Linux kernel -stable discussions
* [PATCH 6.18 000/270] 6.18.30-rc1 review
@ 2026-05-12 17:36 Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 001/270] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 6.18.30 release.
There are 270 patches in this series, all of which will be posted as a
response to this one.  If anyone has any issues with these being applied,
please let me know.

Responses should be made by Thu, 14 May 2026 17:38:03 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.30-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 6.18.30-rc1

Prathyushi Nangia <prathyushi.nangia@amd.com>
    x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache

Gary Guo <gary@garyguo.net>
    rust: pin-init: fix incorrect accessor reference lifetime

Sam Edwards <cfsworks@gmail.com>
    net: stmmac: Prevent NULL deref when RX memory exhausted

Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: caam - guard HMAC key hex dumps in hash_digest_key

Thorsten Blum <thorsten.blum@linux.dev>
    printk: add print_hex_dump_devel()

Junrui Luo <moonafterrain@outlook.com>
    erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Gao Xiang <xiang@kernel.org>
    erofs: tidy up z_erofs_lz4_handle_overlap()

Zilin Guan <zilin@seu.edu.cn>
    hfsplus: fix held lock freed on hfsplus_fill_super()

Deepanshu Kartikey <kartikey406@gmail.com>
    hfsplus: fix uninit-value by validating catalog record size

Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
    firmware: exynos-acpm: Drop fake 'const' on handle pointer

Kairui Song <kasong@tencent.com>
    mm, swap: speed up hibernation allocation and writeout

Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
    crypto: qat - fix firmware loading failure for GEN6 devices

Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
    crypto: qat - fix indentation of macros in qat_hal.c

Luke Wang <ziniu.wang_1@nxp.com>
    mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs

Avri Altman <avri.altman@sandisk.com>
    mmc: core: Add quirk for incorrect manufacturing date

Avri Altman <avri.altman@sandisk.com>
    mmc: core: Adjust MDT beyond 2025

David Carlier <devnexen@gmail.com>
    octeon_ep_vf: add NULL check for napi_build_skb()

Thomas Weißschuh <linux@weissschuh.net>
    hwmon: (powerz) Avoid cacheline sharing for DMA buffer

Michael S. Tsirkin <mst@redhat.com>
    dma-mapping: add __dma_from_device_group_begin()/end()

Thomas Zimmermann <tzimmermann@suse.de>
    fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

SeongJae Park <sj@kernel.org>
    mm/damon/core: disallow non-power of two min_region_sz on damon_start()

Alexei Starovoitov <ast@kernel.org>
    bpf: Fix use-after-free in arena_vm_close on fork

Jens Axboe <axboe@kernel.dk>
    io_uring/tw: serialize ctx->retry_llist with ->uring_lock

Martin Michaelis <code@mgjm.de>
    io_uring/kbuf: support min length left for incremental buffers

Huacai Chen <chenhuacai@kernel.org>
    LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup

Tao Cui <cuitao@kylinos.cn>
    LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()

Bibo Mao <maobibo@loongson.cn>
    LoongArch: KVM: Move unconditional delay into timer clear scenery

Bibo Mao <maobibo@loongson.cn>
    LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software

Xianglai Li <lixianglai@loongson.cn>
    LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry

Qiang Ma <maqianga@uniontech.com>
    LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS

Wentao Guan <guanwentao@uniontech.com>
    LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()

Fuad Tabba <tabba@google.com>
    KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()

Fuad Tabba <tabba@google.com>
    KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer

Fuad Tabba <tabba@google.com>
    KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer

Quentin Perret <qperret@google.com>
    KVM: arm64: Fix initialisation order in __pkvm_init_finalise()

David Woodhouse <dwmw@amazon.co.uk>
    KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value

Marc Zyngier <maz@kernel.org>
    KVM: arm64: Wake-up from WFI when iqrchip is in userspace

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix fsck inconsistency caused by FGGC of node block

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix inline data not being written to disk in writeback path

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: refactor f2fs_move_node_folio function

Guangshuo Li <lgs201920130244@gmail.com>
    f2fs: fix uninitialized kobject put in f2fs_init_sysfs()

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix node_cnt race between extent node destroy and writeback

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix incorrect file address mapping when inline inode is unwritten

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix fiemap boundary handling when read extent cache is incomplete

Cen Zhang <zzzccc427@gmail.com>
    f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: return early if no retrans

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: free sk if last

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: always decrease sk refcount

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: fix potential data-race

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: allow ID 0

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: prio: skip closed subflows

Gang Yan <yangang@kylinos.cn>
    mptcp: fix scheduling with atomic in timestamp sockopt

Paolo Abeni <pabeni@redhat.com>
    mptcp: fix rx timestamp corruption on fastopen

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf

Gang Yan <yangang@kylinos.cn>
    mptcp: sockopt: set timestamp flags on subflow socket, not msk

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: fastclose msk when linger time is 0

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    selftests: mptcp: check output: catch cmd errors

David Carlier <devnexen@gmail.com>
    sched_ext: idle: Recheck prev_cpu after narrowing allowed mask

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

Michael Bommarito <michael.bommarito@gmail.com>
    RDMA/rxe: Reject unknown opcodes before ICRC processing

Michael Bommarito <michael.bommarito@gmail.com>
    RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

Junrui Luo <moonafterrain@outlook.com>
    RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mana: Validate rx_hash_key_len

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/ionic: Fix typo in format string

Kai Zen <kai.aizen.dev@gmail.com>
    RDMA/ionic: bound node_desc sysfs read with %.64s

Dapeng Mi <dapeng1.mi@linux.intel.com>
    perf/x86/intel: Always reprogram ACR events to prevent stale masks

Nilay Shroff <nilay@linux.ibm.com>
    powerpc/xive: fix kmemleak caused by incorrect chip_data lookup

André Draszik <andre.draszik@linaro.org>
    power: supply: max17042: avoid overflow when determining health

Lukas Wunner <lukas@wunner.de>
    PCI/ASPM: Fix pci_clear_and_set_config_dword() usage

Lukas Wunner <lukas@wunner.de>
    PCI/AER: Stop ruling out unbound devices as error source

Shuai Xue <xueshuai@linux.alibaba.com>
    PCI/AER: Clear only error bits in PCIe Device Status

Lukas Wunner <lukas@wunner.de>
    PCI: Update saved_config_space upon resource assignment

SeongJae Park <sj@kernel.org>
    mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

SeongJae Park <sj@kernel.org>
    mm/damon/stat: detect and use fresh enabled value

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: check for nEPT/nNPT in slow flush hypercalls

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: validate dacloffset before building DACL pointers

Bjoern Doebel <doebel@amazon.de>
    smb: client: use kzalloc to zero-initialize security descriptor buffer

Zisen Ye <zisenye@stu.xidian.edu.cn>
    smb/client: fix out-of-bounds read in symlink_data()

Zisen Ye <zisenye@stu.xidian.edu.cn>
    smb/client: fix out-of-bounds read in smb2_compound_op()

Ranjan Kumar <ranjan.kumar@broadcom.com>
    scsi: mpt3sas: Limit NVMe request size to 2 MiB

Pengpeng Hou <pengpeng@iscas.ac.cn>
    s390/debug: Reject zero-length input before trimming a newline

Vasily Gorbik <gor@linux.ibm.com>
    s390/debug: Reject zero-length input in debug_input_flush_fn()

Osama Abdelkader <osama.abdelkader@gmail.com>
    riscv: kvm: fix vector context allocation leak

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

David Carlier <devnexen@gmail.com>
    psp: strip variable-length PSP header in psp_dev_rcv()

Ulf Hansson <ulf.hansson@linaro.org>
    pmdomain: core: Fix detach procedure for virtual devices in genpd

Ilya Maximets <i.maximets@ovn.org>
    openvswitch: vport: fix self-deadlock on release of tunnel ports

Chaitanya Kulkarni <kch@nvidia.com>
    nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

Chaitanya Kulkarni <kch@nvidia.com>
    nvmet-tcp: fix race between ICReq handling and queue teardown

Fedor Pchelkin <pchelkin@ispras.ru>
    nvme-apple: drop invalid put of admin queue reference count

Junrui Luo <moonafterrain@outlook.com>
    md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
    libceph: Fix slab-out-of-bounds access in auth message processing

Christian A. Ehrhardt <lk@c--e.de>
    lib/scatterlist: fix temp buffer in extract_user_to_sg()

Christian A. Ehrhardt <lk@c--e.de>
    lib/scatterlist: fix length calculations in extract_kvec_to_sg

Lukas Wunner <lukas@wunner.de>
    lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Nicolin Chen <nicolinc@nvidia.com>
    iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update

Zhenzhong Duan <zhenzhong.duan@intel.com>
    iommu/vt-d: Block PASID attachment to nested domain with dirty tracking

Zhenzhong Duan <zhenzhong.duan@intel.com>
    iommufd: Fix return value of iommufd_fault_fops_write()

Michael Bommarito <michael.bommarito@gmail.com>
    isofs: validate block number from NFS file handle in isofs_export_iget

Michael Bommarito <michael.bommarito@gmail.com>
    isofs: validate Rock Ridge CE continuation extent against volume size

Eric Biggers <ebiggers@kernel.org>
    dm-verity-fec: correctly reject too-small hash devices

Eric Biggers <ebiggers@kernel.org>
    dm-verity-fec: correctly reject too-small FEC devices

David Carlier <devnexen@gmail.com>
    eventfs: Hold eventfs_mutex and SRCU when remount walks events

Mikulas Patocka <mpatocka@redhat.com>
    dm: fix a buffer overflow in ioctl processing

Mikulas Patocka <mpatocka@redhat.com>
    dm: don't report warning when doing deferred remove

Mikulas Patocka <mpatocka@redhat.com>
    dm-thin: fix metadata refcount underflow

Filipe Manana <fdmanana@suse.com>
    btrfs: fix missing last_unlink_trans update when removing a directory

Guangshuo Li <lgs201920130244@gmail.com>
    btrfs: fix double free in create_space_info() error path

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6apm: remove child devices when apm is removed

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error

Joseph Salisbury <joseph.salisbury@oracle.com>
    ASoC: fsl_easrc: fix comment typo

Li Jian <lazycat-xiao@foxmail.com>
    ASoC: ES8389: convert to devm_clk_get_optional() to get clock

Tommaso Soncin <soncintommaso@gmail.com>
    ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table

Shrikanth Hegde <sshegde@linux.ibm.com>
    cpuidle: powerpc: avoid double clear when breaking snooze

Conor Dooley <conor.dooley@microchip.com>
    clk: microchip: mpfs-ccc: fix out of bounds access during output registration

Stefan Eichenberger <stefan.eichenberger@toradex.com>
    clk: imx: imx8-acm: fix flags for acm clocks

Steven Rostedt <rostedt@goodmis.org>
    tracing/probes: Limit size of event probe to 3K

Johan Hovold <johan@kernel.org>
    spi: topcliff-pch: fix use-after-free on unbind

Johan Hovold <johan@kernel.org>
    spi: topcliff-pch: fix controller deregistration

Thorsten Blum <thorsten.blum@linux.dev>
    thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp

Thorsten Blum <thorsten.blum@linux.dev>
    thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    thermal: core: Free thermal zone ID later during removal

Michael Bommarito <michael.bommarito@gmail.com>
    udf: reject descriptors with oversized CRC length

David Carlier <devnexen@gmail.com>
    tracefs: Fix default permissions not being applied on initial mount

Conor Dooley <conor.dooley@microchip.com>
    spi: microchip-core-qspi: control built-in cs manually

Conor Dooley <conor.dooley@microchip.com>
    spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations

Johan Hovold <johan@kernel.org>
    spi: microchip-core-qspi: fix controller deregistration

Guangshuo Li <lgs201920130244@gmail.com>
    ice: fix double free in ice_sf_eth_activate() error path

Mingming Cao <mmc@linux.ibm.com>
    ibmveth: Disable GSO for packets with small MSS

Dexuan Cui <decui@microsoft.com>
    hv_sock: Return -EIO for malformed/short packets

Dexuan Cui <decui@microsoft.com>
    hv_sock: Report EOF instead of -EIO for FIN

Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
    hv_sock: fix ARM64 support

Thomas Zimmermann <tzimmermann@suse.de>
    hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    gpio: of: clear OF_POPULATED on hog nodes in remove path

Xu Yang <xu.yang_2@nxp.com>
    extcon: ptn5150: handle pending IRQ events during system resume

Shyam Prasad N <sprasad@microsoft.com>
    cifs: change_conf needs to be called for session setup

Shyam Prasad N <sprasad@microsoft.com>
    cifs: abort open_cached_dir if we don't request leases

Jens Axboe <axboe@kernel.dk>
    block: only read from sqe on initial invocation of blkdev_uring_cmd()

Naman Jain <namjain@linux.microsoft.com>
    block: add pgmap check to biovec_phys_mergeable

Wentao Liang <vulab@iscas.ac.cn>
    pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()

Breno Leitao <leitao@debian.org>
    arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's

Jiexun Wang <wangjiexun2025@gmail.com>
    af_unix: Reject SIOCATMARK on non-stream sockets

Myeonghun Pak <mhun512@gmail.com>
    hwmon: (corsair-psu) Close HID device on probe errors

Johan Hovold <johan@kernel.org>
    clk: rk808: fix OF node reference imbalance

Sanman Pradhan <psanman@juniper.net>
    hwmon: (ltc2992) Fix u32 overflow in power read path

Sanman Pradhan <psanman@juniper.net>
    hwmon: (ltc2992) Clamp threshold writes to hardware range

Ivan Hu <ivan.hu@canonical.com>
    x86/efi: Fix graceful fault handling after FPU softirq changes

Hongling Zeng <zenghongling@kylinos.cn>
    parisc: Fix IRQ leak in LASI driver

Tzung-Bi Shih <tzungbi@kernel.org>
    platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration

Pavitra Jha <jhapavitra98@gmail.com>
    net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

Nan Li <tonanli66@gmail.com>
    net/rds: handle zerocopy send cleanup before the message is queued

Breno Leitao <leitao@debian.org>
    netpoll: pass buffer size to egress_dev() to avoid MAC truncation

Jiawen Wu <jiawenwu@trustnetic.com>
    net: libwx: use request_irq for VF misc interrupt

Maoyi Xie <maoyixie.tju@gmail.com>
    ip6_gre: Use cached t->net in ip6erspan_changelink().

Jiawen Wu <jiawenwu@trustnetic.com>
    net: libwx: fix VF illegal register access

Ritesh Harjani (IBM) <ritesh.list@gmail.com>
    pseries/papr-hvpipe: Fix the usage of copy_to_user()

Ritesh Harjani (IBM) <ritesh.list@gmail.com>
    pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()

Ritesh Harjani (IBM) <ritesh.list@gmail.com>
    pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace

SeungJu Cheon <suunj1331@gmail.com>
    sound: ua101: fix division by zero at probe

Dapeng Mi <dapeng1.mi@linux.intel.com>
    perf/x86/intel: Improve validation and configuration of ACR masks

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: pm: ADD_ADDR rtx: skip inactive subflows

Kai Zen <kai.aizen.dev@gmail.com>
    net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo

Xianglai Li <lixianglai@loongson.cn>
    LoongArch: KVM: Compile switch.S directly into the kernel

Huacai Chen <chenhuacai@kernel.org>
    LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT

Sang-Heon Jeon <ekffu200098@gmail.com>
    mm/hugetlb_cma: round up per_node before logging it

Kevin Brodsky <kevin.brodsky@arm.com>
    arm64: signal: Preserve POR_EL0 if poe_context is missing

Tudor Ambarus <tudor.ambarus@linaro.org>
    mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Fuad Tabba <tabba@google.com>
    KVM: arm64: Fix kvm_vcpu_initialized() macro parameter

Miklos Szeredi <mszeredi@redhat.com>
    fanotify: fix false positive on permission events

Johan Hovold <johan@kernel.org>
    staging: vme_user: fix root device leak on init failure

Johan Hovold <johan@kernel.org>
    spi: s3c64xx: fix NULL-deref on driver unbind

Johan Hovold <johan@kernel.org>
    spi: zynqmp-gqspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: sun6i: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: ti-qspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: sun4i: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: syncuacer: fix controller deregistration

Miguel Ojeda <ojeda@kernel.org>
    rust: allow `clippy::collapsible_if` globally

Miguel Ojeda <ojeda@kernel.org>
    rust: allow `clippy::collapsible_match` globally

Eliot Courtney <ecourtney@nvidia.com>
    rust: drm: gem: clean up GEM state in init failure case

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

Tristan Madani <tristan@talencesecurity.com>
    Bluetooth: btmtk: validate WMT event SKB length before struct access

Michael Bommarito <michael.bommarito@gmail.com>
    Bluetooth: virtio_bt: validate rx pkt_type header length

Michael Bommarito <michael.bommarito@gmail.com>
    Bluetooth: virtio_bt: clamp rx length before skb_put

Tao Cui <cuitao@kylinos.cn>
    LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: prune /sys/fs/selinux/user

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: prune /sys/fs/selinux/disable

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: prune /sys/fs/selinux/checkreqprot

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: shrink critical section in sel_write_load()

David Windsor <dwindsor@gmail.com>
    selinux: don't reserve xattr slot when we won't fill it

Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
    selinux: use sk blob accessor in socket permission helpers

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: fix avdcache auditing

Michael Bommarito <michael.bommarito@gmail.com>
    xfrm: ah: account for ESN high bits in async callbacks

Yilin Zhu <zylzyl2333@gmail.com>
    ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

Michal Kosiorek <mkosiorek121@gmail.com>
    xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete

Ruijie Li <ruijieli51@gmail.com>
    xfrm: provide message size for XFRM_MSG_MAPPING

Ard Biesheuvel <ardb@kernel.org>
    x86/efi: Restore IRQ state in EFI page fault handler

Sourabh Jain <sourabhjain@linux.ibm.com>
    powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: seq: Fix UMP group 16 filtering

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: core: Serialize deferred fasync state checks

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: firewire-tascam: Do not drop unread control events

Yuriy Padlyak <yuriypadlyak@gmail.com>
    ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: hda: cs35l56: Propagate ASP TX source control errors

Xu Yang <xu.yang_2@nxp.com>
    usb: typec: tcpm: fix debug accessory mode detection for sink ports

Felix Gu <ustc.gu@gmail.com>
    usb: ulpi: fix memory leak on ulpi_register() error paths

Fabio Porcedda <fabio.porcedda@gmail.com>
    USB: serial: option: add Telit Cinterion LE910Cx compositions

Aaro Koskinen <aaro.koskinen@iki.fi>
    USB: omap_udc: DMA: Don't enable burst 4 mode

Amit Sunil Dhamne <amitsd@google.com>
    usb: typec: tcpm: reset internal port states on soft reset AMS

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: Fix UAC3 cluster descriptor size check

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: midi2: Restart output URBs on resume

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: usblp: fix heap leak in IEEE 1284 device ID via short response

Marek Szyprowski <m.szyprowski@samsung.com>
    wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task

Tristan Madani <tristan@talencesecurity.com>
    wifi: b43: enforce bounds check on firmware key index in b43_rx()

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: remove station if connection prep fails

Jiri Slaby (SUSE) <jirislaby@kernel.org>
    wifi: ath5k: do not access array OOB

Benjamin Berg <benjamin.berg@intel.com>
    wifi: mac80211: use safe list iteration in radar detect work

Jeongjun Park <aha310510@gmail.com>
    wifi: rsi: fix kthread lifetime race between self-exit and external-stop

Catherine <enderaoelyther@gmail.com>
    wifi: mac80211: drop stray 'static' from fast-RX rx_result

Tristan Madani <tristan@talencesecurity.com>
    wifi: b43legacy: enforce bounds check on firmware key index in RX path

Quan Zhou <quan.zhou@mediatek.com>
    wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work

Leon Yen <leon.yen@mediatek.com>
    wifi: mt76: mt7921: fix a potential clc buffer length underflow

Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
    wifi: mt76: mt7925: fix incorrect length field in txpower command

Quan Zhou <quan.zhou@mediatek.com>
    wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr

Jann Horn <jannh@google.com>
    exit: prevent preemption of oopsing TASK_DEAD task

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Ovidiu Panait <ovidiu.panait.rb@renesas.com>
    net: stmmac: Disable EEE RX clock stop when VLAN is enabled

Paolo Bonzini <pbonzini@redhat.com>
    KVM: SVM: check validity of VMCB controls when returning from SMM

Zhengchuan Liang <zcliangcn@gmail.com>
    net: af_key: zero aligned sockaddr tail in PF_KEY exports

Yi Kuo <yi@yikuo.dev>
    smb: client/smbdirect: fix MR registration for coalesced SG lists

Gang Yan <yangang@kylinos.cn>
    mptcp: sync the msk->sndbuf at accept() time

Qingfang Deng <qingfang.deng@linux.dev>
    flow_dissector: do not dissect PPPoE PFC frames

Sam Edwards <cfsworks@gmail.com>
    ceph: fix num_ops off-by-one when crypto allocation fails

Sean Christopherson <seanjc@google.com>
    KVM: x86: Fix shadow paging use-after-free due to unexpected GFN

DaeMyung Kang <charsyam@gmail.com>
    ksmbd: rewrite stop_sessions() with restartable iteration

Johan Hovold <johan@kernel.org>
    spi: rockchip: fix controller deregistration

Quan Zhou <quan.zhou@mediatek.com>
    wifi: mt76: mt7925: fix incorrect TLV length in CLC command

Mark Brown <broonie@kernel.org>
    ASoC: SOF: Don't allow pointer operations on unconfigured streams

Sina Hassani <sina@openai.com>
    iommufd: Fix a race with concurrent allocation and unmap

David Carlier <devnexen@gmail.com>
    tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()

Shivam Kalra <shivamkalra98@zohomail.in>
    ACPI: video: force native backlight on HP OMEN 16 (8A44)

Jinjie Ruan <ruanjinjie@huawei.com>
    ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug

Jan Schär <jan@jschaer.ch>
    ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO

Guangshuo Li <lgs201920130244@gmail.com>
    ACPI: scan: Use acpi_dev_put() in object add error paths

Rajat Gupta <rajgupt@qti.qualcomm.com>
    fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

Corey Minyard <corey@minyard.net>
    ipmi:si: Return state to normal if message allocation fails

Corey Minyard <corey@minyard.net>
    ipmi: Check event message buffer response for bad data

Corey Minyard <corey@minyard.net>
    ipmi: Add limits to event and receive message requests

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()


-------------

Diffstat:

 .../ABI/{obsolete => removed}/sysfs-selinux-user   |   0
 Makefile                                           |   6 +-
 arch/arm64/include/asm/kvm_host.h                  |   2 +-
 arch/arm64/kernel/ptrace.c                         |   4 +-
 arch/arm64/kernel/signal.c                         |  54 +++++--
 arch/arm64/kvm/arm.c                               |   4 +
 arch/arm64/kvm/config.c                            |  17 +-
 arch/arm64/kvm/hyp/nvhe/pkvm.c                     |  38 +++--
 arch/arm64/kvm/hyp/nvhe/setup.c                    |   8 +-
 arch/arm64/kvm/vgic/vgic-mmio-v2.c                 |   2 +-
 arch/arm64/kvm/vgic/vgic-mmio-v3.c                 |   2 +-
 arch/loongarch/Kbuild                              |   2 +-
 arch/loongarch/include/asm/asm-prototypes.h        |  20 +++
 arch/loongarch/include/asm/kvm_host.h              |   3 -
 arch/loongarch/include/asm/linkage.h               |   2 +-
 arch/loongarch/kvm/Makefile                        |   3 +-
 arch/loongarch/kvm/exit.c                          |   1 +
 arch/loongarch/kvm/interrupt.c                     |  14 ++
 arch/loongarch/kvm/main.c                          |  35 +---
 arch/loongarch/kvm/mmu.c                           |   2 +-
 arch/loongarch/kvm/switch.S                        |  22 ++-
 arch/loongarch/kvm/timer.c                         |  10 +-
 arch/loongarch/kvm/vm.c                            |   2 +-
 arch/loongarch/pci/acpi.c                          |   5 +
 arch/loongarch/pci/pci.c                           |   3 +
 arch/powerpc/kexec/Makefile                        |   2 +-
 arch/powerpc/platforms/pseries/papr-hvpipe.c       |  53 +++---
 arch/powerpc/sysdev/xive/common.c                  |  16 +-
 arch/riscv/kvm/vcpu_vector.c                       |   5 +-
 arch/s390/kernel/debug.c                           |   8 +
 arch/x86/events/core.c                             |  13 +-
 arch/x86/events/intel/core.c                       |  32 +++-
 arch/x86/include/asm/efi.h                         |   3 +-
 arch/x86/include/asm/msr-index.h                   |   3 +-
 arch/x86/kernel/cpu/amd.c                          |   3 +
 arch/x86/kvm/hyperv.c                              |   2 +-
 arch/x86/kvm/lapic.c                               |   8 +-
 arch/x86/kvm/mmu/mmu.c                             |  35 ++--
 arch/x86/kvm/svm/nested.c                          |  12 +-
 arch/x86/kvm/svm/svm.c                             |   4 +
 arch/x86/kvm/svm/svm.h                             |   1 +
 arch/x86/mm/fault.c                                |   2 +-
 arch/x86/platform/efi/quirks.c                     |  13 +-
 block/blk.h                                        |   2 +
 block/ioctl.c                                      |  24 +--
 drivers/acpi/cppc_acpi.c                           |   6 +-
 drivers/acpi/power.c                               |   2 +-
 drivers/acpi/scan.c                                |   2 +-
 drivers/acpi/video_detect.c                        |  16 ++
 drivers/android/binder/range_alloc/array.rs        |   1 -
 drivers/bluetooth/btmtk.c                          |  15 +-
 drivers/bluetooth/virtio_bt.c                      |  39 ++++-
 drivers/char/ipmi/ipmi_si_intf.c                   |  70 ++++++--
 drivers/char/ipmi/ipmi_ssif.c                      |  23 ++-
 drivers/clk/clk-rk808.c                            |   2 +-
 drivers/clk/imx/clk-imx8-acm.c                     |   3 +-
 drivers/clk/microchip/clk-mpfs-ccc.c               |   6 +-
 drivers/cpuidle/cpuidle-powernv.c                  |   5 +-
 drivers/cpuidle/cpuidle-pseries.c                  |   5 +-
 drivers/crypto/caam/caamalg_qi2.c                  |   4 +-
 drivers/crypto/caam/caamhash.c                     |   4 +-
 .../crypto/intel/qat/qat_common/adf_accel_engine.c |   7 +
 .../qat/qat_common/icp_qat_fw_loader_handle.h      |   1 +
 drivers/crypto/intel/qat/qat_common/qat_hal.c      |  27 ++--
 drivers/extcon/extcon-ptn5150.c                    |  14 ++
 drivers/firmware/samsung/exynos-acpm-pmic.c        |  10 +-
 drivers/firmware/samsung/exynos-acpm-pmic.h        |  10 +-
 drivers/firmware/samsung/exynos-acpm.c             |  16 +-
 drivers/firmware/samsung/exynos-acpm.h             |   2 +-
 drivers/gpio/gpiolib-of.c                          |   9 +-
 drivers/hv/Kconfig                                 |   2 +-
 drivers/hwmon/corsair-psu.c                        |   4 +-
 drivers/hwmon/ltc2992.c                            |  41 +++--
 drivers/hwmon/powerz.c                             |   5 +-
 drivers/infiniband/hw/hns/hns_roce_qp.c            |   7 +
 drivers/infiniband/hw/ionic/ionic_ibdev.c          |   2 +-
 drivers/infiniband/hw/mana/cq.c                    |   5 +-
 drivers/infiniband/hw/mana/qp.c                    |  16 +-
 drivers/infiniband/hw/mlx4/srq.c                   |   4 +-
 drivers/infiniband/hw/mlx5/main.c                  |   1 +
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c        |   4 +-
 drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c    |   2 +-
 drivers/infiniband/sw/rxe/rxe_recv.c               |  11 ++
 drivers/infiniband/sw/rxe/rxe_resp.c               |  14 +-
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c        |   7 +
 drivers/iommu/intel/nested.c                       |   6 +-
 drivers/iommu/iommufd/eventq.c                     |   5 +-
 drivers/iommu/iommufd/io_pagetable.c               |  10 ++
 drivers/md/dm-ioctl.c                              |   6 +-
 drivers/md/dm-verity-fec.c                         |   8 +-
 drivers/md/persistent-data/dm-btree-remove.c       |   8 +
 drivers/md/raid10.c                                |   2 +
 drivers/mfd/sec-acpm.c                             |  10 +-
 drivers/mmc/core/card.h                            |  11 ++
 drivers/mmc/core/mmc.c                             |  12 ++
 drivers/mmc/core/queue.c                           |   9 +-
 drivers/mmc/core/quirks.h                          |  12 ++
 drivers/mtd/spi-nor/debugfs.c                      |   4 +-
 drivers/net/ethernet/ibm/ibmveth.c                 |  22 +++
 drivers/net/ethernet/ibm/ibmveth.h                 |   1 +
 drivers/net/ethernet/intel/ice/ice_sf_eth.c        |   2 +
 .../ethernet/marvell/octeon_ep_vf/octep_vf_rx.c    |  36 ++++-
 drivers/net/ethernet/mellanox/mlx4/srq.c           |  13 +-
 drivers/net/ethernet/stmicro/stmmac/chain_mode.c   |   2 +-
 drivers/net/ethernet/stmicro/stmmac/common.h       |   2 +-
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c    |   2 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  47 +++---
 drivers/net/ethernet/wangxun/libwx/wx_hw.c         |   7 +-
 drivers/net/ethernet/wangxun/libwx/wx_vf_common.c  |   4 +-
 drivers/net/wireless/ath/ath5k/base.c              |   3 +-
 drivers/net/wireless/broadcom/b43/xmit.c           |   3 +-
 drivers/net/wireless/broadcom/b43legacy/xmit.c     |   3 +-
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |   6 +-
 drivers/net/wireless/mediatek/mt76/mt7921/main.c   |   7 +-
 drivers/net/wireless/mediatek/mt76/mt7921/mcu.c    |   3 +
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c    |   6 +-
 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c    |   4 +-
 drivers/net/wireless/rsi/rsi_common.h              |   5 +-
 drivers/net/wwan/t7xx/t7xx_modem_ops.c             |  20 ++-
 drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c         |  18 ++-
 drivers/net/wwan/t7xx/t7xx_port_proxy.h            |   2 +-
 drivers/nvme/host/apple.c                          |   6 +-
 drivers/nvme/target/core.c                         |   2 +-
 drivers/nvme/target/tcp.c                          |  26 +++
 drivers/parisc/lasi.c                              |  12 +-
 drivers/pci/pci.c                                  |   7 +-
 drivers/pci/pcie/aer.c                             |   2 -
 drivers/pci/pcie/aspm.c                            |  17 +-
 drivers/pci/setup-res.c                            |   2 +
 drivers/platform/chrome/cros_typec_altmode.c       |   1 +
 drivers/pmdomain/core.c                            |  10 +-
 drivers/pmdomain/mediatek/mtk-pm-domains.c         |  10 +-
 drivers/power/supply/max17042_battery.c            |   2 +-
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |  14 +-
 drivers/spi/spi-microchip-core-qspi.c              | 103 +++++++++---
 drivers/spi/spi-rockchip.c                         |   4 +-
 drivers/spi/spi-s3c64xx.c                          |   5 -
 drivers/spi/spi-sun4i.c                            |  10 +-
 drivers/spi/spi-sun6i.c                            |   8 +-
 drivers/spi/spi-synquacer.c                        |   8 +-
 drivers/spi/spi-ti-qspi.c                          |  14 +-
 drivers/spi/spi-topcliff-pch.c                     |  11 +-
 drivers/spi/spi-zynqmp-gqspi.c                     |   4 +-
 drivers/staging/vme_user/vme_fake.c                |   2 +
 drivers/target/target_core_configfs.c              |   2 +-
 drivers/thermal/sprd_thermal.c                     |   4 +-
 drivers/thermal/thermal_core.c                     |   6 +-
 drivers/usb/class/usblp.c                          |   3 +-
 drivers/usb/common/ulpi.c                          |   5 +-
 drivers/usb/gadget/udc/omap_udc.c                  |   4 -
 drivers/usb/serial/option.c                        |   4 +
 drivers/usb/typec/tcpm/tcpm.c                      |  27 ++--
 drivers/video/fbdev/core/fb_defio.c                | 178 ++++++++++++++++-----
 drivers/video/fbdev/udlfb.c                        |  31 +++-
 fs/btrfs/inode.c                                   |   2 +
 fs/btrfs/space-info.c                              |   2 +-
 fs/ceph/addr.c                                     |   4 +
 fs/erofs/decompressor.c                            |  86 +++++-----
 fs/f2fs/data.c                                     |  28 +++-
 fs/f2fs/extent_cache.c                             |  17 +-
 fs/f2fs/f2fs.h                                     |   2 +
 fs/f2fs/inline.c                                   |  22 ++-
 fs/f2fs/inode.c                                    |   2 +-
 fs/f2fs/node.c                                     |  95 +++++------
 fs/f2fs/sysfs.c                                    |  10 +-
 fs/hfsplus/bfind.c                                 |  51 ++++++
 fs/hfsplus/catalog.c                               |   4 +-
 fs/hfsplus/dir.c                                   |   2 +-
 fs/hfsplus/hfsplus_fs.h                            |   9 ++
 fs/hfsplus/super.c                                 |   6 +-
 fs/isofs/export.c                                  |   2 +-
 fs/isofs/rock.c                                    |   9 ++
 fs/notify/fsnotify.c                               |   2 +-
 fs/notify/mark.c                                   |  18 ++-
 fs/smb/client/cached_dir.c                         |   8 +
 fs/smb/client/cifsacl.c                            |  37 ++++-
 fs/smb/client/smb2inode.c                          |  12 +-
 fs/smb/client/smb2misc.c                           |   3 +-
 fs/smb/client/smb2ops.c                            |  11 ++
 fs/smb/client/smbdirect.c                          |  21 +--
 fs/smb/server/connection.c                         |  48 ++++--
 fs/smb/server/connection.h                         |   1 +
 fs/tracefs/event_inode.c                           |  14 ++
 fs/tracefs/inode.c                                 |   6 +-
 fs/tracefs/internal.h                              |   3 +
 fs/udf/misc.c                                      |   8 +-
 include/linux/dma-mapping.h                        |  13 ++
 include/linux/fb.h                                 |   4 +-
 .../linux/firmware/samsung/exynos-acpm-protocol.h  |  29 ++--
 include/linux/fsnotify_backend.h                   |   1 +
 include/linux/mmc/card.h                           |   2 +
 include/linux/printk.h                             |  13 ++
 include/uapi/linux/io_uring.h                      |   3 +-
 include/video/udlfb.h                              |   1 +
 io_uring/io_uring.c                                |  12 +-
 io_uring/kbuf.c                                    |  12 +-
 io_uring/kbuf.h                                    |   7 +
 kernel/bpf/arena.c                                 |  19 ++-
 kernel/exit.c                                      |   1 +
 kernel/sched/ext_idle.c                            |  12 +-
 kernel/trace/trace_probe.c                         |   6 +
 kernel/trace/trace_probe.h                         |   4 +-
 kernel/tracepoint.c                                |   2 +
 lib/crypto/mpi/mpicoder.c                          |   2 +-
 lib/scatterlist.c                                  |   8 +-
 mm/damon/core.c                                    |   5 +
 mm/damon/stat.c                                    |  30 ++--
 mm/damon/sysfs-schemes.c                           |  12 +-
 mm/hugetlb_cma.c                                   |   1 +
 mm/swapfile.c                                      |  21 ++-
 net/bluetooth/hci_event.c                          |  29 +++-
 net/bluetooth/l2cap_sock.c                         |   9 ++
 net/ceph/auth.c                                    |   2 +-
 net/ceph/mon_client.c                              |   2 +
 net/core/flow_dissector.c                          |  13 +-
 net/core/netpoll.c                                 |  23 +--
 net/core/rtnetlink.c                               |   1 +
 net/ipv4/ah4.c                                     |  14 +-
 net/ipv6/ah6.c                                     |  14 +-
 net/ipv6/ip6_gre.c                                 |   5 +-
 net/ipv6/xfrm6_protocol.c                          |   4 +-
 net/key/af_key.c                                   |  52 +++---
 net/mac80211/mlme.c                                |   9 +-
 net/mac80211/rx.c                                  |   2 +-
 net/mac80211/util.c                                |   4 +-
 net/mptcp/fastopen.c                               |   4 +-
 net/mptcp/pm.c                                     |  62 ++++---
 net/mptcp/pm_kernel.c                              |  13 +-
 net/mptcp/protocol.c                               |   6 +-
 net/mptcp/sockopt.c                                |  16 +-
 net/mptcp/subflow.c                                |   4 +-
 net/openvswitch/vport-netdev.c                     |   6 +-
 net/psp/psp_main.c                                 |  42 +++--
 net/rds/message.c                                  |  20 ++-
 net/sched/sch_red.c                                |   2 +-
 net/unix/af_unix.c                                 |   3 +
 net/vmw_vsock/hyperv_transport.c                   |  33 +++-
 net/xfrm/xfrm_state.c                              |  12 +-
 net/xfrm/xfrm_user.c                               |   1 +
 rust/kernel/drm/gem/mod.rs                         |  13 +-
 rust/pin-init/src/__internal.rs                    |  28 ++--
 rust/pin-init/src/macros.rs                        |  91 ++++++-----
 security/selinux/hooks.c                           |  38 ++---
 security/selinux/include/objsec.h                  |   4 +-
 security/selinux/include/security.h                |   2 -
 security/selinux/selinuxfs.c                       | 169 ++++---------------
 security/selinux/ss/services.c                     | 125 ---------------
 sound/core/misc.c                                  |   8 +-
 sound/core/oss/pcm_oss.c                           |  29 +++-
 sound/core/seq/seq_clientmgr.c                     |   2 +-
 sound/core/seq/seq_clientmgr.h                     |   5 +-
 sound/core/seq/seq_ump_client.c                    |   2 +-
 sound/firewire/tascam/tascam-hwdep.c               |   1 +
 sound/hda/codecs/realtek/alc269.c                  |  19 +++
 sound/hda/codecs/side-codecs/cs35l56_hda.c         |  19 ++-
 sound/soc/amd/yc/acp6x-mach.c                      |  14 ++
 sound/soc/codecs/es8389.c                          |   2 +-
 sound/soc/fsl/fsl_easrc.c                          |   2 +-
 sound/soc/intel/boards/bytcr_wm5102.c              |   1 +
 sound/soc/qcom/qdsp6/q6apm-dai.c                   |   1 +
 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c            |   2 +-
 sound/soc/qcom/qdsp6/q6apm.c                       |   3 +
 sound/soc/sof/compress.c                           |   3 +
 sound/usb/midi2.c                                  |   9 +-
 sound/usb/misc/ua101.c                             |   7 +
 sound/usb/stream.c                                 |   4 +-
 tools/arch/x86/include/asm/msr-index.h             |   3 +-
 tools/testing/selftests/net/mptcp/mptcp_lib.sh     |  16 +-
 tools/testing/selftests/net/mptcp/pm_netlink.sh    |  20 ++-
 269 files changed, 2440 insertions(+), 1165 deletions(-)




* [PATCH 6.18 001/270] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 002/270] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
                   ` (273 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 772a896a56e0e3ef9424a025cec9176f9d8f4552 upstream.

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a
256-byte stack buffer, then will memcpy() cur_len bytes from that
buffer.  snprintf() returns the length the output would have had, which
can exceed the buffer size when the fabric WWN is long because iSCSI IQN
names can be up to 223 bytes.  The check at the memcpy() site only
guards the destination page write, not the source read, so memcpy() will
read past the stack buffer and copy adjacent stack contents to the sysfs
reader, which, when CONFIG_FORTIFY_SOURCE is enabled, triggers
fortify_panic().

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length
check to avoid buffer overflow") added the same bound to the
target_lu_gp_members_show() but the tg_pt_gp variant was missed so
resolve that here.

Cc: Martin K. Petersen <martin.petersen@oracle.com>
Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6")
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026041159-garter-theft-3be0@gregkh
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/target_core_configfs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -3170,7 +3170,7 @@ static ssize_t target_tg_pt_gp_members_s
 			config_item_name(&lun->lun_group.cg_item));
 		cur_len++; /* Extra byte for NULL terminator */
 
-		if ((cur_len + len) > PAGE_SIZE) {
+		if (cur_len > TG_PT_GROUP_NAME_BUF || (cur_len + len) > PAGE_SIZE) {
 			pr_warn("Ran out of lu_gp_show_attr"
 				"_members buffer\n");
 			break;
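Review bot: the pr_warn() text still says lu_gp_show_attr_members although this is the tg_pt_gp variant, so a hit on the new `cur_len > TG_PT_GROUP_NAME_BUF` condition will point whoever reads dmesg at the wrong function; please make the message name tg_pt_gp. The bound itself is right: cur_len already includes the extra NUL byte added on the line above, so an entry that exactly fills the 256-byte buffer (snprintf() returning 255) gives cur_len == TG_PT_GROUP_NAME_BUF and is still copied, while any truncated entry makes cur_len larger and breaks out. Note that the break silently drops every remaining member for one oversized entry; if callers care, an explicit truncation marker in the page or an error return would be more honest than a warning alone.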



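The over-read the commit message describes, modelled in user space as an added example (this is not kernel code and not part of the patch): the loop is reduced to one entry, the format string, fabric name, tpgt and LUN directory name are assumptions, and the memcpy() is clamped so the model never reads off the end of the buffer; instead it reports how many bytes of adjacent stack the old check would have let memcpy() copy into the sysfs page. Build with `cc -Wall` and run it.

```c
#include <stdio.h>
#include <string.h>

#define TG_PT_GROUP_NAME_BUF	256	/* stack buffer size from the commit message */
#define PAGE_SIZE		4096	/* destination page size, assumed */

/*
 * One iteration of the members_show loop.  'fixed' selects the bounded
 * check this patch adds.  Returns 1 if the entry was copied into page,
 * 0 if the loop would break.  *overread is how many bytes past buf the
 * old code's memcpy() would have read (always 0 with the fix).
 */
static int show_member(char *page, size_t *len, const char *fabric,
		       const char *wwn, unsigned short tag, const char *lun,
		       int fixed, int *overread)
{
	char buf[TG_PT_GROUP_NAME_BUF];
	/* snprintf() reports the length the output would have had, not what fit */
	int cur_len = snprintf(buf, sizeof(buf), "%s/%s/tpgt_%hu/%s\n",
			       fabric, wwn, tag, lun);

	cur_len++;		/* extra byte for NUL terminator, as the driver does */
	*overread = 0;

	if (fixed && cur_len > TG_PT_GROUP_NAME_BUF)
		return 0;	/* the fix: a truncated entry is never copied */
	if (cur_len + *len > PAGE_SIZE)
		return 0;	/* old check: guards the destination page only */

	if (cur_len > (int)sizeof(buf)) {
		/*
		 * The old code does memcpy(page + len, buf, cur_len) here and
		 * reads cur_len - sizeof(buf) bytes of adjacent stack into the
		 * page.  Record that and clamp so this model stays safe.
		 */
		*overread = cur_len - (int)sizeof(buf);
		cur_len = sizeof(buf);
	}
	memcpy(page + *len, buf, cur_len);
	*len += cur_len;
	return 1;
}

/* Constructed input: a 223-byte IQN (the maximum) and a 40-byte LUN dir name. */
static int run_long_iqn(int fixed, int *copied)
{
	static char page[PAGE_SIZE];
	char wwn[224], lun[41];
	size_t len = 0;
	int overread;

	memset(wwn, 'a', 223);
	memcpy(wwn, "iqn.2026-05.com.example:", 24);	/* keep it IQN-shaped */
	wwn[223] = '\0';
	memset(lun, 'l', 40);
	lun[40] = '\0';

	*copied = show_member(page, &len, "iscsi", wwn, 1, lun, fixed, &overread);
	return overread;
}

int long_iqn_overread(int fixed)
{
	int copied;

	return run_long_iqn(fixed, &copied);
}

int long_iqn_copied(int fixed)
{
	int copied;

	run_long_iqn(fixed, &copied);
	return copied;
}

/* A name that fits must still be listed under both checks. */
int short_name_copied(int fixed)
{
	static char page[PAGE_SIZE];
	size_t len = 0;
	int overread;

	return show_member(page, &len, "iscsi", "iqn.2026-05.com.example:t1", 1,
			   "lun_0", fixed, &overread);
}

int main(void)
{
	printf("old check: copied=%d, stack over-read=%d bytes\n",
	       long_iqn_copied(0), long_iqn_overread(0));
	printf("new check: copied=%d, stack over-read=%d bytes\n",
	       long_iqn_copied(1), long_iqn_overread(1));
	return 0;
}
```

With the assumed format string the 223-byte IQN plus a 40-byte LUN name comes to 278 bytes, so cur_len is 279 and the old check lets memcpy() read 23 bytes beyond the 256-byte buffer while the new check refuses the entry; a short name is listed either way.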

* [PATCH 6.18 002/270] ipmi: Add limits to event and receive message requests
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 001/270] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 003/270] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
                   ` (272 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Fleming, Corey Minyard

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit c4cca236968683eb0d59abfb12d5c7e4d8514227 upstream.

The driver would just fetch events and receive messages until the
BMC said it was done.  To avoid issues with BMCs that never say they are
done, add a limit of 10 fetches at a time.

In addition, an si interface has an attn state it can return from the
hardware which is supposed to cause a flag fetch to see if the driver
needs to fetch events or messages or a few other things.  If the attn
bit gets stuck, it's a similar problem.  So allow messages in between
flag fetches so the driver itself doesn't get stuck.

This is a more general fix than the previous fix for the specific bad
BMC, but should fix the more general issue of a BMC that won't stop
saying it has data.

This has been there from the beginning of the driver.  It's not a bug
per se, but it is accounting for bugs in BMCs.

Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/lkml/20260415115930.3428942-1-matt@readmodwrite.com/
Fixes: <1da177e4c3f4> ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si_intf.c |   54 +++++++++++++++++++++++++++++++--------
 drivers/char/ipmi/ipmi_ssif.c    |   23 +++++++++++++++-
 2 files changed, 64 insertions(+), 13 deletions(-)

--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -168,6 +168,10 @@ struct smi_info {
 			     OEM2_DATA_AVAIL)
 	unsigned char       msg_flags;
 
+	/* When requesting events and messages, don't do it forever. */
+	unsigned int        num_requests_in_a_row;
+	bool		    last_was_flag_fetch;
+
 	/* Does the BMC have an event buffer? */
 	bool		    has_event_buffer;
 
@@ -411,7 +415,10 @@ static void start_getting_msg_queue(stru
 
 	start_new_msg(smi_info, smi_info->curr_msg->data,
 		      smi_info->curr_msg->data_size);
-	smi_info->si_state = SI_GETTING_MESSAGES;
+	if (smi_info->si_state != SI_GETTING_MESSAGES) {
+		smi_info->num_requests_in_a_row = 0;
+		smi_info->si_state = SI_GETTING_MESSAGES;
+	}
 }
 
 static void start_getting_events(struct smi_info *smi_info)
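Review bot: num_requests_in_a_row is reset only when si_state actually changes, so it counts fetches since the last entry into SI_GETTING_MESSAGES (or SI_GETTING_EVENTS below), not since the last flag fetch; that looks intended but the new struct field carries only "don't do it forever", so please say which it is there. The same four-line block is repeated verbatim in start_getting_events(); a small helper taking the target state would avoid the two copies drifting apart.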
@@ -422,7 +429,10 @@ static void start_getting_events(struct
 
 	start_new_msg(smi_info, smi_info->curr_msg->data,
 		      smi_info->curr_msg->data_size);
-	smi_info->si_state = SI_GETTING_EVENTS;
+	if (smi_info->si_state != SI_GETTING_EVENTS) {
+		smi_info->num_requests_in_a_row = 0;
+		smi_info->si_state = SI_GETTING_EVENTS;
+	}
 }
 
 /*
@@ -596,6 +606,7 @@ static void handle_transaction_done(stru
 			smi_info->si_state = SI_NORMAL;
 		} else {
 			smi_info->msg_flags = msg[3];
+			smi_info->last_was_flag_fetch = true;
 			handle_flags(smi_info);
 		}
 		break;
@@ -641,6 +652,11 @@ static void handle_transaction_done(stru
 		} else {
 			smi_inc_stat(smi_info, events);
 
+			smi_info->num_requests_in_a_row++;
+			if (smi_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				smi_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
+
 			/*
 			 * Do this before we deliver the message
 			 * because delivering the message releases the
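Review bot: `num_requests_in_a_row > 10` trips after the eleventh successful fetch, not the tenth that the commit message promises; either use `>= 10` or say 11. The 10 is also a bare literal repeated four times across ipmi_si_intf.c and ipmi_ssif.c in this patch; one named constant (for example IPMI_MAX_REQUESTS_IN_A_ROW) would keep the two drivers in step. Clearing EVENT_MSG_BUFFER_FULL here leaves any remaining events for a later flags fetch, which is the point for a stuck BMC, but a sentence saying so in the comment would stop someone later "fixing" it.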
@@ -679,6 +695,11 @@ static void handle_transaction_done(stru
 		} else {
 			smi_inc_stat(smi_info, incoming_messages);
 
+			smi_info->num_requests_in_a_row++;
+			if (smi_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				smi_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
+
 			/*
 			 * Do this before we deliver the message
 			 * because delivering the message releases the
@@ -821,6 +842,26 @@ restart:
 	}
 
 	/*
+	 * If we are currently idle, or if the last thing that was
+	 * done was a flag fetch and there is a message pending, try
+	 * to start the next message.
+	 *
+	 * We do the waiting message check to avoid a stuck flag
+	 * completely wedging the driver.  Let a message through
+	 * in between flag operations if that happens.
+	 */
+	if (si_sm_result == SI_SM_IDLE ||
+	    (si_sm_result == SI_SM_ATTN && smi_info->waiting_msg &&
+	     smi_info->last_was_flag_fetch)) {
+		smi_info->last_was_flag_fetch = false;
+		smi_inc_stat(smi_info, idles);
+
+		si_sm_result = start_next_msg(smi_info);
+		if (si_sm_result != SI_SM_IDLE)
+			goto restart;
+	}
+
+	/*
 	 * We prefer handling attn over new messages.  But don't do
 	 * this if there is not yet an upper layer to handle anything.
 	 */
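Review bot: with the idle/start-next-message block moved ahead of the attn handling, the comment that follows it ("We prefer handling attn over new messages") is now only true when the previous transaction was not a flag fetch; please reword it to describe the new order, since the `SI_SM_ATTN && waiting_msg && last_was_flag_fetch` case deliberately lets one message jump ahead of attn. Also note that last_was_flag_fetch is cleared unconditionally inside this block, including on the plain SI_SM_IDLE path, which is what guarantees messages and flag fetches alternate rather than two messages in a row starving a pending attn; a one-line comment stating that invariant would make it explicit.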
@@ -847,15 +888,6 @@ restart:
 		}
 	}
 
-	/* If we are currently idle, try to start the next message. */
-	if (si_sm_result == SI_SM_IDLE) {
-		smi_inc_stat(smi_info, idles);
-
-		si_sm_result = start_next_msg(smi_info);
-		if (si_sm_result != SI_SM_IDLE)
-			goto restart;
-	}
-
 	if ((si_sm_result == SI_SM_IDLE)
 	    && (atomic_read(&smi_info->req_events))) {
 		/*
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -225,6 +225,9 @@ struct ssif_info {
 	bool		    has_event_buffer;
 	bool		    supports_alert;
 
+	/* When requesting events and messages, don't do it forever. */
+	unsigned int        num_requests_in_a_row;
+
 	/*
 	 * Used to tell what we should do with alerts.  If we are
 	 * waiting on a response, read the data immediately.
@@ -413,7 +416,10 @@ static void start_event_fetch(struct ssi
 	}
 
 	ssif_info->curr_msg = msg;
-	ssif_info->ssif_state = SSIF_GETTING_EVENTS;
+	if (ssif_info->ssif_state != SSIF_GETTING_EVENTS) {
+		ssif_info->num_requests_in_a_row = 0;
+		ssif_info->ssif_state = SSIF_GETTING_EVENTS;
+	}
 	ipmi_ssif_unlock_cond(ssif_info, flags);
 
 	msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
@@ -436,7 +442,10 @@ static void start_recv_msg_fetch(struct
 	}
 
 	ssif_info->curr_msg = msg;
-	ssif_info->ssif_state = SSIF_GETTING_MESSAGES;
+	if (ssif_info->ssif_state != SSIF_GETTING_MESSAGES) {
+		ssif_info->num_requests_in_a_row = 0;
+		ssif_info->ssif_state = SSIF_GETTING_MESSAGES;
+	}
 	ipmi_ssif_unlock_cond(ssif_info, flags);
 
 	msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
@@ -843,6 +852,11 @@ static void msg_done_handler(struct ssif
 			ssif_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
 			handle_flags(ssif_info, flags);
 		} else {
+			ssif_info->num_requests_in_a_row++;
+			if (ssif_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				ssif_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
+
 			handle_flags(ssif_info, flags);
 			ssif_inc_stat(ssif_info, events);
 			deliver_recv_msg(ssif_info, msg);
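Review bot: checking the limit before handle_flags() is the right order, since handle_flags() is what decides from msg_flags whether another fetch is started, but there is no SSIF counterpart to the si driver's last_was_flag_fetch handling, so an SSIF device whose alert sticks gets the fetch cap but not the message-in-between-flag-fetches relief the commit message describes. If that is because SSIF has no attn state (as the commit message implies), a sentence saying so would save the next reader the question.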
@@ -876,6 +890,11 @@ static void msg_done_handler(struct ssif
 			ssif_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
 			handle_flags(ssif_info, flags);
 		} else {
+			ssif_info->num_requests_in_a_row++;
+			if (ssif_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				ssif_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
+
 			ssif_inc_stat(ssif_info, incoming_messages);
 			handle_flags(ssif_info, flags);
 			deliver_recv_msg(ssif_info, msg);




* [PATCH 6.18 003/270] ipmi: Check event message buffer response for bad data
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 001/270] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 002/270] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 004/270] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
                   ` (271 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Fleming, Corey Minyard

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 36920f30e78e69df01f9691c470b6f3ba8aebf98 upstream.

The event message buffer response data size got checked later when
processing, but check it right after the response comes back.  It
appears some BMCs may return an empty message instead of an error
when fetching events.

There are apparently some new BMCs that make this error, so we need to
compensate.

Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/lkml/20260415115930.3428942-1-matt@readmodwrite.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si_intf.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -642,7 +642,13 @@ static void handle_transaction_done(stru
 		 */
 		msg = smi_info->curr_msg;
 		smi_info->curr_msg = NULL;
-		if (msg->rsp[2] != 0) {
+		/*
+		 * It appears some BMCs, with no event data, return no
+		 * data in the message and not a 0x80 error as the
+		 * spec says they should.  Shut down processing if
+		 * the data is not the right length.
+		 */
+		if (msg->rsp[2] != 0 || msg->rsp_size != 19) {
 			/* Error getting event, probably done. */
 			msg->done(msg);
 
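Review bot: `msg->rsp_size != 19` is a bare literal; 19 is presumably the 3-byte response header (netfn/LUN, command, completion code) plus the 16-byte event record, so spell that out in a #define or in the comment. The check also rejects responses longer than 19 bytes, not only the empty ones the comment describes; if a BMC pads its reply, its events will now be dropped silently on the "probably done" path, so `< 19` may be the safer test unless extra bytes really are unacceptable. Finally, nothing is logged for a wrong-length reply; a rate-limited debug print with the observed rsp_size would make the next BMC of this kind much easier to triage.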



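How the two ipmi changes above (the 10-in-a-row cap from 002/270 and the 19-byte response check from 003/270) behave together, as an added user-space model rather than driver code: the BMC is simulated, the event record bytes are constructed, and everything except the IPMI constants (APP netfn 0x06, Read Event Message Buffer 0x35, completion code 0x80 for "no data") and the two numbers taken from the patches is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPMI_NETFN_APP_REQUEST		0x06
#define IPMI_NETFN_APP_RESPONSE		(IPMI_NETFN_APP_REQUEST | 1)
#define IPMI_READ_EVENT_MSG_BUFFER_CMD	0x35
#define IPMI_CC_NO_DATA			0x80	/* buffer empty, per the spec */
#define EVENT_RSP_SIZE			19	/* netfn/lun, cmd, cc + 16-byte record */
#define MAX_REQUESTS_IN_A_ROW		10	/* the cap from patch 002 */

enum bmc_kind { BMC_GOOD, BMC_NEVER_DONE, BMC_EMPTY_SUCCESS };

/* Simulated BMC: constructed for this example. */
struct bmc_sim {
	enum bmc_kind kind;
	int events_left;	/* ignored for BMC_NEVER_DONE */
	int reads;
};

/* Simulated Read Event Message Buffer response; returns bytes written. */
static size_t bmc_read_event(struct bmc_sim *bmc, uint8_t *rsp)
{
	int have_data = bmc->kind == BMC_NEVER_DONE || bmc->events_left > 0;

	bmc->reads++;
	rsp[0] = IPMI_NETFN_APP_RESPONSE << 2;	/* netfn in the top 6 bits, LUN 0 */
	rsp[1] = IPMI_READ_EVENT_MSG_BUFFER_CMD;
	if (!have_data) {
		/* A compliant BMC says 0x80; the BMC patch 003 describes
		 * says "success" and sends no record at all. */
		rsp[2] = bmc->kind == BMC_EMPTY_SUCCESS ? 0 : IPMI_CC_NO_DATA;
		return 3;
	}
	rsp[2] = 0;
	memset(rsp + 3, 0, 16);			/* constructed, empty record body */
	rsp[3] = (uint8_t)bmc->reads;		/* pretend record ID */
	if (bmc->kind != BMC_NEVER_DONE)
		bmc->events_left--;
	return EVENT_RSP_SIZE;
}

enum stop_reason { STOP_EMPTY, STOP_BAD_RSP, STOP_LIMIT };

struct fetch_result {
	int delivered;
	enum stop_reason why;
};

/* Validate the response before anything looks at the record (patch 003). */
static int event_rsp_ok(const uint8_t *rsp, size_t n)
{
	if (n < 3 || (rsp[0] >> 2) != IPMI_NETFN_APP_RESPONSE ||
	    rsp[1] != IPMI_READ_EVENT_MSG_BUFFER_CMD)
		return 0;
	return rsp[2] == 0 && n == EVENT_RSP_SIZE;
}

/* Drain events, but never more than the cap in a row (patch 002). */
struct fetch_result fetch_events(struct bmc_sim *bmc)
{
	struct fetch_result r = { 0, STOP_EMPTY };
	unsigned int in_a_row = 0;
	uint8_t rsp[32];

	for (;;) {
		size_t n = bmc_read_event(bmc, rsp);

		if (!event_rsp_ok(rsp, n)) {
			/* 0x80 is the normal "buffer empty"; a bad length or
			 * any other error also ends the fetch. */
			r.why = (n >= 3 && rsp[2] == IPMI_CC_NO_DATA) ?
				STOP_EMPTY : STOP_BAD_RSP;
			return r;
		}
		r.delivered++;
		/* Same comparison as the patch: the eleventh fetch trips it. */
		if (++in_a_row > MAX_REQUESTS_IN_A_ROW) {
			r.why = STOP_LIMIT;
			return r;
		}
	}
}

/* One call per scenario. */
int delivered_from(enum bmc_kind kind, int events)
{
	struct bmc_sim bmc = { kind, events, 0 };

	return fetch_events(&bmc).delivered;
}

int stop_reason_from(enum bmc_kind kind, int events)
{
	struct bmc_sim bmc = { kind, events, 0 };

	return fetch_events(&bmc).why;
}

int main(void)
{
	printf("good BMC, 3 events: delivered %d\n", delivered_from(BMC_GOOD, 3));
	printf("BMC that never says done: delivered %d, then stopped\n",
	       delivered_from(BMC_NEVER_DONE, 0));
	printf("BMC answering success with no record: delivered %d\n",
	       delivered_from(BMC_EMPTY_SUCCESS, 2));
	return 0;
}
```

The loop keeps the patch's `> 10` comparison on purpose, so a BMC that never reports an empty buffer yields eleven deliveries per pass before the cap stops it; a compliant BMC with three events ends on 0x80, and the "success but no record" BMC has its empty reply rejected by the length check before any record bytes are touched.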

* [PATCH 6.18 004/270] ipmi:si: Return state to normal if message allocation fails
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2026-05-12 17:36 ` [PATCH 6.18 003/270] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 005/270] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
                   ` (270 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 09dd798270ff582d7309f285d4aaf5dbebae01cb upstream.

There were places where nothing would get started if a message
allocation failed, so the driver needs to return to normal state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si_intf.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -498,15 +498,19 @@ retry:
 	} else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) {
 		/* Messages available. */
 		smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
-		if (!smi_info->curr_msg)
+		if (!smi_info->curr_msg) {
+			smi_info->si_state = SI_NORMAL;
 			return;
+		}
 
 		start_getting_msg_queue(smi_info);
 	} else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) {
 		/* Events available. */
 		smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
-		if (!smi_info->curr_msg)
+		if (!smi_info->curr_msg) {
+			smi_info->si_state = SI_NORMAL;
 			return;
+		}
 
 		start_getting_events(smi_info);
 	} else if (smi_info->msg_flags & OEM_DATA_AVAIL &&
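Review bot: restoring SI_NORMAL on allocation failure is right, but msg_flags keeps RECEIVE_MSG_AVAIL or EVENT_MSG_BUFFER_FULL set, so the next pass through this function will presumably retry the allocation; that is the behaviour you want (the BMC still holds the data), but each early return deserves a comment saying the flag is deliberately left set. The two new blocks are identical, and the OEM_DATA_AVAIL branch that starts on the last line of the hunk is not shown; please confirm its allocation path, if it has one, gets the same reset.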




* [PATCH 6.18 005/270] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2026-05-12 17:36 ` [PATCH 6.18 004/270] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 006/270] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rajat Gupta, Helge Deller

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rajat Gupta <rajgupt@qti.qualcomm.com>

commit 8de779dc40d35d39fa07387b6f921eb11df0f511 upstream.

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages
to userspace but sets no vm_ops on the VMA. This means the kernel cannot
track active mmaps. When dlfb_realloc_framebuffer() replaces the backing
buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.
On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages
while userspace PTEs still reference them, resulting in a use-after-free:
the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an
atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),
check mmap_count and return -EBUSY if the buffer is currently mapped,
preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

Signed-off-by: Rajat Gupta <rajgupt@qti.qualcomm.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   31 ++++++++++++++++++++++++++++++-
 include/video/udlfb.h       |    1 +
 2 files changed, 31 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -321,12 +321,32 @@ static int dlfb_set_video_mode(struct dl
 	return retval;
 }
 
+static void dlfb_vm_open(struct vm_area_struct *vma)
+{
+	struct dlfb_data *dlfb = vma->vm_private_data;
+
+	atomic_inc(&dlfb->mmap_count);
+}
+
+static void dlfb_vm_close(struct vm_area_struct *vma)
+{
+	struct dlfb_data *dlfb = vma->vm_private_data;
+
+	atomic_dec(&dlfb->mmap_count);
+}
+
+static const struct vm_operations_struct dlfb_vm_ops = {
+	.open  = dlfb_vm_open,
+	.close = dlfb_vm_close,
+};
+
 static int dlfb_ops_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
 	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
 	unsigned long page, pos;
+	struct dlfb_data *dlfb = info->par;
 
 	if (info->fbdefio)
 		return fb_deferred_io_mmap(info, vma);
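Review bot: the early `if (info->fbdefio) return fb_deferred_io_mmap(info, vma);` at the top of dlfb_ops_mmap() bypasses the new accounting entirely, so with deferred I/O enabled mmap_count stays at zero and dlfb_realloc_framebuffer() will still replace the buffer under a live mapping. If fb_deferred_io_mmap() installs vm_ops that already make that safe, say so in the commit message; otherwise that path needs the same open/close tracking.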
@@ -358,6 +378,9 @@ static int dlfb_ops_mmap(struct fb_info
 			size = 0;
 	}
 
+	vma->vm_ops = &dlfb_vm_ops;
+	vma->vm_private_data = dlfb;
+	atomic_inc(&dlfb->mmap_count);
 	return 0;
 }
 
@@ -1176,7 +1199,6 @@ static void dlfb_deferred_vfree(struct d
 
 /*
  * Assumes &info->lock held by caller
- * Assumes no active clients have framebuffer open
  */
 static int dlfb_realloc_framebuffer(struct dlfb_data *dlfb, struct fb_info *info, u32 new_len)
 {
@@ -1188,6 +1210,13 @@ static int dlfb_realloc_framebuffer(stru
 	new_len = PAGE_ALIGN(new_len);
 
 	if (new_len > old_len) {
+		if (atomic_read(&dlfb->mmap_count) > 0) {
+			dev_warn(info->dev,
+				"refusing realloc: %d active mmaps\n",
+				atomic_read(&dlfb->mmap_count));
+			return -EBUSY;
+		}
+
 		/*
 		 * Alloc system memory for virtual framebuffer
 		 */
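Review bot: mmap_count is read twice, once for the comparison and once inside dev_warn(), so the logged count can differ from the value that triggered the refusal; read it into a local once and use that in both places. If this realloc is reachable from user-driven mode changes, dev_warn_ratelimited() (or dev_dbg()) would also keep a process that repeatedly requests a larger mode while holding a mapping from filling the log.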
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -56,6 +56,7 @@ struct dlfb_data {
 	spinlock_t damage_lock;
 	struct work_struct damage_work;
 	struct fb_ops ops;
+	atomic_t mmap_count;
 	/* blit-only rendering path metrics, exposed through sysfs */
 	atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
 	atomic_t bytes_identical; /* saved effort with backbuffer comparison */
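Review bot: the new `atomic_t mmap_count;` carries no comment although its neighbours in this struct do; something like `/* live VMAs of the framebuffer; realloc refuses while non-zero */` would help. It also needs to be initialised (an atomic_set() in the allocation path, or an explicit note that the zeroed allocation is relied upon), since the -EBUSY check compares it against 0 from the first mmap onward.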




* [PATCH 6.18 006/270] ACPI: scan: Use acpi_dev_put() in object add error paths
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Rafael J. Wysocki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 9c0acc169ac71535477caedea8315f7041c5f07c upstream.

After acpi_init_device_object(), the lifetime of struct acpi_device is
managed by the driver core through reference counting.

Both acpi_add_power_resource() and acpi_add_single_object() call
acpi_init_device_object() and then invoke acpi_device_add(). If that
fails, their error paths call the release callback directly instead of
dropping the device reference through acpi_dev_put().

This bypasses the normal device lifetime rules and frees the object
without releasing the reference acquired by device_initialize(), which
may lead to a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix both error paths by using acpi_dev_put() and let the release
callback handle the final cleanup.

Fixes: 781d737c7466 ("ACPI: Drop power resources driver")
Fixes: 718fb0de8ff88 ("ACPI: fix NULL bug for HID/UID string")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260413135343.2884481-1-lgs201920130244@gmail.com
Signed-off-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/power.c |    2 +-
 drivers/acpi/scan.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/acpi/power.c
+++ b/drivers/acpi/power.c
@@ -991,7 +991,7 @@ struct acpi_device *acpi_add_power_resou
 	return device;
 
  err:
-	acpi_release_power_resource(&device->dev);
+	acpi_dev_put(device);
 	return NULL;
 }
 
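Review bot: `acpi_dev_put(device)` is a put_device() on the embedded struct device, so it only drops the last reference and reaches the release callback if every jump to `err:` happens after acpi_init_device_object() has run device_initialize(); worth confirming there is no earlier `goto err` in acpi_add_power_resource(), since a put on an uninitialised kobject would introduce a new bug rather than fix the leak.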
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -1910,7 +1910,7 @@ static int acpi_add_single_object(struct
 		result = acpi_device_add(device);
 
 	if (result) {
-		acpi_device_release(&device->dev);
+		acpi_dev_put(device);
 		return result;
 	}
 
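Review bot: same lifetime consideration as in power.c: this error path now relies on `acpi_dev_put(device)` dropping the reference taken by device_initialize(). A one-line comment above the put saying that a failed acpi_device_add() leaves that initial reference to be released here would save the next reader from re-deriving why the direct acpi_device_release() call was wrong.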




* [PATCH 6.18 007/270] ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jan Schär, Hans de Goede,
	Rafael J. Wysocki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Schär <jan@jschaer.ch>

commit ad7997f5a01af6f711fe6b6a2df578b964109d49 upstream.

The Dell OptiPlex 7770 AIO needs the same quirk as the 7760 AIO. The
backlight can be controlled with the native controller, intel_backlight,
but not with dell_uart_backlight.

I dumped the DSDT using acpidump, acpixtract and iasl, and confirmed
that it contains the DELL0501 device. When loading the
dell_uart_backlight driver with `rmmod dell_uart_backlight`, `modprobe
dell_uart_backlight dyndbg`, it reports "Firmware version: GL_Re_V18".

Fixes: cd8e468efb4f ("ACPI: video: Add Dell UART backlight controller detection")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Jan Schär <jan@jschaer.ch>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260411092606.47925-1-jan@jschaer.ch
Signed-off-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/video_detect.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -878,6 +878,14 @@ static const struct dmi_system_id video_
 		DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 7760 AIO"),
 		},
 	},
+	{
+	 .callback = video_detect_force_native,
+	 /* Dell OptiPlex 7770 AIO */
+	 .matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+		DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 7770 AIO"),
+		},
+	},
 
 	/*
 	 * Models which have nvidia-ec-wmi support, but should not use it.
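Review bot: DMI_MATCH() is a substring match, so `DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 7770 AIO")` also fires on any product string that merely contains that text; if the intent is this exact model only, as the changelog reads, DMI_EXACT_MATCH() is the safer choice. The entry otherwise mirrors the 7760 AIO entry directly above it, which is good for consistency.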




* [PATCH 6.18 008/270] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sean Kelley, Jinjie Ruan,
	Rafael J. Wysocki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jinjie Ruan <ruanjinjie@huawei.com>

commit 75141a770f4f8225d316f6c7e146723a32e9720e upstream.

When concurrently bringing up and down two SMT threads of a physical
core, many warning call traces occur as below:

The issue timeline is as follows:

 1. When the system starts,
    cpufreq: CPU: 220, policy->related_cpus: 220-221, policy->cpus: 220-221

 2. Offline CPU 220 and CPU 221.

 3. Online CPU 220
    - CPU 221 is now offline; as acpi_get_psd_map() uses
      for_each_online_cpu(), cpu_data->shared_cpu_map,
      policy->cpus, and related_cpus contain only CPU 220.

    cpufreq: CPU: 220, policy->related_cpus: 220, policy->cpus: 220

 4. Offline CPU 220

 5. Online CPU 221, the below call trace occurs:
    - Since CPU 220 and CPU 221 share one policy and
      policy->related_cpus = 220 after step 3, CPU 221
      is not in policy->related_cpus but
      per_cpu(cpufreq_cpu_data, cpu221) is not NULL.

After reverting commit 56eb0c0ed345 ("ACPI: CPPC: Fix remaining
for_each_possible_cpu() to use online CPUs"), the issue disappeared.

The _PSD (P-State Dependency) defines the hardware-level dependency of
frequency control across CPU cores. Since this relationship is a physical
attribute of the hardware topology, it remains constant regardless of the
online or offline status of the CPUs.

Using for_each_online_cpu() in acpi_get_psd_map() is problematic. If a
CPU is offline, it will be excluded from the shared_cpu_map.
Consequently, if that CPU is brought online later, the kernel will fail
to recognize it as part of any shared frequency domain.

Switch back to for_each_possible_cpu() to ensure that all cores defined
in the ACPI tables are correctly mapped into their respective performance
domains from the start. This aligns with the logic of policy->related_cpus,
which must encompass all potentially available cores in the domain to
prevent logic gaps during CPU hotplug operations.

As for the original issue regarding the "nosmt" or "nosmt=force"
boot parameter: the send_pcc_cmd() function already does
if (!desc) continue, so reverting that loop back to
for_each_possible_cpu() is OK; only the match_cpc_ptr NULL case in
acpi_get_psd_map() needs to be changed to continue, as Sean suggested.

How to reproduce, on an arm64 machine with SMT support that uses the
acpi cppc cpufreq driver:

	bash test.sh 220 & bash test.sh 221 &

	The test.sh is as below:
		while true
		do
			echo 0 > /sys/devices/system/cpu/cpu${1}/online
			sleep 0.5
			cat /sys/devices/system/cpu/cpu${1}/cpufreq/related_cpus
			echo 1 > /sys/devices/system/cpu/cpu${1}/online
			cat /sys/devices/system/cpu/cpu${1}/cpufreq/related_cpus
		done

	CPU: 221 PID: 1119 Comm: cpuhp/221 Kdump: loaded Not tainted 6.6.0debug+ #5
	Hardware name: To be filled by O.E.M. S920X20/BC83AMDA01-7270Z, BIOS 20.39 09/04/2024
	pstate: a1400009 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
	pc : cpufreq_online+0x8ac/0xa90
	lr : cpuhp_cpufreq_online+0x18/0x30
	sp : ffff80008739bce0
	x29: ffff80008739bce0 x28: 0000000000000000 x27: ffff28400ca32200
	x26: 0000000000000000 x25: 0000000000000003 x24: ffffd483503ff000
	x23: ffffd483504051a0 x22: ffffd48350024a00 x21: 00000000000000dd
	x20: 000000000000001d x19: ffff28400ca32000 x18: 0000000000000000
	x17: 0000000000000020 x16: ffffd4834e6a3fc8 x15: 0000000000000020
	x14: 0000000000000008 x13: 0000000000000001 x12: 00000000ffffffff
	x11: 0000000000000040 x10: ffffd48350430728 x9 : ffffd4834f087c78
	x8 : 0000000000000001 x7 : ffff2840092bdf00 x6 : ffffd483504264f0
	x5 : ffffd48350405000 x4 : ffff283f7f95cc60 x3 : 0000000000000000
	x2 : ffff53bc2f94b000 x1 : 00000000000000dd x0 : 0000000000000000
	Call trace:
	 cpufreq_online+0x8ac/0xa90
	 cpuhp_cpufreq_online+0x18/0x30
	 cpuhp_invoke_callback+0x128/0x580
	 cpuhp_thread_fun+0x110/0x1b0
	 smpboot_thread_fn+0x140/0x190
	 kthread+0xec/0x100
	 ret_from_fork+0x10/0x20
	---[ end trace 0000000000000000 ]---

Cc: All applicable <stable@vger.kernel.org>
Fixes: 56eb0c0ed345 ("ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs")
Co-developed-by: Sean Kelley <skelley@nvidia.com>
Signed-off-by: Sean Kelley <skelley@nvidia.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20260417040112.3727756-1-ruanjinjie@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/cppc_acpi.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -362,7 +362,7 @@ static int send_pcc_cmd(int pcc_ss_id, u
 end:
 	if (cmd == CMD_WRITE) {
 		if (unlikely(ret)) {
-			for_each_online_cpu(i) {
+			for_each_possible_cpu(i) {
 				struct cpc_desc *desc = per_cpu(cpc_desc_ptr, i);
 
 				if (!desc)
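Review bot: switching to for_each_possible_cpu() here means the loop now visits CPUs that may never have had a CPC descriptor; the `if (!desc)` guard in the visible context covers that, but a short comment saying the NULL case is expected (nosmt, never-onlined CPUs) rather than an error would make the intent explicit to the next person who sees an online-to-possible change in a PCC write path.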
@@ -524,13 +524,13 @@ int acpi_get_psd_map(unsigned int cpu, s
 	else if (pdomain->coord_type == DOMAIN_COORD_TYPE_SW_ANY)
 		cpu_data->shared_type = CPUFREQ_SHARED_TYPE_ANY;
 
-	for_each_online_cpu(i) {
+	for_each_possible_cpu(i) {
 		if (i == cpu)
 			continue;
 
 		match_cpc_ptr = per_cpu(cpc_desc_ptr, i);
 		if (!match_cpc_ptr)
-			goto err_fault;
+			continue;
 
 		match_pdomain = &(match_cpc_ptr->domain_info);
 		if (match_pdomain->domain != pdomain->domain)
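Review bot: turning `goto err_fault` into `continue` changes a hard failure into silent tolerance: a CPU whose CPC descriptor was not parsed for some reason other than nosmt is now quietly left out of the shared-domain map instead of failing acpi_get_psd_map(). That is the intended behaviour per the changelog, but it deserves a comment at the `continue`, and ideally a pr_debug() naming the CPU, so an unexpectedly missing descriptor remains diagnosable.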




* [PATCH 6.18 009/270] ACPI: video: force native backlight on HP OMEN 16 (8A44)
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shivam Kalra, Rafael J. Wysocki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shivam Kalra <shivamkalra98@zohomail.in>

commit 4b506ea5351a1f5937ac632a4a5c35f6f796cc41 upstream.

The HP OMEN 16 Gaming Laptop (board name 8A44) has a mux-less hybrid
GPU configuration with AMD Rembrandt (Radeon 680M) and NVIDIA GA104
(RTX 3070 Ti). The internal eDP panel is wired to the AMD iGPU.

When Nouveau loads without GSP firmware, the ACPI video backlight
device (acpi_video0) gets registered alongside the native AMD
backlight (amdgpu_bl2). In this state, writes to amdgpu_bl2 update
the software brightness value but fail to change the physical panel
brightness.

Force native backlight to prevent acpi_video0 from registering.
Confirmed that booting with acpi_backlight=native resolves the
issue.

Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Shivam Kalra <shivamkalra98@zohomail.in>
Link: https://patch.msgid.link/20260426-omen-16-backlight-fix-v1-1-62364f268ea6@zohomail.in
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/video_detect.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -907,6 +907,14 @@ static const struct dmi_system_id video_
 		DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 15 3535"),
 		},
 	},
+	{
+	 .callback = video_detect_force_native,
+	 /* HP OMEN Gaming Laptop 16-n0xxx */
+	 .matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+		DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16-n0xxx"),
+		},
+	},
 
 	/*
 	 * x86 android tablets which directly control the backlight through
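Review bot: the changelog identifies the machine by board name 8A44, but the entry keys on DMI_PRODUCT_NAME "OMEN by HP Gaming Laptop 16-n0xxx", which covers the whole 16-n0xxx family. If sibling SKUs ship a different GPU configuration, a `DMI_MATCH(DMI_BOARD_NAME, "8A44")` line (matching the identifier the changelog uses) would confine the native-backlight override to the configuration that was actually tested.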




* [PATCH 6.18 010/270] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
	David Carlier, Steven Rostedt (Google)

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit fad217e16fded7f3c09f8637b0f6a224d58b5f2e upstream.

When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()
invokes the subsystem's ext->regfunc() before attempting to install the
new probe via func_add(). If func_add() then fails (for example, when
allocate_probes() cannot allocate a new probe array under memory pressure
and returns -ENOMEM), the function returns the error without calling the
matching ext->unregfunc(), leaving the side effects of regfunc() behind
with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscall_regfunc()
bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.
After a leaked failure, the refcount is stuck at a non-zero value with no
consumer, and every task continues paying the syscall trace entry/exit
overhead until reboot. Other subsystems providing regfunc()/unregfunc()
pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the
func_add() error path, gated on the same condition used there so the
unwind is symmetric with the registration.

Fixes: 8cf868affdc4 ("tracing: Have the reg function allow to fail")
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260413190601.21993-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/tracepoint.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -291,6 +291,8 @@ static int tracepoint_add_func(struct tr
 			lockdep_is_held(&tracepoints_mutex));
 	old = func_add(&tp_funcs, func, prio);
 	if (IS_ERR(old)) {
+		if (tp->ext && tp->ext->unregfunc && !static_key_enabled(&tp->key))
+			tp->ext->unregfunc();
 		WARN_ON_ONCE(warn && PTR_ERR(old) != -ENOMEM);
 		return PTR_ERR(old);
 	}
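Review bot: the unwind condition `tp->ext && tp->ext->unregfunc && !static_key_enabled(&tp->key)` mirrors the 0 -> 1 registration gate, but why it is correct (the key is flipped on only after a successful install, so `!static_key_enabled` at this point means regfunc() really ran just above) is not obvious from these two lines; a brief comment would help. It is also worth checking that every regfunc()/unregfunc() pair tolerates an unreg immediately after a reg with no probe installed in between.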




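An added model of the register/unwind pattern the changelog above describes, written for this page rather than taken from kernel/tracepoint.c: `regfunc`/`unregfunc` keep a refcount the way syscall_regfunc() does, `func_add` can be made to fail with an injected -ENOMEM, and the `unwind` flag switches between the leaky and the fixed error path. All names, the `key_enabled` stand-in for the static key and the `fail_next_alloc` flag are constructed for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*probe_fn)(void);

struct tracepoint {
	probe_fn *funcs;         /* NULL-terminated probe array */
	size_t nr_funcs;
	bool key_enabled;        /* stands in for the static key */
	int (*regfunc)(void);
	void (*unregfunc)(void);
};

/* Model of syscall_regfunc()/syscall_unregfunc(): a refcount every task pays for. */
static int sys_tracepoint_refcount;
static int model_regfunc(void) { sys_tracepoint_refcount++; return 0; }
static void model_unregfunc(void) { sys_tracepoint_refcount--; }

/* Fault injection (constructed): the next probe-array allocation reports -ENOMEM. */
static bool fail_next_alloc;

static int func_add(struct tracepoint *tp, probe_fn fn)
{
	probe_fn *n;

	if (fail_next_alloc) {
		fail_next_alloc = false;
		return -ENOMEM;
	}
	n = realloc(tp->funcs, (tp->nr_funcs + 2) * sizeof(*n));
	if (!n)
		return -ENOMEM;
	n[tp->nr_funcs++] = fn;
	n[tp->nr_funcs] = NULL;
	tp->funcs = n;
	return 0;
}

static int add_func(struct tracepoint *tp, probe_fn fn, bool unwind)
{
	int ret;

	/* 0 -> 1 transition: the subsystem hook runs before the probe is installed. */
	if (tp->regfunc && !tp->key_enabled) {
		ret = tp->regfunc();
		if (ret)
			return ret;
	}
	ret = func_add(tp, fn);
	if (ret) {
		/* The fix: undo regfunc() under the same condition that triggered it. */
		if (unwind && tp->unregfunc && !tp->key_enabled)
			tp->unregfunc();
		return ret;
	}
	tp->key_enabled = true;  /* the key is enabled only after a successful install */
	return 0;
}

static void probe(void) {}

/* Refcount left behind after one registration that fails inside func_add(). */
int leftover_refcount_after_failed_add(bool unwind)
{
	struct tracepoint tp = { .regfunc = model_regfunc, .unregfunc = model_unregfunc };
	int rc;

	sys_tracepoint_refcount = 0;
	fail_next_alloc = true;
	rc = add_func(&tp, probe, unwind);
	free(tp.funcs);
	return rc == -ENOMEM ? sys_tracepoint_refcount : -1;
}

/* Successful registrations: the hook runs once, for the 0 -> 1 transition only. */
int refcount_after_successful_adds(int count)
{
	struct tracepoint tp = { .regfunc = model_regfunc, .unregfunc = model_unregfunc };

	sys_tracepoint_refcount = 0;
	for (int i = 0; i < count; i++)
		if (add_func(&tp, probe, true))
			return -1;
	free(tp.funcs);
	return sys_tracepoint_refcount;
}

int main(void)
{
	printf("leaky path leaves refcount %d\n", leftover_refcount_after_failed_add(false));
	printf("fixed path leaves refcount %d\n", leftover_refcount_after_failed_add(true));
	return 0;
}
```

The gate `!tp->key_enabled` is what makes the unwind safe to place in the error path unconditionally: it is false exactly when regfunc() was skipped, so a failure on a 1 -> 2 transition never calls unregfunc() for a registration that is still live.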
* [PATCH 6.18 011/270] iommufd: Fix a race with concurrent allocation and unmap
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sina Hassani, Kevin Tian,
	Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sina Hassani <sina@openai.com>

commit 8602018b1f17fbdaa5e5d79f4c8603ad20640c12 upstream.

iopt_unmap_iova_range() releases the lock on iova_rwsem inside the loop
body when getting to the more expensive unmap operations. This is fine on
its own, except the loop condition is based on the first area that matches
the unmap address range. If a concurrent call to map picks an area that
was unmapped in previous iterations, the loop mistakenly tries to unmap
it.

This is reproducible by having one userspace thread map buffers and pass
them to another thread that unmaps them. The problem manifests as EBUSY
errors with single page mappings.

Fix this by advancing the start pointer after unmapping an area. This
ensures each iteration only examines the IOVA range that remains mapped,
which is guaranteed not to have overlaps.

Cc: stable@vger.kernel.org
Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping")
Link: https://patch.msgid.link/r/CAAJpGJSR4r_ds1JOjmkqHtsBPyxu8GntoeW08Sk5RNQPmgi+tg@mail.gmail.com
Signed-off-by: Sina Hassani <sina@openai.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/iommufd/io_pagetable.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/iommu/iommufd/io_pagetable.c
+++ b/drivers/iommu/iommufd/io_pagetable.c
@@ -777,6 +777,16 @@ again:
 		unmapped_bytes += area_last - area_first + 1;
 
 		down_write(&iopt->iova_rwsem);
+
+		/*
+		 * After releasing the iova_rwsem concurrent allocation could
+		 * place new areas at IOVAs we have already unmapped. Keep
+		 * moving the start of the search forward to ignore the area
+		 * already unmapped.
+		 */
+		if (area_last >= last)
+			break;
+		start = area_last + 1;
 	}
 
 out_unlock_iova:
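Review bot: the `if (area_last >= last) break;` doubles as the overflow guard for `start = area_last + 1` (the increment only runs when area_last < last, so it cannot wrap at ULONG_MAX); that is subtle enough to deserve a sentence in the new comment block, otherwise a future cleanup could reorder the two statements and reintroduce an infinite loop at the top of the address space.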




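An added user-space model of the loop shape the changelog above describes (an illustration written for this page, not iommufd's code): a small table of "areas" stands in for the interval tree, a callback fired while the lock is "dropped" plays the concurrent mapper that reuses an IOVA freed in an earlier iteration, and the same loop is run with and without the start advance. The names `unmap_range`, `find_area` and `map_into_freed_hole`, the pinned-area rule that makes unmap fail with -EBUSY, and the three sample mappings are all constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_AREAS 8

/* One mapped IOVA range; pinned models an area a driver still uses,
 * which the (constructed) unmap step refuses with -EBUSY. */
struct area {
	unsigned long first, last;
	bool mapped;
	bool pinned;
};

struct iopt {
	struct area areas[MAX_AREAS];
	size_t n;
	bool mapper_fired;
	/* runs while the "lock" is dropped, after each area is unmapped */
	void (*concurrent_map)(struct iopt *iopt);
};

/* Lowest-IOVA mapped area overlapping [start, last], like an interval tree lookup. */
static struct area *find_area(struct iopt *iopt, unsigned long start, unsigned long last)
{
	struct area *best = NULL;

	for (size_t i = 0; i < iopt->n; i++) {
		struct area *a = &iopt->areas[i];

		if (!a->mapped || a->first > last || a->last < start)
			continue;
		if (!best || a->first < best->first)
			best = a;
	}
	return best;
}

static int unmap_area(struct area *a)
{
	if (a->pinned)
		return -EBUSY;
	a->mapped = false;
	return 0;
}

/* advance == false: every iteration searches from the caller's original start,
 * so an area the concurrent mapper placed at an already-released IOVA is picked
 * up and unmapped by mistake (the bug).  advance == true: the search window
 * shrinks past each handled area (the fix). */
static int unmap_range(struct iopt *iopt, unsigned long start, unsigned long last,
		       unsigned long *unmapped_bytes, bool advance)
{
	struct area *a;

	*unmapped_bytes = 0;
	while ((a = find_area(iopt, start, last)) != NULL) {
		unsigned long area_first = a->first, area_last = a->last;
		int rc;

		/* "up_write(iova_rwsem)": the expensive part runs unlocked */
		rc = unmap_area(a);
		if (rc)
			return rc;
		*unmapped_bytes += area_last - area_first + 1;
		if (iopt->concurrent_map)
			iopt->concurrent_map(iopt);
		/* "down_write(iova_rwsem)" */

		if (advance) {
			/* the break also keeps area_last + 1 from wrapping */
			if (area_last >= last)
				break;
			start = area_last + 1;
		}
	}
	return 0;
}

/* Constructed concurrent mapper: reuse the first freed page once, pinned. */
static void map_into_freed_hole(struct iopt *iopt)
{
	if (iopt->mapper_fired || iopt->n == MAX_AREAS)
		return;
	iopt->mapper_fired = true;
	iopt->areas[iopt->n++] = (struct area){ 0x1000, 0x1fff, true, true };
}

/* Three mapped pages at 0x1000..0x3fff; unmap the whole range. */
static int run_scenario(bool advance, unsigned long *bytes)
{
	struct iopt iopt = { .concurrent_map = map_into_freed_hole };

	iopt.areas[0] = (struct area){ 0x1000, 0x1fff, true, false };
	iopt.areas[1] = (struct area){ 0x2000, 0x2fff, true, false };
	iopt.areas[2] = (struct area){ 0x3000, 0x3fff, true, false };
	iopt.n = 3;
	return unmap_range(&iopt, 0x1000, 0x3fff, bytes, advance);
}

int scenario_rc(bool advance)
{
	unsigned long bytes;

	return run_scenario(advance, &bytes);
}

unsigned long scenario_bytes(bool advance)
{
	unsigned long bytes;

	run_scenario(advance, &bytes);
	return bytes;
}

int main(void)
{
	printf("original loop: rc=%d\n", scenario_rc(false));  /* -EBUSY */
	printf("fixed loop: rc=%d bytes=%lu\n", scenario_rc(true), scenario_bytes(true));
	return 0;
}
```

Without the advance, the second iteration re-finds IOVA 0x1000, now occupied by the mapper's pinned page, and fails with -EBUSY exactly as the changelog reports for single-page mappings; with the advance, the three original pages (0x3000 bytes) are unmapped and the new page is never touched.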
* [PATCH 6.18 012/270] ASoC: SOF: Dont allow pointer operations on unconfigured streams
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@kernel.org>

commit c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8 upstream.

When reporting the pointer for a compressed stream, we report the current
I/O frame position by dividing the position by the number of channels
multiplied by the number of container bytes. These values default to 0 and
are only configured as part of setting the stream parameters, so this allows
a divide by zero to be configured. Validate that they are non-zero,
returning an error if not.

Fixes: c1a731c71359 ("ASoC: SOF: compress: Add support for computing timestamps")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260326-asoc-compress-tstamp-params-v1-1-3dc735b3d599@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sof/compress.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/soc/sof/compress.c
+++ b/sound/soc/sof/compress.c
@@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_
 	if (!spcm)
 		return -EINVAL;
 
+	if (!sstream->channels || !sstream->sample_container_bytes)
+		return -EBUSY;
+
 	tstamp->sampling_rate = sstream->sampling_rate;
 	tstamp->copied_total = sstream->copied_total;
 	tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn,
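Review bot: -EBUSY for a stream whose parameters have not been set reads as "try again later" to callers, whereas the condition is really an invalid request before set_params; -EINVAL (matching the `!spcm` check just above) may be the more conventional choice, so a comment on why -EBUSY was picked would help. The check itself is sufficient for the division in the visible context, since both factors of the divisor are now guaranteed non-zero.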




* [PATCH 6.18 013/270] wifi: mt76: mt7925: fix incorrect TLV length in CLC command
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Sean Wang, Felix Fietkau

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quan Zhou <quan.zhou@mediatek.com>

commit 62e037aa8cf5a69b7ea63336705a35c897b9db2b upstream.

The previous implementation of __mt7925_mcu_set_clc() set the TLV length
field (.len) incorrectly during CLC command construction. The length was
initialized as sizeof(req) - 4, regardless of the actual segment length.
This could cause the WiFi firmware to misinterpret the command payload,
resulting in command execution errors.

This patch moves the TLV length assignment to after the segment is
selected, and sets .len to sizeof(req) + seg->len - 4, matching the
actual command content. This ensures the firmware receives the
correct TLV length and parses the command properly.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Cc: stable@vger.kernel.org
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Acked-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/f56ae0e705774dfa8aab3b99e5bbdc92cd93523e.1772011204.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -3324,7 +3324,6 @@ __mt7925_mcu_set_clc(struct mt792x_dev *
 		u8 rsvd[64];
 	} __packed req = {
 		.tag = cpu_to_le16(0x3),
-		.len = cpu_to_le16(sizeof(req) - 4),
 
 		.idx = idx,
 		.env = env_cap,
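Review bot: removing the `.len` initializer leaves `req.len` at zero until the assignment added later in the function; worth confirming that no path sends `req` before the segment loop reaches that assignment, since the old initializer, however wrong its value, guaranteed a non-zero TLV length everywhere.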
@@ -3353,6 +3352,7 @@ __mt7925_mcu_set_clc(struct mt792x_dev *
 		memcpy(req.type, rule->type, 2);
 
 		req.size = cpu_to_le16(seg->len);
+		req.len = cpu_to_le16(sizeof(req) + seg->len - 4);
 		dev->phy.clc_chan_conf = clc->ver == 1 ? 0xff : rule->flag;
 		skb = __mt76_mcu_msg_alloc(&dev->mt76, &req,
 					   le16_to_cpu(req.size) + sizeof(req),
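Review bot: `sizeof(req) + seg->len - 4` takes `seg->len` from the CLC data rather than a constant, and the sum is truncated by cpu_to_le16() while the matching allocation two lines below uses `le16_to_cpu(req.size) + sizeof(req)`; a bounds check on seg->len (or an error return when the sum exceeds U16_MAX) would keep a malformed CLC blob from producing a TLV length that disagrees with the allocated payload. The literal 4 for the tag/len header would also read better as a named constant.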




* [PATCH 6.18 014/270] spi: rockchip: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, addy ke, Johan Hovold, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 53e7a16070feb7d1d4d81a583eaac5e25048b9c3 upstream.

Make sure to deregister the controller before freeing underlying
resources like DMA channels during driver unbind.

Fixes: 64e36824b32b ("spi/rockchip: add driver for Rockchip RK3xxx SoCs integrated SPI")
Cc: stable@vger.kernel.org	# 3.17
Cc: addy ke <addy.ke@rock-chips.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260324082326.901043-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-rockchip.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -909,7 +909,7 @@ static int rockchip_spi_probe(struct pla
 		break;
 	}
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "Failed to register controller\n");
 		goto err_free_dma_rx;
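Review bot: replacing devm_spi_register_controller() with spi_register_controller() means any probe failure after this point must now unregister explicitly. The visible `goto err_free_dma_rx` fires before registration succeeds, so it is fine, but any later error label in probe (not shown in this hunk) needs a spi_unregister_controller() added, or a failed probe will leave a registered controller behind.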
@@ -937,6 +937,8 @@ static void rockchip_spi_remove(struct p
 
 	pm_runtime_get_sync(&pdev->dev);
 
+	spi_unregister_controller(ctlr);
+
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
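Review bot: placing spi_unregister_controller() ahead of pm_runtime_put_noidle()/pm_runtime_disable() keeps the device runtime-active while the SPI core tears down attached devices, which is the right order; a one-line comment saying the position relative to the runtime-PM calls and the DMA channel release further down is deliberate would stop a future cleanup from moving it back.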




* [PATCH 6.18 015/270] ksmbd: rewrite stop_sessions() with restartable iteration
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
	Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: DaeMyung Kang <charsyam@gmail.com>

commit c444139cb747bf6de1922b39900fdf02281490f4 upstream.

stop_sessions() walks conn_list with hash_for_each() and, for every
entry, drops conn_list_lock across the transport ->shutdown() call
before re-acquiring the read lock to continue the loop.  The hash
walk relies on cross-iteration state (the current bucket and the
hlist position), which is not preserved across unlock/relock: if
another thread performs a list mutation during the unlocked window,
the ongoing iteration becomes unreliable and can re-visit
connections that have already been handled or skip connections that
have not.  The outer `if (!hash_empty(conn_list)) goto again;` retry
masks the symptom in the common case but does not address the
unsafe iteration itself.

Reframe the loop so it never relies on iterator state across
unlock/relock.  Under conn_list_lock held for read, pick the first
connection whose ->shutdown() has not yet been issued by this path,
pin it by taking an extra reference, record that fact on the
connection and mark it EXITING while still inside the locked walk,
then drop the lock.  Then call ->shutdown() outside the lock, drop
the pin (freeing the connection if the handler already released its
reference), and restart from the top.

Use a new per-connection flag, conn->stop_called, as the "shutdown
issued from stop_sessions()" marker rather than reusing the status
state.  ksmbd_conn_set_exiting() is also invoked by
ksmbd_sessions_deregister() on sibling channels of a multichannel
session without issuing a transport shutdown, so treating
KSMBD_SESS_EXITING as "already handled here" would skip connections
that still need shutdown() to wake their handler out of recv(),
leaving the outer retry waiting indefinitely for the hash to drain.
stop_sessions() is serialised by init_lock in
ksmbd_conn_transport_destroy(), so writing stop_called under the
read lock has no other writer.

Set EXITING inside the locked walk so the selection, the stop_called
marker, and the status transition all happen together, and guard
against regressing a connection that has already advanced to
KSMBD_SESS_RELEASING on its own (for example, if the handler exited
its receive loop for an unrelated reason between teardown steps).

When the pin drop is the last put, release the transport and pair
ida_destroy(&target->async_ida) with the ida_init() done in
ksmbd_conn_alloc(), so stop_sessions() retiring a connection on its
own does not leak the xarray backing of the embedded async_ida.

The outer retry with msleep() is kept to wait for handler threads to
reach ksmbd_conn_free() and drain the hash.

Observed with an instrumented build that logs one line per visit and
widens the unlocked window before ->shutdown() by 200 ms, under
five concurrent cifs mounts (nosharesock, one connection each):

  * Current code: the same connection address is revisited many
    times during a single stop_sessions() call and ->shutdown() is
    invoked well beyond the number of live connections before the
    hash finally drains.

  * Rewritten code: each live connection produces exactly one
    ->shutdown() call; the function returns as soon as the hash is
    empty.

Functional teardown via `ksmbd.control --shutdown` with the same
five mounts completes cleanly on the rewritten path.

Performance is observably unchanged.  Tearing down N concurrent
nosharesock cifs connections with `ksmbd.control --shutdown` +
`rmmod ksmbd` takes essentially the same wall time before and after
the rewrite:

    N        before        after
    10       4.93s         5.34s
    30       7.34s         7.03s
    50       7.31s         7.01s     (3-run avg: 7.04s vs 7.25s)
   100       6.98s         6.78s
   200       6.77s         6.89s

and the number of ->shutdown() calls equals the number of live
connections on both paths when the race is not widened.  The
teardown is dominated by the msleep(100)-based outer retry waiting
for handler threads to run ksmbd_conn_free(), not by the iteration
itself; the restartable loop's worst-case O(N^2) visit cost is in
the microseconds even at N=200 and sits far below the msleep(100)
granularity.

Applied alone on top of ksmbd-for-next-next, this patch does not
introduce a new leak site.  Under the same reproducer (10x
concurrent-holders + ss -K + ksmbd.control --shutdown + rmmod), the
tree still shows the pre-existing per-connection transport leak
count that arises when the last refcount drop lands in one of
ksmbd_conn_r_count_dec(), __free_opinfo() or session_fd_check() -
all of which end with a bare kfree() today.  kmemleak backtraces
for the unreferenced objects point into the TCP accept path
(sk_clone -> inet_csk_clone_lock, sock_alloc_inode) and none
involve stop_sessions().  Plugging those bare-kfree sites is the
responsibility of the follow-up patch.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/connection.c |   46 +++++++++++++++++++++++++++++++++++++--------
 fs/smb/server/connection.h |    1 
 2 files changed, 39 insertions(+), 8 deletions(-)

--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -476,24 +476,54 @@ out:
 
 static void stop_sessions(void)
 {
-	struct ksmbd_conn *conn;
+	struct ksmbd_conn *conn, *target;
 	struct ksmbd_transport *t;
+	bool any;
 	int bkt;
 
+	/*
+	 * Serialised via init_lock; no concurrent stop_sessions() can
+	 * touch conn->stop_called, so writing it under the read lock is
+	 * safe.
+	 */
 again:
+	target = NULL;
+	any = false;
 	down_read(&conn_list_lock);
 	hash_for_each(conn_list, bkt, conn, hlist) {
-		t = conn->transport;
-		ksmbd_conn_set_exiting(conn);
-		if (t->ops->shutdown) {
-			up_read(&conn_list_lock);
+		any = true;
+		if (conn->stop_called)
+			continue;
+		atomic_inc(&conn->refcnt);
+		conn->stop_called = true;
+		/*
+		 * Mark the connection EXITING while still holding the
+		 * read lock so the selection and the status transition
+		 * happen together.  Do not regress a connection that has
+		 * already advanced to RELEASING on its own (e.g. the
+		 * handler exited its receive loop for an unrelated
+		 * reason).
+		 */
+		if (READ_ONCE(conn->status) != KSMBD_SESS_RELEASING)
+			ksmbd_conn_set_exiting(conn);
+		target = conn;
+		break;
+	}
+	up_read(&conn_list_lock);
+
+	if (target) {
+		t = target->transport;
+		if (t->ops->shutdown)
 			t->ops->shutdown(t);
-			down_read(&conn_list_lock);
+		if (atomic_dec_and_test(&target->refcnt)) {
+			ida_destroy(&target->async_ida);
+			t->ops->free_transport(t);
+			kfree(target);
 		}
+		goto again;
 	}
-	up_read(&conn_list_lock);
 
-	if (!hash_empty(conn_list)) {
+	if (any) {
 		msleep(100);
 		goto again;
 	}
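Review bot: the last-put path `ida_destroy(&target->async_ida); t->ops->free_transport(t); kfree(target);` duplicates the release sequence that the commit message attributes to ksmbd_conn_free() on the handler side; moving those three calls into one helper used by both last-put sites would keep the ida_destroy() pairing in a single place, so a later change to one path cannot silently leave the other leaking again. Also, `READ_ONCE(conn->status) != KSMBD_SESS_RELEASING` followed by ksmbd_conn_set_exiting() is a two-step check-then-set: a handler that advances to RELEASING between the two would still be regressed to EXITING. If ksmbd_conn_set_exiting() does not itself refuse that transition, a comment explaining why the window is harmless (or a cmpxchg-style transition) would help the next reader.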
--- a/fs/smb/server/connection.h
+++ b/fs/smb/server/connection.h
@@ -48,6 +48,7 @@ struct ksmbd_conn {
 	struct mutex			srv_mutex;
 	int				status;
 	unsigned int			cli_cap;
+	bool				stop_called;
 	union {
 		__be32			inet_addr;
 #if IS_ENABLED(CONFIG_IPV6)
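Review bot: `bool stop_called;` is added without any comment stating its locking rule; the only description is the block comment inside stop_sessions() in connection.c (serialised by init_lock, written under the read side of conn_list_lock). A one-line comment at the field would keep that rule visible to anyone who later adds a second writer.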



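An added illustration of the iteration change described above (this is constructed example code, not part of the patch or of ksmbd): a fixed array stands in for conn_list, each modelled handler thread is assumed to need a given number of outer retry passes before it reaches ksmbd_conn_free(), and the current and restartable loop shapes are compared by how many ->shutdown() calls they issue. The names run_teardown, conn_model, teardown_stats and handler_delay are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CONN 64

/* Constructed model of one ksmbd connection as seen by stop_sessions(). */
struct conn_model {
	bool live;          /* still in conn_list (handler has not freed it yet) */
	bool stop_called;   /* the marker the patch adds */
	int  passes_left;   /* outer retries until the handler runs ksmbd_conn_free() */
	int  shutdowns;     /* ->shutdown() calls this connection received */
};

struct teardown_stats {
	int total_shutdowns;   /* sum over all connections */
	int max_per_conn;      /* worst case for a single connection */
	int passes;            /* msleep(100) rounds until the hash drained */
};

/*
 * Tear down n modelled connections whose handlers need handler_delay outer
 * passes before they release.  With restartable == false every pass issues
 * ->shutdown() again to each connection still in the hash (the revisit
 * behaviour the commit message observed); with restartable == true the
 * stop_called marker makes each connection receive exactly one call.
 */
static struct teardown_stats run_teardown(int n, int handler_delay, bool restartable)
{
	struct conn_model c[MAX_CONN];
	struct teardown_stats st = { 0, 0, 0 };

	if (n > MAX_CONN)
		n = MAX_CONN;
	for (int i = 0; i < n; i++)
		c[i] = (struct conn_model){ true, false, handler_delay, 0 };

	for (;;) {
		bool any = false;

		/* the locked walk: select work, skipping already-stopped entries */
		for (int i = 0; i < n; i++) {
			if (!c[i].live)
				continue;
			any = true;
			if (restartable && c[i].stop_called)
				continue;
			c[i].stop_called = true;
			c[i].shutdowns++;          /* models t->ops->shutdown(t) */
			st.total_shutdowns++;
			if (c[i].shutdowns > st.max_per_conn)
				st.max_per_conn = c[i].shutdowns;
		}
		if (!any)
			break;                     /* hash is empty */

		/* msleep(100): handler threads progress towards ksmbd_conn_free() */
		st.passes++;
		for (int i = 0; i < n; i++)
			if (c[i].live && c[i].stop_called && --c[i].passes_left <= 0)
				c[i].live = false;
	}
	return st;
}

int main(void)
{
	struct teardown_stats before = run_teardown(5, 3, false);
	struct teardown_stats after  = run_teardown(5, 3, true);

	printf("current loop: %d ->shutdown() calls (max %d per connection) over %d passes\n",
	       before.total_shutdowns, before.max_per_conn, before.passes);
	printf("restartable:  %d ->shutdown() calls (max %d per connection) over %d passes\n",
	       after.total_shutdowns, after.max_per_conn, after.passes);
	return 0;
}
```

The pass count is the same for both shapes, which matches the commit message's observation that wall time is dominated by waiting for handler threads, not by the iteration.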

* [PATCH 6.18 016/270] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2026-05-12 17:36 ` [PATCH 6.18 015/270] ksmbd: rewrite stop_sessions() with restartable iteration Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 017/270] ceph: fix num_ops off-by-one when crypto allocation fails Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Bulekov, Fred Griffoul,
	Sean Christopherson, Paolo Bonzini, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 0cb2af2ea66ad8ff195c156ea690f11216285bdf upstream.

The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modified between VM entries (similar to commit
aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even
when creating an MMIO SPTE", 2026-03-27).  The flow is as follows:

- a PDE is installed for a 2MB mapping, and a page in that area is
  accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;
  the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because
  the guest's mapping is a huge page (and thus contiguous).

- the PDE mapping is changed from outside the guest.

- the guest accesses another page in the same 2MB area.  KVM installs
  a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN
  (i.e. based on the new mapping, as changed in the previous step) but
  that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore
  the rmap entry cannot be found and removed when the kvm_mmu_page
  is zapped.

- the memslot that covers the first 2MB mapping is deleted, and the
  kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()
  only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,
  and fails to find the rmap entry that was recorded by step 3.

- any operation that causes an rmap walk for the same page accessed
  by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.
  This includes dirty logging or MMU notifier invalidations (e.g., from
  MADV_DONTNEED).

The underlying issue is that KVM's walking of shadow PTEs assumes that
if a SPTE is present when KVM wants to install a non-leaf SPTE, then the
existing kvm_mmu_page must be for the correct gfn.  Because the only way
for the gfn to be wrong is if KVM messed up and failed to zap a SPTE...
which shouldn't happen, but *actually* only happens in response to a
guest write.

That bug dates back literally forever, as even the first version of KVM
assumes that the GFN matches and walks into the "wrong" shadow page.
However, that was only an imprecision until 2032a93d66fa ("KVM: MMU:
Don't allocate gfns page for direct mmu pages") came along.

Fix it by checking for a target gfn mismatch and zapping the existing
SPTE.  That way the old SP and rmap entries are gone, KVM installs
the rmap in the right location, and everyone is happy.

Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Fixes: 6aa8b732ca01 ("kvm: userspace interface")
Reported-by: Alexander Bulekov <bkov@amazon.com>
Reported-by: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://patch.msgid.link/20260503201029.106481-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/mmu/mmu.c | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index dad7abb1112b7..0bd0cb8992c9f 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -182,6 +182,8 @@ static struct kmem_cache *pte_list_desc_cache;
 struct kmem_cache *mmu_page_header_cache;
 
 static void mmu_spte_set(u64 *sptep, u64 spte);
+static int mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
+			    u64 *spte, struct list_head *invalid_list);
 
 struct kvm_mmu_role_regs {
 	const unsigned long cr0;
@@ -1287,19 +1289,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep)
 		rmap_remove(kvm, sptep);
 }
 
-static void drop_large_spte(struct kvm *kvm, u64 *sptep, bool flush)
-{
-	struct kvm_mmu_page *sp;
-
-	sp = sptep_to_sp(sptep);
-	WARN_ON_ONCE(sp->role.level == PG_LEVEL_4K);
-
-	drop_spte(kvm, sptep);
-
-	if (flush)
-		kvm_flush_remote_tlbs_sptep(kvm, sptep);
-}
-
 /*
  * Write-protect on the specified @sptep, @pt_protect indicates whether
  * spte write-protection is caused by protecting shadow page table.
@@ -2466,7 +2455,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
 {
 	union kvm_mmu_page_role role;
 
-	if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep))
+	if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep) &&
+	    spte_to_child_sp(*sptep) && spte_to_child_sp(*sptep)->gfn == gfn)
 		return ERR_PTR(-EEXIST);
 
 	role = kvm_mmu_child_role(sptep, direct, access);
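Review bot: spte_to_child_sp(*sptep) is evaluated twice in the new condition; a local `struct kvm_mmu_page *child = spte_to_child_sp(*sptep);` computed once after the present/large checks reads more clearly and avoids re-deriving the page from the SPTE. The NULL test before `->gfn` also guards a case the removed code never considered for a present, non-large SPTE; if it is meant to be defensive, a WARN_ON_ONCE would surface a violated assumption instead of silently allocating a fresh child page.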
@@ -2544,13 +2534,16 @@ static void __link_shadow_page(struct kvm *kvm,
 
 	BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
 
-	/*
-	 * If an SPTE is present already, it must be a leaf and therefore
-	 * a large one.  Drop it, and flush the TLB if needed, before
-	 * installing sp.
-	 */
-	if (is_shadow_present_pte(*sptep))
-		drop_large_spte(kvm, sptep, flush);
+	if (is_shadow_present_pte(*sptep)) {
+		struct kvm_mmu_page *parent_sp;
+		LIST_HEAD(invalid_list);
+
+		parent_sp = sptep_to_sp(sptep);
+		WARN_ON_ONCE(parent_sp->role.level == PG_LEVEL_4K);
+
+		mmu_page_zap_pte(kvm, parent_sp, sptep, &invalid_list);
+		kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, true);
+	}
 
 	spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
 
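Review bot: this hunk removes the only use of `flush` visible in __link_shadow_page(): drop_large_spte(kvm, sptep, flush) becomes kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, true), which always requests a remote flush. If `flush` is now unused, the parameter and its callers should be cleaned up in the same change, or the `true` should be `flush` if the caller's choice was meant to be preserved; as written it is unclear whether the unconditional flush is deliberate. The int returned by mmu_page_zap_pte() (see the forward declaration at the top of the diff) is also discarded here, which deserves a short comment if callers never need it.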
-- 
2.53.0





* [PATCH 6.18 017/270] ceph: fix num_ops off-by-one when crypto allocation fails
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2026-05-12 17:36 ` [PATCH 6.18 016/270] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:36 ` [PATCH 6.18 018/270] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sam Edwards, Viacheslav Dubeyko,
	Ilya Dryomov, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Edwards <cfsworks@gmail.com>

commit a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842 upstream.

move_dirty_folio_in_page_array() may fail if the file is encrypted, the
dirty folio is not the first in the batch, and it fails to allocate a
bounce buffer to hold the ciphertext. When that happens,
ceph_process_folio_batch() simply redirties the folio and flushes the
current batch -- it can retry that folio in a future batch.

However, if this failed folio is not contiguous with the last folio that
did make it into the batch, then ceph_process_folio_batch() has already
incremented `ceph_wbc->num_ops`; because it doesn't follow through and
add the discontiguous folio to the array, ceph_submit_write() -- which
expects that `ceph_wbc->num_ops` accurately reflects the number of
contiguous ranges (and therefore the required number of "write extent"
ops) in the writeback -- will panic the kernel:

    BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops);

This issue can be reproduced on affected kernels by writing to
fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat
pattern (total filesize should not matter) and gradually increasing the
system's memory pressure until a bounce buffer allocation fails.

Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct
value when move_dirty_folio_in_page_array() fails, but the folio already
started counting a new (i.e. still-empty) extent.

The defect corrected by this patch has existed since 2022 (see first
`Fixes:`), but another bug blocked multi-folio encrypted writeback until
recently (see second `Fixes:`). The second commit made it into 6.18.16,
6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch
therefore fixes a regression (panic) introduced by cac190c7674f.

Cc: stable@vger.kernel.org
Fixes: d55207717ded ("ceph: add encryption support to writepage and writepages")
Fixes: cac190c7674f ("ceph: fix write storm on fscrypted files")
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/addr.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
index 390f122feeaaf..3af6795cb3c15 100644
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -1373,6 +1373,10 @@ int ceph_process_folio_batch(struct address_space *mapping,
 		rc = move_dirty_folio_in_page_array(mapping, wbc, ceph_wbc,
 				folio);
 		if (rc) {
+			/* Did we just begin a new contiguous op? Nevermind! */
+			if (ceph_wbc->len == 0)
+				ceph_wbc->num_ops--;
+
 			rc = 0;
 			folio_redirty_for_writepage(wbc, folio);
 			folio_unlock(folio);
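Review bot: the `ceph_wbc->len == 0` test encodes an invariant the hunk does not state: `len` is reset to 0 exactly when a discontiguous folio has just bumped `num_ops`, so `len == 0` at the failure point means the new extent is still empty. The comment "Did we just begin a new contiguous op? Nevermind!" should say that explicitly, e.g. "len == 0 means the discontiguity branch above already counted an extent for this folio; undo it since the folio is not in the array", so a future change to where `len` is reset cannot silently break the decrement and bring back the BUG_ON in ceph_submit_write().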
-- 
2.53.0




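To make the off-by-one concrete, here is an added, constructed C model of the batch bookkeeping (not ceph code and not from the patch): folio indices are fed in order, a gap opens a new extent, and one folio is made to fail placement, with and without the decrement the patch adds. The struct and function names (wbc_model, process_batch, num_ops_consistent) and the two index arrays are assumptions of the example; it also covers the fully contiguous case, where the decrement correctly does not fire.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SZ     4096UL
#define NO_FAILURE  ((size_t)-1)

/* Constructed model of the per-batch bookkeeping in ceph_process_folio_batch(). */
struct wbc_model {
	unsigned int  num_ops;    /* "write extent" ops counted so far */
	unsigned long len;        /* bytes accumulated in the current extent */
	long          last_index; /* index of the last folio placed, -1 if none */
	unsigned int  extents;    /* extents actually present in the page array */
};

/*
 * Feed folio indices in order.  A gap from the previously placed folio opens
 * a new extent (num_ops++, len = 0).  The folio at position fail_at models
 * move_dirty_folio_in_page_array() failing (bounce buffer allocation under
 * memory pressure): the folio is redirtied and the batch is cut short.  With
 * fixed == true the patch's correction is applied.  Returns true if every
 * folio was placed.
 */
static bool process_batch(const long *idx, size_t n, size_t fail_at,
			  bool fixed, struct wbc_model *m)
{
	*m = (struct wbc_model){ 0, 0, -1, 0 };
	for (size_t i = 0; i < n; i++) {
		bool new_extent = m->last_index < 0 || idx[i] != m->last_index + 1;

		if (new_extent) {
			m->num_ops++;   /* a new contiguous range starts here */
			m->len = 0;
		}
		if (i == fail_at) {
			/* len == 0 means the extent just opened is still empty */
			if (fixed && m->len == 0)
				m->num_ops--;
			return false;
		}
		m->len += PAGE_SZ;
		m->last_index = idx[i];
		if (new_extent)
			m->extents++;
	}
	return true;
}

/* The property ceph_submit_write() enforces with BUG_ON: counted ops == real extents. */
static bool num_ops_consistent(const long *idx, size_t n, size_t fail_at, bool fixed)
{
	struct wbc_model m;

	process_batch(idx, n, fail_at, fixed, &m);
	return m.num_ops == m.extents;
}

/* Constructed inputs: 4 KiB written / 4 KiB skipped (every folio is its own
 * extent) and a fully contiguous run. */
static const long SPARSE[] = { 0, 2, 4, 6 };
static const long DENSE[]  = { 0, 1, 2, 3 };
#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
	printf("sparse, failure at folio 2: before fix %s, after fix %s\n",
	       num_ops_consistent(SPARSE, NELEMS(SPARSE), 2, false) ? "consistent" : "BUG_ON",
	       num_ops_consistent(SPARSE, NELEMS(SPARSE), 2, true)  ? "consistent" : "BUG_ON");
	printf("dense, failure at folio 2: before fix %s\n",
	       num_ops_consistent(DENSE, NELEMS(DENSE), 2, false) ? "consistent" : "BUG_ON");
	return 0;
}
```

Only the sparse pattern with a failed discontiguous folio trips the mismatch, which is exactly the write/skip reproducer the commit message describes.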

* [PATCH 6.18 018/270] flow_dissector: do not dissect PPPoE PFC frames
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2026-05-12 17:36 ` [PATCH 6.18 017/270] ceph: fix num_ops off-by-one when crypto allocation fails Greg Kroah-Hartman
@ 2026-05-12 17:36 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 019/270] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qingfang Deng <qingfang.deng@linux.dev>

[ Upstream commit d6c19b31a3c1d519fabdcf0aa239e6b6109b9473 ]

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.

During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.

The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:

$ 0   : 00000000 80c40000 00000000 85144817
$ 4   : 00000008 00000100 80a75758 81dc9bb8
$ 8   : 00000010 8087ae2c 0000003d 00000000
$12   : 000000e0 00000039 00000000 00000000
$16   : 85043240 80a75758 81dc9bb8 00006488
$20   : 0000002f 00000007 85144810 80a70000
$24   : 81d1bda0 00000000
$28   : 81dc8000 81dc9aa8 00000000 805ead08
Hi    : 00009d51
Lo    : 2163358a
epc   : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra    : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403        KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId  : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c

Code: 02d51821  1060045b  00000000 <8c640000> 3084000f  2c820005  144001a2  00042080  8e220000

To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.

[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
Fixes: 46126db9c861 ("flow_dissector: Add PPPoE dissectors")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Link: https://patch.msgid.link/20260415022456.141758-1-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/flow_dissector.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 1b61bb25ba0e5..2a98f5fa74eb0 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1374,16 +1374,13 @@ bool __skb_flow_dissect(const struct net *net,
 			break;
 		}
 
-		/* least significant bit of the most significant octet
-		 * indicates if protocol field was compressed
+		/* PFC (compressed 1-byte protocol) frames are not processed.
+		 * A compressed protocol field has the least significant bit of
+		 * the most significant octet set, which will fail the following
+		 * ppp_proto_is_valid(), returning FLOW_DISSECT_RET_OUT_BAD.
 		 */
 		ppp_proto = ntohs(hdr->proto);
-		if (ppp_proto & 0x0100) {
-			ppp_proto = ppp_proto >> 8;
-			nhoff += PPPOE_SES_HLEN - 1;
-		} else {
-			nhoff += PPPOE_SES_HLEN;
-		}
+		nhoff += PPPOE_SES_HLEN;
 
 		if (ppp_proto == PPP_IP) {
 			proto = htons(ETH_P_IP);
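Review bot: the rejection of PFC frames is implicit. The new comment says a compressed protocol field will fail a subsequent ppp_proto_is_valid() check, but that call is not in this hunk, and the code that follows goes straight to `if (ppp_proto == PPP_IP)`. Making the rejection local, e.g. `if (ppp_proto & 0x0100) return FLOW_DISSECT_RET_OUT_BAD;` right after reading hdr->proto, or at least pointing the comment at the exact ppp_proto_is_valid() line that catches it, would keep the intent robust against a later reordering of the checks.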
-- 
2.53.0




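The alignment argument and the PFC check are easy to see in a few lines of user-space C. The following is an added example, not the kernel's dissector and not from the patch: it builds two constructed PPPoE session frames (uncompressed protocol field and PFC), reads the 16-bit field the way the patched branch does, and reports where the network header would land in each case. NET_IP_ALIGN = 2 is assumed for the alignment check; the function names (dissect_pppoe_ses, build_frame, classify) are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN        14
#define PPPOE_SES_HLEN  8       /* 6-byte PPPoE session header + 2-byte PPP protocol */
#define PPP_IP          0x0021
#define PPP_IPV6        0x0057
#define NET_IP_ALIGN    2       /* assumed: rx buffers start 2 bytes into a 4-byte word */

enum dissect_result { DISSECT_OUT_BAD = 0, DISSECT_IPV4, DISSECT_IPV6 };

struct dissect_out {
	enum dissect_result res;
	size_t nhoff;   /* network header offset the dissector would use */
};

/*
 * Constructed dissector mirroring the patched branch: always read the full
 * 16-bit protocol field and advance by PPPOE_SES_HLEN.  PPP protocol numbers
 * have an even first octet, so bit 0x0100 set in the 16-bit value means the
 * first octet is odd: the sender compressed the field (PFC) and the frame is
 * rejected instead of being re-aligned by hand.
 */
static struct dissect_out dissect_pppoe_ses(const uint8_t *frame, size_t len, size_t nhoff)
{
	struct dissect_out out = { DISSECT_OUT_BAD, nhoff };
	uint16_t ppp_proto;

	if (len < nhoff + PPPOE_SES_HLEN)
		return out;
	ppp_proto = (uint16_t)((frame[nhoff + 6] << 8) | frame[nhoff + 7]);
	out.nhoff = nhoff + PPPOE_SES_HLEN;

	if (ppp_proto & 0x0100)         /* PFC frame: not dissected */
		return out;
	if (ppp_proto == PPP_IP)
		out.res = DISSECT_IPV4;
	else if (ppp_proto == PPP_IPV6)
		out.res = DISSECT_IPV6;
	return out;
}

/* Offset the network header would have had if PFC were honoured (the removed branch). */
static size_t pfc_network_offset(size_t nhoff)
{
	return nhoff + PPPOE_SES_HLEN - 1;
}

/* Is a header at this offset 4-byte aligned, given the NET_IP_ALIGN skew? */
static bool network_header_aligned(size_t nhoff)
{
	return (nhoff + NET_IP_ALIGN) % 4 == 0;
}

/* Constructed frame: Ethernet + PPPoE session header + (un)compressed protocol + IPv4 stub. */
static size_t build_frame(uint8_t *buf, size_t cap, bool pfc)
{
	static const uint8_t eth[ETH_HLEN] = {
		0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,  0x88, 0x64 }; /* ETH_P_PPP_SES */
	static const uint8_t pppoe[6] = { 0x11, 0x00, 0x00, 0x01, 0x00, 0x16 }; /* ver/type, code, sid, length */
	static const uint8_t ip_stub[20] = { 0x45, 0x00, 0x00, 0x14 };
	size_t n = 0;

	if (cap < ETH_HLEN + PPPOE_SES_HLEN + sizeof ip_stub)
		return 0;
	memcpy(buf + n, eth, ETH_HLEN);       n += ETH_HLEN;
	memcpy(buf + n, pppoe, sizeof pppoe); n += sizeof pppoe;
	if (pfc) {
		buf[n++] = 0x21;                  /* PFC: single odd octet */
	} else {
		buf[n++] = 0x00;
		buf[n++] = 0x21;                  /* PPP_IP, uncompressed */
	}
	memcpy(buf + n, ip_stub, sizeof ip_stub); n += sizeof ip_stub;
	return n;
}

static enum dissect_result classify(bool pfc)
{
	uint8_t buf[64];
	size_t len = build_frame(buf, sizeof buf, pfc);

	return dissect_pppoe_ses(buf, len, ETH_HLEN).res;
}

int main(void)
{
	printf("uncompressed: %d, PFC: %d (0 = OUT_BAD)\n", classify(false), classify(true));
	printf("network header aligned: after full header %d, after PFC shift %d\n",
	       network_header_aligned(ETH_HLEN + PPPOE_SES_HLEN),
	       network_header_aligned(pfc_network_offset(ETH_HLEN)));
	return 0;
}
```

With the Ethernet header at 14 bytes and the full PPPoE session header at 8, the network header lands on a 4-byte boundary; the one-byte PFC shift puts it at an odd offset, which is the unaligned access the MIPS trace above shows.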

* [PATCH 6.18 019/270] mptcp: sync the msk->sndbuf at accept() time
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2026-05-12 17:36 ` [PATCH 6.18 018/270] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 020/270] smb: client/smbdirect: fix MR registration for coalesced SG lists Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gang Yan, Paolo Abeni,
	Matthieu Baerts (NGI0), Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gang Yan <yangang@kylinos.cn>

commit fcf04b14334641f4b0b8647824480935e9416d52 upstream.

On passive MPTCP connections, the msk sndbuf is not updated correctly.

The root cause is an order issue in the accept path:

- tcp_check_req() -> subflow_syn_recv_sock() -> mptcp_sk_clone_init()
  calls __mptcp_propagate_sndbuf() to copy the ssk sndbuf into msk

- Later, tcp_child_process() -> tcp_init_transfer() ->
  tcp_sndbuf_expand() grows the ssk sndbuf.

So __mptcp_propagate_sndbuf() runs before the ssk sndbuf has been
expanded and the msk ends up with a much smaller sndbuf than the
subflow:

  MPTCP: msk->sndbuf:20480, msk->first->sndbuf:2626560

Fix this by moving the __mptcp_propagate_sndbuf() call from
mptcp_sk_clone_init() -- the ssk sndbuf is not yet finalized there -- to
__mptcp_propagate_sndbuf() at accept() time, when the ssk sndbuf has
been fully expanded by tcp_sndbuf_expand().

Fixes: 8005184fd1ca ("mptcp: refactor sndbuf auto-tuning")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/602
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260420-net-mptcp-sync-sndbuf-accept-v1-1-e3523e3aeb44@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ No conflicts, but move __mptcp_propagate_sndbuf() above the for-loop
  (mptcp_for_each_subflow()) present in this version, which will modify
  'subflow' used by __mptcp_propagate_sndbuf() in this new patch. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mptcp/protocol.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 09e1a93b7daab..c805d36fe50d5 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3428,7 +3428,6 @@ struct sock *mptcp_sk_clone_init(const struct sock *sk,
 	 * uses the correct data
 	 */
 	mptcp_copy_inaddrs(nsk, ssk);
-	__mptcp_propagate_sndbuf(nsk, ssk);
 
 	mptcp_rcv_space_init(msk, ssk);
 	msk->rcvq_space.time = mptcp_stamp();
@@ -4027,6 +4026,8 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock,
 		msk = mptcp_sk(newsk);
 		msk->in_accept_queue = 0;
 
+		__mptcp_propagate_sndbuf(newsk, mptcp_subflow_tcp_sock(subflow));
+
 		/* set ssk->sk_socket of accept()ed flows to mptcp socket.
 		 * This is needed so NOSPACE flag can be set from tcp stack.
 		 */
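Review bot: the placement of `__mptcp_propagate_sndbuf(newsk, mptcp_subflow_tcp_sock(subflow));` depends on `subflow` still naming the first subflow here, which the backport note explains is why it sits above the mptcp_for_each_subflow() loop in this version. That ordering constraint is invisible in the hunk itself; a one-line comment ("must run before the loop below reuses `subflow`") would stop a future reorder from propagating the sndbuf of whichever subflow the loop last touched.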
-- 
2.53.0





* [PATCH 6.18 020/270] smb: client/smbdirect: fix MR registration for coalesced SG lists
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 019/270] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 021/270] net: af_key: zero aligned sockaddr tail in PF_KEY exports Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefan Metzmacher, Namjae Jeon,
	Yi Kuo, Steve French, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yi Kuo <yi@yikuo.dev>

commit 9900b9fee5a0e0f72d7c744b37c7c851d5785ac6 upstream.
The stable backport to < 7.1 patches a different file. Also
the Fixes tag below is adjusted for the old code path.

ib_dma_map_sg() modifies the provided scatterlist and returns the
number of mapped entries, which can be fewer than the requested
mr->sgt.nents if the DMA controller coalesces contiguous memory
segments. Passing the original, uncoalesced count to ib_map_mr_sg()
causes memory registration failures if coalescing actually occurs.

Capture the actual mapped count returned by ib_dma_map_sg() and pass it
to ib_map_mr_sg() to ensure correct MR registration.

Also update the ib_dma_map_sg() error logging to drop the error
pointer formatting, since the return value is an integer count
rather than an error code.

Ensure a proper error code (-EIO) is assigned when DMA mapping or
MR registration fails.

Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221408
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Yi Kuo <yi@yikuo.dev>
Signed-off-by: Steve French <stfrench@microsoft.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/smb/client/smbdirect.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
index ff44a2dc49938..e2b20219ba2c7 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -2895,7 +2895,7 @@ struct smbdirect_mr_io *smbd_register_mr(struct smbd_connection *info,
 	struct smbdirect_socket *sc = &info->socket;
 	struct smbdirect_socket_parameters *sp = &sc->parameters;
 	struct smbdirect_mr_io *mr;
-	int rc, num_pages;
+	int rc, num_pages, num_mapped;
 	struct ib_reg_wr *reg_wr;
 
 	num_pages = iov_iter_npages(iter, sp->max_frmr_depth + 1);
@@ -2923,18 +2923,21 @@ struct smbdirect_mr_io *smbd_register_mr(struct smbd_connection *info,
 		    num_pages, iov_iter_count(iter), sp->max_frmr_depth);
 	smbd_iter_to_mr(iter, &mr->sgt, sp->max_frmr_depth);
 
-	rc = ib_dma_map_sg(sc->ib.dev, mr->sgt.sgl, mr->sgt.nents, mr->dir);
-	if (!rc) {
-		log_rdma_mr(ERR, "ib_dma_map_sg num_pages=%x dir=%x rc=%x\n",
-			    num_pages, mr->dir, rc);
+	num_mapped = ib_dma_map_sg(sc->ib.dev, mr->sgt.sgl, mr->sgt.nents, mr->dir);
+	if (!num_mapped) {
+		log_rdma_mr(ERR, "ib_dma_map_sg num_pages=%x dir=%x num_mapped=%x\n",
+			    num_pages, mr->dir, num_mapped);
+		rc = -EIO;
 		goto dma_map_error;
 	}
 
-	rc = ib_map_mr_sg(mr->mr, mr->sgt.sgl, mr->sgt.nents, NULL, PAGE_SIZE);
-	if (rc != mr->sgt.nents) {
+	rc = ib_map_mr_sg(mr->mr, mr->sgt.sgl, num_mapped, NULL, PAGE_SIZE);
+	if (rc != num_mapped) {
 		log_rdma_mr(ERR,
-			    "ib_map_mr_sg failed rc = %d nents = %x\n",
-			    rc, mr->sgt.nents);
+			    "ib_map_mr_sg failed rc = %d num_mapped = %x\n",
+			    rc, num_mapped);
+		if (rc >= 0)
+			rc = -EIO;
 		goto map_mr_error;
 	}
 
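Review bot: both log lines print counts with `%x` (`num_pages=%x dir=%x num_mapped=%x` and `num_mapped = %x`); these are small decimal quantities and `dir` is an enum, so `%d` would read better and match the `rc = %d` on the same line. Also, a partial mapping (0 < num_mapped < mr->sgt.nents) is now accepted silently; a debug-level log in that case would help when diagnosing registrations that succeed with fewer segments than requested.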
-- 
2.53.0





* [PATCH 6.18 021/270] net: af_key: zero aligned sockaddr tail in PF_KEY exports
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 020/270] smb: client/smbdirect: fix MR registration for coalesced SG lists Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 022/270] KVM: SVM: check validity of VMCB controls when returning from SMM Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
	Xin Liu, Xiao Liu, Zhengchuan Liang, Steffen Klassert,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

[ Upstream commit 426c355742f02cf743b347d9d7dbdc1bfbfa31ef ]

PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
`pfkey_sockaddr_fill()` initializes only the first 28 bytes of
`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.

Not every PF_KEY message is affected. The state and policy dump builders
already zero the whole message buffer before filling the sockaddr
payloads. Keep the fix to the export paths that still append aligned
sockaddr payloads with plain `skb_put()`:

  - `SADB_ACQUIRE`
  - `SADB_X_NAT_T_NEW_MAPPING`
  - `SADB_X_MIGRATE`

Fix those paths by clearing only the aligned sockaddr tail after
`pfkey_sockaddr_fill()`.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/key/af_key.c | 52 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 18 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index ceaa82bc78acc..e01939ab81039 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -757,6 +757,22 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port
 	return 0;
 }
 
+static unsigned int pfkey_sockaddr_fill_zero_tail(const xfrm_address_t *xaddr,
+						  __be16 port,
+						  struct sockaddr *sa,
+						  unsigned short family)
+{
+	unsigned int prefixlen;
+	int sockaddr_len = pfkey_sockaddr_len(family);
+	int sockaddr_size = pfkey_sockaddr_size(family);
+
+	prefixlen = pfkey_sockaddr_fill(xaddr, port, sa, family);
+	if (sockaddr_size > sockaddr_len)
+		memset((u8 *)sa + sockaddr_len, 0, sockaddr_size - sockaddr_len);
+
+	return prefixlen;
+}
+
 static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x,
 					      int add_keys, int hsc)
 {
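Review bot: pfkey_sockaddr_fill_zero_tail() relies on the caller having reserved pfkey_sockaddr_size(family) bytes at `sa` (the commit message says the export paths do), but nothing in the helper documents or checks that contract; a comment stating it would prevent a future caller that reserves only pfkey_sockaddr_len() from getting a 4-byte overflow out of the memset. `sockaddr_len` and `sockaddr_size` are declared int while the function returns unsigned int; using unsigned int for both keeps the `sockaddr_size > sockaddr_len` comparison and the memset length in one type. Zeroing the whole `sockaddr_size` before calling pfkey_sockaddr_fill() would give the same result with one memset and no arithmetic, at the cost of a few redundant stores.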
@@ -3206,9 +3222,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
 	addr->sadb_address_proto = 0;
 	addr->sadb_address_reserved = 0;
 	addr->sadb_address_prefixlen =
-		pfkey_sockaddr_fill(&x->props.saddr, 0,
-				    (struct sockaddr *) (addr + 1),
-				    x->props.family);
+		pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0,
+					      (struct sockaddr *)(addr + 1),
+					      x->props.family);
 	if (!addr->sadb_address_prefixlen)
 		BUG();
 
@@ -3221,9 +3237,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
 	addr->sadb_address_proto = 0;
 	addr->sadb_address_reserved = 0;
 	addr->sadb_address_prefixlen =
-		pfkey_sockaddr_fill(&x->id.daddr, 0,
-				    (struct sockaddr *) (addr + 1),
-				    x->props.family);
+		pfkey_sockaddr_fill_zero_tail(&x->id.daddr, 0,
+					      (struct sockaddr *)(addr + 1),
+					      x->props.family);
 	if (!addr->sadb_address_prefixlen)
 		BUG();
 
@@ -3421,9 +3437,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
 	addr->sadb_address_proto = 0;
 	addr->sadb_address_reserved = 0;
 	addr->sadb_address_prefixlen =
-		pfkey_sockaddr_fill(&x->props.saddr, 0,
-				    (struct sockaddr *) (addr + 1),
-				    x->props.family);
+		pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0,
+					      (struct sockaddr *)(addr + 1),
+					      x->props.family);
 	if (!addr->sadb_address_prefixlen)
 		BUG();
 
@@ -3443,9 +3459,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
 	addr->sadb_address_proto = 0;
 	addr->sadb_address_reserved = 0;
 	addr->sadb_address_prefixlen =
-		pfkey_sockaddr_fill(ipaddr, 0,
-				    (struct sockaddr *) (addr + 1),
-				    x->props.family);
+		pfkey_sockaddr_fill_zero_tail(ipaddr, 0,
+					      (struct sockaddr *)(addr + 1),
+					      x->props.family);
 	if (!addr->sadb_address_prefixlen)
 		BUG();
 
@@ -3474,15 +3490,15 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type,
 	switch (type) {
 	case SADB_EXT_ADDRESS_SRC:
 		addr->sadb_address_prefixlen = sel->prefixlen_s;
-		pfkey_sockaddr_fill(&sel->saddr, 0,
-				    (struct sockaddr *)(addr + 1),
-				    sel->family);
+		pfkey_sockaddr_fill_zero_tail(&sel->saddr, 0,
+					      (struct sockaddr *)(addr + 1),
+					      sel->family);
 		break;
 	case SADB_EXT_ADDRESS_DST:
 		addr->sadb_address_prefixlen = sel->prefixlen_d;
-		pfkey_sockaddr_fill(&sel->daddr, 0,
-				    (struct sockaddr *)(addr + 1),
-				    sel->family);
+		pfkey_sockaddr_fill_zero_tail(&sel->daddr, 0,
+					      (struct sockaddr *)(addr + 1),
+					      sel->family);
 		break;
 	default:
 		return -EINVAL;
-- 
2.53.0




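An added example (constructed, not kernel code and not from the patch) showing why the padding matters and what the helper fixes: a 32-byte wire slot is pre-filled with a marker byte standing in for stale memory, an IPv6 sockaddr is written into it with a fill routine shaped like pfkey_sockaddr_fill(), and the bytes between sizeof(struct sockaddr_in6) and the 8-byte-rounded size are inspected before and after the tail is cleared. It also shows that the IPv4 slot has no tail, which is why only IPv6 exports carry uninitialised bytes. The names fill, fill_zero_tail, stale_tail_bytes and the 0xAA marker are assumptions of the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * PF_KEY (RFC 2367) lays out sockaddrs in 64-bit units.  On Linux
 * sizeof(struct sockaddr_in6) is 28, so an IPv6 address occupies 32 bytes on
 * the wire and the final 4 bytes are alignment padding that the fill routine
 * never writes.  sizeof(struct sockaddr_in) is 16, already a multiple of 8.
 */
#define PFKEY_ALIGN8(len) (((len) + 7u) & ~7u)

static unsigned int sockaddr_len(unsigned short family)
{
	return family == AF_INET6 ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
}

static unsigned int sockaddr_size(unsigned short family)
{
	return PFKEY_ALIGN8(sockaddr_len(family));
}

/* Constructed stand-in for pfkey_sockaddr_fill(): writes only sockaddr_len() bytes. */
static unsigned int fill(const uint8_t addr[16], uint16_t port, void *sa, unsigned short family)
{
	if (family == AF_INET6) {
		struct sockaddr_in6 *sin6 = sa;

		sin6->sin6_family = AF_INET6;
		sin6->sin6_port = port;
		sin6->sin6_flowinfo = 0;
		memcpy(&sin6->sin6_addr, addr, 16);
		sin6->sin6_scope_id = 0;
		return 128;
	}
	struct sockaddr_in *sin = sa;

	sin->sin_family = AF_INET;
	sin->sin_port = port;
	memcpy(&sin->sin_addr, addr, 4);
	memset(sin->sin_zero, 0, sizeof sin->sin_zero);
	return 32;
}

/* Same shape as the patch's helper: fill, then clear the aligned tail. */
static unsigned int fill_zero_tail(const uint8_t addr[16], uint16_t port, void *sa,
				   unsigned short family)
{
	unsigned int len = sockaddr_len(family);
	unsigned int size = sockaddr_size(family);
	unsigned int prefixlen = fill(addr, port, sa, family);

	if (size > len)
		memset((uint8_t *)sa + len, 0, size - len);
	return prefixlen;
}

/*
 * Count non-zero bytes in the padding after an export.  The slot is pre-filled
 * with 0xAA to stand in for stale kernel memory left behind by an earlier use
 * of the buffer (constructed, not a real skb).
 */
static int stale_tail_bytes(unsigned short family, bool zero_tail)
{
	union { uint8_t bytes[32]; struct sockaddr_in6 align; } slot;
	static const uint8_t addr[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 }; /* 2001:db8::1 */
	unsigned int len = sockaddr_len(family), size = sockaddr_size(family);
	int stale = 0;

	memset(slot.bytes, 0xAA, sizeof slot.bytes);
	if (zero_tail)
		fill_zero_tail(addr, htons(500), slot.bytes, family);
	else
		fill(addr, htons(500), slot.bytes, family);
	for (unsigned int i = len; i < size; i++)
		stale += slot.bytes[i] != 0;
	return stale;
}

int main(void)
{
	printf("IPv6 tail: %d stale bytes before the fix, %d after\n",
	       stale_tail_bytes(AF_INET6, false), stale_tail_bytes(AF_INET6, true));
	printf("IPv4 tail: %d stale bytes (slot already 8-byte aligned)\n",
	       stale_tail_bytes(AF_INET, false));
	return 0;
}
```

The four marker bytes that survive the unfixed IPv6 fill are exactly what a PF_KEY listener would receive as part of the message; after the tail clear they are zero.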

* [PATCH 6.18 022/270] KVM: SVM: check validity of VMCB controls when returning from SMM
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 021/270] net: af_key: zero aligned sockaddr tail in PF_KEY exports Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 023/270] net: stmmac: Disable EEE RX clock stop when VLAN is enabled Greg Kroah-Hartman
                   ` (252 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit be5fa8737d42c5ba16d2ea72c23681f8abbb07e8 upstream.

The VMCB12 is stored in guest memory and can be mangled while in SMM; it
is then reloaded by svm_leave_smm(), but it is not checked again for
validity.

Move the cached vmcb12 control and save consistency checks out of
svm_set_nested_state() and into a helper, and reuse it in
svm_leave_smm().

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |   12 ++++++++++--
 arch/x86/kvm/svm/svm.c    |    4 ++++
 arch/x86/kvm/svm/svm.h    |    1 +
 3 files changed, 15 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -484,6 +484,15 @@ void nested_copy_vmcb_save_to_cache(stru
 	__nested_copy_vmcb_save_to_cache(&svm->nested.save, save);
 }
 
+int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu)
+{
+	if (!nested_vmcb_check_save(vcpu) ||
+	    !nested_vmcb_check_controls(vcpu))
+		return -EINVAL;
+
+	return 0;
+}
+
 /*
  * Synchronize fields that are written by the processor, so that
  * they can be copied back into the vmcb12.
@@ -990,8 +999,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
 
-	if (!nested_vmcb_check_save(vcpu) ||
-	    !nested_vmcb_check_controls(vcpu)) {
+	if (nested_svm_check_cached_vmcb12(vcpu) < 0) {
 		vmcb12->control.exit_code    = SVM_EXIT_ERR;
 		vmcb12->control.exit_code_hi = -1u;
 		vmcb12->control.exit_info_1  = 0;
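Review bot: the `< 0` comparison assumes the helper only ever returns 0 or a negative errno; since it returns exactly 0 or -EINVAL today, `if (nested_svm_check_cached_vmcb12(vcpu))` is the more conventional kernel idiom and does not silently miss a positive value should the helper ever grow one. Behaviour of the VMRUN path is otherwise unchanged by this hunk.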
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4885,6 +4885,10 @@ static int svm_leave_smm(struct kvm_vcpu
 	vmcb12 = map.hva;
 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
+
+	if (nested_svm_check_cached_vmcb12(vcpu) < 0)
+		goto unmap_save;
+
 	ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12, false);
 
 	if (ret)
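Review bot: `ret` is not assigned before `goto unmap_save`. Its value at that point is outside the hunk; if it is still 0 (or whatever an earlier call left in it), svm_leave_smm() will unmap and report success even though the rejected vmcb12 was never entered, leaving the vCPU silently out of guest mode. Suggest `ret = -EINVAL;` immediately before the goto so the failure is visible to the caller, in the same spirit as the VMRUN path in the nested.c hunk, which reports SVM_EXIT_ERR instead of continuing.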
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -782,6 +782,7 @@ static inline int nested_svm_simple_vmex
 
 int nested_svm_exit_handled(struct vcpu_svm *svm);
 int nested_svm_check_permissions(struct kvm_vcpu *vcpu);
+int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu);
 int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
 			       bool has_error_code, u32 error_code);
 int nested_svm_exit_special(struct vcpu_svm *svm);




* [PATCH 6.18 023/270] net: stmmac: Disable EEE RX clock stop when VLAN is enabled
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 022/270] KVM: SVM: check validity of VMCB controls when returning from SMM Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 024/270] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
                   ` (251 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Russell King (Oracle),
	Paolo Abeni

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>

commit c171e679ee66d7c0e2b58db9531af96797a76bca upstream.

On the Renesas RZ/V2H EVK platform, where the stmmac MAC is connected to a
Microchip KSZ9131RNXI PHY, creating or deleting VLAN interfaces may fail
with timeouts:

    # ip link add link end1 name end1.5 type vlan id 5
    15c40000.ethernet end1: Timeout accessing MAC_VLAN_Tag_Filter
    RTNETLINK answers: Device or resource busy

Disabling EEE at runtime avoids the problem:

    # ethtool --set-eee end1 eee off
    # ip link add link end1 name end1.5 type vlan id 5
    # ip link del end1.5

The stmmac hardware requires the receive clock to be running when writing
certain registers, such as those used for MAC address configuration or
VLAN filtering. However, by default the driver enables Energy Efficient
Ethernet (EEE) and allows the PHY to stop the receive clock when the link
is idle. As a result, the RX clock might be stopped when attempting to
access these registers, leading to timeouts and other issues.

Commit dd557266cf5fb ("net: stmmac: block PHY RXC clock-stop")
addressed this issue for most register accesses by wrapping them in
phylink_rx_clk_stop_block()/phylink_rx_clk_stop_unblock() calls.
However, VLAN add/delete operations may be invoked with bottom halves
disabled, where sleeping is not allowed, so using these helpers is not
possible.

Therefore, to fix this, disable the RX clock stop feature in the phylink
configuration if VLAN features are set. This ensures the RX clock remains
active and register accesses succeed during VLAN operations.

Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20251113112721.70500-3-ovidiu.panait.rb@renesas.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -1204,7 +1204,11 @@ static int stmmac_phy_setup(struct stmma
 	/* Stmmac always requires an RX clock for hardware initialization */
 	config->mac_requires_rxc = true;
 
-	if (!(priv->plat->flags & STMMAC_FLAG_RX_CLK_RUNS_IN_LPI))
+	/* Disable EEE RX clock stop to ensure VLAN register access works
+	 * correctly.
+	 */
+	if (!(priv->plat->flags & STMMAC_FLAG_RX_CLK_RUNS_IN_LPI) &&
+	    !(priv->dev->features & NETIF_F_VLAN_FEATURES))
 		config->eee_rx_clk_stop_enable = true;
 
 	/* Set the default transmit clock stop bit based on the platform glue */
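Review bot: the VLAN check is evaluated once in stmmac_phy_setup() from `priv->dev->features`, so `eee_rx_clk_stop_enable` reflects the feature set at probe time; toggling NETIF_F_VLAN_FEATURES later (e.g. via ethtool -K) will not revisit it, and the comment should say so, or the feature-change path should re-run this decision. Also the comment reads "Disable EEE RX clock stop" while the code only ever *enables* it when neither condition holds; rewording to something like "Only allow the PHY to stop the RX clock when the platform says it keeps running in LPI and no VLAN features are in use" would match the logic.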




* [PATCH 6.18 024/270] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 023/270] net: stmmac: Disable EEE RX clock stop when VLAN is enabled Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 025/270] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
                   ` (250 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manas, Rakshit Awasthi,
	Jamal Hadi Salim, Eric Dumazet, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

commit 458d5615272d3de535748342eb68ca492343048c upstream.

When red qdisc has children (e.g. qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (e.g. illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (red in this case), it will do the following:
 1a. do a peek() - and when sensing there's an skb the child can offer, then
     - the child in this case (red) calls its child's (qfq) peek.
        qfq does the right thing and will return the gso_skb queue packet.
        Note: if there wasn't a gso_skb entry then qfq will store it there.
 1b. invoke a dequeue() on the child (red). And herein lies the problem.
     - red will call the child's dequeue() which will essentially just
       try to grab something off qfq's queue.

[   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)
[   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]
[   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d
[   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216
[   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048
[   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078
[   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000
[   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200
[   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000
[   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0
[   78.671585][  T363] PKRU: 55555554
[   78.671713][  T363] Call Trace:
[   78.671843][  T363]  <TASK>
[   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]
[   78.672148][  T363]  ? __pfx__printk+0x10/0x10
[   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0
[   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0
[   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red]
[   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf]
[   78.673566][  T363]  __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.

Fixes: 77be155cba4e ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.")
Reported-by: Manas <ghandatmanas@gmail.com>
Reported-by: Rakshit Awasthi <rakshitawasthi17@gmail.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_red.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -155,7 +155,7 @@ static struct sk_buff *red_dequeue(struc
 	struct red_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
 
-	skb = child->dequeue(child);
+	skb = qdisc_dequeue_peeked(child);
 	if (skb) {
 		qdisc_bstats_update(sch, skb);
 		qdisc_qstats_backlog_dec(sch, skb);
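Review bot: only the dequeue side changes, so the fix for the 1a/1b sequence in the commit message holds only if red's own peek callback (not in this hunk) reaches the child through its ->peek, i.e. the gso_skb entry that qdisc_dequeue_peeked() now drains is the one the parent's earlier peek parked. A one-line comment above the call saying that `child->dequeue()` must not be called directly here because it bypasses the child's gso_skb cache would keep the next reader from reintroducing the bug.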




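The peek/dequeue contract the commit message describes, replayed in a toy model. This is an added illustration written for this review, not kernel code: a packet is a positive int id (0 stands for NULL), the child is a plain FIFO, and `toy_peek_dequeued()` / `toy_dequeue_peeked()` mirror only the gso_skb parking behaviour of `qdisc_peek_dequeued()` / `qdisc_dequeue_peeked()` (the kernel versions also fix up qlen and backlog, which is omitted here). `toy_parent_run()` performs steps 1a and 1b with either the old direct dequeue or the patched helper.

```c
#include <stdio.h>

/* Toy model of the peek/dequeue contract between a qdisc and its child,
 * written for this note; it is not kernel code. A packet is a positive int
 * id, 0 stands for NULL. */
#define TOY_QLEN_MAX 8

struct toy_qdisc {
	int pkts[TOY_QLEN_MAX];
	int head, tail;   /* FIFO of queued packet ids */
	int gso_skb;      /* packet parked by a peek, 0 when empty */
};

static void toy_enqueue(struct toy_qdisc *q, int id)
{
	q->pkts[q->tail++ % TOY_QLEN_MAX] = id;
}

/* The child's own ->dequeue(): pulls straight from the FIFO and knows
 * nothing about gso_skb. */
static int toy_raw_dequeue(struct toy_qdisc *q)
{
	if (q->head == q->tail)
		return 0;
	return q->pkts[q->head++ % TOY_QLEN_MAX];
}

/* qdisc_peek_dequeued() emulation: a non-work-conserving qdisc has no real
 * peek, so it dequeues one packet and parks it in gso_skb until consumed. */
int toy_peek_dequeued(struct toy_qdisc *q)
{
	if (!q->gso_skb)
		q->gso_skb = toy_raw_dequeue(q);
	return q->gso_skb;
}

/* qdisc_dequeue_peeked() emulation: drain the parked packet first. */
int toy_dequeue_peeked(struct toy_qdisc *q)
{
	int id = q->gso_skb;

	if (id) {
		q->gso_skb = 0;
		return id;
	}
	return toy_raw_dequeue(q);
}

/* Replay steps 1a/1b from the commit message with n_pkts packets queued in
 * the child. fixed == 0 models red_dequeue() before the patch (direct
 * child->dequeue()), fixed != 0 after it (qdisc_dequeue_peeked()). */
static void toy_parent_run(int n_pkts, int fixed, int *got, int *stranded)
{
	struct toy_qdisc child = { {0}, 0, 0, 0 };
	int i;

	for (i = 1; i <= n_pkts; i++)
		toy_enqueue(&child, i);

	*got = 0;
	if (toy_peek_dequeued(&child))                       /* 1a */
		*got = fixed ? toy_dequeue_peeked(&child)    /* 1b, fixed */
			     : toy_raw_dequeue(&child);      /* 1b, buggy */
	*stranded = child.gso_skb;
}

/* Id the parent ends up with after 1a/1b (0 = NULL). */
int toy_parent_gets(int n_pkts, int fixed)
{
	int got, stranded;

	toy_parent_run(n_pkts, fixed, &got, &stranded);
	return got;
}

/* Id left parked in the child's gso_skb after the parent's dequeue. */
int toy_packet_stranded(int n_pkts, int fixed)
{
	int got, stranded;

	toy_parent_run(n_pkts, fixed, &got, &stranded);
	return stranded;
}

int main(void)
{
	printf("1 packet, direct dequeue after peek -> %d (0 = NULL)\n",
	       toy_parent_gets(1, 0));
	printf("1 packet, qdisc_dequeue_peeked after peek -> %d\n",
	       toy_parent_gets(1, 1));
	printf("2 packets, direct dequeue strands packet %d\n",
	       toy_packet_stranded(2, 0));
	return 0;
}
```

With a single packet queued, the buggy sequence peeks it into gso_skb and then asks the FIFO again, getting NULL while the packet stays parked; with two packets it returns the second and strands the first. The patched sequence always hands back the packet the peek promised.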
* [PATCH 6.18 025/270] exit: prevent preemption of oopsing TASK_DEAD task
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 024/270] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 026/270] wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr Greg Kroah-Hartman
                   ` (249 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Peter Zijlstra,
	Linus Torvalds

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 upstream.

When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled.  That is forbidden:
do_task_dead() calls __schedule(), which has a comment saying "WARNING:
must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming
TASK_DEAD and entering the scheduler explicitly, bad things happen:
finish_task_switch() assumes that once the scheduler has switched away
from a TASK_DEAD task, the task can never run again and its stack is no
longer needed; but that assumption apparently doesn't hold if the dead
task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on
the dead task's stack, which can lead to use-after-free or double-free
of the entire task stack; in other words, two tasks can end up running
on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to
oops once during task exit, for example in a file_operations::release
handler.)

Fixes: 7f80a2fd7db9 ("exit: Stop poorly open coding do_task_dead in make_task_dead")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/exit.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1069,6 +1069,7 @@ void __noreturn make_task_dead(int signr
 		futex_exit_recursive(tsk);
 		tsk->exit_state = EXIT_DEAD;
 		refcount_inc(&tsk->rcu_users);
+		preempt_disable();
 		do_task_dead();
 	}
 
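Review bot: a one-line comment above `preempt_disable()` saying that do_task_dead() requires preemption disabled and never returns (so there is intentionally no matching preempt_enable()) would stop a future reader from "fixing" the apparent imbalance; the `__noreturn` on make_task_dead() in the hunk header makes the missing enable legal but not obvious at this call site.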




* [PATCH 6.18 026/270] wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 025/270] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 027/270] wifi: mt76: mt7925: fix incorrect length field in txpower command Greg Kroah-Hartman
                   ` (248 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Sean Wang, Felix Fietkau

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quan Zhou <quan.zhou@mediatek.com>

commit bb8e38fcdbf7290d7f0cd572d2d8fdb2b641b492 upstream.

Previously, the AMPDU state bit for a given TID was set before attempting
to start a BA session, which could result in the AMPDU state being marked
active even if ieee80211_start_tx_ba_session() failed. This patch changes
the logic to only set the AMPDU state bit after successfully starting a BA
session, ensuring proper synchronization between AMPDU state and BA session
status.

This fixes potential issues with aggregation state tracking and improves
compatibility with mac80211 BA session management.

Fixes: 44eb173bdd4f ("wifi: mt76: mt7925: add link handling in mt7925_txwi_free")
Cc: stable@vger.kernel.org

Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Reviewed-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/d5960fbced0beaf33c30203f7f8fb91d0899c87b.1764228973.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
@@ -881,8 +881,10 @@ static void mt7925_tx_check_aggr(struct
 	else
 		mlink = &msta->deflink;
 
-	if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state))
-		ieee80211_start_tx_ba_session(sta, tid, 0);
+	if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state)) {
+		if (ieee80211_start_tx_ba_session(sta, tid, 0))
+			clear_bit(tid, &mlink->wcid.ampdu_state);
+	}
 }
 
 static bool
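Review bot: the nested ifs can be collapsed to `if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state) && ieee80211_start_tx_ba_session(sta, tid, 0)) clear_bit(tid, &mlink->wcid.ampdu_state);`, and a comment stating that any non-zero return from ieee80211_start_tx_ba_session() means "no BA session owned by this driver", so the bit is cleared to let a later frame retry, would document the intent; as written the fix is correct but the reason for clearing is only in the commit message.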




* [PATCH 6.18 027/270] wifi: mt76: mt7925: fix incorrect length field in txpower command
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 026/270] wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 028/270] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
                   ` (247 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Felix Fietkau

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>

commit ccb186326bb6b7f20d77982f855568e7087ad0d7 upstream.

Set `tx_power_tlv->len` to `msg_len` instead of `sizeof(*tx_power_tlv)`
to ensure the correct message length is sent to firmware.

Cc: stable@vger.kernel.org
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250908072526.1833938-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -3673,7 +3673,7 @@ mt7925_mcu_rate_txpower_band(struct mt76
 		memcpy(tx_power_tlv->alpha2, dev->alpha2, sizeof(dev->alpha2));
 		tx_power_tlv->n_chan = num_ch;
 		tx_power_tlv->tag = cpu_to_le16(0x1);
-		tx_power_tlv->len = cpu_to_le16(sizeof(*tx_power_tlv));
+		tx_power_tlv->len = cpu_to_le16(msg_len);
 
 		switch (band) {
 		case NL80211_BAND_2GHZ:
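Review bot: `msg_len` is not in the hunk; please confirm it is the size used to allocate the message that `tx_power_tlv` lives in (header plus the `num_ch` per-channel entries), because firmware now trusts this field for the TLV length and a value larger than the buffer would hand it bytes past the end. A short comment tying `len` to that allocation, or computing both from one expression, would make the invariant visible here.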




* [PATCH 6.18 028/270] wifi: mt76: mt7921: fix a potential clc buffer length underflow
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 027/270] wifi: mt76: mt7925: fix incorrect length field in txpower command Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 029/270] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
                   ` (246 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Yen, Ming Yen Hsieh,
	Felix Fietkau

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Yen <leon.yen@mediatek.com>

commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream.

The buf_len is used to limit the iterations for retrieving the country
power setting and may underflow under certain conditions due to changes
in the power table in CLC.

This underflow leads to an almost infinite loop or an invalid power
setting resulting in driver initialization failure.

Cc: stable@vger.kernel.org
Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC")
Signed-off-by: Leon Yen <leon.yen@mediatek.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7921/mcu.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
@@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_d
 		u16 len = le16_to_cpu(rule->len);
 		u16 offset = len + sizeof(*rule);
 
+		if (buf_len < offset)
+			break;
+
 		pos += offset;
 		buf_len -= offset;
 		if (rule->alpha2[0] != alpha2[0] ||
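Review bot: the new guard is defeated by a u16 wrap two lines above it: `u16 offset = len + sizeof(*rule);` truncates for `len` near 0xffff, `buf_len < offset` then passes on the small value, and `pos += offset` advances only a few bytes while the real rule extends well past the buffer. Compute and compare in a wider type, e.g. `u32 offset = (u32)len + sizeof(*rule);`, so the truncated-table `break` also covers an oversized `len`. Also worth deciding whether silently breaking out (treating the table as exhausted) is the right outcome versus returning an error, since the commit message says a bad table already caused init failure.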




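A bounded walk over a firmware-supplied rule table, as an added example written for this review and not the mt7921 driver's code. The `struct clc_rule` layout (two-byte country code, little-endian 16-bit payload length, then `len` payload bytes) and the sample table are constructed for illustration; the point is that every offset is computed in `size_t` and checked against the bytes remaining before `pos` moves, so neither a short table nor an oversized `len` can walk past the buffer, and `clc_u16_offset_wraps()` shows why keeping the offset in a 16-bit variable is not enough.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed rule header, loosely modelled on the per-country rule walked
 * in __mt7921_mcu_set_clc(): a two-byte country code and a little-endian
 * 16-bit payload length, followed by `len` payload bytes. Illustrative only,
 * not the driver's real layout. */
struct clc_rule {
	uint8_t alpha2[2];
	uint8_t len_le[2];
};

enum clc_result { CLC_FOUND = 0, CLC_NOT_FOUND = 1, CLC_TRUNCATED = 2 };

/* Walk a firmware-supplied rule table with every length computed in size_t
 * and checked against the bytes that remain, so neither an oversized `len`
 * nor a short table can move `pos` past the end of `buf`. */
enum clc_result clc_find_rule(const uint8_t *buf, size_t buf_len,
			      const char alpha2[2],
			      size_t *payload_off, size_t *payload_len)
{
	size_t pos = 0;

	while (buf_len - pos >= sizeof(struct clc_rule)) {
		const struct clc_rule *rule = (const struct clc_rule *)(buf + pos);
		size_t len = rule->len_le[0] | ((size_t)rule->len_le[1] << 8);
		size_t offset = sizeof(*rule) + len;

		/* Reject before advancing: the whole rule must fit. */
		if (offset > buf_len - pos)
			return CLC_TRUNCATED;

		if (rule->alpha2[0] == (uint8_t)alpha2[0] &&
		    rule->alpha2[1] == (uint8_t)alpha2[1]) {
			*payload_off = pos + sizeof(*rule);
			*payload_len = len;
			return CLC_FOUND;
		}
		pos += offset;
	}
	return CLC_NOT_FOUND;
}

/* The hazard of a 16-bit offset: for `len` close to 0xffff the sum
 * `len + sizeof(*rule)` is truncated to a small value, so a
 * "remaining < offset" test passes and the walk advances only a few bytes
 * into the payload instead of stopping. */
int clc_u16_offset_wraps(uint16_t len)
{
	uint16_t offset = (uint16_t)(len + sizeof(struct clc_rule));

	return offset < len;
}

/* Constructed sample table: US (3 payload bytes), DE (2), FR (1) = 18 bytes. */
static const uint8_t clc_sample_table[] = {
	'U', 'S', 3, 0, 'a', 'b', 'c',
	'D', 'E', 2, 0, 'x', 'y',
	'F', 'R', 1, 0, 'z',
};

/* Look up `cc` in the sample table, optionally pretending the table was cut
 * short at `buf_len` bytes, as a truncated firmware blob would be. */
enum clc_result clc_demo_lookup(const char *cc, size_t buf_len)
{
	size_t off = 0, len = 0;

	if (buf_len > sizeof(clc_sample_table))
		buf_len = sizeof(clc_sample_table);
	return clc_find_rule(clc_sample_table, buf_len, cc, &off, &len);
}

/* Byte offset of the payload for `cc` in the full sample table, 0 if absent. */
size_t clc_demo_payload_offset(const char *cc)
{
	size_t off = 0, len = 0;

	if (clc_find_rule(clc_sample_table, sizeof(clc_sample_table), cc,
			  &off, &len) != CLC_FOUND)
		return 0;
	return off;
}

int main(void)
{
	printf("DE payload at offset %zu\n", clc_demo_payload_offset("DE"));
	printf("FR with a 17-byte table: %d (2 = truncated)\n",
	       clc_demo_lookup("FR", 17));
	printf("u16 offset wraps for len 0xfffe: %d\n",
	       clc_u16_offset_wraps(0xfffe));
	return 0;
}
```

Checking `offset > buf_len - pos` before touching `pos` is the general form of the guard the patch adds; doing the arithmetic in `size_t` is what the patch's `u16 offset` still lacks.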
* [PATCH 6.18 029/270] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 028/270] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 030/270] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Sean Wang, Felix Fietkau

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quan Zhou <quan.zhou@mediatek.com>

commit fdfa39f9f4fbae532b162da913a67b2410caf38f upstream.

The mt7921_set_roc API may be executed concurrently with mt7921_roc_work,
specifically between the following code paths:

- The check and clear of MT76_STATE_ROC in mt7921_roc_work:
    if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
        return;

- The execution of ieee80211_iterate_active_interfaces.

This race condition can interrupt the ROC abort flow, resulting in
the ROC process failing to abort as expected.

To address this defect, the modification of MT76_STATE_ROC is now
protected by mt792x_mutex_acquire(phy->dev). This ensures that
changes to the ROC state are properly synchronized, preventing
race conditions and ensuring the ROC abort flow is not interrupted.

Fixes: 034ae28b56f1 ("wifi: mt76: mt7921: introduce remain_on_channel support")
Cc: stable@vger.kernel.org
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Reviewed-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/2568ece8b557e5dda79391414c834ef3233049b6.1769133724.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7921/main.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -387,10 +387,11 @@ void mt7921_roc_work(struct work_struct
 	phy = (struct mt792x_phy *)container_of(work, struct mt792x_phy,
 						roc_work);
 
-	if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
-		return;
-
 	mt792x_mutex_acquire(phy->dev);
+	if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) {
+		mt792x_mutex_release(phy->dev);
+		return;
+	}
 	ieee80211_iterate_active_interfaces(phy->mt76->hw,
 					    IEEE80211_IFACE_ITER_RESUME_ALL,
 					    mt7921_roc_iter, phy);
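Review bot: moving test_and_clear_bit() under mt792x_mutex_acquire() only closes the race if the setting side in mt7921_set_roc (not in this hunk) also modifies MT76_STATE_ROC while holding the same mutex; the commit message says so, but a comment on the bit naming the lock that serialises it would make the contract checkable by the next reader. The early-return path correctly releases the mutex.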




* [PATCH 6.18 030/270] wifi: b43legacy: enforce bounds check on firmware key index in RX path
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 029/270] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 031/270] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tristan Madani, Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit a035766f970bde2d4298346a31a80685be5c0205 upstream.

Same fix as b43: the firmware-controlled key index in b43legacy_rx()
can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
non-enforcing in production builds, allowing an out-of-bounds read of
dev->key[].

Make the check enforcing by dropping the frame for invalid indices.

Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/b43legacy/xmit.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
+++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
 		 * key index, but the ucode passed it slightly different.
 		 */
 		keyidx = b43legacy_kidx_to_raw(dev, keyidx);
-		B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
+		if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
+			goto drop;
 
 		if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
 			/* Remove PROTECTED flag to mark it as decrypted. */
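Review bot: this relies on B43legacy_WARN_ON() evaluating to its condition like the core WARN_ON(), so it can sit in an `if`; if the macro is a statement, or expands to nothing without debug enabled, the `goto drop` is never taken and the read of `dev->key[keyidx]` stays reachable in exactly the production builds the commit message is worried about. Please confirm the macro's expansion in non-debug builds and that the `drop` label exists in b43legacy_rx() (it is outside the hunk). Since `keyidx` comes from the ucode, a plain `if (keyidx >= dev->max_nr_keys) goto drop;` with a rate-limited warning would make the enforcement independent of the debug configuration.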




* [PATCH 6.18 031/270] wifi: mac80211: drop stray static from fast-RX rx_result
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 030/270] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 032/270] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Catherine, Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catherine <enderaoelyther@gmail.com>

commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba upstream.

ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.

That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.

Make res an automatic variable so each invocation keeps its own result.

Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
Cc: stable@vger.kernel.org
Signed-off-by: Catherine <enderaoelyther@gmail.com>
Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/rx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4824,7 +4824,7 @@ static bool ieee80211_invoke_fast_rx(str
 	struct sk_buff *skb = rx->skb;
 	struct ieee80211_hdr *hdr = (void *)skb->data;
 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
-	static ieee80211_rx_result res;
+	ieee80211_rx_result res;
 	int orig_len = skb->len;
 	int hdrlen = ieee80211_hdrlen(hdr->frame_control);
 	int snap_offs = hdrlen;
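Review bot: with `res` now automatic it is uninitialised; confirm every path that reaches the switch on `res` assigns it first (the commit message says ieee80211_rx_mesh_data() sets it), otherwise this trades a shared-state race for an uninitialised read, and some compilers will warn. Initialising it to a known value at declaration makes that robust regardless of the control flow below.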




* [PATCH 6.18 032/270] wifi: rsi: fix kthread lifetime race between self-exit and external-stop
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 031/270] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 033/270] wifi: mac80211: use safe list iteration in radar detect work Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+5de83f57cd8531f55596,
	Jeongjun Park, Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeongjun Park <aha310510@gmail.com>

commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream.

The RSI driver uses both self-exit (kthread_complete_and_exit) and external-stop
(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
first, and in this case, no particular issues occur.

However, in rare instances where kthread_complete_and_exit() is called
first and then kthread_stop() is called, a UAF occurs because the kthread
object, which has already exited and been freed, is accessed again.

Therefore, to prevent this with minimal modification, you must remove
kthread_stop() and change the code to wait until the self-exit operation
is completed.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/rsi/rsi_common.h |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str
 	return 0;
 }
 
-static inline int rsi_kill_thread(struct rsi_thread *handle)
+static inline void rsi_kill_thread(struct rsi_thread *handle)
 {
 	atomic_inc(&handle->thread_done);
 	rsi_set_event(&handle->event);
-
-	return kthread_stop(handle->task);
+	wait_for_completion(&handle->completion);
 }
 
 void rsi_mac80211_detach(struct rsi_hw *hw);




* [PATCH 6.18 033/270] wifi: mac80211: use safe list iteration in radar detect work
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 032/270] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 034/270] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Berg <benjamin.berg@intel.com>

commit ac8eb3e18f41e2cc8492cc1d358bcb786c850270 upstream.

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to
be freed and removed from the list. Guard against this to avoid a
slab-use-after-free error.

Cc: stable@vger.kernel.org
Fixes: bca8bc0399ac ("wifi: mac80211: handle ieee80211_radar_detected() for MLO")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/util.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -3565,11 +3565,11 @@ void ieee80211_dfs_radar_detected_work(s
 	struct ieee80211_local *local =
 		container_of(work, struct ieee80211_local, radar_detected_work);
 	struct cfg80211_chan_def chandef;
-	struct ieee80211_chanctx *ctx;
+	struct ieee80211_chanctx *ctx, *tmp;
 
 	lockdep_assert_wiphy(local->hw.wiphy);
 
-	list_for_each_entry(ctx, &local->chanctx_list, list) {
+	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
 		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
 			continue;
 
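Review bot: list_for_each_entry_safe() only protects against the current ctx being unlinked inside the loop body; if ieee80211_dfs_cac_cancel() can also release the successor chanctx (the one cached in tmp) in the same call, tmp becomes a dangling pointer and the slab-use-after-free just moves one element along the list. The commit message states that only the iterated chanctx can be freed, so that invariant deserves a comment above the loop, or the loop should be restructured to collect the contexts to cancel first and release them after the iteration.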



* [PATCH 6.18 034/270] wifi: ath5k: do not access array OOB
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Vincent Danjean,
	Jeff Johnson

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby (SUSE) <jirislaby@kernel.org>

commit d748603f12baff112caa3ab7d39f50100f010dbd upstream.

Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x5d/0x80
>  ubsan_epilogue+0x5/0x2b
>  __ubsan_handle_out_of_bounds.cold+0x46/0x4b
>  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
>  tasklet_action_common+0xb5/0x1c0

It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
   info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
   #define IEEE80211_TX_MAX_RATES  4
is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the
array size, as mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.

Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Reported-by: Vincent Danjean <vdanjean@debian.org>
Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
Closes: https://bugs.debian.org/1119093
Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/ath5k/base.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw
 	}
 
 	info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
-	info->status.rates[ts->ts_final_idx + 1].idx = -1;
+	if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+		info->status.rates[ts->ts_final_idx + 1].idx = -1;
 
 	if (unlikely(ts->ts_status)) {
 		ah->stats.ack_fail++;
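Review bot: the write one line above, `info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;`, is still unguarded and relies on ts_final_idx itself being below IEEE80211_TX_MAX_RATES; the commit message says it can be 3 on 5212, but nothing in this hunk enforces that bound on a value that comes from hardware status. A WARN_ON_ONCE(ts->ts_final_idx >= IEEE80211_TX_MAX_RATES) with an early return before the write would make the invariant explicit. A short comment that the sentinel is intentionally omitted when all four slots are used (mac80211 stops at IEEE80211_TX_MAX_RATES anyway) would also help the next reader.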



* [PATCH 6.18 035/270] wifi: mac80211: remove station if connection prep fails
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Miriam Rachel Korenblit,
	Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 upstream.

If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.

Cc: stable@vger.kernel.org
Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/mlme.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -8926,7 +8926,7 @@ static int ieee80211_prep_connection(str
 	struct ieee80211_bss *bss = (void *)cbss->priv;
 	struct sta_info *new_sta = NULL;
 	struct ieee80211_link_data *link;
-	bool have_sta = false;
+	struct sta_info *have_sta = NULL;
 	bool mlo;
 	int err;
 	u16 new_links;
@@ -8945,11 +8945,8 @@ static int ieee80211_prep_connection(str
 		mlo = false;
 	}
 
-	if (assoc) {
-		rcu_read_lock();
+	if (assoc)
 		have_sta = sta_info_get(sdata, ap_mld_addr);
-		rcu_read_unlock();
-	}
 
 	if (mlo && !have_sta &&
 	    WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
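Review bot: dropping the rcu_read_lock()/rcu_read_unlock() pair means the sta_info pointer returned by sta_info_get() is now held across the remainder of ieee80211_prep_connection() without an RCU read-side section, so its lifetime has to be guaranteed by the wiphy lock instead; a lockdep_assert_wiphy() near the top of the function (not visible in this hunk) would document that requirement. The unchanged `if (mlo && !have_sta &&` test still works because the variable is now a pointer compared against NULL.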
@@ -9108,6 +9105,8 @@ static int ieee80211_prep_connection(str
 out_release_chan:
 	ieee80211_link_release_channel(link);
 out_err:
+	if (mlo && have_sta)
+		WARN_ON(__sta_info_destroy(have_sta));
 	ieee80211_vif_set_links(sdata, 0, 0);
 	return err;
 }
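Review bot: the new `WARN_ON(__sta_info_destroy(have_sta))` runs on every error path that reaches out_err, including failures that occur before any link or debugfs state for this station was touched, so it should be confirmed that destroying the pre-existing station is the right outcome on all of those paths and not only for the debugfs recreation case the commit message describes. __sta_info_destroy() also requires that nothing between sta_info_get() and this label has already removed the station; if any jump to out_err can follow such a removal, this becomes exactly the double free the patch is fixing.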



* [PATCH 6.18 036/270] wifi: b43: enforce bounds check on firmware key index in b43_rx()
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Michael Büsch,
	Tristan Madani, Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.

The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read.

Make the B43_WARN_ON check enforcing by dropping the frame when the
firmware returns an invalid key index.

Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Michael Büsch <m@bues.ch>
Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/b43/xmit.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
 		 * key index, but the ucode passed it slightly different.
 		 */
 		keyidx = b43_kidx_to_raw(dev, keyidx);
-		B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+		if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
+			goto drop;
 
 		if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
 			wlhdr_len = ieee80211_hdrlen(fctl);
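Review bot: the drop now depends on B43_WARN_ON() evaluating to its condition in non-debug builds; the commit message says the macro is non-enforcing in production, so if it expanded to a no-op there instead of returning the value, `if (B43_WARN_ON(...))` would never take the `goto drop` branch and the out-of-bounds read would survive. Confirm that the definition in b43.h returns the condition under both CONFIG_B43_DEBUG settings, and that the `drop:` label in b43_rx() frees the skb and accounts the frame (neither is visible in this hunk).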



* [PATCH 6.18 037/270] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Arend van Spriel,
	Johannes Berg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit c623b63580880cc742255eaed3d79804c1b91143 upstream.

The watchdog task might end between the send_sig() and kthread_stop() calls,
which results in a use-after-free. Fix this by increasing the watchdog task
reference count before calling send_sig() and dropping it by switching to
kthread_stop_put().

Cc: stable@vger.kernel.org
Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything")
Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -2476,8 +2476,9 @@ static void brcmf_sdio_bus_stop(struct d
 	brcmf_dbg(TRACE, "Enter\n");
 
 	if (bus->watchdog_tsk) {
+		get_task_struct(bus->watchdog_tsk);
 		send_sig(SIGTERM, bus->watchdog_tsk, 1);
-		kthread_stop(bus->watchdog_tsk);
+		kthread_stop_put(bus->watchdog_tsk);
 		bus->watchdog_tsk = NULL;
 	}
 
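Review bot: get_task_struct() only closes the race if bus->watchdog_tsk still points at a live task_struct when it is called, so the fix assumes the watchdog thread never exits and gets reaped on its own before brcmf_sdio_bus_stop() runs, i.e. it only leaves its loop in response to this SIGTERM/kthread_stop() sequence. If the thread can terminate for any other reason while bus->watchdog_tsk is still set, the reference should be taken once at creation time (right after kthread_run()) instead, which removes the window entirely.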
@@ -4567,8 +4568,9 @@ void brcmf_sdio_remove(struct brcmf_sdio
 	if (bus) {
 		/* Stop watchdog task */
 		if (bus->watchdog_tsk) {
+			get_task_struct(bus->watchdog_tsk);
 			send_sig(SIGTERM, bus->watchdog_tsk, 1);
-			kthread_stop(bus->watchdog_tsk);
+			kthread_stop_put(bus->watchdog_tsk);
 			bus->watchdog_tsk = NULL;
 		}
 
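Review bot: this is the same get_task_struct()/send_sig()/kthread_stop_put() sequence as in brcmf_sdio_bus_stop() above; a small helper (for example a static brcmf_sdio_stop_watchdog(bus) that also clears bus->watchdog_tsk) would keep the two call sites from drifting apart the next time the stop protocol changes.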



* [PATCH 6.18 038/270] usb: usblp: fix heap leak in IEEE 1284 device ID via short response
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pete Zaitcev, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.

usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred.  A broken
printer can complete the GET_DEVICE_ID control transfer short and the
driver has no way to know.

usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
from the response and trusts it (clamped only to the buffer bounds).
The buffer is kmalloc(1024) at probe time. A device that sends exactly
two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
device_id_string[2..1022] holding stale kmalloc heap.

That stale data is then exposed:
  - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
    at the first NUL in the stale heap), and
  - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
    claimed length regardless of NULs, up to 1021 bytes of uninitialized
    heap, with the leak size chosen by the device.

Fix this up by just zapping the buffer with zeros before each request
sent to the device.

Cc: Pete Zaitcev <zaitcev@redhat.com>
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usblp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1377,6 +1377,7 @@ static int usblp_cache_device_id_string(
 {
 	int err, length;
 
+	memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
 	err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
 	if (err < 0) {
 		dev_dbg(&usblp->intf->dev,
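Review bot: the memset() guarantees that, whatever the length prefix claims, bytes beyond a short response are zeros rather than stale heap, which closes the leak, but the driver still cannot tell that the transfer was short, so the ioctl can still return a device-chosen number of zero bytes. Because usblp_get_id() is called with USBLP_DEVICE_ID_SIZE - 1, the memset also guarantees a trailing NUL for the sysfs sprintf path; a comment stating both purposes would help future readers. Having usblp_ctrl_msg() propagate the transferred length would allow rejecting responses shorter than the 2-byte prefix outright.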



* [PATCH 6.18 039/270] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pete Zaitcev, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.

Just like in a previous problem in this driver, usblp_ctrl_msg() will
collapse the usb_control_msg() return value to 0/-errno, discarding the
actual number of bytes transferred.

Ideally that short command should be detected and error out, but many
printers are known to send "incorrect" responses back so we can't just
do that.

statusbuf is kmalloc(8) at probe time and never filled before the first
LPGETSTATUS ioctl.

usblp_read_status() requests 1 byte. If a malicious printer responds
with zero bytes, *statusbuf is one byte of stale kmalloc heap,
sign-extended into the local int status, which the LPGETSTATUS path then
copy_to_user()s directly to the ioctl caller.

Fix this all by just zapping out the memory buffer when allocated at
probe time.  If a later call does a short read, the data will be
identical to what the device sent it the last time, so there is no
"leak" of information happening.

Cc: Pete Zaitcev <zaitcev@redhat.com>
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usblp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1178,7 +1178,7 @@ static int usblp_probe(struct usb_interf
 	}
 
 	/* Allocate buffer for printer status */
-	usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+	usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
 	if (!usblp->statusbuf) {
 		retval = -ENOMEM;
 		goto abort;
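Review bot: kzalloc() fixes the first-ioctl leak of uninitialized heap, but since usblp_ctrl_msg() still collapses the transferred length (as the commit message notes), a short read on a later LPGETSTATUS silently returns the previous status byte as if it were fresh; that is accepted by design here, so a comment above the allocation explaining why a zeroed buffer is sufficient would stop a future reader from "optimising" it back to kmalloc().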



* [PATCH 6.18 040/270] ALSA: usb-audio: midi2: Restart output URBs on resume
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit f3c57c9c2a49a21d784b7c04a2c883bffc070659 upstream.

USB MIDI 2.0 suspend saves the endpoint running state, clears it and
kills all endpoint URBs. Resume restores the running state, but only
restarts input endpoints.

For a running output endpoint, this leaves the endpoint marked running
with an empty URB queue. Output transfer progress depends on either the
rawmidi trigger path starting the queue or an output completion refilling
it. After suspend there is no completion left, and output data that
remains queued in the raw UMP or legacy rawmidi buffer can stay stalled
until userspace happens to trigger the stream again.

Restore the saved state with atomic accessors, keep input endpoints
restarted as before, and restart output endpoints that were running before
suspend. Clear the saved suspend state after restoring it.

Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260504-usb-midi2-output-resume-v1-1-c089cc8ad3c6@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/midi2.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -227,7 +227,7 @@ static void kill_midi_urbs(struct snd_us
 	if (!ep)
 		return;
 	if (suspending)
-		ep->suspended = ep->running;
+		atomic_set(&ep->suspended, atomic_read(&ep->running));
 	atomic_set(&ep->running, 0);
 	for (i = 0; i < ep->num_urbs; i++) {
 		if (!ep->urbs[i].urb)
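Review bot: the old `ep->suspended = ep->running;` was a whole-struct copy of an atomic_t, which compiles but bypasses the accessors; switching to atomic_set()/atomic_read() is the right fix and also confirms that `suspended` is already atomic_t, which is consistent with the diffstat showing no struct change. A comment in the commit message that this hunk is an accessor cleanup with no behaviour change would save backporters from looking for a missing struct hunk.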
@@ -1190,10 +1190,11 @@ void snd_usb_midi_v2_suspend_all(struct
 
 static void resume_midi2_endpoint(struct snd_usb_midi2_endpoint *ep)
 {
-	ep->running = ep->suspended;
-	if (ep->direction == STR_IN)
+	atomic_set(&ep->running, atomic_read(&ep->suspended));
+	atomic_set(&ep->suspended, 0);
+
+	if (ep->direction == STR_IN || atomic_read(&ep->running))
 		submit_io_urbs(ep);
-	/* FIXME: does it all? */
 }
 
 void snd_usb_midi_v2_resume_all(struct snd_usb_audio *chip)
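Review bot: `if (ep->direction == STR_IN || atomic_read(&ep->running))` resubmits URBs for every input endpoint regardless of whether it was running before suspend, preserving the previous behaviour, while output endpoints are only restarted if they were running; a comment on why input is unconditional (input URBs must be queued to receive anything at all) would keep someone from later "simplifying" it to the running check alone. Clearing `suspended` after restoring it means a second resume without an intervening suspend is a no-op for output, which looks intended.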



* [PATCH 6.18 041/270] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd upstream.

convert_chmap_v3() has a loop whose increment is cs_desc->wLength, but we
forgot to validate cs_desc->wLength itself, which may lead to an endless
loop with a malformed descriptor.

Add a proper size check to abort the loop for plugging the hole.

Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/stream.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
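Review bot: a one-line comment that the new `cs_len < sizeof(*cs_desc)` check exists to guarantee forward progress, not only size validity, would stop the next person from merging the three checks into one; as written the ordering is correct: `len < sizeof(*cs_desc)` ensures the header is readable before wLength is dereferenced, the new check rejects a zero or too-small length so the loop increment is strictly positive and the loop must terminate, and `len < cs_len` bounds the segment body.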



* [PATCH 6.18 042/270] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 26265dd69da32d88a88d21987853cec899d9e21f upstream.

The UAC3 cluster descriptor length check in snd_usb_get_audioformat_uac3()
was added to make sure that the buffer is large enough for a struct
uac3_cluster_header_descriptor before the returned data is cast and used.

However, the check uses sizeof(cluster), where cluster is a pointer, not
the size of the descriptor header. This makes the validation depend on the
architecture pointer size and does not match the intended object size.

Check against sizeof(*cluster) instead.

Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/stream.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -999,7 +999,7 @@ snd_usb_get_audioformat_uac3(struct snd_
 	 * and request Cluster Descriptor
 	 */
 	wLength = le16_to_cpu(hc_header.wLength);
-	if (wLength < sizeof(cluster))
+	if (wLength < sizeof(*cluster))
 		return NULL;
 	cluster = kzalloc(wLength, GFP_KERNEL);
 	if (!cluster)
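Review bot: `sizeof(*cluster)` validates only that the header fits; any later access past the header (the segment descriptors inside the cluster) must still be checked against wLength separately, since wLength remains device-controlled. It is worth confirming that the parsing which follows the kzalloc() does so, given that the previous check was silently weaker than intended on every architecture and only the pointer size decided how much of the header it actually covered.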



* [PATCH 6.18 043/270] usb: typec: tcpm: reset internal port states on soft reset AMS
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amit Sunil Dhamne, stable,
	Badhri Jagan Sridharan, Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amit Sunil Dhamne <amitsd@google.com>

commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream.

Reset internal port states (such as vdm_sm_running and
explicit_contract) on soft reset AMS as the port needs to negotiate a
new contract. The consequences of leaving the states unchanged are as
follows:
  * port is in SRC power role and an explicit contract is negotiated
    with the port partner (in sink role)
  * port partner sends a Soft Reset AMS while VDM State Machine is
    running
  * port accepts the Soft Reset request and the port advertises src caps
  * port partner sends a Request message but since the explicit_contract
    and vdm_sm_running are true from previous negotiation, the port ends
    up sending Soft Reset instead of Accept msg.

Stub Log:
[  203.653942] AMS DISCOVER_IDENTITY start
[  203.653947] PD TX, header: 0x176f
[  203.655901] PD TX complete, status: 0
[  203.657470] PD RX, header: 0x124f [1]
[  203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
[  203.657482] AMS DISCOVER_IDENTITY finished
[  203.657484] cc:=4
[  204.155698] PD RX, header: 0x144f [1]
[  204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
[  204.155741] PD TX, header: 0x196f
[  204.157622] PD TX complete, status: 0
[  204.160060] PD RX, header: 0x4d [1]
[  204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
[  204.160076] PD TX, header: 0x163
[  204.162486] PD TX complete, status: 0
[  204.162832] AMS SOFT_RESET_AMS finished
[  204.162840] cc:=4
[  204.162891] AMS POWER_NEGOTIATION start
[  204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
[  204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
[  204.162913] PD TX, header: 0x1361
[  204.165529] PD TX complete, status: 0
[  204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
[  204.166996] PD RX, header: 0x1242 [1]
[  204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
[  204.167019] AMS POWER_NEGOTIATION finished
[  204.167020] cc:=4
[  204.167083] AMS SOFT_RESET_AMS start
[  204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
[  204.167092] PD TX, header: 0x16d
[  204.168824] PD TX complete, status: 0
[  204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
[  204.171876] PD RX, header: 0x43 [1]
[  204.171879] AMS SOFT_RESET_AMS finished

This causes COMMON.PROC.PD.11.2 check failure for
TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.

Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -5728,6 +5728,8 @@ static void run_state_machine(struct tcp
 
 	case VCONN_SWAP_ACCEPT:
 		tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);
+		port->vdm_sm_running = false;
+		port->explicit_contract = false;
 		tcpm_ams_finish(port);
 		tcpm_set_state(port, VCONN_SWAP_START, 0);
 		break;
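Review bot: this hunk lands inside `case VCONN_SWAP_ACCEPT:`, but the commit message describes clearing vdm_sm_running and explicit_contract on the Soft Reset AMS; clearing explicit_contract while accepting a VCONN swap would discard the negotiated contract state for an unrelated AMS. The surrounding context, `tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);` followed by `tcpm_ams_finish(port);`, also appears in the SOFT_RESET state handler, so this looks like the backport was fuzz-matched to the wrong case; please verify against the upstream commit that the two assignments belong in the SOFT_RESET case before this is applied to 6.18.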



* [PATCH 6.18 044/270] USB: omap_udc: DMA: Dont enable burst 4 mode
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Aaro Koskinen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream.

Commit 65111084c63d7 ("USB: more omap_udc updates (dma and omap1710)")
added a setting for DMA burst 4 mode, but I think this should be undone
for two reasons:

- It breaks DMA on 15xx boards - transfers just silently stall.

- On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable
performance impact when testing TCP throughput with g_ether with large
15000 byte MTU size.

It's also worth noting that when the original change was made, the
OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and
actually resulted in the same as OMAP_DMA_DATA_BURST_DIS, i.e. burst
disabled. This was not fixed until a couple of kernel releases later in an
unrelated commit 1a8bfa1eb998a ("[ARM] 3142/1: OMAP 2/5: Update files
common to omap1 and omap2").

So based on this it seems there was never really a very good reason to
enable this burst mode in omap_udc, so remove it now to allow 15xx DMA
to work again (it provides 2x throughput compared to PIO mode).

Fixes: 65111084c63d ("[PATCH] USB: more omap_udc updates (dma and omap1710)")
Cc: stable <stable@kernel.org>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/omap_udc.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/usb/gadget/udc/omap_udc.c
+++ b/drivers/usb/gadget/udc/omap_udc.c
@@ -733,8 +733,6 @@ static void dma_channel_claim(struct oma
 		if (status == 0) {
 			omap_writew(reg, UDC_TXDMA_CFG);
 			/* EMIFF or SDRC */
-			omap_set_dma_src_burst_mode(ep->lch,
-						OMAP_DMA_DATA_BURST_4);
 			omap_set_dma_src_data_pack(ep->lch, 1);
 			/* TIPB */
 			omap_set_dma_dest_params(ep->lch,
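Review bot: with omap_set_dma_src_burst_mode() removed, the "/* EMIFF or SDRC */" comment now sits above only the omap_set_dma_src_data_pack(ep->lch, 1) call and no longer says which setting it describes; consider amending it to state that source burst mode is deliberately left at the DMA layer's default because burst-4 stalls transfers on 15xx, so the next reader does not re-add the call.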
@@ -756,8 +754,6 @@ static void dma_channel_claim(struct oma
 				UDC_DATA_DMA,
 				0, 0);
 			/* EMIFF or SDRC */
-			omap_set_dma_dest_burst_mode(ep->lch,
-						OMAP_DMA_DATA_BURST_4);
 			omap_set_dma_dest_data_pack(ep->lch, 1);
 		}
 	}
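Review bot: same point for the RX (dest) path: the burst setting is dropped while omap_set_dma_dest_data_pack(ep->lch, 1) stays, and the "/* EMIFF or SDRC */" comment above it is now orphaned in the same way; a one-line note that burst mode is intentionally not set keeps the TX and RX paths symmetric and self-explaining. Since this removes the only other per-channel DMA tuning, it would also help to say in the commit message that data packing alone is what gives the quoted 2x-over-PIO throughput on 15xx.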



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 045/270] USB: serial: option: add Telit Cinterion LE910Cx compositions
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 044/270] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 046/270] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Porcedda <fabio.porcedda@gmail.com>

commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream.

Add the following Telit Cinterion LE910Cx compositions:

0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1251 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1253 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

0x1254: tty (AT) + tty (AT)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1254 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1255 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1513,7 +1513,11 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff),	/* Telit LE910Cx (RNDIS) */
 	  .driver_info = NCTRL(2) | RSVD(3) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) },	/* Telit LE910Cx (rmnet) */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1251, 0xff) },	/* Telit LE910Cx (RNDIS) */
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) },	/* Telit LE910Cx (MBIM) */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1253, 0xff) },	/* Telit LE910Cx (ECM) */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1254, 0xff) },	/* Telit LE910Cx */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1255, 0xff) },	/* Telit LE910Cx */
 	{ USB_DEVICE(TELIT_VENDOR_ID, 0x1260),
 	  .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, 0x1261),
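Review bot: the comments on the 0x1254 and 0x1255 entries give no composition while 0x1251 and 0x1253 say "(RNDIS)" and "(ECM)" and the neighbouring 0x1250 says "(rmnet)"; consider "/* Telit LE910Cx (2 x tty) */" and "/* Telit LE910Cx (4 x tty) */" so the table matches the listings in the commit message. Note also that, unlike the 0x1231 RNDIS entry with NCTRL(2) | RSVD(3), the four new entries carry no driver_info; that is consistent with the listings (every vendor-class interface is a usable tty), but stating so in the commit message would save the next reviewer the cross-check.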



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 046/270] usb: ulpi: fix memory leak on ulpi_register() error paths
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 045/270] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 047/270] usb: typec: tcpm: fix debug accessory mode detection for sink ports Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Felix Gu, Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream.

Commit 01af542392b5 ("usb: ulpi: fix double free in
ulpi_register_interface() error path") removed kfree(ulpi) from
ulpi_register_interface() to fix a double-free when device_register()
fails.

But when ulpi_of_register() or ulpi_read_id() fail before
device_register() is called, the ulpi allocation is leaked.

Add kfree(ulpi) on both error paths to properly clean up the allocation.

Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path")
Cc: stable <stable@kernel.org>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/common/ulpi.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/common/ulpi.c
+++ b/drivers/usb/common/ulpi.c
@@ -286,12 +286,15 @@ static int ulpi_register(struct device *
 	ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
 
 	ret = ulpi_of_register(ulpi);
-	if (ret)
+	if (ret) {
+		kfree(ulpi);
 		return ret;
+	}
 
 	ret = ulpi_read_id(ulpi);
 	if (ret) {
 		of_node_put(ulpi->dev.of_node);
+		kfree(ulpi);
 		return ret;
 	}
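Review bot: the two error paths now duplicate the unwind, and the of_node_put() + kfree() pair on the ulpi_read_id() failure is exactly what a goto err_put_node: / err_free: ladder would express; converting to that form would stop a future error path added between these calls from forgetting one of the two. The kfree() is correct here only because device_register() has not yet been called at this point (which is what the earlier double-free fix relied on); a short comment saying so would prevent someone from "fixing" it back.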
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 047/270] usb: typec: tcpm: fix debug accessory mode detection for sink ports
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 046/270] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 048/270] ALSA: hda: cs35l56: Propagate ASP TX source control errors Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Heikki Krogerus,
	Amit Sunil Dhamne

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit f6ec9bb4acc7182b25a793ad094a764e1cb819a7 upstream.

The port in debug accessory mode can be either a source or sink. The
previous tcpm_port_is_debug() function only checked for source port.

Commit 8db73e6a42b6 ("usb: typec: tcpm: allow sink (ufp) to toggle into
accessory mode debug") changed the detection logic to support both roles,
but left some logic in _tcpm_cc_change() unchanged. This causes the state
machine to transition to an incorrect state when operating as a sink in
debug accessory mode. Log as below:

[  978.637541] CC1: 0 -> 5, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
[  978.637567] state change TOGGLING -> SRC_ATTACH_WAIT [rev1 NONE_AMS]
[  978.637596] pending state change SRC_ATTACH_WAIT -> DEBUG_ACC_ATTACHED @ 180 ms [rev1 NONE_AMS]
[  978.647098] CC1: 5 -> 0, CC2: 5 -> 5 [state SRC_ATTACH_WAIT, polarity 0, connected]
[  978.647115] state change SRC_ATTACH_WAIT -> SRC_ATTACH_WAIT [rev1 NONE_AMS]

It should go to SNK_ATTACH_WAIT instead of SRC_ATTACH_WAIT state.

To fix this, add tcpm_port_is_debug_source() and tcpm_port_is_debug_sink()
helper to explicitly identify the power mode in debug accessory mode.
Update the state transition logic in _tcpm_cc_change() to ensure the state
machine transitions comply with Type-C specification. Also update the logic
in run_state_machine() to keep consistency.

Fixes: 8db73e6a42b6 ("usb: typec: tcpm: allow sink (ufp) to toggle into accessory mode debug")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Amit Sunil Dhamne <amitsd@google.com>
Link: https://patch.msgid.link/20260424074009.2979266-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -634,9 +634,14 @@ static const char * const pd_rev[] = {
 	 (tcpm_cc_is_source((port)->cc2) && \
 	  !tcpm_cc_is_source((port)->cc1)))
 
+#define tcpm_port_is_debug_source(port) \
+	(tcpm_cc_is_source((port)->cc1) && tcpm_cc_is_source((port)->cc2))
+
+#define tcpm_port_is_debug_sink(port) \
+	(tcpm_cc_is_sink((port)->cc1) && tcpm_cc_is_sink((port)->cc2))
+
 #define tcpm_port_is_debug(port) \
-	((tcpm_cc_is_source((port)->cc1) && tcpm_cc_is_source((port)->cc2)) || \
-	 (tcpm_cc_is_sink((port)->cc1) && tcpm_cc_is_sink((port)->cc2)))
+	(tcpm_port_is_debug_source(port) || tcpm_port_is_debug_sink(port))
 
 #define tcpm_port_is_audio(port) \
 	(tcpm_cc_is_audio((port)->cc1) && tcpm_cc_is_audio((port)->cc2))
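Review bot: "debug source" and "debug sink" in the new macro names are easy to misread as the accessory's role rather than the port's; since their only use below is to pick SRC_ATTACH_WAIT versus SNK_ATTACH_WAIT, a comment on the two definitions saying they name the role this port will take in debug accessory mode would make the call sites unambiguous.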
@@ -4799,7 +4804,7 @@ static void run_state_machine(struct tcp
 			tcpm_set_state(port, SNK_UNATTACHED, PD_T_DRP_SNK);
 		break;
 	case SRC_ATTACH_WAIT:
-		if (tcpm_port_is_debug(port))
+		if (tcpm_port_is_debug_source(port))
 			tcpm_set_state(port, DEBUG_ACC_ATTACHED,
 				       port->timings.cc_debounce_time);
 		else if (tcpm_port_is_audio(port))
@@ -5057,7 +5062,7 @@ static void run_state_machine(struct tcp
 			tcpm_set_state(port, SRC_UNATTACHED, PD_T_DRP_SRC);
 		break;
 	case SNK_ATTACH_WAIT:
-		if (tcpm_port_is_debug(port))
+		if (tcpm_port_is_debug_sink(port))
 			tcpm_set_state(port, DEBUG_ACC_ATTACHED,
 				       PD_T_CC_DEBOUNCE);
 		else if (tcpm_port_is_audio(port))
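Review bot: the SNK_ATTACH_WAIT branch debounces with the PD_T_CC_DEBOUNCE constant while the SRC_ATTACH_WAIT hunk above uses port->timings.cc_debounce_time; that asymmetry predates this patch, but since both lines are being touched this is a natural moment to make the sink side use the per-port timing too, or to note why it must not.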
@@ -5077,7 +5082,7 @@ static void run_state_machine(struct tcp
 		if (tcpm_port_is_disconnected(port))
 			tcpm_set_state(port, SNK_UNATTACHED,
 				       PD_T_PD_DEBOUNCE);
-		else if (tcpm_port_is_debug(port))
+		else if (tcpm_port_is_debug_sink(port))
 			tcpm_set_state(port, DEBUG_ACC_ATTACHED,
 				       PD_T_CC_DEBOUNCE);
 		else if (tcpm_port_is_audio(port))
@@ -5950,10 +5955,10 @@ static void _tcpm_cc_change(struct tcpm_
 
 	switch (port->state) {
 	case TOGGLING:
-		if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) ||
+		if (tcpm_port_is_debug_source(port) || tcpm_port_is_audio(port) ||
 		    tcpm_port_is_source(port))
 			tcpm_set_state(port, SRC_ATTACH_WAIT, 0);
-		else if (tcpm_port_is_sink(port))
+		else if (tcpm_port_is_debug_sink(port) || tcpm_port_is_sink(port))
 			tcpm_set_state(port, SNK_ATTACH_WAIT, 0);
 		break;
 	case CHECK_CONTAMINANT:
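Review bot: the explicit tcpm_port_is_debug_sink() in the else-if is needed, not redundant: by analogy with the tcpm_port_is_source() definition visible at the top of this diff, which requires exactly one CC line to read as source, tcpm_port_is_sink() will not match the both-CC case. A one-line comment here would stop a later cleanup from simplifying it away. Since debug-source and debug-sink cannot both be true at once, the branch order itself is fine.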
@@ -5961,9 +5966,11 @@ static void _tcpm_cc_change(struct tcpm_
 		break;
 	case SRC_UNATTACHED:
 	case ACC_UNATTACHED:
-		if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) ||
+		if (tcpm_port_is_debug_source(port) || tcpm_port_is_audio(port) ||
 		    tcpm_port_is_source(port))
 			tcpm_set_state(port, SRC_ATTACH_WAIT, 0);
+		else if (tcpm_port_is_debug_sink(port))
+			tcpm_set_state(port, SNK_ATTACH_WAIT, 0);
 		break;
 	case SRC_ATTACH_WAIT:
 		if (tcpm_port_is_disconnected(port) ||
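Review bot: the new else-if lets a port in SRC_UNATTACHED or ACC_UNATTACHED move to SNK_ATTACH_WAIT when both CC lines look like a sink attachment; it is worth confirming that this cannot fire for a source-only port (which should never enter the sink state machine) or, if it can, guarding it with the port's type/role check as the other sink-side transitions do.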
@@ -5985,7 +5992,7 @@ static void _tcpm_cc_change(struct tcpm_
 		}
 		break;
 	case SNK_UNATTACHED:
-		if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) ||
+		if (tcpm_port_is_debug_sink(port) || tcpm_port_is_audio(port) ||
 		    tcpm_port_is_sink(port))
 			tcpm_set_state(port, SNK_ATTACH_WAIT, 0);
 		break;



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 048/270] ALSA: hda: cs35l56: Propagate ASP TX source control errors
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 047/270] usb: typec: tcpm: fix debug accessory mode detection for sink ports Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 049/270] ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel,
	Richard Fitzgerald, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 0faacc0841d66f3cf51989c10a83f3a82d52ff2c upstream.

cs35l56_hda_mixer_get() ignores regmap_read() and
cs35l56_hda_mixer_put() ignores regmap_update_bits_check().

This makes the ASP TX source controls report success when a regmap
access fails. The write path returns no change instead of an error,
and the read path continues after a failed read instead of aborting
the control callback.

Propagate the regmap errors, matching the posture and volume controls
in this driver.

Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260423-alsa-cs35l56-asp-tx-source-errors-v1-1-17ea7c62ec31@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/hda/codecs/side-codecs/cs35l56_hda.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

--- a/sound/hda/codecs/side-codecs/cs35l56_hda.c
+++ b/sound/hda/codecs/side-codecs/cs35l56_hda.c
@@ -180,11 +180,15 @@ static int cs35l56_hda_mixer_get(struct
 {
 	struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
 	unsigned int reg_val;
-	int i;
+	int i, ret;
 
 	cs35l56_hda_wait_dsp_ready(cs35l56);
 
-	regmap_read(cs35l56->base.regmap, kcontrol->private_value, &reg_val);
+	ret = regmap_read(cs35l56->base.regmap, kcontrol->private_value,
+			  &reg_val);
+	if (ret)
+		return ret;
+
 	reg_val &= CS35L56_ASP_TXn_SRC_MASK;
 
 	for (i = 0; i < CS35L56_NUM_INPUT_SRC; ++i) {
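Review bot: regmap_read() is now checked, but cs35l56_hda_wait_dsp_ready() two lines above is still called without looking at its result; if that helper can fail (the name suggests a timeout), the read that follows targets a DSP that is not ready and deserves the same error propagation. If it is void, ignore this.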
@@ -203,15 +207,20 @@ static int cs35l56_hda_mixer_put(struct
 	struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
 	unsigned int item = ucontrol->value.enumerated.item[0];
 	bool changed;
+	int ret;
 
 	if (item >= CS35L56_NUM_INPUT_SRC)
 		return -EINVAL;
 
 	cs35l56_hda_wait_dsp_ready(cs35l56);
 
-	regmap_update_bits_check(cs35l56->base.regmap, kcontrol->private_value,
-				 CS35L56_INPUT_MASK, cs35l56_tx_input_values[item],
-				 &changed);
+	ret = regmap_update_bits_check(cs35l56->base.regmap,
+				       kcontrol->private_value,
+				       CS35L56_INPUT_MASK,
+				       cs35l56_tx_input_values[item],
+				       &changed);
+	if (ret)
+		return ret;
 
 	return changed;
 }
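Review bot: same point for the put path: cs35l56_hda_mixer_put() still ignores cs35l56_hda_wait_dsp_ready() before the regmap_update_bits_check(). Also, `return changed;` passes a bool through an int return, which is the 1/0 ALSA expects for changed/unchanged; `return changed ? 1 : 0;` or a brief comment would make it obvious that the positive value is intentional and not an error code.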



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 049/270] ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 048/270] ALSA: hda: cs35l56: Propagate ASP TX source control errors Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 050/270] ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15 Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Jaeyoung Chung

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 upstream.

Currently the runtime.oss.trigger field may be accessed concurrently
without protection, which may lead to a data race.  And, in this
case, it may lead to a more severe problem because it's a bit field; when
writing the data, it may overwrite other bit fields as well, which
confuses the operation completely, as spotted by fuzzing.

Fix it by also covering the runtime.oss.trigger bit field with the existing
params_lock mutex in both snd_pcm_oss_get_trigger() and
snd_pcm_oss_poll().

Reported-and-tested-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/oss/pcm_oss.c |   29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -2146,10 +2146,16 @@ static int snd_pcm_oss_get_trigger(struc
 
 	psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
 	csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
-	if (psubstream && psubstream->runtime && psubstream->runtime->oss.trigger)
-		result |= PCM_ENABLE_OUTPUT;
-	if (csubstream && csubstream->runtime && csubstream->runtime->oss.trigger)
-		result |= PCM_ENABLE_INPUT;
+	if (psubstream && psubstream->runtime) {
+		guard(mutex)(&psubstream->runtime->oss.params_lock);
+		if (psubstream->runtime->oss.trigger)
+			result |= PCM_ENABLE_OUTPUT;
+	}
+	if (csubstream && csubstream->runtime) {
+		guard(mutex)(&csubstream->runtime->oss.params_lock);
+		if (csubstream->runtime->oss.trigger)
+			result |= PCM_ENABLE_INPUT;
+	}
 	return result;
 }
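Review bot: the two guard(mutex) blocks are correctly scoped so each params_lock is dropped before the next is taken, which avoids any lock-order question between the playback and capture runtimes; a comment that the separate blocks are deliberate would stop a later cleanup from merging them into one scope and holding both mutexes at once.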
 
@@ -2823,6 +2829,17 @@ static int snd_pcm_oss_capture_ready(str
 						runtime->oss.period_frames;
 }
 
+static bool need_input_retrigger(struct snd_pcm_runtime *runtime)
+{
+	bool ret;
+
+	guard(mutex)(&runtime->oss.params_lock);
+	ret = runtime->oss.trigger;
+	if (ret)
+		runtime->oss.trigger = 0;
+	return ret;
+}
+
 static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait)
 {
 	struct snd_pcm_oss_file *pcm_oss_file;
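Review bot: need_input_retrigger() is a test-and-clear, not a query: it zeroes runtime->oss.trigger as a side effect, which the name hides. Something like oss_test_and_clear_trigger() would be more honest, and a short comment should say that the caller is expected to re-trigger input afterwards.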
@@ -2855,11 +2872,11 @@ static __poll_t snd_pcm_oss_poll(struct
 			    snd_pcm_oss_capture_ready(csubstream))
 				mask |= EPOLLIN | EPOLLRDNORM;
 		}
-		if (ostate != SNDRV_PCM_STATE_RUNNING && runtime->oss.trigger) {
+		if (ostate != SNDRV_PCM_STATE_RUNNING &&
+		    need_input_retrigger(runtime)) {
 			struct snd_pcm_oss_file ofile;
 			memset(&ofile, 0, sizeof(ofile));
 			ofile.streams[SNDRV_PCM_STREAM_CAPTURE] = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
-			runtime->oss.trigger = 0;
 			snd_pcm_oss_set_trigger(&ofile, PCM_ENABLE_INPUT);
 		}
 	}
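Review bot: the trigger bit is cleared under params_lock inside need_input_retrigger(), but snd_pcm_oss_set_trigger() runs after that lock is released, so a concurrent snd_pcm_oss_get_trigger() can observe the bit clear before input is re-enabled; the old code had the same window with no lock at all, so if that transient is acceptable a comment at the call site saying so would save the next reader from re-deriving it.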



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 050/270] ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 049/270] ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 051/270] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuriy Padlyak, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuriy Padlyak <yuriypadlyak@gmail.com>

commit 92a8b5e2eff6920bf815cd6a80b088ec3fdf01a3 upstream.

The Xiaomi Mi Laptop Pro 15 (TM1905, subsystem 1d72:1905) ships with the
Realtek ALC256 codec on Intel Comet Lake PCH-LP. After S3 resume the
codec sets coefficient register 0x10 to 0x0220 instead of 0x0020 — bit 9
is erroneously set, which silences the internal speaker. Bluetooth and
HDMI audio are unaffected because they use different paths.

This is the same mechanism fixed for Clevo NJ51CU by commit edca7cc4b0ac
("ALSA: hda/realtek: Fix quirk for Clevo NJ51CU"), but the existing
ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME also reconfigures pin 0x19 as a
front mic, which is wrong for this Xiaomi where pin 0x19 default is
0x411111f0 (disabled). Add a minimal fixup that only clears the stuck
coef bit, and add the Xiaomi SSID to the quirk table.

Verified by reading coef 0x10 with hda-verb after resume (returns
0x0220), writing 0x0020, and confirming the internal speaker resumes
output. With this fixup applied the bit is cleared on every codec init,
including post-resume.

Signed-off-by: Yuriy Padlyak <yuriypadlyak@gmail.com>
Cc: <stable@vger.kernel.org>
Tested-by: Yuriy Padlyak <yuriypadlyak@gmail.com>
Link: https://patch.msgid.link/20260429220903.14918-1-yuriypadlyak@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/hda/codecs/realtek/alc269.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -3338,6 +3338,19 @@ static void alc256_fixup_mic_no_presence
 	}
 }
 
+static void alc256_fixup_xiaomi_pro15_resume(struct hda_codec *codec,
+					     const struct hda_fixup *fix,
+					     int action)
+{
+	/*
+	 * On the Xiaomi Mi Laptop Pro 15 (TM1905, SSID 1d72:1905) the ALC256
+	 * codec sets coefficient 0x10 bit 9 to 1 after S3 resume, silencing
+	 * the internal speaker. Bluetooth and HDMI audio are unaffected.
+	 * Clear the bit so the speaker keeps working across suspend cycles.
+	 */
+	alc_update_coef_idx(codec, 0x10, 1<<9, 0);
+}
+
 static void alc256_decrease_headphone_amp_val(struct hda_codec *codec,
 					      const struct hda_fixup *fix, int action)
 {
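Review bot: alc256_fixup_xiaomi_pro15_resume() ignores `action`, so alc_update_coef_idx() runs for every fixup action (pre-probe, probe, init, and so on), whereas most fixups in this file gate hardware writes on `action == HDA_FIXUP_ACT_INIT`; the commit message only needs the bit cleared on every codec init, including post-resume, so consider adding that guard, or a comment stating that the write is harmless at the other actions.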
@@ -3925,6 +3938,7 @@ enum {
 	ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
 	ALC233_FIXUP_NO_AUDIO_JACK,
 	ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME,
+	ALC256_FIXUP_XIAOMI_PRO15_RESUME,
 	ALC285_FIXUP_LEGION_Y9000X_SPEAKERS,
 	ALC285_FIXUP_LEGION_Y9000X_AUTOMUTE,
 	ALC287_FIXUP_LEGION_16ACHG6,
@@ -6099,6 +6113,10 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
 	},
+	[ALC256_FIXUP_XIAOMI_PRO15_RESUME] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = alc256_fixup_xiaomi_pro15_resume,
+	},
 	[ALC287_FIXUP_LEGION_16ACHG6] = {
 		.type = HDA_FIXUP_FUNC,
 		.v.func = alc287_fixup_legion_16achg6_speakers,
@@ -7538,6 +7556,7 @@ static const struct hda_quirk alc269_fix
 	SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1d72, 0x1905, "Xiaomi Mi Laptop Pro 15", ALC256_FIXUP_XIAOMI_PRO15_RESUME),
 	SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1e39, 0xca14, "MEDION NM14LNL", ALC233_FIXUP_MEDION_MTL_SPK),



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 051/270] ALSA: firewire-tascam: Do not drop unread control events
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 050/270] ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15 Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 052/270] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Takashi Sakamoto,
	Cássio Gabriel, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream.

tscm_hwdep_read_queue() copies as many queued control events as fit in
the userspace buffer. When the buffer is smaller than the current
contiguous queue segment, length is rounded down to the number of bytes
that can be copied.

However, after copying that shortened length, the code advances pull_pos
to the original tail_pos, marking the whole contiguous segment as
consumed. Any events between the copied portion and tail_pos are lost.

Limit tail_pos to the position after the entries actually copied before
updating pull_pos. When the whole segment fits, this is equivalent to the
old tail_pos update; when the buffer is smaller, the remaining events
stay queued for the next read.

Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications")
Cc: stable@vger.kernel.org
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/firewire/tascam/tascam-hwdep.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/firewire/tascam/tascam-hwdep.c
+++ b/sound/firewire/tascam/tascam-hwdep.c
@@ -73,6 +73,7 @@ static long tscm_hwdep_read_queue(struct
 			length = rounddown(remained, sizeof(*entries));
 		if (length == 0)
 			break;
+		tail_pos = head_pos + length / sizeof(*entries);
 
 		spin_unlock_irq(&tscm->lock);
 		if (copy_to_user(pos, &entries[head_pos], length))
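Review bot: tail_pos is recomputed from head_pos and the number of entries that actually fit, and it is done while tscm->lock is still held, which is the right place; a one-line comment that tail_pos is deliberately shortened so the later pull_pos update consumes only what was copied would stop a future reader from "restoring" the original value. Since the lock is dropped around copy_to_user() and the pull_pos update comes after it, it is also worth confirming that the update uses this shortened tail_pos and not something recomputed after re-acquiring the lock.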



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 052/270] ALSA: core: Serialize deferred fasync state checks
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 051/270] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 053/270] ALSA: seq: Fix UMP group 16 filtering Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 5337213381df578058e2e41da93cbd0e4639935f upstream.

snd_fasync_helper() updates fasync->on under snd_fasync_lock, and
snd_fasync_work_fn() now also evaluates fasync->on under the same
lock. snd_kill_fasync() still tests the flag before taking the lock,
leaving an unsynchronized read against FASYNC enable/disable updates.

Move the enabled-state check into the locked section.

Also clear fasync->on under snd_fasync_lock in snd_fasync_free()
before unlinking the pending entry. Together with the locked sender-side
check, this publishes teardown before flushing the deferred work and
prevents a racing sender from requeueing the entry after free has
started.

Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Fixes: 8146cd333d23 ("ALSA: core: Fix potential data race at fasync handling")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/misc.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -148,9 +148,11 @@ EXPORT_SYMBOL_GPL(snd_fasync_helper);
 
 void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
 {
-	if (!fasync || !fasync->on)
+	if (!fasync)
 		return;
 	guard(spinlock_irqsave)(&snd_fasync_lock);
+	if (!fasync->on)
+		return;
 	fasync->signal = signal;
 	fasync->poll = poll;
 	list_move(&fasync->list, &snd_fasync_list);
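Review bot: the locked `if (!fasync->on) return;` is the right place for the check, but the reason is not visible from the code alone: fasync->on is written by snd_fasync_helper() under snd_fasync_lock and now also cleared by snd_fasync_free(), so the old read before the guard was unsynchronised. A one-line comment above the check ("on is only stable under snd_fasync_lock") would stop someone hoisting it back out as an optimisation. The remaining unlocked `if (!fasync)` test is fine since the pointer itself belongs to the caller.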
@@ -163,8 +165,10 @@ void snd_fasync_free(struct snd_fasync *
 	if (!fasync)
 		return;
 
-	scoped_guard(spinlock_irq, &snd_fasync_lock)
+	scoped_guard(spinlock_irq, &snd_fasync_lock) {
+		fasync->on = 0;
 		list_del_init(&fasync->list);
+	}
 
 	flush_work(&snd_fasync_work);
 	kfree(fasync);
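Review bot: the fix depends on `fasync->on = 0;` and `list_del_init(&fasync->list);` staying inside one critical section. If a later refactor ever split them into two lock sections, a concurrent snd_kill_fasync() that passed its locked check in between could list_move() the entry back onto snd_fasync_list and the kfree() below would leave a dangling node for snd_fasync_work_fn(). The code is correct as written; a short comment saying the flag is cleared under the lock so the sender-side check observes teardown before flush_work() runs would document the invariant the commit message describes.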




* [PATCH 6.18 053/270] ALSA: seq: Fix UMP group 16 filtering
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 052/270] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 054/270] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 92429ca999db99febced82f23362a71b2ba4c1d8 upstream.

The sequencer UAPI defines group_filter as an unsigned int bitmap.
Bit 0 filters groupless messages and bits 1-16 filter UMP groups 1-16.

The internal snd_seq_client storage is only unsigned short, so bit 16
is truncated when userspace sets the filter. The same truncation affects
the automatic UMP client filter used to avoid delivery to inactive
groups, so events for group 16 cannot be filtered.

Store the internal bitmap as unsigned int and keep both userspace-provided
and automatically generated values limited to the defined UAPI bits.

Fixes: d2b706077792 ("ALSA: seq: Add UMP group filter")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260506-alsa-seq-ump-group16-filter-v1-1-b75160bf6993@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/seq_clientmgr.c  |    2 +-
 sound/core/seq/seq_clientmgr.h  |    5 ++++-
 sound/core/seq/seq_ump_client.c |    2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1252,7 +1252,7 @@ static int snd_seq_ioctl_set_client_info
 	if (client->user_pversion >= SNDRV_PROTOCOL_VERSION(1, 0, 3))
 		client->midi_version = client_info->midi_version;
 	memcpy(client->event_filter, client_info->event_filter, 32);
-	client->group_filter = client_info->group_filter;
+	client->group_filter = client_info->group_filter & SND_SEQ_GROUP_FILTER_MASK;
 
 	/* notify the change */
 	snd_seq_system_client_ev_client_change(client->number);
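Review bot: masking with SND_SEQ_GROUP_FILTER_MASK silently discards any bits userspace sets above bit 16 rather than rejecting them. That matches the previous behaviour (the unsigned short store also dropped them), but if those bits are reserved in the UAPI an -EINVAL would surface misuse earlier; if silent masking is intended, a comment here should say so. Also confirm that the path which reports group_filter back to userspace copies the widened field, so bit 16 survives a set/get round trip.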
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -14,6 +14,9 @@
 
 /* client manager */
 
+#define SND_SEQ_GROUP_FILTER_MASK	GENMASK(SNDRV_UMP_MAX_GROUPS, 0)
+#define SND_SEQ_GROUP_FILTER_GROUPS	GENMASK(SNDRV_UMP_MAX_GROUPS, 1)
+
 struct snd_seq_user_client {
 	struct file *file;	/* file struct of client */
 	/* ... */
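Review bot: GENMASK(SNDRV_UMP_MAX_GROUPS, 0) yields bits 0..16 (17 bits) and GENMASK(SNDRV_UMP_MAX_GROUPS, 1) yields bits 1..16, matching the UAPI layout in the commit message, but both macros depend on <linux/bits.h> and on SNDRV_UMP_MAX_GROUPS being visible in this header; please confirm the includes rather than relying on transitive ones. A one-line comment per macro ("bit 0 = groupless, bits 1..16 = UMP groups 1..16") would also help, since the _GROUPS name reads like a count rather than a bitmask of every group.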
@@ -40,7 +43,7 @@ struct snd_seq_client {
 	int number;		/* client number */
 	unsigned int filter;	/* filter flags */
 	DECLARE_BITMAP(event_filter, 256);
-	unsigned short group_filter;
+	unsigned int group_filter;
 	snd_use_lock_t use_lock;
 	int event_lost;
 	/* ports */
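Review bot: widening group_filter to unsigned int fixes the truncation at this field, but any other temporary that carries the value should be checked for the same width, in particular the local `filter` in setup_client_group_filter() (declared outside the hunk in seq_ump_client.c) and whatever copies the field into the client_info structure on the get path; otherwise bit 16 can still be lost end to end.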
--- a/sound/core/seq/seq_ump_client.c
+++ b/sound/core/seq/seq_ump_client.c
@@ -369,7 +369,7 @@ static void setup_client_group_filter(st
 	cptr = snd_seq_kernel_client_get(client->seq_client);
 	if (!cptr)
 		return;
-	filter = ~(1U << 0); /* always allow groupless messages */
+	filter = SND_SEQ_GROUP_FILTER_GROUPS; /* always allow groupless messages */
 	for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) {
 		if (client->ump->groups[p].active)
 			filter &= ~(1U << (p + 1));
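Review bot: the inline comment `/* always allow groupless messages */` is now misleading: SND_SEQ_GROUP_FILTER_GROUPS sets bits 1..16 (filter every group), and it is bit 0 being clear that allows groupless messages. Reword to something like "filter all groups by default; bit 0 (groupless) stays clear". For the record, the old `~(1U << 0)` also set bits 17..31, which the unsigned short store discarded; the new value never sets them, so the masked result is identical.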




* [PATCH 6.18 054/270] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 053/270] ALSA: seq: Fix UMP group 16 filtering Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 055/270] x86/efi: Restore IRQ state in EFI page fault handler Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Venkat Rao Bagalkote,
	Ritesh Harjani (IBM), Mahesh Salgaonkar, Aboorva Devarajan,
	Sourabh Jain, Madhavan Srinivasan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sourabh Jain <sourabhjain@linux.ibm.com>

commit b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 upstream.

KASAN instrumentation is intended to be disabled for the kexec core
code, but the existing Makefile entry misses the object suffix. As a
result, the flag is not applied correctly to core_$(BITS).o.

So when KASAN is enabled, kexec_copy_flush and copy_segments in
kexec/core_64.c are instrumented, which can result in accesses to
shadow memory via normal address translation paths. Since these run
with the MMU disabled, such accesses may trigger page faults
(bad_page_fault) that cannot be handled in the kdump path, ultimately
causing a hang and preventing the kdump kernel from booting. The same
is true for kexec as well, since the same functions are used there.

Update the entry to include the “.o” suffix so that KASAN
instrumentation is properly disabled for this object file.

Fixes: 2ab2d5794f14 ("powerpc/kasan: Disable address sanitization in kexec paths")
Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Closes: https://lore.kernel.org/all/1dee8891-8bcc-46b4-93f3-fc3a774abd5b@linux.ibm.com/
Cc: stable@vger.kernel.org
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Acked-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Tested-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260407124349.1698552-1-sourabhjain@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kexec/Makefile |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kexec/Makefile
+++ b/arch/powerpc/kexec/Makefile
@@ -16,4 +16,4 @@ GCOV_PROFILE_core_$(BITS).o := n
 KCOV_INSTRUMENT_core_$(BITS).o := n
 UBSAN_SANITIZE_core_$(BITS).o := n
 KASAN_SANITIZE_core.o := n
-KASAN_SANITIZE_core_$(BITS) := n
+KASAN_SANITIZE_core_$(BITS).o := n
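Review bot: the corrected line now matches the GCOV/KCOV/UBSAN entries above, which all carry the .o suffix, which is why the mismatch was easy to miss. A comment above the block stating that core_$(BITS).o runs with the MMU disabled and must not be instrumented would stop a later cleanup from dropping these entries. Given the typo survived since 2ab2d5794f14, grepping other Makefiles for a `_core_$(BITS) :=` pattern without the suffix is cheap insurance.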




* [PATCH 6.18 055/270] x86/efi: Restore IRQ state in EFI page fault handler
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 054/270] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 056/270] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Biggers, Ivan Hu, x86,
	Ard Biesheuvel

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ardb@kernel.org>

commit 2c340aab5485ebe9e33c01437dd4815ef33c8df5 upstream.

The kernel's softirq API does not permit re-enabling softirqs while IRQs
are disabled. The reason for this is that local_bh_enable() will not
only re-enable delivery of softirqs over the back of IRQs, it will also
handle any pending softirqs immediately, regardless of whether IRQs are
enabled at that point.

For this reason, commit

  d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")

disables softirqs only when IRQs are enabled, as it is not permitted
otherwise, but also unnecessary, given that asynchronous softirq
delivery never happens to begin with while IRQs are disabled.

However, this does mean that entering a kernel mode FPU section with
IRQs enabled and leaving it with IRQs disabled leads to problems, as
identified by Sashiko [0]: the EFI page fault handler is called from
page_fault_oops() with IRQs disabled, and thus ends the kernel mode FPU
section with IRQs disabled as well, regardless of whether IRQs were
enabled when it was started. This may result in schedule() being called
with a non-zero preempt_count, causing a BUG().

So take care to re-enable IRQs when handling any EFI page faults if they
were taken with IRQs enabled.

[0] https://sashiko.dev/#/patchset/20260430074107.27051-1-ivan.hu%40canonical.com

Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Ivan Hu <ivan.hu@canonical.com>
Cc: x86@kernel.org
Cc: <stable@vger.kernel.org>
Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/efi.h     |    3 ++-
 arch/x86/mm/fault.c            |    2 +-
 arch/x86/platform/efi/quirks.c |   11 ++++++++++-
 3 files changed, 13 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -137,7 +137,8 @@ extern void __init efi_dump_pagetable(vo
 extern void __init efi_apply_memmap_quirks(void);
 extern int __init efi_reuse_config(u64 tables, int nr_tables);
 extern void efi_delete_dummy_variable(void);
-extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr);
+extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr,
+					       const struct pt_regs *regs);
 extern void efi_unmap_boot_services(void);
 
 void arch_efi_call_virt_setup(void);
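Review bot: the new prototype references `struct pt_regs`; unless asm/efi.h already pulls in a header that defines it, add a forward declaration `struct pt_regs;` near the top so the header stays self-contained for every includer.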
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -686,7 +686,7 @@ page_fault_oops(struct pt_regs *regs, un
 	 * avoid hanging the system.
 	 */
 	if (IS_ENABLED(CONFIG_EFI))
-		efi_crash_gracefully_on_page_fault(address);
+		efi_crash_gracefully_on_page_fault(address, regs);
 
 	/* Only not-present faults should be handled by KFENCE. */
 	if (!(error_code & X86_PF_PROT) &&
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -761,7 +761,8 @@ int efi_capsule_setup_info(struct capsul
  * @return: Returns, if the page fault is not handled. This function
  * will never return if the page fault is handled successfully.
  */
-void efi_crash_gracefully_on_page_fault(unsigned long phys_addr)
+void efi_crash_gracefully_on_page_fault(unsigned long phys_addr,
+					const struct pt_regs *regs)
 {
 	if (!IS_ENABLED(CONFIG_X86_64))
 		return;
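Review bot: the kerneldoc block above this function (its `@return:` line is in the context) gains no `@regs:` entry for the new parameter; add one, noting that only regs->flags is consulted, so the kernel-doc check stays clean.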
@@ -811,6 +812,14 @@ void efi_crash_gracefully_on_page_fault(
 	}
 
 	/*
+	 * The API does not permit entering a kernel mode FPU section with
+	 * interrupts enabled and leaving it with interrupts disabled.  So
+	 * re-enable interrupts now if they were enabled when the page fault
+	 * occurred.
+	 */
+	local_irq_restore(regs->flags);
+
+	/*
 	 * Before calling EFI Runtime Service, the kernel has switched the
 	 * calling process to efi_mm. Hence, switch back to task_mm.
 	 */
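Review bot: `local_irq_restore(regs->flags)` passes the faulting context's full EFLAGS word rather than a value obtained from local_irq_save(); on x86 arch_local_irq_restore() only tests the IF bit, so this works, but the comment should state that explicitly since the usual save/restore pairing rule is being deliberately bent. It would also help to say why the restore sits here, before the efi_mm to task_mm switch described in the following comment, so that future reordering keeps IRQ state restored ahead of anything that may schedule.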




* [PATCH 6.18 056/270] xfrm: provide message size for XFRM_MSG_MAPPING
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 055/270] x86/efi: Restore IRQ state in EFI page fault handler Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 057/270] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Ruijie Li, Ren Wei, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruijie Li <ruijieli51@gmail.com>

commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.

The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
xfrm_msg_min[] does not provide the native payload size for this
message type.

Add the missing XFRM_MSG_MAPPING entry so compat translation can size
and translate mapping notifications correctly.

Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_user.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3314,6 +3314,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
 	[XFRM_MSG_GETSADINFO  - XFRM_MSG_BASE] = sizeof(u32),
 	[XFRM_MSG_NEWSPDINFO  - XFRM_MSG_BASE] = sizeof(u32),
 	[XFRM_MSG_GETSPDINFO  - XFRM_MSG_BASE] = sizeof(u32),
+	[XFRM_MSG_MAPPING     - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
 	[XFRM_MSG_SETDEFAULT  - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
 	[XFRM_MSG_GETDEFAULT  - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
 };
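Review bot: the entry sits in enum order between GETSPDINFO and SETDEFAULT and uses XMSGSIZE(xfrm_user_mapping) like the other payload-carrying types. The open question is whether the compat side has a matching minimum-size entry for XFRM_MSG_MAPPING, so that the 64=>32 translator named in the commit message sizes both halves consistently; a selftest that emits a mapping notification to a 32-bit listener would pin that down.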




* [PATCH 6.18 057/270] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 056/270] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 058/270] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Kosiorek, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kosiorek <mkosiorek121@gmail.com>

commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 upstream.

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reachable via the same code path on
torvalds/master and on the ipsec tree). Nine unique signatures cluster
in the xfrm_state lifecycle, the load-bearing one being:

  BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
  BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
  BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
  Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435

  Workqueue: netns cleanup_net
  Call Trace:
   __hlist_del / hlist_del_rcu
   __xfrm_state_delete
   xfrm_state_delete
   xfrm_state_flush
   xfrm_state_fini
   ops_exit_list
   cleanup_net

The other observed signatures hit the same slab object from
__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
write variant of __xfrm_state_delete, all on the byseq/byspi
hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with
value-based predicates:

	if (x->km.seq)
		hlist_del_rcu(&x->byseq);
	if (x->id.spi)
		hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input)
the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
into byspi, but a path that observes x->id.spi != 0 outside of
xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
with whether x is actually on the list. The same holds for x->km.seq
versus byseq, and the bydst/bysrc unhashes have no predicate at all,
so a second __xfrm_state_delete() on the same object writes through
LIST_POISON pprev.

The defensive change here:

  - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
    bysrc, byseq and byspi so a second deletion is a no-op rather
    than a write through LIST_POISON pprev. The byseq/byspi nodes
    are already initialised in xfrm_state_alloc().
  - Test hlist_unhashed() rather than the value predicate for
    byseq/byspi, so the unhash decision tracks list state rather than
    mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt,
and re-ran the same syzkaller harness for 1h16m on a previously-crashy
configuration that produced ~100 hits each of slab-use-after-free
Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
confirms the xfrm_state slab is actively allocated and freed during
the run (~143 KiB resident), so the fuzzer is still exercising those
code paths -- they just no longer crash.

Reproduction:

  - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
  - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
  - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
  - 9 unique signatures collected in ~9h, all within xfrm_state
    lifecycle

Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
Reported-by: Michal Kosiorek <mkosiorek121@gmail.com>
Tested-by: Michal Kosiorek <mkosiorek121@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michal Kosiorek <mkosiorek121@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_state.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -818,17 +818,17 @@ int __xfrm_state_delete(struct xfrm_stat
 
 		spin_lock(&net->xfrm.xfrm_state_lock);
 		list_del(&x->km.all);
-		hlist_del_rcu(&x->bydst);
-		hlist_del_rcu(&x->bysrc);
-		if (x->km.seq)
-			hlist_del_rcu(&x->byseq);
+		hlist_del_init_rcu(&x->bydst);
+		hlist_del_init_rcu(&x->bysrc);
+		if (!hlist_unhashed(&x->byseq))
+			hlist_del_init_rcu(&x->byseq);
 		if (!hlist_unhashed(&x->state_cache))
 			hlist_del_rcu(&x->state_cache);
 		if (!hlist_unhashed(&x->state_cache_input))
 			hlist_del_rcu(&x->state_cache_input);
 
-		if (x->id.spi)
-			hlist_del_rcu(&x->byspi);
+		if (!hlist_unhashed(&x->byspi))
+			hlist_del_init_rcu(&x->byspi);
 		net->xfrm.state_num--;
 		xfrm_nat_keepalive_state_updated(x);
 		spin_unlock(&net->xfrm.xfrm_state_lock);
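Review bot: the asymmetry inside this block needs an explanation: bydst/bysrc/byseq/byspi move to hlist_del_init_rcu() while state_cache/state_cache_input two lines away keep hlist_del_rcu(), so a second __xfrm_state_delete() on the same object is still a poison write for those two nodes if the same scenario reaches them. Either convert them too or comment on why they cannot be double-deleted. Since the change is explicitly defensive (the commit message does not claim to fix the root cause of the double delete), a WARN_ON_ONCE() when bydst is already unhashed on entry would keep the underlying bug visible under syzkaller rather than silently absorbing it.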




* [PATCH 6.18 058/270] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 057/270] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 059/270] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Ruide Cao, Yilin Zhu, Ren Wei, Simon Horman,
	Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yilin Zhu <zylzyl2333@gmail.com>

commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.

xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
already have a dst attached. ip6_route_input_lookup() returns a
referenced dst entry even when the lookup resolves to an error route.

If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
the dst to the skb and without releasing the reference returned by the
lookup. Repeated packets hitting this path therefore leak dst entries.

Release the dst before jumping to the drop path.

Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/xfrm6_protocol.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv6/xfrm6_protocol.c
+++ b/net/ipv6/xfrm6_protocol.c
@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
 
 		dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
 					     skb, flags);
-		if (dst->error)
+		if (dst->error) {
+			dst_release(dst);
 			goto drop;
+		}
 		skb_dst_set(skb, dst);
 	}
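Review bot: correct fix; with skb_dst_set() skipped on the error path nothing downstream owns the reference returned by ip6_route_input_lookup(), so the explicit dst_release() before `goto drop` is required. Worth checking that no other early exit between the lookup and skb_dst_set() (outside this hunk) has the same gap.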
 




* [PATCH 6.18 059/270] xfrm: ah: account for ESN high bits in async callbacks
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 058/270] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 060/270] selinux: fix avdcache auditing Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 upstream.

AH allocates its temporary auth/ICV layout differently when ESN is enabled:
the async ahash setup appends a 4-byte seqhi slot before the ICV or
auth_data area, but the async completion callbacks still reconstruct the
temporary layout as if seqhi were absent.

With an async AH implementation selected, that makes AH copy or compare
the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH
with ESN and forced async hmac(sha1), ping fails with 100% packet loss,
and the callback logs show the pre-fix drift:

  ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
  ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it
by skipping the ESN seqhi slot before locating the saved auth_data or ICV.
Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV
computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows
the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24
expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o
build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the
change has not been tested against a real async hardware AH engine.

Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part")
Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part")
Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part")
Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-4
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |   14 ++++++++++++--
 net/ipv6/ah6.c |   14 ++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -124,9 +124,14 @@ static void ah_output_done(void *data, i
 	struct iphdr *top_iph = ip_hdr(skb);
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int ihl = ip_hdrlen(skb);
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	iph = AH_SKB_CB(skb)->tmp;
-	icv = ah_tmp_icv(iph, ihl);
+	seqhi = (__be32 *)((char *)iph + ihl);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 
 	top_iph->tos = iph->tos;
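Review bot: the same four-line pattern (seqhi_len initialisation, XFRM_STATE_ESN test, pointer cast, ah_tmp_icv()/ah_tmp_auth() with seqhi_len) is repeated in all four callbacks of this patch; a small static helper such as `ah_esn_seqhi_len(x)` returning 0 or sizeof(__be32) would remove the duplication and keep the callbacks in lock-step with the setup paths they mirror. Also, `seqhi` is only used for sizeof() and pointer arithmetic; a comment that it is the ESN high-order word slot reserved by ah_output() would help readers who have not seen the setup side.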
@@ -270,12 +275,17 @@ static void ah_input_done(void *data, in
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int ihl = ip_hdrlen(skb);
 	int ah_hlen = (ah->hdrlen + 2) << 2;
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	if (err)
 		goto out;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	work_iph = AH_SKB_CB(skb)->tmp;
-	auth_data = ah_tmp_auth(work_iph, ihl);
+	seqhi = (__be32 *)((char *)work_iph + ihl);
+	auth_data = ah_tmp_auth(seqhi, seqhi_len);
 	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
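Review bot: note the layout difference between the v4 and v6 input callbacks in this same patch: here the seqhi slot precedes auth_data (`ah_tmp_auth(seqhi, seqhi_len)`), whereas ah6_input_done() places it after auth_data. Both can be right if each mirrors its own ah_input()/ah6_input() setup, but that should be stated in the commit message or a comment, since anyone diffing the two callbacks will otherwise assume one of them is wrong.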
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -317,14 +317,19 @@ static void ah6_output_done(void *data,
 	struct ipv6hdr *top_iph = ipv6_hdr(skb);
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	struct tmp_ext *iph_ext;
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
 	if (extlen)
 		extlen += sizeof(*iph_ext);
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	iph_base = AH_SKB_CB(skb)->tmp;
 	iph_ext = ah_tmp_ext(iph_base);
-	icv = ah_tmp_icv(iph_ext, extlen);
+	seqhi = (__be32 *)((char *)iph_ext + extlen);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 	memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
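Review bot: `seqhi = (__be32 *)((char *)iph_ext + extlen)` collapses to iph_ext itself when extlen is 0 (no extension headers), and the `extlen += sizeof(*iph_ext)` adjustment only applies when non-zero; that reuses the existing bookkeeping so it should be fine, but it is the subtle part of the hunk, and a comment tying the seqhi position to the same computation in ah6_output() would be worthwhile.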
@@ -471,13 +476,18 @@ static void ah6_input_done(void *data, i
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int hdr_len = skb_network_header_len(skb);
 	int ah_hlen = ipv6_authlen(ah);
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	if (err)
 		goto out;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, hdr_len);
-	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
+	seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
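Review bot: this is the hunk the commit message says was not exercised at runtime (IPv6 AH+ESN), and it is also the one whose layout differs from the others, deriving seqhi from `auth_data + ahp->icv_trunc_len` rather than from the header base. Before merging, a UML or netns run of IPv6 AH with ESN and a forced async hmac, as was done for IPv4, would confirm the ICV offset matches ah6_input()'s setup; the expected_off style debug prints used for v4 could be reused.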




* [PATCH 6.18 060/270] selinux: fix avdcache auditing
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 059/270] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 061/270] selinux: use sk blob accessor in socket permission helpers Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit f92d542577db878acfd21cc18dab23d03023b217 upstream.

The per-task avdcache was incorrectly saving and reusing the
audited vector computed by avc_audit_required() rather than
recomputing based on the currently requested permissions and
distinguishing the denied versus allowed cases. As a result,
some permission checks were not being audited, e.g.
directory write checks after a previously cached directory
search check.

Cc: stable@vger.kernel.org
Fixes: dde3a5d0f4dce ("selinux: move avdcache to per-task security struct")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: line wrap tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/hooks.c          |   31 +++++++++++++------------------
 security/selinux/include/objsec.h |    4 +---
 2 files changed, 14 insertions(+), 21 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3162,15 +3162,13 @@ static inline int task_avdcache_search(s
  * @tsec: the task's security state
  * @isec: the inode associated with the cache entry
  * @avd: the AVD to cache
- * @audited: the permission audit bitmask to cache
  *
- * Update the AVD cache in @tsec with the @avdc and @audited info associated
+ * Update the AVD cache in @tsec with the @avd info associated
  * with @isec.
  */
 static inline void task_avdcache_update(struct task_security_struct *tsec,
 					struct inode_security_struct *isec,
-					struct av_decision *avd,
-					u32 audited)
+					struct av_decision *avd)
 {
 	int spot;
 
@@ -3182,9 +3180,7 @@ static inline void task_avdcache_update(
 	spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
 	tsec->avdcache.dir_spot = spot;
 	tsec->avdcache.dir[spot].isid = isec->sid;
-	tsec->avdcache.dir[spot].audited = audited;
-	tsec->avdcache.dir[spot].allowed = avd->allowed;
-	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
+	tsec->avdcache.dir[spot].avd = *avd;
 	tsec->avdcache.permissive_neveraudit =
 		(avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
 }
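Review bot: `tsec->avdcache.dir[spot].avd = *avd;` copies the whole struct av_decision instead of three fields, which is what allows the audit vector to be recomputed per request; the cost is a larger per-task entry times TSEC_AVDC_DIR_SIZE. That is acceptable but deserves a line in the commit message. Note also that the permissive_neveraudit line below still compares `avd->flags` for exact equality, so the cached copy must not be modified after it is stored.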
@@ -3205,6 +3201,7 @@ static int selinux_inode_permission(stru
 	struct task_security_struct *tsec;
 	struct inode_security_struct *isec;
 	struct avdc_entry *avdc;
+	struct av_decision avd, *avdp = &avd;
 	int rc, rc2;
 	u32 audited, denied;
 
@@ -3226,23 +3223,21 @@ static int selinux_inode_permission(stru
 	rc = task_avdcache_search(tsec, isec, &avdc);
 	if (likely(!rc)) {
 		/* Cache hit. */
-		audited = perms & avdc->audited;
-		denied = perms & ~avdc->allowed;
-		if (unlikely(denied && enforcing_enabled() &&
-			     !avdc->permissive))
+		avdp = &avdc->avd;
+		denied = perms & ~avdp->allowed;
+		if (unlikely(denied) && enforcing_enabled() &&
+			!(avdp->flags & AVD_FLAGS_PERMISSIVE))
 			rc = -EACCES;
 	} else {
-		struct av_decision avd;
-
 		/* Cache miss. */
 		rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass,
-					  perms, 0, &avd);
-		audited = avc_audit_required(perms, &avd, rc,
-			(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
-			&denied);
-		task_avdcache_update(tsec, isec, &avd, audited);
+					  perms, 0, avdp);
+		task_avdcache_update(tsec, isec, avdp);
 	}
 
+	audited = avc_audit_required(perms, avdp, rc,
+				     (requested & MAY_ACCESS) ?
+				     FILE__AUDIT_ACCESS : 0, &denied);
 	if (likely(!audited))
 		return rc;
 
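Review bot: the actual fix is moving avc_audit_required() out of the miss branch, so on a cache hit `audited` and `denied` are derived from the cached av_decision against the current `perms` rather than from a mask saved for an earlier request that may have asked for different permissions; this is sound because the decision is keyed on (sid, isec->sid, sclass), not on the requested bits. Two small points: `denied = perms & ~avdp->allowed;` on the hit path is recomputed by avc_audit_required() through its &denied out-parameter, so the first assignment only feeds the -EACCES decision (fine, a comment would help), and `unlikely(denied) && enforcing_enabled() && ...` merely moves the unlikely() hint relative to the removed `unlikely(denied && ...)` with no change in meaning.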
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -32,9 +32,7 @@
 
 struct avdc_entry {
 	u32 isid; /* inode SID */
-	u32 allowed; /* allowed permission bitmask */
-	u32 audited; /* audited permission bitmask */
-	bool permissive; /* AVC permissive flag */
+	struct av_decision avd; /* av decision */
 };
 
 struct cred_security_struct {
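Review bot: `/* av decision */` on the new member is thin; say that the cached decision covers every permission that may later be requested against this inode (it is the full av_decision for the (task SID, isid, class) pair), since an avdc_entry is matched on isid alone and the auditing computed from it must be valid for any `perms`.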



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 061/270] selinux: use sk blob accessor in socket permission helpers
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 060/270] selinux: fix avdcache auditing Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 062/270] selinux: dont reserve xattr slot when we wont fill it Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zongyao Chen, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

commit 032e70aff025d7c519af9ab791cd084380619263 upstream.

SELinux socket state lives in the composite LSM socket blob.

sock_has_perm() and nlmsg_sock_has_extended_perms() currently
dereference sk->sk_security directly, which assumes the SELinux socket
blob is at offset zero.

In stacked configurations that assumption does not hold. If another LSM
allocates socket blob storage before SELinux, these helpers may read the
wrong blob and feed invalid SID and class values into AVC checks.

Use selinux_sock() instead of accessing sk->sk_security directly.

Fixes: d1d991efaf34 ("selinux: Add netlink xperm support")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/hooks.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4780,7 +4780,7 @@ static bool sock_skip_has_perm(u32 sid)
 
 static int sock_has_perm(struct sock *sk, u32 perms)
 {
-	struct sk_security_struct *sksec = sk->sk_security;
+	struct sk_security_struct *sksec = selinux_sock(sk);
 	struct common_audit_data ad;
 	struct lsm_network_audit net;
 
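Review bot: switching from `sk->sk_security` to `selinux_sock(sk)` is the right accessor, since with another LSM allocating socket blob space first the SELinux blob is not at offset zero and the raw pointer would feed a wrong SID/class into the AVC check; it would help to state in the commit message (or verify with a grep) that these two are the last raw `sk->sk_security` dereferences in hooks.c, otherwise the same wrong-blob input remains elsewhere.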
@@ -6087,7 +6087,7 @@ static unsigned int selinux_ip_postroute
 
 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
 {
-	struct sk_security_struct *sksec = sk->sk_security;
+	struct sk_security_struct *sksec = selinux_sock(sk);
 	struct common_audit_data ad;
 	u8 driver;
 	u8 xperm;




* [PATCH 6.18 062/270] selinux: dont reserve xattr slot when we wont fill it
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 061/270] selinux: use sk blob accessor in socket permission helpers Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 063/270] selinux: shrink critical section in sel_write_load() Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Windsor, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Windsor <dwindsor@gmail.com>

commit 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 upstream.

Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
initxattrs() callbacks stop iterating at the first NULL ->name, silently
dropping xattrs installed by later LSMs.

Cc: stable@vger.kernel.org
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/hooks.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2931,7 +2931,7 @@ static int selinux_inode_init_security(s
 {
 	const struct cred_security_struct *crsec = selinux_cred(current_cred());
 	struct superblock_security_struct *sbsec;
-	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+	struct xattr *xattr;
 	u32 newsid, clen;
 	u16 newsclass;
 	int rc;
@@ -2957,6 +2957,7 @@ static int selinux_inode_init_security(s
 	    !(sbsec->flags & SBLABEL_MNT))
 		return -EOPNOTSUPP;
 
+	xattr = lsm_get_xattr_slot(xattrs, xattr_count);
 	if (xattr) {
 		rc = security_sid_to_context_force(newsid,
 						   &context, &clen);
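Review bot: moving the lsm_get_xattr_slot() call below the SBLABEL_MNT check means the -EOPNOTSUPP return no longer consumes a slot whose ->name stays NULL, which is what cut the filesystem's initxattrs() walk short; the `if (xattr)` guard for a NULL array is kept. One thing to check in the lines that follow: if security_sid_to_context_force() fails after the slot has been taken, the slot is again left unnamed, which is only harmless if that error propagates and aborts inode initialization rather than being skipped the way -EOPNOTSUPP is.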



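The slot-ordering bug described above, as an added user-space C model that is not the kernel's code: lsm_get_xattr_slot() and a filesystem initxattrs() walk are stubbed (get_xattr_slot(), fs_initxattrs()), the two LSMs and their xattr names are constructed, and xattrs_applied() compares the pre-patch and post-patch ordering of the first LSM's slot reservation.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel's struct xattr as handed to initxattrs(). */
struct xattr {
	const char *name;
	const void *value;
	size_t value_len;
};

#define MAX_XATTRS 4

/* Models lsm_get_xattr_slot(): hands out the next slot and bumps the count.
 * The caller is expected to fill ->name; a slot it never fills keeps name == NULL. */
static struct xattr *get_xattr_slot(struct xattr *xattrs, int *count)
{
	if (!xattrs || *count >= MAX_XATTRS)
		return NULL;
	return &xattrs[(*count)++];
}

/* First LSM, pre-patch ordering: reserve the slot first, then discover the
 * filesystem does not support labelling and bail out with -EOPNOTSUPP. */
static int lsm_a_init_security_old(struct xattr *xattrs, int *count, int labels_ok)
{
	struct xattr *x = get_xattr_slot(xattrs, count);

	if (!labels_ok)
		return -EOPNOTSUPP;	/* x->name is left NULL in the array */
	if (x) {
		x->name = "security.lsm_a";	/* constructed name */
		x->value = "a_label";
		x->value_len = 7;
	}
	return 0;
}

/* First LSM, post-patch ordering: decide first, reserve only when filling. */
static int lsm_a_init_security_new(struct xattr *xattrs, int *count, int labels_ok)
{
	struct xattr *x;

	if (!labels_ok)
		return -EOPNOTSUPP;	/* returned before any slot is taken */
	x = get_xattr_slot(xattrs, count);
	if (x) {
		x->name = "security.lsm_a";
		x->value = "a_label";
		x->value_len = 7;
	}
	return 0;
}

/* A second stacked LSM that always installs its label. */
static int lsm_b_init_security(struct xattr *xattrs, int *count)
{
	struct xattr *x = get_xattr_slot(xattrs, count);

	if (x) {
		x->name = "security.lsm_b";	/* constructed name */
		x->value = "b_label";
		x->value_len = 7;
	}
	return 0;
}

/* Models a filesystem initxattrs() callback: walks the array until the
 * first entry whose name is NULL, which is why a hole hides later entries. */
static int fs_initxattrs(const struct xattr *xattrs)
{
	int applied = 0;

	for (const struct xattr *x = xattrs; x->name; x++)
		applied++;
	return applied;
}

/* Runs the stacked-LSM sequence and returns how many xattrs the filesystem
 * actually applied; use_new selects the patched ordering for LSM A. An
 * -EOPNOTSUPP from one LSM does not stop the next one from running. */
static int xattrs_applied(int use_new, int labels_ok)
{
	struct xattr xattrs[MAX_XATTRS + 1];	/* zeroed, with a terminator slot */
	int count = 0;

	memset(xattrs, 0, sizeof(xattrs));
	if (use_new)
		(void)lsm_a_init_security_new(xattrs, &count, labels_ok);
	else
		(void)lsm_a_init_security_old(xattrs, &count, labels_ok);
	(void)lsm_b_init_security(xattrs, &count);
	return fs_initxattrs(xattrs);
}
```

With the old ordering and an unlabelled filesystem, LSM B's xattr is silently lost (zero applied); with the new ordering it survives.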

* [PATCH 6.18 063/270] selinux: shrink critical section in sel_write_load()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 062/270] selinux: dont reserve xattr slot when we wont fill it Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 064/270] selinux: prune /sys/fs/selinux/checkreqprot Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream.

Currently sel_write_load() takes the policy mutex earlier than
necessary. Move the taking of the mutex later. This avoids
holding it unnecessarily across the vmalloc() and copy_from_user()
of the policy data.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/selinuxfs.c |   18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -583,34 +583,31 @@ static ssize_t sel_write_load(struct fil
 	if (!count)
 		return -EINVAL;
 
-	mutex_lock(&selinux_state.policy_mutex);
-
 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
 			      SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
 	if (length)
-		goto out;
+		return length;
 
 	data = vmalloc(count);
-	if (!data) {
-		length = -ENOMEM;
-		goto out;
-	}
+	if (!data)
+		return -ENOMEM;
 	if (copy_from_user(data, buf, count) != 0) {
 		length = -EFAULT;
 		goto out;
 	}
 
+	mutex_lock(&selinux_state.policy_mutex);
 	length = security_load_policy(data, count, &load_state);
 	if (length) {
 		pr_warn_ratelimited("SELinux: failed to load policy\n");
-		goto out;
+		goto out_unlock;
 	}
 	fsi = file_inode(file)->i_sb->s_fs_info;
 	length = sel_make_policy_nodes(fsi, load_state.policy);
 	if (length) {
 		pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
 		selinux_policy_cancel(&load_state);
-		goto out;
+		goto out_unlock;
 	}
 
 	selinux_policy_commit(&load_state);
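Review bot: the mutex is now taken only around security_load_policy(), sel_make_policy_nodes() and selinux_policy_commit(), so a large `count` no longer keeps the policy mutex held across vmalloc() and a copy_from_user() that may fault or sleep. The -EFAULT path keeps `goto out` (no unlock, correct since the lock is not yet held) while the two later failures use `out_unlock`; the avc_has_perm(SECURITY__LOAD_POLICY) check also moves outside the mutex, which is fine because it does not depend on it. `count` itself is still only rejected when zero, unchanged by this patch.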
@@ -620,8 +617,9 @@ static ssize_t sel_write_load(struct fil
 		from_kuid(&init_user_ns, audit_get_loginuid(current)),
 		audit_get_sessionid(current));
 
-out:
+out_unlock:
 	mutex_unlock(&selinux_state.policy_mutex);
+out:
 	vfree(data);
 	return length;
 }
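Review bot: `out_unlock:` falls through into `out:` so every exit still reaches vfree(data), and the labels are in the right order for that; the one thing to confirm in the unchanged middle of the function is that no remaining `goto out` sits between mutex_lock() and `out_unlock:`, since such a jump would now skip the unlock.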




* [PATCH 6.18 064/270] selinux: prune /sys/fs/selinux/checkreqprot
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 063/270] selinux: shrink critical section in sel_write_load() Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 065/270] selinux: prune /sys/fs/selinux/disable Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit 644132a48f4e28a1d949d162160869286f3e75de upstream.

Commit a7e4676e8e2cb ("selinux: remove the 'checkreqprot'
functionality") removed the ability to modify the checkreqprot setting
but left everything except the updating of the checkreqprot value
intact. Aside from unnecessary processing, this could produce a local
DoS from log spam and incorrectly calls selinux_ima_measure_state() on
each write even though no state has changed. Prune it to just log an
error message once and return count (i.e. all bytes written
successfully) so that userspace never breaks.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/selinuxfs.c |   47 ++++++-------------------------------------
 1 file changed, 7 insertions(+), 40 deletions(-)

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -676,46 +676,13 @@ static ssize_t sel_read_checkreqprot(str
 static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
 				      size_t count, loff_t *ppos)
 {
-	char *page;
-	ssize_t length;
-	unsigned int new_value;
-
-	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
-			      SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT,
-			      NULL);
-	if (length)
-		return length;
-
-	if (count >= PAGE_SIZE)
-		return -ENOMEM;
-
-	/* No partial writes. */
-	if (*ppos != 0)
-		return -EINVAL;
-
-	page = memdup_user_nul(buf, count);
-	if (IS_ERR(page))
-		return PTR_ERR(page);
-
-	if (sscanf(page, "%u", &new_value) != 1) {
-		length = -EINVAL;
-		goto out;
-	}
-	length = count;
-
-	if (new_value) {
-		char comm[sizeof(current->comm)];
-
-		strscpy(comm, current->comm);
-		pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n",
-		       comm, current->pid);
-	}
-
-	selinux_ima_measure_state();
-
-out:
-	kfree(page);
-	return length;
+	/*
+	 * Setting checkreqprot is no longer supported, see
+	 * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot
+	 */
+	pr_err_once("SELinux: %s (%d) wrote to checkreqprot. This is no longer supported.\n",
+		    current->comm, current->pid);
+	return count;
 }
 static const struct file_operations sel_checkreqprot_ops = {
 	.read		= sel_read_checkreqprot,
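Review bot: the handler now logs once and returns `count` without the SECURITY__SETCHECKREQPROT check, the `*ppos` partial-write rejection, the PAGE_SIZE bound or any copy from user memory; since nothing can change any more, dropping them is fine and is what removes the per-write log spam and the spurious selinux_ima_measure_state() call. Passing `current->comm` directly to the printk is the usual kernel idiom, so the strscpy() into a local `comm[]` in the removed code bought little. One documentation point: with pr_err_once() only the first writer's comm/pid is ever recorded, which the commit message could state so nobody expects per-writer attribution in the log.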




* [PATCH 6.18 065/270] selinux: prune /sys/fs/selinux/disable
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 064/270] selinux: prune /sys/fs/selinux/checkreqprot Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 066/270] selinux: prune /sys/fs/selinux/user Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream.

Commit f22f9aaf6c3d ("selinux: remove the runtime disable
functionality") removed the underlying SELinux runtime disable
functionality but left everything else intact and started logging an
error message to warn any residual users.

Prune it to just log an error message once and to return count
(i.e. all bytes written successfully) to avoid breaking
userspace. This also fixes a local DoS from logspam.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/selinuxfs.c |   36 +++++++-----------------------------
 1 file changed, 7 insertions(+), 29 deletions(-)

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct
 				 size_t count, loff_t *ppos)
 
 {
-	char *page;
-	ssize_t length;
-	int new_value;
-
-	if (count >= PAGE_SIZE)
-		return -ENOMEM;
-
-	/* No partial writes. */
-	if (*ppos != 0)
-		return -EINVAL;
-
-	page = memdup_user_nul(buf, count);
-	if (IS_ERR(page))
-		return PTR_ERR(page);
-
-	if (sscanf(page, "%d", &new_value) != 1) {
-		length = -EINVAL;
-		goto out;
-	}
-	length = count;
-
-	if (new_value) {
-		pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
-		pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
-	}
-
-out:
-	kfree(page);
-	return length;
+	/*
+	 * Setting disable is no longer supported, see
+	 * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
+	 */
+	pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n",
+		    current->comm, current->pid);
+	return count;
 }
 
 static const struct file_operations sel_disable_ops = {
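Review bot: consistent with the checkreqprot change; the removed code had no avc_has_perm() check to begin with, so nothing is lost there, and the two pr_err() lines (wiki URL and the selinux=0 hint) collapse into one pr_err_once() that also names the writer. Since the node still exists and now reports success for any write, including input that the old sscanf() would have rejected with -EINVAL, the commit message might say explicitly that the sscanf()/`*ppos`/PAGE_SIZE rejections are intentionally gone so userspace never sees an error here.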




* [PATCH 6.18 066/270] selinux: prune /sys/fs/selinux/user
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 065/270] selinux: prune /sys/fs/selinux/disable Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 067/270] LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit ad1ac3d740cc6b858a99ab9c45c8c0574be7d1d3 upstream.

Remove the previously deprecated /sys/fs/selinux/user interface aside
from a residual stub for userspace compatibility.

Commit d7b6918e22c7 ("selinux: Deprecate /sys/fs/selinux/user") started
the deprecation process for /sys/fs/selinux/user:

    The selinuxfs "user" node allows userspace to request a list
    of security contexts that can be reached for a given SELinux
    user from a given starting context. This was used by libselinux
    when various login-style programs requested contexts for
    users, but libselinux stopped using it in 2020.
    Kernel support will be removed no sooner than Dec 2025.

A pr_warn() message has been in place since Linux v6.13, and a 5
second sleep was introduced in Linux v6.17 to help make it more
noticeable.

We are now past the stated deadline of Dec 2025, so remove the
underlying functionality and replace it with a stub that returns a
'0\0' buffer to avoid breaking userspace. This also avoids a local DoS
from logspam and an uninterruptible sleep delay.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 .../{obsolete => removed}/sysfs-selinux-user  |   0
 Documentation/ABI/obsolete/sysfs-selinux-user |   12 --
 Documentation/ABI/removed/sysfs-selinux-user  |   12 ++
 security/selinux/include/security.h           |    2 
 security/selinux/selinuxfs.c                  |   68 +-------------
 security/selinux/ss/services.c                |  125 --------------------------
 5 files changed, 17 insertions(+), 202 deletions(-)
 rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)

--- a/Documentation/ABI/obsolete/sysfs-selinux-user
+++ /dev/null
@@ -1,12 +0,0 @@
-What:		/sys/fs/selinux/user
-Date:		April 2005 (predates git)
-KernelVersion:	2.6.12-rc2 (predates git)
-Contact:	selinux@vger.kernel.org
-Description:
-
-	The selinuxfs "user" node allows userspace to request a list
-	of security contexts that can be reached for a given SELinux
-	user from a given starting context. This was used by libselinux
-	when various login-style programs requested contexts for
-	users, but libselinux stopped using it in 2020.
-	Kernel support will be removed no sooner than Dec 2025.
--- /dev/null
+++ b/Documentation/ABI/removed/sysfs-selinux-user
@@ -0,0 +1,12 @@
+What:		/sys/fs/selinux/user
+Date:		April 2005 (predates git)
+KernelVersion:	2.6.12-rc2 (predates git)
+Contact:	selinux@vger.kernel.org
+Description:
+
+	The selinuxfs "user" node allows userspace to request a list
+	of security contexts that can be reached for a given SELinux
+	user from a given starting context. This was used by libselinux
+	when various login-style programs requested contexts for
+	users, but libselinux stopped using it in 2020.
+	Kernel support will be removed no sooner than Dec 2025.
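Review bot: the file moved to Documentation/ABI/removed still reads "Kernel support will be removed no sooner than Dec 2025" in the future tense; since this patch is the removal, the Description should say that support has been removed (naming the kernel version) and that the node now answers every write with a stub "0" result.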
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -301,8 +301,6 @@ int security_context_to_sid_default(cons
 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
 				  u32 *sid);
 
-int security_get_user_sids(u32 fromsid, const char *username, u32 **sids, u32 *nel);
-
 int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1005,69 +1005,11 @@ out:
 
 static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
 {
-	char *con = NULL, *user = NULL, *ptr;
-	u32 sid, *sids = NULL;
-	ssize_t length;
-	char *newcon;
-	int rc;
-	u32 i, len, nsids;
-
-	pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
-		" This will not be supported in the future; please update your"
-		" userspace.\n", current->comm, current->pid);
-	ssleep(5);
-
-	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
-			      SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
-			      NULL);
-	if (length)
-		goto out;
-
-	length = -ENOMEM;
-	con = kzalloc(size + 1, GFP_KERNEL);
-	if (!con)
-		goto out;
-
-	length = -ENOMEM;
-	user = kzalloc(size + 1, GFP_KERNEL);
-	if (!user)
-		goto out;
-
-	length = -EINVAL;
-	if (sscanf(buf, "%s %s", con, user) != 2)
-		goto out;
-
-	length = security_context_str_to_sid(con, &sid, GFP_KERNEL);
-	if (length)
-		goto out;
-
-	length = security_get_user_sids(sid, user, &sids, &nsids);
-	if (length)
-		goto out;
-
-	length = sprintf(buf, "%u", nsids) + 1;
-	ptr = buf + length;
-	for (i = 0; i < nsids; i++) {
-		rc = security_sid_to_context(sids[i], &newcon, &len);
-		if (rc) {
-			length = rc;
-			goto out;
-		}
-		if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) {
-			kfree(newcon);
-			length = -ERANGE;
-			goto out;
-		}
-		memcpy(ptr, newcon, len);
-		kfree(newcon);
-		ptr += len;
-		length += len;
-	}
-out:
-	kfree(sids);
-	kfree(user);
-	kfree(con);
-	return length;
+	pr_err_once("SELinux: %s (%d) wrote to user. This is no longer supported.\n",
+		    current->comm, current->pid);
+	buf[0] = '0';
+	buf[1] = 0;
+	return 2;
 }
 
 static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
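Review bot: the stub keeps the old reply layout (a "%u" count followed by a NUL, here "0\0" with length 2), so a reader written against the previous format parses zero reachable contexts instead of hitting an error, and `buf` is the same transaction buffer the removed sprintf() wrote into, so the two-byte write is in bounds. Besides the removed ssleep(5), which was an uninterruptible five-second stall in a write handler, the SECURITY__COMPUTE_USER check goes away too; that is acceptable because no policy data is returned any more. `file` and `size` are now unused parameters, which is fine for a stub kept only for the dispatch table.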
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2746,131 +2746,6 @@ out:
 	return rc;
 }
 
-#define SIDS_NEL 25
-
-/**
- * security_get_user_sids - Obtain reachable SIDs for a user.
- * @fromsid: starting SID
- * @username: username
- * @sids: array of reachable SIDs for user
- * @nel: number of elements in @sids
- *
- * Generate the set of SIDs for legal security contexts
- * for a given user that can be reached by @fromsid.
- * Set *@sids to point to a dynamically allocated
- * array containing the set of SIDs.  Set *@nel to the
- * number of elements in the array.
- */
-
-int security_get_user_sids(u32 fromsid,
-			   const char *username,
-			   u32 **sids,
-			   u32 *nel)
-{
-	struct selinux_policy *policy;
-	struct policydb *policydb;
-	struct sidtab *sidtab;
-	struct context *fromcon, usercon;
-	u32 *mysids = NULL, *mysids2, sid;
-	u32 i, j, mynel, maxnel = SIDS_NEL;
-	struct user_datum *user;
-	struct role_datum *role;
-	struct ebitmap_node *rnode, *tnode;
-	int rc;
-
-	*sids = NULL;
-	*nel = 0;
-
-	if (!selinux_initialized())
-		return 0;
-
-	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);
-	if (!mysids)
-		return -ENOMEM;
-
-retry:
-	mynel = 0;
-	rcu_read_lock();
-	policy = rcu_dereference(selinux_state.policy);
-	policydb = &policy->policydb;
-	sidtab = policy->sidtab;
-
-	context_init(&usercon);
-
-	rc = -EINVAL;
-	fromcon = sidtab_search(sidtab, fromsid);
-	if (!fromcon)
-		goto out_unlock;
-
-	rc = -EINVAL;
-	user = symtab_search(&policydb->p_users, username);
-	if (!user)
-		goto out_unlock;
-
-	usercon.user = user->value;
-
-	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
-		role = policydb->role_val_to_struct[i];
-		usercon.role = i + 1;
-		ebitmap_for_each_positive_bit(&role->types, tnode, j) {
-			usercon.type = j + 1;
-
-			if (mls_setup_user_range(policydb, fromcon, user,
-						 &usercon))
-				continue;
-
-			rc = sidtab_context_to_sid(sidtab, &usercon, &sid);
-			if (rc == -ESTALE) {
-				rcu_read_unlock();
-				goto retry;
-			}
-			if (rc)
-				goto out_unlock;
-			if (mynel < maxnel) {
-				mysids[mynel++] = sid;
-			} else {
-				rc = -ENOMEM;
-				maxnel += SIDS_NEL;
-				mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
-				if (!mysids2)
-					goto out_unlock;
-				memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
-				kfree(mysids);
-				mysids = mysids2;
-				mysids[mynel++] = sid;
-			}
-		}
-	}
-	rc = 0;
-out_unlock:
-	rcu_read_unlock();
-	if (rc || !mynel) {
-		kfree(mysids);
-		return rc;
-	}
-
-	rc = -ENOMEM;
-	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
-	if (!mysids2) {
-		kfree(mysids);
-		return rc;
-	}
-	for (i = 0, j = 0; i < mynel; i++) {
-		struct av_decision dummy_avd;
-		rc = avc_has_perm_noaudit(fromsid, mysids[i],
-					  SECCLASS_PROCESS, /* kernel value */
-					  PROCESS__TRANSITION, AVC_STRICT,
-					  &dummy_avd);
-		if (!rc)
-			mysids2[j++] = mysids[i];
-		cond_resched();
-	}
-	kfree(mysids);
-	*sids = mysids2;
-	*nel = j;
-	return 0;
-}
-
 /**
  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
  * @policy: policy
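Review bot: removing security_get_user_sids() together with SIDS_NEL is straightforward once its only caller is gone; worth confirming that mls_setup_user_range(), which the removed body calls, still has another user, since a non-static function left without callers would not be flagged by the compiler.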




* [PATCH 6.18 067/270] LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 066/270] selinux: prune /sys/fs/selinux/user Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 068/270] Bluetooth: virtio_bt: clamp rx length before skb_put Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Tao Cui, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tao Cui <cuitao@kylinos.cn>

commit f26faae96c411a70641e4d21b759475caa6122d5 upstream.

In the ldptr (0x24...0x27) opcode decoding path, the default case only
breaks out without setting the "ret" value to EMULATE_FAIL. This leaves
run->mmio.len uninitialized (stale from a previous MMIO operation) while
"ret" value remains EMULATE_DO_MMIO, causing the code to proceed with an
incorrect MMIO length.

Add "ret = EMULATE_FAIL" to match the other default branches in the same
function (e.g. the 0x28...0x2e and 0x38 cases).

Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kvm/exit.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/loongarch/kvm/exit.c
+++ b/arch/loongarch/kvm/exit.c
@@ -390,6 +390,7 @@ int kvm_emu_mmio_read(struct kvm_vcpu *v
 			run->mmio.len = 8;
 			break;
 		default:
+			ret = EMULATE_FAIL;
 			break;
 		}
 		break;
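Review bot: setting `ret = EMULATE_FAIL` in the ldptr default branch brings it in line with the other default branches and stops a stale run->mmio.len being consumed while `ret` still reads EMULATE_DO_MMIO; as defense in depth, a follow-up could initialise run->mmio.len (or `ret`) at the top of kvm_emu_mmio_read() so that any future decoding branch that forgets the assignment fails closed instead of reusing the previous exit's value.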




* [PATCH 6.18 068/270] Bluetooth: virtio_bt: clamp rx length before skb_put
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 067/270] LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 069/270] Bluetooth: virtio_bt: validate rx pkt_type header length Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Soenke Huster, Michael Bommarito,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.

virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.

The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.

Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
Cc: stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/virtio_bt.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/bluetooth/virtio_bt.c
+++ b/drivers/bluetooth/virtio_bt.c
@@ -12,6 +12,7 @@
 #include <net/bluetooth/hci_core.h>
 
 #define VERSION "0.1"
+#define VIRTBT_RX_BUF_SIZE 1000
 
 enum {
 	VIRTBT_VQ_TX,
@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
 	struct sk_buff *skb;
 	int err;
 
-	skb = alloc_skb(1000, GFP_KERNEL);
+	skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
 	if (!skb)
 		return -ENOMEM;
 
-	sg_init_one(sg, skb->data, 1000);
+	sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
 
 	err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
 	if (err < 0) {
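Review bot: using VIRTBT_RX_BUF_SIZE in both alloc_skb() and sg_init_one() ties the exposed length to one constant; note that alloc_skb() guarantees at least that much tailroom and may round up, which is precisely why the receive side has to compare against the constant rather than skb_tailroom().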
@@ -227,8 +228,15 @@ static void virtbt_rx_work(struct work_s
 	if (!skb)
 		return;
 
-	skb_put(skb, len);
-	virtbt_rx_handle(vbt, skb);
+	if (!len || len > VIRTBT_RX_BUF_SIZE) {
+		bt_dev_err_ratelimited(vbt->hdev,
+				       "rx reply len %u outside [1, %u]\n",
+				       len, VIRTBT_RX_BUF_SIZE);
+		kfree_skb(skb);
+	} else {
+		skb_put(skb, len);
+		virtbt_rx_handle(vbt, skb);
+	}
 
 	if (virtbt_add_inbuf(vbt) < 0)
 		return;
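Review bot: the gate rejects both `len == 0` and `len > VIRTBT_RX_BUF_SIZE` before skb_put(), and the drop branch still falls through to virtbt_add_inbuf(), so a misbehaving backend cannot drain the RX queue by sending bad completions. One style point: bt_dev_err_ratelimited() (via BT_ERR_RATELIMITED) already appends a newline, so the trailing `\n` in "rx reply len %u outside [1, %u]\n" yields a blank line in the log. `len == 1` (just the pkt_type byte) still passes this gate, which the following patch addresses.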



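The two receive-side checks the virtio_bt patches describe (the used.len bound from this patch, plus the per-type fixed header minimum that the following patch in this series adds), as an added user-space C model that is not the driver's code: struct rx_buf, run_completion() and the 1024-byte tailroom are constructed for the example, the HCI packet-type values follow hci.h, and the header sizes are the ones the patch descriptions quote.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VIRTBT_RX_BUF_SIZE 1000u	/* bytes actually exposed via sg_init_one() */

/* HCI packet indicator values (same numbering as the kernel's hci.h). */
#define HCI_ACLDATA_PKT	0x02
#define HCI_SCODATA_PKT	0x03
#define HCI_EVENT_PKT	0x04
#define HCI_ISODATA_PKT	0x05

/* Fixed HCI header sizes quoted in the follow-up patch: event 2, ACL 4, SCO 3, ISO 4. */
#define HCI_EVENT_HDR_SIZE	2
#define HCI_ACL_HDR_SIZE	4
#define HCI_SCO_HDR_SIZE	3
#define HCI_ISO_HDR_SIZE	4

/* Constructed stand-in for the RX skb: the allocator may leave more tailroom
 * than the VIRTBT_RX_BUF_SIZE bytes the device was allowed to write. */
struct rx_buf {
	uint8_t data[1024];
	size_t tailroom;
};

enum rx_verdict { RX_OK, RX_DROP_LEN, RX_DROP_TYPE, RX_DROP_HDR };

/* The inadequate check the description warns against: bounding the reported
 * length by skb_tailroom() admits 1001..tailroom, bytes the device never wrote. */
static bool tailroom_only_accepts(size_t tailroom, uint32_t used_len)
{
	return used_len <= tailroom;
}

/* Minimum payload after the pkt_type byte for each accepted type; 0 = unknown. */
static size_t min_hdr_for(uint8_t pkt_type)
{
	switch (pkt_type) {
	case HCI_EVENT_PKT:   return HCI_EVENT_HDR_SIZE;
	case HCI_ACLDATA_PKT: return HCI_ACL_HDR_SIZE;
	case HCI_SCODATA_PKT: return HCI_SCO_HDR_SIZE;
	case HCI_ISODATA_PKT: return HCI_ISO_HDR_SIZE;
	default:              return 0;
	}
}

/* Two-stage gate: (1) used.len must lie in [1, VIRTBT_RX_BUF_SIZE], measured
 * against the posted size rather than tailroom; (2) after the pkt_type byte
 * is stripped, the per-type fixed header must fit in what remains. */
static enum rx_verdict virtbt_rx_check(const struct rx_buf *b, uint32_t used_len,
				       size_t *payload_len)
{
	size_t min_hdr;

	if (!used_len || used_len > VIRTBT_RX_BUF_SIZE)
		return RX_DROP_LEN;	/* ratelimited error, kfree_skb(), repost buffer */

	/* Only now is data[0] guaranteed to have been written by the device. */
	min_hdr = min_hdr_for(b->data[0]);
	if (!min_hdr)
		return RX_DROP_TYPE;	/* default case: kfree_skb() */

	*payload_len = used_len - 1;	/* skb->len after the pkt_type pull */
	if (*payload_len < min_hdr)
		return RX_DROP_HDR;	/* header would be read from unwritten bytes */

	return RX_OK;			/* safe to hand to hci_recv_frame() */
}

/* Constructed completion: the backend reports used_len for a buffer whose
 * first byte is pkt_type; every other byte is left as an "unwritten" pattern. */
static enum rx_verdict run_completion(uint8_t pkt_type, uint32_t used_len,
				      size_t *payload_len)
{
	struct rx_buf b;
	size_t n = 0;
	enum rx_verdict v;

	memset(b.data, 0xAA, sizeof(b.data));
	b.tailroom = sizeof(b.data);
	b.data[0] = pkt_type;
	v = virtbt_rx_check(&b, used_len, &n);
	if (payload_len)
		*payload_len = n;
	return v;
}

/* Payload length the core would see for an accepted completion, 0 if dropped. */
static size_t accepted_payload(uint8_t pkt_type, uint32_t used_len)
{
	size_t n = 0;

	return run_completion(pkt_type, used_len, &n) == RX_OK ? n : 0;
}
```

A 1001-byte completion passes the tailroom-only check but is dropped by the posted-size check, and a one-byte ACL completion is dropped before its header would be read.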

* [PATCH 6.18 069/270] Bluetooth: virtio_bt: validate rx pkt_type header length
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 068/270] Bluetooth: virtio_bt: clamp rx length before skb_put Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 070/270] Bluetooth: btmtk: validate WMT event SKB length before struct access Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Soenke Huster, Michael Bommarito,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.

virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
and forwards the remainder to hci_recv_frame() for every
event/ACL/SCO/ISO type, without checking that the remaining payload
is at least the fixed HCI header for that type.

After the preceding patch bounds the backend-supplied used.len to
[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
hci_recv_frame() with skb->len already pulled to 0. If the byte
happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
fast-path in hci_dev_classify_pkt_type() dereferences
hci_acl_hdr(skb)->handle whenever the HCI device has an active
CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
uninitialized RX-buffer data. The same hazard exists for every
packet type the driver accepts because none of the switch cases in
virtbt_rx_handle() check skb->len against the per-type minimum HCI
header size before handing the frame to the core.

After stripping pkt_type, require skb->len to cover the fixed
header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
before calling hci_recv_frame(); drop ratelimited otherwise.
Unknown pkt_type values still take the original kfree_skb() default
path.

Use bt_dev_err_ratelimited() because both the length and pkt_type
values come from an untrusted backend that can otherwise flood the
kernel log.

Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
Cc: stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/virtio_bt.c |   23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

--- a/drivers/bluetooth/virtio_bt.c
+++ b/drivers/bluetooth/virtio_bt.c
@@ -198,6 +198,7 @@ static int virtbt_shutdown_generic(struc
 
 static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
 {
+	size_t min_hdr;
 	__u8 pkt_type;
 
 	pkt_type = *((__u8 *) skb->data);
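Review bot: the `pkt_type = *((__u8 *) skb->data);` read shown as context here still assumes skb->len >= 1; per the commit message that only holds because the preceding patch clamps used.len to [1, VIRTBT_RX_BUF_SIZE], so this function is safe in combination, not on its own. A local `if (!skb->len) { kfree_skb(skb); return; }` before the read would make virtbt_rx_handle() self-contained and lets this patch be backported independently of 068/270.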
@@ -205,16 +206,32 @@ static void virtbt_rx_handle(struct virt
 
 	switch (pkt_type) {
 	case HCI_EVENT_PKT:
+		min_hdr = sizeof(struct hci_event_hdr);
+		break;
 	case HCI_ACLDATA_PKT:
+		min_hdr = sizeof(struct hci_acl_hdr);
+		break;
 	case HCI_SCODATA_PKT:
+		min_hdr = sizeof(struct hci_sco_hdr);
+		break;
 	case HCI_ISODATA_PKT:
-		hci_skb_pkt_type(skb) = pkt_type;
-		hci_recv_frame(vbt->hdev, skb);
+		min_hdr = sizeof(struct hci_iso_hdr);
 		break;
 	default:
 		kfree_skb(skb);
-		break;
+		return;
 	}
+
+	if (skb->len < min_hdr) {
+		bt_dev_err_ratelimited(vbt->hdev,
+				       "rx pkt_type 0x%02x payload %u < hdr %zu\n",
+				       pkt_type, skb->len, min_hdr);
+		kfree_skb(skb);
+		return;
+	}
+
+	hci_skb_pkt_type(skb) = pkt_type;
+	hci_recv_frame(vbt->hdev, skb);
 }
 
 static void virtbt_rx_work(struct work_struct *work)
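Review bot: the format string `"rx pkt_type 0x%02x payload %u < hdr %zu\n"` ends in a newline, but bt_dev_err_ratelimited() expands through the BT_ERR_RATELIMITED() macro, which already appends "\n", so every drop logs an extra blank line; the other bt_dev_err() calls in this series (btmtk, hci_event) omit it. Drop the trailing "\n". The structure itself is right: unknown types still take the original default kfree_skb() path, and the single `skb->len < min_hdr` check covers all four accepted types after pkt_type has been stripped, as the commit message describes.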




* [PATCH 6.18 070/270] Bluetooth: btmtk: validate WMT event SKB length before struct access
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 069/270] Bluetooth: virtio_bt: validate rx pkt_type header length Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 071/270] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tristan Madani,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit 634a4408c0615c523cf7531790f4f14a422b9206 upstream.

btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first checking that the SKB contains enough data.
A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skb_pull_data() to validate and advance past the base WMT event
header. For the FUNC_CTRL case, pull the additional status field bytes
before accessing them.

Fixes: d019930b0049 ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/btmtk.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -654,8 +654,13 @@ static int btmtk_usb_hci_wmt_sync(struct
 	if (data->evt_skb == NULL)
 		goto err_free_wc;
 
-	/* Parse and handle the return WMT event */
-	wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
+	wmt_evt = skb_pull_data(data->evt_skb, sizeof(*wmt_evt));
+	if (!wmt_evt) {
+		bt_dev_err(hdev, "WMT event too short (%u bytes)",
+			   data->evt_skb->len);
+		err = -EINVAL;
+		goto err_free_skb;
+	}
 	if (wmt_evt->whdr.op != hdr->op) {
 		bt_dev_err(hdev, "Wrong op received %d expected %d",
 			   wmt_evt->whdr.op, hdr->op);
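Review bot: the new `goto err_free_skb` in the `if (!wmt_evt)` branch is only correct if that label frees data->evt_skb the same way the existing wrong-op path (just below, not shown) does; please confirm it is the same label. Printing `data->evt_skb->len` after the failed pull is fine, because skb_pull_data() leaves the skb untouched when it returns NULL, so the logged value is the real response length. The deleted `/* Parse and handle the return WMT event */` comment was the only explanation of what follows; keep it above the pull.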
@@ -671,6 +676,12 @@ static int btmtk_usb_hci_wmt_sync(struct
 			status = BTMTK_WMT_PATCH_DONE;
 		break;
 	case BTMTK_WMT_FUNC_CTRL:
+		if (!skb_pull_data(data->evt_skb,
+				   sizeof(wmt_evt_funcc->status))) {
+			err = -EINVAL;
+			goto err_free_skb;
+		}
+
 		wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
 		if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
 			status = BTMTK_WMT_ON_DONE;
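Review bot: the pull at `if (!skb_pull_data(data->evt_skb, sizeof(wmt_evt_funcc->status)))` discards the returned pointer and then reaches status through `(struct btmtk_hci_wmt_evt_funcc *)wmt_evt`, which relies on btmtk_hci_wmt_evt_funcc being exactly the packed 7-byte event immediately followed by the 2-byte status (the 7/9 byte sizes the commit message quotes). That holds, but `sizeof(*wmt_evt_funcc) - sizeof(*wmt_evt)` would state the invariant in code rather than in the reviewer's head. The short-status path also fails silently with -EINVAL while the short-header path logs; add a matching bt_dev_err() so a misbehaving firmware is visible.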



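A user-space model of the checks the two Bluetooth patches above (069/270 virtio_bt and 070/270 btmtk) add, written for this review and not taken from either driver or the kernel: a skb_pull_data()-style bounded pull, the per-type minimum HCI header table, and the two-stage WMT header-then-status pull. The header sizes are the ones quoted in the commit messages; the sample frames, the WMT field names and the FUNC_CTRL opcode value 0x06 are this example's own assumptions.

```c
/* Added example, not code from the kernel or either driver: bounded header
 * pulls on untrusted HCI frames. Sizes follow the two commit messages;
 * sample frames below are constructed. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_ACLDATA_PKT 0x02
#define HCI_SCODATA_PKT 0x03
#define HCI_EVENT_PKT   0x04
#define HCI_ISODATA_PKT 0x05

/* Stand-in for a linear sk_buff: a cursor over a bounded byte range. */
struct buf {
	const uint8_t *data;
	size_t len;
};

/* Same contract as skb_pull_data(): return the start of the next n bytes
 * and advance, or return NULL and leave the cursor untouched. */
static const void *buf_pull(struct buf *b, size_t n)
{
	const uint8_t *p = b->data;

	if (b->len < n)
		return NULL;
	b->data += n;
	b->len -= n;
	return p;
}

/* Fixed header that must follow the pkt_type byte (0 = unknown type),
 * mirroring the switch the virtio_bt fix adds. */
static size_t hci_min_hdr(uint8_t pkt_type)
{
	switch (pkt_type) {
	case HCI_EVENT_PKT:   return 2; /* evt, plen */
	case HCI_ACLDATA_PKT: return 4; /* handle+flags, dlen */
	case HCI_SCODATA_PKT: return 3; /* handle, dlen */
	case HCI_ISODATA_PKT: return 4; /* handle+flags, dlen */
	default:              return 0;
	}
}

/* What virtbt_rx_handle() decides for a completion of `len` bytes: the
 * pkt_type to hand to the core, -1 = unknown type, -2 = too short. */
static int hci_rx_classify(const uint8_t *frame, size_t len)
{
	struct buf b = { frame, len };
	const uint8_t *type = buf_pull(&b, 1);

	if (!type)
		return -2;	/* empty completion: no type byte at all */
	if (!hci_min_hdr(*type))
		return -1;	/* unknown pkt_type: kfree_skb() path */
	if (!buf_pull(&b, hci_min_hdr(*type)))
		return -2;	/* header would extend past the frame */
	return *type;
}

/* btmtk WMT event: 2-byte HCI event header + 5-byte WMT header (7 bytes);
 * FUNC_CTRL responses carry a big-endian u16 status after it. Field names
 * here are this example's own. */
struct __attribute__((packed)) wmt_evt {
	uint8_t  evt, plen;	/* HCI event header */
	uint8_t  dir, op;	/* WMT header ... */
	uint16_t dlen;		/* ... little-endian payload length ... */
	uint8_t  flag;		/* ... and flag */
};

/* FUNC_CTRL status, or -1 on a short frame or an op mismatch. The two
 * status bytes are pulled only after the header pull has succeeded. */
static int wmt_funcc_status(const uint8_t *frame, size_t len, uint8_t want_op)
{
	struct buf b = { frame, len };
	const struct wmt_evt *evt = buf_pull(&b, sizeof(*evt));
	const uint8_t *st;

	if (!evt || evt->op != want_op)
		return -1;
	st = buf_pull(&b, 2);	/* sizeof(status): the pull the fix adds */
	if (!st)
		return -1;
	return (st[0] << 8) | st[1];
}

/* Constructed sample frames; first byte of the HCI ones is pkt_type.
 * WMT op 0x06 is assumed to be FUNC_CTRL for this example. */
static const uint8_t acl_one_byte[] = { HCI_ACLDATA_PKT };
static const uint8_t sco_short[]    = { HCI_SCODATA_PKT, 0x01, 0x00 };
static const uint8_t evt_ok[]       = { HCI_EVENT_PKT, 0x0e, 0x00 };
static const uint8_t iso_ok[]       = { HCI_ISODATA_PKT, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t unknown_type[] = { 0x09, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t wmt_short[]    = { 0xe4, 0x05, 0x02, 0x06, 0x00, 0x00, 0x00 };
static const uint8_t wmt_ok[]       = { 0xe4, 0x07, 0x02, 0x06, 0x02, 0x00, 0x00, 0x04, 0x04 };

int main(void)
{
	printf("1-byte ACL: %d  short SCO: %d  event: %d  ISO: %d  unknown: %d\n",
	       hci_rx_classify(acl_one_byte, sizeof acl_one_byte),
	       hci_rx_classify(sco_short, sizeof sco_short),
	       hci_rx_classify(evt_ok, sizeof evt_ok),
	       hci_rx_classify(iso_ok, sizeof iso_ok),
	       hci_rx_classify(unknown_type, sizeof unknown_type));
	printf("WMT short: %d  WMT ok: 0x%x\n",
	       wmt_funcc_status(wmt_short, sizeof wmt_short, 0x06),
	       wmt_funcc_status(wmt_ok, sizeof wmt_ok, 0x06));
	return 0;
}
```

The two inputs worth watching are `acl_one_byte` and `wmt_short`: they are exactly the completions the commit messages describe, a one-byte ACL frame whose header would be read from uninitialised buffer memory, and a 7-byte WMT response whose FUNC_CTRL status lies in skb tailroom. Both are rejected before any struct field past the verified length is touched.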

* [PATCH 6.18 071/270] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 070/270] Bluetooth: btmtk: validate WMT event SKB length before struct access Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 072/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, ZhiTao Ou, Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

commit 5ddb8014261137cadaf83ab5617a588d80a22586 upstream.

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
iteration.  However, there is no check that i stays within ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer
bis_handle entries than there are BT_BOUND connections for that BIG,
or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
array into adjacent heap memory.  Since the out-of-bounds values
typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
rejects them and the connection remains in BT_BOUND state.  The same
connection is then found again by hci_conn_hash_lookup_big_state(),
creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG in case not all BIS could be set up
properly.

Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
Cc: stable@vger.kernel.org
Signed-off-by: ZhiTao Ou <hkbinbinbin@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_event.c |   27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6973,9 +6973,29 @@ static void hci_le_create_big_complete_e
 			continue;
 		}
 
+		if (ev->num_bis <= i) {
+			bt_dev_err(hdev,
+				   "Not enough BIS handles for BIG 0x%2.2x",
+				   ev->handle);
+			ev->status = HCI_ERROR_UNSPECIFIED;
+			hci_connect_cfm(conn, ev->status);
+			hci_conn_del(conn);
+			continue;
+		}
+
 		if (hci_conn_set_handle(conn,
-					__le16_to_cpu(ev->bis_handle[i++])))
+					__le16_to_cpu(ev->bis_handle[i++]))) {
+			bt_dev_err(hdev,
+				   "Failed to set BIS handle for BIG 0x%2.2x",
+				   ev->handle);
+			/* Force error so BIG gets terminated as not all BIS
+			 * could be connected.
+			 */
+			ev->status = HCI_ERROR_UNSPECIFIED;
+			hci_connect_cfm(conn, ev->status);
+			hci_conn_del(conn);
 			continue;
+		}
 
 		conn->state = BT_CONNECTED;
 		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
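Review bot: both new error paths write HCI_ERROR_UNSPECIFIED into `ev->status`, i.e. into the received event's skb data, to carry the failure to the code after the loop. It works because the remaining BT_BOUND connections then take the existing non-zero-status branch (the `continue; }` at the top of the hunk), so the "Not enough BIS handles" message fires only once, but it overloads a controller-supplied field with driver state; a local `u8 status` initialised from ev->status and used for both the branch and the cfm calls would be clearer. The `ev->num_bis <= i` bound itself is correct and closes the read past the flex array described in the commit message.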
@@ -6984,7 +7004,10 @@ static void hci_le_create_big_complete_e
 		hci_iso_setup_path(conn);
 	}
 
-	if (!ev->status && !i)
+	/* If there is an unexpected error or if no BISes have been connected
+	 * for the BIG, terminate it.
+	 */
+	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
 		/* If no BISes have been connected for the BIG,
 		 * terminate. This is in case all bound connections
 		 * have been closed before the BIG creation
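Review bot: `ev->status == HCI_ERROR_UNSPECIFIED` cannot tell the value written by the loop above from a genuine 0x1f Unspecified Error reported by the controller in the event itself; in the latter case the controller never created the BIG, yet this condition now sends a terminate for it. A dedicated local flag set by the loop avoids that ambiguity. The retained comment below ("If no BISes have been connected for the BIG, terminate...") now describes only the second half of the condition; fold the new comment into it.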



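A user-space model of the bounded bis_handle[] walk in patch 071/270 above, added for this review and not taken from net/bluetooth/hci_event.c. It goes one step beyond the hunk on purpose: it also checks that the event actually carries num_bis handles before indexing any of them, and it keeps the "force terminate" decision in a local flag instead of overwriting the event's status field. The trimmed event layout, the connection table and the sample events are constructed for the example.

```c
/* Added example, not kernel code: bounded walk over a LE Create BIG
 * Complete event's handle array. Event layout is trimmed to the fields
 * the handler uses; connection table and events are constructed. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_CONN_HANDLE_MAX   0x0eff
#define HCI_ERROR_UNSPECIFIED 0x1f
#define EV_FIXED_LEN 3	/* status, BIG handle, num_bis; then le16 handles */
#define NCONN 4
enum { BT_BOUND = 1, BT_CONNECTED = 2, BT_CLOSED = 3 };

struct conn {
	uint8_t  big;		/* BIG handle this BIS belongs to */
	int      state;
	uint16_t handle;	/* set once the controller assigned one */
};

struct result {
	int  connected;		/* BISes moved to BT_CONNECTED */
	int  failed;		/* BISes torn down for lack of a usable handle */
	bool terminate;		/* handler would send LE Terminate BIG */
};

/* First BT_BOUND conn of `big`, like hci_conn_hash_lookup_big_state(). */
static struct conn *lookup_bound(struct conn *c, size_t n, uint8_t big)
{
	for (size_t i = 0; i < n; i++)
		if (c[i].big == big && c[i].state == BT_BOUND)
			return &c[i];
	return NULL;
}

/* Returns false when num_bis promises more handles than the event carries
 * (caller drops the event); otherwise fills *r. Two bounds are enforced:
 * the byte length against num_bis, and the running index against num_bis. */
static bool create_big_complete(struct conn *conns, size_t n,
				const uint8_t *ev, size_t len, struct result *r)
{
	bool forced = false;	/* local flag instead of rewriting ev->status */
	size_t i = 0;
	uint8_t status, big, num_bis;
	struct conn *c;

	*r = (struct result){ 0 };
	if (len < EV_FIXED_LEN)
		return false;
	status = ev[0];
	big = ev[1];
	num_bis = ev[2];
	if (len - EV_FIXED_LEN < (size_t)num_bis * 2)
		return false;

	while ((c = lookup_bound(conns, n, big))) {
		if (status) {		/* controller failure: tear every BIS down */
			c->state = BT_CLOSED;
			continue;
		}
		/* The fix: never read handle i for i >= num_bis. Without it the
		 * read walks past the event, the garbage handle is rejected, the
		 * conn stays BT_BOUND and lookup_bound() returns it forever. */
		if (i < num_bis) {
			const uint8_t *p = ev + EV_FIXED_LEN + 2 * i++;
			uint16_t h = (uint16_t)(p[0] | (p[1] << 8));

			if (h <= HCI_CONN_HANDLE_MAX) {	/* hci_conn_set_handle() ok */
				c->handle = h;
				c->state = BT_CONNECTED;
				r->connected++;
				continue;
			}
		}
		/* Out of handles, or the handle would be rejected: fail the BIS
		 * instead of leaving it bound to be found again. */
		c->state = BT_CLOSED;
		r->failed++;
		status = HCI_ERROR_UNSPECIFIED;
		forced = true;
	}
	r->terminate = forced || (!status && !i);
	return true;
}

/* Runs one event against a fresh table (three bound BISes in BIG 1, one in
 * BIG 2 that must stay untouched) and packs the outcome as
 * connected*100 + failed*10 + terminate; -1 = malformed, -2 = BIG 2 touched. */
static int scenario(const uint8_t *ev, size_t len)
{
	struct conn t[NCONN];
	struct result r;

	for (int k = 0; k < NCONN; k++)
		t[k] = (struct conn){ .big = k < 3 ? 1 : 2, .state = BT_BOUND };
	if (!create_big_complete(t, NCONN, ev, len, &r))
		return -1;
	if (t[NCONN - 1].state != BT_BOUND)
		return -2;
	return r.connected * 100 + r.failed * 10 + (r.terminate ? 1 : 0);
}

/* Constructed events for BIG 1. */
static const uint8_t ev_all_three[]    = { 0x00, 0x01, 0x03, 0x10, 0x00, 0x11, 0x00, 0x12, 0x00 };
static const uint8_t ev_two_of_three[] = { 0x00, 0x01, 0x02, 0x10, 0x00, 0x11, 0x00 };
static const uint8_t ev_zero_bis[]     = { 0x00, 0x01, 0x00 };
static const uint8_t ev_bad_handle[]   = { 0x00, 0x01, 0x03, 0x10, 0x00, 0x00, 0xf0, 0x12, 0x00 };
static const uint8_t ev_ctrl_error[]   = { 0x08, 0x01, 0x00 };
static const uint8_t ev_truncated[]    = { 0x00, 0x01, 0x04, 0x10, 0x00, 0x11, 0x00 };

int main(void)
{
	printf("all three: %d  two of three: %d  num_bis=0: %d\n",
	       scenario(ev_all_three, sizeof ev_all_three),
	       scenario(ev_two_of_three, sizeof ev_two_of_three),
	       scenario(ev_zero_bis, sizeof ev_zero_bis));
	printf("bad handle: %d  controller error: %d  truncated: %d\n",
	       scenario(ev_bad_handle, sizeof ev_bad_handle),
	       scenario(ev_ctrl_error, sizeof ev_ctrl_error),
	       scenario(ev_truncated, sizeof ev_truncated));
	return 0;
}
```

The `ev_two_of_three` and `ev_zero_bis` cases are the two shapes the commit message names (fewer handles than bound connections, and num_bis=0); both terminate after one pass because the unserved BIS is closed rather than left in BT_BOUND, and both flag the BIG for termination. `ev_bad_handle` shows the other way a rejected handle would previously have stalled the loop.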

* [PATCH 6.18 072/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 071/270] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 073/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1480,6 +1480,9 @@ static struct l2cap_chan *l2cap_sock_new
 {
 	struct sock *sk, *parent = chan->data;
 
+	if (!parent)
+		return NULL;
+
 	lock_sock(parent);
 
 	/* Check for backlog size */
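Review bot: returning NULL from l2cap_sock_new_connection_cb() is a rejection from the point of view of every chan->ops->new_connection caller, so the commit message should state that those callers already treat NULL as "refuse the connection"; that is what makes this a safe early return rather than a new failure mode. The guard is also check-then-use: `chan->data` is read without synchronisation against whoever clears it on socket release, so it closes the observed crash only if that clearing happens under the same channel lock this callback runs with. Worth saying explicitly instead of leaving it implied by "same guard as resume_cb/ready_cb".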




* [PATCH 6.18 073/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 072/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 074/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1643,6 +1643,9 @@ static void l2cap_sock_state_change_cb(s
 {
 	struct sock *sk = chan->data;
 
+	if (!sk)
+		return;
+
 	sk->sk_state = state;
 
 	if (err)
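Review bot: when `sk` is NULL the state change (and the `err` that follows it) is silently dropped, so the channel state the core keeps and the socket state can diverge with no trace. A short comment that the socket is already gone and the channel is being torn down, or a bt_dev_dbg(), would tell the next reader this is expected rather than a lost event.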




* [PATCH 6.18 074/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 073/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 075/270] rust: drm: gem: clean up GEM state in init failure case Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1747,6 +1747,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
 {
 	struct sock *sk = chan->data;
 
+	if (!sk)
+		return 0;
+
 	return READ_ONCE(sk->sk_sndtimeo);
 }
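Review bot: `return 0` for a missing socket gives the caller a value that sk_sndtimeo itself never defaults to (its default is "no timeout", MAX_SCHEDULE_TIMEOUT), so this is only safe if every caller treats 0 as "use a default wait" rather than "do not wait"; as far as I can see __l2cap_wait_ack() does substitute L2CAP_WAIT_ACK_TIMEOUT for 0, but since this callback is the only source of the value the commit message should spell that out.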
 




* [PATCH 6.18 075/270] rust: drm: gem: clean up GEM state in init failure case
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 074/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 076/270] rust: allow `clippy::collapsible_match` globally Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eliot Courtney, Alice Ryhl,
	Onur Özkan, Danilo Krummrich

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eliot Courtney <ecourtney@nvidia.com>

commit 2e42a17b8f6bc3c0cd69d7556b588011d3ec2394 upstream.

Currently, if `drm_gem_object_init` fails, the object is freed without
any cleanup. Perform the cleanup in that case.

Cc: stable@vger.kernel.org
Fixes: c284d3e42338 ("rust: drm: gem: Add GEM object abstraction")
Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Onur Özkan <work@onurozkan.dev>
Link: https://patch.msgid.link/20260423-fix-gem-1-v1-1-e12e35f7bba9@nvidia.com
[ Move safety comment closer to unsafe block to avoid a clippy warning.
  - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 rust/kernel/drm/gem/mod.rs |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/rust/kernel/drm/gem/mod.rs
+++ b/rust/kernel/drm/gem/mod.rs
@@ -232,8 +232,17 @@ impl<T: DriverObject> Object<T> {
         // SAFETY: `obj.as_raw()` is guaranteed to be valid by the initialization above.
         unsafe { (*obj.as_raw()).funcs = &Self::OBJECT_FUNCS };
 
-        // SAFETY: The arguments are all valid per the type invariants.
-        to_result(unsafe { bindings::drm_gem_object_init(dev.as_raw(), obj.obj.get(), size) })?;
+        if let Err(err) =
+            // SAFETY: The arguments are all valid per the type invariants.
+            to_result(unsafe {
+                bindings::drm_gem_object_init(dev.as_raw(), obj.obj.get(), size)
+            })
+        {
+            // SAFETY: `drm_gem_object_init()` initializes the private GEM object state before
+            // failing, so `drm_gem_private_object_fini()` is the matching cleanup.
+            unsafe { bindings::drm_gem_private_object_fini(obj.obj.get()) };
+            return Err(err);
+        }
 
         // SAFETY: We never move out of `Self`.
         let ptr = KBox::into_raw(unsafe { Pin::into_inner_unchecked(obj) });
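Review bot: the SAFETY comment on the new cleanup asserts that `drm_gem_object_init()` leaves the private GEM state initialised, and does not fini it itself, when it fails. That is a contract of the C function, not something this file can guarantee, so cite where it is documented (or the line in drm_gem.c); otherwise a later change to drm_gem_object_init()'s error path silently turns this into a double drm_gem_private_object_fini(). Placing `// SAFETY:` between `if let Err(err) =` and the expression, as the bracketed note says was done to appease clippy, reads oddly; a `let res = to_result(...)` binding with the comment above it avoids the contortion.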




* [PATCH 6.18 076/270] rust: allow `clippy::collapsible_match` globally
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 075/270] rust: drm: gem: clean up GEM state in init failure case Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 077/270] rust: allow `clippy::collapsible_if` globally Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gary Guo, Miguel Ojeda

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miguel Ojeda <ojeda@kernel.org>

commit 838d852da8503372f3a1779bfbd1ccb93153ab4e upstream.

The `clippy::collapsible_match` lint [1] can make code harder to read
in certain cases [2], e.g.

      CLIPPY P rust/libmacros.so - due to command line change
    warning: this `if` can be collapsed into the outer `match`
      --> rust/pin-init/internal/src/helpers.rs:91:17
       |
    91 | /                 if nesting == 1 {
    92 | |                     impl_generics.push(tt.clone());
    93 | |                     impl_generics.push(tt);
    94 | |                     skip_until_comma = false;
    95 | |                 }
       | |_________________^
       |
       = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
       = note: `-W clippy::collapsible-match` implied by `-W clippy::all`
       = help: to override `-W clippy::all` add `#[allow(clippy::collapsible_match)]`
    help: collapse nested if block
       |
    90 ~             TokenTree::Punct(p) if skip_until_comma && p.as_char() == ','
    91 ~                 && nesting == 1 => {
    92 |                     impl_generics.push(tt.clone());
    93 |                     impl_generics.push(tt);
    94 |                     skip_until_comma = false;
    95 ~                 }
       |

The lint does not have much upside -- when the suggestion may be a good
one, it would still read fine when nested anyway. And it is the kind of
lint that may easily bias people to just apply the suggestion instead
of allowing it.

[ In addition, as Gary points out [3], the suggestion is also wrong [4] and
  in the process of being fixed [5], possibly for Rust 1.97.0:

  Link: https://lore.kernel.org/rust-for-linux/DI3YV94TH9I3.1SOHW51552497@garyguo.net/ [3]
  Link: https://github.com/rust-lang/rust-clippy/issues/16875 [4]
  Link: https://github.com/rust-lang/rust-clippy/pull/16878 [5]

    - Miguel ]

Thus just let developers decide on their own.

Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match [1]
Link: https://lore.kernel.org/rust-for-linux/CANiq72nWYJna_hdFxjQCQZK6yJBrr1Mb86iKavivV0U0BgufeA@mail.gmail.com/ [2]
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260426144201.227108-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Makefile |    1 +
 1 file changed, 1 insertion(+)

--- a/Makefile
+++ b/Makefile
@@ -483,6 +483,7 @@ export rust_common_flags := --edition=20
 			    -Wclippy::as_ptr_cast_mut \
 			    -Wclippy::as_underscore \
 			    -Wclippy::cast_lossless \
+			    -Aclippy::collapsible_match \
 			    -Wclippy::ignored_unit_patterns \
 			    -Wclippy::mut_mut \
 			    -Wclippy::needless_bitwise_bool \
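Review bot: `-Aclippy::collapsible_match` only takes effect if it comes after the `-Wclippy::all` that implies the lint, since rustc resolves lint-level flags in command-line order; this list is kept alphabetical, so please confirm `-Wclippy::all` precedes it in rust_common_flags rather than relying on the alphabetical slot happening to be late enough.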




* [PATCH 6.18 077/270] rust: allow `clippy::collapsible_if` globally
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 076/270] rust: allow `clippy::collapsible_match` globally Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:37 ` [PATCH 6.18 078/270] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gary Guo, Miguel Ojeda

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miguel Ojeda <ojeda@kernel.org>

commit 2adc8664018c1cc595c7c0c98474a33c7fe32a85 upstream.

Similar to `clippy::collapsible_match` (globally allowed in the previous
commit), the `clippy::collapsible_if` lint [1] can make code harder to
read in certain cases.

Thus just let developers decide on their own.

In addition, remove the existing `expect` we had.

Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Suggested-by: Gary Guo <gary@garyguo.net>
Link: https://lore.kernel.org/rust-for-linux/DGROP5CHU1QZ.1OKJRAUZXE9WC@garyguo.net/
Link: https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if [1]
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260426144201.227108-2-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Makefile                                    |    1 +
 drivers/android/binder/range_alloc/array.rs |    1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/Makefile
+++ b/Makefile
@@ -483,6 +483,7 @@ export rust_common_flags := --edition=20
 			    -Wclippy::as_ptr_cast_mut \
 			    -Wclippy::as_underscore \
 			    -Wclippy::cast_lossless \
+			    -Aclippy::collapsible_if \
 			    -Aclippy::collapsible_match \
 			    -Wclippy::ignored_unit_patterns \
 			    -Wclippy::mut_mut \
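Review bot: the context line `-Aclippy::collapsible_match \` means this hunk only applies on top of 076/270; the series order satisfies that, but the two should travel together in any further backport, as the commit message's "previous commit" reference also assumes.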
--- a/drivers/android/binder/range_alloc/array.rs
+++ b/drivers/android/binder/range_alloc/array.rs
@@ -204,7 +204,6 @@ impl<T> ArrayRangeAllocator<T> {
         // caller will mark them as unused, which means that they can be freed if the system comes
         // under memory pressure.
         let mut freed_range = FreedRange::interior_pages(offset, size);
-        #[expect(clippy::collapsible_if)] // reads better like this
         if offset % PAGE_SIZE != 0 {
             if i == 0 || self.ranges[i - 1].endpoint() <= (offset & PAGE_MASK) {
                 freed_range.start_page_idx -= 1;
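Review bot: the removed `#[expect(clippy::collapsible_if)] // reads better like this` was also the only note recording that the nested `if` is intentional; with the lint allowed globally a plain `// reads better like this` comment would keep that intent visible and stop a future cleanup from collapsing it.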




* [PATCH 6.18 078/270] spi: syncuacer: fix controller deregistration
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 077/270] rust: allow `clippy::collapsible_if` globally Greg Kroah-Hartman
@ 2026-05-12 17:37 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 079/270] spi: sun4i: " Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:37 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masahisa Kojima, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 75d849c3452e9611de031db45b3149ba9a99035f upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform")
Cc: stable@vger.kernel.org	# 5.3
Cc: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-21-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-synquacer.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -719,7 +719,7 @@ static int synquacer_spi_probe(struct pl
 	pm_runtime_set_active(sspi->dev);
 	pm_runtime_enable(sspi->dev);
 
-	ret = devm_spi_register_controller(sspi->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto disable_pm;
 
@@ -740,9 +740,15 @@ static void synquacer_spi_remove(struct
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(sspi->dev);
 
 	clk_disable_unprepare(sspi->clk);
+
+	spi_controller_put(host);
 }
 
 static int __maybe_unused synquacer_spi_suspend(struct device *dev)
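Review bot: the `spi_controller_get(host)` / `spi_controller_put(host)` pair deserves a one-line comment: spi_unregister_controller() drops the registration reference, and `sspi` is the controller's devdata, so without the extra reference `sspi->dev` and `sspi->clk` in the lines between would be used after free. Stating in the commit message that `pm_runtime_disable()` now runs only after no transfer can be queued (the reason for this ordering) would also help backporters judging the 5.3+ range.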




* [PATCH 6.18 079/270] spi: sun4i: fix controller deregistration
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2026-05-12 17:37 ` [PATCH 6.18 078/270] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 080/270] spi: ti-qspi: " Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 42108a2f03e0fdeabe9d02d085bdb058baa1189f upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b5f6517948cc ("spi: sunxi: Add Allwinner A10 SPI controller driver")
Cc: stable@vger.kernel.org	# 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun4i.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -505,7 +505,7 @@ static int sun4i_spi_probe(struct platfo
 	pm_runtime_enable(&pdev->dev);
 	pm_runtime_idle(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
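Review bot: with registration no longer devm-managed, any probe failure after `ret = spi_register_controller(host);` succeeds must now call spi_unregister_controller() before reaching `err_pm_disable`/`err_free_host` (the latter visible in the next hunk's header); this hunk only shows the registration-failure `goto`, so please confirm nothing between this point and `return 0` can still fail.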
@@ -523,7 +523,15 @@ err_free_host:
 
 static void sun4i_spi_remove(struct platform_device *pdev)
 {
+	struct spi_controller *host = platform_get_drvdata(pdev);
+
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_force_suspend(&pdev->dev);
+
+	spi_controller_put(host);
 }
 
 static const struct of_device_id sun4i_spi_match[] = {
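Review bot: `host` is fetched from drvdata here only to be unregistered, so the reason for the surrounding get/put is not obvious from the function: `pm_runtime_force_suspend()` invokes the driver's runtime-suspend callback, which reaches the controller through drvdata after the registration reference is gone. A brief comment would save the next reader a trip through spi.c.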




* [PATCH 6.18 080/270] spi: ti-qspi: fix controller deregistration
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 079/270] spi: sun4i: " Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 081/270] spi: sun6i: " Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
	Johan Hovold, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Note that the controller is suspended before disabling and releasing
resources since commit 3ac066e2227c ("spi: spi-ti-qspi: Suspend the
queue before removing the device") which avoids issues like unclocked
accesses but prevents SPI device drivers from doing I/O during
deregistration.

Fixes: 3b3a80019ff1 ("spi: ti-qspi: one only one interrupt handler")
Cc: stable@vger.kernel.org	# 3.13
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-24-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -889,7 +889,7 @@ no_dma:
 	qspi->mmap_enabled = false;
 	qspi->current_cs = -1;
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (!ret)
 		return 0;
 
@@ -904,19 +904,17 @@ free_host:
 static void ti_qspi_remove(struct platform_device *pdev)
 {
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
-	int rc;
 
-	rc = spi_controller_suspend(qspi->host);
-	if (rc) {
-		dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n",
-			  ERR_PTR(rc));
-		return;
-	}
+	spi_controller_get(qspi->host);
+
+	spi_unregister_controller(qspi->host);
 
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
 	ti_qspi_dma_cleanup(qspi);
+
+	spi_controller_put(qspi->host);
 }
 
 static const struct dev_pm_ops ti_qspi_pm_ops = {
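Review bot: dropping spi_controller_suspend() together with its `dev_alert()`/early return is justified because spi_unregister_controller() stops and destroys the message queue itself, so the queue is quiesced before `pm_runtime_put_sync()`; but the old early return also meant a failed suspend left the clocks running rather than risking an unclocked access, and the commit message should say explicitly that deregistration ordering now covers that case. `spi_controller_put()` after `ti_qspi_dma_cleanup(qspi)` is required since `qspi` lives in the controller's allocation.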




* [PATCH 6.18 081/270] spi: sun6i: fix controller deregistration
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 080/270] spi: ti-qspi: " Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 082/270] spi: zynqmp-gqspi: " Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver")
Cc: stable@vger.kernel.org	# 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-20-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun6i.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -743,7 +743,7 @@ static int sun6i_spi_probe(struct platfo
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
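Review bot: switching from devm_spi_register_controller() to spi_register_controller() at this call site means the controller is no longer unregistered automatically, so any error path that follows a successful registration later in sun6i_spi_probe() (outside the visible context) now needs an explicit spi_unregister_controller() before falling into `err_pm_disable`. The `goto err_pm_disable` on failure of the registration itself is correct, since nothing was registered at that point.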
@@ -769,12 +769,18 @@ static void sun6i_spi_remove(struct plat
 {
 	struct spi_controller *host = platform_get_drvdata(pdev);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_force_suspend(&pdev->dev);
 
 	if (host->dma_tx)
 		dma_release_channel(host->dma_tx);
 	if (host->dma_rx)
 		dma_release_channel(host->dma_rx);
+
+	spi_controller_put(host);
 }
 
 static const struct sun6i_spi_cfg sun6i_a31_spi_cfg = {
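Review bot: the spi_controller_get() before spi_unregister_controller() in sun6i_spi_remove() should be commented, because `host` is the platform drvdata and its dma_tx/dma_rx fields are still read after deregistration; without the extra reference, the put inside spi_unregister_controller() could free the controller before dma_release_channel() runs. The ordering is now what the commit message asks for (deregister first, then pm_runtime_force_suspend() and the DMA release), with spi_controller_put() as the final step.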




* [PATCH 6.18 082/270] spi: zynqmp-gqspi: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ranjit Waghmode, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
Cc: stable@vger.kernel.org	# 4.2: 64640f6c972e
Cc: stable@vger.kernel.org	# 4.2
Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynqmp-gqspi.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -1324,7 +1324,7 @@ static int zynqmp_qspi_probe(struct plat
 	ctlr->dev.of_node = np;
 	ctlr->auto_runtime_pm = true;
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret) {
 		dev_err(&pdev->dev, "spi_register_controller failed\n");
 		goto clk_dis_all;
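Review bot: as with the other devm_spi_register_controller() removals in this series, every failure path after this registration in zynqmp_qspi_probe() (not visible in the hunk) must now unregister the controller before reaching `clk_dis_all`, since the devm cleanup no longer does it. The `goto clk_dis_all` on failure of spi_register_controller() itself remains correct, and the "spi_register_controller failed" message now names the function actually called.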
@@ -1362,6 +1362,8 @@ static void zynqmp_qspi_remove(struct pl
 
 	pm_runtime_get_sync(&pdev->dev);
 
+	spi_unregister_controller(xqspi->ctlr);
+
 	zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
 
 	pm_runtime_disable(&pdev->dev);
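Review bot: unlike the sun6i change in this series, spi_unregister_controller(xqspi->ctlr) in zynqmp_qspi_remove() is not bracketed by spi_controller_get()/put() even though `xqspi` is still dereferenced afterwards in zynqmp_gqspi_write(). That is only safe if the controller allocation keeps its own reference until after remove() returns (a devm-managed allocation), which the prerequisite commit 64640f6c972e named in the stable Cc line presumably provides; a short comment here would record that dependency for anyone backporting further.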




* [PATCH 6.18 083/270] spi: s3c64xx: fix NULL-deref on driver unbind
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adithya K V, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 45daacbead8a009844bd5dba6cfa731332184d17 upstream.

A change moving DMA channel allocation from probe() back to
s3c64xx_spi_prepare_transfer() failed to remove the corresponding
deallocation from remove().

Drop the bogus DMA channel release from remove() to avoid triggering a
NULL-pointer dereference on driver unbind.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.

Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
Cc: stable@vger.kernel.org	# 6.0
Cc: Adithya K V <adithya.kv@samsung.com>
Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-s3c64xx.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1402,11 +1402,6 @@ static void s3c64xx_spi_remove(struct pl
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
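Review bot: removing the dma_release_channel() calls from s3c64xx_spi_remove() fixes the NULL dereference, but please confirm that the channels acquired in s3c64xx_spi_prepare_transfer() are released in the matching unprepare path, otherwise the fix trades a crash on unbind for a leaked DMA channel; the commit message only states that the allocation moved. Nothing in the hunk suggests the `if (!is_polling(sdd))` condition needs to survive in remove().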




* [PATCH 6.18 084/270] staging: vme_user: fix root device leak on init failure
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Martyn Welch, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.

Make sure to deregister and free the root device in case module
initialisation fails.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Cc: stable@vger.kernel.org	# 4.9
Cc: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/vme_user/vme_fake.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/vme_user/vme_fake.c
+++ b/drivers/staging/vme_user/vme_fake.c
@@ -1230,6 +1230,8 @@ err_master:
 err_driver:
 	kfree(fake_bridge);
 err_struct:
+	root_device_unregister(vme_root);
+
 	return retval;
 }
 
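Review bot: placing root_device_unregister(vme_root) under `err_struct` unwinds the root device on every earlier failure path that falls through `err_master` and `err_driver` into this label, which is the right shape, but verify that `err_struct` is only reachable after root_device_register() has succeeded; if a failed root_device_register() also jumps here, an error pointer would be passed to root_device_unregister(). Returning directly on that failure, or a dedicated label placed after the unregister, keeps the distinction explicit.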




* [PATCH 6.18 085/270] fanotify: fix false positive on permission events
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Miklos Szeredi, Jan Kara

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 7746e3bd4cc19b5092e00d32d676e329bfcb6900 upstream.

fsnotify_get_mark_safe() may return false for a mark on an unrelated group,
which results in bypassing the permission check.

Fix by skipping over detached marks that are not in the current group.

CC: stable@vger.kernel.org
Fixes: abc77577a669 ("fsnotify: Provide framework for dropping SRCU lock in ->handle_event")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://patch.msgid.link/20260410144950.156160-1-mszeredi@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/notify/fsnotify.c             |    2 +-
 fs/notify/mark.c                 |   18 +++++++++++-------
 include/linux/fsnotify_backend.h |    1 +
 3 files changed, 13 insertions(+), 8 deletions(-)

--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -444,7 +444,7 @@ static struct fsnotify_mark *fsnotify_fi
 	return hlist_entry_safe(node, struct fsnotify_mark, obj_list);
 }
 
-static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
+struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
 {
 	struct hlist_node *node = NULL;
 
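Review bot: dropping `static` from fsnotify_next_mark() exposes a list-walking helper that is only valid inside the fsnotify_mark_srcu read side, so the exported function should carry a comment stating that locking requirement (the header hunk adds only the bare prototype). Also check that fs/notify/fsnotify.c includes the header that now declares it, so -Wmissing-prototypes stays quiet for the newly non-static definition.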
--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
@@ -453,9 +453,6 @@ EXPORT_SYMBOL_GPL(fsnotify_put_mark);
  */
 static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
 {
-	if (!mark)
-		return true;
-
 	if (refcount_inc_not_zero(&mark->refcnt)) {
 		spin_lock(&mark->lock);
 		if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) {
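Review bot: removing the `!mark` early return from fsnotify_get_mark_safe() changes its contract to require a non-NULL mark; the caller in fsnotify_prepare_user_wait() now guards with `while (mark && ...)`, but since the function is static, grep mark.c for any other caller that previously relied on NULL being accepted and returning true.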
@@ -496,15 +493,22 @@ bool fsnotify_prepare_user_wait(struct f
 	int type;
 
 	fsnotify_foreach_iter_type(type) {
+		struct fsnotify_mark *mark = iter_info->marks[type];
+
 		/* This can fail if mark is being removed */
-		if (!fsnotify_get_mark_safe(iter_info->marks[type])) {
-			__release(&fsnotify_mark_srcu);
-			goto fail;
+		while (mark && !fsnotify_get_mark_safe(mark)) {
+			if (mark->group == iter_info->current_group) {
+				__release(&fsnotify_mark_srcu);
+				goto fail;
+			}
+			/* This is a mark in an unrelated group, skip */
+			mark = fsnotify_next_mark(mark);
+			iter_info->marks[type] = mark;
 		}
 	}
 
 	/*
-	 * Now that both marks are pinned by refcount in the inode / vfsmount
+	 * Now that all marks are pinned by refcount in the inode / vfsmount / etc
 	 * lists, we can drop SRCU lock, and safely resume the list iteration
 	 * once userspace returns.
 	 */
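Review bot: this loop is the actual fix and the security-relevant part: a detached mark belonging to an unrelated group used to make fsnotify_prepare_user_wait() fail, which per the commit message bypassed the permission check, and skipping such marks instead closes that bypass while a detached mark of the current group (`mark->group == iter_info->current_group`) still fails the wait as before. Two things worth confirming: the loop can leave `iter_info->marks[type]` NULL, which consumers of the iterator must tolerate (they did already, since the old code accepted a NULL mark), and the `fail` path still only releases marks pinned for earlier types, which stays consistent because a skipped mark was never pinned.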
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -912,6 +912,7 @@ extern void fsnotify_clear_marks_by_grou
 					  unsigned int obj_type);
 extern void fsnotify_get_mark(struct fsnotify_mark *mark);
 extern void fsnotify_put_mark(struct fsnotify_mark *mark);
+struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
 extern void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info);
 extern bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info);
 
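Review bot: style: the neighbouring declarations in fsnotify_backend.h use `extern`, so `extern struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);` would match the surrounding lines; a one-line comment noting that callers must hold the SRCU read lock would also help out-of-tree users of this header.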




* [PATCH 6.18 086/270] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fuad Tabba, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fuad Tabba <tabba@google.com>

commit d89fdda7dd8a488f922e1175e6782f781ba8a23b upstream.

The macro is defined with parameter 'v' but the body references the
literal token 'vcpu' instead, causing it to silently operate on whatever
'vcpu' resolves to in the caller's scope rather than the value passed by
the caller. All current call sites happen to use a variable named 'vcpu',
so the bug is latent.

Fixes: e016333745c7 ("KVM: arm64: Only reset vCPU-scoped feature ID regs once")
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260424084908.370776-5-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/kvm_host.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -1476,7 +1476,7 @@ static inline bool __vcpu_has_feature(co
 #define kvm_vcpu_has_feature(k, f)	__vcpu_has_feature(&(k)->arch, (f))
 #define vcpu_has_feature(v, f)	__vcpu_has_feature(&(v)->kvm->arch, (f))
 
-#define kvm_vcpu_initialized(v) vcpu_get_flag(vcpu, VCPU_INITIALIZED)
+#define kvm_vcpu_initialized(v) vcpu_get_flag(v, VCPU_INITIALIZED)
 
 int kvm_trng_call(struct kvm_vcpu *vcpu);
 #ifdef CONFIG_KVM
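Review bot: the fix to kvm_vcpu_initialized() is correct; for consistency with the neighbouring `(k)` and `(v)` macros, consider parenthesising the argument as `vcpu_get_flag((v), VCPU_INITIALIZED)` unless vcpu_get_flag() already does so. Since a macro body naming a caller-scope variable instead of its parameter is not something the compiler flags, a quick grep of this header for other `#define ...(v)` bodies that still mention `vcpu` is cheap insurance.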




* [PATCH 6.18 087/270] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
	Michael Walle, Pratyush Yadav, Miquel Raynal

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

commit e47029b977e747cb3a9174308fd55762cce70147 upstream.

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
	(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/debugfs.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mtd/spi-nor/debugfs.c
+++ b/drivers/mtd/spi-nor/debugfs.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include <linux/array_size.h>
 #include <linux/debugfs.h>
 #include <linux/mtd/spi-nor.h>
 #include <linux/spi/spi.h>
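Review bot: `#include <linux/array_size.h>` is the right home for ARRAY_SIZE() in 6.18, but since this patch is tagged for stable back to the 0257be79fc4a fix, backports to series older than 6.7 will have to take ARRAY_SIZE() from <linux/kernel.h> instead, as the dedicated header does not exist there.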
@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct se
 	seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes);
 
 	seq_puts(s, "flags\t\t");
-	spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));
+	spi_nor_print_flags(s, nor->flags, snor_f_names,
+			    ARRAY_SIZE(snor_f_names));
 	seq_puts(s, "\n");
 
 	seq_puts(s, "\nopcodes\n");
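Review bot: ARRAY_SIZE(snor_f_names) fixes the inflated bound, but the same sizeof-versus-count confusion can recur at any other spi_nor_print_flags() caller in this file, so check those too. A defensive follow-up would be a `static_assert()` next to the snor_f_names table tying its entry count to the number of SNOR_F_ bits, so that a flag added without a name entry fails at build time rather than reading past the array at runtime.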




* [PATCH 6.18 088/270] arm64: signal: Preserve POR_EL0 if poe_context is missing
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Kevin Brodsky,
	Catalin Marinas

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Brodsky <kevin.brodsky@arm.com>

commit 030e8a40fff65ca6ac1c04a4d3c08afe72438922 upstream.

Commit 2e8a1acea859 ("arm64: signal: Improve POR_EL0 handling to
avoid uaccess failures") delayed the write to POR_EL0 in
rt_sigreturn to avoid spurious uaccess failures. This change however
relies on the poe_context frame record being present: on a system
supporting POE, calling sigreturn without a poe_context record now
results in writing arbitrary data from the kernel stack into POR_EL0.

Fix this by adding a __valid_fields member to struct
user_access_state, and zeroing the struct on allocation.
restore_poe_context() then indicates that the por_el0 field is valid
by setting the corresponding bit in __valid_fields, and
restore_user_access_state() only touches POR_EL0 if there is a valid
value to set it to. This is in line with how POR_EL0 was originally
handled; all frame records are currently optional, except
fpsimd_context.

To ensure that __valid_fields is kept in sync, fields (currently
just por_el0) are now accessed via accessors and prefixed with __ to
discourage direct access.

Fixes: 2e8a1acea859 ("arm64: signal: Improve POR_EL0 handling to avoid uaccess failures")
Cc: <stable@vger.kernel.org>
Reported-by: Will Deacon <will@kernel.org>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/signal.c |   54 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 43 insertions(+), 11 deletions(-)

--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -67,6 +67,9 @@ struct rt_sigframe_user_layout {
 	unsigned long end_offset;
 };
 
+#define TERMINATOR_SIZE round_up(sizeof(struct _aarch64_ctx), 16)
+#define EXTRA_CONTEXT_SIZE round_up(sizeof(struct extra_context), 16)
+
 /*
  * Holds any EL0-controlled state that influences unprivileged memory accesses.
  * This includes both accesses done in userspace and uaccess done in the kernel.
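Review bot: moving TERMINATOR_SIZE and EXTRA_CONTEXT_SIZE above struct user_access_state is a pure relocation so the new accessors can sit next to the struct; there is no functional concern, but it adds noise to a stable fix and could have gone in a separate cleanup.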
@@ -74,13 +77,35 @@ struct rt_sigframe_user_layout {
  * This state needs to be carefully managed to ensure that it doesn't cause
  * uaccess to fail when setting up the signal frame, and the signal handler
  * itself also expects a well-defined state when entered.
+ *
+ * The struct should be zero-initialised. Its members should only be accessed
+ * via the accessors below. __valid_fields tracks which of the fields are valid
+ * (have been set to some value).
  */
 struct user_access_state {
-	u64 por_el0;
+	unsigned int __valid_fields;
+	u64 __por_el0;
 };
 
-#define TERMINATOR_SIZE round_up(sizeof(struct _aarch64_ctx), 16)
-#define EXTRA_CONTEXT_SIZE round_up(sizeof(struct extra_context), 16)
+#define UA_STATE_HAS_POR_EL0	BIT(0)
+
+static void set_ua_state_por_el0(struct user_access_state *ua_state,
+				 u64 por_el0)
+{
+	ua_state->__por_el0 = por_el0;
+	ua_state->__valid_fields |= UA_STATE_HAS_POR_EL0;
+}
+
+static int get_ua_state_por_el0(const struct user_access_state *ua_state,
+				u64 *por_el0)
+{
+	if (ua_state->__valid_fields & UA_STATE_HAS_POR_EL0) {
+		*por_el0 = ua_state->__por_el0;
+		return 0;
+	}
+
+	return -ENOENT;
+}
 
 /*
  * Save the user access state into ua_state and reset it to disable any
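Review bot: the accessor pair is the right design, but get_ua_state_por_el0() returning -ENOENT for "not set" relies entirely on callers zero-initialising the struct, and the struct comment's "should be zero-initialised" reads as advice rather than a requirement; state explicitly that a non-zeroed instance is undefined for the accessors. `unsigned int __valid_fields` with `UA_STATE_HAS_POR_EL0 BIT(0)` leaves room for further fields, which is fine.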
@@ -94,7 +119,7 @@ static void save_reset_user_access_state
 		for (int pkey = 0; pkey < arch_max_pkey(); pkey++)
 			por_enable_all |= POR_ELx_PERM_PREP(pkey, POE_RWX);
 
-		ua_state->por_el0 = read_sysreg_s(SYS_POR_EL0);
+		set_ua_state_por_el0(ua_state, read_sysreg_s(SYS_POR_EL0));
 		write_sysreg_s(por_enable_all, SYS_POR_EL0);
 		/*
 		 * No ISB required as we can tolerate spurious Overlay faults -
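Review bot: the set_ua_state_por_el0() call in save_reset_user_access_state() is only reached on POE-capable systems (the enclosing condition lies outside the hunk), which is what makes dropping the system_supports_poe() guard in restore_user_access_state() sound; a comment tying the two together would help future readers.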
@@ -122,8 +147,10 @@ static void set_handler_user_access_stat
  */
 static void restore_user_access_state(const struct user_access_state *ua_state)
 {
-	if (system_supports_poe())
-		write_sysreg_s(ua_state->por_el0, SYS_POR_EL0);
+	u64 por_el0;
+
+	if (get_ua_state_por_el0(ua_state, &por_el0) == 0)
+		write_sysreg_s(por_el0, SYS_POR_EL0);
 }
 
 static void init_user_layout(struct rt_sigframe_user_layout *user)
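Review bot: replacing the `system_supports_poe()` guard with the valid-bit check in restore_user_access_state() is the core of the fix, and it is only safe if every caller of set_ua_state_por_el0() is itself reached only when POE is supported, in particular restore_poe_context(), which consumes a user-controlled frame record. Please confirm the sigframe parser rejects or ignores a POE_MAGIC record on non-POE systems; otherwise a crafted frame could now reach write_sysreg_s(SYS_POR_EL0) where it was previously gated.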
@@ -333,11 +360,16 @@ static int restore_fpmr_context(struct u
 static int preserve_poe_context(struct poe_context __user *ctx,
 				const struct user_access_state *ua_state)
 {
-	int err = 0;
+	int err;
+	u64 por_el0;
+
+	err = get_ua_state_por_el0(ua_state, &por_el0);
+	if (WARN_ON_ONCE(err))
+		return err;
 
 	__put_user_error(POE_MAGIC, &ctx->head.magic, err);
 	__put_user_error(sizeof(*ctx), &ctx->head.size, err);
-	__put_user_error(ua_state->por_el0, &ctx->por_el0, err);
+	__put_user_error(por_el0, &ctx->por_el0, err);
 
 	return err;
 }
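Review bot: preserve_poe_context() now returns early with the -ENOENT from get_ua_state_por_el0() under WARN_ON_ONCE(); this should be unreachable because setup_rt_frame() zero-initialises ua_state and save_reset_user_access_state() sets the field before the frame is laid out, so a warning rather than a silent skip is the right choice. Note that `err` is no longer initialised to 0 at declaration; it is zero once the check passes, which keeps the __put_user_error() accumulation correct.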
@@ -353,7 +385,7 @@ static int restore_poe_context(struct us
 
 	__get_user_error(por_el0, &(user->poe->por_el0), err);
 	if (!err)
-		ua_state->por_el0 = por_el0;
+		set_ua_state_por_el0(ua_state, por_el0);
 
 	return err;
 }
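Review bot: restore_poe_context() marks por_el0 valid only after a successful __get_user_error(), so a faulting read leaves the bit clear and POR_EL0 untouched, which matches the old behaviour where the field simply was not written. No validation of the user-supplied value is added here, consistent with the pre-existing code.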
@@ -1095,7 +1127,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 {
 	struct pt_regs *regs = current_pt_regs();
 	struct rt_sigframe __user *frame;
-	struct user_access_state ua_state;
+	struct user_access_state ua_state = {};
 
 	/* Always make any pending restarted system calls return -EINTR */
 	current->restart_block.fn = do_no_restart_syscall;
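Review bot: `struct user_access_state ua_state = {};` in rt_sigreturn() is the line that actually closes the hole described in the commit message: without the zeroing, `__valid_fields` would hold stack garbage and a stray bit 0 would still let restore_user_access_state() write uninitialised data into POR_EL0. A short comment stating that the initialiser is required by the accessor contract would stop it from being "cleaned up" later.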
@@ -1507,7 +1539,7 @@ static int setup_rt_frame(int usig, stru
 {
 	struct rt_sigframe_user_layout user;
 	struct rt_sigframe __user *frame;
-	struct user_access_state ua_state;
+	struct user_access_state ua_state = {};
 	int err = 0;
 
 	fpsimd_save_and_flush_current_state();
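Review bot: same point as for rt_sigreturn(): the `= {}` in setup_rt_frame() is required, not cosmetic, since it is what makes get_ua_state_por_el0() deterministic whenever save_reset_user_access_state() did not set the field.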




* [PATCH 6.18 089/270] mm/hugetlb_cma: round up per_node before logging it
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sang-Heon Jeon, Muchun Song,
	David Hildenbrand, Oscar Salvador, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sang-Heon Jeon <ekffu200098@gmail.com>

commit 8f5ce56b76303c55b78a87af996e2e0f8535f979 upstream.

When the user requests a total hugetlb CMA size without per-node
specification, hugetlb_cma_reserve() computes per_node from
hugetlb_cma_size and the number of nodes that have memory

        per_node = DIV_ROUND_UP(hugetlb_cma_size,
                                nodes_weight(hugetlb_bootmem_nodes));

The reservation loop later computes

        size = round_up(min(per_node, hugetlb_cma_size - reserved),
                          PAGE_SIZE << order);

So the actually reserved per_node size is a multiple of (PAGE_SIZE <<
order), but the logged per_node is not rounded up, so it may be smaller
than the actual reserved size.

For example, as the existing comment describes, if a 3 GB area is
requested on a machine with 4 NUMA nodes that have memory, 1 GB is
allocated on the first three nodes, but the printed log is

        hugetlb_cma: reserve 3072 MiB, up to 768 MiB per node

Round per_node up to (PAGE_SIZE << order) before logging so that the
printed log always matches the actual reserved size.  No functional change
to the actual reservation size, as the following case analysis shows

1. remaining (hugetlb_cma_size - reserved) >= rounded per_node
 - AS-IS: min() picks unrounded per_node;
    round_up() returns rounded per_node
 - TO-BE: min() picks rounded per_node;
    round_up() returns rounded per_node (no-op)
2. remaining < unrounded per_node
 - AS-IS: min() picks remaining;
    round_up() returns round_up(remaining)
 - TO-BE: min() picks remaining;
    round_up() returns round_up(remaining)
3. unrounded per_node <= remaining < rounded per_node
 - AS-IS: min() picks unrounded per_node;
    round_up() returns rounded per_node
 - TO-BE: min() picks remaining;
    round_up() returns round_up(remaining) equals rounded per_node

Link: https://lore.kernel.org/20260422143353.852257-1-ekffu200098@gmail.com
Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") # 5.7
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb_cma.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/hugetlb_cma.c
+++ b/mm/hugetlb_cma.c
@@ -193,6 +193,7 @@ void __init hugetlb_cma_reserve(int orde
 		 */
 		per_node = DIV_ROUND_UP(hugetlb_cma_size,
 					nodes_weight(hugetlb_bootmem_nodes));
+		per_node = round_up(per_node, PAGE_SIZE << order);
 		pr_info("hugetlb_cma: reserve %lu MiB, up to %lu MiB per node\n",
 			hugetlb_cma_size / SZ_1M, per_node / SZ_1M);
 	}
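Review bot: the extra round_up() in hugetlb_cma_reserve() only changes the logged value, as the case analysis in the commit message shows, but the comment block ending just above this hunk describes the old unrounded computation and should mention the rounding. round_up() also requires `PAGE_SIZE << order` to be a power of two, which holds here.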




* [PATCH 6.18 090/270] LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xi Ruoyao, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhuacai@loongson.cn>

commit 98b8aebb14fdc0133939fd8fe07d0d98333dc976 upstream.

The SYM_SIGFUNC_START definition should match sigcontext, where the length
of GPRs is 8 bytes for both 32BIT and 64BIT. So replace SZREG with 8 to
fix it.

Cc: stable@vger.kernel.org
Fixes: e4878c37f6679fde ("LoongArch: vDSO: Emit GNU_EH_FRAME correctly")
Suggested-by: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/include/asm/linkage.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/loongarch/include/asm/linkage.h
+++ b/arch/loongarch/include/asm/linkage.h
@@ -69,7 +69,7 @@
 		  9,  10, 11, 12, 13, 14, 15, 16,	\
 		  17, 18, 19, 20, 21, 22, 23, 24,	\
 		  25, 26, 27, 28, 29, 30, 31;		\
-	.cfi_offset \num, SC_REGS + \num * SZREG;	\
+	.cfi_offset \num, SC_REGS + \num * 8;		\
 	.endr;						\
 							\
 	nop;						\
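Review bot: replacing SZREG with a literal 8 in the `.cfi_offset` line is correct for the sigcontext layout, but the bare constant does not say why it differs from the register width on 32BIT; a named macro for the sigcontext GPR slot size, or a comment beside the `.irp`, would document that this follows the sigcontext ABI rather than the machine word size.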




* [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xianglai Li, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xianglai Li <lixianglai@loongson.cn>

commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream.

If we directly compile the switch.S file into the kernel, the address of
the kvm_exc_entry function will definitely be within the DMW memory area.
Therefore, we will no longer need to perform a copy relocation of the
kvm_exc_entry.

So this patch compiles switch.S directly into the kernel, and then removes
the copy relocation execution logic for the kvm_exc_entry function.

Cc: stable@vger.kernel.org
Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/Kbuild                       |    2 -
 arch/loongarch/include/asm/asm-prototypes.h |   20 ++++++++++++++++
 arch/loongarch/include/asm/kvm_host.h       |    3 --
 arch/loongarch/kvm/Makefile                 |    3 +-
 arch/loongarch/kvm/main.c                   |   35 ++--------------------------
 arch/loongarch/kvm/switch.S                 |   20 ++++++++++++----
 6 files changed, 41 insertions(+), 42 deletions(-)

--- a/arch/loongarch/Kbuild
+++ b/arch/loongarch/Kbuild
@@ -3,7 +3,7 @@ obj-y += mm/
 obj-y += net/
 obj-y += vdso/
 
-obj-$(CONFIG_KVM) += kvm/
+obj-$(subst m,y,$(CONFIG_KVM)) += kvm/
 
 # for cleaning
 subdir- += boot
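Review bot: `obj-$(subst m,y,$(CONFIG_KVM)) += kvm/` makes kbuild descend into kvm/ even when KVM is modular, so that the built-in switch.o is picked up, while still skipping the directory when CONFIG_KVM is unset; a short comment explaining the subst would save the next reader a trip to kvm/Makefile.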
--- a/arch/loongarch/include/asm/asm-prototypes.h
+++ b/arch/loongarch/include/asm/asm-prototypes.h
@@ -20,3 +20,23 @@ asmlinkage void noinstr __no_stack_prote
 								    struct pt_regs *regs,
 								    int (*fn)(void *),
 								    void *fn_arg);
+
+struct kvm_run;
+struct kvm_vcpu;
+struct loongarch_fpu;
+
+void kvm_exc_entry(void);
+int  kvm_enter_guest(struct kvm_run *run, struct kvm_vcpu *vcpu);
+
+void kvm_save_fpu(struct loongarch_fpu *fpu);
+void kvm_restore_fpu(struct loongarch_fpu *fpu);
+
+#ifdef CONFIG_CPU_HAS_LSX
+void kvm_save_lsx(struct loongarch_fpu *fpu);
+void kvm_restore_lsx(struct loongarch_fpu *fpu);
+#endif
+
+#ifdef CONFIG_CPU_HAS_LASX
+void kvm_save_lasx(struct loongarch_fpu *fpu);
+void kvm_restore_lasx(struct loongarch_fpu *fpu);
+#endif
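Review bot: the new prototypes for kvm_exc_entry() and kvm_enter_guest() in asm-prototypes.h duplicate the ones still present in kvm_host.h (see the unchanged context in that header's second hunk); identical duplicate declarations are harmless, but keeping them in one place avoids future drift. The `CONFIG_CPU_HAS_LSX`/`CONFIG_CPU_HAS_LASX` guards must match the conditions under which switch.S emits those symbols, which the truncated switch.S hunk does not show.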
--- a/arch/loongarch/include/asm/kvm_host.h
+++ b/arch/loongarch/include/asm/kvm_host.h
@@ -85,7 +85,6 @@ struct kvm_context {
 struct kvm_world_switch {
 	int (*exc_entry)(void);
 	int (*enter_guest)(struct kvm_run *run, struct kvm_vcpu *vcpu);
-	unsigned long page_order;
 };
 
 #define MAX_PGTABLE_LEVELS	4
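Review bot: removing `page_order` from struct kvm_world_switch is correct now that no pages are allocated for the world-switch code; since the struct lives in a public header, check that no reader of the field remains outside main.c.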
@@ -339,8 +338,6 @@ void kvm_exc_entry(void);
 int  kvm_enter_guest(struct kvm_run *run, struct kvm_vcpu *vcpu);
 
 extern unsigned long vpid_mask;
-extern const unsigned long kvm_exception_size;
-extern const unsigned long kvm_enter_guest_size;
 extern struct kvm_world_switch *kvm_loongarch_ops;
 
 #define SW_GCSR		(1 << 0)
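Review bot: with kvm_exception_size and kvm_enter_guest_size gone from kvm_host.h, their definitions in switch.S must be dropped in the same patch (that hunk is cut off in this posting); otherwise they become unused exported data. Note also that kvm_exc_entry()/kvm_enter_guest() stay declared here in addition to the new asm-prototypes.h entries.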
--- a/arch/loongarch/kvm/Makefile
+++ b/arch/loongarch/kvm/Makefile
@@ -7,11 +7,12 @@ include $(srctree)/virt/kvm/Makefile.kvm
 
 obj-$(CONFIG_KVM) += kvm.o
 
+obj-y += switch.o
+
 kvm-y += exit.o
 kvm-y += interrupt.o
 kvm-y += main.o
 kvm-y += mmu.o
-kvm-y += switch.o
 kvm-y += timer.o
 kvm-y += tlb.o
 kvm-y += vcpu.o
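Review bot: `obj-y += switch.o` builds switch.o into vmlinux whenever kvm/ is descended, including CONFIG_KVM=m; in that configuration kvm.ko references kvm_exc_entry, kvm_enter_guest and the FPU/LSX/LASX helpers across the module boundary, so each needs an EXPORT_SYMBOL in switch.S. The asm-prototypes.h additions suggest that is the case, but the truncated switch.S hunk does not show the exports.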
--- a/arch/loongarch/kvm/main.c
+++ b/arch/loongarch/kvm/main.c
@@ -340,8 +340,7 @@ void kvm_arch_disable_virtualization_cpu
 
 static int kvm_loongarch_env_init(void)
 {
-	int cpu, order, ret;
-	void *addr;
+	int cpu, ret;
 	struct kvm_context *context;
 
 	vmcs = alloc_percpu(struct kvm_context);
@@ -357,30 +356,8 @@ static int kvm_loongarch_env_init(void)
 		return -ENOMEM;
 	}
 
-	/*
-	 * PGD register is shared between root kernel and kvm hypervisor.
-	 * So world switch entry should be in DMW area rather than TLB area
-	 * to avoid page fault reenter.
-	 *
-	 * In future if hardware pagetable walking is supported, we won't
-	 * need to copy world switch code to DMW area.
-	 */
-	order = get_order(kvm_exception_size + kvm_enter_guest_size);
-	addr = (void *)__get_free_pages(GFP_KERNEL, order);
-	if (!addr) {
-		free_percpu(vmcs);
-		vmcs = NULL;
-		kfree(kvm_loongarch_ops);
-		kvm_loongarch_ops = NULL;
-		return -ENOMEM;
-	}
-
-	memcpy(addr, kvm_exc_entry, kvm_exception_size);
-	memcpy(addr + kvm_exception_size, kvm_enter_guest, kvm_enter_guest_size);
-	flush_icache_range((unsigned long)addr, (unsigned long)addr + kvm_exception_size + kvm_enter_guest_size);
-	kvm_loongarch_ops->exc_entry = addr;
-	kvm_loongarch_ops->enter_guest = addr + kvm_exception_size;
-	kvm_loongarch_ops->page_order = order;
+	kvm_loongarch_ops->exc_entry = (void *)kvm_exc_entry;
+	kvm_loongarch_ops->enter_guest = (void *)kvm_enter_guest;
 
 	vpid_mask = read_csr_gstat();
 	vpid_mask = (vpid_mask & CSR_GSTAT_GIDBIT) >> CSR_GSTAT_GIDBIT_SHIFT;
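Review bot: the `(void *)` casts on `kvm_exc_entry` and `kvm_enter_guest` hide a type mismatch: `kvm_world_switch.exc_entry` is declared `int (*exc_entry)(void)` in the kvm_host.h hunk, while asm-prototypes.h declares `void kvm_exc_entry(void)`. Aligning the two declarations would let the assignments be written without a cast and keep the compiler's function-pointer type checking meaningful for this indirect entry point.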
@@ -414,16 +391,10 @@ static int kvm_loongarch_env_init(void)
 
 static void kvm_loongarch_env_exit(void)
 {
-	unsigned long addr;
-
 	if (vmcs)
 		free_percpu(vmcs);
 
 	if (kvm_loongarch_ops) {
-		if (kvm_loongarch_ops->exc_entry) {
-			addr = (unsigned long)kvm_loongarch_ops->exc_entry;
-			free_pages(addr, kvm_loongarch_ops->page_order);
-		}
 		kfree(kvm_loongarch_ops);
 	}
 
--- a/arch/loongarch/kvm/switch.S
+++ b/arch/loongarch/kvm/switch.S
@@ -4,9 +4,11 @@
  */
 
 #include <linux/linkage.h>
+#include <linux/kvm_types.h>
 #include <asm/asm.h>
 #include <asm/asmmacro.h>
 #include <asm/loongarch.h>
+#include <asm/page.h>
 #include <asm/regdef.h>
 #include <asm/unwind_hints.h>
 
@@ -100,8 +102,13 @@
 	 *  -        is still in guest mode, such as pgd table/vmid registers etc,
 	 *  -        will fix with hw page walk enabled in future
 	 * load kvm_vcpu from reserved CSR KVM_VCPU_KS, and save a2 to KVM_TEMP_KS
+	 *
+	 * PGD register is shared between root kernel and kvm hypervisor.
+	 * So world switch entry should be in DMW area rather than TLB area
+	 * to avoid page fault re-enter.
 	 */
 	.text
+	.p2align PAGE_SHIFT
 	.cfi_sections	.debug_frame
 SYM_CODE_START(kvm_exc_entry)
 	UNWIND_HINT_UNDEFINED
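Review bot: the rehomed comment explains why the entry must live in the DMW area, but not why `.p2align PAGE_SHIFT` is needed; page alignment by itself does not place the code in DMW (that follows from the kernel text mapping). If the alignment is there so the exception entry does not straddle a page boundary, or to satisfy an alignment requirement of the entry register, please say so in the comment, since it costs up to a page of padding in .text.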
@@ -190,8 +197,8 @@ ret_to_host:
 	kvm_restore_host_gpr    a2
 	jr      ra
 
-SYM_INNER_LABEL(kvm_exc_entry_end, SYM_L_LOCAL)
 SYM_CODE_END(kvm_exc_entry)
+EXPORT_SYMBOL_FOR_KVM(kvm_exc_entry)
 
 /*
  * int kvm_enter_guest(struct kvm_run *run, struct kvm_vcpu *vcpu)
@@ -215,8 +222,8 @@ SYM_FUNC_START(kvm_enter_guest)
 	/* Save kvm_vcpu to kscratch */
 	csrwr	a1, KVM_VCPU_KS
 	kvm_switch_to_guest
-SYM_INNER_LABEL(kvm_enter_guest_end, SYM_L_LOCAL)
 SYM_FUNC_END(kvm_enter_guest)
+EXPORT_SYMBOL_FOR_KVM(kvm_enter_guest)
 
 SYM_FUNC_START(kvm_save_fpu)
 	fpu_save_csr	a0 t1
@@ -224,6 +231,7 @@ SYM_FUNC_START(kvm_save_fpu)
 	fpu_save_cc	a0 t1 t2
 	jr              ra
 SYM_FUNC_END(kvm_save_fpu)
+EXPORT_SYMBOL_FOR_KVM(kvm_save_fpu)
 
 SYM_FUNC_START(kvm_restore_fpu)
 	fpu_restore_double a0 t1
@@ -231,6 +239,7 @@ SYM_FUNC_START(kvm_restore_fpu)
 	fpu_restore_cc	   a0 t1 t2
 	jr                 ra
 SYM_FUNC_END(kvm_restore_fpu)
+EXPORT_SYMBOL_FOR_KVM(kvm_restore_fpu)
 
 #ifdef CONFIG_CPU_HAS_LSX
 SYM_FUNC_START(kvm_save_lsx)
@@ -239,6 +248,7 @@ SYM_FUNC_START(kvm_save_lsx)
 	lsx_save_data   a0 t1
 	jr              ra
 SYM_FUNC_END(kvm_save_lsx)
+EXPORT_SYMBOL_FOR_KVM(kvm_save_lsx)
 
 SYM_FUNC_START(kvm_restore_lsx)
 	lsx_restore_data a0 t1
@@ -246,6 +256,7 @@ SYM_FUNC_START(kvm_restore_lsx)
 	fpu_restore_csr  a0 t1 t2
 	jr               ra
 SYM_FUNC_END(kvm_restore_lsx)
+EXPORT_SYMBOL_FOR_KVM(kvm_restore_lsx)
 #endif
 
 #ifdef CONFIG_CPU_HAS_LASX
@@ -255,6 +266,7 @@ SYM_FUNC_START(kvm_save_lasx)
 	lasx_save_data  a0 t1
 	jr              ra
 SYM_FUNC_END(kvm_save_lasx)
+EXPORT_SYMBOL_FOR_KVM(kvm_save_lasx)
 
 SYM_FUNC_START(kvm_restore_lasx)
 	lasx_restore_data a0 t1
@@ -262,10 +274,8 @@ SYM_FUNC_START(kvm_restore_lasx)
 	fpu_restore_csr   a0 t1 t2
 	jr                ra
 SYM_FUNC_END(kvm_restore_lasx)
+EXPORT_SYMBOL_FOR_KVM(kvm_restore_lasx)
 #endif
-	.section ".rodata"
-SYM_DATA(kvm_exception_size, .quad kvm_exc_entry_end - kvm_exc_entry)
-SYM_DATA(kvm_enter_guest_size, .quad kvm_enter_guest_end - kvm_enter_guest)
 
 #ifdef CONFIG_CPU_HAS_LBT
 STACK_FRAME_NON_STANDARD kvm_restore_fpu





* [PATCH 6.18 092/270] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 093/270] mptcp: pm: ADD_ADDR rtx: skip inactive subflows Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kai Zen, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Zen <kai.aizen.dev@gmail.com>

commit 4b9e327991815e128ad3af75c3a04630a63ce3e0 upstream.

rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack
without initialisation:

	struct ifla_vf_broadcast vf_broadcast;

The struct contains a single fixed 32-byte field:

	/* include/uapi/linux/if_link.h */
	struct ifla_vf_broadcast {
		__u8 broadcast[32];
	};

The function then copies dev->broadcast into it using dev->addr_len
as the length:

	memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);

On Ethernet devices (the overwhelming majority of SR-IOV NICs)
dev->addr_len is 6, so only the first 6 bytes of broadcast[] are
written. The remaining 26 bytes retain whatever was previously on
the kernel stack. The full struct is then handed to userspace via:

	nla_put(skb, IFLA_VF_BROADCAST,
		sizeof(vf_broadcast), &vf_broadcast)

leaking up to 26 bytes of uninitialised kernel stack per VF per
RTM_GETLINK request, repeatable.

The other vf_* structs in the same function are explicitly zeroed
for exactly this reason - see the memset() calls for ivi,
vf_vlan_info, node_guid and port_guid a few lines above.
vf_broadcast was simply missed when it was added.

Reachability: any unprivileged local process can open AF_NETLINK /
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an
IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks
each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per
VF per request. Stack residue at this call site can include return
addresses and transient sensitive data; KASAN with stack
instrumentation, or KMSAN, will flag the nla_put() when reproduced.

Zero the on-stack struct before the partial memcpy, matching the
existing pattern used for the other vf_* structs in the same
function.

Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
Cc: stable@vger.kernel.org
Signed-off-by: Kai Zen <kai.aizen.dev@gmail.com>
Link: https://patch.msgid.link/3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1566,6 +1566,7 @@ static noinline_for_stack int rtnl_fill_
 		port_guid.vf = ivi.vf;
 
 	memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
+	memset(&vf_broadcast, 0, sizeof(vf_broadcast));
 	memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
 	vf_vlan.vlan = ivi.vlan;
 	vf_vlan.qos = ivi.qos;
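Review bot: the memset is the right fix; two small points. Initialising at the declaration (`struct ifla_vf_broadcast vf_broadcast = {};`) would match the style used elsewhere in this series (the papr-hvpipe patch) and cannot be separated from the memcpy by a later edit. Also the memcpy length `dev->addr_len` is still not checked against the 32-byte array; it is fine as long as addr_len is bounded by the same constant, but a `min()` or `BUILD_BUG_ON` would make that invariant explicit at the call site.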



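Added example, not code from the patch or the kernel: a userspace C model of the "before" and "after" behaviour the commit message describes, using a constructed stand-in for the two `struct net_device` fields involved so it runs offline, and counting the bytes past `addr_len` that would be handed to userspace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout quoted in the commit message (include/uapi/linux/if_link.h). */
struct ifla_vf_broadcast {
	uint8_t broadcast[32];
};

/* Constructed stand-in for the two struct net_device fields the code touches. */
struct fake_netdev {
	unsigned char broadcast[32];
	unsigned char addr_len;
};

/* "Before": only addr_len bytes are written; the rest of *vfb is left as found. */
static void fill_vf_broadcast_before(struct ifla_vf_broadcast *vfb,
				     const struct fake_netdev *dev)
{
	memcpy(vfb->broadcast, dev->broadcast, dev->addr_len);
}

/* "After": zero the whole struct first, as the one-line fix does. */
static void fill_vf_broadcast_after(struct ifla_vf_broadcast *vfb,
				    const struct fake_netdev *dev)
{
	memset(vfb, 0, sizeof(*vfb));
	memcpy(vfb->broadcast, dev->broadcast, dev->addr_len);
}

/* Bytes past addr_len that are non-zero: what nla_put() would hand to userspace. */
static size_t residue_bytes(const struct ifla_vf_broadcast *vfb,
			    unsigned char addr_len)
{
	size_t n = 0;

	for (size_t i = addr_len; i < sizeof(vfb->broadcast); i++)
		if (vfb->broadcast[i] != 0)
			n++;
	return n;
}

/*
 * Run one scenario for an Ethernet device (addr_len 6, broadcast ff:ff:ff:ff:ff:ff).
 * The struct is pre-filled with 0xa5 to stand in for stale stack contents; that
 * keeps the demonstration deterministic instead of relying on real uninitialised
 * stack memory, which would be undefined behaviour in userspace C.
 */
static size_t leaked_bytes(int zero_first)
{
	struct fake_netdev dev = { .addr_len = 6 };
	struct ifla_vf_broadcast vfb;

	memset(dev.broadcast, 0xff, dev.addr_len);
	memset(&vfb, 0xa5, sizeof(vfb));

	if (zero_first)
		fill_vf_broadcast_after(&vfb, &dev);
	else
		fill_vf_broadcast_before(&vfb, &dev);

	return residue_bytes(&vfb, dev.addr_len);
}

int main(void)
{
	printf("without memset: %zu residue bytes\n", leaked_bytes(0));
	printf("with memset:    %zu residue bytes\n", leaked_bytes(1));
	return 0;
}
```

The unzeroed path reports the 26 bytes the commit message counts; the zeroed path reports none.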

* [PATCH 6.18 093/270] mptcp: pm: ADD_ADDR rtx: skip inactive subflows
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 092/270] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 094/270] perf/x86/intel: Improve validation and configuration of ACR masks Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit c6d395e2de1306b5fef0344a3c3835fbbfaa18be upstream.

When looking at the maximum RTO amongst the subflows, inactive subflows
were taken into account: that includes stale ones, and the initial one
if it has already been closed.

Unusable subflows are now simply skipped. Stale ones are used as an
alternative: if there are only stale ones, take their maximum RTO and
avoid eventually falling back to net.mptcp.add_addr_timeout, which is set
to 2 minutes by default.

Fixes: 30549eebc4d8 ("mptcp: make ADD_ADDR retransmission timeout adaptive")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-7-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -305,18 +305,28 @@ static unsigned int mptcp_adjust_add_add
 	const struct net *net = sock_net((struct sock *)msk);
 	unsigned int rto = mptcp_get_add_addr_timeout(net);
 	struct mptcp_subflow_context *subflow;
-	unsigned int max = 0;
+	unsigned int max = 0, max_stale = 0;
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		struct inet_connection_sock *icsk = inet_csk(ssk);
 
-		if (icsk->icsk_rto > max)
+		if (!__mptcp_subflow_active(subflow))
+			continue;
+
+		if (unlikely(subflow->stale)) {
+			if (icsk->icsk_rto > max_stale)
+				max_stale = icsk->icsk_rto;
+		} else if (icsk->icsk_rto > max) {
 			max = icsk->icsk_rto;
+		}
 	}
 
-	if (max && max < rto)
-		rto = max;
+	if (max)
+		return min(max, rto);
+
+	if (max_stale)
+		return min(max_stale, rto);
 
 	return rto;
 }
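Review bot: with `if (max) return min(max, rto);` an active non-stale subflow always wins even when a stale one has a larger RTO, which matches the description, but the trailing `return rto;` still falls back to the net.mptcp.add_addr_timeout default whenever no active subflow exists at all. A short comment on the three tiers (active first, stale as fallback, sysctl last) would help, since the `unlikely()` makes the stale branch read like an error path rather than a deliberate second tier.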




* [PATCH 6.18 094/270] perf/x86/intel: Improve validation and configuration of ACR masks
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 093/270] mptcp: pm: ADD_ADDR rtx: skip inactive subflows Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 095/270] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Peter Zijlstra (Intel)

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dapeng Mi <dapeng1.mi@linux.intel.com>

commit 5ad732a56be46aabf158c16aa0c095291727aaef upstream.

Currently there are several issues with the user space ACR mask validation
and configuration.
- The validation for user space ACR mask (attr.config2) is incomplete,
  e.g., the ACR mask could include the index which belongs to another
  ACR events group, but it's not validated.
- An early return on an invalid ACR mask caused all subsequent ACR groups
  to be skipped.
- The stale hardware ACR mask (hw.config1) is not cleared before setting
  new hardware ACR mask.

The following changes address all of the above issues.
- Figure out the event index group of an ACR group. Any bits in the
  user-space mask not present in the index group are now dropped.
- Instead of an early return on invalid bits, drop only the invalid
  portions and continue iterating through all ACR events to ensure full
  configuration.
- Explicitly clear the stale hardware ACR mask for each event prior to
  writing the new configuration.

Besides, a non-leader event member of an ACR group could be disabled in
theory. This could cause bit-shifting errors in the acr_mask of the remaining
group members. But since ACR sampling requires all events to be active,
this should not be a big concern in real use cases. Add a "FIXME" comment
to note this risk.

Fixes: ec980e4facef ("perf/x86/intel: Support auto counter reload")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260430002558.712334-2-dapeng1.mi@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/events/intel/core.c |   32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -2980,23 +2980,41 @@ static void intel_pmu_enable_event(struc
 static void intel_pmu_acr_late_setup(struct cpu_hw_events *cpuc)
 {
 	struct perf_event *event, *leader;
-	int i, j, idx;
+	int i, j, k, bit, idx;
 
+	/*
+	 * FIXME: ACR mask parsing relies on cpuc->event_list[] (active events only).
+	 * Disabling an ACR event causes bit-shifting errors in the acr_mask of
+	 * remaining group members. As ACR sampling requires all events to be active,
+	 * this limitation is acceptable for now. Revisit if independent event toggling
+	 * is required.
+	 */
 	for (i = 0; i < cpuc->n_events; i++) {
 		leader = cpuc->event_list[i];
 		if (!is_acr_event_group(leader))
 			continue;
 
-		/* The ACR events must be contiguous. */
+		/* Find the last event of the ACR group. */
 		for (j = i; j < cpuc->n_events; j++) {
 			event = cpuc->event_list[j];
 			if (event->group_leader != leader->group_leader)
 				break;
-			for_each_set_bit(idx, (unsigned long *)&event->attr.config2, X86_PMC_IDX_MAX) {
-				if (i + idx >= cpuc->n_events ||
-				    !is_acr_event_group(cpuc->event_list[i + idx]))
-					return;
-				__set_bit(cpuc->assign[i + idx], (unsigned long *)&event->hw.config1);
+		}
+
+		/*
+		 * Translate the user-space ACR mask (attr.config2) into the physical
+		 * counter bitmask (hw.config1) for each ACR event in the group.
+		 * NOTE: ACR event contiguity is guaranteed by intel_pmu_hw_config().
+		 */
+		for (k = i; k < j; k++) {
+			event = cpuc->event_list[k];
+			event->hw.config1 = 0;
+			for_each_set_bit(bit, (unsigned long *)&event->attr.config2, X86_PMC_IDX_MAX) {
+				idx = i + bit;
+				/* Event index of ACR group must locate in [i, j). */
+				if (idx >= j || !is_acr_event_group(cpuc->event_list[idx]))
+					continue;
+				__set_bit(cpuc->assign[idx], (unsigned long *)&event->hw.config1);
 			}
 		}
 		i = j - 1;
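Review bot: invalid bits in attr.config2 are now silently dropped (`continue`) rather than rejected, so userspace that asks for a counter outside its own group gets a quietly smaller reload set with no error. Since the new comment says contiguity is already validated in intel_pmu_hw_config(), consider rejecting out-of-range mask bits there with -EINVAL as well, or at least a `pr_debug`/`WARN_ON_ONCE` here when a bit is dropped. Also, the `is_acr_event_group(cpuc->event_list[idx])` test looks redundant for idx in [i, j), since that range was just determined to share the leader; if a group can mix ACR and non-ACR members, a comment saying so would justify keeping it.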




* [PATCH 6.18 095/270] sound: ua101: fix division by zero at probe
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 094/270] perf/x86/intel: Improve validation and configuration of ACR masks Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 096/270] pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeungJu Cheon, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeungJu Cheon <suunj1331@gmail.com>

commit d1f73f169c1014463b5060e3f60813e13ddc7b87 upstream.

Add a missing sanity check for bNrChannels in detect_usb_format()
to prevent a division by zero in playback_urb_complete() and
capture_urb_complete().

USB core does not validate class-specific descriptor fields such
as bNrChannels, so drivers must verify them before use. If a
device provides bNrChannels = 0, frame_bytes becomes zero and is
later used as a divisor in the URB completion handlers, leading
to a kernel crash.

Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Link: https://patch.msgid.link/20260426111239.103296-1-suunj1331@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/misc/ua101.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -974,6 +974,13 @@ static int detect_usb_format(struct ua10
 
 	ua->capture.channels = fmt_capture->bNrChannels;
 	ua->playback.channels = fmt_playback->bNrChannels;
+	if (!ua->capture.channels || !ua->playback.channels) {
+		dev_err(&ua->dev->dev,
+			"invalid channel count: capture %u, playback %u\n",
+			ua->capture.channels, ua->playback.channels);
+		return -EINVAL;
+	}
+
 	ua->capture.frame_bytes =
 		fmt_capture->bSubframeSize * ua->capture.channels;
 	ua->playback.frame_bytes =
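Review bot: the check covers bNrChannels only, but frame_bytes is `bSubframeSize * channels` (visible just below), so a descriptor with bSubframeSize == 0 still yields frame_bytes == 0 and the same divide-by-zero in the completion handlers. Extend the check to `!fmt_capture->bSubframeSize || !fmt_playback->bSubframeSize`, or validate frame_bytes itself after it is computed, since the descriptor field is just as untrusted.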




* [PATCH 6.18 096/270] pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 095/270] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 097/270] pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init() Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
	Madhavan Srinivasan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>

commit cefeed44296261173a806bef988b26bc565da4be upstream.

The hdr variable is allocated on the stack and only hdr.version and
hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr
contains reserved padding bytes (reserved[3] and reserved2[40]), these
could leak the uninitialized bytes to userspace after copy_to_user().

This patch fixes that by initializing the whole struct to 0.

Cc: stable@vger.kernel.org
Fixes: cebdb522fd3ed ("powerpc/pseries: Receive payload with ibm,receive-hvpipe-msg RTAS")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/7bfe03b65a282c856ed8182d1871bb973c0b78f2.1777606826.git.ritesh.list@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/pseries/papr-hvpipe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c
index c41d45e1986d..3392874ebdf6 100644
--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c
+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,
 {
 
 	struct hvpipe_source_info *src_info = file->private_data;
-	struct papr_hvpipe_hdr hdr;
+	struct papr_hvpipe_hdr hdr = {};
 	long ret;
 
 	/*
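Review bot: `= {}` zeroes the named `reserved[]`/`reserved2[]` members the commit message is concerned with, which is what matters here. Note though that the C standard does not guarantee compiler-inserted padding is cleared by an initializer; if `struct papr_hvpipe_hdr` has any implicit padding between members, `memset(&hdr, 0, sizeof(hdr))` is the stronger choice before a `copy_to_user()` of the whole struct.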
-- 
2.54.0





* [PATCH 6.18 097/270] pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 096/270] pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 098/270] pseries/papr-hvpipe: Fix the usage of copy_to_user() Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
	Madhavan Srinivasan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>

commit 713e468cdbc2277db6ce949c32c1acbd83501733 upstream.

Remove such 3-level nesting patterns used to check success return values
from function calls.

ret = enable_hvpipe_IRQ()
    if (!ret)
	    ret = set_hvpipe_sys_param(1)
	        if (!ret)
		    ret = misc_register()

Instead just bail out to "out*:" labels, in case of any error. This
simplifies the init flow.

While at it, let's also fix the following error handling logic:
we have already enabled interrupt sources and enabled hvpipe to receive
interrupts; if misc_register() fails, we will destroy the workqueue, but
the HMC might send us a msg via hvpipe, which will queue work on
the workqueue which might be destroyed.

So instead, let's reverse the order of enabling set_hvpipe_sys_param(1)
and in case of an error let's remove the misc dev by calling
misc_deregister().

Cc: stable@vger.kernel.org
Fixes: 39a08a4f94980 ("powerpc/pseries: Enable hvpipe with ibm,set-system-parameter RTAS")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/f2141eafb80e7780395e03aa9a22e8a37be80513.1777606826.git.ritesh.list@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/pseries/papr-hvpipe.c |   28 ++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c
+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -796,23 +796,29 @@ static int __init papr_hvpipe_init(void)
 	}
 
 	ret = enable_hvpipe_IRQ();
-	if (!ret) {
-		ret = set_hvpipe_sys_param(1);
-		if (!ret)
-			ret = misc_register(&papr_hvpipe_dev);
-	}
+	if (ret)
+		goto out_wq;
 
-	if (!ret) {
-		pr_info("hvpipe feature is enabled\n");
-		hvpipe_feature = true;
-		return 0;
-	}
+	ret = misc_register(&papr_hvpipe_dev);
+	if (ret)
+		goto out_wq;
 
-	pr_err("hvpipe feature is not enabled %d\n", ret);
+	ret = set_hvpipe_sys_param(1);
+	if (ret)
+		goto out_misc;
+
+	pr_info("hvpipe feature is enabled\n");
+	hvpipe_feature = true;
+	return 0;
+
+out_misc:
+	misc_deregister(&papr_hvpipe_dev);
+out_wq:
 	destroy_workqueue(papr_hvpipe_wq);
 out:
 	kfree(papr_hvpipe_work);
 	papr_hvpipe_work = NULL;
+	pr_err("hvpipe feature is not enabled %d\n", ret);
 	return ret;
 }
 machine_device_initcall(pseries, papr_hvpipe_init);
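Review bot: on a misc_register() failure the `out_wq` path destroys the workqueue but does not undo enable_hvpipe_IRQ(), which was called first. The description argues that messages only arrive after set_hvpipe_sys_param(1), so this is safe only if the IRQ cannot fire before that call; a comment at `out_wq` stating that assumption, or a disable counterpart to enable_hvpipe_IRQ() on the error path, would make the teardown order self-evident to the next person touching this init sequence.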




* [PATCH 6.18 098/270] pseries/papr-hvpipe: Fix the usage of copy_to_user()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 097/270] pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init() Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 099/270] net: libwx: fix VF illegal register access Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
	Madhavan Srinivasan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>

commit d48654bd8b1a75f662e224d257db54de475120dc upstream.

copy_to_user() returns bytes_not_copied to the user buffer. If there was
an error writing bytes into the user buffer, i.e. if copy_to_user
returns a non-zero value, then we should simply return -EFAULT from the
->read() call.

Otherwise, in the non-patched version, we may end up mixing
"bytes_not_copied + bytes_copied (HVPIPE_HDR_LEN)" as the return value
to the user in the ->read() call.

Also let's make sure we clear the hvpipe_status flag, if we have
consumed the hvpipe msg by making the rtas call. ret = -EFAULT means
copy_to_user has failed but that still means that the msg was read from
the hvpipe, hence for both cases, success & -EFAULT, we should clear the
HVPIPE_MSG_AVAILABLE flag in hvpipe_status.

Cc: stable@vger.kernel.org
Fixes: cebdb522fd3edd1 ("powerpc/pseries: Receive payload with ibm,receive-hvpipe-msg RTAS")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/8fda3212a1ad48879c174e92f67472d9b9f1c3b7.1777606826.git.ritesh.list@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/pseries/papr-hvpipe.c | 23 ++++++++++++--------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c
index 800649f309a5..c007560d2d8c 100644
--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c
+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -206,10 +206,11 @@ static int hvpipe_rtas_recv_msg(char __user *buf, int size)
 					bytes_written, size);
 				bytes_written = size;
 			}
-			ret = copy_to_user(buf,
+			if (copy_to_user(buf,
 					rtas_work_area_raw_buf(work_area),
-					bytes_written);
-			if (!ret)
+					bytes_written))
+				ret = -EFAULT;
+			else
 				ret = bytes_written;
 		}
 	} else {
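Review bot: the new `-EFAULT` return is relied upon by the read path, which now tests `ret == -EFAULT` explicitly to decide that the message was drained. That makes hvpipe_rtas_recv_msg()'s return contract load-bearing (bytes written on success, -EFAULT only after the RTAS call has consumed the message, any other error before it); a short kernel-doc comment on the function stating this would keep the two sites in sync.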
@@ -328,7 +329,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,
 
 	struct hvpipe_source_info *src_info = file->private_data;
 	struct papr_hvpipe_hdr hdr = {};
-	long ret;
+	ssize_t ret = 0;
 
 	/*
 	 * Return -ENXIO during migration
@@ -376,7 +377,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,
 
 	ret = copy_to_user(buf, &hdr, HVPIPE_HDR_LEN);
 	if (ret)
-		return ret;
+		return -EFAULT;
 
 	/*
 	 * Message event has payload, so get the payload with
@@ -385,19 +386,23 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,
 	if (hdr.flags & HVPIPE_MSG_AVAILABLE) {
 		ret = hvpipe_rtas_recv_msg(buf + HVPIPE_HDR_LEN,
 				size - HVPIPE_HDR_LEN);
-		if (ret > 0) {
+		/*
+		 * Always clear MSG_AVAILABLE once the RTAS call has drained
+		 * the message, regardless of whether copy_to_user succeeded.
+		 */
+		if (ret >= 0 || ret == -EFAULT)
 			src_info->hvpipe_status &= ~HVPIPE_MSG_AVAILABLE;
-			ret += HVPIPE_HDR_LEN;
-		}
 	} else if (hdr.flags & HVPIPE_LOST_CONNECTION) {
 		/*
 		 * Hypervisor is closing the pipe for the specific
 		 * source. So notify user space.
 		 */
 		src_info->hvpipe_status &= ~HVPIPE_LOST_CONNECTION;
-		ret = HVPIPE_HDR_LEN;
 	}
 
+	if (ret >= 0)
+		ret += HVPIPE_HDR_LEN;
+
 	return ret;
 }
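Review bot: `ret >= 0 || ret == -EFAULT` encodes the rule that -EFAULT means the RTAS call already drained the message while any other negative value means it did not; the new comment covers the -EFAULT half but leaves the "other errors keep MSG_AVAILABLE set" half implicit, so please spell it out. Also worth a sentence: on -EFAULT the header has already been copied to the user buffer but the call returns an error, so the caller sees neither header nor payload; that is acceptable for a broken buffer, but it should be a stated choice.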
 
-- 
2.54.0





* [PATCH 6.18 099/270] net: libwx: fix VF illegal register access
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 098/270] pseries/papr-hvpipe: Fix the usage of copy_to_user() Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 100/270] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

commit 694de316f607fe2473d52ca0707e3918e72c1562 upstream.

Register WX_CFG_PORT_ST is a PF restricted register. When a VF is
initialized, attempting to read this register triggers an illegal
register access, which leads to a system hang.

When the device is VF, the bus function ID can be obtained directly from
the PCI_FUNC(pdev->devfn).

Fixes: a04ea57aae37 ("net: libwx: fix device bus LAN ID")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/4D1F4452D21DE107+20260429083743.88961-1-jiawenwu@trustnetic.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/wangxun/libwx/wx_hw.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c
+++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c
@@ -2427,8 +2427,11 @@ int wx_sw_init(struct wx *wx)
 	wx->oem_svid = pdev->subsystem_vendor;
 	wx->oem_ssid = pdev->subsystem_device;
 	wx->bus.device = PCI_SLOT(pdev->devfn);
-	wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID,
-				 rd32(wx, WX_CFG_PORT_ST));
+	if (pdev->is_virtfn)
+		wx->bus.func = PCI_FUNC(pdev->devfn);
+	else
+		wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID,
+					 rd32(wx, WX_CFG_PORT_ST));
 
 	if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN ||
 	    pdev->is_virtfn) {
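Review bot: `pdev->is_virtfn` is tested again two lines below for the OEM check; grouping both VF-specific steps under one branch would make the "a VF never touches WX_CFG_PORT_ST" rule obvious in one place and harder to regress when the next PF-only register is added to wx_sw_init().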




* [PATCH 6.18 100/270] ip6_gre: Use cached t->net in ip6erspan_changelink().
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 099/270] net: libwx: fix VF illegal register access Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 101/270] net: libwx: use request_irq for VF misc interrupt Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
	Kuniyuki Iwashima, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 1d324c2f43f70c965f25c58cc3611c779adbe47e upstream.

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.

Fixes: 2d665034f239 ("net: ip6_gre: Fix ip6erspan hlen calculation")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260430103318.3206018-1-maoyi.xie@ntu.edu.sg
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_gre.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -2261,10 +2261,11 @@ static int ip6erspan_changelink(struct n
 				struct nlattr *data[],
 				struct netlink_ext_ack *extack)
 {
-	struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+	struct ip6_tnl *t = netdev_priv(dev);
 	struct __ip6_tnl_parm p;
-	struct ip6_tnl *t;
+	struct ip6gre_net *ign;
 
+	ign = net_generic(t->net, ip6gre_net_id);
 	t = ip6gre_changelink_common(dev, tb, data, &p, extack);
 	if (IS_ERR(t))
 		return PTR_ERR(t);
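Review bot: `ign` is looked up from `t->net` before ip6gre_changelink_common() has validated the request; this is harmless, but moving `ign = net_generic(t->net, ip6gre_net_id);` below the IS_ERR() check keeps the error path free of the lookup. Since `t` is first taken from netdev_priv(dev) and then overwritten by the return value of ip6gre_changelink_common(), a short comment noting that both are expected to refer to the same tunnel would help the next reader; the important part, using the cached `t->net` rather than dev_net(dev) so the hash lookup follows the creation netns, is correct.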




* [PATCH 6.18 101/270] net: libwx: use request_irq for VF misc interrupt
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

commit 7a33345153eeeda195c55f15be27074e4c3b5109 upstream.

Currently, request_threaded_irq() is used with a primary handler but a
NULL threaded handler, while also setting the IRQF_ONESHOT flag. This
specific combination triggers a WARNING since the commit aef30c8d569c
("genirq: Warn about using IRQF_ONESHOT without a threaded handler").

WARNING: kernel/irq/manage.c:1502 at __setup_irq+0x4fa/0x760

Fix the issue by switching to request_irq(), which is the appropriate
interface for a non-threaded interrupt handler, and removing the
unnecessary IRQF_ONESHOT flag.

Fixes: eb4898fde1de ("net: libwx: add wangxun vf common api")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/786DDC7D5CCA6D0A+20260429083743.88961-2-jiawenwu@trustnetic.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/wangxun/libwx/wx_vf_common.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/wangxun/libwx/wx_vf_common.c
+++ b/drivers/net/ethernet/wangxun/libwx/wx_vf_common.c
@@ -98,8 +98,8 @@ int wx_request_msix_irqs_vf(struct wx *w
 		}
 	}
 
-	err = request_threaded_irq(wx->msix_entry->vector, wx_msix_misc_vf,
-				   NULL, IRQF_ONESHOT, netdev->name, wx);
+	err = request_irq(wx->msix_entry->vector, wx_msix_misc_vf,
+			  0, netdev->name, wx);
 	if (err) {
 		wx_err(wx, "request_irq for msix_other failed: %d\n", err);
 		goto free_queue_irqs;
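Review bot: request_irq() with flags 0 is the right shape for a handler that does all its work in the primary context, and the existing error string "request_irq for msix_other failed" now matches the call, so nothing more is needed in this hunk. The one thing to confirm outside it is that the teardown side still pairs a free_irq() with wx->msix_entry->vector, since only the registration call changes here.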




* [PATCH 6.18 102/270] netpoll: pass buffer size to egress_dev() to avoid MAC truncation
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

commit 76b93a8107574006b25495664304ea9237494d70 upstream.

egress_dev() formats np->dev_mac via snprintf() but receives buf as
a bare char *, so it cannot derive the buffer size from the pointer. The
size argument was hardcoded to MAC_ADDR_STR_LEN (3 * ETH_ALEN - 1 = 17),
which is silly wrong in two ways:

 1) misleading kernel log output on the MAC-selected target path
    (np->dev_name[0] == '\0'); for example "aa:bb:cc:dd:ee:ff doesn't
    exist, aborting" was logged as "aa:bb:cc:dd:ee:f doesn't exist,
    aborting".

 2) the second argument of snprintf is the size of the buffer, not the
    size of what you want to write.

Add a bufsz parameter to egress_dev() and pass sizeof(buf) from each
caller, matching the standard snprintf() idiom and removing the
hardcoded size from the helper.

Every caller already declares "char buf[MAC_ADDR_STR_LEN + 1]" so the
formatted MAC continues to fit.

Tested by booting with
  netconsole=6665@/aa:bb:cc:dd:ee:ff,6666@10.0.0.1/00:11:22:33:44:55
on a kernel without a matching device. Pre-fix dmesg shows
"aa:bb:cc:dd:ee:f doesn't exist, aborting"; post-fix shows the full
"aa:bb:cc:dd:ee:ff doesn't exist, aborting".

Fixes: f8a10bed32f5 ("netconsole: allow selection of egress interface via MAC address")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260501-netpoll_snprintf_fix-v1-1-84b0566e6597@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/netpoll.c |   23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -608,14 +608,16 @@ EXPORT_SYMBOL_GPL(__netpoll_setup);
 /*
  * Returns a pointer to a string representation of the identifier used
  * to select the egress interface for the given netpoll instance. buf
- * must be a buffer of length at least MAC_ADDR_STR_LEN + 1.
+ * is used to format np->dev_mac when np->dev_name is empty; bufsz must
+ * be at least MAC_ADDR_STR_LEN + 1 to fit the formatted MAC address
+ * and its NUL terminator.
  */
-static char *egress_dev(struct netpoll *np, char *buf)
+static char *egress_dev(struct netpoll *np, char *buf, size_t bufsz)
 {
 	if (np->dev_name[0])
 		return np->dev_name;
 
-	snprintf(buf, MAC_ADDR_STR_LEN, "%pM", np->dev_mac);
+	snprintf(buf, bufsz, "%pM", np->dev_mac);
 	return buf;
 }
 
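Review bot: the new comment states the `bufsz` must be at least MAC_ADDR_STR_LEN + 1, but nothing in egress_dev() enforces it, so snprintf() would silently truncate again if a future caller passed a smaller buffer. A `WARN_ON_ONCE(bufsz < MAC_ADDR_STR_LEN + 1)` before the snprintf() would turn that into a visible failure instead of a quiet repeat of the bug this patch fixes.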
@@ -645,7 +647,7 @@ static int netpoll_take_ipv6(struct netp
 
 	if (!IS_ENABLED(CONFIG_IPV6)) {
 		np_err(np, "IPv6 is not supported %s, aborting\n",
-		       egress_dev(np, buf));
+		       egress_dev(np, buf, sizeof(buf)));
 		return -EINVAL;
 	}
 
@@ -667,7 +669,7 @@ static int netpoll_take_ipv6(struct netp
 	}
 	if (err) {
 		np_err(np, "no IPv6 address for %s, aborting\n",
-		       egress_dev(np, buf));
+		       egress_dev(np, buf, sizeof(buf)));
 		return err;
 	}
 
@@ -687,14 +689,14 @@ static int netpoll_take_ipv4(struct netp
 	in_dev = __in_dev_get_rtnl(ndev);
 	if (!in_dev) {
 		np_err(np, "no IP address for %s, aborting\n",
-		       egress_dev(np, buf));
+		       egress_dev(np, buf, sizeof(buf)));
 		return -EDESTADDRREQ;
 	}
 
 	ifa = rtnl_dereference(in_dev->ifa_list);
 	if (!ifa) {
 		np_err(np, "no IP address for %s, aborting\n",
-		       egress_dev(np, buf));
+		       egress_dev(np, buf, sizeof(buf)));
 		return -EDESTADDRREQ;
 	}
 
@@ -719,7 +721,8 @@ int netpoll_setup(struct netpoll *np)
 		ndev = dev_getbyhwaddr(net, ARPHRD_ETHER, np->dev_mac);
 
 	if (!ndev) {
-		np_err(np, "%s doesn't exist, aborting\n", egress_dev(np, buf));
+		np_err(np, "%s doesn't exist, aborting\n",
+		       egress_dev(np, buf, sizeof(buf)));
 		err = -ENODEV;
 		goto unlock;
 	}
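Review bot: `sizeof(buf)` is only correct because `buf` is an array in this function's scope (the commit message says every caller declares `char buf[MAC_ADDR_STR_LEN + 1]`); if egress_dev() is ever called from a helper that receives `buf` as a `char *` parameter, sizeof yields the pointer size and the MAC is truncated again. The call sites in this patch are all fine; this is just the trap to watch for in future callers.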
@@ -727,14 +730,14 @@ int netpoll_setup(struct netpoll *np)
 
 	if (netdev_master_upper_dev_get(ndev)) {
 		np_err(np, "%s is a slave device, aborting\n",
-		       egress_dev(np, buf));
+		       egress_dev(np, buf, sizeof(buf)));
 		err = -EBUSY;
 		goto put;
 	}
 
 	if (!netif_running(ndev)) {
 		np_info(np, "device %s not up yet, forcing it\n",
-			egress_dev(np, buf));
+			egress_dev(np, buf, sizeof(buf)));
 
 		err = dev_open(ndev, NULL);
 		if (err) {




* [PATCH 6.18 103/270] net/rds: handle zerocopy send cleanup before the message is queued
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Xiao Liu, Nan Li, Ren Wei, Allison Henderson,
	Paolo Abeni

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nan Li <tonanli66@gmail.com>

commit 44b550d88b267320459d518c0743a241ab2108fa upstream.

A zerocopy send can fail after user pages have been pinned but before
the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an
unqueued message can be cleaned up as if it owned normal payload pages.
However, zerocopy ownership is really determined by the presence of
op_mmp_znotifier, regardless of whether the message has reached the
socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as
the cleanup discriminator. If the message is already associated with a
socket, keep the existing completion path. Otherwise, drop the pinned
page accounting directly and release the notifier before putting the
payload pages.

This keeps early send failure cleanup consistent with the zerocopy
lifetime rules without changing the normal queued completion path.

Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/d2ea98a6313d5467bac00f7c9fef8c7acddb9258.1777550074.git.tonanli66@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/message.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -129,24 +129,34 @@ static void rds_rm_zerocopy_callback(str
  */
 static void rds_message_purge(struct rds_message *rm)
 {
+	struct rds_znotifier *znotifier;
 	unsigned long i, flags;
-	bool zcopy = false;
+	bool zcopy;
 
 	if (unlikely(test_bit(RDS_MSG_PAGEVEC, &rm->m_flags)))
 		return;
 
 	spin_lock_irqsave(&rm->m_rs_lock, flags);
+	znotifier = rm->data.op_mmp_znotifier;
+	rm->data.op_mmp_znotifier = NULL;
+	zcopy = !!znotifier;
+
 	if (rm->m_rs) {
 		struct rds_sock *rs = rm->m_rs;
 
-		if (rm->data.op_mmp_znotifier) {
-			zcopy = true;
-			rds_rm_zerocopy_callback(rs, rm->data.op_mmp_znotifier);
+		if (znotifier) {
+			rds_rm_zerocopy_callback(rs, znotifier);
 			rds_wake_sk_sleep(rs);
-			rm->data.op_mmp_znotifier = NULL;
 		}
 		sock_put(rds_rs_to_sk(rs));
 		rm->m_rs = NULL;
+	} else if (znotifier) {
+		/*
+		 * Zerocopy can fail before the message is queued on the
+		 * socket, so there is no rs to carry the notification.
+		 */
+		mm_unaccount_pinned_pages(&znotifier->z_mmp);
+		kfree(rds_info_from_znotifier(znotifier));
 	}
 	spin_unlock_irqrestore(&rm->m_rs_lock, flags);
 
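Review bot: the block comment in the new `else if (znotifier)` branch opens with a bare `/*` line; networking code uses the style with text on the first line (`/* Zerocopy can fail ...`), so expect checkpatch or netdev reviewers to ask for that. On the logic itself: the notifier is detached from `rm->data.op_mmp_znotifier` under `m_rs_lock` before either branch runs, and `mm_unaccount_pinned_pages()` and `kfree()` are both safe with the spinlock held, so the two paths agree on who owns the notifier. A one-line comment that `zcopy` now drives the page-release code further down (outside this hunk) would make clear why it is computed from `znotifier` rather than from `rm->m_rs`, which is the whole point of the change.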




* [PATCH 6.18 104/270] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pavitra Jha, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavitra Jha <jhapavitra98@gmail.com>

commit 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 upstream.

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
a loop bound over port_msg->data[] without checking that the message buffer
contains sufficient data. A modem sending port_count=65535 in a 12-byte
buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header
fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
remaining-buffer check before accessing data_len, validate feat_data_len
against the actual remaining buffer to prevent OOB reads and signed
integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after
skb_pull(), and the validated feat_data_len at the handshake path.

Fixes: da45d2566a1d ("net: wwan: t7xx: Add control port")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Link: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wwan/t7xx/t7xx_modem_ops.c     |   20 +++++++++++++++++---
 drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c |   18 ++++++++++++++++--
 drivers/net/wwan/t7xx/t7xx_port_proxy.h    |    2 +-
 3 files changed, 34 insertions(+), 6 deletions(-)

--- a/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+++ b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
@@ -457,8 +457,20 @@ static int t7xx_parse_host_rt_data(struc
 
 	offset = sizeof(struct feature_query);
 	for (i = 0; i < FEATURE_COUNT && offset < data_length; i++) {
+		size_t remaining = data_length - offset;
+		size_t feat_data_len, feat_total;
+
+		if (remaining < sizeof(*rt_feature))
+			break;
+
 		rt_feature = data + offset;
-		offset += sizeof(*rt_feature) + le32_to_cpu(rt_feature->data_len);
+		feat_data_len = le32_to_cpu(rt_feature->data_len);
+
+		if (feat_data_len > remaining - sizeof(*rt_feature))
+			break;
+
+		feat_total = sizeof(*rt_feature) + feat_data_len;
+		offset += feat_total;
 
 		ft_spt_cfg = FIELD_GET(FEATURE_MSK, core->feature_set[i]);
 		if (ft_spt_cfg != MTK_FEATURE_MUST_BE_SUPPORTED)
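Review bot: the two new `break`s silently stop parsing when the feature list is truncated or a `data_len` runs past the buffer, whereas the existing `ft_spt_st` check a few lines down returns -EINVAL; a modem-supplied length that does not fit is arguably a protocol error and could be reported the same way rather than treated as end-of-list. Also, `feat_total` is used exactly once, to advance `offset`, and can be folded into that line.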
@@ -468,8 +480,10 @@ static int t7xx_parse_host_rt_data(struc
 		if (ft_spt_st != MTK_FEATURE_MUST_BE_SUPPORTED)
 			return -EINVAL;
 
-		if (i == RT_ID_MD_PORT_ENUM || i == RT_ID_AP_PORT_ENUM)
-			t7xx_port_enum_msg_handler(ctl->md, rt_feature->data);
+		if (i == RT_ID_MD_PORT_ENUM || i == RT_ID_AP_PORT_ENUM) {
+			t7xx_port_enum_msg_handler(ctl->md, rt_feature->data,
+						   feat_data_len);
+		}
 	}
 
 	return 0;
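Review bot: the braces added around the single (wrapped) call to t7xx_port_enum_msg_handler() are not needed under kernel style and checkpatch will flag them; drop them. Passing the already-validated `feat_data_len` is the correct bound, since that is exactly what the loop just checked against `remaining`.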
--- a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
+++ b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
@@ -117,6 +117,7 @@ static int fsm_ee_message_handler(struct
  * t7xx_port_enum_msg_handler() - Parse the port enumeration message to create/remove nodes.
  * @md: Modem context.
  * @msg: Message.
+ * @msg_len:	Length of @msg in bytes.
  *
  * Used to control create/remove device node.
  *
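Review bot: the new kernel-doc line `@msg_len:	Length of @msg in bytes.` uses a tab after the colon while the neighbouring `@md:` and `@msg:` lines use a single space; align it with its neighbours.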
@@ -124,12 +125,18 @@ static int fsm_ee_message_handler(struct
  * * 0		- Success.
  * * -EFAULT	- Message check failure.
  */
-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg)
+int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len)
 {
 	struct device *dev = &md->t7xx_dev->pdev->dev;
 	unsigned int version, port_count, i;
 	struct port_msg *port_msg = msg;
 
+	if (msg_len < sizeof(*port_msg)) {
+		dev_err(dev, "Port enum msg too short for header: need %zu, have %zu\n",
+			sizeof(*port_msg), msg_len);
+		return -EINVAL;
+	}
+
 	version = FIELD_GET(PORT_MSG_VERSION, le32_to_cpu(port_msg->info));
 	if (version != PORT_ENUM_VER ||
 	    le32_to_cpu(port_msg->head_pattern) != PORT_ENUM_HEAD_PATTERN ||
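Review bot: the new header-size check returns -EINVAL, but the kernel-doc Return section just above this hunk still documents only `0` and `-EFAULT - Message check failure`; add `-EINVAL` there (the struct_size() check later in the function returns it too). Using `%zu` for both `sizeof(*port_msg)` and `msg_len` is correct given the `size_t` parameter.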
@@ -141,6 +148,13 @@ int t7xx_port_enum_msg_handler(struct t7
 	}
 
 	port_count = FIELD_GET(PORT_MSG_PRT_CNT, le32_to_cpu(port_msg->info));
+
+	if (msg_len < struct_size(port_msg, data, port_count)) {
+		dev_err(dev, "Port enum msg too short: need %zu, have %zu\n",
+			struct_size(port_msg, data, port_count), msg_len);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < port_count; i++) {
 		u32 port_info = le32_to_cpu(port_msg->data[i]);
 		unsigned int ch_id;
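Review bot: `port_count` comes straight from a modem-controlled field, so this `dev_err()` can be triggered repeatedly by a misbehaving modem; `dev_err_ratelimited()` would avoid flooding the log. The check itself is sound: struct_size() cannot overflow for a count extracted from a 32-bit field, and comparing it against `msg_len` bounds every `port_msg->data[i]` read in the loop that follows.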
@@ -191,7 +205,7 @@ static int control_msg_handler(struct t7
 
 	case CTL_ID_PORT_ENUM:
 		skb_pull(skb, sizeof(*ctrl_msg_h));
-		ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data);
+		ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data, skb->len);
 		if (!ret)
 			ret = port_ctl_send_msg_to_md(port, CTL_ID_PORT_ENUM, 0);
 		else
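Review bot: the return value of `skb_pull(skb, sizeof(*ctrl_msg_h))` is still ignored; if the skb is shorter than the control header the pull fails, `skb->data` keeps pointing at the control header, and the `skb->len` now passed describes that unmodified buffer. The new `msg_len < sizeof(*port_msg)` check will most likely reject such a frame, but checking the pull result (or the skb length before pulling) here would make the intent explicit instead of relying on the callee.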
--- a/drivers/net/wwan/t7xx/t7xx_port_proxy.h
+++ b/drivers/net/wwan/t7xx/t7xx_port_proxy.h
@@ -103,7 +103,7 @@ void t7xx_port_proxy_reset(struct port_p
 void t7xx_port_proxy_uninit(struct port_proxy *port_prox);
 int t7xx_port_proxy_init(struct t7xx_modem *md);
 void t7xx_port_proxy_md_status_notify(struct port_proxy *port_prox, unsigned int state);
-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg);
+int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len);
 int t7xx_port_proxy_chl_enable_disable(struct port_proxy *port_prox, unsigned int ch_id,
 				       bool en_flag);
 void t7xx_port_proxy_set_cfg(struct t7xx_modem *md, enum port_cfg_id cfg_id);




* [PATCH 6.18 105/270] platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benson Leung, Abhishek Pandit-Subedi,
	Tzung-Bi Shih

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tzung-Bi Shih <tzungbi@kernel.org>

commit 525cb7ba6661074c1c5cc3772bccc6afab6791ef upstream.

cros_typec_register_thunderbolt() missed initializing the `adata->lock`
mutex.  This leads to a NULL dereference when the mutex is later
acquired (e.g. in cros_typec_altmode_work()).

Initialize the mutex in cros_typec_register_thunderbolt() to fix the
issue.

Cc: stable@vger.kernel.org
Fixes: 3b00be26b16a ("platform/chrome: cros_ec_typec: Thunderbolt support")
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Link: https://lore.kernel.org/r/20260505053403.3335740-1-tzungbi@kernel.org
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/chrome/cros_typec_altmode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/platform/chrome/cros_typec_altmode.c
+++ b/drivers/platform/chrome/cros_typec_altmode.c
@@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct c
 	}
 
 	INIT_WORK(&adata->work, cros_typec_altmode_work);
+	mutex_init(&adata->lock);
 	adata->alt = alt;
 	adata->port = port;
 	adata->ap_mode_entry = true;
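Review bot: placing `mutex_init(&adata->lock)` next to INIT_WORK() is the right spot, since the work handler is what later takes the lock. Two things to confirm outside this hunk: that the non-Thunderbolt registration path already initialises the same lock (the commit message implies only this path missed it), and whether the unregister path is expected to call mutex_destroy() for symmetry.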




* [PATCH 6.18 106/270] parisc: Fix IRQ leak in LASI driver
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
	Hongling Zeng, Helge Deller

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongling Zeng <zenghongling@kylinos.cn>

commit 37b0dc5e279f35036fb638d1e187197b6c05a76d upstream.

When request_irq() succeeds but gsc_common_setup() fails later,
the IRQ is never released. Fix this by adding proper error handling
with goto labels to ensure resources are released in LIFO order.

Detected by Smatch:
  drivers/parisc/lasi.c:216 lasi_init_chip() warn: 'lasi->gsc_irq.irq'
from request_irq() not released on lines: 207.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604180957.4QdAIxP6-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parisc/lasi.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/parisc/lasi.c
+++ b/drivers/parisc/lasi.c
@@ -193,8 +193,7 @@ static int __init lasi_init_chip(struct
 
 	ret = request_irq(lasi->gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi);
 	if (ret < 0) {
-		kfree(lasi);
-		return ret;
+		goto err_free;
 	}
 
 	/* enable IRQ's for devices below LASI */
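Review bot: with the body reduced to a single `goto err_free;`, the braces around `if (ret < 0)` are no longer needed under kernel style (the same applies to the `goto err_irq;` block in the next hunk). Separately, the comment at the end of this hunk shows that IRQs for devices below LASI are enabled between request_irq() and gsc_common_setup(); the new err_irq path frees the IRQ without reverting that enable, which is probably harmless during init failure but deserves a short note in the commit message or the code.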
@@ -203,8 +202,7 @@ static int __init lasi_init_chip(struct
 	/* Done init'ing, register this driver */
 	ret = gsc_common_setup(dev, lasi);
 	if (ret) {
-		kfree(lasi);
-		return ret;
+		goto err_irq;
 	}    
 
 	gsc_fixup_irqs(dev, lasi, lasi_choose_irq);
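Review bot: the context line `}    ` carries trailing whitespace; it predates this patch, but since the line is being touched anyway it is a good moment to drop it, and the braces around the lone `goto err_irq;` can go as well.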
@@ -214,6 +212,12 @@ static int __init lasi_init_chip(struct
 		SYS_OFF_PRIO_DEFAULT, lasi_power_off, lasi);
 
 	return ret;
+
+err_irq:
+	free_irq(lasi->gsc_irq.irq, lasi);
+err_free:
+	kfree(lasi);
+	return ret;
 }
 
 static struct parisc_device_id lasi_tbl[] __initdata = {
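Review bot: the labels unwind in LIFO order (free_irq() before kfree()), as the commit message describes. One thing that now stands out next to the new labels: on the success path `ret` is the result of the preceding call that registers lasi_power_off, and a failure there is returned without going through err_irq/err_free, so the IRQ and the allocation would leak in that case too. That predates this patch, but a follow-up could route that error through the same labels.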




* [PATCH 6.18 107/270] x86/efi: Fix graceful fault handling after FPU softirq changes
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Hu, Ard Biesheuvel

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Hu <ivan.hu@canonical.com>

commit 088f65e206087bf903743bd18417261d7a4c9644 upstream.

Since commit d02198550423 ("x86/fpu: Improve crypto performance by
making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
calls fpregs_lock() which uses local_bh_disable() instead of the
previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
during the entire EFI runtime service call, causing in_interrupt() to
return true in normal task context.

The graceful page fault handler efi_crash_gracefully_on_page_fault()
uses in_interrupt() to bail out for faults in real interrupt context.
With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
firmware page faults unhandled. This escalates to die() which also sees
in_interrupt() as true and calls panic("Fatal exception in interrupt"),
resulting in a hard system freeze. On systems with buggy firmware that
triggers page faults during EFI runtime calls (e.g., accessing unmapped
memory in GetTime()), this causes an unrecoverable hang instead of the
expected graceful EFI_ABORTED recovery.

Fix by replacing in_interrupt() with !in_task(). This preserves the
original intent of bailing for interrupts or NMI faults, while no longer
falsely triggering from the FPU code path's local_bh_disable().

Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
[ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a
       window where a softirq may be taken before fpregs_lock() is
       called, but after efi_rts_work.efi_rts_id has been assigned,
       and any page faults occurring in that window will then be
       misidentified as having been caused by the firmware. Instead,
       use !in_task(), which incorporates in_serving_softirq(). ]
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/platform/efi/quirks.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -771,7 +771,7 @@ void efi_crash_gracefully_on_page_fault(
 	 * If we get an interrupt/NMI while processing an EFI runtime service
 	 * then this is a regular OOPS, not an EFI failure.
 	 */
-	if (in_interrupt())
+	if (!in_task())
 		return;
 
 	/*
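Review bot: the comment above the changed line still says "interrupt/NMI"; since `!in_task()` is also true while serving a softirq (the reason the bracketed note in the commit message gives for preferring it over `in_hardirq() || in_nmi()`), the comment should mention softirq context too, so that the next reader does not "fix" the condition back to in_interrupt().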




* [PATCH 6.18 108/270] hwmon: (ltc2992) Clamp threshold writes to hardware range
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanman Pradhan <psanman@juniper.net>

commit d6cc7c99bf1f73eda7d565d224d791d16239bb41 upstream.

ltc2992_set_voltage(), ltc2992_set_current(), and ltc2992_set_power()
do not validate the user-supplied value before converting it to a
register value. This can result in:

1. Negative input values wrapping to large positive register values.
   For power, the negative long is implicitly cast to u64 in
   mul_u64_u32_div(), producing an incorrect value. For voltage and
   current, the negative converted value wraps when passed to
   ltc2992_write_reg() as a u32.

2. Intermediate arithmetic exceeding the range representable in u64 on
   64-bit platforms. In ltc2992_set_voltage(), (u64)val * 1000 can
   exceed U64_MAX when val is a large positive long. In
   ltc2992_set_current(), (u64)val * r_sense_uohm can overflow
   similarly. In ltc2992_set_power(), the computed value may not fit
   in u64.

3. Register values exceeding the hardware field width. Voltage and
   current threshold registers are 12-bit (stored left-justified in
   16 bits), and power threshold registers are 24-bit. Without
   clamping, bits above the field width are truncated in
   ltc2992_write_reg().

Fix by clamping negative values to zero, clamping positive values to
the rounded hardware-representable maximum (the value returned by the
read path for a full-scale register) to prevent intermediate overflow,
and clamping the converted register value to the hardware field width
before writing. The existing conversion formula and rounding behavior
are preserved.

In the power write path, cancel the factor of 1000 from both the
numerator (r_sense_uohm * 1000) and the denominator
(VADC_UV_LSB * IADC_NANOV_LSB) to also eliminate a u32 overflow of
r_sense_uohm * 1000 when r_sense_uohm exceeds about 4.29 ohms.

Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260416215904.101969-2-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/ltc2992.c |   35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -431,10 +431,16 @@ static int ltc2992_get_voltage(struct lt
 
 static int ltc2992_set_voltage(struct ltc2992_state *st, u32 reg, u32 scale, long val)
 {
-	val = DIV_ROUND_CLOSEST(val * 1000, scale);
-	val = val << 4;
+	u32 reg_val;
+	long vmax;
+
+	vmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * scale, 1000);
+	val = max(val, 0L);
+	val = min(val, vmax);
+	reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * 1000, scale),
+		      0xFFFULL) << 4;
 
-	return ltc2992_write_reg(st, reg, 2, val);
+	return ltc2992_write_reg(st, reg, 2, reg_val);
 }
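Review bot: the 12-bit field is spelled out as `0xFFFULL` and `<< 4` here and again in ltc2992_set_current() in the next hunk; a named constant for the field maximum and the left-justification shift would make the clamps self-documenting and keep the two functions in sync. The second min() against 0xFFFULL is still needed after the `vmax` clamp, because DIV_ROUND_CLOSEST_ULL() rounding can, depending on `scale`, push a value at `vmax` to 0x1000, so keep both.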
 
 static int ltc2992_read_gpio_alarm(struct ltc2992_state *st, int nr_gpio, u32 attr, long *val)
@@ -559,9 +565,15 @@ static int ltc2992_get_current(struct lt
 static int ltc2992_set_current(struct ltc2992_state *st, u32 reg, u32 channel, long val)
 {
 	u32 reg_val;
+	long cmax;
 
-	reg_val = DIV_ROUND_CLOSEST(val * st->r_sense_uohm[channel], LTC2992_IADC_NANOV_LSB);
-	reg_val = reg_val << 4;
+	cmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * LTC2992_IADC_NANOV_LSB,
+				     st->r_sense_uohm[channel]);
+	val = max(val, 0L);
+	val = min(val, cmax);
+	reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * st->r_sense_uohm[channel],
+					    LTC2992_IADC_NANOV_LSB),
+		      0xFFFULL) << 4;
 
 	return ltc2992_write_reg(st, reg, 2, reg_val);
 }
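Review bot: `cmax` now divides by `st->r_sense_uohm[channel]`, which in the removed line was only a multiplier; unless the probe path rejects a zero shunt value this is a divide-by-zero on the first threshold write, so worth confirming (the same applies to `pmax` in the next hunk). The clamp sequence itself is right: the `cmax` clamp keeps `(u64)val * r_sense_uohm` from overflowing and the final min() keeps the register value within the 12-bit field.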
@@ -634,9 +646,18 @@ static int ltc2992_get_power(struct ltc2
 static int ltc2992_set_power(struct ltc2992_state *st, u32 reg, u32 channel, long val)
 {
 	u32 reg_val;
+	u64 pmax, uval;
 
-	reg_val = mul_u64_u32_div(val, st->r_sense_uohm[channel] * 1000,
-				  LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB);
+	uval = max(val, 0L);
+	pmax = mul_u64_u32_div(0xFFFFFFULL,
+			       LTC2992_VADC_UV_LSB / 1000 *
+			       LTC2992_IADC_NANOV_LSB,
+			       st->r_sense_uohm[channel]);
+	uval = min(uval, pmax);
+	reg_val = min(mul_u64_u32_div(uval, st->r_sense_uohm[channel],
+				      LTC2992_VADC_UV_LSB / 1000 *
+				      LTC2992_IADC_NANOV_LSB),
+		      0xFFFFFFULL);
 
 	return ltc2992_write_reg(st, reg, 3, reg_val);
 }
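
Review bot: the expression "LTC2992_VADC_UV_LSB / 1000 * LTC2992_IADC_NANOV_LSB" used for both pmax and reg_val is only exact when LTC2992_VADC_UV_LSB is a multiple of 1000; the integer division happens first, so a future change of that constant would silently skew every power threshold. A static_assert(LTC2992_VADC_UV_LSB % 1000 == 0) next to the constant, or at least a comment, would pin the invariant down. Separately, "uval = max(val, 0L)" stores a long into a u64; that is correct, but the other two setters clamp in long and cast once, and keeping the three functions uniform would make the pattern easier to audit.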




* [PATCH 6.18 109/270] hwmon: (ltc2992) Fix u32 overflow in power read path
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 108/270] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 110/270] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanman Pradhan <psanman@juniper.net>

commit 2da0c1fd01dbd6b22844e8676585153dfc660cbe upstream.

ltc2992_get_power() computes the divisor for mul_u64_u32_div() as
r_sense_uohm * 1000. This multiplication overflows u32 when
r_sense_uohm exceeds about 4.29 ohms (4294967 micro-ohms), producing
a truncated divisor and an incorrect power reading.

Cancel the factor of 1000 from both the numerator
(VADC_UV_LSB * IADC_NANOV_LSB = 312500000) and the divisor
(r_sense_uohm * 1000), giving (VADC_UV_LSB / 1000) * IADC_NANOV_LSB
= 312500 as the numerator and plain r_sense_uohm as the divisor.
The cancellation is exact because LTC2992_VADC_UV_LSB (25000) is
divisible by 1000.

This is the read-path counterpart of the write-path fix applied in
the preceding patch.

Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260416215904.101969-3-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/ltc2992.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -637,8 +637,10 @@ static int ltc2992_get_power(struct ltc2
 	if (reg_val < 0)
 		return reg_val;
 
-	*val = mul_u64_u32_div(reg_val, LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB,
-			       st->r_sense_uohm[channel] * 1000);
+	*val = mul_u64_u32_div(reg_val,
+			       LTC2992_VADC_UV_LSB / 1000 *
+			       LTC2992_IADC_NANOV_LSB,
+			       st->r_sense_uohm[channel]);
 
 	return 0;
 }
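
Review bot: same invariant as the write-path fix: "LTC2992_VADC_UV_LSB / 1000 * LTC2992_IADC_NANOV_LSB" relies on the constant being divisible by 1000, which the commit message asserts (25000) but the code does not enforce; a build-time assertion would make the cancellation self-documenting. The change also removes the only u32 multiply in the divisor, so the overflow bound the commit message quotes (r_sense_uohm above about 4294967) no longer exists, and the divisor passed to mul_u64_u32_div() is now the raw shunt value, which must be non-zero for every channel.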




* [PATCH 6.18 110/270] clk: rk808: fix OF node reference imbalance
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 109/270] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 111/270] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Johan Hovold,
	Brian Masney, Heiko Stuebner, Stephen Boyd

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit de019f203b0d472c98ead4081ad4f05d92c9b826 upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: 2dc51ca822e4 ("clk: RK808: Reduce 'struct rk808' usage")
Cc: stable@vger.kernel.org	# 6.5
Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/clk-rk808.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/clk-rk808.c
+++ b/drivers/clk/clk-rk808.c
@@ -153,7 +153,7 @@ static int rk808_clkout_probe(struct pla
 	struct rk808_clkout *rk808_clkout;
 	int ret;
 
-	dev->of_node = pdev->dev.parent->of_node;
+	device_set_of_node_from_dev(dev, dev->parent);
 
 	rk808_clkout = devm_kzalloc(dev,
 				    sizeof(*rk808_clkout), GFP_KERNEL);
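
Review bot: device_set_of_node_from_dev() both takes the missing reference and sets dev->of_node_reused, and the second effect deserves a mention in the commit message, since the driver core uses that flag to skip re-binding resources such as pin control for a device that shares its parent's node. The hunk also changes the source from pdev->dev.parent to dev->parent; that is equivalent as long as dev is &pdev->dev, which the surrounding code suggests but this diff does not show. No matching of_node_put() is needed on remove, because the reference is the one the platform bus drops when the child device is released, as the commit message explains.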




* [PATCH 6.18 111/270] hwmon: (corsair-psu) Close HID device on probe errors
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 110/270] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 112/270] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Wilken Gottwalt,
	Guenter Roeck

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myeonghun Pak <mhun512@gmail.com>

commit 174606451fbb17db506ebaacdd5e203e57773d5f upstream.

corsairpsu_probe() opens the HID device before sending the device init
and firmware-info commands. If either command fails, the error path jumps
directly to fail_and_stop and skips hid_hw_close().

Use the existing fail_and_close label for those post-open failures so the
open count and low-level close callback are balanced before hid_hw_stop().

Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver")
Cc: stable@vger.kernel.org
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Reviewed-by: Wilken Gottwalt <wilken.gottwalt@posteo.net>
Link: https://lore.kernel.org/r/20260424135107.13720-1-mhun512@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/corsair-psu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/corsair-psu.c
+++ b/drivers/hwmon/corsair-psu.c
@@ -805,13 +805,13 @@ static int corsairpsu_probe(struct hid_d
 	ret = corsairpsu_init(priv);
 	if (ret < 0) {
 		dev_err(&hdev->dev, "unable to initialize device (%d)\n", ret);
-		goto fail_and_stop;
+		goto fail_and_close;
 	}
 
 	ret = corsairpsu_fwinfo(priv);
 	if (ret < 0) {
 		dev_err(&hdev->dev, "unable to query firmware (%d)\n", ret);
-		goto fail_and_stop;
+		goto fail_and_close;
 	}
 
 	corsairpsu_get_criticals(priv);
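
Review bot: the hunk does not show the fail_and_close and fail_and_stop labels, so a reviewer cannot confirm from the diff alone that fail_and_close calls hid_hw_close() and then falls through into fail_and_stop's hid_hw_stop(); either widen the context or state the label ordering in the commit message. While here, it is worth confirming that any failure after corsairpsu_get_criticals(priv) (the hwmon registration that follows in this function) already jumps to fail_and_close too, otherwise the same open-count imbalance remains for those paths.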




* [PATCH 6.18 112/270] af_unix: Reject SIOCATMARK on non-stream sockets
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 111/270] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 113/270] arm64/fpsimd: ptrace: zero targets fpsimd_state, not the tracers Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Kuniyuki Iwashima, Jiexun Wang, Ren Wei,
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream.

SIOCATMARK reports whether the receive queue is at the urgent mark for
MSG_OOB.

In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets.
SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(),
so they should not support SIOCATMARK either.

Return -EOPNOTSUPP for non-stream sockets before checking the receive
queue.

Fixes: 314001f0bf92 ("af_unix: Add OOB support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/unix/af_unix.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3339,6 +3339,9 @@ static int unix_ioctl(struct socket *soc
 			struct sk_buff *skb;
 			int answ = 0;
 
+			if (sk->sk_type != SOCK_STREAM)
+				return -EOPNOTSUPP;
+
 			mutex_lock(&u->iolock);
 
 			skb = skb_peek(&sk->sk_receive_queue);
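
Review bot: the early return sits before mutex_lock(&u->iolock), which is correct because sk->sk_type is fixed at socket creation and needs no lock, but it is a user-visible change: SIOCATMARK on a SOCK_DGRAM or SOCK_SEQPACKET unix socket previously went through the queue check and returned a value, and now fails with EOPNOTSUPP. The commit message justifies this by consistency with the MSG_OOB handling in sendmsg()/recvmsg(); it would help to state the behaviour change explicitly as an ABI note and to add the case to the af_unix selftests so the scenario the four reporters hit is covered by a test.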




* [PATCH 6.18 113/270] arm64/fpsimd: ptrace: zero targets fpsimd_state, not the tracers
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 112/270] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 114/270] pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Breno Leitao, Mark Rutland,
	Catalin Marinas

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

commit 5cbb61bf4168859d97c068d88d364f4f1f440325 upstream.

sve_set_common() is the backend for PTRACE_SETREGSET(NT_ARM_SVE) and
PTRACE_SETREGSET(NT_ARM_SSVE). Every write in the function operates on
the tracee (target) - except a single memset that uses current instead,
zeroing the tracer's saved V0-V31 / FPSR / FPCR shadow on every ptrace
SETREGSET call.

The memset is meant to give the tracee a defined zero register image
before the user-supplied payload is copied in (for partial writes,
header-only writes, and FPSIMD<->SVE format switches). Aiming it at
current both denies the tracee that clean slate and silently corrupts
the tracer.

The corruption of the tracer's saved FPSIMD state is not always
observable. Where the tracer's state is live on a CPU, this may be
reused without loading the corrupted state from memory, and will
eventually be written back over the corrupted state. Where the tracer's
state is saved in SVE_PT_REGS_SVE format, only the FPSR and FPCR are
clobbered, and the effective copy of the vectors is in the task's
sve_state.

Reproducible on an arm64 kernel with SVE: a single-threaded tracer that
loads a known pattern into V0-V31, issues PTRACE_SETREGSET(NT_ARM_SVE)
on a child, and reads V0-V31 back observes them all zeroed within tens
of thousands of iterations when a sibling thread keeps stealing the
FPSIMD CPU binding.

Fixes: 316283f276eb ("arm64/fpsimd: ptrace: Consistently handle partial writes to NT_ARM_(S)SVE")
Cc: <stable@vger.kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/ptrace.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -957,8 +957,8 @@ static int sve_set_common(struct task_st
 	}
 
 	/* Always zero V regs, FPSR, and FPCR */
-	memset(&current->thread.uw.fpsimd_state, 0,
-	       sizeof(current->thread.uw.fpsimd_state));
+	memset(&target->thread.uw.fpsimd_state, 0,
+	       sizeof(target->thread.uw.fpsimd_state));
 
 	/* Registers: FPSIMD-only case */
 




* [PATCH 6.18 114/270] pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 113/270] arm64/fpsimd: ptrace: zero targets fpsimd_state, not the tracers Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 115/270] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Ulf Hansson

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

commit ec1fcddb3117d9452210e838fd37389ee61e10e8 upstream.

In scpsys_get_bus_protection_legacy(), of_find_node_with_property()
returns a device node with its reference count incremented. The function
then calls of_node_put(node) before checking whether
syscon_regmap_lookup_by_phandle() returns an error. If an error occurs,
dev_err_probe() dereferences the node pointer to print diagnostic
information, but the node memory may have already been freed due to the
earlier of_node_put(), leading to a use-after-free vulnerability.

Fix this by moving the of_node_put() call after the error check, ensuring
the node is still valid when accessed in the error path.

Fixes: c29345fa5f66 ("pmdomain: mediatek: Refactor bus protection regmaps retrieval")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pmdomain/mediatek/mtk-pm-domains.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/pmdomain/mediatek/mtk-pm-domains.c
+++ b/drivers/pmdomain/mediatek/mtk-pm-domains.c
@@ -757,6 +757,7 @@ static int scpsys_get_bus_protection_leg
 	struct device_node *node, *smi_np;
 	int num_regmaps = 0, i, j;
 	struct regmap *regmap[3];
+	int ret = 0;
 
 	/*
 	 * Legacy code retrieves a maximum of three bus protection handles:
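
Review bot: "int ret = 0;" is only ever assigned immediately before it is returned (in the next hunk), so the zero initialiser is dead; drop it, or declare ret inside the IS_ERR block where it is used, so the compiler can still warn if a future path returns it uninitialised.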
@@ -807,11 +808,14 @@ static int scpsys_get_bus_protection_leg
 	if (node) {
 		regmap[2] = syscon_regmap_lookup_by_phandle(node, "mediatek,infracfg-nao");
 		num_regmaps++;
-		of_node_put(node);
-		if (IS_ERR(regmap[2]))
-			return dev_err_probe(dev, PTR_ERR(regmap[2]),
+		if (IS_ERR(regmap[2])) {
+			ret = dev_err_probe(dev, PTR_ERR(regmap[2]),
 					     "%pOF: failed to get infracfg regmap\n",
 					     node);
+			of_node_put(node);
+			return ret;
+		}
+		of_node_put(node);
 	} else {
 		regmap[2] = NULL;
 	}
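
Review bot: the reordering is correct but leaves of_node_put(node) duplicated on the error and success paths, which is the pattern that produced the original bug; the scoped cleanup helper from <linux/of.h> (struct device_node *node __free(device_node)) would drop the reference on every exit automatically, provided node is not shared with the earlier lookups in this function (it is declared alongside smi_np in the first hunk, so check how the preceding blocks reuse it). For the commit message: a device_node from the flattened tree is normally not freed after of_node_put(), so the use-after-free is realistic mainly with dynamic overlays or OF_DYNAMIC; naming the configuration that makes it reachable would help stable reviewers weigh the backport.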




* [PATCH 6.18 115/270] block: add pgmap check to biovec_phys_mergeable
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 114/270] pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 116/270] block: only read from sqe on initial invocation of blkdev_uring_cmd() Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Naman Jain,
	Jens Axboe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naman Jain <namjain@linux.microsoft.com>

commit 13920e4b7b784b40cf4519ff1f0f3e513476a499 upstream.

biovec_phys_mergeable() is used by the request merge, DMA mapping,
and integrity merge paths to decide if two physically contiguous
bvec segments can be coalesced into one. It currently has no check
for whether the segments belong to different dev_pagemaps.

When zone device memory is registered in multiple chunks, each chunk
gets its own dev_pagemap. A single bio can legitimately contain
bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at
pgmap boundaries but the outer loop in bio_iov_iter_get_pages()
continues filling the same bio. If such bvecs are physically
contiguous, biovec_phys_mergeable() will coalesce them, making it
impossible to recover the correct pgmap for the merged segment
via page_pgmap().

Add a zone_device_pages_have_same_pgmap() check to prevent merging
bvec segments that span different pgmaps.

Fixes: 49580e690755 ("block: add check when merging zone device pages")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
Link: https://patch.msgid.link/20260410153414.4159050-2-namjain@linux.microsoft.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/block/blk.h
+++ b/block/blk.h
@@ -132,6 +132,8 @@ static inline bool biovec_phys_mergeable
 
 	if (addr1 + vec1->bv_len != addr2)
 		return false;
+	if (!zone_device_pages_have_same_pgmap(vec1->bv_page, vec2->bv_page))
+		return false;
 	if (xen_domain() && !xen_biovec_phys_mergeable(vec1, vec2->bv_page))
 		return false;
 	if ((addr1 | mask) != ((addr2 + vec2->bv_len - 1) | mask))
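
Review bot: biovec_phys_mergeable() is a static inline in a header, and zone_device_pages_have_same_pgmap() comes from <linux/memremap.h>; the hunk does not show whether block/blk.h includes it directly, so confirm it does rather than relying on a transitive include, since the helper must be visible to every translation unit that pulls in this inline. The placement is right: the cheap address-contiguity test still runs first, and the helper returns true when neither page is ZONE_DEVICE, so the common path gains only a page-flag check. A blktests or kunit case that builds a bio from two adjacent pgmaps would be the natural regression test if the infrastructure allows it.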




* [PATCH 6.18 116/270] block: only read from sqe on initial invocation of blkdev_uring_cmd()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 115/270] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 117/270] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit 212ec34e4e726e8cd4af7bea4740db24de8a9dab upstream.

This passthrough helper currently only supports discards. Part of that
command is the start and length, which is read from the SQE. It does
so on every invocation, where it really should just make it stable
on the first invocation. This avoids needing to copy the SQE upfront,
as we only really need those two 8b values stored in our per-req
payload.

Cc: stable@vger.kernel.org # 6.17+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/ioctl.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -765,6 +765,8 @@ long compat_blkdev_ioctl(struct file *fi
 #endif
 
 struct blk_iou_cmd {
+	u64 start;
+	u64 len;
 	int res;
 	bool nowait;
 };
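
Review bot: the two new u64 fields grow struct blk_iou_cmd to 24 bytes plus padding, which still fits the io_uring_cmd pdu area; io_uring_cmd_to_pdu() enforces that at build time, so no runtime check is needed, and placing the u64s first as done here keeps them naturally aligned. Fine as is.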
@@ -852,23 +854,27 @@ int blkdev_uring_cmd(struct io_uring_cmd
 {
 	struct block_device *bdev = I_BDEV(cmd->file->f_mapping->host);
 	struct blk_iou_cmd *bic = io_uring_cmd_to_pdu(cmd, struct blk_iou_cmd);
-	const struct io_uring_sqe *sqe = cmd->sqe;
 	u32 cmd_op = cmd->cmd_op;
-	uint64_t start, len;
 
-	if (unlikely(sqe->ioprio || sqe->__pad1 || sqe->len ||
-		     sqe->rw_flags || sqe->file_index))
-		return -EINVAL;
+	/* Read what we need from the SQE on the first issue */
+	if (!(issue_flags & IORING_URING_CMD_REISSUE)) {
+		const struct io_uring_sqe *sqe = cmd->sqe;
+
+		if (unlikely(sqe->ioprio || sqe->__pad1 || sqe->len ||
+			     sqe->rw_flags || sqe->file_index))
+			return -EINVAL;
+
+		bic->start = READ_ONCE(sqe->addr);
+		bic->len = READ_ONCE(sqe->addr3);
+	}
 
 	bic->res = 0;
 	bic->nowait = issue_flags & IO_URING_F_NONBLOCK;
 
-	start = READ_ONCE(sqe->addr);
-	len = READ_ONCE(sqe->addr3);
-
 	switch (cmd_op) {
 	case BLOCK_URING_CMD_DISCARD:
-		return blkdev_cmd_discard(cmd, bdev, start, len, bic->nowait);
+		return blkdev_cmd_discard(cmd, bdev, bic->start, bic->len,
+					  bic->nowait);
 	}
 	return -EINVAL;
 }
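
Review bot: the property that matters here is that sqe->addr and sqe->addr3 are now validated and captured once, on the first issue, so a later re-issue cannot see different values from the ones that passed the reserved-field check (the SQE slot belongs to userspace and may be reused once the first issue returns); the commit message says "make it stable", but spelling out that the old code re-read user-controlled fields on every invocation would make the stable relevance obvious. One question on "bic->res = 0;": it is still reset on every call, including re-issue, which is correct only if a re-issued discard restarts from scratch; if blkdev_cmd_discard() accumulates partial completion status in res, that reset belongs inside the first-issue branch as well.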




* [PATCH 6.18 117/270] cifs: abort open_cached_dir if we dont request leases
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 116/270] block: only read from sqe on initial invocation of blkdev_uring_cmd() Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 118/270] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
	Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shyam Prasad N <sprasad@microsoft.com>

commit d68ce834f8cf6cb2e77f3331df65166b35466b53 upstream.

It is possible that SMB2_open_init may not set lease context based
on the requested oplock level. This can happen when leases have been
temporarily or permanently disabled. When this happens, we will have
open_cached_dir making an open without lease context and the response
will anyway be rejected by open_cached_dir (thereby forcing a close to
discard this open). That's two unnecessary round-trips to the server.

This change adds a check before making the open request to the server
to make sure that SMB2_open_init did add the expected lease context
to the open in open_cached_dir.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cached_dir.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/smb/client/cached_dir.c
+++ b/fs/smb/client/cached_dir.c
@@ -286,6 +286,14 @@ replay_again:
 			    &rqst[0], &oplock, &oparms, utf16_path);
 	if (rc)
 		goto oshr_free;
+
+	if (oplock != SMB2_OPLOCK_LEVEL_II) {
+		rc = -EINVAL;
+		cifs_dbg(FYI, "%s: Oplock level %d not suitable for cached directory\n",
+			 __func__, oplock);
+		goto oshr_free;
+	}
+
 	smb2_set_next_command(tcon, &rqst[0]);
 
 	memset(&qi_iov, 0, sizeof(qi_iov));
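
Review bot: the test "oplock != SMB2_OPLOCK_LEVEL_II" only does what the commit message describes if SMB2_open_init() rewrites oplock in place when it declines to attach a lease context; that contract is not visible in this hunk, so a comment above the check (SMB2_open_init() downgrades oplock when leases are unavailable; a cached directory needs a lease) would tie the test to its reason. -EINVAL also reads as a caller error, whereas this is a transient condition rather than a malformed request; a distinct code, or at least a note that callers treat any error as "no cached directory", would keep it from being mistaken for a bug in the request.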




* [PATCH 6.18 118/270] cifs: change_conf needs to be called for session setup
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 117/270] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 119/270] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
	Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shyam Prasad N <sprasad@microsoft.com>

commit c208a2b95811d6e1ebae65d0d2fc13f73707f8e7 upstream.

Today we skip calling change_conf for negotiates and session setup
requests. This can be a problem for mchan as the immediate next call
after session setup could be due to an I/O that is made on the
mount point. For single channel, this is not a problem as
there will be several calls after setting up session.

This change enforces calling change_conf when the total credits contain
enough for reservations for echoes and oplocks. We expect this to happen
during the last session setup response. This way, echoes and oplocks are
not disabled before the first request to the server. So if that first
request is an open, it does not need to disable requesting leases.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2ops.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -111,10 +111,21 @@ smb2_add_credits(struct TCP_Server_Info
 				      cifs_trace_rw_credits_zero_in_flight);
 	}
 	server->in_flight--;
+
+	/*
+	 * Rebalance credits when an op drains in_flight. For session setup,
+	 * do this only when the total accumulated credits are high enough (>2)
+	 * so that a newly established secondary channel can reserve credits for
+	 * echoes and oplocks. We expect this to happen at the end of the final
+	 * session setup response.
+	 */
 	if (server->in_flight == 0 &&
 	   ((optype & CIFS_OP_MASK) != CIFS_NEG_OP) &&
 	   ((optype & CIFS_OP_MASK) != CIFS_SESS_OP))
 		rc = change_conf(server);
+	else if (server->in_flight == 0 &&
+		 ((optype & CIFS_OP_MASK) == CIFS_SESS_OP) && *val > 2)
+		rc = change_conf(server);
 	/*
 	 * Sometimes server returns 0 credits on oplock break ack - we need to
 	 * rebalance credits in this case.
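
Review bot: the two branches call change_conf(server) under conditions that differ only in the session-setup case, so a single combined test would read better than an if/else-if pair with the same body: in_flight == 0 and (optype is neither CIFS_NEG_OP nor CIFS_SESS_OP, or optype is CIFS_SESS_OP and *val > 2). The magic 2 is explained in the new comment as the reservations for echoes and oplocks, but change_conf() is where those reservations are actually decided, so a named constant shared with it would keep the two from drifting apart. Also confirm that *val is the total credit count at this point rather than the per-response grant, since the comment speaks of "total accumulated credits".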




* [PATCH 6.18 119/270] extcon: ptn5150: handle pending IRQ events during system resume
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 118/270] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 120/270] gpio: of: clear OF_POPULATED on hog nodes in remove path Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, MyungJoo Ham,
	Xu Yang, Chanwoo Choi

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit 4652fefcda3c604c83d1ae28ede94544e2142f06 upstream.

When the system is suspended and the ptn5150 wakeup interrupt is disabled,
any changes on ptn5150 will only be recorded in interrupt status
registers and won't fire an IRQ since its trigger type is falling
edge. So the HW interrupt line will keep at low state and any further
changes won't trigger IRQ anymore. To fix it, this will schedule a
work to check whether any IRQs are pending and handle it accordingly.

Fixes: 4ed754de2d66 ("extcon: Add support for ptn5150 extcon driver")
Cc: stable@vger.kernel.org
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Link: https://lore.kernel.org/lkml/20251115025905.1395347-1-xu.yang_2@nxp.com/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/extcon/extcon-ptn5150.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/extcon/extcon-ptn5150.c
+++ b/drivers/extcon/extcon-ptn5150.c
@@ -331,6 +331,19 @@ static int ptn5150_i2c_probe(struct i2c_
 	return 0;
 }
 
+static int ptn5150_resume(struct device *dev)
+{
+	struct i2c_client *i2c = to_i2c_client(dev);
+	struct ptn5150_info *info = i2c_get_clientdata(i2c);
+
+	/* Need to check possible pending interrupt events */
+	schedule_work(&info->irq_work);
+
+	return 0;
+}
+
+static DEFINE_SIMPLE_DEV_PM_OPS(ptn5150_pm_ops, NULL, ptn5150_resume);
+
 static const struct of_device_id ptn5150_dt_match[] = {
 	{ .compatible = "nxp,ptn5150" },
 	{ },
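
Review bot: ptn5150_resume() schedules info->irq_work unconditionally, so the handler now runs once per resume even when nothing is pending, and it can coincide with the same work being queued by the interrupt thread once the line is re-enabled; the work function is not in this diff, so confirm it tolerates a spurious run (reads the status registers under its lock and does nothing when they are clear). The reasoning in the commit message (a falling-edge IRQ that stays low cannot re-fire, so the status register has to be polled after resume) is the useful thing to put in the comment next to schedule_work(), in place of the generic "Need to check possible pending interrupt events".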
@@ -346,6 +359,7 @@ MODULE_DEVICE_TABLE(i2c, ptn5150_i2c_id)
 static struct i2c_driver ptn5150_i2c_driver = {
 	.driver		= {
 		.name	= "ptn5150",
+		.pm = pm_sleep_ptr(&ptn5150_pm_ops),
 		.of_match_table = ptn5150_dt_match,
 	},
 	.probe		= ptn5150_i2c_probe,




* [PATCH 6.18 120/270] gpio: of: clear OF_POPULATED on hog nodes in remove path
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 119/270] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 121/270] hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linus Walleij, Andy Shevchenko,
	Bartosz Golaszewski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit bbee90e750262bfb406d66dc65c46d616d2b6673 upstream.

The previously set OF_POPULATED flag should be cleared on the hog nodes
when removing the chip.

Cc: stable@vger.kernel.org
Fixes: 63636d956c455 ("gpio: of: Add DT overlay support for GPIO hogs")
Acked-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260309-gpio-hog-fwnode-v2-1-4e61f3dbf06a@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpiolib-of.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -1285,7 +1285,14 @@ int of_gpiochip_add(struct gpio_chip *ch
 
 void of_gpiochip_remove(struct gpio_chip *chip)
 {
-	of_node_put(dev_of_node(&chip->gpiodev->dev));
+	struct device_node *np = dev_of_node(&chip->gpiodev->dev);
+
+	for_each_child_of_node_scoped(np, child) {
+		if (of_property_present(child, "gpio-hog"))
+			of_node_clear_flag(child, OF_POPULATED);
+	}
+
+	of_node_put(np);
 }
 
 bool of_gpiochip_instance_match(struct gpio_chip *gc, unsigned int index)
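
Review bot: the loop clears OF_POPULATED on every child carrying a gpio-hog property, whether or not the add path actually set it (for example a hog that failed to be requested); that is harmless because clearing an unset flag is a no-op, but the commit message should say so, and should say what the stale flag breaks in practice (presumably a re-added chip or a re-applied overlay treating the hog as already populated), since "should be cleared" on its own does not justify a stable backport. The scoped iterator drops the child reference on each iteration, so the refcounting in the hunk is right.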




* [PATCH 6.18 121/270] hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 120/270] gpio: of: clear OF_POPULATED on hog nodes in remove path Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 122/270] hv_sock: fix ARM64 support Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Michael Kelley,
	Saurabh Sengar, Wei Liu, K. Y. Srinivasan, Haiyang Zhang,
	Dexuan Cui, Long Li, linux-hyperv

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

commit d33db956c9618e7cb08c2520ce708437914214ec upstream.

Hyperv's sysfb access only exists in the VMBUS support. Therefore
only select CONFIG_SYSFB for CONFIG_HYPERV_VMBUS. Avoids sysfb code
on systems that don't need it.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 96959283a58d ("Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests")
Cc: Michael Kelley <mhklinux@outlook.com>
Cc: Saurabh Sengar <ssengar@linux.microsoft.com>
Cc: Wei Liu <wei.liu@kernel.org>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Dexuan Cui <decui@microsoft.com>
Cc: Long Li <longli@microsoft.com>
Cc: linux-hyperv@vger.kernel.org
Cc: <stable@vger.kernel.org> # v6.16+
Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Link: https://patch.msgid.link/20260402092305.208728-2-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hv/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hv/Kconfig
+++ b/drivers/hv/Kconfig
@@ -9,7 +9,6 @@ config HYPERV
 	select PARAVIRT
 	select X86_HV_CALLBACK_VECTOR if X86
 	select OF_EARLY_FLATTREE if OF
-	select SYSFB if EFI && !HYPERV_VTL_MODE
 	select IRQ_MSI_LIB if X86
 	help
 	  Select this option to run Linux as a Hyper-V client operating
@@ -61,6 +60,7 @@ config HYPERV_VMBUS
 	tristate "Microsoft Hyper-V VMBus driver"
 	depends on HYPERV
 	default HYPERV
+	select SYSFB if EFI && !HYPERV_VTL_MODE
 	help
 	  Select this option to enable Hyper-V Vmbus driver.
 
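
Review bot: HYPERV_VMBUS is tristate, so `select SYSFB if EFI && !HYPERV_VTL_MODE` placed here still forces the bool SYSFB to y when VMBus is built as a module; that is what the change intends, since the sysfb access lives in the VMBus code, but because the select moved from a bool parent to a tristate one, a short comment would save the next reader from having to confirm that a select from an =m symbol promotes a bool target to y.
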



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 122/270] hv_sock: fix ARM64 support
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 121/270] hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 123/270] hv_sock: Report EOF instead of -EIO for FIN Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dexuan Cui, Hamza Mahfooz,
	Stefano Garzarella, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>

commit b31681206e3f527970a7c7ed807fbf6a028fc25b upstream.

VMBUS ring buffers must be page aligned. Therefore, the current value of
24K presents a challenge on ARM64 kernels (with 64K pages). So, use
VMBUS_RING_SIZE() to ensure they are always aligned and large enough to
hold all of the relevant data.

Cc: stable@vger.kernel.org
Fixes: 77ffe33363c0 ("hv_sock: use HV_HYP_PAGE_SIZE for Hyper-V communication")
Tested-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260428125339.13963-1-hamzamahfooz@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/hyperv_transport.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -375,10 +375,10 @@ static void hvs_open_connection(struct v
 	} else {
 		sndbuf = max_t(int, sk->sk_sndbuf, RINGBUFFER_HVS_SND_SIZE);
 		sndbuf = min_t(int, sndbuf, RINGBUFFER_HVS_MAX_SIZE);
-		sndbuf = ALIGN(sndbuf, HV_HYP_PAGE_SIZE);
+		sndbuf = VMBUS_RING_SIZE(sndbuf);
 		rcvbuf = max_t(int, sk->sk_rcvbuf, RINGBUFFER_HVS_RCV_SIZE);
 		rcvbuf = min_t(int, rcvbuf, RINGBUFFER_HVS_MAX_SIZE);
-		rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
+		rcvbuf = VMBUS_RING_SIZE(rcvbuf);
 	}
 
 	chan->max_pkt_size = HVS_MAX_PKT_SIZE;
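
Review bot: VMBUS_RING_SIZE() adds the ring-buffer header and rounds up to the guest PAGE_SIZE, and it is applied after the min_t() clamp to RINGBUFFER_HVS_MAX_SIZE, so a request that was clamped to exactly RINGBUFFER_HVS_MAX_SIZE now comes out larger than that limit by the header plus the alignment slack (up to a 64K page on ARM64). If RINGBUFFER_HVS_MAX_SIZE is a hard upper bound on the host side, clamp after the size computation or subtract the header before it; if it is only a soft limit, a comment saying so would stop the question coming up again.
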



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 123/270] hv_sock: Report EOF instead of -EIO for FIN
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 122/270] hv_sock: fix ARM64 support Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 124/270] hv_sock: Return -EIO for malformed/short packets Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ben Hillis, Mitchell Levy,
	Dexuan Cui, Stefano Garzarella, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit f6315295899415f1ddcf39f7c9cb46d25e2c6c6a upstream.

Commit f0c5827d07cb unluckily causes a regression for the FIN packet,
and the final read syscall gets an error rather than 0.

Ideally, we would want to fix hvs_channel_readable_payload() so that it
could return 0 in the FIN scenario, but it's not good for the hv_sock
driver to use the VMBus ringbuffer's cached priv_read_index, which is
internal data in the VMBus driver.

Fix the regression in hv_sock by returning 0 rather than -EIO.

Fixes: f0c5827d07cb ("hv_sock: Return the readable bytes in hvs_stream_has_data()")
Cc: stable@vger.kernel.org
Reported-by: Ben Hillis <Ben.Hillis@microsoft.com>
Reported-by: Mitchell Levy <levymitchell0@gmail.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260416191433.840637-1-decui@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/hyperv_transport.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 2b7c0b5896ed..76e78c83fdbc 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -694,7 +694,6 @@ static ssize_t hvs_stream_enqueue(struct vsock_sock *vsk, struct msghdr *msg,
 static s64 hvs_stream_has_data(struct vsock_sock *vsk)
 {
 	struct hvsock *hvs = vsk->trans;
-	bool need_refill;
 	s64 ret;
 
 	if (hvs->recv_data_len > 0)
@@ -702,9 +701,22 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk)
 
 	switch (hvs_channel_readable_payload(hvs->chan)) {
 	case 1:
-		need_refill = !hvs->recv_desc;
-		if (!need_refill)
-			return -EIO;
+		if (hvs->recv_desc) {
+			/* Here hvs->recv_data_len is 0, so hvs->recv_desc must
+			 * be NULL unless it points to the 0-byte-payload FIN
+			 * packet: see hvs_update_recv_data().
+			 *
+			 * Here all the payload has been dequeued, but
+			 * hvs_channel_readable_payload() still returns 1,
+			 * because the VMBus ringbuffer's read_index is not
+			 * updated for the FIN packet: hvs_stream_dequeue() ->
+			 * hv_pkt_iter_next() updates the cached priv_read_index
+			 * but has no opportunity to update the read_index in
+			 * hv_pkt_iter_close() as hvs_stream_has_data() returns
+			 * 0 for the FIN packet, so it won't get dequeued.
+			 */
+			return 0;
+		}
 
 		hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
 		if (!hvs->recv_desc)
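
Review bot: returning 0 whenever hvs->recv_desc is non-NULL with recv_data_len == 0 treats every zero-payload descriptor as the FIN, and the comment only argues the FIN case; if hvs_update_recv_data() can leave recv_desc pointing at a short or malformed packet, that error is now reported to userspace as a clean EOF. Distinguish the two before returning 0, for instance by checking that the peer's shutdown has actually been recorded (vsk->peer_shutdown & SEND_SHUTDOWN) and returning -EIO otherwise.
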
-- 
2.54.0




^ permalink raw reply related	[flat|nested] 282+ messages in thread

* [PATCH 6.18 124/270] hv_sock: Return -EIO for malformed/short packets
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 123/270] hv_sock: Report EOF instead of -EIO for FIN Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 125/270] ibmveth: Disable GSO for packets with small MSS Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dexuan Cui, Stefano Garzarella,
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit 3d1f20727a635811f6b77801a7b57b8995268abd upstream.

Commit f63152958994 fixes a regression, however it fails to report an
error for malformed/short packets -- normally we should never see such
packets, but let's report an error for them just in case.

Fixes: f63152958994 ("hv_sock: Report EOF instead of -EIO for FIN")
Cc: stable@vger.kernel.org
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260423064811.1371749-1-decui@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/hyperv_transport.c |   27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -704,17 +704,26 @@ static s64 hvs_stream_has_data(struct vs
 		if (hvs->recv_desc) {
 			/* Here hvs->recv_data_len is 0, so hvs->recv_desc must
 			 * be NULL unless it points to the 0-byte-payload FIN
-			 * packet: see hvs_update_recv_data().
+			 * packet or a malformed/short packet: see
+			 * hvs_update_recv_data().
 			 *
-			 * Here all the payload has been dequeued, but
-			 * hvs_channel_readable_payload() still returns 1,
-			 * because the VMBus ringbuffer's read_index is not
-			 * updated for the FIN packet: hvs_stream_dequeue() ->
-			 * hv_pkt_iter_next() updates the cached priv_read_index
-			 * but has no opportunity to update the read_index in
-			 * hv_pkt_iter_close() as hvs_stream_has_data() returns
-			 * 0 for the FIN packet, so it won't get dequeued.
+			 * If hvs->recv_desc points to the FIN packet, here all
+			 * the payload has been dequeued and the peer_shutdown
+			 * flag is set, but hvs_channel_readable_payload() still
+			 * returns 1, because the VMBus ringbuffer's read_index
+			 * is not updated for the FIN packet:
+			 * hvs_stream_dequeue() -> hv_pkt_iter_next() updates
+			 * the cached priv_read_index but has no opportunity to
+			 * update the read_index in hv_pkt_iter_close() as
+			 * hvs_stream_has_data() returns 0 for the FIN packet,
+			 * so it won't get dequeued.
+			 *
+			 * In case hvs->recv_desc points to a malformed/short
+			 * packet, return -EIO.
 			 */
+			if (!(vsk->peer_shutdown & SEND_SHUTDOWN))
+				return -EIO;
+
 			return 0;
 		}
 
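
Review bot: the -EIO return leaves hvs->recv_desc pointing at the malformed packet and, as the comment explains for the FIN, the ring's read_index is never advanced for it, so every later poll or read on this socket returns -EIO again rather than draining the bad packet. That is acceptable for a condition the comment says should never happen, but say so explicitly (the socket is effectively dead after this) so nobody later tries to retry past it, and consider a rate-limited warning here: a malformed packet arriving from the host side is exactly the kind of event you want in the log.
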



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 125/270] ibmveth: Disable GSO for packets with small MSS
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 124/270] hv_sock: Return -EIO for malformed/short packets Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 126/270] ice: fix double free in ice_sf_eth_activate() error path Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Brian King, Shaik Abdulla,
	Naveed Ahmed, Mingming Cao, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingming Cao <mmc@linux.ibm.com>

commit cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 upstream.

Some physical adapters on Power systems do not support segmentation
offload when the MSS is less than 224 bytes. Attempting to send such
packets causes the adapter to freeze, stopping all traffic until
manually reset.

Implement ndo_features_check to disable GSO for packets with small MSS
values. The network stack will perform software segmentation instead.

The 224-byte minimum matches ibmvnic
commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks
on GSO packets")
which uses the same physical adapters in SEA configurations.

The issue occurs specifically when the hardware attempts to perform
segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
(gso_segs == 1) do not trigger the problematic LSO code path and are
transmitted normally without segmentation.

Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
Also call vlan_features_check() to ensure proper handling of VLAN packets,
particularly QinQ (802.1ad) configurations where the hardware parser may
not support certain offload features.

Validated using iptables to force small MSS values. Without the fix,
the adapter freezes. With the fix, packets are segmented in software
and transmission succeeds. Comprehensive regression testing completed
(MSS tests, performance, stability).

Fixes: 8641dd85799f ("ibmveth: Add support for TSO")
Cc: stable@vger.kernel.org
Reviewed-by: Brian King <bjking1@linux.ibm.com>
Tested-by: Shaik Abdulla <shaik.abdulla1@ibm.com>
Tested-by: Naveed Ahmed <naveedaus@in.ibm.com>
Signed-off-by: Mingming Cao <mmc@linux.ibm.com>
Link: https://patch.msgid.link/20260424162917.65725-1-mmc@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/ibm/ibmveth.c |   22 ++++++++++++++++++++++
 drivers/net/ethernet/ibm/ibmveth.h |    1 +
 2 files changed, 23 insertions(+)

--- a/drivers/net/ethernet/ibm/ibmveth.c
+++ b/drivers/net/ethernet/ibm/ibmveth.c
@@ -1756,6 +1756,27 @@ static int ibmveth_set_mac_addr(struct n
 	return 0;
 }
 
+static netdev_features_t ibmveth_features_check(struct sk_buff *skb,
+						struct net_device *dev,
+						netdev_features_t features)
+{
+	/* Some physical adapters do not support segmentation offload with
+	 * MSS < 224. Disable GSO for such packets to avoid adapter freeze.
+	 * Note: Single-segment packets (gso_segs == 1) don't need this check
+	 * as they bypass the LSO path and are transmitted without segmentation.
+	 */
+	if (skb_is_gso(skb)) {
+		if (skb_shinfo(skb)->gso_size < IBMVETH_MIN_LSO_MSS) {
+			netdev_warn_once(dev,
+					 "MSS %u too small for LSO, disabling GSO\n",
+					 skb_shinfo(skb)->gso_size);
+			features &= ~NETIF_F_GSO_MASK;
+		}
+	}
+
+	return vlan_features_check(skb, features);
+}
+
 static const struct net_device_ops ibmveth_netdev_ops = {
 	.ndo_open		= ibmveth_open,
 	.ndo_stop		= ibmveth_close,
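
Review bot: the comment says single-segment packets (gso_segs == 1) do not need the check, but the condition only tests skb_is_gso() and gso_size, so a GSO skb with gso_segs == 1 and a small gso_size is demoted to software segmentation as well; harmless, but either drop that sentence or add `skb_shinfo(skb)->gso_segs > 1` to the condition so that comment and code agree. netdev_warn_once() also records only the first offending MSS value ever seen; if small-MSS peers are expected in normal operation, a counter exposed through ethtool statistics would be more useful than a one-shot message, and a rate-limited warn is otherwise the conventional choice.
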
@@ -1767,6 +1788,7 @@ static const struct net_device_ops ibmve
 	.ndo_set_features	= ibmveth_set_features,
 	.ndo_validate_addr	= eth_validate_addr,
 	.ndo_set_mac_address    = ibmveth_set_mac_addr,
+	.ndo_features_check	= ibmveth_features_check,
 #ifdef CONFIG_NET_POLL_CONTROLLER
 	.ndo_poll_controller	= ibmveth_poll_controller,
 #endif
--- a/drivers/net/ethernet/ibm/ibmveth.h
+++ b/drivers/net/ethernet/ibm/ibmveth.h
@@ -37,6 +37,7 @@
 #define IBMVETH_ILLAN_IPV4_TCP_CSUM		0x0000000000000002UL
 #define IBMVETH_ILLAN_ACTIVE_TRUNK		0x0000000000000001UL
 
+#define IBMVETH_MIN_LSO_MSS		224	/* Minimum MSS for LSO */
 /* hcall macros */
 #define h_register_logical_lan(ua, buflst, rxq, fltlst, mac) \
   plpar_hcall_norets(H_REGISTER_LOGICAL_LAN, ua, buflst, rxq, fltlst, mac)
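
Review bot: style nit, the new #define is wedged directly against the `/* hcall macros */` comment; keep a blank line after IBMVETH_MIN_LSO_MSS so the block separation the header uses elsewhere is preserved.
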



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 126/270] ice: fix double free in ice_sf_eth_activate() error path
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 125/270] ibmveth: Disable GSO for packets with small MSS Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 127/270] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Guangshuo Li,
	Simon Horman, Jacob Keller, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 9aab1c3d7299285e2569cbc0ed5892d631a241b2 upstream.

When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to
aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).

The device release callback ice_sf_dev_release() frees sf_dev, but
the current error path falls through to sf_dev_free and calls
kfree(sf_dev) again, causing a double free.

Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but
avoid falling through to sf_dev_free after auxiliary_device_uninit().

Fixes: 13acc5c4cdbe ("ice: subfunction activation and base devlink ops")
Cc: stable@vger.kernel.org
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-3-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/intel/ice/ice_sf_eth.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c
+++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c
@@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_p
 
 aux_dev_uninit:
 	auxiliary_device_uninit(&sf_dev->adev);
+	return err;
+
 sf_dev_free:
 	kfree(sf_dev);
 xa_erase:
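
Review bot: the early return after auxiliary_device_uninit() also skips the xa_erase: label below, not only kfree(sf_dev); so whatever that label undoes (the xarray slot reserved earlier in the function) is cleaned up on the auxiliary_device_add() failure path only if ice_sf_dev_release() erases it. Please confirm that the release callback does, and say so in a short comment at the return; if it does not, jump to xa_erase instead of returning.
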



^ permalink raw reply	[flat|nested] 282+ messages in thread
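
The double free the ice patch above describes is an instance of a general ownership rule in the driver model: once the embedded device has been initialised, the containing object belongs to the device's release callback, and the error ladder must not free it by hand. The following C model is an added example, not the ice driver's or the auxiliary bus's code; the aux_* helpers, the single-slot instrumented allocator and the fail_point enum are constructed for the example so that both the original and the patched ladder can be run and their free counts compared without touching a real heap twice.

```c
/*
 * Constructed model of the ice_sf_eth_activate() error ladder.  This is an
 * added example, not code from the ice driver or the auxiliary bus.  The
 * aux_* helpers only mimic the ownership rule of the real auxiliary bus:
 * once aux_device_init() succeeds, the embedded device owns the containing
 * object and its release callback is what frees it.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct aux_device {
	int refcount;
	void (*release)(struct aux_device *adev);
};

struct sf_dev {
	struct aux_device adev;		/* first member, so a cast works as container_of */
	bool allocated;			/* models whether the heap block is live */
};

/* Instrumented one-slot "heap" plus counters the caller inspects. */
static struct sf_dev slot;
static int frees, double_frees;

static struct sf_dev *sf_alloc(void)
{
	slot.allocated = true;
	slot.adev.refcount = 0;
	frees = double_frees = 0;
	return &slot;
}

static void sf_free(struct sf_dev *sf)
{
	if (!sf->allocated)
		double_frees++;		/* freeing an already-freed block */
	sf->allocated = false;
	frees++;
}

/* Models ice_sf_dev_release(): the device's release frees the container. */
static void sf_dev_release(struct aux_device *adev)
{
	sf_free((struct sf_dev *)adev);
}

enum fail_point { FAIL_NONE, FAIL_INIT, FAIL_ADD };

static int aux_device_init(struct aux_device *adev, enum fail_point f)
{
	if (f == FAIL_INIT)
		return -EINVAL;
	adev->refcount = 1;		/* ownership now belongs to adev->release() */
	return 0;
}

static int aux_device_add(struct aux_device *adev, enum fail_point f)
{
	(void)adev;
	return f == FAIL_ADD ? -EBUSY : 0;
}

static void aux_device_uninit(struct aux_device *adev)
{
	if (--adev->refcount == 0)
		adev->release(adev);
}

/* 'fixed' selects the patched ladder (return after uninit) or the original. */
static int activate(enum fail_point f, bool fixed)
{
	struct sf_dev *sf = sf_alloc();
	int err;

	sf->adev.release = sf_dev_release;

	err = aux_device_init(&sf->adev, f);
	if (err)
		goto sf_dev_free;	/* init failed: we still own sf */

	err = aux_device_add(&sf->adev, f);
	if (err)
		goto aux_dev_uninit;	/* init succeeded: release() owns sf */

	return 0;

aux_dev_uninit:
	aux_device_uninit(&sf->adev);	/* release callback frees sf here */
	if (fixed)
		return err;		/* the fix: never fall into sf_dev_free */
sf_dev_free:
	sf_free(sf);			/* correct only on the init-failure path */
	return err;
}

/* Number of double frees observed for a scenario (0 for a correct ladder). */
int double_frees_for(enum fail_point f, bool fixed)
{
	activate(f, fixed);
	return double_frees;
}

/* Total frees observed for a scenario. */
int frees_for(enum fail_point f, bool fixed)
{
	activate(f, fixed);
	return frees;
}
```

Running the add-failure scenario through the original ladder reports one double free and the patched ladder none, while the init-failure scenario frees exactly once under both; that second result is why the patch keeps kfree(sf_dev) reachable from the init-failure path only.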

* [PATCH 6.18 127/270] spi: microchip-core-qspi: fix controller deregistration
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 126/270] ice: fix double free in ice_sf_eth_activate() error path Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 128/270] spi: microchip-core-qspi: dont attempt to transmit during emulated read-only dual/quad operations Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naga Sureshkumar Relli, Johan Hovold,
	Conor Dooley, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e6464140d439f2d42f072eb422a5b1fec470c5a6 upstream.

Make sure to deregister the controller before disabling underlying
resources like interrupts during driver unbind.

Fixes: 8596124c4c1b ("spi: microchip-core-qspi: Add support for microchip fpga qspi controllers")
Cc: stable@vger.kernel.org	# 6.1
Cc: Naga Sureshkumar Relli <nagasuresh.relli@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260409120419.388546-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -692,7 +692,7 @@ static int mchp_coreqspi_probe(struct pl
 		return -ENOMEM;
 
 	qspi = spi_controller_get_devdata(ctlr);
-	platform_set_drvdata(pdev, qspi);
+	platform_set_drvdata(pdev, ctlr);
 
 	qspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(qspi->regs))
@@ -732,7 +732,7 @@ static int mchp_coreqspi_probe(struct pl
 	ctlr->num_chipselect = 2;
 	ctlr->use_gpio_descriptors = true;
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret)
 		return dev_err_probe(&pdev->dev, ret,
 				     "spi_register_controller failed\n");
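
Review bot: with the devres-managed registration gone, every error path in probe that runs after spi_register_controller() must now call spi_unregister_controller() itself; the visible lines return straight from the registration failure, which is fine, but please check the remainder of probe for later failure points, since the old devm_ variant covered them automatically.
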
@@ -742,9 +742,13 @@ static int mchp_coreqspi_probe(struct pl
 
 static void mchp_coreqspi_remove(struct platform_device *pdev)
 {
-	struct mchp_coreqspi *qspi = platform_get_drvdata(pdev);
-	u32 control = readl_relaxed(qspi->regs + REG_CONTROL);
+	struct spi_controller *ctlr = platform_get_drvdata(pdev);
+	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
+	u32 control;
 
+	spi_unregister_controller(ctlr);
+
+	control = readl_relaxed(qspi->regs + REG_CONTROL);
 	mchp_coreqspi_disable_ints(qspi);
 	control &= ~CONTROL_ENABLE;
 	writel_relaxed(control, qspi->regs + REG_CONTROL);



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 128/270] spi: microchip-core-qspi: dont attempt to transmit during emulated read-only dual/quad operations
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 127/270] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 129/270] spi: microchip-core-qspi: control built-in cs manually Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Conor Dooley, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Conor Dooley <conor.dooley@microchip.com>

commit eb56deaabf127e8985fc91fa6c97bf8a3b062844 upstream.

The core will deal with reads by creating clock cycles itself, there's
no need to generate clock cycles by transmitting garbage data at the
driver level. Further, transmitting garbage data just bricks the transfer
since QSPI doesn't have a dedicated master-out line like MOSI in regular
SPI. I'm not entirely sure if the transfer is bricked because of the
garbage data being transmitted on the bus or because the core loses
track of whether it is supposed to be sending or receiving data.

Fixes: 8f9cf02c88528 ("spi: microchip-core-qspi: Add regular transfers")
CC: stable@vger.kernel.org
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260430-freezing-saloon-95b1f3d9dad0@spud
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -662,18 +662,28 @@ static int mchp_coreqspi_transfer_one(st
 				      struct spi_transfer *t)
 {
 	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
+	bool dual_quad = false;
 
 	qspi->tx_len = t->len;
 
+	if (t->tx_nbits == SPI_NBITS_QUAD || t->rx_nbits == SPI_NBITS_QUAD ||
+			t->tx_nbits == SPI_NBITS_DUAL ||
+			t->rx_nbits == SPI_NBITS_DUAL)
+		dual_quad = true;
+
 	if (t->tx_buf)
 		qspi->txbuf = (u8 *)t->tx_buf;
 
 	if (!t->rx_buf) {
 		mchp_coreqspi_write_op(qspi);
-	} else {
+	} else if (!dual_quad) {
 		qspi->rxbuf = (u8 *)t->rx_buf;
 		qspi->rx_len = t->len;
 		mchp_coreqspi_write_read_op(qspi);
+	} else {
+		qspi->rxbuf = (u8 *)t->rx_buf;
+		qspi->rx_len = t->len;
+		mchp_coreqspi_read_op(qspi);
 	}
 
 	return 0;
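
Review bot: dual_quad is true whenever either tx_nbits or rx_nbits is dual or quad, and the new branch discards any tx_buf for such a transfer; the `!t->rx_buf` case is handled first so a dual/quad transmit-only transfer still goes through write_op(), but a dual/quad transfer carrying both tx_buf and rx_buf now silently takes the read-only path and never sends its data. The commit message limits the change to read-only operations, so either reject that combination with -EINVAL or document that it is treated as a read. Minor style point: the continuation lines of the condition are indented with tabs rather than aligned with the opening parenthesis, which checkpatch will flag.
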



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 129/270] spi: microchip-core-qspi: control built-in cs manually
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2026-05-12 17:38 ` [PATCH 6.18 128/270] spi: microchip-core-qspi: dont attempt to transmit during emulated read-only dual/quad operations Greg Kroah-Hartman
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
  2026-05-12 17:38 ` [PATCH 6.18 130/270] tracefs: Fix default permissions not being applied on initial mount Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Conor Dooley, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Conor Dooley <conor.dooley@microchip.com>

commit 7672749e1496215e8683ce57cf323119033954cf upstream.

The coreQSPI IP supports only a single chip select, which is
automagically operated by the hardware - set low when the transmit
buffer first gets written to and set high when the number of bytes
written to the TOTALBYTES field of the FRAMES register have been sent on
the bus. Additional devices must use GPIOs for their chip selects.
It was reported to me that if there are two devices attached to this
QSPI controller, the in-built chip select is set low while Linux
tries to access the device attached to the GPIO.

This went undetected as the boards that connected multiple devices to
the SPI controller all exclusively used GPIOs for chip selects, not
relying on the built-in chip select at all. It turns out that this was
because the built-in chip select, when controlled automagically, is set
low when active and high when inactive, thereby ruling out its use for
active-high devices or devices that need to transmit with the chip
select disabled.

Modify the driver so that it controls chip select directly, retaining
the behaviour for mem_ops of setting the chip select active for the
entire duration of the transfer in the exec_op callback. For regular
transfers, implement the set_cs callback for the core to use.

As part of this, the existing setup callback, mchp_coreqspi_setup_op(),
is removed. Modifying the CLKIDLE field is not safe to do during
operation when there are multiple devices, so this code is removed
entirely. Setting the MASTER and ENABLE fields is something that can be
done once at probe, it doesn't need to be re-run for each device.
Instead the new setup callback sets the built-in chip select to its
inactive state for active-low devices, as the reset value of the chip
select in software controlled mode is low.

Fixes: 8f9cf02c88528 ("spi: microchip-core-qspi: Add regular transfers")
Fixes: 8596124c4c1bc ("spi: microchip-core-qspi: Add support for microchip fpga qspi controllers")
CC: stable@vger.kernel.org
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260430-hamstring-busload-f941d0347b5e@spud
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   79 +++++++++++++++++++++++++++-------
 1 file changed, 64 insertions(+), 15 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -74,6 +74,13 @@
 #define STATUS_FLAGSX4		BIT(8)
 #define STATUS_MASK		GENMASK(8, 0)
 
+/*
+ * QSPI Direct Access register defines
+ */
+#define DIRECT_ACCESS_EN_SSEL		BIT(0)
+#define DIRECT_ACCESS_OP_SSEL		BIT(1)
+#define DIRECT_ACCESS_OP_SSEL_SHIFT	1
+
 #define BYTESUPPER_MASK		GENMASK(31, 16)
 #define BYTESLOWER_MASK		GENMASK(15, 0)
 
@@ -158,6 +165,38 @@ static int mchp_coreqspi_set_mode(struct
 	return 0;
 }
 
+static void mchp_coreqspi_set_cs(struct spi_device *spi, bool enable)
+{
+	struct mchp_coreqspi *qspi = spi_controller_get_devdata(spi->controller);
+	u32 val;
+
+	val = readl(qspi->regs + REG_DIRECT_ACCESS);
+
+	val &= ~DIRECT_ACCESS_OP_SSEL;
+	val |= !enable << DIRECT_ACCESS_OP_SSEL_SHIFT;
+
+	writel(val, qspi->regs + REG_DIRECT_ACCESS);
+}
+
+static int mchp_coreqspi_setup(struct spi_device *spi)
+{
+	struct mchp_coreqspi *qspi = spi_controller_get_devdata(spi->controller);
+	u32 val;
+
+	/*
+	 * Active low devices need to be specifically set to their inactive
+	 * states during probe.
+	 */
+	if (spi->mode & SPI_CS_HIGH)
+		return 0;
+
+	val = readl(qspi->regs + REG_DIRECT_ACCESS);
+	val |= DIRECT_ACCESS_OP_SSEL;
+	writel(val, qspi->regs + REG_DIRECT_ACCESS);
+
+	return 0;
+}
+
 static inline void mchp_coreqspi_read_op(struct mchp_coreqspi *qspi)
 {
 	u32 control, data;
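
Review bot: mchp_coreqspi_set_cs() is used with two different conventions. The spi core's set_cs callback receives the logic level of the chip-select line (spi_set_cs() passes !enable after folding in SPI_CS_HIGH, so an active-low device being asserted arrives here with enable == false), whereas exec_op() below calls it with true to assert. Since mchp_coreqspi_setup() sets OP_SSEL to park an active-low device inactive, the value written for "asserted" on the core path is the same one setup() uses for "inactive", so one of the two callers is inverted; please verify against spi_set_cs() and, if the core semantics are the ones intended, have exec_op() pass the level (asserted is !!(spi->mode & SPI_CS_HIGH)). Independently, `!enable << DIRECT_ACCESS_OP_SSEL_SHIFT` is correct (unary ! binds tighter than <<) but `enable ? 0 : DIRECT_ACCESS_OP_SSEL` says the same thing without the extra _SHIFT define.
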
@@ -380,19 +419,6 @@ static int mchp_coreqspi_setup_clock(str
 	return 0;
 }
 
-static int mchp_coreqspi_setup_op(struct spi_device *spi_dev)
-{
-	struct spi_controller *ctlr = spi_dev->controller;
-	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
-	u32 control = readl_relaxed(qspi->regs + REG_CONTROL);
-
-	control |= (CONTROL_MASTER | CONTROL_ENABLE);
-	control &= ~CONTROL_CLKIDLE;
-	writel_relaxed(control, qspi->regs + REG_CONTROL);
-
-	return 0;
-}
-
 static inline void mchp_coreqspi_config_op(struct mchp_coreqspi *qspi, const struct spi_mem_op *op)
 {
 	u32 idle_cycles = 0;
@@ -483,6 +509,7 @@ static int mchp_coreqspi_exec_op(struct
 
 	reinit_completion(&qspi->data_completion);
 	mchp_coreqspi_config_op(qspi, op);
+	mchp_coreqspi_set_cs(mem->spi, true);
 	if (op->cmd.opcode) {
 		qspi->txbuf = &opcode;
 		qspi->rxbuf = NULL;
@@ -523,6 +550,7 @@ static int mchp_coreqspi_exec_op(struct
 		err = -ETIMEDOUT;
 
 error:
+	mchp_coreqspi_set_cs(mem->spi, false);
 	mutex_unlock(&qspi->op_lock);
 	mchp_coreqspi_disable_ints(qspi);
 
@@ -696,6 +724,7 @@ static int mchp_coreqspi_probe(struct pl
 	struct device *dev = &pdev->dev;
 	struct device_node *np = dev->of_node;
 	int ret;
+	u32 num_cs, val;
 
 	ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(*qspi));
 	if (!ctlr)
@@ -728,10 +757,18 @@ static int mchp_coreqspi_probe(struct pl
 		return ret;
 	}
 
+	/*
+	 * The IP core only has a single CS, any more have to be provided via
+	 * gpios
+	 */
+	if (of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs))
+		num_cs = 1;
+
+	ctlr->num_chipselect = num_cs;
+
 	ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
 	ctlr->mem_ops = &mchp_coreqspi_mem_ops;
 	ctlr->mem_caps = &mchp_coreqspi_mem_caps;
-	ctlr->setup = mchp_coreqspi_setup_op;
 	ctlr->mode_bits = SPI_CPOL | SPI_CPHA | SPI_RX_DUAL | SPI_RX_QUAD |
 			  SPI_TX_DUAL | SPI_TX_QUAD;
 	ctlr->dev.of_node = np;
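
Review bot: the function already has `np` for dev->of_node (used two lines below), so use it instead of pdev->dev.of_node, or better device_property_read_u32(dev, "num-cs", &num_cs) so the driver does not depend on OF. num_cs is also taken from the device tree unbounded; with use_gpio_descriptors the core raises num_chipselect to cover the cs-gpios it finds, so the property mainly matters when it is smaller than the GPIO count, and a sanity check that it is at least 1 would avoid a zero-chipselect controller from a broken DT.
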
@@ -739,9 +776,21 @@ static int mchp_coreqspi_probe(struct pl
 	ctlr->prepare_message = mchp_coreqspi_prepare_message;
 	ctlr->unprepare_message = mchp_coreqspi_unprepare_message;
 	ctlr->transfer_one = mchp_coreqspi_transfer_one;
-	ctlr->num_chipselect = 2;
+	ctlr->setup = mchp_coreqspi_setup;
+	ctlr->set_cs = mchp_coreqspi_set_cs;
 	ctlr->use_gpio_descriptors = true;
 
+	val = readl_relaxed(qspi->regs + REG_CONTROL);
+	val |= (CONTROL_MASTER | CONTROL_ENABLE);
+	writel_relaxed(val, qspi->regs + REG_CONTROL);
+
+	/*
+	 * Put cs into software controlled mode
+	 */
+	val = readl_relaxed(qspi->regs + REG_DIRECT_ACCESS);
+	val |= DIRECT_ACCESS_EN_SSEL;
+	writel(val, qspi->regs + REG_DIRECT_ACCESS);
+
 	ret = spi_register_controller(ctlr);
 	if (ret)
 		return dev_err_probe(&pdev->dev, ret,
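
Review bot: DIRECT_ACCESS_EN_SSEL is set here with OP_SSEL still at its reset value, which the commit message says is low, and the per-device parking in mchp_coreqspi_setup() only runs once spi_register_controller() enumerates the children; an active-low device on the built-in chip select therefore sees its CS asserted from this write until setup() runs. Writing DIRECT_ACCESS_EN_SSEL | DIRECT_ACCESS_OP_SSEL here (inactive for the common active-low case) and having setup() clear OP_SSEL for SPI_CS_HIGH devices closes that window. Minor: REG_CONTROL is written with writel_relaxed() and REG_DIRECT_ACCESS with writel() a few lines apart; pick one unless the ordering difference is intended, in which case a comment would help.
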



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 130/270] tracefs: Fix default permissions not being applied on initial mount
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier,
	Steven Rostedt (Google)

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit e8368d1f4bedbb0cce4cfe33a1d2664bb0fd4f27 upstream.

Commit e4d32142d1de ("tracing: Fix tracefs mount options") moved the
option application from tracefs_fill_super() to tracefs_reconfigure()
called from tracefs_get_tree(). This fixed mount options being ignored
on user-space mounts when the superblock already exists, but introduced
a regression for the initial kernel-internal mount.

On the first mount (via simple_pin_fs during init), sget_fc() transfers
fc->s_fs_info to sb->s_fs_info and sets fc->s_fs_info to NULL. When
tracefs_get_tree() then calls tracefs_reconfigure(), it sees a NULL
fc->s_fs_info and returns early without applying any options. The root
inode keeps mode 0755 from simple_fill_super() instead of the intended
TRACEFS_DEFAULT_MODE (0700).

Furthermore, even on subsequent user-space mounts without an explicit
mode= option, tracefs_apply_options(sb, true) gates the mode behind
fsi->opts & BIT(Opt_mode), which is unset for the defaults. So the
mode is never corrected unless the user explicitly passes mode=0700.

Restore the tracefs_apply_options(sb, false) call in tracefs_fill_super()
to apply default permissions on initial superblock creation, matching
what debugfs does in debugfs_fill_super().

Cc: stable@vger.kernel.org
Fixes: e4d32142d1de ("tracing: Fix tracefs mount options")
Link: https://patch.msgid.link/20260404134747.98867-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/tracefs/inode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -491,6 +491,7 @@ static int tracefs_fill_super(struct sup
 		return err;
 
 	sb->s_op = &tracefs_super_operations;
+	tracefs_apply_options(sb, false);
 	set_default_d_op(sb, &tracefs_dentry_operations);
 
 	return 0;
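Review bot: the added tracefs_apply_options(sb, false) call discards its result; the function two lines above this hunk is error-checked (return err), so if tracefs_apply_options() can report failure it should be propagated the same way, and if it cannot fail on a freshly built superblock a comment saying so would avoid the question. Passing false here is what makes the default mode apply regardless of the BIT(Opt_mode) gating the commit message describes, and placing the call before set_default_d_op() matches the debugfs ordering the message cites.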




* [PATCH 6.18 131/270] udf: reject descriptors with oversized CRC length
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 upstream.

udf_read_tagged() skips CRC verification when descCRCLength +
sizeof(struct tag) exceeds the block size.  A crafted UDF image can
set descCRCLength to an oversized value to bypass CRC validation
entirely; the descriptor is then accepted based solely on the 8-bit
tag checksum, which is trivially recomputable.

Reject such descriptors instead of silently accepting them.  A
legitimate single-block descriptor should never have a CRC length that
exceeds the block.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/misc.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -230,8 +230,12 @@ struct buffer_head *udf_read_tagged(stru
 	}
 
 	/* Verify the descriptor CRC */
-	if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize ||
-	    le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
+	if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) {
+		udf_err(sb, "block %u: CRC length %u exceeds block size\n",
+			block, le16_to_cpu(tag_p->descCRCLength));
+		goto error_out;
+	}
+	if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
 					bh->b_data + sizeof(struct tag),
 					le16_to_cpu(tag_p->descCRCLength)))
 		return bh;
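Review bot: the new udf_err() message reports the offending CRC length but not the block size it was compared against; adding sb->s_blocksize to the message would make rejected images easier to triage. The check itself is sound: the sum is evaluated as le16 value plus sizeof(struct tag) in size_t, so it cannot wrap, and splitting it out of the combined condition means an oversized descriptor now goes to error_out instead of short-circuiting past the CRC compare and returning bh, which is exactly the bypass the commit message describes.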




* [PATCH 6.18 132/270] thermal: core: Free thermal zone ID later during removal
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit daae9c18feec74566e023fc88cfb0ce26e39d868 upstream.

The thermal zone removal ordering is different from the thermal zone
registration rollback path ordering and the former is arguably
problematic because freeing a thermal zone ID prematurely may cause
it to be used during the registration of another thermal zone which
may fail as a result.

Prevent that from occurring by changing the thermal zone removal
ordering to reflect the thermal zone registration rollback path
ordering.

Also move the ida_destroy() call from thermal_zone_device_unregister()

to thermal_release() for consistency.

Fixes: b31ef8285b19 ("thermal core: convert ID allocation to IDA")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5063934.GXAFRqVoOG@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/thermal_core.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -965,6 +965,7 @@ static void thermal_release(struct devic
 		tz = to_thermal_zone(dev);
 		thermal_zone_destroy_device_groups(tz);
 		thermal_set_governor(tz, NULL);
+		ida_destroy(&tz->ida);
 		mutex_destroy(&tz->lock);
 		complete(&tz->removal);
 	} else if (!strncmp(dev_name(dev), "cooling_device",
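Review bot: ida_destroy(&tz->ida) now runs from thermal_release(), i.e. when the last reference to the zone device is dropped, so anything still holding a reference after device_del() can keep using tz->ida until release; that is what makes the move safe. A one-line comment would help readers tell the two IDA objects apart, since &tz->ida destroyed here and &thermal_tz_ida freed in the unregister path look alike but are different allocators.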
@@ -1726,8 +1727,6 @@ void thermal_zone_device_unregister(stru
 
 	thermal_thresholds_exit(tz);
 	thermal_remove_hwmon_sysfs(tz);
-	ida_free(&thermal_tz_ida, tz->id);
-	ida_destroy(&tz->ida);
 
 	device_del(&tz->device);
 	put_device(&tz->device);
@@ -1735,6 +1734,9 @@ void thermal_zone_device_unregister(stru
 	thermal_notify_tz_delete(tz);
 
 	wait_for_completion(&tz->removal);
+
+	ida_free(&thermal_tz_ida, tz->id);
+
 	kfree(tz->tzp);
 	kfree(tz);
 }
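Review bot: ida_free(&thermal_tz_ida, tz->id) is now issued only after wait_for_completion(&tz->removal), i.e. after thermal_release() has run, so the zone ID cannot be handed to a newly registered zone while this zone's device still exists; the removed lines in the previous hunk returned the ID before device_del(), which is the window the commit message describes. The blank lines around the moved call are fine, but the call would read better directly after wait_for_completion() without the extra spacing.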




* [PATCH 6.18 133/270] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Lezcano,
	Baolin Wang

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 upstream.

The temperature was never clamped to SPRD_THM_TEMP_LOW or
SPRD_THM_TEMP_HIGH because the return value of clamp() was not used. Fix
this by assigning the clamped value to 'temp'.

Casting SPRD_THM_TEMP_LOW and SPRD_THM_TEMP_HIGH to int is also
redundant and can be removed.

Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260307102422.306055-1-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/sprd_thermal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/sprd_thermal.c
+++ b/drivers/thermal/sprd_thermal.c
@@ -192,7 +192,7 @@ static int sprd_thm_temp_to_rawdata(int
 {
 	u32 val;
 
-	clamp(temp, (int)SPRD_THM_TEMP_LOW, (int)SPRD_THM_TEMP_HIGH);
+	temp = clamp(temp, SPRD_THM_TEMP_LOW, SPRD_THM_TEMP_HIGH);
 
 	/*
 	 * According to the thermal datasheet, the formula of converting
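Review bot: the old statement discarded clamp()'s value, so the clamping was dead code and the conversion below used the unclamped temp; assigning the result is the whole fix. The same pattern appears in sprd_thm_rawdata_to_temp() (the next patch in this series), so it is worth grepping the driver for other bare clamp() calls, and worth considering whether a __must_check on clamp() would have caught both at compile time.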




* [PATCH 6.18 134/270] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Lezcano,
	Baolin Wang

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 upstream.

The raw temperature data was never clamped to SPRD_THM_RAW_DATA_LOW or
SPRD_THM_RAW_DATA_HIGH because the return value of clamp() was not used.
Fix this by assigning the clamped value to 'rawdata'.

Casting SPRD_THM_RAW_DATA_LOW and SPRD_THM_RAW_DATA_HIGH to u32 is also
redundant and can be removed.

Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260307102422.306055-2-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/sprd_thermal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/sprd_thermal.c
+++ b/drivers/thermal/sprd_thermal.c
@@ -178,7 +178,7 @@ static int sprd_thm_sensor_calibration(s
 static int sprd_thm_rawdata_to_temp(struct sprd_thermal_sensor *sen,
 				    u32 rawdata)
 {
-	clamp(rawdata, (u32)SPRD_THM_RAW_DATA_LOW, (u32)SPRD_THM_RAW_DATA_HIGH);
+	rawdata = clamp(rawdata, SPRD_THM_RAW_DATA_LOW, SPRD_THM_RAW_DATA_HIGH);
 
 	/*
 	 * According to the thermal datasheet, the formula of converting
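Review bot: dropping the (u32) casts means clamp() now sees SPRD_THM_RAW_DATA_LOW/HIGH with whatever type the macros expand to; the kernel's clamp() type checks reject a signed bound against a u32 value unless the bound is a constant that fits, so a build on the stable branch this is applied to should be confirmed. Otherwise this is the same fix as the preceding patch: the unassigned clamp() was a no-op and rawdata entered the conversion unclamped.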




* [PATCH 6.18 135/270] spi: topcliff-pch: fix controller deregistration
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masayuki Ohtake, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5d6f477d6fc0767c57c5e1e6f55a1662820eef87 upstream.

Make sure to deregister the controller before disabling and releasing
underlying resources like interrupts and DMA during driver unbind.

Fixes: e8b17b5b3f30 ("spi/topcliff: Add topcliff platform controller hub (PCH) spi bus driver")
Cc: stable@vger.kernel.org	# 2.6.37
Cc: Masayuki Ohtake <masa-korg@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-8-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-topcliff-pch.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1406,6 +1406,10 @@ static void pch_spi_pd_remove(struct pla
 	dev_dbg(&plat_dev->dev, "%s:[ch%d] irq=%d\n",
 		__func__, plat_dev->id, board_dat->pdev->irq);
 
+	spi_controller_get(data->host);
+
+	spi_unregister_controller(data->host);
+
 	if (use_dma)
 		pch_free_dma_buf(board_dat, data);
 
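Review bot: taking a reference with spi_controller_get() before spi_unregister_controller() keeps data->host alive while the rest of the remove path still dereferences it; the balancing spi_controller_put() lands in the second hunk, so the two hunks must be applied together. Note that pch_free_dma_buf() still runs immediately after the unregister in this version, before the pending-message drain; that ordering is changed by the next patch in the series, so anyone backporting only this one should be aware the queue may still reference freed DMA buffers in between.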
@@ -1433,7 +1437,8 @@ static void pch_spi_pd_remove(struct pla
 	}
 
 	pci_iounmap(board_dat->pdev, data->io_remap_addr);
-	spi_unregister_controller(data->host);
+
+	spi_controller_put(data->host);
 }
 #ifdef CONFIG_PM
 static int pch_spi_pd_suspend(struct platform_device *pd_dev,




* [PATCH 6.18 136/270] spi: topcliff-pch: fix use-after-free on unbind
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tomoya MORINAGA, Johan Hovold,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9d72732fe70c11424bc90ed466c7ccfa58b42a9a upstream.

Give the driver a chance to flush its queue before releasing the DMA
buffers on driver unbind.

Fixes: c37f3c2749b5 ("spi/topcliff_pch: DMA support")
Cc: stable@vger.kernel.org	# 3.1
Cc: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-9-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-topcliff-pch.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1410,9 +1410,6 @@ static void pch_spi_pd_remove(struct pla
 
 	spi_unregister_controller(data->host);
 
-	if (use_dma)
-		pch_free_dma_buf(board_dat, data);
-
 	/* check for any pending messages; no action is taken if the queue
 	 * is still full; but at least we tried.  Unload anyway */
 	count = 500;
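Review bot: pch_free_dma_buf() was being called before the "check for any pending messages" loop, so in-flight transfers could still reference the DMA buffers; removing it here and re-adding it after free_irq() in the second hunk ensures the IRQ handler and the queue are quiesced first. The retained comment ("no action is taken if the queue is still full; but at least we tried. Unload anyway") says the 500-iteration drain is best-effort, so a message still queued after the retries would still race the later free; a warning at that point, or a hard refusal to unload, would close the remaining window.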
@@ -1436,6 +1433,9 @@ static void pch_spi_pd_remove(struct pla
 		free_irq(board_dat->pdev->irq, data);
 	}
 
+	if (use_dma)
+		pch_free_dma_buf(board_dat, data);
+
 	pci_iounmap(board_dat->pdev, data->io_remap_addr);
 
 	spi_controller_put(data->host);
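Review bot: the DMA buffers are now released after free_irq() and before pci_iounmap(), which is the reverse of the allocation order and the expected place; with spi_controller_put() as the final statement, nothing touches the buffers after this point.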




* [PATCH 6.18 137/270] tracing/probes: Limit size of event probe to 3K
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
	Masami Hiramatsu (Google), Steven Rostedt

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <rostedt@goodmis.org>

commit b2aa3b4d64e460ac606f386c24e7d8a873ce6f1a upstream.

There currently isn't a max limit on how big an event probe can be. One could make an
event greater than PAGE_SIZE, which makes the event useless because if
it's bigger than the max event that can be recorded into the ring buffer,
then it will never be recorded.

An event probe should never need to be greater than 3K, so make that the
max size. As long as the max is less than the max that can be recorded
onto the ring buffer, it should be fine.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events")
Link: https://patch.msgid.link/20260428122302.706610ba@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_probe.c |    6 ++++++
 kernel/trace/trace_probe.h |    4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -1523,6 +1523,12 @@ static int traceprobe_parse_probe_arg_bo
 	parg->offset = *size;
 	*size += parg->type->size * (parg->count ?: 1);
 
+	if (*size > MAX_PROBE_EVENT_SIZE) {
+		ret = -E2BIG;
+		trace_probe_log_err(ctx->offset, EVENT_TOO_BIG);
+		goto fail;
+	}
+
 	if (parg->count) {
 		len = strlen(parg->type->fmttype) + 6;
 		parg->fmt = kmalloc(len, GFP_KERNEL);
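Review bot: the new size check runs after *size has been advanced by parg->type->size * (parg->count ?: 1), so on the -E2BIG path *size already includes the rejected field; that is harmless if the caller discards the whole probe on fail, but if *size is reused the caller should know it is past the limit. The multiplication also happens before the comparison, so if parg->count is not bounded elsewhere a large count could wrap *size before the check sees it; if it is bounded (the MAX_* limits in the header hunk suggest so), a comment here would make that explicit.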
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -38,6 +38,7 @@
 #define MAX_BTF_ARGS_LEN	128
 #define MAX_DENTRY_ARGS_LEN	256
 #define MAX_STRING_SIZE		PATH_MAX
+#define MAX_PROBE_EVENT_SIZE	3072
 
 /* Reserved field names */
 #define FIELD_STRING_IP		"__probe_ip"
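Review bot: MAX_PROBE_EVENT_SIZE is set to 3072 with no comment tying it to the constraint the commit message relies on, namely that it must stay below the largest event the ring buffer can record (the message mentions PAGE_SIZE); a comment next to the define, or a build-time check against that limit, would keep the constraint visible where the number is chosen.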
@@ -561,7 +562,8 @@ extern int traceprobe_define_arg_fields(
 	C(BAD_TYPE4STR,		"This type does not fit for string."),\
 	C(NEED_STRING_TYPE,	"$comm and immediate-string only accepts string type"),\
 	C(TOO_MANY_ARGS,	"Too many arguments are specified"),	\
-	C(TOO_MANY_EARGS,	"Too many entry arguments specified"),
+	C(TOO_MANY_EARGS,	"Too many entry arguments specified"),	\
+	C(EVENT_TOO_BIG,	"Event too big (too many fields?)"),
 
 #undef C
 #define C(a, b)		TP_ERR_##a
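Review bot: the trailing backslash added to the TOO_MANY_EARGS entry is required now that EVENT_TOO_BIG follows it in the macro list, and the new final entry correctly has none. The message "Event too big (too many fields?)" would be more actionable if it named the limit, e.g. the 3K from MAX_PROBE_EVENT_SIZE, so users hitting it know what to reduce.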




* [PATCH 6.18 138/270] clk: imx: imx8-acm: fix flags for acm clocks
@ 2026-05-12 17:38 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:38 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefan Eichenberger, Shengjiu Wang,
	Peng Fan, Abel Vesa

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Eichenberger <stefan.eichenberger@toradex.com>

commit f2c2fc93b4a3efdfcf3805ab74741826d343ff2c upstream.

Currently, the flags for the ACM clocks are set to 0. This configuration
causes the fsl-sai audio driver to fail when attempting to set the
sysclk, returning an EINVAL error. The following error messages
highlight the issue:
fsl-sai 59090000.sai: ASoC: error at snd_soc_dai_set_sysclk on 59090000.sai: -22
imx-hdmi sound-hdmi: failed to set cpu sysclk: -22

By setting the flag CLK_SET_RATE_NO_REPARENT, we signal that the ACM
driver does not support reparenting and instead relies on the clock tree
as defined in the device tree. This change resolves the issue with the
fsl-sai audio driver.

CC: stable@vger.kernel.org
Fixes: d3a0946d7ac9 ("clk: imx: imx8: add audio clock mux driver")
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260212085750.3253187-1-shengjiu.wang@nxp.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/imx/clk-imx8-acm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/clk/imx/clk-imx8-acm.c
+++ b/drivers/clk/imx/clk-imx8-acm.c
@@ -371,7 +371,8 @@ static int imx8_acm_clk_probe(struct pla
 	for (i = 0; i < priv->soc_data->num_sels; i++) {
 		hws[sels[i].clkid] = devm_clk_hw_register_mux_parent_data_table(dev,
 										sels[i].name, sels[i].parents,
-										sels[i].num_parents, 0,
+										sels[i].num_parents,
+										CLK_SET_RATE_NO_REPARENT,
 										base + sels[i].reg,
 										sels[i].shift, sels[i].width,
 										0, NULL, NULL);
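Review bot: setting CLK_SET_RATE_NO_REPARENT on every mux registered in this loop means a rate request from a child can no longer switch the mux input to find a better parent; the commit message explains that the driver wants the device-tree parent to stick, and the fsl-sai -22 errors it quotes are the symptom. The flag is still hard-coded for all sels[] entries; if any mux should remain reparentable, a per-entry flags field in sels[] would be cleaner than a blanket flag.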




* [PATCH 6.18 139/270] clk: microchip: mpfs-ccc: fix out of bounds access during output registration
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Brian Masney, Conor Dooley

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Conor Dooley <conor.dooley@microchip.com>

commit 2f7ae8ab6aa73daaf080d5332110357c29df9c36 upstream.

UBSAN reported an out of bounds access during registration of the last
two outputs. This out of bounds access occurs because space is only
allocated in the hws array for two PLLs and the four output dividers
that each has, but the defined IDs contain two DLLs and their two
outputs each, which are not supported by the driver. The ID order is
PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs
by two while adding them to the array to avoid the problem.

Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
CC: stable@vger.kernel.org
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/microchip/clk-mpfs-ccc.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/clk/microchip/clk-mpfs-ccc.c
+++ b/drivers/clk/microchip/clk-mpfs-ccc.c
@@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(str
 			return dev_err_probe(dev, ret, "failed to register clock id: %d\n",
 					     out_hw->id);
 
-		data->hw_data.hws[out_hw->id] = &out_hw->divider.hw;
+		data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw;
 	}
 
 	return 0;
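Review bot: the out_hw->id - 2 adjustment encodes the number of DLL IDs that sit between the PLL IDs and the PLL-output IDs as a bare magic number; a named constant or a short comment at this line (the explanatory comment only lands in mpfs_ccc_probe() in the next hunk) would stop a future ID-table change from silently reintroducing the out-of-bounds write. A runtime check that the adjusted index is below the allocated hws count before the store would be better still, since this is the line UBSAN flagged.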
@@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platfor
 	unsigned int num_clks;
 	int ret;
 
+	/*
+	 * If DLLs get added here, mpfs_ccc_register_outputs() currently packs
+	 * sparse clock IDs in the hws array
+	 */
 	num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
 		   ARRAY_SIZE(mpfs_ccc_pll1out_clks);
 
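Review bot: the new comment documents the coupling with mpfs_ccc_register_outputs() but only as a warning; since num_clks is computed right below it, a build-time assertion that the PLL-output index range fits in num_clks would enforce the invariant. Wording: "currently packs sparse clock IDs in the hws array" is a little indirect; saying that the output registration subtracts the DLL ID count and must be updated if DLLs are added makes the required change explicit.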




* [PATCH 6.18 140/270] cpuidle: powerpc: avoid double clear when breaking snooze
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mukesh Kumar Chaurasiya (IBM),
	Shrikanth Hegde, Madhavan Srinivasan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shrikanth Hegde <sshegde@linux.ibm.com>

commit 64ed1e3e728afb57ba9acb59e69de930ead847d9 upstream.

snooze_loop is done often in any system which has a fair bit of
idle time. So it qualifies for even micro-optimizations.

When breaking the snooze due to timeout, TIF_POLLING_NRFLAG is cleared
twice. Clearing the bit invokes atomics. Avoid double clear and thereby
avoid one atomic write.

dev->poll_time_limit indicates whether the loop was broken due to
timeout. Use that instead of defining a new variable.

Fixes: 7ded429152e8 ("cpuidle: powerpc: no memory barrier after break from idle")
Cc: stable@vger.kernel.org
Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260311061709.1230440-1-sshegde@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpuidle/cpuidle-powernv.c |    5 ++++-
 drivers/cpuidle/cpuidle-pseries.c |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/cpuidle/cpuidle-powernv.c
+++ b/drivers/cpuidle/cpuidle-powernv.c
@@ -95,7 +95,10 @@ static int snooze_loop(struct cpuidle_de
 
 	HMT_medium();
 	ppc64_runlatch_on();
-	clear_thread_flag(TIF_POLLING_NRFLAG);
+
+	/* Avoid double clear when breaking */
+	if (!dev->poll_time_limit)
+		clear_thread_flag(TIF_POLLING_NRFLAG);
 
 	local_irq_disable();
 
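Review bot: the skip relies on the loop having already cleared TIF_POLLING_NRFLAG on the path that sets dev->poll_time_limit; that code is outside the hunk, so it should be confirmed that the flag is cleared on the timeout break and not only on the need-resched break, otherwise the polling flag would be left set across the local_irq_disable() below. The "Avoid double clear when breaking" comment could name that invariant ("already cleared by the timeout path") so the dependency is visible at the site that relies on it.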
--- a/drivers/cpuidle/cpuidle-pseries.c
+++ b/drivers/cpuidle/cpuidle-pseries.c
@@ -64,7 +64,10 @@ int snooze_loop(struct cpuidle_device *d
 	}
 
 	HMT_medium();
-	clear_thread_flag(TIF_POLLING_NRFLAG);
+
+       /* Avoid double clear when breaking */
+	if (!dev->poll_time_limit)
+		clear_thread_flag(TIF_POLLING_NRFLAG);
 
 	raw_local_irq_disable();
 
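Review bot: the comment line "/* Avoid double clear when breaking */" in this hunk is indented with spaces while the surrounding code and the powernv hunk use tabs; checkpatch will flag it. The logic is the same as the powernv change and carries the same dependency on the timeout path having cleared the flag already.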




* [PATCH 6.18 141/270] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tommaso Soncin, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tommaso Soncin <soncintommaso@gmail.com>

commit d63c219b7ff39f897da10c160a2edef76320f16c upstream.

Add a DMI quirk for the HP OMEN Gaming Laptop 16-ap0xxx line fixing the
issue where the internal microphone was not detected.

Cc: stable@vger.kernel.org
Signed-off-by: Tommaso Soncin <soncintommaso@gmail.com>
Link: https://patch.msgid.link/20260429160858.538986-1-soncintommaso@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/amd/yc/acp6x-mach.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -55,6 +55,13 @@ static const struct dmi_system_id yc_acp
 	{
 		.driver_data = &acp6x_card,
 		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "OMEN Gaming Laptop 16-ap0xxx"),
+		}
+	},
+	{
+		.driver_data = &acp6x_card,
+		.matches = {
 			DMI_MATCH(DMI_BOARD_VENDOR, "Dell Inc."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5525"),
 		}
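Review bot: the new entry matches DMI_BOARD_VENDOR "HP" plus DMI_PRODUCT_NAME "OMEN Gaming Laptop 16-ap0xxx", which is a specific product match; fine. It is inserted ahead of the Dell G15 5525 entry, so if the table is grouped by vendor it may belong next to the other HP entries instead; worth checking where those sit.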
@@ -655,6 +662,13 @@ static const struct dmi_system_id yc_acp
 		}
 	},
 	{
+		.driver_data = &acp6x_card,
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+			DMI_MATCH(DMI_BOARD_NAME, "8E35"),
+		}
+	},
+	{
 		.driver_data = &acp6x_card,
 		.matches = {
 			DMI_MATCH(DMI_BOARD_VENDOR, "MECHREVO"),
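Review bot: this second entry matches on DMI_BOARD_NAME "8E35" rather than product name, which is broader than the product match in the first hunk; since both entries carry the same driver_data, confirm that board 8E35 is used only by the 16-ap0xxx line, otherwise the first entry is redundant and this one could apply the quirk to unrelated HP machines. The commit message describes a single product line, so a sentence there on why two match rules are needed would help.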




* [PATCH 6.18 142/270] ASoC: ES8389: convert to devm_clk_get_optional() to get clock
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Li Jian, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Jian <lazycat-xiao@foxmail.com>

commit 8ed3311131077712cdd0b3afec6909b9388ad3e4 upstream.

When enabling ES8390 via ACPI description, es8389 would fail to
obtain a clock source, causing the driver to fail to initialize.
This was not an issue with older kernels, but since commit
abae8e57e49a ("clk: generalize devm_clk_get() a bit"),
devm_clk_get() would return an error pointer when a clock source
was not detected (instead of falling back to a static clock),
causing the driver to fail early.

Use devm_clk_get_optional() instead to return to the previous
behaviour, allowing the use of a static clock source.

Cc: stable@vger.kernel.org
Signed-off-by: Li Jian <lazycat-xiao@foxmail.com>
Link: https://patch.msgid.link/tencent_7C78374FB9F4B3A37101E5C719715D8BC40A@qq.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/codecs/es8389.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/codecs/es8389.c
+++ b/sound/soc/codecs/es8389.c
@@ -827,7 +827,7 @@ static int es8389_probe(struct snd_soc_c
 		es8389->mclk_src = ES8389_MCLK_SOURCE;
 	}
 
-	es8389->mclk = devm_clk_get(component->dev, "mclk");
+	es8389->mclk = devm_clk_get_optional(component->dev, "mclk");
 	if (IS_ERR(es8389->mclk))
 		return dev_err_probe(component->dev, PTR_ERR(es8389->mclk),
 			"ES8389 is unable to get mclk\n");

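Review bot: with devm_clk_get_optional() a missing "mclk" now yields a NULL es8389->mclk instead of an error, so the IS_ERR() check below the changed line deliberately no longer catches the absent-clock case; whatever consumes es8389->mclk later in the driver (outside this hunk) must therefore tolerate NULL. The clk consumer helpers (clk_prepare_enable(), clk_get_rate(), clk_disable_unprepare()) treat a NULL clk as a no-op, so this holds as long as mclk is only used through them; worth confirming there is no separate `if (!es8389->mclk)` error branch in probe that would still reject the optional case. The dev_err_probe() message "ES8389 is unable to get mclk" now fires only for real errors such as -EPROBE_DEFER, which is the intended behaviour and could be said in the changelog.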



* [PATCH 6.18 143/270] ASoC: fsl_easrc: fix comment typo
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Joseph Salisbury, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Salisbury <joseph.salisbury@oracle.com>

commit 804dce6c73fdfa44184ee4e8b09abad7f5da408f upstream.

The file contains a spelling error in a source comment (funciton).

Typos in comments reduce readability and make text searches less reliable
for developers and maintainers.

Replace 'funciton' with 'function' in the affected comment. This is a
comment-only cleanup and does not change behavior.

Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Cc: stable@vger.kernel.org
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Link: https://patch.msgid.link/20260316180545.144032-1-joseph.salisbury@oracle.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/fsl/fsl_easrc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -1286,7 +1286,7 @@ static int fsl_easrc_request_context(int
 /*
  * Release the context
  *
- * This funciton is mainly doing the revert thing in request context
+ * This function is mainly doing the revert thing in request context
  */
 static void fsl_easrc_release_context(struct fsl_asrc_pair *ctx)
 {




* [PATCH 6.18 144/270] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Cezary Rojewski,
	Hans de Goede, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 13d30682e8dee191ac04e93642f0372a723e8b0c upstream.

If byt_wm5102_prepare_and_enable_pll1() fails in the
SND_SOC_DAPM_EVENT_ON() path, platform_clock_control() returns after
clk_prepare_enable(priv->mclk) without disabling the clock again.

This leaks an MCLK enable reference on failed power-up attempts. Add the
missing clk_disable_unprepare() on the error path, matching the unwind
used by the other Intel platform_clock_control() implementations.

Fixes: 9a87fc1e0619 ("ASoC: Intel: bytcr_wm5102: Add machine driver for BYT/WM5102")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260427-bytcr-wm5102-mclk-leak-v1-1-02b96d08e99c@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/intel/boards/bytcr_wm5102.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/intel/boards/bytcr_wm5102.c
+++ b/sound/soc/intel/boards/bytcr_wm5102.c
@@ -171,6 +171,7 @@ static int platform_clock_control(struct
 		ret = byt_wm5102_prepare_and_enable_pll1(codec_dai, 48000);
 		if (ret) {
 			dev_err(card->dev, "Error setting codec sysclk: %d\n", ret);
+			clk_disable_unprepare(priv->mclk);
 			return ret;
 		}
 	} else {
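
Review bot: the added clk_disable_unprepare(priv->mclk) pairs with the clk_prepare_enable(priv->mclk) that the changelog says precedes this block, and nothing else has been set up at that point (the codec sysclk call is the one that failed), so the single-line unwind is sufficient. If further setup steps ever follow the PLL configuration, converting this to a goto-based unwind would keep the disable from being duplicated in each error branch; as the hunk stands, inline is fine.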




* [PATCH 6.18 145/270] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit cab45ab95ce7600fc0ff84585c77fd45b7b0d67c upstream.

Reset the queue pointer on the SNDRV_PCM_TRIGGER_STOP event to be in line
with resetting appl_ptr. Without this we will end up with a queue_ptr
out of sync and the driver could try to send data that is not ready yet.

Fix this by resetting the queue_ptr.

Fixes: 3d4a4411aa8bb ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-6-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6apm-dai.c |    1 +
 sound/soc/qcom/qdsp6/q6apm.c     |    2 ++
 2 files changed, 3 insertions(+)

--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -323,6 +323,7 @@ static int q6apm_dai_trigger(struct snd_
 	case SNDRV_PCM_TRIGGER_STOP:
 		/* TODO support be handled via SoftPause Module */
 		prtd->state = Q6APM_STREAM_STOPPED;
+		prtd->queue_ptr = 0;
 		break;
 	case SNDRV_PCM_TRIGGER_SUSPEND:
 	case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
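
Review bot: the existing TODO comment directly above the new line ("support be handled via SoftPause Module") is ungrammatical, and since the STOP case is being touched this is a cheap moment to reword it (e.g. "TODO: should be handled via the SoftPause module"). Resetting queue_ptr only on STOP and not on the SUSPEND/PAUSE_PUSH cases that follow appears intentional, as those streams resume from their current position; a one-line comment saying so would stop someone from "completing" the reset there later.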
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -225,6 +225,8 @@ int q6apm_map_memory_regions(struct q6ap
 
 	mutex_lock(&graph->lock);
 
+	data->dsp_buf = 0;
+
 	if (data->buf) {
 		mutex_unlock(&graph->lock);
 		return 0;
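
Review bot: the q6apm.c hunk resets data->dsp_buf unconditionally and before the `if (data->buf)` early return, so it also runs when the buffers are already mapped and the function otherwise does nothing; the changelog only describes the queue_ptr reset and never mentions dsp_buf, so the reason for clearing it here (and why it must also happen on the already-mapped path) should be stated in the commit message or in a comment above the new line.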




* [PATCH 6.18 146/270] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 69acc488aaf39d0ddf6c3cf0e47c1873d39919a2 upstream.

As prepare can be called multiple times, this can result in multiple
graph opens for the playback path.

This will result in memory leaks; fix this by adding a check before
opening.

Fixes: be1fae62cf25 ("ASoC: q6apm-lpass-dai: close graph on prepare errors")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-5-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
@@ -181,7 +181,7 @@ static int q6apm_lpass_dai_prepare(struc
 	 * It is recommend to load DSP with source graph first and then sink
 	 * graph, so sequence for playback and capture will be different
 	 */
-	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && dai_data->graph[dai->id] == NULL) {
 		graph = q6apm_graph_open(dai->dev, NULL, dai->dev, graph_id);
 		if (IS_ERR(graph)) {
 			dev_err(dai->dev, "Failed to open graph (%d)\n", graph_id);
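
Review bot: when the graph is already open the q6apm_graph_open() call is now skipped, so the local `graph` assigned on the visible line after the condition is never set on that path; please confirm that the rest of q6apm_lpass_dai_prepare() (outside this hunk) reads dai_data->graph[dai->id] rather than the local `graph` afterwards, otherwise the second prepare would use an uninitialised pointer. Stylistically, checkpatch would flag the changed line for both its length and the explicit `== NULL`; wrapping the second operand onto its own line as `!dai_data->graph[dai->id]` keeps kernel style.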




* [PATCH 6.18 147/270] ASoC: qcom: q6apm: remove child devices when apm is removed
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 4a0e1bcc98f7281d1605768bd2fe71eacc34f9b7 upstream.

Looks like the q6apm driver does not remove the child drivers q6apm-dai and
q6apm-bedais when this driver is removed.

Fix this by depopulating them in the remove callback.

With this change, when the DSP is shut down, all the devices associated with
q6apm will now be removed.

Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6apm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -784,6 +784,7 @@ static int apm_probe(gpr_device_t *gdev)
 
 static void apm_remove(gpr_device_t *gdev)
 {
+	of_platform_depopulate(&gdev->dev);
 	snd_soc_unregister_component(&gdev->dev);
 }
 
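Review bot: of_platform_depopulate() here must pair with a plain of_platform_populate() in apm_probe(); if probe used devm_of_platform_populate() instead, the children would already be removed by the devres unwind after apm_remove() returns and this call would be redundant. The hunk shows only the tail of apm_probe(), so that pairing should be verified in the full file. The ordering is right as written: the child devices are torn down before the parent's component is unregistered, the reverse of the probe sequence.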




* [PATCH 6.18 148/270] btrfs: fix double free in create_space_info() error path
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Guangshuo Li,
	David Sterba

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 3f487be81292702a59ea9dbc4088b3360a50e837 upstream.

When kobject_init_and_add() fails, the call chain is:

create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.

Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
CC: stable@vger.kernel.org # 6.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/space-info.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -311,7 +311,7 @@ static int create_space_info(struct btrf
 
 	ret = btrfs_sysfs_add_space_info_type(info, space_info);
 	if (ret)
-		goto out_free;
+		return ret;
 
 	list_add(&space_info->list, &info->space_info);
 	if (flags & BTRFS_BLOCK_GROUP_DATA)
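
Review bot: replacing `goto out_free` with `return ret` is correct only because btrfs_sysfs_add_space_info_type() has already dropped the kobject reference on failure, which ran the release callback and freed space_info; nothing in the visible lines says so, and the out_free label still serves the earlier failure path, so a future reader may well "fix" this back to the goto. A one-line comment above the return (e.g. /* space_info was freed by kobject_put() in the sysfs helper */) would make the ownership transfer explicit in the code rather than only in the changelog.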




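The ownership rule behind this fix, as an added example that is not btrfs or kobject code: a toy kobject with a refcount and a release callback, a stand-in for btrfs_sysfs_add_space_info_type() that drops its reference on a simulated kobject_init_and_add() failure, and create_space_info() as it looked before and after the patch. The `early_fail` branch, the `frees_for` driver and the free counter are constructed for the demonstration; the embedding struct is freed by counting rather than by a real allocator so the double free is observable instead of crashing.

```c
#include <stdio.h>

/* Toy model of the kobject ownership rule (constructed for this example, not
 * btrfs or kobject code): once kobject_init_and_add() has been called, the
 * embedding structure belongs to the kobject's refcount and is freed by its
 * release callback, so the caller must not kfree() it again on that path. */

struct kobject {
    int refcount;
    void (*release)(struct kobject *);
};

struct space_info {
    struct kobject kobj;   /* first member, so the cast below stands in for container_of() */
    int flags;
};

static int kfree_calls;   /* how many times the object was "freed" in one run */

static void kfree_space_info(struct space_info *si)
{
    (void)si;
    kfree_calls++;        /* a real second kfree() would corrupt the allocator */
}

static void space_info_release(struct kobject *kobj)
{
    kfree_space_info((struct space_info *)kobj);
}

static void kobject_put(struct kobject *kobj)
{
    if (--kobj->refcount == 0)
        kobj->release(kobj);
}

/* Stand-in for btrfs_sysfs_add_space_info_type(): takes the reference and, on
 * a simulated kobject_init_and_add() failure, drops it again, which runs the
 * release callback and frees space_info before the error is returned. */
static int sysfs_add_space_info(struct space_info *si, int fail)
{
    si->kobj.refcount = 1;
    si->kobj.release = space_info_release;
    if (fail) {
        kobject_put(&si->kobj);
        return -1;
    }
    return 0;
}

/* create_space_info() before the patch: both failures jump to out_free. The
 * early_fail branch is a hypothetical stand-in for the earlier failure that
 * the changelog says must keep its direct kfree(). */
static int create_space_info_before(struct space_info *si, int early_fail, int sysfs_fail)
{
    int ret;

    if (early_fail) {
        ret = -1;
        goto out_free;
    }
    ret = sysfs_add_space_info(si, sysfs_fail);
    if (ret)
        goto out_free;   /* BUG: si was already freed by the release callback */
    return 0;
out_free:
    kfree_space_info(si);
    return ret;
}

/* After the patch: the sysfs failure returns directly, ownership having
 * passed to the kobject; the early failure still frees directly. */
static int create_space_info_after(struct space_info *si, int early_fail, int sysfs_fail)
{
    int ret;

    if (early_fail) {
        ret = -1;
        goto out_free;
    }
    ret = sysfs_add_space_info(si, sysfs_fail);
    if (ret)
        return ret;
    return 0;
out_free:
    kfree_space_info(si);
    return ret;
}

/* Run one scenario and report how many times the object was freed. */
static int frees_for(int patched, int early_fail, int sysfs_fail)
{
    struct space_info si = { { 0, 0 }, 0 };

    kfree_calls = 0;
    if (patched)
        create_space_info_after(&si, early_fail, sysfs_fail);
    else
        create_space_info_before(&si, early_fail, sysfs_fail);
    return kfree_calls;
}

int main(void)
{
    printf("sysfs failure, before patch: freed %d times\n", frees_for(0, 0, 1));
    printf("sysfs failure, after patch:  freed %d times\n", frees_for(1, 0, 1));
    printf("early failure, after patch:  freed %d times\n", frees_for(1, 1, 0));
    return 0;
}
```

The counter shows the double free on the pre-patch sysfs failure path and exactly one free everywhere else; the earlier failure keeps its direct kfree() in both versions because at that point the kobject has not yet taken ownership.
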
* [PATCH 6.18 149/270] btrfs: fix missing last_unlink_trans update when removing a directory
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Slava0135, Filipe Manana,
	David Sterba

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 999757231c49376cd1a37308d2c8c4c9932571e1 upstream.

When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case someone fsyncs the
directory after it was removed because it's holding a file descriptor on
it.

Example scenario:

   mkdir /mnt/dir1
   mkdir /mnt/dir1/dir2
   mkdir /mnt/dir3

   sync -f /mnt

   # Do some change to the directory and fsync it.
   chmod 700 /mnt/dir1
   xfs_io -c fsync /mnt/dir1

   # Move dir2 out of dir1 so that dir1 becomes empty.
   mv /mnt/dir1/dir2 /mnt/dir3/

   open fd on /mnt/dir1
   call rmdir(2) on path "/mnt/dir1"
   fsync fd

   <trigger power failure>

When attempting to mount the filesystem, the log replay will fail with
an -EIO error and dmesg/syslog has the following:

   [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650
   [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm
   [445771.627912] BTRFS info (device dm-0): start tree-log replay
   [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5
   [445771.629453] memcg:ffff89f400351b00
   [445771.629892] aops:btree_aops [btrfs] ino:1
   [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
   [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8
   [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00
   [445771.635029] page dumped because: eb page dump
   [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir
   [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5
   [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087
   [445771.638094] 	item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
   [445771.638097] 		inode generation 3 transid 9 size 16 nbytes 16384
   [445771.638098] 		block group 0 mode 40755 links 1 uid 0 gid 0
   [445771.638100] 		rdev 0 sequence 2 flags 0x0
   [445771.638102] 		atime 1775744884.0
   [445771.660056] 		ctime 1775744885.645502983
   [445771.660058] 		mtime 1775744885.645502983
   [445771.660060] 		otime 1775744884.0
   [445771.660062] 	item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
   [445771.660064] 		index 0 name_len 2
   [445771.660066] 	item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34
   [445771.660068] 		location key (259 1 0) type 2
   [445771.660070] 		transid 9 data_len 0 name_len 4
   [445771.660075] 	item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34
   [445771.660076] 		location key (257 1 0) type 2
   [445771.660077] 		transid 9 data_len 0 name_len 4
   [445771.660078] 	item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
   [445771.660079] 		location key (257 1 0) type 2
   [445771.660080] 		transid 9 data_len 0 name_len 4
   [445771.660081] 	item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
   [445771.660082] 		location key (259 1 0) type 2
   [445771.660083] 		transid 9 data_len 0 name_len 4
   [445771.660084] 	item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
   [445771.660086] 		inode generation 9 transid 9 size 8 nbytes 0
   [445771.660087] 		block group 0 mode 40777 links 1 uid 0 gid 0
   [445771.660088] 		rdev 0 sequence 2 flags 0x0
   [445771.660089] 		atime 1775744885.641174097
   [445771.660090] 		ctime 1775744885.645502983
   [445771.660091] 		mtime 1775744885.645502983
   [445771.660105] 		otime 1775744885.641174097
   [445771.660106] 	item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
   [445771.660107] 		index 2 name_len 4
   [445771.660108] 	item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34
   [445771.660109] 		location key (258 1 0) type 2
   [445771.660110] 		transid 9 data_len 0 name_len 4
   [445771.660111] 	item 9 key (257 DIR_INDEX 2) itemoff 15733 itemsize 34
   [445771.660112] 		location key (258 1 0) type 2
   [445771.660113] 		transid 9 data_len 0 name_len 4
   [445771.660114] 	item 10 key (258 INODE_ITEM 0) itemoff 15573 itemsize 160
   [445771.660115] 		inode generation 9 transid 10 size 0 nbytes 0
   [445771.660116] 		block group 0 mode 40755 links 2 uid 0 gid 0
   [445771.660117] 		rdev 0 sequence 0 flags 0x0
   [445771.660118] 		atime 1775744885.645502983
   [445771.660119] 		ctime 1775744885.645502983
   [445771.660120] 		mtime 1775744885.645502983
   [445771.660121] 		otime 1775744885.645502983
   [445771.660122] 	item 11 key (258 INODE_REF 257) itemoff 15559 itemsize 14
   [445771.660123] 		index 2 name_len 4
   [445771.660124] 	item 12 key (258 INODE_REF 259) itemoff 15545 itemsize 14
   [445771.660125] 		index 2 name_len 4
   [445771.660126] 	item 13 key (259 INODE_ITEM 0) itemoff 15385 itemsize 160
   [445771.660127] 		inode generation 9 transid 10 size 8 nbytes 0
   [445771.660128] 		block group 0 mode 40755 links 1 uid 0 gid 0
   [445771.660129] 		rdev 0 sequence 1 flags 0x0
   [445771.660130] 		atime 1775744885.645502983
   [445771.660130] 		ctime 1775744885.645502983
   [445771.660131] 		mtime 1775744885.645502983
   [445771.660132] 		otime 1775744885.645502983
   [445771.660133] 	item 14 key (259 INODE_REF 256) itemoff 15371 itemsize 14
   [445771.660134] 		index 3 name_len 4
   [445771.660135] 	item 15 key (259 DIR_ITEM 2676584006) itemoff 15337 itemsize 34
   [445771.660136] 		location key (258 1 0) type 2
   [445771.660137] 		transid 10 data_len 0 name_len 4
   [445771.660138] 	item 16 key (259 DIR_INDEX 2) itemoff 15303 itemsize 34
   [445771.660139] 		location key (258 1 0) type 2
   [445771.660140] 		transid 10 data_len 0 name_len 4
   [445771.660144] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected
   [445771.661650] ------------[ cut here ]------------
   [445771.662358] WARNING: fs/btrfs/disk-io.c:326 at btree_csum_one_bio+0x217/0x230 [btrfs], CPU#8: mount/3581087
   [445771.663588] Modules linked in: btrfs f2fs xfs (...)
   [445771.671229] CPU: 8 UID: 0 PID: 3581087 Comm: mount Tainted: G        W           7.0.0-rc6-btrfs-next-230+ #2 PREEMPT(full)
   [445771.672575] Tainted: [W]=WARN
   [445771.672987] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
   [445771.674460] RIP: 0010:btree_csum_one_bio+0x217/0x230 [btrfs]
   [445771.675222] Code: 89 44 24 (...)
   [445771.677364] RSP: 0018:ffffd23882247660 EFLAGS: 00010246
   [445771.678029] RAX: 0000000000000000 RBX: ffff89f6c51d1a90 RCX: 0000000000000000
   [445771.678975] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff89f406020000
   [445771.679983] RBP: ffff89f821204000 R08: 0000000000000000 R09: 00000000ffefffff
   [445771.680905] R10: ffffd23882247448 R11: 0000000000000003 R12: ffffd23882247668
   [445771.681978] R13: ffff89f458e40fc0 R14: ffff89f737f4f500 R15: ffff89f737f4f500
   [445771.682912] FS:  00007f0447a98840(0000) GS:ffff89fb9771d000(0000) knlGS:0000000000000000
   [445771.684393] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   [445771.685230] CR2: 00007f0447bf1330 CR3: 000000017cb02002 CR4: 0000000000370ef0
   [445771.686273] Call Trace:
   [445771.686646]  <TASK>
   [445771.686969]  btrfs_submit_bbio+0x83f/0x860 [btrfs]
   [445771.687750]  ? write_one_eb+0x28f/0x340 [btrfs]
   [445771.688428]  btree_writepages+0x2e3/0x550 [btrfs]
   [445771.689180]  ? kmem_cache_alloc_noprof+0x12a/0x490
   [445771.689963]  ? alloc_extent_state+0x19/0x120 [btrfs]
   [445771.690801]  ? kmem_cache_free+0x135/0x380
   [445771.691328]  ? preempt_count_add+0x69/0xa0
   [445771.691831]  ? set_extent_bit+0x252/0x8e0 [btrfs]
   [445771.692468]  ? xas_load+0x9/0xc0
   [445771.692873]  ? xas_find+0x14d/0x1a0
   [445771.693304]  do_writepages+0xc6/0x160
   [445771.693756]  filemap_writeback+0xb8/0xe0
   [445771.694274]  btrfs_write_marked_extents+0x61/0x170 [btrfs]
   [445771.694999]  btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs]
   [445771.695818]  btrfs_commit_transaction+0x5c8/0xd10 [btrfs]
   [445771.696530]  ? kmem_cache_free+0x135/0x380
   [445771.697120]  ? release_extent_buffer+0x34/0x160 [btrfs]
   [445771.697786]  btrfs_recover_log_trees+0x7be/0x7e0 [btrfs]
   [445771.698525]  ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
   [445771.699206]  open_ctree+0x11e5/0x1810 [btrfs]
   [445771.699776]  btrfs_get_tree.cold+0xb/0x162 [btrfs]
   [445771.700463]  ? fscontext_read+0x165/0x180
   [445771.701146]  ? rw_verify_area+0x50/0x180
   [445771.701866]  vfs_get_tree+0x25/0xd0
   [445771.702491]  vfs_cmd_create+0x59/0xe0
   [445771.703125]  __do_sys_fsconfig+0x303/0x610
   [445771.703603]  do_syscall_64+0xe9/0xf20
   [445771.703974]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
   [445771.704700] RIP: 0033:0x7f0447cbd4aa
   [445771.705108] Code: 73 01 c3 (...)
   [445771.707263] RSP: 002b:00007ffc4e528318 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
   [445771.708107] RAX: ffffffffffffffda RBX: 00005561585d8c20 RCX: 00007f0447cbd4aa
   [445771.708931] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
   [445771.709744] RBP: 00005561585d9120 R08: 0000000000000000 R09: 0000000000000000
   [445771.710674] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
   [445771.711477] R13: 00007f0447e4f580 R14: 00007f0447e5126c R15: 00007f0447e36a23
   [445771.712277]  </TASK>
   [445771.712541] ---[ end trace 0000000000000000 ]---
   [445771.713382] BTRFS error (device dm-0): error while writing out transaction: -5
   [445771.714679] BTRFS warning (device dm-0): Skipping commit of aborted transaction.
   [445771.715562] BTRFS error (device dm-0 state A): Transaction aborted (error -5)
   [445771.716459] BTRFS: error (device dm-0 state A) in cleanup_transaction:2068: errno=-5 IO failure
   [445771.717936] BTRFS error (device dm-0 state EA): failed to recover log trees with error: -5
   [445771.719681] BTRFS error (device dm-0 state EA): open_ctree failed: -5

The problem is that such a fsync should have resulted in a fallback to a
transaction commit, but that did not happen because through btrfs_rmdir()
we never update the directory's last_unlink_trans field. Any inode that had
a link removed must have its last_unlink_trans updated to the ID of the
transaction used for the operation, otherwise fsync and log replay will not
work correctly.

btrfs_rmdir() calls btrfs_unlink_inode() and through that call chain we
never call btrfs_record_unlink_dir() in order to update last_unlink_trans.
However btrfs_unlink(), which is used for unlinking regular files, calls
btrfs_record_unlink_dir() and then calls btrfs_unlink_inode(). So fix
this by moving the call to btrfs_record_unlink_dir() from btrfs_unlink()
to btrfs_unlink_inode().

A test case for fstests will follow soon.

Reported-by: Slava0135 <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAAJYhww5ov62Hm+n+tmhcL-e_4cBobg+OWogKjOJxVUXivC=MQ@mail.gmail.com/
CC: stable@vger.kernel.org
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/inode.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4826,6 +4826,8 @@ static int btrfs_rmdir(struct inode *vfs
 	if (ret)
 		goto out;
 
+	btrfs_record_unlink_dir(trans, dir, inode, false);
+
 	/* now the directory is empty */
 	ret = btrfs_unlink_inode(trans, dir, inode, &fname.disk_name);
 	if (!ret)
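
Review bot: the changelog says the fix moves the btrfs_record_unlink_dir() call from btrfs_unlink() into btrfs_unlink_inode(), but this hunk instead adds a new call in btrfs_rmdir() just before btrfs_unlink_inode(), and the diffstat reports 2 insertions with no deletions; either the description or the backport should be reconciled so the two agree, especially for a -stable patch whose upstream shape reviewers will compare against. The meaning of the trailing `false` argument is not obvious from the hunk and deserves a word as well.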




* [PATCH 6.18 150/270] dm-thin: fix metadata refcount underflow
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream.

There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.

If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren are not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.

Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 3241b1d3e0aa ("dm: add persistent data library")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/persistent-data/dm-btree-remove.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -490,12 +490,20 @@ static int rebalance_children(struct sha
 
 	if (le32_to_cpu(n->header.nr_entries) == 1) {
 		struct dm_block *child;
+		int is_shared;
 		dm_block_t b = value64(n, 0);
 
+		r = dm_tm_block_is_shared(info->tm, b, &is_shared);
+		if (r)
+			return r;
+
 		r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child);
 		if (r)
 			return r;
 
+		if (is_shared)
+			inc_children(info->tm, dm_block_data(child), vt);
+
 		memcpy(n, dm_block_data(child),
 		       dm_bm_block_size(dm_tm_get_bm(info->tm)));
 




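The refcount mismatch described in the changelog above, as an added example rather than code from the patch or from the persistent-data library: a toy block store with reference-counted nodes reproduces the single-entry collapse in rebalance_children() against a child shared between an origin root and a snapshot root. The block ids, the `collapse_single_child`, `dec_block` and `refcount_mismatches` helpers and the two-root layout are constructed for this demonstration; the `fixed` flag adds the patch's inc_children() call.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a dm persistent-data btree, constructed for this example (not
 * the kernel's structures): blocks in a small store, each with a refcount
 * and, for internal nodes, the ids of its children. A block reachable from
 * several parents (as after a thin snapshot) has refcount > 1: "shared". */
#define MAX_BLOCKS 8
#define MAX_CHILDREN 4
#define NO_BLOCK (-1)

enum { A, B, C, G1, G2 };   /* block ids used by the scenario below */

struct block { int refcount; int nr_entries; int child[MAX_CHILDREN]; };
struct store { struct block b[MAX_BLOCKS]; int underflows; };
struct outcome { int mismatches; int underflows; };

/* Analogue of inc_children(): one more reference to every child of node n. */
static void inc_children(struct store *s, int n)
{
    for (int i = 0; i < s->b[n].nr_entries; i++)
        if (s->b[n].child[i] != NO_BLOCK)
            s->b[s->b[n].child[i]].refcount++;
}

/* Analogue of dm_tm_dec(): drop one reference; at zero the block is freed and
 * releases its children. Decrementing an already-free block is the toy
 * version of the "unable to decrement block" error in the changelog. */
static void dec_block(struct store *s, int n)
{
    if (s->b[n].refcount <= 0) {
        s->underflows++;
        return;
    }
    if (--s->b[n].refcount == 0)
        for (int i = 0; i < s->b[n].nr_entries; i++)
            if (s->b[n].child[i] != NO_BLOCK)
                dec_block(s, s->b[n].child[i]);
}

/* The rebalance_children() step at issue: node n has one entry, so it takes
 * over its only child's entries and drops the child. With `fixed`, a shared
 * child's grandchildren gain a reference first, since after the copy they
 * are reachable from both n and the still-live child. */
static void collapse_single_child(struct store *s, int n, int fixed)
{
    int c = s->b[n].child[0];
    int is_shared = s->b[c].refcount > 1;   /* dm_tm_block_is_shared() */

    if (fixed && is_shared)
        inc_children(s, c);
    s->b[n].nr_entries = s->b[c].nr_entries;   /* the memcpy() of the child */
    memcpy(s->b[n].child, s->b[c].child, sizeof(s->b[n].child));
    dec_block(s, c);
}

/* Scenario: root A -> C, snapshot root B -> C (so C is shared), C -> G1, G2. */
static void build(struct store *s)
{
    memset(s, 0, sizeof(*s));
    for (int i = 0; i < MAX_BLOCKS; i++)
        for (int j = 0; j < MAX_CHILDREN; j++)
            s->b[i].child[j] = NO_BLOCK;
    s->b[A].refcount = 1; s->b[A].nr_entries = 1; s->b[A].child[0] = C;
    s->b[B].refcount = 1; s->b[B].nr_entries = 1; s->b[B].child[0] = C;
    s->b[C].refcount = 2; s->b[C].nr_entries = 2;
    s->b[C].child[0] = G1; s->b[C].child[1] = G2;
    s->b[G1].refcount = s->b[G2].refcount = 1;   /* leaves */
}

/* Live blocks whose refcount differs from the number of pointers (the two
 * roots held by the caller plus parent entries) that actually reach them. */
static int refcount_mismatches(const struct store *s)
{
    int expected[MAX_BLOCKS] = {0}, bad = 0;

    expected[A]++;
    expected[B]++;
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (s->b[i].refcount > 0)
            for (int j = 0; j < s->b[i].nr_entries; j++)
                if (s->b[i].child[j] != NO_BLOCK)
                    expected[s->b[i].child[j]]++;
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (s->b[i].refcount != expected[i])
            bad++;
    return bad;
}

/* Collapse A, measure the mismatch, then delete the snapshot and the origin. */
static struct outcome run_scenario(int fixed)
{
    struct store s;
    struct outcome o;

    build(&s);
    collapse_single_child(&s, A, fixed);
    o.mismatches = refcount_mismatches(&s);
    dec_block(&s, B);
    dec_block(&s, A);
    o.underflows = s.underflows;
    return o;
}

int main(void)
{
    struct outcome bug = run_scenario(0), ok = run_scenario(1);

    printf("without fix: %d mismatches, %d underflows\n", bug.mismatches, bug.underflows);
    printf("with fix:    %d mismatches, %d underflows\n", ok.mismatches, ok.underflows);
    return 0;
}
```

Without the fix the two grandchildren end up with one reference each while two live parents point at them, and deleting the snapshot followed by the origin produces two decrements on already-free blocks, the toy equivalent of the "unable to decrement block" errors; with the fix the counts match and the teardown frees every block exactly once.
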
* [PATCH 6.18 151/270] dm: dont report warning when doing deferred remove
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Zdenek Kabelac

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit b7cce3e2cca9cd78418f3c3784474b778e7996fe upstream.

If dm_hash_remove_all was called from dm_deferred_remove, it would write
a warning "remove_all left %d open device(s)" if there are some other
devices active.

The warning is bogus, so let's disable it in this case.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 2c140a246dc0 ("dm: allow remove to be deferred")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -384,7 +384,7 @@ retry:
 
 	up_write(&_hash_lock);
 
-	if (dev_skipped)
+	if (dev_skipped && !only_deferred)
 		DMWARN("remove_all left %d open device(s)", dev_skipped);
 }
 
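Review bot: the condition now depends on `only_deferred`, which is not visible in this hunk; it is presumably the flag dm_hash_remove_all() takes for the deferred-remove path, and the changelog calls the warning "bogus" in that case without saying why. A short comment above the `if`, stating that other devices being open is the expected state during a deferred removal, would let future readers understand the exception without digging through git history.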




* [PATCH 6.18 152/270] dm: fix a buffer overflow in ioctl processing
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tony Asleson, Mikulas Patocka,
	Bryn M. Reeves

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2fa49cc884f6496a915c35621ba4da35649bf159 upstream.

Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the
function retrieve_status:

1. The code in retrieve_status checks that the output string fits into
   the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte
   boundary:
	outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the
   buffer end
4. The "for" loop is iterated again, it executes:
	remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetic wraps around
   and the variable "remaining" contains an unusually high number
6. With "remaining" being high, the code writes more data past the end of
   the buffer

Luckily, this bug has no security implications because:
1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper
   (libdevmapper and devicemapper-rs) use buffer size that is aligned to
   8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
   buffer and the bug can't happen accidentally

Reported-by: Tony Asleson <tasleson@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Bryn M. Reeves <bmr@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-ioctl.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_ta
 		used = param->data_start + (outptr - outbuf);
 
 		outptr = align_ptr(outptr);
+		if (!outptr || outptr > outbuf + len) {
+			param->flags |= DM_BUFFER_FULL_FLAG;
+			break;
+		}
 		spec->next = outptr - outbuf;
 	}
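Review bot: the check also fires for the last target, where align_ptr() overshooting the end is harmless because the loop does not run again, so a caller whose buffer length is not a multiple of 8 gets a spurious DM_BUFFER_FULL_FLAG even though the whole status fit; that only costs a retry with a larger buffer, but it deserves a comment. Also, when the break is taken, spec->next is never assigned for this last spec (the assignment is on the line after the new block), so it is left with whatever the buffer held; acceptable given the full flag, but setting it to 0 before the break would make the partial output self-consistent.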
 



^ permalink raw reply	[flat|nested] 282+ messages in thread
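As an added illustration, not part of this patch or of the device-mapper code, the following C model reproduces steps 1 to 5 of the description in user space: a fixed-size output buffer, an 8-byte alignment step after each target's status string, and "remaining = len - (outptr - outbuf)" computed as size_t. The spec header size, the buffer length and the status string length are constructed parameters, and the model detects the out-of-bounds write instead of performing it. The "fixed" flag adds the bound from the hunk after align_ptr().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DM_BUFFER_FULL_FLAG 0x01u   /* same meaning as the kernel flag */
#define OOB_WRITE_DETECTED  0x80u   /* constructed: unfixed code would write past outbuf + len */

#define BUF_STORAGE 64              /* backing storage; 'len' must not exceed it */
#define SPEC_SIZE   8               /* constructed stand-in for sizeof(struct dm_target_spec) */

/* Same rounding as dm-ioctl's align_ptr(): next multiple of 8. */
static char *align_ptr(char *ptr)
{
	return (char *)(((uintptr_t)ptr + 7) & ~(uintptr_t)7);
}

/*
 * Model of the per-target loop in retrieve_status(). 'len' is the output
 * length announced by the caller; each of the 'ntargets' targets emits a
 * SPEC_SIZE header followed by a 'status_len'-byte string plus NUL, and
 * the cursor is aligned to 8 bytes between targets. Returns the flag bits.
 */
unsigned retrieve_status_model(size_t len, unsigned ntargets,
			       size_t status_len, int fixed)
{
	char outbuf[BUF_STORAGE];
	char *outptr = outbuf;
	unsigned flags = 0;
	unsigned i;

	if (len > BUF_STORAGE)
		return OOB_WRITE_DETECTED;
	memset(outbuf, 0, sizeof(outbuf));

	for (i = 0; i < ntargets; i++) {
		/* Steps 4/5: wraps to a huge value once outptr sits past outbuf + len. */
		size_t remaining = len - (size_t)(outptr - outbuf);
		size_t l;

		if (remaining > len)
			return flags | OOB_WRITE_DETECTED;  /* the kernel would keep writing here */
		if (remaining <= SPEC_SIZE) {
			flags |= DM_BUFFER_FULL_FLAG;
			break;
		}
		memset(outptr, 'S', SPEC_SIZE);           /* dm_target_spec header */
		outptr += SPEC_SIZE;
		remaining = len - (size_t)(outptr - outbuf);

		/* Step 1: the status string must fit, including its NUL. */
		l = status_len + 1;
		if (l >= remaining) {
			flags |= DM_BUFFER_FULL_FLAG;
			break;
		}
		memset(outptr, 's', status_len);
		outptr[status_len] = '\0';
		outptr += l;

		/* Steps 2/3: align without (unfixed) or with (fixed) a bounds check. */
		outptr = align_ptr(outptr);
		if (fixed && (!outptr || outptr > outbuf + len)) {
			flags |= DM_BUFFER_FULL_FLAG;
			break;
		}
	}
	return flags;
}

int main(void)
{
	printf("unaligned len 20, 2 targets, unfixed: 0x%02x\n",
	       retrieve_status_model(20, 2, 8, 0));
	printf("unaligned len 20, 2 targets, fixed:   0x%02x\n",
	       retrieve_status_model(20, 2, 8, 1));
	printf("aligned len 24, 2 targets, unfixed:   0x%02x\n",
	       retrieve_status_model(24, 2, 8, 0));
	return 0;
}
```

With a 20-byte buffer (not a multiple of 8) the first target's string ends at offset 17, alignment moves the cursor to 24, and the unfixed loop computes a wrapped "remaining" on the next pass; the fixed loop reports a full buffer instead. With a 24-byte buffer, as libdevmapper would hand over, the cursor lands exactly on the end and the existing "remaining <= sizeof(spec)" test catches it in both variants, which is the second reason the description gives for the bug not triggering in practice.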

* [PATCH 6.18 153/270] eventfs: Hold eventfs_mutex and SRCU when remount walks events
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 152/270] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 154/270] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier, Steven Rostedt

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 07004a8c4b572171934390148ee48c4175c77eed upstream.

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount.  The walk only holds the rcu_read_lock() taken by
tracefs_apply_options() over tracefs_inodes, which is wrong:

  - list_for_each_entry over ei->children races with the list_del_rcu()
    in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as
    d2603279c7d6.
  - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).
    rcu_read_lock() does not extend an SRCU grace period, so ti->private
    can be reclaimed under the walk.
  - The writes to ei->attr race with eventfs_set_attr(), which holds
    eventfs_mutex.

Reproducer:

  while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
  while :; do
      echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
      echo > /sys/kernel/tracing/kprobe_events
  done

Wrap the events portion of tracefs_apply_options() in
eventfs_remount_lock()/_unlock() that take eventfs_mutex and
srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the
nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

Fixes: 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260418191737.10289-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/tracefs/event_inode.c |   14 ++++++++++++++
 fs/tracefs/inode.c       |    5 ++++-
 fs/tracefs/internal.h    |    3 +++
 3 files changed, 21 insertions(+), 1 deletion(-)

--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -250,6 +250,8 @@ static void eventfs_set_attrs(struct eve
 {
 	struct eventfs_inode *ei_child;
 
+	lockdep_assert_held(&eventfs_mutex);
+
 	/* Update events/<system>/<event> */
 	if (WARN_ON_ONCE(level > 3))
 		return;
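Review bot: lockdep_assert_held(&eventfs_mutex) pins only half of the contract the description states; the walk also depends on running inside an eventfs_srcu read-side critical section so that ti->private cannot be reclaimed under it. Adding WARN_ON_ONCE(!srcu_read_lock_held(&eventfs_srcu)) next to it would document and enforce that part as well.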
@@ -912,3 +914,15 @@ void eventfs_remove_events_dir(struct ev
 	d_invalidate(dentry);
 	dput(dentry);
 }
+
+int eventfs_remount_lock(void)
+{
+	mutex_lock(&eventfs_mutex);
+	return srcu_read_lock(&eventfs_srcu);
+}
+
+void eventfs_remount_unlock(int srcu_idx)
+{
+	srcu_read_unlock(&eventfs_srcu, srcu_idx);
+	mutex_unlock(&eventfs_mutex);
+}
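Review bot: the two helpers lack a kernel-doc comment stating the lock order they establish (eventfs_mutex first, then the eventfs_srcu read side, released in reverse) and that the index returned by eventfs_remount_lock() must be handed back to eventfs_remount_unlock(); without it the pairing is only apparent from the single caller in inode.c. Since mutex_lock() may sleep, the helper is only usable from sleepable context, which a remount is; that is worth spelling out too.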
--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -336,6 +336,7 @@ static int tracefs_apply_options(struct
 	struct inode *inode = d_inode(sb->s_root);
 	struct tracefs_inode *ti;
 	bool update_uid, update_gid;
+	int srcu_idx;
 	umode_t tmp_mode;
 
 	/*
@@ -360,6 +361,7 @@ static int tracefs_apply_options(struct
 		update_uid = fsi->opts & BIT(Opt_uid);
 		update_gid = fsi->opts & BIT(Opt_gid);
 
+		srcu_idx = eventfs_remount_lock();
 		rcu_read_lock();
 		list_for_each_entry_rcu(ti, &tracefs_inodes, list) {
 			if (update_uid) {
@@ -381,6 +383,7 @@ static int tracefs_apply_options(struct
 				eventfs_remount(ti, update_uid, update_gid);
 		}
 		rcu_read_unlock();
+		eventfs_remount_unlock(srcu_idx);
 	}
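Review bot: the lock is now held around the whole tracefs_inodes walk, including the uid/gid updates of ordinary tracefs inodes, not only the eventfs part; that scope is required because mutex_lock() cannot be taken inside the rcu_read_lock() section, so the description's "wrap the events portion" would be more accurate as "wrap the whole walk". The nesting (mutex and SRCU taken before rcu_read_lock(), released after rcu_read_unlock()) is correct.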
 
 	return 0;
@@ -426,7 +429,7 @@ static int tracefs_drop_inode(struct ino
 	 * This inode is being freed and cannot be used for
 	 * eventfs. Clear the flag so that it doesn't call into
 	 * eventfs during the remount flag updates. The eventfs_inode
-	 * gets freed after an RCU cycle, so the content will still
+	 * gets freed after an SRCU cycle, so the content will still
 	 * be safe if the iteration is going on now.
 	 */
 	ti->flags &= ~TRACEFS_EVENT_INODE;
--- a/fs/tracefs/internal.h
+++ b/fs/tracefs/internal.h
@@ -76,4 +76,7 @@ struct inode *tracefs_get_inode(struct s
 void eventfs_remount(struct tracefs_inode *ti, bool update_uid, bool update_gid);
 void eventfs_d_release(struct dentry *dentry);
 
+int eventfs_remount_lock(void);
+void eventfs_remount_unlock(int srcu_idx);
+
 #endif /* _TRACEFS_INTERNAL_H */



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 154/270] dm-verity-fec: correctly reject too-small FEC devices
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 153/270] eventfs: Hold eventfs_mutex and SRCU when remount walks events Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 155/270] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Mikulas Patocka

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit 2b14e0bb63cc671120e7791658f5c494fc66d072 upstream.

Fix verity_fec_ctr() to reject too-small FEC devices by correctly
computing the number of parity blocks as 'f->rounds * f->roots'.
Previously it incorrectly used 'div64_u64(f->rounds * f->roots,
v->fec->roots << SECTOR_SHIFT)' which is a much smaller value.

Note that the units of 'rounds' are blocks, not bytes.  This matches the
units of the value returned by dm_bufio_get_device_size(), which are
also blocks.  A later commit will give 'rounds' a clearer name.

Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-verity-fec.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -657,7 +657,7 @@ int verity_fec_ctr(struct dm_verity *v)
 {
 	struct dm_verity_fec *f = v->fec;
 	struct dm_target *ti = v->ti;
-	u64 hash_blocks, fec_blocks;
+	u64 hash_blocks;
 	int ret;
 
 	if (!verity_fec_is_enabled(v)) {
@@ -738,8 +738,7 @@ int verity_fec_ctr(struct dm_verity *v)
 
 	dm_bufio_set_sector_offset(f->bufio, f->start << (v->data_dev_block_bits - SECTOR_SHIFT));
 
-	fec_blocks = div64_u64(f->rounds * f->roots, v->fec->roots << SECTOR_SHIFT);
-	if (dm_bufio_get_device_size(f->bufio) < fec_blocks) {
+	if (dm_bufio_get_device_size(f->bufio) < f->rounds * f->roots) {
 		ti->error = "FEC device is too small";
 		return -E2BIG;
 	}
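Review bot: the correctness of this comparison depends on the dm_bufio_set_sector_offset() call on the preceding line, which makes dm_bufio_get_device_size() report the size from f->start onward in parity blocks; a comment next to the check saying that f->rounds * f->roots is the number of parity blocks (roots parity blocks per interleaving round) would save the next reader from re-deriving why the units match, since the field name gives no hint until the rename the description mentions.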



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 155/270] dm-verity-fec: correctly reject too-small hash devices
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 154/270] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 156/270] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Mikulas Patocka

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit 4355142245f7e55336dcc005ec03592df4d546f8 upstream.

Fix verity_fec_ctr() to reject too-small hash devices by correctly
taking hash_start into account.

Note that this is necessary because dm-verity doesn't call
dm_bufio_set_sector_offset() on the hash device's bufio client
(v->bufio).  Thus, dm_bufio_get_device_size(v->bufio) returns a size
relative to 0 rather than hash_start.  An alternative fix would be to
call dm_bufio_set_sector_offset() on v->bufio, but then all the code
that reads from the hash device would have to be adjusted accordingly.

Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-verity-fec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -720,7 +720,8 @@ int verity_fec_ctr(struct dm_verity *v)
 	 * it to be large enough.
 	 */
 	f->hash_blocks = f->blocks - v->data_blocks;
-	if (dm_bufio_get_device_size(v->bufio) < f->hash_blocks) {
+	if (dm_bufio_get_device_size(v->bufio) <
+	    v->hash_start + f->hash_blocks) {
 		ti->error = "Hash device is too small for "
 			DM_VERITY_OPT_FEC_BLOCKS;
 		return -E2BIG;
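Review bot: v->hash_start + f->hash_blocks is an unchecked u64 addition of two values that both originate from the target table; a wrapped sum would make the comparison pass and defeat the check. check_add_overflow(), or rewriting it as "size < v->hash_start || size - v->hash_start < f->hash_blocks", keeps the meaning without the wrap, and the comment above could note that v->bufio has no sector offset, which is why hash_start has to be added here.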



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 156/270] isofs: validate Rock Ridge CE continuation extent against volume size
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 155/270] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 157/270] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a36d990f591320e9dd379ab30063ebfe91d47e1f upstream.

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume.  commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself.  commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device.  sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation.  For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.

Fixes: f54e18f1b831 ("isofs: Fix infinite looping over CE entries")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-2-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/isofs/rock.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -101,6 +101,15 @@ static int rock_continue(struct rock_sta
 		goto out;
 	}
 
+	if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) {
+		printk(KERN_NOTICE "rock: corrupted directory entry. "
+			"extent=%u out of volume (nzones=%lu)\n",
+			(unsigned)rs->cont_extent,
+			ISOFS_SB(rs->inode->i_sb)->s_nzones);
+		ret = -EIO;
+		goto out;
+	}
+
 	if (rs->cont_extent) {
 		struct buffer_head *bh;
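Review bot: ISOFS_SB(rs->inode->i_sb) is evaluated twice in the new block; a local struct isofs_sb_info *sbi would read better. The (unsigned) cast deserves a short comment: cont_extent is stored as a signed int, so a negative value from a crafted CE record becomes large and is rejected by the same comparison, which is the intended behaviour. The zero case handled by the "if (rs->cont_extent)" just below still passes the new check and is skipped as before.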
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 157/270] isofs: validate block number from NFS file handle in isofs_export_iget
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 156/270] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 158/270] iommufd: Fix return value of iommufd_fault_fops_write() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 24376458138387fb251e782e624c7776e9826796 upstream.

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d08 ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record.  That earlier
fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation.  For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata.  The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.

Fixes: 0405d4b63d08 ("isofs: Prevent the use of too small fid")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-3-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/isofs/export.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/isofs/export.c
+++ b/fs/isofs/export.c
@@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb
 {
 	struct inode *inode;
 
-	if (block == 0)
+	if (block == 0 || block >= ISOFS_SB(sb)->s_nzones)
 		return ERR_PTR(-ESTALE);
 	inode = isofs_iget(sb, block, offset);
 	if (IS_ERR(inode))
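Review bot: -ESTALE is the right errno for a rejected file handle (NFS clients treat it as "handle no longer valid" rather than as an I/O error) and matches the existing block == 0 case; since the sibling rock.c check returns -EIO for the on-disk CE case, a one-line comment saying why this path differs would help. The offset argument is still passed through unchecked in this function; if isofs_iget() does not bound it against the block size, it needs the same treatment.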



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 158/270] iommufd: Fix return value of iommufd_fault_fops_write()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 157/270] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 159/270] iommu/vt-d: Block PASID attachment to nested domain with dirty tracking Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenzhong Duan, Lu Baolu,
	Pranjal Shrivastava, Shuai Xue, Kevin Tian, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenzhong Duan <zhenzhong.duan@intel.com>

commit aaca2aa92785a6ab8e3183e7184bca447a99cd76 upstream.

copy_from_user() may return the number of bytes that failed to copy; we
should not pass this number on to user space, pretending that write()
succeeded.  Instead, -EFAULT should be returned.

Link: https://patch.msgid.link/r/20260330030755.12856-1-zhenzhong.duan@intel.com
Cc: stable@vger.kernel.org
Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/iommufd/eventq.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -187,9 +187,10 @@ static ssize_t iommufd_fault_fops_write(
 
 	mutex_lock(&fault->mutex);
 	while (count > done) {
-		rc = copy_from_user(&response, buf + done, response_size);
-		if (rc)
+		if (copy_from_user(&response, buf + done, response_size)) {
+			rc = -EFAULT;
 			break;
+		}
 
 		static_assert((int)IOMMUFD_PAGE_RESP_SUCCESS ==
 			      (int)IOMMU_PAGE_RESP_SUCCESS);
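Review bot: how rc becomes the return value is outside the hunk; verify that a failed copy on the very first iteration (done == 0) now yields -EFAULT instead of 0, and that a failure on a later iteration still returns the number of bytes consumed so far, as write(2) semantics expect. Discarding the partial-copy count from copy_from_user() is correct since the caller cannot act on it.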



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 159/270] iommu/vt-d: Block PASID attachment to nested domain with dirty tracking
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 158/270] iommufd: Fix return value of iommufd_fault_fops_write() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 160/270] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kevin Tian, Zhenzhong Duan, Yi Liu,
	Lu Baolu, Joerg Roedel

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenzhong Duan <zhenzhong.duan@intel.com>

commit cc5bd898ff70710ffc41cd8e5c2741cb64750047 upstream.

The kernel lacks dirty tracking support on a nested domain attached to a
PASID.  Fail the attachment early if the nesting parent domain is
configured for dirty tracking, otherwise dirty pages would be lost.

Cc: stable@vger.kernel.org
Fixes: 67f6f56b5912 ("iommu/vt-d: Add set_dev_pasid callback for nested domain")
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Link: https://lore.kernel.org/r/20260330101108.12594-2-zhenzhong.duan@intel.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Fixes: 67f6f56b5912 ("iommu/vt-d: Add set_dev_pasid callback for nested domain")
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/intel/nested.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/iommu/intel/nested.c
+++ b/drivers/iommu/intel/nested.c
@@ -154,6 +154,7 @@ static int intel_nested_set_dev_pasid(st
 {
 	struct device_domain_info *info = dev_iommu_priv_get(dev);
 	struct dmar_domain *dmar_domain = to_dmar_domain(domain);
+	struct iommu_domain *s2_domain = &dmar_domain->s2_domain->domain;
 	struct intel_iommu *iommu = info->iommu;
 	struct dev_pasid_info *dev_pasid;
 	int ret;
@@ -161,10 +162,13 @@ static int intel_nested_set_dev_pasid(st
 	if (!pasid_supported(iommu) || dev_is_real_dma_subdevice(dev))
 		return -EOPNOTSUPP;
 
+	if (s2_domain->dirty_ops)
+		return -EINVAL;
+
 	if (context_copied(iommu, info->bus, info->devfn))
 		return -EBUSY;
 
-	ret = paging_domain_compatible(&dmar_domain->s2_domain->domain, dev);
+	ret = paging_domain_compatible(s2_domain, dev);
 	if (ret)
 		return ret;
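Review bot: the rejection is a kernel-side limitation (no dirty tracking support for nested domains on a PASID), not malformed input, so -EOPNOTSUPP would be more consistent with the !pasid_supported() check two lines above than -EINVAL, and it lets userspace tell "unsupported" from "bad argument". A one-line comment stating why a dirty-tracking parent is refused here would also help, since the check reads as arbitrary without the commit message.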
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 160/270] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 159/270] iommu/vt-d: Block PASID attachment to nested domain with dirty tracking Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 161/270] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Jason Gunthorpe,
	Nicolin Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolin Chen <nicolinc@nvidia.com>

commit 6fabce53f6b9c2419012a9103e1a46d40888cefa upstream.

When writing a new (previously invalid) valid IOPTE to a page table, then
installing the page table into an STE hitlessly (e.g. in the S2TTB field),
there is a window before an STE invalidation where the page table may be
accessed by the SMMU but the new IOPTE is still sitting in the CPU cache.

This could occur when we allocate an iommu_domain and immediately install
it hitlessly, while there would be no dma_wmb() for the page table memory
prior to the earliest point of HW reading the STE.

Fix it by adding a dma_wmb() prior to updating the STE.

Fixes: 56e1a4cc2588 ("iommu/arm-smmu-v3: Add unit tests for arm_smmu_write_entry")
Cc: stable@vger.kernel.org
Reported-by: Will Deacon <will@kernel.org>
Closes: https://lore.kernel.org/linux-iommu/aXdlnLLFUBwjT0V5@willie-the-truck/
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
@@ -1236,6 +1236,13 @@ void arm_smmu_write_entry(struct arm_smm
 	__le64 unused_update[NUM_ENTRY_QWORDS];
 	u8 used_qword_diff;
 
+	/*
+	 * Many of the entry structures have pointers to other structures that
+	 * need to have their updates be visible before any writes of the entry
+	 * happen.
+	 */
+	dma_wmb();
+
 	used_qword_diff =
 		arm_smmu_entry_qword_diff(writer, entry, target, unused_update);
 	if (hweight8(used_qword_diff) == 1) {
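Review bot: the barrier is unconditional at the top of arm_smmu_write_entry(), so every STE and CD write pays it, including ones that do not install a new table pointer; that is fine for a slow path, but the comment should say the placement is deliberate and spell out the ordering being guaranteed (page-table and CD-table memory visible to the SMMU before the entry that points at them becomes valid).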



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 161/270] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 160/270] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 162/270] lib/scatterlist: fix length calculations in extract_kvec_to_sg Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ignat Korchagin,
	Jarkko Sakkinen, Eric Biggers, Yiming Qian

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 upstream.

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes
than the "nbytes" parameter and the first "nbytes + 1" bytes of the
scatterlist must be zero.  Under these conditions, the while loop
iterating over the scatterlist will count more zeroes than "nbytes",
subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
introduced the bug, it couldn't be triggered because all callers of
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
"nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
interface without scatterlists"), the underflow can now actually be
triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
both the "src" and "dst" member of struct akcipher_request and thereby
fulfil the conditions to trigger the bug:

  sys_keyctl()
    keyctl_pkey_e_d_s()
      asymmetric_key_eds_op()
        software_key_eds_op()
          crypto_akcipher_sync_encrypt()
            crypto_akcipher_sync_prep()
              crypto_akcipher_encrypt()
                rsa_enc()
                  mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever,
causing soft lockup splats as a side effect.

Fix it.

Reported-by: Yiming Qian <yimingqian591@gmail.com> # off-list
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/r/59eca92ff4f87e2081777f1423a0efaaadcfdb39.1776003111.git.lukas@wunner.de
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/crypto/mpi/mpicoder.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/crypto/mpi/mpicoder.c
+++ b/lib/crypto/mpi/mpicoder.c
@@ -347,7 +347,7 @@ MPI mpi_read_raw_from_sgl(struct scatter
 	lzeros = 0;
 	len = 0;
 	while (nbytes > 0) {
-		while (len && !*buff) {
+		while (len && !*buff && lzeros < nbytes) {
 			lzeros++;
 			len--;
 			buff++;
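Review bot: with the new bound the scan stops after exactly nbytes zeros while the current byte is still zero, so the rest of the loop (not in the hunk) must treat that as "move on to the next segment" and subtract lzeros == nbytes, leaving nbytes at 0 and producing an MPI of zero for an all-zero input; that is the intended outcome, but a comment saying so would help. If lzeros is still a signed int, the comparison against the unsigned nbytes is done unsigned; safe because lzeros never goes negative, but making it unsigned avoids a -Wsign-compare warning.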



^ permalink raw reply	[flat|nested] 282+ messages in thread
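As an added user-space model, not the kernel's code, the following C reproduces the leading-zero scan described above with a single buffer standing in for the scatterlist: "buflen" is the number of bytes the scatterlist actually holds and "nbytes" is the caller's length argument. The iteration guard, the "fixed" switch and the sample inputs are constructed for the demonstration; without the guard the unfixed variant would spin forever exactly as the description says.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_ITER 64u  /* constructed guard: the kernel loop has no bound */

/*
 * Leading-zero scan of mpi_read_raw_from_sgl(), modelled on one segment.
 * Returns the value 'nbytes' holds when the scan is done; with fixed == 0
 * the subtraction 'nbytes -= lzeros' can wrap, which is the reported bug.
 * 'iterations' (may be NULL) receives the number of outer-loop passes.
 */
unsigned mpi_skip_leading_zeros(const uint8_t *buf, size_t buflen,
				unsigned nbytes, int fixed, unsigned *iterations)
{
	const uint8_t *buff = NULL;   /* miter.addr: cursor into the current segment */
	size_t len = 0;               /* miter.length: bytes left in that segment */
	unsigned lzeros = 0;
	unsigned iter = 0;
	int segment_handed_out = 0;

	while (nbytes > 0) {
		if (++iter > MODEL_MAX_ITER)
			break;

		/* The fix: never count more leading zeros than nbytes. */
		while (len && !*buff && (!fixed || lzeros < nbytes)) {
			lzeros++;
			len--;
			buff++;
		}

		if (len && *buff)
			break;        /* reached the most significant non-zero byte */

		/* sg_miter_next(): the single segment is handed out once, then nothing. */
		if (!segment_handed_out) {
			buff = buf;
			len = buflen;
			segment_handed_out = 1;
		} else {
			buff = NULL;
			len = 0;
		}

		nbytes -= lzeros;     /* unsigned: wraps when lzeros > nbytes */
		lzeros = 0;
	}

	nbytes -= lzeros;             /* zeros in front of the first non-zero byte */
	if (iterations)
		*iterations = iter;
	return nbytes;
}

/* Convenience wrapper so the outer-loop count can be checked directly. */
unsigned mpi_scan_iterations(const uint8_t *buf, size_t buflen,
			     unsigned nbytes, int fixed)
{
	unsigned it = 0;

	mpi_skip_leading_zeros(buf, buflen, nbytes, fixed, &it);
	return it;
}

/* Constructed inputs. */
const uint8_t mpi_sample_number[4]  = { 0x00, 0x00, 0x12, 0x34 };
const uint8_t mpi_sample_zeros8[8]  = { 0 };
const uint8_t mpi_sample_late_nz[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00 };

int main(void)
{
	printf("0x1234, nbytes 4:           %u bytes\n",
	       mpi_skip_leading_zeros(mpi_sample_number, 4, 4, 0, NULL));
	printf("8 zeros, nbytes 4, unfixed: %u (wrapped), %u iterations\n",
	       mpi_skip_leading_zeros(mpi_sample_zeros8, 8, 4, 0, NULL),
	       mpi_scan_iterations(mpi_sample_zeros8, 8, 4, 0));
	printf("8 zeros, nbytes 4, fixed:   %u\n",
	       mpi_skip_leading_zeros(mpi_sample_zeros8, 8, 4, 1, NULL));
	return 0;
}
```

When the buffer is exactly nbytes long, as every caller guaranteed before commit 63ba4d67594a, both variants agree. Once the buffer is longer than nbytes and its first nbytes + 1 bytes are zero, the unfixed scan subtracts more than nbytes, the unsigned value wraps, and the outer loop never terminates (here cut off by the guard); the fixed scan stops at nbytes zeros and ends with nbytes == 0.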

* [PATCH 6.18 162/270] lib/scatterlist: fix length calculations in extract_kvec_to_sg
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 161/270] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 163/270] lib/scatterlist: fix temp buffer in extract_user_to_sg() Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt, David Gow,
	David Howells, Kees Cook, Petr Mladek, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian A. Ehrhardt <lk@c--e.de>

commit 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 upstream.

Patch series "Fix bugs in extract_iter_to_sg()", v3.

Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series
is growing due to useful remarks made by sashiko.dev.

The main bugs are:
- The length for an sglist entry when extracting from
  a kvec can exceed the number of bytes in the page. This
  is obviously not intended.
- When extracting a user buffer the sglist is temporarily
  used as a scratch buffer for extracted page pointers.
  If the sglist already contains some elements this scratch
  buffer could overlap with existing entries in the sglist.

The series adds test cases to the kunit_iov_iter test that demonstrate all
of these bugs.  Additionally, there is a memory leak fix for the test
itself.

The bugs were originally introduced into kernel v6.3 where the function
lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in
v6.5.  Thus the actual fix is only marked for backports to v6.5+.


This patch (of 5):

When extracting from a kvec to a scatterlist, do not cross page
boundaries.  The required length was already calculated but not used as
intended.

Adjust the copied length if the loop runs out of sglist entries without
extracting everything.

While there, return immediately from extract_iter_to_sg if there are no
sglist entries at all.

A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.

Link: https://lkml.kernel.org/r/20260326214905.818170-1-lk@c--e.de
Link: https://lkml.kernel.org/r/20260326214905.818170-2-lk@c--e.de
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Cc: David Gow <davidgow@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: <stable@vger.kernel.org>	[v6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/scatterlist.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1223,7 +1223,7 @@ static ssize_t extract_kvec_to_sg(struct
 			else
 				page = virt_to_page((void *)kaddr);
 
-			sg_set_page(sg, page, len, off);
+			sg_set_page(sg, page, seg, off);
 			sgtable->nents++;
 			sg++;
 			sg_max--;
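Review bot: the hunk switches sg_set_page() to `seg` but does not show where `seg` comes from; from the loop shape (`kaddr += PAGE_SIZE; off = 0;`) it has to be the bytes left in the current page, capped by `len`, and `len` must be reduced by the same amount before the `while (len > 0 ...)` test, otherwise the entry lengths and the remaining count drift apart. A one-line comment above sg_set_page() saying that `seg` is the per-page slice of `len` would make the intent obvious to the next reader.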
@@ -1232,6 +1232,7 @@ static ssize_t extract_kvec_to_sg(struct
 			kaddr += PAGE_SIZE;
 			off = 0;
 		} while (len > 0 && sg_max > 0);
+		ret -= len;
 
 		if (maxsize <= 0 || sg_max == 0)
 			break;
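Review bot: `ret -= len` after the do/while is only correct if `ret` was advanced by the full kvec length before the inner loop started, which the hunk does not show; please confirm. Note also that `maxsize` gets no matching correction, which is harmless only because the very next check breaks out of the outer loop on `sg_max == 0`, the sole way to leave the inner loop with `len > 0`. A short comment such as `/* bytes not described because sg entries ran out */` would capture that reasoning.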
@@ -1385,7 +1386,7 @@ ssize_t extract_iter_to_sg(struct iov_it
 			   struct sg_table *sgtable, unsigned int sg_max,
 			   iov_iter_extraction_t extraction_flags)
 {
-	if (maxsize == 0)
+	if (maxsize == 0 || sg_max == 0)
 		return 0;
 
 	switch (iov_iter_type(iter)) {
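Review bot: returning 0 for `sg_max == 0` reports "nothing extracted" rather than an error, which matches the existing `maxsize == 0` case but silently discards the caller's request; the kernel-doc for extract_iter_to_sg() should say that an exhausted table yields 0, and callers that loop until the iterator is drained must already treat 0 as "no progress" to avoid spinning. The early return also keeps the next patch in this series honest: extract_user_to_sg() computes `pages -= sg_max` and is now never entered with an empty table.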



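The split described in this patch, as an added userspace model rather than kernel code: a kvec is described by page-bounded entries, each entry gets the per-page slice (`seg`) rather than the whole remaining length, and the byte count returned is reduced by whatever could not be described when entries ran out. `PAGE_SZ`, `struct model_kvec`, `struct model_sg` and the `model_*` functions are names chosen for this example; only the control flow mirrors extract_kvec_to_sg() and the new early exit in extract_iter_to_sg().

```c
/* Added example, not kernel code: userspace model of splitting a kvec into
 * page-bounded scatterlist entries.  Names are this example's own. */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SZ 4096UL

struct model_kvec {
	uintptr_t base;		/* virtual address of the buffer */
	size_t len;		/* bytes in the buffer */
};

struct model_sg {
	uintptr_t page;		/* page-aligned address the entry refers to */
	size_t off;		/* offset inside that page */
	size_t len;		/* bytes covered; never crosses the page */
};

/*
 * Describe up to maxsize bytes of the kvec array in at most sg_max entries.
 * Returns the number of bytes actually described; *nents receives the
 * number of entries filled.
 */
size_t model_extract_kvec(const struct model_kvec *kv, size_t nkv,
			  size_t maxsize, struct model_sg *sgl,
			  size_t sg_max, size_t *nents)
{
	size_t ret = 0;

	*nents = 0;
	/* Same early exit as the new check in extract_iter_to_sg(). */
	if (maxsize == 0 || sg_max == 0)
		return 0;

	for (size_t i = 0; i < nkv; i++) {
		uintptr_t kaddr = kv[i].base;
		size_t off = kaddr & (PAGE_SZ - 1);
		size_t len = kv[i].len < maxsize ? kv[i].len : maxsize;

		if (len == 0)
			continue;

		kaddr &= ~(PAGE_SZ - 1);
		/* Account for the whole segment up front ... */
		ret += len;
		maxsize -= len;
		do {
			/* seg = bytes left in the current page, capped by len */
			size_t seg = PAGE_SZ - off;

			if (seg > len)
				seg = len;
			sgl[*nents].page = kaddr;
			sgl[*nents].off = off;
			sgl[*nents].len = seg;	/* the fix: seg, not len */
			(*nents)++;
			sg_max--;
			len -= seg;
			kaddr += PAGE_SZ;
			off = 0;
		} while (len > 0 && sg_max > 0);
		/* ... and give back what the entries could not describe. */
		ret -= len;

		if (maxsize == 0 || sg_max == 0)
			break;
	}
	return ret;
}

/* Self-check: returns 1 when the split behaves as the patch intends. */
int model_selfcheck(void)
{
	/* Constructed input: 200 bytes starting 96 bytes before a page end. */
	const struct model_kvec kv = { 0x1000 + 4000, 200 };
	struct model_sg sgl[4];
	size_t n;

	if (model_extract_kvec(&kv, 1, 1000, sgl, 4, &n) != 200 || n != 2)
		return 0;
	if (sgl[0].page != 0x1000 || sgl[0].off != 4000 || sgl[0].len != 96)
		return 0;
	if (sgl[1].page != 0x2000 || sgl[1].off != 0 || sgl[1].len != 104)
		return 0;
	/* Only one entry available: 96 bytes described, not 200. */
	if (model_extract_kvec(&kv, 1, 1000, sgl, 1, &n) != 96 || n != 1)
		return 0;
	/* Empty table or nothing requested: nothing happens. */
	if (model_extract_kvec(&kv, 1, 1000, sgl, 0, &n) != 0 || n != 0)
		return 0;
	if (model_extract_kvec(&kv, 1, 0, sgl, 4, &n) != 0)
		return 0;
	return 1;
}
```

Before the fix the first entry in the self-check would have claimed 200 bytes at offset 4000 of a 4096-byte page, which is exactly the over-long entry the patch describes.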

* [PATCH 6.18 163/270] lib/scatterlist: fix temp buffer in extract_user_to_sg()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 162/270] lib/scatterlist: fix length calculations in extract_kvec_to_sg Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 164/270] libceph: Fix slab-out-of-bounds access in auth message processing Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt, David Howells,
	David Gow, Kees Cook, Petr Mladek, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian A. Ehrhardt <lk@c--e.de>

commit 118cf3f55975352ac357fb194405031458186819 upstream.

Instead of allocating a temporary buffer for extracted user pages,
extract_user_to_sg() uses the end of the to-be-filled scatterlist as a
temporary buffer.

Fix the calculation of the start address if the scatterlist already
contains elements.  The unused space starts at sgtable->sgl +
sgtable->nents, not directly at sgtable->nents, and the temporary buffer is
placed at the end of this unused space.

A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.

Pointed out by sashiko.dev on a previous iteration of this series.

Link: https://lkml.kernel.org/r/20260326214905.818170-3-lk@c--e.de
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Cc: David Howells <dhowells@redhat.com>
Cc: David Gow <davidgow@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: <stable@vger.kernel.org>	[v6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/scatterlist.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1099,8 +1099,7 @@ static ssize_t extract_user_to_sg(struct
 	size_t len, off;
 
 	/* We decant the page list into the tail of the scatterlist */
-	pages = (void *)sgtable->sgl +
-		array_size(sg_max, sizeof(struct scatterlist));
+	pages = (void *)sg + array_size(sg_max, sizeof(struct scatterlist));
 	pages -= sg_max;
 
 	do {
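Review bot: the fix assumes `sg` already points at `sgtable->sgl + sgtable->nents`, which is outside the hunk; please confirm, and extend the comment above the assignment to say so, e.g. `/* We decant the page list into the tail of the free entries (sg .. sg + sg_max) */`, because the difference between the table base and the first free entry is exactly what went wrong. The in-place decant also relies on `sizeof(struct scatterlist)` being at least `sizeof(struct page *)`, so that filling free entry i never overwrites a page pointer at a higher index that is still to be read; a BUILD_BUG_ON() on that relation would document the assumption.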



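The placement bug in this patch, as an added model that is not kernel code: the page-pointer scratch area is laid out at the end of the free scatterlist entries, and the old formula (measured from the table base instead of the first free entry) lands inside already-filled entries whenever `nents > 0`. `ENTRY_SZ` and `PTR_SZ` are assumed sizes standing in for `sizeof(struct scatterlist)` and `sizeof(struct page *)` on a 64-bit kernel; the `model_*` names are this example's own. The last function goes beyond the page and checks the in-place decant is safe for every index, which is what makes the fixed layout usable at all.

```c
/* Added example, not kernel code: where extract_user_to_sg() places its
 * page-pointer scratch area inside the scatterlist, old vs. fixed. */
#include <stddef.h>
#include <stdbool.h>

#define ENTRY_SZ 32UL	/* assumed sizeof(struct scatterlist) */
#define PTR_SZ   8UL	/* assumed sizeof(struct page *), 64-bit kernel */

/* Byte offset, from the table base, where the old code put the scratch. */
size_t model_scratch_old(size_t nents, size_t sg_max)
{
	(void)nents;	/* the old formula ignored already-used entries */
	return sg_max * ENTRY_SZ - sg_max * PTR_SZ;
}

/* Fixed formula: free area is entries [nents, nents + sg_max); the
 * scratch sits at the end of that area. */
size_t model_scratch_new(size_t nents, size_t sg_max)
{
	return (nents + sg_max) * ENTRY_SZ - sg_max * PTR_SZ;
}

/* True if the scratch [start, start + sg_max * PTR_SZ) overlaps the
 * already-filled entries [0, nents * ENTRY_SZ). */
bool model_scratch_clobbers_used(size_t start, size_t nents, size_t sg_max)
{
	return nents > 0 && start < nents * ENTRY_SZ &&
	       start + sg_max * PTR_SZ > 0;
}

/* True if the scratch stays inside the table allocation. */
bool model_scratch_in_bounds(size_t start, size_t nents, size_t sg_max)
{
	return start + sg_max * PTR_SZ <= (nents + sg_max) * ENTRY_SZ;
}

/*
 * Decanting in place is safe only if writing free entry i (after its own
 * page pointer has been read) never overwrites a page pointer j > i that
 * is still to be read.  Returns true when that holds for every i.
 */
bool model_decant_is_safe(size_t nents, size_t sg_max)
{
	size_t scratch = model_scratch_new(nents, sg_max);

	for (size_t i = 0; i + 1 < sg_max; i++) {
		size_t entry_end = (nents + i + 1) * ENTRY_SZ;
		size_t next_ptr = scratch + (i + 1) * PTR_SZ;

		if (entry_end > next_ptr)
			return false;
	}
	return true;
}
```

With two entries already filled and two free, the old start lands at byte 48, inside the used entries, while the fixed start lands at byte 112, inside the free tail; with `nents == 0` both formulas agree, which is why the bug only shows for a partially filled table.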

* [PATCH 6.18 164/270] libceph: Fix slab-out-of-bounds access in auth message processing
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 163/270] lib/scatterlist: fix temp buffer in extract_user_to_sg() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 165/270] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>

commit 1c439de70b1c3eb3c6bffa8245c16b9fc318f114 upstream.

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY
contains a positive value in its result field, it is treated as an
error code by ceph_handle_auth_reply() and returned to
handle_auth_reply(). Thereafter, an attempt is made to send the
preallocated message of type CEPH_MSG_AUTH, where the returned value is
interpreted as the size of the front segment to send. If the result
value in the message is greater than the size of the memory buffer
allocated for the front segment, an out-of-bounds access occurs, and
the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the
result field as errors. Positive values are therefore treated as success
in the same way as a zero value. Additionally, a BUG_ON is added to
__send_prepared_auth_request() comparing the len parameter to
front_alloc_len to prevent sending the message if it exceeds the bounds
of the allocation and to make it easier to catch any logic flaws leading
to this.

Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ceph/auth.c       |    2 +-
 net/ceph/mon_client.c |    2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_a
 		ac->negotiating = false;
 	}
 
-	if (result) {
+	if (result < 0) {
 		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
 		       ceph_auth_proto_name(ac->protocol), result);
 		ret = result;
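Review bot: with `if (result < 0)` a positive value from the monitor is now accepted silently; since the commit message says such values are most likely corrupted messages, a rate-limited pr_warn() or dout() for `result > 0` would make a malformed or unexpected reply visible in logs instead of invisible. Also worth confirming that `result` is a signed int here (the `%d` in the pr_err suggests it is); if it were unsigned the new test could never be true.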
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_mon
  */
 static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
 {
+	BUG_ON(len > monc->m_auth->front_alloc_len);
+
 	monc->pending_auth = 1;
 	monc->m_auth->front.iov_len = len;
 	monc->m_auth->hdr.front_len = cpu_to_le32(len);
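Review bot: BUG_ON() here turns a bound violation that can be traced back to a network peer into a kernel panic; kernel policy prefers WARN_ON_ONCE() plus a graceful failure (do not send, mark the auth attempt failed) for conditions that are not memory corruption in progress. The check also does not cover a negative `len` (`len` is an int): `len > front_alloc_len` accepts it and it then reaches `front.iov_len` as a huge size_t, so `len < 0 ||` or a comparison on an unsigned value would close that gap.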



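The two halves of this fix, as an added model rather than libceph code: decoding the reply's result field as a signed value so that only negative values are errors, and refusing to send a front segment whose length exceeds the preallocated buffer. The `model_*` names and `MODEL_FRONT_ALLOC_LEN` are this example's own, the reply front is reduced to a constructed little-endian 32-bit result, and where the page's fix uses BUG_ON() for the bound, this example returns an error instead.

```c
/* Added example, not libceph code: signed result decoding and front-length
 * bound for a constructed CEPH_MSG_AUTH_REPLY result field. */
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

#define MODEL_FRONT_ALLOC_LEN 128	/* assumed size of m_auth's front */

/* Decode a little-endian 32-bit field into a signed value. */
static int32_t model_le32_to_s32(const uint8_t *p)
{
	uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
		     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);

	return (int32_t)v;	/* two's complement reinterpretation */
}

/* Pre-fix semantics kept for comparison: any non-zero result is passed
 * back, so a positive value flows onward as if it were a length. */
int model_old_handle_auth_reply(const uint8_t *front, size_t front_len)
{
	if (front_len < 4)
		return -EINVAL;
	return (int)model_le32_to_s32(front);
}

/* Fixed semantics: only a negative result is an error code; zero and
 * positive values mean success.  Returns the error or 0. */
int model_handle_auth_reply(const uint8_t *front, size_t front_len)
{
	int32_t result;

	if (front_len < 4)
		return -EINVAL;	/* truncated reply, nothing to trust */
	result = model_le32_to_s32(front);
	return result < 0 ? (int)result : 0;
}

/*
 * Stand-in for __send_prepared_auth_request(): the length must fit the
 * preallocated front, or bytes beyond the buffer would be transmitted.
 * Returns len when acceptable, -EMSGSIZE otherwise.
 */
int model_send_prepared_auth_request(int len, int front_alloc_len)
{
	if (len < 0 || len > front_alloc_len)
		return -EMSGSIZE;
	return len;
}
```

A constructed reply with result 4096 passes the old handler straight through to the send path, where the bound check is the only thing standing between it and a 4096-byte read from a 128-byte front; the fixed handler turns the same reply into plain success.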

* [PATCH 6.18 165/270] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 164/270] libceph: Fix slab-out-of-bounds access in auth message processing Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 166/270] nvme-apple: drop invalid put of admin queue reference count Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yu Kuai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit 9aa6d860b0930e2f72795665c42c44252a558a0c upstream.

setup_geo() extracts near_copies (nc) and far_copies (fc) from the
user-provided layout parameter without checking for zero. When fc=0
with the "improved" far set layout selected, 'geo->far_set_size =
disks / fc' triggers a divide-by-zero.

Validate nc and fc immediately after extraction, returning -1 if
either is zero.

Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/linux-raid/SYBPR01MB7881A5E2556806CC1D318582AF232@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid10.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3856,6 +3856,8 @@ static int setup_geo(struct geom *geo, s
 	nc = layout & 255;
 	fc = (layout >> 8) & 255;
 	fo = layout & (1<<16);
+	if (!nc || !fc)
+		return -1;
 	geo->raid_disks = disks;
 	geo->near_copies = nc;
 	geo->far_copies = fc;
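Review bot: the check sits right after the fields are decoded and before any `geo->` member is written, so a rejected layout leaves `geo` untouched, which is the right order. What is missing is a user-visible reason: a pr_err() next to the `return -1` naming the bad layout value would tell the administrator why assembly failed, unless the callers already log on -1 (the hunk does not show them).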




* [PATCH 6.18 166/270] nvme-apple: drop invalid put of admin queue reference count
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 165/270] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 167/270] nvmet-tcp: fix race between ICReq handling and queue teardown Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Fedor Pchelkin,
	Keith Busch

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fedor Pchelkin <pchelkin@ispras.ru>

commit ba9d308ccd6732dd97ed8080d834a4a89e758e14 upstream.

Commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") moved the
admin queue reference ->put call into nvme_free_ctrl() - a controller
device release callback performed for every nvme driver doing
nvme_init_ctrl().

nvme-apple sets refcount of the admin queue to 1 at allocation during the
probe function and then puts it twice now:

nvme_free_ctrl()
  blk_put_queue(ctrl->admin_q) // #1
  ->free_ctrl()
    apple_nvme_free_ctrl()
      blk_put_queue(anv->ctrl.admin_q) // #2

Note that there is a commit 941f7298c70c ("nvme-apple: remove an extra
queue reference") which intended to drop taking an extra admin queue
reference.  Looks like at that moment it accidentally fixed a refcount
leak, which existed since the driver's introduction.  There were two ->get
calls at driver's probe function and a single ->put inside
apple_nvme_free_ctrl().

However now after commit 03b3bcd319b3 ("nvme: fix admin request_queue
lifetime") the refcount is imbalanced again.  Fix it by removing extra
->put call from apple_nvme_free_ctrl().  anv->dev and ctrl->dev point to
the same device, so use ctrl->dev directly for simplification.  Compile
tested only.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/apple.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1267,11 +1267,7 @@ static int apple_nvme_get_address(struct
 
 static void apple_nvme_free_ctrl(struct nvme_ctrl *ctrl)
 {
-	struct apple_nvme *anv = ctrl_to_apple_nvme(ctrl);
-
-	if (anv->ctrl.admin_q)
-		blk_put_queue(anv->ctrl.admin_q);
-	put_device(anv->dev);
+	put_device(ctrl->dev);
 }
 
 static const struct nvme_ctrl_ops nvme_ctrl_ops = {
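Review bot: the commit message says this is compile-tested only, and the hunk drops the driver's own `admin_q` NULL check along with the put; please confirm that nvme_free_ctrl() copes with `admin_q == NULL` on the probe-failure path before `->free_ctrl()` is called, since that check was the guard for exactly that case. A comment stating that `ctrl->dev` is the same device as `anv->dev` would explain why the `ctrl_to_apple_nvme()` conversion disappeared.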




* [PATCH 6.18 167/270] nvmet-tcp: fix race between ICReq handling and queue teardown
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 166/270] nvme-apple: drop invalid put of admin queue reference count Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 168/270] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shivam Kumar, Shivam Kumar,
	Chaitanya Kulkarni, Keith Busch

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chaitanya Kulkarni <kch@nvidia.com>

commit 5293a8882c549fab4a878bc76b0b6c951f980a61 upstream.

nvmet_tcp_handle_icreq() updates queue->state after sending an
Initialization Connection Response (ICResp), but it does so without
serializing against target-side queue teardown.

If an NVMe/TCP host sends an Initialization Connection Request
(ICReq) and immediately closes the connection, target-side teardown
may start in softirq context before io_work drains the already
buffered ICReq. In that case, nvmet_tcp_schedule_release_queue()
sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue
reference under state_lock.

If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can
still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the
DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and
allows a later socket state change to re-enter teardown and issue a
second kref_put() on an already released queue.

The ICResp send failure path has the same problem. If teardown has
already moved the queue to DISCONNECTING, a send error can still
overwrite the state with NVMET_TCP_Q_FAILED, again reopening the
window for a second teardown path to drop the queue reference.

Fix this by serializing both post-send state transitions with
state_lock and bailing out if teardown has already started.

Use -ESHUTDOWN as an internal sentinel for that bail-out path rather
than propagating it as a transport error like -ECONNRESET. Keep
nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before
honoring that sentinel so receive-side parsing stays quiesced until the
existing release path completes.

Fixes: c46a6465bac2 ("nvmet-tcp: add NVMe over TCP target driver")
Cc: stable@vger.kernel.org
Reported-by: Shivam Kumar <skumar47@syr.edu>
Tested-by: Shivam Kumar <kumar.shivam43666@gmail.com>
Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/target/tcp.c |   26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -398,6 +398,19 @@ static void nvmet_tcp_build_pdu_iovec(st
 
 static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
 {
+	/*
+	 * Keep rcv_state at RECV_ERR even for the internal -ESHUTDOWN path.
+	 * nvmet_tcp_handle_icreq() can return -ESHUTDOWN after the ICReq has
+	 * already been consumed and queue teardown has started.
+	 *
+	 * If nvmet_tcp_data_ready() or nvmet_tcp_write_space() queues
+	 * nvmet_tcp_io_work() again before nvmet_tcp_release_queue_work()
+	 * cancels it, the queue must not keep that old receive state.
+	 * Otherwise the next nvmet_tcp_io_work() run can reach
+	 * nvmet_tcp_done_recv_pdu() and try to handle the same ICReq again.
+	 *
+	 * That is why queue->rcv_state needs to be updated before we return.
+	 */
 	queue->rcv_state = NVMET_TCP_RECV_ERR;
 	if (queue->nvme_sq.ctrl)
 		nvmet_ctrl_fatal_error(queue->nvme_sq.ctrl);
@@ -923,11 +936,24 @@ static int nvmet_tcp_handle_icreq(struct
 	iov.iov_len = sizeof(*icresp);
 	ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
 	if (ret < 0) {
+		spin_lock_bh(&queue->state_lock);
+		if (queue->state == NVMET_TCP_Q_DISCONNECTING) {
+			spin_unlock_bh(&queue->state_lock);
+			return -ESHUTDOWN;
+		}
 		queue->state = NVMET_TCP_Q_FAILED;
+		spin_unlock_bh(&queue->state_lock);
 		return ret; /* queue removal will cleanup */
 	}
 
+	spin_lock_bh(&queue->state_lock);
+	if (queue->state == NVMET_TCP_Q_DISCONNECTING) {
+		spin_unlock_bh(&queue->state_lock);
+		/* Tell nvmet_tcp_socket_error() teardown is in progress. */
+		return -ESHUTDOWN;
+	}
 	queue->state = NVMET_TCP_Q_LIVE;
+	spin_unlock_bh(&queue->state_lock);
 	nvmet_prepare_receive_pdu(queue);
 	return 0;
 }
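Review bot: the lock/check/unlock sequence is duplicated in the error and success branches; a small helper such as `nvmet_tcp_set_state_unless_disconnecting(queue, new_state)` returning false once teardown has started would remove the duplication and keep the two exits from drifting apart. Note also that on the send-error branch the real `ret` from kernel_sendmsg() is dropped in favour of -ESHUTDOWN once teardown has started; that is intended per the commit message, but a comment on that branch (as on the success branch) would say so.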



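The interleaving from this commit message, as an added sequential replay that is not nvmet code: teardown runs first because the peer closed right after sending ICReq, io_work then handles the buffered ICReq, and a later socket state change re-enters teardown. The queue, its reference count and the state names are plain ints; `state_lock` is represented by each step running to completion before the next, so the check-under-lock becomes a plain check in the same step. All `model_*` names are this example's own.

```c
/* Added example, not nvmet code: replay of the ICReq vs. teardown race. */
#include <errno.h>
#include <stdbool.h>

enum model_q_state {
	MODEL_Q_CONNECTING,
	MODEL_Q_LIVE,
	MODEL_Q_DISCONNECTING,
	MODEL_Q_FAILED,
};

struct model_queue {
	enum model_q_state state;
	int refs;	/* stands in for queue->kref; 1 = initial reference */
};

/*
 * nvmet_tcp_schedule_release_queue(): the DISCONNECTING guard makes the
 * first caller drop the reference and any later caller a no-op.
 */
void model_schedule_release(struct model_queue *q)
{
	if (q->state == MODEL_Q_DISCONNECTING)
		return;
	q->state = MODEL_Q_DISCONNECTING;
	q->refs--;	/* kref_put() */
}

/*
 * Post-send part of nvmet_tcp_handle_icreq().  With fixed == false the
 * state is overwritten unconditionally (the bug); with fixed == true the
 * transition is refused once teardown has started and -ESHUTDOWN is
 * returned as the internal sentinel.
 */
int model_handle_icreq(struct model_queue *q, int send_ret, bool fixed)
{
	if (send_ret < 0) {
		if (fixed && q->state == MODEL_Q_DISCONNECTING)
			return -ESHUTDOWN;
		q->state = MODEL_Q_FAILED;
		return send_ret;
	}
	if (fixed && q->state == MODEL_Q_DISCONNECTING)
		return -ESHUTDOWN;
	q->state = MODEL_Q_LIVE;
	return 0;
}

/* The three steps of the race; returns the final reference count and
 * stores what the ICReq handler returned in *rc. */
static int model_race(bool fixed, int send_ret, int *rc)
{
	struct model_queue q = { MODEL_Q_CONNECTING, 1 };

	model_schedule_release(&q);			/* softirq teardown */
	*rc = model_handle_icreq(&q, send_ret, fixed);	/* io_work */
	model_schedule_release(&q);			/* socket state change */
	return q.refs;
}

/* Final reference count: 0 is correct, -1 means a second kref_put(). */
int model_final_refs(bool fixed, int send_ret)
{
	int rc;

	return model_race(fixed, send_ret, &rc);
}

/* What the ICReq handler returned during the replay. */
int model_icreq_result(bool fixed, int send_ret)
{
	int rc;

	model_race(fixed, send_ret, &rc);
	return rc;
}
```

Without the fix the handler moves the queue back to LIVE (or to FAILED on a send error), the guard in the second teardown no longer fires, and the count goes to -1; with the fix the handler returns -ESHUTDOWN, the state stays DISCONNECTING and the count ends at 0 in both the success and the send-error variant.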

* [PATCH 6.18 168/270] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 167/270] nvmet-tcp: fix race between ICReq handling and queue teardown Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 169/270] openvswitch: vport: fix self-deadlock on release of tunnel ports Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
	Chaitanya Kulkarni, Keith Busch

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chaitanya Kulkarni <kch@nvidia.com>

commit aade8abd8b868b6ffa9697aadaea28ec7f65bee6 upstream.

nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the
final controller reference through nvmet_cq_put(). If that triggers
nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on
the same nvmet-wq.

Call chain:

 nvmet_tcp_schedule_release_queue()
   kref_put(&queue->kref, nvmet_tcp_release_queue)
     nvmet_tcp_release_queue()
       queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq
         process_one_work()
           nvmet_tcp_release_queue_work()
             nvmet_cq_put(&queue->nvme_cq)
               nvmet_cq_destroy()
                 nvmet_ctrl_put(cq->ctrl)
                   nvmet_ctrl_free()
                     flush_work(&ctrl->async_event_work) <--- nvmet_wq

                      Previously Scheduled by :-
		        nvmet_add_async_event
		          queue_work(nvmet_wq, &ctrl->async_event_work);

This trips lockdep with a possible recursive locking warning.

[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55
[ 5223.061801] loop0: detected capacity change from 0 to 2097152
[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.
[ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
[ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"

[ 5233.227718] ============================================
[ 5233.231283] WARNING: possible recursive locking detected
[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G           O     N
[ 5233.238434] --------------------------------------------
[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock:
[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 5233.251438]
               but task is already holding lock:
[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.261125]
               other info that might help us debug this:
[ 5233.265333]  Possible unsafe locking scenario:

[ 5233.269217]        CPU0
[ 5233.270795]        ----
[ 5233.272436]   lock((wq_completion)nvmet-wq);
[ 5233.275241]   lock((wq_completion)nvmet-wq);
[ 5233.278020]
                *** DEADLOCK ***

[ 5233.281793]  May be due to missing lock nesting notation

[ 5233.286195] 3 locks held by kworker/u192:6/2413:
[ 5233.289192]  #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.294569]  #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0
[ 5233.300128]  #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
[ 5233.304290]
               stack backtrace:
[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G           O     N  7.0.0-rc3nvme+ #20 PREEMPT(full)
[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST
[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]
[ 5233.306532] Call Trace:
[ 5233.306534]  <TASK>
[ 5233.306536]  dump_stack_lvl+0x73/0xb0
[ 5233.306552]  print_deadlock_bug+0x225/0x2f0
[ 5233.306556]  __lock_acquire+0x13f0/0x2290
[ 5233.306563]  lock_acquire+0xd0/0x300
[ 5233.306565]  ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306571]  ? __flush_work+0x20b/0x530
[ 5233.306573]  ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306577]  touch_wq_lockdep_map+0x3b/0x90
[ 5233.306580]  ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306583]  ? __flush_work+0x20b/0x530
[ 5233.306585]  __flush_work+0x268/0x530
[ 5233.306588]  ? __pfx_wq_barrier_func+0x10/0x10
[ 5233.306594]  ? xen_error_entry+0x30/0x60
[ 5233.306600]  nvmet_ctrl_free+0x140/0x310 [nvmet]
[ 5233.306617]  nvmet_cq_put+0x74/0x90 [nvmet]
[ 5233.306629]  nvmet_tcp_release_queue_work+0x19f/0x360 [nvmet_tcp]
[ 5233.306634]  process_one_work+0x206/0x6e0
[ 5233.306640]  worker_thread+0x184/0x320
[ 5233.306643]  ? __pfx_worker_thread+0x10/0x10
[ 5233.306646]  kthread+0xf1/0x130
[ 5233.306648]  ? __pfx_kthread+0x10/0x10
[ 5233.306651]  ret_from_fork+0x355/0x450
[ 5233.306653]  ? __pfx_kthread+0x10/0x10
[ 5233.306656]  ret_from_fork_asm+0x1a/0x30
[ 5233.306664]  </TASK>

There is also no need to flush async_event_work from controller
teardown. The admin queue teardown already fails outstanding AER
requests before the final controller put :-

 nvmet_sq_destroy(admin sq)
    nvmet_async_events_failall(ctrl)

The controller has already been removed from the subsystem list before
nvmet_ctrl_free() quiesces outstanding work.

Replace flush_work() with cancel_work_sync() so a pending
async_event_work item is canceled and a running instance is waited on
without recursing into the same workqueue.

Fixes: 06406d81a2d7 ("nvmet: cancel fatal error and flush async work before free controller")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/target/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1746,7 +1746,7 @@ static void nvmet_ctrl_free(struct kref
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
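Review bot: the swap from flush_work() to cancel_work_sync() changes semantics as well as the lockdep picture: a queued-but-not-yet-running async_event_work is now dropped instead of executed. The commit message argues this is fine because nvmet_async_events_failall() already failed the AERs during admin queue teardown; that reasoning belongs in a comment next to the call so the next person does not swap it back to flush_work().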




* [PATCH 6.18 169/270] openvswitch: vport: fix self-deadlock on release of tunnel ports
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 168/270] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 170/270] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eelco Chaudron, Ilya Maximets,
	Aaron Conole, Paolo Abeni

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

commit aa69918bd418e700309fdd08509dba324fb24296 upstream.

vports are used concurrently and protected by RCU, so netdev_put()
must happen after the RCU grace period.  So, either in an RCU call or
after the synchronize_net().  The rtnl_delete_link() must happen under
RTNL and so can't be executed in RCU context.  Calling synchronize_net()
while holding RTNL is not a good idea for performance and system
stability under load in general, so calling netdev_put() in RCU call
is the right solution here.

However, when the device is deleted, rtnl_unlock() will call netdev_run_todo()
and block until all the references are gone.  In the current code this
means that we never reach the call_rcu() and the vport is never freed
and the reference is never released, causing a self-deadlock on device
removal.

Fix that by moving the rcu_call() before the rtnl_unlock(), so the
scheduled RCU callback will be executed when synchronize_net() is
called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself
is already released.

Fixes: 6931d21f87bc ("openvswitch: defer tunnel netdev_put to RCU release")
Cc: stable@vger.kernel.org
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20260430233848.440994-2-i.maximets@ovn.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/openvswitch/vport-netdev.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -196,9 +196,13 @@ void ovs_netdev_tunnel_destroy(struct vp
 	 */
 	if (vport->dev->reg_state == NETREG_REGISTERED)
 		rtnl_delete_link(vport->dev, 0, NULL);
-	rtnl_unlock();
 
+	/* We can't put the device reference yet, since it can still be in
+	 * use, but rtnl_unlock()->netdev_run_todo() will block until all
+	 * the references are released, so the RCU call must be before it.
+	 */
 	call_rcu(&vport->rcu, vport_netdev_free);
+	rtnl_unlock();
 }
 EXPORT_SYMBOL_GPL(ovs_netdev_tunnel_destroy);
 
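Review bot: the reordering is correct only because nothing touches `vport` after call_rcu(), which the hunk respects; the new comment explains why the call must precede rtnl_unlock(), but it should also note that the callback can now run while this thread still holds RTNL, so vport_netdev_free() must not need RTNL itself (the commit message says it only does netdev_put()).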




* [PATCH 6.18 170/270] pmdomain: core: Fix detach procedure for virtual devices in genpd
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 169/270] openvswitch: vport: fix self-deadlock on release of tunnel ports Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 171/270] psp: strip variable-length PSP header in psp_dev_rcv() Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
	Geert Uytterhoeven, Ulf Hansson

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit 26735dfdd8930d9ef1fa92e590a9bf77726efdf6 upstream.

If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().

This means these virtual devices are typically detached from their genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.

To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Closes: https://lore.kernel.org/all/CAMuHMdWapT40hV3c+CSBqFOW05aWcV1a6v_NiJYgoYi0i9_PDQ@mail.gmail.com/
Fixes: 3c095f32a92b ("PM / Domains: Add support for multi PM domains per device to genpd")
Cc: stable@vger.kernel.org
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pmdomain/core.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/pmdomain/core.c
+++ b/drivers/pmdomain/core.c
@@ -3074,6 +3074,7 @@ static const struct bus_type genpd_bus_t
 static void genpd_dev_pm_detach(struct device *dev, bool power_off)
 {
 	struct generic_pm_domain *pd;
+	bool is_virt_dev;
 	unsigned int i;
 	int ret = 0;
 
@@ -3083,6 +3084,13 @@ static void genpd_dev_pm_detach(struct d
 
 	dev_dbg(dev, "removing from PM domain %s\n", pd->name);
 
+	/* Check if the device was created by genpd at attach. */
+	is_virt_dev = dev->bus == &genpd_bus_type;
+
+	/* Disable runtime PM if we enabled it at attach. */
+	if (is_virt_dev)
+		pm_runtime_disable(dev);
+
 	/* Drop the default performance state */
 	if (dev_gpd_data(dev)->default_pstate) {
 		dev_pm_genpd_set_performance_state(dev, 0);
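Review bot: pm_runtime_disable() is now the pair of the pm_runtime_enable() done in genpd_dev_pm_attach_by_id(); naming that function in the `/* Disable runtime PM if we enabled it at attach. */` comment would let readers find the pair. Ordering matters too: pm_runtime_disable() waits for in-flight runtime PM callbacks, so it should stay ahead of the performance-state drop and the detach below, as it is placed here.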
@@ -3108,7 +3116,7 @@ static void genpd_dev_pm_detach(struct d
 	genpd_queue_power_off_work(pd);
 
 	/* Unregister the device if it was created by genpd. */
-	if (dev->bus == &genpd_bus_type)
+	if (is_virt_dev)
 		device_unregister(dev);
 }
 




* [PATCH 6.18 171/270] psp: strip variable-length PSP header in psp_dev_rcv()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 170/270] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 172/270] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Daniel Zahka,
	David Carlier, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 30cb24f97d44f6b81c14b85c5323de62eef1fb7f upstream.

psp_dev_rcv() unconditionally removes a fixed PSP_ENCAP_HLEN, even
when psph->hdrlen indicates that the PSP header carries optional
fields. A frame whose PSP header advertises a non-zero VC or any
extension would therefore be silently mis-decapsulated: option bytes
would spill into the inner packet head and downstream parsing would
fail on a corrupted skb.

Compute the full PSP header length from psph->hdrlen, pull the
optional bytes into the linear region, and strip the whole header
when decapsulating. Optional fields (VC, ...) are still ignored,
just discarded with the rest of the header instead of leaking.
crypt_offset and the VIRT flag are intentionally not validated here
- callers know their device's PSP implementation and can decide.

Both in-tree callers gate on hardware-validated PSP, so this is a
correctness fix rather than a reachable corruption path under
current configurations.

Fixes: 0eddb8023cee ("psp: provide decapsulation and receive helper for drivers")
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260502141945.14484-1-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/psp/psp_main.c |   42 +++++++++++++++++++++++++++++++-----------
 1 file changed, 31 insertions(+), 11 deletions(-)

--- a/net/psp/psp_main.c
+++ b/net/psp/psp_main.c
@@ -262,15 +262,16 @@ EXPORT_SYMBOL(psp_dev_encapsulate);
 
 /* Receive handler for PSP packets.
  *
- * Presently it accepts only already-authenticated packets and does not
- * support optional fields, such as virtualization cookies. The caller should
- * ensure that skb->data is pointing to the mac header, and that skb->mac_len
- * is set. This function does not currently adjust skb->csum (CHECKSUM_COMPLETE
- * is not supported).
+ * Accepts only already-authenticated packets. The full PSP header is
+ * stripped according to psph->hdrlen; any optional fields it advertises
+ * (virtualization cookies, etc.) are ignored and discarded along with the
+ * rest of the header. The caller should ensure that skb->data is pointing
+ * to the mac header, and that skb->mac_len is set. This function does not
+ * currently adjust skb->csum (CHECKSUM_COMPLETE is not supported).
  */
 int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv)
 {
-	int l2_hlen = 0, l3_hlen, encap;
+	int l2_hlen = 0, l3_hlen, encap, psp_hlen;
 	struct psp_skb_ext *pse;
 	struct psphdr *psph;
 	struct ethhdr *eth;
@@ -311,18 +312,36 @@ int psp_dev_rcv(struct sk_buff *skb, u16
 	if (unlikely(uh->dest != htons(PSP_DEFAULT_UDP_PORT)))
 		return -EINVAL;
 
-	pse = skb_ext_add(skb, SKB_EXT_PSP);
-	if (!pse)
+	psph = (struct psphdr *)(skb->data + l2_hlen + l3_hlen +
+				 sizeof(struct udphdr));
+
+	/* Strip the full PSP header per psph->hdrlen; VC/options are pulled
+	 * into the linear region only so they can be discarded with the
+	 * rest of the header.
+	 */
+	psp_hlen = (psph->hdrlen + 1) * 8;
+
+	if (unlikely(psp_hlen < sizeof(struct psphdr)))
+		return -EINVAL;
+
+	if (psp_hlen > sizeof(struct psphdr) &&
+	    !pskb_may_pull(skb, l2_hlen + l3_hlen +
+				sizeof(struct udphdr) + psp_hlen))
 		return -EINVAL;
 
 	psph = (struct psphdr *)(skb->data + l2_hlen + l3_hlen +
 				 sizeof(struct udphdr));
+
+	pse = skb_ext_add(skb, SKB_EXT_PSP);
+	if (!pse)
+		return -EINVAL;
+
 	pse->spi = psph->spi;
 	pse->dev_id = dev_id;
 	pse->generation = generation;
 	pse->version = FIELD_GET(PSPHDR_VERFL_VERSION, psph->verfl);
 
-	encap = PSP_ENCAP_HLEN;
+	encap = sizeof(struct udphdr) + psp_hlen;
 	encap += strip_icv ? PSP_TRL_SIZE : 0;
 
 	if (proto == htons(ETH_P_IP)) {
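Review bot: the first `psph` assignment dereferences `psph->hdrlen` before the new `pskb_may_pull()`, so it relies on an earlier pull having already linearised the fixed `struct psphdr`; the second, identical-looking assignment after the pull is required because `pskb_may_pull()` may reallocate the head and move `skb->data`, but nothing in the hunk says so. Suggest a one-line comment on the re-assignment ("re-read psph: pskb_may_pull() may have moved skb->data") so it is not removed later as a duplicate. Also, `psp_hlen` is declared `int` and compared against `sizeof(struct psphdr)`; that is only safe because `(psph->hdrlen + 1) * 8` is always positive, which is worth stating or sidestepping by declaring `psp_hlen` unsigned.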
@@ -339,8 +358,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16
 		ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) - encap);
 	}
 
-	memmove(skb->data + PSP_ENCAP_HLEN, skb->data, l2_hlen + l3_hlen);
-	skb_pull(skb, PSP_ENCAP_HLEN);
+	memmove(skb->data + sizeof(struct udphdr) + psp_hlen,
+		skb->data, l2_hlen + l3_hlen);
+	skb_pull(skb, sizeof(struct udphdr) + psp_hlen);
 
 	if (strip_icv)
 		pskb_trim(skb, skb->len - PSP_TRL_SIZE);
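Review bot: `encap` can now be up to `sizeof(struct udphdr) + 2048` bytes plus the trailer, and it is subtracted from `ipv6h->payload_len` via `htons(ntohs(ipv6h->payload_len) - encap)` without checking that the L3 header's declared payload length actually covers it; `pskb_may_pull()` only proves the bytes exist in the skb, not that the header length field agrees. A check that `encap` does not exceed the declared payload length before the write would avoid emitting a wrapped length field on a malformed frame. The unchecked `pskb_trim()` return value in the context lines is pre-existing.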




* [PATCH 6.18 172/270] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 171/270] psp: strip variable-length PSP header in psp_dev_rcv() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 173/270] riscv: kvm: fix vector context allocation leak Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Junxian Huang, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 0c99acbc8b6c6dd526ae475a48ee1897b61072fb upstream.

Sashiko points out that hns_roce_qp_remove() requires the caller to hold
locks.  The error flow in hns_roce_create_qp_common() doesn't hold those
locks for the error unwind so it risks corrupting memory.

Grab the same locks the other two callers use.

Cc: stable@vger.kernel.org
Fixes: e088a685eae9 ("RDMA/hns: Support rq record doorbell for the user space")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=9
Link: https://patch.msgid.link/r/15-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Junxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/hns/hns_roce_qp.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -1150,6 +1150,7 @@ static int hns_roce_create_qp_common(str
 	struct hns_roce_ib_create_qp_resp resp = {};
 	struct ib_device *ibdev = &hr_dev->ib_dev;
 	struct hns_roce_ib_create_qp ucmd = {};
+	unsigned long flags;
 	int ret;
 
 	mutex_init(&hr_qp->mutex);
@@ -1236,7 +1237,13 @@ static int hns_roce_create_qp_common(str
 	return 0;
 
 err_flow_ctrl:
+	spin_lock_irqsave(&hr_dev->qp_list_lock, flags);
+	hns_roce_lock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL,
+			  init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL);
 	hns_roce_qp_remove(hr_dev, hr_qp);
+	hns_roce_unlock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL,
+			    init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL);
+	spin_unlock_irqrestore(&hr_dev->qp_list_lock, flags);
 err_store:
 	free_qpc(hr_dev, hr_qp);
 err_qpc:
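Review bot: the `init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL` / `recv_cq` pair is spelled out four times across the lock and unlock calls; two locals (for example `struct hns_roce_cq *send_cq, *recv_cq;` declared next to `flags`) would keep the lock and unlock arguments from drifting apart and shorten the over-long lines. It is also worth stating in the changelog that at `err_flow_ctrl` the QP has already been inserted into the list/xarray, since the unwind now takes the same locks as the destroy path.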




* [PATCH 6.18 173/270] riscv: kvm: fix vector context allocation leak
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 172/270] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 174/270] s390/debug: Reject zero-length input in debug_input_flush_fn() Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Andy Chiu,
	Anup Patel

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Osama Abdelkader <osama.abdelkader@gmail.com>

commit b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978 upstream.

When the second kzalloc (host_context.vector.datap) fails in
kvm_riscv_vcpu_alloc_vector_context, the first allocation
(guest_context.vector.datap) is leaked. Free it before returning.

Fixes: 0f4b82579716 ("riscv: KVM: Add vector lazy save/restore support")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Andy Chiu <andybnac@gmail.com>
Link: https://lore.kernel.org/r/20260316151612.13305-1-osama.abdelkader@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kvm/vcpu_vector.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/riscv/kvm/vcpu_vector.c
+++ b/arch/riscv/kvm/vcpu_vector.c
@@ -80,8 +80,11 @@ int kvm_riscv_vcpu_alloc_vector_context(
 		return -ENOMEM;
 
 	vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
-	if (!vcpu->arch.host_context.vector.datap)
+	if (!vcpu->arch.host_context.vector.datap) {
+		kfree(vcpu->arch.guest_context.vector.datap);
+		vcpu->arch.guest_context.vector.datap = NULL;
 		return -ENOMEM;
+	}
 
 	return 0;
 }
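Review bot: freeing `guest_context.vector.datap` and then nulling it is the right shape, since the vcpu teardown path would otherwise see a dangling pointer on the failed vcpu; an `err_free_guest:` label-style unwind would match the usual kernel error-path pattern better than nesting the cleanup inside the `if` and would scale if another allocation is added later. No functional concern.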




* [PATCH 6.18 174/270] s390/debug: Reject zero-length input in debug_input_flush_fn()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 173/270] riscv: kvm: fix vector context allocation leak Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 175/270] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik,
	Alexander Gordeev

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Gorbik <gor@linux.ibm.com>

commit e14622a7584f9608927c59a7d6ae4a0999dc545e upstream.

debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.

Reject zero-length writes before copying from userspace.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kernel/debug.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1586,6 +1586,11 @@ static int debug_input_flush_fn(debug_in
 	char input_buf[1];
 	int rc = user_len;
 
+	if (!user_len) {
+		rc = -EINVAL;
+		goto out;
+	}
+
 	if (user_len > 0x10000)
 		user_len = 0x10000;
 	if (*offset != 0) {
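Review bot: `rc = -EINVAL; goto out;` is correct only if `out:` does nothing beyond returning `rc`; the label is outside the hunk, so please confirm nothing allocated or locked is released there, because at this point nothing has been acquired yet. The check sits before the `user_len > 0x10000` clamp and the `*offset` test, which is the right place, since `input_buf[1]` is read unconditionally afterwards.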




* [PATCH 6.18 175/270] s390/debug: Reject zero-length input before trimming a newline
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 174/270] s390/debug: Reject zero-length input in debug_input_flush_fn() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 176/270] scsi: mpt3sas: Limit NVMe request size to 2 MiB Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Benjamin Block,
	Vasily Gorbik, Alexander Gordeev

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pengpeng Hou <pengpeng@iscas.ac.cn>

commit c366a7b5ed7564e41345c380285bd3f6cb98971b upstream.

debug_get_user_string() duplicates the userspace buffer with
memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
to strip a trailing newline.

A zero-length write reaches this helper unchanged, so the newline trim
reads before the start of the allocated buffer.

Reject empty writes before accessing the last input byte.

Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260417073530.96002-1-pengpeng@iscas.ac.cn
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kernel/debug.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1416,6 +1416,9 @@ static inline char *debug_get_user_strin
 {
 	char *buffer;
 
+	if (!user_len)
+		return ERR_PTR(-EINVAL);
+
 	buffer = memdup_user_nul(user_buf, user_len);
 	if (IS_ERR(buffer))
 		return buffer;
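Review bot: with `user_len == 0` the old code called `memdup_user_nul(user_buf, 0)` and then read `buffer[-1]` during the newline trim, which the early `ERR_PTR(-EINVAL)` return now prevents. Since `debug_input_flush_fn()` in the previous patch of this series rejects the same input at its own entry point, a short comment on this helper stating that empty input is rejected here would make clear that neither site depends on the other.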




* [PATCH 6.18 176/270] scsi: mpt3sas: Limit NVMe request size to 2 MiB
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 175/270] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 177/270] smb/client: fix out-of-bounds read in smb2_compound_op() Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mira Limbeck, Keith Busch,
	Ranjan Kumar, Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ranjan Kumar <ranjan.kumar@broadcom.com>

commit 04631f55afc543d5431a2bdee7f6cc0f2c0debe7 upstream.

The HBA firmware reports NVMe MDTS values based on the underlying drive
capability. However, because the driver allocates a fixed 4K buffer for
the PRP list, accommodating at most 512 entries, the driver supports a
maximum I/O transfer size of 2 MiB.

Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB
driver limit to prevent issuing oversized I/O that may lead to a kernel
oops.

Cc: stable@vger.kernel.org
Fixes: 9b8b84879d4a ("block: Increase BLK_DEF_MAX_SECTORS_CAP")
Reported-by: Mira Limbeck <m.limbeck@proxmox.com>
Closes: https://lore.kernel.org/r/291f78bf-4b4a-40dd-867d-053b36c564b3@proxmox.com
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b8b84879d4a
Suggested-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Link: https://patch.msgid.link/20260414110811.85156-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -2681,8 +2681,20 @@ scsih_sdev_configure(struct scsi_device
 				pcie_device->enclosure_level,
 				pcie_device->connector_name);
 
+		/*
+		 * The HBA firmware passes the NVMe drive's MDTS
+		 * (Maximum Data Transfer Size) up to the driver. However,
+		 * the driver hardcodes a 4K buffer size for the PRP list,
+		 * accommodating at most 512 entries. This strictly limits
+		 * the maximum supported NVMe I/O transfer to 2 MiB.
+		 *
+		 * Cap max_hw_sectors to the smaller of the drive's reported
+		 * MDTS or the 2 MiB driver limit to prevent kernel oopses.
+		 */
+		lim->max_hw_sectors = SZ_2M >> SECTOR_SHIFT;
 		if (pcie_device->nvme_mdts)
-			lim->max_hw_sectors = pcie_device->nvme_mdts / 512;
+			lim->max_hw_sectors = min(lim->max_hw_sectors,
+					pcie_device->nvme_mdts >> SECTOR_SHIFT);
 
 		pcie_device_put(pcie_device);
 		spin_unlock_irqrestore(&ioc->pcie_device_lock, flags);
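Review bot: `min(lim->max_hw_sectors, pcie_device->nvme_mdts >> SECTOR_SHIFT)` yields 0 if firmware ever reports a non-zero `nvme_mdts` smaller than 512 bytes, leaving `max_hw_sectors` at 0 for that device; treating such a value as "unknown" and keeping the 2 MiB cap would be safer. Also, the kernel `min()` macro enforces matching types at compile time, so `nvme_mdts` and `max_hw_sectors` must already agree; if they do not, use `min_t(unsigned int, ...)`. The comment block is clear, but "to prevent kernel oopses" could name the actual failure (PRP list overflow) so the 512-entry limit is traceable.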




* [PATCH 6.18 177/270] smb/client: fix out-of-bounds read in smb2_compound_op()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 176/270] scsi: mpt3sas: Limit NVMe request size to 2 MiB Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 178/270] smb/client: fix out-of-bounds read in symlink_data() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zisen Ye, ChenXiaoSong, Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zisen Ye <zisenye@stu.xidian.edu.cn>

commit 8d09328dfda089675e4c049f3f256064a1d1996b upstream.

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
Cc: stable@vger.kernel.org
Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2inode.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -108,7 +108,7 @@ static int check_wsl_eas(struct kvec *rs
 	u32 outlen, next;
 	u16 vlen;
 	u8 nlen;
-	u8 *end;
+	u8 *ea_end, *iov_end;
 
 	outlen = le32_to_cpu(rsp->OutputBufferLength);
 	if (outlen < SMB2_WSL_MIN_QUERY_EA_RESP_SIZE ||
@@ -117,15 +117,19 @@ static int check_wsl_eas(struct kvec *rs
 
 	ea = (void *)((u8 *)rsp_iov->iov_base +
 		      le16_to_cpu(rsp->OutputBufferOffset));
-	end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
+	ea_end = (u8 *)ea + outlen;
+	iov_end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
+	if (ea_end > iov_end)
+		return -EINVAL;
+
 	for (;;) {
-		if ((u8 *)ea > end - sizeof(*ea))
+		if ((u8 *)ea > ea_end - sizeof(*ea))
 			return -EINVAL;
 
 		nlen = ea->ea_name_length;
 		vlen = le16_to_cpu(ea->ea_value_length);
 		if (nlen != SMB2_WSL_XATTR_NAME_LEN ||
-		    (u8 *)ea->ea_data + nlen + 1 + vlen > end)
+		    (u8 *)ea->ea_data + nlen + 1 + vlen > ea_end)
 			return -EINVAL;
 
 		switch (vlen) {
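Review bot: `ea_end = (u8 *)ea + outlen` is pointer arithmetic on a server-controlled offset and length; it is safe only because `outlen` is bounded by the range check above (whose upper bound is outside this hunk) and `OutputBufferOffset` is a 16-bit field. Doing the check in integers first, e.g. `if ((size_t)le16_to_cpu(rsp->OutputBufferOffset) + outlen > rsp_iov->iov_len) return -EINVAL;`, avoids forming and comparing a pointer past the allocation, which is undefined behaviour in C, and matches the numeric-first approach taken in the dacloffset fix later in this series.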




* [PATCH 6.18 178/270] smb/client: fix out-of-bounds read in symlink_data()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 177/270] smb/client: fix out-of-bounds read in smb2_compound_op() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 179/270] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stable, Zisen Ye, ChenXiaoSong,
	Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zisen Ye <zisenye@stu.xidian.edu.cn>

commit d62b8d236fab503c6fec1d3e9a38bea71feaca20 upstream.

Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.

Link: https://lore.kernel.org/linux-cifs/297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com/
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: Stable@vger.kernel.org
Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2misc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -240,7 +240,8 @@ smb2_check_message(char *buf, unsigned i
 	if (len != calc_len) {
 		/* create failed on symlink */
 		if (command == SMB2_CREATE_HE &&
-		    shdr->Status == STATUS_STOPPED_ON_SYMLINK)
+		    shdr->Status == STATUS_STOPPED_ON_SYMLINK &&
+		    len > calc_len)
 			return 0;
 		/* Windows 7 server returns 24 bytes more */
 		if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
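Review bot: `len > calc_len` only guarantees the buffer is larger than the `calc_len` computed for this response, so the later `err->ErrorContextCount` / `err->ByteCount` accesses in `symlink_data()` are safe only if `calc_len` already covers `sizeof(struct smb2_err_rsp)` for the symlink case; an explicit `len >= sizeof(struct smb2_err_rsp)` would be self-documenting, or a comment should state why `calc_len` suffices. The `/* create failed on symlink */` comment should also mention that responses with `len < calc_len` now fall through to the existing mismatch handling.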




* [PATCH 6.18 179/270] smb: client: use kzalloc to zero-initialize security descriptor buffer
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 178/270] smb/client: fix out-of-bounds read in symlink_data() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 180/270] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bjoern Doebel, Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjoern Doebel <doebel@amazon.de>

commit 5e489c6c47a2ac15edbaca153b9348e42c1eacab upstream.

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
to le16") split struct smb_acl's __le32 num_aces field into __le16
num_aces and __le16 reserved. The reserved field corresponds to Sbz2
in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a
kmalloc()'ed descriptor buffer and writing the fields explicitly using
le16() writes now. This never writes to the 2 byte reserved field,
leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage,
Samba rejects the security descriptor with "ndr_pull_security_descriptor
failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is
zero-initialized.

Fixes: 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16")
Cc: stable@vger.kernel.org

Signed-off-by: Bjoern Doebel <doebel@amazon.de>
Assisted-by: Kiro:claude-opus-4.6
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1685,7 +1685,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 	 * descriptor parameters, and security descriptor itself
 	 */
 	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
-	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
+	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
 	if (!pnntsd) {
 		kfree(pntsd);
 		cifs_put_tlink(tlink);
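Review bot: switching to `kzalloc()` fixes the uninitialised `reserved` (Sbz2) bytes, but it leaves the wire requirement implicit; an explicit `reserved = 0` write where `num_aces` is set in `build_sec_desc()` would document it and keep the descriptor correct if a future change goes back to `kmalloc()` or reuses a buffer. As it stands, nothing at the allocation site says why zeroing matters, so a short comment on the `kzalloc()` line would help.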




* [PATCH 6.18 180/270] smb: client: validate dacloffset before building DACL pointers
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 179/270] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 181/270] KVM: x86: check for nEPT/nNPT in slow flush hypercalls Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit f98b48151cc502ada59d9778f0112d21f2586ca3 upstream.

parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.

On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |   35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1215,6 +1215,17 @@ static int parse_sid(struct smb_sid *psi
 	return 0;
 }
 
+static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset)
+{
+	if (acl_len < sizeof(struct smb_acl))
+		return false;
+
+	if (dacloffset < sizeof(struct smb_ntsd))
+		return false;
+
+	return dacloffset <= acl_len - sizeof(struct smb_acl);
+}
+
 
 /* Convert CIFS ACL to POSIX form */
 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
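Review bot: `dacl_offset_valid()` only proves that a `struct smb_acl` header fits at `dacloffset`; the ACL body (`dacl_ptr->size`) is still checked separately by the callers, which is fine but deserves a short kerneldoc comment so the helper is not later assumed to validate the whole DACL. Nit: two blank lines follow the helper where the file otherwise uses one.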
@@ -1235,7 +1246,6 @@ static int parse_sec_desc(struct cifs_sb
 	group_sid_ptr = (struct smb_sid *)((char *)pntsd +
 				le32_to_cpu(pntsd->gsidoffset));
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
-	dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 	cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
 		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
 		 le32_to_cpu(pntsd->gsidoffset),
@@ -1266,11 +1276,18 @@ static int parse_sec_desc(struct cifs_sb
 		return rc;
 	}
 
-	if (dacloffset)
+	if (dacloffset) {
+		if (!dacl_offset_valid(acl_len, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
+		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
 			   group_sid_ptr, fattr, get_mode_from_special_sid);
-	else
+	} else {
 		cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
+	}
 
 	return rc;
 }
@@ -1293,6 +1310,11 @@ static int build_sec_desc(struct smb_nts
 
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
 	if (dacloffset) {
+		if (!dacl_offset_valid(secdesclen, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
 		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 		if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
 			cifs_dbg(VFS, "Server returned illegal ACL size\n");
@@ -1669,6 +1691,12 @@ id_mode_to_cifs_acl(struct inode *inode,
 		nsecdesclen = sizeof(struct smb_ntsd) + (sizeof(struct smb_sid) * 2);
 		dacloffset = le32_to_cpu(pntsd->dacloffset);
 		if (dacloffset) {
+			if (!dacl_offset_valid(secdesclen, dacloffset)) {
+				cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+				rc = -EINVAL;
+				goto id_mode_to_cifs_acl_exit;
+			}
+
 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 			if (mode_from_sid)
 				nsecdesclen +=
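Review bot: the new `goto id_mode_to_cifs_acl_exit` lands on a label that runs `cifs_put_tlink(tlink)` and `kfree(pnntsd)` (next hunk), but `pnntsd` is allocated later in this function, at the `kmalloc`/`kzalloc` line touched by the previous patch in this series; please confirm `pnntsd` is initialised to NULL at its declaration, otherwise this error path frees an uninitialised pointer. `pntsd` must also be released on this path if the label does not already do so.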
@@ -1705,6 +1733,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 		rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
 		cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
 	}
+id_mode_to_cifs_acl_exit:
 	cifs_put_tlink(tlink);
 
 	kfree(pnntsd);




* [PATCH 6.18 181/270] KVM: x86: check for nEPT/nNPT in slow flush hypercalls
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 180/270] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 182/270] KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 464af6fc2b1dcc74005b7f58ee3812b17777efee upstream.

Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa()
is only valid if an L2 guest is running *with nested EPT/NPT enabled*.
Instead use the same condition as translate_nested_gpa() itself.

Cc: stable@vger.kernel.org
Reviewed-by: Sean Christopherson <seanjc@google.com>
Fixes: aee738236dca ("KVM: x86: Prepare kvm_hv_flush_tlb() to handle L2's GPAs", 2022-11-18)
Link: https://patch.msgid.link/20260503200905.106077-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/hyperv.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -2039,7 +2039,7 @@ static u64 kvm_hv_flush_tlb(struct kvm_v
 	 * flush).  Translate the address here so the memory can be uniformly
 	 * read with kvm_read_guest().
 	 */
-	if (!hc->fast && is_guest_mode(vcpu)) {
+	if (!hc->fast && mmu_is_nested(vcpu)) {
 		hc->ingpa = translate_nested_gpa(vcpu, hc->ingpa, 0, NULL);
 		if (unlikely(hc->ingpa == INVALID_GPA))
 			return HV_STATUS_INVALID_HYPERCALL_INPUT;
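Review bot: the comment block above this condition (ending "...uniformly read with kvm_read_guest()") should say why `mmu_is_nested()` rather than `is_guest_mode()` is the right gate, i.e. that `translate_nested_gpa()` is only meaningful when L2 runs with nested EPT/NPT, as the changelog explains; otherwise the next reader may "fix" it back to the more obvious-looking check.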




* [PATCH 6.18 182/270] KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 181/270] KVM: x86: check for nEPT/nNPT in slow flush hypercalls Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 183/270] mm/damon/stat: detect and use fresh enabled value Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Farrah Chen, Sean Christopherson,
	Paolo Bonzini, Chenyi Qiang

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 33fd0ccd2590b470b65adcca288615ad3b5e3e06 upstream.

Fall back to apic_find_highest_vector() when PID.ON is set but PIR
turns out to be empty, to correctly report the highest pending interrupt
from the existing IRR.

In a nested VM stress test, the following WARNING fires in
vmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending
interrupt but the subsequent kvm_apic_has_interrupt() (which invokes
vmx_sync_pir_to_irr() again) returns -1:

  WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel]
  Call Trace:
   kvm_check_and_inject_events
   vcpu_enter_guest.constprop.0
   vcpu_run
   kvm_arch_vcpu_ioctl_run
   kvm_vcpu_ioctl
   __x64_sys_ioctl
   do_syscall_64
   entry_SYSCALL_64_after_hwframe

The root cause is a race between vmx_sync_pir_to_irr() on the target vCPU
and __vmx_deliver_posted_interrupt() on a sender vCPU.  The sender
performs two individually-atomic operations that are not a single
transaction:

  1. pi_test_and_set_pir(vector)  -- sets the PIR bit
  2. pi_test_and_set_on()         -- sets PID.ON

The following interleaving triggers the bug:

  Sender vCPU (IPI):              Target vCPU (1st sync_pir_to_irr):
  B1: set PIR[vector]
                                  A1: pi_clear_on()
                                  A2: pi_harvest_pir() -> sees B1 bit
                                  A3: xchg() -> consumes bit, PIR=0
                                      (1st sync returns correct max_irr)
  B2: set PID.ON = 1

                                  Target vCPU (2nd sync_pir_to_irr):
                                  C1: pi_test_on() -> TRUE (from B2)
                                  C2: pi_clear_on() -> ON=0
                                  C3: pi_harvest_pir() -> PIR empty
                                  C4: *max_irr = -1, early return
                                      IRR NOT SCANNED

The interrupt is not lost (it resides in the IRR from the first sync and
is recovered on the next vcpu_enter_guest() iteration), but the incorrect
max_irr causes a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle.

Fixes: b41f8638b9d3 ("KVM: VMX: Isolate pure loads from atomic XCHG when processing PIR")
Reported-by: Farrah Chen <farrah.chen@intel.com>
Analyzed-by: Chenyi Qiang <chenyi.qiang@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/kvm/20260428070349.1633238-1-chenyi.qiang@intel.com/T/
Link: https://patch.msgid.link/20260503201703.108231-2-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/lapic.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -669,12 +669,14 @@ bool __kvm_apic_update_irr(unsigned long
 	u32 irr_val, prev_irr_val;
 	int max_updated_irr;
 
+	if (!pi_harvest_pir(pir, pir_vals)) {
+		*max_irr = apic_find_highest_vector(regs + APIC_IRR);
+		return false;
+	}
+
 	max_updated_irr = -1;
 	*max_irr = -1;
 
-	if (!pi_harvest_pir(pir, pir_vals))
-		return false;
-
 	for (i = vec = 0; i <= 7; i++, vec += 32) {
 		u32 *p_irr = (u32 *)(regs + APIC_IRR + i * 0x10);
 
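Review bot: the early return now fills in *max_irr from apic_find_highest_vector() but still returns false, so the contract changes from "false means nothing was harvested and *max_irr is -1" to "false means nothing was harvested, but *max_irr is still the highest pending IRR vector"; callers that keyed off the return value alone should be re-checked, and the function comment should state that *max_irr is always valid on return. Moving `max_updated_irr = -1; *max_irr = -1;` below the harvest is fine, since only the loop below consumes them.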



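The interleaving from the commit message, replayed single-threaded as an added example (not KVM code and not from the patch author). It uses a toy posted-interrupt descriptor and IRR; the helper names (pi_set_pir, harvest_pir, update_irr, find_highest_irr) are modelled on the KVM ones but are this example's own, and a `fixed` flag selects the pre-patch early return versus the post-patch fallback to an IRR scan.

```c
#include <stdbool.h>
#include <stdint.h>

struct pi_desc {
	uint64_t pir[4];	/* 256 posted-interrupt request bits */
	bool on;		/* PID.ON: notification outstanding */
};

struct apic_irr {
	uint32_t word[8];	/* IRR as eight 32-bit words, like APIC_IRR + i * 0x10 */
};

/* Sender, step B1: post the vector into PIR. */
static void pi_set_pir(struct pi_desc *pid, int vec)
{
	pid->pir[vec / 64] |= 1ULL << (vec % 64);
}

/* Sender, step B2: raise PID.ON; a separate store, not a transaction with B1. */
static void pi_set_on(struct pi_desc *pid)
{
	pid->on = true;
}

/* pi_harvest_pir() analogue: take all PIR words (xchg in the real code) and report whether any bit was set. */
static bool harvest_pir(struct pi_desc *pid, uint64_t vals[4])
{
	bool any = false;

	for (int i = 0; i < 4; i++) {
		vals[i] = pid->pir[i];
		pid->pir[i] = 0;
		any |= vals[i] != 0;
	}
	return any;
}

/* apic_find_highest_vector() analogue over the IRR; -1 when nothing is pending. */
static int find_highest_irr(const struct apic_irr *irr)
{
	for (int i = 7; i >= 0; i--)
		if (irr->word[i])
			return i * 32 + 31 - __builtin_clz(irr->word[i]);
	return -1;
}

/*
 * __kvm_apic_update_irr() analogue.  fixed == false reproduces the buggy
 * early return (-1 on an empty PIR, IRR not scanned); fixed == true falls
 * back to the IRR scan as the patch does.
 */
static bool update_irr(struct apic_irr *irr, struct pi_desc *pid, int *max_irr, bool fixed)
{
	uint64_t vals[4];
	int max_updated_irr = -1;

	if (!harvest_pir(pid, vals)) {
		*max_irr = fixed ? find_highest_irr(irr) : -1;
		return false;
	}

	*max_irr = -1;
	for (int i = 0; i < 8; i++) {
		uint32_t pir_val = (uint32_t)(vals[i / 2] >> ((i % 2) * 32));
		uint32_t prev = irr->word[i];

		if (pir_val) {
			irr->word[i] |= pir_val;
			if (irr->word[i] != prev)
				max_updated_irr = i * 32 + 31 - __builtin_clz(irr->word[i] ^ prev);
		}
		if (irr->word[i])
			*max_irr = i * 32 + 31 - __builtin_clz(irr->word[i]);
	}
	return max_updated_irr != -1 && max_updated_irr == *max_irr;
}

/* First sync alone (A2/A3 after B1): both variants report the vector. */
static int first_sync_reports(int vec)
{
	struct pi_desc pid = { 0 };
	struct apic_irr irr = { 0 };
	int max_irr;

	pi_set_pir(&pid, vec);
	update_irr(&irr, &pid, &max_irr, false);
	return max_irr;
}

/* Replay B1, A1-A3, B2, C1-C4 and return what the target's second sync reports. */
static int second_sync_reports(int vec, bool fixed)
{
	struct pi_desc pid = { 0 };
	struct apic_irr irr = { 0 };
	int max_irr;

	pi_set_pir(&pid, vec);				/* B1 */
	pid.on = false;					/* A1: pi_clear_on() */
	update_irr(&irr, &pid, &max_irr, fixed);	/* A2/A3: the bit moves to the IRR */
	pi_set_on(&pid);				/* B2 lands after the harvest */

	if (pid.on) {					/* C1: pi_test_on() is true */
		pid.on = false;				/* C2 */
		update_irr(&irr, &pid, &max_irr, fixed);/* C3/C4: PIR is empty now */
	}
	return max_irr;
}
```

With fixed == false the second sync reports -1 although the vector is sitting in the IRR, which is exactly the mismatch between kvm_cpu_has_interrupt() and kvm_apic_has_interrupt() that fires the WARNING; with fixed == true it reports the vector.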

* [PATCH 6.18 183/270] mm/damon/stat: detect and use fresh enabled value
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 182/270] KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 184/270] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SeongJae Park, Liew Rui Yan,
	Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit f98590bc08d4aea435e1c2213e38bae0d9e9a7bb upstream.

DAMON_STAT updates 'enabled' parameter value, which represents the running
status of its kdamond, when the user explicitly requests start/stop of the
kdamond.  The kdamond can, however, be stopped even if the user explicitly
requested the stop, if the ctx->regions_score_histogram allocation fails at
the beginning of the execution of the kdamond.  Hence, if the kdamond is
stopped by the allocation failure, the value of the parameter can be
stale.

Users could show the stale value and be confused.  The problem will only
rarely happen in real and common setups because the allocation is arguably
too small to fail.  Also, unlike the similar bugs that are now fixed in
DAMON_RECLAIM and DAMON_LRU_SORT, kdamond can be restarted in this case,
because DAMON_STAT force-updates the enabled parameter value for user
inputs.  The bug is a bug, though.

The issue stems from the fact that there are multiple events that can
change the status, and following all the events is challenging.
Dynamically detect and use the fresh status for the parameters when those
are requested.

The issue was discovered [1] by Sashiko.

Link: https://lore.kernel.org/20260419161003.79176-4-sj@kernel.org
Link: https://lore.kernel.org/20260416040602.88665-1-sj@kernel.org [1]
Fixes: 369c415e6073 ("mm/damon: introduce DAMON_STAT module")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Liew Rui Yan <aethernet65535@gmail.com>
Cc: <stable@vger.kernel.org> # 6.17.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/stat.c |   30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

--- a/mm/damon/stat.c
+++ b/mm/damon/stat.c
@@ -19,14 +19,17 @@
 static int damon_stat_enabled_store(
 		const char *val, const struct kernel_param *kp);
 
+static int damon_stat_enabled_load(char *buffer,
+		const struct kernel_param *kp);
+
 static const struct kernel_param_ops enabled_param_ops = {
 	.set = damon_stat_enabled_store,
-	.get = param_get_bool,
+	.get = damon_stat_enabled_load,
 };
 
 static bool enabled __read_mostly = IS_ENABLED(
 	CONFIG_DAMON_STAT_ENABLED_DEFAULT);
-module_param_cb(enabled, &enabled_param_ops, &enabled, 0600);
+module_param_cb(enabled, &enabled_param_ops, NULL, 0600);
 MODULE_PARM_DESC(enabled, "Enable of disable DAMON_STAT");
 
 static unsigned long estimated_memory_bandwidth __read_mostly;
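Review bot: module_param_cb(enabled, &enabled_param_ops, NULL, 0600) detaches the parameter from the variable, so `enabled` is now only the last value the user asked for and the reported value comes from damon_stat_enabled_load(); a one-line comment at the `static bool enabled` declaration would save the next reader from hunting for the getter. The MODULE_PARM_DESC context line "Enable of disable DAMON_STAT" carries a pre-existing typo ("of" for "or") that this hunk sits next to and could fix.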
@@ -265,17 +268,23 @@ static void damon_stat_stop(void)
 	damon_stat_context = NULL;
 }
 
+static bool damon_stat_enabled(void)
+{
+	if (!damon_stat_context)
+		return false;
+	return damon_is_running(damon_stat_context);
+}
+
 static int damon_stat_enabled_store(
 		const char *val, const struct kernel_param *kp)
 {
-	bool is_enabled = enabled;
 	int err;
 
 	err = kstrtobool(val, &enabled);
 	if (err)
 		return err;
 
-	if (is_enabled == enabled)
+	if (damon_stat_enabled() == enabled)
 		return 0;
 
 	if (!damon_initialized())
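Review bot: kstrtobool(val, &enabled) still parses straight into the global, so on the `if (!damon_initialized())` early return below `enabled` is left set while nothing is running; that is only harmless because the getter no longer reads it. Parsing into a local `bool enable` and using it for `damon_stat_enabled() == enable` and for the start/stop decision would make the intent explicit. Also, damon_stat_enabled() reads damon_stat_context and calls damon_is_running() with no lock of its own; if that relies on the kernel param lock serializing set and get, say so in a comment.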
@@ -285,16 +294,17 @@ static int damon_stat_enabled_store(
 		 */
 		return 0;
 
-	if (enabled) {
-		err = damon_stat_start();
-		if (err)
-			enabled = false;
-		return err;
-	}
+	if (enabled)
+		return damon_stat_start();
 	damon_stat_stop();
 	return 0;
 }
 
+static int damon_stat_enabled_load(char *buffer, const struct kernel_param *kp)
+{
+	return sprintf(buffer, "%c\n", damon_stat_enabled() ? 'Y' : 'N');
+}
+
 static int __init damon_stat_init(void)
 {
 	int err = 0;
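Review bot: dropping `enabled = false` after a failed damon_stat_start() is consistent with the new getter, but any remaining direct reader of `enabled` (damon_stat_init() below is the obvious candidate) now sees true after a failed start; check that nothing else depends on it. sprintf() in damon_stat_enabled_load() matches the "%c\n" convention of param_get_bool(), so no change is needed there.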




* [PATCH 6.18 184/270] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 183/270] mm/damon/stat: detect and use fresh enabled value Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 185/270] PCI: Update saved_config_space upon resource assignment Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Junxi Qian, SeongJae Park,
	Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 1e68eb96e8beb1abefd12dd22c5637795d8a877e upstream.

Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".

Reads of the 'memcg_path' and 'path' files in the DAMON sysfs interface could
race with their writes, resulting in use-after-free.  Fix those.


This patch (of 2):

damon_sysfs_scheme_filter->memcg_path can be read and written by users,
via DAMON sysfs memcg_path file.  It can also be indirectly read, for the
parameters {on,off}line committing to DAMON.  The reads for parameters
committing are protected by damon_sysfs_lock to avoid the sysfs files
being destroyed while any of the parameters are being read.  But the
user-driven direct reads and writes are not protected by any lock, while
the write is deallocating the memcg_path-pointing buffer.  As a result,
the readers could read the already freed buffer (use-after-free).  Note
that the user-reads don't race when the same open file is used by the
writer, due to kernfs's open file locking.  Nonetheless, doing the reads
and writes with separate open files would be common.  Fix it by protecting
both the user-direct reads and writes with damon_sysfs_lock.

Link: https://lore.kernel.org/20260423150253.111520-1-sj@kernel.org
Link: https://lore.kernel.org/20260423150253.111520-2-sj@kernel.org
Fixes: 4f489fe6afb3 ("mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write")
Co-developed-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/sysfs-schemes.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -494,9 +494,14 @@ static ssize_t memcg_path_show(struct ko
 {
 	struct damon_sysfs_scheme_filter *filter = container_of(kobj,
 			struct damon_sysfs_scheme_filter, kobj);
+	int len;
 
-	return sysfs_emit(buf, "%s\n",
+	if (!mutex_trylock(&damon_sysfs_lock))
+		return -EBUSY;
+	len = sysfs_emit(buf, "%s\n",
 			filter->memcg_path ? filter->memcg_path : "");
+	mutex_unlock(&damon_sysfs_lock);
+	return len;
 }
 
 static ssize_t memcg_path_store(struct kobject *kobj,
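Review bot: memcg_path_show() now returns -EBUSY whenever any holder of damon_sysfs_lock is active, not only a concurrent memcg_path_store(), so a plain read of the file can fail transiently during a long commit; if mutex_trylock() is used here to match this file's existing lock discipline rather than mutex_lock_interruptible(), a short comment saying so will stop a later cleanup from "fixing" it.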
@@ -511,8 +516,13 @@ static ssize_t memcg_path_store(struct k
 		return -ENOMEM;
 
 	strscpy(path, buf, count + 1);
+	if (!mutex_trylock(&damon_sysfs_lock)) {
+		kfree(path);
+		return -EBUSY;
+	}
 	kfree(filter->memcg_path);
 	filter->memcg_path = path;
+	mutex_unlock(&damon_sysfs_lock);
 	return count;
 }
 
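Review bot: kfree(filter->memcg_path) does not have to run under damon_sysfs_lock; swap the pointers inside the critical section and free the old buffer after mutex_unlock() so the locked region is a single pointer store. Allocating and strscpy()-ing `path` before taking the lock, and freeing it on the -EBUSY path, is the right order.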




* [PATCH 6.18 185/270] PCI: Update saved_config_space upon resource assignment
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 184/270] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 186/270] PCI/AER: Clear only error bits in PCIe Device Status Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bernd Schumacher, Alexandre N.,
	Lukas Wunner, Bjorn Helgaas

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 909f7bf9b080c10df3c3b38533906dbf09ff1d8b upstream.

Bernd reports passthrough failure of a Digital Devices Cine S2 V6 DVB
adapter plugged into an ASRock X570S PG Riptide board with BIOS version
P5.41 (09/07/2023):

  ddbridge 0000:05:00.0: detected Digital Devices Cine S2 V6 DVB adapter
  ddbridge 0000:05:00.0: cannot read registers
  ddbridge 0000:05:00.0: fail

BIOS assigns an incorrect BAR to the DVB adapter which doesn't fit into the
upstream bridge window.  The kernel corrects the BAR assignment:

  pci 0000:07:00.0: BAR 0 [mem 0xfffffffffc500000-0xfffffffffc50ffff 64bit]: can't claim; no compatible bridge window
  pci 0000:07:00.0: BAR 0 [mem 0xfc500000-0xfc50ffff 64bit]: assigned

Correction of the BAR assignment happens in an x86-specific fs_initcall,
pcibios_assign_resources(), after device enumeration in a subsys_initcall.
This order was introduced at the behest of Linus in 2004:

  https://git.kernel.org/tglx/history/c/a06a30144bbc

No other architecture performs such a late BAR correction.

Bernd bisected the issue to commit a2f1e22390ac ("PCI/ERR: Ensure error
recoverability at all times"), but it only occurs in the absence of commit
4d4c10f763d7 ("PCI: Explicitly put devices into D0 when initializing").
This combination exists in stable kernel v6.12.70, but not in mainline,
hence Bernd cannot reproduce the issue with mainline.

Since a2f1e22390ac, config space is saved on enumeration, prior to BAR
correction.  Upon passthrough, the corrected BAR is overwritten with the
incorrect saved value by:

  vfio_pci_core_register_device()
    vfio_pci_set_power_state()
      pci_restore_state()

But only if the device's current_state is PCI_UNKNOWN, as it was prior to
commit 4d4c10f763d7.  Since the commit, it is PCI_D0, which changes the
behavior of vfio_pci_set_power_state() to no longer restore the state
without saving it first.

Alexandre is reporting the same issue as Bernd, but in his case, mainline
is affected as well.  The difference is that on Alexandre's system, the
host kernel binds a driver to the device which is unbound prior to
passthrough, whereas on Bernd's system no driver gets bound by the host
kernel.

Unbinding sets current_state to PCI_UNKNOWN in pci_device_remove(), so when
vfio-pci is subsequently bound to the device, pci_restore_state() is once
again called without invoking pci_save_state() first.

To robustly fix the issue, always update saved_config_space upon resource
assignment.

Reported-by: Bernd Schumacher <bernd@bschu.de>
Closes: https://lore.kernel.org/r/acfZrlP0Ua_5D3U4@eldamar.lan/
Reported-by: Alexandre N. <an.tech@mailo.com>
Closes: https://lore.kernel.org/r/dd3c3358-de0f-4a56-9c81-04aceaab4058@mailo.com/
Fixes: a2f1e22390ac ("PCI/ERR: Ensure error recoverability at all times")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Bernd Schumacher <bernd@bschu.de>
Tested-by: Alexandre N. <an.tech@mailo.com>
Cc: stable@vger.kernel.org # v6.12+
Link: https://patch.msgid.link/febc3f354e0c1f5a9f5b3ee9ffddaa44caccf651.1776268054.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/setup-res.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -102,6 +102,7 @@ static void pci_std_update_resource(stru
 	}
 
 	pci_write_config_dword(dev, reg, new);
+	dev->saved_config_space[reg / 4] = new;
 	pci_read_config_dword(dev, reg, &check);
 
 	if ((new ^ check) & mask) {
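Review bot: dev->saved_config_space[reg / 4] = new is stored before the read-back `check`, so when the device rejects the write ((new ^ check) & mask non-zero, handled below) the saved copy holds a value the hardware never accepted and a later pci_restore_state() will write it again; if that retry is intended, say so in a comment, otherwise move the store after the check. This only covers the standard-header BARs that pci_std_update_resource() programs, where reg / 4 stays within the saved header array.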
@@ -112,6 +113,7 @@ static void pci_std_update_resource(stru
 	if (res->flags & IORESOURCE_MEM_64) {
 		new = region.start >> 16 >> 16;
 		pci_write_config_dword(dev, reg + 4, new);
+		dev->saved_config_space[(reg + 4) / 4] = new;
 		pci_read_config_dword(dev, reg + 4, &check);
 		if (check != new) {
 			pci_err(dev, "%s: error updating (high %#010x != %#010x)\n",
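Review bot: the high-dword store mirrors the low one, including being placed before the `check != new` verification; keep both consistent with whatever is decided for the first hunk, and consider a tiny helper that writes a dword and updates saved_config_space so the two call sites cannot drift apart.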




* [PATCH 6.18 186/270] PCI/AER: Clear only error bits in PCIe Device Status
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 185/270] PCI: Update saved_config_space upon resource assignment Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 187/270] PCI/AER: Stop ruling out unbound devices as error source Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Shuai Xue,
	Bjorn Helgaas, Kuppuswamy Sathyanarayanan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Xue <xueshuai@linux.alibaba.com>

commit a8aeea1bf3c80cc87983689e0118770e019bd4f3 upstream.

Currently, pcie_clear_device_status() clears the entire PCIe Device Status
register (PCI_EXP_DEVSTA) by writing back the value read from the register,
which affects not only the error status bits but also other writable bits.

According to PCIe r7.0, sec 7.5.3.5, this register contains:

  - RW1C error status bits (CED, NFED, FED, URD at bits 0-3): These are the
    four error status bits that need to be cleared.

  - Read-only bits (AUXPD at bit 4, TRPND at bit 5): Writing to these has
    no effect.

  - Emergency Power Reduction Detected (bit 6): A RW1C non-error bit
    introduced in PCIe r5.0 (2019). This is currently the only writable
    non-error bit in the Device Status register. Unconditionally clearing
    this bit can interfere with other software components that rely on this
    power management indication.

  - Reserved bits (RsvdZ): These bits are required to be written as zero.
    Writing 1s to them (as the current implementation may do) violates the
    specification.

To prevent unintended side effects, modify pcie_clear_device_status() to
only write 1s to the four error status bits (CED, NFED, FED, URD), leaving
the Emergency Power Reduction Detected bit and reserved bits unaffected.

Fixes: ec752f5d54d7 ("PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL")
Suggested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260211124624.49656-1-xueshuai@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pci.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -2272,10 +2272,9 @@ EXPORT_SYMBOL_GPL(pci_set_pcie_reset_sta
 #ifdef CONFIG_PCIEAER
 void pcie_clear_device_status(struct pci_dev *dev)
 {
-	u16 sta;
-
-	pcie_capability_read_word(dev, PCI_EXP_DEVSTA, &sta);
-	pcie_capability_write_word(dev, PCI_EXP_DEVSTA, sta);
+	pcie_capability_write_word(dev, PCI_EXP_DEVSTA,
+				   PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
+				   PCI_EXP_DEVSTA_FED | PCI_EXP_DEVSTA_URD);
 }
 #endif
 
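Review bot: with the read gone, the function writes 1s to CED/NFED/FED/URD unconditionally, which is the correct RW1C idiom; but the name pcie_clear_device_status() still suggests the whole register, so add a kerneldoc comment saying only the four error status bits are cleared and that Emergency Power Reduction Detected (bit 6) is deliberately left untouched, so nobody re-adds a read/write-back later.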




* [PATCH 6.18 187/270] PCI/AER: Stop ruling out unbound devices as error source
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 186/270] PCI/AER: Clear only error bits in PCIe Device Status Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 188/270] PCI/ASPM: Fix pci_clear_and_set_config_dword() usage Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
	Stefan Roese

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 1ab4a3c805084d752ec571efc78272295a9f2f74 upstream.

When searching for the error source, the AER driver rules out devices whose
enable_cnt is zero.  This was introduced in 2009 by commit 28eb27cf0839
("PCI AER: support invalid error source IDs") without providing a
rationale.

Drivers typically call pci_enable_device() on probe, hence the enable_cnt
check essentially filters out unbound devices.  At the time of the commit,
drivers had to opt in to AER by calling pci_enable_pcie_error_reporting()
and so any AER-enabled device could be assumed to be bound to a driver.
The check thus made sense because it allowed skipping config space accesses
to devices which were known not to be the error source.

But since 2022, AER is universally enabled on all devices when they are
enumerated, cf. commit f26e58bf6f54 ("PCI/AER: Enable error reporting when
AER is native").

Errors may very well be reported by unbound devices, e.g. due to link
instability.  By ruling them out as error source, errors reported by them
are neither logged nor cleared.  When they do get bound and another error
occurs, the earlier error is reported together with the new error, which
may confuse users.  Stop doing so.

Fixes: f26e58bf6f54 ("PCI/AER: Enable error reporting when AER is native")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Cc: stable@vger.kernel.org # v6.0+
Link: https://patch.msgid.link/734338c2e8b669db5a5a3b45d34131b55ffebfca.1774605029.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pcie/aer.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -1034,8 +1034,6 @@ static bool is_error_source(struct pci_d
 	 *      3) There are multiple errors and prior ID comparing fails;
 	 * We check AER status registers to find possible reporter.
 	 */
-	if (atomic_read(&dev->enable_cnt) == 0)
-		return false;
 
 	/* Check if AER is enabled */
 	pcie_capability_read_word(dev, PCI_EXP_DEVCTL, &reg16);
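Review bot: the removed enable_cnt test was also the only thing stopping is_error_source() from touching config space of devices that may be unbound and in a low-power state; the very next statement reads PCI_EXP_DEVCTL, and a device in D3cold or behind a down link returns all ones, which would make the AER status checks that follow unreliable. Confirm the caller already skips such devices, or add a pci_dev_is_disconnected()/power-state check here. The numbered comment above is still accurate and needs no change.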




* [PATCH 6.18 188/270] PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 187/270] PCI/AER: Stop ruling out unbound devices as error source Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 189/270] power: supply: max17042: avoid overflow when determining health Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
	Adrià Vilanova Martínez

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit cc33985d26c92a5c908c0185239c59ec35b8637c upstream.

When aspm_calc_l12_info() programs the L1 PM Substates Control 1 register
fields Common_Mode_Restore_Time, LTR_L1.2_THRESHOLD_Value and _Scale, it
invokes pci_clear_and_set_config_dword() in an incorrect way:

For the bits to clear it selects those corresponding to the field.  So far
so good.  But for the bits to set it passes a full register value.
pci_clear_and_set_config_dword() performs a boolean OR operation which
sets all bits of that value, not just the ones that were just cleared.

Thus, when setting the LTR_L1.2_THRESHOLD_Value and _Scale on the child of
an ASPM link, aspm_calc_l12_info() also sets the Common_Mode_Restore_Time.
That's a spec violation:  PCIe r7.0 sec 7.8.3.3 says this field is RsvdP
for Upstream Ports.  On Adrià's Pixelbook Eve, Common_Mode_Restore_Time
of the Intel 7265 "Stone Peak" wifi card is zero, yet aspm_calc_l12_info()
does not preserve the zero bits but instead programs the value calculated
for the Root Port into the wifi card.

Likewise, when setting the Common_Mode_Restore_Time on the Root Port,
aspm_calc_l12_info() also changes the LTR_L1.2_THRESHOLD_Value and _Scale
from the initial 163840 nsec to 237568 nsec (due to ORing those fields),
only to reduce it afterwards to 106496 nsec.

Amend all invocations of pci_clear_and_set_config_dword() to only set bits
which are cleared.

Finally, when setting the T_POWER_ON_Value and _Scale on the Root Port and
the wifi card, aspm_calc_l12_info() fails to preserve bits declared RsvdP
and instead overwrites them with zeroes.  Replace pci_write_config_dword()
with pci_clear_and_set_config_dword() to avoid this.

Fixes: aeda9adebab8 ("PCI/ASPM: Configure L1 substate settings")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220705#c22
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Adrià Vilanova Martínez <me@avm99963.com>
Cc: stable@vger.kernel.org # v4.11+
Link: https://patch.msgid.link/5c1752d7512eed0f4ea57b84b12d7ee08ca61fc5.1771226659.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pcie/aspm.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/pci/pcie/aspm.c
+++ b/drivers/pci/pcie/aspm.c
@@ -706,22 +706,29 @@ static void aspm_calc_l12_info(struct pc
 	}
 
 	/* Program T_POWER_ON times in both ports */
-	pci_write_config_dword(parent, parent->l1ss + PCI_L1SS_CTL2, ctl2);
-	pci_write_config_dword(child, child->l1ss + PCI_L1SS_CTL2, ctl2);
+	pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL2,
+				       PCI_L1SS_CTL2_T_PWR_ON_VALUE |
+				       PCI_L1SS_CTL2_T_PWR_ON_SCALE, ctl2);
+	pci_clear_and_set_config_dword(child, child->l1ss + PCI_L1SS_CTL2,
+				       PCI_L1SS_CTL2_T_PWR_ON_VALUE |
+				       PCI_L1SS_CTL2_T_PWR_ON_SCALE, ctl2);
 
 	/* Program Common_Mode_Restore_Time in upstream device */
 	pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1,
-				       PCI_L1SS_CTL1_CM_RESTORE_TIME, ctl1);
+				       PCI_L1SS_CTL1_CM_RESTORE_TIME,
+				       ctl1 & PCI_L1SS_CTL1_CM_RESTORE_TIME);
 
 	/* Program LTR_L1.2_THRESHOLD time in both ports */
 	pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1,
 				       PCI_L1SS_CTL1_LTR_L12_TH_VALUE |
 				       PCI_L1SS_CTL1_LTR_L12_TH_SCALE,
-				       ctl1);
+				       ctl1 & (PCI_L1SS_CTL1_LTR_L12_TH_VALUE |
+					       PCI_L1SS_CTL1_LTR_L12_TH_SCALE));
 	pci_clear_and_set_config_dword(child, child->l1ss + PCI_L1SS_CTL1,
 				       PCI_L1SS_CTL1_LTR_L12_TH_VALUE |
 				       PCI_L1SS_CTL1_LTR_L12_TH_SCALE,
-				       ctl1);
+				       ctl1 & (PCI_L1SS_CTL1_LTR_L12_TH_VALUE |
+					       PCI_L1SS_CTL1_LTR_L12_TH_SCALE));
 
 	if (pl1_2_enables || cl1_2_enables) {
 		pci_clear_and_set_config_dword(parent,
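Review bot: the CTL1 calls now mask the set value to the cleared fields, but both CTL2 calls still pass the full ctl2 as the set value; unless ctl2 is built from nothing but the T_PWR_ON fields (not visible in this hunk), it should be masked the same way, e.g. `ctl2 & (PCI_L1SS_CTL2_T_PWR_ON_VALUE | PCI_L1SS_CTL2_T_PWR_ON_SCALE)`, otherwise the RsvdP preservation the commit message promises for T_POWER_ON is only partial.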



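The two config-space write pitfalls from the Device Status patch (186/270 above) and this L1 PM Substates patch, replayed against a toy register model as an added example (not kernel code and not from either patch author). Bit positions follow the layouts the commit messages describe; the L1SS_* field masks are assumed to match the kernel's PCI_L1SS_* definitions, and the readback value with a reserved bit set is a constructed case.

```c
#include <stdint.h>

/* Device Status (PCI_EXP_DEVSTA) bits, per the layout in the 186/270 commit message. */
#define DEVSTA_CED	(1u << 0)	/* RW1C */
#define DEVSTA_NFED	(1u << 1)	/* RW1C */
#define DEVSTA_FED	(1u << 2)	/* RW1C */
#define DEVSTA_URD	(1u << 3)	/* RW1C */
#define DEVSTA_AUXPD	(1u << 4)	/* RO */
#define DEVSTA_TRPND	(1u << 5)	/* RO */
#define DEVSTA_EPRD	(1u << 6)	/* RW1C, Emergency Power Reduction Detected */
#define DEVSTA_ERR_MASK	 (DEVSTA_CED | DEVSTA_NFED | DEVSTA_FED | DEVSTA_URD)
#define DEVSTA_RW1C_MASK (DEVSTA_ERR_MASK | DEVSTA_EPRD)
#define DEVSTA_RO_MASK	 (DEVSTA_AUXPD | DEVSTA_TRPND)

/*
 * Device side of a write: RW1C bits clear where a 1 is written, RO bits
 * ignore the write.  Returns how many 1s were written to RsvdZ bits, each
 * of which is a spec violation.
 */
static unsigned devsta_write(uint16_t *sta, uint16_t val)
{
	*sta &= ~(val & DEVSTA_RW1C_MASK);
	return __builtin_popcount(val & ~(DEVSTA_RW1C_MASK | DEVSTA_RO_MASK));
}

/* Old pcie_clear_device_status() shape: write back whatever was read. */
static uint16_t clear_status_writeback(uint16_t sta)
{
	devsta_write(&sta, sta);
	return sta;
}

/* Fixed shape: write 1s to the four error bits only. */
static uint16_t clear_status_errors_only(uint16_t sta)
{
	devsta_write(&sta, DEVSTA_ERR_MASK);
	return sta;
}

/* RsvdZ 1s emitted by the write-back approach for a given readback value. */
static unsigned rsvdz_ones_writeback(uint16_t sta)
{
	return devsta_write(&sta, sta);
}

/* L1 PM Substates Control 1/2 fields; assumed to match the kernel's PCI_L1SS_* masks. */
#define L1SS_CTL1_CM_RESTORE_TIME	0x0000ff00u
#define L1SS_CTL1_LTR_L12_TH_VALUE	0x03ff0000u
#define L1SS_CTL1_LTR_L12_TH_SCALE	0xe0000000u
#define L1SS_CTL1_LTR_L12_TH		(L1SS_CTL1_LTR_L12_TH_VALUE | L1SS_CTL1_LTR_L12_TH_SCALE)
#define L1SS_CTL2_T_PWR_ON_SCALE	0x00000003u
#define L1SS_CTL2_T_PWR_ON_VALUE	0x000000f8u
#define L1SS_CTL2_T_PWR_ON		(L1SS_CTL2_T_PWR_ON_SCALE | L1SS_CTL2_T_PWR_ON_VALUE)

/* pci_clear_and_set_config_dword() analogue: read-modify-write on a cached dword. */
static void clear_and_set_dword(uint32_t *reg, uint32_t clear, uint32_t set)
{
	*reg = (*reg & ~clear) | set;
}

/* Buggy call shape: clear the threshold fields, but OR in the whole ctl1. */
static uint32_t program_ltr_threshold_unmasked(uint32_t reg, uint32_t ctl1)
{
	clear_and_set_dword(&reg, L1SS_CTL1_LTR_L12_TH, ctl1);
	return reg;
}

/* Fixed call shape: the set value is restricted to the fields just cleared. */
static uint32_t program_ltr_threshold(uint32_t reg, uint32_t ctl1)
{
	clear_and_set_dword(&reg, L1SS_CTL1_LTR_L12_TH, ctl1 & L1SS_CTL1_LTR_L12_TH);
	return reg;
}

/* CTL2: a plain dword write (old) drops RsvdP bits; clear-and-set (new) keeps them. */
static uint32_t program_t_power_on(uint32_t reg, uint32_t ctl2, int preserve_rsvdp)
{
	if (!preserve_rsvdp)
		return ctl2;	/* pci_write_config_dword(): every other bit becomes ctl2's */
	clear_and_set_dword(&reg, L1SS_CTL2_T_PWR_ON, ctl2 & L1SS_CTL2_T_PWR_ON);
	return reg;
}
```

For an Upstream Port whose Common_Mode_Restore_Time reads as zero (RsvdP), the unmasked call leaves the Root Port's restore time programmed into the child; the masked call leaves the field untouched while still setting both threshold fields.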

* [PATCH 6.18 189/270] power: supply: max17042: avoid overflow when determining health
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 188/270] PCI/ASPM: Fix pci_clear_and_set_config_dword() usage Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 190/270] powerpc/xive: fix kmemleak caused by incorrect chip_data lookup Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, André Draszik,
	Sebastian Reichel

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: André Draszik <andre.draszik@linaro.org>

commit 9a44949da669708f19d29141e65b3ac774d08f5a upstream.

If vmax has the default value of INT_MAX (e.g. because not specified in
DT), battery health is reported as over-voltage. This is because adding
any value to vmax (the vmax tolerance in this case) causes it to wrap
around, making it negative and smaller than the measured battery
voltage.

Avoid that by using size_add().

Fixes: edd4ab055931 ("power: max17042_battery: add HEALTH and TEMP_* properties support")
Cc: stable@vger.kernel.org
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://patch.msgid.link/20260302-max77759-fg-v3-6-3c5f01dbda23@linaro.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/max17042_battery.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -201,7 +201,7 @@ static int max17042_get_battery_health(s
 		goto out;
 	}
 
-	if (vbatt > chip->pdata->vmax + MAX17042_VMAX_TOLERANCE) {
+	if (vbatt > size_add(chip->pdata->vmax, MAX17042_VMAX_TOLERANCE)) {
 		*health = POWER_SUPPLY_HEALTH_OVERVOLTAGE;
 		goto out;
 	}
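Review bot: size_add() is a size_t helper, so the comparison now promotes vbatt (an int, per the commit message's INT_MAX discussion) to unsigned; a negative vbatt would compare as a huge value and be reported as overvoltage. If vbatt can never be negative, a comment saying so is enough; otherwise check_add_overflow() on the int operands, or clamping vmax before adding, fixes the wrap without changing the comparison's signedness.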



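The overvoltage threshold computed three ways, as an added example (not driver code and not from the patch author): the wrapping pre-fix arithmetic, the patched size_add() comparison, and an int-preserving alternative. The VMAX_TOLERANCE value of 50 is assumed (the patch does not show the driver's constant), size_add_sat() assumes the kernel's size_add() saturates to SIZE_MAX, and the wrap is modelled explicitly in two's complement instead of relying on signed-overflow undefined behaviour.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define VMAX_TOLERANCE 50	/* assumed value, same units as vmax */

/* What a wrapping 32-bit `vmax + VMAX_TOLERANCE` evaluates to: INT_MAX wraps to a large negative number. */
static int64_t wrapped_threshold(int vmax)
{
	uint32_t sum = (uint32_t)vmax + (uint32_t)VMAX_TOLERANCE;	/* modular add, well defined */

	return sum >= 0x80000000u ? (int64_t)sum - 0x100000000LL : (int64_t)sum;
}

/* Pre-fix check: the default vmax = INT_MAX makes every real voltage look like overvoltage. */
static bool overvoltage_wrapping(int vbatt, int vmax)
{
	return vbatt > wrapped_threshold(vmax);
}

/* size_add() analogue: size_t addition that saturates to SIZE_MAX on overflow (assumed to match the kernel helper). */
static size_t size_add_sat(size_t a, size_t b)
{
	size_t c;

	return __builtin_add_overflow(a, b, &c) ? SIZE_MAX : c;
}

/* The patched check, literally: int vbatt is promoted to size_t for the comparison. */
static bool overvoltage_size_add(int vbatt, int vmax)
{
	return vbatt > size_add_sat((size_t)vmax, VMAX_TOLERANCE);
}

/* Alternative keeping int semantics: saturate the threshold at INT_MAX and compare as signed. */
static bool overvoltage_checked(int vbatt, int vmax)
{
	int thresh;

	if (__builtin_add_overflow(vmax, VMAX_TOLERANCE, &thresh))
		thresh = INT_MAX;
	return vbatt > thresh;
}
```

The size_add() form fixes the INT_MAX case, but a negative vbatt becomes SIZE_MAX after promotion and is reported as overvoltage; the checked form keeps the comparison signed, which matters only if the measured value can ever be negative.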

* [PATCH 6.18 190/270] powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 189/270] power: supply: max17042: avoid overflow when determining health Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 191/270] perf/x86/intel: Always reprogram ACR events to prevent stale masks Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nilay Shroff, Venkat Rao Bagalkote,
	Nam Cao, Madhavan Srinivasan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nilay Shroff <nilay@linux.ibm.com>

commit 6771c54728c278bf1e4bfdab4fddbbb186e33498 upstream.

The kmemleak reports the following memory leak:

Unreferenced object 0xc0000002a7fbc640 (size 64):
  comm "kworker/8:1", pid 540, jiffies 4294937872
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................
    00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................
  backtrace (crc 177d48f6):
    __kmalloc_cache_noprof+0x520/0x730
    xive_irq_alloc_data.constprop.0+0x40/0xe0
    xive_irq_domain_alloc+0xd0/0x1b0
    irq_domain_alloc_irqs_parent+0x44/0x6c
    pseries_irq_domain_alloc+0x1cc/0x354
    irq_domain_alloc_irqs_parent+0x44/0x6c
    msi_domain_alloc+0xb0/0x220
    irq_domain_alloc_irqs_locked+0x138/0x4d0
    __irq_domain_alloc_irqs+0x8c/0xfc
    __msi_domain_alloc_irqs+0x214/0x4d8
    msi_domain_alloc_irqs_all_locked+0x70/0xf8
    pci_msi_setup_msi_irqs+0x60/0x78
    __pci_enable_msix_range+0x54c/0x98c
    pci_alloc_irq_vectors_affinity+0x16c/0x1d4
    nvme_pci_enable+0xac/0x9c0 [nvme]
    nvme_probe+0x340/0x764 [nvme]

This occurs when allocating MSI-X vectors for an NVMe device. During
allocation the XIVE code creates a struct xive_irq_data and stores it
in irq_data->chip_data.

When the MSI-X irqdomain is later freed, xive_irq_free_data() is
responsible for retrieving this structure and freeing it. However,
after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child
interrupt controller drivers"), xive_irq_free_data() retrieves the
chip_data using irq_get_chip_data(), which looks up the data through
the child domain.

This is incorrect because the XIVE-specific irq data is associated with
the XIVE (parent) domain. As a result the lookup fails and the allocated
struct xive_irq_data is never freed, leading to the kmemleak report
shown above.

Fix this by retrieving the irq_data from the correct domain using
irq_domain_get_irq_data() and then accessing the chip_data via
irq_data_get_irq_chip_data().

Cc: stable@vger.kernel.org
Fixes: cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers")
Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Reviewed-by: Nam Cao <namcao@linutronix.de>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260311134336.326996-1-nilay@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/sysdev/xive/common.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/arch/powerpc/sysdev/xive/common.c
+++ b/arch/powerpc/sysdev/xive/common.c
@@ -1038,13 +1038,19 @@ static struct xive_irq_data *xive_irq_al
 	return xd;
 }
 
-static void xive_irq_free_data(unsigned int virq)
+static void xive_irq_free_data(struct irq_domain *domain, unsigned int virq)
 {
-	struct xive_irq_data *xd = irq_get_chip_data(virq);
+	struct xive_irq_data *xd;
+	struct irq_data *data = irq_domain_get_irq_data(domain, virq);
+
+	if (!data)
+		return;
 
+	xd = irq_data_get_irq_chip_data(data);
 	if (!xd)
 		return;
-	irq_set_chip_data(virq, NULL);
+
+	irq_domain_reset_irq_data(data);
 	xive_cleanup_irq_data(xd);
 	kfree(xd);
 }
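Review bot: `irq_domain_reset_irq_data(data)` is a wider reset than the `irq_set_chip_data(virq, NULL)` it replaces (in the core it also clears `hwirq` and detaches the chip), and the `xive_irq_domain_unmap()` caller still runs while the virq is mapped; a one-line comment confirming that `xive_cleanup_irq_data(xd)` only needs `xd` and never goes back through `data` would settle that for future readers. Also, the new `if (!data) return;` silently swallows exactly the lookup failure this patch is fixing; a `pr_debug()` or `WARN_ON_ONCE()` there would make a regression visible instead of quietly reintroducing the leak.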
@@ -1304,7 +1310,7 @@ static int xive_irq_domain_map(struct ir
 
 static void xive_irq_domain_unmap(struct irq_domain *d, unsigned int virq)
 {
-	xive_irq_free_data(virq);
+	xive_irq_free_data(d, virq);
 }
 
 static int xive_irq_domain_xlate(struct irq_domain *h, struct device_node *ct,
@@ -1442,7 +1448,7 @@ static void xive_irq_domain_free(struct
 	pr_debug("%s %d #%d\n", __func__, virq, nr_irqs);
 
 	for (i = 0; i < nr_irqs; i++)
-		xive_irq_free_data(virq + i);
+		xive_irq_free_data(domain, virq + i);
 }
 #endif
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 191/270] perf/x86/intel: Always reprogram ACR events to prevent stale masks
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 190/270] powerpc/xive: fix kmemleak caused by incorrect chip_data lookup Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 192/270] RDMA/ionic: bound node_desc sysfs read with %.64s Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Peter Zijlstra (Intel)

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dapeng Mi <dapeng1.mi@linux.intel.com>

commit 8ba0b706a485b1e607594cf4210786d517ad1611 upstream.

Members of an ACR group are logically linked via a bitmask of their
hardware counter indices. If some members of the group are assigned new
hardware counters during rescheduling, even events that keep their
original counter index must be updated with a new mask.

Without this, an event will continue to use a stale acr_mask that
references the old indices of its group peers. Ensure all ACR events are
reprogrammed during the scheduling path to maintain consistency across
the group.

Fixes: ec980e4facef ("perf/x86/intel: Support auto counter reload")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260430002558.712334-3-dapeng1.mi@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/events/core.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1281,13 +1281,16 @@ int x86_perf_rdpmc_index(struct perf_eve
 	return event->hw.event_base_rdpmc;
 }
 
-static inline int match_prev_assignment(struct hw_perf_event *hwc,
+static inline int match_prev_assignment(struct perf_event *event,
 					struct cpu_hw_events *cpuc,
 					int i)
 {
+	struct hw_perf_event *hwc = &event->hw;
+
 	return hwc->idx == cpuc->assign[i] &&
-		hwc->last_cpu == smp_processor_id() &&
-		hwc->last_tag == cpuc->tags[i];
+	       hwc->last_cpu == smp_processor_id() &&
+	       hwc->last_tag == cpuc->tags[i] &&
+	       !is_acr_event_group(event);
 }
 
 static void x86_pmu_start(struct perf_event *event, int flags);
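Review bot: the added `!is_acr_event_group(event)` term makes every ACR-group event report "no match" on every scheduling pass, not only when a peer's counter moved, so the fix works by always reprogramming them. That is fine for correctness but deserves a comment above the `return`, because a reader of `match_prev_assignment()` alone will assume the three hardware checks are the whole story. Consider documenting that the function now answers "may this event skip reprogramming" rather than "does the previous assignment match".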
@@ -1333,7 +1336,7 @@ static void x86_pmu_enable(struct pmu *p
 			 * - no other event has used the counter since
 			 */
 			if (hwc->idx == -1 ||
-			    match_prev_assignment(hwc, cpuc, i))
+			    match_prev_assignment(event, cpuc, i))
 				continue;
 
 			/*
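Review bot: the block comment whose tail is visible here (`- no other event has used the counter since`) lists the conditions under which an event is left untouched; with ACR events now always failing `match_prev_assignment()`, add a bullet saying that ACR group members are always reprogrammed because their `acr_mask` depends on their peers' counter indices.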
@@ -1354,7 +1357,7 @@ static void x86_pmu_enable(struct pmu *p
 			event = cpuc->event_list[i];
 			hwc = &event->hw;
 
-			if (!match_prev_assignment(hwc, cpuc, i))
+			if (!match_prev_assignment(event, cpuc, i))
 				x86_assign_hw_event(event, cpuc, i);
 			else if (i < n_running)
 				continue;



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 192/270] RDMA/ionic: bound node_desc sysfs read with %.64s
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 191/270] perf/x86/intel: Always reprogram ACR events to prevent stale masks Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 193/270] RDMA/ionic: Fix typo in format string Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kai Aizen, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Zen <kai.aizen.dev@gmail.com>

commit 654a27f25530d052eeedf086e6c3e2d585c203bd upstream.

node_desc[64] in struct ib_device is not guaranteed to be NUL-
terminated. The core IB sysfs handler uses "%.64s" for exactly this
reason (drivers/infiniband/core/sysfs.c:1307), since node_desc_store()
performs a raw memcpy of up to IB_DEVICE_NODE_DESC_MAX bytes with no NUL
termination:

  memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));

If exactly 64 bytes are written via the node_desc sysfs file, the array
contains no NUL byte. The ionic hca_type_show() handler uses unbounded
"%s" and will read past the end of node_desc into adjacent fields of
struct ib_device until it encounters a NUL.

ionic supports IB_DEVICE_MODIFY_NODE_DESC, so this is triggerable by
userspace.

Match the core handler and bound the format specifier.

Cc: stable@vger.kernel.org
Fixes: 2075bbe8ef03 ("RDMA/ionic: Register device ops for miscellaneous functionality")
Link: https://patch.msgid.link/r/CALynFi7NAbhDCt1tdaDbf6TnLvAqbaHa6-Wqf6OkzREbA_PAfg@mail.gmail.com
Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/ionic/ionic_ibdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/ionic/ionic_ibdev.c b/drivers/infiniband/hw/ionic/ionic_ibdev.c
index bd4c73e530d0..0382a64839d2 100644
--- a/drivers/infiniband/hw/ionic/ionic_ibdev.c
+++ b/drivers/infiniband/hw/ionic/ionic_ibdev.c
@@ -185,7 +185,7 @@ static ssize_t hca_type_show(struct device *device,
 	struct ionic_ibdev *dev =
 		rdma_device_to_drv_device(device, struct ionic_ibdev, ibdev);
 
-	return sysfs_emit(buf, "%s\n", dev->ibdev.node_desc);
+	return sysfs_emit(buf, "%s.64\n", dev->ibdev.node_desc);
 }
 static DEVICE_ATTR_RO(hca_type);
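Review bot: the format string on the `+` line is `"%s.64\n"`, which is still an unbounded `%s` followed by the literal text `.64`; the bounded precision form the commit message describes is `"%.64s\n"`. As written the over-read this patch is meant to close remains, and the sysfs output gains a spurious `.64` suffix. The intended line is `return sysfs_emit(buf, "%.64s\n", dev->ibdev.node_desc);`.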
 
-- 
2.54.0




^ permalink raw reply related	[flat|nested] 282+ messages in thread

* [PATCH 6.18 193/270] RDMA/ionic: Fix typo in format string
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 192/270] RDMA/ionic: bound node_desc sysfs read with %.64s Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 194/270] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Brad Spengler, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 70f780edcd1e86350202d8a409de026b2d2e2067 upstream.

Applying the corrupted patch by hand mangled the format string, put the s
in the right place.

Cc: stable@vger.kernel.org
Fixes: 654a27f25530 ("RDMA/ionic: bound node_desc sysfs read with %.64s")
Link: https://patch.msgid.link/r/1-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reported-by: Brad Spengler <brad.spengler@opensrcsec.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/ionic/ionic_ibdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/ionic/ionic_ibdev.c b/drivers/infiniband/hw/ionic/ionic_ibdev.c
index 0382a64839d2..73a616ae3502 100644
--- a/drivers/infiniband/hw/ionic/ionic_ibdev.c
+++ b/drivers/infiniband/hw/ionic/ionic_ibdev.c
@@ -185,7 +185,7 @@ static ssize_t hca_type_show(struct device *device,
 	struct ionic_ibdev *dev =
 		rdma_device_to_drv_device(device, struct ionic_ibdev, ibdev);
 
-	return sysfs_emit(buf, "%s.64\n", dev->ibdev.node_desc);
+	return sysfs_emit(buf, "%.64s\n", dev->ibdev.node_desc);
 }
 static DEVICE_ATTR_RO(hca_type);
 
-- 
2.54.0




^ permalink raw reply related	[flat|nested] 282+ messages in thread

* [PATCH 6.18 194/270] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 193/270] RDMA/ionic: Fix typo in format string Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 195/270] RDMA/mana: Fix mana_destroy_wq_obj() cleanup " Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 6aaa978c6b6218cfac15fe1dab17c76fe229ce3f upstream.

Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal
destroy path cleans it up.

Cc: stable@vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/7-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mana/qp.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -236,13 +236,15 @@ static int mana_ib_create_qp_rss(struct
 		ibdev_dbg(&mdev->ib_dev,
 			  "Failed to copy to udata create rss-qp, %d\n",
 			  ret);
-		goto fail;
+		goto err_disable_vport_rx;
 	}
 
 	kfree(mana_ind_table);
 
 	return 0;
 
+err_disable_vport_rx:
+	mana_disable_vport_rx(mpc);
 fail:
 	while (i-- > 0) {
 		ibwq = ind_tbl->ind_tbl[i];
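Review bot: the new `err_disable_vport_rx` label undoes `mana_ib_cfg_vport_steering()` via `mana_disable_vport_rx(mpc)`, but only the `ib_copy_to_udata` failure jumps there; any other failure between the steering configuration and the udata copy (none is visible in this hunk, so please confirm there is none) would still leak it. A short comment at the label naming the call it reverses would help, since neither the label nor the callee mentions the function that created the state.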



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 195/270] RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 194/270] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 196/270] RDMA/mana: Remove user triggerable WARN_ON() " Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 34ecf795692ee57c393109f4a24ccc313091e137 upstream.

Sashiko points out there are two bugs here in the error unwind flow, both
related to how the WQ table is unwound.

First there is a double i-- on the first failure path due to the while loop
having an i--, remove it.


Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not
undone due to the above i--.

Cc: stable@vger.kernel.org
Fixes: c15d7802a424 ("RDMA/mana_ib: Add CQ interrupt support for RAW QP")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
Link: https://patch.msgid.link/r/6-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mana/qp.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -194,11 +194,8 @@ static int mana_ib_create_qp_rss(struct
 
 		ret = mana_create_wq_obj(mpc, mpc->port_handle, GDMA_RQ,
 					 &wq_spec, &cq_spec, &wq->rx_object);
-		if (ret) {
-			/* Do cleanup starting with index i-1 */
-			i--;
+		if (ret)
 			goto fail;
-		}
 
 		/* The GDMA regions are now owned by the WQ object */
 		wq->queue.gdma_region = GDMA_INVALID_DMA_REGION;
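Review bot: with the explicit `i--` gone, the unwind `while (i-- > 0)` under `fail:` still starts at index `i-1` because of the post-decrement, so the entry whose `mana_create_wq_obj()` failed is correctly skipped; a comment at this `goto fail` noting that the loop handles the partial entry would stop the next reader from re-adding the decrement.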
@@ -218,8 +215,10 @@ static int mana_ib_create_qp_rss(struct
 
 		/* Create CQ table entry */
 		ret = mana_ib_install_cq_cb(mdev, cq);
-		if (ret)
+		if (ret) {
+			mana_destroy_wq_obj(mpc, GDMA_RQ, wq->rx_object);
 			goto fail;
+		}
 	}
 	resp.num_entries = i;
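Review bot: after `mana_destroy_wq_obj(mpc, GDMA_RQ, wq->rx_object)` on the `mana_ib_install_cq_cb()` failure, `wq->rx_object` still holds the destroyed handle while `fail:` unwinds indices `0..i-1`; that is safe only as long as nothing later looks at entry `i`'s `rx_object` (for example a generic destroy path). Resetting it to the driver's invalid-handle value right after the destroy would make the state unambiguous.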
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 196/270] RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 195/270] RDMA/mana: Fix mana_destroy_wq_obj() cleanup " Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 197/270] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 159f2efabc89d3f931d38f2d35876535d4abf0a3 upstream.

Sashiko points out that the user can specify WQs sharing the same CQ as a
part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
the kernel.

Just reject it outright and fail the QP creation.

Cc: stable@vger.kernel.org
Fixes: c15d7802a424 ("RDMA/mana_ib: Add CQ interrupt support for RAW QP")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
Link: https://patch.msgid.link/r/5-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mana/cq.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/mana/cq.c
+++ b/drivers/infiniband/hw/mana/cq.c
@@ -144,8 +144,9 @@ int mana_ib_install_cq_cb(struct mana_ib
 
 	if (cq->queue.id >= gc->max_num_cqs)
 		return -EINVAL;
-	/* Create CQ table entry */
-	WARN_ON(gc->cq_table[cq->queue.id]);
+	/* Create CQ table entry, sharing a CQ between WQs is not supported */
+	if (gc->cq_table[cq->queue.id])
+		return -EINVAL;
 	if (cq->queue.kmem)
 		gdma_cq = cq->queue.kmem;
 	else
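Review bot: the duplicate-CQ rejection returns the same `-EINVAL` as the preceding range check, so userspace cannot tell "CQ id out of range" from "CQ already bound to another WQ"; `-EBUSY` or `-EEXIST` for the second case would be more descriptive. Separately, check-then-assign on `gc->cq_table[]` is only safe if this function is always called under the lock that serialises the table (not visible in the hunk); if it is not, two concurrent QP creations could both pass the check.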



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 197/270] RDMA/mana: Validate rx_hash_key_len
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 196/270] RDMA/mana: Remove user triggerable WARN_ON() " Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:39 ` [PATCH 6.18 198/270] RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 6dd2d4ad9c8429523b1c220c5132bd551c006425 upstream.

Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
blindly passed to memcpy, allowing the userspace to trash kernel
memory. Bounds check it so the memcpy cannot overflow.

Cc: stable@vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
Link: https://patch.msgid.link/r/4-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mana/qp.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(st
 
 	gc = mdev_to_gc(dev);
 
+	if (rx_hash_key_len > sizeof(req->hashkey))
+		return -EINVAL;
+
 	req_buf_size = struct_size(req, indir_tab, MANA_INDIRECT_TABLE_DEF_SIZE);
 	req = kzalloc(req_buf_size, GFP_KERNEL);
 	if (!req)
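Review bot: the bounds check uses `sizeof(req->hashkey)` while `req` is still unassigned; that is legal because `sizeof` does not evaluate its operand, but a comment would spare reviewers a double take. The check also only rejects oversized keys: a shorter key is accepted and the rest of `req->hashkey` stays zero thanks to `kzalloc()`, which is worth stating explicitly if the hardware expects a full-length key.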



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 198/270] RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 197/270] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
@ 2026-05-12 17:39 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 199/270] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:39 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit c9341307ea16b9395c2e4c9c94d8499d91fe31d0 upstream.

Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.

Cc: stable@vger.kernel.org
Fixes: 30353bfc43a1 ("net/mlx4_core: Use RCU to perform radix tree lookup for SRQ")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=5
Link: https://patch.msgid.link/r/12-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/srq.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/srq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/srq.c
@@ -44,13 +44,14 @@ void mlx4_srq_event(struct mlx4_dev *dev
 {
 	struct mlx4_srq_table *srq_table = &mlx4_priv(dev)->srq_table;
 	struct mlx4_srq *srq;
+	unsigned long flags;
 
-	rcu_read_lock();
+	spin_lock_irqsave(&srq_table->lock, flags);
 	srq = radix_tree_lookup(&srq_table->tree, srqn & (dev->caps.num_srqs - 1));
-	rcu_read_unlock();
-	if (srq)
-		refcount_inc(&srq->refcount);
-	else {
+	if (!srq || !refcount_inc_not_zero(&srq->refcount))
+		srq = NULL;
+	spin_unlock_irqrestore(&srq_table->lock, flags);
+	if (!srq) {
 		mlx4_warn(dev, "Async event for bogus SRQ %08x\n", srqn);
 		return;
 	}
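Review bot: doing the lookup under `srq_table->lock` with `irqsave` is the right choice if `mlx4_srq_event()` can run from interrupt context, but it means the table spinlock is now taken on every async SRQ event; confirm the insert/remove paths use the same lock, otherwise the `refcount_inc_not_zero()` result is not meaningful. The warning text "bogus SRQ" now also covers an SRQ that exists but is still initialising (refcount 0); a distinct message for that case would make logs easier to triage.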
@@ -203,8 +204,8 @@ int mlx4_srq_alloc(struct mlx4_dev *dev,
 	if (err)
 		goto err_radix;
 
-	refcount_set(&srq->refcount, 1);
 	init_completion(&srq->free);
+	refcount_set_release(&srq->refcount, 1);
 
 	return 0;
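Review bot: moving `refcount_set_release(&srq->refcount, 1)` after `init_completion()` is the key ordering: the radix tree insert (the `err_radix` unwind above shows it precedes this point) makes the srq findable while its refcount is still 0, and `refcount_inc_not_zero()` in `mlx4_srq_event()` relies on that 0 to reject it. A comment here stating that refcount 0 means "inserted but not yet initialised" would document the invariant, since `refcount_inc_not_zero()` itself gives no acquire ordering and the reader side depends on the spinlock for visibility.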
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 199/270] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2026-05-12 17:39 ` [PATCH 6.18 198/270] RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 200/270] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c upstream.

Sashiko points out that mlx4_srq_alloc() was not undone during error
unwind, add the missing call to mlx4_srq_free().

Cc: stable@vger.kernel.org
Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=8
Link: https://patch.msgid.link/r/11-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx4/srq.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/srq.c
+++ b/drivers/infiniband/hw/mlx4/srq.c
@@ -193,13 +193,15 @@ int mlx4_ib_create_srq(struct ib_srq *ib
 	if (udata)
 		if (ib_copy_to_udata(udata, &srq->msrq.srqn, sizeof (__u32))) {
 			err = -EFAULT;
-			goto err_wrid;
+			goto err_srq;
 		}
 
 	init_attr->attr.max_wr = srq->msrq.max - 1;
 
 	return 0;
 
+err_srq:
+	mlx4_srq_free(dev->dev, &srq->msrq);
 err_wrid:
 	if (udata)
 		mlx4_ib_db_unmap_user(ucontext, &srq->db);
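Review bot: `err_srq` correctly undoes `mlx4_srq_alloc()` before falling into `err_wrid`, but it only catches the `ib_copy_to_udata()` failure; if any other step between `mlx4_srq_alloc()` and the udata copy can fail (not visible in this hunk), it needs the same label. Also check that `mlx4_srq_free()` is safe for an SRQ that was never handed to userspace, i.e. that it does not wait on a completion only a started SRQ would signal.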



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 200/270] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 199/270] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 201/270] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp() Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 upstream.

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

Cc: stable@vger.kernel.org
Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3181,6 +3181,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5
 			    "Couldn't create SRQ 1 for res init, err=%pe\n",
 			    s1);
 		ib_destroy_srq(s0);
+		goto unlock;
 	}
 
 	devr->s0 = s0;
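Review bot: `goto unlock` after `ib_destroy_srq(s0)` fixes the fall-through, but the hunk does not show a return value being set from `s1` before the jump; if the error variable is not already `PTR_ERR(s1)` at this point, the function will unlock and report success with `devr->s0`/`devr->s1` left unset. Please confirm, or add `ret = PTR_ERR(s1);` (or whatever the local is named) before the `goto`.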



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 201/270] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 200/270] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 202/270] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 34fbf48cf3b410d2a6e8c586fa952a36331ca5ba upstream.

Sashiko points out that pd->uctx isn't initialized until late in the
function so all these error flow references are NULL and will crash. Use
the uctx that isn't NULL.

Cc: stable@vger.kernel.org
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/9-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct o
 
 ucopy_err:
 	if (pd->dpp_enabled)
-		ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE);
+		ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE);
 dpp_map_err:
-	ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size);
+	ocrdma_del_mmap(uctx, db_page_addr, db_page_size);
 	return status;
 }
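Review bot: switching both `ocrdma_del_mmap()` calls to the local `uctx` fixes the NULL deref, but the same unwind still reads `pd->dpp_enabled`; if that field is set at the same late point as `pd->uctx`, the `ucopy_err` path would skip the dpp unmap. Worth verifying its initialisation order in the same function.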
 



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 202/270] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 201/270] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 203/270] RDMA/rxe: Reject unknown opcodes before ICRC processing Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Zhu Yanjun,
	Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 1114c87aa6f195cf07da55a27b2122ae26557b26 upstream.

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c
unconditionally dereferences 8 bytes at payload_addr(pkt):

    value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==
resid == 0 because the length validation only compared pktlen against
resid. A remote initiator that sets the RETH length to 0 therefore reaches
atomic_write_reply() with a zero-byte logical payload, and the responder
reads sizeof(u64) bytes from past the logical end of the packet into
skb->head tailroom, then writes those 8 bytes into the attacker's MR via
rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel
tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is
protocol-invalid. Hoist a strict length check into check_rkey() so the
responder never reaches the unchecked dereference, and keep the existing
WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained
zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer
bytes into the attacker's MR, including recognisable kernel strings and
partial kernel-direct-map pointer words.  With this patch applied the
responder rejects the PDU and the MR stays all-zero.

Cc: stable@vger.kernel.org
Fixes: 034e285f8b99 ("RDMA/rxe: Make responder support atomic write on RC service")
Link: https://patch.msgid.link/r/20260418162141.3610201-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_resp.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -526,7 +526,19 @@ static enum resp_states check_rkey(struc
 	}
 
 skip_check_range:
-	if (pkt->mask & (RXE_WRITE_MASK | RXE_ATOMIC_WRITE_MASK)) {
+	if (pkt->mask & RXE_ATOMIC_WRITE_MASK) {
+		/* IBA oA19-28: ATOMIC_WRITE payload is exactly 8 bytes.
+		 * Reject any other length before the responder reads
+		 * sizeof(u64) bytes from payload_addr(pkt); a shorter
+		 * payload would read past the logical end of the packet
+		 * into skb->head tailroom.
+		 */
+		if (resid != sizeof(u64) || pktlen != sizeof(u64) ||
+		    bth_pad(pkt)) {
+			state = RESPST_ERR_LENGTH;
+			goto err;
+		}
+	} else if (pkt->mask & RXE_WRITE_MASK) {
 		if (resid > mtu) {
 			if (pktlen != mtu || bth_pad(pkt)) {
 				state = RESPST_ERR_LENGTH;
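Review bot: the new branch checks `resid`, `pktlen` and `bth_pad()` against an exact 8-byte payload and returns `RESPST_ERR_LENGTH`, which closes the zero-length read the commit describes. Since ATOMIC_WRITE is now split out of the former shared `RXE_WRITE_MASK | RXE_ATOMIC_WRITE_MASK` condition, verify that no opcode sets both masks; otherwise the `else if` would silently skip the WRITE-family MTU logic for it. A one-line note that the order of the two branches is intentional would help.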




* [PATCH 6.18 203/270] RDMA/rxe: Reject unknown opcodes before ICRC processing
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 202/270] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 204/270] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Zhu Yanjun,
	Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4c6f86d85d03cdb33addce86aa69aa795ca6c47a upstream.

Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC
before payload_size() in rxe_rcv"), a single unauthenticated UDP packet
can still trigger panic.  That patch handled payload_size() underflow only
for valid opcodes with short packets, not for packets carrying an unknown
opcode.  The unknown-opcode OOB read described below predates that commit
and reaches back to the initial Soft RoCE driver.

The check added there reads

    pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE

where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The
rxe_opcode[] array has 256 entries but is only populated for defined IB
opcodes; any other entry (for example opcode 0xff) is zero-initialized, so
length == 0 and the check degenerates to

    pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE

which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes

    rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES

which underflows when length == 0 and passes a huge value to rxe_crc32(),
causing an out-of-bounds read of the skb payload.

Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with
CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after

    rdma link add rxe0 type rxe netdev eth0

A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and
QPN=IB_MULTICAST_QPN triggers:

    BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
    Read of size 1 at addr ...
    The buggy address is located 0 bytes to the right of
     allocated 704-byte region
    Call Trace:
     crc32_le+0x115/0x170
     rxe_icrc_hdr.isra.0+0x226/0x300
     rxe_icrc_check+0x13f/0x3a0
     rxe_rcv+0x6e1/0x16e0
     rxe_udp_encap_recv+0x20a/0x320
     udp_queue_rcv_one_skb+0x7ed/0x12c0

Subsequent packets with the same shape fault on unmapped memory and panic
the kernel.  The trigger requires only module load and "rdma link add"; no
QP, no connection, and no authentication.

Fix this by rejecting packets whose opcode has no rxe_opcode[] entry,
detected via the zero mask or zero length, before any length arithmetic
runs.

Cc: stable@vger.kernel.org
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260414111555.3386793-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_recv.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/infiniband/sw/rxe/rxe_recv.c
+++ b/drivers/infiniband/sw/rxe/rxe_recv.c
@@ -330,6 +330,17 @@ void rxe_rcv(struct sk_buff *skb)
 	pkt->qp = NULL;
 	pkt->mask |= rxe_opcode[pkt->opcode].mask;
 
+	/*
+	 * Unknown opcodes have a zero-initialized rxe_opcode[] entry, so
+	 * both mask and length are 0.  Reject them before any length math:
+	 * rxe_icrc_hdr() would otherwise compute length - RXE_BTH_BYTES
+	 * and pass the underflowed value to rxe_crc32(), producing an
+	 * out-of-bounds read.
+	 */
+	if (unlikely(!rxe_opcode[pkt->opcode].mask ||
+		     !rxe_opcode[pkt->opcode].length))
+		goto drop;
+
 	if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
 		       RXE_ICRC_SIZE))
 		goto drop;
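Review bot: the condition drops on `!mask || !length`, but the comment only justifies the length half (the `length - RXE_BTH_BYTES` underflow); say why an entry with a length but no mask must also be dropped, or reduce the test to the field the fix depends on, so a later reader does not "simplify" it. Minor: `rxe_opcode[pkt->opcode]` is now looked up three times in four lines; a local `const struct rxe_opcode_info *info` would read better and avoids re-indexing by an attacker-chosen byte.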



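The two rxe fixes above (202/270 and 203/270) are easiest to see side by side in a small user-space model. The following C program is an added example, not code from the kernel or from either patch: its opcode table, `struct pkt`, `header_size()`, `payload_size()`, `icrc_hdr_len()` and the RXE_* constants are simplified stand-ins for rxe_opcode[], struct rxe_pkt_info and the rxe helpers, the opcode numbers and header sizes are chosen for illustration, and the responder rule is reduced to the single-packet `payload_size == resid` case (the kernel's mtu and pad handling is omitted). The sample packets are constructed inline.

```c
/*
 * Added example (not kernel code): user-space model of the rxe receive
 * path length gates fixed by patches 202 and 203. Names and numbers are
 * stand-ins for rxe_opcode[], struct rxe_pkt_info and the RXE_* macros.
 */
#include <stdbool.h>
#include <stdio.h>

#define RXE_BTH_BYTES  12u   /* base transport header */
#define RXE_RETH_BYTES 16u   /* RDMA extended transport header */
#define RXE_ICRC_SIZE   4u
#define RXE_WRITE_MASK        (1u << 0)
#define RXE_ATOMIC_WRITE_MASK (1u << 1)

/* Illustrative opcode numbers for this model (assumption, not IBA values). */
#define OP_RDMA_WRITE_ONLY 0x0a
#define OP_ATOMIC_WRITE    0x1d
#define OP_UNKNOWN         0xff

struct opcode_info { unsigned mask; unsigned length; };

/* Stand-in for rxe_opcode[256]: two entries populated, every other entry
 * all-zero, exactly like an undefined opcode in the kernel table. */
static const struct opcode_info opcode_tbl[256] = {
	[OP_RDMA_WRITE_ONLY] = { RXE_WRITE_MASK,        RXE_BTH_BYTES + RXE_RETH_BYTES },
	[OP_ATOMIC_WRITE]    = { RXE_ATOMIC_WRITE_MASK, RXE_BTH_BYTES + RXE_RETH_BYTES },
};

struct pkt {
	unsigned char opcode;
	unsigned pad;     /* bth_pad(): 0..3 bytes between payload and ICRC */
	unsigned paylen;  /* bytes after UDP: headers + payload + pad + ICRC */
	unsigned resid;   /* transfer length the request header claims (assumption: peer-controlled) */
};

static struct pkt make_pkt(unsigned char opcode, unsigned pad, unsigned paylen, unsigned resid)
{
	struct pkt p = { opcode, pad, paylen, resid };
	return p;
}

static unsigned header_size(struct pkt p) { return opcode_tbl[p.opcode].length; }

/* Bytes rxe_icrc_hdr() would hash after the BTH: wraps to ~4 GiB when the
 * table entry is zero, which is the out-of-bounds read in patch 203. */
static unsigned icrc_hdr_len(struct pkt p) { return opcode_tbl[p.opcode].length - RXE_BTH_BYTES; }

/* rxe_rcv() gate as of commit 7244491dab34: with length == 0 it accepts
 * anything of at least pad + ICRC bytes. */
static bool rcv_accepts_before(struct pkt p)
{
	return p.paylen >= header_size(p) + p.pad + RXE_ICRC_SIZE;
}

/* Same gate with patch 203's unknown-opcode rejection in front of it. */
static bool rcv_accepts_after(struct pkt p)
{
	const struct opcode_info *info = &opcode_tbl[p.opcode];

	if (!info->mask || !info->length)
		return false;
	return rcv_accepts_before(p);
}

/* payload_size(): only meaningful once the rcv gate has passed. */
static unsigned payload_size(struct pkt p)
{
	return p.paylen - header_size(p) - p.pad - RXE_ICRC_SIZE;
}

/* check_rkey() before patch 202, reduced to the single-packet case: WRITE
 * and ATOMIC_WRITE share one rule, so resid == 0 with a 0-byte payload
 * passes, and the responder then reads sizeof(u64) bytes regardless. */
static bool resp_accepts_before(struct pkt p)
{
	if (opcode_tbl[p.opcode].mask & (RXE_WRITE_MASK | RXE_ATOMIC_WRITE_MASK))
		return payload_size(p) == p.resid;
	return true;
}

/* After patch 202: ATOMIC_WRITE is exactly 8 bytes, no padding; RDMA WRITE
 * keeps the old rule. */
static bool resp_accepts_after(struct pkt p)
{
	if (opcode_tbl[p.opcode].mask & RXE_ATOMIC_WRITE_MASK)
		return p.resid == 8 && payload_size(p) == 8 && p.pad == 0;
	return resp_accepts_before(p);
}

int main(void)
{
	/* Constructed inputs: a 40-byte datagram with an undefined opcode,
	 * and ATOMIC_WRITE requests carrying 0 and 8 payload bytes. */
	struct pkt unknown = make_pkt(OP_UNKNOWN, 0, 40, 0);
	struct pkt aw_zero = make_pkt(OP_ATOMIC_WRITE, 0, 32, 0);
	struct pkt aw_good = make_pkt(OP_ATOMIC_WRITE, 0, 40, 8);

	printf("unknown opcode: rcv before=%d after=%d icrc_hdr_len=%u\n",
	       rcv_accepts_before(unknown), rcv_accepts_after(unknown), icrc_hdr_len(unknown));
	printf("0-byte ATOMIC_WRITE: resp before=%d after=%d\n",
	       resp_accepts_before(aw_zero), resp_accepts_after(aw_zero));
	printf("8-byte ATOMIC_WRITE: resp before=%d after=%d\n",
	       resp_accepts_before(aw_good), resp_accepts_after(aw_good));
	return 0;
}
```

The point of the model is the ordering: the rcv gate must reject an undefined opcode before any arithmetic on its table entry, and the responder must pin ATOMIC_WRITE to its protocol-fixed size rather than trusting the length the request claims.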

* [PATCH 6.18 204/270] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 203/270] RDMA/rxe: Reject unknown opcodes before ICRC processing Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 205/270] sched_ext: idle: Recheck prev_cpu after narrowing allowed mask Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit e38e86995df27f1f854063dab1f0c6a513db3faf upstream.

Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

Cc: stable@vger.kernel.org
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
@@ -322,7 +322,7 @@ int pvrdma_alloc_ucontext(struct ib_ucon
 	uresp.qp_tab_size = vdev->dsr->caps.max_qp;
 	ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));
 	if (ret) {
-		pvrdma_uar_free(vdev, &context->uar);
+		/* pvrdma_dealloc_ucontext() also frees the UAR */
 		pvrdma_dealloc_ucontext(&context->ibucontext);
 		return -EFAULT;
 	}
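Review bot: the path still hard-codes `return -EFAULT` while `ret` from ib_copy_to_udata() is discarded; unrelated to the double free, but since this block is being touched, `return ret;` would keep whatever code the helper produced. The replacement comment is helpful; it would be worth one more clause confirming that nothing allocated between the UAR allocation and this point needs separate cleanup, since the whole unwind now rests on pvrdma_dealloc_ucontext().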




* [PATCH 6.18 205/270] sched_ext: idle: Recheck prev_cpu after narrowing allowed mask
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 204/270] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 206/270] selftests: mptcp: check output: catch cmd errors Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andrea Righi,
	Tejun Heo, Claude

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit b34c82777a2c0648ee053595f4b290fd5249b093 upstream.

scx_select_cpu_dfl() narrows @allowed to @cpus_allowed & @p->cpus_ptr
when the BPF caller supplies a @cpus_allowed that differs from
@p->cpus_ptr and @p doesn't have full affinity. However,
@is_prev_allowed was computed against the original (wider)
@cpus_allowed, so the prev_cpu fast paths could pick a @prev_cpu that
is in @cpus_allowed but not in @p->cpus_ptr, violating the intended
invariant that the returned CPU is always usable by @p. The kernel
masks this via the SCX_EV_SELECT_CPU_FALLBACK fallback, but the
behavior contradicts the documented contract.

Move the @is_prev_allowed evaluation past the narrowing block so it
tests against the final @allowed mask.

Fixes: ee9a4e92799d ("sched_ext: idle: Properly handle invalid prev_cpu during idle selection")
Cc: stable@vger.kernel.org # v6.16+
Assisted-by: Claude <noreply@anthropic.com>
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/ext_idle.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/kernel/sched/ext_idle.c
+++ b/kernel/sched/ext_idle.c
@@ -460,12 +460,6 @@ s32 scx_select_cpu_dfl(struct task_struc
 	preempt_disable();
 
 	/*
-	 * Check whether @prev_cpu is still within the allowed set. If not,
-	 * we can still try selecting a nearby CPU.
-	 */
-	is_prev_allowed = cpumask_test_cpu(prev_cpu, allowed);
-
-	/*
 	 * Determine the subset of CPUs usable by @p within @cpus_allowed.
 	 */
 	if (allowed != p->cpus_ptr) {
@@ -482,6 +476,12 @@ s32 scx_select_cpu_dfl(struct task_struc
 	}
 
 	/*
+	 * Check whether @prev_cpu is still within the allowed set. If not,
+	 * we can still try selecting a nearby CPU.
+	 */
+	is_prev_allowed = cpumask_test_cpu(prev_cpu, allowed);
+
+	/*
 	 * This is necessary to protect llc_cpus.
 	 */
 	rcu_read_lock();
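Review bot: `is_prev_allowed` is now evaluated after the narrowing block, which the hunk does not show; please confirm that block's empty-intersection path returns before this line, otherwise `prev_cpu` is tested against an empty `allowed` (harmless, but then the comment "still within the allowed set" is misleading). The moved comment should also say "the final allowed set", since that is the whole point of relocating it.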




* [PATCH 6.18 206/270] selftests: mptcp: check output: catch cmd errors
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 205/270] sched_ext: idle: Recheck prev_cpu after narrowing allowed mask Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 207/270] selftests: mptcp: pm: restrict unknown check to pm_nl_ctl Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 65db7b27b90e2ea8d4966935aa9a50b6a60c31ac upstream.

Using '${?}' inside the if-statement to check the returned value from
the command that was evaluated as part of the if-statement is not
correct: here, '${?}' will be linked to the previous instruction, not
the one that is expected here (${cmd}).

Instead, simply mark the error, except if an error is expected. If
that's the case, 1 can be passed as the 4th argument of this helper.
Three checks from pm_netlink.sh expect an error.

While at it, improve the error message when the command unexpectedly
fails or succeeds.

Note that we could expect a specific returned value, but the checks
currently expecting an error can be used with 'ip mptcp' or 'pm_nl_ctl',
and these two tools don't return the same error code.

Fixes: 2d0c1d27ea4e ("selftests: mptcp: add mptcp_lib_check_output helper")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-10-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/mptcp/mptcp_lib.sh  |   16 ++++++++++------
 tools/testing/selftests/net/mptcp/pm_netlink.sh |   10 ++++++----
 2 files changed, 16 insertions(+), 10 deletions(-)

--- a/tools/testing/selftests/net/mptcp/mptcp_lib.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh
@@ -430,20 +430,24 @@ mptcp_lib_wait_local_port_listen() {
 	wait_local_port_listen "${@}" "tcp"
 }
 
+# $1: error file, $2: cmd, $3: expected msg, [$4: expected error]
 mptcp_lib_check_output() {
 	local err="${1}"
 	local cmd="${2}"
 	local expected="${3}"
+	local exp_error="${4:-0}"
 	local cmd_ret=0
 	local out
 
-	if ! out=$(${cmd} 2>"${err}"); then
-		cmd_ret=${?}
-	fi
+	out=$(${cmd} 2>"${err}") || cmd_ret=1
 
-	if [ ${cmd_ret} -ne 0 ]; then
-		mptcp_lib_pr_fail "command execution '${cmd}' stderr"
-		cat "${err}"
+	if [ "${cmd_ret}" != "${exp_error}" ]; then
+		mptcp_lib_pr_fail "unexpected returned code for '${cmd}', info:"
+		if [ "${exp_error}" = 0 ]; then
+			cat "${err}"
+		else
+			echo "${out}"
+		fi
 		return 2
 	elif [ "${out}" = "${expected}" ]; then
 		return 0
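Review bot: `[ "${cmd_ret}" != "${exp_error}" ]` is a string comparison and `cmd_ret` is only ever 0 or 1, so a caller passing any other non-zero value as $4 (a real exit code, say) would always fail; the header comment `[$4: expected error]` should state that $4 is a 0/1 flag, or the helper should normalise it with something like `[ "${exp_error}" != 0 ] && exp_error=1`. Minor: on the unexpected-success branch only `${out}` is shown while `${err}` is dropped; printing both costs nothing and helps when a tool warns on stderr and still exits 0.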
--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
+++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
@@ -122,10 +122,12 @@ check()
 	local cmd="$1"
 	local expected="$2"
 	local msg="$3"
+	local exp_error="$4"
 	local rc=0
 
 	mptcp_lib_print_title "$msg"
-	mptcp_lib_check_output "${err}" "${cmd}" "${expected}" || rc=${?}
+	mptcp_lib_check_output "${err}" "${cmd}" "${expected}" "${exp_error}" ||
+		rc=${?}
 	if [ ${rc} -eq 2 ]; then
 		mptcp_lib_result_fail "${msg} # error ${rc}"
 		ret=${KSFT_FAIL}
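Review bot: `local exp_error="$4"` forwards an empty string when no fourth argument is given and relies on the helper's `${4:-0}` to turn it back into 0; that works today, but `local exp_error="${4:-0}"` here would make `check()` self-describing and keep it correct if the helper's default ever changes.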
@@ -158,13 +160,13 @@ check "show_endpoints" \
 			    "3,10.0.1.3,signal backup")" "dump addrs"
 
 del_endpoint 2
-check "get_endpoint 2" "" "simple del addr"
+check "get_endpoint 2" "" "simple del addr" 1
 check "show_endpoints" \
 	"$(format_endpoints "1,10.0.1.1" \
 			    "3,10.0.1.3,signal backup")" "dump addrs after del"
 
 add_endpoint 10.0.1.3 2>/dev/null
-check "get_endpoint 4" "" "duplicate addr"
+check "get_endpoint 4" "" "duplicate addr" 1
 
 add_endpoint 10.0.1.4 flags signal
 check "get_endpoint 4" "$(format_endpoints "4,10.0.1.4,signal")" "id addr increment"
@@ -173,7 +175,7 @@ for i in $(seq 5 9); do
 	add_endpoint "10.0.1.${i}" flags signal >/dev/null 2>&1
 done
 check "get_endpoint 9" "$(format_endpoints "9,10.0.1.9,signal")" "hard addr limit"
-check "get_endpoint 10" "" "above hard addr limit"
+check "get_endpoint 10" "" "above hard addr limit" 1
 
 del_endpoint 9
 for i in $(seq 10 255); do




* [PATCH 6.18 207/270] selftests: mptcp: pm: restrict unknown check to pm_nl_ctl
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 206/270] selftests: mptcp: check output: catch cmd errors Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 208/270] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 53705ddfa18408f8e1f064331b6387509fa19f7f upstream.

When pm_netlink.sh is executed with '-i', 'ip mptcp' is used instead of
'pm_nl_ctl'. IPRoute2 doesn't support the 'unknown' flag, which has only
been added to 'pm_nl_ctl' for this specific check: to ensure that the
kernel ignores such unsupported flag.

No reason to add this flag to 'ip mptcp'. Then, this check should be
skipped when 'ip mptcp' is used.

Fixes: 0cef6fcac24d ("selftests: mptcp: ip_mptcp option for more scripts")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-11-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/mptcp/pm_netlink.sh |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
+++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
@@ -194,9 +194,13 @@ check "show_endpoints" \
 flush_endpoint
 check "show_endpoints" "" "flush addrs"
 
-add_endpoint 10.0.1.1 flags unknown
-check "show_endpoints" "$(format_endpoints "1,10.0.1.1")" "ignore unknown flags"
-flush_endpoint
+# "unknown" flag is only supported by pm_nl_ctl
+if ! mptcp_lib_is_ip_mptcp; then
+	add_endpoint 10.0.1.1 flags unknown
+	check "show_endpoints" "$(format_endpoints "1,10.0.1.1")" \
+	      "ignore unknown flags"
+	flush_endpoint
+fi
 
 set_limits 9 1 2>/dev/null
 check "get_limits" "${default_limits}" "rcv addrs above hard limit"
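Review bot: when the block is skipped under `-i`, no result is recorded for "ignore unknown flags", so the number of reported test cases differs between the pm_nl_ctl and ip-mptcp runs; if the library offers a skip result helper, emitting a skip entry in an `else` branch keeps the two modes' output comparable.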




* [PATCH 6.18 208/270] mptcp: fastclose msk when linger time is 0
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 207/270] selftests: mptcp: pm: restrict unknown check to pm_nl_ctl Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 209/270] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lance Tuller, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit f14d6e9c3678a067f304abba561e0c5446c7e845 upstream.

The SO_LINGER socket option has been supported for a while with MPTCP
sockets [1], but it didn't cause the equivalent of a TCP reset as
expected when enabled and its time was set to 0. This was causing some
behavioural differences with TCP where some connections were not
promptly stopped as expected.

To fix that, an extra condition is checked at close() time before
sending an MP_FASTCLOSE, the MPTCP equivalent of a TCP reset.

Note that backporting up to [1] will be difficult as more changes are
needed to be able to send MP_FASTCLOSE. It seems better to stop at [2],
which was supposed to already imitate TCP.

Validated with MPTCP packetdrill tests [3].

Fixes: 268b12387460 ("mptcp: setsockopt: support SO_LINGER") [1]
Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios") [2]
Cc: stable@vger.kernel.org
Reported-by: Lance Tuller <lance@lance0.com>
Closes: https://github.com/lance0/xfr/pull/67
Link: https://github.com/multipath-tcp/packetdrill/pull/196 [3]
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-3-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3162,7 +3162,8 @@ bool __mptcp_close(struct sock *sk, long
 		goto cleanup;
 	}
 
-	if (mptcp_data_avail(msk) || timeout < 0) {
+	if (mptcp_data_avail(msk) || timeout < 0 ||
+	    (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)) {
 		/* If the msk has read data, or the caller explicitly ask it,
 		 * do the MPTCP equivalent of TCP reset, aka MPTCP fastclose
 		 */
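Review bot: the comment under the condition still reads "If the msk has read data, or the caller explicitly ask it", but the condition now has a third leg, `SOCK_LINGER` with a zero `sk_lingertime`; update the comment to list it, since this is the only place in close() where the linger-0 reset semantics are expressed.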




* [PATCH 6.18 209/270] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 208/270] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 210/270] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
	Shardul Bankar, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

commit c4a99a921949cddc590b22bb14eeb23dffcc3ba6 upstream.

In subflow_finish_connect(), HMAC validation of the server's HMAC
in SYN/ACK + MP_JOIN increments MPTCP_MIB_JOINACKMAC ("HMAC was
wrong on ACK + MP_JOIN") on failure. The function processes the
SYN/ACK, not the ACK; the matching MPTCP_MIB_JOINSYNACKMAC counter
("HMAC was wrong on SYN/ACK + MP_JOIN") exists but is not
incremented anywhere in the tree.

The mirror site on the server, subflow_syn_recv_sock(), already
uses JOINACKMAC correctly for ACK HMAC failure. Use JOINSYNACKMAC
at the SYN/ACK validation site so each counter reflects the packet
whose HMAC actually failed.

Suggested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Fixes: fc518953bc9c ("mptcp: add and use MIB counter infrastructure")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-1-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/subflow.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -580,7 +580,7 @@ static void subflow_finish_connect(struc
 			 subflow->backup);
 
 		if (!subflow_thmac_valid(subflow)) {
-			MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINACKMAC);
+			MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINSYNACKMAC);
 			subflow->reset_reason = MPTCP_RST_EMPTCP;
 			goto do_reset;
 		}
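Review bot: the swap is correct, but the commit message notes that MPTCP_MIB_JOINSYNACKMAC was never incremented before, so anything that counted client-side HMAC failures under the old name (selftests asserting on MIB counters, monitoring) will now read zero there; please check the mptcp selftests for assertions on the ACK-side counter in the client path and mention any fallout in the commit message.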




* [PATCH 6.18 210/270] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 209/270] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 211/270] mptcp: sockopt: set timestamp flags on subflow socket, not msk Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
	Shardul Bankar, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

commit a6da02d4c00fdda2417e42ad2b762a9209e6cc49 upstream.

When HMAC validation fails on a received ACK + MP_JOIN in
subflow_syn_recv_sock(), the subflow is reset with reason
MPTCP_RST_EPROHIBIT ("Administratively prohibited"). This is
incorrect: HMAC validation failure is an MPTCP protocol-level
error, not an administrative policy denial.

The mirror site on the client, in subflow_finish_connect(), already
uses MPTCP_RST_EMPTCP ("MPTCP-specific error") for the same kind of
HMAC failure on the SYN/ACK + MP_JOIN. Use the same reason on the
server side for symmetry and accuracy.

Suggested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Fixes: 443041deb5ef ("mptcp: fix NULL pointer in can_accept_new_subflow")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-2-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/subflow.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -907,7 +907,7 @@ create_child:
 
 			if (!subflow_hmac_valid(subflow_req, &mp_opt)) {
 				SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
-				subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+				subflow_add_reset_reason(skb, MPTCP_RST_EMPTCP);
 				goto dispose_child;
 			}
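Review bot: the reason set by subflow_add_reset_reason() is carried to the peer in the MP_TCPRST option, so this changes an on-the-wire value as well as local behaviour; packetdrill scripts or selftests that expect the old EPROHIBIT code on a bad ACK + MP_JOIN need updating, and the commit message could say so.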
 




* [PATCH 6.18 211/270] mptcp: sockopt: set timestamp flags on subflow socket, not msk
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 210/270] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 212/270] mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gang Yan, Matthieu Baerts (NGI0),
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gang Yan <yangang@kylinos.cn>

commit 5f95c21fc23a7ef22b4d27d1ed9bb55557ffb926 upstream.

Both mptcp_setsockopt_sol_socket_tstamp() and
mptcp_setsockopt_sol_socket_timestamping() iterate over subflows,
acquire the subflow socket lock, but then erroneously pass the MPTCP
msk socket to sock_set_timestamp() / sock_set_timestamping() instead
of the subflow ssk. As a result, the timestamp flags are set on the
wrong socket and have no effect on the actual subflows.

Pass ssk instead of sk to both helpers.

Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-1-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -161,7 +161,7 @@ static int mptcp_setsockopt_sol_socket_t
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		bool slow = lock_sock_fast(ssk);
 
-		sock_set_timestamp(sk, optname, !!val);
+		sock_set_timestamp(ssk, optname, !!val);
 		unlock_sock_fast(ssk, slow);
 	}
 
@@ -237,7 +237,7 @@ static int mptcp_setsockopt_sol_socket_t
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		bool slow = lock_sock_fast(ssk);
 
-		sock_set_timestamping(sk, optname, timestamping);
+		sock_set_timestamping(ssk, optname, timestamping);
 		unlock_sock_fast(ssk, slow);
 	}
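Review bot: with the helpers now called on `ssk`, note that both hunks still wrap them in `lock_sock_fast()`, which patch 214/270 in this series replaces with `lock_sock()` because sock_set_timestamp() and sock_set_timestamping() can sleep; the two fixes should travel together when backported, since this one alone turns a no-op into a sleep-in-atomic path.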
 




* [PATCH 6.18 212/270] mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 211/270] mptcp: sockopt: set timestamp flags on subflow socket, not msk Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 213/270] mptcp: fix rx timestamp corruption on fastopen Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 70ece9d7021c54cf40c72b31b066e9088f5f75f5 upstream.

mptcp_setsockopt_all_sf() was missing a call to sockopt_seq_inc(). This
is required not to cause missing synchronization for newer subflows
created later on.

This helper is called each time a socket option is set on subflows, and
future ones will need to inherit this option after their creation.

Fixes: 51c5fd09e1b4 ("mptcp: add TCP_MAXSEG sockopt support")
Cc: stable@vger.kernel.org
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-4-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -812,6 +812,10 @@ static int mptcp_setsockopt_all_sf(struc
 		if (ret)
 			break;
 	}
+
+	if (!ret)
+		sockopt_seq_inc(msk);
+
 	return ret;
 }
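Review bot: `sockopt_seq_inc()` is skipped when the loop broke early with `ret` set, but by then some subflows already carry the new value while later-created subflows will not be resynced; if that partial state is acceptable because the error is returned to userspace, a one-line comment above `if (!ret)` saying so would stop the next reader from "fixing" it.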
 




* [PATCH 6.18 213/270] mptcp: fix rx timestamp corruption on fastopen
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 212/270] mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 214/270] mptcp: fix scheduling with atomic in timestamp sockopt Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 6254a16d6f0c672e3809ca5d7c9a28a55d71f764 upstream.

The skb cb offset containing the timestamp presence flag is cleared
before loading such information. Cache such value before MPTCP CB
initialization.

Fixes: 36b122baf6a8 ("mptcp: add subflow_v(4,6)_send_synack()")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-3-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/fastopen.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/mptcp/fastopen.c
+++ b/net/mptcp/fastopen.c
@@ -12,6 +12,7 @@ void mptcp_fastopen_subflow_synack_set_p
 	struct sock *sk, *ssk;
 	struct sk_buff *skb;
 	struct tcp_sock *tp;
+	bool has_rxtstamp;
 
 	/* on early fallback the subflow context is deleted by
 	 * subflow_syn_recv_sock()
@@ -39,12 +40,13 @@ void mptcp_fastopen_subflow_synack_set_p
 	 */
 	tp->copied_seq += skb->len;
 	subflow->ssn_offset += skb->len;
+	has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
 
 	/* Only the sequence delta is relevant */
 	MPTCP_SKB_CB(skb)->map_seq = -skb->len;
 	MPTCP_SKB_CB(skb)->end_seq = 0;
 	MPTCP_SKB_CB(skb)->offset = 0;
-	MPTCP_SKB_CB(skb)->has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
+	MPTCP_SKB_CB(skb)->has_rxtstamp = has_rxtstamp;
 	MPTCP_SKB_CB(skb)->cant_coalesce = 1;
 
 	mptcp_data_lock(sk);
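Review bot: the reordering works because MPTCP_SKB_CB and TCP_SKB_CB overlay the same skb->cb bytes, so the `map_seq` store clobbers `has_rxtstamp` before it was read; the comment "Only the sequence delta is relevant" does not hint at that aliasing, and a short note next to the `has_rxtstamp =` line ("read before the MPTCP cb writes below, they share skb->cb") would prevent someone from moving the read back.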




* [PATCH 6.18 214/270] mptcp: fix scheduling with atomic in timestamp sockopt
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Gang Yan,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gang Yan <yangang@kylinos.cn>

commit b5c52908d52c6c8eb8933264aa6087a0600fd892 upstream.

Using lock_sock_fast() (atomic context) around sock_set_timestamp()
and sock_set_timestamping() is unsafe, as both helpers can sleep.

Replace lock_sock_fast() with sleepable lock_sock()/release_sock()
to avoid a "scheduling while atomic" panic.

Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260420093343.16443-1-gang.yan@linux.dev
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-2-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -159,10 +159,10 @@ static int mptcp_setsockopt_sol_socket_t
 	lock_sock(sk);
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
-		bool slow = lock_sock_fast(ssk);
 
+		lock_sock(ssk);
 		sock_set_timestamp(ssk, optname, !!val);
-		unlock_sock_fast(ssk, slow);
+		release_sock(ssk);
 	}
 
 	release_sock(sk);
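Review bot: the change is right, and the context at the top of the hunk (`lock_sock(sk);`) is what makes it safe: the msk is already held with the sleepable lock and this is setsockopt process context, so sleeping in sock_set_timestamp() under lock_sock(ssk) is legal. What made the old code wrong is that lock_sock_fast() takes only the bh spinlock when the subflow is not owned by user space, which is exactly where the sleepable helper then ran. A one-line comment above `lock_sock(ssk);` saying the helper may sleep would stop someone "optimising" it back to the fast variant later.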
@@ -235,10 +235,10 @@ static int mptcp_setsockopt_sol_socket_t
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
-		bool slow = lock_sock_fast(ssk);
 
+		lock_sock(ssk);
 		sock_set_timestamping(ssk, optname, timestamping);
-		unlock_sock_fast(ssk, slow);
+		release_sock(ssk);
 	}
 
 	release_sock(sk);
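Review bot: this hunk shows `release_sock(sk);` after the loop but not the matching lock of the msk before it; confirm that the timestamping variant takes the msk with lock_sock() and not lock_sock_fast(), because sock_set_timestamping() now runs under that outer lock too and the same sleep-in-atomic problem would otherwise just move one level up. Same comment as for the first hunk applies to `lock_sock(ssk);`.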




* [PATCH 6.18 215/270] mptcp: pm: prio: skip closed subflows
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 166b78344031bf7ac9f55cb5282776cfd85f220e upstream.

When sending an MP_PRIO, closed subflows need to be skipped.

This fixes the case where the initial subflow got closed, re-opened
later, then an MP_PRIO is needed for the same local address.

Note that explicit MP_PRIO cannot be sent during the 3WHS, so it is fine
to use __mptcp_subflow_active().

Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support")
Cc: stable@vger.kernel.org
Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-9-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -283,6 +283,9 @@ int mptcp_pm_mp_prio_send_ack(struct mpt
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		struct mptcp_addr_info local, remote;
 
+		if (!__mptcp_subflow_active(subflow))
+			continue;
+
 		mptcp_local_address((struct sock_common *)ssk, &local);
 		if (!mptcp_addresses_equal(&local, addr, addr->port))
 			continue;
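Review bot: placing the `__mptcp_subflow_active()` check before `mptcp_local_address()` is the right order, since a closed subflow with the same local address can otherwise be matched ahead of the re-opened one. The justification for using the lighter `__mptcp_subflow_active()` (which also rejects subflows still in the 3WHS) lives only in the commit message; a short comment above the new `if` saying an explicit MP_PRIO is never sent during the handshake would keep that reasoning next to the code.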




* [PATCH 6.18 216/270] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit b12014d2d36eaed4e4bec5f1ac7e91110eeb100d upstream.

When adding the ADD_ADDR to the list, the address including the IP, port
and ID are copied. On the other hand, when the endpoint corresponds to
the one from the initial subflow, the ID is set to 0, as specified by
the MPTCP protocol.

The issue is that the ID was reset after having copied the ID in the
ADD_ADDR entry. So the retransmission was done, but using a different ID
than the initial one.

Fixes: 8b8ed1b429f8 ("mptcp: pm: reuse ID 0 after delete and re-add")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-1-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm_kernel.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/mptcp/pm_kernel.c
+++ b/net/mptcp/pm_kernel.c
@@ -336,6 +336,8 @@ static void mptcp_pm_create_subflow_or_s
 
 	/* check first for announce */
 	if (msk->pm.add_addr_signaled < endp_signal_max) {
+		u8 endp_id;
+
 		/* due to racing events on both ends we can reach here while
 		 * previous add address is still running: if we invoke now
 		 * mptcp_pm_announce_addr(), that will fail and the
@@ -349,19 +351,20 @@ static void mptcp_pm_create_subflow_or_s
 		if (!select_signal_address(pernet, msk, &local))
 			goto subflow;
 
+		/* Special case for ID0: set the correct ID */
+		endp_id = local.addr.id;
+		if (endp_id == msk->mpc_endpoint_id)
+			local.addr.id = 0;
+
 		/* If the alloc fails, we are on memory pressure, not worth
 		 * continuing, and trying to create subflows.
 		 */
 		if (!mptcp_pm_alloc_anno_list(msk, &local.addr))
 			return;
 
-		__clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
+		__clear_bit(endp_id, msk->pm.id_avail_bitmap);
 		msk->pm.add_addr_signaled++;
 
-		/* Special case for ID0: set the correct ID */
-		if (local.addr.id == msk->mpc_endpoint_id)
-			local.addr.id = 0;
-
 		mptcp_pm_announce_addr(msk, &local.addr, false);
 		mptcp_pm_addr_send_ack(msk);
 




* [PATCH 6.18 217/270] mptcp: pm: ADD_ADDR rtx: allow ID 0
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 03f324f3f1f7619a47b9c91282cb12775ab0a2f1 upstream.

ADD_ADDR can be sent for the ID 0, which corresponds to the local
address and port linked to the initial subflow.

Indeed, this address could be removed and re-added later on, e.g. as is
done in the "delete re-add signal" MPTCP Join selftests. So there is no
reason to ignore it.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -350,9 +350,6 @@ static void mptcp_pm_add_timer(struct ti
 	if (inet_sk_state_load(sk) == TCP_CLOSE)
 		return;
 
-	if (!entry->addr.id)
-		return;
-
 	if (mptcp_pm_should_add_signal_addr(msk)) {
 		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
 		goto out;
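Review bot: dropping the `if (!entry->addr.id) return;` guard means an entry with ID 0 now takes the full retransmission path, including `mptcp_pm_should_add_signal_addr()` and the code after it that is not shown; confirm nothing downstream (the announce helper, the retrans_times bookkeeping) treats `addr.id == 0` as "unset" and bails out. Worth a sentence in the commit message stating that was checked, since ID 0 is special everywhere else in the PM.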




* [PATCH 6.18 218/270] mptcp: pm: ADD_ADDR rtx: fix potential data-race
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d upstream.

This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -350,6 +350,13 @@ static void mptcp_pm_add_timer(struct ti
 	if (inet_sk_state_load(sk) == TCP_CLOSE)
 		return;
 
+	bh_lock_sock(sk);
+	if (sock_owned_by_user(sk)) {
+		/* Try again later. */
+		sk_reset_timer(sk, timer, jiffies + HZ / 20);
+		goto out;
+	}
+
 	if (mptcp_pm_should_add_signal_addr(msk)) {
 		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
 		goto out;
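Review bot: `inet_sk_state_load(sk) == TCP_CLOSE` is still evaluated before `bh_lock_sock(sk)`, so the state is sampled without the lock while the `sock_owned_by_user()` decision just below is taken under it; moving the lock above the state check would make the two consistent and let the close case share the `out:` exit. The HZ / 20 retry itself is fine, but the `/* Try again later. */` comment could say that `sk_reset_timer()` takes a new socket reference when the timer was not pending, which is what keeps the `__sock_put()` at `out:` balanced.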
@@ -378,6 +385,7 @@ static void mptcp_pm_add_timer(struct ti
 		mptcp_pm_subflow_established(msk);
 
 out:
+	bh_unlock_sock(sk);
 	__sock_put(sk);
 }
 
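Review bot: with `bh_unlock_sock(sk)` now at `out:`, every `goto out` must come after `bh_lock_sock()`, which holds for both jumps in the first hunk. The early `return` on TCP_CLOSE in the first hunk's context still bypasses `__sock_put()` and so leaks the reference held by `sk_reset_timer()`; that is a pre-existing leak rather than part of this race fix, but the new label is the natural place to route it through.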




* [PATCH 6.18 219/270] mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 9634cb35af17019baec21ca648516ce376fa10e6 upstream.

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().
It should then be released in all cases at the end.

Some (unlikely) checks were returning directly instead of calling
sock_put() to decrease the refcount. Jump to a new 'exit' label to call
__sock_put() (which will become sock_put() in the next commit) to fix
this potential leak.

While at it, drop the '!msk' check which cannot happen because it is
never reset, and explicitly mark the remaining one as "unlikely".

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-4-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -344,11 +344,8 @@ static void mptcp_pm_add_timer(struct ti
 
 	pr_debug("msk=%p\n", msk);
 
-	if (!msk)
-		return;
-
-	if (inet_sk_state_load(sk) == TCP_CLOSE)
-		return;
+	if (unlikely(inet_sk_state_load(sk) == TCP_CLOSE))
+		goto exit;
 
 	bh_lock_sock(sk);
 	if (sock_owned_by_user(sk)) {
@@ -386,6 +383,7 @@ static void mptcp_pm_add_timer(struct ti
 
 out:
 	bh_unlock_sock(sk);
+exit:
 	__sock_put(sk);
 }
 
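Review bot: `out:` and `exit:` now differ only in whether `bh_lock_sock()` is held, and the names do not say so; a comment on each label (or names such as `unlock:` and `put:`) would stop someone adding a `goto exit` from a locked path and leaving the socket spinlock held. Otherwise the change does what the message says: the TCP_CLOSE path now reaches `__sock_put()`.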




* [PATCH 6.18 220/270] mptcp: pm: ADD_ADDR rtx: free sk if last
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit b7b9a461569734d33d3259d58d2507adfac107ed upstream.

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),
and released at the end.

If at that moment, it was the last reference being held, the sk would
not be freed. sock_put() should then be called instead of __sock_put().

But that's not enough: if it is the last reference, sock_put() will call
sk_free(), which will end up calling sk_stop_timer_sync() on the same
timer, and waiting indefinitely for it to finish. So the timer needs to
be marked as done at the end of the timer handler when it has not been
rescheduled, so as not to call sk_stop_timer_sync() on "itself".

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-5-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |   28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -16,6 +16,7 @@ struct mptcp_pm_add_entry {
 	struct list_head	list;
 	struct mptcp_addr_info	addr;
 	u8			retrans_times;
+	bool			timer_done;
 	struct timer_list	add_timer;
 	struct mptcp_sock	*sock;
 	struct rcu_head		rcu;
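Review bot: `timer_done` has no comment stating what serialises it. From the other hunks it is written in the timer callback under `bh_lock_sock(sk)` and read in `mptcp_pm_free_anno_list()` after `spin_unlock_bh(&msk->pm.lock)`, so the pm lock does not cover it; the reader relies on the socket lock excluding the callback (which re-arms itself when `sock_owned_by_user()`). Please document that next to the field so the locking rule survives the next refactor.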
@@ -340,22 +341,22 @@ static void mptcp_pm_add_timer(struct ti
 							      add_timer);
 	struct mptcp_sock *msk = entry->sock;
 	struct sock *sk = (struct sock *)msk;
-	unsigned int timeout;
+	unsigned int timeout = 0;
 
 	pr_debug("msk=%p\n", msk);
 
+	bh_lock_sock(sk);
 	if (unlikely(inet_sk_state_load(sk) == TCP_CLOSE))
-		goto exit;
+		goto out;
 
-	bh_lock_sock(sk);
 	if (sock_owned_by_user(sk)) {
 		/* Try again later. */
-		sk_reset_timer(sk, timer, jiffies + HZ / 20);
+		timeout = HZ / 20;
 		goto out;
 	}
 
 	if (mptcp_pm_should_add_signal_addr(msk)) {
-		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
+		timeout = TCP_RTO_MAX / 8;
 		goto out;
 	}
 
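Review bot: `timeout` is now overloaded as both the delay and the "re-arm" flag (0 meaning do not re-arm), and the `= 0` initialiser is what makes the TCP_CLOSE and `sock_owned_by_user()` exits correct; a comment on the declaration would make that contract explicit. Moving `bh_lock_sock(sk)` above the TCP_CLOSE check also closes the unlocked state sample left by the earlier patch in this series, which the commit message could mention.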
@@ -373,8 +374,9 @@ static void mptcp_pm_add_timer(struct ti
 	}
 
 	if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
-		sk_reset_timer(sk, timer,
-			       jiffies + (timeout << entry->retrans_times));
+		timeout <<= entry->retrans_times;
+	else
+		timeout = 0;
 
 	spin_unlock_bh(&msk->pm.lock);
 
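Review bot: the explicit `else timeout = 0;` is required because `timeout` was set non-zero by `mptcp_adjust_add_addr_timeout()` above, so hitting ADD_ADDR_RETRANS_MAX must actively clear it to stop the re-arm at `out:`; that dependency is easy to lose in a refactor, so a one-line comment on the `else` arm would help.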
@@ -382,9 +384,13 @@ static void mptcp_pm_add_timer(struct ti
 		mptcp_pm_subflow_established(msk);
 
 out:
+	if (timeout)
+		sk_reset_timer(sk, timer, jiffies + timeout);
+	else
+		/* if sock_put calls sk_free: avoid waiting for this timer */
+		entry->timer_done = true;
 	bh_unlock_sock(sk);
-exit:
-	__sock_put(sk);
+	sock_put(sk);
 }
 
 struct mptcp_pm_add_entry *
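Review bot: style: the `else` arm at `out:` has a comment line between `else` and its single statement; either wrap the arm in braces or move the comment above the `if (timeout)` so the structure is unambiguous. On the logic, the ordering is the whole fix: `entry->timer_done = true` must be set before `sock_put(sk)` can run `sk_free()` and reach `mptcp_pm_free_anno_list()`, which is why the assignment sits before `bh_unlock_sock()`; the comment currently says what happens but not that the order matters, and it should.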
@@ -447,6 +453,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
 
 	timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
 reset_timer:
+	add_entry->timer_done = false;
 	timeout = mptcp_adjust_add_addr_timeout(msk);
 	if (timeout)
 		sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
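Review bot: resetting `timer_done` at `reset_timer:` is reached both for new entries and for re-armed existing ones, which is right. If `mptcp_adjust_add_addr_timeout()` returns 0, though, the timer is never armed while `timer_done` stays false, so the free path will still call `sk_stop_timer_sync()` on a timer that is not pending; that is harmless (it only drops the reference when the timer was pending) but a comment would save the next reader the check.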
@@ -467,7 +474,8 @@ static void mptcp_pm_free_anno_list(stru
 	spin_unlock_bh(&msk->pm.lock);
 
 	list_for_each_entry_safe(entry, tmp, &free_list, list) {
-		sk_stop_timer_sync(sk, &entry->add_timer);
+		if (!entry->timer_done)
+			sk_stop_timer_sync(sk, &entry->add_timer);
 		kfree_rcu(entry, rcu);
 	}
 }
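Review bot: the `timer_done` read happens after `spin_unlock_bh(&msk->pm.lock)` and outside `bh_lock_sock()`, so it is a plain read that races by design with the callback's write; it appears to rely on this function running either with the msk socket lock held (so the callback backs off via `sock_owned_by_user()`) or from `sk_free()` after the callback has already set the flag. Please state that assumption in a comment, and consider READ_ONCE()/WRITE_ONCE() on the flag so KCSAN does not flag it.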




* [PATCH 6.18 221/270] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 3cf12492891c4b5ff54dda404a2de4ec54c9e1b5 upstream.

When an ADD_ADDR needs to be retransmitted and another one has already
been prepared -- e.g. multiple ADD_ADDRs have been sent in a row and
need to be retransmitted later -- this additional retransmission will
need to wait.

In this case, the timer was reset to TCP_RTO_MAX / 8, which is ~15
seconds. This delay is unnecessarily long: it should just be rescheduled
at the next opportunity, e.g. after the retransmission timeout.

Without this modification, some issues can be seen from time to time in
the selftests when multiple ADD_ADDRs are sent, and the host takes time
to process them, e.g. the "signal addresses, ADD_ADDR timeout" MPTCP
Join selftest, especially with a debug kernel config.

Note that on older kernels, 'timeout' is not available. It should be
enough to replace it by one second (HZ).

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-6-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -355,13 +355,8 @@ static void mptcp_pm_add_timer(struct ti
 		goto out;
 	}
 
-	if (mptcp_pm_should_add_signal_addr(msk)) {
-		timeout = TCP_RTO_MAX / 8;
-		goto out;
-	}
-
 	timeout = mptcp_adjust_add_addr_timeout(msk);
-	if (!timeout)
+	if (!timeout || mptcp_pm_should_add_signal_addr(msk))
 		goto out;
 
 	spin_lock_bh(&msk->pm.lock);
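Review bot: with the combined `if (!timeout || mptcp_pm_should_add_signal_addr(msk))`, a blocked retransmission re-arms at the adaptive `timeout` without the `<< entry->retrans_times` back-off and without the retrans_times accounting that lives in the pm.lock section below, so a persistently pending ADD_ADDR polls at the RTO-based interval for as long as it stays blocked. That is no worse than the previous ~15 s polling but is now much more frequent; a comment saying this is intended and bounded by the adaptive timeout would avoid it being read as an oversight.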




* [PATCH 6.18 222/270] mptcp: pm: ADD_ADDR rtx: return early if no retrans
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit 62a9b19dce77e72426f049fb99b9d1d032b9a8ea upstream.

No need to iterate over all subflows if there is no retransmission
needed.

Exit early in this case then.

Fixes: 30549eebc4d8 ("mptcp: make ADD_ADDR retransmission timeout adaptive")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-8-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -311,6 +311,9 @@ static unsigned int mptcp_adjust_add_add
 	struct mptcp_subflow_context *subflow;
 	unsigned int max = 0, max_stale = 0;
 
+	if (!rto)
+		return 0;
+
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		struct inet_connection_sock *icsk = inet_csk(ssk);
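Review bot: `rto` is not declared in the visible lines, so a reader of this hunk has to trust that it is the same base value the loop below scales; a short comment that a zero base means "retransmission disabled, do not arm the timer" for callers that test the return value would make the early `return 0;` self-explanatory rather than looking like a mere optimisation.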




* [PATCH 6.18 223/270] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cen Zhang, Chao Yu, Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cen Zhang <zzzccc427@gmail.com>

commit 5471834a96fb697874be2ca0b052e74bcf3c23d1 upstream.

f2fs_update_inode() reads inode->i_blocks without holding i_lock to
serialize it to the on-disk inode, while concurrent truncate or
allocation paths may modify i_blocks under i_lock.  Since blkcnt_t is
u64, this risks torn reads on 32-bit architectures.

Following the approach in ext4_inode_blocks_set(), add READ_ONCE() to prevent
potential compiler-induced tearing.

Fixes: 19f99cee206c ("f2fs: add core inode operations")
Cc: stable@vger.kernel.org
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -677,7 +677,7 @@ void f2fs_update_inode(struct inode *ino
 	ri->i_uid = cpu_to_le32(i_uid_read(inode));
 	ri->i_gid = cpu_to_le32(i_gid_read(inode));
 	ri->i_links = cpu_to_le32(inode->i_nlink);
-	ri->i_blocks = cpu_to_le64(SECTOR_TO_BLOCK(inode->i_blocks) + 1);
+	ri->i_blocks = cpu_to_le64(SECTOR_TO_BLOCK(READ_ONCE(inode->i_blocks)) + 1);
 
 	if (!f2fs_is_atomic_file(inode) ||
 			is_inode_flag_set(inode, FI_ATOMIC_COMMITTED))
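Review bot: READ_ONCE() here only prevents the compiler from splitting or re-issuing the load; on 32-bit architectures a 64-bit READ_ONCE() may still be emitted as two 32-bit loads, so a torn value remains possible against a concurrent writer. The commit message's second paragraph ("compiler-induced tearing") states the accurate scope, but the first paragraph reads as if hardware tearing on 32-bit were also addressed; please align the two. For the annotation to be complete the writers under i_lock should also use WRITE_ONCE(), otherwise KCSAN will keep reporting the pair.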




* [PATCH 6.18 224/270] f2fs: fix fiemap boundary handling when read extent cache is incomplete
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit 95e159ad3e52f7478cfd22e44ec37c9f334f8993 upstream.

f2fs_fiemap() calls f2fs_map_blocks() to obtain the block mapping of a
file, and then merges contiguous mappings into extents. If the mapping
is found in the read extent cache, node blocks do not need to be read.
However, in the following scenario, a contiguous extent can be split
into two extents:

$ dd if=/dev/zero of=data.128M bs=1M count=128
$ losetup -f data.128M
$ mkfs.f2fs /dev/loop0 -f
$ mount -o mode=lfs /dev/loop0 /mnt/f2fs/
$ cd /mnt/f2fs/
$ dd if=/dev/zero of=data.72M bs=1M count=72 && sync
$ dd if=/dev/zero of=data.4M bs=1M count=4 && sync
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=2 conv=notrunc && sync
$ echo 3 > /proc/sys/vm/drop_caches
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=0 conv=notrunc && sync
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=0 conv=notrunc && sync
$ f2fs_io fiemap 0 1024 data.4M
Fiemap: offset = 0 len = 1024
logical addr.    physical addr.   length           flags
0	0000000000000000 0000000006400000 0000000000200000 00001000
1	0000000000200000 0000000006600000 0000000000200000 00001001

Although the physical addresses of the ranges 0~2MB and 2M~4MB are
contiguous, the mapping for the 2M~4MB range is not present in memory.
When the physical addresses for the 0~2MB range are updated, no merge
happens because the adjacent mapping is missing from the in-memory
cache. As a result, fiemap reports two separate extents instead of a
single contiguous one.

The root cause is that the read extent cache does not guarantee that all
blocks of an extent are present in memory. Therefore, when the extent
length returned by f2fs_map_blocks_cached() is smaller than maxblocks,
the remaining mappings are retrieved via f2fs_get_dnode_of_data() to
ensure correct fiemap extent boundary handling.

Cc: stable@kernel.org
Fixes: cd8fc5226bef ("f2fs: remove the create argument to f2fs_map_blocks")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/data.c |   25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1567,8 +1567,26 @@ int f2fs_map_blocks(struct inode *inode,
 	lfs_dio_write = (flag == F2FS_GET_BLOCK_DIO && f2fs_lfs_mode(sbi) &&
 				map->m_may_create);
 
-	if (!map->m_may_create && f2fs_map_blocks_cached(inode, map, flag))
-		goto out;
+	if (!map->m_may_create && f2fs_map_blocks_cached(inode, map, flag)) {
+		struct extent_info ei;
+
+		/*
+		 * 1. If map->m_multidev_dio is true, map->m_pblk cannot be
+		 * waitted by f2fs_wait_on_block_writeback_range() and are not
+		 * mergeable.
+		 * 2. If pgofs hits the read extent cache, it means the mapping
+		 * is already cached in the extent cache, but it is not
+		 * mergeable, and there is no need to query the mapping again
+		 * via f2fs_get_dnode_of_data().
+		 */
+		pgofs =	(pgoff_t)map->m_lblk + map->m_len;
+		if (map->m_len == maxblocks ||
+			map->m_multidev_dio ||
+			f2fs_lookup_read_extent_cache(inode, pgofs, &ei))
+			goto out;
+		ofs = map->m_len;
+		goto map_more;
+	}
 
 	map->m_bdev = inode->i_sb->s_bdev;
 	map->m_multidev_dio =
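Review bot: the `goto map_more` path jumps over the `map->m_bdev = inode->i_sb->s_bdev;` and `map->m_multidev_dio =` assignments that follow this hunk, so correctness depends on `f2fs_map_blocks_cached()` having already filled them in; the `map->m_multidev_dio` test in the new block implies it does, but a comment at `map_more:` saying so would make it explicit. Also, typos in the new comment: "waitted" should be "waited", and "map->m_pblk cannot be waitted ... and are not mergeable" mixes singular and plural; suggest "blocks mapped with m_multidev_dio cannot be waited on by f2fs_wait_on_block_writeback_range() and are not mergeable".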
@@ -1579,7 +1597,8 @@ int f2fs_map_blocks(struct inode *inode,
 
 	/* it only supports block size == page size */
 	pgofs =	(pgoff_t)map->m_lblk;
-	end = pgofs + maxblocks;
+map_more:
+	end = (pgoff_t)map->m_lblk + maxblocks;
 
 	if (flag == F2FS_GET_BLOCK_PRECACHE)
 		mode = LOOKUP_NODE_RA;
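Review bot: `end` is now computed from `map->m_lblk` rather than `pgofs` so that it is the same whether the code arrives here from the top (pgofs == m_lblk) or via `goto map_more` (pgofs == m_lblk + cached length); that is the reason for the change on the `end =` line and deserves a comment at the label, because on its own `(pgoff_t)map->m_lblk + maxblocks` looks like a gratuitous rewrite of `pgofs + maxblocks`.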




* [PATCH 6.18 225/270] f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit 019f9dda7f66e55eb94cd32e1d3fff5835f73fbc upstream.

f2fs_need_dentry_mark() reads nat_entry flags without mutual exclusion
with the checkpoint path, which can result in an incorrect inode block
marking state. The scenario is as follows:

create & write & fsync 'file A'                 write checkpoint
- f2fs_do_sync_file // inline inode
 - f2fs_write_inode // inode folio is dirty
                                                - f2fs_write_checkpoint
                                                 - f2fs_flush_merged_writes
                                                 - f2fs_sync_node_pages
 - f2fs_fsync_node_pages // no dirty node
 - f2fs_need_inode_block_update // return true
 - f2fs_fsync_node_pages // inode dirtied
  - f2fs_need_dentry_mark //return true
                                                 - f2fs_flush_nat_entries
                                                - f2fs_write_checkpoint end
  - __write_node_folio // inode with DENT_BIT_SHIFT set
  SPO, "fsck --dry-run" find inode has already checkpointed but still
  with DENT_BIT_SHIFT set

The state observed by f2fs_need_dentry_mark() can differ from the state
observed in __write_node_folio() after acquiring sbi->node_write. The
root cause is that the semantics of IS_CHECKPOINTED and
HAS_FSYNCED_INODE are only guaranteed after the checkpoint write has
fully completed.

This patch moves set_dentry_mark() into __write_node_folio() and
protects it with the sbi->node_write lock.

Cc: stable@kernel.org
Fixes: 88bd02c9472a ("f2fs: fix conditions to remain recovery information in f2fs_sync_file")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/node.c |   14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1780,13 +1780,12 @@ static bool __write_node_folio(struct fo
 		goto redirty_out;
 	}
 
-	if (atomic) {
-		if (!test_opt(sbi, NOBARRIER))
-			fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
-		if (IS_INODE(folio))
-			set_dentry_mark(folio,
+	if (atomic && !test_opt(sbi, NOBARRIER))
+		fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
+
+	if (IS_INODE(folio) && (atomic || is_fsync_dnode(folio)))
+		set_dentry_mark(folio,
 				f2fs_need_dentry_mark(sbi, ino_of_node(folio)));
-	}
 
 	/* should add to global list before clearing PAGECACHE status */
 	if (f2fs_in_warm_node_list(sbi, folio)) {
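Review bot: the description says set_dentry_mark() is now protected by sbi->node_write, but nothing in this hunk shows the lock, so a one-line comment above `if (IS_INODE(folio) && (atomic || is_fsync_dnode(folio)))` stating that it must run with node_write held would stop someone hoisting it out later. Also the continuation line `f2fs_need_dentry_mark(sbi, ino_of_node(folio)));` kept its old indentation and now sits one tab deeper than the `set_dentry_mark(folio,` it belongs to.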
@@ -1927,9 +1926,6 @@ continue_unlock:
 					if (is_inode_flag_set(inode,
 								FI_DIRTY_INODE))
 						f2fs_update_inode(inode, folio);
-					if (!atomic)
-						set_dentry_mark(folio,
-							f2fs_need_dentry_mark(sbi, ino));
 				}
 				/* may be written by other thread */
 				if (!folio_test_dirty(folio))
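Review bot: dropping the `if (!atomic) set_dentry_mark(...)` here is only equivalent if set_fsync_mark() has been applied to the folio before __write_node_folio() runs, because the replacement condition is is_fsync_dnode(folio) rather than !atomic; a short comment at the __write_node_folio() call site noting that the fsync mark must already be set would make that ordering explicit.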



* [PATCH 6.18 226/270] f2fs: fix incorrect file address mapping when inline inode is unwritten
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 225/270] f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 227/270] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit 68a0178981a0f493295afa29f8880246e561494c upstream.

When `fileinfo->fi_flags` does not have the `FIEMAP_FLAG_SYNC` bit set
and inline data has not been persisted yet, the physical address of the
extent is calculated incorrectly for unwritten inline inodes.

root@vm:/mnt/f2fs# dd if=/dev/zero of=data.3k bs=3k count=1
root@vm:/mnt/f2fs# f2fs_io fiemap 0 100 data.3k
Fiemap: offset = 0 len = 100
	logical addr.    physical addr.   length           flags
0	0000000000000000 00000ffffffff16c 0000000000000c00 00000301

This patch fixes the issue by checking if the inode's address is valid.
If the inline inode is unwritten, set the physical address to 0 and
mark the extent with `FIEMAP_EXTENT_UNKNOWN | FIEMAP_EXTENT_DELALLOC`
flags.

Cc: stable@kernel.org
Fixes: 67f8cf3cee6f ("f2fs: support fiemap for inline_data")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/inline.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -790,7 +790,7 @@ int f2fs_read_inline_dir(struct file *fi
 int f2fs_inline_data_fiemap(struct inode *inode,
 		struct fiemap_extent_info *fieinfo, __u64 start, __u64 len)
 {
-	__u64 byteaddr, ilen;
+	__u64 byteaddr = 0, ilen;
 	__u32 flags = FIEMAP_EXTENT_DATA_INLINE | FIEMAP_EXTENT_NOT_ALIGNED |
 		FIEMAP_EXTENT_LAST;
 	struct node_info ni;
@@ -823,9 +823,14 @@ int f2fs_inline_data_fiemap(struct inode
 	if (err)
 		goto out;
 
-	byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
-	byteaddr += (char *)inline_data_addr(inode, ifolio) -
-					(char *)F2FS_INODE(ifolio);
+	if (__is_valid_data_blkaddr(ni.blk_addr)) {
+		byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
+		byteaddr += (char *)inline_data_addr(inode, ifolio) -
+						(char *)F2FS_INODE(ifolio);
+	} else {
+		f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR);
+		flags |= FIEMAP_EXTENT_DELALLOC | FIEMAP_EXTENT_UNKNOWN;
+	}
 	err = fiemap_fill_next_extent(fieinfo, start, byteaddr, ilen, flags);
 	trace_f2fs_fiemap(inode, start, byteaddr, ilen, flags, err);
 out:
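Review bot: `f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR)` turns an unexpected NAT address (NULL_ADDR, or a corrupted entry on an untrusted image) into a BUG_ON when CONFIG_F2FS_CHECK_FS is enabled, and only a WARN plus SBI_NEED_FSCK otherwise, on a path reachable from an unprivileged FS_IOC_FIEMAP call. Preferable is to treat it as corruption (return -EFSCORRUPTED via the existing error handling) instead of asserting. The else branch is otherwise fine: byteaddr stays 0 from its initialiser and the extent is reported as DELALLOC|UNKNOWN, which a comment above the branch could say outright.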



* [PATCH 6.18 227/270] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 226/270] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 228/270] f2fs: fix node_cnt race between extent node destroy and writeback Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit eb2ca3ca983551a80e16a4a25df5a4ce59df8484 upstream.

When f2fs_map_blocks()->f2fs_map_blocks_cached() hits the read extent
cache, map->m_multidev_dio is not updated, which leads to incorrect
multidevice information being reported by trace_f2fs_map_blocks().

This patch updates map->m_multidev_dio in f2fs_map_blocks_cached() when
the read extent cache is hit.

Cc: stable@kernel.org
Fixes: 0094e98bd147 ("f2fs: factor a f2fs_map_blocks_cached helper")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/data.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1508,7 +1508,8 @@ static bool f2fs_map_blocks_cached(struc
 		f2fs_wait_on_block_writeback_range(inode,
 					map->m_pblk, map->m_len);
 
-	if (f2fs_allow_multi_device_dio(sbi, flag)) {
+	map->m_multidev_dio = f2fs_allow_multi_device_dio(sbi, flag);
+	if (map->m_multidev_dio) {
 		int bidx = f2fs_target_device_index(sbi, map->m_pblk);
 		struct f2fs_dev_info *dev = &sbi->devs[bidx];
 
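Review bot: assigning `map->m_multidev_dio = f2fs_allow_multi_device_dio(sbi, flag);` unconditionally before the `if` is the right shape, since it no longer depends on the caller having zeroed the field; confirm the non-cached lookup path in f2fs_map_blocks() sets the field with the same expression, otherwise trace_f2fs_map_blocks() will still disagree between a cache hit and a miss for the same block.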



* [PATCH 6.18 228/270] f2fs: fix node_cnt race between extent node destroy and writeback
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 227/270] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 229/270] f2fs: fix uninitialized kobject put in f2fs_init_sysfs() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yongpeng Yang, Chao Yu, Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit ed78aeebef05212ef7dca93bd931e4eff67c113f upstream.

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback can insert new extent nodes into the same
extent tree, racing with the destroy and triggering f2fs_bug_on() in
__destroy_extent_node(). The scenario is as follows:

drop inode                            writeback
 - iput
  - f2fs_drop_inode  // I_SYNC set
   - f2fs_destroy_extent_node
    - __destroy_extent_node
     - while (node_cnt) {
        write_lock(&et->lock)
        __free_extent_tree
        write_unlock(&et->lock)
                                       - __writeback_single_inode
                                        - f2fs_outplace_write_data
                                         - f2fs_update_read_extent_cache
                                          - __update_extent_tree_range
                                           // FI_NO_EXTENT not set,
                                           // insert new extent node
       } // node_cnt == 0, exit while
     - f2fs_bug_on(node_cnt)  // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(),
consistent with other callers (__update_extent_tree_range and
__drop_extent_tree) and checks FI_NO_EXTENT for both EX_READ and
EX_BLOCK_AGE trees.

Fixes: 3fc5d5a182f6 ("f2fs: fix to shrink read extent node in batches")
Cc: stable@vger.kernel.org
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/extent_cache.c |   17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -119,9 +119,10 @@ static bool __may_extent_tree(struct ino
 	if (!__init_may_extent_tree(inode, type))
 		return false;
 
+	if (is_inode_flag_set(inode, FI_NO_EXTENT))
+		return false;
+
 	if (type == EX_READ) {
-		if (is_inode_flag_set(inode, FI_NO_EXTENT))
-			return false;
 		if (is_inode_flag_set(inode, FI_COMPRESSED_FILE) &&
 				 !f2fs_sb_has_readonly(F2FS_I_SB(inode)))
 			return false;
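Review bot: this FI_NO_EXTENT test runs without et->lock, so it is only a fast-path hint; the locked re-check in __update_extent_tree_range() is what closes the race described in the commit message. A brief comment here saying so would keep a later cleanup from removing the locked check as redundant.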
@@ -644,6 +645,8 @@ static unsigned int __destroy_extent_nod
 
 	while (atomic_read(&et->node_cnt)) {
 		write_lock(&et->lock);
+		if (!is_inode_flag_set(inode, FI_NO_EXTENT))
+			set_inode_flag(inode, FI_NO_EXTENT);
 		node_cnt += __free_extent_tree(sbi, et, nr_shrink);
 		write_unlock(&et->lock);
 	}
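Review bot: FI_NO_EXTENT is only set when the loop body runs, i.e. when node_cnt is non-zero on entry; if the tree is already empty the flag stays clear, and a concurrent __update_extent_tree_range() can still insert nodes after this function returns. If callers rely on the flag to stop later insertions, set it under write_lock(&et->lock) unconditionally before the `while (atomic_read(&et->node_cnt))` loop rather than inside it. The `if (!is_inode_flag_set(...))` guard is fine as a way to skip the redundant atomic set on later iterations.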
@@ -688,12 +691,12 @@ static void __update_extent_tree_range(s
 
 	write_lock(&et->lock);
 
-	if (type == EX_READ) {
-		if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
-			write_unlock(&et->lock);
-			return;
-		}
+	if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
+		write_unlock(&et->lock);
+		return;
+	}
 
+	if (type == EX_READ) {
 		prev = et->largest;
 		dei.len = 0;
 



* [PATCH 6.18 229/270] f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 228/270] f2fs: fix node_cnt race between extent node destroy and writeback Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 230/270] f2fs: refactor f2fs_move_node_folio function Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Chao Yu, Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit b635f2ecdb5ad34f9c967cabb704d6bed9382fd0 upstream.

In f2fs_init_sysfs(), all failure paths after kset_register() jump to
put_kobject, which unconditionally releases both f2fs_tune and
f2fs_feat.

If kobject_init_and_add(&f2fs_feat, ...) fails, f2fs_tune has not been
initialized yet, so calling kobject_put(&f2fs_tune) is invalid.

Fix this by splitting the unwind path so each error path only releases
objects that were successfully initialized.

Fixes: a907f3a68ee26ba4 ("f2fs: add a sysfs entry to reclaim POSIX_FADV_NOREUSE pages")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/sysfs.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -1935,24 +1935,26 @@ int __init f2fs_init_sysfs(void)
 	ret = kobject_init_and_add(&f2fs_feat, &f2fs_feat_ktype,
 				   NULL, "features");
 	if (ret)
-		goto put_kobject;
+		goto unregister_kset;
 
 	ret = kobject_init_and_add(&f2fs_tune, &f2fs_tune_ktype,
 				   NULL, "tuning");
 	if (ret)
-		goto put_kobject;
+		goto put_feat;
 
 	f2fs_proc_root = proc_mkdir("fs/f2fs", NULL);
 	if (!f2fs_proc_root) {
 		ret = -ENOMEM;
-		goto put_kobject;
+		goto put_tune;
 	}
 
 	return 0;
 
-put_kobject:
+put_tune:
 	kobject_put(&f2fs_tune);
+put_feat:
 	kobject_put(&f2fs_feat);
+unregister_kset:
 	kset_unregister(&f2fs_kset);
 	return ret;
 }
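Review bot: the kobject whose kobject_init_and_add() failed is never put on its own failure path (a failing f2fs_feat init jumps to unregister_kset, a failing f2fs_tune init to put_feat). The kobject core documents that kobject_put() is still required after a failed kobject_init_and_add() to drop the reference taken by kobject_init(); for these static, embedded kobjects skipping it is harmless only if f2fs_feat_ktype/f2fs_tune_ktype have no release work to do, so either put the failed object as well or add a comment explaining why it is safe to skip.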



* [PATCH 6.18 230/270] f2fs: refactor f2fs_move_node_folio function
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 229/270] f2fs: fix uninitialized kobject put in f2fs_init_sysfs() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 231/270] f2fs: fix inline data not being written to disk in writeback path Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit 92c20989366e023b74fa0c1028af9436c1917dbf upstream.

This patch refactors the f2fs_move_node_folio() function. No logical
changes.

Cc: stable@kernel.org
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/node.c |   54 ++++++++++++++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 22 deletions(-)

--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1821,41 +1821,51 @@ redirty_out:
 	return false;
 }
 
-int f2fs_move_node_folio(struct folio *node_folio, int gc_type)
+static int f2fs_write_single_node_folio(struct folio *node_folio, int sync_mode,
+			bool mark_dirty, enum iostat_type io_type)
 {
 	int err = 0;
+	struct writeback_control wbc = {
+		.sync_mode = WB_SYNC_ALL,
+		.nr_to_write = 1,
+	};
 
-	if (gc_type == FG_GC) {
-		struct writeback_control wbc = {
-			.sync_mode = WB_SYNC_ALL,
-			.nr_to_write = 1,
-		};
+	if (!sync_mode) {
+		/* set page dirty and write it */
+		if (!folio_test_writeback(node_folio))
+			folio_mark_dirty(node_folio);
+		goto out_folio;
+	}
 
-		f2fs_folio_wait_writeback(node_folio, NODE, true, true);
+	f2fs_folio_wait_writeback(node_folio, NODE, true, true);
 
+	if (mark_dirty)
 		folio_mark_dirty(node_folio);
+	else if (!folio_test_dirty(node_folio))
+		goto out_folio;
 
-		if (!folio_clear_dirty_for_io(node_folio)) {
-			err = -EAGAIN;
-			goto out_page;
-		}
-
-		if (!__write_node_folio(node_folio, false, NULL,
-					&wbc, false, FS_GC_NODE_IO, NULL))
-			err = -EAGAIN;
-		goto release_page;
-	} else {
-		/* set page dirty and write it */
-		if (!folio_test_writeback(node_folio))
-			folio_mark_dirty(node_folio);
+	if (!folio_clear_dirty_for_io(node_folio)) {
+		err = -EAGAIN;
+		goto out_folio;
 	}
-out_page:
+
+	if (!__write_node_folio(node_folio, false, NULL,
+				&wbc, false, FS_GC_NODE_IO, NULL))
+		err = -EAGAIN;
+	goto release_folio;
+out_folio:
 	folio_unlock(node_folio);
-release_page:
+release_folio:
 	f2fs_folio_put(node_folio, false);
 	return err;
 }
 
+int f2fs_move_node_folio(struct folio *node_folio, int gc_type)
+{
+	return f2fs_write_single_node_folio(node_folio, gc_type == FG_GC,
+			true, FS_GC_NODE_IO);
+}
+
 int f2fs_fsync_node_pages(struct f2fs_sb_info *sbi, struct inode *inode,
 			struct writeback_control *wbc, bool atomic,
 			unsigned int *seq_id)
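Review bot: the new io_type parameter is accepted but never used: the call `__write_node_folio(node_folio, false, NULL, &wbc, false, FS_GC_NODE_IO, NULL)` still hard-codes FS_GC_NODE_IO, so any caller passing a different iostat type gets GC accounting. Pass io_type through there. Also `int sync_mode` is used purely as a boolean and the wrapper passes `gc_type == FG_GC`; declaring it `bool sync` would be clearer than an int whose name suggests a WB_SYNC_* value.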



* [PATCH 6.18 231/270] f2fs: fix inline data not being written to disk in writeback path
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 230/270] f2fs: refactor f2fs_move_node_folio function Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 232/270] f2fs: fix fsck inconsistency caused by FGGC of node block Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit fe9b8b30b97102859a9102be7bd2a09803bd90bd upstream.

When f2fs_fiemap() is called with `fileinfo->fi_flags` containing the
FIEMAP_FLAG_SYNC flag, it attempts to write data to disk before
retrieving file mappings via filemap_write_and_wait(). However, there is
an issue where the file does not get mapped as expected. The following
scenario can occur:

root@vm:/mnt/f2fs# dd if=/dev/zero of=data.3k bs=3k count=1
root@vm:/mnt/f2fs# xfs_io data.3k -c "fiemap -v 0 4096"
data.3k:
 EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
   0: [0..5]:          0..5                 6 0x307

The root cause of this issue is that f2fs_write_single_data_page() only
calls f2fs_write_inline_data() to copy data from the data folio to the
inode folio, and it clears the dirty flag on the data folio. However, it
does not mark the data folio as writeback. When
__filemap_fdatawait_range() checks for folios with the writeback flag,
it returns early, causing f2fs_fiemap() to report that the file has no
mapping.

To fix this issue, the solution is to call
f2fs_write_single_node_folio() in f2fs_inline_data_fiemap() when
getting fiemap with FIEMAP_FLAG_SYNC flags. This patch ensures that the
inode folio is written back and the writeback process completes before
proceeding.

Cc: stable@kernel.org
Fixes: 9ffe0fb5f3bb ("f2fs: handle inline data operations")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/f2fs.h   |    2 ++
 fs/f2fs/inline.c |    9 +++++++++
 fs/f2fs/node.c   |    2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)

--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3888,6 +3888,8 @@ int f2fs_sanity_check_node_footer(struct
 					enum node_type ntype, bool in_irq);
 struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino);
 struct folio *f2fs_get_xnode_folio(struct f2fs_sb_info *sbi, pgoff_t xnid);
+int f2fs_write_single_node_folio(struct folio *node_folio, int sync_mode,
+			bool mark_dirty, enum iostat_type io_type);
 int f2fs_move_node_folio(struct folio *node_folio, int gc_type);
 void f2fs_flush_inline_data(struct f2fs_sb_info *sbi);
 int f2fs_fsync_node_pages(struct f2fs_sb_info *sbi, struct inode *inode,
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -812,6 +812,15 @@ int f2fs_inline_data_fiemap(struct inode
 		goto out;
 	}
 
+	if (fieinfo->fi_flags & FIEMAP_FLAG_SYNC) {
+		err = f2fs_write_single_node_folio(ifolio, true, false, FS_NODE_IO);
+		if (err)
+			return err;
+		ifolio = f2fs_get_inode_folio(F2FS_I_SB(inode), inode->i_ino);
+		if (IS_ERR(ifolio))
+			return PTR_ERR(ifolio);
+		f2fs_folio_wait_writeback(ifolio, NODE, true, true);
+	}
 	ilen = min_t(size_t, MAX_INLINE_DATA(inode), i_size_read(inode));
 	if (start >= ilen)
 		goto out;
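Review bot: the two new error exits use `return err;` and `return PTR_ERR(ifolio);` while the surrounding code uses `goto out;`; if the out: label releases anything acquired earlier in f2fs_inline_data_fiemap() (the inode lock, or the original ifolio reference), these returns skip it. Since f2fs_write_single_node_folio() unlocks and drops the folio it is handed, the old ifolio must not be used after the call and re-fetching it with f2fs_get_inode_folio() is correct, but a comment stating that the callee consumes the reference would explain why plain returns are used here and prevent someone "fixing" them back to `goto out`.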
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1821,7 +1821,7 @@ redirty_out:
 	return false;
 }
 
-static int f2fs_write_single_node_folio(struct folio *node_folio, int sync_mode,
+int f2fs_write_single_node_folio(struct folio *node_folio, int sync_mode,
 			bool mark_dirty, enum iostat_type io_type)
 {
 	int err = 0;



* [PATCH 6.18 232/270] f2fs: fix fsck inconsistency caused by FGGC of node block
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 231/270] f2fs: fix inline data not being written to disk in writeback path Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 233/270] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit c3e238bd1f56993f205ef83889d406dfeaf717a8 upstream.

During FGGC node block migration, fsck may incorrectly treat the
migrated node block as fsync-written data.

The reproduction scenario:
root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync
root@vm:/mnt/f2fs# rm -f 1
root@vm:/mnt/f2fs# sync
root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP
  SPO, "fsck --dry-run" find inode has already checkpointed but still
  with DENT_BIT_SHIFT set

The root cause is that GC does not clear the dentry mark and fsync mark
during node block migration, leading fsck to misinterpret them as
user-issued fsync writes.

In BGGC mode, node block migration is handled by f2fs_sync_node_pages(),
which guarantees the dentry and fsync marks are cleared before writing.

This patch moves the set/clear of the fsync|dentry marks into
__write_node_folio to make the logic clearer, and ensures the
fsync|dentry mark is cleared in FGGC.

Cc: stable@kernel.org
Fixes: da011cc0da8c ("f2fs: move node pages only in victim section during GC")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/node.c |   27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1709,9 +1709,10 @@ continue_unlock:
 	return last_folio;
 }
 
-static bool __write_node_folio(struct folio *folio, bool atomic, bool *submitted,
-				struct writeback_control *wbc, bool do_balance,
-				enum iostat_type io_type, unsigned int *seq_id)
+static bool __write_node_folio(struct folio *folio, bool atomic, bool do_fsync,
+				bool *submitted, struct writeback_control *wbc,
+				bool do_balance, enum iostat_type io_type,
+				unsigned int *seq_id)
 {
 	struct f2fs_sb_info *sbi = F2FS_F_SB(folio);
 	nid_t nid;
@@ -1783,6 +1784,8 @@ static bool __write_node_folio(struct fo
 	if (atomic && !test_opt(sbi, NOBARRIER))
 		fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
 
+	set_dentry_mark(folio, false);
+	set_fsync_mark(folio, do_fsync);
 	if (IS_INODE(folio) && (atomic || is_fsync_dnode(folio)))
 		set_dentry_mark(folio,
 				f2fs_need_dentry_mark(sbi, ino_of_node(folio)));
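Review bot: with `set_fsync_mark(folio, do_fsync);` issued immediately before, `is_fsync_dnode(folio)` in the condition is just do_fsync read back from the node footer; writing `(atomic || do_fsync)` states the dependency directly instead of leaving the reader to check whether another path could set the bit in between. A comment that the unconditional `set_dentry_mark(folio, false);` is what clears stale marks on nodes migrated by FGGC would also tie the code to the bug being fixed.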
@@ -1849,7 +1852,7 @@ int f2fs_write_single_node_folio(struct
 		goto out_folio;
 	}
 
-	if (!__write_node_folio(node_folio, false, NULL,
+	if (!__write_node_folio(node_folio, false, false, NULL,
 				&wbc, false, FS_GC_NODE_IO, NULL))
 		err = -EAGAIN;
 	goto release_folio;
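Review bot: passing `false` for do_fsync here means an FGGC migration of a node block that still carries a live fsync mark (fsync issued, no checkpoint yet) writes the new copy without that mark, whereas before this change the footer kept whatever marks the previous write left. The description argues this matches what BGGC does via f2fs_sync_node_pages(); it should also state explicitly that roll-forward recovery after a crash does not depend on the migrated copy retaining the mark.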
@@ -1896,6 +1899,7 @@ retry:
 		for (i = 0; i < nr_folios; i++) {
 			struct folio *folio = fbatch.folios[i];
 			bool submitted = false;
+			bool do_fsync = false;
 
 			if (unlikely(f2fs_cp_error(sbi))) {
 				f2fs_folio_put(last_folio, false);
@@ -1926,11 +1930,8 @@ continue_unlock:
 
 			f2fs_folio_wait_writeback(folio, NODE, true, true);
 
-			set_fsync_mark(folio, 0);
-			set_dentry_mark(folio, 0);
-
 			if (!atomic || folio == last_folio) {
-				set_fsync_mark(folio, 1);
+				do_fsync = true;
 				percpu_counter_inc(&sbi->rf_node_block_count);
 				if (IS_INODE(folio)) {
 					if (is_inode_flag_set(inode,
@@ -1947,8 +1948,9 @@ continue_unlock:
 
 			if (!__write_node_folio(folio, atomic &&
 						folio == last_folio,
-						&submitted, wbc, true,
-						FS_NODE_IO, seq_id)) {
+						do_fsync, &submitted,
+						wbc, true, FS_NODE_IO,
+						seq_id)) {
 				f2fs_folio_put(last_folio, false);
 				folio_batch_release(&fbatch);
 				ret = -EIO;
@@ -2148,10 +2150,7 @@ write_node:
 			if (!folio_clear_dirty_for_io(folio))
 				goto continue_unlock;
 
-			set_fsync_mark(folio, 0);
-			set_dentry_mark(folio, 0);
-
-			if (!__write_node_folio(folio, false, &submitted,
+			if (!__write_node_folio(folio, false, false, &submitted,
 					wbc, do_balance, io_type, NULL)) {
 				folio_batch_release(&fbatch);
 				ret = -EIO;



* [PATCH 6.18 233/270] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 232/270] f2fs: fix fsck inconsistency caused by FGGC of node block Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 234/270] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <maz@kernel.org>

commit 4ce98bf0865c349e7026ad9c14f48da264920953 upstream.

It appears that there is nothing in the wake-up path that
evaluates whether the in-kernel interrupts are pending unless
we have a vgic.

This means that the userspace irqchip support has been broken for
about four years, and nobody noticed. It was also broken before
as we wouldn't wake-up on a PMU interrupt, but hey, who cares...

It is probably time to remove the feature altogether, because it
was a terrible idea 10 years ago, and it still is.

Fixes: b57de4ffd7c6d ("KVM: arm64: Simplify kvm_cpu_has_pending_timer()")
Link: https://patch.msgid.link/20260423163607.486345-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/arm.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -755,6 +755,10 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
 {
 	bool irq_lines = *vcpu_hcr(v) & (HCR_VI | HCR_VF | HCR_VSE);
 
+	irq_lines |= (!irqchip_in_kernel(v->kvm) &&
+		      (kvm_timer_should_notify_user(v) ||
+		       kvm_pmu_should_notify_user(v)));
+
 	return ((irq_lines || kvm_vgic_vcpu_pending_irq(v))
 		&& !kvm_arm_vcpu_stopped(v) && !v->arch.pause);
 }
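Review bot: the added term is only evaluated when the irqchip lives in userspace, which is right because kvm_timer_should_notify_user() and kvm_pmu_should_notify_user() describe interrupts userspace rather than the vgic has to deliver; a one-line comment above `irq_lines |= ...` saying so would help, since nothing else in kvm_arch_vcpu_runnable() hints why the kvm_vgic_vcpu_pending_irq() check on the following line is not enough. Folding the result into `bool irq_lines` works, but a separate `bool userspace_irq` would read better than widening the meaning of irq_lines.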



* [PATCH 6.18 234/270] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 233/270] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 235/270] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Woodhouse, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit a0e6ae45af17e8b27958830595799c702ffbab8d upstream.

The uaccess write handlers for GICD_IIDR in both GICv2 and GICv3
extract the revision field from 'reg' (the current IIDR value read back
from the emulated distributor) instead of 'val' (the value userspace is
trying to write). This means userspace can never actually change the
implementation revision — the extracted value is always the current one.

Fix the FIELD_GET to use 'val' so that userspace can select a different
revision for migration compatibility.

Fixes: 49a1a2c70a7f ("KVM: arm64: vgic-v3: Advertise GICR_CTLR.{IR, CES} as a new GICD_IIDR revision")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Link: https://patch.msgid.link/20260407210949.2076251-2-dwmw2@infradead.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/vgic/vgic-mmio-v2.c |    2 +-
 arch/arm64/kvm/vgic/vgic-mmio-v3.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/vgic/vgic-mmio-v2.c
+++ b/arch/arm64/kvm/vgic/vgic-mmio-v2.c
@@ -91,7 +91,7 @@ static int vgic_mmio_uaccess_write_v2_mi
 		 * migration from old kernels to new kernels with legacy
 		 * userspace.
 		 */
-		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, reg);
+		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, val);
 		switch (reg) {
 		case KVM_VGIC_IMP_REV_2:
 		case KVM_VGIC_IMP_REV_3:
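Review bot: reusing `reg` for two different things (the full IIDR read back earlier in the function, then the revision extracted from val) is what let the original `FIELD_GET(GICD_IIDR_REVISION_MASK, reg)` pass review; a dedicated `u32 rev = FIELD_GET(GICD_IIDR_REVISION_MASK, val);` used in the switch would make a regression of this kind visible at a glance.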
--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
@@ -194,7 +194,7 @@ static int vgic_mmio_uaccess_write_v3_mi
 		if ((reg ^ val) & ~GICD_IIDR_REVISION_MASK)
 			return -EINVAL;
 
-		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, reg);
+		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, val);
 		switch (reg) {
 		case KVM_VGIC_IMP_REV_2:
 		case KVM_VGIC_IMP_REV_3:
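Review bot: the `(reg ^ val) & ~GICD_IIDR_REVISION_MASK` check above guarantees only the revision field can differ, so after this fix the switch on the userspace-supplied revision is the sole remaining validation on this path; confirm the switch's default case rejects with -EINVAL any revision outside the KVM_VGIC_IMP_REV_* set so a migration source cannot select an unsupported value.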



* [PATCH 6.18 235/270] KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 234/270] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 236/270] KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Quentin Perret, Fuad Tabba,
	Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quentin Perret <qperret@google.com>

commit 5bb0aed57ba944f8c201e4e82ec066e0187e0f85 upstream.

fix_host_ownership() walks the hypervisor's stage-1 page-table to
adjust the host's stage-2 accordingly. Any such adjustment that
requires cache maintenance operations depends on the per-CPU hyp
fixmap being present. However, fix_host_ownership() is currently
called before fix_hyp_pgtable_refcnt() and hyp_create_fixmap(), so
the fixmap does not yet exist when it runs.

This is benign today because the host stage-2 starts empty and no
CMOs are needed, but it becomes a latent crash as soon as
fix_host_ownership() is extended to operate on a non-empty
page-table.

Reorder the calls so that fix_hyp_pgtable_refcnt() and
hyp_create_fixmap() complete before fix_host_ownership() is invoked.

Fixes: 0d16d12eb26e ("KVM: arm64: Fix-up hyp stage-1 refcounts for all pages mapped at EL2")
Signed-off-by: Quentin Perret <qperret@google.com>
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260424084908.370776-7-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/hyp/nvhe/setup.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm64/kvm/hyp/nvhe/setup.c
+++ b/arch/arm64/kvm/hyp/nvhe/setup.c
@@ -312,15 +312,15 @@ void __noreturn __pkvm_init_finalise(voi
 	};
 	pkvm_pgtable.mm_ops = &pkvm_pgtable_mm_ops;
 
-	ret = fix_host_ownership();
+	ret = fix_hyp_pgtable_refcnt();
 	if (ret)
 		goto out;
 
-	ret = fix_hyp_pgtable_refcnt();
+	ret = hyp_create_fixmap();
 	if (ret)
 		goto out;
 
-	ret = hyp_create_fixmap();
+	ret = fix_host_ownership();
 	if (ret)
 		goto out;
 
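Review bot: the new order encodes a dependency that nothing in the visible code states: fix_host_ownership() needs the per-CPU fixmap from hyp_create_fixmap(), which itself follows fix_hyp_pgtable_refcnt(). A one-line comment above ret = fix_hyp_pgtable_refcnt(); saying the three calls must run in this order would keep a later cleanup from reordering them back, which the commit message says is benign today and a crash once fix_host_ownership() operates on a non-empty table.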



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 236/270] KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 235/270] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 237/270] KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fuad Tabba, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fuad Tabba <tabba@google.com>

commit 08d715338287a1affb4c7ad5733decef4558a5c8 upstream.

FEAT_SPE_FnE is architecturally detected via PMSIDR_EL1.FnE [6], not
ID_AA64DFR0_EL1.PMSVer. The FEAT_X macro form (register, field, value)
cannot encode a PMSIDR_EL1-based feature, so FEAT_SPE_FnE was defined
identically to FEAT_SPEv1p2 (ID_AA64DFR0_EL1, PMSVer, V1P2), producing
a duplicate that used PMSVer >= V1P2 as a proxy.

Replace the macro with feat_spe_fne(), following the same pattern as
the sibling feat_spe_fds(): guard on FEAT_SPEv1p2 and read
PMSIDR_EL1.FnE [6] directly. Wire the two NEEDS_FEAT consumers to use
the new function.

Remove the now-unused FEAT_SPE_FnE macro.

Fixes: 63d423a7635b ("KVM: arm64: Switch to table-driven FGU configuration")
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260424084908.370776-4-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/config.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/arch/arm64/kvm/config.c
+++ b/arch/arm64/kvm/config.c
@@ -127,7 +127,6 @@ struct reg_feat_map_desc {
 	}
 
 #define FEAT_SPE		ID_AA64DFR0_EL1, PMSVer, IMP
-#define FEAT_SPE_FnE		ID_AA64DFR0_EL1, PMSVer, V1P2
 #define FEAT_BRBE		ID_AA64DFR0_EL1, BRBE, IMP
 #define FEAT_TRC_SR		ID_AA64DFR0_EL1, TraceVer, IMP
 #define FEAT_PMUv3		ID_AA64DFR0_EL1, PMUVer, IMP
@@ -294,6 +293,16 @@ static bool feat_spe_fds(struct kvm *kvm
 		(read_sysreg_s(SYS_PMSIDR_EL1) & PMSIDR_EL1_FDS));
 }
 
+static bool feat_spe_fne(struct kvm *kvm)
+{
+	/*
+	 * Revisit this if KVM ever supports SPE -- this really should
+	 * look at the guest's view of PMSIDR_EL1.
+	 */
+	return (kvm_has_feat(kvm, FEAT_SPEv1p2) &&
+		(read_sysreg_s(SYS_PMSIDR_EL1) & PMSIDR_EL1_FnE));
+}
+
 static bool feat_trbe_mpam(struct kvm *kvm)
 {
 	/*
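Review bot: feat_spe_fne() mixes the guest's view (kvm_has_feat(kvm, FEAT_SPEv1p2)) with the host's raw PMSIDR_EL1 read on whichever CPU evaluates the table, exactly as the sibling feat_spe_fds() above it does; the in-code comment flags the guest-view part but not the per-CPU part. On a system where PMSIDR_EL1 differs between CPUs the answer depends on where the FGU configuration runs, so the comment should say so next to the "Revisit" remark, and both helpers should be fixed together when that is addressed.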
@@ -547,7 +556,7 @@ static const struct reg_bits_to_feat_map
 		   HDFGRTR_EL2_PMBPTR_EL1	|
 		   HDFGRTR_EL2_PMBLIMITR_EL1,
 		   FEAT_SPE),
-	NEEDS_FEAT(HDFGRTR_EL2_nPMSNEVFR_EL1, FEAT_SPE_FnE),
+	NEEDS_FEAT(HDFGRTR_EL2_nPMSNEVFR_EL1, feat_spe_fne),
 	NEEDS_FEAT(HDFGRTR_EL2_nBRBDATA		|
 		   HDFGRTR_EL2_nBRBCTL		|
 		   HDFGRTR_EL2_nBRBIDR,
@@ -615,7 +624,7 @@ static const struct reg_bits_to_feat_map
 		   HDFGWTR_EL2_PMBPTR_EL1	|
 		   HDFGWTR_EL2_PMBLIMITR_EL1,
 		   FEAT_SPE),
-	NEEDS_FEAT(HDFGWTR_EL2_nPMSNEVFR_EL1, FEAT_SPE_FnE),
+	NEEDS_FEAT(HDFGWTR_EL2_nPMSNEVFR_EL1, feat_spe_fne),
 	NEEDS_FEAT(HDFGWTR_EL2_nBRBDATA		|
 		   HDFGWTR_EL2_nBRBCTL,
 		   FEAT_BRBE),



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 237/270] KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 236/270] KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 238/270] KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fuad Tabba, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fuad Tabba <tabba@google.com>

commit 7fe2cd4e1a3ad230d8fcc00cc99c4bcce4412a75 upstream.

FEAT_Debugv8p9 is incorrectly defined against ID_AA64DFR0_EL1.PMUVer
instead of ID_AA64DFR0_EL1.DebugVer.  All three consumers of the macro
gate features that are architecturally tied to FEAT_Debugv8p9
(DebugVer = 0b1011, DDI0487 M.b A2.2.10):

  - HDFGRTR2_EL2.nMDSELR_EL1, HDFGWTR2_EL2.nMDSELR_EL1: MDSELR_EL1
    is present only when FEAT_Debugv8p9 is implemented (D24.3.21).

  - MDCR_EL2.EBWE: the Extended Breakpoint and Watchpoint Enable bit
    is RES0 unless FEAT_Debugv8p9 is implemented (D24.3.17).

Neither register has any dependency on PMUVer.

FEAT_Debugv8p9 and FEAT_PMUv3p9 are independent.  Per DDI0487 M.b
A2.2.10, FEAT_Debugv8p9 is unconditionally mandatory from Armv8.9,
whereas FEAT_PMUv3p9 is mandatory only when FEAT_PMUv3 is implemented.
An Armv8.9 CPU without a PMU has DebugVer = 0b1011 but PMUVer = 0b0000,
so the wrong field check would cause KVM to incorrectly treat EBWE and
MDSELR_EL1 as RES0 on such hardware.

Fixes: 4bc0fe089840 ("KVM: arm64: Add sanitisation for FEAT_FGT2 registers")
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260424084908.370776-2-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/config.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kvm/config.c
+++ b/arch/arm64/kvm/config.c
@@ -187,7 +187,7 @@ struct reg_feat_map_desc {
 #define FEAT_SRMASK		ID_AA64MMFR4_EL1, SRMASK, IMP
 #define FEAT_PoPS		ID_AA64MMFR4_EL1, PoPS, IMP
 #define FEAT_PFAR		ID_AA64PFR1_EL1, PFAR, IMP
-#define FEAT_Debugv8p9		ID_AA64DFR0_EL1, PMUVer, V3P9
+#define FEAT_Debugv8p9		ID_AA64DFR0_EL1, DebugVer, V8P9
 #define FEAT_PMUv3_SS		ID_AA64DFR0_EL1, PMSS, IMP
 #define FEAT_SEBEP		ID_AA64DFR0_EL1, SEBEP, IMP
 #define FEAT_EBEP		ID_AA64DFR1_EL1, EBEP, IMP
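Review bot: the one-token change makes the macro expand to the DebugVer V8P9 field encoding (0b1011 per the commit message), so the sysreg definitions on the 6.18 branch must provide that symbol; please confirm it is present there before merging, since the only failure mode is a build break if the encoding was added upstream after 6.18 branched. With DebugVer >= V8P9 the three consumers listed in the message (nMDSELR_EL1 in HDFGRTR2_EL2/HDFGWTR2_EL2 and MDCR_EL2.EBWE) are now gated on the field the architecture actually ties them to.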



^ permalink raw reply	[flat|nested] 282+ messages in thread
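The two feature-detection fixes above (236, which makes FEAT_SPE_FnE read PMSIDR_EL1.FnE, and 237, which moves FEAT_Debugv8p9 from PMUVer to DebugVer) come down to decoding the right field of the right register. What follows is an added, self-contained C model written for this review; it is not code from the kernel or from these patches. It assumes the Arm ARM field positions listed in its header comment, constructs its own register values, and walks the two cases the commit messages describe (an Armv8.9 CPU without a PMU, and an SPEv1p2 CPU without FnE), where the old proxy checks give the wrong answer.

```c
/*
 * Added example, not kernel code: decoding the ID_AA64DFR0_EL1 and
 * PMSIDR_EL1 fields behind the two config.c fixes above.
 *
 * Field positions assumed from the Arm ARM (DDI0487):
 *   ID_AA64DFR0_EL1.DebugVer  bits [3:0]
 *   ID_AA64DFR0_EL1.PMUVer    bits [11:8]
 *   ID_AA64DFR0_EL1.PMSVer    bits [35:32]
 *   PMSIDR_EL1.FnE            bit 6
 * All register values below are constructed for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FIELD(reg, shift, width) (((reg) >> (shift)) & ((1ULL << (width)) - 1))

#define DFR0_DEBUGVER(r)  FIELD(r, 0, 4)
#define DFR0_PMUVER(r)    FIELD(r, 8, 4)
#define DFR0_PMSVER(r)    FIELD(r, 32, 4)
#define PMSIDR_FNE        (1ULL << 6)

/* Field encodings named in the commit messages above. */
#define DEBUGVER_V8P9  0xb   /* 0b1011 */
#define PMUVER_V3P9    0x9   /* 0b1001 */
#define PMSVER_IMP     0x1
#define PMSVER_V1P2    0x3

/* Constructed snapshot of one CPU's registers (not a hardware dump). */
struct dbg_regs {
    uint64_t id_aa64dfr0;
    uint64_t pmsidr;
};

struct dbg_regs make_regs(unsigned debugver, unsigned pmuver,
                          unsigned pmsver, bool fne)
{
    struct dbg_regs r;
    r.id_aa64dfr0 = (uint64_t)debugver | ((uint64_t)pmuver << 8) |
                    ((uint64_t)pmsver << 32);
    r.pmsidr = fne ? PMSIDR_FNE : 0;
    return r;
}

/* PMUVer 0xF means IMPLEMENTATION DEFINED, not a version: treat as 0. */
static unsigned pmuver_version(uint64_t dfr0)
{
    unsigned v = DFR0_PMUVER(dfr0);
    return v == 0xf ? 0 : v;
}

/* What the old FEAT_Debugv8p9 macro effectively tested. */
bool feat_debugv8p9_via_pmuver(const struct dbg_regs *r)
{
    return pmuver_version(r->id_aa64dfr0) >= PMUVER_V3P9;
}

/* Corrected test: DebugVer >= V8P9. */
bool feat_debugv8p9(const struct dbg_regs *r)
{
    return DFR0_DEBUGVER(r->id_aa64dfr0) >= DEBUGVER_V8P9;
}

/* Old FEAT_SPE_FnE proxy: PMSVer >= V1P2 and nothing else. */
bool feat_spe_fne_via_pmsver(const struct dbg_regs *r)
{
    return DFR0_PMSVER(r->id_aa64dfr0) >= PMSVER_V1P2;
}

/* Corrected: SPEv1p2 present AND PMSIDR_EL1.FnE actually set. */
bool feat_spe_fne(const struct dbg_regs *r)
{
    return DFR0_PMSVER(r->id_aa64dfr0) >= PMSVER_V1P2 &&
           (r->pmsidr & PMSIDR_FNE) != 0;
}

int main(void)
{
    /* Armv8.9 CPU without a PMU: DebugVer = 0b1011, PMUVer = 0. */
    struct dbg_regs no_pmu = make_regs(DEBUGVER_V8P9, 0, 0, false);
    /* SPEv1p2 CPU whose PMSIDR_EL1 reports FnE not implemented. */
    struct dbg_regs spe_no_fne = make_regs(0xa, PMUVER_V3P9, PMSVER_V1P2, false);

    printf("Debugv8p9 via PMUVer: %d, via DebugVer: %d\n",
           feat_debugv8p9_via_pmuver(&no_pmu), feat_debugv8p9(&no_pmu));
    printf("SPE_FnE via PMSVer: %d, via PMSIDR.FnE: %d\n",
           feat_spe_fne_via_pmsver(&spe_no_fne), feat_spe_fne(&spe_no_fne));
    return 0;
}
```

The model deliberately treats PMUVer 0xF as "no version", the same way the kernel's sanitised view does, so that an IMPLEMENTATION DEFINED PMU does not satisfy a ">= V3P9" comparison either.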

* [PATCH 6.18 238/270] KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 237/270] KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 239/270] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ben Simner, Will Deacon, Fuad Tabba,
	Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fuad Tabba <tabba@google.com>

commit 73b9c1e5da84cd69b1a86e374e450817cd051371 upstream.

Two bugs exist in the vCPU initialisation path:

1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup
   path jumps to 'unlock' without calling unpin_host_vcpu() or
   unpin_host_sve_state(), permanently leaking pin references on the
   host vCPU and SVE state pages.

   Extract a register_hyp_vcpu() helper that performs the checks and
   the store. When register_hyp_vcpu() returns an error, call
   unpin_host_vcpu() and unpin_host_sve_state() inline before falling
   through to the existing 'unlock' label.

2. register_hyp_vcpu() publishes the new vCPU pointer into
   'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller
   of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU
   object.

   Ensure the store uses smp_store_release() and the load uses
   smp_load_acquire(). While 'vm_table_lock' currently serialises the
   store and the load, these barriers ensure the reader sees the fully
   initialised 'hyp_vcpu' object even if there were a lockless path or
   if the lock's own ordering guarantees were insufficient for nested
   object initialization.

Fixes: 49af6ddb8e5c ("KVM: arm64: Add infrastructure to create and track pKVM instances at EL2")
Reported-by: Ben Simner <ben.simner@cl.cam.ac.uk>
Co-developed-by: Will Deacon <willdeacon@google.com>
Signed-off-by: Will Deacon <willdeacon@google.com>
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260424084908.370776-6-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/hyp/nvhe/pkvm.c |   38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)

--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -259,7 +259,8 @@ struct pkvm_hyp_vcpu *pkvm_load_hyp_vcpu
 	if (!hyp_vm || hyp_vm->kvm.created_vcpus <= vcpu_idx)
 		goto unlock;
 
-	hyp_vcpu = hyp_vm->vcpus[vcpu_idx];
+	/* Pairs with smp_store_release() in register_hyp_vcpu(). */
+	hyp_vcpu = smp_load_acquire(&hyp_vm->vcpus[vcpu_idx]);
 	if (!hyp_vcpu)
 		goto unlock;
 
@@ -801,12 +802,30 @@ err_unpin_kvm:
  *	     the page-aligned size of 'struct pkvm_hyp_vcpu'.
  * Return 0 on success, negative error code on failure.
  */
+static int register_hyp_vcpu(struct pkvm_hyp_vm *hyp_vm,
+			      struct pkvm_hyp_vcpu *hyp_vcpu)
+{
+	unsigned int idx = hyp_vcpu->vcpu.vcpu_idx;
+
+	if (idx >= hyp_vm->kvm.created_vcpus)
+		return -EINVAL;
+
+	if (hyp_vm->vcpus[idx])
+		return -EINVAL;
+
+	/*
+	 * Ensure the hyp_vcpu is initialised before publishing it to
+	 * the vCPU-load path via 'hyp_vm->vcpus[]'.
+	 */
+	smp_store_release(&hyp_vm->vcpus[idx], hyp_vcpu);
+	return 0;
+}
+
 int __pkvm_init_vcpu(pkvm_handle_t handle, struct kvm_vcpu *host_vcpu,
 		     unsigned long vcpu_hva)
 {
 	struct pkvm_hyp_vcpu *hyp_vcpu;
 	struct pkvm_hyp_vm *hyp_vm;
-	unsigned int idx;
 	int ret;
 
 	hyp_vcpu = map_donated_memory(vcpu_hva, sizeof(*hyp_vcpu));
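Review bot: register_hyp_vcpu() is inserted directly below the kernel-doc block whose tail is visible at the top of the hunk ("... the page-aligned size of 'struct pkvm_hyp_vcpu'. Return 0 on success, negative error code on failure."), so that comment now documents register_hyp_vcpu() instead of __pkvm_init_vcpu(), whose signature it describes. Move the helper above the kernel-doc block (or give it its own short comment) so the documentation stays attached to the function it was written for.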
@@ -825,18 +844,11 @@ int __pkvm_init_vcpu(pkvm_handle_t handl
 	if (ret)
 		goto unlock;
 
-	idx = hyp_vcpu->vcpu.vcpu_idx;
-	if (idx >= hyp_vm->kvm.created_vcpus) {
-		ret = -EINVAL;
-		goto unlock;
-	}
-
-	if (hyp_vm->vcpus[idx]) {
-		ret = -EINVAL;
-		goto unlock;
+	ret = register_hyp_vcpu(hyp_vm, hyp_vcpu);
+	if (ret) {
+		unpin_host_vcpu(host_vcpu);
+		unpin_host_sve_state(hyp_vcpu);
 	}
-
-	hyp_vm->vcpus[idx] = hyp_vcpu;
 unlock:
 	hyp_spin_unlock(&vm_table_lock);
 
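Review bot: the "if (ret) goto unlock;" at the top of the hunk still bypasses the two unpin calls, so this fix is only complete if the call that produces that ret runs before hyp_pin_shared_mem() succeeds (or fails without leaving anything pinned); please confirm that in the commit message or a comment, since the message describes the leak as "a check fails after hyp_pin_shared_mem() succeeds" and this is the one remaining early exit in the function. Also, unpinning in the reverse order of pinning (SVE state, then the vCPU page) would make the cleanup mirror the setup and is worth a look.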



^ permalink raw reply	[flat|nested] 282+ messages in thread
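Both defects fixed in 238, the pin refcount that leaks on a failed check and the vCPU pointer that is published with a plain store, are general patterns rather than pKVM specifics. The block below is an added user-space C model written for this review, not code from the kernel or from the patch; the names (pin_host_state, register_vcpu, load_vcpu, struct vm) are chosen for the example and the pin counts stand in for the host pages pKVM pins. It shows the leaky and the fixed error path side by side and publishes the pointer with a C11 release store paired with an acquire load, the same pairing the hunk uses via smp_store_release()/smp_load_acquire().

```c
/*
 * Added example, not kernel code: a pin leak on the error path and an
 * unordered publication, modelled in user space with C11 atomics.
 * All names below are for the example only and are not pKVM's.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_VCPUS 4

struct vcpu {
    unsigned int idx;
    int state_ready;   /* written during init; must be visible before publish */
};

struct vm {
    unsigned int created_vcpus;
    _Atomic(struct vcpu *) vcpus[MAX_VCPUS];
};

/* Models host-side pin refcounts on the donated vcpu and SVE pages. */
struct pins {
    int vcpu_refs;
    int sve_refs;
};

static void pin_host_state(struct pins *p)   { p->vcpu_refs++; p->sve_refs++; }
static void unpin_host_state(struct pins *p) { p->sve_refs--; p->vcpu_refs--; }

/* Checks plus publish, shaped like register_hyp_vcpu() in the hunk. */
static int register_vcpu(struct vm *vm, struct vcpu *v)
{
    unsigned int idx = v->idx;

    if (idx >= vm->created_vcpus)
        return -1;
    if (atomic_load_explicit(&vm->vcpus[idx], memory_order_relaxed))
        return -1;   /* slot already taken */

    /* Release: every store to *v above happens-before the pointer store. */
    atomic_store_explicit(&vm->vcpus[idx], v, memory_order_release);
    return 0;
}

/* Reader side: the acquire pairs with the release in register_vcpu(). */
struct vcpu *load_vcpu(struct vm *vm, unsigned int idx)
{
    if (idx >= vm->created_vcpus)
        return NULL;
    return atomic_load_explicit(&vm->vcpus[idx], memory_order_acquire);
}

/* Before the fix: a failed check returns with the pins still held. */
int init_vcpu_leaky(struct vm *vm, struct vcpu *v, struct pins *p)
{
    pin_host_state(p);
    v->state_ready = 1;
    return register_vcpu(vm, v);   /* error path forgets to unpin */
}

/* After the fix: drop the pins before returning the error. */
int init_vcpu_fixed(struct vm *vm, struct vcpu *v, struct pins *p)
{
    int ret;

    pin_host_state(p);
    v->state_ready = 1;
    ret = register_vcpu(vm, v);
    if (ret)
        unpin_host_state(p);
    return ret;
}

int main(void)
{
    struct vm vm = { .created_vcpus = 2 };
    struct pins p = { 0, 0 };
    struct vcpu bad = { .idx = 5 };   /* out of range: forces the error path */

    init_vcpu_leaky(&vm, &bad, &p);
    printf("leaky: refs after failure = %d/%d\n", p.vcpu_refs, p.sve_refs);
    p.vcpu_refs = p.sve_refs = 0;
    init_vcpu_fixed(&vm, &bad, &p);
    printf("fixed: refs after failure = %d/%d\n", p.vcpu_refs, p.sve_refs);
    return 0;
}
```

In the single-threaded model the ordering cannot be observed failing; the point of the release/acquire pair is that a reader on another CPU that sees a non-NULL pointer from load_vcpu() is guaranteed to also see state_ready == 1, which a plain store and load do not promise even when a lock happens to serialise them.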

* [PATCH 6.18 239/270] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 238/270] KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 240/270] LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Guan, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Guan <guanwentao@uniontech.com>

commit 8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e upstream.

The switch case in loongson_gpu_fixup_dma_hang() may match neither DC2 nor DC3, and
readl(crtc_reg) will then access a random address, because the "device" is
from "base+PCI_DEVICE_ID" and "base" is from "pdev->devfn+1". This is wrong
when my platform has a discrete GPU inserted:

lspci -tv
-[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller
...
           +-06.0  Loongson Technology LLC LG100 GPU
           +-06.2  Loongson Technology LLC Device 7a37
...

Add a default switch case to fix the panic as below:

 Kernel ade access[#1]:
 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4
 pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0
 a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002
 a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001
 t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000
 t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0
 t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8
 s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000
 s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000
    ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210
   ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210
  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
  PRMD: 00000004 (PPLV0 +PIE -PWE)
  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
 ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)
  BADV: 7fffffffffffff00
  PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)
 Modules linked in:
 Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))
 Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007
         0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff
         900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08
         0000000000000000 0000000000000000 0000000000000006 90000001002fb778
         90000001000530b8 90000000027af000 0000000000000000 9000000100054000
         9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001
         90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000
         0000000000000006 90000000027af000 0000000000000030 90000000027af000
         900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560
         7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030
         ...
 Call Trace:
 [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210
 [<9000000000eebc08>] pci_fixup_device+0x108/0x280
 [<9000000000ebb70c>] pci_setup_device+0x24c/0x690
 [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140
 [<9000000000ebc684>] pci_scan_slot+0xc4/0x280
 [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0
 [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420
 [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440
 [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0
 [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0
 [<90000000010e200c>] device_for_each_child+0x6c/0xe0
 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70
 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0
 [<90000000010e200c>] device_for_each_child+0x6c/0xe0
 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70
 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0
 [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280
 [<900000000189c028>] acpi_scan_init+0x194/0x310
 [<900000000189bc6c>] acpi_init+0xcc/0x140
 [<9000000000220cdc>] do_one_initcall+0x4c/0x310
 [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4
 [<900000000184326c>] kernel_init+0x28/0x13c
 [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4

Cc: stable@vger.kernel.org
Fixes: 95db0c9f526d ("LoongArch: Workaround LS2K/LS7A GPU DMA hang bug")
Link: https://gist.github.com/opsiff/ebf2dac51b4013d22462f2124c55f807
Link: https://gist.github.com/opsiff/a62f2a73db0492b3c49bf223a339b133
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/pci/pci.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/loongarch/pci/pci.c
+++ b/arch/loongarch/pci/pci.c
@@ -132,6 +132,9 @@ static void loongson_gpu_fixup_dma_hang(
 		crtc_reg = regbase;
 		crtc_offset = 0x400;
 		break;
+	default:
+		iounmap(regbase);
+		return;
 	}
 
 	for (i = 0; i < CRTC_NUM_MAX; i++, crtc_reg += crtc_offset) {
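Review bot: the default: arm stops the crash but leaves the root cause in place: the display-controller register base is still chosen by assuming pdev->devfn+1 is the DC, which the lspci output in the message shows is not true on a board with the LG100 at 06.0 and the 7a37 device at 06.2. A dev_warn() naming the unexpected device ID before the return would make the silently skipped workaround visible, and the early iounmap(regbase) should be checked against whatever the function's normal exit does after the loop so the two paths stay symmetric.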



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 240/270] LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 239/270] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 241/270] LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Qiang Ma, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qiang Ma <maqianga@uniontech.com>

commit b3e31a6650d4cab63f0814c37c0b360372c6ee9e upstream.

It doesn't make sense to return the recommended maximum number of vCPUs
which exceeds the maximum possible number of vCPUs.

Other architectures have already done this, such as commit 57a2e13ebdda
("KVM: MIPS: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS")

Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kvm/vm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/loongarch/kvm/vm.c
+++ b/arch/loongarch/kvm/vm.c
@@ -94,7 +94,7 @@ int kvm_vm_ioctl_check_extension(struct
 		r = 1;
 		break;
 	case KVM_CAP_NR_VCPUS:
-		r = num_online_cpus();
+		r = min_t(unsigned int, num_online_cpus(), KVM_MAX_VCPUS);
 		break;
 	case KVM_CAP_MAX_VCPUS:
 		r = KVM_MAX_VCPUS;



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 241/270] LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 240/270] LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 242/270] LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xianglai Li, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xianglai Li <lixianglai@loongson.cn>

commit b323a441da602dfdfc24f30d3190cac786ffebf2 upstream.

Insert the appropriate UNWIND hint into the kvm_exc_entry assembly
function to guide the generation of correct ORC table entries, thereby
solving the timeout problem ("unreliable stack") while loading the
livepatch-sample module on a physical machine running virtual machines
with multiple vcpus.

Cc: stable@vger.kernel.org
Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kvm/switch.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/loongarch/kvm/switch.S
+++ b/arch/loongarch/kvm/switch.S
@@ -111,7 +111,7 @@
 	.p2align PAGE_SHIFT
 	.cfi_sections	.debug_frame
 SYM_CODE_START(kvm_exc_entry)
-	UNWIND_HINT_UNDEFINED
+	UNWIND_HINT_END_OF_STACK
 	csrwr	a2,   KVM_TEMP_KS
 	csrrd	a2,   KVM_VCPU_KS
 	addi.d	a2,   a2, KVM_VCPU_ARCH



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 242/270] LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 241/270] LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 243/270] LoongArch: KVM: Move unconditional delay into timer clear scenery Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bibo Mao <maobibo@loongson.cn>

commit 2433f3f5724b3af569d9fb411ba728629524738b upstream.

With a passthrough HW timer, the timer interrupt is injected by HW. When an
emulated CPU interrupt such as SIP0/SIP1/IPI is injected by software, the HW
timer interrupt may be lost.

Here, check whether there is a timer tick value inversion before and after
injecting the emulated CPU interrupt by software; checking whether the timer
is enabled by reading the timer cfg register is skipped. If the timer tick
value is detected to have changed, then the timer must be enabled, and a
timer interrupt is injected by software if there is one.

Cc: <stable@vger.kernel.org>
Fixes: f45ad5b8aa93 ("LoongArch: KVM: Implement vcpu interrupt operations")
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kvm/interrupt.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/arch/loongarch/kvm/interrupt.c
+++ b/arch/loongarch/kvm/interrupt.c
@@ -26,6 +26,7 @@ static unsigned int priority_to_irq[EXCC
 static int kvm_irq_deliver(struct kvm_vcpu *vcpu, unsigned int priority)
 {
 	unsigned int irq = 0;
+	unsigned long old, new;
 
 	clear_bit(priority, &vcpu->arch.irq_pending);
 	if (priority < EXCCODE_INT_NUM)
@@ -36,7 +37,13 @@ static int kvm_irq_deliver(struct kvm_vc
 	case INT_IPI:
 	case INT_SWI0:
 	case INT_SWI1:
+		old = kvm_read_hw_gcsr(LOONGARCH_CSR_TVAL);
 		set_gcsr_estat(irq);
+		new = kvm_read_hw_gcsr(LOONGARCH_CSR_TVAL);
+
+		/* Inject TI if TVAL inverted */
+		if (new > old)
+			set_gcsr_estat(CPU_TIMER);
 		break;
 
 	case INT_HWI0 ... INT_HWI7:
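Review bot: the comment "Inject TI if TVAL inverted" states the test but not why it is correct; it should say that TVAL counts down, so a larger reading after set_gcsr_estat() than before means the counter passed zero (and reloaded) while the ESTAT update was in flight, which is the window in which the hardware-injected TI is lost. It is also worth noting in the same comment that this costs two extra CSR reads on every IPI/SWI injection, which is the trade the commit message implies by skipping the timer-cfg read.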
@@ -53,6 +60,7 @@ static int kvm_irq_deliver(struct kvm_vc
 static int kvm_irq_clear(struct kvm_vcpu *vcpu, unsigned int priority)
 {
 	unsigned int irq = 0;
+	unsigned long old, new;
 
 	clear_bit(priority, &vcpu->arch.irq_clear);
 	if (priority < EXCCODE_INT_NUM)
@@ -63,7 +71,13 @@ static int kvm_irq_clear(struct kvm_vcpu
 	case INT_IPI:
 	case INT_SWI0:
 	case INT_SWI1:
+		old = kvm_read_hw_gcsr(LOONGARCH_CSR_TVAL);
 		clear_gcsr_estat(irq);
+		new = kvm_read_hw_gcsr(LOONGARCH_CSR_TVAL);
+
+		/* Inject TI if TVAL inverted */
+		if (new > old)
+			set_gcsr_estat(CPU_TIMER);
 		break;
 
 	case INT_HWI0 ... INT_HWI7:
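Review bot: the old/new TVAL sampling and the "if (new > old) set_gcsr_estat(CPU_TIMER);" block are now copy-pasted between kvm_irq_deliver() and kvm_irq_clear(), differing only in the set_gcsr_estat()/clear_gcsr_estat() call in the middle. A small static helper (a hypothetical kvm_check_timer_inversion(), say) taking the ESTAT operation, or wrapping both call sites, would keep the two copies from drifting apart the next time the test is refined.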



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 243/270] LoongArch: KVM: Move unconditional delay into timer clear scenery
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 242/270] LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 244/270] LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bibo Mao <maobibo@loongson.cn>

commit 5a873d77ba792410a796595a917be6a440f9b7d2 upstream.

When the timer interrupt arrives in the guest kernel, the guest kernel clears
the timer interrupt and programs the timer with the next incoming event.

During this stage, the timer tick is -1 and the timer interrupt status is
disabled in the ESTAT register. The KVM hypervisor needs to write zero to the
timer tick register and wait for timer interrupt injection from the HW side,
and then clear the timer interrupt.

So there is a 2-cycle delay in the KVM hypervisor to emulate such a scenario,
and the delay is unnecessary if there is no need to clear the timer
interrupt.

Here, move the 2-cycle delay into the timer clear scenario and add timer
ESTAT checking after the delay, and set the max timer expire value if the
timer interrupt still does not arrive.

Cc: stable@vger.kernel.org
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kvm/timer.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/arch/loongarch/kvm/timer.c
+++ b/arch/loongarch/kvm/timer.c
@@ -96,15 +96,21 @@ void kvm_restore_timer(struct kvm_vcpu *
 		 * and set CSR TVAL with -1
 		 */
 		write_gcsr_timertick(0);
-		__delay(2); /* Wait cycles until timer interrupt injected */
 
 		/*
 		 * Writing CSR_TINTCLR_TI to LOONGARCH_CSR_TINTCLR will clear
 		 * timer interrupt, and CSR TVAL keeps unchanged with -1, it
 		 * avoids spurious timer interrupt
 		 */
-		if (!(estat & CPU_TIMER))
+		if (!(estat & CPU_TIMER)) {
+			__delay(2); /* Wait cycles until timer interrupt injected */
+
+			/* Write TVAL with max value if no TI shot */
+			estat = kvm_read_hw_gcsr(LOONGARCH_CSR_ESTAT);
+			if (!(estat & CPU_TIMER))
+				write_gcsr_timertick(CSR_TCFG_VAL);
 			gcsr_write(CSR_TINTCLR_TI, LOONGARCH_CSR_TINTCLR);
+		}
 		return;
 	}
 
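Review bot: the retry path writes CSR_TCFG_VAL to the timer tick when TI has still not arrived after __delay(2), but nothing says why that is the right recovery; a comment should state that pushing the expiry out is what prevents the pending expiry from firing after the TINTCLR below and showing up as the spurious interrupt the surrounding comment warns about. The magic 2 in __delay(2) deserves the same treatment (where the figure comes from, and what happens if the hardware needs more), and reusing estat for the re-read is fine but a fresh local would make the two reads easier to tell apart.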



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 244/270] LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 243/270] LoongArch: KVM: Move unconditional delay into timer clear scenery Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 245/270] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Tao Cui, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tao Cui <cuitao@kylinos.cn>

commit 81e18777d61440511451866c7c80b34a8bdd6b33 upstream.

kvm_flush_pte() is the only caller that directly assigns *pte instead
of using the kvm_set_pte() wrapper. Use the wrapper for consistency with
the rest of the file.

No functional change intended.

Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kvm/mmu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/loongarch/kvm/mmu.c
+++ b/arch/loongarch/kvm/mmu.c
@@ -95,7 +95,7 @@ static int kvm_flush_pte(kvm_pte_t *pte,
 	else
 		kvm->stat.pages--;
 
-	*pte = ctx->invalid_entry;
+	kvm_set_pte(pte, ctx->invalid_entry);
 
 	return 1;
 }



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 245/270] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 244/270] LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 246/270] io_uring/kbuf: support min length left for incremental buffers Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Li, Dongyan Qian, Huacai Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhuacai@loongson.cn>

commit 49f33840dcc907d21313d369e34872880846b61c upstream.

When firmware enables 64-bit PCI host bridge support, some root bridges
already provide valid 64-bit mem resource windows through ACPI.

In this case, the LoongArch-specific mem resource high-bits fixup in
acpi_prepare_root_resources() should not be applied unconditionally.
Otherwise, the kernel may override the native resource layout derived
from firmware, and later BAR assignment can fail to place device BARs
into the intended 64-bit address space correctly.

Add a per-root-bridge ACPI flag, PCIH, and evaluate it from the current
root bridge device scope. When PCIH is set, skip the mem resource high-
bits fixup path and let the kernel use the firmware-provided resource
description directly. When PCIH is absent or cleared, keep the existing
behavior and continue filling the high address bits from the host bridge
address.

This makes the behavior per-root-bridge configurable and avoids breaking
valid 64-bit BAR space allocation on bridges whose 64-bit windows have
already been fully described by firmware.

Cc: stable@vger.kernel.org
Suggested-by: Chao Li <lichao@loongson.cn>
Tested-by: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/pci/acpi.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/loongarch/pci/acpi.c
+++ b/arch/loongarch/pci/acpi.c
@@ -61,11 +61,16 @@ static void acpi_release_root_info(struc
 static int acpi_prepare_root_resources(struct acpi_pci_root_info *ci)
 {
 	int status;
+	unsigned long long pci_h = 0;
 	struct resource_entry *entry, *tmp;
 	struct acpi_device *device = ci->bridge;
 
 	status = acpi_pci_probe_root_resources(ci);
 	if (status > 0) {
+		acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h);
+		if (pci_h)
+			return status;
+
 		resource_list_for_each_entry_safe(entry, tmp, &ci->resources) {
 			if (entry->res->flags & IORESOURCE_MEM) {
 				entry->offset = ci->root->mcfg_addr & GENMASK_ULL(63, 40);
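Review bot: the return value of acpi_evaluate_integer() at `acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h);` is discarded, which is only safe because `pci_h` is initialised to 0 a few lines above; a one-line comment stating that a missing or failing PCIH evaluation deliberately falls back to the existing fixup would stop a later reader from "fixing" the ignored status. The early `return status` leaves the whole resource loop untouched for PCIH bridges, which matches what the commit message asks for.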




* [PATCH 6.18 246/270] io_uring/kbuf: support min length left for incremental buffers
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 245/270] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 247/270] io_uring/tw: serialize ctx->retry_llist with ->uring_lock Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Martin Michaelis,
	Gabriel Krisman Bertazi, Jens Axboe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Michaelis <code@mgjm.de>

Commit 7deba791ad495ce1d7921683f4f7d1190fa210d1 upstream.

Incrementally consumed buffer rings are generally fully consumed, but
it's quite possible that the application has a minimum size it needs to
meet to avoid truncation. Currently that minimum limit is 1 byte, but
this should be a setting that is in the hands of the application. For
recvmsg multishot, a prime use case for incrementally consumed buffers,
the application may get spurious -EFAULT returned at the end of an
incrementally consumed buffer, as less space is available than the
headers need.

Grab a u32 field in struct io_uring_buf_reg, which the application can
use to inform the kernel of the minimum size that should be available
in an incrementally consumed buffer. If less than that is available,
the current buffer is fully processed and the next one will be picked.

Cc: stable@vger.kernel.org
Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
Link: https://github.com/axboe/liburing/issues/1433
Signed-off-by: Martin Michaelis <code@mgjm.de>
[axboe: write commit message, change io_buffer_list member name]
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/io_uring.h |    3 ++-
 io_uring/kbuf.c               |   12 +++++++++---
 io_uring/kbuf.h               |    7 +++++++
 3 files changed, 18 insertions(+), 4 deletions(-)

--- a/include/uapi/linux/io_uring.h
+++ b/include/uapi/linux/io_uring.h
@@ -864,7 +864,8 @@ struct io_uring_buf_reg {
 	__u32	ring_entries;
 	__u16	bgid;
 	__u16	flags;
-	__u64	resv[3];
+	__u32	min_left;
+	__u32	resv[5];
 };
 
 /* argument for IORING_REGISTER_PBUF_STATUS */
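Review bot: the uAPI layout is preserved (`__u64 resv[3]` is 24 bytes, `__u32 min_left` plus `__u32 resv[5]` is also 24), so existing callers that zero the reserved area get `min_left == 0` and the old one-byte behaviour; the hunk does not show whether io_register_pbuf_ring() rejects a non-zero `resv[]`, which is worth confirming now that the first reserved word carries meaning and older kernels would have treated it as reserved.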
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -47,9 +47,9 @@ static bool io_kbuf_inc_commit(struct io
 		this_len = min_t(u32, len, buf_len);
 		buf_len -= this_len;
 		/* Stop looping for invalid buffer length of 0 */
-		if (buf_len || !this_len) {
-			buf->addr = READ_ONCE(buf->addr) + this_len;
-			buf->len = buf_len;
+		if (buf_len > bl->min_left_sub_one || !this_len) {
+			WRITE_ONCE(buf->addr, READ_ONCE(buf->addr) + this_len);
+			WRITE_ONCE(buf->len, buf_len);
 			return false;
 		}
 		buf->len = 0;
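Review bot: `buf_len > bl->min_left_sub_one` relies on `min_left_sub_one` staying 0 for rings registered without `min_left`, which makes it identical to the old `buf_len` truthiness test; since the field holds `min_left - 1`, a comment at this line saying that `> min_left_sub_one` is `>= min_left` written so that 0 needs no special case would save readers the arithmetic. The move to WRITE_ONCE() on `buf->addr` and `buf->len` pairs correctly with the existing READ_ONCE() on a ring that user space can observe concurrently.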
@@ -637,6 +637,10 @@ int io_register_pbuf_ring(struct io_ring
 	if (reg.ring_entries >= 65536)
 		return -EINVAL;
 
+	/* minimum left byte count is a property of incremental buffers */
+	if (!(reg.flags & IOU_PBUF_RING_INC) && reg.min_left)
+		return -EINVAL;
+
 	bl = io_buffer_get_list(ctx, reg.bgid);
 	if (bl) {
 		/* if mapped buffer ring OR classic exists, don't allow */
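Review bot: rejecting `min_left` on non-incremental rings is right, but there is no upper bound on `reg.min_left`: a value larger than every buffer in the ring means each buffer is retired after a single use, silently degrading to non-incremental behaviour. The kernel cannot know the buffer sizes at registration time, so this should at least be documented next to the check.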
@@ -684,6 +688,8 @@ int io_register_pbuf_ring(struct io_ring
 	bl->mask = reg.ring_entries - 1;
 	bl->flags |= IOBL_BUF_RING;
 	bl->buf_ring = br;
+	if (reg.min_left)
+		bl->min_left_sub_one = reg.min_left - 1;
 	if (reg.flags & IOU_PBUF_RING_INC)
 		bl->flags |= IOBL_INC;
 	ret = io_buffer_add_list(ctx, bl, reg.bgid);
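Review bot: the `if (reg.min_left)` guard is what prevents `reg.min_left - 1` from underflowing to U32_MAX for the default of 0 and leaves the field at its zeroed value; a short comment naming that as the reason would help, because the unguarded subtraction looks like an obvious simplification.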
--- a/io_uring/kbuf.h
+++ b/io_uring/kbuf.h
@@ -34,6 +34,13 @@ struct io_buffer_list {
 
 	__u16 flags;
 
+	/*
+	 * minimum required amount to be left to reuse an incrementally
+	 * consumed buffer. If less than this is left at consumption time,
+	 * buffer is done and head is incremented to the next buffer.
+	 */
+	__u32 min_left_sub_one;
+
 	struct io_mapped_region region;
 };
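Review bot: the comment describes `min_left_sub_one` as the "minimum required amount to be left", but the field stores that minimum minus one (it is set from `reg.min_left - 1` in kbuf.c), so it should state the off-by-one encoding and that 0 means the original one-byte minimum.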
 



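The decision the kbuf.c hunk changes can be exercised outside the kernel. The following is an added example, not code from the patch or from io_uring: a user-space model of one io_kbuf_inc_commit() step that uses the same `min_left - 1` encoding and the same `buf_len > min_left_sub_one || !this_len` test, so the spurious-truncation case from the commit message (a one-byte tail handed to a recvmsg that needs header space) can be observed directly. All struct and function names are the example's own.

```c
/*
 * Added example, not kernel code: a user-space model of the io_kbuf_inc_commit()
 * decision for one incrementally consumed buffer. Names are the example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of one entry in a provided buffer ring. */
struct model_buf {
	uint64_t addr;
	uint32_t len;
};

/* Per-ring setting, stored as (min_left - 1) exactly like the kernel field. */
struct model_ring {
	uint32_t min_left_sub_one;
};

/* Mirrors the registration-time encoding: a min_left of 0 keeps the 1-byte default. */
static void model_ring_init(struct model_ring *r, uint32_t min_left)
{
	r->min_left_sub_one = min_left ? min_left - 1 : 0;
}

/*
 * Consume `len` bytes from `buf`. Returns true when the buffer is finished and
 * the ring head should advance, false when the remainder is kept for reuse.
 */
static bool model_inc_commit(const struct model_ring *r, struct model_buf *buf, uint32_t len)
{
	uint32_t this_len = len < buf->len ? len : buf->len;
	uint32_t buf_len = buf->len - this_len;

	/* Same test as the patch: keep the buffer only if at least min_left bytes
	 * remain (written as > min_left - 1), or stop on an invalid 0-length buffer. */
	if (buf_len > r->min_left_sub_one || !this_len) {
		buf->addr += this_len;
		buf->len = buf_len;
		return false;
	}
	buf->len = 0;
	return true;
}

/* Commit-message scenario: is the tail left after `used` bytes handed out again? */
static bool tail_is_recycled(uint32_t min_left, uint32_t buf_len, uint32_t used)
{
	struct model_ring ring;
	struct model_buf buf = { .addr = 0x1000, .len = buf_len };

	model_ring_init(&ring, min_left);
	return !model_inc_commit(&ring, &buf, used);
}

/* Bookkeeping check: bytes left in the buffer after one commit. */
static uint32_t left_after(uint32_t min_left, uint32_t buf_len, uint32_t used)
{
	struct model_ring ring;
	struct model_buf buf = { .addr = 0x1000, .len = buf_len };

	model_ring_init(&ring, min_left);
	model_inc_commit(&ring, &buf, used);
	return buf.len;
}

int main(void)
{
	printf("min_left=0,  1-byte tail recycled: %d\n", tail_is_recycled(0, 4096, 4095));
	printf("min_left=64, 1-byte tail recycled: %d\n", tail_is_recycled(64, 4096, 4095));
	printf("min_left=64, 64-byte tail recycled: %d\n", tail_is_recycled(64, 4096, 4032));
	printf("min_left=64, 63-byte tail recycled: %d\n", tail_is_recycled(64, 4096, 4033));
	return 0;
}
```

With `min_left` at its default the one-byte tail is recycled, which is the case that produced -EFAULT for recvmsg; with `min_left` set to 64 the same tail retires the buffer and the next one is picked, while a 64-byte tail is still recycled because the comparison is inclusive.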

* [PATCH 6.18 247/270] io_uring/tw: serialize ctx->retry_llist with ->uring_lock
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 246/270] io_uring/kbuf: support min length left for incremental buffers Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 248/270] bpf: Fix use-after-free in arena_vm_close on fork Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

Commit 17666e2d7592c3e85260cafd3950121524acc2c5 upstream.

The DEFER_TASKRUN local task work paths all run under ctx->uring_lock,
which serializes them with each other and with the rest of the ring's
hot paths. io_move_task_work_from_local() is the exception - it's called
from io_ring_exit_work() on a kworker without holding the lock and from
the iopoll cancelation side right after dropping it.

->work_llist is fine with this, as it's only ever updated via the
expected paths. But the ->retry_llist is updated while running, and hence
it could potentially race between normal task_work running and the
task-has-exited shutdown path.

Simply grab ->uring_lock while moving the local work to the fallback
list for exit purposes, which nicely serializes it across both the
normal additions and the exit prune path.

Cc: stable@vger.kernel.org
Fixes: f46b9cdb22f7 ("io_uring: limit local tw done")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/io_uring.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1370,8 +1370,18 @@ void io_req_task_work_add_remote(struct
 
 static void __cold io_move_task_work_from_local(struct io_ring_ctx *ctx)
 {
-	struct llist_node *node = llist_del_all(&ctx->work_llist);
+	struct llist_node *node;
 
+	/*
+	 * Running the work items may utilize ->retry_llist as a means
+	 * for capping the number of task_work entries run at the same
+	 * time. But that list can potentially race with moving the work
+	 * from here, if the task is exiting. As any normal task_work
+	 * running holds ->uring_lock already, just guard this slow path
+	 * with ->uring_lock to avoid racing on ->retry_llist.
+	 */
+	guard(mutex)(&ctx->uring_lock);
+	node = llist_del_all(&ctx->work_llist);
 	__io_fallback_tw(node, false);
 	node = llist_del_all(&ctx->retry_llist);
 	__io_fallback_tw(node, false);
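Review bot: `guard(mutex)(&ctx->uring_lock)` holds the lock for the remainder of the function, covering both `__io_fallback_tw(node, false)` calls, so this relies on __io_fallback_tw() never taking ->uring_lock itself; that invariant is not visible in the hunk and deserves a sentence in the new comment. The commit message says one caller invokes this right after dropping the lock, so re-taking it here is an unlock/lock sequence rather than a recursive acquisition, which is fine.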




* [PATCH 6.18 248/270] bpf: Fix use-after-free in arena_vm_close on fork
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 247/270] io_uring/tw: serialize ctx->retry_llist with ->uring_lock Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 249/270] mm/damon/core: disallow non-power of two min_region_sz on damon_start() Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
	Emil Tsalapatis, Alexei Starovoitov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexei Starovoitov <ast@kernel.org>

commit 4fddde2a732de60bb97e3307d4eb69ac5f1d2b74 upstream.

arena_vm_open() only bumps vml->mmap_count but never registers the
child VMA in arena->vma_list. The vml->vma always points at the
parent VMA, so after parent munmap the pointer dangles. If the child
then calls bpf_arena_free_pages(), zap_pages() reads the stale
vml->vma triggering use-after-free.

Fix this by preventing the arena VMA from being inherited across
fork with VM_DONTCOPY, and preventing VMA splits via the may_split
callback.

Also reject mremap with a .mremap callback returning -EINVAL. A
same-size mremap(MREMAP_FIXED) on the full arena VMA reaches
copy_vma() through the following path:

  check_prep_vma()       - returns 0 early: new_len == old_len
                           skips VM_DONTEXPAND check
  prep_move_vma()        - vm_start == old_addr and
                           vm_end == old_addr + old_len
                           so may_split is never called
  move_vma()
    copy_vma_and_data()
      copy_vma()
        vm_area_dup()    - copies vm_private_data (vml pointer)
        vm_ops->open()   - bumps vml->mmap_count
      vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA

The refcount ensures the rollback's arena_vm_close does not free
the vml shared with the original VMA.

Reported-by: Weiming Shi <bestswngs@gmail.com>
Reported-by: Xiang Mei <xmei5@asu.edu>
Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260413194245.21449-1-alexei.starovoitov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/arena.c |   19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -246,6 +246,16 @@ static void arena_vm_open(struct vm_area
 	refcount_inc(&vml->mmap_count);
 }
 
+static int arena_vm_may_split(struct vm_area_struct *vma, unsigned long addr)
+{
+	return -EINVAL;
+}
+
+static int arena_vm_mremap(struct vm_area_struct *vma)
+{
+	return -EINVAL;
+}
+
 static void arena_vm_close(struct vm_area_struct *vma)
 {
 	struct bpf_map *map = vma->vm_file->private_data;
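Review bot: both new callbacks return -EINVAL unconditionally, and the commit message explains why may_split alone is not enough (a same-size MREMAP_FIXED never reaches it); a brief comment on arena_vm_mremap() pointing at that path would keep someone from relaxing it later. Unused `vma`/`addr` parameters are normal for vm_operations_struct callbacks.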
@@ -307,6 +317,8 @@ out:
 
 static const struct vm_operations_struct arena_vm_ops = {
 	.open		= arena_vm_open,
+	.may_split	= arena_vm_may_split,
+	.mremap		= arena_vm_mremap,
 	.close		= arena_vm_close,
 	.fault          = arena_vm_fault,
 };
@@ -376,10 +388,11 @@ static int arena_map_mmap(struct bpf_map
 	arena->user_vm_end = vma->vm_end;
 	/*
 	 * bpf_map_mmap() checks that it's being mmaped as VM_SHARED and
-	 * clears VM_MAYEXEC. Set VM_DONTEXPAND as well to avoid
-	 * potential change of user_vm_start.
+	 * clears VM_MAYEXEC. Set VM_DONTEXPAND to avoid potential change
+	 * of user_vm_start. Set VM_DONTCOPY to prevent arena VMA from
+	 * being copied into the child process on fork.
 	 */
-	vm_flags_set(vma, VM_DONTEXPAND);
+	vm_flags_set(vma, VM_DONTEXPAND | VM_DONTCOPY);
 	vma->vm_ops = &arena_vm_ops;
 	return 0;
 }
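Review bot: VM_DONTCOPY is a user-visible change as well as a fix: a forked child no longer has the arena mapping at all, so an access at that address faults instead of reaching the inherited (and previously dangling) VMA. That is the intended outcome, but it merits a line in the commit message or bpf_arena documentation for users that fork.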




* [PATCH 6.18 249/270] mm/damon/core: disallow non-power of two min_region_sz on damon_start()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 248/270] bpf: Fix use-after-free in arena_vm_close on fork Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 250/270] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 95093e5cb4c5b50a5b1a4b79f2942b62744bd66a upstream.

Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced
a bug that allows unaligned DAMON region address ranges.  Commit
c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
fixed it, but only for damon_commit_ctx() use case.  Still, DAMON sysfs
interface can emit non-power of two min_region_sz via damon_start().  Fix
the path by adding the is_power_of_2() check on damon_start().

The issue was discovered by sashiko [1].

Link: https://lore.kernel.org/20260411213638.77768-1-sj@kernel.org
Link: https://lore.kernel.org/20260403155530.64647-1-sj@kernel.org [1]
Fixes: d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.18.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/core.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1352,6 +1352,11 @@ int damon_start(struct damon_ctx **ctxs,
 	int i;
 	int err = 0;
 
+	for (i = 0; i < nr_ctxs; i++) {
+		if (!is_power_of_2(ctxs[i]->min_sz_region))
+			return -EINVAL;
+	}
+
 	mutex_lock(&damon_lock);
 	if ((exclusive && nr_running_ctxs) ||
 			(!exclusive && running_exclusive_ctxs)) {
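Review bot: the validation loop runs before `mutex_lock(&damon_lock)`, which is fine since `ctxs[]` is caller-owned until start succeeds; note that is_power_of_2(0) is false, so a zero `min_sz_region` is rejected here too, consistent with the aim of keeping region addresses aligned.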




* [PATCH 6.18 250/270] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 249/270] mm/damon/core: disallow non-power of two min_region_sz on damon_start() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 251/270] dma-mapping: add __dma_from_device_group_begin()/end() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
	linux-fbdev, dri-devel, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

[ Upstream commit 9ded47ad003f09a94b6a710b5c47f4aa5ceb7429 ]

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an
instance as part of initializing deferred I/O and remove it only after
the final mapping has been closed. If the fb_info and the contained
deferred I/O meanwhile go away, clear struct fb_deferred_io_state.info
to invalidate the mapping. Any access will then result in a SIGBUS
signal.

Fixes a long-standing problem, where a device hot-unplug happens while
user space still has an active mapping of the graphics memory. The hot-
unplug frees the instance of struct fb_info. Accessing the memory will
operate on undefined state.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support")
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v2.6.22+
Signed-off-by: Helge Deller <deller@gmx.de>
[ replaced kzalloc_obj(*fbdefio_state) with kzalloc(sizeof(*fbdefio_state), GFP_KERNEL) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fb_defio.c |  178 ++++++++++++++++++++++++++++--------
 include/linux/fb.h                  |    4 
 2 files changed, 145 insertions(+), 37 deletions(-)

--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -24,6 +24,75 @@
 #include <linux/rmap.h>
 #include <linux/pagemap.h>
 
+/*
+ * struct fb_deferred_io_state
+ */
+
+struct fb_deferred_io_state {
+	struct kref ref;
+
+	struct mutex lock; /* mutex that protects the pageref list */
+	/* fields protected by lock */
+	struct fb_info *info;
+};
+
+static struct fb_deferred_io_state *fb_deferred_io_state_alloc(void)
+{
+	struct fb_deferred_io_state *fbdefio_state;
+
+	fbdefio_state = kzalloc(sizeof(*fbdefio_state), GFP_KERNEL);
+	if (!fbdefio_state)
+		return NULL;
+
+	kref_init(&fbdefio_state->ref);
+	mutex_init(&fbdefio_state->lock);
+
+	return fbdefio_state;
+}
+
+static void fb_deferred_io_state_release(struct fb_deferred_io_state *fbdefio_state)
+{
+	mutex_destroy(&fbdefio_state->lock);
+
+	kfree(fbdefio_state);
+}
+
+static void fb_deferred_io_state_get(struct fb_deferred_io_state *fbdefio_state)
+{
+	kref_get(&fbdefio_state->ref);
+}
+
+static void __fb_deferred_io_state_release(struct kref *ref)
+{
+	struct fb_deferred_io_state *fbdefio_state =
+		container_of(ref, struct fb_deferred_io_state, ref);
+
+	fb_deferred_io_state_release(fbdefio_state);
+}
+
+static void fb_deferred_io_state_put(struct fb_deferred_io_state *fbdefio_state)
+{
+	kref_put(&fbdefio_state->ref, __fb_deferred_io_state_release);
+}
+
+/*
+ * struct vm_operations_struct
+ */
+
+static void fb_deferred_io_vm_open(struct vm_area_struct *vma)
+{
+	struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+	fb_deferred_io_state_get(fbdefio_state);
+}
+
+static void fb_deferred_io_vm_close(struct vm_area_struct *vma)
+{
+	struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+	fb_deferred_io_state_put(fbdefio_state);
+}
+
 static struct page *fb_deferred_io_get_page(struct fb_info *info, unsigned long offs)
 {
 	struct fb_deferred_io *fbdefio = info->fbdefio;
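Review bot: the comment `/* mutex that protects the pageref list */` was carried over from struct fb_deferred_io, but in struct fb_deferred_io_state the lock also guards `info`, which is the field the fault handlers actually test; the comment should say both. fb_deferred_io_vm_open()/close() only take and drop a reference, so a VMA duplicated by fork keeps the state alive after the device is gone, which is the point of the change.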
@@ -121,25 +190,46 @@ static void fb_deferred_io_pageref_put(s
 /* this is to find and return the vmalloc-ed fb pages */
 static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
 {
+	struct fb_info *info;
 	unsigned long offset;
 	struct page *page;
-	struct fb_info *info = vmf->vma->vm_private_data;
+	vm_fault_t ret;
+	struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
+
+	mutex_lock(&fbdefio_state->lock);
+
+	info = fbdefio_state->info;
+	if (!info) {
+		ret = VM_FAULT_SIGBUS; /* our device is gone */
+		goto err_mutex_unlock;
+	}
 
 	offset = vmf->pgoff << PAGE_SHIFT;
-	if (offset >= info->fix.smem_len)
-		return VM_FAULT_SIGBUS;
+	if (offset >= info->fix.smem_len) {
+		ret = VM_FAULT_SIGBUS;
+		goto err_mutex_unlock;
+	}
 
 	page = fb_deferred_io_get_page(info, offset);
-	if (!page)
-		return VM_FAULT_SIGBUS;
+	if (!page) {
+		ret = VM_FAULT_SIGBUS;
+		goto err_mutex_unlock;
+	}
 
 	if (!vmf->vma->vm_file)
 		fb_err(info, "no mapping available\n");
 
 	BUG_ON(!info->fbdefio->mapping);
 
+	mutex_unlock(&fbdefio_state->lock);
+
 	vmf->page = page;
+
 	return 0;
+
+err_mutex_unlock:
+	mutex_unlock(&fbdefio_state->lock);
+	return ret;
 }
 
 int fb_deferred_io_fsync(struct file *file, loff_t start, loff_t end, int datasync)
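Review bot: the lock is released at `mutex_unlock(&fbdefio_state->lock);` before `vmf->page = page;` is handed back to the fault core, so if fb_deferred_io_cleanup() runs in that window the page obtained from fb_deferred_io_get_page(info, offset) is installed after `info` has been invalidated; please confirm what keeps that page valid across the unlock, or state the assumption in a comment.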
@@ -166,15 +256,24 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_fsync);
  * Adds a page to the dirty list. Call this from struct
  * vm_operations_struct.page_mkwrite.
  */
-static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long offset,
-					    struct page *page)
+static vm_fault_t fb_deferred_io_track_page(struct fb_deferred_io_state *fbdefio_state,
+					    unsigned long offset, struct page *page)
 {
-	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_info *info;
+	struct fb_deferred_io *fbdefio;
 	struct fb_deferred_io_pageref *pageref;
 	vm_fault_t ret;
 
 	/* protect against the workqueue changing the page list */
-	mutex_lock(&fbdefio->lock);
+	mutex_lock(&fbdefio_state->lock);
+
+	info = fbdefio_state->info;
+	if (!info) {
+		ret = VM_FAULT_SIGBUS; /* our device is gone */
+		goto err_mutex_unlock;
+	}
+
+	fbdefio = info->fbdefio;
 
 	pageref = fb_deferred_io_pageref_get(info, offset, page);
 	if (WARN_ON_ONCE(!pageref)) {
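Review bot: the comment `/* protect against the workqueue changing the page list */` above `mutex_lock(&fbdefio_state->lock);` no longer describes the whole critical section, which now also validates `info`; update it so the SIGBUS return on `!info` reads as intended rather than incidental.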
@@ -192,50 +291,38 @@ static vm_fault_t fb_deferred_io_track_p
 	 */
 	lock_page(pageref->page);
 
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 
 	/* come back after delay to process the deferred IO */
 	schedule_delayed_work(&info->deferred_work, fbdefio->delay);
 	return VM_FAULT_LOCKED;
 
 err_mutex_unlock:
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 	return ret;
 }
 
-/*
- * fb_deferred_io_page_mkwrite - Mark a page as written for deferred I/O
- * @fb_info: The fbdev info structure
- * @vmf: The VM fault
- *
- * This is a callback we get when userspace first tries to
- * write to the page. We schedule a workqueue. That workqueue
- * will eventually mkclean the touched pages and execute the
- * deferred framebuffer IO. Then if userspace touches a page
- * again, we repeat the same scheme.
- *
- * Returns:
- * VM_FAULT_LOCKED on success, or a VM_FAULT error otherwise.
- */
-static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
+static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_deferred_io_state *fbdefio_state,
+					      struct vm_fault *vmf)
 {
 	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
 	struct page *page = vmf->page;
 
 	file_update_time(vmf->vma->vm_file);
 
-	return fb_deferred_io_track_page(info, offset, page);
+	return fb_deferred_io_track_page(fbdefio_state, offset, page);
 }
 
-/* vm_ops->page_mkwrite handler */
 static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
 {
-	struct fb_info *info = vmf->vma->vm_private_data;
+	struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
 
-	return fb_deferred_io_page_mkwrite(info, vmf);
+	return fb_deferred_io_page_mkwrite(fbdefio_state, vmf);
 }
 
 static const struct vm_operations_struct fb_deferred_io_vm_ops = {
+	.open		= fb_deferred_io_vm_open,
+	.close		= fb_deferred_io_vm_close,
 	.fault		= fb_deferred_io_fault,
 	.page_mkwrite	= fb_deferred_io_mkwrite,
 };
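Review bot: `schedule_delayed_work(&info->deferred_work, fbdefio->delay);` runs after `mutex_unlock(&fbdefio_state->lock);`, so `info` and `fbdefio` are dereferenced outside the lock that is meant to make them safe; if fb_deferred_io_cleanup() clears `fbdefio_state->info` in that window, work is queued on an fb_info that may be going away. Either schedule inside the locked region or explain what serialises this. The kernel-doc block for fb_deferred_io_page_mkwrite() is deleted rather than updated; keeping it with the new parameter would be preferable.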
@@ -252,7 +339,10 @@ int fb_deferred_io_mmap(struct fb_info *
 	vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP);
 	if (!(info->flags & FBINFO_VIRTFB))
 		vm_flags_set(vma, VM_IO);
-	vma->vm_private_data = info;
+	vma->vm_private_data = info->fbdefio_state;
+
+	fb_deferred_io_state_get(info->fbdefio_state); /* released in vma->vm_ops->close() */
+
 	return 0;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_mmap);
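Review bot: `vma->vm_private_data = info->fbdefio_state;` and the following fb_deferred_io_state_get() dereference `info->fbdefio_state` without a NULL check, so an mmap on an fb_info whose fb_deferred_io_init() failed or was never called would crash; returning an error when it is NULL is cheap. The "released in vma->vm_ops->close()" comment is useful; adding that open() takes a further reference for duplicated VMAs would complete it.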
@@ -263,9 +353,10 @@ static void fb_deferred_io_work(struct w
 	struct fb_info *info = container_of(work, struct fb_info, deferred_work.work);
 	struct fb_deferred_io_pageref *pageref, *next;
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
 
 	/* here we wrprotect the page's mappings, then do all deferred IO. */
-	mutex_lock(&fbdefio->lock);
+	mutex_lock(&fbdefio_state->lock);
 #ifdef CONFIG_MMU
 	list_for_each_entry(pageref, &fbdefio->pagereflist, list) {
 		struct page *page = pageref->page;
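Review bot: fb_deferred_io_work() reads `info->fbdefio_state` and locks it, so the delayed work must be cancelled before fb_deferred_io_cleanup() drops the device's reference; that ordering is not visible in this patch (presumably it lives in fb_deferred_io_lastclose()), and a comment here would make the dependency explicit.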
@@ -283,12 +374,13 @@ static void fb_deferred_io_work(struct w
 	list_for_each_entry_safe(pageref, next, &fbdefio->pagereflist, list)
 		fb_deferred_io_pageref_put(pageref, info);
 
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 }
 
 int fb_deferred_io_init(struct fb_info *info)
 {
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state;
 	struct fb_deferred_io_pageref *pagerefs;
 	unsigned long npagerefs;
 	int ret;
@@ -298,7 +390,11 @@ int fb_deferred_io_init(struct fb_info *
 	if (WARN_ON(!info->fix.smem_len))
 		return -EINVAL;
 
-	mutex_init(&fbdefio->lock);
+	fbdefio_state = fb_deferred_io_state_alloc();
+	if (!fbdefio_state)
+		return -ENOMEM;
+	fbdefio_state->info = info;
+
 	INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
 	INIT_LIST_HEAD(&fbdefio->pagereflist);
 	if (fbdefio->delay == 0) /* set a default of 1 s */
@@ -315,10 +411,12 @@ int fb_deferred_io_init(struct fb_info *
 	info->npagerefs = npagerefs;
 	info->pagerefs = pagerefs;
 
+	info->fbdefio_state = fbdefio_state;
+
 	return 0;
 
 err:
-	mutex_destroy(&fbdefio->lock);
+	fb_deferred_io_state_release(fbdefio_state);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_init);
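Review bot: using fb_deferred_io_state_release() rather than fb_deferred_io_state_put() on the `err:` path is correct only because nothing else has taken a reference yet (`info->fbdefio_state` is assigned just before the `return 0`); a comment saying so would stop the asymmetry with cleanup from being read as a leak or a double free.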
@@ -352,11 +450,19 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_release
 void fb_deferred_io_cleanup(struct fb_info *info)
 {
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
 
 	fb_deferred_io_lastclose(info);
 
+	info->fbdefio_state = NULL;
+
+	mutex_lock(&fbdefio_state->lock);
+	fbdefio_state->info = NULL;
+	mutex_unlock(&fbdefio_state->lock);
+
+	fb_deferred_io_state_put(fbdefio_state);
+
 	kvfree(info->pagerefs);
-	mutex_destroy(&fbdefio->lock);
 	fbdefio->mapping = NULL;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
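Review bot: `info->fbdefio_state = NULL;` is stored before the lock is taken, while fb_deferred_io_mmap() and fb_deferred_io_work() read that field without it; if either can run concurrently with cleanup, the read races with this store and produces a NULL dereference instead of the intended SIGBUS. Clearing `fbdefio_state->info` under the lock is what protects existing mappings; the unlocked pointer store needs its own justification (for instance that the fb_info lock or the cancelled work guarantees exclusion), stated in a comment.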
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -217,13 +217,14 @@ struct fb_deferred_io {
 	unsigned long delay;
 	bool sort_pagereflist; /* sort pagelist by offset */
 	int open_count; /* number of opened files; protected by fb_info lock */
-	struct mutex lock; /* mutex that protects the pageref list */
 	struct list_head pagereflist; /* list of pagerefs for touched pages */
 	struct address_space *mapping; /* page cache object for fb device */
 	/* callback */
 	struct page *(*get_page)(struct fb_info *info, unsigned long offset);
 	void (*deferred_io)(struct fb_info *info, struct list_head *pagelist);
 };
+
+struct fb_deferred_io_state;
 #endif
 
 /*
@@ -490,6 +491,7 @@ struct fb_info {
 	unsigned long npagerefs;
 	struct fb_deferred_io_pageref *pagerefs;
 	struct fb_deferred_io *fbdefio;
+	struct fb_deferred_io_state *fbdefio_state;
 #endif
 
 	const struct fb_ops *fbops;



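The lifetime split this patch introduces (a refcounted state object that outlives the fb_info it points at, with the back-pointer cleared under a lock) is a general pattern. The following is an added example written for this page, not fbdev or kernel code: a user-space model in which each mapping pins the state rather than the device, removal invalidates the back-pointer, and later accesses get a SIGBUS-style error instead of touching freed memory. The spinlock built on `atomic_flag` stands in for the mutex, and every struct and function name is the example's own.

```c
/* Added example, not kernel code: user-space model of the defio lifetime split.
 * A refcounted state outlives the device it points to; mappings pin the state,
 * removal clears the back-pointer under the lock, faults afterwards fail cleanly. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct device_info {            /* stands in for struct fb_info */
	unsigned char *mem;
	size_t mem_len;
};

struct defio_state {            /* stands in for struct fb_deferred_io_state */
	int ref;                    /* kref replacement, protected by lock */
	atomic_flag lock;           /* spinlock standing in for the mutex */
	struct device_info *info;   /* NULL once the device is gone */
};

static void state_lock(struct defio_state *s)   { while (atomic_flag_test_and_set(&s->lock)) ; }
static void state_unlock(struct defio_state *s) { atomic_flag_clear(&s->lock); }

static struct defio_state *state_alloc(struct device_info *info)
{
	struct defio_state *s = calloc(1, sizeof(*s));

	if (!s)
		return NULL;
	s->ref = 1;                 /* the device's own reference */
	atomic_flag_clear(&s->lock);
	s->info = info;
	return s;
}

/* vm_ops->open() / mmap(): a mapping pins the state, never the device. */
static void state_get(struct defio_state *s)
{
	state_lock(s);
	s->ref++;
	state_unlock(s);
}

/* vm_ops->close(): returns true when this put freed the state. */
static bool state_put(struct defio_state *s)
{
	bool last;

	state_lock(s);
	last = (--s->ref == 0);
	state_unlock(s);
	if (last)
		free(s);
	return last;
}

/* Fault path: 0 on success, -1 (the SIGBUS case) when the device is gone or
 * the offset is out of range; the device is only dereferenced under the lock. */
static int mapping_fault(struct defio_state *s, size_t off, unsigned char *out)
{
	int ret = -1;

	state_lock(s);
	if (s->info && off < s->info->mem_len) {
		*out = s->info->mem[off];
		ret = 0;
	}
	state_unlock(s);
	return ret;
}

/* Device removal: clear the back-pointer under the lock, free the device
 * memory, drop the device's reference. Returns true if the state was freed. */
static bool device_remove(struct device_info *info, struct defio_state *s)
{
	state_lock(s);
	s->info = NULL;
	state_unlock(s);
	free(info->mem);
	info->mem = NULL;
	return state_put(s);
}

/* Scenario: hot-unplug while one mapping is still open. 0 means every step behaved. */
static int run_unplug_scenario(void)
{
	struct device_info info = { .mem = calloc(16, 1), .mem_len = 16 };
	struct defio_state *s = state_alloc(&info);
	unsigned char byte = 0;

	if (!info.mem || !s)
		return -1;
	info.mem[3] = 0x5a;
	state_get(s);                         /* user space maps the framebuffer */
	if (mapping_fault(s, 3, &byte) != 0 || byte != 0x5a)
		return 1;                         /* live device must be readable */
	if (device_remove(&info, s))
		return 2;                         /* the mapping still pins the state */
	if (mapping_fault(s, 3, &byte) == 0)
		return 3;                         /* after unplug the fault must fail */
	if (!state_put(s))
		return 4;                         /* munmap: last reference frees the state */
	return 0;
}
```

The ordering in `device_remove()` is the one the patch relies on: the back-pointer is cleared under the lock before the device memory is freed, so a fault that races with removal either sees the device and completes under the lock or sees NULL and fails, never a freed pointer.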

* [PATCH 6.18 251/270] dma-mapping: add __dma_from_device_group_begin()/end()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 250/270] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 252/270] hwmon: (powerz) Avoid cacheline sharing for DMA buffer Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Petr Tesarik,
	Michael S. Tsirkin, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Michael S. Tsirkin" <mst@redhat.com>

[ Upstream commit ca085faabb42c31ee204235facc5a430cb9e78a9 ]

When a structure contains a buffer that DMA writes to alongside fields
that the CPU writes to, cache line sharing between the DMA buffer and
CPU-written fields can cause data corruption on non-cache-coherent
platforms.

Add __dma_from_device_group_begin()/end() annotations to ensure proper
alignment to prevent this:

struct my_device {
	spinlock_t lock1;
	__dma_from_device_group_begin();
	char dma_buffer1[16];
	char dma_buffer2[16];
	__dma_from_device_group_end();
	spinlock_t lock2;
};

Message-ID: <19163086d5e4704c316f18f6da06bc1c72968904.1767601130.git.mst@redhat.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Petr Tesarik <ptesarik@suse.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Stable-dep-of: 3023c050af36 ("hwmon: (powerz) Avoid cacheline sharing for DMA buffer")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/dma-mapping.h |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -7,6 +7,7 @@
 #include <linux/dma-direction.h>
 #include <linux/scatterlist.h>
 #include <linux/bug.h>
+#include <linux/cache.h>
 
 /**
  * List of possible attributes associated with a DMA mapping. The semantics
@@ -710,6 +711,18 @@ static inline int dma_get_cache_alignmen
 }
 #endif
 
+#ifdef ARCH_HAS_DMA_MINALIGN
+#define ____dma_from_device_aligned __aligned(ARCH_DMA_MINALIGN)
+#else
+#define ____dma_from_device_aligned
+#endif
+/* Mark start of DMA buffer */
+#define __dma_from_device_group_begin(GROUP)			\
+	__cacheline_group_begin(GROUP) ____dma_from_device_aligned
+/* Mark end of DMA buffer */
+#define __dma_from_device_group_end(GROUP)			\
+	__cacheline_group_end(GROUP) ____dma_from_device_aligned
+
 static inline void *dmam_alloc_coherent(struct device *dev, size_t size,
 		dma_addr_t *dma_handle, gfp_t gfp)
 {
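Review bot: the macros take a GROUP argument, but the commit message example and the powerz user invoke them with an empty argument list; that is valid in C99/GNU C, but either the parameter should go or the `/* Mark start of DMA buffer */` comments should show the intended usage. It is also worth saying in those comments that `__dma_from_device_group_end` is what keeps the field following the buffer out of the buffer's last cacheline, so both markers are needed for the guarantee, and that without ARCH_HAS_DMA_MINALIGN the alignment attribute is empty and only the group markers remain.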



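The layout effect of the begin/end markers can be checked with plain `offsetof()`. The following is an added example for this page, not kernel code: a user-space comparison of a device struct in which a DMA-written buffer is followed directly by a CPU-owned word, against the same struct with zero-length, cacheline-aligned marker members in the style of `__dma_from_device_group_begin()`/`end()`. `DMA_MINALIGN`, the struct names and the helper are this example's assumptions, with 128 chosen as a worst-case cacheline size.

```c
/*
 * Added example, not kernel code: shows how zero-length aligned markers keep a
 * CPU-written field out of the cacheline that DMA writes into.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define DMA_MINALIGN 128   /* assumed worst-case cacheline size */

/* A lock word placed right behind the buffer shares its last cacheline. */
struct dev_unsafe {
	char dma_buffer[64];
	int lock_word;
};

/* Zero-sized, aligned markers push lock_word to the next cacheline. */
struct dev_safe {
	char dma_begin[0] __attribute__((aligned(DMA_MINALIGN)));
	char dma_buffer[64];
	char dma_end[0] __attribute__((aligned(DMA_MINALIGN)));
	int lock_word;
};

/* True if byte ranges [a, a+alen) and [b, b+blen) touch a common cacheline. */
static bool share_cacheline(size_t a, size_t alen, size_t b, size_t blen, size_t line)
{
	size_t a_first = a / line, a_last = (a + alen - 1) / line;
	size_t b_first = b / line, b_last = (b + blen - 1) / line;

	return a_first <= b_last && b_first <= a_last;
}

static bool unsafe_layout_shares(void)
{
	return share_cacheline(offsetof(struct dev_unsafe, dma_buffer), 64,
			       offsetof(struct dev_unsafe, lock_word), sizeof(int),
			       DMA_MINALIGN);
}

static bool safe_layout_shares(void)
{
	return share_cacheline(offsetof(struct dev_safe, dma_buffer), 64,
			       offsetof(struct dev_safe, lock_word), sizeof(int),
			       DMA_MINALIGN);
}

static size_t safe_lock_offset(void)
{
	return offsetof(struct dev_safe, lock_word);
}

int main(void)
{
	printf("unsafe: lock_word at %zu, shares cacheline with buffer: %d\n",
	       offsetof(struct dev_unsafe, lock_word), unsafe_layout_shares());
	printf("safe:   lock_word at %zu, shares cacheline with buffer: %d\n",
	       safe_lock_offset(), safe_layout_shares());
	return 0;
}
```

The end marker is the one doing the work for the field that follows: its alignment forces `lock_word` to start at the next `DMA_MINALIGN` boundary, so a cache writeback of the lock word can no longer overwrite bytes that the device delivered into `dma_buffer`.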

* [PATCH 6.18 252/270] hwmon: (powerz) Avoid cacheline sharing for DMA buffer
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2026-05-12 17:40 ` [PATCH 6.18 251/270] dma-mapping: add __dma_from_device_group_begin()/end() Greg Kroah-Hartman
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
  2026-05-12 17:40 ` [PATCH 6.18 253/270] octeon_ep_vf: add NULL check for napi_build_skb() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Guenter Roeck,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Weißschuh <linux@weissschuh.net>

[ Upstream commit 3023c050af3600bf451153335dea5e073c9a3088 ]

Depending on the architecture the transfer buffer may share a cacheline
with the following mutex. As the buffer may be used for DMA, that is
problematic.

Use the high-level DMA helpers to make sure that cacheline sharing can
not happen.

Also drop the comment, as the helpers are documentation enough.

https://sashiko.dev/#/message/20260408175814.934BFC19421%40smtp.kernel.org

Fixes: 4381a36abdf1c ("hwmon: add POWER-Z driver")
Cc: stable@vger.kernel.org # ca085faabb42: dma-mapping: add __dma_from_device_group_begin()/end()
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/20260408-powerz-cacheline-alias-v1-1-1254891be0dd@weissschuh.net
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/powerz.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/hwmon/powerz.c
+++ b/drivers/hwmon/powerz.c
@@ -6,6 +6,7 @@
 
 #include <linux/completion.h>
 #include <linux/device.h>
+#include <linux/dma-mapping.h>
 #include <linux/hwmon.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
@@ -33,7 +34,9 @@ struct powerz_sensor_data {
 } __packed;
 
 struct powerz_priv {
-	char transfer_buffer[64];	/* first member to satisfy DMA alignment */
+	__dma_from_device_group_begin();
+	char transfer_buffer[64];
+	__dma_from_device_group_end();
 	struct mutex mutex;
 	struct completion completion;
 	struct urb *urb;
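Review bot: the dropped comment was the only statement that transfer_buffer had to be the first member for DMA alignment; now that the __dma_from_device_group_begin()/end() markers carry that requirement, a short comment naming what is being protected (the mutex, completion and urb that could otherwise share the buffer's cacheline and be clobbered by a DMA writeback) would keep the intent visible to the next reader. This hunk also only builds with the helpers from ca085faabb42 named in the Cc: line, so its ordering after that dma-mapping patch in this series matters.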



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 253/270] octeon_ep_vf: add NULL check for napi_build_skb()
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

[ Upstream commit dd66b42854705e4e4ee7f14d260f86c578bed3e3 ]

napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a NULL
check in both the single-buffer and multi-fragment paths, leading to a
NULL pointer dereference.

Add NULL checks after both napi_build_skb() calls, properly advancing
descriptors and consuming remaining fragments on failure.

Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260409184009.930359-3-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ inlined missing octep_vf_oq_next_idx() helper as read_idx++ with wraparound ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c |   36 +++++++++++++++-
 1 file changed, 34 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
@@ -409,10 +409,17 @@ static int __octep_vf_oq_process_rx(stru
 			data_offset = OCTEP_VF_OQ_RESP_HW_SIZE;
 			rx_ol_flags = 0;
 		}
-		rx_bytes += buff_info->len;
-
 		if (buff_info->len <= oq->max_single_buffer_size) {
 			skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+			if (!skb) {
+				oq->stats->alloc_failures++;
+				desc_used++;
+				read_idx++;
+				if (read_idx == oq->max_count)
+					read_idx = 0;
+				continue;
+			}
+			rx_bytes += buff_info->len;
 			skb_reserve(skb, data_offset);
 			skb_put(skb, buff_info->len);
 			read_idx++;
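Review bot: in the new `if (!skb)` branch the descriptor is consumed (desc_used++, read_idx advanced with wraparound) but nothing releases or clears the page behind resp_hw, so unless the refill path frees or reuses that slot on its own, every napi_build_skb() failure leaks one page; a put_page() or an explicit buff_info->page = NULL with a comment on who owns the page would settle that. Moving `rx_bytes += buff_info->len` below the check is right, since a frame that was never turned into an skb should not be counted as received.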
@@ -424,6 +431,31 @@ static int __octep_vf_oq_process_rx(stru
 			u16 data_len;
 
 			skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+			if (!skb) {
+				oq->stats->alloc_failures++;
+				desc_used++;
+				read_idx++;
+				if (read_idx == oq->max_count)
+					read_idx = 0;
+				data_len = buff_info->len - oq->max_single_buffer_size;
+				while (data_len) {
+					dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr,
+						       PAGE_SIZE, DMA_FROM_DEVICE);
+					buff_info = (struct octep_vf_rx_buffer *)
+						    &oq->buff_info[read_idx];
+					buff_info->page = NULL;
+					if (data_len < oq->buffer_size)
+						data_len = 0;
+					else
+						data_len -= oq->buffer_size;
+					desc_used++;
+					read_idx++;
+					if (read_idx == oq->max_count)
+						read_idx = 0;
+				}
+				continue;
+			}
+			rx_bytes += buff_info->len;
 			skb_reserve(skb, data_offset);
 			/* Head fragment includes response header(s);
 			 * subsequent fragments contains only data.
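Review bot: the fragment-consume loop in the failure branch dma_unmap_page()s each trailing buffer and clears buff_info->page, but never put_page()s them, and the head page (resp_hw) is not touched at all, so a failed multi-fragment frame can leak a full frame's worth of pages unless the refill logic frees NULL-marked slots; please confirm which side owns those pages. The read_idx increment-and-wrap is now open-coded four times in this function (the backport note says the upstream helper was inlined); a small local helper would remove the duplication and make the two failure paths easier to keep in sync with the success paths.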



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 254/270] mmc: core: Adjust MDT beyond 2025
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Avri Altman, Shawn Lin, Ulf Hansson,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Avri Altman <avri.altman@sandisk.com>

[ Upstream commit 3e487a634bc019166e452ea276f7522710eda9f4 ]

JEDEC JESD84-B51B, which was released in September 2025, increases the
manufacturing year limit for eMMC devices. The eMMC manufacturing year
is stored in a 4-bit field in the CID register. Originally, it covered
1997–2012. Later, with EXT_CSD_REV=8, it was extended up to 2025. Now,
with EXT_CSD_REV=9, the range is rolled over by another 16 years, up to
2038.

The mapping is as follows:
cid[8..11] | rev ≤ 4 | 8 ≥ rev > 4 | rev > 8
---------------------------------------------
0          | 1997    | 2013        | 2029
1          | 1998    | 2014        | 2030
2          | 1999    | 2015        | 2031
3          | 2000    | 2016        | 2032
4          | 2001    | 2017        | 2033
5          | 2002    | 2018        | 2034
6          | 2003    | 2019        | 2035
7          | 2004    | 2020        | 2036
8          | 2005    | 2021        | 2037
9          | 2006    | 2022        | 2038
10         | 2007    | 2023        |
11         | 2008    | 2024        |
12         | 2009    | 2025        |
13         | 2010    |             | 2026
14         | 2011    |             | 2027
15         | 2012    |             | 2028

Signed-off-by: Avri Altman <avri.altman@sandisk.com>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: d6bf2e64dec8 ("mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/mmc.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -671,7 +671,14 @@ static int mmc_decode_ext_csd(struct mmc
 		card->ext_csd.enhanced_rpmb_supported =
 					(card->ext_csd.rel_param &
 					 EXT_CSD_WR_REL_PARAM_EN_RPMB_REL_WR);
+
+		if (card->ext_csd.rev >= 9) {
+			/* Adjust production date as per JEDEC JESD84-B51B September 2025 */
+			if (card->cid.year < 2023)
+				card->cid.year += 16;
+		}
 	}
+
 out:
 	return err;
 }
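Review bot: the `card->cid.year < 2023` test shifts 2013..2022 (codes 0..9) to 2029..2038 and 2010..2012 (codes 13..15) to 2026..2028, while codes 10..12, which the earlier rev > 4 adjustment has already placed at 2023..2025, are left alone; that matches the filled cells of the table in the description, but the table leaves those three cells blank, so the comment should state that codes 10..12 are deliberately not rolled over rather than leaving a reader to guess whether the blank cells mean "undefined".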



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 255/270] mmc: core: Add quirk for incorrect manufacturing date
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Avri Altman, Ulf Hansson,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Avri Altman <avri.altman@sandisk.com>

[ Upstream commit 263ff314cc5602599d481b0912a381555fcbad28 ]

Some eMMC vendors need to report manufacturing dates beyond 2025 but are
reluctant to update the EXT_CSD revision from 8 to 9. Updating the
EXT_CSD revision may involve additional testing or
qualification steps with customers. To ease this transition and avoid a
full re-qualification process, a workaround is needed. This
patch introduces a temporary quirk that re-purposes the year codes
corresponding to 2010, 2011, and 2012 to represent the years 2026, 2027,
and 2028, respectively. This solution is only valid for this three-year
period.

After 2028, vendors must update their firmware to set EXT_CSD_REV=9 to
continue reporting the correct manufacturing date in compliance with the
JEDEC standard.

The `MMC_QUIRK_BROKEN_MDT` is introduced and enabled for all Sandisk
devices to handle this behavior.

Signed-off-by: Avri Altman <avri.altman@sandisk.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: d6bf2e64dec8 ("mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/card.h   |    6 ++++++
 drivers/mmc/core/mmc.c    |    5 +++++
 drivers/mmc/core/quirks.h |    3 +++
 include/linux/mmc/card.h  |    1 +
 4 files changed, 15 insertions(+)

--- a/drivers/mmc/core/card.h
+++ b/drivers/mmc/core/card.h
@@ -89,6 +89,7 @@ struct mmc_fixup {
 #define CID_MANFID_MICRON       0x13
 #define CID_MANFID_SAMSUNG      0x15
 #define CID_MANFID_APACER       0x27
+#define CID_MANFID_SANDISK_MMC  0x45
 #define CID_MANFID_SWISSBIT     0x5D
 #define CID_MANFID_KINGSTON     0x70
 #define CID_MANFID_HYNIX	0x90
@@ -305,4 +306,9 @@ static inline int mmc_card_no_uhs_ddr50_
 	return c->quirks & MMC_QUIRK_NO_UHS_DDR50_TUNING;
 }
 
+static inline int mmc_card_broken_mdt(const struct mmc_card *c)
+{
+	return c->quirks & MMC_QUIRK_BROKEN_MDT;
+}
+
 #endif
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -676,6 +676,11 @@ static int mmc_decode_ext_csd(struct mmc
 			/* Adjust production date as per JEDEC JESD84-B51B September 2025 */
 			if (card->cid.year < 2023)
 				card->cid.year += 16;
+		} else {
+			/* Handle vendors with broken MDT reporting */
+			if (mmc_card_broken_mdt(card) && card->cid.year >= 2010 &&
+			    card->cid.year <= 2012)
+				card->cid.year += 16;
 		}
 	}
 
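Review bot: the quirk only applies in the else branch, i.e. for EXT_CSD_REV < 9, which is right because a rev 9 card gets the JESD84-B51B rollover instead; but the comment "Handle vendors with broken MDT reporting" does not say that 2010..2012 are the year codes 13..15 that the rev > 4 adjustment leaves untouched, nor that the quirk is meant to be retired after 2028 as the description states. Spelling both out at the code site would make the later cleanup findable.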
--- a/drivers/mmc/core/quirks.h
+++ b/drivers/mmc/core/quirks.h
@@ -170,6 +170,9 @@ static const struct mmc_fixup __maybe_un
 	MMC_FIXUP_EXT_CSD_REV(CID_NAME_ANY, CID_MANFID_NUMONYX,
 			      0x014e, add_quirk, MMC_QUIRK_BROKEN_HPI, 6),
 
+	MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_MMC, CID_OEMID_ANY, add_quirk_mmc,
+		  MMC_QUIRK_BROKEN_MDT),
+
 	END_FIXUP
 };
 
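Review bot: MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_MMC, CID_OEMID_ANY, ...) tags every SanDisk eMMC, so a part genuinely manufactured in 2010..2012 that still reports EXT_CSD_REV <= 8 will now show 2026..2028; the description accepts that trade-off for a three-year window, so a comment above the entry stating the window and the removal condition (vendors moving to EXT_CSD_REV=9) would help, and the match could be narrowed by OEM id if the affected parts are known.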
--- a/include/linux/mmc/card.h
+++ b/include/linux/mmc/card.h
@@ -330,6 +330,7 @@ struct mmc_card {
 #define MMC_QUIRK_BROKEN_CACHE_FLUSH	(1<<16)	/* Don't flush cache until the write has occurred */
 #define MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY	(1<<17) /* Disable broken SD poweroff notify support */
 #define MMC_QUIRK_NO_UHS_DDR50_TUNING	(1<<18) /* Disable DDR50 tuning */
+#define MMC_QUIRK_BROKEN_MDT    (1<<19) /* Wrong manufacturing year */
 
 	bool			written_flag;	/* Indicates eMMC has been written since power on */
 	bool			reenable_cmdq;	/* Re-enable Command Queue */
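Review bot: the new `#define MMC_QUIRK_BROKEN_MDT    (1<<19)` pads with spaces before the value where the neighbouring MMC_QUIRK_* defines use a tab; match the surrounding lines (the (1<<20) entry added in the next patch of this series already uses a tab).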



^ permalink raw reply	[flat|nested] 282+ messages in thread
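The two mmc patches above (254, the EXT_CSD_REV >= 9 rollover, and 255, the MMC_QUIRK_BROKEN_MDT quirk) give the year decode only as a table plus two conditionals. What follows is an added stand-alone model written for this review, not kernel code: `mmc_cid_year()` is a constructed function that applies the 1997 base year, the rev > 4 shift (assumed here to be the pre-existing mmc_decode_ext_csd() behaviour that yields the middle column of the table), the rev >= 9 shift from patch 254 and the quirk from patch 255, and `mmc_cid_year_table_ok()` checks it against the table from the description of patch 254.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the kernel's eMMC manufacturing-year decode.
 * code        : the 4-bit year field, CID[11:8]
 * ext_csd_rev : EXT_CSD_REV reported by the device
 * broken_mdt  : MMC_QUIRK_BROKEN_MDT is set for this card
 */
static unsigned int mmc_cid_year(unsigned int code, unsigned int ext_csd_rev,
				 bool broken_mdt)
{
	unsigned int year = 1997 + (code & 0xf);	/* base year, JESD84 */

	/*
	 * Assumed pre-existing behaviour (JESD84-B451): for rev > 4 the
	 * codes for 1997..2009 mean 2013..2025, while codes 13..15 stay
	 * at 2010..2012.
	 */
	if (ext_csd_rev > 4 && year < 2010)
		year += 16;

	if (ext_csd_rev >= 9) {
		/* Patch 254: JESD84-B51B rolls 2010..2022 over by 16 years */
		if (year < 2023)
			year += 16;
	} else if (broken_mdt && year >= 2010 && year <= 2012) {
		/* Patch 255: vendors reusing the 2010..2012 codes for 2026..2028 */
		year += 16;
	}
	return year;
}

/*
 * The three columns of the table in patch 254's description
 * (rev <= 4, 4 < rev <= 8, rev > 8); 0 marks a cell the table leaves blank.
 */
static const unsigned int mdt_table[16][3] = {
	{1997, 2013, 2029}, {1998, 2014, 2030}, {1999, 2015, 2031},
	{2000, 2016, 2032}, {2001, 2017, 2033}, {2002, 2018, 2034},
	{2003, 2019, 2035}, {2004, 2020, 2036}, {2005, 2021, 2037},
	{2006, 2022, 2038}, {2007, 2023, 0},    {2008, 2024, 0},
	{2009, 2025, 0},    {2010, 0, 2026},    {2011, 0, 2027},
	{2012, 0, 2028},
};

/* True when the decoder reproduces every filled cell of the table. */
static bool mmc_cid_year_table_ok(void)
{
	static const unsigned int revs[3] = {4, 8, 9};
	unsigned int code;
	int col;

	for (code = 0; code < 16; code++)
		for (col = 0; col < 3; col++)
			if (mdt_table[code][col] &&
			    mmc_cid_year(code, revs[col], false) != mdt_table[code][col])
				return false;
	return true;
}

int main(void)
{
	unsigned int code;

	printf("code | rev<=4 | 4<rev<=8 | rev>8 | rev<=8 + BROKEN_MDT\n");
	for (code = 0; code < 16; code++)
		printf("%4u | %6u | %8u | %5u | %u\n", code,
		       mmc_cid_year(code, 4, false), mmc_cid_year(code, 8, false),
		       mmc_cid_year(code, 9, false), mmc_cid_year(code, 8, true));
	return mmc_cid_year_table_ok() ? 0 : 1;
}
```

The last column shows why the quirk is only a three-year stopgap: codes 13..15 are the only ones it can repurpose, and a rev 9 card reaches the same 2026..2028 without it.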

* [PATCH 6.18 256/270] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luke Wang, Ulf Hansson, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luke Wang <ziniu.wang_1@nxp.com>

[ Upstream commit d6bf2e64dec87322f2b11565ddb59c0e967f96e3 ]

Kingston eMMC IY2964 and IB2932 take a fixed ~2 seconds for each secure
erase/trim operation regardless of size - that is, a single secure
erase/trim operation of 1MB takes the same time as 1GB. With default
calculated 3.5MB max discard size, secure erase 1GB requires ~300 separate
operations taking ~10 minutes total.

Add a card quirk, MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME, to set maximum
secure erase size for those devices. This allows 1GB secure erase to
complete in a single operation, reducing time from 10 minutes to just 2
seconds.

Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/card.h   |    5 +++++
 drivers/mmc/core/queue.c  |    9 +++++++--
 drivers/mmc/core/quirks.h |    9 +++++++++
 include/linux/mmc/card.h  |    1 +
 4 files changed, 22 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/card.h
+++ b/drivers/mmc/core/card.h
@@ -311,4 +311,9 @@ static inline int mmc_card_broken_mdt(co
 	return c->quirks & MMC_QUIRK_BROKEN_MDT;
 }
 
+static inline int mmc_card_fixed_secure_erase_trim_time(const struct mmc_card *c)
+{
+	return c->quirks & MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME;
+}
+
 #endif
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -184,8 +184,13 @@ static void mmc_queue_setup_discard(stru
 		return;
 
 	lim->max_hw_discard_sectors = max_discard;
-	if (mmc_card_can_secure_erase_trim(card))
-		lim->max_secure_erase_sectors = max_discard;
+	if (mmc_card_can_secure_erase_trim(card)) {
+		if (mmc_card_fixed_secure_erase_trim_time(card))
+			lim->max_secure_erase_sectors = UINT_MAX >> card->erase_shift;
+		else
+			lim->max_secure_erase_sectors = max_discard;
+	}
+
 	if (mmc_card_can_trim(card) && card->erased_byte == 0)
 		lim->max_write_zeroes_sectors = max_discard;
 
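Review bot: `UINT_MAX >> card->erase_shift` replaces the host-timeout-derived max_discard with an effectively unlimited secure-erase size, so the busy-timeout bound that the normal max_discard calculation enforces no longer applies to these cards; the description justifies that with the fixed ~2 s erase time, but the code carries no hint of why, nor of why the value is shifted by erase_shift rather than derived from the card's capacity. A comment at the assignment stating both would save the next reader from re-deriving it.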
--- a/drivers/mmc/core/quirks.h
+++ b/drivers/mmc/core/quirks.h
@@ -153,6 +153,15 @@ static const struct mmc_fixup __maybe_un
 	MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
 		  MMC_QUIRK_TRIM_BROKEN),
 
+	/*
+	 * On Some Kingston eMMCs, secure erase/trim time is independent
+	 * of erase size, fixed at approximately 2 seconds.
+	 */
+	MMC_FIXUP("IY2964", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+		  MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME),
+	MMC_FIXUP("IB2932", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+		  MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME),
+
 	END_FIXUP
 };
 
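Review bot: "On Some Kingston eMMCs" in the new comment should read "On some Kingston eMMCs". Otherwise the two entries mirror the existing M62704 TRIM_BROKEN entry above (same CID_MANFID_KINGSTON and OEM id 0x0100), so the matching is consistent with the rest of the table.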
--- a/include/linux/mmc/card.h
+++ b/include/linux/mmc/card.h
@@ -331,6 +331,7 @@ struct mmc_card {
 #define MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY	(1<<17) /* Disable broken SD poweroff notify support */
 #define MMC_QUIRK_NO_UHS_DDR50_TUNING	(1<<18) /* Disable DDR50 tuning */
 #define MMC_QUIRK_BROKEN_MDT    (1<<19) /* Wrong manufacturing year */
+#define MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME	(1<<20) /* Secure erase/trim time is fixed regardless of size */
 
 	bool			written_flag;	/* Indicates eMMC has been written since power on */
 	bool			reenable_cmdq;	/* Re-enable Command Queue */



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 257/270] crypto: qat - fix indentation of macros in qat_hal.c
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Suman Kumar Chakraborty,
	Giovanni Cabiddu, Herbert Xu, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>

[ Upstream commit 4963b39e3a3feed07fbf4d5cc2b5df8498888285 ]

The macros in qat_hal.c were using a mixture of tabs and spaces.
Update all macro indentation to use tabs consistently, matching the
predominant style.

This does not introduce any functional change.

Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: e7dcb722bb75 ("crypto: qat - fix firmware loading failure for GEN6 devices")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/intel/qat/qat_common/qat_hal.c |   22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/drivers/crypto/intel/qat/qat_common/qat_hal.c
+++ b/drivers/crypto/intel/qat/qat_common/qat_hal.c
@@ -9,17 +9,17 @@
 #include "icp_qat_hal.h"
 #include "icp_qat_uclo.h"
 
-#define BAD_REGADDR	       0xffff
-#define MAX_RETRY_TIMES	   10000
-#define INIT_CTX_ARB_VALUE	0x0
-#define INIT_CTX_ENABLE_VALUE     0x0
-#define INIT_PC_VALUE	     0x0
-#define INIT_WAKEUP_EVENTS_VALUE  0x1
-#define INIT_SIG_EVENTS_VALUE     0x1
-#define INIT_CCENABLE_VALUE       0x2000
-#define RST_CSR_QAT_LSB	   20
-#define RST_CSR_AE_LSB		  0
-#define MC_TIMESTAMP_ENABLE       (0x1 << 7)
+#define BAD_REGADDR			0xffff
+#define MAX_RETRY_TIMES			10000
+#define INIT_CTX_ARB_VALUE		0x0
+#define INIT_CTX_ENABLE_VALUE		0x0
+#define INIT_PC_VALUE			0x0
+#define INIT_WAKEUP_EVENTS_VALUE	0x1
+#define INIT_SIG_EVENTS_VALUE		0x1
+#define INIT_CCENABLE_VALUE		0x2000
+#define RST_CSR_QAT_LSB			20
+#define RST_CSR_AE_LSB			0
+#define MC_TIMESTAMP_ENABLE		(0x1 << 7)
 
 #define IGNORE_W1C_MASK ((~(1 << CE_BREAKPOINT_BITPOS)) & \
 	(~(1 << CE_CNTL_STORE_PARITY_ERROR_BITPOS)) & \



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 258/270] crypto: qat - fix firmware loading failure for GEN6 devices
@ 2026-05-12 17:40 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:40 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Suman Kumar Chakraborty,
	Giovanni Cabiddu, Andy Shevchenko, Herbert Xu, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>

[ Upstream commit e7dcb722bb75bb3f3992f580a8728a794732fd7a ]

QAT GEN6 hardware requires a minimum 3 us delay during the acceleration
engine reset sequence to ensure the hardware fully settles.
Without this delay, the firmware load may fail intermittently.

Add a delay after placing the AE into reset and before clearing the reset,
matching the hardware requirements and ensuring stable firmware loading.
Earlier generations remain unaffected.

Fixes: 17fd7514ae68 ("crypto: qat - add qat_6xxx driver")
Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/intel/qat/qat_common/adf_accel_engine.c         |    7 +++++++
 drivers/crypto/intel/qat/qat_common/icp_qat_fw_loader_handle.h |    1 +
 drivers/crypto/intel/qat/qat_common/qat_hal.c                  |    5 ++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/crypto/intel/qat/qat_common/adf_accel_engine.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_accel_engine.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only)
 /* Copyright(c) 2014 - 2020 Intel Corporation */
+#include <linux/delay.h>
 #include <linux/firmware.h>
 #include <linux/pci.h>
 #include "adf_cfg.h"
@@ -162,8 +163,14 @@ int adf_ae_stop(struct adf_accel_dev *ac
 static int adf_ae_reset(struct adf_accel_dev *accel_dev, int ae)
 {
 	struct adf_fw_loader_data *loader_data = accel_dev->fw_loader;
+	unsigned long reset_delay;
 
 	qat_hal_reset(loader_data->fw_loader);
+
+	reset_delay = loader_data->fw_loader->chip_info->reset_delay_us;
+	if (reset_delay)
+		fsleep(reset_delay);
+
 	if (qat_hal_clr_reset(loader_data->fw_loader))
 		return -EFAULT;
 
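Review bot: the only explanation of why the sleep exists (a GEN6 hardware settle requirement between putting the AE into reset and clearing it) lives in the commit message; a one-line comment at the fsleep() call would carry it into the code. fsleep() picks udelay() for a delay this short, which is fine here as long as adf_ae_reset() is never called from a context where even a 3 us busy-wait is a problem; `reset_delay` being unsigned long while the field is u16 is harmless.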
--- a/drivers/crypto/intel/qat/qat_common/icp_qat_fw_loader_handle.h
+++ b/drivers/crypto/intel/qat/qat_common/icp_qat_fw_loader_handle.h
@@ -27,6 +27,7 @@ struct icp_qat_fw_loader_chip_info {
 	int mmp_sram_size;
 	bool nn;
 	bool lm2lm3;
+	u16 reset_delay_us;
 	u32 lm_size;
 	u32 icp_rst_csr;
 	u32 icp_rst_mask;
--- a/drivers/crypto/intel/qat/qat_common/qat_hal.c
+++ b/drivers/crypto/intel/qat/qat_common/qat_hal.c
@@ -20,6 +20,7 @@
 #define RST_CSR_QAT_LSB			20
 #define RST_CSR_AE_LSB			0
 #define MC_TIMESTAMP_ENABLE		(0x1 << 7)
+#define MIN_RESET_DELAY_US		3
 
 #define IGNORE_W1C_MASK ((~(1 << CE_BREAKPOINT_BITPOS)) & \
 	(~(1 << CE_CNTL_STORE_PARITY_ERROR_BITPOS)) & \
@@ -713,8 +714,10 @@ static int qat_hal_chip_init(struct icp_
 		handle->chip_info->wakeup_event_val = 0x80000000;
 		handle->chip_info->fw_auth = true;
 		handle->chip_info->css_3k = true;
-		if (handle->pci_dev->device == PCI_DEVICE_ID_INTEL_QAT_6XXX)
+		if (handle->pci_dev->device == PCI_DEVICE_ID_INTEL_QAT_6XXX) {
 			handle->chip_info->dual_sign = true;
+			handle->chip_info->reset_delay_us = MIN_RESET_DELAY_US;
+		}
 		handle->chip_info->tgroup_share_ustore = true;
 		handle->chip_info->fcu_ctl_csr = FCU_CONTROL_4XXX;
 		handle->chip_info->fcu_sts_csr = FCU_STATUS_4XXX;
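Review bot: reset_delay_us is only assigned in the PCI_DEVICE_ID_INTEL_QAT_6XXX branch, so every other generation relies on chip_info being zero-initialised for the `if (reset_delay)` test in adf_ae_reset() to skip the sleep, and that allocation is not visible in this patch. A comment on the new field in icp_qat_fw_loader_chip_info ("0 means no delay required") would make the contract explicit.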



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 259/270] mm, swap: speed up hibernation allocation and writeout
@ 2026-05-12 17:41 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kairui Song, Carsten Grohmann,
	Baoquan He, Barry Song, Chris Li, Kemeng Shi, Nhat Pham,
	Andrew Morton, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kairui Song <kasong@tencent.com>

[ Upstream commit 396f57b5720024638dbb503f6a4abd988a49d815 ]

Since commit 0ff67f990bd4 ("mm, swap: remove swap slot cache"),
hibernation has been using the swap slot slow allocation path for
simplification, which it turns out might cause a regression for some devices
because the allocator now rotates clusters too often, leading to slower
allocation and more random distribution of data.

Fast allocation is not complex, so implement hibernation support as well.

Test result with Samsung SSD 830 Series (SATA II, 3.0 Gbps) shows the
performance is several times better [1]:
6.19:               324 seconds
After this series:  35 seconds

Link: https://lkml.kernel.org/r/20260216-hibernate-perf-v4-1-1ba9f0bf1ec9@tencent.com
Link: https://lore.kernel.org/linux-mm/8b4bdcfa-ce3f-4e23-839f-31367df7c18f@gmx.de/ [1]
Signed-off-by: Kairui Song <kasong@tencent.com>
Fixes: 0ff67f990bd4 ("mm, swap: remove swap slot cache")
Reported-by: Carsten Grohmann <mail@carstengrohmann.de>
Closes: https://lore.kernel.org/linux-mm/20260206121151.dea3633d1f0ded7bbf49c22e@linux-foundation.org/
Cc: Baoquan He <bhe@redhat.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Chris Li <chrisl@kernel.org>
Cc: Kemeng Shi <shikemeng@huaweicloud.com>
Cc: Nhat Pham <nphamcs@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ adjusted helper signatures ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/swapfile.c |   21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2014,8 +2014,9 @@ out:
 
 swp_entry_t get_swap_page_of_type(int type)
 {
-	struct swap_info_struct *si = swap_type_to_info(type);
-	unsigned long offset;
+	struct swap_info_struct *pcp_si, *si = swap_type_to_info(type);
+	unsigned long pcp_offset, offset = SWAP_ENTRY_INVALID;
+	struct swap_cluster_info *ci;
 	swp_entry_t entry = {0};
 
 	if (!si)
@@ -2025,11 +2026,21 @@ swp_entry_t get_swap_page_of_type(int ty
 	if (get_swap_device_info(si)) {
 		if (si->flags & SWP_WRITEOK) {
 			/*
-			 * Grab the local lock to be complaint
-			 * with swap table allocation.
+			 * Try the local cluster first if it matches the device. If
+			 * not, try grab a new cluster and override local cluster.
 			 */
 			local_lock(&percpu_swap_cluster.lock);
-			offset = cluster_alloc_swap_entry(si, 0, 1);
+			pcp_si = this_cpu_read(percpu_swap_cluster.si[0]);
+			pcp_offset = this_cpu_read(percpu_swap_cluster.offset[0]);
+			if (pcp_si == si && pcp_offset) {
+				ci = swap_cluster_lock(si, pcp_offset);
+				if (cluster_is_usable(ci, 0))
+					offset = alloc_swap_scan_cluster(si, ci, pcp_offset, 0, 1);
+				else
+					swap_cluster_unlock(ci);
+			}
+			if (!offset)
+				offset = cluster_alloc_swap_entry(si, 0, 1);
 			local_unlock(&percpu_swap_cluster.lock);
 			if (offset)
 				entry = swp_entry(si->type, offset);
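Review bot: the fast path depends on alloc_swap_scan_cluster() dropping the cluster lock on every return, including the 0 return that makes the code fall through to cluster_alloc_swap_entry(), while the else branch unlocks explicitly; the asymmetry is presumably deliberate but deserves a word in the comment. The comment also promises to "override local cluster" in the fallback case, yet nothing in this hunk writes percpu_swap_cluster.si/offset, so if cluster_alloc_swap_entry() does that internally, the comment should say so.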



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 260/270] firmware: exynos-acpm: Drop fake const on handle pointer
@ 2026-05-12 17:41 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
	Krzysztof Kozlowski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>

[ Upstream commit a2be37eedb52ea26938fa4cc9de1ff84963c57ad ]

All the functions operating on the 'handle' pointer are claiming it is a
pointer to const, thus they should not modify the handle.  In fact that's
a false statement, because the first thing these functions do is drop the
cast to const with container_of:

  struct acpm_info *acpm = handle_to_acpm_info(handle);

And with such a cast the handle is easily writable with a simple:

  acpm->handle.ops.pmic_ops.read_reg = NULL;

The code is not correct logically, either, because functions like
acpm_get_by_node() and acpm_handle_put() are meant to modify the handle
reference counting, thus they must modify the handle.  Modification here
happens anyway, even if the reference counting is stored in the
container which the handle is part of.

The code does not have an actual visible bug, but incorrect 'const'
annotations could lead to incorrect compiler decisions.

Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260224104203.42950-2-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
[ dropped hunks for DVFS/clk-acpm files and `acpm_dvfs_ops` struct that don't exist in 6.18 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/samsung/exynos-acpm-pmic.c           |   10 +++---
 drivers/firmware/samsung/exynos-acpm-pmic.h           |   10 +++---
 drivers/firmware/samsung/exynos-acpm.c                |   16 +++++----
 drivers/firmware/samsung/exynos-acpm.h                |    2 -
 drivers/mfd/sec-acpm.c                                |   10 +++---
 include/linux/firmware/samsung/exynos-acpm-protocol.h |   29 +++++++-----------
 6 files changed, 37 insertions(+), 40 deletions(-)

--- a/drivers/firmware/samsung/exynos-acpm-pmic.c
+++ b/drivers/firmware/samsung/exynos-acpm-pmic.c
@@ -77,7 +77,7 @@ static void acpm_pmic_init_read_cmd(u32
 	cmd[3] = ktime_to_ms(ktime_get());
 }
 
-int acpm_pmic_read_reg(const struct acpm_handle *handle,
+int acpm_pmic_read_reg(struct acpm_handle *handle,
 		       unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 		       u8 *buf)
 {
@@ -107,7 +107,7 @@ static void acpm_pmic_init_bulk_read_cmd
 		 FIELD_PREP(ACPM_PMIC_VALUE, count);
 }
 
-int acpm_pmic_bulk_read(const struct acpm_handle *handle,
+int acpm_pmic_bulk_read(struct acpm_handle *handle,
 			unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			u8 count, u8 *buf)
 {
@@ -150,7 +150,7 @@ static void acpm_pmic_init_write_cmd(u32
 	cmd[3] = ktime_to_ms(ktime_get());
 }
 
-int acpm_pmic_write_reg(const struct acpm_handle *handle,
+int acpm_pmic_write_reg(struct acpm_handle *handle,
 			unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			u8 value)
 {
@@ -187,7 +187,7 @@ static void acpm_pmic_init_bulk_write_cm
 	}
 }
 
-int acpm_pmic_bulk_write(const struct acpm_handle *handle,
+int acpm_pmic_bulk_write(struct acpm_handle *handle,
 			 unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			 u8 count, const u8 *buf)
 {
@@ -220,7 +220,7 @@ static void acpm_pmic_init_update_cmd(u3
 	cmd[3] = ktime_to_ms(ktime_get());
 }
 
-int acpm_pmic_update_reg(const struct acpm_handle *handle,
+int acpm_pmic_update_reg(struct acpm_handle *handle,
 			 unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			 u8 value, u8 mask)
 {
--- a/drivers/firmware/samsung/exynos-acpm-pmic.h
+++ b/drivers/firmware/samsung/exynos-acpm-pmic.h
@@ -11,19 +11,19 @@
 
 struct acpm_handle;
 
-int acpm_pmic_read_reg(const struct acpm_handle *handle,
+int acpm_pmic_read_reg(struct acpm_handle *handle,
 		       unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 		       u8 *buf);
-int acpm_pmic_bulk_read(const struct acpm_handle *handle,
+int acpm_pmic_bulk_read(struct acpm_handle *handle,
 			unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			u8 count, u8 *buf);
-int acpm_pmic_write_reg(const struct acpm_handle *handle,
+int acpm_pmic_write_reg(struct acpm_handle *handle,
 			unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			u8 value);
-int acpm_pmic_bulk_write(const struct acpm_handle *handle,
+int acpm_pmic_bulk_write(struct acpm_handle *handle,
 			 unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			 u8 count, const u8 *buf);
-int acpm_pmic_update_reg(const struct acpm_handle *handle,
+int acpm_pmic_update_reg(struct acpm_handle *handle,
 			 unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
 			 u8 value, u8 mask);
 #endif /* __EXYNOS_ACPM_PMIC_H__ */
--- a/drivers/firmware/samsung/exynos-acpm.c
+++ b/drivers/firmware/samsung/exynos-acpm.c
@@ -409,7 +409,7 @@ static int acpm_wait_for_message_respons
  *
  * Return: 0 on success, -errno otherwise.
  */
-int acpm_do_xfer(const struct acpm_handle *handle, const struct acpm_xfer *xfer)
+int acpm_do_xfer(struct acpm_handle *handle, const struct acpm_xfer *xfer)
 {
 	struct acpm_info *acpm = handle_to_acpm_info(handle);
 	struct exynos_mbox_msg msg;
@@ -649,7 +649,7 @@ static int acpm_probe(struct platform_de
  * acpm_handle_put() - release the handle acquired by acpm_get_by_phandle.
  * @handle:	Handle acquired by acpm_get_by_phandle.
  */
-static void acpm_handle_put(const struct acpm_handle *handle)
+static void acpm_handle_put(struct acpm_handle *handle)
 {
 	struct acpm_info *acpm = handle_to_acpm_info(handle);
 	struct device *dev = acpm->dev;
@@ -675,9 +675,11 @@ static void devm_acpm_release(struct dev
  * @np:		ACPM device tree node.
  *
  * Return: pointer to handle on success, ERR_PTR(-errno) otherwise.
+ *
+ * Note: handle CANNOT be pointer to const
  */
-static const struct acpm_handle *acpm_get_by_node(struct device *dev,
-						  struct device_node *np)
+static struct acpm_handle *acpm_get_by_node(struct device *dev,
+					    struct device_node *np)
 {
 	struct platform_device *pdev;
 	struct device_link *link;
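Review bot: the new "Note: handle CANNOT be pointer to const" comment states the rule without the reason; since the exynos-acpm.c hunks in this same patch show handle_to_acpm_info(handle) being used to obtain a writable struct acpm_info (acpm_do_xfer() and acpm_handle_put()), consider saying that the handle is the way callers reach mutable driver state, so a const-qualified pointer here was only ever nominal. One sentence will save the next reader from re-deriving it.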
@@ -718,10 +720,10 @@ static const struct acpm_handle *acpm_ge
  *
  * Return: pointer to handle on success, ERR_PTR(-errno) otherwise.
  */
-const struct acpm_handle *devm_acpm_get_by_node(struct device *dev,
-						struct device_node *np)
+struct acpm_handle *devm_acpm_get_by_node(struct device *dev,
+					  struct device_node *np)
 {
-	const struct acpm_handle **ptr, *handle;
+	struct acpm_handle **ptr, *handle;
 
 	ptr = devres_alloc(devm_acpm_release, sizeof(*ptr), GFP_KERNEL);
 	if (!ptr)
--- a/drivers/firmware/samsung/exynos-acpm.h
+++ b/drivers/firmware/samsung/exynos-acpm.h
@@ -17,7 +17,7 @@ struct acpm_xfer {
 
 struct acpm_handle;
 
-int acpm_do_xfer(const struct acpm_handle *handle,
+int acpm_do_xfer(struct acpm_handle *handle,
 		 const struct acpm_xfer *xfer);
 
 #endif /* __EXYNOS_ACPM_H__ */
--- a/drivers/mfd/sec-acpm.c
+++ b/drivers/mfd/sec-acpm.c
@@ -217,7 +217,7 @@ static const struct regmap_config s2mpg1
 };
 
 struct sec_pmic_acpm_shared_bus_context {
-	const struct acpm_handle *acpm;
+	struct acpm_handle *acpm;
 	unsigned int acpm_chan_id;
 	u8 speedy_channel;
 };
@@ -240,7 +240,7 @@ static int sec_pmic_acpm_bus_write(void
 				   size_t count)
 {
 	struct sec_pmic_acpm_bus_context *ctx = context;
-	const struct acpm_handle *acpm = ctx->shared->acpm;
+	struct acpm_handle *acpm = ctx->shared->acpm;
 	const struct acpm_pmic_ops *pmic_ops = &acpm->ops.pmic_ops;
 	size_t val_count = count - BITS_TO_BYTES(ACPM_ADDR_BITS);
 	const u8 *d = data;
@@ -260,7 +260,7 @@ static int sec_pmic_acpm_bus_read(void *
 				  void *val_buf, size_t val_size)
 {
 	struct sec_pmic_acpm_bus_context *ctx = context;
-	const struct acpm_handle *acpm = ctx->shared->acpm;
+	struct acpm_handle *acpm = ctx->shared->acpm;
 	const struct acpm_pmic_ops *pmic_ops = &acpm->ops.pmic_ops;
 	const u8 *r = reg_buf;
 	u8 reg;
@@ -279,7 +279,7 @@ static int sec_pmic_acpm_bus_reg_update_
 					     unsigned int val)
 {
 	struct sec_pmic_acpm_bus_context *ctx = context;
-	const struct acpm_handle *acpm = ctx->shared->acpm;
+	struct acpm_handle *acpm = ctx->shared->acpm;
 	const struct acpm_pmic_ops *pmic_ops = &acpm->ops.pmic_ops;
 
 	return pmic_ops->update_reg(acpm, ctx->shared->acpm_chan_id, ctx->type, reg & 0xff,
@@ -335,7 +335,7 @@ static int sec_pmic_acpm_probe(struct pl
 	struct regmap *regmap_common, *regmap_pmic, *regmap;
 	const struct sec_pmic_acpm_platform_data *pdata;
 	struct sec_pmic_acpm_shared_bus_context *shared_ctx;
-	const struct acpm_handle *acpm;
+	struct acpm_handle *acpm;
 	struct device *dev = &pdev->dev;
 	int ret, irq;
 
--- a/include/linux/firmware/samsung/exynos-acpm-protocol.h
+++ b/include/linux/firmware/samsung/exynos-acpm-protocol.h
@@ -14,21 +14,16 @@ struct acpm_handle;
 struct device_node;
 
 struct acpm_pmic_ops {
-	int (*read_reg)(const struct acpm_handle *handle,
-			unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
-			u8 *buf);
-	int (*bulk_read)(const struct acpm_handle *handle,
-			 unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
-			 u8 count, u8 *buf);
-	int (*write_reg)(const struct acpm_handle *handle,
-			 unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
-			 u8 value);
-	int (*bulk_write)(const struct acpm_handle *handle,
-			  unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
-			  u8 count, const u8 *buf);
-	int (*update_reg)(const struct acpm_handle *handle,
-			  unsigned int acpm_chan_id, u8 type, u8 reg, u8 chan,
-			  u8 value, u8 mask);
+	int (*read_reg)(struct acpm_handle *handle, unsigned int acpm_chan_id,
+			u8 type, u8 reg, u8 chan, u8 *buf);
+	int (*bulk_read)(struct acpm_handle *handle, unsigned int acpm_chan_id,
+			 u8 type, u8 reg, u8 chan, u8 count, u8 *buf);
+	int (*write_reg)(struct acpm_handle *handle, unsigned int acpm_chan_id,
+			 u8 type, u8 reg, u8 chan, u8 value);
+	int (*bulk_write)(struct acpm_handle *handle, unsigned int acpm_chan_id,
+			  u8 type, u8 reg, u8 chan, u8 count, const u8 *buf);
+	int (*update_reg)(struct acpm_handle *handle, unsigned int acpm_chan_id,
+			  u8 type, u8 reg, u8 chan, u8 value, u8 mask);
 };
 
 struct acpm_ops {
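Review bot: style: this hunk re-wraps every acpm_pmic_ops prototype onto two lines while the matching extern declarations in exynos-acpm-pmic.h earlier in this patch keep their original three-line layout; either is fine, but using the same wrapping in both places makes it easy to diff the ops table against the declarations, and keeping the original layout here would reduce the hunk to the const change alone.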
@@ -45,7 +40,7 @@ struct acpm_handle {
 
 struct device;
 
-const struct acpm_handle *devm_acpm_get_by_node(struct device *dev,
-						struct device_node *np);
+struct acpm_handle *devm_acpm_get_by_node(struct device *dev,
+					  struct device_node *np);
 
 #endif /* __EXYNOS_ACPM_PROTOCOL_H */





* [PATCH 6.18 261/270] hfsplus: fix uninit-value by validating catalog record size
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+d80abb5b890d39261e72,
	Viacheslav Dubeyko, Charalampos Mitrodimas, Deepanshu Kartikey,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit b6b592275aeff184aa82fcf6abccd833fb71b393 ]

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The
root cause is that hfs_brec_read() doesn't validate that the on-disk
record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data
than expected. For example, when reading a catalog thread record, the
debug output showed:

  HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
  HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the
buffer size, but doesn't check if it's less than expected. It successfully
reads 26 bytes into a 520-byte structure and returns success, leaving 494
bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by
hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering
the KMSAN warning when the uninitialized bytes are used as array indices
in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:
1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
   - Fixed size for folder and file records
   - Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading
nodeName.length to avoid reading uninitialized data at call sites that
don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive
programming to ensure no uninitialized data even if validation is
bypassed.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/ [v1]
Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmail.com/ [v2]
Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmail.com/ [v3]
Link: https://lore.kernel.org/all/20260214002100.436125-1-kartikey406@gmail.com/T/ [v4]
Link: https://lore.kernel.org/all/20260221061626.15853-1-kartikey406@gmail.com/T/ [v5]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260307010302.41547-1-kartikey406@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Stable-dep-of: 90c500e4fd83 ("hfsplus: fix held lock freed on hfsplus_fill_super()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/bfind.c      |   51 ++++++++++++++++++++++++++++++++++++++++++++++++
 fs/hfsplus/catalog.c    |    4 +--
 fs/hfsplus/dir.c        |    2 -
 fs/hfsplus/hfsplus_fs.h |    9 ++++++++
 fs/hfsplus/super.c      |    2 -
 5 files changed, 64 insertions(+), 4 deletions(-)

--- a/fs/hfsplus/bfind.c
+++ b/fs/hfsplus/bfind.c
@@ -287,3 +287,54 @@ out:
 	fd->bnode = bnode;
 	return res;
 }
+
+/**
+ * hfsplus_brec_read_cat - read and validate a catalog record
+ * @fd: find data structure
+ * @entry: pointer to catalog entry to read into
+ *
+ * Reads a catalog record and validates its size matches the expected
+ * size based on the record type.
+ *
+ * Returns 0 on success, or negative error code on failure.
+ */
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry)
+{
+	int res;
+	u32 expected_size;
+
+	res = hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry));
+	if (res)
+		return res;
+
+	/* Validate catalog record size based on type */
+	switch (be16_to_cpu(entry->type)) {
+	case HFSPLUS_FOLDER:
+		expected_size = sizeof(struct hfsplus_cat_folder);
+		break;
+	case HFSPLUS_FILE:
+		expected_size = sizeof(struct hfsplus_cat_file);
+		break;
+	case HFSPLUS_FOLDER_THREAD:
+	case HFSPLUS_FILE_THREAD:
+		/* Ensure we have at least the fixed fields before reading nodeName.length */
+		if (fd->entrylength < HFSPLUS_MIN_THREAD_SZ) {
+			pr_err("thread record too short (got %u)\n", fd->entrylength);
+			return -EIO;
+		}
+		expected_size = hfsplus_cat_thread_size(&entry->thread);
+		break;
+	default:
+		pr_err("unknown catalog record type %d\n",
+		       be16_to_cpu(entry->type));
+		return -EIO;
+	}
+
+	if (fd->entrylength != expected_size) {
+		pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n",
+		       be16_to_cpu(entry->type), fd->entrylength, expected_size);
+		return -EIO;
+	}
+
+	return 0;
+}
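Review bot: entry->type is read by the switch before anything bounds fd->entrylength, so a record shorter than sizeof(entry->type) leaves the type bytes uninitialised at the call sites that do not zero the entry (the same concern the HFSPLUS_MIN_THREAD_SZ check addresses for nodeName.length); add `if (fd->entrylength < sizeof(entry->type)) return -EIO;` right after hfs_brec_read() succeeds. Also, all three pr_err() calls fire on the contents of a corrupted image during ordinary lookups, so pr_err_ratelimited() would be the kinder choice for the log.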
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struc
 int hfsplus_find_cat(struct super_block *sb, u32 cnid,
 		     struct hfs_find_data *fd)
 {
-	hfsplus_cat_entry tmp;
+	hfsplus_cat_entry tmp = {0};
 	int err;
 	u16 type;
 
 	hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid);
-	err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
+	err = hfsplus_brec_read_cat(fd, &tmp);
 	if (err)
 		return err;
 
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(str
 	if (unlikely(err < 0))
 		goto fail;
 again:
-	err = hfs_brec_read(&fd, &entry, sizeof(entry));
+	err = hfsplus_brec_read_cat(&fd, &entry);
 	if (err) {
 		if (err == -ENOENT) {
 			hfs_find_exit(&fd);
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -507,6 +507,15 @@ int hfsplus_submit_bio(struct super_bloc
 		       void **data, blk_opf_t opf);
 int hfsplus_read_wrapper(struct super_block *sb);
 
+static inline u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread)
+{
+	return offsetof(struct hfsplus_cat_thread, nodeName) +
+	       offsetof(struct hfsplus_unistr, unicode) +
+	       be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr);
+}
+
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry);
+
 /*
  * time helpers: convert between 1904-base and 1970-base timestamps
  *
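Review bot: hfsplus_cat_thread_size() multiplies an on-disk u16 by sizeof(hfsplus_unichr) without bounding nodeName.length against HFSPLUS_MAX_STRLEN; that is safe only because the one caller compares the result against fd->entrylength, which hfs_brec_read() has already capped at the buffer size. A short kernel-doc comment stating that the helper computes the expected on-disk size and does not validate the length itself would keep a future caller from trusting it alone.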
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -571,7 +571,7 @@ static int hfsplus_fill_super(struct sup
 	err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
 	if (unlikely(err < 0))
 		goto out_put_root;
-	if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+	if (!hfsplus_brec_read_cat(&fd, &entry)) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
 			err = -EIO;
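Review bot: the `goto out_put_root` two lines above the changed line is taken after the find data has been initialised but skips hfs_find_exit(&fd), while the success branch immediately below does call it; that error path leaves the tree lock held (patch 262/270 in this series, which lists this one as a dependency, adds the missing call). Not introduced here, but worth flagging since this hunk touches the adjacent line and the backport order matters.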

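As an added userspace model of the size check described in the commit message (not kernel code and not part of this patch): the record layout constants, the fixed folder/file sizes and all MODEL_ names are assumptions of the model, and it additionally guards the type field itself, which the patch does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Catalog record types, as in the HFS+ on-disk format. */
#define HFSPLUS_FOLDER        1
#define HFSPLUS_FILE          2
#define HFSPLUS_FOLDER_THREAD 3
#define HFSPLUS_FILE_THREAD   4
#define HFSPLUS_MAX_STRLEN    255
#define MODEL_EIO             5   /* stands in for the kernel's -EIO */

/* Layout constants of this model (assumptions, not read from the kernel
 * tree): a thread record is type(2) reserved(2) parentID(4), followed by
 * nodeName = length(2) + 2 bytes per UTF-16 unit; folder and file records
 * are fixed-size. */
#define MODEL_FOLDER_SZ       88
#define MODEL_FILE_SZ         248
#define MODEL_THREAD_HDR_SZ   8   /* offsetof(hfsplus_cat_thread, nodeName) */
#define MODEL_UNISTR_HDR_SZ   2   /* offsetof(hfsplus_unistr, unicode) */
#define MODEL_MIN_THREAD_SZ   (MODEL_THREAD_HDR_SZ + MODEL_UNISTR_HDR_SZ)
#define MODEL_CAT_ENTRY_SZ    (MODEL_MIN_THREAD_SZ + 2 * HFSPLUS_MAX_STRLEN) /* 520 */

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Mirror of the check hfsplus_brec_read_cat() performs after hfs_brec_read()
 * has copied `entrylength` bytes into `rec`; bytes past entrylength hold
 * whatever the buffer contained before.  Returns 0 when the record is
 * consistent with its type field, -MODEL_EIO otherwise. */
int model_validate_cat_record(const uint8_t *rec, uint32_t entrylength)
{
	uint32_t expected;

	/* Extra guard the patch does not have: the type field itself is only
	 * initialised if at least two bytes were read. */
	if (entrylength < 2)
		return -MODEL_EIO;

	switch (rd_be16(rec)) {
	case HFSPLUS_FOLDER:
		expected = MODEL_FOLDER_SZ;
		break;
	case HFSPLUS_FILE:
		expected = MODEL_FILE_SZ;
		break;
	case HFSPLUS_FOLDER_THREAD:
	case HFSPLUS_FILE_THREAD:
		/* nodeName.length sits at offset 8: refuse to read it unless the
		 * read actually covered the fixed part of the record. */
		if (entrylength < MODEL_MIN_THREAD_SZ)
			return -MODEL_EIO;
		expected = MODEL_MIN_THREAD_SZ + 2u * rd_be16(rec + MODEL_THREAD_HDR_SZ);
		break;
	default:
		return -MODEL_EIO;
	}
	return entrylength == expected ? 0 : -MODEL_EIO;
}

/* Write a constructed thread record (name filled with 'A') into a 520-byte
 * entry buffer; returns its on-disk size. */
uint32_t model_build_thread(uint8_t *rec, uint16_t type, uint32_t parent, uint16_t name_len)
{
	uint32_t i;

	memset(rec, 0, MODEL_CAT_ENTRY_SZ);
	wr_be16(rec, type);
	rec[4] = (uint8_t)(parent >> 24); rec[5] = (uint8_t)(parent >> 16);
	rec[6] = (uint8_t)(parent >> 8);  rec[7] = (uint8_t)parent;
	wr_be16(rec + MODEL_THREAD_HDR_SZ, name_len);
	for (i = 0; i < name_len; i++)
		wr_be16(rec + MODEL_MIN_THREAD_SZ + 2 * i, 'A');
	return MODEL_MIN_THREAD_SZ + 2u * name_len;
}

/* Fixed-size records: stamp only the type into a zeroed buffer and validate
 * it as if `entrylength` bytes had been read. */
int model_check_fixed(uint16_t type, uint32_t entrylength)
{
	uint8_t rec[MODEL_CAT_ENTRY_SZ];

	memset(rec, 0, sizeof(rec));
	wr_be16(rec, type);
	return model_validate_cat_record(rec, entrylength);
}

/* Thread records: build one with `name_len` units, then validate it with
 * the caller's `entrylength`, which may differ from the real size. */
int model_check_thread(uint16_t name_len, uint32_t entrylength)
{
	uint8_t rec[MODEL_CAT_ENTRY_SZ];

	model_build_thread(rec, HFSPLUS_FILE_THREAD, 16, name_len);
	return model_validate_cat_record(rec, entrylength);
}

/* Replay of the scenario in the commit message: an entry buffer holding
 * stale data (0xAA here, standing in for uninitialised stack) receives only
 * 26 of the 210 bytes of a thread record.  Before the patch such a read
 * returned success with 494 stale bytes behind the 26 valid ones. */
int model_syzbot_partial_read(void)
{
	uint8_t stale[MODEL_CAT_ENTRY_SZ];
	uint8_t ondisk[MODEL_CAT_ENTRY_SZ];

	memset(stale, 0xAA, sizeof(stale));
	model_build_thread(ondisk, HFSPLUS_FOLDER_THREAD, 2, 100); /* 210 bytes */
	memcpy(stale, ondisk, 26);               /* partial read: entrylength = 26 */
	return model_validate_cat_record(stale, 26);
}
```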



* [PATCH 6.18 262/270] hfsplus: fix held lock freed on hfsplus_fill_super()
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zilin Guan, Viacheslav Dubeyko,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zilin Guan <zilin@seu.edu.cn>

[ Upstream commit 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 ]

hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.

Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.

The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.

We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:

	=========================
	WARNING: held lock freed!
	7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
	-------------------------
	mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
	ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
	2 locks held by mount/174:
	#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
	#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0

	stack backtrace:
	CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x82/0xd0
	debug_check_no_locks_freed+0x13a/0x180
	kfree+0x16b/0x510
	? hfsplus_fill_super+0xcb4/0x18a0
	hfsplus_fill_super+0xcb4/0x18a0
	? __pfx_hfsplus_fill_super+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? bdev_open+0x65f/0xc30
	? srso_return_thunk+0x5/0x5f
	? pointer+0x4ce/0xbf0
	? trace_contention_end+0x11c/0x150
	? __pfx_pointer+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? bdev_open+0x79b/0xc30
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? vsnprintf+0x6da/0x1270
	? srso_return_thunk+0x5/0x5f
	? __mutex_unlock_slowpath+0x157/0x740
	? __pfx_vsnprintf+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? mark_held_locks+0x49/0x80
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? irqentry_exit+0x17b/0x5e0
	? trace_irq_disable.constprop.0+0x116/0x150
	? __pfx_hfsplus_fill_super+0x10/0x10
	? __pfx_hfsplus_fill_super+0x10/0x10
	get_tree_bdev_flags+0x302/0x580
	? __pfx_get_tree_bdev_flags+0x10/0x10
	? vfs_parse_fs_qstr+0x129/0x1a0
	? __pfx_vfs_parse_fs_qstr+0x3/0x10
	vfs_get_tree+0x89/0x320
	fc_mount+0x10/0x1d0
	path_mount+0x5c5/0x21c0
	? __pfx_path_mount+0x10/0x10
	? trace_irq_enable.constprop.0+0x116/0x150
	? trace_irq_enable.constprop.0+0x116/0x150
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? kmem_cache_free+0x307/0x540
	? user_path_at+0x51/0x60
	? __x64_sys_mount+0x212/0x280
	? srso_return_thunk+0x5/0x5f
	__x64_sys_mount+0x212/0x280
	? __pfx___x64_sys_mount+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? trace_irq_enable.constprop.0+0x116/0x150
	? srso_return_thunk+0x5/0x5f
	do_syscall_64+0x111/0x680
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7ffacad55eae
	Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
	RSP: 002b:00007fff1ab55718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffacad55eae
	RDX: 000055740c64e5b0 RSI: 000055740c64e630 RDI: 000055740c651ab0
	RBP: 000055740c64e380 R08: 0000000000000000 R09: 0000000000000001
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 000055740c64e5b0 R14: 000055740c651ab0 R15: 000055740c64e380
	</TASK>

After applying this patch, the warning no longer appears.

Fixes: 89ac9b4d3d1a ("hfsplus: fix longname handling")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/super.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -569,8 +569,10 @@ static int hfsplus_fill_super(struct sup
 	if (err)
 		goto out_put_root;
 	err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
-	if (unlikely(err < 0))
+	if (unlikely(err < 0)) {
+		hfs_find_exit(&fd);
 		goto out_put_root;
+	}
 	if (!hfsplus_brec_read_cat(&fd, &entry)) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
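Review bot: the fix is correct, but hfsplus_fill_super() now calls hfs_find_exit(&fd) inline on two adjacent branches of the same block; a dedicated unwind label that runs hfs_find_exit(&fd) and then falls through to out_put_root would make it harder to miss a third time, and would keep the lock/unlock pairing visible in one place rather than at each `goto`.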




* [PATCH 6.18 263/270] erofs: tidy up z_erofs_lz4_handle_overlap()
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Gao Xiang, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gao Xiang <hsiangkao@linux.alibaba.com>

[ Upstream commit 9ae77198d4815c63fc8ebacc659c71d150d1e51b ]

 - Add some useful comments to explain inplace I/Os and decompression;

 - Rearrange the code to get rid of one unnecessary goto.

Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Stable-dep-of: 21e161de2dc6 ("erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/erofs/decompressor.c |   85 +++++++++++++++++++++++++-----------------------
 1 file changed, 46 insertions(+), 39 deletions(-)

--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -105,44 +105,58 @@ static int z_erofs_lz4_prepare_dstpages(
 	return kaddr ? 1 : 0;
 }
 
-static void *z_erofs_lz4_handle_overlap(struct z_erofs_decompress_req *rq,
+static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq,
 			void *inpage, void *out, unsigned int *inputmargin,
 			int *maptype, bool may_inplace)
 {
-	unsigned int oend, omargin, total, i;
+	unsigned int oend, omargin, cnt, i;
 	struct page **in;
-	void *src, *tmp;
-
-	if (rq->inplace_io) {
-		oend = rq->pageofs_out + rq->outputsize;
-		omargin = PAGE_ALIGN(oend) - oend;
-		if (rq->partial_decoding || !may_inplace ||
-		    omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize))
-			goto docopy;
+	void *src;
 
+	/*
+	 * If in-place I/O isn't used, for example, the bounce compressed cache
+	 * can hold data for incomplete read requests. Just map the compressed
+	 * buffer as well and decompress directly.
+	 */
+	if (!rq->inplace_io) {
+		if (rq->inpages <= 1) {
+			*maptype = 0;
+			return inpage;
+		}
+		kunmap_local(inpage);
+		src = erofs_vm_map_ram(rq->in, rq->inpages);
+		if (!src)
+			return ERR_PTR(-ENOMEM);
+		*maptype = 1;
+		return src;
+	}
+	/*
+	 * Then, deal with in-place I/Os. The reasons why in-place I/O is useful
+	 * are: (1) It minimizes memory footprint during the I/O submission,
+	 * which is useful for slow storage (including network devices and
+	 * low-end HDDs/eMMCs) but with a lot inflight I/Os; (2) If in-place
+	 * decompression can also be applied, it will reuse the unique buffer so
+	 * that no extra CPU D-cache is polluted with temporary compressed data
+	 * for extreme performance.
+	 */
+	oend = rq->pageofs_out + rq->outputsize;
+	omargin = PAGE_ALIGN(oend) - oend;
+	if (!rq->partial_decoding && may_inplace &&
+	    omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) {
 		for (i = 0; i < rq->inpages; ++i)
 			if (rq->out[rq->outpages - rq->inpages + i] !=
 			    rq->in[i])
-				goto docopy;
-		kunmap_local(inpage);
-		*maptype = 3;
-		return out + ((rq->outpages - rq->inpages) << PAGE_SHIFT);
+				break;
+		if (i >= rq->inpages) {
+			kunmap_local(inpage);
+			*maptype = 3;
+			return out + ((rq->outpages - rq->inpages) << PAGE_SHIFT);
+		}
 	}
-
-	if (rq->inpages <= 1) {
-		*maptype = 0;
-		return inpage;
-	}
-	kunmap_local(inpage);
-	src = erofs_vm_map_ram(rq->in, rq->inpages);
-	if (!src)
-		return ERR_PTR(-ENOMEM);
-	*maptype = 1;
-	return src;
-
-docopy:
-	/* Or copy compressed data which can be overlapped to per-CPU buffer */
-	in = rq->in;
+	/*
+	 * If in-place decompression can't be applied, copy compressed data that
+	 * may potentially overlap during decompression to a per-CPU buffer.
+	 */
 	src = z_erofs_get_gbuf(rq->inpages);
 	if (!src) {
 		DBG_BUGON(1);
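Review bot: in the in-place branch the index `rq->outpages - rq->inpages + i` is computed in unsigned arithmetic and nothing checks that outpages >= inpages; the surrounding conditions (partial_decoding, may_inplace, omargin) do not imply it, so a request with fewer output than input pages wraps the subtraction and indexes rq->out[] far out of bounds. Add `rq->outpages >= rq->inpages` to the condition (patch 264/270 later in this series does exactly that); since this tidy-up is a stable dependency of that fix, it is worth getting the two in together.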
@@ -150,20 +164,13 @@ docopy:
 		return ERR_PTR(-EFAULT);
 	}
 
-	tmp = src;
-	total = rq->inputsize;
-	while (total) {
-		unsigned int page_copycnt =
-			min_t(unsigned int, total, PAGE_SIZE - *inputmargin);
-
+	for (i = 0, in = rq->in; i < rq->inputsize; i += cnt, ++in) {
+		cnt = min_t(u32, rq->inputsize - i, PAGE_SIZE - *inputmargin);
 		if (!inpage)
 			inpage = kmap_local_page(*in);
-		memcpy(tmp, inpage + *inputmargin, page_copycnt);
+		memcpy(src + i, inpage + *inputmargin, cnt);
 		kunmap_local(inpage);
 		inpage = NULL;
-		tmp += page_copycnt;
-		total -= page_copycnt;
-		++in;
 		*inputmargin = 0;
 	}
 	*maptype = 2;
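Review bot: minor type nit: `cnt` and `i` are declared `unsigned int` but the clamp uses `min_t(u32, ...)`; `min_t(unsigned int, ...)` (or declaring both as u32) keeps the loop bound `i < rq->inputsize`, the accumulator and the clamp in one type so a reader does not have to check whether the cast changes anything.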




* [PATCH 6.18 264/270] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

[ Upstream commit 21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab ]

Some crafted images can have illegal (!partial_decoding &&
m_llen < m_plen) extents, and the LZ4 inplace decompression path
can be wrongly hit, but it cannot handle (outpages < inpages)
properly: "outpages - inpages" wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.

However, such crafted cases can correctly result in a corruption
report in the normal LZ4 non-inplace path.

Let's add an additional check to fix this for backporting.

Reproducible image (base64-encoded gzipped blob):


$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1

Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/erofs/decompressor.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -142,6 +142,7 @@ static void *z_erofs_lz4_handle_overlap(
 	oend = rq->pageofs_out + rq->outputsize;
 	omargin = PAGE_ALIGN(oend) - oend;
 	if (!rq->partial_decoding && may_inplace &&
+	    rq->outpages >= rq->inpages &&
 	    omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) {
 		for (i = 0; i < rq->inpages; ++i)
 			if (rq->out[rq->outpages - rq->inpages + i] !=
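Review bot: the new `rq->outpages >= rq->inpages` term deserves a one-line comment: the block above explains the in-place margin logic, but nothing says that crafted (!partial_decoding && m_llen < m_plen) extents can reach this point, so without one the guard looks redundant and is at risk of being dropped in a future tidy-up. The first sentence of the commit message would do verbatim.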




* [PATCH 6.18 265/270] printk: add print_hex_dump_devel()
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Herbert Xu, Thorsten Blum,
	John Ogness, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit d134feeb5df33fbf77f482f52a366a44642dba09 ]

Add print_hex_dump_devel() as the hex dump equivalent of pr_devel(),
which emits output only when DEBUG is enabled, but keeps call sites
compiled otherwise.

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 177730a273b1 ("crypto: caam - guard HMAC key hex dumps in hash_digest_key")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/printk.h |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -802,6 +802,19 @@ static inline void print_hex_dump_debug(
 }
 #endif
 
+#if defined(DEBUG)
+#define print_hex_dump_devel(prefix_str, prefix_type, rowsize,		\
+			     groupsize, buf, len, ascii)		\
+	print_hex_dump(KERN_DEBUG, prefix_str, prefix_type, rowsize,	\
+		       groupsize, buf, len, ascii)
+#else
+static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
+					int rowsize, int groupsize,
+					const void *buf, size_t len, bool ascii)
+{
+}
+#endif
+
 /**
  * print_hex_dump_bytes - shorthand form of print_hex_dump() with default params
  * @prefix_str: string to prefix each line with;
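Review bot: print_hex_dump_devel() is added without the kernel-doc block that print_hex_dump_bytes() right below it carries; please document that, like pr_devel(), it compiles to nothing unless DEBUG is defined at the call site and is not enabled by CONFIG_DYNAMIC_DEBUG, since that difference from print_hex_dump_debug() is the whole point of the helper (the caam patch this is a dependency of relies on it for key material).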




* [PATCH 6.18 266/270] crypto: caam - guard HMAC key hex dumps in hash_digest_key
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit 177730a273b18e195263ed953853273e901b5064 ]

Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in
hash_digest_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.

Fixes: 045e36780f11 ("crypto: caam - ahash hmac support")
Fixes: 3f16f6c9d632 ("crypto: caam/qi2 - add support for ahash algorithms")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/caam/caamalg_qi2.c |    4 ++--
 drivers/crypto/caam/caamhash.c    |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/caam/caamalg_qi2.c
+++ b/drivers/crypto/caam/caamalg_qi2.c
@@ -3269,7 +3269,7 @@ static int hash_digest_key(struct caam_h
 	dpaa2_fl_set_addr(out_fle, key_dma);
 	dpaa2_fl_set_len(out_fle, digestsize);
 
-	print_hex_dump_debug("key_in@" __stringify(__LINE__)": ",
+	print_hex_dump_devel("key_in@" __stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
 	print_hex_dump_debug("shdesc@" __stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
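Review bot: the key_in and digested key dumps are now gated on DEBUG, but the `shdesc@` dump two lines below stays on print_hex_dump_debug; please confirm the descriptor carries only DMA addresses (key_dma, as the dpaa2_fl_set_addr() call above suggests) and not the key bytes themselves, otherwise it needs the same treatment. Same question for the `jobdesc@` dump in the caamhash.c hunk.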
@@ -3289,7 +3289,7 @@ static int hash_digest_key(struct caam_h
 		/* in progress */
 		wait_for_completion(&result.completion);
 		ret = result.err;
-		print_hex_dump_debug("digested key@" __stringify(__LINE__)": ",
+		print_hex_dump_devel("digested key@" __stringify(__LINE__)": ",
 				     DUMP_PREFIX_ADDRESS, 16, 4, key,
 				     digestsize, 1);
 	}
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -393,7 +393,7 @@ static int hash_digest_key(struct caam_h
 	append_seq_store(desc, digestsize, LDST_CLASS_2_CCB |
 			 LDST_SRCDST_BYTE_CONTEXT);
 
-	print_hex_dump_debug("key_in@"__stringify(__LINE__)": ",
+	print_hex_dump_devel("key_in@"__stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
 	print_hex_dump_debug("jobdesc@"__stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
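Review bot: same point for the `jobdesc@` dump directly under this hunk, which stays on print_hex_dump_debug(): if the job descriptor embeds the input key inline instead of pointing at it, that dump leaks the bytes this hunk just hid from dynamic debug, and only the `digested key@` dump further down is covered by the next hunk.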
@@ -408,7 +408,7 @@ static int hash_digest_key(struct caam_h
 		wait_for_completion(&result.completion);
 		ret = result.err;
 
-		print_hex_dump_debug("digested key@"__stringify(__LINE__)": ",
+		print_hex_dump_devel("digested key@"__stringify(__LINE__)": ",
 				     DUMP_PREFIX_ADDRESS, 16, 4, key,
 				     digestsize, 1);
 	}



^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18 267/270] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (265 preceding siblings ...)
  2026-05-12 17:41 ` [PATCH 6.18 266/270] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
@ 2026-05-12 17:41 ` Greg Kroah-Hartman
  2026-05-12 17:41 ` [PATCH 6.18 268/270] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>

[ Upstream commit 6b4286e0550814cdc4b897f881ec1fa8b0313227 ]

STMMAC_GET_ENTRY() doesn't describe what this macro is doing - it is
incrementing the provided index for the circular array of descriptors.
Replace "GET" with "NEXT" as this better describes the action here.

Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/E1w2vba-0000000DbWo-1oL5@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0bb05e6adfa9 ("net: stmmac: Prevent NULL deref when RX memory exhausted")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/chain_mode.c  |    2 -
 drivers/net/ethernet/stmicro/stmmac/common.h      |    2 -
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c   |    2 -
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   26 +++++++++++-----------
 4 files changed, 16 insertions(+), 16 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
@@ -47,7 +47,7 @@ static int jumbo_frm(struct stmmac_tx_qu
 
 	while (len != 0) {
 		tx_q->tx_skbuff[entry] = NULL;
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 		desc = tx_q->dma_tx + entry;
 
 		if (len > bmax) {
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -60,7 +60,7 @@ static inline bool dwmac_is_xmac(enum dw
 #define DMA_MIN_RX_SIZE		64
 #define DMA_MAX_RX_SIZE		1024
 #define DMA_DEFAULT_RX_SIZE	512
-#define STMMAC_GET_ENTRY(x, size)	((x + 1) & (size - 1))
+#define STMMAC_NEXT_ENTRY(x, size)	((x + 1) & (size - 1))
 
 #undef FRAME_FILTER_DEBUG
 /* #define FRAME_FILTER_DEBUG */
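Review bot: while this line is being rewritten anyway, the macro body `((x + 1) & (size - 1))` should parenthesise its arguments, `(((x) + 1) & ((size) - 1))`, and gain a one-line comment that the mask only wraps correctly when `size` is a power of two; every caller in this patch passes `dma_conf.dma_rx_size` or `dma_conf.dma_tx_size`, so that constraint on the ring sizes is the thing the new name still leaves unstated.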
--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
@@ -51,7 +51,7 @@ static int jumbo_frm(struct stmmac_tx_qu
 		stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum,
 				STMMAC_RING_MODE, 0, false, skb->len);
 		tx_q->tx_skbuff[entry] = NULL;
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 
 		if (priv->extend_desc)
 			desc = (struct dma_desc *)(tx_q->dma_etx + entry);
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2609,7 +2609,7 @@ static bool stmmac_xdp_xmit_zc(struct st
 		xsk_tx_metadata_to_compl(meta,
 					 &tx_q->tx_skbuff_dma[entry].xsk_meta);
 
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 		entry = tx_q->cur_tx;
 	}
 	u64_stats_update_begin(&txq_stats->napi_syncp);
@@ -2780,7 +2780,7 @@ static int stmmac_tx_clean(struct stmmac
 
 		stmmac_release_tx_desc(priv, p, priv->mode);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	}
 	tx_q->dirty_tx = entry;
 
@@ -4079,7 +4079,7 @@ static bool stmmac_vlan_insert(struct st
 		return false;
 
 	stmmac_set_tx_owner(priv, p);
-	tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+	tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 	return true;
 }
 
@@ -4107,7 +4107,7 @@ static void stmmac_tso_allocator(struct
 	while (tmp_len > 0) {
 		dma_addr_t curr_addr;
 
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx,
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx,
 						priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[tx_q->cur_tx]);
 
@@ -4258,7 +4258,7 @@ static netdev_tx_t stmmac_tso_xmit(struc
 
 		stmmac_set_mss(priv, mss_desc, mss);
 		tx_q->mss = mss;
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx,
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx,
 						priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[tx_q->cur_tx]);
 	}
@@ -4362,7 +4362,7 @@ static netdev_tx_t stmmac_tso_xmit(struc
 	 * ndo_start_xmit will fill this descriptor the next time it's
 	 * called and stmmac_tx_clean may clean up to this descriptor.
 	 */
-	tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+	tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 
 	if (unlikely(stmmac_tx_avail(priv, queue) <= (MAX_SKB_FRAGS + 1))) {
 		netif_dbg(priv, hw, priv->dev, "%s: stop transmitted packets\n",
@@ -4566,7 +4566,7 @@ static netdev_tx_t stmmac_xmit(struct sk
 		int len = skb_frag_size(frag);
 		bool last_segment = (i == (nfrags - 1));
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[entry]);
 
 		if (likely(priv->extend_desc))
@@ -4636,7 +4636,7 @@ static netdev_tx_t stmmac_xmit(struct sk
 	 * ndo_start_xmit will fill this descriptor the next time it's
 	 * called and stmmac_tx_clean may clean up to this descriptor.
 	 */
-	entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+	entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	tx_q->cur_tx = entry;
 
 	if (netif_msg_pktdata(priv)) {
@@ -4805,7 +4805,7 @@ static inline void stmmac_rx_refill(stru
 		dma_wmb();
 		stmmac_set_rx_owner(priv, p, use_rx_wd);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_rx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_rx_size);
 	}
 	rx_q->dirty_rx = entry;
 	rx_q->rx_tail_addr = rx_q->dma_rx_phy +
@@ -4953,7 +4953,7 @@ static int stmmac_xdp_xmit_xdpf(struct s
 
 	stmmac_enable_dma_transmission(priv, priv->ioaddr, queue);
 
-	entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+	entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	tx_q->cur_tx = entry;
 
 	return STMMAC_XDP_TX;
@@ -5187,7 +5187,7 @@ static bool stmmac_rx_refill_zc(struct s
 		dma_wmb();
 		stmmac_set_rx_owner(priv, rx_desc, use_rx_wd);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_rx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_rx_size);
 	}
 
 	if (rx_desc) {
@@ -5282,7 +5282,7 @@ read_again:
 			break;
 
 		/* Prefetch the next RX descriptor */
-		rx_q->cur_rx = STMMAC_GET_ENTRY(rx_q->cur_rx,
+		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
 						priv->dma_conf.dma_rx_size);
 		next_entry = rx_q->cur_rx;
 
@@ -5478,7 +5478,7 @@ read_again:
 		if (unlikely(status & dma_own))
 			break;
 
-		rx_q->cur_rx = STMMAC_GET_ENTRY(rx_q->cur_rx,
+		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
 						priv->dma_conf.dma_rx_size);
 		next_entry = rx_q->cur_rx;
 




* [PATCH 6.18 268/270] net: stmmac: Prevent NULL deref when RX memory exhausted
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (266 preceding siblings ...)
  2026-05-12 17:41 ` [PATCH 6.18 267/270] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
@ 2026-05-12 17:41 ` Greg Kroah-Hartman
  2026-05-12 17:41 ` [PATCH 6.18 269/270] rust: pin-init: fix incorrect accessor reference lifetime Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King, Sam Edwards,
	Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Edwards <cfsworks@gmail.com>

[ Upstream commit 0bb05e6adfa99a2ea1fee1125cc0953409f83ed8 ]

The CPU receives frames from the MAC through conventional DMA: the CPU
allocates buffers for the MAC, then the MAC fills them and returns
ownership to the CPU. For each hardware RX queue, the CPU and MAC
coordinate through a shared ring array of DMA descriptors: one
descriptor per DMA buffer. Each descriptor includes the buffer's
physical address and a status flag ("OWN") indicating which side owns
the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set
the flag and the MAC is only allowed to clear it, and both must move
through the ring in sequence: thus the ring is used for both
"submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring
with the `cur_rx` index. The main receive loop in that function checks
for rx_descs[cur_rx].own=0, gives the corresponding buffer to the
network stack (NULLing the pointer), and increments `cur_rx` modulo the
ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its
position with `dirty_rx`, allocates fresh buffers and rearms the
descriptors (setting OWN=1). If it fails any allocation, it simply stops
early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):
- `empty` (OWN=1, buffer valid)
- `full` (OWN=0, buffer valid and populated)
- `dirty` (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In
the past (see 'Fixes:'), there was a bug where the loop could cycle
`cur_rx` all the way back to the first descriptor it dirtied, resulting
in a NULL dereference when mistaken for `full`. The aforementioned
commit resolved that *specific* failure by capping the loop's iteration
limit at `dma_rx_size - 1`, but this is only a partial fix: if the
previous stmmac_rx_refill() didn't complete, then there are leftover
`dirty` descriptors that the loop might encounter without needing to
cycle fully around. The current code therefore panics (see 'Closes:')
when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to
catch up to `dirty_rx`.

Fix this by explicitly checking, before advancing `cur_rx`, if the next
entry is dirty; exit the loop if so. This prevents processing of the
final, used descriptor until stmmac_rx_refill() succeeds, but
fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix
intended: so remove the clamp as well. Since stmmac_rx_zc() is a
copy-paste-and-tweak of stmmac_rx() and the code structure is identical,
any fix to stmmac_rx() will also need a corresponding fix for
stmmac_rx_zc(). Therefore, apply the same check there.

In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the
MAC sets OWN=0 on the final descriptor, it will be unable to send any
further DMA-complete IRQs until it's given more `empty` descriptors.
Currently, the driver simply *hopes* that the next stmmac_rx_refill()
succeeds, risking an indefinite stall of the receive process if not. But
this is not a regression, so it can be addressed in a future change.

Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010
Cc: stable@vger.kernel.org
Suggested-by: Russell King <linux@armlinux.org.uk>
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Link: https://patch.msgid.link/20260422044503.5349-1-CFSworks@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5282,9 +5282,12 @@ read_again:
 			break;
 
 		/* Prefetch the next RX descriptor */
-		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
-						priv->dma_conf.dma_rx_size);
-		next_entry = rx_q->cur_rx;
+		next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
+					       priv->dma_conf.dma_rx_size);
+		if (unlikely(next_entry == rx_q->dirty_rx))
+			break;
+
+		rx_q->cur_rx = next_entry;
 
 		if (priv->extend_desc)
 			np = (struct dma_desc *)(rx_q->dma_erx + next_entry);
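Review bot: the `/* Prefetch the next RX descriptor */` comment above these lines no longer matches them: the loop can now exit with `cur_rx` unchanged, the current CPU-owned descriptor unconsumed and `count` not incremented. Put a short comment on the new `break` saying that the slot preceding `dirty_rx` is deliberately left for a later poll, after stmmac_rx_refill() has rearmed the dirty entries, so the check is not mistaken for a redundant full-ring test and removed again.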
@@ -5422,7 +5425,6 @@ static int stmmac_rx(struct stmmac_priv
 
 	dma_dir = page_pool_get_dma_dir(rx_q->page_pool);
 	bufsz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
-	limit = min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit);
 
 	if (netif_msg_rx_status(priv)) {
 		void *rx_head;
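Review bot: with the `min(priv->dma_conf.dma_rx_size - 1, limit)` clamp gone, `limit` is the raw NAPI budget again and protection against lapping the ring rests entirely on the `next_entry == rx_q->dirty_rx` test in the following hunk; that test guarantees `cur_rx` never advances onto `dirty_rx`, so the `cur_rx == dirty_rx` ambiguity can only arise once refill has caught up, and that reasoning deserves a comment next to the check rather than living only in the commit message.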
@@ -5478,9 +5480,12 @@ read_again:
 		if (unlikely(status & dma_own))
 			break;
 
-		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
-						priv->dma_conf.dma_rx_size);
-		next_entry = rx_q->cur_rx;
+		next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
+					       priv->dma_conf.dma_rx_size);
+		if (unlikely(next_entry == rx_q->dirty_rx))
+			break;
+
+		rx_q->cur_rx = next_entry;
 
 		if (priv->extend_desc)
 			np = (struct dma_desc *)(rx_q->dma_erx + next_entry);
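Review bot: this is the second copy of the same six-line sequence in this patch, one in stmmac_rx_zc() and one in stmmac_rx(), and the commit message itself calls the two functions copy-paste twins; a small static helper that computes `next_entry` and reports whether it has reached `rx_q->dirty_rx` would keep both loops from drifting apart on the next fix and give the deferral rule a single place to be documented.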



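The three-stage descriptor lifecycle from the commit message above, together with the power-of-two index step behind the STMMAC_NEXT_ENTRY() rename in 267/270, as an added C model that is not part of the patch or of the stmmac driver. Names and sizes are constructed for the illustration (an 8-slot ring, 64-byte pages, `rx_queue`, `mac_receive`, `rx_poll`, `alloc_budget`); the simulated MAC flips OWN, `rx_refill` mirrors stmmac_rx_refill() stopping at the first failed allocation, and `rx_poll` can run either as the pre-fix loop (iteration clamp only) or as the patched loop (dirty check, no clamp). With one starved refill followed by a full ring, the pre-fix loop walks onto a dirty slot, the patched loop stops one slot short of `dirty_rx`, and the deferred slot is delivered only on the poll after a successful refill.

```c
#include <stdbool.h>
#include <stddef.h>

/* Same arithmetic as the driver's STMMAC_NEXT_ENTRY(); the mask only wraps
 * correctly when size is a power of two. */
#define NEXT_ENTRY(x, size) (((x) + 1) & ((size) - 1))
#define RING_SIZE 8                     /* constructed: small power-of-two ring */

struct rx_queue {
	bool own[RING_SIZE];            /* descriptor OWN flag: 1 = MAC, 0 = CPU */
	unsigned char *page[RING_SIZE]; /* buffer; NULL once given to the stack */
	unsigned cur_rx;                /* receive loop position (stmmac_rx) */
	unsigned dirty_rx;              /* refill position (stmmac_rx_refill) */
	unsigned mac_idx;               /* where the simulated MAC completes next */
};
static int alloc_budget;                /* constructed: models memory pressure */
static unsigned char page_store[RING_SIZE][64];
static struct rx_queue ring;            /* shared by the scenarios below */

/* Every slot starts "empty": OWN=1 with a valid buffer. */
static void rx_queue_init(struct rx_queue *q)
{
	*q = (struct rx_queue){0};
	for (unsigned i = 0; i < RING_SIZE; i++) {
		q->page[i] = page_store[i];
		q->own[i] = true;
	}
}

/* Simulated MAC: each completed frame turns an "empty" slot into "full". */
static void mac_receive(struct rx_queue *q, unsigned n)
{
	while (n-- && q->own[q->mac_idx]) {
		q->own[q->mac_idx] = false;
		q->mac_idx = NEXT_ENTRY(q->mac_idx, RING_SIZE);
	}
}

/* Like stmmac_rx_refill(): rearm dirty_rx..cur_rx, stop at the first failed allocation. */
static void rx_refill(struct rx_queue *q)
{
	unsigned entry = q->dirty_rx;
	while (entry != q->cur_rx) {
		if (!q->page[entry]) {
			if (alloc_budget <= 0)
				break;            /* slot stays "dirty": OWN=0, NULL */
			alloc_budget--;
			q->page[entry] = page_store[entry];
		}
		q->own[entry] = true;
		entry = NEXT_ENTRY(entry, RING_SIZE);
	}
	q->dirty_rx = entry;
}

/* Frames delivered to the stack, or -1 on reaching a "dirty" slot mistaken for
 * "full" (the NULL deref). fixed=false: pre-fix loop; fixed=true: patched loop. */
static int rx_poll(struct rx_queue *q, int budget, bool fixed)
{
	int count = 0;
	if (!fixed && budget > RING_SIZE - 1)
		budget = RING_SIZE - 1;   /* the removed min(dma_rx_size - 1, limit) */
	while (count < budget) {
		unsigned entry = q->cur_rx, next;
		if (q->own[entry])        /* still owned by the MAC */
			break;
		next = NEXT_ENTRY(q->cur_rx, RING_SIZE);
		if (fixed && next == q->dirty_rx)
			break;            /* next slot is dirty: defer this frame */
		q->cur_rx = next;
		if (!q->page[entry])
			return -1;        /* the driver would dereference NULL here */
		q->page[entry] = NULL;
		count++;
	}
	rx_refill(q);
	return count;
}

/* Commit-message scenario: one starved refill, then the ring fills: -1 pre-fix, 3 patched. */
static int starved_ring_poll(bool fixed)
{
	rx_queue_init(&ring);
	mac_receive(&ring, 4);
	alloc_budget = 0;             /* memory exhausted */
	rx_poll(&ring, 64, fixed);    /* slots 0..3 consumed, refill cannot rearm */
	mac_receive(&ring, 4);        /* slots 4..7 become "full" */
	return rx_poll(&ring, 64, fixed);
}

/* Once memory returns, refill advances dirty_rx and the deferred frame flows. */
static int deferred_frame_delivered(void)
{
	starved_ring_poll(true);
	alloc_budget = RING_SIZE;     /* memory available again */
	rx_poll(&ring, 64, true);     /* 0 frames: the refill after the loop rearms 0..6 */
	return rx_poll(&ring, 64, true); /* 1: slot 7 finally delivered */
}
```

Call `starved_ring_poll(false)` and `starved_ring_poll(true)` from a `main()` to compare the two loops: the pre-fix variant returns -1 after consuming slots 4 to 7 and stepping onto dirty slot 0, well inside its `dma_rx_size - 1` clamp, which is exactly the "without needing to cycle fully around" case in the commit message; the patched variant returns 3. `deferred_frame_delivered()` also makes the stall the commit message leaves for a later change visible: the last full descriptor is consumed only on the poll after a refill has succeeded.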

* [PATCH 6.18 269/270] rust: pin-init: fix incorrect accessor reference lifetime
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (267 preceding siblings ...)
  2026-05-12 17:41 ` [PATCH 6.18 268/270] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
@ 2026-05-12 17:41 ` Greg Kroah-Hartman
  2026-05-12 17:41 ` [PATCH 6.18 270/270] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2s op cache Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable@vger.kernel.org, Gary Guo,
	Gary Guo

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gary Guo <gary@garyguo.net>

commit 68bf102226cf2199dc609b67c1e847cad4de4b57 upstream

When a field has been initialized, `init!`/`pin_init!` create a reference
or pinned reference to the field so it can be accessed later during the
initialization of other fields. However, the reference it created is
incorrectly `&'static` rather than just the scope of the initializer.

This means that you can do

    init!(Foo {
        a: 1,
        _: {
            let b: &'static u32 = a;
        }
    })

which is unsound.

This is caused by `&mut (*$slot).$ident`, which actually allows arbitrary
lifetime, so this is effectively `'static`.

Fix it by adding `let_binding` method on `DropGuard` to shorten lifetime.
This results in exactly what we want for these accessors. The safety and
invariant comments of `DropGuard` have been reworked; instead of reasoning
about what caller can do with the guard, express it in a way that the
ownership is transferred to the guard and `forget` takes it back, so the
unsafe operations within the `DropGuard` can be more easily justified.

Assisted-by: Claude:claude-3-opus
Signed-off-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 rust/pin-init/src/__internal.rs |   28 ++++++++----
 rust/pin-init/src/macros.rs     |   91 +++++++++++++++++++++++-----------------
 2 files changed, 73 insertions(+), 46 deletions(-)

--- a/rust/pin-init/src/__internal.rs
+++ b/rust/pin-init/src/__internal.rs
@@ -218,32 +218,42 @@ fn stack_init_reuse() {
 /// When a value of this type is dropped, it drops a `T`.
 ///
 /// Can be forgotten to prevent the drop.
+///
+/// # Invariants
+///
+/// - `ptr` is valid and properly aligned.
+/// - `*ptr` is initialized and owned by this guard.
 pub struct DropGuard<T: ?Sized> {
     ptr: *mut T,
 }
 
 impl<T: ?Sized> DropGuard<T> {
-    /// Creates a new [`DropGuard<T>`]. It will [`ptr::drop_in_place`] `ptr` when it gets dropped.
+    /// Creates a drop guard and transfer the ownership of the pointer content.
     ///
-    /// # Safety
+    /// The ownership is only relinquished if the guard is forgotten via [`core::mem::forget`].
     ///
-    /// `ptr` must be a valid pointer.
+    /// # Safety
     ///
-    /// It is the callers responsibility that `self` will only get dropped if the pointee of `ptr`:
-    /// - has not been dropped,
-    /// - is not accessible by any other means,
-    /// - will not be dropped by any other means.
+    /// - `ptr` is valid and properly aligned.
+    /// - `*ptr` is initialized, and the ownership is transferred to this guard.
     #[inline]
     pub unsafe fn new(ptr: *mut T) -> Self {
+        // INVARIANT: By safety requirement.
         Self { ptr }
     }
+
+    /// Create a let binding for accessor use.
+    #[inline]
+    pub fn let_binding(&mut self) -> &mut T {
+        // SAFETY: Per type invariant.
+        unsafe { &mut *self.ptr }
+    }
 }
 
 impl<T: ?Sized> Drop for DropGuard<T> {
     #[inline]
     fn drop(&mut self) {
-        // SAFETY: A `DropGuard` can only be constructed using the unsafe `new` function
-        // ensuring that this operation is safe.
+        // SAFETY: `self.ptr` is valid, properly aligned and `*self.ptr` is owned by this guard.
         unsafe { ptr::drop_in_place(self.ptr) }
     }
 }
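Review bot: grammar in the new doc comment on `new`: "Creates a drop guard and transfer the ownership" should read "transfers". More importantly, the doc on `let_binding()` says only "for accessor use"; it should state that the returned `&mut T` borrows `self` mutably and therefore cannot outlive the guard, because that borrow is what shortens the accessor lifetime this patch fixes. A reader of `__internal.rs` alone cannot otherwise tell why the method exists instead of a plain dereference at the call site.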
--- a/rust/pin-init/src/macros.rs
+++ b/rust/pin-init/src/macros.rs
@@ -1310,27 +1310,33 @@ macro_rules! __init_internal {
         // return when an error/panic occurs.
         // We also use the `data` to require the correct trait (`Init` or `PinInit`) for `$field`.
         unsafe { $data.$field(::core::ptr::addr_of_mut!((*$slot).$field), init)? };
-        // NOTE: the field accessor ensures that the initialized field is properly aligned.
+        // NOTE: this ensures that the initialized field is properly aligned.
         // Unaligned fields will cause the compiler to emit E0793. We do not support
         // unaligned fields since `Init::__init` requires an aligned pointer; the call to
         // `ptr::write` below has the same requirement.
-        // SAFETY:
-        // - the project function does the correct field projection,
-        // - the field has been initialized,
-        // - the reference is only valid until the end of the initializer.
-        #[allow(unused_variables)]
-        let $field = $crate::macros::paste!(unsafe { $data.[< __project_ $field >](&mut (*$slot).$field) });
+        // SAFETY: the field has been initialized.
+        let _ = unsafe { &mut (*$slot).$field };
 
         // Create the drop guard:
         //
         // We rely on macro hygiene to make it impossible for users to access this local variable.
         // We use `paste!` to create new hygiene for `$field`.
         $crate::macros::paste! {
-            // SAFETY: We forget the guard later when initialization has succeeded.
-            let [< __ $field _guard >] = unsafe {
+            // SAFETY:
+            // - `addr_of_mut!((*$slot).$field)` is valid.
+            // - `(*$slot).$field` has been initialized above.
+            // - We only need the ownership to the pointee back when initialization has
+            //   succeeded, where we `forget` the guard.
+            let mut [< __ $field _guard >] = unsafe {
                 $crate::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
             };
 
+            // NOTE: The reference is derived from the guard so that it only lives as long as
+            // the guard does and cannot escape the scope.
+            #[allow(unused_variables)]
+            // SAFETY: the project function does the correct field projection.
+            let $field = unsafe { $data.[< __project_ $field >]([< __ $field _guard >].let_binding()) };
+
             $crate::__init_internal!(init_slot($use_data):
                 @data($data),
                 @slot($slot),
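Review bot: the `#[allow(unused_variables)]` attribute sits between the NOTE comment and the SAFETY comment here (and in the last hunk), whereas the two middle hunks put it directly before the `let`; the attribute binds to the `let` in both orders, but one layout would be easier to diff. The new SAFETY line records only that the projection is correct; the removed comment also stated that the reference is valid only until the end of the initializer, and since that is now enforced by the borrow of the guard rather than by convention, a sentence saying so next to the `__project_` call keeps the argument complete.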
@@ -1353,27 +1359,30 @@ macro_rules! __init_internal {
         // return when an error/panic occurs.
         unsafe { $crate::Init::__init(init, ::core::ptr::addr_of_mut!((*$slot).$field))? };
 
-        // NOTE: the field accessor ensures that the initialized field is properly aligned.
+        // NOTE: this ensures that the initialized field is properly aligned.
         // Unaligned fields will cause the compiler to emit E0793. We do not support
         // unaligned fields since `Init::__init` requires an aligned pointer; the call to
         // `ptr::write` below has the same requirement.
-        // SAFETY:
-        // - the field is not structurally pinned, since the line above must compile,
-        // - the field has been initialized,
-        // - the reference is only valid until the end of the initializer.
-        #[allow(unused_variables)]
-        let $field = unsafe { &mut (*$slot).$field };
+        // SAFETY: the field has been initialized.
+        let _ = unsafe { &mut (*$slot).$field };
 
         // Create the drop guard:
         //
         // We rely on macro hygiene to make it impossible for users to access this local variable.
         // We use `paste!` to create new hygiene for `$field`.
         $crate::macros::paste! {
-            // SAFETY: We forget the guard later when initialization has succeeded.
-            let [< __ $field _guard >] = unsafe {
+            // SAFETY:
+            // - `addr_of_mut!((*$slot).$field)` is valid.
+            // - `(*$slot).$field` has been initialized above.
+            // - We only need the ownership to the pointee back when initialization has
+            //   succeeded, where we `forget` the guard.
+            let mut [< __ $field _guard >] = unsafe {
                 $crate::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
             };
 
+            #[allow(unused_variables)]
+            let $field = [< __ $field _guard >].let_binding();
+
             $crate::__init_internal!(init_slot():
                 @data($data),
                 @slot($slot),
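Review bot: unlike the first and last hunks in this file, the `let $field = [< __ $field _guard >].let_binding();` line here and in the following hunk carries no NOTE explaining that the borrow of the guard is what bounds the lifetime, and the `let _ = unsafe { &mut (*$slot).$field };` above it looks at first glance like a leftover; the same two-line NOTE used in the `__project_` hunks would make clear that the first line exists only to trigger E0793 on unaligned fields and the second is the actual accessor.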
@@ -1397,28 +1406,30 @@ macro_rules! __init_internal {
             unsafe { ::core::ptr::write(::core::ptr::addr_of_mut!((*$slot).$field), $field) };
         }
 
-        // NOTE: the field accessor ensures that the initialized field is properly aligned.
+        // NOTE: this ensures that the initialized field is properly aligned.
         // Unaligned fields will cause the compiler to emit E0793. We do not support
         // unaligned fields since `Init::__init` requires an aligned pointer; the call to
         // `ptr::write` below has the same requirement.
-        #[allow(unused_variables)]
-        // SAFETY:
-        // - the field is not structurally pinned, since no `use_data` was required to create this
-        //   initializer,
-        // - the field has been initialized,
-        // - the reference is only valid until the end of the initializer.
-        let $field = unsafe { &mut (*$slot).$field };
+        // SAFETY: the field has been initialized.
+        let _ = unsafe { &mut (*$slot).$field };
 
         // Create the drop guard:
         //
         // We rely on macro hygiene to make it impossible for users to access this local variable.
         // We use `paste!` to create new hygiene for `$field`.
         $crate::macros::paste! {
-            // SAFETY: We forget the guard later when initialization has succeeded.
-            let [< __ $field _guard >] = unsafe {
+            // SAFETY:
+            // - `addr_of_mut!((*$slot).$field)` is valid.
+            // - `(*$slot).$field` has been initialized above.
+            // - We only need the ownership to the pointee back when initialization has
+            //   succeeded, where we `forget` the guard.
+            let mut [< __ $field _guard >] = unsafe {
                 $crate::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
             };
 
+            #[allow(unused_variables)]
+            let $field = [< __ $field _guard >].let_binding();
+
             $crate::__init_internal!(init_slot():
                 @data($data),
                 @slot($slot),
@@ -1441,27 +1452,33 @@ macro_rules! __init_internal {
             // SAFETY: The memory at `slot` is uninitialized.
             unsafe { ::core::ptr::write(::core::ptr::addr_of_mut!((*$slot).$field), $field) };
         }
-        // NOTE: the field accessor ensures that the initialized field is properly aligned.
+        // NOTE: this ensures that the initialized field is properly aligned.
         // Unaligned fields will cause the compiler to emit E0793. We do not support
         // unaligned fields since `Init::__init` requires an aligned pointer; the call to
         // `ptr::write` below has the same requirement.
-        // SAFETY:
-        // - the project function does the correct field projection,
-        // - the field has been initialized,
-        // - the reference is only valid until the end of the initializer.
-        #[allow(unused_variables)]
-        let $field = $crate::macros::paste!(unsafe { $data.[< __project_ $field >](&mut (*$slot).$field) });
+        // SAFETY: the field has been initialized.
+        let _ = unsafe { &mut (*$slot).$field };
 
         // Create the drop guard:
         //
         // We rely on macro hygiene to make it impossible for users to access this local variable.
         // We use `paste!` to create new hygiene for `$field`.
         $crate::macros::paste! {
-            // SAFETY: We forget the guard later when initialization has succeeded.
-            let [< __ $field _guard >] = unsafe {
+            // SAFETY:
+            // - `addr_of_mut!((*$slot).$field)` is valid.
+            // - `(*$slot).$field` has been initialized above.
+            // - We only need the ownership to the pointee back when initialization has
+            //   succeeded, where we `forget` the guard.
+            let mut [< __ $field _guard >] = unsafe {
                 $crate::__internal::DropGuard::new(::core::ptr::addr_of_mut!((*$slot).$field))
             };
 
+            // NOTE: The reference is derived from the guard so that it only lives as long as
+            // the guard does and cannot escape the scope.
+            #[allow(unused_variables)]
+            // SAFETY: the project function does the correct field projection.
+            let $field = unsafe { $data.[< __project_ $field >]([< __ $field _guard >].let_binding()) };
+
             $crate::__init_internal!(init_slot($use_data):
                 @data($data),
                 @slot($slot),




* [PATCH 6.18 270/270] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2s op cache
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (268 preceding siblings ...)
  2026-05-12 17:41 ` [PATCH 6.18 269/270] rust: pin-init: fix incorrect accessor reference lifetime Greg Kroah-Hartman
@ 2026-05-12 17:41 ` Greg Kroah-Hartman
  2026-05-12 21:03 ` [PATCH 6.18 000/270] 6.18.30-rc1 review Pavel Machek
                   ` (4 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-12 17:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Prathyushi Nangia,
	Borislav Petkov (AMD), Linus Torvalds

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Prathyushi Nangia <prathyushi.nangia@amd.com>

commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.

Make sure resources are not improperly shared in the op cache and
cause instruction corruption this way.

Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/msr-index.h       |    3 ++-
 arch/x86/kernel/cpu/amd.c              |    3 +++
 tools/arch/x86/include/asm/msr-index.h |    3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -767,9 +767,10 @@
 #define MSR_AMD64_LBR_SELECT			0xc000010e
 
 /* Zen4 */
-#define MSR_ZEN4_BP_CFG                 0xc001102e
+#define MSR_ZEN4_BP_CFG			0xc001102e
 #define MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT 4
 #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT	33
 
 /* Fam 19h MSRs */
 #define MSR_F19H_UMC_PERF_CTL           0xc0010800
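Review bot: `MSR_ZEN2_BP_CFG_BUG_FIX_BIT` is added under the `/* Zen4 */` heading, next to `MSR_ZEN4_BP_CFG`, while its name says Zen2; a one-line comment that the same MSR address applies to Zen2 and that bit 33 sits in the high dword would stop the next reader from filing it as a typo. The whitespace-only change on the `MSR_ZEN4_BP_CFG` line (spaces to a tab) is unrelated to the fix and adds noise to a stable backport.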
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -994,6 +994,9 @@ static void init_amd_zen2(struct cpuinfo
 
 	/* Correct misconfigured CPUID on some clients. */
 	clear_cpu_cap(c, X86_FEATURE_INVLPGB);
+
+	if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
+		msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
 }
 
 static void init_amd_zen3(struct cpuinfo_x86 *c)
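Review bot: the new `msr_set_bit()` call has no comment saying what the bit fixes; the commit message only offers "improper isolation of shared resources in the op cache", and even that sentence belongs next to the code, the way the existing `/* Correct misconfigured CPUID on some clients. */` annotates the `clear_cpu_cap()` above it. The `!cpu_has(c, X86_FEATURE_HYPERVISOR)` guard rightly keeps guests from touching an MSR the hypervisor may not expose, but the return value of `msr_set_bit()` is discarded, so a failed write would be silent; if that is the accepted pattern in this file a short comment should say so.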
--- a/tools/arch/x86/include/asm/msr-index.h
+++ b/tools/arch/x86/include/asm/msr-index.h
@@ -761,9 +761,10 @@
 #define MSR_AMD64_LBR_SELECT			0xc000010e
 
 /* Zen4 */
-#define MSR_ZEN4_BP_CFG                 0xc001102e
+#define MSR_ZEN4_BP_CFG			0xc001102e
 #define MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT 4
 #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT	33
 
 /* Fam 19h MSRs */
 #define MSR_F19H_UMC_PERF_CTL           0xc0010800




* Re: [PATCH 6.18 043/270] usb: typec: tcpm: reset internal port states on soft reset AMS
  2026-05-12 17:37 ` [PATCH 6.18 043/270] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
@ 2026-05-12 20:43   ` Amit Sunil Dhamne
  0 siblings, 0 replies; 282+ messages in thread
From: Amit Sunil Dhamne @ 2026-05-12 20:43 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, stable, Badhri Jagan Sridharan, Heikki Krogerus

Hi Greg,

On 5/12/26 10:37 AM, Greg Kroah-Hartman wrote:
> 6.18-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Amit Sunil Dhamne <amitsd@google.com>
>
> commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream.
>
> Reset internal port states (such as vdm_sm_running and
> explicit_contract) on soft reset AMS as the port needs to negotiate a
> new contract. The consequence of leaving the states in as-is cond are as
> follows:
>    * port is in SRC power role and an explicit contract is negotiated
>      with the port partner (in sink role)
>    * port partner sends a Soft Reset AMS while VDM State Machine is
>      running
>    * port accepts the Soft Reset request and the port advertises src caps
>    * port partner sends a Request message but since the explicit_contract
>      and vdm_sm_running are true from previous negotiation, the port ends
>      up sending Soft Reset instead of Accept msg.
>
> Stub Log:
> [  203.653942] AMS DISCOVER_IDENTITY start
> [  203.653947] PD TX, header: 0x176f
> [  203.655901] PD TX complete, status: 0
> [  203.657470] PD RX, header: 0x124f [1]
> [  203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
> [  203.657482] AMS DISCOVER_IDENTITY finished
> [  203.657484] cc:=4
> [  204.155698] PD RX, header: 0x144f [1]
> [  204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
> [  204.155741] PD TX, header: 0x196f
> [  204.157622] PD TX complete, status: 0
> [  204.160060] PD RX, header: 0x4d [1]
> [  204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
> [  204.160076] PD TX, header: 0x163
> [  204.162486] PD TX complete, status: 0
> [  204.162832] AMS SOFT_RESET_AMS finished
> [  204.162840] cc:=4
> [  204.162891] AMS POWER_NEGOTIATION start
> [  204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
> [  204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
> [  204.162913] PD TX, header: 0x1361
> [  204.165529] PD TX complete, status: 0
> [  204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
> [  204.166996] PD RX, header: 0x1242 [1]
> [  204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
> [  204.167019] AMS POWER_NEGOTIATION finished
> [  204.167020] cc:=4
> [  204.167083] AMS SOFT_RESET_AMS start
> [  204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
> [  204.167092] PD TX, header: 0x16d
> [  204.168824] PD TX complete, status: 0
> [  204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
> [  204.171876] PD RX, header: 0x43 [1]
> [  204.171879] AMS SOFT_RESET_AMS finished
>
> This causes COMMON.PROC.PD.11.2 check failure for
> TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.
>
> Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
> Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
> Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
> Cc: stable <stable@kernel.org>
> Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
> Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>   drivers/usb/typec/tcpm/tcpm.c |    2 ++
>   1 file changed, 2 insertions(+)
>
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -5728,6 +5728,8 @@ static void run_state_machine(struct tcp
>   
>   	case VCONN_SWAP_ACCEPT:
>   		tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);
> +		port->vdm_sm_running = false;
> +		port->explicit_contract = false;
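Review bot: the context line `case VCONN_SWAP_ACCEPT:` shows that the two assignments landed in the VCONN swap path, not in the soft reset accept path the commit message describes, so as applied this backport would clear `vdm_sm_running` and `explicit_contract` on every VCONN swap while leaving the soft reset bug in place. The only unique context around the insertion point is the `tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);` line, which appears in more than one case of run_state_machine(), which is how a fuzzed apply found a false match; the patch should be rebased by hand with enough surrounding lines (the soft reset case's own statements before and after the ACCEPT) to anchor it uniquely, and the quoted hunk as shown here is also truncated after its last `+` line.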

Please drop this patch from the queue. It was incorrectly applied to the 
VCONN_SWAP_ACCEPT case instead of the soft reset handling due to context 
fuzz. I will send a proper rebased backport for the 6.18 stable tree 
shortly.


Thanks,

Amit

>

^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel
  2026-05-12 17:38 ` [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel Greg Kroah-Hartman
@ 2026-05-12 20:52   ` Miguel Ojeda
  2026-05-12 21:53     ` Sean Christopherson
  0 siblings, 1 reply; 282+ messages in thread
From: Miguel Ojeda @ 2026-05-12 20:52 UTC (permalink / raw)
  To: gregkh, Tianrui Zhao, Bibo Mao, Huacai Chen
  Cc: kvm, loongarch, Sean Christopherson, Dave Hansen, chenhuacai,
	lixianglai, patches, stable

On Tue, 12 May 2026 19:38:12 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> 6.18-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Xianglai Li <lixianglai@loongson.cn>
>
> commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream.
>
> If we directly compile the switch.S file into the kernel, the address of
> the kvm_exc_entry function will definitely be within the DMW memory area.
> Therefore, we will no longer need to perform a copy relocation of the
> kvm_exc_entry.
>
> So this patch compiles switch.S directly into the kernel, and then remove
> the copy relocation execution logic for the kvm_exc_entry function.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

For loongarch64, I am seeing a bunch of errors like:

    arch/loongarch/kvm/switch.S:201:1: error: unrecognized instruction mnemonic
    EXPORT_SYMBOL_FOR_KVM(kvm_exc_entry)
    ^

`EXPORT_SYMBOL_FOR_KVM` does not exist in 6.18. Does this need a subset
of commit 6276c67f2bc4 ("x86: Restrict KVM-induced symbol exports to KVM
modules where obvious/possible")?

Cc'ing a few folks...

Thanks!

Cheers,
Miguel

^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 000/270] 6.18.30-rc1 review
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (269 preceding siblings ...)
  2026-05-12 17:41 ` [PATCH 6.18 270/270] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2s op cache Greg Kroah-Hartman
@ 2026-05-12 21:03 ` Pavel Machek
  2026-05-12 22:47 ` Peter Schneider
                   ` (3 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Pavel Machek @ 2026-05-12 21:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr


Hi!

> This is the start of the stable review cycle for the 6.18.30 release.
> There are 270 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.18.y

Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>

Best regards,
                                                                Pavel


^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel
  2026-05-12 20:52   ` Miguel Ojeda
@ 2026-05-12 21:53     ` Sean Christopherson
  2026-05-13  3:06       ` Huacai Chen
  0 siblings, 1 reply; 282+ messages in thread
From: Sean Christopherson @ 2026-05-12 21:53 UTC (permalink / raw)
  To: Miguel Ojeda
  Cc: gregkh, Tianrui Zhao, Bibo Mao, Huacai Chen, kvm, loongarch,
	Dave Hansen, chenhuacai, lixianglai, patches, stable

On Tue, May 12, 2026, Miguel Ojeda wrote:
> On Tue, 12 May 2026 19:38:12 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> >
> > 6.18-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Xianglai Li <lixianglai@loongson.cn>
> >
> > commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream.
> >
> > If we directly compile the switch.S file into the kernel, the address of
> > the kvm_exc_entry function will definitely be within the DMW memory area.
> > Therefore, we will no longer need to perform a copy relocation of the
> > kvm_exc_entry.
> >
> > So this patch compiles switch.S directly into the kernel, and then remove
> > the copy relocation execution logic for the kvm_exc_entry function.
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
> > Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> For loongarch64, I am seeing a bunch of errors like:
> 
>     arch/loongarch/kvm/switch.S:201:1: error: unrecognized instruction mnemonic
>     EXPORT_SYMBOL_FOR_KVM(kvm_exc_entry)
>     ^
> 
> `EXPORT_SYMBOL_FOR_KVM` does not exist in 6.18. Does this need a subset
> of commit 6276c67f2bc4 ("x86: Restrict KVM-induced symbol exports to KVM
> modules where obvious/possible")?

Either that or just convert EXPORT_SYMBOL_FOR_KVM() => EXPORT_SYMBOL_GPL().  If
that's somewhat scriptable for ongoing LTS backports, that's probably the best
option.  EXPORT_SYMBOL_FOR_KVM() will only work for 6.18, and the list of backports
needed to get EXPORT_SYMBOL_FOR_MODULES() working on older LTS kernels looks to
be non-trivial.

If we do end up backporting EXPORT_SYMBOL_FOR_KVM() and others, we might as well
also grab a subset of 01122b89361e ("perf: Use EXPORT_SYMBOL_FOR_KVM() for the
mediated APIs") to ensure a kvm_types.h stub is present on all archs.  That way
EXPORT_SYMBOL_FOR_KVM() usage in arch-neutral code will also work.

diff --git include/asm-generic/Kbuild include/asm-generic/Kbuild
index 295c94a3ccc1..9aff61e7b8f2 100644
--- include/asm-generic/Kbuild
+++ include/asm-generic/Kbuild
@@ -32,6 +32,7 @@ mandatory-y += irq_work.h
 mandatory-y += kdebug.h
 mandatory-y += kmap_size.h
 mandatory-y += kprobes.h
+mandatory-y += kvm_types.h
 mandatory-y += linkage.h
 mandatory-y += local.h
 mandatory-y += local64.h
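Review bot: the `diff --git include/asm-generic/Kbuild include/asm-generic/Kbuild` header has no `a/` and `b/` prefixes, so this fragment applies with `git apply -p0` (or `patch -p0`) rather than the `-p1` the stable tooling expects; if it is to ride along with the EXPORT_SYMBOL_FOR_KVM() backport it should be regenerated with the default prefixes and carry a changelog pointing at its origin (a subset of 01122b89361e, as stated above). Adding `kvm_types.h` to `mandatory-y` also means every architecture without its own asm/kvm_types.h will pick up the asm-generic one, so confirm that the generic stub header is present in the 6.18 tree at that point before this is merged.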


^ permalink raw reply related	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 000/270] 6.18.30-rc1 review
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (270 preceding siblings ...)
  2026-05-12 21:03 ` [PATCH 6.18 000/270] 6.18.30-rc1 review Pavel Machek
@ 2026-05-12 22:47 ` Peter Schneider
  2026-05-13  5:01 ` Wentao Guan
                   ` (2 subsequent siblings)
  274 siblings, 0 replies; 282+ messages in thread
From: Peter Schneider @ 2026-05-12 22:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	rwarsow, conor, hargar, broonie, achill, sr

On 12.05.2026 at 19:36, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.30 release.
> There are 270 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.

Tested-by: Peter Schneider <pschneider1968@googlemail.com>


Best regards,
Peter Schneider

-- 
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you.                    -- David McCullough Jr.

OpenPGP:  0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com

^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel
  2026-05-12 21:53     ` Sean Christopherson
@ 2026-05-13  3:06       ` Huacai Chen
  2026-05-13 10:31         ` Greg KH
  0 siblings, 1 reply; 282+ messages in thread
From: Huacai Chen @ 2026-05-13  3:06 UTC (permalink / raw)
  To: Sean Christopherson
  Cc: Miguel Ojeda, gregkh, Tianrui Zhao, Bibo Mao, kvm, loongarch,
	Dave Hansen, chenhuacai, lixianglai, patches, stable

On Wed, May 13, 2026 at 5:53 AM Sean Christopherson <seanjc@google.com> wrote:
>
> On Tue, May 12, 2026, Miguel Ojeda wrote:
> > On Tue, 12 May 2026 19:38:12 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > >
> > > 6.18-stable review patch.  If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Xianglai Li <lixianglai@loongson.cn>
> > >
> > > commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream.
> > >
> > > If we directly compile the switch.S file into the kernel, the address of
> > > the kvm_exc_entry function will definitely be within the DMW memory area.
> > > Therefore, we will no longer need to perform a copy relocation of the
> > > kvm_exc_entry.
> > >
> > > So this patch compiles switch.S directly into the kernel, and then remove
> > > the copy relocation execution logic for the kvm_exc_entry function.
> > >
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
> > > Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > For loongarch64, I am seeing a bunch of errors like:
> >
> >     arch/loongarch/kvm/switch.S:201:1: error: unrecognized instruction mnemonic
> >     EXPORT_SYMBOL_FOR_KVM(kvm_exc_entry)
> >     ^
> >
> > `EXPORT_SYMBOL_FOR_KVM` does not exist in 6.18. Does this need a subset
> > of commit 6276c67f2bc4 ("x86: Restrict KVM-induced symbol exports to KVM
> > modules where obvious/possible")?
>
> Either that or just convert EXPORT_SYMBOL_FOR_KVM() => EXPORT_SYMBOL_GPL().  If
> that's somewhat scriptable for ongoing LTS backports, that's probably the best
> option.  EXPORT_SYMBOL_FOR_KVM() will only work for 6.18, and the list of backports
> needed to get EXPORT_SYMBOL_FOR_MODULES() working on older LTS kernels looks to
> be non-trivial
>
> If we do end up backporting EXPORT_SYMBOL_FOR_KVM() and others, we might as well
> also grab a subset of 01122b89361e ("perf: Use EXPORT_SYMBOL_FOR_KVM() for the
> mediated APIs") to ensure a kvm_types.h stub is present on all archs.  That way
> EXPORT_SYMBOL_FOR_KVM() usage in arch-neutral code will also work.
I have already notified Greg about this before.

And I think the best solution is to use EXPORT_SYMBOL_GPL().

If Greg doesn't want to adjust manually, please drop this patch and I
will send one.



Huacai

>
> diff --git include/asm-generic/Kbuild include/asm-generic/Kbuild
> index 295c94a3ccc1..9aff61e7b8f2 100644
> --- include/asm-generic/Kbuild
> +++ include/asm-generic/Kbuild
> @@ -32,6 +32,7 @@ mandatory-y += irq_work.h
>  mandatory-y += kdebug.h
>  mandatory-y += kmap_size.h
>  mandatory-y += kprobes.h
> +mandatory-y += kvm_types.h
>  mandatory-y += linkage.h
>  mandatory-y += local.h
>  mandatory-y += local64.h
>
>

^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 000/270] 6.18.30-rc1 review
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (271 preceding siblings ...)
  2026-05-12 22:47 ` Peter Schneider
@ 2026-05-13  5:01 ` Wentao Guan
  2026-05-13 10:32   ` Greg KH
  2026-05-13  5:17 ` [PATCH 6.18.y] usb: typec: tcpm: reset internal port states on soft reset AMS Amit Sunil Dhamne
  2026-05-13  7:16 ` [PATCH 6.18 000/270] 6.18.30-rc1 review Brett A C Sheffield
  274 siblings, 1 reply; 282+ messages in thread
From: Wentao Guan @ 2026-05-13  5:01 UTC (permalink / raw)
  To: gregkh
  Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
	linux-kernel, linux, lkft-triage, patches, patches, pavel,
	rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
	Wentao Guan

Build tested in our x86, arm64, riscv configs successfully without error.

Tested-by: Wentao Guan <guanwentao@uniontech.com>

LoongArch build failed; you can drop the commit to build OK:
git revert a45361144d5a65dd3b7183fd7b511d9cdc143503
Revert "LoongArch: KVM: Compile switch.S directly into the kernel"

BRs
Wentao Guan

LoongArch fail log before revert:
arch/loongarch/kvm/switch.S: Assembler messages:
arch/loongarch/kvm/switch.S:201: Error: no match insn: export_symbol_for_kvm(kvm_exc_entry)
arch/loongarch/kvm/switch.S:226: Error: no match insn: export_symbol_for_kvm(kvm_enter_guest)
arch/loongarch/kvm/switch.S:234: Error: no match insn: export_symbol_for_kvm(kvm_save_fpu)
arch/loongarch/kvm/switch.S:242: Error: no match insn: export_symbol_for_kvm(kvm_restore_fpu)
arch/loongarch/kvm/switch.S:251: Error: no match insn: export_symbol_for_kvm(kvm_save_lsx)
arch/loongarch/kvm/switch.S:259: Error: no match insn: export_symbol_for_kvm(kvm_restore_lsx)
arch/loongarch/kvm/switch.S:269: Error: no match insn: export_symbol_for_kvm(kvm_save_lasx)
arch/loongarch/kvm/switch.S:277: Error: no match insn: export_symbol_for_kvm(kvm_restore_lasx)
make[4]: *** [scripts/Makefile.build:430: arch/loongarch/kvm/switch.o] Error 1
make[3]: *** [scripts/Makefile.build:544: arch/loongarch/kvm] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:544: arch/loongarch] Error 2
make[2]: *** Waiting for unfinished jobs....

defconfigs:
https://gist.github.com/opsiff/a840ae9e3d6857f5b7bacb9cdc49f8e9

Log:
Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC 
Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #2 SMP PREEMPT_DYNAMIC Wed May 13 11:15:19 CST 2026
Linux version 6.18.30-rc1+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT 
Linux version 6.18.30-rc1+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #3 SMP PREEMPT Wed May 13 11:40:11 CST 2026
Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC 
Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #1 SMP PREEMPT_DYNAMIC Wed May 13 10:57:44 CST 2026


^ permalink raw reply	[flat|nested] 282+ messages in thread

* [PATCH 6.18.y] usb: typec: tcpm: reset internal port states on soft reset AMS
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (272 preceding siblings ...)
  2026-05-13  5:01 ` Wentao Guan
@ 2026-05-13  5:17 ` Amit Sunil Dhamne
  2026-05-13  7:16 ` [PATCH 6.18 000/270] 6.18.30-rc1 review Brett A C Sheffield
  274 siblings, 0 replies; 282+ messages in thread
From: Amit Sunil Dhamne @ 2026-05-13  5:17 UTC (permalink / raw)
  To: stable
  Cc: Amit Sunil Dhamne, stable, Badhri Jagan Sridharan,
	Heikki Krogerus, Greg Kroah-Hartman

Reset internal port states (such as vdm_sm_running and
explicit_contract) on soft reset AMS as the port needs to negotiate a
new contract. The consequence of leaving the states in as-is cond are as
follows:
  * port is in SRC power role and an explicit contract is negotiated
    with the port partner (in sink role)
  * port partner sends a Soft Reset AMS while VDM State Machine is
    running
  * port accepts the Soft Reset request and the port advertises src caps
  * port partner sends a Request message but since the explicit_contract
    and vdm_sm_running are true from previous negotiation, the port ends
    up sending Soft Reset instead of Accept msg.

Stub Log:
[  203.653942] AMS DISCOVER_IDENTITY start
[  203.653947] PD TX, header: 0x176f
[  203.655901] PD TX complete, status: 0
[  203.657470] PD RX, header: 0x124f [1]
[  203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
[  203.657482] AMS DISCOVER_IDENTITY finished
[  203.657484] cc:=4
[  204.155698] PD RX, header: 0x144f [1]
[  204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
[  204.155741] PD TX, header: 0x196f
[  204.157622] PD TX complete, status: 0
[  204.160060] PD RX, header: 0x4d [1]
[  204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
[  204.160076] PD TX, header: 0x163
[  204.162486] PD TX complete, status: 0
[  204.162832] AMS SOFT_RESET_AMS finished
[  204.162840] cc:=4
[  204.162891] AMS POWER_NEGOTIATION start
[  204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
[  204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
[  204.162913] PD TX, header: 0x1361
[  204.165529] PD TX complete, status: 0
[  204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
[  204.166996] PD RX, header: 0x1242 [1]
[  204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
[  204.167019] AMS POWER_NEGOTIATION finished
[  204.167020] cc:=4
[  204.167083] AMS SOFT_RESET_AMS start
[  204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
[  204.167092] PD TX, header: 0x16d
[  204.168824] PD TX complete, status: 0
[  204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
[  204.171876] PD RX, header: 0x43 [1]
[  204.171879] AMS SOFT_RESET_AMS finished

This causes COMMON.PROC.PD.11.2 check failure for
TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.

Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2909f0d4994fb4306bf116df5ccee797791fce2c)
Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
---
 drivers/usb/typec/tcpm/tcpm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index cc78770509db..584618fe5fe5 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -5521,6 +5521,8 @@ static void run_state_machine(struct tcpm_port *port)
 		usb_power_delivery_unregister_capabilities(port->partner_source_caps);
 		port->partner_source_caps = NULL;
 		tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);
+		port->vdm_sm_running = false;
+		port->explicit_contract = false;
 		tcpm_ams_finish(port);
 		if (port->pwr_role == TYPEC_SOURCE) {
 			port->upcoming_state = SRC_SEND_CAPABILITIES;
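Review bot: placement now matches the soft reset accept path the commit message describes, with the two clears between `tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);` and `tcpm_ams_finish(port);` and ahead of the `port->upcoming_state = SRC_SEND_CAPABILITIES;` branch that re-advertises source capabilities, which is exactly where the stub log shows the stale flags doing damage. One suggestion for the commit message: add a sentence saying why a hand-rebased cherry-pick was needed (the automatic 6.18 backport landed in the VCONN_SWAP_ACCEPT case because of context fuzz), since that is the first thing a reader of the stable tree will look for when they see the same upstream commit id arrive twice.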
-- 
2.54.0.563.g4f69b47b94-goog
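
The stub log above contains the whole failure in a handful of lines: a Soft Reset AMS finishes, the source re-advertises capabilities, and the partner's Request is answered by a transition to SRC_SOFT_RESET_WAIT_SNK_TX rather than by a power negotiation. As an added example that is not part of this patch or of the tcpm driver, here is a small C scanner for tcpm debug output that recognises that signature. It is run over the log lines copied from the commit message above and over a constructed healthy control sequence, which assumes the driver's SRC_NEGOTIATE_CAPABILITIES state name for the accepted Request.

```c
/*
 * Added example, not code from the tcpm driver or from this patch: scan tcpm
 * debug log lines for the signature of the bug described above:
 *   "AMS SOFT_RESET_AMS finished", then a transition into SRC_SEND_CAPABILITIES,
 *   then SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX (the partner's
 *   Request answered with a Soft Reset instead of a power negotiation).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct tcpm_scan {
	bool after_soft_reset; /* saw "AMS SOFT_RESET_AMS finished" */
	bool caps_sent;        /* ...followed by a move into SRC_SEND_CAPABILITIES */
	int incidents;         /* Requests answered with a soft reset */
};

/* Pull "A -> B" out of a "state change A -> B [...]" line.  "pending state
 * change" lines are armed timers, not transitions, and are skipped. */
static bool parse_state_change(const char *line, char *from, char *to)
{
	const char *p;

	if (strstr(line, "pending state change"))
		return false;
	p = strstr(line, "state change ");
	if (!p)
		return false;
	p += strlen("state change ");
	/* %63[^ ] reads a state name up to the next space; the arrow separates them */
	return sscanf(p, "%63[^ ] -> %63[^ ]", from, to) == 2;
}

void tcpm_scan_line(struct tcpm_scan *s, const char *line)
{
	char from[64], to[64];

	if (strstr(line, "AMS SOFT_RESET_AMS finished")) {
		s->after_soft_reset = true;
		s->caps_sent = false;
		return;
	}
	if (!parse_state_change(line, from, to))
		return;
	if (s->after_soft_reset && strcmp(to, "SRC_SEND_CAPABILITIES") == 0) {
		s->caps_sent = true;
		return;
	}
	if (s->caps_sent && strcmp(from, "SRC_SEND_CAPABILITIES") == 0) {
		/* Leaving SRC_SEND_CAPABILITIES is the answer to the Request:
		 * a healthy source negotiates, the buggy one soft-resets. */
		if (strcmp(to, "SRC_SOFT_RESET_WAIT_SNK_TX") == 0)
			s->incidents++;
		s->after_soft_reset = false;
		s->caps_sent = false;
	}
}

int tcpm_scan_lines(const char *const *lines, size_t n)
{
	struct tcpm_scan s = { false, false, 0 };

	for (size_t i = 0; i < n; i++)
		tcpm_scan_line(&s, lines[i]);
	return s.incidents;
}

/* Lines copied from the stub log in the commit message above. */
static const char *const buggy_log[] = {
	"[  204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]",
	"[  204.162832] AMS SOFT_RESET_AMS finished",
	"[  204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]",
	"[  204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]",
	"[  204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]",
	"[  204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]",
	"[  204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]",
	"[  204.171879] AMS SOFT_RESET_AMS finished",
};

/* Constructed control sequence: same flow, but the Request is accepted.
 * Assumes the driver's SRC_NEGOTIATE_CAPABILITIES state name. */
static const char *const healthy_log[] = {
	"[  300.000001] AMS SOFT_RESET_AMS finished",
	"[  300.000002] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]",
	"[  300.000003] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]",
	"[  300.000004] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]",
	"[  300.000005] state change SRC_SEND_CAPABILITIES -> SRC_NEGOTIATE_CAPABILITIES [rev2 POWER_NEGOTIATION]",
};

int scan_buggy_log(void)
{
	return tcpm_scan_lines(buggy_log, sizeof(buggy_log) / sizeof(buggy_log[0]));
}

int scan_healthy_log(void)
{
	return tcpm_scan_lines(healthy_log, sizeof(healthy_log) / sizeof(healthy_log[0]));
}

int main(void)
{
	printf("commit-message log: %d Request(s) answered with Soft Reset\n", scan_buggy_log());
	printf("healthy control:    %d\n", scan_healthy_log());
	return 0;
}
```

The scanner keys only on the `AMS ... finished` and `state change` lines, ignoring `pending state change` timer lines, so it can be pointed at a full `tcpm` debugfs log without being confused by the SRC_SEND_CAPABILITIES_TIMEOUT timer that is armed on every capabilities advertisement.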


^ permalink raw reply related	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 000/270] 6.18.30-rc1 review
  2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
                   ` (273 preceding siblings ...)
  2026-05-13  5:17 ` [PATCH 6.18.y] usb: typec: tcpm: reset internal port states on soft reset AMS Amit Sunil Dhamne
@ 2026-05-13  7:16 ` Brett A C Sheffield
  274 siblings, 0 replies; 282+ messages in thread
From: Brett A C Sheffield @ 2026-05-13  7:16 UTC (permalink / raw)
  To: gregkh
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
	Brett A C Sheffield

# Librecast Test Results

020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast

CPU/kernel: Linux auntie 6.18.30-rc1-g6a57bf31ed20 #1 SMP PREEMPT_DYNAMIC Wed May 13 07:07:55 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux

Tested-by: Brett A C Sheffield <bacs@librecast.net>

^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel
  2026-05-13  3:06       ` Huacai Chen
@ 2026-05-13 10:31         ` Greg KH
  0 siblings, 0 replies; 282+ messages in thread
From: Greg KH @ 2026-05-13 10:31 UTC (permalink / raw)
  To: Huacai Chen
  Cc: Sean Christopherson, Miguel Ojeda, Tianrui Zhao, Bibo Mao, kvm,
	loongarch, Dave Hansen, chenhuacai, lixianglai, patches, stable

On Wed, May 13, 2026 at 11:06:20AM +0800, Huacai Chen wrote:
> On Wed, May 13, 2026 at 5:53 AM Sean Christopherson <seanjc@google.com> wrote:
> >
> > On Tue, May 12, 2026, Miguel Ojeda wrote:
> > > On Tue, 12 May 2026 19:38:12 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > 6.18-stable review patch.  If anyone has any objections, please let me know.
> > > >
> > > > ------------------
> > > >
> > > > From: Xianglai Li <lixianglai@loongson.cn>
> > > >
> > > > commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream.
> > > >
> > > > If we directly compile the switch.S file into the kernel, the address of
> > > > the kvm_exc_entry function will definitely be within the DMW memory area.
> > > > Therefore, we will no longer need to perform a copy relocation of the
> > > > kvm_exc_entry.
> > > >
> > > > So this patch compiles switch.S directly into the kernel, and then remove
> > > > the copy relocation execution logic for the kvm_exc_entry function.
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
> > > > Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > >
> > > For loongarch64, I am seeing a bunch of errors like:
> > >
> > >     arch/loongarch/kvm/switch.S:201:1: error: unrecognized instruction mnemonic
> > >     EXPORT_SYMBOL_FOR_KVM(kvm_exc_entry)
> > >     ^
> > >
> > > `EXPORT_SYMBOL_FOR_KVM` does not exist in 6.18. Does this need a subset
> > > of commit 6276c67f2bc4 ("x86: Restrict KVM-induced symbol exports to KVM
> > > modules where obvious/possible")?
> >
> > Either that or just convert EXPORT_SYMBOL_FOR_KVM() => EXPORT_SYMBOL_GPL().  If
> > that's somewhat scriptable for ongoing LTS backports, that's probably the best
> > option.  EXPORT_SYMBOL_FOR_KVM() will only work for 6.18, and the list of backports
> > needed to get EXPORT_SYMBOL_FOR_MODULES() working on older LTS kernels looks to
> > be non-trivial
> >
> > If we do end up backporting EXPORT_SYMBOL_FOR_KVM() and others, we might as well
> > also grab a subset of 01122b89361e ("perf: Use EXPORT_SYMBOL_FOR_KVM() for the
> > mediated APIs") to ensure a kvm_types.h stub is present on all archs.  That way
> > EXPORT_SYMBOL_FOR_KVM() usage in arch-neutral code will also work.
> I have already notified Greg about this before.

You did?  Where?

> And I think the best solution is to use EXPORT_SYMBOL_GPL().
> 
> If Greg doesn't want to adjust manually, please drop this patch and I
> will send one.

I'll go drop this one from the queue.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 282+ messages in thread

* Re: [PATCH 6.18 000/270] 6.18.30-rc1 review
  2026-05-13  5:01 ` Wentao Guan
@ 2026-05-13 10:32   ` Greg KH
  0 siblings, 0 replies; 282+ messages in thread
From: Greg KH @ 2026-05-13 10:32 UTC (permalink / raw)
  To: Wentao Guan
  Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
	linux-kernel, linux, lkft-triage, patches, patches, pavel,
	rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds

On Wed, May 13, 2026 at 01:01:15PM +0800, Wentao Guan wrote:
> Build tested in our x86, arm64, riscv configs successfully without error.
> 
> Tested-by: Wentao Guan <guanwentao@uniontech.com>
> 
> LoongArch build failed; you can drop the commit to build OK:
> git revert a45361144d5a65dd3b7183fd7b511d9cdc143503
> Revert "LoongArch: KVM: Compile switch.S directly into the kernel"
> 
> BRs
> Wentao Guan
> 
> LoongArch fail log before revert:
> arch/loongarch/kvm/switch.S: Assembler messages:
> arch/loongarch/kvm/switch.S:201: Error: no match insn: export_symbol_for_kvm(kvm_exc_entry)
> arch/loongarch/kvm/switch.S:226: Error: no match insn: export_symbol_for_kvm(kvm_enter_guest)
> arch/loongarch/kvm/switch.S:234: Error: no match insn: export_symbol_for_kvm(kvm_save_fpu)
> arch/loongarch/kvm/switch.S:242: Error: no match insn: export_symbol_for_kvm(kvm_restore_fpu)
> arch/loongarch/kvm/switch.S:251: Error: no match insn: export_symbol_for_kvm(kvm_save_lsx)
> arch/loongarch/kvm/switch.S:259: Error: no match insn: export_symbol_for_kvm(kvm_restore_lsx)
> arch/loongarch/kvm/switch.S:269: Error: no match insn: export_symbol_for_kvm(kvm_save_lasx)
> arch/loongarch/kvm/switch.S:277: Error: no match insn: export_symbol_for_kvm(kvm_restore_lasx)
> make[4]: *** [scripts/Makefile.build:430: arch/loongarch/kvm/switch.o] Error 1
> make[3]: *** [scripts/Makefile.build:544: arch/loongarch/kvm] Error 2
> make[3]: *** Waiting for unfinished jobs....
> make[2]: *** [scripts/Makefile.build:544: arch/loongarch] Error 2
> make[2]: *** Waiting for unfinished jobs....
> 
> defconfigs:
> https://gist.github.com/opsiff/a840ae9e3d6857f5b7bacb9cdc49f8e9
> 
> Log:
> Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC 
> Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #2 SMP PREEMPT_DYNAMIC Wed May 13 11:15:19 CST 2026
> Linux version 6.18.30-rc1+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT 
> Linux version 6.18.30-rc1+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #3 SMP PREEMPT Wed May 13 11:40:11 CST 2026
> Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC 
> Linux version 6.18.30-rc1-g6a57bf31ed20 (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #1 SMP PREEMPT_DYNAMIC Wed May 13 10:57:44 CST 2026
> 
> 

Offending commit now dropped.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 282+ messages in thread

end of thread, other threads:[~2026-05-13 10:35 UTC | newest]

Thread overview: 282+ messages
2026-05-12 17:36 [PATCH 6.18 000/270] 6.18.30-rc1 review Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 001/270] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 002/270] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 003/270] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 004/270] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 005/270] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 006/270] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 007/270] ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 008/270] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 009/270] ACPI: video: force native backlight on HP OMEN 16 (8A44) Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 010/270] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 011/270] iommufd: Fix a race with concurrent allocation and unmap Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 012/270] ASoC: SOF: Dont allow pointer operations on unconfigured streams Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 013/270] wifi: mt76: mt7925: fix incorrect TLV length in CLC command Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 014/270] spi: rockchip: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 015/270] ksmbd: rewrite stop_sessions() with restartable iteration Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 016/270] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 017/270] ceph: fix num_ops off-by-one when crypto allocation fails Greg Kroah-Hartman
2026-05-12 17:36 ` [PATCH 6.18 018/270] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 019/270] mptcp: sync the msk->sndbuf at accept() time Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 020/270] smb: client/smbdirect: fix MR registration for coalesced SG lists Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 021/270] net: af_key: zero aligned sockaddr tail in PF_KEY exports Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 022/270] KVM: SVM: check validity of VMCB controls when returning from SMM Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 023/270] net: stmmac: Disable EEE RX clock stop when VLAN is enabled Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 024/270] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 025/270] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 026/270] wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 027/270] wifi: mt76: mt7925: fix incorrect length field in txpower command Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 028/270] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 029/270] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 030/270] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 031/270] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 032/270] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 033/270] wifi: mac80211: use safe list iteration in radar detect work Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 034/270] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 035/270] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 036/270] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 037/270] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 038/270] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 039/270] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 040/270] ALSA: usb-audio: midi2: Restart output URBs on resume Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 041/270] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 042/270] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 043/270] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
2026-05-12 20:43   ` Amit Sunil Dhamne
2026-05-12 17:37 ` [PATCH 6.18 044/270] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 045/270] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 046/270] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 047/270] usb: typec: tcpm: fix debug accessory mode detection for sink ports Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 048/270] ALSA: hda: cs35l56: Propagate ASP TX source control errors Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 049/270] ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 050/270] ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15 Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 051/270] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 052/270] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 053/270] ALSA: seq: Fix UMP group 16 filtering Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 054/270] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 055/270] x86/efi: Restore IRQ state in EFI page fault handler Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 056/270] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 057/270] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 058/270] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 059/270] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 060/270] selinux: fix avdcache auditing Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 061/270] selinux: use sk blob accessor in socket permission helpers Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 062/270] selinux: dont reserve xattr slot when we wont fill it Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 063/270] selinux: shrink critical section in sel_write_load() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 064/270] selinux: prune /sys/fs/selinux/checkreqprot Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 065/270] selinux: prune /sys/fs/selinux/disable Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 066/270] selinux: prune /sys/fs/selinux/user Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 067/270] LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 068/270] Bluetooth: virtio_bt: clamp rx length before skb_put Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 069/270] Bluetooth: virtio_bt: validate rx pkt_type header length Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 070/270] Bluetooth: btmtk: validate WMT event SKB length before struct access Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 071/270] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 072/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 073/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 074/270] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 075/270] rust: drm: gem: clean up GEM state in init failure case Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 076/270] rust: allow `clippy::collapsible_match` globally Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 077/270] rust: allow `clippy::collapsible_if` globally Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.18 078/270] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 079/270] spi: sun4i: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 080/270] spi: ti-qspi: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 081/270] spi: sun6i: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 082/270] spi: zynqmp-gqspi: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 083/270] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 084/270] staging: vme_user: fix root device leak on init failure Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 085/270] fanotify: fix false positive on permission events Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 086/270] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 087/270] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 088/270] arm64: signal: Preserve POR_EL0 if poe_context is missing Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 089/270] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 090/270] LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 091/270] LoongArch: KVM: Compile switch.S directly into the kernel Greg Kroah-Hartman
2026-05-12 20:52   ` Miguel Ojeda
2026-05-12 21:53     ` Sean Christopherson
2026-05-13  3:06       ` Huacai Chen
2026-05-13 10:31         ` Greg KH
2026-05-12 17:38 ` [PATCH 6.18 092/270] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 093/270] mptcp: pm: ADD_ADDR rtx: skip inactive subflows Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 094/270] perf/x86/intel: Improve validation and configuration of ACR masks Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 095/270] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 096/270] pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 097/270] pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 098/270] pseries/papr-hvpipe: Fix the usage of copy_to_user() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 099/270] net: libwx: fix VF illegal register access Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 100/270] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 101/270] net: libwx: use request_irq for VF misc interrupt Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 102/270] netpoll: pass buffer size to egress_dev() to avoid MAC truncation Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 103/270] net/rds: handle zerocopy send cleanup before the message is queued Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 104/270] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 105/270] platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 106/270] parisc: Fix IRQ leak in LASI driver Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 107/270] x86/efi: Fix graceful fault handling after FPU softirq changes Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 108/270] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 109/270] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 110/270] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 111/270] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 112/270] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 113/270] arm64/fpsimd: ptrace: zero targets fpsimd_state, not the tracers Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 114/270] pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 115/270] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 116/270] block: only read from sqe on initial invocation of blkdev_uring_cmd() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 117/270] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 118/270] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 119/270] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 120/270] gpio: of: clear OF_POPULATED on hog nodes in remove path Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 121/270] hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 122/270] hv_sock: fix ARM64 support Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 123/270] hv_sock: Report EOF instead of -EIO for FIN Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 124/270] hv_sock: Return -EIO for malformed/short packets Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 125/270] ibmveth: Disable GSO for packets with small MSS Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 126/270] ice: fix double free in ice_sf_eth_activate() error path Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 127/270] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 128/270] spi: microchip-core-qspi: dont attempt to transmit during emulated read-only dual/quad operations Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 129/270] spi: microchip-core-qspi: control built-in cs manually Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 130/270] tracefs: Fix default permissions not being applied on initial mount Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 131/270] udf: reject descriptors with oversized CRC length Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 132/270] thermal: core: Free thermal zone ID later during removal Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 133/270] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 134/270] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 135/270] spi: topcliff-pch: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 136/270] spi: topcliff-pch: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 137/270] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.18 138/270] clk: imx: imx8-acm: fix flags for acm clocks Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 139/270] clk: microchip: mpfs-ccc: fix out of bounds access during output registration Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 140/270] cpuidle: powerpc: avoid double clear when breaking snooze Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 141/270] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 142/270] ASoC: ES8389: convert to devm_clk_get_optional() to get clock Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 143/270] ASoC: fsl_easrc: fix comment typo Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 144/270] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 145/270] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 146/270] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 147/270] ASoC: qcom: q6apm: remove child devices when apm is removed Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 148/270] btrfs: fix double free in create_space_info() error path Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 149/270] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 150/270] dm-thin: fix metadata refcount underflow Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 151/270] dm: dont report warning when doing deferred remove Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 152/270] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 153/270] eventfs: Hold eventfs_mutex and SRCU when remount walks events Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 154/270] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 155/270] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 156/270] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 157/270] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 158/270] iommufd: Fix return value of iommufd_fault_fops_write() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 159/270] iommu/vt-d: Block PASID attachment to nested domain with dirty tracking Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 160/270] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 161/270] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 162/270] lib/scatterlist: fix length calculations in extract_kvec_to_sg Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 163/270] lib/scatterlist: fix temp buffer in extract_user_to_sg() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 164/270] libceph: Fix slab-out-of-bounds access in auth message processing Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 165/270] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 166/270] nvme-apple: drop invalid put of admin queue reference count Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 167/270] nvmet-tcp: fix race between ICReq handling and queue teardown Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 168/270] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 169/270] openvswitch: vport: fix self-deadlock on release of tunnel ports Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 170/270] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 171/270] psp: strip variable-length PSP header in psp_dev_rcv() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 172/270] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 173/270] riscv: kvm: fix vector context allocation leak Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 174/270] s390/debug: Reject zero-length input in debug_input_flush_fn() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 175/270] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 176/270] scsi: mpt3sas: Limit NVMe request size to 2 MiB Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 177/270] smb/client: fix out-of-bounds read in smb2_compound_op() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 178/270] smb/client: fix out-of-bounds read in symlink_data() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 179/270] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 180/270] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 181/270] KVM: x86: check for nEPT/nNPT in slow flush hypercalls Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 182/270] KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 183/270] mm/damon/stat: detect and use fresh enabled value Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 184/270] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 185/270] PCI: Update saved_config_space upon resource assignment Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 186/270] PCI/AER: Clear only error bits in PCIe Device Status Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 187/270] PCI/AER: Stop ruling out unbound devices as error source Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 188/270] PCI/ASPM: Fix pci_clear_and_set_config_dword() usage Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 189/270] power: supply: max17042: avoid overflow when determining health Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 190/270] powerpc/xive: fix kmemleak caused by incorrect chip_data lookup Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 191/270] perf/x86/intel: Always reprogram ACR events to prevent stale masks Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 192/270] RDMA/ionic: bound node_desc sysfs read with %.64s Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 193/270] RDMA/ionic: Fix typo in format string Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 194/270] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 195/270] RDMA/mana: Fix mana_destroy_wq_obj() cleanup " Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 196/270] RDMA/mana: Remove user triggerable WARN_ON() " Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 197/270] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.18 198/270] RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 199/270] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 200/270] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 201/270] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 202/270] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 203/270] RDMA/rxe: Reject unknown opcodes before ICRC processing Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 204/270] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 205/270] sched_ext: idle: Recheck prev_cpu after narrowing allowed mask Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 206/270] selftests: mptcp: check output: catch cmd errors Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 207/270] selftests: mptcp: pm: restrict unknown check to pm_nl_ctl Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 208/270] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 209/270] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 210/270] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 211/270] mptcp: sockopt: set timestamp flags on subflow socket, not msk Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 212/270] mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 213/270] mptcp: fix rx timestamp corruption on fastopen Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 214/270] mptcp: fix scheduling with atomic in timestamp sockopt Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 215/270] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 216/270] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 217/270] mptcp: pm: ADD_ADDR rtx: allow " Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 218/270] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 219/270] mptcp: pm: ADD_ADDR rtx: always decrease sk refcount Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 220/270] mptcp: pm: ADD_ADDR rtx: free sk if last Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 221/270] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 222/270] mptcp: pm: ADD_ADDR rtx: return early if no retrans Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 223/270] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 224/270] f2fs: fix fiemap boundary handling when read extent cache is incomplete Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 225/270] f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 226/270] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 227/270] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 228/270] f2fs: fix node_cnt race between extent node destroy and writeback Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 229/270] f2fs: fix uninitialized kobject put in f2fs_init_sysfs() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 230/270] f2fs: refactor f2fs_move_node_folio function Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 231/270] f2fs: fix inline data not being written to disk in writeback path Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 232/270] f2fs: fix fsck inconsistency caused by FGGC of node block Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 233/270] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 234/270] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 235/270] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 236/270] KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 237/270] KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 238/270] KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 239/270] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 240/270] LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 241/270] LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 242/270] LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 243/270] LoongArch: KVM: Move unconditional delay into timer clear scenery Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 244/270] LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 245/270] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 246/270] io_uring/kbuf: support min length left for incremental buffers Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 247/270] io_uring/tw: serialize ctx->retry_llist with ->uring_lock Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 248/270] bpf: Fix use-after-free in arena_vm_close on fork Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 249/270] mm/damon/core: disallow non-power of two min_region_sz on damon_start() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 250/270] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 251/270] dma-mapping: add __dma_from_device_group_begin()/end() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 252/270] hwmon: (powerz) Avoid cacheline sharing for DMA buffer Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 253/270] octeon_ep_vf: add NULL check for napi_build_skb() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 254/270] mmc: core: Adjust MDT beyond 2025 Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 255/270] mmc: core: Add quirk for incorrect manufacturing date Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 256/270] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 257/270] crypto: qat - fix indentation of macros in qat_hal.c Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.18 258/270] crypto: qat - fix firmware loading failure for GEN6 devices Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 259/270] mm, swap: speed up hibernation allocation and writeout Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 260/270] firmware: exynos-acpm: Drop fake const on handle pointer Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 261/270] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 262/270] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 263/270] erofs: tidy up z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 264/270] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 265/270] printk: add print_hex_dump_devel() Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 266/270] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 267/270] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 268/270] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 269/270] rust: pin-init: fix incorrect accessor reference lifetime Greg Kroah-Hartman
2026-05-12 17:41 ` [PATCH 6.18 270/270] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2s op cache Greg Kroah-Hartman
2026-05-12 21:03 ` [PATCH 6.18 000/270] 6.18.30-rc1 review Pavel Machek
2026-05-12 22:47 ` Peter Schneider
2026-05-13  5:01 ` Wentao Guan
2026-05-13 10:32   ` Greg KH
2026-05-13  5:17 ` [PATCH 6.18.y] usb: typec: tcpm: reset internal port states on soft reset AMS Amit Sunil Dhamne
2026-05-13  7:16 ` [PATCH 6.18 000/270] 6.18.30-rc1 review Brett A C Sheffield

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox