadata and reloads them into i_uid, i_gid and i_mode
from ntfs_get_wsl_perm().
Because the empty-prefix xattr handler also lets file owners call
setxattr() on these names directly, an unprivileged writer on a
writable ntfs3 mount can plant root ownership and S_ISUID on their own
file and gain euid 0 after inode reload.
Reject direct userspace writes to the reserved $LX* names. Internal
ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
writes them via ntfs_set_ea() directly.
Signed-off-by: Zhen Yan <sdjasjbuaa@gmail.com>
[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/xattr.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -846,6 +846,12 @@ out:
return err;
}
+static bool ntfs_is_reserved_lxattr(const char *name)
+{
+ return !strcmp(name, "$LXUID") || !strcmp(name, "$LXGID") ||
+ !strcmp(name, "$LXMOD") || !strcmp(name, "$LXDEV");
+}
+
/*
* ntfs_setxattr - inode_operations::setxattr
*/
@@ -951,6 +957,12 @@ set_new_fa:
goto out;
}
+ /* Do not allow non privileged users to change $LXUID/$LXGID... */
+ if (ntfs_is_reserved_lxattr(name) && !capable(CAP_SYS_ADMIN)) {
+ err = -EPERM;
+ goto out;
+ }
+
/* Deal with NTFS extended attribute. */
err = ntfs_set_ea(inode, name, name_len, value, size, flags, 0);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 076/129] ext4: add bounds check for inline data length in ext4_read_inline_page
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 075/129] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 077/129] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
` (59 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuto Ohnuki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuto Ohnuki <ytohnuki@amazon.com>
[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ]
ext4_read_inline_page() does not validate that the inline data length
fits within a page before copying data. If the inline size exceeds
PAGE_SIZE due to filesystem corruption, this could lead to a kernel
memory write beyond the page boundary.
Add a bounds check after computing len, returning -EFSCORRUPTED if the
value exceeds PAGE_SIZE.
The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in
ext4_read_inline_folio(). In 6.1 and earlier, the function is still named
ext4_read_inline_page() and the BUG_ON was never present, so this patch
adds the bounds check directly.
Fixes: 46c7f254543d ("ext4: add read support for inline data")
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inline.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index a1fb99d2b472bf..c0c1e865270785 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -518,6 +518,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
goto out;
len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
+ if (len > PAGE_SIZE) {
+ ext4_error_inode(inode, __func__, __LINE__, 0,
+ "inline size %zu exceeds PAGE_SIZE", len);
+ ret = -EFSCORRUPTED;
+ brelse(iloc.bh);
+ goto out;
+ }
+
kaddr = kmap_atomic(page);
ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
flush_dcache_page(page);
--
2.53.0
^ permalink raw reply related [flat|nested] 140+ messages in thread
* [PATCH 6.1 077/129] mac802154: llsec: add skb_cow_data() before in-place crypto
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 076/129] ext4: add bounds check for inline data length in ext4_read_inline_page Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 078/129] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
` (58 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doruk Tan Ozturk, Alexander Lobakin,
Stefan Schmidt
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doruk Tan Ozturk <doruk@0sec.ai>
commit 84a04eb5b210643bd67aab81ff805d32f62aa865 upstream.
llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(),
llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform
in-place cryptographic transformations on skb data. They build a
scatterlist with sg_init_one() pointing into the skb's linear data area
and then pass the same scatterlist as both src and dst to the crypto API
(e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt).
On the RX path, __ieee802154_rx_handle_packet() clones the received skb
before handing it to each subscriber via ieee802154_subif_frame(). The
cloned skb shares the same underlying data buffer via reference
counting. When llsec_do_decrypt() subsequently modifies this shared
buffer in place, it corrupts data that other clones -- potentially
belonging to other sockets or subsystems -- still reference.
On the TX path, similar data sharing can occur when an skb's head has
been cloned (skb_cloned() returns true).
The fix is to call skb_cow_data() before performing any in-place crypto
operation. skb_cow_data() ensures that the skb's data area is not
shared: if the skb head is cloned or the data spans multiple fragments,
it copies the data into a private buffer that can be safely modified in
place. This is the same pattern used by:
- ESP (net/ipv4/esp4.c, net/ipv6/esp6.c)
- MACsec (drivers/net/macsec.c)
- WireGuard (drivers/net/wireguard/receive.c)
- TIPC (net/tipc/crypto.c)
Without this guard, in-place crypto on shared skb data leads to:
- Silent data corruption of other skb clones
- Use-after-free when the crypto API scatterwalk writes through a
page that has already been freed by another clone's kfree_skb()
- Kernel crashes under concurrent 802.15.4 traffic with security
enabled (KASAN/KMSAN reports slab-use-after-free)
Found by 0sec (https://0sec.ai) using automated source analysis.
Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method")
Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: <link to your mail on lore>
Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac802154/llsec.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -710,6 +710,7 @@ int mac802154_llsec_encrypt(struct mac80
{
struct ieee802154_hdr hdr;
int rc, authlen, hlen;
+ struct sk_buff *trailer;
struct mac802154_llsec_key *key;
u32 frame_ctr;
@@ -766,6 +767,12 @@ int mac802154_llsec_encrypt(struct mac80
skb->mac_len = ieee802154_hdr_push(skb, &hdr);
skb_reset_mac_header(skb);
+ rc = skb_cow_data(skb, 0, &trailer);
+ if (rc < 0) {
+ llsec_key_put(key);
+ return rc;
+ }
+
rc = llsec_do_encrypt(skb, sec, &hdr, key);
llsec_key_put(key);
@@ -905,6 +912,13 @@ llsec_do_decrypt(struct sk_buff *skb, co
const struct ieee802154_hdr *hdr,
struct mac802154_llsec_key *key, __le64 dev_addr)
{
+ struct sk_buff *trailer;
+ int err;
+
+ err = skb_cow_data(skb, 0, &trailer);
+ if (err < 0)
+ return err;
+
if (hdr->sec.level == IEEE802154_SCF_SECLEVEL_ENC)
return llsec_do_decrypt_unauth(skb, sec, hdr, key, dev_addr);
else
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 078/129] net: skmsg: preserve sg.copy across SG transforms
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 077/129] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 079/129] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
` (57 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Keenan Dong,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiming Qian <yimingqian591@gmail.com>
commit 406e8a651a7b854c41fecd5117bb282b3a6c2c6b upstream.
The sk_msg sg.copy bitmap is part of the scatterlist entry ownership
state. A set bit tells sk_msg_compute_data_pointers() not to expose the
entry through writable BPF ctx->data. This protects entries backed by
pages that are not private to the sk_msg, such as splice-backed file
page-cache pages.
Several sk_msg transform paths move, copy, split, or compact
msg->sg.data[] entries without moving the matching sg.copy bit. This can
make an externally backed entry arrive at a new slot with a clear copy
bit. A later SK_MSG verdict can then expose sg_virt(sge) as writable
ctx->data and BPF stores can modify the original page cache.
Keep sg.copy synchronized with sg.data[] whenever entries are
transferred, shifted, split, or copied into a new sk_msg. Clear the bit
when an entry is replaced by a newly allocated private page or freed.
This covers the BPF pull/push/pop helpers, sk_msg_shift_left/right(),
sk_msg_xfer(), and tls_split_open_record(), including the partial tail
entry created during TLS open-record splitting.
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Cc: stable@vger.kernel.org
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Yiming Qian <yimingqian591@gmail.com>
Link: https://patch.msgid.link/20260610062137.49075-1-yimingqian591@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skmsg.h | 15 +++++++++++----
net/core/filter.c | 27 +++++++++++++++++++++++++++
net/core/skmsg.c | 2 ++
net/tls/tls_sw.c | 4 ++++
4 files changed, 44 insertions(+), 4 deletions(-)
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -4,6 +4,7 @@
#ifndef _LINUX_SKMSG_H
#define _LINUX_SKMSG_H
+#include <linux/bitops.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/scatterlist.h>
@@ -188,11 +189,14 @@ static inline void sk_msg_xfer(struct sk
int which, u32 size)
{
dst->sg.data[which] = src->sg.data[which];
+ __assign_bit(which, dst->sg.copy, test_bit(which, src->sg.copy));
dst->sg.data[which].length = size;
dst->sg.size += size;
src->sg.size -= size;
src->sg.data[which].length -= size;
src->sg.data[which].offset += size;
+ if (!src->sg.data[which].length)
+ __clear_bit(which, src->sg.copy);
}
static inline void sk_msg_xfer_full(struct sk_msg *dst, struct sk_msg *src)
@@ -262,16 +266,19 @@ static inline void sk_msg_page_add(struc
static inline void sk_msg_sg_copy(struct sk_msg *msg, u32 i, bool copy_state)
{
do {
- if (copy_state)
- __set_bit(i, msg->sg.copy);
- else
- __clear_bit(i, msg->sg.copy);
+ __assign_bit(i, msg->sg.copy, copy_state);
sk_msg_iter_var_next(i);
if (i == msg->sg.end)
break;
} while (1);
}
+static inline void sk_msg_sg_copy_assign(struct sk_msg *dst, u32 dst_i,
+ const struct sk_msg *src, u32 src_i)
+{
+ __assign_bit(dst_i, dst->sg.copy, test_bit(src_i, src->sg.copy));
+}
+
static inline void sk_msg_sg_copy_set(struct sk_msg *msg, u32 start)
{
sk_msg_sg_copy(msg, start, true);
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2714,11 +2714,13 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
poffset += len;
sge->length = 0;
put_page(sg_page(sge));
+ __clear_bit(i, msg->sg.copy);
sk_msg_iter_var_next(i);
} while (i != last_sge);
sg_set_page(&msg->sg.data[first_sge], page, copy, 0);
+ __clear_bit(first_sge, msg->sg.copy);
/* To repair sg ring we need to shift entries. If we only
* had a single entry though we can just replace it and
@@ -2744,9 +2746,11 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
break;
msg->sg.data[i] = msg->sg.data[move_from];
+ sk_msg_sg_copy_assign(msg, i, msg, move_from);
msg->sg.data[move_from].length = 0;
msg->sg.data[move_from].page_link = 0;
msg->sg.data[move_from].offset = 0;
+ __clear_bit(move_from, msg->sg.copy);
sk_msg_iter_var_next(i);
} while (1);
@@ -2775,6 +2779,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
{
struct scatterlist sge, nsge, nnsge, rsge = {0}, *psge;
u32 new, i = 0, l = 0, space, copy = 0, offset = 0;
+ bool sge_copy, nsge_copy, nnsge_copy, rsge_copy = false;
u8 *raw, *to, *from;
struct page *page;
@@ -2847,6 +2852,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
sk_msg_iter_var_prev(i);
psge = sk_msg_elem(msg, i);
rsge = sk_msg_elem_cpy(msg, i);
+ rsge_copy = test_bit(i, msg->sg.copy);
psge->length = start - offset;
rsge.length -= psge->length;
@@ -2871,24 +2877,32 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
/* Shift one or two slots as needed */
sge = sk_msg_elem_cpy(msg, new);
+ sge_copy = test_bit(new, msg->sg.copy);
sg_unmark_end(&sge);
nsge = sk_msg_elem_cpy(msg, i);
+ nsge_copy = test_bit(i, msg->sg.copy);
if (rsge.length) {
sk_msg_iter_var_next(i);
nnsge = sk_msg_elem_cpy(msg, i);
+ nnsge_copy = test_bit(i, msg->sg.copy);
sk_msg_iter_next(msg, end);
}
while (i != msg->sg.end) {
msg->sg.data[i] = sge;
+ __assign_bit(i, msg->sg.copy, sge_copy);
sge = nsge;
+ sge_copy = nsge_copy;
sk_msg_iter_var_next(i);
if (rsge.length) {
nsge = nnsge;
+ nsge_copy = nnsge_copy;
nnsge = sk_msg_elem_cpy(msg, i);
+ nnsge_copy = test_bit(i, msg->sg.copy);
} else {
nsge = sk_msg_elem_cpy(msg, i);
+ nsge_copy = test_bit(i, msg->sg.copy);
}
}
@@ -2902,6 +2916,7 @@ place_new:
get_page(sg_page(&rsge));
sk_msg_iter_var_next(new);
msg->sg.data[new] = rsge;
+ __assign_bit(new, msg->sg.copy, rsge_copy);
}
sk_msg_reset_curr(msg);
@@ -2929,25 +2944,33 @@ static void sk_msg_shift_left(struct sk_
prev = i;
sk_msg_iter_var_next(i);
msg->sg.data[prev] = msg->sg.data[i];
+ sk_msg_sg_copy_assign(msg, prev, msg, i);
} while (i != msg->sg.end);
sk_msg_iter_prev(msg, end);
+ __clear_bit(msg->sg.end, msg->sg.copy);
}
static void sk_msg_shift_right(struct sk_msg *msg, int i)
{
struct scatterlist tmp, sge;
+ bool tmp_copy, sge_copy;
sk_msg_iter_next(msg, end);
sge = sk_msg_elem_cpy(msg, i);
+ sge_copy = test_bit(i, msg->sg.copy);
sk_msg_iter_var_next(i);
tmp = sk_msg_elem_cpy(msg, i);
+ tmp_copy = test_bit(i, msg->sg.copy);
while (i != msg->sg.end) {
msg->sg.data[i] = sge;
+ __assign_bit(i, msg->sg.copy, sge_copy);
sk_msg_iter_var_next(i);
sge = tmp;
+ sge_copy = tmp_copy;
tmp = sk_msg_elem_cpy(msg, i);
+ tmp_copy = test_bit(i, msg->sg.copy);
}
}
@@ -3007,6 +3030,8 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
struct scatterlist *nsge, *sge = sk_msg_elem(msg, i);
int a = start - offset;
int b = sge->length - pop - a;
+ u32 sge_i = i;
+ bool sge_copy = test_bit(i, msg->sg.copy);
sk_msg_iter_var_next(i);
@@ -3019,6 +3044,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
sg_set_page(nsge,
sg_page(sge),
b, sge->offset + pop + a);
+ __assign_bit(i, msg->sg.copy, sge_copy);
} else {
struct page *page, *orig;
u8 *to, *from;
@@ -3035,6 +3061,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
memcpy(to, from, a);
memcpy(to + a, from + a + pop, b);
sg_set_page(sge, page, a + b, 0);
+ __clear_bit(sge_i, msg->sg.copy);
put_page(orig);
}
pop = 0;
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -65,6 +65,7 @@ int sk_msg_alloc(struct sock *sk, struct
sge = &msg->sg.data[msg->sg.end];
sg_unmark_end(sge);
sg_set_page(sge, pfrag->page, use, orig_offset);
+ __clear_bit(msg->sg.end, msg->sg.copy);
get_page(pfrag->page);
sk_msg_iter_next(msg, end);
}
@@ -185,6 +186,7 @@ static int sk_msg_free_elem(struct sock
sk_mem_uncharge(sk, len);
put_page(sg_page(sge));
}
+ __clear_bit(i, msg->sg.copy);
memset(sge, 0, sizeof(*sge));
return len;
}
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -624,6 +624,7 @@ static int tls_split_open_record(struct
struct scatterlist *sge, *osge, *nsge;
u32 orig_size = msg_opl->sg.size;
struct scatterlist tmp = { };
+ u32 tmp_i = 0;
struct sk_msg *msg_npl;
struct tls_rec *new;
int ret;
@@ -645,6 +646,7 @@ static int tls_split_open_record(struct
if (sge->length > apply) {
u32 len = sge->length - apply;
+ tmp_i = i;
get_page(sg_page(sge));
sg_set_page(&tmp, sg_page(sge), len,
sge->offset + apply);
@@ -676,6 +678,7 @@ static int tls_split_open_record(struct
nsge = sk_msg_elem(msg_npl, j);
if (tmp.length) {
memcpy(nsge, &tmp, sizeof(*nsge));
+ sk_msg_sg_copy_assign(msg_npl, j, msg_opl, tmp_i);
sk_msg_iter_var_next(j);
nsge = sk_msg_elem(msg_npl, j);
}
@@ -683,6 +686,7 @@ static int tls_split_open_record(struct
osge = sk_msg_elem(msg_opl, i);
while (osge->length) {
memcpy(nsge, osge, sizeof(*nsge));
+ sk_msg_sg_copy_assign(msg_npl, j, msg_opl, i);
sg_unmark_end(nsge);
sk_msg_iter_var_next(i);
sk_msg_iter_var_next(j);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 079/129] apparmor: mediate the implicit connect of TCP fast open sendmsg
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 078/129] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 080/129] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
` (56 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, John Johansen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 4d587cd8a72155089a627130bbd4716ec0856e21 upstream.
sendmsg()/sendto() with MSG_FASTOPEN is a combination of connect(2) and
write(2): it opens the connection in the SYN. apparmor_socket_sendmsg()
only checks AA_MAY_SEND, so a profile that grants send but denies connect
lets a confined task open an outbound TCP/MPTCP connection that connect(2)
would have refused, bypassing connect mediation.
Mediate the implicit connect when MSG_FASTOPEN is set and a destination
is supplied. Add it to apparmor_socket_sendmsg() (not the shared
aa_sock_msg_perm() helper, which recvmsg also uses) and call aa_sk_perm()
directly, mirroring the selinux and tomoyo fixes. sk_is_tcp() does not
cover MPTCP fast open, so the SOCK_STREAM/IPPROTO_MPTCP arm is explicit.
Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/lsm.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -984,7 +984,21 @@ static int aa_sock_msg_perm(const char *
static int apparmor_socket_sendmsg(struct socket *sock,
struct msghdr *msg, int size)
{
- return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
+ int error = aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
+
+ if (error)
+ return error;
+
+ /* TCP fast open carries connect() semantics in sendmsg(); mediate
+ * the implicit connect so it cannot bypass the connect permission.
+ */
+ if ((msg->msg_flags & MSG_FASTOPEN) && msg->msg_name &&
+ (sk_is_tcp(sock->sk) ||
+ (sk_is_inet(sock->sk) && sock->sk->sk_type == SOCK_STREAM &&
+ sock->sk->sk_protocol == IPPROTO_MPTCP)))
+ error = aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk);
+
+ return error;
}
/**
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 080/129] apparmor: fix use-after-free in rawdata dedup loop
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 079/129] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 081/129] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
` (55 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Colin Ian King, Ruslan Valiyev,
John Johansen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruslan Valiyev <linuxoid@gmail.com>
commit 6f060496d03e4dc560a40f73770bd08335cb7a27 upstream.
aa_replace_profiles() walks ns->rawdata_list to dedup the incoming
policy blob against entries already attached to existing profiles.
Per the kernel-doc on struct aa_loaddata, list membership does not
hold a reference: profiles hold pcount, and when the last pcount
drops, do_ploaddata_rmfs() is queued on a workqueue that takes
ns->lock and removes the entry. Between dropping the last pcount
and the workqueue running, an entry remains on the list with
pcount == 0.
aa_get_profile_loaddata() is an unconditional kref_get() on
pcount, so when the dedup loop hits such an entry, refcount
hardening reports
refcount_t: addition on 0; use-after-free.
inside aa_replace_profiles(), and the poisoned counter then
trips "saturated" and "underflow" warnings on the subsequent
uses of the same loaddata.
Before commit a0b7091c4de4 ("apparmor: fix race on rawdata
dereference") the dedup path used a get_unless_zero-style helper
on a single counter, so the existing "if (tmp)" guard was
meaningful. The split-refcount refactor introduced
aa_get_profile_loaddata(), which has plain kref_get() semantics,
and the guard quietly became a no-op.
Introduce aa_get_profile_loaddata_not0(), matching the existing
_not0 convention used by aa_get_profile_not0(), and use it for
the rawdata_list dedup lookup so dying entries are skipped.
Reproduced on x86_64 with v7.1-rc5 in QEMU+KVM running Ubuntu
24.04 + stress-ng 0.17.06:
stress-ng --apparmor 1 --klog-check --timeout 60s
Without this patch the three refcount_t warnings fire within a
few seconds. With it the same 60 s run is clean. Coverage is a
smoke-test only; a longer soak with CONFIG_KASAN, CONFIG_KCSAN
and CONFIG_PROVE_LOCKING would be welcome from anyone with the
cycles.
Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
Reported-by: Colin Ian King <colin.i.king@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221513
Cc: stable@vger.kernel.org
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/include/policy_unpack.h | 19 +++++++++++++++++++
security/apparmor/policy.c | 8 ++++++--
2 files changed, 25 insertions(+), 2 deletions(-)
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -161,6 +161,25 @@ aa_get_profile_loaddata(struct aa_loadda
return data;
}
+/**
+ * aa_get_profile_loaddata_not0 - get a profile reference count if not zero
+ * @data: reference to get a count on
+ *
+ * Like aa_get_profile_loaddata(), but safe to call on an entry that may
+ * be on a list (e.g. ns->rawdata_list) where the last pcount has already
+ * dropped and the deferred cleanup has not yet run.
+ *
+ * Returns: pointer to reference, or %NULL if @data is NULL or its
+ * profile refcount has already reached zero.
+ */
+static inline struct aa_loaddata *
+aa_get_profile_loaddata_not0(struct aa_loaddata *data)
+{
+ if (data && kref_get_unless_zero(&data->pcount))
+ return data;
+ return NULL;
+}
+
void __aa_loaddata_update(struct aa_loaddata *data, long revision);
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r);
void aa_loaddata_kref(struct kref *kref);
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1018,8 +1018,12 @@ ssize_t aa_replace_profiles(struct aa_ns
if (aa_rawdata_eq(rawdata_ent, udata)) {
struct aa_loaddata *tmp;
- tmp = aa_get_profile_loaddata(rawdata_ent);
- /* check we didn't fail the race */
+ /*
+ * Entries remain on rawdata_list with
+ * pcount == 0 until do_ploaddata_rmfs()
+ * runs; only take a live profile ref.
+ */
+ tmp = aa_get_profile_loaddata_not0(rawdata_ent);
if (tmp) {
aa_put_profile_loaddata(udata);
udata = tmp;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 081/129] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 6.1 080/129] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 082/129] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
` (54 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Koichiro Den, Dave Jiang,
Jon Mason
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
commit d876153680e3d721d385e554def919bce3d18c74 upstream.
When BAR_PEER_SPAD and BAR_CONFIG share one PCI BAR, the module teardown
path ends up calling pci_iounmap() on the same iomem with some offset,
which is unnecessary and triggers a kernel warning like the following:
Trying to vunmap() nonexistent vm area (0000000069a5ffe8)
WARNING: mm/vmalloc.c:3470 at vunmap+0x58/0x68, CPU#5: modprobe/2937
[...]
Call trace:
vunmap+0x58/0x68 (P)
iounmap+0x34/0x48
pci_iounmap+0x2c/0x40
ntb_epf_pci_remove+0x44/0x80 [ntb_hw_epf]
pci_device_remove+0x48/0xf8
device_remove+0x50/0x88
device_release_driver_internal+0x1c8/0x228
driver_detach+0x50/0xb0
bus_remove_driver+0x74/0x100
driver_unregister+0x34/0x68
pci_unregister_driver+0x34/0xa0
ntb_epf_pci_driver_exit+0x14/0xfe0 [ntb_hw_epf]
[...]
Fix it by unmapping only when PEER_SPAD and CONFIG use difference bars.
Cc: stable@vger.kernel.org
Fixes: e75d5ae8ab88 ("NTB: epf: Allow more flexibility in the memory BAR map method")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/hw/epf/ntb_hw_epf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
+++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
@@ -649,7 +649,8 @@ static void ntb_epf_deinit_pci(struct nt
struct pci_dev *pdev = ndev->ntb.pdev;
pci_iounmap(pdev, ndev->ctrl_reg);
- pci_iounmap(pdev, ndev->peer_spad_reg);
+ if (ndev->barno_map[BAR_PEER_SPAD] != ndev->barno_map[BAR_CONFIG])
+ pci_iounmap(pdev, ndev->peer_spad_reg);
pci_iounmap(pdev, ndev->db_reg);
pci_clear_master(pdev);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 082/129] KEYS: fix overflow in keyctl_pkey_params_get_2()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 081/129] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 083/129] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
` (53 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alessandro Groppo, Jarkko Sakkinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko@kernel.org>
commit cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b upstream.
The length for the internal output buffer is calculated incorrectly, which
can result overflow when a too small buffer is provided.
Fix the bug by allocating internal output with the size of the maximum
length of the cryptographic primitive instead of caller provided size.
Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/
Cc: stable@vger.kernel.org # v4.20+
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Reported-by: Alessandro Groppo <ale.grpp@gmail.com>
Tested-by: Alessandro Groppo <ale.grpp@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/keyctl_pkey.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(cons
if (uparams.in_len > info.max_dec_size ||
uparams.out_len > info.max_enc_size)
return -EINVAL;
+
+ params->out_len = info.max_enc_size;
break;
case KEYCTL_PKEY_DECRYPT:
if (uparams.in_len > info.max_enc_size ||
uparams.out_len > info.max_dec_size)
return -EINVAL;
+
+ params->out_len = info.max_dec_size;
break;
case KEYCTL_PKEY_SIGN:
if (uparams.in_len > info.max_data_size ||
uparams.out_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
case KEYCTL_PKEY_VERIFY:
if (uparams.in_len > info.max_data_size ||
uparams.in2_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
default:
BUG();
}
params->in_len = uparams.in_len;
- params->out_len = uparams.out_len; /* Note: same as in2_len */
return 0;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 083/129] keys: Pin request_key_auth payload in instantiate paths
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 082/129] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 084/129] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
` (52 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shaomin Chen, Jarkko Sakkinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaomin Chen <eeesssooo020@gmail.com>
commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.
A: request_key() B: KEYCTL_INSTANTIATE_IOV
================ =========================
create auth key
store rka in auth key
wait for helper
get auth key
load rka from auth key
copy user payload
sleep on #PF
helper completed
detach and free rka
destroy auth key
wake up
use rka->target_key
**USE-AFTER-FREE**
Give request_key_auth payloads a refcount. Take a payload reference while
authkey->sem stabilizes the payload and revocation state. Hold that
reference across the instantiate and reject paths. Drop the auth key
owning reference from revoke and destroy.
[jarkko: Replaced the first two paragraphs of text with an actual
concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/keys/request_key_auth-type.h | 2 ++
security/keys/internal.h | 2 ++
security/keys/keyctl.c | 24 ++++++++++++++++++------
security/keys/request_key_auth.c | 33 +++++++++++++++++++++++++++++++--
4 files changed, 53 insertions(+), 8 deletions(-)
--- a/include/keys/request_key_auth-type.h
+++ b/include/keys/request_key_auth-type.h
@@ -9,12 +9,14 @@
#define _KEYS_REQUEST_KEY_AUTH_TYPE_H
#include <linux/key.h>
+#include <linux/refcount.h>
/*
* Authorisation record for request_key().
*/
struct request_key_auth {
struct rcu_head rcu;
+ refcount_t usage;
struct key *target_key;
struct key *dest_keyring;
const struct cred *cred;
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -215,6 +215,8 @@ extern struct key *request_key_auth_new(
const void *callout_info,
size_t callout_len,
struct key *dest_keyring);
+struct request_key_auth *request_key_auth_get(struct key *authkey);
+void request_key_auth_put(struct request_key_auth *rka);
extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1196,9 +1196,13 @@ static long keyctl_instantiate_key_commo
if (!instkey)
goto error;
- rka = instkey->payload.data[0];
- if (rka->target_key->serial != id)
+ rka = request_key_auth_get(instkey);
+ if (!rka) {
+ ret = -EKEYREVOKED;
goto error;
+ }
+ if (rka->target_key->serial != id)
+ goto error_put_rka;
/* pull the payload in if one was supplied */
payload = NULL;
@@ -1207,7 +1211,7 @@ static long keyctl_instantiate_key_commo
ret = -ENOMEM;
payload = kvmalloc(plen, GFP_KERNEL);
if (!payload)
- goto error;
+ goto error_put_rka;
ret = -EFAULT;
if (!copy_from_iter_full(payload, plen, from))
@@ -1233,6 +1237,8 @@ static long keyctl_instantiate_key_commo
error2:
kvfree_sensitive(payload, plen);
+error_put_rka:
+ request_key_auth_put(rka);
error:
return ret;
}
@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id,
if (!instkey)
goto error;
- rka = instkey->payload.data[0];
- if (rka->target_key->serial != id)
+ rka = request_key_auth_get(instkey);
+ if (!rka) {
+ ret = -EKEYREVOKED;
goto error;
+ }
+ if (rka->target_key->serial != id)
+ goto error_put_rka;
/* find the destination keyring if present (which must also be
* writable) */
ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
if (ret < 0)
- goto error;
+ goto error_put_rka;
/* instantiate the key and link it into a keyring */
ret = key_reject_and_link(rka->target_key, timeout, error,
@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id,
if (ret == 0)
keyctl_change_reqkey_auth(NULL);
+error_put_rka:
+ request_key_auth_put(rka);
error:
return ret;
}
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -23,6 +23,7 @@ static void request_key_auth_describe(co
static void request_key_auth_revoke(struct key *);
static void request_key_auth_destroy(struct key *);
static long request_key_auth_read(const struct key *, char *, size_t);
+static void request_key_auth_rcu_disposal(struct rcu_head *);
/*
* The request-key authorisation key type definition.
@@ -116,6 +117,31 @@ static void free_request_key_auth(struct
}
/*
+ * Take a reference to the request-key authorisation payload so callers can
+ * drop authkey->sem before doing operations that may sleep.
+ */
+struct request_key_auth *request_key_auth_get(struct key *authkey)
+{
+ struct request_key_auth *rka;
+
+ down_read(&authkey->sem);
+ rka = dereference_key_locked(authkey);
+ if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
+ refcount_inc(&rka->usage);
+ else
+ rka = NULL;
+ up_read(&authkey->sem);
+
+ return rka;
+}
+
+void request_key_auth_put(struct request_key_auth *rka)
+{
+ if (rka && refcount_dec_and_test(&rka->usage))
+ call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+}
+
+/*
* Dispose of the request_key_auth record under RCU conditions
*/
static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru
struct request_key_auth *rka = dereference_key_locked(key);
kenter("{%d}", key->serial);
+ if (!rka)
+ return;
rcu_assign_keypointer(key, NULL);
- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+ request_key_auth_put(rka);
}
/*
@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str
kenter("{%d}", key->serial);
if (rka) {
rcu_assign_keypointer(key, NULL);
- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+ request_key_auth_put(rka);
}
}
@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct
rka = kzalloc(sizeof(*rka), GFP_KERNEL);
if (!rka)
goto error;
+ refcount_set(&rka->usage, 1);
rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
if (!rka->callout_info)
goto error_free_rka;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 084/129] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 083/129] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 085/129] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
` (51 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zenm Chen, Lorenzo Bianconi,
Felix Fietkau
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
commit f4ce0664e9f0387873b181777891741c33e19465 upstream.
Add the ID 056e:400a to the table to support an additional MT7612U
adapter: ELECOM WDC-867SU3S.
Compile tested only.
Cc: stable@vger.kernel.org # 5.10.x
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260407154430.9184-1-zenmchen@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
@@ -16,6 +16,7 @@ static const struct usb_device_id mt76x2
{ USB_DEVICE(0x0e8d, 0x7612) }, /* Aukey USBAC1200 - Alfa AWUS036ACM */
{ USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */
{ USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */
+ { USB_DEVICE(0x056e, 0x400a) }, /* ELECOM WDC-867SU3S */
{ USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */
{ USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */
{ USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 085/129] wifi: ath11k: fix warning when unbinding
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 084/129] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 086/129] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
` (50 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Ignacio Tornos Martinez,
Baochen Qiang, Rameshkumar Sundaram, Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
commit 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 upstream.
If there is an error during some initialization related to firmware,
the buffers dp->tx_ring[i].tx_status are released.
However this is released again when the device is unbinded (ath11k_pci),
and we get:
WARNING: CPU: 0 PID: 6231 at mm/slub.c:4368 free_large_kmalloc+0x57/0x90
Call Trace:
free_large_kmalloc
ath11k_dp_free
ath11k_core_deinit
ath11k_pci_remove
...
The issue is always reproducible from a VM because the MSI addressing
initialization is failing.
In order to fix the issue, just set the buffers to NULL after releasing in
order to avoid the double free.
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Link: https://patch.msgid.link/20260420110130.509670-1-jtornosm@redhat.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/dp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/ath/ath11k/dp.c
+++ b/drivers/net/wireless/ath/ath11k/dp.c
@@ -1039,6 +1039,7 @@ void ath11k_dp_free(struct ath11k_base *
idr_destroy(&dp->tx_ring[i].txbuf_idr);
spin_unlock_bh(&dp->tx_ring[i].tx_idr_lock);
kfree(dp->tx_ring[i].tx_status);
+ dp->tx_ring[i].tx_status = NULL;
}
/* Deinit any SOC level resource */
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 086/129] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 085/129] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 087/129] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
` (49 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
commit 83d38df6929118c3f996b9e3351c2d5014073d87 upstream.
Bit 28 of double word 2 in the RX descriptor indicates if the packet is
a normal 802.11 frame, or a message from the wifi firmware to the
driver (Card 2 Host).
Commit f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation
macros") mistakenly made the driver look for this bit in double word 1,
causing packet loss and Bluetooth coexistence problems.
Fixes: f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation macros")
Cc: <stable@vger.kernel.org>
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/04da7398-cedb-425a-a810-5772ab10139d@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h
@@ -291,7 +291,7 @@ static inline int get_rx_desc_paggr(__le
static inline int get_rx_status_desc_rpt_sel(__le32 *__pdesc)
{
- return le32_get_bits(*(__pdesc + 1), BIT(28));
+ return le32_get_bits(*(__pdesc + 2), BIT(28));
}
static inline int get_rx_desc_rxmcs(__le32 *__pdesc)
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 087/129] f2fs: validate compress cache inode only when enabled
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 086/129] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 088/129] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
` (48 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qwjhust@gmail.com>
commit 5073c66a96a9c23c0c2533ed4ed06e42f9021208 upstream.
F2FS_COMPRESS_INO() uses NM_I(sbi)->max_nid as the synthetic inode
number for the compressed page cache inode. That inode only exists when
the compress_cache mount option is enabled.
When compress_cache is disabled, max_nid is outside the valid inode
range. A corrupted directory entry that points to ino == max_nid should
therefore be rejected by f2fs_check_nid_range(). However, is_meta_ino()
currently treats F2FS_COMPRESS_INO() as a meta inode unconditionally,
so f2fs_iget() bypasses do_read_inode() and its nid range check, and
instantiates a fake internal inode instead.
Gate the compressed cache inode case on COMPRESS_CACHE, matching
f2fs_init_compress_inode(). With compress_cache disabled, ino ==
max_nid now follows the normal inode path and is rejected as an
out-of-range nid.
Cc: stable@kernel.org
Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -476,8 +476,13 @@ static int do_read_inode(struct inode *i
static bool is_meta_ino(struct f2fs_sb_info *sbi, unsigned int ino)
{
- return ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) ||
- ino == F2FS_COMPRESS_INO(sbi);
+ if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi))
+ return true;
+#ifdef CONFIG_F2FS_FS_COMPRESSION
+ if (test_opt(sbi, COMPRESS_CACHE) && ino == F2FS_COMPRESS_INO(sbi))
+ return true;
+#endif
+ return false;
}
struct inode *f2fs_iget(struct super_block *sb, unsigned long ino)
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 088/129] f2fs: fix to round down start offset of fallocate for pin file
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 087/129] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 089/129] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
` (47 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunji Kang, Yeongjin Gil,
Sungjong Seo, Sunmin Jeong, Chao Yu, Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sunmin Jeong <s_min.jeong@samsung.com>
commit 4275b59673eb60b02eec3997816c83f1f4b909c4 upstream.
Currently, the length of fallocate for pin file is section-aligned to
keep allocated sections from being selected as victims of GC. However,
for the case that the start offset of fallocate is not aligned in
section, the allocated sections can't be fully utilized. It's because a
new section is allocated by f2fs_allocate_pinning_section() after using
blks_per_sec blocks regardless of the start offset. As a result, several
unexpected dirty segments may be created, including blocks assigned to
the pinned file.
To address this issue, let's round down the start offset of fallocate
to the length of section.
The reproducing scenario is as below
chunk=$(((2<<20)+4096)) # 2MB + 4KB
touch test
f2fs_io pinfile set test
f2fs_io fallocate 0 0 $chunk test
f2fs_io fallocate 0 $chunk $chunk test
f2fs_io fallocate 0 $((chunk*2)) $chunk test
f2fs_io fiemap 0 $((chunk*3)) test
Fiemap: offset = 0 len = 12288
logical addr. physical addr. length flags
0 0000000000000000 000000068c600000 0000000000400000 00001088
1 0000000000400000 000000003d400000 0000000000001000 00001088
2 0000000000401000 00000003eb200000 0000000000200000 00001088
3 0000000000601000 00000005e4200000 0000000000001000 00001088
4 0000000000602000 0000000605400000 0000000000200000 00001089
Cc: stable@vger.kernel.org
Fixes: f5a53edcf01e ("f2fs: support aligned pinned file")
Reviewed-by: Yunji Kang <yunji0.kang@samsung.com>
Reviewed-by: Yeongjin Gil <youngjin.gil@samsung.com>
Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
Signed-off-by: Sunmin Jeong <s_min.jeong@samsung.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1786,8 +1786,15 @@ static int expand_inode_data(struct inod
if (f2fs_is_pinned_file(inode)) {
block_t sec_blks = CAP_BLKS_PER_SEC(sbi);
- block_t sec_len = roundup(map.m_len, sec_blks);
+ block_t sec_len;
+ if (map.m_lblk % sec_blks) {
+ map.m_lblk = rounddown(map.m_lblk, sec_blks);
+ map.m_len = pg_end - map.m_lblk;
+ if (off_end)
+ map.m_len++;
+ }
+ sec_len = roundup(map.m_len, sec_blks);
map.m_len = sec_blks;
next_alloc:
if (has_not_enough_free_secs(sbi, 0,
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 089/129] f2fs: validate ACL entry sizes in f2fs_acl_from_disk()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 088/129] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 090/129] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
` (46 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zhang Cen, Chao Yu,
Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
commit c4810ada31e80cbe4011467c4f3b1e93f94134f3 upstream.
f2fs_acl_count() only validates the aggregate ACL xattr length. A
malformed ACL can still place ACL_USER or ACL_GROUP in a slot that only
contains struct f2fs_acl_entry_short bytes, and f2fs_acl_from_disk()
then reads entry->e_id before verifying that a full entry fits.
Require a short entry before reading e_tag and e_perm, and require a
full entry before reading e_id for ACL_USER and ACL_GROUP. Return
-EFSCORRUPTED from these new truncated-entry checks, while keeping the
pre-existing -EINVAL paths unchanged.
Validation reproduced this kernel report:
KASAN slab-out-of-bounds in __f2fs_get_acl+0x6fb/0x7e0
RIP: 0033:0x7f4b835ea7aa
The buggy address belongs to the object at ffff888114589960 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 8-byte
region [ffff888114589960, ffff888114589968)
Read of size 4
Call trace:
dump_stack_lvl+0x66/0xa0 (?:?)
print_report+0xce/0x630 (?:?)
__f2fs_get_acl+0x6fb/0x7e0 (fs/f2fs/acl.c:169)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
__virt_addr_valid+0x224/0x430 (?:?)
kasan_report+0xe0/0x110 (?:?)
__f2fs_get_acl+0x5/0x7e0 (fs/f2fs/acl.c:169)
__get_acl+0x281/0x380 (?:?)
vfs_get_acl+0x10b/0x190 (?:?)
do_get_acl+0x2a/0x410 (?:?)
do_get_acl+0x9/0x410 (?:?)
do_getxattr+0xe8/0x260 (?:?)
filename_getxattr+0xd1/0x140 (?:?)
do_getname+0x2d/0x2d0 (?:?)
path_getxattrat+0x16c/0x200 (?:?)
lock_release+0xc8/0x290 (?:?)
cgroup_update_frozen+0x9d/0x320 (?:?)
lockdep_hardirqs_on_prepare+0xea/0x1a0 (?:?)
trace_hardirqs_on+0x1a/0x170 (?:?)
_raw_spin_unlock_irq+0x28/0x50 (?:?)
do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
Cc: stable@kernel.org
Fixes: af48b85b8cd3 ("f2fs: add xattr and acl functionalities")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/acl.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -46,6 +46,7 @@ static inline int f2fs_acl_count(size_t
static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
{
int i, count;
+ int err = -EINVAL;
struct posix_acl *acl;
struct f2fs_acl_header *hdr = (struct f2fs_acl_header *)value;
struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
@@ -69,8 +70,11 @@ static struct posix_acl *f2fs_acl_from_d
for (i = 0; i < count; i++) {
- if ((char *)entry > end)
+ if (unlikely((char *)entry +
+ sizeof(struct f2fs_acl_entry_short) > end)) {
+ err = -EFSCORRUPTED;
goto fail;
+ }
acl->a_entries[i].e_tag = le16_to_cpu(entry->e_tag);
acl->a_entries[i].e_perm = le16_to_cpu(entry->e_perm);
@@ -85,6 +89,11 @@ static struct posix_acl *f2fs_acl_from_d
break;
case ACL_USER:
+ if (unlikely((char *)entry +
+ sizeof(struct f2fs_acl_entry) > end)) {
+ err = -EFSCORRUPTED;
+ goto fail;
+ }
acl->a_entries[i].e_uid =
make_kuid(&init_user_ns,
le32_to_cpu(entry->e_id));
@@ -92,6 +101,11 @@ static struct posix_acl *f2fs_acl_from_d
sizeof(struct f2fs_acl_entry));
break;
case ACL_GROUP:
+ if (unlikely((char *)entry +
+ sizeof(struct f2fs_acl_entry) > end)) {
+ err = -EFSCORRUPTED;
+ goto fail;
+ }
acl->a_entries[i].e_gid =
make_kgid(&init_user_ns,
le32_to_cpu(entry->e_id));
@@ -107,7 +121,7 @@ static struct posix_acl *f2fs_acl_from_d
return acl;
fail:
posix_acl_release(acl);
- return ERR_PTR(-EINVAL);
+ return ERR_PTR(err);
}
static void *f2fs_acl_to_disk(struct f2fs_sb_info *sbi,
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 090/129] bpf: use kvfree() for replaced sysctl write buffer
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 089/129] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 091/129] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
` (45 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tsalapatis, Jiayuan Chen,
Yonghong Song, Zilin Guan, Dawei Feng, Alexei Starovoitov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 4c21b5927d4364bfe7365f2700da5fea0ed0d004 upstream.
proc_sys_call_handler() allocates its temporary sysctl buffer with
kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since
kvzalloc() may fall back to vmalloc() for large allocations, freeing
that buffer with kfree() is wrong and can corrupt memory.
Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc
allocations.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc5.
Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with
KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the
test tree also included the accompanying fix for the stale ret == 1
check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines
failslab injections to the proc_sys_call_handler() range, uses
stacktrace-depth=32, and injects fail-nth=1 while writing 8191 bytes to
/proc/sys/kernel/domainname from a task in the target cgroup. Under
that setup, fail-nth=1 triggered the fault:
BUG: unable to handle page fault for address: ffffeb0200024d48
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kfree+0x6e/0x510
...
Call Trace:
<TASK>
? __cgroup_bpf_run_filter_sysctl+0x626/0xc30
__cgroup_bpf_run_filter_sysctl+0x74d/0xc30
? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10
? srso_return_thunk+0x5/0x5f
? __kvmalloc_node_noprof+0x345/0x870
? proc_sys_call_handler+0x250/0x480
? srso_return_thunk+0x5/0x5f
proc_sys_call_handler+0x3a2/0x480
? __pfx_proc_sys_call_handler+0x10/0x10
? srso_return_thunk+0x5/0x5f
? selinux_file_permission+0x39f/0x500
? srso_return_thunk+0x5/0x5f
? lock_is_held_type+0x9e/0x120
vfs_write+0x98e/0x1000
...
</TASK>
With this fix applied on top of the same test setup, rerunning the
reproducer with fail-nth=1 yields no corresponding Oops reports.
Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer")
Cc: stable@vger.kernel.org
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Link: https://lore.kernel.org/r/20260603105317.944304-3-dawei.feng@seu.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1745,7 +1745,7 @@ int __cgroup_bpf_run_filter_sysctl(struc
kfree(ctx.cur_val);
if (ret == 1 && ctx.new_updated) {
- kfree(*buf);
+ kvfree(*buf);
*buf = ctx.new_val;
*pcount = ctx.new_len;
} else {
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 091/129] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 090/129] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 092/129] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
` (44 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki,
Thomas Bogendoerfer
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 7fb13fd35110ebe95eb053faf79d018f51144d85 upstream.
In 64-bit configurations calling the initial console output handler from
a kernel thread other than the initial one will result in a situation
where the stack has been placed in the XKPHYS 64-bit memory segment and
consequently so has been the buffer allocated there that is used as the
argument corresponding to the `%s' output conversion specifier for the
firmware's printf() entry point.
This 64-bit address will then be truncated by 32-bit firmware, resulting
in an attempt to access the wrong memory location, which in turn will
cause all kinds of unpredictable behaviour, such as a kernel crash:
Console: colour dummy device 160x64
Calibrating delay loop... 49.36 BogoMIPS (lpj=192512)
pid_max: default: 32768 minimum: 301
CPU 0 Unable to handle kernel paging request at virtual address 000000000203bd00, epc == ffffffffbfc08364, ra == ffffffffbfc08800
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc2-00254-gfb649bda6f56-dirty #121
$ 0 : 0000000000000000 0000000000000001 0000000000000023 ffffffff80684ba0
$ 4 : 000000000203bd00 ffffffffbfc0f3b4 ffffffffffffffff 0000000000000073
$ 8 : 0a303d7469000000 0000000000000000 0000000000000073 ffffffffbfc0f473
$12 : 0000000000000002 0000000000000000 ffffffff80684c1c 0000000000000000
$16 : 0000000000000000 ffffffff80596dc9 0000000000000000 ffffffffbfc09240
$20 : ffffffff80684c40 ffffffffbfc0f400 000000000000002d 000000000000002b
$24 : ffffffffffffffbf 000000000203bd00
$28 : ffffffff805f0000 ffffffff80684b58 0000000000000030 ffffffffbfc08800
Hi : 0000000000000000
Lo : 0000000000000aa8
epc : ffffffffbfc08364 0xffffffffbfc08364
ra : ffffffffbfc08800 0xffffffffbfc08800
Status: 140120e2 KX SX UX KERNEL EXL
Cause : 00000008 (ExcCode 02)
BadVA : 000000000203bd00
PrId : 00000430 (R4000SC)
Modules linked in:
Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)
Stack : 0000000000000000 0000000000000000 0000000000000000 0000004d0000004d
80684cc0806a2a40 80596dc80000004d 8061000000000000 bfc0850c80684c38
0000000000000000 000000000203bd00 0000000000000000 0000000000000000
0000000000000000 00000000bfc0f3b4 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000000000
0000002500000000 0000000000000000 0000000000000000 802c1a7400000000
0203bd0080596dc8 0203bd4d69000000 6c61632000000018 5f746567646e6172
6c616320625f6d6f 5f736e5f6d6f7266 206361323778302b 303d74696e726320
806a0a38806b0000 806a0a38806b0000 00000000806b0000 80683c58806b0000
...
Call Trace:
Code: a082ffff 03e00008 00601021 <80820000> 00001821 10400005 24840001 80820000 24630001
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception in interrupt
KN04 V2.1k (PC: 0xa0026768, SP: 0x806848e8)
>>
In this case the pointer in $4 was truncated from 0x980000000203bd00 to
0x000000000203bd00.
This may happen when no final console driver has been enabled in the
configuration and consequently the initial console continues being used
late into bootstrap or with an upcoming change that will switch the zs
driver to use a platform device, which in turn will make the console
handover happen only after other kernel threads have already been
started.
Fix the issue by making the buffer static and initdata, and therefore
placed in the CKSEG0 32-bit compatibility segment, observing that the
console output handler is called with the console lock held, implying
no need for this code to be reentrant. Add an assertion to verify the
buffer actually has been placed in a compatibility segment.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.12+
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/dec/prom/console.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/mips/dec/prom/console.c
+++ b/arch/mips/dec/prom/console.c
@@ -2,8 +2,9 @@
/*
* DECstation PROM-based early console support.
*
- * Copyright (C) 2004, 2007 Maciej W. Rozycki
+ * Copyright (C) 2004, 2007, 2026 Maciej W. Rozycki
*/
+#include <linux/bug.h>
#include <linux/console.h>
#include <linux/init.h>
#include <linux/kernel.h>
@@ -14,9 +15,11 @@
static void __init prom_console_write(struct console *con, const char *s,
unsigned int c)
{
- char buf[81];
+ static char buf[81] __initdata = { 0 };
unsigned int chunk = sizeof(buf) - 1;
+ BUG_ON((long)buf != (int)(long)buf);
+
while (c > 0) {
if (chunk > c)
chunk = c;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 092/129] exfat: fix potential use-after-free in exfat_find_dir_entry()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 091/129] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 093/129] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
` (43 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 upstream.
In exfat_find_dir_entry(), the buffer_head obtained from
exfat_get_dentry() is released with brelse(bh) before the fall-through
TYPE_EXTEND branch reads the directory entry through ep (which points
into bh->b_data):
brelse(bh);
if (entry_type == TYPE_EXTEND) {
...
len = exfat_extract_uni_name(ep, entry_uniname);
...
}
After brelse() drops our reference, nothing guarantees that the
underlying page backing bh->b_data remains valid for the subsequent
exfat_extract_uni_name() read. This is the same pattern fixed in
commit fc961522ddbd ("exfat: Fix potential use after free in
exfat_load_upcase_table()").
Move brelse(bh) so it runs after ep is no longer dereferenced on
each branch.
Confirmed on QEMU x86_64 with CONFIG_KASAN=y + CONFIG_DEBUG_PAGEALLOC=y
+ CONFIG_PAGE_POISONING=y on linux-next, using a crafted exFAT image
(long filename with same-hash collisions forcing the TYPE_EXTEND path).
With a debug-only invalidate_bdev() inserted between brelse(bh) and
the ep read to make the stale-deref window deterministic, the
unpatched kernel faults:
BUG: KASAN: use-after-free in exfat_find_dir_entry+0x133b/0x15a0
BUG: unable to handle page fault for address: ffff88801a5fa0c2
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
RIP: 0010:exfat_find_dir_entry+0x1188/0x15a0
With this patch applied, the same instrumented harness completes
cleanly under the same sanitizer stack. I have not reproduced a
crash on an uninstrumented kernel under ordinary reclaim; the
instrumented A/B establishes the lifetime violation and that the
patch closes it, not an unaided triggerability claim.
Fixes: ca06197382bd ("exfat: add directory operations")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/dir.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/exfat/dir.c
+++ b/fs/exfat/dir.c
@@ -1040,12 +1040,12 @@ rewind:
continue;
}
- brelse(bh);
if (entry_type == TYPE_EXTEND) {
unsigned short entry_uniname[16], unichar;
if (step != DIRENT_STEP_NAME ||
name_len >= MAX_NAME_LENGTH) {
+ brelse(bh);
step = DIRENT_STEP_FILE;
continue;
}
@@ -1056,6 +1056,7 @@ rewind:
uniname += EXFAT_FILE_NAME_LEN;
len = exfat_extract_uni_name(ep, entry_uniname);
+ brelse(bh);
name_len += len;
unichar = *(uniname+len);
@@ -1074,6 +1075,7 @@ rewind:
continue;
}
+ brelse(bh);
if (entry_type &
(TYPE_CRITICAL_SEC | TYPE_BENIGN_SEC)) {
if (step == DIRENT_STEP_SECD) {
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 093/129] hdlc_ppp: sync per-proto timers before freeing hdlc state
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 092/129] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 094/129] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
` (42 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit c78a4e41ab5ead6193ad8a2dd92e8906bae659fa upstream.
Each PPP control protocol (LCP/IPCP/IPV6CP) embedded in struct ppp
registers a timer via timer_setup(). That struct ppp is the
hdlc->state allocation, which detach_hdlc_protocol() frees with kfree()
in both teardown paths: unregister_hdlc_device() and the re-attach inside
attach_hdlc_protocol().
The ppp proto never registered a .detach callback, so
detach_hdlc_protocol() performs no timer synchronization before the
kfree(). The only cancel, timer_delete(&proto->timer) in ppp_cp_event(),
is partial (it does not wait for a running callback) and only runs on the
->CLOSED transition; ppp_stop()/ppp_close() do not sync either. A
ppp_timer callback already executing (blocked on ppp->lock) survives the
kfree and then dereferences proto->state / ppp->lock in freed memory,
leading to a use-after-free.
Fix this by adding a .detach helper that calls timer_shutdown_sync() on
every per-proto timer. detach_hdlc_protocol() invokes proto->detach(dev)
before kfree(hdlc->state), so timer_shutdown_sync()
now runs on both free paths.
timer_shutdown_sync() is used instead of timer_delete_sync() because the
keepalive path re-arms the timer through add_timer()/mod_timer() and
shutdown blocks any re-activation during teardown.
Initialize the per-protocol timers in ppp_ioctl() when the protocol is
attached, and remove the now-redundant timer_setup() from ppp_start(), so
that the timers are initialized exactly once at attach time and
ppp_timer_release() never operates on uninitialized timer_list
structures. attach_hdlc_protocol() uses kmalloc() (not kzalloc), so
struct ppp's protos[i].timer is uninitialized garbage until the first
timer_setup(); without this init-at-attach, attaching the PPP protocol
without ever bringing the device up would leave timer_shutdown_sync()
operating on uninitialized memory in .detach. Moving the init out of
ppp_start() (which only runs on NETDEV_UP) into the attach path makes the
initialization unconditional and avoids initializing the same timer_list
twice.
This bug was found by static analysis.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260617020518.116319-1-fanwu01@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wan/hdlc_ppp.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/net/wan/hdlc_ppp.c
+++ b/drivers/net/wan/hdlc_ppp.c
@@ -621,7 +621,6 @@ static void ppp_start(struct net_device
struct proto *proto = &ppp->protos[i];
proto->dev = dev;
- timer_setup(&proto->timer, ppp_timer, 0);
proto->state = CLOSED;
}
ppp->protos[IDX_LCP].pid = PID_LCP;
@@ -641,6 +640,15 @@ static void ppp_close(struct net_device
ppp_tx_flush();
}
+static void ppp_timer_release(struct net_device *dev)
+{
+ struct ppp *ppp = get_ppp(dev);
+ int i;
+
+ for (i = 0; i < IDX_COUNT; i++)
+ timer_shutdown_sync(&ppp->protos[i].timer);
+}
+
static struct hdlc_proto proto = {
.start = ppp_start,
.stop = ppp_stop,
@@ -649,6 +657,7 @@ static struct hdlc_proto proto = {
.ioctl = ppp_ioctl,
.netif_rx = ppp_rx,
.module = THIS_MODULE,
+ .detach = ppp_timer_release,
};
static const struct header_ops ppp_header_ops = {
@@ -659,7 +668,7 @@ static int ppp_ioctl(struct net_device *
{
hdlc_device *hdlc = dev_to_hdlc(dev);
struct ppp *ppp;
- int result;
+ int i, result;
switch (ifs->type) {
case IF_GET_PROTO:
@@ -687,6 +696,8 @@ static int ppp_ioctl(struct net_device *
return result;
ppp = get_ppp(dev);
+ for (i = 0; i < IDX_COUNT; i++)
+ timer_setup(&ppp->protos[i].timer, ppp_timer, 0);
spin_lock_init(&ppp->lock);
ppp->req_timeout = 2;
ppp->cr_retries = 10;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 094/129] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 093/129] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
` (41 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doruk Tan Ozturk, Alexander Lobakin,
Tung Nguyen, Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doruk Tan Ozturk <doruk@0sec.ai>
commit bda3348872a2ef0d19f2df6aa8cb5025adce2f20 upstream.
tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to
crypto_aead_decrypt(req) without taking a reference on the netns, unlike
the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously
(e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs
tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the
meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the
per-netns tipc_crypto, and the completion then reads it:
tipc_aead_decrypt_done() dereferences aead->crypto->stats and
aead->crypto->net, and tipc_crypto_rcv_complete() dereferences
aead->crypto->aead[] and the node table -- reading freed memory.
Decoded KASAN splat (v7.1-rc7, CONFIG_KASAN_INLINE + TIPC + TIPC_CRYPTO):
BUG: KASAN: slab-use-after-free in tipc_aead_decrypt_done (net/tipc/crypto.c:999)
Read of size 8 at addr ffff8881056258a8 by task kworker/u16:2/51
Workqueue: events_unbound
Call Trace:
tipc_aead_decrypt_done (net/tipc/crypto.c:999)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
Allocated by task 169:
__kasan_kmalloc (mm/kasan/common.c:398 mm/kasan/common.c:415)
tipc_crypto_start (net/tipc/crypto.c:1502)
tipc_init_net (net/tipc/core.c:72)
ops_init (net/core/net_namespace.c:137)
setup_net (net/core/net_namespace.c:446)
copy_net_ns (net/core/net_namespace.c:579)
create_new_namespaces (kernel/nsproxy.c:132)
__x64_sys_unshare (kernel/fork.c:3316)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Freed by task 8:
kfree (mm/slub.c:6566)
tipc_exit_net (net/tipc/core.c:119)
cleanup_net (net/core/net_namespace.c:704)
process_one_work (kernel/workqueue.c:3314)
kthread (kernel/kthread.c:436)
This is the same class of bug that commit e279024617134 ("net/tipc: fix
slab-use-after-free Read in tipc_aead_encrypt_done") fixed for the encrypt
side. The encrypt path takes maybe_get_net(aead->crypto->net) before
crypto_aead_encrypt() and drops it with put_net() on the synchronous
return paths and in tipc_aead_encrypt_done(); the -EINPROGRESS/-EBUSY
return keeps the reference for the async callback to release. The decrypt
path was left without the equivalent guard.
Mirror the encrypt-side fix on the decrypt path: take a net reference
before crypto_aead_decrypt() (failing with -ENODEV and the matching
bearer put if it cannot be acquired), keep it across the
-EINPROGRESS/-EBUSY async return, and drop it with put_net() on the
synchronous success/error return and at the end of
tipc_aead_decrypt_done().
Reproduced under KASAN on v7.1-rc7: a UDP bearer with a cluster key is
flooded with crafted encrypted frames from an unknown peer (driving the
cluster-key decrypt path) while the bearer's netns is repeatedly torn
down. The completion must run asynchronously to outlive
tipc_crypto_stop(); on x86 the stock aesni gcm(aes) now decrypts
synchronously, so the async path was exercised via cryptd offload. The
unguarded aead->crypto dereference in tipc_aead_decrypt_done() is the
unpatched upstream path; tipc_aead_decrypt() still lacks
maybe_get_net(aead->crypto->net), so the completion can outlive the free
on any config where crypto_aead_decrypt() goes async.
Found by 0sec automated security-research tooling (https://0sec.ai).
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260617075818.37431-1-doruk@0sec.ai
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/crypto.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -950,12 +950,20 @@ static int tipc_aead_decrypt(struct net
goto exit;
}
+ /* Get net to avoid freed tipc_crypto when delete namespace */
+ if (!maybe_get_net(net)) {
+ tipc_bearer_put(b);
+ rc = -ENODEV;
+ goto exit;
+ }
+
/* Now, do decrypt */
rc = crypto_aead_decrypt(req);
if (rc == -EINPROGRESS || rc == -EBUSY)
return rc;
tipc_bearer_put(b);
+ put_net(net);
exit:
kfree(ctx);
@@ -993,6 +1001,7 @@ static void tipc_aead_decrypt_done(struc
}
tipc_bearer_put(b);
+ put_net(net);
}
static inline int tipc_ehdr_size(struct tipc_ehdr *ehdr)
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 094/129] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-03 3:12 ` 陈华才
2026-07-02 16:20 ` [PATCH 6.1 096/129] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
` (40 subsequent siblings)
135 siblings, 1 reply; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guo Ren, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit f2539c56c74691e7a88af6372ba2b48c06ed2fe4 upstream.
This is a port of MIPS commit 9f3f3bdc6d9dac1 ("MIPS: smp: report dying
CPU to RCU in stop_this_cpu()"). smp_send_stop() parks all secondary
CPUs in stop_this_cpu(). And the function marks the CPU offline for the
scheduler via set_cpu_online(false) but never informs RCU, so RCU keeps
expecting a quiescent state from CPUs that are now spinning forever with
interrupts disabled.
As long as nothing waits for an RCU grace period after smp_send_stop()
this is harmless, which is why it went unnoticed. However, since commit
91840be8f710370 ("irq_work: Fix use-after-free in irq_work_single() on
PREEMPT_RT"), irq_work_sync() calls synchronize_rcu() on architectures
without an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt()
returns false. Any irq_work_sync() issued in the reboot/shutdown/halt
path after smp_send_stop() then blocks on a grace period that can never
complete, hanging the reboot:
WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on
...
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
rcu: Offline CPU 1 blocking current GP.
rcu: Offline CPU 2 blocking current GP.
rcu: Offline CPU 3 blocking current GP.
This issue needs some hacks to reproduce, and it was not noticed on
LoongArch because arch_irq_work_has_interrupt() usually returns true.
Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring
the generic CPU-hotplug offline path, so RCU stops waiting on the parked
CPUs and grace periods can still complete. LoongArch shuts down all CPUs
here without going through the CPU-hotplug mechanism, so this report is
not otherwise issued.
Cc: <stable@vger.kernel.org>
Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
Reviewed-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/smp.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/loongarch/kernel/smp.c
+++ b/arch/loongarch/kernel/smp.c
@@ -517,6 +517,7 @@ static void stop_this_cpu(void *dummy)
set_cpu_online(smp_processor_id(), false);
calculate_cpu_foreign_map();
local_irq_disable();
+ rcutree_report_cpu_dead();
while (true);
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 096/129] pNFS: Fix use-after-free in pnfs_update_layout()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 097/129] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
` (39 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Anna Schumaker
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 13e198a90ca4050f4bee8a3f23680389a6563ccc upstream.
When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(),
the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds,
pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(),
which still references 'lo'. This results in a use-after-free when the
tracepoint accesses lo's fields.
Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo).
Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/pnfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -2070,11 +2070,11 @@ lookup_again:
dprintk("%s wait for layoutreturn\n", __func__);
lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
if (!IS_ERR(lseg)) {
- pnfs_put_layout_hdr(lo);
dprintk("%s retrying\n", __func__);
trace_pnfs_update_layout(ino, pos, count, iomode, lo,
lseg,
PNFS_UPDATE_LAYOUT_RETRY);
+ pnfs_put_layout_hdr(lo);
goto lookup_again;
}
trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 097/129] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 096/129] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 098/129] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
` (38 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qingshuang Fu, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingshuang Fu <fuqingshuang@kylinos.cn>
commit 37738fdf2ab1e504d1c63ce5bc0aeb6452d8f057 upstream.
The driver allocates domain generic chips using
irq_alloc_domain_generic_chips() during probe and sets up chained
handlers using irq_set_chained_handler_and_data(). However, on driver
removal, the generic chips are not freed and the chained handlers are
not removed.
The generic chips remain on the global gc_list and may later be accessed by
generic interrupt chip suspend, resume, or shutdown callbacks after the
driver has been removed, potentially resulting in a use-after-free and
kernel crash.
The chained handlers that were installed in probe for peripheral and
syswake interrupts are also left dangling, which can lead to spurious
interrupts accessing freed memory.
Fix these issues by:
- Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the
core code automatically removes generic chips when irq_domain_remove()
is called
- Clearing all chained handlers with NULL in pdc_intc_remove()
Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-imgpdc.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/irqchip/irq-imgpdc.c
+++ b/drivers/irqchip/irq-imgpdc.c
@@ -378,6 +378,7 @@ static int pdc_intc_probe(struct platfor
dev_err(&pdev->dev, "cannot add IRQ domain\n");
return -ENOMEM;
}
+ priv->domain->flags |= IRQ_DOMAIN_FLAG_DESTROY_GC;
/*
* Set up 2 generic irq chips with 2 chip types.
@@ -465,6 +466,11 @@ static int pdc_intc_remove(struct platfo
{
struct pdc_intc_priv *priv = platform_get_drvdata(pdev);
+ for (unsigned int i = 0; i < priv->nr_perips; ++i)
+ irq_set_chained_handler_and_data(priv->perip_irqs[i], NULL, NULL);
+
+ irq_set_chained_handler_and_data(priv->syswake_irq, NULL, NULL);
+
irq_domain_remove(priv->domain);
return 0;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 098/129] fpga: region: fix use-after-free in child_regions_with_firmware()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 097/129] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 099/129] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
` (37 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Xu Yilun, Xu Yilun
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 54f3c5643ec523a04b6ec0e7c19eb10f5ebebdd3 upstream.
Move of_node_put(child_region) after the error print to avoid accessing
freed memory when pr_err() references child_region.
Fixes: 0fa20cdfcc1f ("fpga: fpga-region: device tree control for FPGA")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
[ Yilun: Fix the Fixes tag ]
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20260408154534.404327-1-vulab@iscas.ac.cn
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/of-fpga-region.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/fpga/of-fpga-region.c
+++ b/drivers/fpga/of-fpga-region.c
@@ -166,11 +166,10 @@ static int child_regions_with_firmware(s
fpga_region_of_match);
}
- of_node_put(child_region);
-
if (ret)
pr_err("firmware-name not allowed in child FPGA region: %pOF",
child_region);
+ of_node_put(child_region);
return ret;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 099/129] ocfs2: reject oversized group bitmap descriptors
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 098/129] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 100/129] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
` (36 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Cen, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
commit 9bd541e09dffff27e5bec0f9f45b0228173a5375 upstream.
ocfs2_validate_gd_parent() only bounds bg_bits against the parent
allocator's chain geometry. A malicious descriptor can still claim a
bg_size/bg_bits pair that exceeds the bitmap bytes that physically fit in
the group descriptor block, so later bitmap scans and bit updates can run
past bg_bitmap.
Add a physical-cap check based on ocfs2_group_bitmap_size() for the parent
allocator type and reject descriptors whose bg_size or bg_bits exceed that
capacity. Keep the existing chain geometry check so both the on-disk
bitmap layout and the allocator metadata must agree before the descriptor
is used.
Validation reproduced this kernel report:
KASAN use-after-free in _find_next_bit+0x7f/0xc0
Read of size 8
Call trace:
dump_stack_lvl+0x66/0xa0 (?:?)
print_report+0xd0/0x630 (?:?)
_find_next_bit+0x7f/0xc0 (?:?)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
__virt_addr_valid+0x188/0x2f0 (?:?)
kasan_report+0xe4/0x120 (?:?)
ocfs2_find_max_contig_free_bits+0x35/0x70 (fs/ocfs2/suballoc.c:1375)
ocfs2_block_group_set_bits+0x472/0x4b0 (fs/ocfs2/suballoc.c:1457)
ocfs2_cluster_group_search+0x16b/0x440 (fs/ocfs2/suballoc.c:86)
ocfs2_bg_discontig_fix_result+0x1ef/0x230 (fs/ocfs2/suballoc.c:1786)
ocfs2_search_chain+0x8f8/0x10a0 (fs/ocfs2/suballoc.c:1886)
get_page_from_freelist+0x70e/0x2370 (?:?)
lock_release+0xc6/0x290 (?:?)
do_raw_spin_unlock+0x9a/0x100 (?:?)
kasan_unpoison+0x27/0x60 (?:?)
__bfs+0x147/0x240 (?:?)
get_page_from_freelist+0x83d/0x2370 (?:?)
ocfs2_claim_suballoc_bits+0x38c/0xe70 (fs/ocfs2/suballoc.c:96)
sched_domains_numa_masks_clear+0x70/0xd0 (?:?)
check_irq_usage+0xe8/0xb70 (?:?)
__ocfs2_claim_clusters+0x18d/0x4c0 (fs/ocfs2/suballoc.c:2497)
check_path+0x24/0x50 (?:?)
rcu_is_watching+0x20/0x50 (?:?)
check_prev_add+0xfd/0xd00 (?:?)
ocfs2_add_clusters_in_btree+0x17d/0x810 (fs/ocfs2/suballoc.c:?)
__folio_batch_add_and_move+0x1f5/0x3d0 (?:?)
ocfs2_add_inode_data+0xd9/0x120 (fs/ocfs2/suballoc.c:?)
filemap_add_folio+0x105/0x1f0 (?:?)
ocfs2_write_begin_nolock+0x29f7/0x2f80 (fs/ocfs2/suballoc.c:3043)
ocfs2_read_inode_block+0xb5/0x110 (fs/ocfs2/suballoc.c:?)
down_write+0xf5/0x180 (?:?)
ocfs2_write_begin+0x180/0x240 (fs/ocfs2/suballoc.c:?)
__mark_inode_dirty+0x758/0x9a0 (?:?)
inode_to_bdi+0x41/0x90 (?:?)
balance_dirty_pages_ratelimited_flags+0xf8/0x1d0 (?:?)
generic_perform_write+0x252/0x440 (?:?)
mnt_put_write_access_file+0x16/0x70 (?:?)
file_update_time_flags+0xe4/0x200 (?:?)
ocfs2_file_write_iter+0x80a/0x1320 (fs/ocfs2/suballoc.c:?)
lock_acquire+0x184/0x2f0 (?:?)
ksys_write+0xd2/0x170 (?:?)
apparmor_file_permission+0xf5/0x310 (?:?)
read_zero+0x8d/0x140 (?:?)
lock_is_held_type+0x8f/0x100 (?:?)
Link: https://lore.kernel.org/20260524111248.1429884-1-rollkingzzc@gmail.com
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/suballoc.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -201,8 +201,16 @@ static int ocfs2_validate_gd_parent(stru
int resize)
{
unsigned int max_bits;
+ unsigned int max_bitmap_bits;
+ unsigned int max_bitmap_size;
+ int suballocator;
struct ocfs2_group_desc *gd = (struct ocfs2_group_desc *)bh->b_data;
+ suballocator = le64_to_cpu(di->i_blkno) != OCFS2_SB(sb)->bitmap_blkno;
+ max_bitmap_size = ocfs2_group_bitmap_size(sb, suballocator,
+ OCFS2_SB(sb)->s_feature_incompat);
+ max_bitmap_bits = max_bitmap_size * 8;
+
if (di->i_blkno != gd->bg_parent_dinode) {
do_error("Group descriptor #%llu has bad parent pointer (%llu, expected %llu)\n",
(unsigned long long)bh->b_blocknr,
@@ -210,6 +218,20 @@ static int ocfs2_validate_gd_parent(stru
(unsigned long long)le64_to_cpu(di->i_blkno));
}
+ if (le16_to_cpu(gd->bg_size) > max_bitmap_size) {
+ do_error("Group descriptor #%llu has bitmap size %u but physical max of %u\n",
+ (unsigned long long)bh->b_blocknr,
+ le16_to_cpu(gd->bg_size),
+ max_bitmap_size);
+ }
+
+ if (le16_to_cpu(gd->bg_bits) > max_bitmap_bits) {
+ do_error("Group descriptor #%llu has bit count %u but physical max of %u\n",
+ (unsigned long long)bh->b_blocknr,
+ le16_to_cpu(gd->bg_bits),
+ max_bitmap_bits);
+ }
+
max_bits = le16_to_cpu(di->id2.i_chain.cl_cpg) * le16_to_cpu(di->id2.i_chain.cl_bpc);
if (le16_to_cpu(gd->bg_bits) > max_bits) {
do_error("Group descriptor #%llu has bit count of %u\n",
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 100/129] 9p: avoid putting oldfid in p9_client_walk() error path
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 099/129] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 101/129] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
` (35 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuxiang Yang, Ao Wang, Xuewei Feng,
Qi Li, Ke Xu, Yizhou Zhao, Dominique Martinet
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit 1a3860d46e3eb47dbd60339783cdad7904486b9f upstream.
When p9_client_walk() is called with clone set to false, fid aliases
oldfid. If the walk subsequently fails after the request has been sent,
the error path jumps to clunk_fid, which currently calls p9_fid_put(fid)
unconditionally.
This drops a reference to oldfid even though ownership of oldfid remains
with the caller. If this is the last reference, oldfid can be clunked and
destroyed while the caller still expects it to be valid. A later use or
put of oldfid can then trigger a use-after-free or refcount underflow.
Fix this by only putting fid in the clunk_fid error path when it does not
alias oldfid, matching the existing guard in the error path below.
This can be triggered when a multi-component walk is split into multiple
p9_client_walk() calls and a later non-cloning walk fails. A reproducer
and refcount warning logs are available on request.
Fixes: b48dbb998d70 ("9p fid refcount: add p9_fid_get/put wrappers")
Cc: stable@vger.kernel.org
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM 5.1
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Message-ID: <20260528053918.53550-1-zhaoyz24@mails.tsinghua.edu.cn>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/9p/client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1207,7 +1207,8 @@ struct p9_fid *p9_client_walk(struct p9_
clunk_fid:
kfree(wqids);
- p9_fid_put(fid);
+ if (fid != oldfid)
+ p9_fid_put(fid);
fid = NULL;
error:
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 101/129] MIPS: smp: report dying CPU to RCU in stop_this_cpu()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 100/129] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 102/129] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
` (34 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jonas Jelonek, Thomas Bogendoerfer
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Jelonek <jelonek.jonas@gmail.com>
commit 9f3f3bdc6d9dac1a5a8262ee7ad0f2ff1527a7e7 upstream.
smp_send_stop() parks all secondary CPUs in stop_this_cpu(). The function
marks the CPU offline for the scheduler via set_cpu_online(false) but
never informs RCU, so RCU keeps expecting a quiescent state from CPUs
that are now spinning forever with interrupts disabled.
As long as nothing waits for an RCU grace period after smp_send_stop()
this is harmless, which is why it went unnoticed. Since commit
91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
however, irq_work_sync() calls synchronize_rcu() on architectures without
an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt() returns
false. That is the asm-generic default used by MIPS. Any irq_work_sync()
issued in the reboot/shutdown path after smp_send_stop() then blocks on
a grace period that can never complete, hanging the reboot:
WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on
...
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
rcu: Offline CPU 1 blocking current GP.
rcu: Offline CPU 2 blocking current GP.
rcu: Offline CPU 3 blocking current GP.
This issue was noticed on several Realtek MIPS switch SoCs (MIPS
interAptiv) and came up during kernel bump downstream in OpenWrt from
6.18.33 to 6.18.34, after the backport of the patch to the 6.18 stable
branch. The patch also has been backported all the way back to 6.1.
Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring the
generic CPU-hotplug offline path, so RCU stops waiting on the parked CPUs
and grace periods can still complete. MIPS shuts down all CPUs here
without going through the CPU-hotplug mechanism, so this report is not
otherwise issued. Reporting a dying CPU to RCU outside the regular hotplug
offline path is not unprecedented: arm64 does the same in cpu_die_early().
There it is an exception for a CPU that was coming online and is aborting
bringup, rather than the default shutdown action as on MIPS.
Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
CC: stable@vger.kernel.org
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/smp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/mips/kernel/smp.c
+++ b/arch/mips/kernel/smp.c
@@ -19,6 +19,7 @@
#include <linux/sched/mm.h>
#include <linux/cpumask.h>
#include <linux/cpu.h>
+#include <linux/rcupdate.h>
#include <linux/err.h>
#include <linux/ftrace.h>
#include <linux/irqdomain.h>
@@ -392,6 +393,7 @@ static void stop_this_cpu(void *dummy)
set_cpu_online(smp_processor_id(), false);
calculate_cpu_foreign_map();
local_irq_disable();
+ rcutree_report_cpu_dead();
while (1);
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 102/129] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 101/129] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 103/129] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
` (33 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ashutosh Desai, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
commit 78ee2d50185a037b3d2452a97f3dad69c3f7f389 upstream.
In sev_dbg_crypt(), the per-iteration transfer length is bounded by
the source page offset (PAGE_SIZE - s_off) but not by the destination
page offset (PAGE_SIZE - d_off). When d_off > s_off, the encrypt
path (__sev_dbg_encrypt_user) performs a read-modify-write using a
single-page intermediate buffer (dst_tpage):
1. __sev_dbg_decrypt() expands the size to round_up(len + (d_off & 15), 16)
before issuing the PSP command. If len + (d_off & 15) > PAGE_SIZE,
the PSP writes beyond the end of the 4096-byte dst_tpage allocation.
2. The subsequent memcpy()/copy_from_user() into
page_address(dst_tpage) + (d_off & 15) of 'len' bytes overflows
by up to 15 bytes under the same condition.
Trigger example: s_off = 0, d_off = 1, debug.len = PAGE_SIZE -
the PSP is instructed to write round_up(4097, 16) = 4112 bytes to
a 4096-byte buffer.
Fix by also bounding len by (PAGE_SIZE - d_off), the same check that
sev_send_update_data() already performs for its single-page guest
region.
==================================================================
BUG: KASAN: slab-use-after-free in sev_dbg_crypt+0x993/0xd10 [kvm_amd]
Write of size 4095 at addr ff110062293bb009 by task sev_dbg_test/228214
CPU: 96 UID: 0 PID: 228214 Comm: sev_dbg_test Tainted: G U W 7.0.0-smp--5ce9b0c48211-dbg #156 PREEMPTLAZY
Tainted: [U]=USER, [W]=WARN
Hardware name: Google Astoria/astoria, BIOS 0.20250817.1-0 08/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x54/0x70
print_report+0xbc/0x260
kasan_report+0xa2/0xd0
kasan_check_range+0x25f/0x2c0
__asan_memcpy+0x40/0x70
sev_dbg_crypt+0x993/0xd10 [kvm_amd]
sev_mem_enc_ioctl+0x33c/0x450 [kvm_amd]
kvm_vm_ioctl+0x65d/0x6d0 [kvm]
__se_sys_ioctl+0xb2/0x100
do_syscall_64+0xe8/0x870
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7fe72b6a0 pfn:0x62293bb
memcg:ff11000112827d82
flags: 0x1400000000000000(node=1|zone=1)
raw: 1400000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 00000007fe72b6a0 0000000000000000 00000001ffffffff ff11000112827d82
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ff110062293bbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff110062293bbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff110062293bc000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ff110062293bc080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ff110062293bc100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
Fixes: 24f41fb23a39 ("KVM: SVM: Add support for SEV DEBUG_DECRYPT command")
Fixes: 7d1594f5d94b ("KVM: SVM: Add support for SEV DEBUG_ENCRYPT command")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
[sean: add sample KASAN splat, Fixes, and stable@]
Link: https://patch.msgid.link/20260501203537.2120074-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/sev.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -977,6 +977,7 @@ static int sev_dbg_crypt(struct kvm *kvm
s_off = vaddr & ~PAGE_MASK;
d_off = dst_vaddr & ~PAGE_MASK;
len = min_t(size_t, (PAGE_SIZE - s_off), size);
+ len = min_t(size_t, len, PAGE_SIZE - d_off);
if (dec)
ret = __sev_dbg_decrypt_user(kvm,
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 103/129] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 102/129] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 104/129] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
` (32 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Sebastian Reichel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 8eec545cde69e46e9a1d2b7d915ce4f5df85b3bd upstream.
Move of_node_put(dn) after the of_match_node() call, which still needs
the node pointer. The node reference is correctly released after use.
Fixes: e2f471efe1d6 ("power: reset: linkstation-poweroff: prepare for new devices")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260407073025.271865-1-vulab@iscas.ac.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/reset/linkstation-poweroff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/power/reset/linkstation-poweroff.c
+++ b/drivers/power/reset/linkstation-poweroff.c
@@ -163,10 +163,10 @@ static int __init linkstation_poweroff_i
dn = of_find_matching_node(NULL, ls_poweroff_of_match);
if (!dn)
return -ENODEV;
- of_node_put(dn);
match = of_match_node(ls_poweroff_of_match, dn);
cfg = match->data;
+ of_node_put(dn);
dn = of_find_node_by_name(NULL, cfg->mdio_node_name);
if (!dn)
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 104/129] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 103/129] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 105/129] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
` (31 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Bridges, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Bridges <icb@fastmail.org>
commit 7f08fc10fa3d3366dc3af723970bd03d7d6d10e3 upstream.
info->var, a framebuffer's current mode, is expected to have a matching
entry in info->modelist. var_to_display() relies on this and treats a
failed fb_match_mode() as "This should not happen". fb_set_var() keeps it
true by adding the mode to the list on every change, and
do_register_framebuffer() does the same at registration.
store_modes() replaces the modelist from userspace. fb_new_modelist()
validates the new modes but does not check that info->var still has a
match. It relies on fbcon_new_modelist() to re-point consoles, but that
only handles consoles mapped to the framebuffer. With fbcon unbound there
are none, so info->var is left describing a mode that is no longer in the
list.
A later console takeover runs var_to_display(), where fb_match_mode()
returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it
to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode.
Keep the current mode in the list in fb_new_modelist(), the same way
fb_set_var() does.
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Ian Bridges <icb@fastmail.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbmem.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1855,6 +1855,18 @@ int fb_new_modelist(struct fb_info *info
if (list_empty(&info->modelist))
return 1;
+ /*
+ * The new modelist may not contain the current mode (info->var), and
+ * fbcon_new_modelist() below only re-points consoles mapped to this
+ * framebuffer. Add the current mode here so info->var keeps a match
+ * even when fbcon is unbound.
+ */
+ if (!fb_match_mode(&info->var, &info->modelist)) {
+ fb_var_to_videomode(&mode, &info->var);
+ if (fb_add_videomode(&mode, &info->modelist))
+ return 1;
+ }
+
fbcon_new_modelist(info);
return 0;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 105/129] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 104/129] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 106/129] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
` (30 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steffen Persvold, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steffen Persvold <spersvold@gmail.com>
commit d894c48a57d78206e4df9c90d4acfaf39394806a upstream.
The 1920x1080@60 modedb entry has one too many initializers before
its sync field: a stray "0" occupies the sync slot, which shifts the
remaining values by one field. The entry therefore decodes as
sync = 0, vmode = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT (0x3,
i.e. FB_VMODE_INTERLACED | FB_VMODE_DOUBLE), and flag =
FB_VMODE_NONINTERLACED, instead of the intended sync = positive H/V,
vmode = non-interlaced.
fb_find_mode() then returns a 1920x1080 mode flagged as interlaced +
doublescan with active-low syncs. Drivers that honour var->vmode and
var->sync when programming display timing enable doublescan and the
wrong sync polarity, corrupting the output.
Drop the stray initializer so sync and vmode hold their intended
values (positive H/V sync, non-interlaced), matching the adjacent
1920x1200 entry.
Fixes: c8902258b2b8 ("fbdev: modedb: Add 1920x1080 at 60 Hz video mode")
Cc: stable@vger.kernel.org
Signed-off-by: Steffen Persvold <spersvold@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/modedb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/modedb.c
+++ b/drivers/video/fbdev/core/modedb.c
@@ -258,7 +258,7 @@ static const struct fb_videomode modedb[
FB_VMODE_DOUBLE },
/* 1920x1080 @ 60 Hz, 67.3 kHz hsync */
- { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0,
+ { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5,
FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
FB_VMODE_NONINTERLACED },
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 106/129] NFSD: Fix SECINFO_NO_NAME decode error cleanup
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 105/129] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 107/129] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
` (29 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guannan Wang, Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guannan Wang <wgnbuaa@gmail.com>
commit 9e18e83b8846a5c3fe13fc8a464b4865d33996c6 upstream.
nfsd4_decode_secinfo_no_name() currently initializes sin_exp after
decoding sin_style. If the XDR stream is truncated, the decoder returns
nfserr_bad_xdr before sin_exp is initialized.
Since commit 3fdc54646234 ("NFSD: Reduce amount of struct
nfsd4_compoundargs that needs clearing"), the inline iops array is not
cleared between RPC calls. A failed SECINFO_NO_NAME decode can therefore
leave sin_exp holding stale union contents from a previous operation.
The error response path still invokes nfsd4_secinfo_no_name_release(),
which calls exp_put() on a non-NULL sin_exp.
Initialize sin_exp before the first failable decode step, matching
nfsd4_decode_secinfo().
Fixes: 3fdc54646234 ("NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing")
Cc: stable@vger.kernel.org
Signed-off-by: Guannan Wang <wgnbuaa@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1821,10 +1821,11 @@ static __be32 nfsd4_decode_secinfo_no_na
union nfsd4_op_u *u)
{
struct nfsd4_secinfo_no_name *sin = &u->secinfo_no_name;
+
+ sin->sin_exp = NULL;
if (xdr_stream_decode_u32(argp->xdr, &sin->sin_style) < 0)
return nfserr_bad_xdr;
- sin->sin_exp = NULL;
return nfs_ok;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 107/129] nfsd: fix posix_acl leak on SETACL decode failure
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 106/129] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 108/129] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
` (28 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 0853ac544c590880d797b04daa33fcb72b6be0e1 upstream.
nfsaclsvc_decode_setaclargs() and nfs3svc_decode_setaclargs() each
call nfs_stream_decode_acl() twice, first for NFS_ACL and then for
NFS_DFACL. Each successful call transfers ownership of a freshly
allocated posix_acl into argp->acl_access or argp->acl_default. If
the first call succeeds but the second fails, the decoder returns
false and argp->acl_access is left dangling.
ACLPROC2_SETACL.pc_release was wired to nfssvc_release_attrstat and
ACLPROC3_SETACL.pc_release was wired to nfs3svc_release_fhandle.
Both only call fh_put() and have no knowledge of the ACL fields on
argp. The posix_acl_release() pairs sat at the out: labels inside
nfsacld_proc_setacl() and nfsd3_proc_setacl(), but svc_process()
skips pc_func when pc_decode returns false, so that cleanup is
unreachable on decode failure:
svc_process_common()
pc_decode() /* decode_setaclargs: false */
/* pc_func skipped */
pc_release() /* fh_put only -- ACLs leaked */
The orphaned posix_acl is leaked for the lifetime of the server.
Fix by adding nfsaclsvc_release_setacl() and nfs3svc_release_setacl(),
which release both argp->acl_access and argp->acl_default in addition
to fh_put(), and wiring them as pc_release for their respective SETACL
procedures. pc_release runs on every path svc_process() takes after
decode, including decode failure, so the posix_acl_release() pairs are
removed from the proc functions' out: labels to keep ownership in one
place. This matches the existing release_getacl() pattern used by
the sibling GETACL procedures.
Fixes: a257cdd0e217 ("[PATCH] NFSD: Add server support for NFSv3 ACLs.")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs2acl.c | 17 ++++++++++++-----
fs/nfsd/nfs3acl.c | 17 ++++++++++++-----
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@@ -131,10 +131,7 @@ static __be32 nfsacld_proc_setacl(struct
resp->status = fh_getattr(fh, &resp->stat);
out:
- /* argp->acl_{access,default} may have been allocated in
- nfssvc_decode_setaclargs. */
- posix_acl_release(argp->acl_access);
- posix_acl_release(argp->acl_default);
+ /* argp->acl_{access,default} are released in nfsaclsvc_release_setacl. */
return rpc_success;
out_drop_lock:
@@ -312,6 +309,16 @@ static void nfsaclsvc_release_access(str
struct nfsd3_voidargs { int dummy; };
+static void nfsaclsvc_release_setacl(struct svc_rqst *rqstp)
+{
+ struct nfsd3_setaclargs *argp = rqstp->rq_argp;
+ struct nfsd_attrstat *resp = rqstp->rq_resp;
+
+ fh_put(&resp->fh);
+ posix_acl_release(argp->acl_access);
+ posix_acl_release(argp->acl_default);
+}
+
#define ST 1 /* status*/
#define AT 21 /* attributes */
#define pAT (1+AT) /* post attributes - conditional */
@@ -345,7 +352,7 @@ static const struct svc_procedure nfsd_a
.pc_func = nfsacld_proc_setacl,
.pc_decode = nfsaclsvc_decode_setaclargs,
.pc_encode = nfssvc_encode_attrstatres,
- .pc_release = nfssvc_release_attrstat,
+ .pc_release = nfsaclsvc_release_setacl,
.pc_argsize = sizeof(struct nfsd3_setaclargs),
.pc_argzero = sizeof(struct nfsd3_setaclargs),
.pc_ressize = sizeof(struct nfsd_attrstat),
--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@@ -118,10 +118,7 @@ out_drop_lock:
out_errno:
resp->status = nfserrno(error);
out:
- /* argp->acl_{access,default} may have been allocated in
- nfs3svc_decode_setaclargs. */
- posix_acl_release(argp->acl_access);
- posix_acl_release(argp->acl_default);
+ /* argp->acl_{access,default} are released in nfs3svc_release_setacl. */
return rpc_success;
}
@@ -225,6 +222,16 @@ static void nfs3svc_release_getacl(struc
struct nfsd3_voidargs { int dummy; };
+static void nfs3svc_release_setacl(struct svc_rqst *rqstp)
+{
+ struct nfsd3_setaclargs *argp = rqstp->rq_argp;
+ struct nfsd3_attrstat *resp = rqstp->rq_resp;
+
+ fh_put(&resp->fh);
+ posix_acl_release(argp->acl_access);
+ posix_acl_release(argp->acl_default);
+}
+
#define ST 1 /* status*/
#define AT 21 /* attributes */
#define pAT (1+AT) /* post attributes - conditional */
@@ -258,7 +265,7 @@ static const struct svc_procedure nfsd_a
.pc_func = nfsd3_proc_setacl,
.pc_decode = nfs3svc_decode_setaclargs,
.pc_encode = nfs3svc_encode_setaclres,
- .pc_release = nfs3svc_release_fhandle,
+ .pc_release = nfs3svc_release_setacl,
.pc_argsize = sizeof(struct nfsd3_setaclargs),
.pc_argzero = sizeof(struct nfsd3_setaclargs),
.pc_ressize = sizeof(struct nfsd3_attrstat),
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 108/129] nfsd: check get_user() return when reading princhashlen
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 107/129] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 109/129] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
` (27 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dominik Woźniak, Jeff Layton,
Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dominik Woźniak <stalion@gmail.com>
commit e186fa1c057f5eccb22afb1e83e34c0627085868 upstream.
In __cld_pipe_inprogress_downcall(), the get_user() that reads
princhashlen from the userspace cld_msg_v2 buffer does not check its
return value. A failing copy leaves princhashlen with uninitialised
stack contents, which are then used to drive memdup_user() and stored
as princhash.len on the resulting reclaim record. The other get_user()
calls in this function all check the return; only this one is missed,
which is most likely a copy-paste oversight from when v2 upcalls were
introduced.
Mirror the existing pattern used a few lines above for namelen.
namecopy is declared with __free(kfree) so the early return cleans up
the already-allocated buffer automatically.
Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
Cc: stable@vger.kernel.org
Signed-off-by: Dominik Woźniak <stalion@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4recover.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -815,7 +815,8 @@ __cld_pipe_inprogress_downcall(const str
if (IS_ERR(name.data))
return PTR_ERR(name.data);
name.len = namelen;
- get_user(princhashlen, &ci->cc_princhash.cp_len);
+ if (get_user(princhashlen, &ci->cc_princhash.cp_len))
+ return -EFAULT;
if (princhashlen > 0) {
princhash.data = memdup_user(
&ci->cc_princhash.cp_data,
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 109/129] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 108/129] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 110/129] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
` (26 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Anna Schumaker
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 41fe0f7b84f0cb822ae10ab08592996a592b2a25 upstream.
nfs4_decode_mp_ds_addr() decodes the r_netid and r_addr opaques of a
netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately
calls strrchr(buf, '.') to locate the port separator. Both decodes
use xdr_stream_decode_string_dup(), and the current code checks only
"nlen < 0" / "rlen < 0" before dereferencing the returned string.
When the on-wire opaque has length zero, xdr_stream_decode_opaque_inline()
returns 0 and xdr_stream_decode_string_dup() falls through to its
"*str = NULL; return ret" tail, leaving buf NULL with a return value
of 0. The "< 0" check does not catch this, and the next line is
strrchr(NULL, '.'), a kernel NULL pointer dereference reachable from
any pNFS-flexfile client mounted against a malicious or compromised
metadata server.
Reject the zero-length cases explicitly so the decoder fails with
-EBADMSG (treated as a malformed GETDEVICEINFO body) instead of
panicking the client.
Cc: stable@vger.kernel.org
Fixes: 6b7f3cf96364 ("nfs41: pull decode_ds_addr from file layout to generic pnfs")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/pnfs_nfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/nfs/pnfs_nfs.c
+++ b/fs/nfs/pnfs_nfs.c
@@ -1057,14 +1057,14 @@ nfs4_decode_mp_ds_addr(struct net *net,
/* r_netid */
nlen = xdr_stream_decode_string_dup(xdr, &netid, XDR_MAX_NETOBJ,
gfp_flags);
- if (unlikely(nlen < 0))
+ if (unlikely(nlen <= 0))
goto out_err;
/* r_addr: ip/ip6addr with port in dec octets - see RFC 5665 */
/* port is ".ABC.DEF", 8 chars max */
rlen = xdr_stream_decode_string_dup(xdr, &buf, INET6_ADDRSTRLEN +
IPV6_SCOPE_ID_LEN + 8, gfp_flags);
- if (unlikely(rlen < 0))
+ if (unlikely(rlen <= 0))
goto out_free_netid;
/* replace port '.' with '-' */
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 110/129] ksmbd: fix out-of-bounds read in smb_check_perm_dacl()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 109/129] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 111/129] rpmsg: char: Add lock to avoid race when rpmsg device is released Greg Kroah-Hartman
` (25 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hem Parekh, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hem Parekh <hemparekh1596@gmail.com>
commit 1ef06004ed4bd6d3ed8c840d9d1a376b66d4935b upstream.
The permission-check ACE walk in smb_check_perm_dacl() validates the ACE
header size and caps sid.num_subauth at SID_MAX_SUB_AUTHORITIES, but it
never checks that ace->size is actually large enough to contain
num_subauth sub-authorities before compare_sids() dereferences them.
CIFS_SID_BASE_SIZE covers the SID header up to but excluding the
sub_auth[] array, and offsetof(struct smb_ace, sid) is the ACE header,
so the existing guards only guarantee the 8-byte SID base, i.e. zero
sub-authorities. compare_sids() then reads ace->sid.sub_auth[i] for
i < min(local_sid->num_subauth, ace->sid.num_subauth). The local
comparison SIDs (sid_everyone, sid_unix_NFS_mode, and the id_to_sid()
result) always have at least one sub-authority, and an attacker controls
the ACE revision and authority bytes (which lie within the in-bounds SID
base), so they can match one of those SIDs and force the sub_auth read.
A crafted ACE with size == 16 and num_subauth >= 1 placed at the tail of
the security descriptor therefore causes a heap out-of-bounds read of up
to SID_MAX_SUB_AUTHORITIES * sizeof(__le32) bytes past the pntsd
allocation. The security descriptor is loaded by ksmbd_vfs_get_sd_xattr()
into a buffer sized exactly to the on-disk data (kzalloc(sd_size) in
ndr_decode_v4_ntacl()), so the read lands past the allocation. The
malformed descriptor can be stored verbatim via SMB2_SET_INFO (the DACL
is not normalised before being written to the security.NTACL xattr) and
the read fires on a subsequent SMB2_CREATE access check, making this
reachable by an authenticated client on a share that uses ACL xattrs.
Add the missing num_subauth-versus-ace_size check, mirroring the
identical guards already present in the sibling parsers parse_dacl() and
smb_inherit_dacl().
Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Cc: stable@vger.kernel.org
Signed-off-by: Hem Parekh <hemparekh1596@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1331,7 +1331,9 @@ int smb_check_perm_dacl(struct ksmbd_con
break;
aces_size -= ace_size;
- if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES)
+ if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ ace_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE +
+ sizeof(__le32) * ace->sid.num_subauth)
break;
if (!compare_sids(&sid, &ace->sid) ||
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 111/129] rpmsg: char: Add lock to avoid race when rpmsg device is released
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 110/129] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 112/129] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Greg Kroah-Hartman
` (24 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Deepak Kumar Singh, Bjorn Andersson,
Wen Yang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepak Kumar Singh <quic_deesin@quicinc.com>
commit 17b88a2050e9d1f89a53562f2adb709a8959e763 upstream.
When remote host goes down glink char device channel is freed and
associated rpdev is destroyed through rpmsg_chrdev_eptdev_destroy(),
At the same time user space apps can still try to open/poll rpmsg
char device which will result in calling rpmsg_create_ept()/rpmsg_poll().
These functions will try to reference rpdev which has already been freed
through rpmsg_chrdev_eptdev_destroy().
File operation functions and device removal function must be protected
with lock. This patch adds existing ept lock in remove function as well.
Signed-off-by: Deepak Kumar Singh <quic_deesin@quicinc.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/1663584840-15762-2-git-send-email-quic_deesin@quicinc.com
Signed-off-by: Wen Yang <wen.yang@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/rpmsg_char.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -75,6 +75,7 @@ int rpmsg_chrdev_eptdev_destroy(struct d
struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
mutex_lock(&eptdev->ept_lock);
+ eptdev->rpdev = NULL;
if (eptdev->ept) {
/* The default endpoint is released by the rpmsg core */
if (!eptdev->default_ept)
@@ -128,6 +129,11 @@ static int rpmsg_eptdev_open(struct inod
return -EBUSY;
}
+ if (!eptdev->rpdev) {
+ mutex_unlock(&eptdev->ept_lock);
+ return -ENETRESET;
+ }
+
get_device(dev);
/*
@@ -279,7 +285,9 @@ static __poll_t rpmsg_eptdev_poll(struct
if (!skb_queue_empty(&eptdev->queue))
mask |= EPOLLIN | EPOLLRDNORM;
+ mutex_lock(&eptdev->ept_lock);
mask |= rpmsg_poll(eptdev->ept, filp, wait);
+ mutex_unlock(&eptdev->ept_lock);
return mask;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 112/129] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 111/129] rpmsg: char: Add lock to avoid race when rpmsg device is released Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 113/129] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
` (23 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tao Cui, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Cui <cuitao@kylinos.cn>
[ Upstream commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a ]
The userspace PM increments extra_subflows after __mptcp_subflow_connect()
succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow()
on failure to roll back the pre-increment done by the kernel PM's fill_*()
helpers. Because the userspace PM hasn't incremented yet at that point,
this decrement is spurious and causes extra_subflows to underflow.
Fix it by aligning the userspace PM with the kernel PM: increment
extra_subflows before calling __mptcp_subflow_connect(), so the existing
error path in subflow.c correctly rolls it back on failure. Also simplify
the error handling by taking pm.lock only when needed for cleanup.
Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
Cc: stable@vger.kernel.org
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_userspace.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -410,18 +410,21 @@ int mptcp_nl_cmd_sf_create(struct sk_buf
goto create_err;
}
+ spin_lock_bh(&msk->pm.lock);
+ msk->pm.subflows++;
+ spin_unlock_bh(&msk->pm.lock);
+
lock_sock(sk);
err = __mptcp_subflow_connect(sk, &addr_l, &addr_r);
release_sock(sk);
- spin_lock_bh(&msk->pm.lock);
- if (err)
+ if (err) {
+ spin_lock_bh(&msk->pm.lock);
mptcp_userspace_pm_delete_local_addr(msk, &local);
- else
- msk->pm.subflows++;
- spin_unlock_bh(&msk->pm.lock);
+ spin_unlock_bh(&msk->pm.lock);
+ }
create_err:
sock_put((struct sock *)msk);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 113/129] mptcp: fix missing wakeups in edge scenarios
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 112/129] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 114/129] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
` (22 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 9d8d28738f24b75616d6ca7a27cb4aed88520343 ]
The mptcp_recvmsg() can fill MPTCP socket receive queue via
mptcp_move_skbs(), but currently does not try to wakeup any listener,
because the same process is going to check the receive queue soon.
When multiple threads are reading from the same fd, the above can
cause stall. Add the missing wakeup.
Fixes: 6771bfd9ee24 ("mptcp: update mptcp ack sequence from work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-1-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2197,8 +2197,10 @@ static bool __mptcp_move_skbs(struct mpt
__mptcp_splice_receive_queue(sk);
mptcp_data_unlock(sk);
}
- if (ret)
+ if (ret) {
mptcp_check_data_fin((struct sock *)msk);
+ sk->sk_data_ready(sk);
+ }
return !skb_queue_empty(&msk->receive_queue);
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 114/129] hv: utils: handle and propagate errors in kvp_register
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 113/129] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 115/129] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx Greg Kroah-Hartman
` (21 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Long Li, Wei Liu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 ]
Make kvp_register() return an error code instead of silently ignoring
failures, and propagate the error from kvp_handle_handshake() instead of
returning success.
This propagates both kzalloc_obj() and hvutil_transport_send() failures
to kvp_handle_handshake() and thus to kvp_on_msg().
Fixes: 245ba56a52a3 ("Staging: hv: Implement key/value pair (KVP)")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hv/hv_kvp.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
--- a/drivers/hv/hv_kvp.c
+++ b/drivers/hv/hv_kvp.c
@@ -93,7 +93,7 @@ static void kvp_send_key(struct work_str
static void kvp_respond_to_host(struct hv_kvp_msg *msg, int error);
static void kvp_timeout_func(struct work_struct *dummy);
static void kvp_host_handshake_func(struct work_struct *dummy);
-static void kvp_register(int);
+static int kvp_register(int);
static DECLARE_DELAYED_WORK(kvp_timeout_work, kvp_timeout_func);
static DECLARE_DELAYED_WORK(kvp_host_handshake_work, kvp_host_handshake_func);
@@ -127,24 +127,26 @@ static void kvp_register_done(void)
hv_poll_channel(kvp_transaction.recv_channel, kvp_poll_wrapper);
}
-static void
+static int
kvp_register(int reg_value)
{
struct hv_kvp_msg *kvp_msg;
char *version;
+ int ret;
kvp_msg = kzalloc(sizeof(*kvp_msg), GFP_KERNEL);
+ if (!kvp_msg)
+ return -ENOMEM;
- if (kvp_msg) {
- version = kvp_msg->body.kvp_register.version;
- kvp_msg->kvp_hdr.operation = reg_value;
- strcpy(version, HV_DRV_VERSION);
-
- hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
- kvp_register_done);
- kfree(kvp_msg);
- }
+ version = kvp_msg->body.kvp_register.version;
+ kvp_msg->kvp_hdr.operation = reg_value;
+ strcpy(version, HV_DRV_VERSION);
+
+ ret = hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
+ kvp_register_done);
+ kfree(kvp_msg);
+ return ret;
}
static void kvp_timeout_func(struct work_struct *dummy)
@@ -186,9 +188,8 @@ static int kvp_handle_handshake(struct h
*/
pr_debug("KVP: userspace daemon ver. %d connected\n",
msg->kvp_hdr.operation);
- kvp_register(dm_reg_value);
- return 0;
+ return kvp_register(dm_reg_value);
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 115/129] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 114/129] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 116/129] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
` (20 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abel Vesa, Srinivas Kandagatla,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abel Vesa <abel.vesa@linaro.org>
[ Upstream commit 9bde43a0e2f469961e18d0a3496a9a74379c22bf ]
dma_set_mask_and_coherent only updates the mask to which the device
dma_mask pointer points to. Add a dma_mask to the channel ctx and set
the device dma_mask to point to that, otherwise the dma_set_mask will
return an error and the dma_set_coherent_mask will be skipped too.
Co-developed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20221125071405.148786-11-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 5401fb4fe10f ("misc: fastrpc: Fix NULL pointer dereference in rpmsg callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -262,6 +262,7 @@ struct fastrpc_channel_ctx {
struct fastrpc_device *fdevice;
bool secure;
bool unsigned_support;
+ u64 dma_mask;
};
struct fastrpc_device {
@@ -2175,6 +2176,7 @@ static int fastrpc_rpmsg_probe(struct rp
kref_init(&data->refcount);
dev_set_drvdata(&rpdev->dev, data);
+ rdev->dma_mask = &data->dma_mask;
dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
INIT_LIST_HEAD(&data->users);
spin_lock_init(&data->lock);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 116/129] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 115/129] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 117/129] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock Greg Kroah-Hartman
` (19 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mukesh Ojha, Bjorn Andersson,
Srinivas Kandagatla, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
[ Upstream commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 ]
A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
pc : _raw_spin_lock_irqsave+0x34/0x8c
lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
...
Call trace:
_raw_spin_lock_irqsave+0x34/0x8c (P)
fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
qcom_glink_native_rx+0x538/0x6a4
qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]
The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.
There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.
Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.
Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2175,7 +2175,6 @@ static int fastrpc_rpmsg_probe(struct rp
kref_init(&data->refcount);
- dev_set_drvdata(&rpdev->dev, data);
rdev->dma_mask = &data->dma_mask;
dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
INIT_LIST_HEAD(&data->users);
@@ -2183,6 +2182,7 @@ static int fastrpc_rpmsg_probe(struct rp
idr_init(&data->ctx_idr);
data->domain_id = domain_id;
data->rpdev = rpdev;
+ dev_set_drvdata(&rpdev->dev, data);
err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
if (err)
@@ -2249,6 +2249,9 @@ static int fastrpc_rpmsg_callback(struct
if (len < sizeof(*rsp))
return -EINVAL;
+ if (!cctx)
+ return -ENODEV;
+
ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
spin_lock_irqsave(&cctx->lock, flags);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 117/129] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 116/129] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 118/129] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
` (18 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhou, Thomas Gleixner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
[ Upstream commit 74e144274af39935b0f410c0ee4d2b91c3730414 ]
When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
waiter->task.
The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
the NULL waiter->task, causing a kernel crash.
Add a self-deadlock check for non-top waiters before calling
rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
futex_lock_pi_atomic().
Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex/requeue.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -629,6 +629,12 @@ retry_private:
continue;
}
+ /* Self-deadlock: non-top waiter already owns the PI futex. */
+ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
+ ret = -EDEADLK;
+ break;
+ }
+
ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
this->rt_waiter,
this->task);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 118/129] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 117/129] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 119/129] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued Greg Kroah-Hartman
` (17 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Kelley, Krister Johansen,
Matthew Ruffell, Dexuan Cui, Wei Liu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dexuan Cui <decui@microsoft.com>
[ Upstream commit 016a25e4b0df4d77e7c258edee4aaf982e4ee809 ]
If vmbus_reserve_fb() in the kdump/kexec kernel fails to properly reserve
the framebuffer MMIO range (which is below 4GB) due to a Gen2 VM's
screen.lfb_base being zero [1], there is an MMIO conflict between the
drivers hyperv-drm and pci-hyperv: when the driver pci-hyperv's
hv_allocate_config_window() calls vmbus_allocate_mmio() to get an
MMIO range, typically it gets a 32-bit MMIO range that overlaps with the
framebuffer MMIO range, and later hv_pci_enter_d0() fails with an
error message "PCI Pass-through VSP failed D0 Entry with status" since
the host thinks that PCI devices must not use MMIO space that the
host has assigned to the framebuffer.
This is especially an issue if pci-hyperv is built-in and hyperv-drm is
built as a module. Consequently, the kdump/kexec kernel fails to detect
PCI devices via pci-hyperv, and may fail to mount the root file system,
which may reside in a NVMe disk. The issue described here has existed
for SR-IOV VF NICs since day one of the pci-hyperv driver, and has been
worked around on x64 when possible. With the recent introduction of
ARM64 VMs that boot from NVMe, there is no workaround, so we need a
formal fix.
On Gen2 VMs, if the screen.lfb_base is 0 in the kdump/kexec kernel [1],
fall back to the low MMIO base, which should be equal to the framebuffer
MMIO base [2] (the statement is true according to my testing on x64
Windows Server 2016, and on x64 and ARM64 Windows Server 2025 and on
Azure. I checked with the Hyper-V team and they said the statement should
continue to be true for Gen2 VMs). In the first kernel, screen.lfb_base
is not 0; if the user specifies a very high resolution, it's not enough
to only reserve 8MB: let's always reserve half of the space below 4GB,
but cap the reservation to 128MB, which is the required framebuffer size
of the highest resolution 7680*4320 supported by Hyper-V.
While at it, fix the comparison "end > VTPM_BASE_ADDRESS" by changing
the > to >=. Here the 'end' is an inclusive end (typically, it's
0xFFFF_FFFF for the low MMIO range).
Note: vmbus_reserve_fb() now also reserves an MMIO range at the beginning
of the low MMIO range on CVMs, which have no framebuffers (the
'screen.lfb_base' in vmbus_reserve_fb() is 0 for CVMs), just in case the
host might treat the beginning of the low MMIO range specially [3]. BTW,
the OpenHCL kernel is not affected by the change, because that kernel
boots with DeviceTree rather than ACPI (so vmbus_reserve_fb() won't run
there), and there is no framebuffer device for that kernel.
Note: normally Gen1 VMs don't have the MMIO conflict issue because the
framebuffer MMIO range (which is hardcoded to base=4GB-128MB and
size=64MB for Gen1 VMs by the host) is always reported via the legacy PCI
graphics device's BAR, so the kdump/kexec kernel can reserve the 64MB
MMIO range; however, if the VM is configured to use a very high resolution
and the required framebuffer size exceeds 64MB (AFAIK, in practice, this
isn't a typical configuration by users), the hyperv-drm driver may need to
allocate an MMIO range above 4GB and change the framebuffer MMIO location
to the allocated MMIO range -- in this case, there can still be issues [4]
which can't be easily fixed: any possible affected Gen1 users would have
to use a resolution whose framebuffer size is <= 64MB, or switch to Gen2
VMs.
[1] https://lore.kernel.org/all/SA1PR21MB692176C1BC53BFC9EAE5CF8EBF51A@SA1PR21MB6921.namprd21.prod.outlook.com/
[2] https://lore.kernel.org/all/SA1PR21MB69218F955B62DFF62E3E88D2BF222@SA1PR21MB6921.namprd21.prod.outlook.com/
[3] https://lore.kernel.org/all/SN6PR02MB415726B17D5A6027CD1717E8D4342@SN6PR02MB4157.namprd02.prod.outlook.com/
[4] https://lore.kernel.org/all/SA1PR21MB69213486F821CA5A2C793C81BF342@SA1PR21MB6921.namprd21.prod.outlook.com/
Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
CC: stable@vger.kernel.org
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Krister Johansen <kjlx@templeofstupid.com>
Tested-by: Matthew Ruffell <matthew.ruffell@canonical.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
[ changed `sysfb_primary_display.screen.lfb_base/lfb_size` reads to the global `screen_info.lfb_base/lfb_size` and dropped the `if (IS_ENABLED(CONFIG_SYSFB))` wrapper, de-indenting the block. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hv/vmbus_drv.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -2027,8 +2027,8 @@ static acpi_status vmbus_walk_resources(
return AE_NO_MEMORY;
/* If this range overlaps the virtual TPM, truncate it. */
- if (end > VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
- end = VTPM_BASE_ADDRESS;
+ if (end >= VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
+ end = VTPM_BASE_ADDRESS - 1;
new_res->name = "hyperv mmio";
new_res->flags = IORESOURCE_MEM;
@@ -2096,12 +2096,31 @@ static int vmbus_acpi_remove(struct acpi
static void vmbus_reserve_fb(void)
{
resource_size_t start = 0, size;
+ resource_size_t low_mmio_base;
struct pci_dev *pdev;
if (efi_enabled(EFI_BOOT)) {
/* Gen2 VM: get FB base from EFI framebuffer */
start = screen_info.lfb_base;
size = max_t(__u32, screen_info.lfb_size, 0x800000);
+
+ low_mmio_base = hyperv_mmio->start;
+ if (!low_mmio_base || upper_32_bits(low_mmio_base) ||
+ (start && start < low_mmio_base)) {
+ pr_warn("Unexpected low mmio base %pa\n", &low_mmio_base);
+ } else {
+ /*
+ * If the kdump/kexec or CVM kernel's lfb_base
+ * is 0, fall back to the low mmio base.
+ */
+ if (!start)
+ start = low_mmio_base;
+ /*
+ * Reserve half of the space below 4GB for high
+ * resolutions, but cap the reservation to 128MB.
+ */
+ size = min((SZ_4G - start) / 2, SZ_128M);
+ }
} else {
/* Gen1 VM: get FB base from PCI */
pdev = pci_get_device(PCI_VENDOR_ID_MICROSOFT,
@@ -2121,8 +2140,10 @@ static void vmbus_reserve_fb(void)
pci_dev_put(pdev);
}
- if (!start)
+ if (!start) {
+ pr_warn("Unexpected framebuffer mmio base of zero\n");
return;
+ }
/*
* Make a claim for the frame buffer in the resource tree under the
@@ -2132,6 +2153,8 @@ static void vmbus_reserve_fb(void)
*/
for (; !fb_mmio && (size >= 0x100000); size >>= 1)
fb_mmio = __request_region(hyperv_mmio, start, size, fb_mmio_name, 0);
+
+ pr_info("hv_mmio=%pR,%pR fb=%pR\n", hyperv_mmio, hyperv_mmio->sibling, fb_mmio);
}
/**
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 119/129] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 118/129] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 120/129] phonet: Pass ifindex to fill_addr() Greg Kroah-Hartman
` (16 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+78147abe6c524f183ee9,
Davidlohr Bueso, Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso <dave@stgolabs.net>
[ Upstream commit 40a25d59e85b3c8709ac2424d44f65610467871e ]
syzbot triggered the following splat in remove_waiter() via
FUTEX_CMP_REQUEUE_PI:
KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
class_raw_spinlock_constructor
remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
rt_mutex_start_proxy_lock+0x103/0x120
futex_requeue+0x10e4/0x20d0
__x64_sys_futex+0x34f/0x4d0
task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead
of current in remove_waiter()") made this fatal.
Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock
return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
account for try_to_take_rt_mutex().
Fixes: 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/rtmutex.c | 3 +++
kernel/locking/rtmutex_api.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1524,6 +1524,9 @@ static void __sched remove_waiter(struct
lockdep_assert_held(&lock->wait_lock);
+ if (!waiter_task) /* never enqueued */
+ return;
+
scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
rt_mutex_dequeue(lock, waiter);
waiter_task->pi_blocked_on = NULL;
--- a/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -344,7 +344,7 @@ int __sched rt_mutex_start_proxy_lock(st
raw_spin_lock_irq(&lock->wait_lock);
ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
- if (unlikely(ret))
+ if (unlikely(ret < 0))
remove_waiter(lock, waiter);
raw_spin_unlock_irq(&lock->wait_lock);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 120/129] phonet: Pass ifindex to fill_addr().
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 119/129] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 121/129] phonet: Pass net and ifindex to phonet_address_notify() Greg Kroah-Hartman
` (15 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Eric Dumazet,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 08a9572be36819b5d9011604edfa5db6c5062a7a ]
We will convert addr_doit() and getaddr_dumpit() to RCU, both
of which call fill_addr().
The former will call phonet_address_notify() outside of RCU
due to GFP_KERNEL, so dev will not be available in fill_addr().
Let's pass ifindex directly to fill_addr().
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/phonet/pn_netlink.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -19,7 +19,7 @@
/* Device address handling */
-static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
+static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
u32 portid, u32 seq, int event);
void phonet_address_notify(int event, struct net_device *dev, u8 addr)
@@ -31,7 +31,8 @@ void phonet_address_notify(int event, st
nla_total_size(1), GFP_KERNEL);
if (skb == NULL)
goto errout;
- err = fill_addr(skb, dev, addr, 0, 0, event);
+
+ err = fill_addr(skb, dev->ifindex, addr, 0, 0, event);
if (err < 0) {
WARN_ON(err == -EMSGSIZE);
kfree_skb(skb);
@@ -92,8 +93,8 @@ static int addr_doit(struct sk_buff *skb
return err;
}
-static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
- u32 portid, u32 seq, int event)
+static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
+ u32 portid, u32 seq, int event)
{
struct ifaddrmsg *ifm;
struct nlmsghdr *nlh;
@@ -107,7 +108,7 @@ static int fill_addr(struct sk_buff *skb
ifm->ifa_prefixlen = 0;
ifm->ifa_flags = IFA_F_PERMANENT;
ifm->ifa_scope = RT_SCOPE_LINK;
- ifm->ifa_index = dev->ifindex;
+ ifm->ifa_index = ifindex;
if (nla_put_u8(skb, IFA_LOCAL, addr))
goto nla_put_failure;
nlmsg_end(skb, nlh);
@@ -140,7 +141,7 @@ static int getaddr_dumpit(struct sk_buff
if (addr_idx++ < addr_start_idx)
continue;
- if (fill_addr(skb, pnd->netdev, addr << 2,
+ if (fill_addr(skb, pnd->netdev->ifindex, addr << 2,
NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq, RTM_NEWADDR) < 0)
goto out;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 121/129] phonet: Pass net and ifindex to phonet_address_notify().
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 120/129] phonet: Pass ifindex to fill_addr() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 122/129] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
` (14 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Eric Dumazet,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 68ed5c38b512b734caf3da1f87db4a99fcfe3002 ]
Currently, phonet_address_notify() fetches netns and ifindex from dev.
Once addr_doit() is converted to RCU, phonet_address_notify() will be
called outside of RCU due to GFP_KERNEL, and dev will be unavailable
there.
Let's pass net and ifindex to phonet_address_notify().
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/phonet/pn_dev.h | 2 +-
net/phonet/pn_dev.c | 10 +++++++---
net/phonet/pn_netlink.c | 12 ++++++------
3 files changed, 14 insertions(+), 10 deletions(-)
--- a/include/net/phonet/pn_dev.h
+++ b/include/net/phonet/pn_dev.h
@@ -38,7 +38,7 @@ int phonet_address_add(struct net_device
int phonet_address_del(struct net_device *dev, u8 addr);
u8 phonet_address_get(struct net_device *dev, u8 addr);
int phonet_address_lookup(struct net *net, u8 addr);
-void phonet_address_notify(int event, struct net_device *dev, u8 addr);
+void phonet_address_notify(struct net *net, int event, u32 ifindex, u8 addr);
int phonet_route_add(struct net_device *dev, u8 daddr);
int phonet_route_del(struct net_device *dev, u8 daddr);
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -98,10 +98,13 @@ static void phonet_device_destroy(struct
mutex_unlock(&pndevs->lock);
if (pnd) {
+ struct net *net = dev_net(dev);
+ u32 ifindex = dev->ifindex;
u8 addr;
for_each_set_bit(addr, pnd->addrs, 64)
- phonet_address_notify(RTM_DELADDR, dev, addr);
+ phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
+
kfree(pnd);
}
}
@@ -244,8 +247,9 @@ static int phonet_device_autoconf(struct
ret = phonet_address_add(dev, req.ifr_phonet_autoconf.device);
if (ret)
return ret;
- phonet_address_notify(RTM_NEWADDR, dev,
- req.ifr_phonet_autoconf.device);
+
+ phonet_address_notify(dev_net(dev), RTM_NEWADDR, dev->ifindex,
+ req.ifr_phonet_autoconf.device);
return 0;
}
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -22,7 +22,7 @@
static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
u32 portid, u32 seq, int event);
-void phonet_address_notify(int event, struct net_device *dev, u8 addr)
+void phonet_address_notify(struct net *net, int event, u32 ifindex, u8 addr)
{
struct sk_buff *skb;
int err = -ENOBUFS;
@@ -32,17 +32,17 @@ void phonet_address_notify(int event, st
if (skb == NULL)
goto errout;
- err = fill_addr(skb, dev->ifindex, addr, 0, 0, event);
+ err = fill_addr(skb, ifindex, addr, 0, 0, event);
if (err < 0) {
WARN_ON(err == -EMSGSIZE);
kfree_skb(skb);
goto errout;
}
- rtnl_notify(skb, dev_net(dev), 0,
- RTNLGRP_PHONET_IFADDR, NULL, GFP_KERNEL);
+
+ rtnl_notify(skb, net, 0, RTNLGRP_PHONET_IFADDR, NULL, GFP_KERNEL);
return;
errout:
- rtnl_set_sk_err(dev_net(dev), RTNLGRP_PHONET_IFADDR, err);
+ rtnl_set_sk_err(net, RTNLGRP_PHONET_IFADDR, err);
}
static const struct nla_policy ifa_phonet_policy[IFA_MAX+1] = {
@@ -89,7 +89,7 @@ static int addr_doit(struct sk_buff *skb
else
err = phonet_address_del(dev, pnaddr);
if (!err)
- phonet_address_notify(nlh->nlmsg_type, dev, pnaddr);
+ phonet_address_notify(net, nlh->nlmsg_type, ifm->ifa_index, pnaddr);
return err;
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 122/129] net: phonet: free phonet_device after RCU grace period
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 121/129] phonet: Pass net and ifindex to phonet_address_notify() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 123/129] fuse: re-lock request before replacing page cache folio Greg Kroah-Hartman
` (13 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Santosh Kalluri,
Rémi Denis-Courmont, Simon Horman, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Santosh Kalluri <santosh.kalluri129@gmail.com>
[ Upstream commit 71de0177b28da751f407581a4515cf4d762f6296 ]
phonet_device_destroy() removes a phonet_device from the per-net device
list with list_del_rcu(), but frees it immediately. RCU readers walking
the same list can still hold a pointer to the object after it has been
removed, leading to a slab-use-after-free.
Use kfree_rcu(), matching the lifetime rule already used by
phonet_address_del() for the same object type.
Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
Cc: stable@vger.kernel.org
Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/phonet/pn_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -105,7 +105,7 @@ static void phonet_device_destroy(struct
for_each_set_bit(addr, pnd->addrs, 64)
phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
- kfree(pnd);
+ kfree_rcu(pnd, rcu);
}
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 123/129] fuse: re-lock request before replacing page cache folio
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 122/129] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 124/129] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
` (12 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lei Lu, Joanne Koong, Miklos Szeredi,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit a078484921052d0badd827fcc2770b5cfc1d4120 ]
fuse_try_move_folio() unlocks the request on entry but does not
re-lock it on the success path. This means fuse_chan_abort() can end the
request and free the fuse_io_args (eg fuse_readpages_end()) while the
subsequent copy chain logic after fuse_try_move_folio() accesses the
fuse_io_args, leading to use-after-free issues.
Fix this by calling lock_request() before replace_page_cache_folio().
This ensures the request is locked on the success path which will
prevent the fuse_io_args from being freed while the later copying logic
runs, and also ensures that the ap->folios[i]->mapping is never null
since ap->folios[i] will always point to the newfolio after
replace_page_cache_folio().
Fixes: ce534fb05292 ("fuse: allow splice to move pages")
Cc: stable@vger.kernel.org
Reported-by: Lei Lu <llfamsec@gmail.com>
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 19 +++++--------------
1 file changed, 5 insertions(+), 14 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -839,6 +839,10 @@ static int fuse_try_move_page(struct fus
if (WARN_ON(PageMlocked(oldpage)))
goto out_fallback_unlock;
+ err = lock_request(cs->req);
+ if (err)
+ goto out_fallback_unlock;
+
replace_page_cache_page(oldpage, newpage);
get_page(newpage);
@@ -852,20 +856,7 @@ static int fuse_try_move_page(struct fus
*/
pipe_buf_release(cs->pipe, buf);
- err = 0;
- spin_lock(&cs->req->waitq.lock);
- if (test_bit(FR_ABORTED, &cs->req->flags))
- err = -ENOENT;
- else
- *pagep = newpage;
- spin_unlock(&cs->req->waitq.lock);
-
- if (err) {
- unlock_page(newpage);
- put_page(newpage);
- goto out_put_old;
- }
-
+ *pagep = newpage;
unlock_page(oldpage);
/* Drop ref for ap->pages[] array */
put_page(oldpage);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 124/129] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 123/129] fuse: re-lock request before replacing page cache folio Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 125/129] Documentation: ioctl-number: Extend "Include File" column width Greg Kroah-Hartman
` (11 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Andy Shevchenko,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stepan Ionichev <sozdayvek@gmail.com>
[ Upstream commit 10fc708b4de7f86002d2d735a2dbf3b5b7f65692 ]
dw8250_probe() registers the 8250 port via serial8250_register_8250_port()
and then, if the device has a clock, registers a clock notifier. If
clk_notifier_register() fails, probe returns the error but leaves the
8250 port registered. The matching serial8250_unregister_port() lives
in dw8250_remove(), which is not called when probe fails, so the port
slot stays occupied until the device is rebound or the system is
rebooted. The devm-allocated driver data is freed while the port still
references it (via the saved private_data and serial_in/serial_out
callbacks), so any access to that port slot before a rebind is a
use-after-free hazard.
Unregister the port on the clk_notifier_register() error path.
Fixes: cc816969d7b5 ("serial: 8250_dw: Fix common clocks usage race condition")
Cc: stable@vger.kernel.org
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260514143746.23671-2-sozdayvek@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_dw.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/8250/8250_dw.c
+++ b/drivers/tty/serial/8250/8250_dw.c
@@ -673,8 +673,10 @@ static int dw8250_probe(struct platform_
*/
if (data->clk) {
err = clk_notifier_register(data->clk, &data->clk_notifier);
- if (err)
+ if (err) {
+ serial8250_unregister_port(data->data.line);
return dev_err_probe(dev, err, "Failed to set the clock notifier\n");
+ }
queue_work(system_unbound_wq, &data->clk_work);
}
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 125/129] Documentation: ioctl-number: Extend "Include File" column width
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 124/129] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 126/129] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() Greg Kroah-Hartman
` (10 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haren Myneni, Bagas Sanjaya,
Madhavan Srinivasan, Jonathan Corbet, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit 15afd5def819e4df2a29cef6fcfa6ae7ba167c0f ]
Extend width of "Include File" column to fit full path to
papr-physical-attestation.h in later commit.
Reviewed-by: Haren Myneni <haren@linux.ibm.com>
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Link: https://lore.kernel.org/r/20250714015711.14525-3-bagasdotme@gmail.com
Stable-dep-of: d237230728c5 ("crypto: qat - remove unused character device and IOCTLs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/userspace-api/ioctl/ioctl-number.rst | 464 ++++++++++-----------
1 file changed, 232 insertions(+), 232 deletions(-)
--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
+++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
@@ -66,17 +66,17 @@ This table lists ioctls visible from use
most drivers up to 2.6.31, but I know I am missing some. There has been
no attempt to list non-X86 architectures or ioctls from drivers/staging/.
-==== ===== ======================================================= ================================================================
-Code Seq# Include File Comments
+==== ===== ========================================================= ================================================================
+Code Seq# Include File Comments
(hex)
-==== ===== ======================================================= ================================================================
-0x00 00-1F linux/fs.h conflict!
-0x00 00-1F scsi/scsi_ioctl.h conflict!
-0x00 00-1F linux/fb.h conflict!
-0x00 00-1F linux/wavefront.h conflict!
+==== ===== ========================================================= ================================================================
+0x00 00-1F linux/fs.h conflict!
+0x00 00-1F scsi/scsi_ioctl.h conflict!
+0x00 00-1F linux/fb.h conflict!
+0x00 00-1F linux/wavefront.h conflict!
0x02 all linux/fd.h
0x03 all linux/hdreg.h
-0x04 D2-DC linux/umsdos_fs.h Dead since 2.6.11, but don't reuse these.
+0x04 D2-DC linux/umsdos_fs.h Dead since 2.6.11, but don't reuse these.
0x06 all linux/lp.h
0x09 all linux/raid/md_u.h
0x10 00-0F drivers/char/s390/vmcp.h
@@ -84,298 +84,298 @@ Code Seq# Include File
0x10 20-2F arch/s390/include/uapi/asm/hypfs.h
0x12 all linux/fs.h
linux/blkpg.h
-0x1b all InfiniBand Subsystem
- <http://infiniband.sourceforge.net/>
+0x1b all InfiniBand Subsystem
+ <http://infiniband.sourceforge.net/>
0x20 all drivers/cdrom/cm206.h
0x22 all scsi/sg.h
-0x3E 00-0F linux/counter.h <mailto:linux-iio@vger.kernel.org>
+0x3E 00-0F linux/counter.h <mailto:linux-iio@vger.kernel.org>
'!' 00-1F uapi/linux/seccomp.h
-'#' 00-3F IEEE 1394 Subsystem
- Block for the entire subsystem
+'#' 00-3F IEEE 1394 Subsystem
+ Block for the entire subsystem
'$' 00-0F linux/perf_counter.h, linux/perf_event.h
-'%' 00-0F include/uapi/linux/stm.h System Trace Module subsystem
- <mailto:alexander.shishkin@linux.intel.com>
+'%' 00-0F include/uapi/linux/stm.h System Trace Module subsystem
+ <mailto:alexander.shishkin@linux.intel.com>
'&' 00-07 drivers/firewire/nosy-user.h
-'1' 00-1F linux/timepps.h PPS kit from Ulrich Windl
- <ftp://ftp.de.kernel.org/pub/linux/daemons/ntp/PPS/>
+'1' 00-1F linux/timepps.h PPS kit from Ulrich Windl
+ <ftp://ftp.de.kernel.org/pub/linux/daemons/ntp/PPS/>
'2' 01-04 linux/i2o.h
-'3' 00-0F drivers/s390/char/raw3270.h conflict!
-'3' 00-1F linux/suspend_ioctls.h, conflict!
+'3' 00-0F drivers/s390/char/raw3270.h conflict!
+'3' 00-1F linux/suspend_ioctls.h, conflict!
kernel/power/user.c
-'8' all SNP8023 advanced NIC card
- <mailto:mcr@solidum.com>
+'8' all SNP8023 advanced NIC card
+ <mailto:mcr@solidum.com>
';' 64-7F linux/vfio.h
-'=' 00-3f uapi/linux/ptp_clock.h <mailto:richardcochran@gmail.com>
-'@' 00-0F linux/radeonfb.h conflict!
-'@' 00-0F drivers/video/aty/aty128fb.c conflict!
-'A' 00-1F linux/apm_bios.h conflict!
-'A' 00-0F linux/agpgart.h, conflict!
+'=' 00-3f uapi/linux/ptp_clock.h <mailto:richardcochran@gmail.com>
+'@' 00-0F linux/radeonfb.h conflict!
+'@' 00-0F drivers/video/aty/aty128fb.c conflict!
+'A' 00-1F linux/apm_bios.h conflict!
+'A' 00-0F linux/agpgart.h, conflict!
drivers/char/agp/compat_ioctl.h
-'A' 00-7F sound/asound.h conflict!
-'B' 00-1F linux/cciss_ioctl.h conflict!
-'B' 00-0F include/linux/pmu.h conflict!
-'B' C0-FF advanced bbus <mailto:maassen@uni-freiburg.de>
-'B' 00-0F xen/xenbus_dev.h conflict!
-'C' all linux/soundcard.h conflict!
-'C' 01-2F linux/capi.h conflict!
-'C' F0-FF drivers/net/wan/cosa.h conflict!
+'A' 00-7F sound/asound.h conflict!
+'B' 00-1F linux/cciss_ioctl.h conflict!
+'B' 00-0F include/linux/pmu.h conflict!
+'B' C0-FF advanced bbus <mailto:maassen@uni-freiburg.de>
+'B' 00-0F xen/xenbus_dev.h conflict!
+'C' all linux/soundcard.h conflict!
+'C' 01-2F linux/capi.h conflict!
+'C' F0-FF drivers/net/wan/cosa.h conflict!
'D' all arch/s390/include/asm/dasd.h
-'D' 40-5F drivers/scsi/dpt/dtpi_ioctl.h Dead since 2022
+'D' 40-5F drivers/scsi/dpt/dtpi_ioctl.h Dead since 2022
'D' 05 drivers/scsi/pmcraid.h
-'E' all linux/input.h conflict!
-'E' 00-0F xen/evtchn.h conflict!
-'F' all linux/fb.h conflict!
-'F' 01-02 drivers/scsi/pmcraid.h conflict!
-'F' 20 drivers/video/fsl-diu-fb.h conflict!
-'F' 20 drivers/video/intelfb/intelfb.h conflict!
-'F' 20 linux/ivtvfb.h conflict!
-'F' 20 linux/matroxfb.h conflict!
-'F' 20 drivers/video/aty/atyfb_base.c conflict!
-'F' 00-0F video/da8xx-fb.h conflict!
-'F' 80-8F linux/arcfb.h conflict!
-'F' DD video/sstfb.h conflict!
-'G' 00-3F drivers/misc/sgi-gru/grulib.h conflict!
-'G' 00-0F xen/gntalloc.h, xen/gntdev.h conflict!
-'H' 00-7F linux/hiddev.h conflict!
-'H' 00-0F linux/hidraw.h conflict!
-'H' 01 linux/mei.h conflict!
-'H' 02 linux/mei.h conflict!
-'H' 03 linux/mei.h conflict!
-'H' 00-0F sound/asound.h conflict!
-'H' 20-40 sound/asound_fm.h conflict!
-'H' 80-8F sound/sfnt_info.h conflict!
-'H' 10-8F sound/emu10k1.h conflict!
-'H' 10-1F sound/sb16_csp.h conflict!
-'H' 10-1F sound/hda_hwdep.h conflict!
-'H' 40-4F sound/hdspm.h conflict!
-'H' 40-4F sound/hdsp.h conflict!
+'E' all linux/input.h conflict!
+'E' 00-0F xen/evtchn.h conflict!
+'F' all linux/fb.h conflict!
+'F' 01-02 drivers/scsi/pmcraid.h conflict!
+'F' 20 drivers/video/fsl-diu-fb.h conflict!
+'F' 20 drivers/video/intelfb/intelfb.h conflict!
+'F' 20 linux/ivtvfb.h conflict!
+'F' 20 linux/matroxfb.h conflict!
+'F' 20 drivers/video/aty/atyfb_base.c conflict!
+'F' 00-0F video/da8xx-fb.h conflict!
+'F' 80-8F linux/arcfb.h conflict!
+'F' DD video/sstfb.h conflict!
+'G' 00-3F drivers/misc/sgi-gru/grulib.h conflict!
+'G' 00-0F xen/gntalloc.h, xen/gntdev.h conflict!
+'H' 00-7F linux/hiddev.h conflict!
+'H' 00-0F linux/hidraw.h conflict!
+'H' 01 linux/mei.h conflict!
+'H' 02 linux/mei.h conflict!
+'H' 03 linux/mei.h conflict!
+'H' 00-0F sound/asound.h conflict!
+'H' 20-40 sound/asound_fm.h conflict!
+'H' 80-8F sound/sfnt_info.h conflict!
+'H' 10-8F sound/emu10k1.h conflict!
+'H' 10-1F sound/sb16_csp.h conflict!
+'H' 10-1F sound/hda_hwdep.h conflict!
+'H' 40-4F sound/hdspm.h conflict!
+'H' 40-4F sound/hdsp.h conflict!
'H' 90 sound/usb/usx2y/usb_stream.h
-'H' 00-0F uapi/misc/habanalabs.h conflict!
+'H' 00-0F uapi/misc/habanalabs.h conflict!
'H' A0 uapi/linux/usb/cdc-wdm.h
-'H' C0-F0 net/bluetooth/hci.h conflict!
-'H' C0-DF net/bluetooth/hidp/hidp.h conflict!
-'H' C0-DF net/bluetooth/cmtp/cmtp.h conflict!
-'H' C0-DF net/bluetooth/bnep/bnep.h conflict!
-'H' F1 linux/hid-roccat.h <mailto:erazor_de@users.sourceforge.net>
+'H' C0-F0 net/bluetooth/hci.h conflict!
+'H' C0-DF net/bluetooth/hidp/hidp.h conflict!
+'H' C0-DF net/bluetooth/cmtp/cmtp.h conflict!
+'H' C0-DF net/bluetooth/bnep/bnep.h conflict!
+'H' F1 linux/hid-roccat.h <mailto:erazor_de@users.sourceforge.net>
'H' F8-FA sound/firewire.h
-'I' all linux/isdn.h conflict!
-'I' 00-0F drivers/isdn/divert/isdn_divert.h conflict!
-'I' 40-4F linux/mISDNif.h conflict!
+'I' all linux/isdn.h conflict!
+'I' 00-0F drivers/isdn/divert/isdn_divert.h conflict!
+'I' 40-4F linux/mISDNif.h conflict!
'K' all linux/kd.h
-'L' 00-1F linux/loop.h conflict!
-'L' 10-1F drivers/scsi/mpt3sas/mpt3sas_ctl.h conflict!
-'L' E0-FF linux/ppdd.h encrypted disk device driver
- <http://linux01.gwdg.de/~alatham/ppdd.html>
-'M' all linux/soundcard.h conflict!
-'M' 01-16 mtd/mtd-abi.h conflict!
+'L' 00-1F linux/loop.h conflict!
+'L' 10-1F drivers/scsi/mpt3sas/mpt3sas_ctl.h conflict!
+'L' E0-FF linux/ppdd.h encrypted disk device driver
+ <http://linux01.gwdg.de/~alatham/ppdd.html>
+'M' all linux/soundcard.h conflict!
+'M' 01-16 mtd/mtd-abi.h conflict!
and drivers/mtd/mtdchar.c
'M' 01-03 drivers/scsi/megaraid/megaraid_sas.h
-'M' 00-0F drivers/video/fsl-diu-fb.h conflict!
+'M' 00-0F drivers/video/fsl-diu-fb.h conflict!
'N' 00-1F drivers/usb/scanner.h
'N' 40-7F drivers/block/nvme.c
-'O' 00-06 mtd/ubi-user.h UBI
-'P' all linux/soundcard.h conflict!
-'P' 60-6F sound/sscape_ioctl.h conflict!
-'P' 00-0F drivers/usb/class/usblp.c conflict!
-'P' 01-09 drivers/misc/pci_endpoint_test.c conflict!
-'P' 00-0F xen/privcmd.h conflict!
+'O' 00-06 mtd/ubi-user.h UBI
+'P' all linux/soundcard.h conflict!
+'P' 60-6F sound/sscape_ioctl.h conflict!
+'P' 00-0F drivers/usb/class/usblp.c conflict!
+'P' 01-09 drivers/misc/pci_endpoint_test.c conflict!
+'P' 00-0F xen/privcmd.h conflict!
'Q' all linux/soundcard.h
-'R' 00-1F linux/random.h conflict!
-'R' 01 linux/rfkill.h conflict!
+'R' 00-1F linux/random.h conflict!
+'R' 01 linux/rfkill.h conflict!
'R' C0-DF net/bluetooth/rfcomm.h
'R' E0 uapi/linux/fsl_mc.h
-'S' all linux/cdrom.h conflict!
-'S' 80-81 scsi/scsi_ioctl.h conflict!
-'S' 82-FF scsi/scsi.h conflict!
-'S' 00-7F sound/asequencer.h conflict!
-'T' all linux/soundcard.h conflict!
-'T' 00-AF sound/asound.h conflict!
-'T' all arch/x86/include/asm/ioctls.h conflict!
-'T' C0-DF linux/if_tun.h conflict!
-'U' all sound/asound.h conflict!
-'U' 00-CF linux/uinput.h conflict!
+'S' all linux/cdrom.h conflict!
+'S' 80-81 scsi/scsi_ioctl.h conflict!
+'S' 82-FF scsi/scsi.h conflict!
+'S' 00-7F sound/asequencer.h conflict!
+'T' all linux/soundcard.h conflict!
+'T' 00-AF sound/asound.h conflict!
+'T' all arch/x86/include/asm/ioctls.h conflict!
+'T' C0-DF linux/if_tun.h conflict!
+'U' all sound/asound.h conflict!
+'U' 00-CF linux/uinput.h conflict!
'U' 00-EF linux/usbdevice_fs.h
'U' C0-CF drivers/bluetooth/hci_uart.h
-'V' all linux/vt.h conflict!
-'V' all linux/videodev2.h conflict!
-'V' C0 linux/ivtvfb.h conflict!
-'V' C0 linux/ivtv.h conflict!
-'V' C0 media/davinci/vpfe_capture.h conflict!
-'V' C0 media/si4713.h conflict!
-'W' 00-1F linux/watchdog.h conflict!
-'W' 00-1F linux/wanrouter.h conflict! (pre 3.9)
-'W' 00-3F sound/asound.h conflict!
+'V' all linux/vt.h conflict!
+'V' all linux/videodev2.h conflict!
+'V' C0 linux/ivtvfb.h conflict!
+'V' C0 linux/ivtv.h conflict!
+'V' C0 media/davinci/vpfe_capture.h conflict!
+'V' C0 media/si4713.h conflict!
+'W' 00-1F linux/watchdog.h conflict!
+'W' 00-1F linux/wanrouter.h conflict! (pre 3.9)
+'W' 00-3F sound/asound.h conflict!
'W' 40-5F drivers/pci/switch/switchtec.c
'W' 60-61 linux/watch_queue.h
-'X' all fs/xfs/xfs_fs.h, conflict!
+'X' all fs/xfs/xfs_fs.h, conflict!
fs/xfs/linux-2.6/xfs_ioctl32.h,
include/linux/falloc.h,
linux/fs.h,
-'X' all fs/ocfs2/ocfs_fs.h conflict!
-'X' 01 linux/pktcdvd.h conflict!
+'X' all fs/ocfs2/ocfs_fs.h conflict!
+'X' 01 linux/pktcdvd.h conflict!
'Z' 14-15 drivers/message/fusion/mptctl.h
-'[' 00-3F linux/usb/tmc.h USB Test and Measurement Devices
- <mailto:gregkh@linuxfoundation.org>
-'a' all linux/atm*.h, linux/sonet.h ATM on linux
- <http://lrcwww.epfl.ch/>
-'a' 00-0F drivers/crypto/qat/qat_common/adf_cfg_common.h conflict! qat driver
-'b' 00-FF conflict! bit3 vme host bridge
- <mailto:natalia@nikhefk.nikhef.nl>
-'c' all linux/cm4000_cs.h conflict!
-'c' 00-7F linux/comstats.h conflict!
-'c' 00-7F linux/coda.h conflict!
-'c' 00-1F linux/chio.h conflict!
-'c' 80-9F arch/s390/include/asm/chsc.h conflict!
+'[' 00-3F linux/usb/tmc.h USB Test and Measurement Devices
+ <mailto:gregkh@linuxfoundation.org>
+'a' all linux/atm*.h, linux/sonet.h ATM on linux
+ <http://lrcwww.epfl.ch/>
+'a' 00-0F drivers/crypto/qat/qat_common/adf_cfg_common.h conflict! qat driver
+'b' 00-FF conflict! bit3 vme host bridge
+ <mailto:natalia@nikhefk.nikhef.nl>
+'c' all linux/cm4000_cs.h conflict!
+'c' 00-7F linux/comstats.h conflict!
+'c' 00-7F linux/coda.h conflict!
+'c' 00-1F linux/chio.h conflict!
+'c' 80-9F arch/s390/include/asm/chsc.h conflict!
'c' A0-AF arch/x86/include/asm/msr.h conflict!
-'d' 00-FF linux/char/drm/drm.h conflict!
-'d' 02-40 pcmcia/ds.h conflict!
+'d' 00-FF linux/char/drm/drm.h conflict!
+'d' 02-40 pcmcia/ds.h conflict!
'd' F0-FF linux/digi1.h
-'e' all linux/digi1.h conflict!
-'f' 00-1F linux/ext2_fs.h conflict!
-'f' 00-1F linux/ext3_fs.h conflict!
-'f' 00-0F fs/jfs/jfs_dinode.h conflict!
-'f' 00-0F fs/ext4/ext4.h conflict!
-'f' 00-0F linux/fs.h conflict!
-'f' 00-0F fs/ocfs2/ocfs2_fs.h conflict!
+'e' all linux/digi1.h conflict!
+'f' 00-1F linux/ext2_fs.h conflict!
+'f' 00-1F linux/ext3_fs.h conflict!
+'f' 00-0F fs/jfs/jfs_dinode.h conflict!
+'f' 00-0F fs/ext4/ext4.h conflict!
+'f' 00-0F linux/fs.h conflict!
+'f' 00-0F fs/ocfs2/ocfs2_fs.h conflict!
'f' 13-27 linux/fscrypt.h
'f' 81-8F linux/fsverity.h
'g' 00-0F linux/usb/gadgetfs.h
'g' 20-2F linux/usb/g_printer.h
-'h' 00-7F conflict! Charon filesystem
- <mailto:zapman@interlan.net>
-'h' 00-1F linux/hpet.h conflict!
+'h' 00-7F conflict! Charon filesystem
+ <mailto:zapman@interlan.net>
+'h' 00-1F linux/hpet.h conflict!
'h' 80-8F fs/hfsplus/ioctl.c
-'i' 00-3F linux/i2o-dev.h conflict!
-'i' 0B-1F linux/ipmi.h conflict!
+'i' 00-3F linux/i2o-dev.h conflict!
+'i' 0B-1F linux/ipmi.h conflict!
'i' 80-8F linux/i8k.h
-'i' 90-9F `linux/iio/*.h` IIO
+'i' 90-9F `linux/iio/*.h` IIO
'j' 00-3F linux/joystick.h
-'k' 00-0F linux/spi/spidev.h conflict!
-'k' 00-05 video/kyro.h conflict!
-'k' 10-17 linux/hsi/hsi_char.h HSI character device
-'l' 00-3F linux/tcfs_fs.h transparent cryptographic file system
- <http://web.archive.org/web/%2A/http://mikonos.dia.unisa.it/tcfs>
-'l' 40-7F linux/udf_fs_i.h in development:
- <https://github.com/pali/udftools>
-'m' 00-09 linux/mmtimer.h conflict!
-'m' all linux/mtio.h conflict!
-'m' all linux/soundcard.h conflict!
-'m' all linux/synclink.h conflict!
-'m' 00-19 drivers/message/fusion/mptctl.h conflict!
-'m' 00 drivers/scsi/megaraid/megaraid_ioctl.h conflict!
+'k' 00-0F linux/spi/spidev.h conflict!
+'k' 00-05 video/kyro.h conflict!
+'k' 10-17 linux/hsi/hsi_char.h HSI character device
+'l' 00-3F linux/tcfs_fs.h transparent cryptographic file system
+ <http://web.archive.org/web/%2A/http://mikonos.dia.unisa.it/tcfs>
+'l' 40-7F linux/udf_fs_i.h in development:
+ <https://github.com/pali/udftools>
+'m' 00-09 linux/mmtimer.h conflict!
+'m' all linux/mtio.h conflict!
+'m' all linux/soundcard.h conflict!
+'m' all linux/synclink.h conflict!
+'m' 00-19 drivers/message/fusion/mptctl.h conflict!
+'m' 00 drivers/scsi/megaraid/megaraid_ioctl.h conflict!
'n' 00-7F linux/ncp_fs.h and fs/ncpfs/ioctl.c
-'n' 80-8F uapi/linux/nilfs2_api.h NILFS2
-'n' E0-FF linux/matroxfb.h matroxfb
-'o' 00-1F fs/ocfs2/ocfs2_fs.h OCFS2
-'o' 00-03 mtd/ubi-user.h conflict! (OCFS2 and UBI overlaps)
-'o' 40-41 mtd/ubi-user.h UBI
-'o' 01-A1 `linux/dvb/*.h` DVB
-'p' 00-0F linux/phantom.h conflict! (OpenHaptics needs this)
-'p' 00-1F linux/rtc.h conflict!
+'n' 80-8F uapi/linux/nilfs2_api.h NILFS2
+'n' E0-FF linux/matroxfb.h matroxfb
+'o' 00-1F fs/ocfs2/ocfs2_fs.h OCFS2
+'o' 00-03 mtd/ubi-user.h conflict! (OCFS2 and UBI overlaps)
+'o' 40-41 mtd/ubi-user.h UBI
+'o' 01-A1 `linux/dvb/*.h` DVB
+'p' 00-0F linux/phantom.h conflict! (OpenHaptics needs this)
+'p' 00-1F linux/rtc.h conflict!
'p' 40-7F linux/nvram.h
-'p' 80-9F linux/ppdev.h user-space parport
- <mailto:tim@cyberelk.net>
-'p' A1-A5 linux/pps.h LinuxPPS
- <mailto:giometti@linux.it>
+'p' 80-9F linux/ppdev.h user-space parport
+ <mailto:tim@cyberelk.net>
+'p' A1-A5 linux/pps.h LinuxPPS
+ <mailto:giometti@linux.it>
'q' 00-1F linux/serio.h
-'q' 80-FF linux/telephony.h Internet PhoneJACK, Internet LineJACK
- linux/ixjuser.h <http://web.archive.org/web/%2A/http://www.quicknet.net>
+'q' 80-FF linux/telephony.h Internet PhoneJACK, Internet LineJACK
+ linux/ixjuser.h <http://web.archive.org/web/%2A/http://www.quicknet.net>
'r' 00-1F linux/msdos_fs.h and fs/fat/dir.c
's' all linux/cdk.h
't' 00-7F linux/ppp-ioctl.h
't' 80-8F linux/isdn_ppp.h
-'t' 90-91 linux/toshiba.h toshiba and toshiba_acpi SMM
-'u' 00-1F linux/smb_fs.h gone
-'u' 20-3F linux/uvcvideo.h USB video class host driver
-'u' 40-4f linux/udmabuf.h userspace dma-buf misc device
-'v' 00-1F linux/ext2_fs.h conflict!
-'v' 00-1F linux/fs.h conflict!
-'v' 00-0F linux/sonypi.h conflict!
-'v' 00-0F media/v4l2-subdev.h conflict!
-'v' 20-27 arch/powerpc/include/uapi/asm/vas-api.h VAS API
-'v' C0-FF linux/meye.h conflict!
-'w' all CERN SCI driver
-'y' 00-1F packet based user level communications
- <mailto:zapman@interlan.net>
-'z' 00-3F CAN bus card conflict!
- <mailto:hdstich@connectu.ulm.circular.de>
-'z' 40-7F CAN bus card conflict!
- <mailto:oe@port.de>
-'z' 10-4F drivers/s390/crypto/zcrypt_api.h conflict!
+'t' 90-91 linux/toshiba.h toshiba and toshiba_acpi SMM
+'u' 00-1F linux/smb_fs.h gone
+'u' 20-3F linux/uvcvideo.h USB video class host driver
+'u' 40-4f linux/udmabuf.h userspace dma-buf misc device
+'v' 00-1F linux/ext2_fs.h conflict!
+'v' 00-1F linux/fs.h conflict!
+'v' 00-0F linux/sonypi.h conflict!
+'v' 00-0F media/v4l2-subdev.h conflict!
+'v' 20-27 arch/powerpc/include/uapi/asm/vas-api.h VAS API
+'v' C0-FF linux/meye.h conflict!
+'w' all CERN SCI driver
+'y' 00-1F packet based user level communications
+ <mailto:zapman@interlan.net>
+'z' 00-3F CAN bus card conflict!
+ <mailto:hdstich@connectu.ulm.circular.de>
+'z' 40-7F CAN bus card conflict!
+ <mailto:oe@port.de>
+'z' 10-4F drivers/s390/crypto/zcrypt_api.h conflict!
'|' 00-7F linux/media.h
0x80 00-1F linux/fb.h
0x81 00-1F linux/vduse.h
0x89 00-06 arch/x86/include/asm/sockios.h
0x89 0B-DF linux/sockios.h
-0x89 E0-EF linux/sockios.h SIOCPROTOPRIVATE range
-0x89 F0-FF linux/sockios.h SIOCDEVPRIVATE range
+0x89 E0-EF linux/sockios.h SIOCPROTOPRIVATE range
+0x89 F0-FF linux/sockios.h SIOCDEVPRIVATE range
0x8B all linux/wireless.h
-0x8C 00-3F WiNRADiO driver
- <http://www.winradio.com.au/>
+0x8C 00-3F WiNRADiO driver
+ <http://www.winradio.com.au/>
0x90 00 drivers/cdrom/sbpcd.h
0x92 00-0F drivers/usb/mon/mon_bin.c
0x93 60-7F linux/auto_fs.h
-0x94 all fs/btrfs/ioctl.h Btrfs filesystem
- and linux/fs.h some lifted to vfs/generic
-0x97 00-7F fs/ceph/ioctl.h Ceph file system
-0x99 00-0F 537-Addinboard driver
- <mailto:buk@buks.ipn.de>
-0xA0 all linux/sdp/sdp.h Industrial Device Project
- <mailto:kenji@bitgate.com>
-0xA1 0 linux/vtpm_proxy.h TPM Emulator Proxy Driver
-0xA2 all uapi/linux/acrn.h ACRN hypervisor
-0xA3 80-8F Port ACL in development:
- <mailto:tlewis@mindspring.com>
+0x94 all fs/btrfs/ioctl.h Btrfs filesystem
+ and linux/fs.h some lifted to vfs/generic
+0x97 00-7F fs/ceph/ioctl.h Ceph file system
+0x99 00-0F 537-Addinboard driver
+ <mailto:buk@buks.ipn.de>
+0xA0 all linux/sdp/sdp.h Industrial Device Project
+ <mailto:kenji@bitgate.com>
+0xA1 0 linux/vtpm_proxy.h TPM Emulator Proxy Driver
+0xA2 all uapi/linux/acrn.h ACRN hypervisor
+0xA3 80-8F Port ACL in development:
+ <mailto:tlewis@mindspring.com>
0xA3 90-9F linux/dtlk.h
-0xA4 00-1F uapi/linux/tee.h Generic TEE subsystem
-0xA4 00-1F uapi/asm/sgx.h <mailto:linux-sgx@vger.kernel.org>
-0xA5 01-05 linux/surface_aggregator/cdev.h Microsoft Surface Platform System Aggregator
- <mailto:luzmaximilian@gmail.com>
-0xA5 20-2F linux/surface_aggregator/dtx.h Microsoft Surface DTX driver
- <mailto:luzmaximilian@gmail.com>
+0xA4 00-1F uapi/linux/tee.h Generic TEE subsystem
+0xA4 00-1F uapi/asm/sgx.h <mailto:linux-sgx@vger.kernel.org>
+0xA5 01-05 linux/surface_aggregator/cdev.h Microsoft Surface Platform System Aggregator
+ <mailto:luzmaximilian@gmail.com>
+0xA5 20-2F linux/surface_aggregator/dtx.h Microsoft Surface DTX driver
+ <mailto:luzmaximilian@gmail.com>
0xAA 00-3F linux/uapi/linux/userfaultfd.h
0xAB 00-1F linux/nbd.h
0xAC 00-1F linux/raw.h
-0xAD 00 Netfilter device in development:
- <mailto:rusty@rustcorp.com.au>
-0xAE 00-1F linux/kvm.h Kernel-based Virtual Machine
- <mailto:kvm@vger.kernel.org>
-0xAE 40-FF linux/kvm.h Kernel-based Virtual Machine
- <mailto:kvm@vger.kernel.org>
-0xAE 20-3F linux/nitro_enclaves.h Nitro Enclaves
-0xAF 00-1F linux/fsl_hypervisor.h Freescale hypervisor
-0xB0 all RATIO devices in development:
- <mailto:vgo@ratio.de>
-0xB1 00-1F PPPoX
- <mailto:mostrows@styx.uwaterloo.ca>
+0xAD 00 Netfilter device in development:
+ <mailto:rusty@rustcorp.com.au>
+0xAE 00-1F linux/kvm.h Kernel-based Virtual Machine
+ <mailto:kvm@vger.kernel.org>
+0xAE 40-FF linux/kvm.h Kernel-based Virtual Machine
+ <mailto:kvm@vger.kernel.org>
+0xAE 20-3F linux/nitro_enclaves.h Nitro Enclaves
+0xAF 00-1F linux/fsl_hypervisor.h Freescale hypervisor
+0xB0 all RATIO devices in development:
+ <mailto:vgo@ratio.de>
+0xB1 00-1F PPPoX
+ <mailto:mostrows@styx.uwaterloo.ca>
0xB3 00 linux/mmc/ioctl.h
-0xB4 00-0F linux/gpio.h <mailto:linux-gpio@vger.kernel.org>
-0xB5 00-0F uapi/linux/rpmsg.h <mailto:linux-remoteproc@vger.kernel.org>
+0xB4 00-0F linux/gpio.h <mailto:linux-gpio@vger.kernel.org>
+0xB5 00-0F uapi/linux/rpmsg.h <mailto:linux-remoteproc@vger.kernel.org>
0xB6 all linux/fpga-dfl.h
-0xB7 all uapi/linux/remoteproc_cdev.h <mailto:linux-remoteproc@vger.kernel.org>
-0xB7 all uapi/linux/nsfs.h <mailto:Andrei Vagin <avagin@openvz.org>>
+0xB7 all uapi/linux/remoteproc_cdev.h <mailto:linux-remoteproc@vger.kernel.org>
+0xB7 all uapi/linux/nsfs.h <mailto:Andrei Vagin <avagin@openvz.org>>
0xC0 00-0F linux/usb/iowarrior.h
0xCA 00-0F uapi/misc/cxl.h
0xCA 10-2F uapi/misc/ocxl.h
0xCA 80-BF uapi/scsi/cxlflash_ioctl.h
-0xCB 00-1F CBM serial IEC bus in development:
- <mailto:michael.klein@puffin.lb.shuttle.de>
-0xCC 00-0F drivers/misc/ibmvmc.h pseries VMC driver
+0xCB 00-1F CBM serial IEC bus in development:
+ <mailto:michael.klein@puffin.lb.shuttle.de>
+0xCC 00-0F drivers/misc/ibmvmc.h pseries VMC driver
0xCD 01 linux/reiserfs_fs.h
-0xCE 01-02 uapi/linux/cxl_mem.h Compute Express Link Memory Devices
+0xCE 01-02 uapi/linux/cxl_mem.h Compute Express Link Memory Devices
0xCF 02 fs/cifs/ioctl.c
0xDB 00-0F drivers/char/mwave/mwavepub.h
-0xDD 00-3F ZFCP device driver see drivers/s390/scsi/
- <mailto:aherrman@de.ibm.com>
+0xDD 00-3F ZFCP device driver see drivers/s390/scsi/
+ <mailto:aherrman@de.ibm.com>
0xE5 00-3F linux/fuse.h
-0xEC 00-01 drivers/platform/chrome/cros_ec_dev.h ChromeOS EC driver
-0xEE 00-09 uapi/linux/pfrut.h Platform Firmware Runtime Update and Telemetry
-0xF3 00-3F drivers/usb/misc/sisusbvga/sisusb.h sisfb (in development)
- <mailto:thomas@winischhofer.net>
-0xF6 all LTTng Linux Trace Toolkit Next Generation
- <mailto:mathieu.desnoyers@efficios.com>
-0xF8 all arch/x86/include/uapi/asm/amd_hsmp.h AMD HSMP EPYC system management interface driver
- <mailto:nchatrad@amd.com>
+0xEC 00-01 drivers/platform/chrome/cros_ec_dev.h ChromeOS EC driver
+0xEE 00-09 uapi/linux/pfrut.h Platform Firmware Runtime Update and Telemetry
+0xF3 00-3F drivers/usb/misc/sisusbvga/sisusb.h sisfb (in development)
+ <mailto:thomas@winischhofer.net>
+0xF6 all LTTng Linux Trace Toolkit Next Generation
+ <mailto:mathieu.desnoyers@efficios.com>
+0xF8 all arch/x86/include/uapi/asm/amd_hsmp.h AMD HSMP EPYC system management interface driver
+ <mailto:nchatrad@amd.com>
0xFD all linux/dm-ioctl.h
0xFE all linux/isst_if.h
-==== ===== ======================================================= ================================================================
+==== ===== ========================================================= ================================================================
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 126/129] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user()
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 125/129] Documentation: ioctl-number: Extend "Include File" column width Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 127/129] crypto: qat - Return pointer directly in adf_ctl_alloc_resources Greg Kroah-Hartman
` (9 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 1e26339703e2afd397037defa798682b2b93dcc0 ]
Replace kzalloc() followed by copy_from_user() with memdup_user() to
improve and simplify adf_ctl_alloc_resources(). memdup_user() returns
either -ENOMEM or -EFAULT (instead of -EIO) if an error occurs.
Remove the unnecessary device id initialization, since memdup_user()
(like copy_from_user()) immediately overwrites it.
No functional changes intended other than returning the more idiomatic
error code -EFAULT.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: d237230728c5 ("crypto: qat - remove unused character device and IOCTLs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/qat/qat_common/adf_ctl_drv.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
@@ -90,17 +90,10 @@ static int adf_ctl_alloc_resources(struc
{
struct adf_user_cfg_ctl_data *cfg_data;
- cfg_data = kzalloc(sizeof(*cfg_data), GFP_KERNEL);
- if (!cfg_data)
- return -ENOMEM;
-
- /* Initialize device id to NO DEVICE as 0 is a valid device id */
- cfg_data->device_id = ADF_CFG_NO_DEVICE;
-
- if (copy_from_user(cfg_data, (void __user *)arg, sizeof(*cfg_data))) {
+ cfg_data = memdup_user((void __user *)arg, sizeof(*cfg_data));
+ if (IS_ERR(cfg_data)) {
pr_err("QAT: failed to copy from user cfg_data.\n");
- kfree(cfg_data);
- return -EIO;
+ return PTR_ERR(cfg_data);
}
*ctl_data = cfg_data;
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 127/129] crypto: qat - Return pointer directly in adf_ctl_alloc_resources
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 126/129] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 128/129] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
` (8 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herbert Xu, Thorsten Blum,
Giovanni Cabiddu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 5ce9891ea928208a915411ce8227f8c3e37e5ad9 ]
Returning values through arguments is confusing and that has
upset the compiler with the recent change to memdup_user:
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function ‘adf_ctl_ioctl’:
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:308:26: warning: ‘ctl_data’ may be used uninitialized [-Wmaybe-uninitialized]
308 | ctl_data->device_id);
| ^~
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:294:39: note: ‘ctl_data’ was declared here
294 | struct adf_user_cfg_ctl_data *ctl_data;
| ^~~~~~~~
In function ‘adf_ctl_ioctl_dev_stop’,
inlined from ‘adf_ctl_ioctl’ at ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:386:9:
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:273:48: warning: ‘ctl_data’ may be used uninitialized [-Wmaybe-uninitialized]
273 | ret = adf_ctl_is_device_in_use(ctl_data->device_id);
| ~~~~~~~~^~~~~~~~~~~
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function ‘adf_ctl_ioctl’:
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:261:39: note: ‘ctl_data’ was declared here
261 | struct adf_user_cfg_ctl_data *ctl_data;
| ^~~~~~~~
In function ‘adf_ctl_ioctl_dev_config’,
inlined from ‘adf_ctl_ioctl’ at ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:382:9:
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:192:54: warning: ‘ctl_data’ may be used uninitialized [-Wmaybe-uninitialized]
192 | accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
| ~~~~~~~~^~~~~~~~~~~
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function ‘adf_ctl_ioctl’:
../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:185:39: note: ‘ctl_data’ was declared here
185 | struct adf_user_cfg_ctl_data *ctl_data;
| ^~~~~~~~
Fix this by returning the pointer directly.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: d237230728c5 ("crypto: qat - remove unused character device and IOCTLs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/qat/qat_common/adf_ctl_drv.c | 31 +++++++++++-----------------
1 file changed, 13 insertions(+), 18 deletions(-)
--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
@@ -85,19 +85,14 @@ err_chrdev_unreg:
return -EFAULT;
}
-static int adf_ctl_alloc_resources(struct adf_user_cfg_ctl_data **ctl_data,
- unsigned long arg)
+static struct adf_user_cfg_ctl_data *adf_ctl_alloc_resources(unsigned long arg)
{
struct adf_user_cfg_ctl_data *cfg_data;
cfg_data = memdup_user((void __user *)arg, sizeof(*cfg_data));
- if (IS_ERR(cfg_data)) {
+ if (IS_ERR(cfg_data))
pr_err("QAT: failed to copy from user cfg_data.\n");
- return PTR_ERR(cfg_data);
- }
-
- *ctl_data = cfg_data;
- return 0;
+ return cfg_data;
}
static int adf_add_key_value_data(struct adf_accel_dev *accel_dev,
@@ -177,13 +172,13 @@ out_err:
static int adf_ctl_ioctl_dev_config(struct file *fp, unsigned int cmd,
unsigned long arg)
{
- int ret;
struct adf_user_cfg_ctl_data *ctl_data;
struct adf_accel_dev *accel_dev;
+ int ret = 0;
- ret = adf_ctl_alloc_resources(&ctl_data, arg);
- if (ret)
- return ret;
+ ctl_data = adf_ctl_alloc_resources(arg);
+ if (IS_ERR(ctl_data))
+ return PTR_ERR(ctl_data);
accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
if (!accel_dev) {
@@ -258,9 +253,9 @@ static int adf_ctl_ioctl_dev_stop(struct
int ret;
struct adf_user_cfg_ctl_data *ctl_data;
- ret = adf_ctl_alloc_resources(&ctl_data, arg);
- if (ret)
- return ret;
+ ctl_data = adf_ctl_alloc_resources(arg);
+ if (IS_ERR(ctl_data))
+ return PTR_ERR(ctl_data);
if (adf_devmgr_verify_id(ctl_data->device_id)) {
pr_err("QAT: Device %d not found\n", ctl_data->device_id);
@@ -292,9 +287,9 @@ static int adf_ctl_ioctl_dev_start(struc
struct adf_user_cfg_ctl_data *ctl_data;
struct adf_accel_dev *accel_dev;
- ret = adf_ctl_alloc_resources(&ctl_data, arg);
- if (ret)
- return ret;
+ ctl_data = adf_ctl_alloc_resources(arg);
+ if (IS_ERR(ctl_data))
+ return PTR_ERR(ctl_data);
ret = -ENODEV;
accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 128/129] crypto: qat - remove unused character device and IOCTLs
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 127/129] crypto: qat - Return pointer directly in adf_ctl_alloc_resources Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 129/129] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
` (7 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhi Wang, Bin Yu, MingYu Wang,
Giovanni Cabiddu, Ahsan Atta, Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit d237230728c567297f2f98b425d63156ab2ed17f ]
The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs
for device configuration, start, stop, status query and enumeration.
These IOCTLs are not part of any public uAPI header and have no known
in-tree or out-of-tree users. Device lifecycle is already managed via
sysfs.
The ioctl interface also increases the attack surface and is the
subject of a number of bug reports.
Remove the character device, the IOCTL definitions, and the related
data structures (adf_dev_status_info, adf_user_cfg_key_val,
adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused
adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal
module_init/module_exit hooks for workqueue, AER, and crypto/compression
algorithm registration.
Clean up leftover dead code that was only reachable from the removed
IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(),
adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(),
adf_get_vf_real_id() and the unused ADF_CFG macros.
Additionally, drop the entry associated to QAT IOCTLs in
ioctl-number.rst.
Cc: stable@vger.kernel.org
Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
Reported-by: Zhi Wang <wangzhi@stu.xidian.edu.cn>
Reported-by: Bin Yu <byu@xidian.edu.cn>
Reported-by: MingYu Wang <w15303746062@163.com>
Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/
Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/
Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/
Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/userspace-api/ioctl/ioctl-number.rst | 1
drivers/crypto/qat/qat_common/adf_cfg_common.h | 32 -
drivers/crypto/qat/qat_common/adf_cfg_user.h | 38 -
drivers/crypto/qat/qat_common/adf_common_drv.h | 3
drivers/crypto/qat/qat_common/adf_ctl_drv.c | 413 ---------------------
drivers/crypto/qat/qat_common/adf_dev_mgr.c | 70 ---
6 files changed, 3 insertions(+), 554 deletions(-)
delete mode 100644 drivers/crypto/qat/qat_common/adf_cfg_user.h
--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
+++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
@@ -218,7 +218,6 @@ Code Seq# Include File
<mailto:gregkh@linuxfoundation.org>
'a' all linux/atm*.h, linux/sonet.h ATM on linux
<http://lrcwww.epfl.ch/>
-'a' 00-0F drivers/crypto/qat/qat_common/adf_cfg_common.h conflict! qat driver
'b' 00-FF conflict! bit3 vme host bridge
<mailto:natalia@nikhefk.nikhef.nl>
'c' all linux/cm4000_cs.h conflict!
--- a/drivers/crypto/qat/qat_common/adf_cfg_common.h
+++ b/drivers/crypto/qat/qat_common/adf_cfg_common.h
@@ -4,18 +4,11 @@
#define ADF_CFG_COMMON_H_
#include <linux/types.h>
-#include <linux/ioctl.h>
#define ADF_CFG_MAX_STR_LEN 64
#define ADF_CFG_MAX_KEY_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN
#define ADF_CFG_MAX_VAL_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN
#define ADF_CFG_MAX_SECTION_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN
-#define ADF_CFG_BASE_DEC 10
-#define ADF_CFG_BASE_HEX 16
-#define ADF_CFG_ALL_DEVICES 0xFE
-#define ADF_CFG_NO_DEVICE 0xFF
-#define ADF_CFG_AFFINITY_WHATEVER 0xFF
-#define MAX_DEVICE_NAME_SIZE 32
#define ADF_MAX_DEVICES (32 * 32)
#define ADF_DEVS_ARRAY_SIZE BITS_TO_LONGS(ADF_MAX_DEVICES)
@@ -48,29 +41,4 @@ enum adf_device_type {
DEV_C3XXXVF,
DEV_4XXX,
};
-
-struct adf_dev_status_info {
- enum adf_device_type type;
- __u32 accel_id;
- __u32 instance_id;
- __u8 num_ae;
- __u8 num_accel;
- __u8 num_logical_accel;
- __u8 banks_per_accel;
- __u8 state;
- __u8 bus;
- __u8 dev;
- __u8 fun;
- char name[MAX_DEVICE_NAME_SIZE];
-};
-
-#define ADF_CTL_IOC_MAGIC 'a'
-#define IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS _IOW(ADF_CTL_IOC_MAGIC, 0, \
- struct adf_user_cfg_ctl_data)
-#define IOCTL_STOP_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 1, \
- struct adf_user_cfg_ctl_data)
-#define IOCTL_START_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 2, \
- struct adf_user_cfg_ctl_data)
-#define IOCTL_STATUS_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 3, __u32)
-#define IOCTL_GET_NUM_DEVICES _IOW(ADF_CTL_IOC_MAGIC, 4, __s32)
#endif
--- a/drivers/crypto/qat/qat_common/adf_cfg_user.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only) */
-/* Copyright(c) 2014 - 2020 Intel Corporation */
-#ifndef ADF_CFG_USER_H_
-#define ADF_CFG_USER_H_
-
-#include "adf_cfg_common.h"
-#include "adf_cfg_strings.h"
-
-struct adf_user_cfg_key_val {
- char key[ADF_CFG_MAX_KEY_LEN_IN_BYTES];
- char val[ADF_CFG_MAX_VAL_LEN_IN_BYTES];
- union {
- struct adf_user_cfg_key_val *next;
- __u64 padding3;
- };
- enum adf_cfg_val_type type;
-} __packed;
-
-struct adf_user_cfg_section {
- char name[ADF_CFG_MAX_SECTION_LEN_IN_BYTES];
- union {
- struct adf_user_cfg_key_val *params;
- __u64 padding1;
- };
- union {
- struct adf_user_cfg_section *next;
- __u64 padding3;
- };
-} __packed;
-
-struct adf_user_cfg_ctl_data {
- union {
- struct adf_user_cfg_section *config_section;
- __u64 padding;
- };
- __u8 device_id;
-} __packed;
-#endif
--- a/drivers/crypto/qat/qat_common/adf_common_drv.h
+++ b/drivers/crypto/qat/qat_common/adf_common_drv.h
@@ -75,11 +75,8 @@ int adf_devmgr_add_dev(struct adf_accel_
void adf_devmgr_rm_dev(struct adf_accel_dev *accel_dev,
struct adf_accel_dev *pf);
struct list_head *adf_devmgr_get_head(void);
-struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id);
struct adf_accel_dev *adf_devmgr_get_first(void);
struct adf_accel_dev *adf_devmgr_pci_to_accel_dev(struct pci_dev *pci_dev);
-int adf_devmgr_verify_id(u32 id);
-void adf_devmgr_get_num_dev(u32 *num);
int adf_devmgr_in_reset(struct adf_accel_dev *accel_dev);
int adf_dev_started(struct adf_accel_dev *accel_dev);
int adf_dev_restarting_notify(struct adf_accel_dev *accel_dev);
--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
@@ -1,416 +1,14 @@
// SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only)
/* Copyright(c) 2014 - 2020 Intel Corporation */
+
+#include <crypto/algapi.h>
+#include <linux/errno.h>
#include <linux/module.h>
-#include <linux/mutex.h>
-#include <linux/slab.h>
-#include <linux/fs.h>
-#include <linux/bitops.h>
-#include <linux/pci.h>
-#include <linux/cdev.h>
-#include <linux/uaccess.h>
-#include <linux/crypto.h>
-#include "adf_accel_devices.h"
#include "adf_common_drv.h"
-#include "adf_cfg.h"
-#include "adf_cfg_common.h"
-#include "adf_cfg_user.h"
-
-#define ADF_CFG_MAX_SECTION 512
-#define ADF_CFG_MAX_KEY_VAL 256
-
-#define DEVICE_NAME "qat_adf_ctl"
-
-static DEFINE_MUTEX(adf_ctl_lock);
-static long adf_ctl_ioctl(struct file *fp, unsigned int cmd, unsigned long arg);
-
-static const struct file_operations adf_ctl_ops = {
- .owner = THIS_MODULE,
- .unlocked_ioctl = adf_ctl_ioctl,
- .compat_ioctl = compat_ptr_ioctl,
-};
-
-struct adf_ctl_drv_info {
- unsigned int major;
- struct cdev drv_cdev;
- struct class *drv_class;
-};
-
-static struct adf_ctl_drv_info adf_ctl_drv;
-
-static void adf_chr_drv_destroy(void)
-{
- device_destroy(adf_ctl_drv.drv_class, MKDEV(adf_ctl_drv.major, 0));
- cdev_del(&adf_ctl_drv.drv_cdev);
- class_destroy(adf_ctl_drv.drv_class);
- unregister_chrdev_region(MKDEV(adf_ctl_drv.major, 0), 1);
-}
-
-static int adf_chr_drv_create(void)
-{
- dev_t dev_id;
- struct device *drv_device;
-
- if (alloc_chrdev_region(&dev_id, 0, 1, DEVICE_NAME)) {
- pr_err("QAT: unable to allocate chrdev region\n");
- return -EFAULT;
- }
-
- adf_ctl_drv.drv_class = class_create(THIS_MODULE, DEVICE_NAME);
- if (IS_ERR(adf_ctl_drv.drv_class)) {
- pr_err("QAT: class_create failed for adf_ctl\n");
- goto err_chrdev_unreg;
- }
- adf_ctl_drv.major = MAJOR(dev_id);
- cdev_init(&adf_ctl_drv.drv_cdev, &adf_ctl_ops);
- if (cdev_add(&adf_ctl_drv.drv_cdev, dev_id, 1)) {
- pr_err("QAT: cdev add failed\n");
- goto err_class_destr;
- }
-
- drv_device = device_create(adf_ctl_drv.drv_class, NULL,
- MKDEV(adf_ctl_drv.major, 0),
- NULL, DEVICE_NAME);
- if (IS_ERR(drv_device)) {
- pr_err("QAT: failed to create device\n");
- goto err_cdev_del;
- }
- return 0;
-err_cdev_del:
- cdev_del(&adf_ctl_drv.drv_cdev);
-err_class_destr:
- class_destroy(adf_ctl_drv.drv_class);
-err_chrdev_unreg:
- unregister_chrdev_region(dev_id, 1);
- return -EFAULT;
-}
-
-static struct adf_user_cfg_ctl_data *adf_ctl_alloc_resources(unsigned long arg)
-{
- struct adf_user_cfg_ctl_data *cfg_data;
-
- cfg_data = memdup_user((void __user *)arg, sizeof(*cfg_data));
- if (IS_ERR(cfg_data))
- pr_err("QAT: failed to copy from user cfg_data.\n");
- return cfg_data;
-}
-
-static int adf_add_key_value_data(struct adf_accel_dev *accel_dev,
- const char *section,
- const struct adf_user_cfg_key_val *key_val)
-{
- if (key_val->type == ADF_HEX) {
- long *ptr = (long *)key_val->val;
- long val = *ptr;
-
- if (adf_cfg_add_key_value_param(accel_dev, section,
- key_val->key, (void *)val,
- key_val->type)) {
- dev_err(&GET_DEV(accel_dev),
- "failed to add hex keyvalue.\n");
- return -EFAULT;
- }
- } else {
- if (adf_cfg_add_key_value_param(accel_dev, section,
- key_val->key, key_val->val,
- key_val->type)) {
- dev_err(&GET_DEV(accel_dev),
- "failed to add keyvalue.\n");
- return -EFAULT;
- }
- }
- return 0;
-}
-
-static int adf_copy_key_value_data(struct adf_accel_dev *accel_dev,
- struct adf_user_cfg_ctl_data *ctl_data)
-{
- struct adf_user_cfg_key_val key_val;
- struct adf_user_cfg_key_val *params_head;
- struct adf_user_cfg_section section, *section_head;
- int i, j;
-
- section_head = ctl_data->config_section;
-
- for (i = 0; section_head && i < ADF_CFG_MAX_SECTION; i++) {
- if (copy_from_user(§ion, (void __user *)section_head,
- sizeof(*section_head))) {
- dev_err(&GET_DEV(accel_dev),
- "failed to copy section info\n");
- goto out_err;
- }
-
- if (adf_cfg_section_add(accel_dev, section.name)) {
- dev_err(&GET_DEV(accel_dev),
- "failed to add section.\n");
- goto out_err;
- }
-
- params_head = section.params;
-
- for (j = 0; params_head && j < ADF_CFG_MAX_KEY_VAL; j++) {
- if (copy_from_user(&key_val, (void __user *)params_head,
- sizeof(key_val))) {
- dev_err(&GET_DEV(accel_dev),
- "Failed to copy keyvalue.\n");
- goto out_err;
- }
- if (adf_add_key_value_data(accel_dev, section.name,
- &key_val)) {
- goto out_err;
- }
- params_head = key_val.next;
- }
- section_head = section.next;
- }
- return 0;
-out_err:
- adf_cfg_del_all(accel_dev);
- return -EFAULT;
-}
-
-static int adf_ctl_ioctl_dev_config(struct file *fp, unsigned int cmd,
- unsigned long arg)
-{
- struct adf_user_cfg_ctl_data *ctl_data;
- struct adf_accel_dev *accel_dev;
- int ret = 0;
-
- ctl_data = adf_ctl_alloc_resources(arg);
- if (IS_ERR(ctl_data))
- return PTR_ERR(ctl_data);
-
- accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
- if (!accel_dev) {
- ret = -EFAULT;
- goto out;
- }
-
- if (adf_dev_started(accel_dev)) {
- ret = -EFAULT;
- goto out;
- }
-
- if (adf_copy_key_value_data(accel_dev, ctl_data)) {
- ret = -EFAULT;
- goto out;
- }
- set_bit(ADF_STATUS_CONFIGURED, &accel_dev->status);
-out:
- kfree(ctl_data);
- return ret;
-}
-
-static int adf_ctl_is_device_in_use(int id)
-{
- struct adf_accel_dev *dev;
-
- list_for_each_entry(dev, adf_devmgr_get_head(), list) {
- if (id == dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
- if (adf_devmgr_in_reset(dev) || adf_dev_in_use(dev)) {
- dev_info(&GET_DEV(dev),
- "device qat_dev%d is busy\n",
- dev->accel_id);
- return -EBUSY;
- }
- }
- }
- return 0;
-}
-
-static void adf_ctl_stop_devices(u32 id)
-{
- struct adf_accel_dev *accel_dev;
-
- list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) {
- if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
- if (!adf_dev_started(accel_dev))
- continue;
-
- /* First stop all VFs */
- if (!accel_dev->is_vf)
- continue;
-
- adf_dev_stop(accel_dev);
- adf_dev_shutdown(accel_dev);
- }
- }
-
- list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) {
- if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
- if (!adf_dev_started(accel_dev))
- continue;
-
- adf_dev_stop(accel_dev);
- adf_dev_shutdown(accel_dev);
- }
- }
-}
-
-static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
- unsigned long arg)
-{
- int ret;
- struct adf_user_cfg_ctl_data *ctl_data;
-
- ctl_data = adf_ctl_alloc_resources(arg);
- if (IS_ERR(ctl_data))
- return PTR_ERR(ctl_data);
-
- if (adf_devmgr_verify_id(ctl_data->device_id)) {
- pr_err("QAT: Device %d not found\n", ctl_data->device_id);
- ret = -ENODEV;
- goto out;
- }
-
- ret = adf_ctl_is_device_in_use(ctl_data->device_id);
- if (ret)
- goto out;
-
- if (ctl_data->device_id == ADF_CFG_ALL_DEVICES)
- pr_info("QAT: Stopping all acceleration devices.\n");
- else
- pr_info("QAT: Stopping acceleration device qat_dev%d.\n",
- ctl_data->device_id);
-
- adf_ctl_stop_devices(ctl_data->device_id);
-
-out:
- kfree(ctl_data);
- return ret;
-}
-
-static int adf_ctl_ioctl_dev_start(struct file *fp, unsigned int cmd,
- unsigned long arg)
-{
- int ret;
- struct adf_user_cfg_ctl_data *ctl_data;
- struct adf_accel_dev *accel_dev;
-
- ctl_data = adf_ctl_alloc_resources(arg);
- if (IS_ERR(ctl_data))
- return PTR_ERR(ctl_data);
-
- ret = -ENODEV;
- accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
- if (!accel_dev)
- goto out;
-
- if (!adf_dev_started(accel_dev)) {
- dev_info(&GET_DEV(accel_dev),
- "Starting acceleration device qat_dev%d.\n",
- ctl_data->device_id);
- ret = adf_dev_init(accel_dev);
- if (!ret)
- ret = adf_dev_start(accel_dev);
- } else {
- dev_info(&GET_DEV(accel_dev),
- "Acceleration device qat_dev%d already started.\n",
- ctl_data->device_id);
- }
- if (ret) {
- dev_err(&GET_DEV(accel_dev), "Failed to start qat_dev%d\n",
- ctl_data->device_id);
- adf_dev_stop(accel_dev);
- adf_dev_shutdown(accel_dev);
- }
-out:
- kfree(ctl_data);
- return ret;
-}
-
-static int adf_ctl_ioctl_get_num_devices(struct file *fp, unsigned int cmd,
- unsigned long arg)
-{
- u32 num_devices = 0;
-
- adf_devmgr_get_num_dev(&num_devices);
- if (copy_to_user((void __user *)arg, &num_devices, sizeof(num_devices)))
- return -EFAULT;
-
- return 0;
-}
-
-static int adf_ctl_ioctl_get_status(struct file *fp, unsigned int cmd,
- unsigned long arg)
-{
- struct adf_hw_device_data *hw_data;
- struct adf_dev_status_info dev_info;
- struct adf_accel_dev *accel_dev;
-
- if (copy_from_user(&dev_info, (void __user *)arg,
- sizeof(struct adf_dev_status_info))) {
- pr_err("QAT: failed to copy from user.\n");
- return -EFAULT;
- }
-
- accel_dev = adf_devmgr_get_dev_by_id(dev_info.accel_id);
- if (!accel_dev)
- return -ENODEV;
-
- hw_data = accel_dev->hw_device;
- dev_info.state = adf_dev_started(accel_dev) ? DEV_UP : DEV_DOWN;
- dev_info.num_ae = hw_data->get_num_aes(hw_data);
- dev_info.num_accel = hw_data->get_num_accels(hw_data);
- dev_info.num_logical_accel = hw_data->num_logical_accel;
- dev_info.banks_per_accel = hw_data->num_banks
- / hw_data->num_logical_accel;
- strscpy(dev_info.name, hw_data->dev_class->name, sizeof(dev_info.name));
- dev_info.instance_id = hw_data->instance_id;
- dev_info.type = hw_data->dev_class->type;
- dev_info.bus = accel_to_pci_dev(accel_dev)->bus->number;
- dev_info.dev = PCI_SLOT(accel_to_pci_dev(accel_dev)->devfn);
- dev_info.fun = PCI_FUNC(accel_to_pci_dev(accel_dev)->devfn);
-
- if (copy_to_user((void __user *)arg, &dev_info,
- sizeof(struct adf_dev_status_info))) {
- dev_err(&GET_DEV(accel_dev), "failed to copy status.\n");
- return -EFAULT;
- }
- return 0;
-}
-
-static long adf_ctl_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
-{
- int ret;
-
- if (mutex_lock_interruptible(&adf_ctl_lock))
- return -EFAULT;
-
- switch (cmd) {
- case IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS:
- ret = adf_ctl_ioctl_dev_config(fp, cmd, arg);
- break;
-
- case IOCTL_STOP_ACCEL_DEV:
- ret = adf_ctl_ioctl_dev_stop(fp, cmd, arg);
- break;
-
- case IOCTL_START_ACCEL_DEV:
- ret = adf_ctl_ioctl_dev_start(fp, cmd, arg);
- break;
-
- case IOCTL_GET_NUM_DEVICES:
- ret = adf_ctl_ioctl_get_num_devices(fp, cmd, arg);
- break;
-
- case IOCTL_STATUS_ACCEL_DEV:
- ret = adf_ctl_ioctl_get_status(fp, cmd, arg);
- break;
- default:
- pr_err_ratelimited("QAT: Invalid ioctl %d\n", cmd);
- ret = -EFAULT;
- break;
- }
- mutex_unlock(&adf_ctl_lock);
- return ret;
-}
static int __init adf_register_ctl_device_driver(void)
{
- if (adf_chr_drv_create())
- goto err_chr_dev;
-
if (adf_init_misc_wq())
goto err_misc_wq;
@@ -437,22 +35,17 @@ err_pf_wq:
err_aer:
adf_exit_misc_wq();
err_misc_wq:
- adf_chr_drv_destroy();
-err_chr_dev:
- mutex_destroy(&adf_ctl_lock);
return -EFAULT;
}
static void __exit adf_unregister_ctl_device_driver(void)
{
- adf_chr_drv_destroy();
adf_exit_misc_wq();
adf_exit_aer();
adf_exit_vf_wq();
adf_exit_pf_wq();
qat_crypto_unregister();
adf_clean_vf_map(false);
- mutex_destroy(&adf_ctl_lock);
}
module_init(adf_register_ctl_device_driver);
--- a/drivers/crypto/qat/qat_common/adf_dev_mgr.c
+++ b/drivers/crypto/qat/qat_common/adf_dev_mgr.c
@@ -45,19 +45,6 @@ static struct vf_id_map *adf_find_vf(u32
return NULL;
}
-static int adf_get_vf_real_id(u32 fake)
-{
- struct list_head *itr;
-
- list_for_each(itr, &vfs_table) {
- struct vf_id_map *ptr =
- list_entry(itr, struct vf_id_map, list);
- if (ptr->fake_id == fake)
- return ptr->id;
- }
- return -1;
-}
-
/**
* adf_clean_vf_map() - Cleans VF id mapings
*
@@ -314,63 +301,6 @@ struct adf_accel_dev *adf_devmgr_pci_to_
}
EXPORT_SYMBOL_GPL(adf_devmgr_pci_to_accel_dev);
-struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id)
-{
- struct list_head *itr;
- int real_id;
-
- mutex_lock(&table_lock);
- real_id = adf_get_vf_real_id(id);
- if (real_id < 0)
- goto unlock;
-
- id = real_id;
-
- list_for_each(itr, &accel_table) {
- struct adf_accel_dev *ptr =
- list_entry(itr, struct adf_accel_dev, list);
- if (ptr->accel_id == id) {
- mutex_unlock(&table_lock);
- return ptr;
- }
- }
-unlock:
- mutex_unlock(&table_lock);
- return NULL;
-}
-
-int adf_devmgr_verify_id(u32 id)
-{
- if (id == ADF_CFG_ALL_DEVICES)
- return 0;
-
- if (adf_devmgr_get_dev_by_id(id))
- return 0;
-
- return -ENODEV;
-}
-
-static int adf_get_num_dettached_vfs(void)
-{
- struct list_head *itr;
- int vfs = 0;
-
- mutex_lock(&table_lock);
- list_for_each(itr, &vfs_table) {
- struct vf_id_map *ptr =
- list_entry(itr, struct vf_id_map, list);
- if (ptr->bdf != ~0 && !ptr->attached)
- vfs++;
- }
- mutex_unlock(&table_lock);
- return vfs;
-}
-
-void adf_devmgr_get_num_dev(u32 *num)
-{
- *num = num_devices - adf_get_num_dettached_vfs();
-}
-
/**
* adf_dev_in_use() - Check whether accel_dev is currently in use
* @accel_dev: Pointer to acceleration device.
^ permalink raw reply [flat|nested] 140+ messages in thread
* [PATCH 6.1 129/129] ipv6: account for fraggap on the paged allocation path
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 128/129] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 6.1 000/129] 6.1.177-rc1 review Brett A C Sheffield
` (6 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jungwoo Lee, Wongi Lee, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wongi Lee <qw3rtyp0@gmail.com>
[ Upstream commit 736b380e28d0480c7bc3e022f1950f31fe53a7c5 ]
In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as
alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;
datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.
An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.
The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.
The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_output.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1622,8 +1622,8 @@ alloc_new_skb:
!(rt->dst.dev->features & NETIF_F_SG)))
alloclen = fraglen;
else {
- alloclen = fragheaderlen + transhdrlen;
- pagedlen = datalen - transhdrlen;
+ alloclen = fragheaderlen + transhdrlen + fraggap;
+ pagedlen = datalen - transhdrlen - fraggap;
}
alloclen += alloc_extra;
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 6.1 129/129] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
@ 2026-07-02 19:46 ` Brett A C Sheffield
2026-07-02 20:25 ` Peter Schneider
` (5 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Brett A C Sheffield @ 2026-07-02 19:46 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.1.177-rc1-00130-g7ab3c992455f #1 SMP PREEMPT_DYNAMIC Thu Jul 2 19:26:24 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-07-02 19:46 ` [PATCH 6.1 000/129] 6.1.177-rc1 review Brett A C Sheffield
@ 2026-07-02 20:25 ` Peter Schneider
2026-07-02 21:49 ` Francesco Dolcini
` (4 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Peter Schneider @ 2026-07-02 20:25 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 02.07.2026 um 18:18 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.1.177 release.
> There are 129 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
So while I'm watching the Spain vs Austria soccer match, I managed to do some kernel building and testing...
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-07-02 20:25 ` Peter Schneider
@ 2026-07-02 21:49 ` Francesco Dolcini
2026-07-02 23:46 ` Miguel Ojeda
` (3 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Francesco Dolcini @ 2026-07-02 21:49 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Jul 02, 2026 at 06:18:39PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.177 release.
> There are 129 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-07-02 21:49 ` Francesco Dolcini
@ 2026-07-02 23:46 ` Miguel Ojeda
2026-07-03 6:39 ` Ron Economos
` (2 subsequent siblings)
135 siblings, 0 replies; 140+ messages in thread
From: Miguel Ojeda @ 2026-07-02 23:46 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Thu, 02 Jul 2026 18:18:39 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.1.177 release.
> There are 129 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu()
2026-07-02 16:20 ` [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
@ 2026-07-03 3:12 ` 陈华才
2026-07-03 7:22 ` Greg Kroah-Hartman
2026-07-03 13:16 ` Sasha Levin
0 siblings, 2 replies; 140+ messages in thread
From: 陈华才 @ 2026-07-03 3:12 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Guo Ren
Hi, Greg,
> -----原始邮件-----
> 发件人: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>
> 发送时间:2026-07-03 00:20:14 (星期五)
> 收件人: stable@vger.kernel.org
> 抄送: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, patches@lists.linux.dev, "Guo Ren" <guoren@kernel.org>, "Huacai Chen" <chenhuacai@loongson.cn>
> 主题: [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu()
>
> 6.1-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Huacai Chen <chenhuacai@loongson.cn>
>
> commit f2539c56c74691e7a88af6372ba2b48c06ed2fe4 upstream.
>
> This is a port of MIPS commit 9f3f3bdc6d9dac1 ("MIPS: smp: report dying
> CPU to RCU in stop_this_cpu()"). smp_send_stop() parks all secondary
> CPUs in stop_this_cpu(). And the function marks the CPU offline for the
> scheduler via set_cpu_online(false) but never informs RCU, so RCU keeps
> expecting a quiescent state from CPUs that are now spinning forever with
> interrupts disabled.
>
> As long as nothing waits for an RCU grace period after smp_send_stop()
> this is harmless, which is why it went unnoticed. However, since commit
> 91840be8f710370 ("irq_work: Fix use-after-free in irq_work_single() on
> PREEMPT_RT"), irq_work_sync() calls synchronize_rcu() on architectures
> without an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt()
> returns false. Any irq_work_sync() issued in the reboot/shutdown/halt
> path after smp_send_stop() then blocks on a grace period that can never
> complete, hanging the reboot:
>
> WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on
> ...
> rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
> rcu: Offline CPU 1 blocking current GP.
> rcu: Offline CPU 2 blocking current GP.
> rcu: Offline CPU 3 blocking current GP.
>
> This issue needs some hacks to reproduce, and it was not noticed on
> LoongArch because arch_irq_work_has_interrupt() usually returns true.
>
> Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring
> the generic CPU-hotplug offline path, so RCU stops waiting on the parked
> CPUs and grace periods can still complete. LoongArch shuts down all CPUs
> here without going through the CPU-hotplug mechanism, so this report is
> not otherwise issued.
>
> Cc: <stable@vger.kernel.org>
> Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
> Reviewed-by: Guo Ren <guoren@kernel.org>
> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> arch/loongarch/kernel/smp.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/arch/loongarch/kernel/smp.c
> +++ b/arch/loongarch/kernel/smp.c
> @@ -517,6 +517,7 @@ static void stop_this_cpu(void *dummy)
> set_cpu_online(smp_processor_id(), false);
> calculate_cpu_foreign_map();
> local_irq_disable();
> + rcutree_report_cpu_dead();
For 6.1 & 6.6 this should be "rcu_report_dead(smp_processor_id())". If you don't want to modify please just drop this patch, and I will send for them.
Huacai
> while (true);
> }
>
>
本邮件及其附件含有龙芯中科的商业秘密信息,仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制或散发)本邮件及其附件中的信息。如果您错收本邮件,请您立即电话或邮件通知发件人并删除本邮件。
This email and its attachments contain confidential information from Loongson Technology , which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this email in error, please notify the sender by phone or email immediately and delete it.
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-07-02 23:46 ` Miguel Ojeda
@ 2026-07-03 6:39 ` Ron Economos
2026-07-03 7:15 ` Shung-Hsi Yu
2026-07-03 13:51 ` Mark Brown
135 siblings, 0 replies; 140+ messages in thread
From: Ron Economos @ 2026-07-03 6:39 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 7/2/26 09:18, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.177 release.
> There are 129 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.177-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-07-03 6:39 ` Ron Economos
@ 2026-07-03 7:15 ` Shung-Hsi Yu
2026-07-03 13:51 ` Mark Brown
135 siblings, 0 replies; 140+ messages in thread
From: Shung-Hsi Yu @ 2026-07-03 7:15 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Jul 02, 2026 at 06:18:39PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.177 release.
> There are 129 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> Anything received after that time might be too late.
test_progs, test_progs-no_alu32, test_progs-cpuv4, test_maps, test_verifier
in BPF selftests all passes[1] on x86_64.
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
1: https://github.com/kernel-patches/linux-stable/actions/runs/28642578397/job/84941873172
[...]
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu()
2026-07-03 3:12 ` 陈华才
@ 2026-07-03 7:22 ` Greg Kroah-Hartman
2026-07-03 13:16 ` Sasha Levin
1 sibling, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-03 7:22 UTC (permalink / raw)
To: 陈华才; +Cc: stable, patches, Guo Ren
On Fri, Jul 03, 2026 at 11:12:40AM +0800, 陈华才 wrote:
> Hi, Greg,
>
>
> > -----原始邮件-----
> > 发件人: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>
> > 发送时间:2026-07-03 00:20:14 (星期五)
> > 收件人: stable@vger.kernel.org
> > 抄送: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, patches@lists.linux.dev, "Guo Ren" <guoren@kernel.org>, "Huacai Chen" <chenhuacai@loongson.cn>
> > 主题: [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu()
> >
> > 6.1-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Huacai Chen <chenhuacai@loongson.cn>
> >
> > commit f2539c56c74691e7a88af6372ba2b48c06ed2fe4 upstream.
> >
> > This is a port of MIPS commit 9f3f3bdc6d9dac1 ("MIPS: smp: report dying
> > CPU to RCU in stop_this_cpu()"). smp_send_stop() parks all secondary
> > CPUs in stop_this_cpu(). And the function marks the CPU offline for the
> > scheduler via set_cpu_online(false) but never informs RCU, so RCU keeps
> > expecting a quiescent state from CPUs that are now spinning forever with
> > interrupts disabled.
> >
> > As long as nothing waits for an RCU grace period after smp_send_stop()
> > this is harmless, which is why it went unnoticed. However, since commit
> > 91840be8f710370 ("irq_work: Fix use-after-free in irq_work_single() on
> > PREEMPT_RT"), irq_work_sync() calls synchronize_rcu() on architectures
> > without an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt()
> > returns false. Any irq_work_sync() issued in the reboot/shutdown/halt
> > path after smp_send_stop() then blocks on a grace period that can never
> > complete, hanging the reboot:
> >
> > WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on
> > ...
> > rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
> > rcu: Offline CPU 1 blocking current GP.
> > rcu: Offline CPU 2 blocking current GP.
> > rcu: Offline CPU 3 blocking current GP.
> >
> > This issue needs some hacks to reproduce, and it was not noticed on
> > LoongArch because arch_irq_work_has_interrupt() usually returns true.
> >
> > Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring
> > the generic CPU-hotplug offline path, so RCU stops waiting on the parked
> > CPUs and grace periods can still complete. LoongArch shuts down all CPUs
> > here without going through the CPU-hotplug mechanism, so this report is
> > not otherwise issued.
> >
> > Cc: <stable@vger.kernel.org>
> > Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
> > Reviewed-by: Guo Ren <guoren@kernel.org>
> > Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > arch/loongarch/kernel/smp.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > --- a/arch/loongarch/kernel/smp.c
> > +++ b/arch/loongarch/kernel/smp.c
> > @@ -517,6 +517,7 @@ static void stop_this_cpu(void *dummy)
> > set_cpu_online(smp_processor_id(), false);
> > calculate_cpu_foreign_map();
> > local_irq_disable();
> > + rcutree_report_cpu_dead();
> For 6.1 & 6.6 this should be "rcu_report_dead(smp_processor_id())". If you don't want to modify please just drop this patch, and I will send for them.
Now dropped from those queues.
> 本邮件及其附件含有龙芯中科的商业秘密信息,仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制或散发)本邮件及其附件中的信息。如果您错收本邮件,请您立即电话或邮件通知发件人并删除本邮件。
> This email and its attachments contain confidential information from Loongson Technology , which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this email in error, please notify the sender by phone or email immediately and delete it.
Watch out for footers like this, normally my email system just deletes
the message as you shouldn't be sending any "confidential" info to me or
a public list.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu()
2026-07-03 3:12 ` 陈华才
2026-07-03 7:22 ` Greg Kroah-Hartman
@ 2026-07-03 13:16 ` Sasha Levin
1 sibling, 0 replies; 140+ messages in thread
From: Sasha Levin @ 2026-07-03 13:16 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Sasha Levin, stable, patches, Guo Ren, Huacai Chen
> For 6.1 & 6.6 this should be "rcu_report_dead(smp_processor_id())". If
> you don't want to modify please just drop this patch, and I will send
> for them.
Dropped, thanks!
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 140+ messages in thread
* Re: [PATCH 6.1 000/129] 6.1.177-rc1 review
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-07-03 7:15 ` Shung-Hsi Yu
@ 2026-07-03 13:51 ` Mark Brown
135 siblings, 0 replies; 140+ messages in thread
From: Mark Brown @ 2026-07-03 13:51 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Thu, Jul 02, 2026 at 06:18:39PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.177 release.
> There are 129 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 140+ messages in thread
end of thread, other threads:[~2026-07-03 13:51 UTC | newest]
Thread overview: 140+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 16:18 [PATCH 6.1 000/129] 6.1.177-rc1 review Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 001/129] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 002/129] net/sched: act_pedit: check static offsets a priori Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 003/129] net/sched: act_pedit: rate limit datapath messages Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 004/129] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 005/129] net/sched: act_pedit: free pedit keys on bail from offset check Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 006/129] selftests/bpf: move SYS() macro into the test_progs.h Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 007/129] KVM: VMX: Make vmread_error_trampoline() uncallable from C code Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 008/129] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 009/129] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 010/129] netfilter: nf_tables: always increment set element count Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 011/129] netfilter: nf_tables: fix set size with rbtree backend Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 012/129] netfilter: nf_tables: unconditionally bump set->nelems before insertion Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 013/129] selftests/bpf: Move get_time_ns to testing_helpers.h Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 014/129] selftests/bpf: Check for timeout in perf_link test Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 015/129] drm/v3d: Store the active job inside the queues state Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 016/129] drm/v3d: Skip CSD when it has zeroed workgroups Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 017/129] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 018/129] KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 019/129] KVM: nVMX: Check for pending posted interrupts when looking for nested events Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 6.1 020/129] KVM: nVMX: Fold requested virtual interrupt check into has_nested_events() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 021/129] net: annotate data-races around sk->sk_{data_ready,write_space} Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 022/129] debugobjects,locking: Annotate debug_object_fill_pool() wait type violation Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 023/129] debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 024/129] debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 025/129] debugobjects: Do not fill_pool() if pi_blocked_on Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 026/129] debugobjects: Dont call fill_pool() in early boot hardirq context Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 027/129] ARM: group is_permission_fault() with is_translation_fault() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 028/129] ARM: allow __do_kernel_fault() to report execution of memory faults Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 029/129] ARM: fix hash_name() fault Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 030/129] ARM: fix branch predictor hardening Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 031/129] RDMA/bnxt_re: zero shared page before exposing to userspace Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 032/129] i2c: stub: Reject I2C block transfers with invalid length Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 033/129] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 034/129] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 035/129] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 036/129] ring-buffer: Remove ring_buffer_read_prepare_sync() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 037/129] regulator: core: fix locking in regulator_resolve_supply() error path Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 038/129] dlm: prevent NPD when writing a positive value to event_done Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 039/129] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 040/129] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 041/129] ksmbd: reject non-VALID session in compound request branch Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 042/129] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 043/129] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 044/129] perf bench: Avoid NDEBUG warning Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 045/129] perf block-range: Move debug code behind ifndef NDEBUG Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 046/129] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 047/129] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 048/129] Revert "ptp: add testptp mask test" Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 049/129] mm/mglru: skip special VMAs in lru_gen_look_around() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 050/129] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 051/129] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 052/129] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 053/129] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 054/129] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 055/129] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 056/129] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 057/129] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 058/129] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 059/129] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 060/129] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 061/129] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 062/129] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 063/129] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 064/129] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 065/129] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 066/129] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 067/129] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 068/129] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 069/129] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 070/129] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 071/129] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 072/129] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 073/129] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 074/129] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 075/129] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 076/129] ext4: add bounds check for inline data length in ext4_read_inline_page Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 077/129] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 078/129] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 079/129] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.1 080/129] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 081/129] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 082/129] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 083/129] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 084/129] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 085/129] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 086/129] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 087/129] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 088/129] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 089/129] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 090/129] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 091/129] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 092/129] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 093/129] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 094/129] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 095/129] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-03 3:12 ` 陈华才
2026-07-03 7:22 ` Greg Kroah-Hartman
2026-07-03 13:16 ` Sasha Levin
2026-07-02 16:20 ` [PATCH 6.1 096/129] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 097/129] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 098/129] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 099/129] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 100/129] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 101/129] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 102/129] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 103/129] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 104/129] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 105/129] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 106/129] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 107/129] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 108/129] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 109/129] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 110/129] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 111/129] rpmsg: char: Add lock to avoid race when rpmsg device is released Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 112/129] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 113/129] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 114/129] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 115/129] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 116/129] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 117/129] futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 118/129] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 119/129] locking/rtmutex: Skip remove_waiter() when waiter is not enqueued Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 120/129] phonet: Pass ifindex to fill_addr() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 121/129] phonet: Pass net and ifindex to phonet_address_notify() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 122/129] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 123/129] fuse: re-lock request before replacing page cache folio Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 124/129] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 125/129] Documentation: ioctl-number: Extend "Include File" column width Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 126/129] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 127/129] crypto: qat - Return pointer directly in adf_ctl_alloc_resources Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 128/129] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.1 129/129] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 6.1 000/129] 6.1.177-rc1 review Brett A C Sheffield
2026-07-02 20:25 ` Peter Schneider
2026-07-02 21:49 ` Francesco Dolcini
2026-07-02 23:46 ` Miguel Ojeda
2026-07-03 6:39 ` Ron Economos
2026-07-03 7:15 ` Shung-Hsi Yu
2026-07-03 13:51 ` Mark Brown
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox